NinerNet Communications™
System Status

Server and System Status

Email failures from Apple email addresses

25 March 2025 04:33:20 +0000

Due to support requests recently, it has become obvious that Apple have mis-configured their mail servers, either intentionally or because they’re stupid (both are one and the same in this case, but I’m leaning towards the latter of course), so that they don’t play well with an anti-spam technology that NinerNet and millions around the world use called greylisting. (If you want to more thoroughly understand greylisting, we recommend you read the page at that link.)

It seems that some (many?) users of Apple-administered mail servers on domains like mac.com, me.com, icloud.com (maybe even apple.com itself) and possibly other domains that we’re not aware of receive bounce messages for email messages they send to NinerNet-hosted domains that contain this text:

<email-address@ninernet-hosted-domain.com>: host mx.niner.net[178.62.195.26] said:
451 4.7.1 <*****@*****************>: Recipient address rejected:
Intentional policy rejection, please try again later (in reply to RCPT TO command)

At this time we don’t know if this also applies to domains running on any of the servers that use an Apple operating system, but we haven’t seen evidence of this because even those servers generally run applications (e.g., Postfix [which we use], Qmail, etc.) that are not Apple products and comply with email standards. We also don’t know the frequency with which email sent to NinerNet-hosted domains fail.

Here’s the explanation we have sent to recent clients:

The four (hundred) codes (451 and 4.7.1) tell the sending server that the error is temporary, and that the sending server should (as it also says in plain English), “try again later”. A four-hundred error code is not a permanent error; those are five-hundred codes. Email messages should not be bounced by four-hundred error codes, so this is why the sending (Apple) server is behaving incorrectly according to email standards. Email doesn’t work if organisations (i.e., Apple) ignore standards.

Greylisting isn’t something we invented while I was bored last weekend; it’s an extremely widely used and also extremely successful anti-spam technique that we have been using for about as long as NinerNet has been in business, which is thirty years.

So the sender needs to bring this to the attention of the support department at Apple. NinerNet is not the cause of this problem.

As we’ve also explained, “standards” are not vague suggestions; they’re the “laws” on which servers and clients agree to operate so that they can work together.

In order to compensate for the stupidity of the brain trust at Apple we have whitelisted the following domains server-wide, so that greylisting is not applied to email from these domains:

  • apple.com
  • icloud.com
  • me.com
  • mac.com

This, of course, means that spam from these domains will more likely reach our clients, and for this we humbly apologise. We hope that Apple are doing a better job of keeping spammers off of their systems than they are at actually running the mail servers themselves.

If your correspondents on other Apple-hosted domains report similar problems sending email to you, please let us know and we’ll add those domains too to our mail servers’ whitelists.

If you have any questions about this, please feel free to contact NinerNet support. Thanks for your attention.

Tags: , , , , , , ,
Categories: Email, NC036
No Comments »

NC036: Significant issue with delivery of email to Microsoft-hosted domains

21 June 2024 03:51:33 +0000

Yesterday, 20 June 2024, multiple clients began contacting us to report that email they were sending to certain domains was bouncing. We responded as usual by routing messages to the problem domains via our secondary SMTP server. In other words, this wasn’t an unusual experience, and we mitigated it immediately as we always do.

However, it very quickly became apparent that all of the problem destination domains in these multiple reports were hosted by a single hosting provider: Microsoft … or Outlook, or Hotmail, or however they’d like to be known today.

As we’ve said to our clients for many years, fighting spam is a never-ending battle. It’s a big issue for hosting companies big and small; however, the power of small hosting companies like NinerNet to deal with massive companies like Microsoft, Gmail, Yahoo, etc., is almost non-existent. Actually, it’s not almost non-existent, it is totally non-existent. For many years NinerNet has been (and still is) a member of or participant in the Outlook.com “Smart Network Data Services” system. This was supposed to give small providers like NinerNet access to the decision makers at Microsoft (the so-called postmaster[s]) so that we could work out issues together as if we were all grown-ups. However, it has never actually worked that way. Instead, the big hosting providers listed above treat companies like NinerNet with disdain. After all, we’re competitors, and every client who hosts with NinerNet takes away revenue from the big boys.

