Re: amazonaws.com?

2008-06-04 Thread Jay R. Ashworth
On Thu, May 29, 2008 at 06:08:47AM -0700, Joel Jaeggli wrote:
 Dorn Hetzel wrote:
 There is a really huge difference in the ease with which payment from a
 credit card can be reversed if fraudulent, and the amount of effort
 necessary to reverse a wire transfer. I won't go so far as to say that
 reversing a wire transfer is impossible, but I would claim it's many orders
 of magnitude harder than the credit card reversal.
 
 To paraphrase one of my colleagues from the user interaction world:
 
   The key to offering a compelling service is minimising
   transaction hassles.
 
 I encourage all my competitors to implement inconvenient hard to use 
 payment methods

I do too.

If all of your competitors uniformly make it just enough harder for Bad
Actors to rent servers from which to Act Bad, then we'll *know* where
it's coming from, and what to do about it -- and why (you wanted to
make more money).

See also Tragedy Of The Commons.

Cheers,
-- jra
-- 
Jay R. Ashworth                                          [EMAIL PROTECTED]
Designer                +-Internetworking--+-+                    RFC 2100
Ashworth & Associates   |  Best Practices Wiki | |                 '87 e24
St Petersburg FL USA    +-http://bestpractices.wikia.com-+   +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



Re: amazonaws.com?

2008-06-04 Thread Jay R. Ashworth
On Thu, May 29, 2008 at 11:10:40AM -0700, Joel Jaeggli wrote:
 Barry Shein wrote:
   Equating port 25 use with domestic terrorism is specious.
   
   Ammonium nitrate requires some care in handling regardless of 
   your intentions; see for example the Oppau or Texas City disasters.
 
 And how different is that from the million+ strong zombie botnets? Who
 owns (not pwns) those zombie'd systems and what were their intentions?
 
 Well let's see. The Texas City disaster is/was considered the worst 
 industrial accident in American history. 581 people killed by an 
 explosive yield of about 2 kilotons. The secondary effects included 
 fires in many of the chemical facilities in Galveston and a swath of 
 destruction that reached up to 40 miles inland...
 
 http://www.local1259iaff.org/disaster.html
 
 So no, I don't think internet attached hosts can be casually equated with 
 the destructive potential of a pile of fertilizer, at least not in the 
 context described.

One word: SCADA.

Yes, in point of fact, I think it *is* reasonable to evaluate potential
threats to just some PCs getting pwned in terms of physical damage
on grander scales.

It's not just about spam, or fraudulent credit charges.

Cheers,
-- jra
-- 
Jay R. Ashworth                                          [EMAIL PROTECTED]
Designer                +-Internetworking--+-+                    RFC 2100
Ashworth & Associates   |  Best Practices Wiki | |                 '87 e24
St Petersburg FL USA    +-http://bestpractices.wikia.com-+   +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



RE: amazonaws.com?

2008-05-30 Thread michael.dillon
 So to get Amazon to police their customers either requires 
 regulation or an external economic pressure. Blocking AWS 
 from folk's mail servers would apply some pressure,

No it would not. That is what AWS wants you to do. 

 making 
 areas of the net go dark to AWS would apply more pressure 
 faster. A considerable amount of pressure could be placed by 
 a big enough money damages lawsuit but that has a feedback 
 delay of months to years.

And such lawsuits can go both ways. As soon as a company moves
beyond protective blocking of port 25, to punitive blocking of
all traffic from AWS, they run the risk of being the target of
a damages lawsuit. Not to mention complaints from their own
customers.

There simply is no simple solution to this problem.

--Michael Dillon



Re: amazonaws.com?

2008-05-30 Thread Robert E. Seastrom

I'm not on the MLC (which doesn't have any community representatives
on it at present) anymore.

Nonetheless, I implore everyone to consider this thread dead.  It's
run far enough afield on speculation and analogies that I for one
think it's fairly out of scope.

Thanks,

---Rob





Re: amazonaws.com?

2008-05-29 Thread Al Iverson
On Wed, May 28, 2008 at 11:08 PM, Barry Shein [EMAIL PROTECTED] wrote:

 I am a big, big fan of assessing charges for AUP abuse and making some
 realistic attempt to try to make sure it's collectible, and otherwise
 make some attempt to know who you're doing business with.

Just out of curiosity, what stats can you make available as far as:
- How often you assess this AUP abuse fee?
- How often it is successfully collected?
- How successful are chargebacks against that fee?

I've heard lots of anti-abuse folks opine that this helps with spam
and other abuse prevention and cleanup, but I've never seen it in
practice before. I've also heard multiple ISP folks talk about it
being unenforceable. And from what I know from working for an
e-commerce service provider in the past, it sounds like a chargeback
magnet that could even endanger the merchant account of anybody who
uses it more than once.

Regards,
Al Iverson
-- 
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove lists from my email address to reach me faster and directly.



Re: amazonaws.com?

2008-05-29 Thread Joel Jaeggli

Dorn Hetzel wrote:

There is a really huge difference in the ease with which payment from a
credit card can be reversed if fraudulent, and the amount of effort
necessary to reverse a wire transfer. I won't go so far as to say that
reversing a wire transfer is impossible, but I would claim it's many orders
of magnitude harder than the credit card reversal.


To paraphrase one of my colleagues from the user interaction world:

The key to offering a compelling service is minimising
transaction hassles.

I encourage all my competitors to implement inconvenient hard to use 
payment methods



A mere court subpoena wouldn't even be remotely sufficient.  The person
wanting their money back would pretty much have to sue for it and win.
Heck, people that get scammed and send their money via western union can't
even get their money back...  People who sell physical goods that get
shipped internationally to places where they can't get them back from have
been dealing with irrevocable payment forms for a long, long time, and those
are generally wire transfers.

Once that guy in Frackustan has my widgets, I need to make darn sure he
can't take his money back :)

So, yeah, there would be some customers for whom the couple of business
hours it takes their wire to go through (that's a pretty typical time from my
actual experience) would be longer than they would want to wait for their
port 25 or other risky service to be enabled, but really, how many is that
going to be.  We're not talking about the wait for ordinary customers who
don't need those particular services that tend to be problem children, and
we're not talking about existing accounts of long standing, just about a
barrier for the drive-by customer who wants to use services and then not pay
the cost when they violate the AUP...

On Wed, May 28, 2008 at 11:53 PM, Peter Beckman [EMAIL PROTECTED] wrote:


On Wed, 28 May 2008, Barry Shein wrote:

 On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:

On Wed, 28 May 2008, Dorn Hetzel wrote:

  I would think that simply requiring some appropriate amount of irrevocable
  funds (wire transfer, etc) for a deposit that will be forfeited in the case
  of usage in violation of AUP/contract/etc would be both sufficient and not
  excessive for allowing port 25 access, etc.

   Until you find out that the source of those supposedly irrevocable funds
   was stolen or fraudulent, and you have some sort of court subpoena to give
   it back.

   I don't believe there is a way for you to outwit the scammer/spammer by
   making them pay more of their or someone else's money.  If you have what
   they need, they'll find a way to trick you into giving it to them.

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?


 Amazon and Dell ship physical goods.  Amazon Web Services sells services,
 as do I.  Services are commonly enabled and activated immediately after
 payment or verification of a valid credit card, as is often expected by
 the customer immediately after payment.  Shipment of physical goods will
 almost always take at least 24 hours, often longer, enabling more thorough
 checks of credit, however they might do it.

 And even with the extra time to review the transaction and attempt to
 detect fraud, I'm confident Amazon and Dell lose millions per year due to
 fraud.  The reality is that the millions they lose to fraud doesn't affect
 us because a Blu-Ray player purchased with a stolen credit card doesn't
 send spam or initiate DOS attacks.

 At least not yet; those Blu-Ray players do have an ethernet port.

 By your reasoning why don't the spammers just empty out Amazon's (et
 al) warehouses and retire! Oh right, they'd have to sell it all over
 the internet which'd mean taking credit cards...


 Now you're just being ridiculous.  Or sarcastic.  :-)

 I am a big, big fan of assessing charges for AUP abuse and making some

realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.


 Charging whom?  The spammer who pays your extra AUP abuse charges with
 stolen paypal accounts, credit cards, and legit bank accounts funded by
 money stolen from paypal accounts and transferred from stolen credit
 cards?

 If you are taking card-not-present credit card transactions over the
 Internet or phone, and not shipping physical goods but providing services,
 in my experience the merchant gets screwed, no matter how much money you
 might have charged for the privilege of using port 25 or violating AUPs.
 That money you collected and believed was yours and was in your bank
 account can be taken out just as easily 6 months later, after the lazy
 card holder finally reviews his credit card bill, sees unrecognized
 charges and says This is fraudulent!  And there you are, without your
 money.

 Getting someone to fax their ID in takes extra time and resources, and
 means it might be hours before you get your 

RE: amazonaws.com?

2008-05-29 Thread Matthew Huff
The financial services world felt the same pre-9/11. Since then FINRA and SEC 
regulations enforce Know Your Customer rules that require extensive record 
keeping. The regulations now are quite burdensome. Given that usage of cloud 
resources could be used for DDOS and other illegal activities, I wonder how 
long it will take companies to realize that if they don't do a good job of self 
policing, the result will be something they would prefer not to have happen.


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
www.otaotr.com | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2008 9:09 AM
To: Dorn Hetzel
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?

Dorn Hetzel wrote:
 There is a really huge difference in the ease with which payment from a
 credit card can be reversed if fraudulent, and the amount of effort
 necessary to reverse a wire transfer. I won't go so far as to say that
 reversing a wire transfer is impossible, but I would claim it's many orders
 of magnitude harder than the credit card reversal.

To paraphrase one of my colleagues from the user interaction world:

The key to offering a compelling service is minimising
transaction hassles.

I encourage all my competitors to implement inconvenient hard to use 
payment methods

 A mere court subpoena wouldn't even be remotely sufficient.  The person
 wanting their money back would pretty much have to sue for it and win.
 Heck, people that get scammed and send their money via western union can't
 even get their money back...  People who sell physical goods that get
 shipped internationally to places where they can't get them back from have
 been dealing with irrevocable payment forms for a long, long time, and those
 are generally wire transfers.
 
 Once that guy in Frackustan has my widgets, I need to make darn sure he
 can't take his money back :)
 
 So, yeah, there would be some customers for whom the couple of business
 hours it takes their wire to go through (that's a pretty typical time from my
 actual experience) would be longer than they would want to wait for their
 port 25 or other risky service to be enabled, but really, how many is that
 going to be.  We're not talking about the wait for ordinary customers who
 don't need those particular services that tend to be problem children, and
 we're not talking about existing accounts of long standing, just about a
 barrier for the drive-by customer who wants to use services and then not pay
 the cost when they violate the AUP...
 
 On Wed, May 28, 2008 at 11:53 PM, Peter Beckman [EMAIL PROTECTED] wrote:
 
 On Wed, 28 May 2008, Barry Shein wrote:

  On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
 On Wed, 28 May 2008, Dorn Hetzel wrote:

 I would think that simply requiring some appropriate amount of irrevocable
 funds (wire transfer, etc) for a deposit that will be forfeited in the case
 of usage in violation of AUP/contract/etc would be both sufficient and not
 excessive for allowing port 25 access, etc.

   Until you find out that the source of those supposedly irrevocable funds
   was stolen or fraudulent, and you have some sort of court subpoena to give
   it back.

   I don't believe there is a way for you to outwit the scammer/spammer by
   making them pay more of their or someone else's money.  If you have what
   they need, they'll find a way to trick you into giving it to them.

 Are you still trying to prove that Amazon, Dell, The World, etc can't
 possibly work?

  Amazon and Dell ship physical goods.  Amazon Web Services sells services,
  as do I.  Services are commonly enabled and activated immediately after
  payment or verification of a valid credit card, as is often expected by
  the customer immediately after payment.  Shipment of physical goods will
  almost always take at least 24 hours, often longer, enabling more thorough
  checks of credit, however they might do it.

  And even with the extra time to review the transaction and attempt to
  detect fraud, I'm confident Amazon and Dell lose millions per year due to
  fraud.  The reality is that the millions they lose to fraud doesn't affect
  us because a Blu-Ray player purchased with a stolen credit card doesn't
  send spam or initiate DOS attacks.

  At least not yet; those Blu-Ray players do have an ethernet port.

  By your reasoning why don't the spammers just empty out Amazon's (et
 al) warehouses and retire! Oh right, they'd have to sell it all over
 the internet which'd mean taking credit cards...

  Now you're just being ridiculous.  Or sarcastic.  :-)

  I am a big, big fan of assessing charges for AUP abuse and making some
 realistic attempt to try to make sure it's collectible, and otherwise
 make some attempt to know who you're doing business with.

  Charging whom?  The spammer who pays your extra AUP abuse charges

Re: amazonaws.com?

2008-05-29 Thread Dorn Hetzel
Oh, come on...  Businesses buy services every day that have to be paid for
by methods like wire transfer.  We're not talking about making it the only
payment method, just the method for deposits for risky services.  I wonder
what percentage of Amazon E2C customers even want outbound port 25 access
anyway.  Of those that do want port 25 access, how many are going to wind up
being more trouble than they are worth?

And it's not really central to this conversation, but I don't think Amazon
is in *any* danger with respect to their merchant account, almost no matter
what they do :)


On Thu, May 29, 2008 at 9:08 AM, Joel Jaeggli [EMAIL PROTECTED] wrote:

 Dorn Hetzel wrote:

 There is a really huge difference in the ease with which payment from a
 credit card can be reversed if fraudulent, and the amount of effort
 necessary to reverse a wire transfer. I won't go so far as to say that
 reversing a wire transfer is impossible, but I would claim it's many orders
 of magnitude harder than the credit card reversal.


 To paraphrase one of my colleagues from the user interaction world:

The key to offering a compelling service is minimising
transaction hassles.

 I encourage all my competitors to implement inconvenient hard to use
 payment methods


  A mere court subpoena wouldn't even be remotely sufficient.  The person
 wanting their money back would pretty much have to sue for it and win.
 Heck, people that get scammed and send their money via western union can't
 even get their money back...  People who sell physical goods that get
 shipped internationally to places where they can't get them back from have
 been dealing with irrevocable payment forms for a long, long time, and those
 are generally wire transfers.

 Once that guy in Frackustan has my widgets, I need to make darn sure he
 can't take his money back :)

 So, yeah, there would be some customers for whom the couple of business
 hours it takes their wire to go through (that's a pretty typical time from my
 actual experience) would be longer than they would want to wait for their
 port 25 or other risky service to be enabled, but really, how many is that
 going to be.  We're not talking about the wait for ordinary customers who
 don't need those particular services that tend to be problem children, and
 we're not talking about existing accounts of long standing, just about a
 barrier for the drive-by customer who wants to use services and then not pay
 the cost when they violate the AUP...

 On Wed, May 28, 2008 at 11:53 PM, Peter Beckman [EMAIL PROTECTED]
 wrote:

  On Wed, 28 May 2008, Barry Shein wrote:

  On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:

 On Wed, 28 May 2008, Dorn Hetzel wrote:

  I would think that simply requiring some appropriate amount of irrevocable
  funds (wire transfer, etc) for a deposit that will be forfeited in the case
  of usage in violation of AUP/contract/etc would be both sufficient and not
  excessive for allowing port 25 access, etc.

   Until you find out that the source of those supposedly irrevocable funds
   was stolen or fraudulent, and you have some sort of court subpoena to give
   it back.

   I don't believe there is a way for you to outwit the scammer/spammer by
   making them pay more of their or someone else's money.  If you have what
   they need, they'll find a way to trick you into giving it to them.

 Are you still trying to prove that Amazon, Dell, The World, etc can't
 possibly work?

   Amazon and Dell ship physical goods.  Amazon Web Services sells services,
  as do I.  Services are commonly enabled and activated immediately after
  payment or verification of a valid credit card, as is often expected by
  the customer immediately after payment.  Shipment of physical goods will
  almost always take at least 24 hours, often longer, enabling more thorough
  checks of credit, however they might do it.

  And even with the extra time to review the transaction and attempt to
  detect fraud, I'm confident Amazon and Dell lose millions per year due to
  fraud.  The reality is that the millions they lose to fraud doesn't affect
  us because a Blu-Ray player purchased with a stolen credit card doesn't
  send spam or initiate DOS attacks.

  At least not yet; those Blu-Ray players do have an ethernet port.

  By your reasoning why don't the spammers just empty out Amazon's (et
 al) warehouses and retire! Oh right, they'd have to sell it all over
 the internet which'd mean taking credit cards...

   Now you're just being ridiculous.  Or sarcastic.  :-)

  I am a big, big fan of assessing charges for AUP abuse and making some
 realistic attempt to try to make sure it's collectible, and otherwise
 make some attempt to know who you're doing business with.

   Charging whom?  The spammer who pays your extra AUP abuse charges with
  stolen paypal accounts, credit cards, and legit bank accounts funded by
  money stolen from paypal accounts and 

Re: amazonaws.com?

2008-05-29 Thread Dorn Hetzel
Yeah, there was a day when anyone could buy a pickup truck full of ammonium
nitrate fertilizer from a random feed store and not attract any attention at
all, now, maybe not.  Just like port 25, it has plenty of legitimate uses,
and some more problematic ones.

On Thu, May 29, 2008 at 9:14 AM, Matthew Huff [EMAIL PROTECTED] wrote:

 The financial services world felt the same pre-9/11. Since then FINRA and
 SEC regulations enforce Know Your Customer rules that require extensive
 record keeping. The regulations now are quite burdensome. Given that usage
 of cloud resources could be used for DDOS and other illegal activities, I
 wonder how long it will take companies to realize that if they don't do a
 good job of self policing, the result will be something they would prefer
 not to have happen.

 
 Matthew Huff   | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 www.otaotr.com | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139

 -Original Message-
 From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 29, 2008 9:09 AM
 To: Dorn Hetzel
 Cc: nanog@nanog.org
 Subject: Re: amazonaws.com?

 Dorn Hetzel wrote:
  There is a really huge difference in the ease with which payment from a
  credit card can be reversed if fraudulent, and the amount of effort
  necessary to reverse a wire transfer. I won't go so far as to say that
  reversing a wire transfer is impossible, but I would claim it's many orders
  of magnitude harder than the credit card reversal.

 To paraphrase one of my colleagues from the user interaction world:

The key to offering a compelling service is minimising
transaction hassles.

 I encourage all my competitors to implement inconvenient hard to use
 payment methods

  A mere court subpoena wouldn't even be remotely sufficient.  The person
  wanting their money back would pretty much have to sue for it and win.
  Heck, people that get scammed and send their money via western union can't
  even get their money back...  People who sell physical goods that get
  shipped internationally to places where they can't get them back from have
  been dealing with irrevocable payment forms for a long, long time, and those
  are generally wire transfers.
 
  Once that guy in Frackustan has my widgets, I need to make darn sure he
  can't take his money back :)
 
  So, yeah, there would be some customers for whom the couple of business
  hours it takes their wire to go through (that's a pretty typical time from my
  actual experience) would be longer than they would want to wait for their
  port 25 or other risky service to be enabled, but really, how many is that
  going to be.  We're not talking about the wait for ordinary customers who
  don't need those particular services that tend to be problem children, and
  we're not talking about existing accounts of long standing, just about a
  barrier for the drive-by customer who wants to use services and then not pay
  the cost when they violate the AUP...
 
  On Wed, May 28, 2008 at 11:53 PM, Peter Beckman [EMAIL PROTECTED]
 wrote:
 
  On Wed, 28 May 2008, Barry Shein wrote:
 
   On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
  On Wed, 28 May 2008, Dorn Hetzel wrote:
 
  I would think that simply requiring some appropriate amount of irrevocable
  funds (wire transfer, etc) for a deposit that will be forfeited in the case
  of usage in violation of AUP/contract/etc would be both sufficient and not
  excessive for allowing port 25 access, etc.

    Until you find out that the source of those supposedly irrevocable funds
    was stolen or fraudulent, and you have some sort of court subpoena to give
    it back.
 
    I don't believe there is a way for you to outwit the scammer/spammer by
    making them pay more of their or someone else's money.  If you have what
    they need, they'll find a way to trick you into giving it to them.

  Are you still trying to prove that Amazon, Dell, The World, etc can't
  possibly work?
 
   Amazon and Dell ship physical goods.  Amazon Web Services sells services,
   as do I.  Services are commonly enabled and activated immediately after
   payment or verification of a valid credit card, as is often expected by
   the customer immediately after payment.  Shipment of physical goods will
   almost always take at least 24 hours, often longer, enabling more thorough
   checks of credit, however they might do it.
 
   And even with the extra time to review the transaction and attempt to
   detect fraud, I'm confident Amazon and Dell lose millions per year due to
   fraud.  The reality is that the millions they lose to fraud doesn't affect
   us because a Blu-Ray player purchased with a stolen credit card doesn't
   send spam or initiate DOS attacks.
 
   At least not yet; those Blu-Ray players do have an ethernet port.
 
   By your reasoning why don't the spammers just empty out Amazon's (et
  al) warehouses

Re: amazonaws.com?

2008-05-29 Thread Joel Jaeggli

Dorn Hetzel wrote:
Yeah, there was a day when anyone could buy a pickup truck full of 
ammonium nitrate fertilizer from a random feed store and not attract any 
attention at all, now, maybe not.  Just like port 25, it has plenty of 
legitimate uses, and some more problematic ones.


Equating port 25 use with domestic terrorism is specious.

Ammonium nitrate requires some care in handling regardless of 
your intentions; see for example the Oppau or Texas City disasters.


On Thu, May 29, 2008 at 9:14 AM, Matthew Huff [EMAIL PROTECTED] wrote:


The financial services world felt the same pre-9/11. Since then
FINRA and SEC regulations enforce Know Your Customer rules that
require extensive record keeping. The regulations now are quite
burdensome. Given that usage of cloud resources could be used for
DDOS and other illegal activities, I wonder how long it will take
companies to realize that if they don't do a good job of self
policing, the result will be something they would prefer not to have
happen.


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
www.otaotr.com | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 29, 2008 9:09 AM
To: Dorn Hetzel
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?

Dorn Hetzel wrote:
  There is a really huge difference in the ease with which payment from a
  credit card can be reversed if fraudulent, and the amount of effort
  necessary to reverse a wire transfer. I won't go so far as to say that
  reversing a wire transfer is impossible, but I would claim it's many orders
  of magnitude harder than the credit card reversal.

To paraphrase one of my colleagues from the user interaction world:

   The key to offering a compelling service is minimising
   transaction hassles.

I encourage all my competitors to implement inconvenient hard to use
payment methods

  A mere court subpoena wouldn't even be remotely sufficient.  The person
  wanting their money back would pretty much have to sue for it and win.
  Heck, people that get scammed and send their money via western union can't
  even get their money back...  People who sell physical goods that get
  shipped internationally to places where they can't get them back from have
  been dealing with irrevocable payment forms for a long, long time, and those
  are generally wire transfers.
 
  Once that guy in Frackustan has my widgets, I need to make darn sure he
  can't take his money back :)
 
  So, yeah, there would be some customers for whom the couple of business
  hours it takes their wire to go through (that's a pretty typical time from my
  actual experience) would be longer than they would want to wait for their
  port 25 or other risky service to be enabled, but really, how many is that
  going to be.  We're not talking about the wait for ordinary customers who
  don't need those particular services that tend to be problem children, and
  we're not talking about existing accounts of long standing, just about a
  barrier for the drive-by customer who wants to use services and then not pay
  the cost when they violate the AUP...
 
  On Wed, May 28, 2008 at 11:53 PM, Peter Beckman [EMAIL PROTECTED] wrote:
 
  On Wed, 28 May 2008, Barry Shein wrote:
 
   On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
  On Wed, 28 May 2008, Dorn Hetzel wrote:
 
  I would think that simply requiring some appropriate amount of irrevocable
  funds (wire transfer, etc) for a deposit that will be forfeited in the case
  of usage in violation of AUP/contract/etc would be both sufficient and not
  excessive for allowing port 25 access, etc.

    Until you find out that the source of those supposedly irrevocable funds
    was stolen or fraudulent, and you have some sort of court subpoena to give
    it back.
 
    I don't believe there is a way for you to outwit the scammer/spammer by
    making them pay more of their or someone else's money.  If you have what
    they need, they'll find a way to trick you into giving it to them.

  Are you still trying to prove that Amazon, Dell, The World, etc can't
  possibly work?
 
   Amazon and Dell ship physical goods.  Amazon Web Services sells services,
   as do I.  Services are commonly enabled and activated immediately

Re: amazonaws.com?

2008-05-29 Thread Barry Shein

On May 28, 2008 at 23:53 [EMAIL PROTECTED] (Peter Beckman) wrote:
  
Getting someone to fax their ID in takes extra time and resources, and
means it might be hours before you get your account approved, and for
some service providers, part of the value of the service is the immediacy
in which a customer can gain new service.

Right, which means they're monetizing the risk and cost of damages for
the rest of the net. They're selling your resources also (e.g., need
for firewalls, bandwidth, cleanup.) That monetization needs to be
recognized.

If I rented cars to people w/o checking creds to a reasonable standard
and those cars were used in the commission of crimes or generated a
lot of insurance claims and emergency personnel expenses what would
the reaction be? I doubt it would be "...but fast turnaround is that
car rental company's competitive advantage! what can they do???"

-- 
-Barry Shein

The World              | [EMAIL PROTECTED]       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Login: Nationwide
Software Tool & Die    | Public Access Internet | SINCE 1989     *oo*



Re: amazonaws.com?

2008-05-29 Thread Barry Shein

On May 29, 2008 at 09:07 [EMAIL PROTECTED] (Al Iverson) wrote:
  On Wed, May 28, 2008 at 11:08 PM, Barry Shein [EMAIL PROTECTED] wrote:
  
   I am a big, big fan of assessing charges for AUP abuse and making some
   realistic attempt to try to make sure it's collectible, and otherwise
   make some attempt to know who you're doing business with.
  
  Just out of curiosity, what stats can you make available as far as:
  - How often you assess this AUP abuse fee?
  - How often it is successfully collected?
  - How successful are chargebacks against that fee?

I'll just say we have certainly assessed AUP abuse fees and in most
cases collected those fees.

The most common fee is a $50 per incident charge for spam complaints
after a stern warning or two which depends on frequency, a few per day
is very different than one or two per month, and what to do with those
phony AOL TOS complaints which almost always mean "I asked to be on
this list but I forgot how to get off so maybe if I keep clicking the
spam button..."?

These are not generally for all-out spamming in our experience. I
don't think that's even happened from here in this century. But I've
had people who sold services and harvested addresses from, e.g.,
usenet groups or mailing lists they joined specific to those services
(kinda like the router salesman you sometimes hear about on nanog)
which generated complaints. They got a lecture and a warning. In a few
cases their persistence got them billed, as warned, which usually put
a stop to it.

One time very early on I remember someone did some more egregious
spamming and I shut him down and added a $1500 clean-up fee and he
paid it. I was a bit shocked. I've billed a few others like that and
of course they just disappeared.

One advantage of AUP abuse fees, from a business point of view, is
that if you've done your homework (in the AUP, customer clearly warned
on first offense, response received) you can then shut them down
pending a significant deposit or payment of abuse fees on your terms.
You can, e.g., say this is too much for a credit card if you doubt
their trustworthiness, credit cards aren't legal tender, and demand
some more trustworthy payment method.

Let's be frank, once you're pretty sure they're willful spammers
you're not losing a lot of sleep over keeping them happy, you're
mostly trying to get rid of them unless this is really something
they're willing to give up entirely.

Should they try to come back at you legally this is a lot more
understandable (I never extended them a credit relationship of $1500
on a $20/mo account!) than just we didn't like what they were doing
with their account. Anyone can understand non-payment, even a court,
so claims of business damages etc mostly go out the window (but if
it was so important to your business why didn't you just pay the
fees??? it was in their AUP, didn't you read it?)

Obviously the fees have to be steep enough to discourage even someone
who might otherwise be willing to pay the fees. And for the way
spammers work that doesn't have to be very high, they mostly shoot for
free as an overhead goal, even the semi-legitimate types who would
claim they're just doing direct email marketing and sell products a
little more credible than herbal body enlargement pills.

At any rate I'll admit all this begs the zombie bot spammers and
others whose businesses are entirely built on crime and fraud but we
were talking about computing clouds.

As to chargebacks, over almost 20 years we've punched millions of card
charges and I'd say the number of chargebacks is small enough that it
usually gets mentioned when it happens, hmm, we had a couple of
chargebacks this month, very few, certainly not one a month.

We have what I'd call a normal number of card invalid (closed, over
limit, expiration date wrong, etc.), you get a steady stream of those,
but nothing I'd call serious and in most cases gets straightened out
with the customer...before someone (as usually happens in these
discussions) re-defines those as chargebacks and uses the
redefinition to question my credibility/sanity. By chargebacks I mean
a disputed charge, they're clearly distinguished in your merchant acct
from just bad cards.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: amazonaws.com?

2008-05-29 Thread Barry Shein

On May 29, 2008 at 06:46 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
  Dorn Hetzel wrote:
   Yeah, there was a day when anyone could buy a pickup truck full of 
   ammonium nitrate fertilizer from a random feed store and not attract any 
   attention at all, now, maybe not.  Just like port 25, it has plenty of 
   legitimate uses, and some more problematic ones.
  
  Equating port 25 use with domestic terrorism is specious.
  
  Ammonium nitrate requires some care in handling regardless of 
  your intentions, see for example the Oppau or Texas City disasters.

And how different is that from the million+ strong zombie botnets? Who
owns (not pwns) those zombie'd systems and what were their intentions?

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: amazonaws.com?

2008-05-29 Thread Luke S Crawford
Peter Beckman [EMAIL PROTECTED] writes:

   If you are taking card-not-present credit card transactions over the
...snip hard to charge fraudulent customers and also verifying customer
identity annoys the customer... points-  


The goal here is to give abuse a negative expected return.
One way to do this is to charge (and collect)  a fee that is greater than 
what the spammer can earn between when they sign up and when you shut them 
down.  There are two ways to do this -  1. raise (and collect) the abuse fee, 
or 2. lower the amount they can earn before you shut them down.  

I am suggesting that we put some effort into 2- If we can reduce the 
amount of time between when a spammer signs up and when they are shut
down, we raise the spammer's costs.  I think there is low-hanging fruit
in this area.  

I believe that the 'strongly authenticate customer, then take legal 
action' model is dictated by the fact that most abuse incidents are not
actually reported to your abuse desk- some abusive customers can go days
or weeks before you receive a complaint.  to give abuse a negative expected
return, then, you need to make the consequence expensive.  (to say nothing
of covering the costs of trying to get good logs/evidence out of those who
are complaining, or trying to figure out if your customer is a spammer
or if your customer was owned by a spammer, and the costs of collecting the
fee.)

I wanted to point out another option providers now have.  IDS technology
has matured.  Snort is free and pretty standard.   Personally, I find 
monitoring incoming traffic to be... of limited utility.  However, 
I believe snort is an excellent tool for lowering the cost of running an 
abuse desk, if you run it on the outgoing traffic. Snort is pretty good 
about alerting you to outgoing abuse before people complain.  Heck, if you 
trust it, you can have it automatically shut down the abusive customers.
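
One way to put the "watch the outgoing side" idea into practice without a full IDS, as an added example that is not code from this thread or from Snort: a fan-out heuristic over constructed outbound flow records. A customer host relaying mail through a smarthost talks to one port-25 peer; a spam run opens sessions to many distinct MXs in a short window. The record format, the addresses, the window and the threshold are all assumptions made for the example.

```python
"""Flag customer hosts whose outbound SMTP fan-out looks like a spam run.

Added example (not from the NANOG thread or from Snort): a distinct-peer
count per source over a sliding time window, run on constructed flow
records so it can be executed offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed values)
    src: str     # customer host inside our network
    dst: str     # remote host
    dport: int   # remote port


# Constructed sample: 10.0.0.5 relays through one smarthost; 10.0.0.9 opens
# sessions to 40 different remote MXs within 40 seconds, plus some HTTPS
# traffic that must not count toward the SMTP fan-out.
SAMPLE_FLOWS = (
    [Flow(1000 + i, "10.0.0.5", "192.0.2.25", 25) for i in range(6)]
    + [Flow(1000 + i, "10.0.0.9", f"198.51.100.{i}", 25) for i in range(40)]
    + [Flow(1000 + i, "10.0.0.9", "203.0.113.7", 443) for i in range(5)]
)


def smtp_fanout(flows, window=60):
    """Return {src: max number of distinct port-25 peers seen in any window}."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            by_src[f.src].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        # Anchor a window at every flow and count distinct peers inside it.
        for i, start in enumerate(fl):
            peers = {g.dst for g in fl[i:] if g.ts - start.ts < window}
            best = max(best, len(peers))
        result[src] = best
    return result


def flag_spam_sources(flows, window=60, threshold=20):
    """Sources whose distinct-MX fan-out on port 25 reaches the threshold.

    `threshold` and `window` are assumed tuning knobs, not values from the
    thread; tune them against your own customers' normal relay behaviour.
    """
    fan = smtp_fanout(flows, window)
    return sorted(src for src, n in fan.items() if n >= threshold)


if __name__ == "__main__":
    print(smtp_fanout(SAMPLE_FLOWS))
    print("flag:", flag_spam_sources(SAMPLE_FLOWS))
```

The point of keying on distinct destinations rather than raw volume is that a busy legitimate mail server also sends a lot on port 25, but to one smarthost; only direct-to-MX delivery from many customers at once looks like the second source above.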






Re: amazonaws.com?

2008-05-29 Thread Joel Jaeggli

Barry Shein wrote:

On May 29, 2008 at 06:46 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
  Dorn Hetzel wrote:
   Yeah, there was a day when anyone could buy a pickup truck full of 
   ammonium nitrate fertilizer from a random feed store and not attract any 
   attention at all, now, maybe not.  Just like port 25, it has plenty of 
   legitimate uses, and some more problematic ones.
  
  Equating port 25 use with domestic terrorism is specious.
  
  Ammonium nitrate requires some care in handling regardless of 
  your intentions, see for example the Oppau or Texas City disasters.


And how different is that from the million+ strong zombie botnets? Who
owns (not pwns) those zombie'd systems and what were their intentions?


Well let's see. The Texas City disaster is/was considered the worst 
industrial accident in American history. 581 people killed by an 
explosive yield of about 2 kilotons. The secondary effects included 
fires in many of the chemical facilities in Galveston and a swath of 
destruction that reached up to 40 miles inland...


http://www.local1259iaff.org/disaster.html

So no, I don't think internet attached hosts can casually be equated with 
the destructive potential of a pile of fertilizer at least not in the 
context described.






Re: amazonaws.com?

2008-05-29 Thread Peter Beckman

On Thu, 29 May 2008, Luke S Crawford wrote:


Peter Beckman [EMAIL PROTECTED] writes:


  If you are taking card-not-present credit card transactions over the

...snip hard to charge fraudulent customers and also verifying customer
identity annoys the customer... points-

The goal here is to give abuse a negative expected return.  One way to do
this is to charge (and collect)  a fee that is greater than what the
spammer can earn between when they sign up and when you shut them down.
There are two ways to do this -  1. raise (and collect) the abuse fee, or
2. lower the amount they can earn before you shut them down.


 All these charges do is line the coffers.  Sure, a few might be prevented
 from doing it in the first place, but the rest will continue, and everyone
 else here, including Barry, will continue to get hit by spam and DOS and
 backscatter.


I wanted to point out another option providers now have.  IDS technology
has matured.  Snort is free and pretty standard.   Personally, I find
monitoring incoming traffic to be... of limited utility.  However,
I believe snort is an excellent tool for lowering the cost of running an
abuse desk, if you run it on the outgoing traffic. Snort is pretty good
about alerting you to outgoing abuse before people complain.  Heck, if you
trust it, you can have it automatically shut down the abusive customers.


 This is what I think we should ALL be doing -- monitoring our own network
 to make sure we aren't the source, via customers, of the spam or DOS
 attacks.  All outbound email from your own network should be scanned by
 some sort of best-practice system before delivery to prevent or limit spam
 from originating on your network.  IMO.

 But let's be realistic -- the reality is that not everyone does, due to
 financial or resource or management constraints, and that receiving spam
 and being hit by DOS attacks and being slashdotted is simply part of the
 cost of being on the 'net.

 Profiting MORE from those that proliferate these attacks may hurt you less
 in the bottom line, but it still hurts everyone else who is the target of
 the attacks enabled by high AUP abuse fees.

 I know I'd be just as ticked off about a spam attack from Amazon EC2,
 whether or not Amazon got paid extra to enable it.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.angryox.com/
---



Re: amazonaws.com?

2008-05-29 Thread Barry Shein

What I really, really, (really), don't understand is what is this
perverse urge to argue incessantly that spam and related do little or
no harm, are of little consequence, and nothing can be done about it
anyhow? You'd think we were discussing ways to prevent hurricanes (and
some won't even accept that there's no answer to those!)

I realize there's a little bit of one-upsmanship to just beating a
hopeless point to death (ok, fine, huge ammonium nitrate explosions
which level entire cities are worse than million+ zombie bot armies,
and superman can beat up the hulk, etc.)

Zombie bot armies et al do cause probably billions of dollars in
damages (e.g., equipment and personnel to deal with them not to
mention lost productivity by end users), undermine trust, etc.

But don't you ever stop to consider where your collective bread is
buttered before you give the public and quotable impression as
professionals that whether or not spam, phishing et al are bad is
debatable, like we were arguing creationism vs. evolution, that
there's no point in even trying to curb it, that credit cards can't
possibly work, etc?

It's one thing to give an idea a proper vetting, it's something else
to work backwards from the assumption that nothing can possibly be
done and just use reasoning like I can think of something even worse,
so therefore it's not so bad, or fraud has occurred in credit card
transactions, therefore credit cards cannot be viable.

On May 29, 2008 at 11:10 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
  Barry Shein wrote:
   On May 29, 2008 at 06:46 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
 Dorn Hetzel wrote:
  Yeah, there was a day when anyone could buy a pickup truck full of 
  ammonium nitrate fertilizer from a random feed store and not attract 
   any 
  attention at all, now, maybe not.  Just like port 25, it has plenty 
   of 
  legitimate uses, and some more problematic ones.
 
 Equating port 25 use with domestic terrorism is specious.
 
  Ammonium nitrate requires some care in handling regardless of 
  your intentions, see for example the Oppau or Texas City disasters.
   
   And how different is that from the million+ strong zombie botnets? Who
   owns (not pwns) those zombie'd systems and what were their intentions?
  
  Well let's see. The Texas City disaster is/was considered the worst 
  industrial accident in American history. 581 people killed by an 
  explosive yield of about 2 kilotons. The secondary effects included 
  fires in many of the chemical facilities in Galveston and a swath of 
  destruction that reached up to 40 miles inland...
  
  http://www.local1259iaff.org/disaster.html
  
  So no, I don't think internet attached hosts can casually be equated with 
  the destructive potential of a pile of fertilizer at least not in the 
  context described.
  

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: amazonaws.com?

2008-05-29 Thread Luke S Crawford
Peter Beckman [EMAIL PROTECTED] writes:
...snip use snort suggestion

   This is what I think we should ALL be doing -- monitoring our own network
   to make sure we aren't the source, via customers, of the spam or DOS
   attacks.  All outbound email from your own network should be scanned by
   some sort of best-practice system before delivery to prevent or limit spam
   from originating on your network.  IMO.
   But let's be realistic -- the reality is that not everyone does, due to
   financial or resource or management constraints

I believe that in the case of a VPS provider like ec2,  monitoring outgoing
traffic with an IDS is cheaper than not monitoring it. 

Abuse reports are expensive to process.  You need people with both
social and technical skills on your end, people with social and technical
skills who are willing to do what amounts to technical support.  Often the 
abuse reports are vague, requiring back-and-forth.  Even if your IDS only 
catches a small percentage  of the abuse-generating complaints (and I bet 
the IDS can get a large percentage of the complaint-generating abuse-
it takes a lot of abuse to generate a complaint)  you are saving
a lot of money on abuse desk services.  Heck, I bet just the ability
to search IDS logs after an abuse report would pay for the IDS.
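
What "search the IDS logs after an abuse report" looks like in practice, as an added example that is not code from this thread or from any IDS product: take the address and time from a complaint, pull the alerts near that time, and attribute each to the customer who held the address then. In a VPS farm the public address moves between customers, so the lookup has to be by (address, time), not address alone. The alert line format, the lease table and all addresses are constructed for the example.

```python
"""Answer an abuse report from IDS alert logs and address-lease records.

Added example (not from the thread or any IDS product). Assumes a
constructed syslog-style alert line per outbound alert and a constructed
lease table recording which customer held which public address and when.
"""
import re
from datetime import datetime, timezone

# Constructed IDS alert lines: timestamp, signature name, src -> dst:port.
ALERT_LOG = """\
2008-05-29T10:02:11Z SMTP-FANOUT 203.0.113.40 -> 198.51.100.3:25
2008-05-29T10:02:14Z SMTP-FANOUT 203.0.113.40 -> 198.51.100.9:25
this line is junk and must be skipped, not crash the abuse desk
2008-05-29T14:40:00Z SSH-BRUTE 203.0.113.41 -> 192.0.2.77:22
2008-05-29T16:05:30Z SMTP-FANOUT 203.0.113.40 -> 198.51.100.5:25
"""

# Constructed lease table: (address, customer, start, end-or-None if still held).
# Note the gap 12:00-15:30 during which 203.0.113.40 was unassigned.
LEASES = [
    ("203.0.113.40", "cust-1001", "2008-05-29T09:00:00Z", "2008-05-29T12:00:00Z"),
    ("203.0.113.40", "cust-2002", "2008-05-29T15:30:00Z", None),
    ("203.0.113.41", "cust-3003", "2008-05-28T00:00:00Z", None),
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sig>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alerts(text):
    """Parse alert lines; malformed lines are skipped rather than fatal."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        out.append({"ts": parse_ts(d["ts"]), "sig": d["sig"], "src": d["src"],
                    "dst": d["dst"], "dport": int(d["dport"])})
    return out


def customer_at(address, when, leases=LEASES):
    """Customer holding `address` at `when`, or None if it was unassigned."""
    for addr, cust, start, end in leases:
        if addr != address:
            continue
        if parse_ts(start) <= when and (end is None or when < parse_ts(end)):
            return cust
    return None


def investigate(address, reported_at, log=ALERT_LOG, slack_hours=2):
    """Alerts sourced from `address` within +/- slack_hours of the complaint,
    each attributed to the customer who held the address at alert time."""
    when = parse_ts(reported_at)
    hits = []
    for a in parse_alerts(log):
        if a["src"] != address:
            continue
        if abs((a["ts"] - when).total_seconds()) > slack_hours * 3600:
            continue
        hits.append((a["sig"], a["dst"], customer_at(address, a["ts"])))
    return hits


if __name__ == "__main__":
    print(investigate("203.0.113.40", "2008-05-29T10:30:00Z"))
    print(investigate("203.0.113.40", "2008-05-29T16:00:00Z"))
```

Two complaints about the same address a few hours apart resolve to two different customers here, which is exactly the case that makes address-only blacklists and address-only abuse handling unreliable for a VPS provider.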




Re: amazonaws.com?

2008-05-29 Thread Joel Jaeggli

Barry Shein wrote:

What I really, really, (really), don't understand is what is this
perverse urge to argue incessantly that spam and related do little or
no harm, are of little consequence, and nothing can be done about it
anyhow? You'd think we were discussing ways to prevent hurricanes (and
some won't even accept that there's no answer to those!)

I realize there's a little bit of one-upsmanship to just beating a
hopeless point to death (ok, fine, huge ammonium nitrate explosions
which level entire cities are worse than million+ zombie bot armies,
and superman can beat up the hulk, etc.)


So don't use bad analogies... Describe the scope of the possible harm 
you envision.



Zombie bot armies et al do cause probably billions of dollars in
damages (e.g., equipment and personnel to deal with them not to
mention lost productivity by end users), undermine trust, etc.

But don't you ever stop to consider where your collective bread is
buttered before you give the public and quotable impression as
professionals that whether or not spam, phishing et al are bad is
debatable, like we were arguing creationism vs. evolution, that
there's no point in even trying to curb it, that credit cards can't
possibly work, etc?


The fact that criminal enterprise is undesirable is not a subject of 
much debate.


I object to the notion that the destruction of life and property are suitably 
analogous to spam, fraud, theft of resource and denial of service. They 
aren't. One is at risk of minimizing the suffering of the victims of the 
former by equating them with the latter.



It's one thing to give an idea a proper vetting, it's something else
to work backwards from the assumption that nothing can possibly be
done and just use reasoning like I can think of something even worse,
so therefore it's not so bad, or fraud has occurred in credit card
transactions, therefore credit cards cannot be viable.


I don't think there's any evidence of me assuming that. The potential 
for abuse is not a prima facie reason not to do something. Large 
successful parts of our economy as well as the basic human condition are 
devoted to the business of managing opportunity vs risk and the 
mitigation of the latter where possible.



On May 29, 2008 at 11:10 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
  Barry Shein wrote:
   On May 29, 2008 at 06:46 [EMAIL PROTECTED] (Joel Jaeggli) wrote:
 Dorn Hetzel wrote:
  Yeah, there was a day when anyone could buy a pickup truck full of 
  ammonium nitrate fertilizer from a random feed store and not attract any 
  attention at all, now, maybe not.  Just like port 25, it has plenty of 
  legitimate uses, and some more problematic ones.
 
 Equating port 25 use with domestic terrorism is specious.
 
  Ammonium nitrate requires some care in handling regardless of 
  your intentions, see for example the Oppau or Texas City disasters.
   
   And how different is that from the million+ strong zombie botnets? Who

   owns (not pwns) those zombie'd systems and what were their intentions?
  
  Well let's see. The Texas City disaster is/was considered the worst 
  industrial accident in American history. 581 people killed by an 
  explosive yield of about 2 kilotons. The secondary effects included 
  fires in many of the chemical facilities in Galveston and a swath of 
  destruction that reached up to 40 miles inland...
  
  http://www.local1259iaff.org/disaster.html
  
  So no, I don't think internet attached hosts can casually be equated with 
  the destructive potential of a pile of fertilizer at least not in the 
  context described.
  






Re: amazonaws.com?

2008-05-29 Thread Ian Mason


On 27 May 2008, at 16:33, Robert Bonomi wrote:


From [EMAIL PROTECTED]  Mon May 26 21:16:58 2008
Date: Tue, 27 May 2008 07:46:26 +0530
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Colin Alston [EMAIL PROTECTED]
Subject: Re: amazonaws.com?
Cc: [EMAIL PROTECTED]

On Tue, May 27, 2008 at 1:10 AM, Colin Alston  
[EMAIL PROTECTED] wrote:

On 26/05/2008 18:13 Suresh Ramasubramanian wrote:




I didnt actually, Bonomi did .. but going on ..


Mis-credit where mis-credit isn't due ...  Twasn't me, either.  grin

I just commented that I couldn't think of a reason for a _compute_ cluster to
need access to unlimited remote machines/ports.  And that it could 'trivially'
be made an _automatic_ part of the 'compute session' config -- to allow access
to a laundry-list of ports/machines, and those ports/machines -only-.

If Amazon were a 'good neighbor', they _would_ implement something like this.
That they see no need to do _anything_ -- when _actual_ problems, which are
directly attributable to their failure to do so, have been brought to their
attention -- does argue in favor of wholesale firewalling of the EC2 address-
space.

If the address-space owner won't police its own property, there is no reason
for the rest of the world to spend the time/effort to _selectively_ police it
for them.

Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and
they found difficulty selling cycles to people who couldn't access the machines
to set up their compute applications.


This is a classic example of externalities in the economics of security.

Currently, any damage caused by Amazon customers costs Amazon little or
nothing. The costs are borne by the victims of that damage. On the other hand
mitigating this damage would cause Amazon costs, in engineering and lost
revenue. So in economic terms they have no incentive to 'do the right thing'.

So to get Amazon to police their customers either requires regulation or an
external economic pressure. Blocking AWS from folk's mail servers would apply
some pressure, making areas of the net go dark to AWS would apply more pressure
faster. A considerable amount of pressure could be placed by a big enough money
damages lawsuit but that has a feedback delay of months to years.





Re: amazonaws.com?

2008-05-29 Thread Paul Vixie
[EMAIL PROTECTED] (Ian Mason) writes:

 On 27 May 2008, at 16:33, Robert Bonomi wrote:
 
  Amazon _might_ 'get a clue' if enough providers walled off the EC2
  space, and they found difficulty selling cycles to people who couldn't
  access the machines to set up their compute applications.
 
 This is a classic example of externalities in the economics of security.
 
 Currently, any damage caused by Amazon customers costs Amazon little or
 nothing. The costs are borne by the victims of that damage. On the other
 hand mitigating this damage would cause Amazon costs, in engineering and
 lost revenue. So in economic terms they have no incentive to 'do the
 right thing'.

i've heard this called the chemical polluter business model.

 So to get Amazon to police their customers either requires regulation or
 an external economic pressure. Blocking AWS from folk's mail servers
 would apply some pressure, making areas of the net go dark to AWS would
 apply more pressure faster. A considerable amount of pressure could be
 placed by a big enough money damages lawsuit but that has a feedback
 delay of months to years.

to that end, i don't accept e-mail from any free e-mail provider, including
gmail, nor from most ISP mail servers.  all of them face this same
economics decision, and all of them end up spewing quite a bit of spam, and
there's no end in sight.  e-mail sourcing doesn't scale.  the highest
quality e-mail comes from the smallest communities.  EC2 will probably face
some boycotts.  i don't think these will change the endgame, whatever it is.
-- 
Paul Vixie



RE: amazonaws.com?

2008-05-28 Thread Tony Finch
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote:

 But a more advanced intelligence will wonder why we have to have an SMTP
 server architecture that invites attacks. Why, by definition, do SMTP
 servers have to accept connections from all comers, by default? We have
 shown that other architectures are workable on the Internet, where
 communications only take place between peers who have prearranged which
 devices talk to which. This worked for USENET news and it works for
 exchanging BGP route announcements.

Of course there's no unwanted traffic on USENET or BGP. Everyone de-peers
Tiscali when their customers' compromised home computers perform DDOS
attacks.

 As long as we don't fix the architecture of Internet email, we
 are stuck with the catch-22 situation that Amazon, and all hosting
 providers find themselves in. These companies really have no choice
 but to allow spammers to exploit their services until the spamming
 is detected, either proactively by the provider, or reactively by
 a complaint to their abuse desk.

Nothing prevents Amazon from implementing a hierarchical email delivery
network for their little corner of the net. They just have to block
outgoing port 25 and require their users to use Amazon's smarthosts.

I don't see how, in your preferred replacement email architecture, a
provider would be able to avoid policing their users to prevent spam
in the way that you complain is so burdensome.

Tony.
-- 
f.anthony.n.finch  [EMAIL PROTECTED]  http://dotat.at/
HUMBER: SOUTHEAST VEERING SOUTHWEST 5 TO 7, PERHAPS GALE 8 LATER. MODERATE OR
ROUGH. THUNDERY RAIN, FOG PATCHES. MODERATE, OCCASIONALLY VERY POOR.
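
The "block outgoing port 25 and require the smarthosts" policy Tony describes, as an added example that is not code from this thread or from Amazon: the rules rendered as iptables commands for a provider's FORWARD chain, and the same rule list evaluated in Python so the one thing that usually goes wrong (the catch-all REJECT ending up ahead of the smarthost exceptions) can be checked offline. The customer prefix, the smarthost addresses and the log prefix are assumptions; authenticated submission on 587 is deliberately left alone.

```python
"""Customer SMTP egress: port 25 only to the provider's smarthosts.

Added example (not from the thread or from Amazon). Rules are kept as
tuples so they can be both rendered to iptables commands and evaluated
with first-match semantics here. Addresses are constructed values.
"""
import ipaddress

CUSTOMER_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed customer space
SMARTHOSTS = ["192.0.2.25", "192.0.2.26"]            # assumed relay hosts


def smtp_egress_rules(smarthosts=SMARTHOSTS):
    """Ordered rules as (dst network or None, dport or None, target).

    Exceptions first, then LOG, then the catch-all REJECT. Port 587 needs
    credentials at the relay, so it is not touched by these rules.
    """
    rules = [(ipaddress.ip_network(h), 25, "ACCEPT") for h in smarthosts]
    rules.append((None, 25, "LOG"))      # non-terminating: records the hit
    rules.append((None, 25, "REJECT"))   # tcp-reset so clients fail fast
    return rules


def render_iptables(rules, customer_net=CUSTOMER_NET):
    """Render the rule list as iptables commands for the FORWARD chain."""
    out = []
    for dst, dport, target in rules:
        parts = ["iptables -A FORWARD -s", str(customer_net), "-p tcp"]
        if dst is not None:
            parts += ["-d", str(dst)]
        if dport is not None:
            parts += ["--dport", str(dport)]
        parts += ["-j", target]
        if target == "LOG":
            parts += ["--log-prefix", '"smtp-egress: "']
        if target == "REJECT":
            parts += ["--reject-with", "tcp-reset"]
        out.append(" ".join(parts))
    return out


def decide(src, dst, dport, rules=None, customer_net=CUSTOMER_NET):
    """First-match evaluation of the chain; chain policy is ACCEPT."""
    rules = smtp_egress_rules() if rules is None else rules
    if ipaddress.ip_address(src) not in customer_net:
        return "ACCEPT"   # not customer traffic; outside this policy
    for rdst, rport, target in rules:
        if rport is not None and rport != dport:
            continue
        if rdst is not None and ipaddress.ip_address(dst) not in rdst:
            continue
        if target == "LOG":
            continue      # LOG never terminates the chain walk
        return target
    return "ACCEPT"


def exceptions_reachable(rules, smarthosts=SMARTHOSTS):
    """True if every smarthost is still accepted on 25 under these rules."""
    probe = str(next(CUSTOMER_NET.hosts()))
    return all(decide(probe, h, 25, rules) == "ACCEPT" for h in smarthosts)


if __name__ == "__main__":
    print("\n".join(render_iptables(smtp_egress_rules())))
    print(decide("10.0.0.9", "198.51.100.3", 25))   # direct-to-MX: REJECT
    print(decide("10.0.0.9", "192.0.2.25", 25))     # via smarthost: ACCEPT
```

`exceptions_reachable` is the check worth running whenever the rule set is regenerated: reversing the list puts the REJECT first and silently breaks every customer's legitimate relay path, which is how a well-meant port-25 block turns into a support queue.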



RE: amazonaws.com?

2008-05-28 Thread michael.dillon

 I don't see how, in your preferred replacement email 
 architecture, a provider would be able to avoid policing 
 their users to prevent spam in the way that you complain is 
 so burdensome.

To begin with, mail could only enter such a system through
port 587 or through a rogue operator signing an email peering
agreement. In either case, there is a bilateral contract involved
so that it is clear whose customer is doing wrong, and therefore
who is responsible for policing it. It's a different model in
which email traffic follows a chain of bilateral agreements 
from the sender to the recipient. At each link in the chain, 
a provider can block traffic if it does not conform to the 
peering agreement (or service agreement for end users).

Today, an anonymous spammer can obfuscate the source of their email
in a way that an average user can't figure out who to complain to.
In a hierarchical email peering system, only a rogue operator could
do that, and by nature of the system, they can't really be totally
anonymous. After all they have to sign a peering agreement with someone.

--Michael Dillon



Re: amazonaws.com?

2008-05-28 Thread Dorn Hetzel
I would think that simply requiring some appropriate amount of irrevocable
funds (wire transfer, etc) for a deposit that will be forfeited in the case
of usage in violation of AUP/contract/etc would be both sufficient and not
excessive for allowing port 25 access, etc.

On Wed, May 28, 2008 at 1:01 PM, Skywing [EMAIL PROTECTED]
wrote:

 That's somewhat ironic of a sentiment you referred to there, given that the
 conception that one should have to hand over one's SSN for verification to
 anyone who asks for it is the kind of thing that many of these
 spammers/phishers thrive on in the first place...

 (I assume that you are not actually really advocating such a requirement
 for anyone wanting to run a mail server...)

 - S

 -Original Message-
 From: Sargun Dhillon [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, May 28, 2008 12:34 PM
 To: Steve Atkins
 Cc: nanog@nanog.org
 Subject: Re: amazonaws.com?

 Well the thing that differentiates the cloud is that there is an
 infinite amount of resources, the ability to have anonymous access, and
 the infinite amount of identities. Basically Amazon has allocated a /18,
 /19, and /17 to EC2. The chances of getting the same IP between two
 instances amongst that many possibilities is low. Basically someone
 could easily go get a temporary credit card and start up 10 small EC2
 instances. This would give them 10 public IPs which would probably take
 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
 a matter of rebooting and you have another 3-4 hours. This could last
 weeks with a credit card. Then you could rinse and repeat. In the past
 I've seen companies require EIN/SSN verification (a bit much) in order
 to open up certain things (port 25, BGP, etc...). If Amazon is going to
 continue to have policies that allow spammers to thrive it will end with
 EC2 failing.

 SMTP has inherent trust issues. I'm currently researching Amazon AWS's
 static IP addresses. I think it would be easiest to block everything and
 just make exemptions for people who purchase the static IPs.

 My advice to you if you are buying anonymous resources would be to
 purchase an agreement with a relay that isn't part of the anonymous
 computing center.




 Steve Atkins wrote:
 
  On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
 
  Has Amazon given an official statement on this? It would be nice to get
  someone from within Amazon to give us their official view on this. It
  would be even more appropriate for the other cloud infrastructures to
  join in, and or have some sort of RFC to do with SMTP access within the
  cloud. I foresee this as a major problem as the idea of the cloud is
  being pushed more and more. You are talking about a spammer's dream. Low
  cost , powerful resources with no restrictions and complete anonymity.
 
  Personally I'm going to block *.amazonaws.com from my mail server until
  Amazon gives us a statement on how they are planning on fighting spam
  from the cloud.
 
  The cloud is just a marketing term for a bunch of virtual servers,
  at least in Amazon's case. It's nothing particularly new, just a VPS
  farm with the same constraints and abuse issues as a VPS or
  managed server provider.
 
  The only reason this is a problem in the case of Amazon is that they're
  knowingly selling service to spammers, their abuse guy is in
  way over his head and isn't interested in policing their users
  unless they're doing something illegal or the check doesn't clear.
  As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
 
  Cheers,
  Steve
 
 


 --
 +1.925.202.9485
 Sargun Dhillon
 deCarta
 [EMAIL PROTECTED]
 www.decarta.com








Re: amazonaws.com?

2008-05-28 Thread Joe Abley


On 28 May 2008, at 16:34, Sargun Dhillon wrote:


Well the thing that differentiates the cloud is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities.


That sounds great. Presumably in addition to the above the sun is always
shining, cats never crap in the kitchen and those responsible for the
American Idol franchise have been lined up against the wall and shot?



Joe




Re: amazonaws.com?

2008-05-28 Thread Jay R. Ashworth
On Wed, May 28, 2008 at 12:01:30PM -0500, Skywing wrote:
 That's somewhat ironic of a sentiment you referred to there, given
 that the conception that one should have to hand over one's SSN for
 verification to anyone who asks for it is the kind of thing that
 many of these spammers/phishers thrive on in the first place...

What...

are people still using SSNs as authenticators instead of identifiers,
20 years on?

Cheers,
-- jra
-- 
Jay R. Ashworth[EMAIL PROTECTED]
Designer+-Internetworking--+-+RFC 2100
Ashworth & Associates  |  Best Practices Wiki | | '87 e24
St Petersburg FL USA+-http://bestpractices.wikia.com-+ +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me



RE: amazonaws.com?

2008-05-28 Thread michael.dillon

 I think the straightforward fix is for Amazon to put some 
 practical mail guidelines together for their environment 

Has anyone making these suggestions ever thought to look at the Amazon
Web Services agreement that governs these EC2 customers?

http://www.amazon.com/AWS-License-home-page-Money/b/ref=sc_fe_c_0_201590011_13?ie=UTF8node=3440661no=201590011me=A36L942TSJ2AJA

--Michael Dillon



Re: amazonaws.com?

2008-05-28 Thread Peter Beckman

On Wed, 28 May 2008, Barry Shein wrote:


On May 28, 2008 at 21:43 [EMAIL PROTECTED] (Peter Beckman) wrote:
 On Wed, 28 May 2008, Dorn Hetzel wrote:

  I would think that simply requiring some appropriate amount of irrevocable
  funds (wire transfer, etc) for a deposit that will be forfeited in the case
  of usage in violation of AUP/contract/etc would be both sufficient and not
  excessive for allowing port 25 access, etc.

   Until you find out that the source of those supposedly irrevocable funds
   was stolen or fraudulent, and you have some sort of court subpoena to give
   it back.

   I don't believe there is a way for you to outwit the scammer/spammer by
   making them pay more of their or someone else's money.  If you have what
   they need, they'll find a way to trick you into giving it to them.

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?


 Amazon and Dell ship physical goods.  Amazon Web Services sells services,
 as do I.  Services are commonly enabled and activated immediately after
 payment or verification of a valid credit card, as is often expected by
 the customer immediately after payment.  Shipment of physical goods will
 almost always take at least 24 hours, often longer, enabling more thorough
 checks of credit, however they might do it.

 And even with the extra time to review the transaction and attempt to
 detect fraud, I'm confident Amazon and Dell lose millions per year due to
 fraud.  The reality is that the millions they lose to fraud doesn't affect
 us because a Blu-Ray player purchased with a stolen credit card doesn't
 send spam or initiate DOS attacks.

 At least not yet; those Blu-Ray players do have an ethernet port.


By your reasoning why don't the spammers just empty out Amazon's (et
al) warehouses and retire! Oh right, they'd have to sell it all over
the internet which'd mean taking credit cards...


 Now you're just being ridiculous.  Or sarcastic.  :-)


I am a big, big fan of assessing charges for AUP abuse and making some
realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.


 Charging whom?  The spammer who pays your extra AUP abuse charges with
 stolen paypal accounts, credit cards, and legit bank accounts funded by
 money stolen from paypal accounts and transferred from stolen credit
 cards?

 If you are taking card-not-present credit card transactions over the
 Internet or phone, and not shipping physical goods but providing services,
 in my experience the merchant gets screwed, no matter how much money you
 might have charged for the privilege of using port 25 or violating AUPs.
 That money you collected and believed was yours and was in your bank
 account can be taken out just as easily 6 months later, after the lazy
 card holder finally reviews his credit card bill, sees unrecognized
 charges and says "This is fraudulent!"  And there you are, without your
 money.

 Getting someone to fax their ID in takes extra time and resources, and
 means it might be hours before you get your account approved, and for
 some service providers, part of the value of the service is the immediacy
 in which a customer can gain new service.

Beckman
---
Peter Beckman  Internet Guy
[EMAIL PROTECTED] http://www.angryox.com/
---



RE: amazonaws.com?

2008-05-27 Thread Robert Bonomi
 From [EMAIL PROTECTED]  Tue May 27 12:06:50 2008
 Subject: RE: amazonaws.com?
 Date: Tue, 27 May 2008 18:08:16 +0100
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

  If the address-space owner won't police its own property, 
  there is no reason for the rest of the world to spend the 
  time/effort to _selectively_ police it for them.

 Exactly!!! 
 If an SMTP server operator is not willing to police their server
 by implementing a list of approved email partners, then why should
 the rest of the Internet have to block outgoing port 25 connections?

Because the _privilege_ to send packets to other networks has been, from
'day one', conditional on the presumption that the sending network _is_
a good neighbor to the networks receiving their traffic.

AS SUCH, they have a firm 'moral responsibility' to *NOT* let _their_
users =originate= traffic that is harmful/offensive/abusive to the 
receiving/destination network.


Or, are you arguing for _no_ acceptable use policies for _anything_ on
the 'net?  That anyone should be free to attempt anything against any
server/network, and that it is the sole responsibility of the receiving
system to build and maintain the defenses against whatever any 
malefactor might decide to do?  *AND* that the party providing that 'black
hat' with connectivity should bear no responsibility for anything that
their customers do?   Thinking about it, I realize that asking _you_ (an
employee of a major telephone company) is a silly question -- you have a
biased viewpoint from a government-regulated monopoly.

 The buck needs to stop right where the problem is and that is
 on the SMTP servers that are promiscuously allowing almost any
 IP address to open a socket with them and inject email messages.

Since one _cannot_ stop the -attempts- at the destination end, and the
volume of -attempts- (even though they're blocked at the fence-line) 
*CAN* be enough to render 'normal' operations of the receiving network
impossible -- it should be obvious to the meanest intelligence that 
the matter *must* be addressed at a point _upstream_ from the destination
network.

It is universally recognized in the real world that 'toxic waste' issues 
must be dealt with at the _source_ point -- where that toxic waste is
produced.  AND that the costs of doing so should fall on those who produce
them.  

There is no reason that the Internet should be any different.  The polluter
is the party who *should* get hit with the majority of the costs of handling
the toxic waste they produce, not the party simply trying to enjoy the 'quiet
satisfaction' of their own property.

It is arguable that the Internet has advanced from the 'early pioneer' days 
of the '80s, to a state that is comparable to the height of the Robber Baron
era -- where everybody was out for 'me first, and to h*ll with whomever isn't
big enough, mean enough, and tough enough to stand up to whatever I want to
do to take advantage of them.  History shows that such attitudes weren't right
_for_the_world_as_a_whole_ then, and societal barriers were put in place to
prevent such abuses from re-occurring.


  Amazon _might_ 'get a clue' if enough providers walled off 
  the EC2 space, and they found difficulty selling cycles to 
  people who couldn't access the machines to set up their 
  compute applications.

 Amazon might get a clue and sue companies who take such outrageously
 extreme action.

*SNICKER*   The results of such a suit are _utterly_ predictable. There's
established case-law going back a couple of _decades_. For example, look at
any of the (100% _unsuccessful_) suits that Cyber Promotions, Inc. filed
against any of the several providers that did exactly that to said plaintiff.

There's similar case law in England, the Netherlands, Germany, Switzerland,
Norway, Finland, and Australia -- just to name a few of the places where
the matter has been litigated.

There are no rights on the Internet, only privileges.  Your right to 
access any part of my network exists only -if- I extend you that privilege.  
And it _is_ revokable at whim.  WITHOUT any need to 'show cause why'.   Such
a suit as you suggest runs the very real risk that the filing party would be
sanctioned as regards frivolous filings.

 Even if you are being slammed by millions of email
 messages from Amazon address space, that is not justification for
 blocking all access to the space. It's a point problem on your
 mail server so leave the shotgun alone, and put an ACL blocking
 port 25 access to your mail server.

FALSE TO FACT.

If they generate _enough_ 'unwanted' traffic towards me, that can/will
constitute a fairly effective (D)DOS attack -- admittedly, it's only 
'slightly' distributed, and it's coming from a single block, so it can
be dealt with by some forms of point responses.

I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires-
blocking/limiting the traffic *before* it hits the choke-point that is my 
external connectivity.

Re: amazonaws.com?

2008-05-27 Thread Colin Alston

On 27/05/2008 20:53 Robert Bonomi wrote:

Because the _privilege_ to send packets to other networks has been, from
'day one', conditional on the presumption that the sending network _is_
a good neighbor to the networks receiving their traffic.


You need to wake up Dorothy, this isn't Kansas anymore. Free access to 
the internet won long ago, it's all about defending yourself.


--
Colin Alston ~ http://syllogism.co.za/
To the world you may be one person, to one person you may be the 
world ~ Rachel Ann Nunes.




Re: amazonaws.com?

2008-05-25 Thread Barry Shein

If I may be so bold as to summarize a few posts:

  It's ok to let spammers and other criminals use your systems (e.g.,
  compute clouds) to slam others just so long as you get yourself into
  the various blacklists.

But I thought (routed) bandwidth was the ISP's stock in trade? And
trust (e.g., whaddya think of people who hijack IP blocks?)

I don't think it's ok for someone to be slamming my bandwidth and
computrons, even at the firewall.

As was mentioned some of these clouds are looking at multiple 10gb
connections.

Just because I can fend off seeing their content at my end doesn't
mean I'm not being damaged. I have to keep up with their bandwidth and
firewall computron usage, and managing usage of the blacklists.

That's damages.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: amazonaws.com?

2008-05-24 Thread Colin Alston

On 24/05/2008 02:42 Steve Atkins wrote:

If you're seeing something more egregious than just deluges of spam
then [EMAIL PROTECTED] would likely be the right people
to talk to.

They've been contacted about it and, AIUI, state that the spam being sent
from there is not something they're going to take action on.


You should not accept SMTP from the Amazon EC2 cloud at all. Amazon 
don't intend for anyone to use it as an email platform and tell their 
clients to use an external relay.


--
Colin Alston ~ http://syllogism.co.za/
To the world you may be one person, to one person you may be the 
world ~ Rachel Ann Nunes.




Re: amazonaws.com?

2008-05-24 Thread Christopher Morrow
On Sat, May 24, 2008 at 12:13 PM, Kee Hinckley [EMAIL PROTECTED] wrote:
 On May 24, 2008, at 3:24 AM, Colin Alston wrote:

 You should not accept SMTP from the Amazon EC2 cloud at all. Amazon don't
 intend for anyone to use it as an email platform and tell their clients to
 use an external relay.

 I'm sure this is good advice. But if an ISP used that as an excuse for not
 taking action, we'd hang them over hot coals. Is Amazon truly not policing
 the network for spammers?

not to excuse this, but... it's not a simple problem. The 'bad guy'
rolls up to the website, orders 200 machines for 20 mins under the
name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
job happens to create a bunch of email outbound. It could be a
legitimate email service outsourcing their compute/bw needs to AWS, it
could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
when the complaints roll in. :(

I suppose they could say: no tcp/25 outbound from AWS computer
clusters, though that's probably a decent market in the real
email-deliver-services :( Also, truly bad folk will just move to using
proxies or other methods :(

-Chris.



Re: amazonaws.com?

2008-05-24 Thread Barry Shein

  not to excuse this, but... it's not a simple problem. The 'bad guy'
  rolls up to the website, orders 200 machines for 20 mins under the
  name 'xplosiveman' pays with some paypal/CC and runs his/her job. That
  job happens to create a bunch of email outbound. It could be a
  legitimate email service outsourcing their compute/bw needs to AWS, it
  could be 'pick-yer-bad-spammer' ... AWS really can't tell until after
  when the complaints roll in. :(

Oh rubbish, it's a trivial problem.

You verify the payment method in advance and make it clear in the
agreement to use the resources that any of the following activities
(list, define...) will be billed at a steep rate (e.g., $100 per
spamming complaint) and make some reasonable effort to ensure you can
collect that, like do an authorize on their credit card (that's what
hotels do to reserve but not charge typically $1000 or whatever on
your card when you check in.)

It's trivial, using your systems to spam is a cost, make sure at the
very least you get paid for it.

This isn't hypothetical, I have done exactly this many times here and
billed customers who were crossing the line and generating too many
complaints (but not quite what I'd call egregious spamming, but maybe
harvesting addresses for their newsletter from specific chat groups
for example) $50 per complaint, and I've collected it, and it stopped,
either they paid it and cleaned up their act or they went away, good
riddance.

Anyone who builds a business model which allows for this sort of
massive fraud and criminality where a few common sense precautions
would prevent it is just transferring the costs of reasonable
precaution to others and courts should come to understand that sooner
than later.

Their business model is monetizing your time and efforts to accommodate
that abuse. The money is going right into their pockets by not having
to pay for employees to implement and execute an avoidance, detection,
and recovery plan, for starters.

Microsoft has made untold billions monetizing spam (by knowingly not
fixing their OS for over a decade) and others are figuring this out
and building new business models which profit on abuse enablement even
if indirectly (i.e., as a cost savings.)

They're laughing all the way to the bank as you get shook out of bed
with another 3AM emergency or stay over the weekend to upgrade your
newly purchased firewall capacity, etc etc etc.

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*



Re: amazonaws.com?

2008-05-23 Thread Patrick Clochesy
EC2 is a pay-per-cycle service, where you can run your work on their  
servers. Probably one of their clients. Try [EMAIL PROTECTED]


-Patrick

On May 23, 2008, at 6:59 PM, Barry Shein [EMAIL PROTECTED] wrote:



Is it just us or does someone pWn *.amazonaws.com?

Every one of our mail servers is being slammed by I'm not sure what
but many thousands of user unknowns per hour (fortunately we handle
those pretty quickly but this is a deluge.)

All I know is amazonaws.com is Amazon Web Services, not sure if
these particular systems should be sending email at all, the hostnames
look like:


Those don't look like mail servers but what do I know?

Anyhow, if there's anyone awake at Amazonaws.com, your hair is on
fire.

   -b


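One way to turn Barry's report (thousands of user-unknown rejections per hour from ec2-*.compute-1.amazonaws.com hosts) and Michael Dillon's suggestion of an ACL on the mail server into something operational, as an added example that is not from the thread: parse constructed Postfix-style reject lines, bucket user-unknown rejects per connecting host per hour, and emit Postfix access-map lines for EC2 hosts over a threshold. The log lines, the threshold and the access-map comment text are constructed, not taken from the list.

```python
import re
from collections import Counter

# Constructed Postfix-style reject lines (not real traffic); the hostnames
# follow the ec2-A-B-C-D.compute-1.amazonaws.com pattern quoted in the thread.
SAMPLE_LOG = """\
May 23 18:01:02 mx1 postfix/smtpd[111]: NOQUEUE: reject: RCPT from ec2-75-101-192-20.compute-1.amazonaws.com[75.101.192.20]: 550 5.1.1 <a@example.net>: Recipient address rejected: User unknown in local recipient table
May 23 18:01:03 mx1 postfix/smtpd[111]: NOQUEUE: reject: RCPT from ec2-75-101-192-20.compute-1.amazonaws.com[75.101.192.20]: 550 5.1.1 <b@example.net>: Recipient address rejected: User unknown in local recipient table
May 23 18:01:05 mx1 postfix/smtpd[112]: NOQUEUE: reject: RCPT from ec2-67-202-36-134.compute-1.amazonaws.com[67.202.36.134]: 550 5.1.1 <c@example.net>: Recipient address rejected: User unknown in local recipient table
May 23 18:01:09 mx1 postfix/smtpd[113]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.10]: 550 5.1.1 <d@example.net>: Recipient address rejected: User unknown in local recipient table
May 23 19:02:11 mx1 postfix/smtpd[114]: NOQUEUE: reject: RCPT from ec2-75-101-192-20.compute-1.amazonaws.com[75.101.192.20]: 550 5.1.1 <e@example.net>: Recipient address rejected: User unknown in local recipient table
"""

# Timestamp, connecting host, its IP, and the 550 "User unknown" reject text.
REJECT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: 550 .*?User unknown"
)
# Reverse-DNS naming used by EC2 instances in the thread's examples.
EC2_HOST_RE = re.compile(r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.compute-\d+\.amazonaws\.com$")


def is_ec2_host(hostname: str) -> bool:
    """True when the reverse-DNS name matches the EC2 instance naming pattern."""
    return EC2_HOST_RE.match(hostname) is not None


def user_unknowns_per_hour(log_text: str) -> dict:
    """Map (hostname, ip) -> Counter of user-unknown rejects keyed by (mon, day, hour)."""
    per_host = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # not a user-unknown reject line; ignore it
        key = (m["host"], m["ip"])
        bucket = (m["mon"], m["day"], m["hour"])
        per_host.setdefault(key, Counter())[bucket] += 1
    return per_host


def ec2_hosts_over_threshold(log_text: str, per_hour: int) -> list:
    """EC2 hosts whose busiest hour reached `per_hour` user-unknown rejects (threshold assumed)."""
    hits = []
    for (host, ip), hours in user_unknowns_per_hour(log_text).items():
        if is_ec2_host(host) and max(hours.values()) >= per_hour:
            hits.append((host, ip))
    return sorted(hits)


def postfix_access_map(entries: list) -> str:
    """Render Postfix access(5)-style lines rejecting SMTP from the listed IPs."""
    return "".join(f"{ip}\tREJECT user-unknown flood from {host}\n" for host, ip in entries)


if __name__ == "__main__":
    print(postfix_access_map(ec2_hosts_over_threshold(SAMPLE_LOG, per_hour=2)))
```

The per-hour bucketing keeps a single stray bounce from a legitimate EC2-hosted sender off the list; only hosts that keep hammering unknown recipients within one hour are emitted.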




Re: amazonaws.com?

2008-05-23 Thread Chris Stone
Patrick Clochesy wrote:
 EC2 is a pay-per-cycle service, where you can run your work on their
 servers. Probably one of their clients. Try [EMAIL PROTECTED]
 
 -Patrick
 
 On May 23, 2008, at 6:59 PM, Barry Shein [EMAIL PROTECTED] wrote:
 

 Is it just us or does someone pWn *.amazonaws.com?

 Every one of our mail servers is being slammed by I'm not sure what
 but many thousands of user unknowns per hour (fortunately we handle
 those pretty quickly but this is a deluge.)

 All I know is amazonaws.com is Amazon Web Services, not sure if
 these particular systems should be sending email at all, the hostnames
 look like:



Send to [EMAIL PROTECTED] - amazonaws.com has no MX:

[EMAIL PROTECTED] ~]$ host -tmx amazonaws.com
amazonaws.com has no MX record



--
Chris Stone, MCSE
Vice President, CTO
AxisInternet, Inc.
http://www.axint.net
DSL, dialup, hosting, email filtering, co-location, online backup
Phone: +1 303 592 2947 x302 (office)  +1 303 570 6947 (cell)