That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place... (I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...)

- S

-----Original Message-----
From: Sargun Dhillon [mailto:sdhillon@decarta.com]
Sent: Wednesday, May 28, 2008 12:34 PM
To: Steve Atkins
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?

Well the thing that differentiates "the cloud" is that there is an infinite amount of resources, the ability to have anonymous access, and the infinite amount of identities. Basically Amazon has allocated a /18, /19, and /17 to EC2. The chances of getting the same IP between two instances amongst that many possibilities is low. Basically someone could easily go get a temporary credit card and start up 10 small EC2 instances. This would give them 10 public IPs which would probably take 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just a matter of rebooting and you have another 3-4 hours. This could last weeks with a credit card. Then you could rinse and repeat.

In the past I've seen companies require EIN/SSN verification (a bit much) in order to open up certain things (port 25, BGP, etc...). If Amazon is going to continue to have policies that allow spammers to thrive it will end with EC2 failing. SMTP has inherent trust issues.

I'm currently researching Amazon AWS's static IP addresses. I think it would be easiest to block everything and just make exemptions for people who purchase the static IPs. My advice to you if you are buying anonymous resources would be to purchase an agreement with a relay that isn't part of the anonymous computing center.

Steve Atkins wrote:
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazon's case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider.
The only reason this is a problem in the case of Amazon is that they're knowingly selling service to spammers, their abuse guy is in way over his head and isn't interested in policing their users unless they're doing something illegal or the check doesn't clear. As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
Cheers, Steve
--
+1.925.202.9485
Sargun Dhillon
deCarta
sdhillon@decarta.com
www.decarta.com
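The policy Sargun describes ("block everything and just make exemptions for people who purchase the static IPs") and Steve's "*.amazonaws.com" block can be expressed as a small SMTP connection policy. The code below is an added example written for this thread, not anything from the list, from Amazon, or from either poster; it assumes a Postfix-style policy response ("OK", "REJECT", "DUNNO" for no decision). Every CIDR, hostname and address in it is a constructed placeholder; the /17, /18 and /19 mentioned in the thread are not reproduced, since the thread does not give the prefixes. It checks the client address against the cloud CIDRs first, then against a forward-confirmed reverse-DNS suffix, so that a PTR record that does not resolve back to the connecting address carries no weight in either direction, and matches the suffix on a label boundary so that a look-alike domain such as "notamazonaws.com" is not swept up.

```python
"""Added example: SMTP client policy that rejects cloud address space unless
the client is an exempted (purchased) static IP. All addresses, CIDRs and
hostnames are constructed placeholders, not real allocations."""

import ipaddress
from typing import Dict, Iterable, Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-ins for the cloud provider's allocations (placeholders).
CLOUD_BLOCKS = [ipaddress.ip_network(c) for c in (
    "203.0.113.0/24",
    "198.51.100.0/24",
)]

# Reverse-DNS suffixes treated as cloud space (matched on a label boundary).
BLOCKED_RDNS_SUFFIXES = ("amazonaws.com",)

# Customers who bought a static IP and were granted an exemption (constructed).
STATIC_IP_ALLOWLIST: Set[IPAddress] = {ipaddress.ip_address("203.0.113.10")}

# Constructed forward-DNS table standing in for a live resolver, so the
# example runs offline. Keys are lower-case hostnames without trailing dot.
FORWARD_DNS: Dict[str, str] = {
    "ec2-203-0-113-10.compute-1.amazonaws.com": "203.0.113.10",
    "ec2-203-0-113-20.compute-1.amazonaws.com": "203.0.113.20",
    "mail.example.net": "192.0.2.25",
}


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def rdns_matches(ptr_name: str, suffixes: Iterable[str]) -> bool:
    """True if ptr_name is one of the suffixes or a subdomain of one.
    The leading-dot comparison prevents 'notamazonaws.com' from matching."""
    name = _normalize(ptr_name)
    return any(name == s or name.endswith("." + s) for s in suffixes)


def forward_confirmed(ptr_name: str, ip: IPAddress,
                      resolver: Dict[str, str]) -> bool:
    """Forward-confirmed rDNS: the PTR name must resolve back to the client IP."""
    return resolver.get(_normalize(ptr_name)) == str(ip)


def smtp_client_policy(client_ip: str, ptr_name: Optional[str],
                       resolver: Dict[str, str] = FORWARD_DNS) -> str:
    """Return a Postfix-style policy action for a connecting SMTP client.

    OK     - exempted static IP, skip the cloud block
    REJECT - client is in a cloud CIDR or has confirmed cloud rDNS
    DUNNO  - no decision here; later restrictions apply
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in STATIC_IP_ALLOWLIST:
        return "OK"

    in_cloud_block = any(ip in net for net in CLOUD_BLOCKS)

    # A PTR that does not forward-confirm is ignored: it neither earns trust
    # nor triggers the block on its own; the CIDR check still stands.
    ptr_ok = bool(ptr_name) and forward_confirmed(ptr_name, ip, resolver)
    cloud_rdns = ptr_ok and rdns_matches(ptr_name, BLOCKED_RDNS_SUFFIXES)

    if in_cloud_block or cloud_rdns:
        return "REJECT"
    return "DUNNO"


if __name__ == "__main__":
    # Constructed sample connections: (client IP, PTR name as looked up).
    samples = [
        ("203.0.113.10", "ec2-203-0-113-10.compute-1.amazonaws.com"),  # exempt
        ("203.0.113.20", "ec2-203-0-113-20.compute-1.amazonaws.com"),  # cloud
        ("192.0.2.25", "mail.example.net"),                            # other
        ("192.0.2.99", "ec2-203-0-113-20.compute-1.amazonaws.com"),    # spoofed PTR
    ]
    for ip, ptr in samples:
        print(f"{ip:<15} {ptr:<45} -> {smtp_client_policy(ip, ptr)}")
```

The CIDR check is the load-bearing part: a provider's rDNS can be absent or changed, and an operator who blocks only on the "*.amazonaws.com" name leaves every address without a PTR untouched. Keeping the exemption list keyed on addresses rather than names matches Sargun's point that the static IPs, not the instances, are the stable thing a customer can be held to.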