At Linode, we're extremely proud of our Customer Support and Trust & Safety teams and the work they do together. These are teams made up of real humans who share an important goal: keeping our platform safe and free from abuse and fraud, and crafting policies that keep our customers safe. This means that when you email abuse@linode.com, you can expect a real person to respond, usually within minutes. That person is a member of an entire team that has gone through extensive training to understand all the complexities of handling abuse, and who can respond to reports with empathy and speed.
One of the most common problems for our teams (and our industry) is spam abuse. It accounts for a significant share of the issues our Trust & Safety team handles, and it's a problem that gets harder to solve every year as fraudulent users adapt to new methods of stopping and blocking abuse. As Linode has grown, we've thought about what we can do to deter spammers and fraudulent users from using our platform.
In response, starting today, Linodes on newly created customer accounts will have outbound connections on ports 25, 465, and 587 restricted by default. This change only affects customers who sign up from today onward. If you're already a Linode customer, no changes will be made to your existing or new Linodes.
Restricting access to these ports, which are used for mail delivery over SMTP, will go a long way toward reducing the amount of spam sent from our platform. However, we also recognize that many customers have a legitimate need to send mail, and we want to help them do so. For these customers, the process for removing these restrictions is simple:
- Configure valid A records and reverse DNS for the Linodes you want to use for mailing.
- Open a Support ticket and provide us with some basic information (the information we'll ask for is outlined in our "Running a Mail Server" guide).
Our Support team will review your request. If everything looks good, they'll remove the SMTP port restrictions so you can get started.
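A pre-flight check for the first step above, as an added example that is not Linode's own validation or code from the original post: it confirms that a host name's A record and the address's reverse DNS agree (forward-confirmed reverse DNS) before you open the ticket. The host names, addresses and helper names are constructed for illustration, and treating "valid" as mutual agreement between the two records is an assumption.

```python
import socket

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def system_reverse(ip):
    """PTR lookup via the system resolver; returns a list of host names."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [primary, *aliases]

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of addresses."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_mail_dns(hostname, ip, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means A and PTR records agree.
    The address is compared as text, so pass it in the resolver's own form."""
    problems = []
    if ip not in forward(hostname):
        problems.append(f"A record: {hostname} does not resolve to {ip}")
    ptr_names = [_norm(n) for n in reverse(ip)]
    if not ptr_names:
        problems.append(f"rDNS: no PTR record for {ip}")
    elif _norm(hostname) not in ptr_names:
        problems.append(f"rDNS: {ip} points to {ptr_names[0]}, not {hostname}")
    return problems

# Constructed sample zone data (documentation-range address, example.com names),
# so the check can be exercised without touching the network.
SAMPLE_A = {"mail.example.com": {"203.0.113.10"}, "www.example.com": {"203.0.113.10"}}
SAMPLE_PTR = {"203.0.113.10": ["Mail.Example.com."]}

def sample_forward(name):
    return SAMPLE_A.get(_norm(name), set())

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

if __name__ == "__main__":
    for host, ip in [("mail.example.com", "203.0.113.10"),
                     ("www.example.com", "203.0.113.10"),
                     ("mail.example.com", "203.0.113.99")]:
        print(host, ip, check_mail_dns(host, ip, sample_forward, sample_reverse) or "OK")
```

Called without the last two arguments, `check_mail_dns` queries the system resolver instead of the sample data.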
In rolling out this new policy, our goal is to strike a balance between the need to keep our platform safe and the understanding that many of our customers have legitimate needs to send email. We want Linode to be the best cloud platform for developers and the customers they build for. By keeping bad actors out and our IP space free of spam and abuse, we hope to give you a cleaner, more efficient, and ultimately better cloud experience.
Comments (29)
There’s a confusing discrepancy between this article and the “Running a Mail Server” guide. Here it says connections to (INCOMING) those ports will be blocked. The guide says OUTBOUND connections will be blocked.
Which is it?
The former makes more sense as it helps stop accidental mail servers on the network. The latter doesn’t, as it prevents sites/servers from sending emails to administrators. (Like logcheck, update notices for websites, etc.)
Hey Paul. I’ve just updated the post – we block outbound connections on those ports, not inbound connections.
Hi, I don’t understand how this works. I am running OpenVPN on my Linode and when I use it, I can’t email out from Thunderbird. Can you explain how I can allow the connections? Because none of this makes sense unless I was using a domain/email.
Next step, let an ML algorithm decide who to unblock? Anyway, very stupid decision. Customers pay you money. You’re a commodity interchangeable service. If you make stupid additional barriers for customers, they will just leave for your rivals. Nobody wants to wait and talk to your support, justify himself and be dependent on someone’s will.
Thank you for sharing your thoughts with us. This policy was created out of a need to address abuse on our platform in a comprehensive way, and we carefully weighed this against industry practices. We are, and always will be, a team of real humans, and we will respond to every request.
If you would like to reach out to us immediately to address these concerns on your account, we are available 24/7 via phone. https://www.linode.com/contact
Can I suggest that moving your main site to Cloudflare may not look the best to some from an anti-spam (and anti-abuse in general) perspective, and perhaps could also suggest to others a possible lack of confidence in your infrastructure’s ability to handle your site’s traffic by itself?
Or could it be in part because your new site has a significantly large bandwidth usage and they help you with the static content bandwidth?
Spammers send mail, that is, make outgoing connections to other mail servers, so I’m not sure how blocking incoming connections helps.
Hey Kenyon. Just updated the post to clarify – we block connections *from* Linodes (e.g. outbound connections), not inbound. Sorry for the confusion!
Ah, but mail servers don’t usually make outgoing connections to ports 465/587…mail client apps do.
I think I understand the change, having seen quite a few SMTP bruteforce attempts in my own mailserver’s logs, but it still doesn’t entirely *fit* the explanation provided.
I think that for many users an intermediate unlock level where 465/587 are allowed but 25 is still blocked would make sense, e.g. if they’re not running a mail server at all but just want to use msmtp for relaying Cron mail through Gmail, or using Amazon SES, or such.
That’s an interesting idea and something we can consider as we review the implications of this change. I appreciate you taking the time to share your thoughts on how to better serve legitimate users. I’ve shared your thoughts with the rest of the company to review.
Port 587 should not be blocked, this port is not used for receiving unauthenticated mail and was created specifically to allow authenticated mail from senders so that networks can block port 25 for non-mail-server traffic.
To be clear, port 587 cannot be used to send spam.
While most mail servers ask for authentication, port 587 can be used as a way to send spam. Port 587 is often used for outgoing unencrypted mail from an SMTP server, and is why we’ve chosen to include it in these ports that are initially blocked.
Good move (both actions), if it helps Linode users running legitimate mail servers getting their non-spam mail accepted on the internet. This has been a problem in the past; also due to other actors (e.g. Google) being entirely non-transparent about how they decide to drop your mail.
When you say we need a valid A record, does that mean we have to use your DNS service in order for the ports to be unblocked? What if we use DNS servers provided by our registrar, a third party, or even a server we operate? Will there be any accommodations for those customers?
You’ll still be able to use whichever DNS servers you like. We can verify valid records using commands like dig in order to validate requests to unblock mail ports. More information about using dig can be found via this link.
I am curious how do you plan to work this for setups where servers come up and down frequently but have a need to send email when done? Is this going to be an account wide approval or per machine approval?
What is going to be the SLA for response on these requests?
Account wide approval can be done by opening a Support ticket. We work to get to these requests quickly, but if the request is urgent, it’s best to reach us by phone.
I am an existing customer. If I understand correctly I can still provision a new server and not have to contact support to get it unblocked?
Yes, that’s correct! Existing customers do not have to contact support, as mail ports are not blocked by default for them.
Oh cool. I’m sure people are going to be happy to reach out to support immediately after creating an account and waiting hours to actually have full access to the services they’ve paid for.
Such a useless change that will undoubtedly be followed by more. How long until each Linode requires justification?
Hi James! Between actively looking for tickets related to these SMTP restrictions and our 24/7 phone support, we’re able to grab most requests fairly quickly. And I can definitively say that we have no plans to require justification for each new Linode 🙂
Based on what I see in my servers’ logs, the only way to fight spam and attack attempts originating from Linode subnets is to block traffic from them. There is no day without attempts:
139.162.204.61 - - [05/Dec/2019:19:28:52 +0000] "GET /api/v1/pods HTTP/1.1" 403 341 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
176.58.124.134 - - [05/Dec/2019:23:46:37 +0000] "GET /msdn.cpp HTTP/1.1" 400 345 "-" "WinHTTP/1.1"
Hey there — our Trust & Safety team has determined that the IP addresses you’re reporting are currently operated by security researchers, and that the associated traffic isn’t intended to be malicious.
Apart from blocking traffic originating from us, we’d gladly pass blacklist requests for your own IP addresses on to our customers — just send the requests to us at abuse@linode.com along with the information you’ve posted here. We monitor this email 24/7, so you can also report any other malicious activity you see coming from our platform there and we’ll quickly investigate.
I feel that this is a good approach; however, those that do have an SMTP server might not know the best ways to fight spam.
Perhaps it would help to have a linked document on best practices, or considerations to keep in mind, emphasising stuff like…
– Establishing and maintaining a secure password policy for e-mail accounts (so passwords can not be ‘123456’ or ‘password’, and some other dumb ones)
– Having an outgoing filter might avoid spam/malware distribution (i.e. SpamAssassin, MailScanner, or cloud services like SpamExperts, MailChannels)
– Preventing users from redirecting their inbox to free e-mail providers (or any at all) will also stop spam distribution. Most of these services provide POP/IMAP import which is by far superior to a forwarder
– Enforcing SPF / DKIM on your domains, and outgoing SMTP server. This will make it harder for people to use your domains for phishing, but also will prevent your own server from sending e-mail thru domains you don’t own.
– Set up your SMTP server to reject outgoing e-mail when it belongs to an e-mail address that you don’t own (i.e. don’t allow your servers to send e-mail personifying someone else)
– Always use SSL, everywhere, self-signed or free certificates are OK, but not recommended.
Hi Emiliano!
Those are all great points. Thank you for outlining them for people. Linode has a few different email server guides that walk the user through setting things up properly. In particular, the Configure Spam and Virus Protection section of the Running a Mail Server guide, which is linked in the post above. This section goes over a few of the things you’ve mentioned. I can definitely see how helpful it would be to have all of this information in one place. So, I’ve passed your suggestions along to our documentation team for consideration.
It would be better if Linode whitelisted certain well-known 3rd party SMTP gateways by default. For example “email-smtp.us-west-2.amazonaws.com:587” for Amazon SES service.
I mainly use Amazon SES for email because of reliability. After I moved my website to Linode, I found that all the email can’t be sent because Linode blocked my server from connecting to the Amazon SES gateway. Now I have to open a ticket and wait for unblock, not a smooth experience overall.
Hi Kam,
I’m sorry to hear that you experienced some frustration with this process. We are constantly looking for ways to improve this procedure, and we really appreciate you sharing your thoughts with us. I can definitely understand the validity of your point, so, I’ve passed it along to our team for further consideration.
Please, feel free to share any thoughts you may have about any of our services by sending an email to feedback@linode.com.
It’s 2024 and I’ve just been bitten by this mind-numbingly stupid policy.
I’ve been with Linode for over a decade and never had problems sending email from any of my old machines, so imagine my frustration when I suddenly started having email issues from a Linode I spun up a few weeks ago.
Only after painstaking debugging did I discover it’s not my fault – it’s Linode intentionally blocking my ability to send outbound traffic in a way which is *TOTALLY OPAQUE* to the customer.
I really can’t believe this policy has been implemented the way it has.
When customers commission a new Linode there should be a huge notice in red letters which says “BY THE WAY, WE’RE RESTRICTING THIS REALLY BASIC FEATURE” so customers don’t waste their time like I did.
Time for a new cloud host for me and my many Linodes.
Hey Greg,
We understand that it was a frustrating process to go through setting up your mail server to find out that the SMTP filters were restricted by default. If you’d like to request to remove these restrictions, we recommend opening a ticket with our Support team.
We appreciate the suggestion you’ve provided and have passed along your feedback to our team. This way the relevant teams can keep this in mind as we continue to improve our infrastructure and services.
We do not have a time for when this feature will be implemented, but the feedback provided is invaluable to us and we want to ensure your voice is heard. If you have any more suggestions, please feel free to submit your feedback.