Barry Shein bzs at
Sat May 24 13:32:37 CDT 2008

 > not to excuse this, but... it's not a simple problem. The 'bad guy'
 > rolls up to the website, orders 200 machines for 20 mins under the
 > name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
 > job happens to create a bunch of email outbound. It could be a
 > legitimate email service outsourcing their compute/bw needs to AWS, it
 > could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
 > when the complaints roll in. :(

Oh rubbish, it's a trivial problem.

You verify the payment method in advance and make it clear in the
agreement to use the resources that any of the following activities
(list, define...) will be billed at a steep rate (e.g., $100 per
spamming complaint) and make some reasonable effort to ensure you can
collect that, like do an authorize on their credit card (that's what
hotels do to reserve but not charge typically $1000 or whatever on
your card when you check in.)

It's trivial, using your systems to spam is a cost, make sure at the
very least you get paid for it.

This isn't hypothetical, I have done exactly this many times here and
billed customers who were crossing the line and generating too many
complaints (but not quite what I'd call egregious spamming, but maybe
harvesting addresses for their "newsletter" from specific chat groups
for example) $50 per complaint, and I've collected it, and it stopped,
either they paid it and cleaned up their act or they went away, good

Anyone who builds a business model which allows for this sort of
massive fraud and criminality where a few common sense precautions
would prevent it is just transferring the costs of reasonable
precaution to others and courts should come to understand that sooner
than later.

Their business model is monetizing your time and efforts to accomodate
that abuse. The money is going right into their pockets by not having
to pay for employees to implement and execute an avoidance, detection,
and recovery plan, for starters.

Microsoft has made untold billions monetizing spam (by knowingly not
fixing their OS for over a decade) and others are figuring this out
and building new business models which profit on abuse enablement even
if indirectly (i.e., as a cost savings.)

They're laughing all the way to the bank as you get shook out of bed
with another 3AM emergency or stay over the weekend to upgrade your
newly purchased firewall capacity, etc etc etc.

        -Barry Shein

The World              | bzs at           |
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*

More information about the NANOG mailing list