Amazon: Hey Spammers, Get Off My Cloud!

I am accustomed to receiving e-mail from Amazon.com, as I am a fiercely loyal customer who shops there quite frequently. But it took me by surprise this weekend to discover that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to the e-commerce giant.

I wasn't the only one who spotted it. Websense Security Labs issued an alert about the spam attacks on Monday, but it didn't name Amazon as the source. The advisory rightly noted that it had discovered "a substantial number of spam messages utilizing a reliable social engineering trick." The junk mail claims to have been sent from Microsoft, and urges the recipient to install an attached security update.

Windows users who fall for the ruse will have their systems infected with a backdoor Trojan horse program that gives the attackers easy access with which to control the infected machine from afar or upload additional malicious software. In a dig at U.S. law enforcement, the malware authors even tweaked a portion of the Web site used to host the malicious software so that a novice investigator would trace its origins back to the official Web site of the U.S. Secret Service.

But the most interesting aspect of this attack (at least to me) was left out of the Websense advisory: All of the spam came from Amazon's Elastic Compute Cloud (EC2) servers, which are marketed to companies -- mainly small to mid-sized businesses -- that want to purchase access to any number of computer applications hosted on the Internet, from data crunching and storage to on-demand computer processing power. These so-called "cloud computing" services potentially put the strength of massive computer arrays in the hands of the average user, and the service is "pay-as-you-go," so customers only pay for the resources and services they consume.

But to spammers and scammers accustomed to paying for all kinds of Web services with stolen credit cards, Amazon's service is another place to host their junk, said Suresh Ramasubramanian, head of anti-spam operations at Outblaze, a Hong Kong-based outfit that has listed all of Amazon's EC2 Internet space on its spam blocklists (to see just a few examples of this Microsoft malware spam, check out any of these three links, and then click on the "spam evidence" button).

Anti-spam group Spamhaus also has flagged a large swath of Amazon's EC2 Internet address space on its "policy blocklist," which subscribers use to block e-mail from dynamic Internet addresses known to change frequently (most often these are home-user PCs on residential broadband networks, but the addresses used by virtual servers on the EC2 service also shift constantly).

"The [numeric Internet address] for these services can shift within minutes, so if you want to block spam sent from a dynamic address, blocking just one address is not feasible," Ramasubramanian said. "Right now, if Amazon was able to control or restrict the spam issues, as well as other security incidents on that service, there would be no problems with it."

A group of security experts on the North American Network Operators Group (NANOG) mailing list have been discussing the spamming presence on EC2 for the past few days, with most dismissing Amazon's abuse response team.

"Yeah, if you can call them that," wrote Jon Lewis, the lead system administrator for Atlantic.net, an Internet service provider in Florida. "I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you're a paying customer, you can do whatever you like."

Amazon spokeswoman Kay Kinton said the company clearly advertises its abuse contact details.

"We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances," Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the fake Microsoft patches.

But Paul Vixie, founder and chairman of the Internet Software Consortium, believes spammers and malware authors will continue to make a home in Amazon's EC2 service, despite the company's best efforts. For one thing, he said, the dynamic Internet addresses will continue to remain in various spam block lists, precisely because the addresses spammers use within EC2 will constantly change. Thus, the block lists will make it very difficult for legitimate users of the service to use it for delivering e-mail.

For another, Vixie noted that the EC2 system is entirely automated, so for Amazon to try to separate legitimate users from spammers would require a significant human and technological investment. For Amazon to bring this activity to heel, he said, it would have to expend enough money that the service would no longer be profitable.

"Security is the natural prey of scale. You can't make something safe if everyone is supposed to be able to use it," Vixie said.

By Brian Krebs  |  July 1, 2008; 1:04 PM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  

Comments

Note that Amazon will terminate the _instance_. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming, and whoever blocked the previous spamming instance gets no benefit from that block. It is therefore necessary to block the entire EC2 network to avoid its spam.

Posted by: Seth Breidbart | July 1, 2008 1:37 PM

Could it be related that Amazon.com was reportedly down for a while on Friday and Monday after being hit with a DDoS attack?

http://www.hackzona.ru/hz.php?name=News&file=article&sid=8779 (in Russian)

Posted by: Gary | July 1, 2008 1:45 PM

The key observation is that while EC2 has unique advantages for customers who want to do a lot of computing, it has no particular advantage for legitimate bulk mailers, whose workload tends not to be particularly compute heavy. Couple that with some attractive features for spammers, notably the ability to hop IPs to avoid blacklists, and it's a recipe for trouble.

My advice to them would be to rate limit outgoing mail to a few messages a minute, adequate to send status reports, not to spam.

Posted by: John Levine | July 1, 2008 2:06 PM

Amazon is facing a significant technical challenge to rein in customer abuse of its dynamic EC2 ranges. The only "cheap" solutions I can see would involve severely limiting or outright blocking outgoing email from those ranges.

In addition, they need to require that any email sent from those ranges be sent through an SMTP AUTH server, which requires the user to log on first. That means blocking any attempt to run a mail server on these IPs or send email from them directly.

A note of interest to some: the Spamhaus listing is a PBL listing, not an SBL listing. These are very different things: an SBL listing means "this IP range is inhabited by spammers", while a PBL listing means "this IP range should send email only through an SMTP AUTH server." Many ISPs list their own dynamically-assigned IP ranges in the PBL and manage those listings themselves.

