Spam From Amazon SES

Spam has always been a problem with Amazon’s email service (SES). They make an effort to filter the outgoing missives transmitted by their customers, but it’s not perfect. And Amazon is no respecter of laws outside the good ‘ol US of A, where the right to free speech is a license to spam any kind of junk you like; whether the recipient asked for it or not.

Here’s a case in point:

Received: from ( [])
	by (8.14.4/8.14.4) with ESMTP id t5NHpefn075543
	for <>; Tue, 23 Jun 2015 18:51:40 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;; t=1435081898;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=lfgclj2zbjygv5i5rirpal2v2zj3dquy;; t=1435081898;
From: Ray-Ban Sale <>
Date: Tue, 23 Jun 2015 17:51:38 +0000
To: "" <>
X-MessageID: OXx8fHwxMzY3MXx8fHxmcmFuazJAZmpsLmNvLnVrfHx8fDEwfHx8fDF8fHx8MA%3D%3D MIME-Version: 1.0
Message-ID: <>
X-Priority: 3
Reply-to: Ray-Ban Sale <>
Subject: Spambait: Keep Calm and Get 80% Off Ray-Ban!
Content-Type: multipart/alternative; boundary="b1_b18fea4f74280e521923210f4d5c61eb"
X-SES-Outgoing: 2015.06.23-
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: base64

As you can see (if you’re used to reading email headers), this looks very legitimate – send from a correctly configured server. However. these characters are as guilty has hell. The email body, once decoded, claims that the spambait email address belonged to a past customer of theirs, and was used for placing an order (in the USA). This is, of course, physically impossible.

If this had been sent in Europe they’d have been breaking the local law that implemented  the EU Privacy and Electronic Communications Directive, 2002.  But they’re sending it from the USA. Other text in the email suggests it’s not from an English-speaking country (not even the USA), and it’s probably a scam. But Amazon doesn’t t seem to mind – they don’t even have an abuse reporting system for ISPs plagued by this stuff.

It’s tempting to simply block all Amazon SES IP addresses, but this will cause collateral damage. Spam filtering isn’t likely to detect it any other way, as the sending server is set up correctly, with SPF records and so on, so the Bayesian filter in a spam classifier will be over-ruled. However, this correctness can be used against it…

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Let’s be clear here – it’s easy enough to block the whole of SES. You can get its address range just by looking at it’s SPF records:

> set type=TXT
Address: text = "v=spf1 ip4: ip4: ip4: -all"

I suspect this may cover more than SES, but SES is certainly covered by it. However, blocking it will, as I mentioned earlier, block some innocent stuff that you do want. This is a job for Spamassassin.

I’m experimenting by adding the following to SA’s file:

header AMAZON_SES Received =~ /
score AMAZON_SES 3.5
describe AMAZON_SES Sent from Amazon SES - often used by spammers

The the appropriate score to weight it by is an interesting question. By default good SPF records are ignored anyway; if they were not then it would obviously be a good idea to negate a positive score here. So I’ve picked 3.5 as this matches a clear Bayesian score rather than for any good statistical reason. Check back later to see how well it works.