Ask HN: Microsoft blocked my outlook.com account for using a VPN. Any ideas?
As the title suggests, my outlook.com account has been suspended due to violations. However, I can't find any reference in their terms and conditions to my specific violation.
The reason is that I use NordVPN to connect to the internet.
Any ideas? I can't do anything without that account as changing my email on many services requires access to my old email.
Over the years I have read many stories on here of this happening to people, mainly on Google services, and it pretty much stops them dead in their tracks... well, now it's happened to me.
I've been thinking about it over the last several days and, legitimately, the only possible recourse is to run your own email server. Now this has it's own issues but it means I have (almost) total control over my data.
Anyway, as the title suggests, any ideas? I just need to get it reinstated so I can move all my email away from it now.
71 comments
[ 3.2 ms ] story [ 53.1 ms ] threadBy the way, I often hear how it's good for privacy to use (basically all the time) such VPNs. But my experience so far is that using internet via popular VPNs is annoying. Some websites won't let you in, you get a lot of random CAPTCHAs to solve (e.g. to get Google results) and it seems you can lose email account. For me it's too much hassle.
I would always recommend everyone to run their own email server. However that has its caveats such as of needing to build up IP reputation.
Any chance you could point me to some good documentation on that? I'm about to set up a homelab and play with OpenBSD some, is 'man opensmtpd' enough to start out with?
You may find one of the printed books on Postfix helpful. No Starch Press has a decent one, which, regardless of its age, still is a good one.
Make sure that your server cannot be used as an open relay to deliver spam. Take a look at http://www.postfix.org/SMTPD_ACCESS_README.html to learn how to do that. Postfix is a well written piece of software and (IMHO) rather easy to maintain once you understood the basic principles. I've been using it for more than a decade now.
Edit: For anyone else who is looking and can't find it on NSP's website, I found it with 'filetype:pdf The Book of Postfix' on duckduckgo.
This kind of got out of control with YouTube ads for VPNs. I want to scream "what is your threat model!?" at people who tell me they use it all the time. Using them without having a specific reason why is silly. And as you've noticed it's not without downsides.
I can tell you that using a VPN wasn't why your account was blocked. Most corporate employees connect to Outlook.com through corporate VPNs (both of my last employers required it).
I think it is just more likely MS doesn't know who you are yet. For example, if you're talking about how you get more captcha to fill out, I think this is because your IP address doesn't have the history to build reputation as you with MS.
I use mullvad and have used other vpns all the time with zero difficulty. The only service I can't use is netflix and even they let me access my account just fine I just can't actually play videos while connected to the vpn.
There is a huge difference between not allowing access to the service via vpn and banning an account by virtue of accessing the account from a legitimate vpn service. The latter is unusual it is not something anyone ought to expect from "every major service".
The latter is something I'd expect all the time, if I logged in to eBay from a M247 IP I'd expect the account to be suspended within minutes.
what makes you possibly think that?
using a VPN is the equivalent of walking into a bank with a motorcycle helmet or a bataclava, don't be surprised of the unwarm welcome.
I've worked in bank and fintech around fraud. Blocked quite a few VPN/hosting at the network level so they couldn't even reach our network at all.
Why do you think so? Do you want your ISP to not know who you bank with? Do you not trust TLS? Is your network operator an active, advanced threat actor? What problems would you like to solve with VPN in this case?
They’re also known to use traffic shaping to websites they don’t like, and which they they should pay them more money to get to your eyeballs. Netflix and YouTube are popular examples here. When I can get much higher throughput to Netflix and YouTube when on VPN versus when I’m not using VPN, something is very wrong.
So, no. I don’t trust my ISP. Not at all. Not as far as I can bodily throw their HQ building.
They also fuck with your VPN connections. Which is why I have accounts with multiple VPN providers.
Ads can be changed with plain HTTP requests, or DPI can be used to gain info about the HTTPS request and possibly block subsequent requests. The I in DPI is for inspection, AFAIK modification would be very difficult.
I've been doing this with RamNode for a few years with their $15/year OpenVZ mostly via SOCKS with DNS passthrough (the main disadvantage of this is that it doesn't allow direct DNS resolution and some adblock techniques require being able to do that). This includes a fixed dedicated IP address. Presumably they will eventually support wireguard and then everything should work without fuss (you could setup OpenVPN if you are so inclined and I think would need to if you want to additionally use anonymity providing VPNs on top of that). There are still a few issues with various sites but it sounds like it is quite a bit less annoying than anonymous VPNs, at least once Google and Cloudflare figure out what you are doing. The 500GB bandwidth is per month and generously accounted so I've only once reached it (it would be $4/month for an additional TB). I'd guess there are a number of low priced ISPs that would work. Most software I've used seems to respect ALL_PROXY=socks5h://... these days although not all.
