Admins Accuse Microsoft of Hotmail Cap

kurmudgeon writes "The Register is fielding reader tips that Hotmail has placed Draconian limits on the number of Hotmail recipients who can receive an email. The first 10 Hotmail addresses included in a mass email go through just fine, according to these reports. But any additional addresses are returned to sender with a message that reads: "552 Too many recipients." (Microsoft denies it has placed any such restriction on the number of senders.) This would appear to be a violation of RFC 2821, which states: "Rejection of messages (for excessive recipients) with fewer than 100 RCPT commands is a violation of this specification."

And the problem is...?

[Kelson]

Let's look at that phrasing: "Rejection of messages (for excessive recipients) with fewer than 100 RCPT commands is a violation of this specification." (emphasis added).

Are they rejecting messages, or are they rejecting recipients?

According to this, they're rejecting recipients with an obvious "try this again" code. Really that should be 452, not 552, but that same RFC 2821 says that senders should treat a 552 as temporary:

RFC 821 [30] incorrectly listed the error where an SMTP server exhausts its implementation limit on the number of RCPT commands ("too many recipients") as having reply code 552. The correct reply code for this condition is 452. Clients SHOULD treat a 552 code in this case as a temporary, rather than permanent

So whatever sending server runs into these limits should retransmit the message to the remaining recipients on the next queue run. Okay, it'll only reach 10 recipients at a time, which is annoying. It shouldn't be kicking back the error to the client.

Really, assuming Microsoft has actually put this limit in place, the only thing I can see that's wrong, from a practical standpoint, is using the outdated 552 code instead of the more specific 452 -- but that same RFC people are waving around says that their servers should treat it as temporary anyway.

Am I missing something?

Re:And the problem is...?

[Gyppo]

No - for every recepient that they reject, they are, in effect, blocking those recipient from receiving the intended message. So they are blocking messages.

Re:And the problem is...?

[fatphil]

Are you missing this bit:
"""
      recipients buffer
            The minimum total number of recipients that must be buffered is
            100 recipients. Rejection of messages (for excessive recipients)
            with fewer than 100 RCPT commands is a violation of this
            specification.
"""
which is only a couple of paragraphs above what you quoted.

You're also missing the fact that when a server rejects a message because of some issue with the recipients, it is still rejecting the message, and not "rejecting the recipient", which is a completely meaningless concept in the language of the RFC.

Re:And the problem is...?

[Kelson]

No - for every recepient that they reject, they are, in effect, blocking those recipient from receiving the intended message.

The proper reaction of a sending server to a temporary error is to try again. Per that same RFC, the server should be treating '552 too many recipients' as a temporary error.

Yahoo does the same thing at 30 recipients, though they issue the more proper 452 error code. The first 30 recipients at Yahoo get the message, then the sending server retransmits to the remaining addresses.

Re:And the problem is...?

[Obfuscant]

No, according the standards, every recipient rejected for "too many" stays in the queue and delivery is attempted at the next queue run. While Hotmail's violation of the standard seems bad, the worst effect it should have is to slow the delivery, not prevent it.

If a client actually stops trying to deliver based on a 552 error, then it, too, is violating the standard, in a way that actually prevents delivery. I consider that a more serious violation.

Re:And the problem is...?

[dgatwood]

Only if the sending SMTP server is broken. SMTP has two types of return codes: permanent failures and temporary failures. A permanent failure causes the message to bounce to the sender. A temporary failure causes the message to be queued and resent. Upon resending, only recipients for whom an error was generated are retried. Thus, if this error occurs after ten recipients, the remainder won't get the message in the first pass, but the next ten will get it when the sending server retries (usually after an hour, IIRC). This should continue until the recipient list is exhausted. Even this assumes that the sending SMTP server is extremely dumb and doesn't really understand anything about this error code at all beyond that it is a temporary error.... If it actually understands the code, it should try resending to additional recipients immediately, and divide the message into smaller batches, in which case it would delay delivery by a few minutes at most.

In theory, in some extreme cases, the recipient might never get the message. If it retries once an hour for a week (fairly typical), that would effectively cap the number of HoTMaiL recipients of a single message at 10 * 24 * 7 = 1680 recipients. Of course, a proper sending SMTP server should already be able to split messages into batches of a hundred or less because a limit of 100+ is considered acceptable behavior by the receiving server. Thus, in effect, because 1680 is larger than 100, short of a very long term net outage after the initial connection attempt, all the recipients should receive the message in every case. If this does not occur, the sending SMTP server is broken.

