[Mailman-Users] Amazon SES and Verified Senders

Rich Kulawiec rsk at gsp.org
Tue Jan 15 03:26:48 CET 2013

On Fri, Jan 11, 2013 at 09:27:23AM -0800, Duane Winner wrote:
> Does anyone have any ideas on how to deal with this? [snip]

Amazon's cloud has been a prolific long-term source of spam and other
forms of abuse (e.g., brute-force ssh attacks).  Thus it's long since been
a best practice to refuse all email from hosts in compute-1.amazonaws.com
and compute.amazonaws.com subdomains, and no doubt unless serious efforts
are made to address this, blocking of incoming SMTP connections from
Amazon's cloud will eventually increase in both scope and coverage.

Not that this is your fault, of course.  But unless you can convince
Amazon to take an active interest in controlling *outbound* abuse from
their operation, there's little you can do about it.

So my recommendation is to set up a VPN tunnel from your Mailman host
to a (secure) SMTP relay outside their network space.  (And of course
outside other problematic network spaces; check Spamhaus and similar
resources first.)  Let the host inside Amazon do the heavy lifting of
running Mailman and so on, let the one outside do the simple work of
just relaying outbound traffic.  OpenBSD+postfix+BIND on very low-end
hardware should suffice, and as long as it only relays traffic handed
off via the VPN, you should be okay.

(Incidentally, verifying senders has no anti-spam value.  I get spam by
the megabyte in my spamtraps all day, every day, from verified senders
and from verified hosts.)
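Added example, not part of the original post: one way to check that the outside relay described above accepts mail only from the VPN, by auditing its Postfix main.cf. The tunnel subnet 10.8.0.0/24, the two sample configurations, and the function names are constructed assumptions; the smtpd_relay_restrictions check assumes Postfix 2.10 or later.

```python
import ipaddress

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed tunnel subnet (constructed)
REJECTS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}

def parse_main_cf(text):
    """Parse main.cf 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def relay_findings(text, vpn_net=VPN_NET):
    """Return reasons this relay would accept mail from outside the VPN."""
    p, out = parse_main_cf(text), []
    nets = p.get("mynetworks", "").replace(",", " ").split()
    if not nets:
        out.append("mynetworks unset: trust falls back to mynetworks_style")
    for n in nets:
        try:
            net = ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
        except ValueError:  # lookup table or hostname, cannot be judged here
            out.append(f"mynetworks entry {n} is not a literal network; review by hand")
            continue
        if net.is_loopback:
            continue
        if net.version != vpn_net.version or not net.subnet_of(vpn_net):
            out.append(f"mynetworks trusts {n}, outside the VPN subnet")
    if p.get("inet_interfaces", "all") == "all":
        out.append("inet_interfaces = all: SMTP listener reachable outside the tunnel")
    rules = p.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if rules and rules[-1] not in REJECTS:
        out.append("smtpd_relay_restrictions does not end in a reject rule")
    return out

# Constructed sample configurations: a relay that trusts everyone, and one bound to the VPN.
WEAK = "mynetworks = 127.0.0.0/8, 10.8.0.0/24, 0.0.0.0/0\ninet_interfaces = all\n"
HARDENED = """\
mynetworks = 127.0.0.0/8 [::1]/128
    10.8.0.2/32
inet_interfaces = 127.0.0.1, 10.8.0.1
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""
```

An empty list from relay_findings() means every trusted network is loopback or inside the tunnel subnet and the listener is not bound to all interfaces.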


