Amazon Bulk-Email Service Could Lure Spammers

snydeq writes "Amazon Simple Email Service and Amazon Web Services look to be a potent combination for businesses and developers, no matter which side of the law they're on, InfoWorld reports. The newly announced bulk email service, which will enable Amazon customers to send 100 emails for a penny, could prove enticing to those seeking a cheap way to bombard inboxes with spam, malware, and phishing lures. Amazon claims its in-house content filtering technology should assuage anyone thinking SES will be used by scammers. 'Those assurances aren't entirely heartening, though, unless Amazon is way ahead of the curve with content-filtering technology. Email services and software vendors have tried for years to keep spam and other unwanted messages from showing up in users' viewing pane, but the crud keeps slipping through.'"

Re:first spam!

[Larry+The+Black+Fag]

a/s/l?

Are there any spam-filters for end users?

[h00manist]

Or does anything decent really have to run on a server?

Re:Are there any spam-filters for end users?

[jimmyhat3939]

There was an open-source project called SAProxy at one point which would put SpamAssassin on your desktop. Not sure what happened to it. It was integrated into a great email client I used to use called Bloomba.

Re:Are there any spam-filters for end users?

[John+Hasler]

Spamassassin works fine here.

Re:Are there any spam-filters for end users?

[morgan_greywolf]

Thunderbird's spam filtering isn't horrible; it's based on the same ideas as SpamAssassin, but can be easily hand-tuned. In addition, on a Linux desktop, you could always setup SpamAssassin with procmail, but this implies that your end-users actually understand things like procmail. ;)

Personally, I use dovecot+postfix+spamassassin on my home e-mail server and fetchmail to grab mail from remote servers such as my gmail account and then use Thunderbird's junk mail filters to filter out anything SpamAssassin misses.

Re:Are there any spam-filters for end users?

[networkzombie]

I get no satisfaction filtering the email after it has been delivered. I go out of my way to run spam assassin and a dozen other methods to end the session before it gets delivered. I know they don't get the message that I won't be spammed, but it makes me feel good when I see that 500 or 554 rather than giving them a friendly 250.

Just don't you dare...

[colinnwn]

Amazon's content filtering may be on-par with the industry. But if any customer has the temerity to forward Wikileaks docs through their bulk email service, I bet we'll find out that their "spam" filter is better than we thought.

Unhappy interpretation

[plover]

When I read that Amazon was going to "Lure Spammers" I was hoping they meant "into pit traps, filled with tigers."

Boy, was I disappointed.

They have provisions....

[bradgoodman]

In their docs, they mentioned something about working with other Major ISPs. From what they indicated, other ISPs (Google, Yahoo, AOL, etc) track metrics on emails - people who click them as "spam", "objectional", etc. These ISPs forward this information back to Amazon. If they detect that someone is sending out mail which is being flagged as objectional by too many users, they can shut you down.

Re:They have provisions....

[Cylix]

There are also other white list approaches I've seen as well.

A similar service operates on an opt in approach in which you must respond back to the opt-in request for the bulk mailers. Once you are verified on the list of approved senders the email relay service will allow your address to be filtered by that particular opt in list.

It's very much a major-domo like service for spam, but applied more to an entity rather then a particular list. (Say concept and objects, but a slight twist). I wouldn't be too surprised if this wasn't the same fashion. A lot of their simple services are just massively scaled services we geeks have been accustomed to setting up on our and operating without pretty GUI's.

I suspect the working with ISP's is in regard to the spam filter methods. ie, in a co-operating system google will suggest sending an unsubscribe in place of an actual spam block approach. This irks me to a degree because I never opted in and I don't want them to get a free ride.

Re:They have provisions....

[hardwarefreak]

That's called a feedback loop, or FBL. These have been around a long time. Most ISPs and gorilla mailers have been using them for many years. They aren't a magic bullet against spam--far from it. An FBL is simply analogous to walking over to your neighbor's house and telling him his son just threw a rock through your window. The dad isn't able to keep tabs on his kid all the time. Same with an ISP, freemailer, or in this case, Amazon. The FBL is simply an extra set of eyes and ears.

Re:Whoa!

[morgan_greywolf]

By definition, isn't this spam?

Not necessarily. I think Amazon is marketing this technology mostly for bacn usage.

That is COMPLETE bullshit!

Making money and gaining prestige too often drive business decisions and are the enemy of "doing the right thing."