This is, of course, just my opinion.

Re:And the problem is...?

[morcego]

Ok, I might need some further clarification here.
Aren't 55X errors supposed to be permanent, while 45X errors are temporary ?
Why would the sender keep the message on the queue after a permanent error ?

Re:And the problem is...?

[Obfuscant]

Refer to RFC2821, which is the RFC that MS is being blamed for violating by not allowing 100 RCPT commands per session. Normally, you are right, 5XX is fatal, but 4.5.3.1 Size limits and minimums says:

RFC 821 [30] incorrectly listed the error where an SMTP server exhausts its implementation limit on the number of RCPT commands ("too many recipients") as having reply code 552. The correct reply code for this condition is 452. Clients SHOULD treat a 552 code in this case as a temporary, rather than permanent, failure so the logic below works. SHOULD means "unless you know what you are doing and have a good reason to do otherwise." The "logic below" is that the sending server removes the ones that were successful and tries the rest again later.

Re:And the problem is...?

[walt-sjc]

Dealing with mail servers that handle newsletters with subscribers numbering in the 100K+ each range, I have several special configurations on my servers to handle various broken behavior. In fact, I have a "butthead-TMR" list that contains hotmail for this EXACT reason. I also have a "butthead-TMC" list for a few broken servers that start doing the same 500 level errors for "too many simultaneous connections".

It's one thing to have anti-spam and anti-abuse mechanisms in place, it's another to deliberately break basic functionality in direct violation of the standards that make email work. There are MUCH better ways of handling situations where you want to rate limit inbound mail that are fully compliant with the RFCs, that allow all valid mail to get through.

It simply amazes me how many IDIOTS are running servers at large ISP's / sites. It is well known by most competent email admins that hotmail is totally broken and unreliable. Anyone still using hotmail for everyday use should have their head examined.

Too many?

[shine-shine]

Oof.

"552 Too many first posts."

Hotmail is unreliable anyway

[Anonymous+Brave+Guy]

Our (100% legitimate, double opt-in) mailing list gets a few Hotmail addresses added to it every now and then. We frequently get people complaining about missing mails and so on. Invariably, it's because of something silly, usually spam filtering that has been set to be so ludicrously aggressive that practically anything not white-listed (i.e., nothing on a new account) gets through.

We have now reached the point where we consider Hotmail an irrelevance. We don't even advise complainants to use another mail client any more, we just ignore them. The list is not run for profit, and the effort of supporting Microsoft's not-playing-ball freebie mail system just isn't worth it for what is basically a hobby set-up run for the benefit of our community.

Re:Hotmail is unreliable anyway

[Klaus_1250]

The bad thing about spam filtering in Hotmail is that they do it silently. I've had complaints in the past about mails being lost, so I checked my server logs: 250's for all messages to hotmail. Wrote an email to postmaster@hotmail.com which bounced back (sigh). Then I gave up and adviced to make sure recipients had the sending email-address in their addressbooks before sending them anything, which seems to do the trick most of the times.

Re:E-mail is dead for mass communication

[RollingThunder]

I take it you're not on any discussion mailing lists, then?

All MS is doing is cranking up bandwidth costs now. Instead of one copy being sent to all 68 subscribers on the server, my listserv now has to send them 68 copies of the same damned thing. Incredibly inefficient, but the subscribers want the email, so that's what'll happen.

I'm shocked

[Zashi]

Microsoft isn't following standards? I'm the rest of the slashdot community is just as surprised as I am. I mean, microsoft is a company we've come to trust, to do no evil, to side with the consumer and the technical community at large. I'm sure this is just an honest mistake, one we will not see again.

*incoherent wheezing and laughter*

What's the bid deal?

[jtroutman]

There's been a fix for this problem for a while now.

Re:What's the bid deal?

[jtroutman]

That should, of course, have read "What's the big deal?", but I've had a head cold for the last week.

People still use hotmail?

[heptapod]

There are hundreds of free alternatives available and a simple Google search brings up numerous email forwarding services that can take the sting out of changing email accounts.

Re:People still use hotmail?

[alien9]

Yes.

I use it due to integration with messenger IM.

Despite the fact I use gaim/pidgin most of time, the email/IM integration provided by their service led me to the decision of keeping my account, which is the same long before hotmail was purchased by microsoft.

