Linode Forum
Linode Community Forums
 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 1:44 pm 
Offline
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
gparent wrote:
I hope it doesn't come as a surprise that Spamcop isn't the only organization responsible for preventing spam on this planet. Netblocks can and will be blocked.


I'm sure they can and will. We do it ourselves when we detect multiple intrusion attempts from the same subnet, for example. However, in this particular case, we are talking about a single event involving one phishing message. I don't see any realistic scenario where that could lead to a block of IP addresses being blacklisted. Do you?


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 2:00 pm 
Offline
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
Yaakov wrote:
Unfortunately, this is both rhetorical and incorrect. If a phishing complaint comes in it is not at all clear how many messages will follow it. Linode doesn't watch your mail. They have no idea if it is the first report for thousands. So, even if it was one message in this case, that can't be known to Linode.

Granted.

Yaakov wrote:
The truth is, your complaining is annoying. The proper place to have this discussion is not in this forum but in email to Linode. Why should you make public denouncements about Linode's policies except to sully their reputation?

I have no interest in sullying Linode's reputation, but I do think it is fair to use the forum they provide to discuss what I see as an issue with their service. From your posts it is obvious that you agree with the treatment the abuse report received, and that's fine - we don't have to agree.

We run a low-volume mail service that we try to keep free from spam etc by using RBLs and spam filtering. Clearly this involves a danger to our servers that we were not aware of, and we will deal with that for now by removing the email forwarding service. We will also consider moving elsewhere if we think that reduces our exposure. If we find that everyone else deals with this type of issue the same way as Linode, we will probably stay where we are. Fair?


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 2:08 pm 
Offline
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
Yaakov wrote:
Unfortunately, this is both rhetorical and incorrect. If a phishing complaint comes in it is not at all clear how many messages will follow it. Linode doesn't watch your mail. They have no idea if it is the first report for thousands. So, even if it was one message in this case, that can't be known to Linode.


I was really disappointed when I read this from the Linode rep. bro and netflows are very useful tools.
EDIT: It wouldn't work when scanning encrypted SMTP traffic, though.

Yaakov wrote:
The truth is, your complaining is annoying. The proper place to have this discussion is not in this forum but in email to Linode. Why should you make public denouncements about Linode's policies except to sully their reputation? I can't see any value other than being a nuisance to Linode because you don't like what they did. That is annoying. Full stop.


Personally, I'm glad that this was brought up. It's a big issue, and I want to make informed decisions for my business since this Linode policy isn't explicitly stated anywhere. It's nebulously covered in the ToS, so having hard numbers like four hours helps me understand what limitations I might run into here.

A good compromise is a port 25/465/587 block to/from the host. It won't send out any more spam/phishing messages, and the host won't lose its other services.


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 2:33 pm 
Offline
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
As an aside, I just received an email from a Spamcop admin that the user making the abuse report has had his/her reporting privileges suspended over this. Apparently they frown on users setting up email forwarders, forgetting about them, and then reporting the forwarding server for spamming :-)


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 2:42 pm 
Offline
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
mallorn wrote:
I was really disappointed when I read this from the Linode rep. bro and netflows are very useful tools.


I'm not sure if you're referencing Yaakov, but I am currently the only Linode employee active in this thread. Yaakov is a fellow customer, not a Linode employee.

-Tim

Edit: In addition to that, it still requires us to do some sort of deep inspection of your network traffic which is something we're not in the business of doing. Nor do we have the infrastructure in place to do this on customer systems.

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 2:49 pm 
Offline
Señor Yaakov

Joined: Fri Feb 06, 2009 3:13 pm
Posts: 23
Quote:
As an aside, I just received an email from a Spamcop admin that the user making the abuse report has had his/her reporting privileges suspended over this.


It is nice to hear of a DNSBL that has proactive and sensible policies. So much more often you hear of the messes they cause.


 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 3:41 pm 
Offline
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
theckman wrote:

I'm not sure if you're referencing Yaakov, but I am currently the only Linode employee active in this thread. Yaakov is a fellow customer, not a Linode employee.



Hi Tim,

I was referencing your post when you said 'Without some deep traffic inspection, which is something we do not do, it's hard to determine what content exists in the emails you are sending out of your system'. Sorry about the confusion. I was too lazy to page back and get your name to attribute it properly.

I'm going to stop beating a dead horse here and want to say that I've generally been very happy with Linode. I'll continue recommending them and will use them myself when possible. I need to re-think the email side of things, though.


 Post subject: Re: Abuse ticket
PostPosted: Fri Jul 19, 2013 4:42 am 
Offline
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
As a final follow up on this thread, let me briefly recap what actually led to the abuse ticket being opened:

* A user has an email address on our server, contact@somedomain.com. Our user forwards all email to this address to another email address that he owns, user@otherdomain.com
* We check arriving email against three RBLs and using spamassassin.
* A phishing email arrives for contact@somedomain.com from 94.247.24.173 which is not blocked or caught by our spam filtering. It is forwarded to user@otherdomain.com
* Our user sees the phishing email in his user@otherdomain.com inbox and forwards it to spamcop.net
* spamcop.net parses the email, and automatically sends an abuse report to Linode with our IP address in it
* Linode opens abuse ticket, stating likely compromise of our Linode. We are given four hours to respond or the Linode will be powered down.

While I understand that spamming and phishing from a Linode can lead to all sorts of bad consequences for other Linode customers, at no point did the above events endanger anyone else. Nor do I believe that this demonstrates that we are particularly inept system administrators, although we are now removing the email forwarding feature from our systems.

Given the facts of what actually happened, I continue to think that Linode's response was disproportionate. If an abuse ticket is opened at all in this type of case, a longer response time would have been appropriate.

I understand that it may not be cost effective for Linode to distinguish between different types of abuse reports, or to implement less dramatic measures of dealing with them, but that does mean that sending email from a Linode carries risks that we were not previously aware of.

Presumably this could have happened to many other Linode customers. I think it is a fair use of this forum to post about it here.

Linode support have subsequently told us that they will actually not simply power off the Linode after four hours, but try to reach us via phone first. This obviously improves matters quite a bit - I much prefer being woken up by a call from Linode support instead of an alert from our monitoring systems. Others may want to verify that they have current contact numbers in the Linode Manager :)


Top
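The forwarding chain in the recap above, as an added example that is not part of the original thread: a sketch of how a report parser that walks Received headers attributes a message, assuming it believes only headers written by the reporter's own mail servers. The header text, host names and 192.0.2.10 (standing in for the forwarding server) are constructed; 94.247.24.173 is the sender address given in the recap.

```python
import re
from email import message_from_string

# Constructed sample: headers as the mailbox at otherdomain.com would store them.
# 192.0.2.10 is a placeholder for the forwarding server's address.
RAW = """\
Received: from mail.somedomain.com (mail.somedomain.com [192.0.2.10])
\tby mx.otherdomain.com with ESMTP id A1; Thu, 18 Jul 2013 09:00:05 +0000
Received: from unknown (HELO example) (94.247.24.173)
\tby mail.somedomain.com with SMTP; Thu, 18 Jul 2013 09:00:01 +0000
From: "Bank" <security@bank.example>
To: contact@somedomain.com
Subject: Verify your account

body
"""

# from <host> ... <ipv4> ... by <host>
HOP = re.compile(
    r"from\s+(\S+).*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?.*?by\s+(\S+)", re.S)


def hops(raw):
    """Return Received hops oldest-first as (from_host, from_ip, by_host)."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            out.append(m.groups())
    return out


def blamed_source(raw, trusted_receivers):
    """Walk newest-first; stop at the first header written by an untrusted host.

    The IP that handed the mail to the last trusted receiver is reported.
    """
    source = None
    for _from_host, from_ip, by_host in reversed(hops(raw)):
        if by_host not in trusted_receivers:
            break  # older headers could be forged, so they are ignored
        source = from_ip
    return source


if __name__ == "__main__":
    print(blamed_source(RAW, {"mx.otherdomain.com"}))
    print(blamed_source(RAW, {"mx.otherdomain.com", "mail.somedomain.com"}))
```

With only the final mail exchanger trusted, the forwarding server is the reported source; once the forwarder is also listed as one of the recipient's own relays, the walk continues one hop further and reaches the original sender.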
   
 Post subject: Re: Abuse ticket
PostPosted: Fri Jul 19, 2013 11:51 am 
Offline
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
trisager wrote:
Given the facts of what actually happened, I continue to think that Linode's response was disproportionate.

Why do you keep complaining about this - Linode didn't actually do anything. They received a valid abuse complaint and warned you to deal with it or else they would handle it themselves. The fact that it was your own user who generated the complaint doesn't mean no one was hurt by it.


 Post subject: Re: Abuse ticket
PostPosted: Fri Jul 19, 2013 1:23 pm 
Offline
Senior Member

Joined: Fri Jan 02, 2009 11:31 am
Posts: 141
Website: http://faroutscience.com
Location: Texas / Kansas
I have found this thread very informative. I have always been wary of email systems on the servers I administer. After reading all of this, I'm going to go back and review current techniques and see if I can reinforce my security.

Thanks, Jeff


 Post subject: Re: Abuse ticket
PostPosted: Fri Jul 19, 2013 1:35 pm 
Offline
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
So I think the moral of the story here is that until Linode does deep packet inspection on every customer (which I hope they never do), you're responsible for being proactive with the security of your mail server.
Quote:
but that does mean that sending email from a Linode carries risks that we were not previously aware of.

*you* weren't aware of. Most of us understand that sending abusive email can get our service temporarily suspended.

