메인 콘텐츠로 건너뛰기
블로그 Linode (주) 스팸 퇴치를 위한 새로운 정책

스팸 방지를 위한 새로운 정책

Linode는 고객 지원 및 신뢰 및 안전 팀과 함께 하는 일에 대해 매우 자랑스럽게 생각하며, 플랫폼을 남용및 사기로 안전하게 유지하고 고객을 안전하게 보호하는 정책을 수립하는 중요한 목표를 공유하는 실제 인간이 팀을 구성합니다. 즉, abuse@linode.com이메일을 보내면 일반적으로 실제 사람으로부터 학대를 처리하는 데 있어 올 수 있는 모든 복잡성을 이해하고 공감과 긴급성으로 보고서에 응답할 수 있는 전체 팀의 일원으로부터 들을 수 있습니다.

당사 팀(및 업계)에서 가장 일반적인 문제 중 하나는 스팸 이메일 악용입니다. 이는 당사의 신뢰 및 안전 팀이 처리해야 할 문제의 상당 부분을 차지하며, 사기성 사용자가 악용을 방지하고 차단하는 새로운 방법에 적응하기에 매년 해결하기 점점 더 어려워지는 문제입니다. Linode가 성장하면서 우리는 스팸 발신자와 사기성 사용자가 플랫폼을 사용하지 못하도록 방지하기 위해 할 수 있는 일을 숙고해 보았습니다.

이 문제에 대한 대응으로 오늘부터 새로 생성된 고객 계정의 Linode는 기본적으로 제한된 포트 25, 465 및 587의 발신 연결을 갖게 됩니다. 이 변경 사항은 오늘부터 가입한 고객에게만 영향을 미칩니다. 이미 Linode 고객인 경우 기존 또는 신규 Linode에 변경 사항이 적용되지 않습니다.

SMTP를 통한 메일 전달에 사용되는 이러한 포트에 대한 액세스를 제한하면 플랫폼에서 전송되는 스팸의 양을 줄이는 데 큰 도움이 됩니다. 그러나 우리는 또한 많은 고객이 메일을 보내야 하는 타당한 필요성이 있음을 알고 있으며, 이를 지원하고 싶습니다. 이러한 고객의 경우 제한 사항을 제거하는 프로세스는 간단합니다. 

  1. 메일링에 사용하려는 Linode에 대해 유효한 A 레코드역방향 DNS를 구성합니다.
  2. 지원 티켓을 열고 몇 가지 기본 정보를 제공합니다(당사에서 요청할 정보는 “메일 서버 실행” 가이드에 간략히 설명되어 있습니다).

지원 팀에서 귀하의 요청을 검토합니다. 모든 것이 정상이면 SMTP 포트 제한을 제거하여 진행할 수 있습니다.

이 새로운 정책을 시행하는 데 있어 우리의 목표는 많은 고객이 메일을 보내야 하는 타당한 필요성이 있다는 이해와 플랫폼을 안전하게 유지해야 할 필요성의 균형을 맞추는 것입니다. 우리는 Linode가 개발자 및 개발자가 빌드하는 고객을 위한 최고의 클라우드 플랫폼이 되기를 바랍니다. 악성 사용자를 차단하고 IP 공간에 스팸 및 악용이 없도록 유지함으로써 더욱 깨끗하고 효율적이며 궁극적으로 더 나은 클라우드 경험을 제공하고자 합니다.


댓글 (27)

  1. Author Photo

    There’s a confusing discrepancy between this article and the “Running a Mail Server” guide. Here is saying connections to (INCOMING) those ports will be blocked. The guide says OUTBOUND connections will be blocked.

    Which is it?

    The former makes more sense as it helps stop accidental mail servers on the network. The later doesn’t as it prevent sites/servers from sending emails to administrators. (Like logcheck, update notices for websites, etc.)

