XF 2.2 Cloud email bounces from Hotmail

[MapleOne]

Anyone else having issues on cloud with hotmail/live/outlook bouncing email notifications.

Checking my logs and the soft bounces seem to come from hotmail addresses.

Also a few members registering with hotmail addresses have contacted me about not getting registration verification emails.

I hate hotmail, they give me problems at work too, whenever someone does not get an email its always a bloody hotmail address.

 

[Suzanne O]

I respect your answers on this forum, but this is nonsense.
Hotmail/outlook is one of te biggest mailproviders and widely used.
Now because the XF mail server is rejected again, we have to advise all users to stop using hotmail as mailprovider?
Not going to happen.

MS is very active in trying to prevent spam from their servers. Blocking legit servers is problematic, but if this is the 4th time, there must be something that triggers this. They provide special portals like SNDS and JMRP to get more insights in why your IPs are being rejected.

I am sure XF does all it can to get unblocked and this is frustrating, but advising users to stop using this is like advising Android users to switch to Apple because something on Android does not work as expected.

For me, this attitude was the reason to use an external email provider for XF Cloud some time ago. They managed to deliver all mail without being blocked.

Get tougher with your members.
Don't allow them back if they continue to sign up with invalid email addresses.
XF allows valid email addresses.
Some people ask for validation tokens of their xf forum.

 

[Paul B]

this is nonsense

I agree, MS are nonsense for repeatedly doing this.

People are of course free to keep using them, on the understanding that any site they use can be blacklisted by MS at any time, so they may not receive emails.

 

[FTL]

Get tougher with your members.
Don't allow them back if they continue to sign up with invalid email addresses.
XF allows valid email addresses.
Some people ask for validation tokens of their xf forum.

This isn't about someone signing up with an invalid email address (they can't anyway as they'll never get the verification email) but Hotmail / Outlook blacklisting the IP addresses that XF Cloud uses. You can't force people off a perfectly normal and large email provider because your system is getting spam blocked by them. That's what's nonsense.

 

[thedunes]

I agree, MS are nonsense for repeatedly doing this.

People are of course free to keep using them, on the understanding that any site they use can be blacklisted by MS at any time, so they may not receive emails.

I understand that my users with Microsoft email accounts won't get email while the IP is blocked but I don't understand why they can't log in to the forum while this is happening, I keep having to set them back to valid. I guess my question is, if they are already signed up why is a blocked MS IP address affecting current users? Apologize if this is obvious, I am just trying to understand.

Thanks,

John

 

[Chromaniac]

it's probably happening because of the bounced email feature that is probably preconfigured on cloud installations. on self hosted like mine, i do not have it setup and i get the bounced email on my own id and i mark them as bounced manually. so if the user is subscribed to any email alerts from the forum, they are likely getting blocked coz emails being generated by thread updates are getting bounced and xenforo is marking them as invalid.

 

[TPerry]

Don't allow them back if they continue to sign up with invalid email addresses.
XF allows valid email addresses.

And last time I checked, @live.com, @hotmail.com and @outlook.com were all very valid email addresses used by a large segment of society.
The issue is that the XF cloud MTA server is getting blocked by Microsoft and their "magic beans" filtering algorithm. Their blocking is overly aggressive at times, and usually you can't find out exactly why the server is getting blocked easily (been there, done that, got all the accessories).
It's one reason that I went with Amazon SES for my mail delivery.

I wonder if there are some cloud clients that are using the ACP email user function to blast out "home grown" newsletters to their users and that might be triggering it?

 

[thedunes]

Does anyone have an idea why the users on my forum who have Microsoft accounts ie Live, Outlook, and Hotmail keep getting locked out of the forum requiring me to go in and set the user state back to valid about every hour or so?

I get that the IP is blocking email but don't understand why it is affecting user logins, any ideas?

Sorry, if I have asked this already but I can't seem to get support to answer the question.

The users do not have 2FA turned on either.

 

[TPerry]

I get that the IP is blocking email but don't understand why it is affecting user logins, any ideas?

Sorry, if I have asked this already but I can't seem to get support to answer the question.

It is probably the bounce function. Once their email gets bounced by hotmail (especially if a hard bounce) their account status changes via the XF cron job to require revalidation of the email.



You should be able to disable using the bounce function in your ACP. But disabling it will probably do more to damage the IP reputation of the XF MTA server with Microsoft since your site would continue trying to send emails that they have blocked (ergo damaging the XF MTA server IP reputation).

If you remove these entries, it should disable the bounce checking.



Honestly, I have been a member of several sites that simply do not allow the use of Outlook/Live/Hotmail addresses to sign up or change to.