On occasion with the VPN active, it flagged up something suspicious and I had to enter my phone number and receive a text to verify me.
Now they won't even let me do that.
Or you get paid email hosting, preferably from a company whose entire business is just that. Then they'd have a stronger incentive to make sure their users are able to keep using their service.
My point is that relationships work as good as incentives are aligned. Aligning incentives better leads to a better relationship.
See https://news.ycombinator.com/item?id=21700139 for example.
> > I did a google takeout and downloaded all my data.
> > Then I got a domain name and protonmail account and changed email on all of my accounts to my own domain.
Sounds like they'll be fine? Maybe missing a day or two of email as they switch to a new provider.
Without 2FA it can be a real pain to recover a Google account if you get locked out.
Doesn’t help with your old email, though...
Email hoster misbehaving. Just switch mail provider, keep mail adres, restore mail. And live a happy life?
AFAIK, the longest term you can register a domain for is 10 years -- and I believe some TLDs have much shorter limits.
I had a similar issue with an outlook account I abandoned for a few years. They claimed that the account had been used to send spam (a bloody lie.) It was an account I used for RECEIVING spam (I don't see how that's a violation of terms of service).
They simply wanted collect my phone number. Try to go through the recovery process. They might simply be trying to get your phone number.
I've periodically had to re-validate where they send me a text message but this is the first time they've locked me out completely
I lost everything and couldnt access any mails.
After trying everything possible online, I wrote Microsoft a letter. A real letter on paper. Several weeks later I got a reply that they could do nothing as their tos was violated.
FUCK microsoft. Since then I am very careful with centralization of accounts. I am using many different email and cloud provider today and despise people who are happy that e.g. apple is today providing everything: from music over cloud to movies, mail, pay and so much more.
[0] https://www.cbc.ca/news/canada/newfoundland-labrador/onions-...
I deploy the mailu service to a small home server using HomelabOS, configured to use a $5 Digital Ocean droplet as a bastion server to prevent needing to mess with dynamic DNS, port forwards, and firewall circumvention.
Many places will discard the traffic due to elevated risk. Frankly, the public VPN services are pretty pointless anyway.
A possible alternative that is almost as good might be to get your own domain and use some email service like Fastmail with that domain. Have something that regularly downloads all your mail from the service (which might be as simple as configuring your normal email client to download and retain everything).
If you ever have a problem with Fastmail, sign up for some other email service that allows you to use your own domain, such as Protonmail, and change your domain's mail-related records to point to that service.
Your incoming email will be down during the time it takes to sign up for the other service and change your domain setup, but hopefully getting tossed off email services is a once in a blue moon event for you so.
(If you do this, make sure that changing domain settings at your name service provider does not depend on receiving email at your domain. It would be very irritating to not be able to point your mail-related records to the new provider because your name service provider is sending a TOTP token to your old email provider).
That is weird. Are you confident NordVPN caused the problem?
I ask because I also have a NordVPN subscription. I have it for more than a year now. I keep it running 24/7 and switch countries every 2-3 days. I visit all the major websites, and I have never had significant problems with my accounts. Google Search is probably the only website (that I remember) that blocks NordVPN IP addresses, but I connect to a different server and reload the page to continue.
When I switch between NordVPN servers, I do it across countries. For example, I browse the Internet for a couple of hours from France and then switch to a Japan server. It is impossible to travel between France and Japan in less than 5 minutes, so, Outlook —among other companies— flag these connections as highly suspicious. However, aside from a security alert, I have never had any problems connecting to my online accounts. Even my banks are cool with NordVPN.
I am not saying NordVPN was not the cause of your problems. Anything is possible.
It would help me, though, to know what server(s) you selected to avoid connecting to them.
You can find them in the NordVPN connection history or system logs.
I hope you recover access to your account. Thanks in advance.
For the last several weeks, I was getting issues where it detected "suspicious activity"... now, I am using Outlook on the desktop and it stopped me logging in.
So, I would click the link and it would take me to my Microsoft account to verify my phone number. I'd get sent a text and that would be it.
When I don't use Nord due to forgetting to switch it on, it works fine 100% of the time.
Now, they just shut the door on me. I can't even change my Amazon email address because they need to send a confirmation email to my current address which I can't get in to!!!!!!