The rest of this blog post is lengthy, and goes into a fair bit of detail. The summary is that a huge email hosting provider (Microsoft) has suddenly made sending email to them very difficult for us, but NinerNet has done and is doing everything we can to provide a working service to our clientele.

Today we find we’re in a situation where one of the biggest email hosting companies in the world — owned and run by Microsoft — is refusing email from companies like NinerNet. This is anti-competitive, which you wouldn’t expect from a company headquartered in a country where the competitive marketplace is supposed to trump (pardon the pun) everything else.

The bounce messages generated by the failed deliveries offer a “delisting” service, purely because Microsoft seems to actually realise that they have acted with a very heavy hand in this instance. However, when we tried for the third time to get our mail server’s IP address delisted, the automated response we got was that, “The IP address in question is not currently blocked in our system.” This is interesting.

What we believe has happened here is that Microsoft are using a blacklist that includes every single one of the IP addresses owned by the company where a number of our servers (including our primary mail server) are physically located, and have been located for about eight years. This company is Digital Ocean. Why are all of Digital Ocean’s IP addresses blacklisted? Good question. The summary seems to be that Digital Ocean has no interest in dedicating resources to keeping spammers off of their servers. This results in their telling their customers (like NinerNet) that they should send all email out via third parties. This is a ridiculous and expensive requirement, of course, because that is not how the Internet was designed several decades ago, and it’s not how NinerNet operates or has ever operated. When this requirement was forced on us by another data centre company many years ago (Interland), we refused and moved our business elsewhere. For sometime now we have known that the data centre for our next mail server would not be a Digital Ocean data centre but, strangely enough, Microsoft didn’t give us any notice of this change in their practices. And as you know if you’ve been a NinerNet client for any length of time, moving email hosting to a new server is no small undertaking.

The result of Digital Ocean doing nothing to keep spammers out of their data centres is that their IP addresses (including ours) have been elevated from UCEPROTECT Level 0, to Level 1, to Level 2 and finally (over time) to Level 3. UCEPROTECT describes Level 3 as listing the “IP Space of the worst ASNs”. (An ASN is a “Autonomous System Number”, “an identifier for a collection of IP networks and routers under the control of one entity”. [Wikipedia.]) So NinerNet’s mail server is in a blacklist, not because of something we or one of our clients have done (or not done), but because Digital Ocean fails to do anything to keep spammers off of their systems.

For sometime we have known about the fact that UCEPROTECT has a system by which companies like NinerNet, who have no track record of providing safe harbour to spammers, can have their IP address(es) whitelisted, so that we are essentially excluded from the Level 3 blacklisting of all Digital Ocean IP addresses. Previously we chose not to do this because of the added expense, and we preferred to spend money on other ways (described in the first paragraph of this post) of mitigating this problem. However, we have broken down and paid a fee to UCEPROTECT to have our IP address whitelisted.

Therefore, if we are correct in deducing the cause of the current problem, we expect that email to domains hosted by Microsoft will be delivered without hindrance starting by about 04:18 UTC today, 21 June 2024.

Update, 2024-06-22: We thought that our having paid for an exception to the UCEPROTECT blacklist had solved the problem. And it does seem to have solved the problem, for the most part. However, very oddly, messages to only some Microsoft-hosted domains are still being blocked with the exact same bounce message that directs senders to their article, “External senders – Use the delist portal to remove yourself from the blocked senders list and address 5.7.511 Access denied errors” at http://go.microsoft.com/fwlink/?LinkID=526655, which redirects to https://learn.microsoft.com/en-gb/defender-office-365/external-senders-use-the-delist-portal-to-unblock-yourself?redirectedfrom=MSDN. (The 5.7.511 error in the title does not appear to apply to the messages bounced from our server, as those errors are 5.7.1.) However, every time we try to have our mail server’s IP address delisted, the response we receive is, “The IP address in question is not currently blocked in our system.” So why are messages being blocked?!

This seems to be a ridiculous game of cat-and-mouse that Microsoft are playing instead of being open with people about what they are doing, and companies like NinerNet cannot do anything to counter that. It makes absolutely no sense, and doesn’t serve Microsoft, their customers, or NinerNet or our customers.

