# Vultr SMTP restriction requirements are unreasonable



## drmike (May 23, 2014)

So Vultr, who advertises here blocks SMTP by default.

To have such block lifted, requires an authorization form. That sounds, reasonable.

However, Vultr seems to want front and back scans of both a photo identification card and credit card to enable SMTP.

I don't support collection of identification.   Is this the first provider routinely requesting two complete documents for service?


----------



## KuJoe (May 23, 2014)

I don't see a problem with it. Spammers annoy me to no end so anything that makes them think twice about ordering service is a positive step in my eyes.

That being said, I remember reading about quite a few data centers that do this and the ones I worked with in the past would only accept the documents by fax, not e-mail.


----------



## Nyr (May 23, 2014)

Yeah, I think that's a bit unreasonable too, so I don't use them.

I understand the problem with spam, but if this were the norm, scammers would simply send photoshopped scans, not difficult to do.


----------



## KuJoe (May 23, 2014)

Nyr said:


> Yeah, I think that's a bit unreasonable too, so I don't use them.
> 
> I understand the problem with spam, but if this were the norm, scammers would simply send photoshopped scans, not difficult to do.


Luckily it's not the norm so spammers will go with another host that doesn't have those requirements. That's why Vult's policy is effective. It's not supposed to be bulletproof, it's just supposed to be less easy to spam with them than another provider which is what makes it work.


----------



## MannDude (May 23, 2014)

Why do they need a credit card scan? Do they only offer services paid for by credit card? If you pay using PayPal, must you still provide a CC scan?

I'm okay with the ID, I'd simply place a watermark over it that says "FOR VERIFICATION PURPOSES WITH VULTR ON 5/23/2014 ONLY!" over top of the entire thing in a semi-transparent fashion. If I didn't pay with card, no one is getting a scan of it.


----------



## dcdan (May 23, 2014)

Google blocks all possible smtp ports completely on their cloud service, with no option to enable. Google recommends using sendgrid for outgoing mail, which kind of makes sense (now spam is Sendgrid's problem). I am pretty sure you can do the same with Vultr or any other provider who blocks SMTP. No need to provide ID. As a bonus, your emails will have much better chances of being delivered.

I would not send anyone my ID as it is only the matter of time when a picture of my ID gets leaked. If it conveniently comes with a nice image of my credit card... you get the point.


----------



## KuJoe (May 23, 2014)

MannDude said:


> Why do they need a credit card scan?


I bet it's because of their Anti-spam Policy:



> In addition, because damages are often difficult to quantify, if actual damages cannot be reasonably calculated then you agree to pay VULTR.com liquidated damages of five-dollars ($5.00) for each piece of spam or unsolicited bulk email transmitted from or otherwise connected with your account, otherwise you agree to pay VULTR.com's actual damages, to the extent such actual damages can be reasonably calculated, unless otherwise specified in this Agreement or the Site's Spam Policy.


and



> For any breach of a portion of this Agreement that does not specifically state a liquidated damages amount, You hereby agree that any breach of this Agreement shall result in liquidated damages of $500 per occurrence. You specifically agree to pay this $500 in liquidated damages.


If they have a scanned credit card on file, it's easier for them to claim the "damages" (and harder for the spammer to chargeback if they have a picture of the credit card and photo ID).


----------



## Nyr (May 23, 2014)

KuJoe said:


> Luckily it's not the norm so spammers will go with another host that doesn't have those requirements. That's why Vult's policy is effective. It's not supposed to be bulletproof, it's just supposed to be less easy to spam with them than another provider which is what makes it work.



I understand, but that's a big pain and a security risk for the customers.


----------



## KuJoe (May 23, 2014)

Nyr said:


> I understand, but that's a big pain and a security risk for the customers.


But it makes the Vultr staff's life so much easier and it's not going to impact their sales much since I doubt non-spammers are going to pay more than LEB prices to send out their spam especially with a certain "spam friendly" data center that offers more IPs than Vultr at a fraction of the price.


