Vultr SMTP restriction requirements are unreasonable

drmike

100% Tier-1 Gogent
So Vultr, who advertises here, blocks SMTP by default.

To have such a block lifted requires an authorization form. That sounds reasonable.

However, Vultr seems to want front and back scans of both a photo identification card and credit card to enable SMTP.

I don't support collection of identification. Is this the first provider routinely requesting two complete documents for service?
 

KuJoe

Well-Known Member
Verified Provider
I don't see a problem with it. Spammers annoy me to no end so anything that makes them think twice about ordering service is a positive step in my eyes.

That being said, I remember reading about quite a few data centers that do this and the ones I worked with in the past would only accept the documents by fax, not e-mail.
 

Nyr

New Member
Yeah, I think that's a bit unreasonable too, so I don't use them.

I understand the problem with spam, but if this were the norm, scammers would simply send photoshopped scans, not difficult to do.
 

KuJoe

Well-Known Member
Verified Provider
> Yeah, I think that's a bit unreasonable too, so I don't use them.
>
> I understand the problem with spam, but if this were the norm, scammers would simply send photoshopped scans, not difficult to do.

Luckily it's not the norm so spammers will go with another host that doesn't have those requirements. That's why Vultr's policy is effective. It's not supposed to be bulletproof, it's just supposed to be less easy to spam with them than another provider which is what makes it work.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Why do they need a credit card scan? Do they only offer services paid for by credit card? If you pay using PayPal, must you still provide a CC scan?

I'm okay with the ID, I'd simply place a watermark over it that says "FOR VERIFICATION PURPOSES WITH VULTR ON 5/23/2014 ONLY!" over top of the entire thing in a semi-transparent fashion. If I didn't pay with card, no one is getting a scan of it.
 

dcdan

New Member
Verified Provider
Google blocks all possible smtp ports completely on their cloud service, with no option to enable. Google recommends using sendgrid for outgoing mail, which kind of makes sense (now spam is Sendgrid's problem). I am pretty sure you can do the same with Vultr or any other provider who blocks SMTP. No need to provide ID. As a bonus, your emails will have much better chances of being delivered.

I would not send anyone my ID as it is only a matter of time when a picture of my ID gets leaked. If it conveniently comes with a nice image of my credit card... you get the point.
 

KuJoe

Well-Known Member
Verified Provider
> Why do they need a credit card scan?

I bet it's because of their Anti-spam Policy:

> In addition, because damages are often difficult to quantify, if actual damages cannot be reasonably calculated then you agree to pay VULTR.com liquidated damages of five-dollars ($5.00) for each piece of spam or unsolicited bulk email transmitted from or otherwise connected with your account, otherwise you agree to pay VULTR.com's actual damages, to the extent such actual damages can be reasonably calculated, unless otherwise specified in this Agreement or the Site's Spam Policy.

and

> For any breach of a portion of this Agreement that does not specifically state a liquidated damages amount, You hereby agree that any breach of this Agreement shall result in liquidated damages of $500 per occurrence. You specifically agree to pay this $500 in liquidated damages.

If they have a scanned credit card on file, it's easier for them to claim the "damages" (and harder for the spammer to chargeback if they have a picture of the credit card and photo ID).
 

Nyr

New Member
> Luckily it's not the norm so spammers will go with another host that doesn't have those requirements. That's why Vultr's policy is effective. It's not supposed to be bulletproof, it's just supposed to be less easy to spam with them than another provider which is what makes it work.

I understand, but that's a big pain and a security risk for the customers.
 

KuJoe

Well-Known Member
Verified Provider
> I understand, but that's a big pain and a security risk for the customers.

But it makes the Vultr staff's life so much easier and it's not going to impact their sales much since I doubt non-spammers are going to pay more than LEB prices to send out their spam especially with a certain "spam friendly" data center that offers more IPs than Vultr at a fraction of the price.
 

KuJoe

Well-Known Member
Verified Provider
I would love to talk to them more about this policy but the lack of any contact information, form, or help desk is extremely annoying. This actually bothers me a lot more than giving somebody a scan of my ID or credit card.
 

DomainBop

Dormant VPSB Pathogen
> If they have a scanned credit card on file,

I hope they're not keeping scans of both the front and back on file (with the CVV number on those scans) because that would be a violation of credit card industry rules.

