Amazon Dot Spam

I have been using Amazon AWS servers for years to host large videos and to store backup files in their S3 service.  But apparently their servers have also become the home of a lot of spammers and bots.   I have been in the process of locking down the security of my climate blog, testing changes that I will then migrate here (Incapsula front end, Disqus comments, a package of improved wordpress security changes, and ZB Block to catch what still makes it through.  I am not naive enough to think that I am safe from hackers, but I can at least be safe from stupid, lazy, or automated ones.

Anyway, I probably don't see a lot of the bots any more because they hit either Disqus or Incapsula.  But a great number still get through, and if they are persistent they get banned.  What amazed me was that of the first 22 IP's banned, 9 were on the Amazon AWS servers.

My sense is that this is one of those classic tragedy of the commons issues, which happens when valuable resources are essentially free.  I had an idea years ago, that I still like, that charging a tenth of a cent to pass each sent email would shut spam down.   You and I might spend five cents a day, but spammers would be hit with a $10,000 charge to email their 10 million name lists, which would kill their margins.  Don't know if there is a similar approach one could take for bots.

12 Comments

  1. Brad Warbiany:

    "I had an idea years ago, that I still like, that charging a tenth of a cent to pass each sent email would shut spam down."

    You're probably right.

    But who would charge it? If gmail wanted to charge $0.001 per email to its customers, customers might easily leave for other services. And if it's dependent on the host service, then spammers like these would simply choose free services (or, more likely, just set up their own servers. Would it be charged by network providers? I'm not sure how, as they route packets where they're supposed to go, without necessarily knowing whether those packets are email or other.

    Would it be the government? That brings in a host of dangerous questions (including, of course, the question of what the government does regarding email sent internationally -- does an email sent from France to me get a different rate (and charged at a different jurisdiction) than an email I send to Germany?

    Your proposal makes perfect sense -- take what is an economically "free" event that is mucking up the system and assign a cost to it such that it no longer remains free. Heck, Felix Salmon just suggested the same thing regarding HFT: http://blogs.reuters.com/felix-salmon/2012/08/06/chart-of-the-day-hft-edition/ -- I.e. a *tiny* financial-transactions tax isn't large enough to affect individual investors, but it in itself could turn HFT from profitable to unprofitable. But the devil's in the details, and while a stock market is a captive environment where parties are known and the cost of entry is accountability, that is not true of email. So the devil's in the details.

  2. Brad Warbiany:

    Conversely, back in 2008 I had a different idea:

    http://www.thelibertypapers.org/2008/08/07/open-thread-a-free-market-solution-to-spam/

    The other day, though, I was thinking about it. These Nigerian phishing scams are not rocket science. There is a way to defeat them, without requiring government force. I thought of it as a merely personal idea: I would reply to every Nigerian scam email I receive, stringing the spammer along (making him think he’s swindling me) for several days or weeks, until eventually the spammer leaves me alone as he realize he’s wasted his time. Get enough of them to realize that they’re wasting their time by inducing a high rate of “false positive” responses, and they might look for other ways to scam people out of income.

    Frankly, though, I just don’t have time for that. I barely have time to respond to important emails any more; I certainly don’t have time to engage in this sort of counter-spam behavior. The amount of effect I could cause would be miniscule in relation to the number of emails they send out. I simply can’t create enough false positives to dissuade them from their task…

    But hotmail/yahoo/gmail can! Think about it. They make their living by doing things such as spam filtering, and as someone who receives a great deal of spam on a daily basis (the downside to having a publicly-accessible email address), an effort by the major email service providers would have both the scope and the size to effect some change. They have the incentive– competition with other email providers and protection of their users– and they have the resources.

    For the scam artists, the keys to success are a high target rate (to maximize response), a low false positive response rate (because it does no good for non-dupes to respond), and a high conversion rate extracting the money from respondents. Creating a situation where there would be an overwhelming number of false positives in the system would increase the response rate, and thus reduce the conversion rate. Thus, it dramatically increases the cost of attempting to extract money, because the spammers will need to treat both the dupes and the false positives equally.

    For a major email provider to assign a bank of interns to a job like this may even improve their subscriber base, as they can advertise a more spam-free email experience than their competitors. The spammers aren’t dumb. If they realize that sending spam to hotmail is likely to result in wasted time, but gmail and yahoo aren’t participating in these counter-spam tactics, they’ll stop sending to hotmail. The major email providers have the size and efficiency to engage in behavior such as this when busy guys like myself simply can’t afford the time to attempt it. All this, without relying on Congress.

