Skywing at valhallalegends.com
Wed May 28 12:01:30 CDT 2008
That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place...
(I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...)
From: Sargun Dhillon [mailto:sdhillon at decarta.com]
Sent: Wednesday, May 28, 2008 12:34 PM
To: Steve Atkins
Cc: nanog at nanog.org
Subject: Re: amazonaws.com?
Well the thing that differentiates "the cloud" is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities. Basically Amazon has allocated a /18,
/19, and /17 to EC2. The chances of getting the same IP between two
instances amongst that many possibilities is low. Basically someone
could easily go get a temporary credit card and start up 10 small EC2
instances. This would give them 10 public IPs which would probably take
3-4 hours (minimum) to show up on any sort of blacklists. Then its just
a matter of rebooting and you have another 3-4 hours. This could last
weeks with a credit card. Then you could rinse and repeat. In the past
I've seen companies require EIN/SSN verification (a bit much) in order
to open up certain things (port 25, BGP, etc...). If Amazon is going to
continue to have policies that allow spammers to thrive it will end with
SMTP has inherent trust issues. I'm currently researching Amazon AWS's
static IP addresses. I think it would be easiest to block everything and
just make exemptions for people who purchase the static IPs.
My advice to you if you are buying anonymous resources would be to
purchase an agreement with a relay that isn't part of the anonymous
Steve Atkins wrote:
> On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
>> Has Amazon given an official statement on this? It would be nice to get
>> someone from within Amazon to give us their official view on this. It
>> would be even more appropriate for the other cloud infrastructures to
>> join in, and or have some sort of RFC to do with SMTP access within the
>> "cloud." I forsee this as a major problem as the idea of "the cloud" is
>> being pushed more and more. You are talking about a spammers dream. Low
>> cost , powerful resources with no restrictions and complete anonymity.
>> Personally I'm going to block *.amazonaws.com from my mail server until
>> Amazon gives us a statement on how they are planning on fighting spam
>> from the cloud.
> "The cloud" is just a marketing term for a bunch of virtual servers,
> at least in Amazons case. It's nothing particularly new, just a VPS
> farm with the same constraints and abuse issues as a VPS or
> managed server provider.
> The only reason this is a problem in the case of Amazon is that they're
> knowingly selling service to spammers, their abuse guy is in
> way over his head and isn't interested in policing their users
> unless they're doing something illegal or the check doesn't clear.
> As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
sdhillon at decarta.com
More information about the NANOG