Why should businesses be interested in doing the right thing? Small businesses can develop a strong competitive advantage by deliberately focusing on ethics. They can earn repeat business and a good reputation. In addition, business ethics are important because, without them, three behaviors result:

# People follow their own preferences without concern for others.

# Individuals lose their sense of purpose and fall victim to the motives of others.

# Most importantly, people cannot set the right priorities for dealing with daily demands and stresses.

Amazon can terminate spam accounts

[arevos]

Those assurances aren't entirely heartening, though, unless Amazon is way ahead of the curve with content-filtering technology.

Amazon has the spammer's credit card details, knows where each email comes from, and can freeze or terminate accounts at the touch of a button (or via an algorithm). This gives it a considerable advantage over those that have to passively filter spam.

And in any case, spam filters are pretty damn good these days. I've had a public email address for going on 15 years, which used to get hundreds of spam emails every day. Now it's very rare for even one to slip past GMail's filter.

Re:Amazon can terminate spam accounts

[Zebai]

Very likely the sending isn't immediate either for larger bulk operations. I wouldn't be surprised if an order for 25,000 emails would appear on someones report list for investigation. It would not take a great deal of time to find out if an email was a piece of spam designed to get past normal filters as they tend to be unusual looking emails and if it wasn't designed to get past normal filters than amazons own normal filters would catch it. They can also be sure that every single email is labeled with the correct sender and that the emails follow rules for unsubscribe links and such.

Re:Amazon can terminate spam accounts

25,000 emails will cost $2.50 to send. Do you really think Amazon are going to put a human investigator on every $2.50 order?

Re:Amazon can terminate spam accounts

Cool, you have an anonymous VCC purchased from a reseller in Afghanistan and you have the anonymous proxy IP I've paid for using an anonymous foreign Paypal account. Problem?

100 emails for a penny

[John+Hasler]

Why would any spammer pay that much when they can rent a botnet?

Re:100 emails for a penny

If they're using a stolen credit card, they don't have to worry much about payment.

You're not thinking.

[postbigbang]

Spamazon.

Anti-Spammer techniques in SES

[mysidia]

I think this unattractive to true spammers due to the $0.01 per hundred messages charge, and they'll just be terminated anyways. The real spammers send millions of messages a day, most of them to invalid recipients that never get anywhere.

Most spam abuse of SES is likely to come from the uninformed, or misguided newbies.

As described on amazon's site

:

• When you first register, you'll have access to the SES "sandbox" where you can send email only to addresses that you have verified. The verification process sends a confirmation email to the address to be verified; the recipient must click on a link embedded in the email in order to verify the address. You must also verify the email address (or addresses) that will be used to send messages.
• At this point, with verified addresses in hand, you can send up to 200 messages per day, at a maximum rate of 1 message per second.
• Once your application is up and running, the next step is to request production access using the SES Production Access Request Form. We'll review your request and generally contact you within 24 hours.
• Once granted production access, you will no longer have to verify the destination addresses and you'll be able to send email to any address. ... SES will begin to increase your daily sending quota and your maximum send rate based on a number of factors including the amount of email that you send, the number of rejections and bounces that occur, and the number of complaints that it generates. This will occur gradually over time as your activities provide evidence that you are using SES in a responsible manner.
• Newly verified production accounts can send up to 1,000 emails every 24 hours.

Spammers cannot afford $0.10 per 1000 emails

[TimFreeman]

The response rate for spam is very low (1 in 12.5 million according to http://www.techradar.com/news/computing/spammers-get-1-response-to-12-500-000-emails-483381?src=rss&attr=all), so a spammer would have to pay 12.5M / 1K * $0.10 = $1,250 to get a response by paying Amazon to send emails. Multiple responses will be required to make a sale. If they can't make $1,250 of profit per response, they can't make money by using Amazon to send their spam.

Re:Spammers cannot afford $0.10 per 1000 emails

[Cylix]

An old manager of mine was one such person though.

He would often site the great deals he would get through spam. I would often explain that while he might think it is a great deal he is really making the world a worst place for the rest of us by encouraging this behavior. (Of course he didn't really care)

Naturally, he was also suckered into losing a thousand or so dollars on more then one questionable deal. (To which I advised him not to dare do it)

Re:Spammers cannot afford $0.10 per 1000 emails

[tlhIngan]

The response rate for spam is very low (1 in 12.5 million according to http://www.techradar.com/news/computing/spammers-get-1-response-to-12-500-000-emails-483381?src=rss&attr=all), so a spammer would have to pay 12.5M / 1K * $0.10 = $1,250 to get a response by paying Amazon to send emails. Multiple responses will be required to make a sale. If they can't make $1,250 of profit per response, they can't make money by using Amazon to send their spam.