    There are numerous technology methods for combating spam. This would be a human way to do so. It increases the "cost" to the spammers without requiring some huge collection/tracking system, most likely administered by government, and which has a high likelihood of infringing liberty.

  3. Johnathan:

    "I had an idea years ago, that I still like, that charging a tenth of a cent to pass each sent email would shut spam down. You and I might spend five cents a day, but spammers would be hit with a $10,000 charge to email their 10 million name lists, which would kill their margins."

    This is one of those "wouldn't it be nice?" ideas that falls apart upon examination.

    Charged by whom? Their ISP? Your ISP? You? The government? Who would force this to happen? How would prices be set?

    If I am an ISP, and someone is being charged (and not by me) for the emails they send, am I required to handle their traffic? Would I be responsible for them, since their email would be originating on my network?

    Would there be a single per-email price? Would large emails cost the same as small emails?

    What about people who run (like me) many thousands of subscribers mail reflectors (mailing lists)? Would the sender of a list email be charged for the thousands of emails that get replicated and sent out? Would I have to? Would the subscribers have to pay to receive list emails, in order to defray the costs of the mailing list provider?

    Saying "charging a tenth of a cent", without specifying who would be doing the charging and who would be doing the paying, and whether the all the actors involved are acting voluntarily or not, glosses over anything to do with the actual processing of sending and receiving email.

    Johnathan

  4. Daublin:

    The sender would buy electronic stamps that are only redeemable by a given recipient, and the stamp service would take a cut. Most ISPs would offer a stamp service as part of their package, so that most users don't have to think about it any more than they think about where they get DNS from.

    I suspect the reason it hasn't caught on is that people just don't care enough. The automated spam tools do well enough that we just carry on with it, much the way we carry on using credit cards even though they have significant overhead for the fraud detection.

  5. Ian Random:

    Tangentially related, but I wish in your email preferences you could whitelist countries. I'd just whitelist the US and the UK, that would be it for me. I realize your example wouldn't apply for that idea.

  6. David Zetland:

    Yes, since they "only" make $200 million per year: http://tinyurl.com/cnowms4

    It's also no big deal to refund that email fee for users who do not get reported as spammers...

  7. Mike Soja:

    I block all Amazon AWS visitors that I see, about fifteen different IP ranges, so far, and automatically block new bots, many of which come via Amazon's cloud.

  8. IGotBupkis, Legally Defined Cyberbully in All 57 States:

    I've always been a fan of the automated white list notion... create an add-on for the major browsers that collects feedback from users on what/who is sending out spam, then you could turn on a "% through" allowed to control it to a fairly manageable level (the reason to limit it to only a % rather than whole-blockage is to get feedback on falsely-flagged addresses, too -- you KNOW people are going to report stuff they "don't like" as spammers even if they are completely on-topic and polite).

    Add to that a mechanism to appeal such and "reset to zero" based on the spam-reports and it should do a fairly decent and equitable job cutting down on spam.

  9. IGotBupkis, Legally Defined Cyberbully in All 57 States:

    .

    >>>>> The other day, though, I was thinking about it. These Nigerian phishing scams are not rocket science. There is a way to defeat them, without requiring government force. I thought of it as a merely personal idea: I would reply to every Nigerian scam email I receive, stringing the spammer along (making him think he’s swindling me) for several days or weeks, until eventually the spammer leaves me alone as he realize he’s wasted his time. Get enough of them to realize that they’re wasting their time by inducing a high rate of “false positive” responses, and they might look for other ways to scam people out of income.

    BWAAAAhahhahahahhaahhaaaa:

    419 Eater

    One of my own favorites -- VERY extended, but he actually baits the guy into spending REAL money on him!!

    .

  10. NL_:

    Maybe you could structure it so that your email provider charges people to email you, unless they appear on a free list that you create and modify. Which in practice would look a lot like blocking emails not on an approved sender list, which basically any email program can already create.

  11. jay:

    I do hope that doesn't mean you are going to go to using Disqus (or Facebook/Google) as the only choices for comment login.

    I (and I expect others who are concerned with privacy) don't use any those single sign on services.

  12. SuperMike:

    I don't know whether you were the first one to suggest it, or not, but this is actually a business now. See amazon's http://aws.amazon.com/ses/ and sendgrid's service http://sendgrid.com/

    They both so some kind of work to maintain good mail "citizenship", but I think the bulk of it is that they charge a (pretty small) fee per message, so it's clear that pure spammers won't use it.