Stop using the Spamhaus PBL on mail submitted by *authenticated* inbound connections
I understand this is a duplicate of the below ticket, but MS is being particularly short-sighted with the problems this causes:
As per the Spamhaus PBL description:
THE PBL IS NOT A BLACKLIST. You are not listed for spamming or for anything you have done. The PBL is simply a list of all of the world's dynamic IP space, i.e. IP ranges normally assigned by ISPs to broadband customers' routers/modems (DSL, DHCP, PPP, cable, dialup). It is perfectly normal for these IP addresses to be listed on the PBL. In fact all dynamic IP addresses in the world should be on the PBL. Even static IPs which do not send mail should be listed in the PBL.
MS is blocking mail from all IPs on the list, EVEN WHEN THEY'RE AUTHENTICATED. Note: you can authenticate in other ways than with a username and password. This effectively kills either the effectiveness of the PBL at listing all non-mail servers in the world (as we need to de-list ourselves) or the ability of users to connect alternative devices to O365:
Users may have many devices located on the internet that need to send email through O365, including but not limited to MFCs, web servers, storage devices, CCTV cameras, firewalls, routers, etc. MS gives 3 ways of connecting these to O365:
a) Create an account on O365: This can get very expensive if the content of each device's emails needs to be partitioned between different departments. Plus it's creating unmonitored mailboxes holding dead end messages.
b) Send mail directly to your MX records, list the IP in your SPF: MS blocks all mail to your MX records if the IP address is correctly listed on the PBL.
c) Configure a Connector to AUTHENTICATE that IP address: MS blocks all mail to your MX records if the IP address is correctly listed on the PBL.
How it should work:
1) If mail is authenticated with a username and password, MS should not apply filtering based on the PBL <- Current behaviour
2) If mail is authenticated by IP address in the SPF record, MS should not apply filtering based on the PBL
3) If mail is authenticated by IP address in the Exchange IP Whitelist, MS should not apply filtering based on the PBL
4) If mail is authenticated by IP address in the Exchange Connectors, MS should not apply filtering based on the PBL
5) If mail is unauthenticated, MS should apply a higher spam score to the mail, but should not block the email outright. A listing on the PBL is in no way a certain indication of spam, it's just an indication of higher confidence of spam.
MS is effectively banning connections from IP addresses that the user has created specific exceptions for in Exchange (SPF Records, Connectors and IP Whitelist).
At the very least: When a user has created an Exchange Connector for an IP address, MS should not be blocking connections from that IP address, especially for something so innocuous as the PBL.
MS should look to Google for how they operate in relaying mail from MFCs and IoT, etc. Effectively Google allows the user to create an IP whitelist of allowed direct send devices. Google then relays the mail accordingly.
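The five rules listed under "How it should work" above, written out as a small policy routine. This is an added example and not code from Microsoft, Spamhaus or the original poster: the DNSBL query name construction and the ZEN return codes for the PBL (127.0.0.10 and 127.0.0.11) are the published Spamhaus conventions, while the `classify_auth`/`decide` helpers, the `PBL_SCORE` value and the sample networks are assumptions made for the illustration. For the SPF case the example takes the networks already resolved from the sender domain's SPF record as input; it does not fetch or parse SPF itself.

```python
"""Added example: the PBL-aware filtering policy proposed in the post above.

Assumed helpers and thresholds (not Microsoft's or Spamhaus's code): a DNSBL
lookup against zen.spamhaus.org, an authentication classifier covering SMTP
AUTH, SPF, an IP allowlist and connectors, and a spam score that is raised
(never a hard reject) for unauthenticated connections listed on the PBL.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional

ZEN_ZONE = "zen.spamhaus.org"
# Spamhaus ZEN answers that mean "on the PBL" (ISP-maintained, Spamhaus-maintained).
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
PBL_SCORE = 3.0  # assumed score bump; the post only asks for "higher", not a value
AUTHENTICATED = {"smtp_auth", "spf", "allowlist", "connector"}  # rules 1-4


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_lookup(ip: str) -> set:
    """Real lookup: resolve the DNSBL name; NXDOMAIN (gaierror) means not listed."""
    try:
        _, _, answers = socket.gethostbyname_ex(dnsbl_name(ip))
    except socket.gaierror:
        return set()
    return set(answers)


def _in_networks(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def classify_auth(client_ip: str, *, smtp_auth_ok: bool = False,
                  spf_networks=(), allowlist=(), connector_networks=()) -> Optional[str]:
    """Which of the post's authentication methods does this connection satisfy?

    spf_networks: networks already resolved from the envelope sender's SPF record.
    allowlist / connector_networks: tenant-configured IP ranges (assumed inputs).
    """
    if smtp_auth_ok:
        return "smtp_auth"
    if _in_networks(client_ip, spf_networks):
        return "spf"
    if _in_networks(client_ip, allowlist):
        return "allowlist"
    if _in_networks(client_ip, connector_networks):
        return "connector"
    return None


@dataclass
class Decision:
    action: str            # always "accept": a PBL listing alone never rejects (rule 5)
    auth: Optional[str]
    pbl_listed: bool
    spam_score: float
    reason: str


def decide(client_ip: str, auth: Optional[str], lookup=dns_lookup) -> Decision:
    """Apply the PBL only to unauthenticated connections, and only as a score."""
    if auth in AUTHENTICATED:
        return Decision("accept", auth, False, 0.0,
                        f"authenticated via {auth}; PBL not consulted")
    listed = bool(lookup(client_ip) & PBL_CODES)
    score = PBL_SCORE if listed else 0.0
    reason = ("unauthenticated and PBL-listed: spam score raised" if listed
              else "unauthenticated, not on the PBL")
    return Decision("accept", None, listed, score, reason)


if __name__ == "__main__":
    # Constructed offline sample: a TEST-NET address we pretend ZEN lists as PBL.
    constructed = {"203.0.113.5": {"127.0.0.10"}}
    fake_lookup = lambda ip: constructed.get(ip, set())
    auth = classify_auth("203.0.113.5", connector_networks=["203.0.113.0/24"])
    print(decide("203.0.113.5", auth, lookup=fake_lookup))
    print(decide("203.0.113.5", None, lookup=fake_lookup))
```

The `__main__` block runs entirely offline against a constructed lookup table; `dns_lookup` performs a live query and is what a real submission path would pass in. The point of the structure is that the PBL lookup happens after the authentication decision, so a device that is allowed by connector, allowlist or SPF is never even checked against the list, and an unauthenticated PBL hit changes a score rather than producing a reject.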
John Greenfield commented
This is a huge issue. Some multifunction devices are unable to use authentication and TLS 1.2. The only way to connect these is using a connector with an SPF record, but still Microsoft blocks based on the Spamhaus PBL. Please fix. Relaying emails through Office 365 is a joke at the moment.
I've edited the title, as "authenticated users" is interpreted as email submissions from clients using SMTP AUTH, for example. "Authenticated inbound connections" better describes connections using connectors.
Have you heard anything back from MS about this or Spamhaus?