OVH, Hetzner, and many others ask for 2 forms of ID (front of credit card, photo ID, utility bill, etc) when an account is first set up but they only keep the documents/scans for a short period of time and then destroy them. I don't have a problem with that.

I do have a problem with Vultr asking for both the front and back of credit cards (with CVV visible) and not disclosing any info about their data retention policies (i.e. how long the documentation is kept on file) anywhere on their site that I can see. Storing a scan with the CVV number visible for any length of time would be a violation of PCI compliance rules which basically state that the CVV number is only to be retained until the card is authorized and then needs to be discarded immediately.

> "Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization"

> Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions)

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf


tl;dr I hope that Vultr is destroying those credit card scans with CVV immediately after they're received because retaining a scan with a CVV for any length of time could cause them to lose their merchant account.

edited to add the "CVV storing is a no-no" rule is stated in PCI DSS requirement 3.2
 

drmike

100% Tier-1 Gogent
Call me paranoid, but I don't deal with companies requiring a card for payment.

Not that PayPal or similar are great, but it is a layer between things.

Handing out photo ID? That's always been insanity, especially for said services. No way in hades that I am doing that. I can't trust Target with my card, does it seem smart to trust random webhost with who knows who having access to systems and storage where said documents go?

Google doing the same to a more severe degree (total ban of SMTP), meh. Google for all of its largess isn't proportionally large with hosting services even with all their gotchas, give yous, etc. Passing the email issue off to a secondary company, sounds convenient and profitable. But I am old school, email is a common service I expect from my hosting company and more importantly that I expect to be able to send.

Any hosting service can and will be used for activity as vicious as SPAM. What's next? Filtering HTTP traffic, blocking outgoing HTTP requests? It's well intentioned this blocking, but damn short sighted and when you start down that path, you start saying, why not block this and that. Before you know it you prohibit too much and make people jump through hoops for what just works elsewhere.

Then again, you could avoid the horrors of the low cost spam magnet by... drumroll.... not advertising directly to the Lowend and not competing for a few bucks per customer per month. At last check Linode and DigitalOcean both appear to allow SMTP traffic.
 
I don't know if in the US you can do the same, but at least here in Portugal we can talk to the bank to just allow automatic payments to specific companies, this meaning that you would have to give the green signal to a new company.

- Henrique
 

William

pr0
Verified Provider
Same for mine, I can block specific Merchant IDs (either by upstream ID of a former payment or by wildcard name like *Vultr*) in the web interface.
 

blergh

New Member
Verified Provider
I can understand why they want a photo-id, but a photo of the card? There is no way in hell I am sending a photo of my CC to anyone for whatever reason. There are plenty of other providers who don't enforce this silly "anti-fraud" technique, I'd just go with those instead.
 

NQ-Joe

New Member
Using a verified PayPal account will be enough in most cases and won't require any scanned documents.

I've added a few funds to my account and staff lifted the block just a few minutes later.
 

DaveA

New Member
Verified Provider
We do not necessarily require the information you've mentioned to lift the SMTP block. Our staff is trained to identify accounts that appear suspicious. You can PM your email address and we'll activate it on your account. These measures are in place to prevent abuse and compromised instances from being used by spammers.

In our opinion it makes the service better for everyone in the long run. Once your account is flagged to allow SMTP you will never have an issue again so it's really just a one-time nuisance. This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.

We will evaluate the documents we require to be sent in tomorrow. We certainly understand everyone's privacy concerns. It should be noted the documents are deleted immediately and not stored on our systems after the verification process is completed.
 

jarland

The ocean is digital
> We do not necessarily require the information you've mentioned to lift the SMTP block. Our staff is trained to identify accounts that appear suspicious. You can PM your email address and we'll activate it on your account. These measures are in place to prevent abuse and compromised instances from being used by spammers.
>
> In our opinion it makes the service better for everyone in the long run. Once your account is flagged to allow SMTP you will never have an issue again so it's really just a one-time nuisance. This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.
>
> We will evaluate the documents we require to be sent in tomorrow. We certainly understand everyone's privacy concerns. It should be noted the documents are deleted immediately and not stored on our systems after the verification process is completed.

See that right there...

If people would understand the difference between policy made for justification of worst case scenarios and common practice, they might not freak out so much. Just talk to people guys, they'll surprise you most of the time. You want to make spammers run with their tail between their legs, but a little conversation goes a long way. Certain requirements are often waived.
 