Amazon's EC2 Having Problems With Spam and Malware

jamie pointed out a story about the recent problems Amazon's EC2 service has been having with malware and spam. "EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."

  • Terms of Service (Score:5, Insightful)

    by macx666 ( 194150 ) * on Wednesday July 02, 2008 @03:31PM (#24035149) Homepage

    They have the credit card numbers of these people, no? Add a $1000 (or more) charge to the TOS each time someone gets caught spamming through them. That should make a pretty clear point.

  • by teh kurisu ( 701097 ) on Wednesday July 02, 2008 @03:32PM (#24035171) Homepage

    Why aren't Amazon terminating the accounts of offenders, and blacklisting whatever payment method they're using? It's a paid service, it's not like spammers can register for new accounts as much as they like, they're going to run out of credit card numbers (well, assuming their activities aren't more nefarious than mere spam).

    It's not in Amazon's interests to have EC2 blacklisted.

  • by thermian ( 1267986 ) on Wednesday July 02, 2008 @03:33PM (#24035183)

    And what if the credit card in question is stolen?

  • by adolf ( 21054 ) <flodadolf@gmail.com> on Wednesday July 02, 2008 @03:34PM (#24035207) Journal

    Then the owner will actually notice that his/her card is stolen, and finally go over the bill with a fine-toothed comb, disputing charges as they go.

    Nothing is lost.

  • by RabidMoose ( 746680 ) on Wednesday July 02, 2008 @03:37PM (#24035241) Homepage
    I agree with parent. This should be a non-issue. Just shut the account off, (possibly with a fine, as suggested elsewhere), and disallow the account holder from creating another account.
  • by thermian ( 1267986 ) on Wednesday July 02, 2008 @03:38PM (#24035251)

    That's something of an extreme approach. Not exactly the sort of behaviour that would endear a company to its customers.

    If your EC2 account got hacked (which may happen if it's worth the effort), you would end up hacked, billed, and having quite possibly a hell of a fight to get your cash back.

  • by QuantumRiff ( 120817 ) on Wednesday July 02, 2008 @03:39PM (#24035263)
    Amazon will fix this, as soon as they have an incentive to do so. I.e., if enough blocklists start adding their IPs, customers will threaten to take their business elsewhere, as their legitimate emails are not going through. Then, and only then, will Amazon act (and only if the cost benefit to fix are less than the development time, and income from spammers). Would you expect a corporation to do differently?
  • by MrMr ( 219533 ) on Wednesday July 02, 2008 @03:41PM (#24035275)
    Depends, if it is not reported stolen; tough luck for the card holder, if it is; tough luck for the credit card company.
  • by klingens ( 147173 ) on Wednesday July 02, 2008 @03:41PM (#24035281)

    The hoster terminates the client and won't sign him up again. Amazon could easily do the same but doesn't. Instead they only terminate the instance.

  • by Anonymous Coward on Wednesday July 02, 2008 @04:05PM (#24035501)

    Crap idea. Small start-ups use this kind of service instead of a dedicated server in a server farm. Compare costs and you'll see why.

    What is small for emails? One small project I set up has over 5000 users, when their reports are ready they get notified, when something changes, they get notified.

    6 months of spam will generate a hell of a lot more than the $5-10k bond.

    There are far better ways to stop spamming. Follow the money all the way to the companies selling the drugs, watches, or whatever. Someone is paying the piper to send the spam. Want it stopped? Slap massive fines onto the companies caught using them. Make it double per case. Shut them down if they persist.

    Someone running a company is not going to want to use spammers once they're prosecuted and heavily fined.

  • by rnswebx ( 473058 ) on Wednesday July 02, 2008 @04:42PM (#24035941)

    I think you're missing the point. If the offenders have stolen credit cards, they likely also have the correct name and address to go along with them. Adding electronic verification does absolutely nothing to solve the problem, unless we start requiring matching state issued IDs or SSNs to our cards. The obvious problem with that is now we're allowing even more private, extremely sensitive data to flow across the internet.

    It's a difficult problem to solve; certainly more so than simply requiring matching names and addresses to a credit card.

  • Re:Require DKIM (Score:3, Insightful)

    by Kalriath ( 849904 ) * on Wednesday July 02, 2008 @05:17PM (#24036413)

    EV certificates cannot sign mail, only server to server communication. E-mail signing certificates cost about $30, and require absolutely no proof of identity, just existence. This is no barrier whatsoever.

