I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc.) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc. would be both sufficient and not excessive for allowing port 25 access, etc.

On Wed, May 28, 2008 at 1:01 PM, Skywing <[EMAIL PROTECTED]> wrote:
> That's somewhat ironic of a sentiment you referred to there, given that the
> conception that one should have to hand over one's SSN for "verification" to
> anyone who asks for it is the kind of thing that many of these
> spammers/phishers thrive on in the first place...
>
> (I assume that you are not actually really advocating such a requirement
> for anyone wanting to run a mail server...)
>
> - S
>
> -----Original Message-----
> From: Sargun Dhillon [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 28, 2008 12:34 PM
> To: Steve Atkins
> Cc: nanog@nanog.org
> Subject: Re: amazonaws.com?
>
> Well the thing that differentiates "the cloud" is that there is an
> infinite amount of resources, the ability to have anonymous access, and
> the infinite amount of identities. Basically Amazon has allocated a /18,
> /19, and /17 to EC2. The chances of getting the same IP between two
> instances amongst that many possibilities is low. Basically someone
> could easily go get a temporary credit card and start up 10 small EC2
> instances. This would give them 10 public IPs which would probably take
> 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
> a matter of rebooting and you have another 3-4 hours. This could last
> weeks with a credit card. Then you could rinse and repeat. In the past
> I've seen companies require EIN/SSN verification (a bit much) in order
> to open up certain things (port 25, BGP, etc...). If Amazon is going to
> continue to have policies that allow spammers to thrive it will end with
> EC2 failing.
>
> SMTP has inherent trust issues. I'm currently researching Amazon AWS's
> static IP addresses. I think it would be easiest to block everything and
> just make exemptions for people who purchase the static IPs.
>
> My advice to you if you are buying anonymous resources would be to
> purchase an agreement with a relay that isn't part of the anonymous
> computing center.
>
> Steve Atkins wrote:
> >
> > On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
> >
> >> Has Amazon given an official statement on this? It would be nice to get
> >> someone from within Amazon to give us their official view on this. It
> >> would be even more appropriate for the other cloud infrastructures to
> >> join in, and/or have some sort of RFC to do with SMTP access within the
> >> "cloud." I foresee this as a major problem as the idea of "the cloud" is
> >> being pushed more and more. You are talking about a spammer's dream. Low
> >> cost, powerful resources with no restrictions and complete anonymity.
> >>
> >> Personally I'm going to block *.amazonaws.com from my mail server until
> >> Amazon gives us a statement on how they are planning on fighting spam
> >> from the cloud.
> >
> > "The cloud" is just a marketing term for a bunch of virtual servers,
> > at least in Amazon's case. It's nothing particularly new, just a VPS
> > farm with the same constraints and abuse issues as a VPS or
> > managed server provider.
> >
> > The only reason this is a problem in the case of Amazon is that they're
> > knowingly selling service to spammers, their abuse guy is in
> > way over his head and isn't interested in policing their users
> > unless they're doing something illegal or the check doesn't clear.
> > As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
> >
> > Cheers,
> > Steve
> >
>
> --
> +1.925.202.9485
> Sargun Dhillon
> deCarta
> [EMAIL PROTECTED]
> www.decarta.com