Spam Technology

Amazon's EC2 Having Problems With Spam and Malware

jamie pointed out a story about the recent problems Amazon's EC2 service has been having with malware and spam. "EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."
  • Re:Terms of Service (Score:5, Interesting)

    by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Wednesday July 02, 2008 @03:35PM (#24035215) Homepage
    No kidding. I'd say you have to put up a bond if you want to be able to send more than some small threshold of emails out per day (100?). If you're good, you are safe. Maybe you get your bond back after 6 months. If you misbehave, Amazon cuts you off and you just lost $5-$10k.
  • Re:Terms of Service (Score:5, Interesting)

    by macx666 ( 194150 ) * on Wednesday July 02, 2008 @03:35PM (#24035219) Homepage

    Then Amazon needs to do a much better job of determining who their clients really are, and there are quite a few fairly reliable ways of doing so.

    Nothing is perfect, but it can be made very hard.

  • by fuzzy12345 ( 745891 ) on Wednesday July 02, 2008 @03:36PM (#24035225)
    Previously, senders of large volumes of paid-for (by the sender) yet unwanted (by the receiver) emails had to corral their own clouds of distributed, low-cost computing resources (a.k.a botnets). Amazon provides similar capabilities for pennies an hour. Both Amazon's and the emailers' business models work, and questionable penetration of third parties' computers is no longer required.

    Somebody finally solved the ????? = Profit equation. What's everyone getting so worked up about?

  • by dedazo ( 737510 ) on Wednesday July 02, 2008 @03:45PM (#24035321) Journal

    I agree of course, but how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?

    Nothing prevents Joe Spammer from creating a second account as Joe Spammer Thornton III a day after the first one is turned off. The capabilities of Amazon's cloud are too juicy to pass up.

  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Wednesday July 02, 2008 @03:57PM (#24035443) Journal

    Once they have the name of the instance, they also know who launched it -- after all, they are billing someone.

    I like the suggestion to charge a large fee to the credit card they have on file, but what about simply banning the account in question?

  • by Anonymous Coward on Wednesday July 02, 2008 @04:17PM (#24035659)

    how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?

    How about a driver's license or other gov't-issued ID? Do whatever the CAs say they do.

    How are these people paying Amazon: cold, hard anonymous cash? Probably not. Supplying an ID when you pay for something by credit card or check, isn't all that unusual in retail business.

    But it's unusual in online business. Well, maybe it shouldn't be, if the person who is paying you has as much incentive to fuck you over, as spammers do.

  • Honeynet Project (Score:2, Interesting)

    by fatrat ( 324232 ) on Wednesday July 02, 2008 @04:21PM (#24035697) Homepage
    The UK Honeynet Project spotted this a few days earlier :) http://www.ukhoneynet.org/2008/06/30/it-had-to-happen [ukhoneynet.org]
  • by Todd Knarr ( 15451 ) on Wednesday July 02, 2008 @05:19PM (#24036455) Homepage

    There's actually a solution to that, but it involves slowing the process down. Just don't activate the account once the information's entered. Instead, send a physical letter to the credit-card billing address. You can require a form to be signed and returned, or just include an activation code in the letter that has to be entered to turn the account on. That should make it infeasible to use 99% of stolen cards. It introduces a few days of delay between requesting the account and getting it, but IMO if you intend to use the account for any length of time a few days shouldn't be an issue and if you don't then you're likely exactly the kind of person this is intended to filter out.

  • Re:Death Penalty (Score:3, Interesting)

    by Hojima ( 1228978 ) on Wednesday July 02, 2008 @07:56PM (#24038153)

    I don't see why the government doesn't prosecute the companies that have their products spammed. They are the absolute root of all this. Without them, there wouldn't be any placebos to sell so that they can hire more spammers. There's got to be SOME way to get to them.

  • Re:Death Penalty (Score:3, Interesting)

    by palegray.net ( 1195047 ) <philip DOT paradis AT palegray DOT net> on Wednesday July 02, 2008 @08:51PM (#24038595) Homepage Journal
    You're talking about two completely different things here. Your original idea was to hold the "final destination" companies responsible for the actions of spammers. This *will not work* in a great many cases for the reasons I cited in my previous post. Referencing your gun sales procedures analogy, it sounds like you've never run an affiliate program. Yes, you do your best to screen applicants to make sure they have a legitimate web presence before agreeing to allow them to market your products in exchange for commissions on sales. However, this is *really* easy to circumvent if someone is truly interested in using spam as a promotion mechanism. Would you advocate requiring something like a photo ID before allowing someone to do affiliate marketing? I'm sure Amazon.com and the like are sure to implement such a requirement any day now (light sarcasm). It would simply make your affiliate marketing program near-worthless in an age where people are extremely hesitant to part with a lot of their personal information, and wouldn't do anything to deter the spammers (in many ways resembling how gun control laws frequently do nothing to prevent crime, because criminals don't usually obtain their guns through legal channels anyhow).

    As for nailing companies that ship products that don't work as advertised, we already have a mature legal framework for dealing with such organizations. Of course, that's assuming the business is operating in a jurisdiction where you can actually prosecute them (many, many foreign scam operations operate from dubious locales).

    I sympathize with your frustration at the situation; I deal with it every day myself. I operate several servers that filter tens of thousands of inbound SPAM pieces a day. I have to deal with constant attacks on those servers from botnets trying to turn them into SPAM-churning zombies. It's a monthly balancing act deciding which IP blocks to ban based on nasty activity, without losing revenue from pageviews from legitimate visitors. In other words, I'd like to feed spammers their balls through the wrong end of their anatomy, but your methods simply aren't workable options.
  • Re:Terms of Service (Score:2, Interesting)

    by L0stm4n ( 322418 ) on Wednesday July 02, 2008 @11:59PM (#24039619) Homepage

    I lost my wallet once on a Saturday and didn't notice until Monday. I went out for more beer Saturday night and my wallet fell out of my pocket (best guess of what happened, since the pants I was wearing always lost shit from the pocket when I sat down) when I got in my friend's car. Sunday I didn't go out so never looked for my wallet. Monday I looked and couldn't find it. Checked my Bank of America online page and saw fraudulent charges. Mostly from local convenience stores and Wal-Marts. I contacted BOA and the local police; BOA refunded all the money, including overdraft, within a few hours. The police took a report, and I never heard from them again. BOA never questioned the charges but asked that I give them a police report number. All was well. Issued a new card and got it in the mail a week or so later.
