FWIW, we use Fail2Ban to block all AWS EC2 IPs that have an 
"ec2-xxx.compute...amazonaws.com" PTR record, and another Fail2Ban rule to 
block hosts that HELO with "127.0.0.1".

We ourselves host on AWS successfully (for more than six years now) and have 
filed a number of complaints with their security team for similar bad behavior, 
most of which have resulted in a "behavior mitigated" notice.

I think they know they have a problem; two other customers I've recently 
endeavored to migrate to AWS were put through the wringer to get their port 25 
outbound restriction lifted.  One was successful; the other was told they could 
relay out through SES only; given their history (despite big and necessary 
changes in IT...), no port 25 restriction lifting was possible -- even after a 
re-review.

Regards, 
Mark 
_________________________________________________________________ 
L. Mark Stone, Founder 
North America's Leading Zimbra VAR/BSP/Training Partner 
For Companies With Mission-Critical Email Needs

----- Original Message -----
| From: "Michael Peddemors via mailop" <mailop@mailop.org>
| To: "mailop" <mailop@mailop.org>
| Sent: Tuesday, June 18, 2024 1:12:18 PM
| Subject: [mailop] Another 'Verified Email' service on AWS EC2

| Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US]
| PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x
| Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]
| Jun 18 09:58:04 be msd[1959712]: RSET command received, args:
| Jun 18 09:58:04 be msd[1959712]: MAIL command received, args:
| FROM:<verify-no-re...@thrust.io>
| 
| * No custom PTR record
| * HELO is obviously bad..
| 
| Love the link on their website, trusted by professionals at Amazon,
| Cisco, Adobe..
| 
| Fortunately our spam auditing team's DRE (Dynamic Rule Engine) and DFS
| (Distributed Feedback Systems) find these IPs, so they can be shared
| with the community at large.. Of course, our systems don't actually let
| those systems do any email scraping or verification ..
| 
| Just another trend on Amazon's EC2 that is getting really old really fast.
| 
| ....
| 
| On another note, not putting up a full state of the union this week, but
| of course Google/o365 fake procurement is still high on the lists..
| 
| Digital Ocean IP Space continues to see more types of attacks, from
| spammers, phishing, #BEC attacks, WordPress attacks etc.. The line to
| 'Bullet Proof' hoster is getting very blurry, and our threat teams are
| getting more aggressive.
| 
| If you have no customers using Digital Ocean, we strongly recommend
| blocking all authentications from their IP space..
| 
| For the record, stay tuned.. our teams are looking to make more of our
| threat data publicly available.. to the general public. Stay tuned.
| 
| 
| --
| "Catch the Magic of Linux..."
| ------------------------------------------------------------------------
| Michael Peddemors, President/CEO LinuxMagic Inc.
| Visit us at http://www.linuxmagic.com @linuxmagic
| A Wizard IT Company - For More Info http://www.wizard.ca
| "LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
| ------------------------------------------------------------------------
| 604-682-0300 Beautiful British Columbia, Canada
| _______________________________________________
| mailop mailing list
| mailop@mailop.org
| https://list.mailop.org/listinfo/mailop
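The two checks described in the reply above (a generic EC2 PTR, a HELO of "127.0.0.1"), run over log lines in the msd format quoted in the original message. This is an added example, not part of either message and not either poster's Fail2Ban or rule-engine configuration; the function names, the regexes, the EHLO handling and the extension to any loopback literal are assumptions, and all sample lines except the 34.229.185.73 pair are constructed.

```python
import ipaddress
import re

# Generic EC2 reverse DNS: ec2-<dashed IPv4>.compute-1.amazonaws.com or
# ec2-<dashed IPv4>.<region>.compute.amazonaws.com (no custom PTR set).
EC2_PTR = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.(?:[a-z0-9-]+\.)?compute(?:-1)?\.amazonaws\.com\.?$")
# Line shapes follow the quoted log; EHLO is assumed to be logged like HELO.
CONN = re.compile(r"msd\[(\d+)\]: CONN: (\S+) -> 25\b.*?\bPTR = (\S+)")
HELO = re.compile(r"msd\[(\d+)\]: (?:HELO|EHLO) command received, args: \[([^\]]*)\]")

def is_loopback_helo(arg):
    """True when the HELO argument is a loopback address literal."""
    try:
        return ipaddress.ip_address(arg.strip("[]")).is_loopback
    except ValueError:          # a hostname, not an address literal
        return False

def scan(lines):
    """Return {client_ip: set of reasons}, pairing HELO lines to CONN by pid."""
    peer_by_pid, hits = {}, {}
    for line in lines:
        m = CONN.search(line)
        if m:
            pid, ip, ptr = m.groups()
            peer_by_pid[pid] = ip
            if EC2_PTR.match(ptr.lower()):
                hits.setdefault(ip, set()).add("generic-ec2-ptr")
            continue
        m = HELO.search(line)
        if m and m.group(1) in peer_by_pid and is_loopback_helo(m.group(2)):
            hits.setdefault(peer_by_pid[m.group(1)], set()).add("loopback-helo")
    return hits

# First two lines are from the quoted log (re-joined); the rest are constructed.
SAMPLE = [
    "Jun 18 09:58:03 be msd[1959712]: CONN: 34.229.185.73 -> 25 GeoIP = [US] "
    "PTR = ec2-34-229-185-73.compute-1.amazonaws.com OS = Linux 2.2.x-3.x",
    "Jun 18 09:58:04 be msd[1959712]: HELO command received, args: [127.0.0.1]",
    "Jun 18 10:01:10 be msd[1959800]: CONN: 192.0.2.10 -> 25 GeoIP = [US] "
    "PTR = mail.example.net OS = Linux 2.2.x-3.x",
    "Jun 18 10:01:11 be msd[1959800]: HELO command received, args: [mail.example.net]",
    "Jun 18 10:02:30 be msd[1959811]: CONN: 198.51.100.7 -> 25 GeoIP = [US] "
    "PTR = host7.example.org OS = Linux 2.2.x-3.x",
    "Jun 18 10:02:31 be msd[1959811]: HELO command received, args: [127.0.0.1]",
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE).items():
        print(ip, ",".join(sorted(reasons)))
```
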