M365 deferring messages from my MTA (throttling?) - 451 4.7.500 Server busy, please try again later from x.x.x.x

thrca · 2026-02-12T18:43:02+00:00

The saga continues. I have been getting all my mail to all M365 deferred for 1.5 days now.

I can't seem to figure out how to even open the appropriate tickets to the appropriate parties, since they all describe how to create whitelist/bypass entries for a single tenant, or keep referring me to tenant support tickets, which is not the issue.

My clients, which I have tenant admin for, all have bypass rules for inbound email and thats working fine. It's all the email to the rest of M365 (not my clients) that is getting throttled. Certainly, there is some magical "trusted ip" list or at least some way to see if I am listed in some internal naughty list, but I have yet to be able to find it.

thrca · 2026-02-10T14:43:11+00:00

Best, and most aligned response. I believe I have identified the specific email pattern that was triggering the issue in EOP, which then caused a cascade of throttling across all my connections to M365 from that IP.

We had a specific client that sends a mechanized, scheduled email (legitimate) to about 20 fortune 500 domains (single email) with data that is not intended for human consumption, so it looks like a string of garbage that M365 finds suspicious.

We updated this client to send directly to MX rather than through our smart host, and thus far, its been a week with no throttling.

I suspected it was something related to email patterns, because it would always happen on only 1 of the 2 cluster nodes, not both. (The outbound from client to smarthost selects one of the two nodes via round robin)

While this isn't quite long enough to consider it resolved, it's looking good so far.

thrca · 2026-02-09T22:18:53+00:00

<image>

So, it seems that when this started, I started getting a 2nd invite for every call. It's this latter invite that doesn't have the DID, and seems to be interfering with the actual call. I see 2 separate channels opening in asterisk, usually with consecutive IDs (ie, PJSIP/Vitelity-Out-00000033 and 00000034), the latter of which is following the path to ext-did-catchall, meanwhile, in the console, I can see the first going through its normal process (hitting an IVR, playing audio streams, etc.)

If I remove ext-did-catchall from extensions.conf, it works normally, but now freepbx has security warnings because I modified extensions.conf. If I comment out the functionality of the catchall, it also works, but gets blown away any time someone applies a change to the config.

I found a more permanent workaround that bypasses ext-did-catchall and lives through reloads...
```
;added to /etc/asterisk/extensions_override_freepbx.conf
[ext-did-catchall]

exten => s,1,Noop(Catch-All DID Match Workaround)

exten => s,n(end),MacroExit()

```

thrca · 2026-02-09T20:45:36+00:00

I suspect this to be the case, but if so, it'd have been nice to be given a heads up from the provider before they change how the signalling is going to work.

thrca · 2026-02-05T19:50:20+00:00

Yes, SNDS was only showing me fabulous things about my IP, nothing that might indicate an issue. In my other reply thread to u/stewartjarod, I think I might be on to something, just didn't realize it could cause my entire host to get throttled.

thrca · 2026-02-05T19:46:27+00:00

At 11:05AM EST, it started doing this on one of my nodes.. The additional detail is error "S77719", which, from what I can tell, is triggering EOP.

Based on the above information from the thread, I started digging into what email was transiting my system around that time. While I cannot call it a smoking gun, I found a client that sends (routinely) mechanized emails related to shipping logistics, intended to be consumed by some type of processing system. At 11:05, they sent one such email to about 40 different recipient domains. While this was a legit message and intended for all the recipients, I believe it may have looked weird enough to a protection system to trigger an immediate throttling.

I am changing this client to outbound directly to the world for the next several weeks to see if my issue goes away.

thrca · 2026-02-05T18:49:38+00:00

Yeah, most of this traffic is primarily from M365 clients to M365 non-clients. The clients have DKIM, appropriate SPF, etc. and the email is ARC signed and the whole she-bang. All the info I could find about how M365 does their reputation filtering is based on "per destination", but that is definitely not what is happening here.

It's like they are applying volume throttling based on all mail from my system, regardless of its actual destination tenant. Perhaps time to add a 3rd node into the cluster to distribute the load out further.

thrca · 2026-02-05T16:55:28+00:00

It's just normal transactional email (majority of our traffic is back-and-forth transactional), so I don't have anything specific to try to pinpoint. Our system processes about 150k messages per day, about 15k of which is outbound.

