nanog mailing list archives

RE: Suggestions for a more privacy conscious email provider


From: Edwin Pers <EPers () ansencorp com>
Date: Wed, 6 Dec 2017 18:12:46 +0000

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Gordon Ewasiuk via NANOG
Sent: Wednesday, December 6, 2017 12:30 PM
To: nanog () nanog org
Subject: Re: Suggestions for a more privacy conscious email provider

Suggesting AWS doesn't care seems...well...inaccurate.

-Gordon

This is all anecdotal so take it as you will.
In 2016 I filed a total of 76 reports either via their web form or by emailing their abuse email directly. Every single one got this in reply:

After submitting the initial abuse report (providing all the information they ask for in an initial report):
Hello,
Thank you for your abuse report. We were unable to identify the customer responsible for the reported activity. Due to the frequency with which AWS public IP addresses can change ownership, we will need additional information in order to identify the responsible customer(s).

Then a few days later, after replying back to their email with the same content that was in the initial abuse report:
Hello,
This is a follow up regarding the abusive content or activity report that you submitted to AWS. We have investigated this report, and have taken steps to mitigate the reported abusive content or activity. Due to our privacy and security policies we are unable to provide details regarding the resolution of this case or the identity of our customer.
We are committed to mediating reports of abusive content or activity to the satisfaction of both the reporters and our customers. If you believe the reported content or activity persists, or are not satisfied with the resolution of this case, please reply directly to this message with more information. Your response should include the most recent activity logs or web location of the content that you have available that indicates that the activity or content persists, as well as a clear, succinct explanation of what you expect of us and our customer.

Thank you for bringing this matter to our attention.

Regards, 
AWS Abuse Team

So yes, it would //appear// that they do care. They do have an abuse team and they're very good at sending out those 
canned emails and making you think they've done something.

But here we are in 2017 and I'm still seeing the exact same attempts from the exact same IPs that I reported in 2016.
The way I see it, there are only two explanations:
A bunch of people are running the same exact bots that use the same exact source ports and they all just happened to get the same set of public v4's assigned to them and they all just happened to target all of my sites at the exact same rate.

or 

AWS didn't actually do anything about it.

(Yes, none of that applies to their SES service, but there's nothing stopping someone from running postfix on an EC2 instance. I won't comment on how the SES team there handles things, because I haven't had any dealings with their abuse team.)


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Filip Hruska
Sent: Wednesday, December 6, 2017 12:55 PM
To: nanog () nanog org
Subject: Re: Suggestions for a more privacy conscious email provider

SES can't hit your firewall with bots, it's just an email service.

Maybe you meant EC2? And as I said earlier, if you have correctly set up
firewall and servers, port scanning or bots can't hurt you in any way.


--
Filip Hruska
Linux System Administrator


I don't remember mentioning SES in this thread before today. But as Rich said earlier:

And the latter is the problem: we are faced, unfortunately, with massive
operations that were designed, built, and deployed without the slightest
consideration for responsible behavior toward the rest of the Internet.
All the rest of us are paying the price for that arrogance, incompetence
and negligence: we're paying for it with DoS/DDoS defenses, with spam
and phish defenses, with brute-force attack defenses, with time and
money and computing resources,  with complexity, with late nights and
early mornings, with annoyed customers, and -- on the occasions when those
defenses fail -- devastating consequences for organizations and people.

These costs aren't always obvious because they're not highlighted line
items in an accounting statement.  But they're real, and they're huge.

How huge?  Well, one measure could be found in the observation that
there's now an entire -- large and growing -- market segment that
exists solely to mitigate the fallout from these operations.

And those same massive operations are doing everything they possibly
can to avoid hearing about any of this.  That's why abuse@ is effectively
hardwired to /dev/null.  And I note with interest that nobody from AWS
has had the professionalism to show up in this thread and say "Gosh, we're
sorry.  We screwed up.  We'll try to do better.  Can you help us?"

Because we would.


I agree, the dumber bots won't cause any harm (beyond the wasted bandwidth).
But every now and then there's a slightly smarter and more targeted bot run by someone who actually knows how to use nmap. New exploits are discovered every day, and as we all know the ones that are made public are in the minority.
I know I'd sleep better at night knowing that one of the largest cloud providers would do something about it. I'm sure most of you would agree.



I'll leave it at that.

-Ed