Actually, that would be the business doing the spamming.

Amazon in this case is doing what spammers do - sells email services on a per-email basis. Most spammers get payment to spam N million people, and they don't really care if 99.9999% of them are filtered out by the time it's received - they've gotten their $100 or whatever they've charged. It's the business wanting the spamming service that has to make up the $100 on the remaining few.

That's why spammers make so much money - they just have to send email and not guarantee results. And the business that paid $100 to get $12 worth of business? Well, he may never hire a spammer again, but there's another business "genius" wanting marketing services at his door.

It's also why most spam is virus laden crap - that's far more profitable than trying to sell product.

Re:Spammers cannot afford $0.10 per 1000 emails

[Neil+Boekend]

Someone should start selling chemical castrations as Viagra via spam. This will increase the average intelligence over time.

Google gets it right

[rudy_wayne]

Email services and software vendors have tried for years to keep spam and other unwanted messages from showing up in users' viewing pane, but the crud keeps slipping through.

The company I work for used to use a company called Postini for spam filtering. They are now owned by Google. They do a really fantastic job of spam filtering. Over the past several years, with my employer and with GMail, zero spam has gotten thru and the number of false positives have been about 1 every few months (and even then it was never anything important).

Re:Google gets it right

[yakatz]

I can add that this is not a one-of-a-kind result. We have used postini for years and had the same great effects.

Re:Google gets it right

[John+Hasler]

A few years back CenturyTel started pushing all my email through Postini without any notice. As a direct result I quit using that account. During the first three days the filtering was in effect it passed 50% of the spam and stopped half a dozen valid messages.
They provided no way to turn it off completely: just a couple of "aggressiveness" settings.

Re:first spam!

early 30s, stocky male with a goatee, Holland, Michigan.

Re:Whoa!

[h00manist]

I think it's controlled, so won't pose a problem. Besides it's way too costly for real spammers, who send millions of emails.

Amazon Cloud network ranges to blacklist

[Arrogant-Bastard]

Several of these have already been emitting spam for a while; whatever Amazon's doing (presuming that they're actually doing ANYTHING beyond having their spokespeople lie about it) isn't working.

50.16.0.0/14
67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
174.129.0.0/16
184.72.0.0/15
204.236.128.0/17
216.182.224.0/20

Mail from these ranges should probably be refused, or, at minimum, subjected to heightened scrutiny.

Re:Amazon Cloud network ranges to blacklist

[fuzzyfuzzyfungus]

I suspect that there are two different things at work here:

Amazon already sells, through "EC2", fairly cheap linux VM instances(possibly windows now, as well). It doesn't take a rocket surgeon to set up a stock linux server VM as a spam system(or, if you aren't exactly a rocket surgeon yourself, have your instance rooted and turned into a spam system for you...)

Amazon has, beyond the boilerplate "if you do wicked things, that would be against our TOS and stuff", never promised any sort of filtering of what goes on in EC2 instances.

There new service, on the other hand, is specifically email delivery, and they do promise that they will avoid delivering spam. Since the service hasn't properly hit the wild yet, we don't really know if they are lying about it or not.

Re:Amazon Cloud network ranges to blacklist

[gravyface]

Sigh. Blacklist Nazis. I just put up three new EC2 instances tonight for my clients: one's running a maintenance tracker Website for a construction firm, the other's for a realtor, and the third is for a recruiting firm. . All of them send out email now using Postini's smarthosts to send mail but I'll definitely be looking into this new Amazon service as an alternative. However, If everyone blacklisted like you do, my legitimate (and very much wanted) email notifications would never get through.

Re:Amazon Cloud network ranges to blacklist

[gravyface]

EVERYBODY sells cheap Linux instances and it's not going to stop, but what I suspect is that Amazon will eventually restrict outgoing SMTP traffic to only the Simple Email Service hosts (much like ISPs do) in order to funnel/filter spam before it leaves their network.

POPFile

[PhrostyMcByte]

POPFile classifies email. Not just spam and not-spam, either, but into any number of categories you choose (personal, business, etc.). The more email you feed it, the better it gets at automatically classifying it.

Re:Sending emails is cheap

[icebraining]

Your post advocates a

( ) technical (x) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if ph

Re:100 for a penny?

[icebraining]

Many home addresses have dynamic IPs, which are banned by Spamhaus' PBL. I know it, because I've had some emails bouncing because of it. I'm now looking for a cheap MTA I can use, since my ISP doesn't provide any service for home users.

