Why does Linode seem to be a new Spam Generator?

So, we have been reporting SPAM to source for ever and a day.
Linode-based has been reported (this workstation) since October of 2017 (coincides with the month we started logfiles).
The questions are, why? Why does it go on and on, Linode responds that "The customer has been cancelled as fraudulent and removed from our platform." or some other supposedly reassuring nebulous commentary.
In the old days, providers filtered data…..the most common way was words in subject line…remember Viagra? And the spammers tried workarounds with v1 aGR A? Or Pharmacy? And purposeful mis-spellings to avoid filters?

Here's the deal. Sunglasses. May through what, October? HUNDREDS of Linode-based Spam messages with that word in the subject line. All the way back to 2017 (on this workstation). Then there is Moncler, UGG, and the word Winter, during the rest of the year.

We have logfiles. To finish with second question, why cannot Linode keyword filter and block? Seems like removing a PRC-based Spammer from your platform does just about as much good as…..nothing.

The only provider with more Spam, and the gap is getting smaller, than Linode is Amazon AWS/EC2.

I really think you don't want the distinction of being the biggest Jersey-Based Spam Generator in North America…but I could be wrong.

Try it….filtering subject line keywords…..and I am fairly certain your TOS allow that.

6 Replies

If Linode says they cancelled somebody, they cancelled somebody. Linode truly does care about abuse complaints, and properly handles all valid complaints they receive (source: I used to work for Linode, and one of my responsibilities was handling abuse complaints). However, dealing with abuse has always been and will always be whack-a-mole. There's only so much that Linode can do. Keyword filtering is not very effective, both because spammers just bypass the filtering by not using the keywords as you have them in the system, and that for every keyword you might put into the system that is a regular word or phrase, somebody's going to have a legitimate reason for sending mail with that keyword, and subsequently be rather mad that you blocked their mail. Furthermore, there could potentially be legal ramifications for content filtering (but IANAL and TINLA), possibly including losing the liability shield that comes from simply being the transit provider. Keyword filter systems are made even more ineffective by the fact that most modern mailservers support STARTTLS for MTA<->MTA SMTP exchanges, and will do this opportunistically, so a keyword filter system would not even see the email being exchanged.

The best thing that you can do is to automate your spam reporting process as much as possible. Linode accepts automated reports sent to their abuse address, provided they provide sufficient information to verify the complaint. For email, this would simply require the full headers of the spam email; including the body of the email is also helpful, but not strictly required.

I recall one provider HAD to do that to stop the Romanian Spam Gang (seriously), and it worked.
Of course, the PRC spammers just use anybody now, since we've blocked the PRC-based IP addresses.
Oh, I believe that Linode removed them. But they just sign up again under a different name.

The big thing to remember here is that Linode is a server hosting provider, not an email hosting provider. The spammers create a node, load up mail server software, and go to town.

Same with Amazon's EC2, Digital Ocean, and any other unmanaged VPS provider.

Is it possible for these providers to put some kind of filtering on their network's edge? Sure, but that gets into a lot of other problems.

Cancelling the accounts is really the best they can do. Sure, the spammers will sign up for new accounts and/or move on to another provider. There's only so much that any provider can do in identifying these folks during the signup process.

It's the nature of the beast.

Not knowing for sure what is spoofed in the headers, but it doth appear that most of this latest batch are from accounts ending in .top. Found out what .top is, but it's supposed to have a two letter country identifier, which these do not:
Received: from bws.djcwwch.top ([45.79.178.178])
by ibscan-midway.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1HJAs93q13PGoUi1
Received: from tfm.fizgzdk.top ([139.162.208.37])
by ibscan-saratoga.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP
id 1HJdpP2Jm3PGoUm1
Received: from hsjt.eozcqxf.top ([69.164.219.78])
by ibscan-saratoga.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1HISf61Yh3PGoUm1
Received: from nhp.crkehbf.top ([173.230.139.37])
by ibscan-princeton.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1HIbG95Jt3PGoUj0

The hash before the .top is very reminiscent of SPAM generators of the past…..some .ro, mostly PRC. Should be able to filter by that, one would think, but that takes work…manpower..money.

I mean, they have to know the source of this stuff, right? When it goes through their system, that information becomes lost to recipient (like google-sourced SPAM…you never know where it came from), but if I could, every SPAM sourced from PRC, .ru, .ro, and .in would be dumped. And anything originating from AFRINIC. I mean, how many versions of "Dear friend….we have your inheritance on an ATM card for you" do I need to see?

I've been reporting stuff to source since…Lordy, has it been WIN95?

Couple of years ago I quit .ro, and .ru…..as they were harvesting known good e-mails….found that out with the Romanian Spam Gang.

All the IPs you mentioned have been listed on at least a few major spam block lists which should cause any sane mail system to reject any new mail from them.

Linode or any major server provider can't really do anything other than canceling the customers and maybe preventing the reuse of the credit card number. But since they are spamming, the credit card is likely fraudulent/stolen anyways. It is fruitless to attempt outbound SMTP filtering from compute service providers like Linode for many reasons. The primary reason is mail sent over TLS (the default for most mail servers) can't be feasibly inspected or filtered by the provider. The only feasible places to perform filtering today are on the receiving server (which most servers do), on shared sending servers (like Gmail, Outlook, etc., which some do) or the receiving client(s) themselves (rare).

Detecting malicious "customers" is a problem for any server host. I'm sure Linode appreciates the help identifying them.

All but the last of those 4 IP addresses don't respond to ping (and I find it unlikely that spammers would have gone through the effort of blocking ICMP), so those Linodes have already been terminated. The last IP responds in such a way that suggests that it's no longer being used for spam (as in, it was recycled to another customer). The Received header is added by the receiving mailserver, and the hostname that shows up before the parentheses is the SMTP HELO name provided by the remote server (and thus can be anything).

You seem to be expecting Linode to do things that they're either not capable of, or would risk losing their liability shield and still not be effective in the modern era of opportunistic TLS.
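
Added example, not part of the original thread or any poster's code: a Python sketch of the header triage an automated abuse report needs, following the point above that the name before the parentheses is only the HELO claim while the bracketed IP is what the receiving server recorded. The sample message is constructed: its first `Received` line is one quoted earlier in the thread, the second is a made-up forged hop, and the function names and `trusted_suffix` parameter are assumptions.

```python
import email
import ipaddress
import re

# "from HELO ([IP]) by RECEIVER" shape, as in the headers quoted in this thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+by\s+(?P<by>\S+)"
)

# Constructed sample: top hop copied from the thread, lower hop is a forged
# header the sender could have inserted (documentation address 192.0.2.10).
SAMPLE = (
    "Received: from bws.djcwwch.top ([45.79.178.178])\n"
    "\tby ibscan-midway.atl.sa.earthlink.net (EarthLink SMTP Server)"
    " with ESMTP id 1HJAs93q13PGoUi1\n"
    "Received: from mail.example.org ([192.0.2.10])\n"
    "\tby relay.example.net with SMTP id CONSTRUCTED\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def parse_received(value):
    """Split one Received header into HELO claim, peer IP and recording server."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("ip"))  # reject malformed addresses
    except ValueError:
        return None
    return {
        "helo_claimed": m.group("helo"),  # sender-supplied, can be anything
        "peer_ip": str(peer),             # recorded by the receiving server
        "recorded_by": m.group("by"),
    }

def reportable_source(raw_message, trusted_suffix):
    """Return the first hop, top down, written by a server we trust.

    Headers are prepended in transit, so anything below our own server's
    line may have been forged by the sender and is ignored.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["recorded_by"].endswith(trusted_suffix):
            return hop
    return None

if __name__ == "__main__":
    print(reportable_source(SAMPLE, ".earthlink.net"))
```

The `peer_ip` of the returned hop is the address to look up for the responsible abuse contact; the full, unmodified headers still go in the report itself.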
