Sargun Dhillon sdhillon at
Wed May 28 11:34:24 CDT 2008

Well the thing that differentiates "the cloud" is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities. Basically Amazon has allocated a /18,
/19, and /17 to EC2. The chances of getting the same IP between two
instances amongst that many possibilities is low. Basically someone
could easily go get a temporary credit card and start up 10 small EC2
instances. This would give them 10 public IPs which would probably take
3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
a matter of rebooting and you have another 3-4 hours. This could last
weeks with a credit card. Then you could rinse and repeat. In the past
I've seen companies require EIN/SSN verification (a bit much) in order
to open up certain things (port 25, BGP, etc...). If Amazon is going to
continue to have policies that allow spammers to thrive it will end with
EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's
static IP addresses. I think it would be easiest to block everything and
just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to
purchase an agreement with a relay that isn't part of the anonymous
computing center.

Steve Atkins wrote:
> On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
>> Has Amazon given an official statement on this? It would be nice to get
>> someone from within Amazon to give us their official view on this. It
>> would be even more appropriate for the other cloud infrastructures to
>> join in, and/or have some sort of RFC to do with SMTP access within the
>> "cloud." I foresee this as a major problem as the idea of "the cloud" is
>> being pushed more and more. You are talking about a spammer's dream. Low
>> cost, powerful resources with no restrictions and complete anonymity.
>> Personally I'm going to block * from my mail server until
>> Amazon gives us a statement on how they are planning on fighting spam
>> from the cloud.
> "The cloud" is just a marketing term for a bunch of virtual servers,
> at least in Amazon's case. It's nothing particularly new, just a VPS
> farm with the same constraints and abuse issues as a VPS or
> managed server provider.
> The only reason this is a problem in the case of Amazon is that they're
> knowingly selling service to spammers, their abuse guy is in
> way over his head and isn't interested in policing their users
> unless they're doing something illegal or the check doesn't clear.
> As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
> Cheers,
> Steve

Sargun Dhillon
sdhillon at
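
The "block everything and make exemptions for static IPs" policy from the message above, as an added Python example that is not part of the original thread. The networks and exempted addresses are constructed placeholders (the post gives only the prefix lengths /17, /18 and /19), and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholders: the post names only prefix lengths (/17, /18, /19),
# not the actual provider networks, so private-range stand-ins are used here.
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/17", "10.1.0.0/18", "10.2.0.0/19")]

# Hypothetical exemptions: individual static addresses allowed out of the ranges.
STATIC_EXEMPTIONS = {ipaddress.ip_address(a) for a in ("10.0.12.34", "10.2.3.4")}


def pool_size(ranges=PROVIDER_RANGES):
    """Number of addresses a recycled instance IP could be drawn from."""
    return sum(net.num_addresses for net in ranges)


def smtp_client_policy(client_ip, ranges=PROVIDER_RANGES,
                       exemptions=STATIC_EXEMPTIONS):
    """Return (action, reason) for a connecting SMTP client address.

    Exemptions are checked first so one static address can be allowed out of
    an otherwise blocked range. Addresses outside the provider ranges are left
    to the server's other checks.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("reject", "unparseable client address")
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); otherwise it would never match
    # the IPv4 ranges and would slip past the block.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in exemptions:
        return ("accept", "exempted static address")
    for net in ranges:
        if ip.version == net.version and ip in net:
            return ("reject", f"dynamic address in blocked range {net}")
    return ("defer-to-other-checks", "outside provider ranges")


if __name__ == "__main__":
    print("addresses in pool:", pool_size())
    for sample in ("10.0.12.34", "10.0.12.35", "::ffff:10.1.2.3", "192.0.2.1"):
        print(sample, smtp_client_policy(sample))
```

Allocations of those three sizes total 57,344 addresses, which is why the range is blocked as a whole here instead of waiting for each recycled address to be listed individually.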