----------



## KuJoe (May 23, 2014)

I would love to talk to them more about this policy but the lack of any contact information, form, or help desk is extremely annoying. This actually bothers me a lot more than giving somebody a scan of my ID or credit card.


----------



## DomainBop (May 23, 2014)

> If they have a scanned credit card on file,



I hope they're not keeping scans of both the front and back on file (with the CVV number on those scans) because that would be a violation of credit card industry rules.

OVH, Hetzner, and many others ask for 2 forms of ID (front of credit card, photo ID, utility bill, etc) when an account is first setup but they only keep the documents/scans for a short period of time and then destroy them.  I don't have a problem with that.

I do have a problem with Vultr asking for both the front and back of credit cards (with CVV visible) and not disclosing any info about their data retention policies (i.e. how long the documentation is kept on file) anywhere on their site that I can see.  Storing a scan with the CVV number visible for any length of time would be a violation of PCI compliance rules which basically state that the CVV number is only to be retained until the card is authorized and then needs to be discarded immediately.

_"Do not store sensitive authentication data_

_contained in the payment card’s storage chip or full_

_magnetic stripe, including the printed 3-4 digit card_

_validation code on the front or back of the payment_

_card after authorization"_

 


_Never store the card-validation code or value (three- or four-digit number printed on the front or_

_back of a payment card used to validate card-not-present transactions)_

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf


tl;dr I hope that Vultr is destroying those credit card scans with CVV immediately after they're received because retaining a scan with a CVV for any length of time could cause them to lose their merchant account.

edited to add the "CVV storing is a no-no" rule is stated in PCI DSS requirement 3.2


----------



## drmike (May 23, 2014)

Call me paranoid, but I don't deal with companies requiring a card for payment.

Not that PayPal or similar are great, but is a layer between things. 

Handing out photo ID?  That's always been insanity, especially for said services. No way in hades that I am doing that.  I can't trust Target with my card,  does it seem smart to trust random webhost with who knows who having access to systems and storage where said documents go?

Google doing the same to a more severe degree (total ban of SMTP), meh.   Google for all of it's largess isn't proportionally large with hosting services even with all their gotchas, give yous, etc.  Passing the email issue off to a secondady company, sounds convenient and profitable.  But I am old school, email is a common service I expect from my hosting company and more importantly that I expect to be able to send. 

Any hosting service can and will be used for activity as vicious as SPAM.   What's next?   Filtering HTTP traffic, blocking outgoing HTTP requests?  It's well intentioned this blocking, but damn short sighted and when you start down that path, you start saying, why not block this and that.  Before you know it you prohibit too much and make people jump through hoops for what just works elsewhere.

Then again, you could avoid the horrors of the low cost spam magnet by... drumroll.... not advertising directly to the Lowend and not competing for a few bucks per customer per month.  At last check Linode and DigitalOcean both appear to allow SMTP traffic.


----------



## HenriqueSousa - WebUp 24/7 (May 23, 2014)

I don't know if in the US you can do the same, but at least here in Portugal we can talk to the bank to just allow automatic payments to specific companies, this meaning that you would have to give the green signal to a new company.

- Henrique


----------



## William (May 23, 2014)

Same for mine, i can block specific Merchant IDs (either by upstream ID of a former payment or by wildcard name like *Vultr*) in the webinterface.


----------



## blergh (May 24, 2014)

I can understand why they want a photo-id, but a photo of the card? There is no way in hell I am sending a photo of my CC to anyone for whatever reason. There are plenty of other providers who don't enforce this silly "anti-fraud" technique, I'd just go with those instead.


----------



## sundaymouse (May 24, 2014)

I used a different port for webmail, screw them.


----------



## NQ-Joe (May 24, 2014)

Using a verified PayPal account will be enough in most cases and won't require any scanned documents.

I've added a few funds to my account and staff liftet the block just a few minutes later.


----------



## William (May 25, 2014)

I sent a copy of a passport and got it unblocked without a CC.