    • Jim Ackley

      Hey Paul. I’ve just updated the post – we block outbound connections on those ports, not inbound connections.

      • Author Photo

        Hi, I don’t understand how this works. I am running OpenVPN on my Linode and when I use it, I can’t email out from thunderbird. Can you explain how I can allow the connections? Because none of this makes sense unless I was using a domain/email

  2. Author Photo

    Next step, let ML algorithm decide who to unblock? Anyway, very stupid decision. Customers pay you money. You’re a commodity interchangeable service. If you make stupid additional barriers for customers, they will just live to your rivals. Nobody wants to wait and talk to your support, justify himself and be dependent on someone’s will.

    • Author Photo

      Thank you for sharing your thoughts with us. This policy was created out of a need to address abuse on our platform in a comprehensive way, and we carefully weighed this against industry practices. We are, and always will be, a team of real humans, and we will respond to every request.

      If you would like to reach out to us immediately to address these concerns on your account, we are available 24/7 via phone. https://www.linode.com/contact

      • Author Photo

        Can I suggest that moving your main site to Cloudflare may not look the best to some from an anti-spam (and anti-abuse in general) perspective, and perhaps could also suggest to others a possible lack of confidence in your infrastructure’s ability to handle your site’s traffic by itself?

        Or could it be in part because your new site has a significantly large bandwidth usage and they help you with the static content bandwidth?

  3. Author Photo

    Spammers send mail, that is, make outgoing connections to other mail servers, so I’m not sure how blocking incoming connections helps.

    • Jim Ackley

      Hey Kenyon. Just updated the post to clarify – we block connections *from* Linodes (e.g. outbound connections), not inbound. Sorry for the confusion!

      • Author Photo

        Ah, but mail servers don’t usually make outgoing connections to ports 465/587…mail client apps do.

        I think I understand the change, having seen quite a few SMTP bruteforce attempts in my own mailserver’s logs, but it still doesn’t entirely *fit* the explanation provided.

        I think that for many users an intermediate unlock level where 465/587 are allowed but 25 is still blocked would make sense, e.g. if they’re not running a mail server at all but just want to use msmtp for relaying Cron mail through Gmail, or using Amazon SES, or such.

        • pwoods

          That’s an interesting idea and something we can consider as we review the implications of this change. I appreciate you taking the time to share your thoughts on how to better serve legitimate users. I’ve shared your thoughts with the rest of the company to review.

  4. Author Photo

    Port 587 should not be blocked, this port is not used for receiving unauthenticated mail and was created specifically to allow authenticated mail from senders so that networks can block port 25 for non-mail-server traffic.

    To be clear, port 587 cannot be used to send spam.

    • pwoods

      While most mail servers ask for authentication, port 587 can be used as a way to send spam. Port 587 is often used for outgoing unencrypted mail from an SMTP server, and is why we’ve chosen to include it in these ports that are initially blocked.

  5. Author Photo

    Good move (both actions), if it helps Linode users running legitimate mail servers getting their non-spam mail accepted on the internet. This has been a problem in the past; also due to other actors (e.g. Google) being entirely non-transparent about how they decide to drop your mail.

  6. Author Photo

    When you say we need a valid A record, does that mean we have to use your DNS service in order for the ports to be unblocked? What if we use DNS servers provided by our registrar, a third party, or even a server we operate? Will there be any accommodations for those customers?

    • Jessica Yoo

      You’ll still be able to use whichever DNS servers you like. We can verify valid records using commands like dig in order to validate requests to unblock mail ports. More information about using dig can be found via this link.

  7. Author Photo

    I am curious how do you plan to work this for setups where servers come up and down frequently but have a need to send email when done? Is this going to be an account wide approval or per machine approval?

    What is going to be the SLA for response on these requests?

  8. Author Photo

    I am an existing customer. If I understand correctly I can still provision a new server and not have to contact support to get it unblocked?

