jlewis@lewis.org (Jon Lewis) writes:
On Sun, 22 Jun 2008, Paul Kelly :: Blacknight wrote:
Has anyone any experience with Amazons abuse people?
Yeah, if you can call them that. There is no abuse coming from Amazon's EC2 cluster. I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you're a paying customer, you can do whatever you like.
it seems that amazon has succeeded where google and microsoft failed. with e-mail only services like hotmail and gmail, it was still possible to treat an IP address as having a reputation, and to therefore blackhole hotmail and gmail (and other free e-mail services) due to the spam emanating from them, even though they are shared IP addresses and also emit much non-spam traffic. since EC2 (and eventually google app engine) are used for server side, and commerce, the mere fact that probes and spam and ddos comes from these shared IP addresses won't be sufficient grounds to reject all traffic from them. i await with interest the final result: will most IP reputation services simply whitelist EC2 and GAE and similar, and grit their teeth at their inability to react to abuse from those IP addresses? this is the end of an era. since the day i started the first RBL i have had to listen to operators of shared IP addresses whine at me about how they had many non-spamming customers and it wasn't fair that i blackholed them simply because they couldn't stop it all. we went for many years trying to find the equilibrium point between making sure IP address owners were doing everything they could do (no pink contracts, fully staffed abuse desk with the power to suspend or disconnect customers pending management's later review, etc) while lots of other whiners said "vixie's gone soft on spam, he's letting UUNET get away with murder, let's lynch him!" with EC2, it's game-over for the IP reputation industry, other than possibly lists of dynamic IP blocks (modems, DSL, etc) from which SMTP ought not come. but for the wider IP address space, we now return to content based filtering, and i predict a mighty increase in the number of pink contracts in colo rooms. (the silver lining is, this could reduce pressure on BGP piracy/injection.) as randy bush often says, "it's just business." amazon has solid business reasons for creating EC2 and there's no way it could be profitable if they can't scale the user base, and there's no way to scale the user base if they have to police it at the application or "intent" level. so, i'm not whining, just pointing out that this is a sea change, the end of an era. -- Paul Vixie