 

[thedunes]

It is probably the bounce function. Once their email gets bounced by hotmail (especially if a hard bounce) their account status changes via the XF cron job to require revalidation of the email.

View attachment 296113

You should be able to disable using the bounce function in your ACP. But disabling it will probably do more to damage the IP reputation of the XF MTA server with Microsoft since your site would continue trying to send emails that they have blocked (ergo damaging the XF MTA server IP reputation).

If you remove these entries, it should disable the bounce checking.

View attachment 296111

Honestly, I have been a member of several sites that simply do not allow the use of Outlook/Live/Hotmail addresses to sign up or change to.

Thank you so much, this makes sense. I will leave the settings as is, I don't want to cause more problems for XF.

I did add language to the registration page asking users not to use Microsoft accounts per Paul B post.

 

[Paul B]

You can increase the trigger values which would give more time before accounts are set as bounced.



That may or may not make the situation worse as far as the server and MS is concerned.

 

[thedunes]

You can increase the trigger values which would give more time before accounts are set as bounced.

View attachment 296114

That may or may not make the situation worse as far as the server and MS is concerned.

Thanks, Paul, I don't want to make things worse so I will just wait and hope that MS clears things up soon.

Last question, why is the email being bounced in the first place if they are already current users? Does the system check the email against the MS server every time the user logs in? Why does that login check even need to leave the XF server? Newbie question.

 

[Sim]

I wonder if there are some cloud clients that are using the ACP email user function to blast out "home grown" newsletters to their users and that might be triggering it?

From my experience dealing with MS deliverability - the issues are likely a result of repeated failed attempts to deliver emails to either non-existant or problematic email addresses.

So any mass mailouts that any site makes where they haven't previously cleaned their mailing lists and/or don't have bounced email handling configured - will directly cause a drop in sending reputation for the IP addresses doing the sending and will eventually cause it to get blocked.

The problem is that it won't ever get better until this behaviour is changed - a huge red flag for ESPs is when you continually attempt to send emails to an address that doesn't want them or can't receive them, because that is what spammers do - they don't care how many get through, they just send them in bulk.

This is one of the reasons why I use SparkPost to send emails - they have automatic suppression lists, meaning that any email that bounces back as undeliverable is automatically added to a suppression list, which prevents me from mailing those users again no matter how many times I try (but I also used bounced email handling, so I won't try!). To re-activate an address, I have to manually remove them from the suppression list (I have a tool that does it for me with one click).

XF may need to look at making bounced email handling mandatory for Cloud customers to prevent this type of issue - it's not the only issue that could be affecting deliverability here, but I think it will help to stop making things worse.

 

[Paul B]

XF may need to look at making bounced email handling mandatory for Cloud customers

It is if PHP email is used.

 

[Sim]

Last question, why is the email being bounced in the first place if they are already current users? Does the system check the email against the MS server every time the user logs in? Why does that login check even need to leave the XF server? Newbie question.

Mailbox full is a very common reason for bounces - causes a "soft" bounce.

Invalid recipient "hard" bounces could occur if a user deletes or changes their email address after registering

Spam Content causes a "hard" bounce if the user marks your emails as spam.

Spam Block is a "hard" bounce and is the result of the receiving email provider considering the sending server to be a known spam source or having too low sending reputation - which is what's happening with MS.

Every time you try to send an email to a user (new post notification, etc), it gets bounced back as undeliverable by the receiving server because it's not accepting any emails at all from that source.

 

[Paul B]

To clarify, if PHP mail is selected, the trigger values are the only configurable values with regards to email.



Maybe we also need to remove those

 

[thedunes]

Mailbox full is a very common reason for bounces - causes a "soft" bounce.

Invalid recipient "hard" bounces could occur if a user deletes or changes their email address after registering

Spam Content causes a "hard" bounce if the user marks your emails as spam.

Spam Block is a "hard" bounce and is the result of the receiving email provider considering the sending server to be a known spam source or having too low sending reputation - which is what's happening with MS.

Every time you try to send an email to a user (new post notification, etc), it gets bounced back as undeliverable by the receiving server because it's not accepting any emails at all from that source.

Thanks for trying to explain it, I guess I just don't have enough experience to get it. Ever since this Microsoft IP issue started earlier this week it keeps setting the user state to Email invalid (bounced), I just can't connect the dots on why a current user logging into the forum (not for the first time) would have their email bounced. When a user logs in does his login request leave the XF server for validation and this is why his email is getting bounced by the blocked MS IP and bounced back thus setting his user state to Email invalid (bounced)?