  9. Author Photo

    Oh cool. I’m sure people are going to be happy to reach out to support immediately after creating an account and waiting hours to actually have full access to the services they’ve paid for.

    Such a useless change that will undoubtedly be followed by more. How long until each Linode requires justification?

    • Jim Ackley

      Hi James! Between actively looking for tickets related to these SMTP restrictions and our 24/7 phone support, we’re able to grab most requests fairly quickly. And I can definitively say that we have no plans to require justification for each new Linode 🙂

  10. Author Photo

    Based on what I see in my servers logs, only one way to fight with spam and attack attempts originated from Linode subnets is to block traffic from them. There is no day without attempts:
    139.162.204.61 – – [05/Dec/2019:19:28:52 +0000] “GET /api/v1/pods HTTP/1.1” 403 341 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36”
    176.58.124.134 – – [05/Dec/2019:23:46:37 +0000] “GET /msdn.cpp HTTP/1.1” 400 345 “-” “WinHTTP/1.1”

    • Author Photo

      Hey there — our Trust & Safety team has determined that the IP addresses you’re reporting are currently operated by security researchers, and that the associated traffic isn’t intended to be malicious.

      Apart from blocking traffic originating from us, we’d gladly pass blacklist requests for your own IP addresses on to our customers — just send the requests to us at abuse@linode.com along with the information you’ve posted here. We monitor this email 24/7, so you can also report any other malicious activity you see coming from our platform there and we’ll quickly investigate.

  11. Author Photo

    I feel that this is a good approach, however, those that do have an SMTP server might now know the best ways to fight spam.

    Perhaps it would help to have a linked document on best practices, or considerations to keep in mind, emphasising stuff like…

    – Establishing and maintaining a secure password policy for e-mail accounts (so passwords can not be ‘123456’ or ‘password’, and some other dumb ones)

    – Having an outgoing filter might avoid spam/malware distribution (ie. SpamAssassin, MailScanner, or cloud services like SpamExperts, MailChannels)

    – Preventing users from redirecting their inbox to free e-mail providers (or any at all) will also stop spam distribution. Most of these services provide POP/IMAP import which is by far superior to a forwarder

    – Enforcing SPF / DKIM on your domains, and outgoing SMTP server. This will make it harder for people to use your domains for phishing, but also will prevent your own server from sending e-mail thru domains you don’t own.

    – Setup your SMTP server to reject outgoing e-mail when it belongs to an e-mail address that you don’t own (ie. don’t allow your servers to send e-mail personifying someone else)

    – Always use SSL, everywhere, self-signed or free certificates are OK, but not recommended.

    • Author Photo

      Hi Emiliano!

      Those are all great points. Thank you for outlining them for people. Linode has a few different email server guides that walk the user through setting things up properly. In particular, the Configure Spam and Virus Protection section of the Running a Mail Server guide, which is linked in the post above. This section goes over a few of the things you’ve mentioned. I can definitely see how helpful it would be to have all of this information in one place. So, I’ve passed your suggestions along to our documentation team for consideration. ?

  12. Author Photo

    It would be better if Linode default whitelist certain well-known 3rd party SMTP gateways. For example “email-smtp.us-west-2.amazonaws.com:587” for Amazon SES service.

    I mainly use Amazon SES for email because of reliability. After I moved my website to linode, I found that all the email can’t be send because Linode blocked my server connect to Amazon SES gateway. Now I have to open a ticket and wait for unblock, not a smooth experience overall.

    • Author Photo

      Hi Kam,

      I’m sorry to hear that you experienced some frustration with this process. We are constantly looking for ways to improve this procedure, and we really appreciate you sharing your thoughts with us. I can definitely understand the validity of your point, so, I’ve passed it along to our team for further consideration.

      Please, feel free to share any thoughts you may have about any of our services by sending an email to feedback@linode.com.

댓글 남기기

이메일 주소는 게시되지 않습니다. 필수 필드가 표시됩니다 *