----------



## DaveA (May 27, 2014)

We do not necessarily require the information you've mentioned to lift the smtp block.   Our staff is trained to identify accounts that appear suspicious.   You can PM your email address and we'll activate it on your account.   These measures are in place to prevent abuse and compromised instances from being used by spammers.  

In our opinion it makes the service better for everyone in the long run.   Once your account is flagged to allow smtp you will never have an issue again so its really just a one-time nuisance.    This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.  

We will evaluate the documents we require to be sent in tomorrow.  We certainly understand everyones privacy concerns. It should be noted the documents are deleted immediately and not stored on our systems after the verification process is completed.


----------



## jarland (May 27, 2014)

DaveA said:


> We do not necessarily require the information you've mentioned to lift the smtp block.   Our staff is trained to identify accounts that appear suspicious.   You can PM your email address and we'll activate it on your account.   These measures are in place to prevent abuse and compromised instances from being used by spammers.
> 
> In our opinion it makes the service better for everyone in the long run.   Once your account is flagged to allow smtp you will never have an issue again so its really just a one-time nuisance.    This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.
> 
> We will evaluate the documents we require to be sent in tomorrow.  We certainly understand everyones privacy concerns. It should be noted the documents are deleted immediately and not stored on our systems after the verification process is completed.


See that right there...

If people would understand the difference between policy made for justification of worst case scenarios and common practice, they might not freak out so much. Just talk to people guys, they'll surprise you most of the time. You want to make spammers run with their tail between their legs, but a little conversation goes a long way. Certain requirements are often waived.


----------



## klimenta (Jun 6, 2014)

A week ago I bought a FreeBSD VPS and paid with US issued credit card. After I realized that port 25 is blocked I've opened a ticket asking to lift this restriction (I googled the issue before I've opened the ticket so I was kind of aware that they might require a scan of my CC). 30 mins later, they've opened the port 25 and sent me this link.

https://www.vultr.com/legal/antispam_policy.php

Long story short, it's $5 per spam email that you send, but only if you are liable.

"you agree to pay VULTR.com liquidated damages of five-dollars ($5.00) for each piece of spam or unsolicited bulk email transmitted from or otherwise connected with your account,"

"If customers server was compromised (hacked) and then subsequently used for spamming this clause will not apply."


----------



## jas88 (Sep 6, 2014)

klimenta said:


> "you agree to pay VULTR.com liquidated damages of five-dollars ($5.00) for each piece of spam or unsolicited bulk email transmitted from or otherwise connected with your account,"
> 
> "If customers server was compromised (hacked) and then subsequently used for spamming this clause will not apply."


I'm relieved by that last bit! I don't know about others on here, but one of my fears is getting compromised and having some spammer rack up huge bills, or worse. (I've never had my own machines compromised - going back as far as early Apache on Solaris 2.5.1 - but I see enough attempts for it to be a worry.)

I've just signed up for a Vultr VM of my own and set it up running OpenBSD. Spam is actually part of my motivation (filtering it out, I mean, not sending it!) - with a few persistent spammers, I really need either to reject or ideally tarpit their MTA during the attempt. Fastmail (my current provider) are actually pretty good, but rejecting particular envelope-senders during the SMTP session doesn't seem to be an option: I need my own MTA for that.

I was surprised to see Hetzner mentioned as having anti-spam precautions: given the amount of my current spamload which comes from there, and their apparent indifference (or worse!) to Spamcop reports about it, I had concluded they must be some sort of "pink contract" operation! Indeed, tarpitting SMTP from their whole ASN is quite high up my todo list.


----------



## Amitz (Sep 6, 2014)

DaveA said:


> We do not necessarily require the information you've mentioned to lift the smtp block.   Our staff is trained to identify accounts that appear suspicious.   You can PM your email address and we'll activate it on your account.   These measures are in place to prevent abuse and compromised instances from being used by spammers.
> 
> 
> In our opinion it makes the service better for everyone in the long run.   Once your account is flagged to allow smtp you will never have an issue again so its really just a one-time nuisance.    This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.
> ...


I can confirm that. It did not take me more than a simple ticket to have to block lifted within 10 mins.


----------

