Last year I wrote a blog post titled Spammers in Space, describing how webmail spam from Africa often uses satellite internet connectivity. Well, now it seems that spammers are in the clouds!
Cloud computing is becoming increasingly popular as it allows a business to quickly and cost-effectively deploy additional servers based on demand. Third-party providers own huge server farms and share the hardware among users. For new Web 2.0 startups it's an ideal way to effectively rent a server on an hourly basis rather than paying the outright hardware costs. It is an excellent service and we use it to bring up a huge number of machines for short durations of load testing.
However, the model is open to abuse because a new IP address, owned by the cloud computing provider, is typically allocated when a new instance of a server is created. It has been speculated for quite a while that this could be used to send spam, but now it's actually happening. The Washington Post covered the use of cloud services to send malware. Our Technical Advisor, Justin Mason, recently blogged about the issue, and the story appeared on Slashdot with the comment:
"EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list [...] However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough."
So what does this mean? Because the current Anti-Spam Policy enforcement in cloud services appears to revolve around terminating the instance rather than the account, it's very open to spam abuse. The anti-spam community needs to protect its customers, so it is forced to list the IP space on blocklists. For example, Spamhaus has marked the EC2 address space in its PBL (Policy Blocklist), which is widely used to block e-mail from dynamic IP space. Any Web 2.0 companies using cloud computing will need to realize that there's a high probability that e-mails sent directly from the cloud to the recipient's MTA could be rejected as spam.
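A company sending mail from cloud instances can check whether an outbound address falls in PBL-listed space before relying on direct delivery. The sketch below is an added example, not code from this post or from Spamhaus; the zone name `pbl.spamhaus.org` and the return codes are taken from Spamhaus's public documentation as assumptions, the function names are hypothetical, and the sample zone data uses constructed documentation addresses so it runs offline.

```python
import ipaddress
import socket

PBL_ZONE = "pbl.spamhaus.org"  # assumption: Spamhaus's public PBL zone, not named in the post
PBL_CODES = {"127.0.0.10": "listed by the network owner",
             "127.0.0.11": "listed by Spamhaus"}

def dnsbl_query_name(ip, zone=PBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []  # NXDOMAIN: the address is not in the zone
        raise          # timeouts and the like must not be read as "not listed"
    return sorted({info[4][0] for info in infos})

def pbl_status(ip, resolver=system_resolver):
    """Classify one sending IP as 'listed', 'not listed' or 'query error'."""
    answers = resolver(dnsbl_query_name(ip))
    if not answers:
        return "not listed", None
    # 127.255.255.x answers mean the query itself was refused
    # (for example, sent through a public resolver), not a listing.
    for a in answers:
        if a.startswith("127.255.255."):
            return "query error", a
    for a in answers:
        if a in PBL_CODES:
            return "listed", PBL_CODES[a]
    return "query error", answers[0]  # unexpected code: do not guess

# Constructed sample data (documentation IP ranges) so the example runs offline.
SAMPLE_ZONE = {
    "10.2.0.192.pbl.spamhaus.org": ["127.0.0.11"],
    "7.100.51.198.pbl.spamhaus.org": ["127.255.255.254"],
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, pbl_status(ip, sample_resolver))
```

Calling `pbl_status(ip)` without the second argument uses the system resolver; a "query error" result means the lookup path needs fixing, not that the address is clean.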