I think the service fits my needs, to provide a reliable account for registrations/memberships elsewhere.

The lack of baynesian spam filtering (such has gmail and others) is a shame.

The interface (yes, I tried Live) sometimes simply sucks.

The storage and transfer limitations could be a problem for anyone lacking scp or such file transfer tools.

I said, _could be_. Email lost its credentials as serious transfer and communication tool.

Some of us may remember when Bill Gates stated that SPAM issue elimination was simply a matter of time. I gave them few credence then... and nowadays, email is clearly depicted as an unreliable, flawed tool.

Ordinary people can be kept safe by white-listing methods which figures out annoyances to me. They cay rely on such filtering to avoid Enlarge Their Penises NOW!!!

I would put my coins on a bit more intelligent solution to handle spam. There are a lot of solutions along with gmail or inova.net. The management of messages by AI systems which carries out the trash is a requirement to make email a reliable and trivial tool again... and not the scam nest it has been featured into.

This kind of announcement clears out what is the real level of microsoft improvement attempts - incredibly naive, blatantly stupid, moron-shaped company policies.

But, wait..

At all, who the heck would need to forward the message to 10+ recipients? In hotmail accounts? Oh... spammers. The less skilled and no less annoying of them. The ones who include my address in religious spiritual good intentioned chain letters.

Turns out microsoft is doing the right thing. The intelligence involved in their approach of bulk mail fits the targeted ones'.

You gotta pay up!

[argux]

I read about something like this a few days ago. A big website was warning people not to register with any Microsoft accounts (MSN, Hotmail, Live) because their mails were bouncing. They also mentioned that if they paid some fee, the cap would be lifted (obviously, they wouldn't in a million years give a cent to these people). Instead of paying, they would only recommend people to use Yahoo or Gmail.

Of course, it's not the exact, same thing, but the similarity between the two situations is spooky, to say the least.

Dont worry!

[Ariastis]

No sweat guys, for 19.99$ per year, you can become a member of the Windows MSN Live Hotmail Benefactor Plus Live rewards program!

Benefits include :
1) Spam whomever you want, bypassing all spam filters!
2) Send e-mails to more than 10 recipients (Also called the "I run a mailing list you fucktard" option)
3) Free "Upgrade to Vista (Please)" coupon.

Microsoft doesn't deny it

[jas79]

The answer Microsoft gave was about the limits for sending email, not for receiving email.

Oh NOES!

[geekoid]

Now microsoft will get hammered by the Standards police.

I'm in violation too...

[Ossifer]

... this is a well known anti-spam technique -- it helps thwart dictionary attacks. Hotmail allows 10 recipients, my email server allows at most 1 (one). Of course, my domain only has one email account...

RFCs are not laws

[Angst+Badger]

This would appear to be a violation of RFC 2821, which states: "Rejection of messages (for excessive recipients) with fewer than 100 RCPT commands is a violation of this specification."

I love the way the OP makes this sound like a serious criminal violation. Microsoft (or you, or me) is free to violate RFC 2821 till the cows come home. Whether doing so is the best way to handle whatever problem they're trying to address is another matter, but they're not drowning puppies or breaking laws, they're violating voluntary standards, which is not exactly a newsworthy activity for Microsoft.

Re:RFCs are not laws

[jamesh]

That's exactly right. The only problem it might cause them is they can't claim to be running an RFC2821 compliant mail server (for whatever that's worth), and as anyone who has ever implemented a spam filter would know, they aren't the only ones.

None of the customer mail servers I look after will accept more than about 50 recipients per message from internal users, let alone external users. Otherwise, I get too many calls from customers complaining that their internet access is slow, only to find out that their marketing department have sent a 5MB attachment to 500 people again. This is made even worse by Exchange's default setting to try and send out 100 or so messages concurrently (so they all time out and retry). If you need to get any information out to that many people, especially large amounts of information, there are better ways of doing it.

Re:RFCs are not laws

[glwtta]

I love the way the OP makes this sound like a serious criminal violation.

I love the way you just make shit up. All I got from the summary was that they are violating the RFC, I can't imagine what kind of synaptic misfire would lead anyone to think "criminal" when they read that.

Is overzealous MS reverse-bashing the in thing now?

I'm not TERRIBLY pro-MS, but...