So in these circumstances, if you’re still having messages to Microsoft-hosted domains bounced — you will know if you see references to Outlook(.com) and Microsoft(.com) in the bounce message — please forward the bounce message(s) to NinerNet support and we will add the problem domains to the mail server configuration that redirects messages sent to those domains via our secondary SMTP server. This is the same procedure that we followed previously, but we were hoping to avoid that procedure by buying our way out of the UCEPROTECT blacklist. However, at least now the number of Microsoft-hosted domains that we have to add to our mail server configuration should be far less than previously.

Again, we apologise to you, our clients, for this non-consensual position in which Microsoft has put us and many small hosting companies around the world.

Update, 2024-06-28: Over the last week we have added a grand total of 21 domains to our mail server’s configuration to redirect outgoing messages to them via our secondary mail server. In that time we have learned that there is no consistency to the problem. Sometimes mails that are blocked are delivered five minutes later if the sender retries, without our adding that domain to our mail server’s configuration. And delivery succeeds to some Microsoft-hosted domains consistently without any intervention by us. There’s nothing more frustrating than an inconsistent problem that is not possible to troubleshoot.

So at this point it seems that we are back to the point we were at before this incident started. Here is a summary of what has transpired:

  • All emails to Microsoft-hosted domains started bouncing.
  • We paid to be removed from a blacklist that we thought might be the cause.
  • This seemed to help to some extent, but over the course of the next few days we added 21 destination domains to our mail server’s configuration to direct messages to those domains via our secondary mail server.
  • We are still exploring alternative ways of automatically determining the MX record of destination domains and automatically redirecting mail to Microsoft-hosted domains via our secondary mail server.
  • We are also still looking for ways to contact Microsoft to determine the cause of this issue, but we hold out little hope of doing that.
  • This server will be replaced in the near term. To that end we will be looking for a data centre where we won’t run into the issue of all of their IP addresses being blacklisted as is the case where our primary mail server is currently located on a Digital Ocean IP address.

As always, if you have mail you send bounced by Microsoft, please forward the bounce message to support and we will add the destination domain to our mail server’s configuration. We appreciate your patience and continued patronage.

Tags: , , , , , , , ,
Categories: Email, Incidents, Maintenance, NC036
1 Comment »

Email messages from Xneelo (formerly Hetzner South Africa) senders blocked

19 January 2024 01:23:15 +0000

We’ve been meaning to post about this for several years (since 2020), but we haven’t because there’s always something more important to do and it’s not our job to highlight how badly a competitor is running their mail servers. However, after the issue had gone away for a time we thought that perhaps Xneelo (formerly Hetzner South Africa) had resolved their problem. But now it’s back.

The problem is that one of the multiple mail servers they run is in multiple anti-spam blacklists/blocklists. We don’t know how many outbound mail servers they run, but let’s say (for the sake of example) it’s ten. If the IP address of one of those servers is in a blacklist, and all of their outbound mail is equally spread among those ten servers, then 10% of their outbound messages will not be delivered to anyone that is using the blacklists in which that server is listed.

The problem for us is that we end up devoting a significant percentage of our support resources to answering questions from clients who don’t understand what is going on, and who think that we are the problem. But we’re not!

Getting into an anti-spam blacklist is a significant event for any company, but the bigger you are and the more servers you run the less of an issue it is. NinerNet is not big, and so if one of our servers gets into a blacklist it’s a big deal, and we jump around to fix the problem and have our IP address removed from the blacklist. Considering how long one of Xneelo’s mail servers has been in a major blacklist, and how many of their clients we (or our clients) have told to take the problem to Xneelo, it’s shocking to us that they don’t seem to have done a thing about it. So we’re making this blog post to try and bring their attention to it publicly and to point our clients here whenever they have a question about the problem.

If one of your correspondents tells you that their email messages to you are not getting through to you, and they’re a Xneelo customer, this is almost certainly the reason. Your correspondent — the Xneelo client — needs to go to Xneelo to demand that Xneelo resolve their years-old problem in order to serve their own clientele properly.

Update, 2024-03-01: A Xneelo client that was failing to correspond with one of our clients engaged Xneelo support on 28 February 2024, and we are in ongoing discussions with Xneelo for them to fix this problem. Xneelo have acknowledged that at least two of their outgoing mail servers (197.189.244.82 and 197.189.244.90) are in six blacklists between them, so the situation is actually far worse than the hypothetical example given above. When the issue is resolved we will post an update here.