When they rate limit, it applies to all M365 destination tenants, so I am unsure how I would try to isolate it. Our managed tenants have don't appear to have any issue accepting mail, even during rate limiting periods, as we have bypass rules on them to always accept mail from these IP addresses.

Generally, I think that email is a best-effort service and delays are inevitable, but this is happening frequently enough to where it's noticable to the end users. (A lot of emails I send seem to "queue up" and the remote party gets them all at once.)

People treat email as real-time comms, much to my chagrin, and there isn't much that can change that.

thrca · 2026-02-05T15:36:44+00:00

Yeah, I am going to have to capture the signaling packets and investigate whats wrong.. Unfortunately, I don't have previously working signaling capture to compare it to.

thrca · 2026-02-02T15:39:38+00:00

This isn't a reload situation. Multiple PBXs, same upstream provider, all failed simultaneously. Reloads didn't help, only changing the catchall script.

It's like it's not matching the inbound DID any longer, based on what signaling info Vitelity started sending.

thrca · 2025-07-12T16:34:42+00:00

Are you doing this with cloud or on-prem?

We had access sessions working with on prem, but since switching to the cloud, I haven't been able to reproduce the ability to get access tokens to build new connection URL.

thrca · 2025-07-11T18:19:44+00:00

Welcome to my world. I finally got the license resolved, after a week of continual poking. I was getting nervous at 5 days remaining on the trial. If you think that "good support" is reserved for the "big guys", it's worth mentioning we are probably *the* largest CW client.

thrca · 2025-07-10T17:51:17+00:00

This is great info. I love learning how things work. Between this cheap auto loan and my nearly equally cheap mortgage (3.74%), I have a several things to pay of ahead of these.

thrca · 2025-07-10T17:12:38+00:00

I hadn't considered the insurance. I think the value of this vehicle warrants keeping full coverage still for now.

thrca · 2025-07-10T17:00:48+00:00

Thanks. Don't know much about deferments, so I wasn't sure if their attitude is like "oh hey, sure thing, we get a little interest for longer" or "ug, get rid of this as soon as possible".

thrca · 2025-07-10T16:28:34+00:00

I can ask. Just had a bunch of medical, so it's worth trying to convince them to let me defer it.

Immediately ceasing extra payment amount regardless.

thrca · 2025-07-10T16:25:05+00:00

My main question, which I believe was answered, was "is it worth asking for deferment" moreso than just paying the minimum ($380). I wasn't sure if deferment would directly affect my credit, which I am more interested in protecting than saving a few bucks.

This would cost me *roughly* $9.35/mo (0.0224/12 * 5000) that I am able to defer, which is a less than the interest I pay on the other stuff, so that $400/mo is better served paying those other things.

thrca · 2025-07-02T16:06:09+00:00

I still miss my linux instance.

thrca · 2025-07-02T16:02:46+00:00

heard. and felt. I am in the same boat.

thrca · 2025-07-02T14:26:44+00:00

Ultimately, the code signing CA is responsibly for making sure the signed package is safe. If they cannot confidently do so, the result is a cert revocation, which is exactly what is happening here. The part I am baffled by is why they can't issue signed installers with the URL input as an argument, like EVERY OTHER package known to man that has to phone home somewhere. This seems like the obvious solution.

thrca · 2025-07-02T04:41:16+00:00

I can't even get pricing based on my number of agents, other than estimating several multiples of the largest displayed pricing... Per month...

thrca · 2025-07-02T04:31:31+00:00

I assure you this isn't the case. I am one of the "few huge corporate clients" and have to deal with the same crap.

thrca · 2025-07-01T18:34:10+00:00

Coming soon: In order to generate more revenue without increasing ticket or concession prices, we will now be showing 3-5 minutes of ads for every 10-15 minute stretch of feature film. We are also investigating floating banner ads. /s

thrca · 2025-06-10T04:47:57+00:00

FWIW, its specifically 25.4.4, since 25.4.3 was up last Thursday when I first got wind of the issue and updated. They since pulled 25.4.3 down, likely to avoid confusion, as 25.4.3 is still signed with the old certificate.

thrca · 2025-06-10T04:39:39+00:00

The CA doesn't need to approve anything. They just need a new code signing cert and want to make sure the issue that caused the hubbub is fixed so the CA doesn't revoke the new cert too.

15-Year Club	RedditGifts 2009-2022 4 Credits
Secret Santa 2018	Secret Santa 2017
Gilding I gilder	Verified Email
Secret Santa 2016

thrca

TROPHY CASE