Amazon Bulk-Email Service Could Lure Spammers

snydeq writes "Amazon Simple Email Service and Amazon Web Services look to be a potent combination for businesses and developers, no matter which side of the law they're on, InfoWorld reports. The newly announced bulk email service, which will enable Amazon customers to send 100 emails for a penny, could prove enticing to those seeking a cheap way to bombard inboxes with spam, malware, and phishing lures. Amazon claims its in-house content filtering technology should assuage anyone thinking SES will be used by scammers. 'Those assurances aren't entirely heartening, though, unless Amazon is way ahead of the curve with content-filtering technology. Email services and software vendors have tried for years to keep spam and other unwanted messages from showing up in users' viewing pane, but the crud keeps slipping through.'"

Are there any spam-filters for end users?

[h00manist]

Or does anything decent really have to run on a server?

Re:Are there any spam-filters for end users?

[jimmyhat3939]

There was an open-source project called SAProxy at one point which would put SpamAssassin on your desktop. Not sure what happened to it. It was integrated into a great email client I used to use called Bloomba.

Just don't you dare...

[colinnwn]

Amazon's content filtering may be on-par with the industry. But if any customer has the temerity to forward Wikileaks docs through their bulk email service, I bet we'll find out that their "spam" filter is better than we thought.

Unhappy interpretation

[plover]

When I read that Amazon was going to "Lure Spammers" I was hoping they meant "into pit traps, filled with tigers."

Boy, was I disappointed.

They have provisions....

[bradgoodman]

In their docs, they mentioned something about working with other Major ISPs. From what they indicated, other ISPs (Google, Yahoo, AOL, etc) track metrics on emails - people who click them as "spam", "objectional", etc. These ISPs forward this information back to Amazon. If they detect that someone is sending out mail which is being flagged as objectional by too many users, they can shut you down.

Re:Whoa!

[morgan_greywolf]

By definition, isn't this spam?

Not necessarily. I think Amazon is marketing this technology mostly for bacn usage.

Amazon can terminate spam accounts

[arevos]

Those assurances aren't entirely heartening, though, unless Amazon is way ahead of the curve with content-filtering technology.

Amazon has the spammer's credit card details, knows where each email comes from, and can freeze or terminate accounts at the touch of a button (or via an algorithm). This gives it a considerable advantage over those that have to passively filter spam.

And in any case, spam filters are pretty damn good these days. I've had a public email address for going on 15 years, which used to get hundreds of spam emails every day. Now it's very rare for even one to slip past GMail's filter.

Re:Amazon can terminate spam accounts

[Zebai]

Very likely the sending isn't immediate either for larger bulk operations. I wouldn't be surprised if an order for 25,000 emails would appear on someones report list for investigation. It would not take a great deal of time to find out if an email was a piece of spam designed to get past normal filters as they tend to be unusual looking emails and if it wasn't designed to get past normal filters than amazons own normal filters would catch it. They can also be sure that every single email is labeled with the correct sender and that the emails follow rules for unsubscribe links and such.

100 emails for a penny

[John+Hasler]

Why would any spammer pay that much when they can rent a botnet?

Re:100 emails for a penny

If they're using a stolen credit card, they don't have to worry much about payment.

You're not thinking.

[postbigbang]

Spamazon.

Spammers cannot afford $0.10 per 1000 emails

[TimFreeman]

The response rate for spam is very low (1 in 12.5 million according to http://www.techradar.com/news/computing/spammers-get-1-response-to-12-500-000-emails-483381?src=rss&attr=all), so a spammer would have to pay 12.5M / 1K * $0.10 = $1,250 to get a response by paying Amazon to send emails. Multiple responses will be required to make a sale. If they can't make $1,250 of profit per response, they can't make money by using Amazon to send their spam.

Re:Spammers cannot afford $0.10 per 1000 emails

[tlhIngan]

The response rate for spam is very low (1 in 12.5 million according to http://www.techradar.com/news/computing/spammers-get-1-response-to-12-500-000-emails-483381?src=rss&attr=all), so a spammer would have to pay 12.5M / 1K * $0.10 = $1,250 to get a response by paying Amazon to send emails. Multiple responses will be required to make a sale. If they can't make $1,250 of profit per response, they can't make money by using Amazon to send their spam.

Actually, that would be the business doing the spamming.

Amazon in this case is doing what spammers do - sells email services on a per-email basis. Most spammers get payment to spam N million people, and they don't really care if 99.9999% of them are filtered out by the time it's received - they've gotten their $100 or whatever they've charged. It's the business wanting the spamming service that has to make up the $100 on the remaining few.

