Unsurprisingly, Amazon is now running a mail spamming service

May 22, 2015

I recently got email from an amazonses.com machine, cheerfully sending me a mailing list message from some random place that desperately wanted me to know about their thing. It was, of course, spam, which means that Amazon is now in the business of running a mail spamming service. Oh, Amazon doesn't call what they're running a mail spamming service, but in practice that's what it is.

For those that have not run into it, amazonses.com is 'Amazon Simple Email Service', where Amazon carefully sends out email for you in a way that is designed to get as much of it delivered as possible and to let you wash annoying people who complain out of your lists as effectively as possible (which probably includes forwarding complaints from those people to you, which is something that has historically caused serious problems for people who file complaints due to spammer retaliation). I translate from the marketing language on their website, of course.

In the process of doing this amazonses.com sends from their own IP address space, using their own HELO names, their own domain name, and completely opaque sender envelope address information. Want to get some email sent through amazonses.com but not the email from spammers you've identified? You're plain out of luck at the basic SMTP level; your only option is to parse the actual message during the DATA phase and look for markers. Of course this helps spammers, since they get a free ride on the fact that you may not be able to block amazonses.com email in general.
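The DATA-phase check described above, sketched as an added example (not code from the original post): once the envelope sender shows the message came through amazonses.com, the sender-identifying headers are compared against a local blocklist. The blocklist entry, the sample messages, the choice of headers and all function names are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

SHARED_RELAY = "amazonses.com"
BLOCKED_DOMAINS = {"spammer.example"}  # hypothetical local list of identified senders

# Constructed sample messages (not real mail).
SAMPLE_SPAM = (b"From: Deals <news@mail.spammer.example>\r\n"
               b"DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel; b=abc\r\n"
               b"List-Unsubscribe: <https://spammer.example/u?id=1>\r\n"
               b"Subject: Our thing\r\n\r\nBuy now.\r\n")
SAMPLE_OK = (b"From: Billing <billing@shop.example>\r\n"
             b"Subject: Your receipt\r\n\r\nThanks.\r\n")

def addr_domain(addr):
    """Domain part of an address, or '' if there is none."""
    _, at, dom = parseaddr(addr or "")[1].rpartition("@")
    return dom.lower() if at else ""

def under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def marker_domains(raw_message):
    """Domains in the headers that point at whoever is really sending."""
    msg = email.message_from_bytes(raw_message)
    found = set()
    for name in ("From", "Sender", "Reply-To"):
        found.update(addr_domain(v) for v in msg.get_all(name, []))
    for v in msg.get_all("DKIM-Signature", []):
        found.update(d.lower() for d in re.findall(r"\bd=([^;\s]+)", v))
    for v in msg.get_all("List-Unsubscribe", []):
        found.update(h.lower() for h in re.findall(r"https?://([^/>\s:]+)", v))
        found.update(h.lower() for h in re.findall(r"mailto:[^@>\s]+@([^>?\s,]+)", v))
    found.discard("")
    return found

def decide(envelope_from, raw_message):
    """Verdict once DATA has been received; the envelope only says 'via SES'."""
    if not under(addr_domain(envelope_from), SHARED_RELAY):
        return "pass"  # not from the shared relay; ordinary SMTP-level rules apply
    hits = sorted(d for d in marker_domains(raw_message)
                  if any(under(d, b) for b in BLOCKED_DOMAINS))
    return "reject: " + ", ".join(hits) if hits else "accept"

if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_OK):
        print(decide("0000014d-constructed@amazonses.com", sample))
```

Because the verdict depends on headers, it can only be issued after the whole message has been transferred, which is the cost the paragraph above is pointing at.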

I'm fairly sure that Amazon does not deliberately want to run a mail spamming service. It's just that, as usual, not running a mail spamming service would cost them too much money and too much effort and they are in a position to not actually care. So everyone else gets to lose. Welcome to the modern Internet email environment, where receiving email from random strangers to anything except disposable email addresses gets to be more and more of a problem every year.

(As far as I can tell, Amazon does not even require you to use their own mailing list software, managed by Amazon so that Amazon can confirm subscriptions and monitor things like that. You're free to roll your own mail blast software and as far as I can tell my specific spammer did.)


Comments on this page:

Interesting. As an AWS consumer using SES, I was told in very stern words to let Amazon scan outgoing email for anti-spam purposes. Ostensibly, to prevent spam from being sent out in the first place. Apparently, that didn't work. I wonder if there is any information in the email to report it to Amazon.

Yep, Amazon SES is nothing but a giant spam cannon. It's essentially an HTTP API direct to the Internet's port 25. I put it in the blocklist years ago, and have never had cause to regret that decision.

By cks at 2015-05-23 16:02:12:

Amazon can only remove obvious, crude spam from outgoing SES email, and no competent spammer is going to send that sort of stuff. Without involving themselves in the list management, Amazon can't tell smart spammer UBE from legitimate mail sending because the problem is exactly that 'unsolicited' bit. So in my view, scanning outbound SES email is pretty much just to make sure that people are not sending viruses or obvious advance fee fraud or phish spam or whatever, either deliberately or by accident because their SES credentials/etc have been compromised.

Written on 22 May 2015.


Last modified: Fri May 22 01:04:18 2015