amazonaws.com?

Is it just us or does someone pWn *.amazonaws.com?

Every one of our mail servers is being slammed by I'm not sure what
but many thousands of user unknowns per hour (fortunately we handle
those pretty quickly but this is a deluge.)

All I know is "amazonaws.com" is "Amazon Web Services", not sure if
these particular systems should be sending email at all, the hostnames
look like:

ec2-67-202-36-134.compute-1.amazonaws.com
ec2-67-202-37-35.compute-1.amazonaws.com
ec2-67-202-37-38.compute-1.amazonaws.com
ec2-67-202-38-112.compute-1.amazonaws.com
ec2-67-202-39-87.compute-1.amazonaws.com
ec2-67-202-8-122.compute-1.amazonaws.com
ec2-72-44-37-77.compute-1.amazonaws.com
ec2-75-101-192-20.compute-1.amazonaws.com
ec2-75-101-202-130.compute-1.amazonaws.com
ec2-75-101-207-190.compute-1.amazonaws.com
ec2-75-101-210-120.compute-1.amazonaws.com
ec2-75-101-224-146.compute-1.amazonaws.com
ec2-75-101-227-187.compute-1.amazonaws.com
ec2-75-101-228-221.compute-1.amazonaws.com
ec2-75-101-229-15.compute-1.amazonaws.com
ec2-75-101-230-147.compute-1.amazonaws.com
ec2-75-101-234-192.compute-1.amazonaws.com
ec2-75-101-236-135.compute-1.amazonaws.com
ec2-75-101-238-69.compute-1.amazonaws.com
ec2-75-101-241-105.compute-1.amazonaws.com

Those don't look like mail servers but what do I know?

Anyhow, if there's anyone awake at Amazonaws.com, your hair is on
fire.

  -b

EC2 is a pay-per-cycle service, where you can run your work on their servers. Probably one of their clients. Try abuse@?

-Patrick

Patrick Clochesy wrote:

> EC2 is a pay-per-cycle service, where you can run your work on their
> servers. Probably one of their clients. Try abuse@?
>
> -Patrick
>
> > Is it just us or does someone pWn *.amazonaws.com?
> >
> > Every one of our mail servers is being slammed by I'm not sure what
> > but many thousands of user unknowns per hour (fortunately we handle
> > those pretty quickly but this is a deluge.)
> >
> > All I know is "amazonaws.com" is "Amazon Web Services", not sure if
> > these particular systems should be sending email at all, the hostnames
> > look like:

Send to abuse@amazon.com - amazonaws.com has no MX:

[cstone@csmdv ~]$ host -tmx amazonaws.com
amazonaws.com has no MX record

--
Chris Stone, MCSE
Vice President, CTO
AxisInternet, Inc.

DSL, dialup, hosting, email filtering, co-location, online backup
Phone: +1 303 592 2947 x302 (office) +1 303 570 6947 (cell)
-------------------------------------------------------------------------

It's a compute farm. Anyone can rent time on it. The processes
they run will be assigned to random machines in the farm, AIUI,
and will have full network access.

If you're seeing something more egregious than just deluges of spam
then ec2-abuse@amazon.com would likely be the right people
to talk to.

They've been contacted about it and, AIUI, state that the spam being sent
from there is not something they're going to take action on.

I suspect that taking the obvious preemptive action w.r.t. 67.202.0.0/18
is likely to be more effective than relying on their abuse staff.

Cheers,
   Steve

Why don't you just use Spamhaus PBL? That'd take care of email from
the EC2 cloud, dynamic IP ranges etc etc.

http://www.spamhaus.org/pbl/query/PBL181003

Ref: PBL181003

67.202.0.0/18 is listed on the Policy Block List (PBL)

Outbound Email Policy of The Spamhaus Project for this IP range:

This IP range has been identified by Spamhaus as not meeting our
policy for IPs which should deliver 'direct-to-mx' mail to PBL users.

You should not accept SMTP from the Amazon EC2 cloud at all. Amazon don't intend for anyone to use it as an email platform and tell their clients to use an external relay.

I'm sure this is good advice. But if an ISP used that as an excuse for not taking action, we'd hang them over hot coals. Is Amazon truly not policing the network for spammers?

not to excuse this, but... it's not a simple problem. The 'bad guy'
rolls up to the website, orders 200 machines for 20 mins under the
name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
job happens to create a bunch of email outbound. It could be a
legitimate email service outsourcing their compute/bw needs to AWS, it
could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
when the complaints roll in. :(

I suppose they could say: "no tcp/25 outbound from AWS computer
clusters", though that's probably a decent market in the real
email-deliver-services :( Also, truly bad folk will just move to using
proxies or other methods :(

-Chris.

> not to excuse this, but... it's not a simple problem. The 'bad guy'
> rolls up to the website, orders 200 machines for 20 mins under the
> name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
> job happens to create a bunch of email outbound. It could be a
> legitimate email service outsourcing their compute/bw needs to AWS, it
> could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
> when the complaints roll in. :(

Oh rubbish, it's a trivial problem.

You verify the payment method in advance and make it clear in the
agreement to use the resources that any of the following activities
(list, define...) will be billed at a steep rate (e.g., $100 per
spamming complaint) and make some reasonable effort to ensure you can
collect that, like do an authorize on their credit card (that's what
hotels do to reserve but not charge typically $1000 or whatever on
your card when you check in.)

It's trivial, using your systems to spam is a cost, make sure at the
very least you get paid for it.

This isn't hypothetical, I have done exactly this many times here and
billed customers who were crossing the line and generating too many
complaints (but not quite what I'd call egregious spamming, but maybe
harvesting addresses for their "newsletter" from specific chat groups
for example) $50 per complaint, and I've collected it, and it stopped,
either they paid it and cleaned up their act or they went away, good
riddance.

Anyone who builds a business model which allows for this sort of
massive fraud and criminality where a few common sense precautions
would prevent it is just transferring the costs of reasonable
precaution to others and courts should come to understand that sooner
than later.

Their business model is monetizing your time and efforts to accommodate
that abuse. The money is going right into their pockets by not having
to pay for employees to implement and execute an avoidance, detection,
and recovery plan, for starters.

Microsoft has made untold billions monetizing spam (by knowingly not
fixing their OS for over a decade) and others are figuring this out
and building new business models which profit on abuse enablement even
if indirectly (i.e., as a cost savings.)

They're laughing all the way to the bank as you get shook out of bed
with another 3AM emergency or stay over the weekend to upgrade your
newly purchased firewall capacity, etc etc etc.

Barry Shein wrote:

> not to excuse this, but... it's not a simple problem. The 'bad guy'
> rolls up to the website, orders 200 machines for 20 mins under the
> name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
> job happens to create a bunch of email outbound. It could be a
> legitimate email service outsourcing their compute/bw needs to AWS, it
> could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
> when the complaints roll in. :(
>
> Oh rubbish, it's a trivial problem.
>
> You verify the payment method in advance and make it clear in the
> agreement to use the resources that any of the following activities
> (list, define...) will be billed at a steep rate (e.g., $100 per
> spamming complaint) and make some reasonable effort to ensure you can
> collect that, like do an authorize on their credit card (that's what
> hotels do to reserve but not charge typically $1000 or whatever on
> your card when you check in.)
>
> It's trivial, using your systems to spam is a cost, make sure at the
> very least you get paid for it.

And 6 months later, a chargeback shows up because the cardholder claims their card was used fraudulently. The bank will most likely side with the cardholder if you challenge it. How can that loophole be closed?

~Seth

Since this comment applies equally to every single credit card payment
on the internet etc I suppose you've just proven that credit cards
can't possibly work and even Amazon itself is an
impossibility. Perhaps we can move on to why bumble bees can't fly?

Like I said, they have to verify who they're doing business with to
some reasonable degree matching the risk involved. Declining a
legitimate charge can be a criminal fraud.

Even when someone declines a charge it doesn't mean you can't collect
what you believe to be money legitimately owed you. You can hand it to
a collection agency if it's worthwhile. If not (e.g., you took a card
w/o any verification from someone in a country whose name you can't
even pronounce) OH WELL, you're a fool, or it better be part of your
cost of doing business.

Obviously an occasional successful fraud will happen, you can't make
the best the enemy of the good, but what a reasonable rather than
totally irresponsible policy does is discourage criminals
preventatively.

STICKING TO THE POINT OF THESE COMPUTING CLOUDS...

What is the dollar range of a typical charge for these services? Let's
not broaden the point to include every penny-ante transaction on the
internet.

There's a big difference between talking about credit card problems
with $20 charges which are hardly worth pursuing and thousands of
dollars.

Anyhow, it's not my problem to get them paid, it's my problem when
they're aiding and abetting criminals who harm me and my business.

If they're not even getting paid for that then they're just stupid and
deserve whatever happens to them.

You make it sound like I have to design a successful business model
for them in order to claim damages from their flawed model.

I don't think so.

The funny part is, the scam artists already know that "mismatch
between account holder's name and cc holder's name / address /
country" is one of the first and most elementary anti fraud checks.

So, if they steal a cc from Joe Sixpack of Bumfuck, Iowa, guess who
signs up to Amazon AWS for 200 VMs and 20 minutes worth of service?

--srs

Well, all I know is that they deliberately leave the compute cloud ranges in blacklists. I don't really like the idea of using DNS blacklists but they work. As I also said, you have many people's blessing to simply block the entire range as per their service terms they don't guarantee mail going out at all - blocking 25 entirely would be counter productive to allowing people to use an authenticated relay though unless they used the submission port.

It is entirely possible that the spammers do pay for the service genuinely though, since it's very cheap.

If I may be so bold as to summarize a few posts:

  It's ok to let spammers and other criminals use your systems (e.g.,
  compute clouds) to slam others just so long as you get yourself into
  the various blacklists.

But I thought (routed) bandwidth was the ISP's stock in trade? And
trust (e.g., whaddya think of people who hijack IP blocks?)

I don't think it's ok for someone to be slamming my bandwidth and
computrons, even at the firewall.

As was mentioned some of these clouds are looking at multiple 10gb
connections.

Just because I can fend off seeing their content at my end doesn't
mean I'm not being damaged. I have to keep up with their bandwidth and
firewall computron usage, and managing usage of the blacklists.

That's damages.

> > Since this comment applies equally to every single credit card payment on
> > the internet etc I suppose you've just proven that credit cards can't
> > possibly work and even Amazon itself is an impossibility. Perhaps we can
> > move on to why bumble bees can't fly?
>
> It's clear to me that people believe it is easy, cheap and inexpensive to
> prevent credit card fraud. You think this until you yourself run a small
> business, and an entire months profits go into the toilet because you
> missed someone who got through what you thought were thorough checks for
> fraud.

Hello, let me introduce myself to you. I'm Barry Shein, president of
The World, the oldest public access internet service provider on the
planet, since 1989 (see rfc 2235). We have always taken credit cards.

But thank you for the lecture on doing business with credit cards and
the potential pitfalls.

Anyhow, let me reiterate, making Amazon's business models work, or
ensuring that their customers can get the service they want when they
want it, is none of my concern.

What is my concern is if they're running their resources so
irresponsibly that it permits criminals to use them to damage my
business.

Personally I don't really care if their compute cloud service succeeds
or fails, except on general principles (I always like to wish people
well.)

But if their business model is designed so poorly that it enables
criminality to be directed at my business then, for me, that's a
problem.

So I'm not particularly interested in how hard it would be for Amazon
to make a buck on cloud services if they had to stop damaging
me. 'kay?

This thread started when I found my mail servers being pounded by
their cloud machines for a day or so.

It's since stopped, thank you, but a few here indicated, and I don't
know if they speak with any authority, that Amazon seems to believe
that so long as their cloud machines are in blacklists then they
shouldn't have to feel any responsibility to exercise any control over
them vis a vis spammers et al. It should just be up to the rest of us
to buy sufficient firewalls and bandwidth and staff to manage it all.

That sounds so outlandish that I am suspicious of its origin.

But others indicated "they're in the blacklists so what's your beef?"
and I responded that there's a problem with large computing resources
(their clouds) pounding on my mail servers even if we can dodge seeing
the content with blacklist entries.

> > Declining a legitimate charge can be a criminal fraud.
>
> What world do you live in? I can decline to take anyone's money and
> decline to provide them service, for any reason. If I don't like your

I'm sorry, you're having trouble with the English language, let me
help you out here:

  That comment was in response to a reference to a credit card
  customer declining a legitimate charge for goods and/or services
  s/he received.

  Ya know, you buy a laptop over the net on a credit card, the laptop
  comes, and then you try to decline the charge? Got it?

That can be a criminal fraud.

Whatever the relevance that's what that comment was referring to.

> tone, I don't take your money, you don't get my service. Criminal fraud,
> ha. Where exactly do you live? Maybe I assume too much, because in the
> US, I get to decide whose money I take.

(key in twilight zone music)

You've been hurt before, haven't you? (whoo boy, angry man alert...)

You are speaking a bit hyperbolically and that is not what anyone believes or feels.

Much like any large datacenter or hosting provider it is not feasible to police every packet in and out of the network, I assume "The World" has lots of experience with super-scale networks so I'll limit my "lecturing" on the subject.

Regardless, like any large datacenter or hosting provider they can only respond to complaints when they get them, and they do, and they respond (unless you have evidence to suggest the contrary). As a corollary to this I was simply noting that their terms do not include the ability to SMTP at all and as such the ranges are left in any blacklists they might fall into. You are also free to block them for SMTP on your own kit given this directive. Blocking at RCPT time or even before limits any bandwidth usage from spam to negligible amounts in most cases.

The consequences of blocking TCP/25 as an upstream though is much worse since customers frown on upstream port filtering and it makes SMTP impossible for everything except those which accept the submission port. Many people may still have numerous valid reasons for using port 25 to talk to their own kit somewhere else.
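As an added example (not code from any poster in this thread), here are the two defensive checks discussed above, a local block on 67.202.0.0/18 and a Spamhaus ZEN/PBL lookup, applied at connect/RCPT time to reverse-DNS names of the kind quoted at the top of the thread. The DNSBL answer is passed in as a parameter so the example runs offline; the non-EC2 hostname is constructed.

```python
import ipaddress
import re

# Spamhaus ZEN return codes: which sub-list produced the hit.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Range proposed in the thread for a local block; a list so more can be added.
BLOCKED_RANGES = [ipaddress.ip_network("67.202.0.0/18")]

# Shape of the EC2 reverse-DNS names quoted in the thread: ec2-A-B-C-D.<region>.amazonaws.com
EC2_RDNS = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z0-9.-]+\.amazonaws\.com$")


def ip_from_ec2_rdns(hostname):
    """Recover the client IP embedded in an EC2 reverse-DNS name, or None."""
    m = EC2_RDNS.match(hostname.strip().lower())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def in_blocked_range(ip):
    return any(ip in net for net in BLOCKED_RANGES)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name to resolve for a DNSBL check: octets reversed, zone appended."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify_dnsbl_answer(answer):
    """Map the A record returned for the query name to a list name; None if not listed."""
    return ZEN_CODES.get(answer)


def decide(hostname, dnsbl_answer=None):
    """Return (action, reason) before any DATA is accepted.
    dnsbl_answer is the A record resolved for dnsbl_query_name(ip), or None on NXDOMAIN."""
    ip = ip_from_ec2_rdns(hostname)
    if ip is None:
        return ("accept", "not an EC2 reverse-DNS name; other checks apply")
    if in_blocked_range(ip):  # cheapest check first, no DNS traffic needed
        return ("reject", f"{ip} in locally blocked range")
    listing = classify_dnsbl_answer(dnsbl_answer) if dnsbl_answer else None
    if listing:
        return ("reject", f"{ip} listed in Spamhaus {listing}")
    return ("accept", f"{ip} not in blocked range and not listed")


if __name__ == "__main__":
    for name in ["ec2-67-202-36-134.compute-1.amazonaws.com",
                 "ec2-75-101-192-20.compute-1.amazonaws.com",
                 "mail.example.net"]:  # last name is constructed
        print(name, decide(name))
```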

Requiring accounts have more time active with charges on the same credit
card than the length of the chargeback window before they can transmit on
25, or be filled by wire transfer if someone is in a huge hurry would
certainly do the trick. Yes, some business would be lost, but probably not
much.

> Much like any large datacenter or hosting provider it is not feasible to
> police every packet in and out of the network, I assume "The World" has lots

Not a question of packet policing as much as having sufficient
controls in place to get rid of card fraud, regular audits etc .. and
THEN looking for obvious signs of abuse, proactively (inbound and
outbound traffic flow analysis, passive dns checks and a whole host of
other things that are possible).

The second thing is, of course, having an active abuse desk, but by
the time an abuse desk gets around to reading and responding to the
complaint, the damage is done (1 business day is a very good
turnaround indeed, at shops rather larger than world.std.com).

> (unless you have evidence to suggest the contrary). As a corollary to this I
> was simply noting that their terms do not include the ability to SMTP at all
> and as such the ranges are left in any blacklists they might fall into. You

With respect, in such cases, amazon is better off firewalling outbound
port 25 (or indeed, outbound anything at all) for accounts that don't
specifically ask for it. Quite a lot of EC2 compute time is for
number crunching and such - not just hosting, or email, or ..

srs

That's not actually true, the trend is towards thumbnail generation and video encoding dispatch for sites that use it, this requires getting the information back to storage. Mail processing would be an entirely valid use of this as well - you could for instance offload your own mail to EC2 instances for virus scanning and Bayesian spam filtering.

Either way, limiting of ports is a direct and undeniable limiting of the capability of the product. A staggeringly large amount of my spam comes from DSL lines in Eastern Europe and such places, and yet for some reason I don't see anyone here asserting that DSL lines should only be used for POP, IMAP and WWW and to talk to your ISP's SMTP relay. That's because it's a stupid move. It doesn't matter what EC2 or any service is used for, it's sold as having an IP connection, not IP minus whatever TCP ports NANOG people dictate based on their beliefs about how you should do business or how customers should use it.

I agree with abuse reports and active abuse desks but please, don't for one second expect me to believe you side with the idea that upstream providers and hosts should randomly firewall ports - since 90% of the time, as history has shown me, they screw it up.

I didn't actually, Bonomi did .. but going on ..

> Quite a lot of EC2 compute time is for
> number crunching and such - not just hosting, or email, or ..

> That's not actually true, the trend is towards thumbnail generation and
> video encoding dispatch for sites that use it, this requires getting the

[yes, that's right - twitter seems to be using it for example]

> Either way, limiting of ports is a direct and undeniable limiting of the
> capability of the product. A staggeringly large amount of my spam comes from
> DSL lines in Eastern Europe and such places, and yet for some reason I don't

You're at odds with a lot of best practice there. This one for
example - http://www.maawg.org/port25

> I agree with abuse reports and active abuse desks but please, don't for one
> second expect me to believe you side with the idea that upstream providers
> and hosts should randomly firewall ports - since 90% of the time, as history
> has shown me, they screw it up.

I am sure that all the nanog regulars here who are / have been the
guys with enable on tier 1 networks routers (and run huge dialup/dsl
pools) will agree with that (!)

Port firewalling, especially port 25 firewalling, isn't - or rather
shouldn't be - random. There are enough cookbook configs to just
blanket block port 25, and far more advanced configs (ask Chris Morrow
sometime about huge uunet dialup pools with radius filters to punch
holes for port 25 connectivity to different ISP smarthosts etc etc)

--srs