Amazon's EC2 Having Problems With Spam and Malware
jamie pointed out a story about the recent problems Amazon's EC2 service has been having with malware and spam. "EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."
Re:Terms of Service (Score:5, Interesting)
Then Amazon needs to do a much better job of determining who their clients really are, and there are quite a few fairly reliable ways of doing so.
Nothing is perfect, but it can be made very hard.
Sheesh, seems like a match made in heaven (Score:5, Interesting)
Somebody finally solved the ????? = Profit equation. What's everyone getting so worked up about?
Re:Terminate accounts not instances? (Score:3, Interesting)
I agree of course, but how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?
Nothing prevents Joe Spammer from creating a second account as Joe Spammer Thornton III a day after the first one is turned off. The capabilities of Amazon's cloud are too juicy to pass up.
Terminate the account! (Score:3, Interesting)
Once they have the name of the instance, they also know who launched it -- after all, they are billing someone.
I like the suggestion to charge a large fee to the credit card they have on file, but what about simply banning the account in question?
Re:Terminate accounts not instances? (Score:1, Interesting)
How about a driver's license or other gov't-issued ID? Do whatever the CAs say they do.
How are these people paying Amazon: cold, hard anonymous cash? Probably not. Supplying an ID when you pay for something by credit card or check isn't all that unusual in retail business.
But it's unusual in online business. Well, maybe it shouldn't be, if the person who is paying you has as much incentive to fuck you over, as spammers do.
Honeynet Project (Score:2, Interesting)
Re:Terminate accounts not instances? (Score:5, Interesting)
There's actually a solution to that, but it involves slowing the process down. Just don't activate the account once the information's entered. Instead, send a physical letter to the credit-card billing address. You can require a form to be signed and returned, or just include an activation code in the letter that has to be entered to turn the account on. That should make it infeasible to use 99% of stolen cards. It introduces a few days of delay between requesting the account and getting it, but IMO if you intend to use the account for any length of time a few days shouldn't be an issue and if you don't then you're likely exactly the kind of person this is intended to filter out.
Re:Death Penalty (Score:3, Interesting)
I don't see why the government doesn't prosecute the companies that have their products spammed. They are the absolute root of all this. Without them, there wouldn't be any placebos to sell so that they can hire more spammers. There's got to be SOME way to get to them.
Re:Death Penalty (Score:3, Interesting)
As for nailing companies that ship products that don't work as advertised, we already have a mature legal framework for dealing with such organizations. Of course, that's assuming the business is operating in a jurisdiction where you can actually prosecute them (many, many foreign scam operations operate from dubious locales).
I sympathize with your frustration at the situation; I deal with it every day myself. I operate several servers that filter tens of thousands of inbound SPAM pieces a day. I have to deal with constant attacks on those servers from botnets trying to turn them into SPAM-churning zombies. It's a monthly balancing act deciding which IP blocks to ban based on nasty activity, without losing revenue from pageviews from legitimate visitors. In other words, I'd like to feed spammers their balls through the wrong end of their anatomy, but your methods simply aren't workable options.
Re:Terms of Service (Score:2, Interesting)
I lost my wallet once on a Saturday and didn't notice until Monday. I went out for more beer Saturday night and my wallet fell out of my pocket (best guess of what happened, since the pants I was wearing always lost shit from the pocket when I sat down) when I got in my friend's car. Sunday I didn't go out so never looked for my wallet. Monday I looked and couldn't find it. Checked my Bank of America online page and saw fraudulent charges. Mostly from local convenience stores and Wal-Marts. I contacted BOA and the local police; BOA refunded all the money, including overdraft, within a few hours. The police took a report, and I never heard from them again. BOA never questioned the charges but asked that I give them a police report number. All was well. Issued a new card and got it in the mail a week or so later.