Update, 2024-03-05: Almost a week later and Xneelo are still spouting excuses and fabrications, and assuming that the people they are addressing (including us!) are too stupid to understand how email works. This may or may not be resolved at some point, but at this point it seems it likely won’t be. Email service providers should cooperate with one another to reduce spam across the Internet, and they should communicate truthfully with one another, but that seems to be too much of a challenge for Xneelo. We’d love to run our mail servers without having to consult blacklists of spammers, but your email account would become instantly useless if we did. All we can suggest you do is to advise your correspondents to use email hosting providers that take care of the reputations of their IP addresses, as otherwise their email will be tainted with the same negative reputation. This is how the combined actions of hosting clients are supposed to drive the bad actors out of business.

Update, 2024-03-14: It has emerged that Xneelo doesn’t even handle greylisting properly! One of the parties involved in the ticket with Xneelo decided to communicate with us directly (to become a client, ironically), but because Xneelo’s mail servers don’t respond correctly to NinerNet’s use of the well-established anti-spam technique greylisting, their messages to us are now bouncing! Apparently this client of Xneelo has done the right thing and told Xneelo that they will be moving their hosting business away if they don’t fix the problem. It blows us away how badly Xneelo is running their mail servers!

Update 2, 2024-03-14: We have added various IP addresses, server names and domains to various whitelists on our mail servers. Adding the blacklisted IP address will not have any effect on messages from Xneelo’s blacklisted servers that are listed in the blacklists our anti-spam system consults, but these additions are, as far as we can tell so far, having a positive effect on Xneelo’s inability to handle greylisting. If you communicate with a South African correspondent who is hosted by Xneelo and their emails to you are bouncing or taking hours to come through, please log into the mail server control panel and add their domain at Domains and Accounts -> YOUR_DOMAIN -> Greylisting -> Do not apply greylisting on listed senders. If your correspondent is susie@example.com, you need to add “@example.com” (with the leading @ symbol) to that text box, and click the green “Save changes” button.

Update, 2024-03-25: We have not heard back from Xneelo in three weeks, and it seems clear that we won’t. So our advice remains the same: If one of your correspondents tells you that their email messages to you are not getting through to you, and they’re a Xneelo customer, this (everything explained above) is almost certainly the reason. Your correspondent — the Xneelo client — needs to go to Xneelo to demand that Xneelo resolve their years-old problem in order to serve their own clientele properly. But please do also contact NinerNet support and we will assist you to do all that can be done to help the Xneelo mail servers get their messages through to you. However, the situation described above — the two IP addresses above are still in multiple blacklist — is still just as true today as it was when we first posted this in January.

Update, 2024-12-07: When Xneelo customers contact Xneelo support now, Xneelo are blaming NinerNet for this problem by stating:

The cause of the delivery failure is due to the recipient blacklisting your email address. This can be seen in the delivery failure itself: Recipient address rejected: Blacklisted.

This is not an issue on your phone or an issue with the server. The error would need to be investigated by the recipient themselves as they are the ones rejecting the emails.

As is very clearly demonstrated above, this is completely false, and shows a complete lack of understanding on the part of Xneelo of how Internet email and widely circulated and used blacklists work. This is surprising considering this untruth is being perpetuated by someone who labels himself as a “Senior Technical Support Consultant”! The fact is that NinerNet does not normally block individual email addresses, as this is generally pointless because spammers change their email addresses all the time, often with every email message. We block the IP addresses of mail servers (including Xneelo’s) that spew spam and malware.

If you’re hosting your domain with Xneelo, you’re entrusting it to incompetents. That’s a poor business decision.

Tags: , , ,
Categories: Email, NC036
Comments Off on Email messages from Xneelo (formerly Hetzner South Africa) senders blocked

NC036: Mail server disk space issue

15 October 2021 11:34:08 +0000

Server NC036 (the primary mail server) briefly ran out of disk space on Friday 15 October at 11:02 UTC. This was immediately rectified, and the server was running normally again at 11:10.

This is the reason for this weekend’s scheduled maintenance. This problem won’t happen again after the maintenance. We apologise for this temporary problem.