In other words, a PBL listing is not a black mark. It does not mean that there is a problem with that IP range. It just means that this isn't an IP that should be running a mail server or sending email directly to other users.

I suspect that someone at Amazon with more marketing experience than technical experience conceived of the EC2 service. Unfortunately either nobody at Amazon spoke up about the huge spam and abuse implications, or if they did, Amazon didn't listen. Ignoring these issues carries a price. Amazon can count itself fortunate if that price is limited to a spam block at Outblaze. If they are wise, they will take this as a wakeup call.

Posted by: Catherine Jefferson | July 1, 2008 4:10 PM

It would also help if Amazon could expose a way to look up customer IDs from the IP address of the EC2 nodes they're using -- either via WHOIS or through rDNS. Even a customer ID number would allow anti-spam people to correlate a single customer's activity as they start up and shut down EC2 nodes.

I agree that Amazon need to sort this out before more blocks appear...

Posted by: Justin Mason | July 1, 2008 4:54 PM

No legitimate application is going to use EC2 for outgoing mail due to the many problems running a mail server on a host with a dynamic IP address and to the EC2 IP ranges being flagged. Therefore, I don't see any reason why Amazon shouldn't simply block outgoing traffic on port 25 from EC2 instances.

Posted by: Hans | July 1, 2008 11:29 PM

Spamhaus is tough; they block the entire ISP of India's second largest telecom company, Reliance Communications.

Any email sent from a Reliance internet connection is spam ... would be the same as blocking Verizon customers.

Posted by: gregory | July 2, 2008 1:00 AM

Reliance has a couple of major problems.

1. Their CDMA dialup pool (cellphone modem based internet connectivity) is a dynamic pool - so yes, that would be blocked.

2. Their datacenter has a lot of spam issues in it - hosted spammers. And they also took over a provider in the USA - Yipes - and renamed it Reliance Globalcom, and Yipes has a huge number of spam issues on their network.

Note the number of yellow highlighted SBL listings - those are for "ROKSO" spammers, known large scale spammers who have been kicked off at least 3 ISPs for spam in the past.

http://www.spamhaus.org/sbl/listings.lasso?isp=yipes.com

http://www.spamhaus.org/sbl/listings.lasso?isp=relianceada.com

http://www.spamhaus.org/sbl/listings.lasso?isp=relianceglobalcom.com

Posted by: Suresh Ramasubramanian | July 2, 2008 1:22 AM

I hate it when they don't disclose the culprit. To protect the culprit? Why not think about protecting ordinary Joes and Josephines?

Great article as always, Bk!

Posted by: Rick | July 2, 2008 5:20 AM

@Suresh:

Spamhaus. Their funny cookies page. Click yes to approve and you go through. Click no and they take you to a TOU page where it says you have to agree to even visit the site? But funniest is clicking 'I'm not sure' - you get the cookies anyway!

Posted by: Rick | July 2, 2008 5:34 AM

Yup. Click through and accept the terms of use. They've had more than one spammer sue them, which is why there's that stuff there.

Posted by: Suresh Ramasubramanian | July 2, 2008 5:39 AM

'No legitimate application is going to use EC2 for outgoing mail'

That's incorrect. I do. It's trivial to get an exception in the Spamhaus PBL, by design, and our mail relay on EC2 hasn't needed a change of IP address in months. Assuming that EC2 nodes will never send non-spam mail is a mistake.

Posted by: Justin Mason | July 2, 2008 5:53 AM

Scary stuff, back doors and trojans. I'll be writing a paper soon on how to take malware apart ;)

Posted by: billy | July 2, 2008 7:56 AM

It's curtain call for EC2:

Say good-bye to Amazon profits and "customer ease of use", but "victim-hostile" service design:

67.202.0.0/18
72.44.32.0/19
216.182.224.0/20
75.101.128.0/17

And yes, the blocks really say "In case our service victimizes you, please spend this excessive amount of human resources on your side, or we can't do anything - sorry, it's a failure in our design!"

Comment: This network is a member of a dynamic hosting
Comment: environment. See http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.


Posted by: Kai | July 2, 2008 5:33 PM

There will be continuous spamming from EC2 despite Amazon's attempts, and the only way to stop these nuisances is to change the spam filtering system. I changed my spam filtering system to Abaca's Email Protection Gateway service. Abaca's ReceiverNet technology characterizes each protected user based on the percentage of spam they receive and then uses those reputations to rate the incoming message flow. I found that Abaca's ReceiverNet service has 99% efficiency in blocking spam mails and they guarantee their results. Download the Osterman Research white paper from this link http://abaca.com/downloads/A%20New%20Approach%20to%20Defeating%20Spam.pdf for more information.

Posted by: Michael | July 4, 2008 12:01 AM

Compare credit cards with Australia's leading financial comparison web site, Credit World.

http://www.creditworld.com.au/credit-cards.html

Posted by: Credit Cards | July 7, 2008 3:38 AM

One way to fight spam is to hit the origin of the spam. Fine the companies that hire the spammer. Just go after the company/product that was featured in the spam. The only way to get them off the hook is to turn over the info on the spammer that they hired.

Posted by: Jim | August 26, 2008 3:57 PM


© 2010 The Washington Post Company