Amazon's EC2 Having Problems With Spam and Malware
jamie pointed out a story about the recent problems Amazon's EC2 service has been having with malware and spam. "EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."
No kidding. I'd say you have to put up a bond if you want to be able to send more than some small threshold of emails out per day (100?). If you're good, you are safe. Maybe you get your bond back after 6 months. If you misbehave, Amazon cuts you off and you just lost $5-$10k.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Then Amazon needs to do a much better job of determining who their clients really are, and there are quite a few fairly reliable ways of doing so.
Nothing is perfect, but it can be made very hard.
Somebody finally solved the ????? = Profit equation. What's everyone getting so worked up about?
Everybody's a libertarian 'till their neighbour's becomes a crack house.
I agree of course, but how exactly do you go about identifying these people so that they don't open another account? Credit card numbers? PayPal accounts? Last names? What?
Nothing prevents Joe Spammer from creating a second account as Joe Spammer Thornton III a day after the first one is turned off. The capabilities of Amazon's cloud are too juicy to pass up.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
There's actually a solution to that, but it involves slowing the process down. Just don't activate the account once the information's entered. Instead, send a physical letter to the credit-card billing address. You can require a form to be signed and returned, or just include an activation code in the letter that has to be entered to turn the account on. That should make it infeasible to use 99% of stolen cards. It introduces a few days of delay between requesting the account and getting it, but IMO if you intend to use the account for any length of time a few days shouldn't be an issue and if you don't then you're likely exactly the kind of person this is intended to filter out.
You're talking about two completely different things here. Your original idea was to hold the "final destination" companies responsible for the actions of spammers. This *will not work* in a great many cases for the reasons I cited in my previous post. Referencing your gun sales procedures analogy, it sounds like you've never run an affiliate program. Yes, you do your best to screen applicants to make sure they have a legitimate web presence before agreeing to allow them to market your products in exchange for commissions on sales. However, this is *really* easy to circumvent if someone is truly interested in using spam as a promotion mechanism. Would you advocate requiring something like a photo ID before allowing someone to do affiliate marketing? I'm sure Amazon.com and the like are sure to implement such a requirement any day now (light sarcasm). It would simply make your affiliate marketing program near-worthless in an age where people are extremely hesitant to part with a lot of their personal information, and wouldn't do anything to deter the spammers (in many ways resembling how gun control laws frequently do nothing to prevent crime, because criminals don't usually obtain their guns through legal channels anyhow).
As for nailing companies that ship products that don't work as advertised, we already have a mature legal framework for dealing with such organizations. Of course, that's assuming the business is operating in a jurisdiction where you can actually prosecute them (many, many foreign scam operations operate from dubious locales).
I sympathize with your frustration at the situation; I deal with it every day myself. I operate several servers that filter tens of thousands of inbound SPAM pieces a day. I have to deal with constant attacks on those servers from botnets trying to turn them into SPAM-churning zombies. It's a monthly balancing act deciding which IP blocks to ban based on nasty activity, without losing revenue from pageviews from legitimate visitors. In other words, I'd like to feed spammers their balls through the wrong end of their anatomy, but your methods simply aren't workable options.