Linode Forum
Linode Community Forums
Author Message
 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 11:13 am
Junior Member

Joined: Tue Dec 27, 2005 1:33 am
Posts: 43
Location: USA
I agree 4 hours is too short for a single abuse complaint like this, but it is true that email forwarding is seriously broken, not just for the reasons already discussed, but also because it creates backscatter: if you try to forward a spam message with a forged from address, and the next hop mail server rejects the message because it's spammy, your server sends a bounce message to the innocent person who had his address forged. Backscatter is extremely annoying and there are blacklists for servers which generate too much of it.

I commend you for phasing out forwarding. An alternative to forwarding which I've deployed is to hold the mail locally and tell users they can retrieve it using POP. A lot of webmail providers have the ability to pull email from a POP server. Once it's set up, it works just like forwarding from a user's perspective, though with a slight delay (typically 15-60 minutes for gmail).


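The backscatter mechanism described in the post above, as an added illustration rather than anything the poster wrote: a toy model in Python of a forwarding mail server (not a real MTA; the addresses, the forwarding table and the keyword-based spam check are constructed for the example). It contrasts the accept-then-bounce pattern, which turns the next hop's rejection into a bounce addressed to the forged envelope sender, with filtering inside the SMTP session and discarding late rejections, which never produces a bounce to an innocent third party.

```python
"""Toy model of a forwarding mail server and the backscatter it can produce.
Constructed example; not code from any real MTA."""
from dataclasses import dataclass


@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM; trivially forgeable by a spammer
    envelope_to: str     # local mailbox that forwards elsewhere
    body: str
    is_dsn: bool = False  # True for a bounce (delivery status notification)


# Forwarding table: local mailbox -> external destination (constructed values)
FORWARDS = {"alice@example.org": "alice@mailbox.example.net"}


def looks_spammy(msg):
    """Stand-in for a content filter (ours and the destination's)."""
    return "CLICK HERE TO VERIFY YOUR ACCOUNT" in msg.body.upper()


def next_hop_accepts(msg):
    """Destination provider's verdict when we try to relay to it."""
    return not looks_spammy(msg)


def forward_accept_then_bounce(msg):
    """Broken pattern: accept everything (250 OK), relay later, and on a 5xx
    from the next hop generate a bounce to MAIL FROM.
    Returns (smtp_reply_to_client, list_of_outbound_messages)."""
    outbound = []
    relayed = Message(msg.envelope_from, FORWARDS[msg.envelope_to], msg.body)
    if next_hop_accepts(relayed):
        outbound.append(relayed)
    else:
        # The rejection arrives after we already took responsibility for the
        # message, so the only party left to notify is the (forged) sender:
        # this bounce is the backscatter.
        outbound.append(Message("MAILER-DAEMON@example.org", msg.envelope_from,
                                "Your message could not be delivered.",
                                is_dsn=True))
    return "250 OK", outbound


def forward_reject_in_session(msg):
    """Safer pattern: filter before accepting, and never bounce what the next
    hop rejects afterwards; log and drop it instead."""
    outbound = []
    if looks_spammy(msg):
        # The rejection goes back inside the SMTP session, so the connecting
        # client (the spam source) bears it and no bounce is generated.
        return "550 5.7.1 Message rejected", outbound
    relayed = Message(msg.envelope_from, FORWARDS[msg.envelope_to], msg.body)
    if next_hop_accepts(relayed):
        outbound.append(relayed)
    # else: a late rejection is logged and discarded, never bounced.
    return "250 OK", outbound


def backscatter(outbound):
    """Bounces we would be sending to third parties."""
    return [m for m in outbound if m.is_dsn]
```

Run both functions over a message whose MAIL FROM is a forged victim address: the first produces a bounce to that victim, the second hands a 550 to whoever connected and sends nothing.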
 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 11:42 am
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
It doesn't have to just be email forwarding. It can be anything that sends an email. If you have a bad PHP script, an old version of Joomla or WordPress, a comment area in your blog, a forum, etc. then you can be responsible for sending spam. I've even had people subscribe to discussion lists, then years later they forgot how to unsubscribe, didn't want to figure it out, and just complained that everything was spam.

What if someone registers on your wiki page, enters a bunch of spam, and then a watcher for that page gets an email with the spam in it?
What if one of your users gets their password hacked and sends a spam?

These aren't things that you can guarantee won't happen. They will. I manage a relay for 30,000+ accounts (elsewhere) with millions of messages passing through it daily. You can't stop spam, inbound or outbound. You can only try to be proactive with different filtering technologies and responsive when something fails. It *will* fail, and often in unique ways that you never envisioned.

In this case we're talking about something more serious -- phishing. But even in the case of phishing we would *never* shut someone down unless they were actively sending out messages. A one-time message that was received and subsequently forwarded to another account would be investigated, but the host wouldn't be shut down within four hours. What's the point? Unless that system is hosting the site that the phishing attack sends people to, you're closing the door after the horse has already left the barn.

The best solution if you really need to act is to block ports 25/465/587 to/from that host. Remote systems will continue queuing email without killing other services that might be running on the same system. Outbound mail will also queue.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 11:50 am
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
trisager wrote:
We are in the process of informing our customers that we can no longer allow email forwarding, since we clearly cannot run the risk of having our Linode shut down on this "one strike and you're out" basis. I'm wondering what others with similar setups do, though - or are we the only ones with this type of setup on our Linodes?


trisager wrote:
We run a web design business, and we use Linodes to host websites for some of our small customers. We have so far been quite happy with Linode as a provider, but our takeaway from this event is that Linode is not really a suitable platform for our purposes. We do our best, but we cannot guarantee that no offensive email will ever leave our IP address, nor will we always be able to respond to complaints within four hours. We are now aware that this exposes us to a significant risk of extended downtime, or even complete loss of our Linodes.


There isn't a problem with allowing email forwarding on your system. A point should be made that there should be strict controls in place for what can be forwarded and from where. We don't personally see a problem with forwarding email, as long as you whitelist the sending server(s) for example. Other measures can be put in place to ensure a random bot on the Internet can't use your Linode for malicious purposes.

I think there may be some misunderstanding about how we operate when it comes to abuse complaints. If you send a malicious email from your Linode for example, we're not just going to obliterate your Linode. In addition to that, we're not worried about offensive email. We're worried about things that violate our terms of service and are malicious in nature (for the purposes of this conversation, let's consider unsolicited spam emails as malicious as well).

mallorn wrote:
I have to agree -- four hours is ridiculous before a shutdown, especially if the horse has already left the barn. If multiple messages are going out, sure. But a one-time phish has already done all of the damage that it's going to do.

I'm in the same position; I manage discussion lists for various topics and can't guarantee that a subscriber won't get a virus that spams their address book with a phishing message. We've had it happen twice in twenty years. I'll have to look for someplace else as well.


Without some deep traffic inspection, which is something we do not do, it's hard to determine what content exists in the emails you are sending out of your system. I completely agree that a single email has already done its damage. What seems to be missing here is the understanding that the vector used is still available and can be used for further emails. Beyond that, we aren't able to reliably determine how your system is used and what state it is currently in. So we don't know what else could happen with your Linode in its current state.

In short, phishing is an absolutely serious situation and as mentioned before, it's in everyone's best interest to get them ironed out ASAP. We're not going to delete your Linode, or ask you to leave, for a single complaint. In addition to that, by making sure you have your system configured properly to allow emails from trusted sources, you should be able to cut down on this.

Any reputable hosting provider, I'm sure, will have very similar policies when handling high-risk abuse situations. And lastly, shame on someone who would report such emails having obviously originated from a mailing list. I'd like to think most people on mailing lists are understanding enough to know it originated from a compromised system/account and that the list maintainers would take care of it.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 11:52 am
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
I understand your issue more now, but surely if you're sending millions of messages per day you can afford to have at least one person reply to something within 4 hours?


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 11:58 am
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
FWIW, "mail forwarding" causes a lot of problems. I know some smaller ISPs who have been blacklisted by AOL (for example) because that ISP forwarded (customer configured) mail to the AOL account; the AOL account owner saw spam and reported it. AOL saw the ISP server in the received headers, and so blocked the ISP server.

It was a semi-regular occurrence at one ISP where a friend works.

This is a risk you chose to take by allowing users to forward their email elsewhere; your mail server is the only one that can be positively identified as handling the message.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


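Two points from this thread lend themselves to one worked example: Tim's suggestion above of whitelisting the sending server(s) before honouring a forward, and Stephen's observation that your mail server is the only hop the recipient can positively identify from the Received headers. The Python below is an added illustration, not code from any poster or from Linode; the host names, IP addresses and the header block are constructed for the example. It walks a Received: chain from newest to oldest, trusting only headers written by servers the observer controls, and reports the deepest hop that observer can actually hold responsible; it also shows the forward-only-from-trusted-relays check.

```python
"""Walking a Received: chain to find the deepest hop an observer can hold
responsible, plus a forward-only-from-trusted-relays policy.
Constructed example; host names, IPs and headers are made up."""
import ipaddress
import re

# Headers as the destination provider would see them after our server
# fwd.example.org forwarded a phish. The bottom Received: line was written by
# the spammer's client, not by any real server (constructed sample).
SAMPLE_AT_DESTINATION = """\
Received: from fwd.example.org (fwd.example.org [203.0.113.10])
\tby mx.mailbox.example.net with ESMTP; Thu, 18 Jul 2013 10:01:02 +0000
Received: from unknown (HELO mail.bank.example) ([198.51.100.77])
\tby fwd.example.org with SMTP; Thu, 18 Jul 2013 10:00:40 +0000
Received: from bank.example (bank.example [192.0.2.5])
\tby mail.bank.example with ESMTP; Thu, 18 Jul 2013 09:59:00 +0000
From: "Your Bank" <security@bank.example>
To: alice@example.org
Subject: please verify your account
"""


def parse_received(raw_headers):
    """Return the Received: hops newest first, each with the client IP the
    receiving server saw ('from_ip') and the server that wrote the header
    ('by'). Folded continuation lines are joined first (RFC 5322)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        ip = re.search(r"\[(?P<ip>[0-9a-fA-F.:]+)\]", line)
        by = re.search(r"\bby\s+(?P<by>[^\s;]+)", line)
        hops.append({"from_ip": ip.group("ip") if ip else None,
                     "by": by.group("by") if by else None})
    return hops


def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR strings in nets."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def verifiable_origin(hops, trusted_hosts, trusted_nets):
    """Walk the chain newest to oldest. A header is believable only if it was
    written ('by') by a server the observer trusts; anything beneath a header
    written by an untrusted client may have been forged outright. Returns the
    first client IP recorded by a trusted server that is not itself a trusted
    relay: the deepest hop the observer can hold responsible."""
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None  # nobody we trust wrote this header; stop here
        if not in_nets(hop["from_ip"], trusted_nets):
            return hop["from_ip"]
    return None


def should_forward(client_ip, trusted_relays):
    """Whitelist policy: honour a mailbox's forward only for mail handed to us
    by an upstream server we control or explicitly trust, never for mail
    delivered directly by an arbitrary client on the Internet."""
    return in_nets(client_ip, trusted_relays)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_AT_DESTINATION)
    # Destination's view: it trusts only its own MX, so the hop it can verify
    # is our forwarder, and that is the address that gets reported.
    print(verifiable_origin(hops, {"mx.mailbox.example.net"}, []))
    # Our view: we trust our own machines, so the walk stops at the client
    # that delivered to us; the forged "bank" hop beneath is never believed.
    print(verifiable_origin(hops, {"mx.mailbox.example.net", "fwd.example.org"},
                            ["203.0.113.0/24"]))
```

The same header block yields a different answer depending on whose servers the observer trusts, which is exactly why the forwarding server, not the original sender, ends up on the complaint.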
 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 12:46 pm
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
gparent wrote:
I understand your issue more now, but surely if you're sending millions of messages per day you can afford to have at least one person reply to something within 4 hours?


Oh, absolutely. However, as previously mentioned, the amount of email leaving our server on a daily basis is on the order of hundreds, not millions.

Thanks to other posters for the inputs on the dangers of forwarding. We'll limit our exposure for now by eliminating that possibility, and by helping those of our users who need it to find alternative solutions.

The fact that remains, though, is that we were lucky to avoid our Linode being shut down - I am frequently away from my desk for a few hours. Uptime matters to us, and we now need to factor in the risk that Linode staff will shut us down based on single events like this one.

I'm sure that all reputable service providers take spam and phishing seriously, but knee-jerk reactions like this one are something I'm fairly confident are only common at the low end of the market.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:12 pm
Señor Yaakov

Joined: Fri Feb 06, 2009 3:13 pm
Posts: 23
Quote:
I'm sure that all reputable service providers take spam and phishing seriously, but knee-jerk reactions like this one is something I'm fairly confident are only common at the low end of the market.


You do realize that not only can the phishing hurt recipients of the messages, but your neighbors in the subnet as well? If the subnet is tainted by being a source of malicious traffic, how do you expect Linode to help me, or anyone else affected by your behavior after the fact? They can't. So, instead of your node going down for whatever time it takes you to respond after the four hours, I may have to deal with a situation where I cannot send email. This is not acceptable to me, a completely innocent party in this transaction.

I really can't see anything about the fact that the email originated somewhere else as mitigating the fact that your node delivered it. As you've said, you have taken steps to avoid this problem, which is appropriate. But claiming that preserving the reputation of all the other customers in your subnet is a "knee-jerk" reaction is probably not so well thought out. Your complaining here is irritating to Linode customers that are actually happy Linode has such strong policies in this area. You should probably stop.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:18 pm
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
Yaakov wrote:
You do realize that not only can the phishing hurt recipients of the messages, but your neighbors in the subnet as well? If the subnet is tainted by being a source of malicious traffic, how do you expect Linode to help me, or anyone else affected by your behavior after the fact? They can't. So, instead of your node going down for whatever time it takes you to respond after the four hours, I may have to deal with a situation where I cannot send email. This is not acceptable to me, a completely innocent party in this transaction.



Blocking SMTP access to/from the affected IP would also work, without shutting down the Linode and affecting other services that might be running on it.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:21 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
trisager wrote:
Uptime matters to us, and we now need to factor in the risk that Linode staff will shut us down based on single events like this one.

Then you need to design that into your system architecture - there are many (MANY) other things that are also out of your control that could bring you offline - if that's unacceptable YOU need to figure out how to minimize that risk.

Blaming Linode for protecting everyone else is NOT the cause of your problem - deal with it.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:24 pm
Señor Yaakov

Joined: Fri Feb 06, 2009 3:13 pm
Posts: 23
Quote:
Blocking SMTP access to/from the affected IP would also work, without shutting down the Linode and affecting other services that might be running on it.


Linode sells unmanaged VPSs. Expecting them to firewall a particular 'node because it is misbehaving is really not reasonable. "Blocking SMTP access" requires filtering of a kind they don't otherwise do, and I, for one, don't want to pay them to be able to do it because some people don't know how to manage their 'node.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:32 pm
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
Yaakov wrote:
Your complaining here is irritating to Linode customers that are actually happy Linode has such strong policies in this area. You should probably stop.


Apologies for irritating you. I think the Linode response was excessive, but that point has been made by now.

Spamcop never listed our IP. Even if they had, that would have affected only our IP, and the listing would have automatically cleared within 24 hours, assuming the problem was dealt with. It would take a lot more than a single phishing email to endanger anyone else's Linode.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:35 pm
Junior Member

Joined: Fri May 27, 2011 5:01 pm
Posts: 20
trisager wrote:
Yaakov wrote:
Your complaining here is irritating to Linode customers that are actually happy Linode has such strong policies in this area. You should probably stop.


Apologies for irritating you. I think the Linode response was excessive, but that point has been made by now.

Spamcop never listed our IP. Even if they had, that would have affected only our IP, and the listing would have automatically cleared within 24 hours, assuming the problem was dealt with. It would take a lot more than a single phishing email to endanger anyone else's Linode.


And you're the one to tell us what damage you think your Linode would do? For the most part, most of us are speaking first hand when an entire block gets nuked from sending email because one person messed up.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:38 pm
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
trisager wrote:
Spamcop never listed our IP. Even if they had, that would have affected only our IP, and the listing would have automatically cleared within 24 hours, assuming the problem was dealt with. It would take a lot more than a single phishing email to endanger anyone else's Linode.


I hope it doesn't come as a surprise that Spamcop isn't the only organization responsible for preventing spam on this planet. Netblocks can and will be blocked.


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:40 pm
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
KyleXY wrote:
And you're the one to tell us what damage you think your Linode would do? For the most part, most of us are speaking first hand when an entire block gets nuked from sending email because one person messed up.


Look, I'm genuinely interested, not trying to prolong an argument here. Do you really have first hand experience of a situation where one or two spam/phishing emails caused an entire subnet to be blacklisted by a reputable RBL?


 Post subject: Re: Abuse ticket
Posted: Thu Jul 18, 2013 1:43 pm
Señor Yaakov

Joined: Fri Feb 06, 2009 3:13 pm
Posts: 23
Quote:
Spamcop never listed our IP. Even if they had, that would have affected only our IP, and the listing would have automatically cleared within 24 hours, assuming the problem was dealt with. It would take a lot more than a single phishing email to endanger anyone else's Linode.


Unfortunately, this is both rhetorical and incorrect. If a phishing complaint comes in it is not at all clear how many messages will follow it. Linode doesn't watch your mail. They have no idea if it is the first report of thousands. So, even if it was one message in this case, that can't be known to Linode.

Second, if you read the history of DNSBLs you will discover that even errors can lead to listing, and some lists use subnets. Why should we take the risk for your convenience?

The truth is, your complaining is annoying. The proper place to have this discussion is not in this forum but in email to Linode. Why should you make public denouncements about Linode's policies except to sully their reputation? I can't see any value other than being a nuisance to Linode because you don't like what they did. That is annoying. Full stop.


Last edited by Yaakov on Thu Jul 18, 2013 1:45 pm, edited 1 time in total.
