Is it just us or does someone pWn *.amazonaws.com?
Every one of our mail servers is being slammed by I'm not sure what but many thousands of user unknowns per hour (fortunately we handle those pretty quickly but this is a deluge.)
All I know is "amazonaws.com" is "Amazon Web Services", not sure if these particular systems should be sending email at all, the hostnames look like:
ec2-67-202-36-134.compute-1.amazonaws.com ec2-67-202-37-35.compute-1.amazonaws.com ec2-67-202-37-38.compute-1.amazonaws.com ec2-67-202-38-112.compute-1.amazonaws.com ec2-67-202-39-87.compute-1.amazonaws.com ec2-67-202-8-122.compute-1.amazonaws.com ec2-72-44-37-77.compute-1.amazonaws.com ec2-75-101-192-20.compute-1.amazonaws.com ec2-75-101-202-130.compute-1.amazonaws.com ec2-75-101-207-190.compute-1.amazonaws.com ec2-75-101-210-120.compute-1.amazonaws.com ec2-75-101-224-146.compute-1.amazonaws.com ec2-75-101-227-187.compute-1.amazonaws.com ec2-75-101-228-221.compute-1.amazonaws.com ec2-75-101-229-15.compute-1.amazonaws.com ec2-75-101-230-147.compute-1.amazonaws.com ec2-75-101-234-192.compute-1.amazonaws.com ec2-75-101-236-135.compute-1.amazonaws.com ec2-75-101-238-69.compute-1.amazonaws.com ec2-75-101-241-105.compute-1.amazonaws.com
Those don't look like mail servers but what do I know?
Anyhow, if there's anyone awake at Amazonaws.com, your hair is on fire.
-b
EC2 is a pay-per-cycle service, where you can run your work on their servers. Probably one of their clients. Try abuse@?
-Patrick
On May 23, 2008, at 6:59 PM, Barry Shein <bzs@world.std.com> wrote:
Is it just us or does someone pWn *.amazonaws.com?
Every one of our mail servers is being slammed by I'm not sure what but many thousands of user unknowns per hour (fortunately we handle those pretty quickly but this is a deluge.)
All I know is "amazonaws.com" is "Amazon Web Services", not sure if these particular systems should be sending email at all, the hostnames look like:
Those don't look like mail servers but what do I know?
Anyhow, if there's anyone awake at Amazonaws.com, your hair is on fire.
-b
Patrick Clochesy wrote:
EC2 is a pay-per-cycle service, where you can run your work on their servers. Probably one of their clients. Try abuse@?
-Patrick
On May 23, 2008, at 6:59 PM, Barry Shein <bzs@world.std.com> wrote:
Is it just us or does someone pWn *.amazonaws.com?
Every one of our mail servers is being slammed by I'm not sure what but many thousands of user unknowns per hour (fortunately we handle those pretty quickly but this is a deluge.)
All I know is "amazonaws.com" is "Amazon Web Services", not sure if these particular systems should be sending email at all, the hostnames look like:
Send to abuse@amazon.com - amazonaws.com has no MX:
[cstone@csmdv ~]$ host -tmx amazonaws.com
amazonaws.com has no MX record
-- Chris Stone, MCSE Vice President, CTO AxisInternet, Inc. http://www.axint.net DSL, dialup, hosting, email filtering, co-location, online backup Phone: +1 303 592 2947 x302 (office) +1 303 570 6947 (cell)
On May 23, 2008, at 4:59 PM, Barry Shein wrote:
Is it just us or does someone pWn *.amazonaws.com?
Every one of our mail servers is being slammed by I'm not sure what but many thousands of user unknowns per hour (fortunately we handle those pretty quickly but this is a deluge.)
All I know is "amazonaws.com" is "Amazon Web Services", not sure if these particular systems should be sending email at all, the hostnames look like:
It's a compute farm. Anyone can rent time on it. The processes they run will be assigned to random machines in the farm, AIUI, and will have full network access.
If you're seeing something more egregious than just deluges of spam then ec2-abuse@amazon.com would likely be the right people to talk to.
They've been contacted about it and, AIUI, state that the spam being sent from there is not something they're going to take action on.
I suspect that taking the obvious preemptive action w.r.t. 67.202.0.0/18 is likely to be more effective than relying on their abuse staff.
Cheers, Steve
On 24/05/2008 02:42 Steve Atkins wrote:
If you're seeing something more egregious than just deluges of spam then ec2-abuse@amazon.com would likely be the right people to talk to.
They've been contacted about it and, AIUI, state that the spam being sent from there is not something they're going to take action on.
You should not accept SMTP from the Amazon EC2 cloud at all. Amazon don't intend for anyone to use it as an email platform and tell their clients to use an external relay. -- Colin Alston ~ http://syllogism.co.za/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.
On May 24, 2008, at 3:24 AM, Colin Alston wrote:
You should not accept SMTP from the Amazon EC2 cloud at all. Amazon don't intend for anyone to use it as an email platform and tell their clients to use an external relay.
I'm sure this is good advice. But if an ISP used that as an excuse for not taking action, we'd hang them over hot coals. Is Amazon truly not policing the network for spammers?
On Sat, May 24, 2008 at 12:13 PM, Kee Hinckley <nazgul@somewhere.com> wrote:
On May 24, 2008, at 3:24 AM, Colin Alston wrote:
You should not accept SMTP from the Amazon EC2 cloud at all. Amazon don't intend for anyone to use it as an email platform and tell their clients to use an external relay.
I'm sure this is good advice. But if an ISP used that as an excuse for not taking action, we'd hang them over hot coals. Is Amazon truly not policing the network for spammers?
not to excuse this, but... it's not a simple problem. The 'bad guy' rolls up to the website, orders 200 machines for 20 mins under the name 'xplosiveman' pays with some paypal/CC and runs his/her job. That job happens to create a bunch of email outbound. It could be a legitimate email service outsourcing their compute/bw needs to AWS, it could be 'pick-yer-bad-spammer' ... AWS really can't tell until after when the complaints roll in. :( I suppose they could say: "no tcp/25 outbound from AWS computer clusters", though that's probably a decent market in the real email-deliver-services :( Also, truly bad folk will just move to using proxies or other methods :( -Chris.
not to excuse this, but... it's not a simple problem. The 'bad guy' rolls up to the website, orders 200 machines for 20 mins under the name 'xplosiveman' pays with some paypal/CC and runs his/her job. That job happens to create a bunch of email outbound. It could be a legitimate email service outsourcing their compute/bw needs to AWS, it could be 'pick-yer-bad-spammer' ... AWS really can't tell until after when the complaints roll in. :(
Oh rubbish, it's a trivial problem.
You verify the payment method in advance and make it clear in the agreement to use the resources that any of the following activities (list, define...) will be billed at a steep rate (e.g., $100 per spamming complaint) and make some reasonable effort to ensure you can collect that, like do an authorize on their credit card (that's what hotels do to reserve but not charge typically $1000 or whatever on your card when you check in.)
It's trivial, using your systems to spam is a cost, make sure at the very least you get paid for it.
This isn't hypothetical, I have done exactly this many times here and billed customers who were crossing the line and generating too many complaints (but not quite what I'd call egregious spamming, but maybe harvesting addresses for their "newsletter" from specific chat groups for example) $50 per complaint, and I've collected it, and it stopped, either they paid it and cleaned up their act or they went away, good riddance.
Anyone who builds a business model which allows for this sort of massive fraud and criminality where a few common sense precautions would prevent it is just transferring the costs of reasonable precaution to others and courts should come to understand that sooner than later.
Their business model is monetizing your time and efforts to accommodate that abuse. The money is going right into their pockets by not having to pay for employees to implement and execute an avoidance, detection, and recovery plan, for starters.
Microsoft has made untold billions monetizing spam (by knowingly not fixing their OS for over a decade) and others are figuring this out and building new business models which profit on abuse enablement even if indirectly (i.e., as a cost savings.)
They're laughing all the way to the bank as you get shook out of bed with another 3AM emergency or stay over the weekend to upgrade your newly purchased firewall capacity, etc etc etc.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Barry Shein wrote:
not to excuse this, but... it's not a simple problem. The 'bad guy' rolls up to the website, orders 200 machines for 20 mins under the name 'xplosiveman' pays with some paypal/CC and runs his/her job. That job happens to create a bunch of email outbound. It could be a legitimate email service outsourcing their compute/bw needs to AWS, it could be 'pick-yer-bad-spammer' ... AWS really can't tell until after when the complaints roll in. :(
Oh rubbish, it's a trivial problem.
You verify the payment method in advance and make it clear in the agreement to use the resources that any of the following activities (list, define...) will be billed at a steep rate (e.g., $100 per spamming complaint) and make some reasonable effort to ensure you can collect that, like do an authorize on their credit card (that's what hotels do to reserve but not charge typically $1000 or whatever on your card when you check in.)
It's trivial, using your systems to spam is a cost, make sure at the very least you get paid for it.
And 6 months later, a chargeback shows up because the cardholder claims their card was used fraudulently. The bank will most likely side with the cardholder if you challenge it. How can that loophole be closed? ~Seth
On May 24, 2008 at 12:10 sethm@rollernet.us (Seth Mattinen) wrote:
And 6 months later, a chargeback shows up because the cardholder claims their card was used fraudulently. The bank will most likely side with the cardholder if you challenge it. How can that loophole be closed?
Since this comment applies equally to every single credit card payment on the internet etc I suppose you've just proven that credit cards can't possibly work and even Amazon itself is an impossibility.
Perhaps we can move on to why bumble bees can't fly?
Like I said, they have to verify who they're doing business with to some reasonable degree matching the risk involved.
Declining a legitimate charge can be a criminal fraud.
Even when someone declines a charge it doesn't mean you can't collect what you believe to be money legitimately owed you. You can hand it to a collection agency if it's worthwhile. If not (e.g., you took a card w/o any verification from someone in a country whose name you can't even pronounce) OH WELL, you're a fool, or it better be part of your cost of doing business.
Obviously an occasional successful fraud will happen, you can't make the best the enemy of the good, but what a reasonable rather than totally irresponsible policy does is discourage criminals preventatively.
STICKING TO THE POINT OF THESE COMPUTING CLOUDS...
What is the dollar range of a typical charge for these services? Let's not broaden the point to include every penny-ante transaction on the internet. There's a big difference between talking about credit card problems with $20 charges which are hardly worth pursuing and thousands of dollars.
Anyhow, it's not my problem to get them paid, it's my problem when they're aiding and abetting criminals who harm me and my business. If they're not even getting paid for that then they're just stupid and deserve whatever happens to them.
You make it sound like I have to design a successful business model for them in order to claim damages from their flawed model. I don't think so.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Sun, May 25, 2008 at 1:06 AM, Barry Shein <bzs@world.std.com> wrote:
Even when someone declines a charge it doesn't mean you can't collect what you believe to be money legitimately owed you. You can hand it to a collection agency if it's worthwhile. If not (e.g., you took a card w/o any verification from someone in a country whose name you can't even pronounce) OH WELL, you're a fool, or it better be part of your cost of doing business.
The funny part is, the scam artists already know that "mismatch between account holder's name and cc holder's name / address / country" is one of the first and most elementary anti fraud checks. So, if they steal a cc from Joe Sixpack of Bumfuck, Iowa, guess who signs up to Amazon AWS for 200 VMs and 20 minutes worth of service? --srs
On 24/05/2008 21:36 Barry Shein wrote:
Anyhow, it's not my problem to get them paid, it's my problem when they're aiding and abetting criminals who harm me and my business.
Well, all I know is that they deliberately leave the compute cloud ranges in blacklists. I don't really like the idea of using DNS blacklists but they work.
As I also said, you have many people's blessing to simply block the entire range as per their service terms they don't guarantee mail going out at all - blocking 25 entirely would be counter productive to allowing people to use an authenticated relay though unless they used the submission port.
It is entirely possible that the spammers do pay for the service genuinely though, since it's very cheap.
-- Colin Alston ~ http://syllogism.co.za/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.
If I may be so bold as to summarize a few posts: It's ok to let spammers and other criminals use your systems (e.g., compute clouds) to slam others just so long as you get yourself into the various blacklists. But I thought (routed) bandwidth was the ISP's stock in trade? And trust (e.g., whaddya think of people who hijack IP blocks?) I don't think it's ok for someone to be slamming my bandwidth and computrons, even at the firewall. As was mentioned some of these clouds are looking at multiple 10gb connections. Just because I can fend off seeing their content at my end doesn't mean I'm not being damaged. I have to keep up with their bandwidth and firewall computron usage, and managing usage of the blacklists. That's damages. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Requiring accounts have more time active with charges on the same credit card than the length of the chargeback window before they can transmit on 25, or be filled by wire transfer if someone is in a huge hurry would certainly do the trick. Yes, some business would be lost, but probably not much.
On Sat, May 24, 2008 at 3:10 PM, Seth Mattinen <sethm@rollernet.us> wrote:
Barry Shein wrote:
not to excuse this, but... it's not a simple problem. The 'bad guy' rolls up to the website, orders 200 machines for 20 mins under the name 'xplosiveman' pays with some paypal/CC and runs his/her job. That job happens to create a bunch of email outbound. It could be a legitimate email service outsourcing their compute/bw needs to AWS, it could be 'pick-yer-bad-spammer' ... AWS really can't tell until after when the complaints roll in. :(
Oh rubbish, it's a trivial problem.
You verify the payment method in advance and make it clear in the agreement to use the resources that any of the following activities (list, define...) will be billed at a steep rate (e.g., $100 per spamming complaint) and make some reasonable effort to ensure you can collect that, like do an authorize on their credit card (that's what hotels do to reserve but not charge typically $1000 or whatever on your card when you check in.)
It's trivial, using your systems to spam is a cost, make sure at the very least you get paid for it.
And 6 months later, a chargeback shows up because the cardholder claims their card was used fraudulently. The bank will most likely side with the cardholder if you challenge it. How can that loophole be closed?
~Seth
On Sat, May 24, 2008 at 5:29 AM, Barry Shein <bzs@world.std.com> wrote:
Is it just us or does someone pWn *.amazonaws.com?
ec2-67-202-36-134.compute-1.amazonaws.com ec2-67-202-37-35.compute-1.amazonaws.com
Why don't you just use Spamhaus PBL? That'd take care of email from the EC2 cloud, dynamic IP ranges etc etc.
http://www.spamhaus.org/pbl/query/PBL181003
Ref: PBL181003
67.202.0.0/18 is listed on the Policy Block List (PBL)
Outbound Email Policy of The Spamhaus Project for this IP range:
This IP range has been identified by Spamhaus as not meeting our policy for IPs which should deliver 'direct-to-mx' mail to PBL users.
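A triage sketch for the range-versus-blocklist question raised in this thread; it is an added example, not part of any poster's message. It decodes the `ec2-A-B-C-D.compute-1.amazonaws.com` naming seen in the first post, checks each address against the 67.202.0.0/18 range named above, and builds the DNSBL query name for the rest. The zone `pbl.spamhaus.org`, the function names and the `mail.example.org` entry are assumptions of this example; no DNS lookup is made.

```python
import ipaddress
import re

# Range named in the thread (the suggested block and the PBL181003 listing).
LISTED_RANGE = ipaddress.ip_network("67.202.0.0/18")
# Assumption: the PBL's public DNS zone; the thread only says "spamhaus PBL".
DNSBL_ZONE = "pbl.spamhaus.org"

# EC2 reverse-DNS naming as it appears in the first post.
EC2_PTR = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.compute-1\.amazonaws\.com\.?$",
    re.IGNORECASE,
)

# Four hostnames copied from the first post, plus one constructed non-EC2 name.
SAMPLE_HOSTS = [
    "ec2-67-202-36-134.compute-1.amazonaws.com",
    "ec2-67-202-8-122.compute-1.amazonaws.com",
    "ec2-72-44-37-77.compute-1.amazonaws.com",
    "ec2-75-101-192-20.compute-1.amazonaws.com",
    "mail.example.org",  # constructed
]

def ec2_ptr_to_ip(hostname):
    """Return the IPv4 address embedded in an EC2-style PTR name, or None."""
    m = EC2_PTR.match(hostname.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def triage(hostnames):
    """Bucket names: inside the /18, EC2-style but outside it, or not EC2-style."""
    result = {"in_range": [], "ec2_outside_range": [], "not_ec2": []}
    for name in hostnames:
        ip = ec2_ptr_to_ip(name)
        if ip is None:
            result["not_ec2"].append(name)
        elif ip in LISTED_RANGE:
            result["in_range"].append(str(ip))
        else:
            result["ec2_outside_range"].append(str(ip))
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS)
    for bucket, items in report.items():
        print(bucket, items)
    # Addresses the /18 does not cover still need a per-IP blocklist query.
    for ip in report["ec2_outside_range"]:
        print("query:", dnsbl_query_name(ip))
```

PTR names are set by whoever controls the address space, so this is for sorting log entries, not for authenticating a sender; the connecting IP itself is what a range rule or DNSBL query should act on.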
participants (10)
- Barry Shein
- Chris Stone
- Christopher Morrow
- Colin Alston
- Dorn Hetzel
- Kee Hinckley
- Patrick Clochesy
- Seth Mattinen
- Steve Atkins
- Suresh Ramasubramanian