A New Policy to Help Fight Spam


At Linode, we’re extremely proud of our Customer Support and Trust & Safety teams and the work they do together – they’re teams staffed by real humans who share an important goal: keeping our platform safe and free of abuse and fraud, and crafting policies that keep our customers safe. This means that when you email [email protected], you can expect to hear, usually within minutes, from a real person – a member of an entire team that’s undergone extensive training to understand all of the complexities that can come with handling abuse, and who can respond to reports with empathy and urgency.

One of the most common problems for our teams (and our industry) is spam email abuse. It makes up a significant portion of the issues that our Trust & Safety team has to handle, and it’s a problem that’s getting harder to solve every year as fraudulent users adapt to new methods of stopping and blocking abuse. As Linode has grown, we’ve reflected on what we can do to dissuade spammers and fraudulent users from using our platform.

In response to this problem, starting today, Linodes on newly created customer accounts will have outbound connections on ports 25, 465, and 587 blocked by default. This change only affects customers who sign up starting today – if you’re already a Linode customer, no changes will be made to any existing or new Linodes.

Restricting access to these ports, which are used for mail delivery via SMTP, will go a long way to reducing the amount of spam transmitted from our platform. However, we also recognize that many customers have a legitimate need to send mail, and we want to help them do that. For those customers, the process for removing these restrictions is straightforward:

  1. Configure valid A records and reverse DNS for the Linodes you’d like to use for mailing.
  2. Open a Support ticket and provide us with some basic information (the information we’ll ask for is outlined in our “Running a Mail Server” guide).

Our Support team will review your request – if everything looks good, they’ll remove the SMTP port restrictions so you can get underway.
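A pre-flight check for step 1, added here as an example (it is not Linode's tooling or review procedure): it confirms that the hostname's A/AAAA record points at the server and that the address's PTR record points back to the same name. The hostnames, the address and the sample records are constructed, and `check_mail_dns` is a hypothetical helper name.

```python
import ipaddress
import socket

# Constructed sample records (documentation address space), not real DNS data.
SAMPLE_A = {"mail.example.com": ["192.0.2.10"], "host-10.provider.example": ["192.0.2.10"]}
SAMPLE_PTR_SET = {"192.0.2.10": ["mail.example.com."]}
SAMPLE_PTR_DEFAULT = {"192.0.2.10": ["host-10.provider.example."]}

def system_addrs(hostname):
    """A/AAAA addresses for hostname from the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    except socket.gaierror:
        return []

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_mail_dns(hostname, ip, lookup_addrs=system_addrs, lookup_ptr=system_ptr):
    """Return a list of problems; an empty list means A and PTR agree."""
    target = ipaddress.ip_address(ip)
    resolves_to_target = lambda name: target in {
        ipaddress.ip_address(a) for a in lookup_addrs(name)}
    problems = []
    if not resolves_to_target(_norm(hostname)):
        problems.append(f"forward: {hostname} does not resolve to {ip}")
    ptrs = [_norm(p) for p in lookup_ptr(ip)]
    if not ptrs:
        problems.append(f"reverse: no PTR record for {ip}")
    elif _norm(hostname) not in ptrs:
        problems.append(f"reverse: PTR for {ip} is {ptrs[0]}, not {hostname}")
    # Forward-confirm: each PTR name must itself resolve back to the address.
    for name in ptrs:
        if not resolves_to_target(name):
            problems.append(f"reverse: {name} does not resolve back to {ip}")
    return problems

if __name__ == "__main__":  # run against the constructed records above
    for zone in (SAMPLE_PTR_SET, SAMPLE_PTR_DEFAULT):
        print(check_mail_dns("mail.example.com", "192.0.2.10",
                             lambda h: SAMPLE_A.get(h, []), lambda ip: zone.get(ip, [])))
```

Called with only a hostname and an address, the function uses the system resolver; the second sample zone shows the common failure where the PTR still carries a provider-default name.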

In rolling out this new policy, our goal is to balance the need to keep our platform safe with the understanding that many of our customers have legitimate needs to send mail. We want Linode to be the best cloud platform for developers and the customers they build for. By keeping bad actors out and our IP space free of spam and abuse, we hope to deliver a cleaner, more efficient and, ultimately, better cloud experience for you.

Comments (16)

  1. Paul N. Marano

    There’s a confusing discrepancy between this article and the “Running a Mail Server” guide. Here it says connections to (INCOMING) those ports will be blocked. The guide says OUTBOUND connections will be blocked.

    Which is it?

    The former makes more sense as it helps stop accidental mail servers on the network. The latter doesn’t, as it prevents sites/servers from sending emails to administrators. (Like logcheck, update notices for websites, etc.)

    • Jim Ackley

      Hey Paul. I’ve just updated the post – we block outbound connections on those ports, not inbound connections.

  2. Customer

    Next step, let ML algorithm decide who to unblock? Anyway, very stupid decision. Customers pay you money. You’re a commodity interchangeable service. If you make stupid additional barriers for customers, they will just leave for your rivals. Nobody wants to wait and talk to your support, justify himself and be dependent on someone’s will.

    • Regina Daniels

      Thank you for sharing your thoughts with us. This policy was created out of a need to address abuse on our platform in a comprehensive way, and we carefully weighed this against industry practices. We are, and always will be, a team of real humans, and we will respond to every request.

      If you would like to reach out to us immediately to address these concerns on your account, we are available 24/7 via phone. https://www.linode.com/contact

      • William

        Can I suggest that moving your main site to Cloudflare may not look the best to some from an anti-spam (and anti-abuse in general) perspective, and perhaps could also suggest to others a possible lack of confidence in your infrastructure’s ability to handle your site’s traffic by itself?

        Or could it be in part because your new site has a significantly large bandwidth usage and they help you with the static content bandwidth?

  3. Kenyon Ralph

    Spammers send mail, that is, make outgoing connections to other mail servers, so I’m not sure how blocking incoming connections helps.

    • Jim Ackley

      Hey Kenyon. Just updated the post to clarify – we block connections *from* Linodes (e.g. outbound connections), not inbound. Sorry for the confusion!

      • grwy

        Ah, but mail servers don’t usually make outgoing connections to ports 465/587…mail client apps do.

        I think I understand the change, having seen quite a few SMTP bruteforce attempts in my own mailserver’s logs, but it still doesn’t entirely *fit* the explanation provided.

        I think that for many users an intermediate unlock level where 465/587 are allowed but 25 is still blocked would make sense, e.g. if they’re not running a mail server at all but just want to use msmtp for relaying Cron mail through Gmail, or using Amazon SES, or such.

        • pwoods

          That’s an interesting idea and something we can consider as we review the implications of this change. I appreciate you taking the time to share your thoughts on how to better serve legitimate users. I’ve shared your thoughts with the rest of the company to review.

  4. Dave

    Port 587 should not be blocked, this port is not used for receiving unauthenticated mail and was created specifically to allow authenticated mail from senders so that networks can block port 25 for non-mail-server traffic.

    To be clear, port 587 cannot be used to send spam.

    • pwoods

      While most mail servers ask for authentication, port 587 can be used as a way to send spam. Port 587 is often used for outgoing unencrypted mail from an SMTP server, and is why we’ve chosen to include it in these ports that are initially blocked.

  5. Bruno

    Good move (both actions), if it helps Linode users running legitimate mail servers getting their non-spam mail accepted on the internet. This has been a problem in the past; also due to other actors (e.g. Google) being entirely non-transparent about how they decide to drop your mail.

  6. William

    When you say we need a valid A record, does that mean we have to use your DNS service in order for the ports to be unblocked? What if we use DNS servers provided by our registrar, a third party, or even a server we operate? Will there be any accommodations for those customers?

    • Jessica Yoo

      You’ll still be able to use whichever DNS servers you like. We can verify valid records using commands like dig in order to validate requests to unblock mail ports. More information about using dig can be found via this link.

  7. Conrad

    I am curious how you plan to work this for setups where servers come up and down frequently but have a need to send email when done. Is this going to be an account-wide approval or per-machine approval?

    What is going to be the SLA for response on these requests?

    • pwoods

      Account wide approval can be done by opening a Support ticket. We work to get to these requests quickly, but if the request is urgent, it’s best to reach us by phone.
