Hacker News
Ask HN: Microsoft blocked my outlook.com account for using a VPN. Any ideas?
61 points by _Understated_ on Oct 31, 2020 | 70 comments
As the title suggests, my outlook.com account has been suspended due to violations. However, I can't find any reference in their terms and conditions to my specific violation.

The reason is that I use NordVPN to connect to the internet.

Any ideas? I can't do anything without that account as changing my email on many services requires access to my old email.

Over the years I have read many stories on here of this happening to people, mainly on Google services, and it pretty much stops them dead in their tracks... well, now it's happened to me.

I've been thinking about it over the last several days and, legitimately, the only possible recourse is to run your own email server. Now this has its own issues but it means I have (almost) total control over my data.

Anyway, as the title suggests, any ideas? I just need to get it reinstated so I can move all my email away from it now.

Last week google did something like that to me. It said "device not recognized" and "suspected activity detected" and won't let me in even after I reset my password. That was my reality check. Fortunately, I was able to log in via my old smartphone. I did a google takeout and downloaded all my data. Then I got a domain name and protonmail account and changed email on all of my accounts to my own domain. Now I have some peace of mind that nothing would be lost even if my gmail account is to be gone tomorrow.

My advice is to enable 2FA on your account and then Google pretty much leaves you alone. Last I checked you did have to provide a phone number when initially turning on 2FA, but once you have any other 2FA method defined (totp, u2f, recovery codes, etc) you can then remove the phone number.

Without 2FA it can be a real pain to recover a Google account if you get locked out.

I did have my phone number linked to gmail and I was able to reset my password using otp code, not 2FA though. As you say, it might not happen if I enable 2FA but I've had enough that day frantically trying to get my ~10 year old account tied to many things back. But still, I would like to keep my account and will follow your advice but won't be counting on it to last forever anymore.

A few months ago I had an issue with someone trying to fraud money via a partner program, testing and using a lot of credit cards, changing IP each time he tested one card. In the end he managed to pass through fraud checks around 50 times. All IPs were from nordvpn/expressvpn. So no wonder that you might get banned elsewhere by using the same IP as someone else trying to do something illegal.

What happens if your protonmail account is gone tomorrow?

> What happens if your protonmail account is gone tomorrow?

> > I did a google takeout and downloaded all my data.

> > Then I got a domain name and protonmail account and changed email on all of my accounts to my own domain.

Sounds like they'll be fine? Maybe missing a day or two of email as they switch to a new provider.

Still owns domain/email.

What happens if the domain is gone tomorrow?

See https://news.ycombinator.com/item?id=21700139 for example.

Definitely easier to get back a gone domain (unless I missed payment) than a gone gmail/other free account.

One suggestion: for your primary email address, use an alias (college alumni account, personal dns, etc.) that forwards to your provider of choice (gmail, outlook, whoever) so that when this kind of thing happens you can just update your forwarding address with your provider and instantly restore access to your other accounts.

Doesn’t help with your old email, though...

In practice I have seen this forwarding be less than expeditious with delays on the order of hours. It would seem like using your own domain name allowing you to switch providers may be a better option.

I have been hosting my own email for a while now. It has its quirks, and outbound can be hard, but for just getting password reset emails and the like, it does everything I need it to. I use my own domain, with a catch-all for everything on the domain, that way I can just make up emails on the fly. 'nick.apps.hackernews@mydomain.com' is a pretty common set up for me.

I deploy the mailu service to a small home server using HomelabOS, configured to use a $5 Digital Ocean droplet as a bastion server to prevent needing to mess with dynamic DNS, port forwards, and firewall circumvention.

Interested in how you forward the bastion host mail ports to your home server?


You don't really need your own email server to solve such a problem. If only you had your own domain, you could have moved it to a different provider and still have access to the services which require your email address.

By the way, I often hear how it's good for privacy to use (basically all the time) such VPNs. But my experience so far is that using internet via popular VPNs is annoying. Some websites won't let you in, you get a lot of random CAPTCHAs to solve (e.g. to get Google results) and it seems you can lose email account. For me it's too much hassle.

It's what infuriates me about google. I have my own colocation and run my own VPN. Because the ISP is me, which is not publicly listed, I get captchas. And it's not the simple "Click here" either, click on traffic lights and wait seconds for the image to forever fade.

I would always recommend everyone to run their own email server. However that has its caveats such as needing to build up IP reputation.

> I would always recommend everyone to run their own email server.

Any chance you could point me to some good documentation on that? I'm about to set up a homelab and play with OpenBSD some, is 'man opensmtpd' enough to start out with?

While I don't have an OpenBSD system to check that man page, I doubt that it is sufficient to set up a proper mail server.

You may find one of the printed books on Postfix helpful. No Starch Press has a decent one, which, regardless of its age, still is a good one.

Make sure that your server cannot be used as an open relay to deliver spam. Take a look at http://www.postfix.org/SMTPD_ACCESS_README.html to learn how to do that. Postfix is a well written piece of software and (IMHO) rather easy to maintain once you understood the basic principles. I've been using it for more than a decade now.

Many thanks. I'll take a look at that book, I haven't gone wrong with No Starch Press yet.

Edit: For anyone else who is looking and can't find it on NSP's website, I found it with 'filetype:pdf The Book of Postfix' on duckduckgo.

I haven't made time for it yet but this guide seems pretty comprehensive and will be my starting point: https://www.c0ffee.net/blog/mail-server-guide/

Nice! That does indeed look like quite a nice resource.

> I often hear how it's good for privacy to use (basically all the time) such VPNs

This kind of got out of control with YouTube ads for VPNs. I want to scream "what is your threat model!?" at people who tell me they use it all the time. Using them without having a specific reason why is silly. And as you've noticed it's not without downsides.

I don't understand how adding another party (the VPN provider) that can monitor your traffic is automatically beneficial to privacy.

> Microsoft blocked my outlook.com account for using a VPN. Any ideas? […] The reason is that I use NordVPN to connect to the internet.

That is weird. Are you confident NordVPN caused the problem?

I ask because I also have a NordVPN subscription. I have it for more than a year now. I keep it running 24/7 and switch countries every 2-3 days. I visit all the major websites, and I have never had significant problems with my accounts. Google Search is probably the only website (that I remember) that blocks NordVPN IP addresses, but I connect to a different server and reload the page to continue.

When I switch between NordVPN servers, I do it across countries. For example, I browse the Internet for a couple of hours from France and then switch to a Japan server. It is impossible to travel between France and Japan in less than 5 minutes, so, Outlook —among other companies— flag these connections as highly suspicious. However, aside from a security alert, I have never had any problems connecting to my online accounts. Even my banks are cool with NordVPN.

I am not saying NordVPN was not the cause of your problems. Anything is possible.

It would help me, though, to know what server(s) you selected to avoid connecting to them.

You can find them in the NordVPN connection history or system logs.

I hope you recover access to your account. Thanks in advance.
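The "impossible to travel between France and Japan in less than 5 minutes" heuristic mentioned in the comment above, sketched as an added example that is not part of the thread and not any provider's actual logic. The speed threshold, the geolocation tolerance, the `Login` record and the sample coordinates are all assumptions made for illustration.

```python
"""Impossible-travel check over a login history (added illustration)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: anything faster than a commercial flight is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    when: datetime   # time of the successful login
    lat: float       # latitude of the geolocated source IP
    lon: float       # longitude of the geolocated source IP
    label: str       # human-readable location, used in alerts


def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two logins' geolocated positions."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=50.0):
    """Return (prev, cur, km, kmh) for consecutive logins implying speed > max_kmh.

    min_km suppresses alerts for small jumps, which are usually just
    imprecise IP geolocation rather than a change of place.
    """
    ordered = sorted(logins, key=lambda entry: entry.when)
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev, cur)
        if km < min_km:
            continue
        hours = (cur.when - prev.when).total_seconds() / 3600
        # Simultaneous logins from distant places imply infinite speed.
        kmh = float("inf") if hours <= 0 else km / hours
        if kmh > max_kmh:
            alerts.append((prev.label, cur.label, round(km), kmh))
    return alerts


# Constructed sample history: a VPN user hopping from a Paris exit to a Tokyo
# exit five minutes later, then to a second Tokyo exit a minute after that.
SAMPLE = [
    Login(datetime(2020, 10, 31, 9, 0), 51.5074, -0.1278, "London"),
    Login(datetime(2020, 10, 31, 12, 0), 48.8566, 2.3522, "Paris"),
    Login(datetime(2020, 10, 31, 12, 5), 35.6762, 139.6503, "Tokyo"),
    Login(datetime(2020, 10, 31, 12, 6), 35.6895, 139.6917, "Tokyo-2"),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE):
        print(f"ALERT {prev} -> {cur}: {km} km at {kmh:,.0f} km/h")
```

Only the Paris to Tokyo hop is flagged: London to Paris over three hours is plausible, and the second Tokyo login falls under the geolocation tolerance.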

Definitely due to NordVPN.

For the last several weeks, I was getting issues where it detected "suspicious activity"... now, I am using Outlook on the desktop and it stopped me logging in.

So, I would click the link and it would take me to my Microsoft account to verify my phone number. I'd get sent a text and that would be it.

When I don't use Nord due to forgetting to switch it on, it works fine 100% of the time.

Now, they just shut the door on me. I can't even change my Amazon email address because they need to send a confirmation email to my current address which I can't get in to!!!!!!

For my own purposes (coffee shops, basic geolocation stuff), I usually spun up a VPN server on Linode or something like that. You still run into a lot of issues (many services blacklist VPS provider ranges, including most streaming services), but I never got any suspensions as a result.

And the reason why NordVPN IP was blocked is that NordVPN is often used for scam/hack purposes.

This is why when I need to proxy traffic I do it through an AWS instance in whatever region I need. Many services not only don't suspect AWS IPs as malicious, they might even have whitelists on their firewalls for AWS IPs.

I have that same problem with VPNs, all of the big banks lock your account if you use a VPN, and accessing your bank is the one time you would really want to use a VPN.

>>> accessing your bank is the one time you would really want to use a VPN.

what makes you possibly think that?

Using a VPN is the equivalent of walking into a bank with a motorcycle helmet or a balaclava; don't be surprised by the unwarm welcome.

I've worked in bank and fintech around fraud. Blocked quite a few VPN/hosting at the network level so they couldn't even reach our network at all.

CitiBank? Is that really you? You may be an undigested bit of beef, a blot of mustard, a crumb of cheese, a fragment of underdone potato. There’s more of gravy than of grave about you, whatever you are!

> accessing your bank is the one time you would really want to use a VPN

Why do you think so? Do you want your ISP to not know who you bank with? Do you not trust TLS? Is your network operator an active, advanced threat actor? What problems would you like to solve with VPN in this case?

Major US carriers are known to use deep packet inspection techniques to change out the advertisements you see on your webpages. If they’re doing that with DPI for purely profit driven reasons, then they are totally untrustworthy when it comes to more criminal activities.

They’re also known to use traffic shaping to websites they don’t like, and which they think should pay them more money to get to your eyeballs. Netflix and YouTube are popular examples here. When I can get much higher throughput to Netflix and YouTube when on VPN versus when I’m not using VPN, something is very wrong.

So, no. I don’t trust my ISP. Not at all. Not as far as I can bodily throw their HQ building.

They also fuck with your VPN connections. Which is why I have accounts with multiple VPN providers.

The other thing you can do for that issue is find some more trustworthy ISP somewhere (hopefully not too far away) that allows personal traffic (many do not) and always connect through them. This does not provide anonymity (likely requires ID to sign up) but does provide an encrypted channel through the extra shady ISPs that provide the actual network connection (even worse if you ever use free wifi).

I've been doing this with RamNode for a few years with their $15/year OpenVZ mostly via SOCKS with DNS passthrough (the main disadvantage of this is that it doesn't allow direct DNS resolution and some adblock techniques require being able to do that). This includes a fixed dedicated IP address. Presumably they will eventually support wireguard and then everything should work without fuss (you could setup OpenVPN if you are so inclined and I think would need to if you want to additionally use anonymity providing VPNs on top of that). There are still a few issues with various sites but it sounds like it is quite a bit less annoying than anonymous VPNs, at least once Google and Cloudflare figure out what you are doing. The 500GB bandwidth is per month and generously accounted so I've only once reached it (it would be $4/month for an additional TB). I'd guess there are a number of low priced ISPs that would work. Most software I've used seems to respect ALL_PROXY=socks5h://... these days although not all.

I thought DPI was for analyzing and blocking traffic. How are they able to decrypt, modify and re-encrypt the payload? Unless they are MITM and have access to a root signing cert and are creating valid false certificates in real-time. Or they get the end user to add a malicious root cert to their store.

Ads can be changed with plain HTTP requests, or DPI can be used to gain info about the HTTPS request and possibly block subsequent requests. The I in DPI is for inspection, AFAIK modification would be very difficult.

Many companies seem to be determined to defeat encryption via the public use of vanity domains that redirect without supporting TLS on the published domain name. Usually this is for particular marketing campaigns and not the main site, however as long as browsers support HTTP only redirects it is a potential risk for many sites (depending on the browser and any other measures they take to avoid such things). US banks have also been training customers to accept redirects to various shady sounding domains as a normal thing so there is a huge variety of domains that could be used to MITM with full TLS and without seeming unusual. Still not trivial to do the MITM and avoid detection. So hopefully that raises the cost to the point that Centurylink and Comcast won't actually do it but they obviously would not have any ethical reservations about doing something like that if it made them more money.

Sure, there are some reasons for a web proxy. But I asked about the bank case specifically and none of those apply.

Exactly, had a lot of attack attempts from nordvpn/expressvpn, no wonder someone might get banned because of the same IP.

I was in a similar situation. My outlook.com account was locked because I was violating their "no nudity" policy and some random naked girls (legal aged ofc!) were uploaded to skydrive. This happened several years ago.

I lost everything and couldn't access any mails.

After trying everything possible online, I wrote Microsoft a letter. A real letter on paper. Several weeks later I got a reply that they could do nothing as their tos was violated.

FUCK microsoft. Since then I am very careful with centralization of accounts. I am using many different email and cloud providers today and despise people who are happy that e.g. apple is today providing everything: from music over cloud to movies, mail, pay and so much more.

I had no idea they had a no-nudity TOS. It is US-centric, i.e. topless females is considered nudity? What about males?

What about onions? [0] Not an email provider, but AI enforcing TOS can go badly...

[0] https://www.cbc.ca/news/canada/newfoundland-labrador/onions-...

Get yourself a lifetime domain name. And connect that to an email service. And do regular backups of your mails in a structured way.

Email hoster misbehaving. Just switch mail provider, keep mail address, restore mail. And live a happy life?

> Get yourself a lifetime domain name.

AFAIK, the longest term you can register a domain for is 10 years -- and I believe some TLDs have much shorter limits.

> I've been thinking about it over the last several days and, legitimately, the only possible recourse is to run your own email server.

A possible alternative that is almost as good might be to get your own domain and use some email service like Fastmail with that domain. Have something that regularly downloads all your mail from the service (which might be as simple as configuring your normal email client to download and retain everything).

If you ever have a problem with Fastmail, sign up for some other email service that allows you to use your own domain, such as Protonmail, and change your domain's mail-related records to point to that service.

Your incoming email will be down during the time it takes to sign up for the other service and change your domain setup, but hopefully getting tossed off email services is a once in a blue moon event for you so.

(If you do this, make sure that changing domain settings at your name service provider does not depend on receiving email at your domain. It would be very irritating to not be able to point your mail-related records to the new provider because your name service provider is sending a TOTP token to your old email provider).

Right now there is a lot of activity around the US elections and ransomware campaigns where VPN devices are a common source of traffic.

Many places will discard the traffic due to elevated risk. Frankly, the public VPN services are pretty pointless anyway.

Did you attach a phone number to the account?

I had a similar issue with an outlook account I abandoned for a few years. They claimed that the account had been used to send spam (a bloody lie.) It was an account I used for RECEIVING spam (I don't see how that's a violation of terms of service).

They simply wanted to collect my phone number. Try to go through the recovery process. They might simply be trying to get your phone number.

I did but they've outright shut the door on me now.

I've periodically had to re-validate where they send me a text message but this is the first time they've locked me out completely

Many service providers will block access from known VPN endpoints. Try changing your endpoint and see if that helps. Otherwise, pick a different VPN.

It's unfortunately late by now for you, but I would suggest to have a local copy of all your data in the cloud. I use offlineimap to download all my email boxes each hour and commit them in a git repository. If they lock me out, at least I keep my data.

> the only possible recourse is to run your own email server

Or you get paid email hosting, preferably from a company whose entire business is just that. Then they'd have a stronger incentive to make sure their users are able to keep using their service.

outlook.com isn't paid?

Is it? I look it up and it says "free personal email from Microsoft". That's neither necessarily paid (though it might be optionally), nor from a company whose main/only business is email hosting.

My point is that relationships work as good as incentives are aligned. Aligning incentives better leads to a better relationship.

Microsoft offers both free and paid services. There’s the old Hotmail via outlook.com for free, and for $5/mo you can get Office 365 and access it via Outlook (app or web) and they won’t treat you like a freeloader.

It's what hotmail is called now

How do you know it was because of your vpn? Where are the other stories?

I've replied to this above but when I don't use the VPN it just worked fine.

On occasion with the VPN active, it flagged up something suspicious and I had to enter my phone number and receive a text to verify me.

Now they won't even let me do that.

They told you specifically it's because you use a VPN to connect, or is this your guess?

I heard fastmail is pretty cool

> The reason is that I use NordVPN to connect to the internet.

I can tell you that using a VPN wasn't why your account was blocked. Most corporate employees connect to Outlook.com through corporate VPNs (both of my last employers required it).

Could it be Nord VPN specifically, which seems like a more popular consumer oriented VPN compared to say Corporate VPN?

Yes. The VPN you use is basically attacking, bruteforcing Microsoft and multiple Microsoft services 24x7 continuously. Almost any consumer VPN will trigger something similar at every major service.

Do you mean the amount of traffic that the VPN sends to MS would look like an attack?

I think it is just more likely MS doesn't know who you are yet. For example, if you're talking about how you get more captcha to fill out, I think this is because your IP address doesn't have the history to build reputation as you with MS.

I think the idea is bad actors are using Nord to attempt hAx0r1ng.

The VPN service isn't attacking Microsoft. Do you mean customers of the VPN are attacking Microsoft?

I use mullvad and have used other vpns all the time with zero difficulty. The only service I can't use is netflix and even they let me access my account just fine I just can't actually play videos while connected to the vpn.

There is a huge difference between not allowing access to the service via vpn and banning an account by virtue of accessing the account from a legitimate vpn service. The latter is unusual it is not something anyone ought to expect from "every major service".

> The latter is unusual it is not something anyone ought to expect from "every major service".

The latter is something I'd expect all the time, if I logged in to eBay from a M247 IP I'd expect the account to be suspended within minutes.

I can log into ebay with my vpn so long as I also verify I have access to my email or phone. This does automatically trigger extra checking but they didn't suspend my account within minutes or indeed at all.

A corporate VPN probably wouldn't appear in the lists of "known VPNs" or have low IP reputation; also, outside perhaps of some subtle timing issues, there's nothing to distinguish client->corpvpn->service traffic from regular old probably-NATted traffic from that network.

It could be. We've had Microsoft accounts locked when they log in from other countries for suspicious activity. Had to unlock the account from the admin panel and it didn't have any issues with overseas access after that.

That would make sense in a corp environment but I only connect to the UK ones.
