Peter Beckman beckman at
Wed May 28 22:53:49 CDT 2008

On Wed, 28 May 2008, Barry Shein wrote:

> On May 28, 2008 at 21:43 beckman at (Peter Beckman) wrote:
> > On Wed, 28 May 2008, Dorn Hetzel wrote:
> >
> > > I would think that simply requiring some appropriate amount of irrevocable
> > > funds (wire transfer, etc) for a deposit that will be forfeited in the case
> > > of usage in violation of AUP/contract/etc would be both sufficient and not
> > > excessive for allowing port 25 access, etc.
> >
> >   Until you find out that the source of those supposedly irrevocable funds
> >   was stolen or fraudulent, and you have some sort of court subpoena to give
> >   it back.
> >
> >   I don't believe there is a way for you to outwit the scammer/spammer by
> >   making them pay more of their or someone elses money.  If you have what
> >   they need, they'll find a way to trick you into giving it to them.
> Are you still trying to prove that Amazon, Dell, The World, etc can't
> possibly work?

  Amazon and Dell ship physical goods.  Amazon Web Services sells services,
  as do I.  Services are commonly enabled and activated immediately after
  payment or verification of a valid credit card, as is often expected by
  the customer immediately after payment.  Shipment of physical goods will
  almost always take at least 24 hours, often longer, enabling more thorough
  checks of credit, however they might do it.

  And even with the extra time to review the transaction and attempt to
  detect fraud, I'm confident Amazon and Dell lose millions per year due to
  fraud.  The reality is that the millions they lose to fraud doesn't affect
  us because a Blu-Ray player purchased with a stolen credit card doesn't
  send spam or initiate DOS attacks.

  At least not yet; those Blu-Ray players do have an ethernet port.

> By your reasoning why don't the spammers just empty out Amazon's (et
> al) warehouses and retire! Oh right, they'd have to sell it all over
> the internet which'd mean taking credit cards...

  Now you're just being rediculous.  Or sarcastic.  :-)

> I am a big, big fan of assessing charges for AUP abuse and making some
> realistic attempt to try to make sure it's collectible, and otherwise
> make some attempt to know who you're doing business with.

  Charging whom?  The spammer who pays your extra AUP abuse charges with
  stolen paypal accounts, credit cards, and legit bank accounts funded by
  money stolen from paypal accounts and transferred from stolen credit

  If you are taking card-not-present credit card transactions over the
  Internet or phone, and not shipping physical goods but providing services,
  in my experience the merchant gets screwed, no matter how much money you
  might have charged for the privilege of using port 25 or violating AUPs.
  That money you collected and believed was yours and was in your bank
  account can be taken out just as easily 6 months later, after the lazy
  card holder finally reviews his credit card bill, sees unrecognized
  charges and says "This is fraudulent!"  And there you are, without your

  Getting someone to fax their ID in takes extra time and resources, and
  means it might be hours before you get your account "approved," and for
  some service providers, part of the value of the service is the immediacy
  in which a customer can gain new service.

Peter Beckman                                                  Internet Guy
beckman at                       

More information about the NANOG mailing list