If you have any questions, please contact NinerNet support. Thank-you.

Tags: , , , , ,
Categories: Email, Incidents, NC036
Comments Off on NC036: Mail server disk space issue

NC036: Emails to Hotmail/Outlook being redirected

22 May 2020 07:03:49 +0000

Some clients may have had emails they sent to Hotmail, Outlook and other Microsoft email service domains bounced in the last 24 hours. This is because the primary mail server’s IP address has been blacklisted by Microsoft, despite our being enrolled in their “Junk Mail Reporting Program”. Our being enrolled is supposed to result in our being informed of spam complaints (which are overwhelmingly false) before our IP address is blacklisted, but their system seems to have been broken for the last few years.

Until we can get in touch with Microsoft support to have our IP address removed, or until our listing expires, we are automatically directing all email to their domains through our relay server, which is not blacklisted.

If you had an email bounced, please resend it. Thank-you, and sorry for the hassle. If you have any questions please contact NinerNet support.

Tags: , , , , , ,
Categories: Email, NC036
Comments Off on NC036: Emails to Hotmail/Outlook being redirected

NC036: Migration update 23 — SMTP AUTH is required for users under this sender domain

11 June 2018 09:38:23 +0000

There are two reasons why you may be getting the above error in response to messages you’ve sent to addresses on domains hosted by NinerNet, likely your own domain:

  • It may be because you’re sending from an address on a domain that we host, but instead of sending your email through our SMTP server (smtp.niner.net) you’re sending through another SMTP server, possibly that of an ISP or another email service provider. In some cases this can happen because of a situation similar to that described in the sixth bullet point of our post “NC036: Migration update 20 — Solutions“, where you’ve sent the email through a third party, perhaps an ISP, or an email account you have with another provider.
  • If you’re using some cloud-hosted application that tries to send email to you as you (or another user on your own domain), then that email looks like spam to the mail server, because lots of spammers mistakenly try to get their email through by sending their spam from your email address to your email address, or from another address on your own domain to you.

The solutions are, respectively (and respectfully):

  • Configure your email program to use smtp.niner.net to send email from any domain that we host. If you’re following the configuration instructions we send you, then that is the case by default, and always has been.
  • Have the provider of the cloud service send those emails from an address — even a “no-reply” address — on their own domain, or use SMTP AUTH to send the email through smtp.niner.net from an address on your own domain, just as you or any other human with an address on your domain would.
Tags: , , ,
Categories: Email, Incidents, NC036
Comments Off on NC036: Migration update 23 — SMTP AUTH is required for users under this sender domain

NinerNet home page

Systems at a Glance:


Loc.SystemStatusPing
Server NC023, London, United Kingdom (Relay server), INTERNAL.NC023InternalUp?
Server NC028, Vancouver, Canada (Monitoring server), INTERNAL.NC028InternalUp?
Server NC031, New York, United States of America (Web server), INTERNAL.NC031InternalUp?
Server NC033, Toronto, Canada (Primary nameserver), OPERATIONAL.NC033OperationalUp?
Server NC034, Lusaka, Zambia (Phone server), INTERNAL.NC034InternalUp?
Server NC035, Sydney, Australia (Secondary nameserver), OPERATIONAL.NC035OperationalUp?
Server NC036, Amsterdam, Netherlands (Mail server), OPERATIONAL.NC036OperationalUp?
Server NC040, Toronto, Canada (Web server), INTERNAL.NC040InternalUp?
Server NC041, New York, United States of America (Web server), OPERATIONAL.NC041OperationalUp?
Server NC042, Seattle, United States of America (Status website), OPERATIONAL.NC042OperationalUp?

Subscriptions:

RSS icon. RSS

Twitter icon. Twitter

Search:

 

Recent Posts:

Archives:

Categories:

Links

Tags:

.co.zm domains .com.zm domains .zam.co domains back-up bounce messages browser warnings connection issues control panel database dns dos attack dot-zm domains down time email email delivery error messages ftp hardware imap mail mailing lists mail relay mail server microsoft migration nameservers network networking performance php phplist pop reboot shaw shaw communications inc. smtp spam spamassassin ssl ssl certificate tls tls certificate viruses webmail web server

Resources:

On NinerNet: