Mailing List CGatePro@mail.stalker.com Message #106053
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: amazonaws.com Chinese spam passes DKIM/DMARC
Date: Sat, 09 Apr 2016 16:35:47 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.4r5234)
On 8 Apr 2016, at 10:34, Gib Henry wrote:

I’m getting a lot of spam from China via amazonaws.com.  It passes amazonaws.com’s DMARC/DKIM, so they’re authenticating it as legitimate.

That seems improbable. Can you share a raw example with unmunged full headers? DKIM (& DMARC using DKIM) is normally applicable to the domain in the From header, not the envelope sender address (as SPF is) or client hostname. I haven't seen amazonaws.com in a From header *ever* despite having systems that see big fat flows of spam, and I want to make sure I understand what you're seeing.

I keep reporting it to SpamCop, which says it’s reporting it to the originating site in China (good luck with that!), but SpamCop also says amazonaws.com doesn’t accept their reports.

Given that Amazon has been spamming postmaster@scconsult.com intermittently for ~20 years despite complaints and the fact that they acquired it via illegitimate means (long story including a failed experiment by me 21 years ago), I see SpamCop's devnulling of Amazon reports as rational.

1.  I’ve seen references to amazonaws.com as being widely abused.

It has been, but sporadically. Less so in 1Q2016 than in any quarter of 2015 though, as far as I can see, but far from zero abuse. YMMV.

Is reporting it to SpamCop generally effective, or a waste of time?

Ask Cisco (the current owners of SpamCop.)

Back when Julian Haight ran SpamCop independently, he claimed the devnulled complaints were somehow used in a statistical manner that he never made clear. After IronPort bought it, the public face of SpamCop narrowed and I didn't see anyone (even SC deputies) discussing the stats being used in any way, and since the Cisco acquisition that silence has held, although the collection of stats is still clearly happening. It is maybe relevant that Cisco runs a variety of mail security projects, some of which came from IronPort and others from their own prior work, and it is not at all clear how they gather data. I prefer to believe that it is from SpamCop reports and not from surreptitiously snooping on the SMTP traffic going through every Cisco device...

Bottom line: it can't hurt and may help Cisco with some business services AND some public services like the SpamCop BL and SenderBase. I use SpamCop reporting for the stuff that makes it through to me (not much these days) because I'm too lazy to reconstruct my old Eudora-based one-key reporting tool or manually report everything, but I can't bring myself to "Just Hit Delete" as urged by all the early unapologetically public spammers.

2.  What are the implications to legitimate email if I block amazonaws.com?

Minimal. There's a good chance that you're already rejecting 99%+ of mail coming from Amazon's network space since it has long had a terrible reputation. SpamHaus has had various policies over time, including listing all AWS/EC2 space at one point on the PBL. As a consequence, no one who knows and cares much about deliverability sends directly out of Amazon's sewer. Even Amazon themselves uses mostly distinct address ranges lacking the AWS taint for sending their own mail. On my personal system (where there are a handful of users, all of whom are in the habit of reporting EVERY missed spam and EVERY failure to receive expected mail to me...) it has been over a year since I've been offered legitimate mail by a machine with rDNS in *.amazonaws.com and while the rate of random misbehaviors from such machines has been less recently than in the recent past, it remains varied and non-zero.

Conversely, there are a couple of cases on other systems where I've had to do inelegant things to accommodate customers (i.e. PAYING users) who wanted to receive mail being sent in technically bad ways from specific AWS/EC2 processes operating on behalf of them or their business partners. The things we do for money...

I do occasionally order stuff from Amazon, but their transaction-related email comes from domains like amazon.com, amazon.co.uk, and amazon.it.  However, I also get some legitimate notification email from vendors like Orbicule (Undercover) from that domain.

One nice thing about CGP is that the antispam tools and the router can be used together to exclude MOST mail from some set of systems but drill holes in that for special cases. Also possible with custom SpamAssassin rules if you use SpamAssassin.
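The alignment point made above (DKIM and DMARC key off the From header domain, SPF off the envelope sender) is easy to check mechanically. The following is an added example, not code from the list or from CommuniGate: it takes the authentication outcomes as given and evaluates DMARC identifier alignment for a constructed message whose DKIM d= is amazonaws.com but whose From domain is example.org. The Return-Path header is assumed to carry the envelope sender, and organizational-domain matching is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
import re
from email import message_from_string

# Constructed sample: DKIM signed by amazonaws.com, but From is example.org.
SAMPLE_MISALIGNED = """Return-Path: <bounce-0123@amazonaws.com>
From: "Some Sender" <sender@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazonaws.com;
 s=constructed; h=from:to:subject; bh=AAAA; b=BBBB
Subject: constructed sample

body
"""

# Constructed sample: subdomain identifiers, aligned under relaxed mode only.
SAMPLE_ALIGNED = """Return-Path: <bounce-0123@bounce.example.org>
From: "Some Sender" <sender@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.org;
 s=constructed; h=from:to:subject; bh=AAAA; b=BBBB
Subject: constructed sample

body
"""

def org_domain(domain):
    # Simplification: last two labels (wrong for e.g. example.co.uk).
    return ".".join(domain.lower().strip().split(".")[-2:])

def aligned(auth_domain, from_domain, mode="relaxed"):
    # mode mirrors the DMARC adkim/aspf tags: "r" (relaxed) or "s" (strict).
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "strict" else org_domain(a) == org_domain(f)

def addr_domain(value):
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""

def dmarc_alignment(raw, dkim_passed=True, spf_passed=True, mode="relaxed"):
    # Signature/SPF verification is assumed done elsewhere; this only
    # answers whether a pass would count toward DMARC for the From domain.
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    env_dom = addr_domain(msg.get("Return-Path"))
    dkim_doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            dkim_doms.append(m.group(1).lower())
    dkim_ok = dkim_passed and any(aligned(d, from_dom, mode) for d in dkim_doms)
    spf_ok = spf_passed and bool(env_dom) and aligned(env_dom, from_dom, mode)
    return {"from": from_dom, "dkim": dkim_doms, "envelope": env_dom,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}
```

For the misaligned sample the DKIM signature verifies for amazonaws.com yet contributes nothing to DMARC for example.org, which is why a genuine "passes DMARC" result would need amazonaws.com itself in the From header.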