Incident report: Spam attack..

On Tuesday 2026-03-03, a number of user accounts on Kolab Now was used to send out large amounts of spam. The spammers didn’t get to send out much mail. Most of it was stopped in the Kolab Now exit filtering, but the spam rating of the mails going out unfortunately was high and caused Microsoft online services, specifically outlook.com, hotmail.com, to add two of the Kolab Now exit IP addresses to their block lists. This caused emails sent to recipients on these services to bounce with messages like:

550 5.7.1 Unfortunately, messages from [212.103.80.154] weren’t sent.

Please contact your Internet service provider since part of their network is on our block list (S3150).

The spammers were identified and stopped, but the damage was done.

The Kolab Now staff immediately started the delisting procedure with the implicated services, but the (digital) reputation needed to be restored, and that took some time. On Wednesday midday, the two IPs were fully delisted and restored, however many emails were already sent back to senders, and caches on mail relays across the internet needed time to restore the Kolab Now reputation.

Thursday, we still saw a few mails being returned, but most of these mails was ‘leftovers’; emails that was sent and bounced earlier, but being returned very slowly.

At this time, Friday morning, we do not see any bounced messages (caused by the blocklisting). We have found weak spots in our spam handling for this specific situation. We are going to mitigate these weaknesses as soon as it is possible, and surely avoid that these are moving over to the new systems and hardware together with the rest of Kolab Now.

Please note that this situation in no way had any relation to the ongoing work on the migration of Kolab Now described elsewhere in this blog.

We regret any inconvenience that this may have caused you as a user.