[DigitalSorceress]

Honestly, if everyone followed all the RFCs for email and didn't adapt, spam would probably bring everything to a grinding halt. As it is, with countermeasures and counter-countermeasures in an escalating spiral in the "spam wars", I sometimes marvel that email even still works at all.

Granted, security through obscurity isn't really effective, but why should they bother telling spammers how small to make their batches in order to get things through? Make the bastards work a little bit.

Wow, I've gotten cynical.

Re:I'm not TERRIBLY pro-MS, but...

[Random832]

Granted, security through obscurity isn't really effective, but why should they bother telling spammers how small to make their batches in order to get things through? Because there are lots of legitimate reasons to send an email to more than 10 recepients on a large service like Hotmail, and batching them up (as opposed to sending the whole email, headers and body, to the server multiple times) saves bandwidth.

I would be pissed off if i were subscribed to something and I were the 11th hotmail user on their list.

Most people don't follow that standard

[billstewart]

Most mail-system managers I've talked to don't accept 100 recipients on a message except for internal communications inside a company. The problem is precisely that spammers have abused the feature - some people limit connections to 1 recipient, some to small numbers like 10, but in general if you accept a lot more you just get spammed.

It does sound to me like the too-many-recipients failure should be a 452 rather than 552, but other people have commented that mail senders are supposed to know how to deal with that.

Hotmail is just one sign

[cdrguru]

Email is useless. It cannot be relied upon. Mail servers will silently drop your mail after acknowledging receipt. Mail servers will reject your mail for no logical reason. All of this is in the name of fighting spam.

Because of spam, you can assume only that if you send an email and do not get a response that it never got through. If the only contact you have with a customer is an email address, you aren't going to get anywhere. Mail can be blocked at any point between the sender and the recipient without the knowledge or consent of the recipient - telling the recipient that they need to unblock your email is pointless as they may have nothing to do with the blocking.

Face it, email is suitable for sending threatening letters to georgebush@whitehouse.gov, love notes to your girlfriend and jokes to others in the office. And that's about it.

Re:E-mail is dead for mass communication

[SnoopJeDi]

Why are people still using these? Why haven't they been replaced by forums?

At UMBC, almost all student organizations, many classes, club teams, etc. etc. all use a mailing list system powered by Sympa to communicate. It's way more convenient than logging into our blackboard site, browsing to the class, finding the discussions forums, and finding the right thread in the mangled excuse for organization.

With the mailing list, all I have to do is check my email. Email is easier to centralize to the individual than forums, and leaves organization up to the end user. I have to check my email for personal communiques, contact from professors, and automatic notifications ANYWAY, why the hell should I not use the system to stay in the loop in a group, too?

That said, reply-all is the worst thing in the world.

RFC 2821 is not (yet) a standard

[Eric+Smith]

This would appear to be a violation of RFC 2821, which states: "Rejection of messages (for excessive recipients) with fewer than 100 RCPT commands is a violation of this specification."

RFC 2821 isn't a standard, though. It's on the standards track, but it has not yet been accepted by the IETF as a standard. The current SMTP standard is RFC 821, also known as STD 10. RFC 821 says:

recipients buffer

The maximum total number of recipients that must be buffered is 100 recipients.

TO THE MAXIMUM EXTENT POSSIBLE, IMPLEMENTATION TECHNIQUES WHICH IMPOSE NO LIMITS ON THE LENGTH OF THESE OBJECTS SHOULD BE USED.

This only requires that up to 100 recipients must be buffered, but doesn't explicitly state that there is any requirement to deliver to all 100 such recipients, nor that recipients cannot be rejected for some reason other than running out of buffer space.

Re:RFC 2821 is not (yet) a standard

It may not be a recommended IETF standard, but the RFC number (on standards track) makes it an effective (read: recommended) standard. If you're a fan of RFC's you should implement them when they are in the Standards Track Especially when it's a trivial extension of an existing protocol, especially when (most) everyone else does.

Re:E-mail is dead for mass communication

[McDutchie]

Why are people still using these? Why haven't they been replaced by forums?

Because web forums suck.

1. You're limited to whatever interface the web forum admins chose. You cannot choose your own interface. You have to use a different interface and/or register a new account for each forum.
2. Most forums lack basic features such as threading and decent filtering/sorting/killfiling. (So do most email programs, but at least you can choose one that has these features!)
3. Web interfaces are s-l-o-w.
4. Outages or being offline means you can't get to the forum.
5. You have to remember to go to them. Mailing lists come to you. (That what really kills most web forums for me. Slashdot is an exception.)

