@lbutlr wrote:
I've had the following in my fqrdns.pcre checks for quite a while:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com)

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes). Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged). Am I right in blocking these connections? Is there any reason for an aws server to be sending mail directly that I am overlooking?
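The following is an added example, not code from the original post: it reproduces the fqrdns.pcre entry above as a small first-match-wins lookup (the semantics Postfix uses for pcre tables) and runs it over a handful of constructed reverse-DNS names, so you can see which client hostnames the pattern rejects and which it lets through. It also goes one step beyond the post: the entry as written only matches the "compute-N" form of EC2 reverse names, so a second, assumed entry covers the regional "REGION.compute.amazonaws.com" form. The hostnames in SAMPLES are constructed for the demonstration.

```python
import re

REJECT_ACTION = 'REJECT Generic - Please relay via ISP (amazonaws.com)'

# The entry from the post, as a (compiled pattern, action) pair.
# Postfix pcre tables are searched top to bottom and the first match wins,
# which is what lookup() below mimics.
FQRDNS_PCRE = [
    (re.compile(r'^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$'),
     REJECT_ACTION),
]

# Assumed extension (not part of the original post): EC2 instances outside the
# "compute-N" naming get reverse names like ec2-A-B-C-D.<region>.compute.amazonaws.com.
# This extra entry catches that form; the region label shape is an assumption.
FQRDNS_PCRE_EXTENDED = FQRDNS_PCRE + [
    (re.compile(r'^ec2(-[12]?[0-9]{1,2}){4}\.[a-z]{2}-[a-z]+-[0-9]\.compute\.amazonaws\.com$'),
     REJECT_ACTION),
]


def lookup(table, hostname):
    """Return the action of the first entry whose pattern matches, or None."""
    for pattern, action in table:
        if pattern.search(hostname):
            return action
    return None


def classify(table, hostnames):
    """Map each hostname to the table's verdict (action string or None)."""
    return {host: lookup(table, host) for host in hostnames}


# Constructed sample reverse-DNS names of connecting clients.
SAMPLES = [
    'ec2-54-12-34-56.compute-1.amazonaws.com',          # classic us-east-1 style name
    'ec2-3-8-255-1.compute-1.amazonaws.com',            # short and three-digit octets
    'ec2-52-16-0-0.eu-west-1.compute.amazonaws.com',    # regional form: original entry misses it
    'ec2-54-12-34-56.compute-1.amazonaws.com.example.net',  # anchored '$' keeps this unmatched
    'mail.example.net',                                 # ordinary MTA, should pass
]

if __name__ == '__main__':
    for table_name, table in (('original', FQRDNS_PCRE), ('extended', FQRDNS_PCRE_EXTENDED)):
        print(f'--- {table_name} table ---')
        for host, verdict in classify(table, SAMPLES).items():
            print(f'{host:55s} {verdict or "OK (no match)"}')
```

In Postfix this kind of table is consulted from smtpd restrictions through a lookup such as check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre; running the pattern through a script like this first is a cheap way to confirm what it does and does not cover before it sits in the live restriction list.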
IMO this *should* be absolutely completely 100% correct and safe. (Also IMO, Amazon should actively block outbound direct-to-MX connections from these IP ranges in much the same way most ISPs block direct-to-MX mail from their dynamic connection IP ranges.)
Unfortunately many people with AWS services either don't agree, or more likely don't know what their mail ends up looking like from the spam control perspective, because I see a modest but regular flow of legitimate mail from Amazon compute nodes. :(
A quick sampling of our FP archive and mail logs shows a seed company, a political something, a propane/fuel supply company, several smallish web forums, a smallish payment processing company, and several apps.
I'm pretty sure I've seen mail from nearby IP ranges that have had "proper" (i.e., user-specific) reverse DNS applied, so clearly there's a mechanism for Amazon VPS customers to do it right.
Amazon doesn't make life easier by insisting in their abuse reporting form that IP assignments are highly volatile; there's next to no way to tell, for sure, from the outside, whether a given Amazon IP is part of their static IP pool for long-running VPSes, or part of their "compute power for hire" cloud, which may change "ownership" several times in an hour. Or even if they actually maintain separate IP pools for these functions - possibly they don't.
-kgd
