SMTP restricted by default

Posted: June 22, 2022

Unsolicited, unwelcome, and in some cases, outright harmful communications are ever present in our interconnected world. Postal mail, email, phone, and SMS are all exploited by the mal-intended and by those looking to make a living through the modern spam economy. Service providers in each of the mediums occupied by spammers face an unending battle against misuse of their platforms.

At DigitalOcean, we know our community is bigger than us. For years we’ve looked to strike a balance between mitigating spam and enabling those on their learning journey in the cloud to use the Simple Mail Transfer Protocol (SMTP). What we’ve found is that the overlap between SMTP use and spammers far outweighs those building in the cloud with a legitimate use case for mail. This fact has led most major cloud service providers to take a disabled-by-default stance on SMTP as one measure to reduce spam, and today we’re sharing that DigitalOcean will begin disabling SMTP on new accounts as part of our own spam reduction measures.

We have found that the vast majority of spam, at least on DigitalOcean, comes from new accounts. Because of this, we believe disabling SMTP on new signups is a wise next step in the internet-wide chess match against spammers.

Our new disabled-by-default SMTP policy goes into effect today, June 22, 2022, for all new accounts. While our Security team will still be monitoring spam activity, we believe this decision will benefit our customers and the broader internet community in our shared quest to minimize spam. As a part of this new policy, we have launched partnerships within the DigitalOcean Marketplace for routing mail from DigitalOcean Infrastructure. Our partners have a dedicated focus on email delivery, so as a DigitalOcean customer you can be assured that your emails will be delivered.

Over the past few years, we’ve worked tirelessly to keep DigitalOcean friction-free for developers by keeping SMTP enabled. We’ve also invested significant security team expertise and automation towards stopping spammers, using account behavioral analysis, network analysis, and automated anti-abuse tooling. After tweaking and tuning this approach, we’ve elected for the stronger stance for four primary reasons:

  1. Tuning anti-spam automation to stop abusive SMTP while still allowing healthy SMTP comes with a false positive rate that results in a negative customer experience.
  2. Blocking SMTP after a Droplet has started spamming, even by minutes, is too late.
  3. A poor DigitalOcean IP reputation creates a barrier for our good customers, and without a stronger stance our customers suffer.
  4. Spammers create new accounts using fraudulent information in a prolific manner. And while we do have a multi-layered approach for detecting fraudulent signups, we also strive for balance in our account sign-up friction.

We feel strongly about being responsible for our IP space and IP reputation, and we will continue to work hard to keep that reputation for our customers.
