Anyone else seeing M365 SMTP Relay (IP Connector) hitting SCL:8 / High Confidence Spam as of yesterday? (April 15)

Posted by Sufficient_Gain3473@reddit | sysadmin | View on Reddit | 6 comments

Hey everyone,

Woke up to multiple clients reporting that scan-to-email has stopped working as of yesterday. We use Direct Send via an MX record and an IP-based Inbound Connector in 365 and multiple customers scans we're hitting quarantine in 365.

Headers are showing messages being flagged as High Confidence Spam (SCL:8) with the category CAT:HSPM. The diagnostic info specifically shows IPV:NLI (IP Not on List).

The SPF is passing, and no changes were made on the printer or firewall side. It seems like Microsoft has dialled up the EOP heuristics for unauthenticated relay traffic, possibly linked to the High Volume Email (HVE) GA that happened a couple of weeks ago. Could be totally wrong though.

We've got a project to switch customers over to SMTP2GO which most of our customers are on, but some customers are still using 365 SMTP relay for their many printers.

Is anyone else seeing this behavior? Is Microsoft finally killing off the reputation of the IP-connector method?

Thanks guys!

[-]

doktormane@reddit

We also had this happen to us for one of our printers a few days ago.

JustHereforIT-stuff@reddit

Yes saw this too since yesterday for several scan to mail devices.

Sufficient_Gain3473@reddit (OP)

Has it gone back to normal now for you?

Looks like its better now. We still had an issue this morning were one recipient was still being quarantined but sending it to one of his colleagues was working fine.🤷‍♂️

saltyslugga@reddit

we ran into something similar a few weeks ago with a client's multifunction printers. same deal, SPF passing but EOP flagging everything as HSPM with that IPV:NLI marker.

my guess is you're right that microsoft tightened something on the EOP side. the fact that it's showing NLI means your connector IP isn't being recognized as a trusted sender even though it should be via the inbound connector config. worth double checking that the connector is scoped correctly and that the source IP hasn't changed (some firewalls rotate outbound IPs if you're behind a NAT pool).

short term fix that worked for us was creating a transport rule to bypass spam filtering for messages matching that connector's IP range. longer term, moving to authenticated SMTP submission or an external relay like you're already planning with SMTP2GO is probably the right call. microsoft has been slowly making unauthenticated relay harder to use for a while now, and i wouldn't be surprised if this is another step in that direction. we started using Suped a while back and it made it way easier to catch stuff like this early through the reporting side, since you can see authentication failures across clients before they turn into tickets.

Grand_Comprehensive@reddit

tested it 5 minutes ago and it had an SCL of 1.