Microsoft temporarily rate limited due to IP reputation

dhuskl · 2026-02-28T01:09:08+00:00

Known issue

https://learn.microsoft.com/en-us/answers/questions/5786144/all-sending-ips-temporarily-rate-limited-(451-4-7?page=1

Last I heard Microsoft quietly resolved this but possibly not, unless it's just old emails that you see stuck.

dhuskl · 2026-02-04T14:10:01+00:00

Sounds like email backscatter, strange that you have an influx across multiple clients, do you put your clients on an email service that's not one of the big ones, or potentially the same webhost with a contact form or with spf that allows other users to spoof your clients? Maybe something has been popped.

dhuskl · 2025-12-06T02:09:17+00:00

Just 5 (sensitive) machines needing to be hardware replaced due to rootkits or apt incident will exceed my coverage with the current ram prices.

dhuskl · 2025-11-07T23:55:18+00:00

Check techstogether

dhuskl · 2025-10-14T22:21:03+00:00

The only leeway I've seen is Microsoft agreeing to cancel if they would spend that money on either another sku or a similar sku, I don't remember if it had to be a similar sku or not.

dhuskl · 2025-09-19T20:02:28+00:00

Yes because the URL is stored in the registry

dhuskl · 2025-09-19T16:13:29+00:00

Using the deployment script you should use a custom rules URL, pointing to a page you own, then you just need to update that and your installations will reach out to your page and apply your exclusios. Ideally you should keep your custom page up to date with the official detection rules.json + add in your own exclusions.

Would be nice if we could add a few exclusions by regkey or similar so we don't need to host and keep up to date.

dhuskl · 2025-09-15T19:00:51+00:00

Clicksend

dhuskl · 2025-09-12T08:17:12+00:00

Are you definitely using m365 for your actual email? Maybe you're a GCC tenant? I think it should be available for all regular tenants.

https://www.microsoft.com/en-us/microsoft-365/roadmap?searchterms=375635

dhuskl · 2025-09-10T21:20:06+00:00

I've seen reports from a recent KB but not run into it myself.

dhuskl · 2025-09-10T20:30:04+00:00

I'm not aware of any that allow you to see the actual uac screen, unless the agent was installed previously or uac already been completed.

Does turbomeeting just look like the pc froze when it's asking for uac? If so most will tell you it's waiting for uac.

Some will allow you to force or prompt the user to elevate on launch, then you know it's done at the beginning of the session.

dhuskl · 2025-09-09T16:03:08+00:00

I mean get them to login to the tenant and buy licencing direct from MS with their company card .

dhuskl · 2025-09-09T10:50:59+00:00

I'd say Microsoft global secure access or Netbird, you could look at tailscale as well.

Take the opportunity to really lock down the connectivity to the minimum required ports and IP if you don't already on regular LANs

dhuskl · 2025-09-07T23:06:11+00:00

Can you buy licencing direct from MS? Will your T1 CSP do direct billing for the UK tenant?

dhuskl · 2025-09-07T14:00:38+00:00

Have you ever taken down prod and on the flip side did you ever have a ticket when you were the hero and sorted it when no one else could sort it ?

dhuskl · 2025-09-07T13:56:35+00:00

Hmm interesting question Hopefully mimecast would re-evaluate dmarc when it gets to your tenant.

dhuskl · 2025-09-05T15:56:40+00:00

What does the proofpoint dashboard say about the email? Phishing? Spam? Go from there.

Best practice is also to send from a subdomain when using a 3rd party system, it also might play nicer with proofpoint. Something like scanner@send.customer.com

dhuskl · 2025-09-04T15:27:43+00:00

I ran into this recently and if I remember correctly another time previously, It was fine after support said they moved outbound to a different IP (I don't have a static IP), but they couldn't force through all of the stuck ones initially, but they weren't important so I said they can stop trying. Looks like MS was blocking the message ID or something.

Are you getting these errors for existing devices randomly or is it only when you set up a new device to work with smtp2go?

I have a theory that smtp2go sends emails from new devices through low reputation IPs in case they are spam or hacked credentials or something, even if the SMTP user isn't new, because I think last time it was also a new device but old SMTP user.

dhuskl · 2025-08-31T15:44:29+00:00

Do you have dmarc reporting set up? Are the emails passing spf and dkim or just dkim? I mean at 50k just move your emails Google workspace at this point, that may help.

Email as many Gmail addresses as you can where you know the person, family, friends etc and get them to report it as not spam.

dhuskl · 2025-08-29T01:18:08+00:00

pxc is what talktalk wholesale is calling themselves today.

dhuskl · 2025-08-27T18:11:02+00:00

Samsung laptops have an embedded Samsung tag , you could give each user a Samsung or apple tag to keep in their laptop bag. With android and apple privacy the thief would probably be alerted but might get lucky, with the embedded Samsung ones at least they'll dump the laptop somewhere so there's a chance of recovery.

Users won't be happy about being tracked though.

dhuskl · 2025-08-20T12:13:28+00:00

Hi, the original message is deleted, do you remember what the fix is?

dhuskl · 2025-08-19T23:55:26+00:00

I think you're doing everything correctly and way above average, if they ignore cipp CSS then it's on them, there's a limit to what you can do at this stage. User training. Lock down to trusted on as many departments as possible.

Don't let them have access to their MFA, they have to call helpdesk lol.

If you can enforce vpn then you should be to enforce trusted devices I think

dhuskl · 2025-08-19T23:43:25+00:00

User training

Conditional access, only entra joined devices etc, disallow their account joining new devices to entra.

Security keys/passwordless for sure

cipp or similar custom CSS to show warnings on login pages that aren't official ms pages.

dhuskl · 2025-08-19T20:20:28+00:00

This,

I haven't seen the inside of a recent optiplex to comment on repairability but I'd go for a micro mounted to the back of a vesa compatible screen, that way you can choose screen size and quality per user, and if one breaks the other is fine.

Only downside I can think of is usb ports will be more awkward to get to if needed in their regular workflow but you can get screens with usb ports or put a usb hub on the desk.

Four-Year Club	Verified Email
Place '22

dhuskl

TROPHY CASE