On May 25, 2008 at 22:11 beckman@angryox.com (Peter Beckman) wrote:
On Sat, 24 May 2008, Barry Shein wrote:
Since this comment applies equally to every single credit card payment on the internet etc I suppose you've just proven that credit cards can't possibly work and even Amazon itself is an impossibility. Perhaps we can move on to why bumble bees can't fly?
It's clear to me that people believe it is easy, cheap and inexpensive to prevent credit card fraud. You think this until you yourself run a small business, and an entire month's profits go into the toilet because you missed someone who got through what you thought were thorough checks for fraud.
Hello, let me introduce myself to you. I'm Barry Shein, president of The World, the oldest public access internet service provider on the planet, since 1989 (see rfc 2235). We have always taken credit cards. But thank you for the lecture on doing business with credit cards and the potential pitfalls.

Anyhow, let me reiterate, making Amazon's business models work, or ensuring that their customers can get the service they want when they want it, is none of my concern. What is my concern is if they're running their resources so irresponsibly that it permits criminals to use them to damage my business. Personally I don't really care if their compute cloud service succeeds or fails, except on general principles (I always like to wish people well.) But if their business model is designed so poorly that it enables criminality to be directed at my business then, for me, that's a problem. So I'm not particularly interested in how hard it would be for Amazon to make a buck on cloud services if they had to stop damaging me. 'kay?

This thread started when I found my mail servers being pounded by their cloud machines for a day or so. It's since stopped, thank you, but a few here indicated, and I don't know if they speak with any authority, that Amazon seems to believe that so long as their cloud machines are in blacklists then they shouldn't have to feel any responsibility to exercise any control over them vis a vis spammers et al. It should just be up to the rest of us to buy sufficient firewalls and bandwidth and staff to manage it all. That sounds so outlandish that I am suspicious of its origin. But others indicated "they're in the blacklists so what's your beef?" and I responded that there's a problem with large computing resources (their clouds) pounding on my mail servers even if we can dodge seeing the content with blacklist entries.
Declining a legitimate charge can be a criminal fraud.
In what world do you live? I can decline to take anyone's money and decline to provide them service, for any reason. If I don't like your
I'm sorry, you're having trouble with the English language, let me help you out here: That comment was in response to a reference to a credit card customer declining a legitimate charge for goods and/or services s/he received. Ya know, you buy a laptop over the net on a credit card, the laptop comes, and then you try to decline the charge? Got it? That can be a criminal fraud. Whatever the relevance that's what that comment was referring to.
tone, I don't take your money, you don't get my service. Criminal fraud, ha. Where exactly do you live? Maybe I assume too much, because in the US, I get to decide whose money I take.
(key in twilight zone music) You've been hurt before, haven't you? (whoo boy, angry man alert...)

-- 
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On 26/05/2008 09:17 Barry Shein wrote:
It's since stopped, thank you, but a few here indicated, and I don't know if they speak with any authority, that Amazon seems to believe that so long as their cloud machines are in blacklists then they shouldn't have to feel any responsibility to exercise any control over them vis a vis spammers et al.
You are speaking a bit hyperbolically and that is not what anyone believes or feels. Much like any large datacenter or hosting provider it is not feasible to police every packet in and out of the network, I assume "The World" has lots of experience with super-scale networks so I'll limit my "lecturing" on the subject. Regardless, like any large datacenter or hosting provider they can only respond to complaints when they get them, and they do, and they respond (unless you have evidence to suggest the contrary).

As a corollary to this I was simply noting that their terms do not include the ability to SMTP at all and as such the ranges are left in any blacklists they might fall into. You are also free to block them for SMTP on your own kit given this directive. Blocking at RCPT time or even before limits any bandwidth usage from spam to negligible amounts in most cases.

The consequences of blocking TCP/25 as an upstream though is much worse since customers frown on upstream port filtering and it makes SMTP impossible for everything except those which accept the submission port. Many people may still have numerous valid reasons for using port 25 to talk to their own kit somewhere else.

-- 
Colin Alston ~ http://syllogism.co.za/
"To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.
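The "block them for SMTP on your own kit, at RCPT time or before" suggestion above, as an added example that is not part of the thread and not any participant's code. It is a Postfix-style access policy in the policy delegation format (one `name=value` line per attribute, a blank line ends the request, the reply is `action=...` plus a blank line), so it could sit behind `check_policy_service` in `smtpd_client_restrictions`. The CIDR ranges are constructed documentation networks standing in for a cloud provider's published list; they are not Amazon's actual EC2 allocations. One caveat a practitioner would want: with Postfix's default `smtpd_delay_reject = yes` the restriction is evaluated at RCPT TO (the `protocol_state=RCPT` in the sample request), which is what Colin describes; setting `smtpd_delay_reject = no` moves the rejection to connect time, so the client gets the banner and the 554 and nothing else.

```python
"""
Added example, not from the thread: a Postfix policy-delegation service that
rejects SMTP clients whose address falls inside ranges the operator has decided
should never speak SMTP to it (e.g. a cloud whose terms do not cover mail).

The ranges below are CONSTRUCTED for the example (RFC 5737 documentation
networks); swap in the provider's real published list in production.
"""
import ipaddress

# Constructed stand-ins for a cloud provider's address blocks.
NO_SMTP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
]

# Constructed policy requests in the exact shape Postfix sends.
SAMPLE_BLOCKED_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.42\n"
    "client_name=unknown\n"
    "sender=someone@example.net\n"
    "recipient=postmaster@example.org\n"
    "\n"
)
SAMPLE_ALLOWED_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.7\n"
    "client_name=mx.example.com\n"
    "sender=someone@example.com\n"
    "recipient=postmaster@example.org\n"
    "\n"
)


def parse_policy_request(raw):
    """Parse 'name=value' lines; the first blank line terminates the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def client_in_ranges(client, ranges):
    """True if the client address lies inside any of the given networks."""
    addr = ipaddress.ip_address(client)  # raises ValueError on garbage
    return any(addr in net for net in ranges)


def policy_action(raw_request, ranges=NO_SMTP_RANGES):
    """Return the Postfix policy reply ('action=...\\n\\n') for one request."""
    attrs = parse_policy_request(raw_request)
    client = attrs.get("client_address", "")
    try:
        blocked = client_in_ranges(client, ranges)
    except ValueError:
        # Missing or malformed address: do not guess, let Postfix's other
        # restrictions decide.
        return "action=dunno\n\n"
    if blocked:
        # A 5xx here costs the sender one command and one reply line; no
        # message body is ever transferred.
        return ("action=554 5.7.1 Service unavailable; SMTP from "
                f"{client} is not accepted from this network\n\n")
    return "action=dunno\n\n"


if __name__ == "__main__":
    print(policy_action(SAMPLE_BLOCKED_REQUEST), end="")
    print(policy_action(SAMPLE_ALLOWED_REQUEST), end="")
```

The reply uses a numeric `554 5.7.1` rather than a bare `reject` so the enhanced status code reaches the sender's queue log; any result accepted by access(5) is valid as the action. Wrap the functions in a `socket`-serving loop (or run under `spawn(8)` via master.cf) to deploy it; the evaluator itself is what matters here.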
On Mon, May 26, 2008 at 1:28 PM, Colin Alston <karnaugh@karnaugh.za.net> wrote:
Much like any large datacenter or hosting provider it is not feasible to police every packet in and out of the network, I assume "The World" has lots
Not a question of packet policing as much as having sufficient controls in place to get rid of card fraud, regular audits etc .. and THEN looking for obvious signs of abuse, proactively (inbound and outbound traffic flow analysis, passive dns checks and a whole host of other things that are possible). The second thing is, of course, having an active abuse desk, but by the time an abuse desk gets around to reading and responding to the complaint, the damage is done (1 business day is a very good turnaround indeed, at shops rather larger than world.std.com).
(unless you have evidence to suggest the contrary). As a corollary to this I was simply noting that their terms do not include the ability to SMTP at all and as such the ranges are left in any blacklists they might fall into. You
With respect, in such cases, amazon is better off firewalling outbound port 25 (or indeed, outbound anything at all) for accounts that don't specifically ask for it. Quite a lot of EC2 compute time is for number crunching and such - not just hosting, or email, or .. srs
On 26/05/2008 18:13 Suresh Ramasubramanian wrote:
Quite a lot of EC2 compute time is for number crunching and such - not just hosting, or email, or ..
That's not actually true, the trend is towards thumbnail generation and video encoding dispatch for sites that use it, this requires getting the information back to storage. Mail processing would be an entirely valid use of this as well - you could for instance offload your own mail to EC2 instances for virus scanning and Bayesian spam filtering.

Either way, limiting of ports is a direct and undeniable limiting of the capability of the product. A staggeringly large amount of my spam comes from DSL lines in eastern europe and such places, and yet for some reason I don't see anyone here asserting that DSL lines should only be used for POP, IMAP and WWW and to talk to your ISP's SMTP relay. That's because it's a stupid move. It doesn't matter what EC2 or any service is used for, it's sold as having an IP connection, not IP minus whatever TCP ports NANOG people dictate based on their beliefs about how you should do business or how customers should use it.

I agree with abuse reports and active abuse desks but please, don't for one second expect me to believe you side with the idea that upstream providers and hosts should randomly firewall ports - since 90% of the time, as history has shown me, they screw it up.

-- 
Colin Alston ~ http://syllogism.co.za/
"To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.
On Tue, May 27, 2008 at 1:10 AM, Colin Alston <karnaugh@karnaugh.za.net> wrote:
On 26/05/2008 18:13 Suresh Ramasubramanian wrote:
I didn't actually, Bonomi did .. but going on ..
Quite a lot of EC2 compute time is for number crunching and such - not just hosting, or email, or ..
That's not actually true, the trend is towards thumbnail generation and video encoding dispatch for sites that use it, this requires getting the
[yes, that's right - twitter seems to be using it for example]
Either way, limiting of ports is a direct and undeniable limiting of the capability of the product. A staggeringly large amount of my spam comes from DSL lines in eastern europe and such places, and yet for some reason I don't
You're at odds with a lot of best practice there. This one for example - http://www.maawg.org/port25
I agree with abuse reports and active abuse desks but please, don't for one second expect me to believe you side with the idea that upstream providers and hosts should randomly firewall ports - since 90% of the time, as history has shown me, they screw it up.
I am sure that all the nanog regulars here who are / have been the guys with enable on tier 1 networks routers (and run huge dialup/dsl pools) will agree with that (!)

Port firewalling, especially port 25 firewalling, isn't - or rather shouldn't be - random. There are enough cookbook configs to just blanket block port 25, and far more advanced configs (ask Chris Morrow sometime about huge uunet dialup pools with radius filters to punch holes for port 25 connectivity to different ISP smarthosts etc etc)

--srs
-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
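The non-random port 25 filter Suresh describes (blanket block outbound TCP/25, holes punched for the provider's own smarthosts and for accounts that asked for raw port 25, submission left alone), as an added example that is not part of the thread and not any provider's real configuration. The policy is written once as a per-flow evaluator and once as the equivalent iptables FORWARD rules, so the two can be checked against each other; the smarthost and customer addresses are constructed documentation ranges, and the chain name is assumed.

```python
"""
Added example, not from the thread: the outbound port-25 policy discussed on
the list, in two forms that must agree.

  decide()         - per-flow ACCEPT/REJECT, usable in tests or a policy daemon
  iptables_rules() - the matching cookbook ruleset for a hosting edge

Policy: customer traffic to TCP/25 is blocked, except to the provider's own
smarthosts and except from sources that explicitly asked for a hole. Every
other port (587 submission included) is untouched by this policy.

All addresses are CONSTRUCTED (RFC 5737 ranges); the chain name is assumed.
"""
import ipaddress


class OutboundSmtpPolicy:
    def __init__(self, smarthosts, exempt_sources):
        # Provider relays every customer may reach on 25.
        self.smarthosts = {ipaddress.ip_address(h) for h in smarthosts}
        # Accounts that asked for raw port 25 (hosts or networks).
        self.exempt_sources = [ipaddress.ip_network(n) for n in exempt_sources]

    def decide(self, src, dst, dport, proto="tcp"):
        """Return 'ACCEPT' or 'REJECT' for one outbound flow."""
        if proto != "tcp" or dport != 25:
            return "ACCEPT"          # policy only concerns TCP/25
        if ipaddress.ip_address(dst) in self.smarthosts:
            return "ACCEPT"          # hole (a): provider smarthost
        s = ipaddress.ip_address(src)
        if any(s in net for net in self.exempt_sources):
            return "ACCEPT"          # hole (b): account opted in
        return "REJECT"

    def iptables_rules(self, chain="FORWARD"):
        """Emit the ruleset; order matters because iptables is first-match."""
        rules = []
        for host in sorted(self.smarthosts):
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -d {host} -j ACCEPT")
        for net in self.exempt_sources:
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -s {net} -j ACCEPT")
        # REJECT with a reset rather than DROP: a customer MTA fails fast with a
        # visible error instead of hanging in a connect timeout.
        rules.append(f"iptables -A {chain} -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
        return rules


def example_policy():
    """Constructed policy: one smarthost, one opted-in /28, one opted-in host."""
    return OutboundSmtpPolicy(
        smarthosts=["192.0.2.25"],
        exempt_sources=["203.0.113.16/28", "203.0.113.200/32"],
    )


if __name__ == "__main__":
    p = example_policy()
    for rule in p.iptables_rules():
        print(rule)
    print(p.decide("203.0.113.5", "198.51.100.10", 25))    # REJECT
    print(p.decide("203.0.113.5", "192.0.2.25", 25))       # ACCEPT (smarthost)
    print(p.decide("203.0.113.20", "198.51.100.10", 25))   # ACCEPT (exempt /28)
    print(p.decide("203.0.113.5", "198.51.100.10", 587))   # ACCEPT (submission)
```

The two holes are deliberately the only exceptions: the smarthost hole keeps mail working for customers who never asked for anything, and the per-source hole is the "punch holes for port 25" mechanism Suresh mentions, here keyed on source address rather than a RADIUS attribute.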