Sometimes even earlier denial is good

[kju]

Some server will deny some/more recipients even after only one prior recipient. The reason? Spam filtering during the SMTP phase and conflicting configuration of the different recipients. Doing spam filtering during SMTP is good, as you can cleanly deny spam instead of just acting like a black hole and throwing it away. In the case of a false positive the sender will at least get a clean error message without having to send one of these nowadays very annoying bounce messages. If you ever became victim to some spammer abusing your mail address as the sender of spam and you've got 25000 bounces, you know why bounce messages need to be eliminated thanks to spammers.

Unfortunately spam filtering has became so complex that more often than not one there is no one-size-fits-them-all configuration. But this means that the same message might be acceptable to the configuration settings of user A but not to the settings of user B. When now a mail sender tries to send a message to A and B, it will be necessary to deny recipient B due to the differing config (at least for filters which are based on content and thus can not be run before the recipient was accepted and the message sent).

Yes, this breaks a proposed standard. But so do a lot of other spam filtering techniques like RBL, SPF and Greylisting. Thanks to the spammers we have broken SMTP quite some while ago and one is to wonder why internet mail is still quite reliable. I predict it can only go downhill from here.

You think MS is bad? Try Yahoo!

[statemachine]

Yahoo has been junking all e-mail from my domain. Yet, my domain has been around since '99, has an SPF record, and has not been on a spam blacklist ever. I don't run any lists, and usually these e-mails are only directed at one recipient.

When I contacted Yahoo, I was referred to a broken web form that supposedly would direct me to a place where I could whitelist my domain, or at least make it less spammy-looking to Yahoo. Upon further attempts to reach them, I only received automated responses, but no answers to my questions.

I am not the only one who has had this problem sending e-mail to Yahoo accounts. Ironically, just Google for all the discussions on how Yahoo doesn't care.

Sending e-mail to GMail accounts works just fine for me. None of my messages show up in the spam folder. This is an indicator that the problem lies with Yahoo, and not with my domain.

"Admins Accuse Microsoft of Hotmail Crap"

[cliveholloway]

Heh. Am I the only one who misread the headline and thought, "How true".

Re:E-mail is dead for mass communication

[aztracker1]

To be honest, I participate on a number of email based discussion lists.. and also to be honest, I would much rather have NNTP access... this could still be nicely structured and accessed in my email client, but not interleaved with my email, and not risk being cast into the junk folder on occassion... I really wish that Google Groups, and Yahoo Groups had an NNTP interface, you could use your user login to access... that would so rock over the email mode..

Re:Hotmail has many worse problems than this one!

[saarbruck]

OP could have provided more detail but was not trolling: I run an email server on a static IP on my 768/128 DSL line. It's for 2 users. My mother, who has been a Hotmail user for so long that she can't relocate or "no one will find her!" refuses to move to gmail despite my pleas. Hotmail silently drops mail from my server about two thirds of the time. Messages such as "Hey, where are we meeting for Grandma's birthday dinner" disappear into the ether despite me being on her whitelist. Repeated hotmail support requests go something like this:

me: why are you accepting my email with code 250 OK, but never delivering it?

them: we can't talk to you until you submit all the forms at postmaster.hotmail.com

me: submits the forms, which are clearly geared toward businesses (my "site" doesn't have a "privacy policy" or an "opt out form" because I don't SELL ANYTHING).

them: we can't talk to you until you sign up for our email tracking service to analyze your traffic

me: signs up. My server doesn't generate enough traffic for them to even log.

them: you need an SPF record

me: installs an SPF record

them: your SPF record is wrong. RFC blah blah states...

me: IT WAS GENERATED BY YOUR ONLINE TOOL!! And if you want to quote RFCs at me how about the one where if your server accepts email, you're guaranteeing not to drop it for frivolous reasons (RFC 2821, sec. 6.1)?

them: our reasons are not frivolous, but we won't tell you anything.

me: like how your servers drop email sent from thunderbird but let the same messages through when sent from outlook express?

them: we don't filter based on header information

... and so it goes. I understand that I'm a small fish in a big pond and that there's a war on terror, uh, I mean spam, but hotmail just sucks.

The obligatory checklist

[Random832]

Your company advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!