It had to happen
Monday, June 30th, 2008

Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft"
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue. For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience. To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process. Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support

The link points to a phishing site:
http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet
So far, so standard. The interesting bit is in the headers of the message:
Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26) by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft"

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.
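
A triage check for the two artifacts quoted in this post, added here as an example and not part of the original post: it pulls the connecting relay out of the Received header and confirms the EC2 host name embeds the recorded IP, then decodes the redirector's `url` parameter to show the real destination host. The function names, the `url` parameter default and the comparison against `microsoft.com` are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Values copied from the post (recipient and redirector host were redacted as XXX).
RECEIVED = ('from ec2-75-101-198-26.compute-1.amazonaws.com '
            '(HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26) '
            'by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000')
LINK = ('http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E'
        '00000000000000000000000000000000000000000000000000000000000000%2Enet')

# EC2 public host names encode the instance's IPv4 address as ec2-a-b-c-d.
EC2_NAME = re.compile(r'^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z0-9-]+\.amazonaws\.com$')

def relay_from_received(header):
    """Return (host_name, helo, ip) from a header in the format shown in the post."""
    m = re.search(r'from (\S+) \(HELO (\S+)\) \((\d+\.\d+\.\d+\.\d+)\)', header)
    return m.groups() if m else None

def is_ec2_relay(header):
    """True when the relay's host name is an EC2 name that matches the recorded IP."""
    relay = relay_from_received(header)
    if not relay:
        return False
    name, _helo, ip = relay
    m = EC2_NAME.match(name.lower())
    # The IP written by the receiving server is the trustworthy field; the name must agree.
    return bool(m) and '.'.join(m.groups()) == ip

def redirect_target(link, param='url'):
    """Decode the destination host carried in a redirector's query string."""
    values = parse_qs(urlparse(link).query).get(param)
    return urlparse(values[0]).hostname if values else None

def impersonates(hostname, brand_domain):
    """True when brand_domain appears in the host but is not its rightmost labels."""
    host = hostname.lower().rstrip('.')
    owned = host == brand_domain or host.endswith('.' + brand_domain)
    return brand_domain in host and not owned

if __name__ == '__main__':
    print('relay:', relay_from_received(RECEIVED), 'EC2:', is_ec2_relay(RECEIVED))
    host = redirect_target(LINK)
    print('real destination:', host, 'lookalike:', impersonates(host, 'microsoft.com'))
```

Host names are read right to left, so the destination here belongs to the long all-zero `.net` domain, with `update.microsoft.com` only as a subdomain prefix.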