That's why spammers make so much money - they just have to send email and not guarantee results. And the business that paid $100 to get $12 worth of business? Well, he may never hire a spammer again, but there's another business "genius" wanting marketing services at his door.

It's also why most spam is virus laden crap - that's far more profitable than trying to sell product.

Google gets it right

[rudy_wayne]

Email services and software vendors have tried for years to keep spam and other unwanted messages from showing up in users' viewing pane, but the crud keeps slipping through.

The company I work for used to use a company called Postini for spam filtering. They are now owned by Google. They do a really fantastic job of spam filtering. Over the past several years, with my employer and with GMail, zero spam has gotten thru and the number of false positives have been about 1 every few months (and even then it was never anything important).

Re:Google gets it right

[yakatz]

I can add that this is not a one-of-a-kind result. We have used postini for years and had the same great effects.

Re:Google gets it right

[John+Hasler]

A few years back CenturyTel started pushing all my email through Postini without any notice. As a direct result I quit using that account. During the first three days the filtering was in effect it passed 50% of the spam and stopped half a dozen valid messages.
They provided no way to turn it off completely: just a couple of "aggressiveness" settings.

Re:first spam!

early 30s, stocky male with a goatee, Holland, Michigan.

Re:Whoa!

[h00manist]

I think it's controlled, so won't pose a problem. Besides it's way too costly for real spammers, who send millions of emails.

Amazon Cloud network ranges to blacklist

[Arrogant-Bastard]

Several of these have already been emitting spam for a while; whatever Amazon's doing (presuming that they're actually doing ANYTHING beyond having their spokespeople lie about it) isn't working.

50.16.0.0/14
67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
174.129.0.0/16
184.72.0.0/15
204.236.128.0/17
216.182.224.0/20

Mail from these ranges should probably be refused, or, at minimum, subjected to heightened scrutiny.

Re:Amazon Cloud network ranges to blacklist

[fuzzyfuzzyfungus]

I suspect that there are two different things at work here:

Amazon already sells, through "EC2", fairly cheap linux VM instances(possibly windows now, as well). It doesn't take a rocket surgeon to set up a stock linux server VM as a spam system(or, if you aren't exactly a rocket surgeon yourself, have your instance rooted and turned into a spam system for you...)

Amazon has, beyond the boilerplate "if you do wicked things, that would be against our TOS and stuff", never promised any sort of filtering of what goes on in EC2 instances.

There new service, on the other hand, is specifically email delivery, and they do promise that they will avoid delivering spam. Since the service hasn't properly hit the wild yet, we don't really know if they are lying about it or not.

Re:Amazon Cloud network ranges to blacklist

[gravyface]

Sigh. Blacklist Nazis. I just put up three new EC2 instances tonight for my clients: one's running a maintenance tracker Website for a construction firm, the other's for a realtor, and the third is for a recruiting firm. . All of them send out email now using Postini's smarthosts to send mail but I'll definitely be looking into this new Amazon service as an alternative. However, If everyone blacklisted like you do, my legitimate (and very much wanted) email notifications would never get through.

Re:Amazon Cloud network ranges to blacklist

[gravyface]

EVERYBODY sells cheap Linux instances and it's not going to stop, but what I suspect is that Amazon will eventually restrict outgoing SMTP traffic to only the Simple Email Service hosts (much like ISPs do) in order to funnel/filter spam before it leaves their network.

Re:Sending emails is cheap

[icebraining]

Your post advocates a

( ) technical (x) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if ph

Please explain, I don't get it

[Opportunist]

First and foremost, why should I sign up for this "service"? Last time I checked I can send out mail quite fine, without paying anyone for it. Now, I rarely send out millions of mails, but a few thousands (for a opt-in newsletter, in case you're concerned) work just fine in a matter of seconds.

And second, why should I assume that any of these mails will actually reach their targets? Any mail admin worth his salt (and every filter provider) will have the relevant addresses SO fast on his block list that you can't even use it the second day of its existence sensibly anymore.

You want good outbound email?

[rjbrown99]

All I have to say is http://www.authsmtp.com./

I have no relationship to them other than a happy customer, but it took me WEEKS of effort to find a good mail relay from the cloud that could hit the inbox of all of the major e-mail providers (Gmail, Hotmail, Yahoo, etc.) They do it every time and for very little.

Re:Sending emails is cheap

[icebraining]

It appears in almost every spam-related story,

http://www.google.com/search?q=%22Your+post+advocates+a%22+site%3Aslashdot.org: 735 results.