Could Amazon's bulk-email service spawn spam and malware?

Simple Email Service and Amazon Web Services could be potent combo for businesses and developers, no matter which side of the law they're on

Amazon Web Services (AWS) has been a boon for developers and organizations that need large-scale code-crunching power but can't or won't shell out for the server racks. Unfortunately, those cheap, on-tap computing capabilities are an irresistible temptation to bad guys who can, for example, use EC2 to smash passwords in mere minutes for a handful of change.

A bulk email service called Amazon Simple Email Service (SES), the newest announcement from AWS, builds on that theme. When used for good -- or at least legitimate -- purposes, it gives companies and developers an inexpensive way to communicate with users via email. But it also plausibly equips bad guys with another tool for cheaply and anonymously perpetuating spam and malware.

In brief, SES is a scalable, inexpensive bulk and transactional email-sending service that integrates, via API, with existing AWS services. The idea is to enable customers to inject email-sending capabilities into their AWS-hosted applications without having to build their own mail system or enlist a third party.

Customers have two choices of APIs: The SendEmail API requires users to provide only a source address, a destination address, a message subject, and a message body. The service will properly format a multipart MIME email message that suits the display of the receiving email-viewing software.

The SendRawEmail API is for more advanced users, allowing them to format and send their own raw emails by specifying headers, MIME parts, and content types.

Users can also add images to their outgoing messages using an HTML option.

Can SES be used for sending bulk messages? You betcha -- per Amazon: "Simply call the SendEmail or SendRawEmail APIs repeatedly for each email you would like to send. Software running on Amazon EC2, Amazon Elastic MapReduce, or your own servers can compose and deliver bulk emails via Amazon SES in whatever way best suits your business."

Price-wise, customers can expect to shell out just 10 cents per 1,000 email messages sent. Additionally, a customer can send 2,000 email messages for free each day when these emails originate from Amazon EC2 or AWS Elastic Beanstalk.

One of the key questions is what's to stop someone from using this service in tandem with a custom-built app to bombard people with spam, malware, or messages containing phishing lures? Amazon says it has the topic covered: "Amazon SES uses in-house content filtering technologies to scan email content for spam and malware. When such content is detected, Amazon SES prevents these emails from being sent."

Those assurances aren't entirely heartening, though, unless Amazon is way ahead of the curve with content-filtering technology. Email services and software vendors have tried for years to keep spam and other unwanted messages from showing up in users' viewing pane, but the crud keeps slipping through.

Further, with access to the array of the AWS offerings, there's additional room for abuse than you might find in a mere bulk-email service. A clever developer could, for example, build an application for sending out spam or phishing messages that adjusts subject lines and email content in real time so that missives slip through Amazon's net. In the background, the app could use a service like bit.ly to mask links to websites built to spread malware or to dupe users into surrendering credentials and credit card numbers.

Amazon doesn't deserve condemnation for the types of capabilities it's making accessible to potential criminals, no more so than other pioneers of email, Web technology, or really any type of automation that can be abused. But the company does need to ensure that it has measures in place to prevent potentially harmful abuses of its services. It's a tough line to walk, no question, as the company also has to respect its customers' privacy.

Follow Ted Samson on Twitter at tsamson_iw.

This article, "Could Amazon's bulk-email service spawn spam and malware?," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies