Linode Forum
Author Message
 Post subject: Abuse ticket
PostPosted: Wed Jul 17, 2013 12:10 pm 
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
Had an abuse ticket opened by Linode staff earlier today because someone using spamcop.net had reported a phishing email originating from our IP address.

On closer examination, this was indeed phishing. The email headers provided in the abuse ticket also clearly showed the email being sent from a server elsewhere to an email address on our server. Our customer had configured an email forwarder to his main email on a different domain, hosted elsewhere. The mail admin on that domain then saw the email and reported us via spamcop.net, which in turn generated an email to Linode's abuse email address.

This was fairly easily resolved by removing the email forwarder. Happily this occurred while I was awake and at my desk, since the abuse ticket clearly stated that unless I responded within four hours, the Linode would be taken offline.

Now I perfectly understand that Linode wants to stop spammers etc, but considering how easy it is to report someone via spamcop.net I do think the four-hour deadline was a tad aggressive. Had I been asleep at the time, I would have woken up to an offline server.

It is worth noticing that even spamcop.net does not block your IP on a single event like this one (we're on 176.58.105.163). Maybe Linode could differentiate a bit between the different kinds of abuse reports they receive and not simply send a four-hour takedown notice on everything?

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 12:17 pm 
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
We take all reports of abuse seriously and make sure the issues are resolved. We also may adjust the required response time based on the severity of the type of activity. Phishing situations are pretty much the only situations where we provide such short notice as they are quite serious.

As a note to follow up, we do check these reports to ensure they are legitimate and are being received from your Linode. Only then do we open such tickets on your Linode account.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 12:40 pm 
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
theckman wrote:
As a note to follow up, we do check these reports to ensure they are legitimate and are being received from your Linode. Only then do we open such tickets on your Linode account.


"Received from your Linode" is somewhat ambiguous. This particular phishing email originated from 94.247.24.173 according to the email headers you sent me, and was then forwarded by our Linode. I'm sure that the person reporting it missed that detail, and maybe your support staff did too.
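Walking the Received chain in the ticket's headers is how the poster tells the originating server from the forwarding hop. As an added example (not code from this thread or from Linode), the script below does that triage on a constructed message using RFC 5737 documentation addresses, reporting whether a reported IP was the origin, a forwarder, or absent from the chain:

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a phishing mail that arrived at a hosted mail server
# (192.0.2.10) from an outside sender (198.51.100.7) and was forwarded on to
# the customer's mailbox at another provider, whose admin then reported it.
SAMPLE = """\
Received: from mail.customer-host.example (mail.customer-host.example [192.0.2.10])
\tby mx.reporting-domain.example with ESMTP id abc123;
\tWed, 17 Jul 2013 11:05:00 +0000
Received: from smtp.elsewhere.example (smtp.elsewhere.example [198.51.100.7])
\tby mail.customer-host.example with ESMTP id def456;
\tWed, 17 Jul 2013 11:04:58 +0000
From: "Bank Security" <alerts@bank.example>
To: contact@customer-domain.example
Subject: Urgent: verify your account

Please click the link to verify your account.
"""

# Sending host's IP as recorded by the receiving MTA, e.g. "[192.0.2.10]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return sending IPs from the Received headers, oldest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_IP.search(value)
        if match:
            hops.append(ipaddress.ip_address(match.group(1)))
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops


def classify_reported_ip(raw, reported_ip):
    """Classify a reported IP as 'origin', 'forwarder' or 'not-in-chain'.

    For a forwarder, also return the upstream IP that handed it the message.
    Caveat: only headers added by hosts you trust are reliable; anything the
    original sender wrote below your own hop can be forged.
    """
    reported = ipaddress.ip_address(reported_ip)
    hops = received_chain(raw)
    if reported not in hops:
        return ("not-in-chain", None)
    idx = hops.index(reported)
    if idx == 0:
        return ("origin", None)
    return ("forwarder", str(hops[idx - 1]))
```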

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 1:00 pm 
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
I'm not staff, but relaying bad mail and sending it out is just as bad.

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 1:07 pm 
Sysop

Joined: Sat Nov 27, 2010 3:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
I'm not trying to argue here, but it sounds like the email itself came from your Linode, regardless of whether that's where the message originated or not. The system you are responsible for was still used for malicious activity plain and simple. We reached out to you to let you know about said malicious activity, and because of the severity we gave you as much time as we felt comfortable given the activity that your Linode was taking part in.

In addition to that, such activity has the potential to negatively impact other customers (especially if some BOFH set up the filters on their mail servers to block entire /24s). It's in both of our best interests (yours and Linode's) to make sure this activity ceases to originate from our network in the quickest amount of time possible.

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 1:29 pm 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
deleted


Last edited by zunzun on Sun Aug 04, 2013 8:33 pm, edited 1 time in total.
 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 5:18 pm 
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
Lots of people run their mailers on a Linode, if Linode's IPs get on a blocklist those people would be very unhappy. Plus lots of us hate spam with a passion we can't express in words.

The only thing Linode could have done instead was block outbound port 25 from your IP on their switches. That depends on them running ACLs on their switches, which I'm not sure they do. Failing that, taking the machine down in 4 hours is totally reasonable.

Linode did good. Well done Linode.

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 6:04 pm 
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
To put things a bit into perspective: We are running a cPanel server that handles mail among other things, and one of the services provided by cPanel by default is the ability to configure email forwarders. We try to avoid using the server for email, pointing our customers to other email services where possible, and the total volume of email in a 24-hour period is maybe 400 emails arriving at the server. We use various RBLs and Spamassassin to filter email, but obviously not everything is caught.

Not everyone uses email forwarding, but a few of our customers do. These email addresses are typically of the "contact@domain.com" kind, publicly accessible and so obvious targets for spammers. They are also the type of email addresses you will likely want to forward to your main address, or sometimes maybe to 2-3 different website admins.

From looking at the email logs, and based on the amount of phishing emails I receive on my Google Apps account (not Linode related, I hasten to add), I guess that a couple of this type of email must get forwarded every day. In other words, our system is "used for malicious activity" on a daily basis.

We are in the process of informing our customers that we can no longer allow email forwarding, since we clearly cannot run the risk of having our Linode shut down on this "one strike and you're out" basis. I'm wondering what others with similar setups do, though - or are we the only ones with this type of setup on our Linodes?

I can see the need for action within a limited timeframe in a case where a website is hacked, for example, and is used for sending out large volumes of spam, phishing or the like. In this case, though, we forwarded a total of three offensive emails received from another mail server. Just our bad luck that the admin of the mail server hosting our customer's other email address got pissed off and forwarded one of them to spamcop.net. (But fortunately spamcop looks at more than just the single event, so we were in no risk of ending up on their RBL.)

 Post subject: Re: Abuse ticket
PostPosted: Wed Jul 17, 2013 6:58 pm 
Senior Member

Joined: Sun Apr 26, 2009 3:37 am
Posts: 72
Website: http://wiggenhorn.org/
You forwarded mail to a mail server run by an admin who did not want to receive this particular mail from you.

It does not matter whether you were merely passing along the phishing message that originated elsewhere or whether the admin of this server is being overzealous, unreasonable, etc.

You can probably still do email forwarding, but only forward mail to addresses or servers that are willing to receive mail forwarded by you and are not going to report you to the spam police or your provider.

For example, Gmail understands the concept of mail forwarding and even has a page that explains how to properly set up your forwarding server for best results, so you would probably be OK to forward to gmail.com addresses.

Small, personally hosted mail servers are notorious for having admins that sit around all day watching their mail logs and submitting anything suspicious to every spam reporting service and ISP involved in the delivery of the message, so avoid them or at least have some sort of agreement with them that they will not try to get you in trouble when you forward phishing messages.

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 3:47 am 
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
@dcraig Thanks for the info about Gmail's policies. We do not set up the forwarders ourselves, our customers have that option, but we may be able to leave forwarders to Gmail in place a bit longer than the rest.

We run a web design business, and we use Linodes to host websites for some of our small customers. We have so far been quite happy with Linode as a provider, but our takeaway from this event is that Linode is not really a suitable platform for our purposes. We do our best, but we cannot guarantee that no offensive email will ever leave our IP address, nor will we always be able to respond to complaints within four hours. We are now aware that this exposes us to a significant risk of extended downtime, or even complete loss of our Linodes.

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 5:14 am 
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
I have to agree -- four hours is ridiculous before a shutdown, especially if the horse has already left the barn. If multiple messages are going out, sure. But a one-time phish has already done all of the damage that it's going to do.

I'm in the same position; I manage discussion lists for various topics and can't guarantee that a subscriber won't get a virus that spams their address book with a phishing message. We've had it happen twice in twenty years. I'll have to look for someplace else as well.

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 10:50 am 
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
If you can't prevent your mail server from sending or relaying spam out, you might want to try a shady Russian host. Unlike Linode, they tend not to care when people abuse their services.

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 11:00 am 
Junior Member

Joined: Sun May 27, 2012 6:35 am
Posts: 25
@gparent On the off chance that you are not simply trolling, I'd be very interested in understanding your email server setup.

If you know of a way to configure a real-world, useful mail server that can guarantee that not a single spam or phishing message is ever transmitted, I want to know how you do it :-)

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 11:09 am 
Senior Newbie

Joined: Wed Jan 25, 2012 6:33 pm
Posts: 6
Location: Urbana, IL
Quote:
If you can't prevent your mail server from sending or relaying spam out, you might want to try a shady Russian host. Unlike Linode, they tend not to care when people abuse their services.


I wonder if I could just use emma. Most of us thought it was a phishing attack when Linode sent out the security alert in April through that service. ;)

I don't think that anyone's arguing that Linode doesn't care. We're arguing that a knee-jerk reaction like a server shutdown with 4-hour notification is overkill and draconian.

There's a fine line between customer satisfaction and trying to maintain the reputation of your network, and my 20+ years of *NIX experience tells me that this crosses it. There are better technical ways to handle this, and I'll look for a host that understands that.


Last edited by mallorn on Thu Jul 18, 2013 1:19 pm, edited 2 times in total.

 Post subject: Re: Abuse ticket
PostPosted: Thu Jul 18, 2013 11:12 am 
Junior Member

Joined: Wed Mar 28, 2012 4:29 pm
Posts: 38
trisager wrote:
@gparent On the off chance that you are not simply trolling, I'd be very interested in understanding your email server setup.

If you know of a way to configure a real-world, useful mail server that can guarantee that not a single spam or phishing message is ever transmitted, I want to know how you do it :-)


I'm not trolling. A lot of Russian hosts really do not care about spam.

As for my experience, I can only speak about relaying it and how other providers seem to handle it, because I do not let my users forward to emails they do not own. Have you used Gmail? To set up a relay there, you need to confirm that you are the owner of the receiving email address. Perhaps I'm not understanding your setup or your issue. Is it impossible for you to know where you're going to end up forwarding mail? Because that's the configuration weakness that spammers use to work so efficiently.

I don't think it's a knee-jerk reaction to avoid an entire net block being banned from sending mail. In other situations, spamcop could've taken action and prevented dozens of servers from working correctly just because one person is sending/relaying bad mail.


Last edited by gparent on Thu Jul 18, 2013 11:13 am, edited 1 time in total.