Please explain, I don't get it

[Opportunist]

First and foremost, why should I sign up for this "service"? Last time I checked I can send out mail quite fine, without paying anyone for it. Now, I rarely send out millions of mails, but a few thousands (for a opt-in newsletter, in case you're concerned) work just fine in a matter of seconds.

And second, why should I assume that any of these mails will actually reach their targets? Any mail admin worth his salt (and every filter provider) will have the relevant addresses SO fast on his block list that you can't even use it the second day of its existence sensibly anymore.

Re:Please explain, I don't get it

[Opportunist]

Ok, but then who but companies needs a bulk e-mail service reaching thousands/millions of people? And I'd assume that companies that have a need for this already have a mail server and a corresponding admin in place.

Re:Sending emails is cheap

[guyminuslife]

I'm bookmarking your source, maybe it's a meme but I've never seen it before.

Good,

[Stan92057]

Good,spam from amazon should be easy to block since they wont be using a botnet to send it. I hope lol. Which raises another question how will amazon guarantee there spam will land in mail box's?

Re:Whoa!

[the_womble]

There are a number of services like this such as Mail Grid, Elastic Email and Postmark. I have not heard that an of them are responsible for huge volumes of spam.

Of course, Amazon getting into the business is not good news for any of them.

You want good outbound email?

[rjbrown99]

All I have to say is http://www.authsmtp.com./

I have no relationship to them other than a happy customer, but it took me WEEKS of effort to find a good mail relay from the cloud that could hit the inbox of all of the major e-mail providers (Gmail, Hotmail, Yahoo, etc.) They do it every time and for very little.

Cost

[Bert64]

It's unlikely spammers would want to pay a penny per 100 mails, when they can use compromised boxes to send thousands for free...
Spam has a very low hit rate, if you send out a million mails maybe a small handful of them will achieve the desired result, the rest will either be ignored, bounce, or get deleted by filters.

It must be authorized first...

[MunkieLife]

From their website:
http://aws.amazon.com/ses/#functionality

"Verify Email Addresses: Before you can send email via Amazon SES, you need to verify that you own the email address from which you’ll be sending email. To verify an email address, make an API call with the email address as a parameter. This API call will trigger a verification email, which will contain a link that you can click on to complete the verification process."

So, what's all this talk about Amazon needing great content filters etc? Sounds to me if anyone is getting an email through this service, they approved it and they can unsubscribe anytime. Am I missing something?

Re:It must be authorized first...

[MunkieLife]

Ok, sorry, I guess I just misunderstood it. They are only asking to verify the account you're sending from. Whoops.

Re:Whoa!

[Ash-Fox]

Uh, you have to verify whether or not want to accept mail from SES to begin with, I don't really think spammers are going to get far with using it as a spamming platform.

Re:Sending emails is cheap

[icebraining]

It appears in almost every spam-related story,

http://www.google.com/search?q=%22Your+post+advocates+a%22+site%3Aslashdot.org: 735 results.

Still all the same

[Drakkenmensch]

Doesn't matter if my viagra emails come from a hacked chinese botnet or an amazon approved paying customer - I still don't want that garbage in my inbox.

Re:Whoa!

[salesgeek]

Not really. Maintaining infrastructure for sending out invoices and statements can be expensive. Amazon's pricing is fantastic compared to maintaining your own email server and admin to deal with inevitable spam complaints and Comcast blacklisting.

So they wait until people complain, is that right?

[Linuxmagic]

What ever happened to being responsible for what leaves your network? Recipients, and even email operators often simply give up reporting abuse, as traditionally the success of reporting to abuse departments has been very low. And isn't this a little like closing the barn door after the cow is gone? A simple stolen credit card, and 24 hours head start, boy are we in trouble with that kind of power. And the idea of 'opt-in' or 'permission' based according to current anti spam legislation is so loose, and untraceable that it is laughable. Pity the legitimate users who wish to use EC2 for email, won't take before the only way for users to protect themselves will be to block the source. The email marketers are shooting themselves in the foot, and this sets the stage for some nice legal action. The idea of the sanctity of a users mailbox will have to prevail, and hopefully it will happen before people resort to radical solutions like 'blacklist unknown senders' or stop using email for communication. Just like you have the right to decide who can enter your home, you can decide who can send to your email box, but when it reaches abusive levels from a single source, this has always resulted in drastic measures. At least we hope they force a header 'X-EC2-BULK-EMAIL' ;)