Who knows about hotmail? Techy wizards, please step this way!

You need to talk to the ISP who provides your mailserver hosting. That would be AWS, according to the information discovered by looking up the MX record for permies.com and seeing who owns the netblock:

ARIN WHOIS Lookup ( 52.41.164.144 )

NetRange:       52.0.0.0 - 52.79.255.255
CIDR:           52.0.0.0/10, 52.64.0.0/12
NetName:        AT-88-Z
NetHandle:      NET-52-0-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        1991-12-19
Updated:        2021-02-10
Ref:            https://rdap.arin.net/registry/ip/52.0.0.0



OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2022-09-30
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://rdap.arin.net/registry/entity/AT-88-Z


OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-555-0000
OrgAbuseEmail:  abuse@amazonaws.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/AEA8-ARIN

OrgRoutingHandle: ARMP-ARIN
OrgRoutingName:   AWS RPKI Management POC
OrgRoutingPhone:  +1-206-555-0000
OrgRoutingEmail:  aws-rpki-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/ARMP-ARIN

OrgRoutingHandle: IPROU3-ARIN
OrgRoutingName:   IP Routing
OrgRoutingPhone:  +1-206-555-0000
OrgRoutingEmail:  aws-routing-poc@amazon.com
OrgRoutingRef:    https://rdap.arin.net/registry/entity/IPROU3-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-555-0000
OrgTechEmail:  amzn-noc-contact@amazon.com
OrgTechRef:    https://rdap.arin.net/registry/entity/ANO24-ARIN

In a nutshell: someone who shares that IP address space* with your mail host has been flagged as a spammer and the maintainers of Hotmail's block list have now got you in the naughty corner just because the numbers are in that range. You can follow the advice in the bounce report, and try to get AWS net ops to deal with it. You may also be able to plead your case with Hotmail and ask them to whitelist permies.com since you're not the bad guys.

Getting caught in an RBL listing sucks, but in my experience Hotmail is one of the better outfits to deal with because at least a real human will be responding to you at some stage. Gmail won't bother.

* discouraging footnote: that IP subnet is GINORMOUS...52.64.0.0/12 is a block of over 1 million addresses, and 52.0.0.0/10 comprises 4 M.

Thanks Phil!  My understanding is that we've reached out to AWS previously and been told the issue is resolved but it continues to happen.  It's definitely worth us trying again though, as you suggest, and also with hotmail directly.

Perhaps we could consider a dedicated IP if we don't get any further.  If you have any other advice we'll gladly take it!  Thanks again :)

Hi Jules. If AWS can't do what is required then I would strongly recommend moving to another hosting provider where you're not sharing address space with such a (ahem) diverse and potentially misbehaving crowd. in the meantime, you might be able to get Hotmail to whitelist permies.com if you explain the situation. Banning a /12 or /10 due to a handful of bad actors is real overkill, but apparently that's how they roll.

Phil Stevens wrote:I would strongly recommend moving to another hosting provider where you're not sharing address space with such a (ahem) diverse and potentially misbehaving crowd

Is there a provider that you can recommend?

So, the question is....what exactly is MSFT blocking?  Is it a specific IP, a subnet?, the whole block in US-West-2 (52.40.0.0/14)?  Is there anyone from 'the 'Soft' around here that can look internally and bypass the nighmarish  SNDS request process?

Depends on how much testing you want to do...and how much you want to muck with your mail server.  For my money, I'd spin up another mail server in US-West-2 with the same config, and a different EIP.  What subnet the EIP comes out of will matteer in a minute.  Set your original mail server to relay hotmail.com, live.com, outlook.com, etc. through the new one and see if they go through.

As for subnets, I'd start with any other IP you get...then specifically target an EIP outside of 52.40.0.0/14 (anything 52.40 - 52.43), If neither of these work, then spin one up in a different AWS region....maybe us-east-2 or canada.  If that doesn't work then there is something with MSFT blocking all AWS IPs...spin a mail server up inside of Azure and lather, rinse, repeat.  That way they'll have to solve their own problems. :P

After all of that is done, we should understand what the shape of the problem is and can make some decisions.

Cheers,
Dave

[edit] p.s.  I just realized from Jules comment...if you aren't using a static IP already then you definitely should be.  Either a NAT-GW or an EIP will be static...depending on how you've set your stuff up.

Ron McLeod wrote:

Phil Stevens wrote:I would strongly recommend moving to another hosting provider where you're not sharing address space with such a (ahem) diverse and potentially misbehaving crowd

Is there a provider that you can recommend?

I'm a fan of Digital Ocean myself, but I think you'd need to test from any different provider before you pull the plug.  Large MTAs tend to loathe cloud provider IPs in general.

It's also an arms race between the spammers and the folks protecting your inbox, so it'll change over time as well.

Dave's advice is good. The bit about cloud provider IPs is important, so here is an opportunity to "buy local" and see it there is a nice ISP in the PNW who you can work with. This is one of the reasons why I use a NZ-based provider for all my hosting (which includes a mailserver) even though it costs me a little more than the equivalent AWS commodity service and I don't get all the wizzy dashboard tools.