 

[Sim]

Thanks for trying to explain it, I guess I just don't have enough experience to get it. Ever since this Microsoft IP issue started earlier this week it keeps setting the user state to Email invalid (bounced), I just can't connect the dots on why a current user logging into the forum (not for the first time) would have their email bounced. When a user logs in does his login request leave the XF server for validation and this is why his email is getting bounced by the blocked MS IP and bounced back thus setting his user state to Email invalid (bounced)?

It's got nothing to do with login.

What's probably happened is that forum has tried to send the existing user an email like a "new post" notification message (or similar) - these are very frequently sent and probably make up 90% of the emails we send from our forums. The user doesn't have to be logged in to receive these emails - they get sent automatically to alert users about a new post/thread/message/etc that they might like to visit the forum to look at.

So the forum sends an email to the user - but the user happens to use Hotmail (or some other MS email) and becuase MS are blocking the sending server - the message bounces back as undeliverable. Now your forums bounced email handler will pick up that bounced message and automatically change the user's state to "Email invalid (bounced)" to prevent further emails being sent to that user. Again, none of this requires the user to be logged in.

So the next time the user does try to log in, they're likely going to see a message about their account being disabled because of bounced emails. Again - this was not a result of them logging in - it already happened before then.

Hope this helps.

 

[thedunes]

It's got nothing to do with login.

What's probably happened is that forum has tried to send the existing user an email like a "new post" notification message (or similar) - these are very frequently sent and probably make up 90% of the emails we send from our forums. The user doesn't have to be logged in to receive these emails - they get sent automatically to alert users about a new post/thread/message/etc that they might like to visit the forum to look at.

So the forum sends an email to the user - but the user happens to use Hotmail (or some other MS email) and becuase MS are blocking the sending server - the message bounces back as undeliverable. Now your forums bounced email handler will pick up that bounced message and automatically change the user's state to "Email invalid (bounced)" to prevent further emails being sent to that user. Again, none of this requires the user to be logged in.

So the next time the user does try to log in, they're likely going to see a message about their account being disabled because of bounced emails. Again - this was not a result of them logging in - it already happened before then.

Hope this helps.

Wow, now that I understand. I really appreciate you taking the time to break it down for me. I just wanted to understand why it was happening and now I do.

Thank you,

John

 

[thedunes]

Our site is still experiencing issues with this, does it usually take more than a week for Microsoft to release the IP address?

Is this something every forum platform would have trouble with or is it just the Xenforo software?

 

[Chris D]

Just wanted to update you all on this issue, what we have done to mitigate it, and what we are doing in future to reduce the disruption.

A brief history...

As a brand new IP address and mail server, we did have a few teething problems not long after we launched XenForo Cloud. To potentially correct @Paul B, at least from my memory, I don't think we got blocked by Microsoft more than once or twice before. And for the most part, these were simply reputation things, because we were a new server, and it has been mostly working fine for a little while.

What I think has happened, because it affected the mail server we use here and the mail server we use for Cloud customers, is Linode, the hosting provider we use for those servers, may have had its entire AS ranges blocked.

We became aware of the XF.com issue just before Christmas. This was reported immediately, but Microsoft denied there was an issue. The email said we could reply to add further details, which I did. It wasn't until after Christmas that I became aware that the Cloud mail server was affected too. So I again replied to that previous email. Despite assurances in the email we received, these emails were seemingly ignored.

We submitted a fresh request and this was eventually actioned and resolved the issue for Cloud customers on January 8th. Annoyingly, Microsoft were still denying there was anything blocking XF.com emails, but this contradicts the exact bounce messages they were sending which explicitly states they are

In terms of what we're doing to reduce disruption in the future:

1. We're building two new mail servers to replace the existing ones
2. Each of these servers are going to have multiple public facing IP addresses
3. The new server will send mail using any one of the IP addresses configured in our "pool"
4. The new software we have set up is significantly better in helping us surface errors that may be affecting deliverability

This has been rolled out to XF.com already which means we're now successfully delivering messages to most email providers, though we will be monitoring closely for any bounces that may indicate blocks we need to address. We now have a pool of multiple IP addresses and we can effectively remove IP addresses that might be blocked from that pool and either restore them once the block is resolved or replace them with new IP addresses entirely. This is now as simple as assigning a new IP address, configuring it in our IP pool and updating our SPF records. We can also assign a priority to each IP address so new IP addresses can be configured to be less likely to be used while they "warm up". The fact that we have multiple IPs also means any significant volume of email is now less "alarming".

If the next day or two goes well, we can roll these changes out to Cloud customers too. Something which should be mostly transparent without any significant disruption to existing sites.

In summary: For now, the issues should be resolved, and in future they should be less likely to be as disruptive.