  • by Amamdouh ( 1130747 ) on Wednesday July 02, 2008 @05:20PM (#24036477)
    I think all the ideas of placing a deposit or putting an extra charge per message are against the EC2 model. The whole idea is to offer a high capability solution at a low entry price that scales easily.
    Spammers and abusers tend to have distinctive patterns and this is what Amazon should be paying attention to. I.e., some guy using a US credit card, logging in to his instance from eastern Europe and sending a zillion email messages the second day after sign up should raise some doubts. Manual inspection of suspicious traffic can be very costly but they can easily build a growing list of trusted customers who use the service for legitimate reasons and monitor suspicious traffic from new registrations.
  • by LukeCrawford ( 918758 ) <lsc@prgmr.com> on Wednesday July 02, 2008 @06:23PM (#24037263) Homepage Journal
    Why not run an inward-facing IDS, something like Snort? It's easy enough to set up a script that automatically terminates accounts of people sending abuse, and to do it on the first instance of that abuse.
  • by encoderer ( 1060616 ) on Wednesday July 02, 2008 @06:45PM (#24037501)

    Actually, both Visa and MasterCard hold banks to the same "Zero Fraud Guarantee" policy for Debit Cards as they do Credit Cards.

    In fact, if you search Visa.com for their Consumer Credit Card and Consumer Debit Card pages, you'll see that the Zero Fraud Policy link on both takes you to the same page.

    They require that banks put provisional funds back into your account within 5 days of the dispute being made. Most banks do this the same day. I bank at BoA and they do it within hours.

    The policy extends to charges incurred as a side-effect of the fraud, like overdrafts.

    It does not apply to pin-based transactions, but there are no pin-based transactions on the web anyhow.

    This makes sense if you think about it and it has nothing to do with Congress. Many people are transitioning away from cash. I hardly EVER carry cash. I use my Debit card for everything. And Visa has a vested interest in seeing this continue. A HUGE interest.

    Besides, there is no difference between "Banks and credit unions" and "credit card companies."

    Visa doesn't give out credit. They don't even give out credit-cards. They just provide a clearinghouse network. On their end, a Debit Card transaction (non-pin-based) looks identical to a CC transaction.

    Of course, none of this applies if your debit card doesn't carry a Visa or MC logo. But if that's the case, you're not using it online, anyway.

  • Re:Death Penalty (Score:4, Insightful)

    by palegray.net ( 1195047 ) <philip DOT paradis AT palegray DOT net> on Wednesday July 02, 2008 @08:04PM (#24038215) Homepage Journal
    Because oftentimes it isn't those companies' fault. Say you have an affiliate program, or you rely on a third-party affiliate program management firm to provide compensation for those who promote your products. You can have strict terms for those people that warn against using spamming tactics to promote their affiliate sales, and you can terminate the ones who get caught, but you can't ever guarantee compliance en masse.

    Your suggestion is equivalent to throwing knife makers in prison because some of their customers misuse the product.
  • by EVil Lawyer ( 947367 ) on Wednesday July 02, 2008 @10:35PM (#24039229)
    What's interesting about the setup (where the merchants are responsible for the fraud, not the credit card companies) is that the card companies have very little incentive to prevent fraud. In fact, they frequently have a disincentive: They collect a $25+ per charge "chargeback fee" from the merchants, for fraudulent charges. It would be in credit card companies' interests if fraud increased! (Of course, not past the level where merchants are hurt too badly to stop accepting cards.)
  • Re:Death Penalty (Score:5, Insightful)

    by localman ( 111171 ) on Thursday July 03, 2008 @04:52AM (#24040749) Homepage

    As someone who has been involved with both sides of an affiliate program myself, I tend not to agree with your assessment. The company I worked for did an amazingly good job of keeping spammers from promoting our products. We had people on this continuously. These aren't random folks, they're people who we are paying (i.e. have an ongoing legal business relationship with) to bring customers to us. You can damn well bet it's our responsibility to make sure they act appropriately: they're our employees (claims of "independent contractor" notwithstanding).

    I think that a reasonable legal framework for applying pressure to companies that benefit from spammers is warranted. I would have been glad to work under such a framework myself. Really, there's no excuse.

    Cheers.
