Vultr SMTP restriction requirements are unreasonable

Discussion in 'Hosting Talk & Reviews' started by drmike, May 23, 2014.

  1. drmike

    drmike 100% Tier-1 Gogent

    So Vultr, who advertises here, blocks SMTP by default.

    To have such a block lifted requires an authorization form. That sounds reasonable.

    However, Vultr seems to want front and back scans of both a photo identification card and credit card to enable SMTP.

    I don't support collection of identification. Is this the first provider routinely requesting two complete documents for service?
     
  2. KuJoe

    KuJoe Well-Known Member Verified Provider

    I don't see a problem with it. Spammers annoy me to no end so anything that makes them think twice about ordering service is a positive step in my eyes.

    That being said, I remember reading about quite a few data centers that do this and the ones I worked with in the past would only accept the documents by fax, not e-mail.
     
    Last edited by a moderator: May 23, 2014
  3. Nyr

    Nyr New Member

    Yeah, I think that's a bit unreasonable too, so I don't use them.

    I understand the problem with spam, but if this were the norm, scammers would simply send photoshopped scans, not difficult to do.
     
  4. KuJoe

    KuJoe Well-Known Member Verified Provider

    Luckily it's not the norm so spammers will go with another host that doesn't have those requirements. That's why Vultr's policy is effective. It's not supposed to be bulletproof, it's just supposed to be less easy to spam with them than another provider which is what makes it work.
     
  5. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    Why do they need a credit card scan? Do they only offer services paid for by credit card? If you pay using PayPal, must you still provide a CC scan?

    I'm okay with the ID, I'd simply place a watermark over it that says "FOR VERIFICATION PURPOSES WITH VULTR ON 5/23/2014 ONLY!" over top of the entire thing in a semi-transparent fashion. If I didn't pay with card, no one is getting a scan of it.
     
  6. dcdan

    dcdan New Member Verified Provider

    Google blocks all possible SMTP ports completely on their cloud service, with no option to enable. Google recommends using SendGrid for outgoing mail, which kind of makes sense (now spam is SendGrid's problem). I am pretty sure you can do the same with Vultr or any other provider who blocks SMTP. No need to provide ID. As a bonus, your emails will have much better chances of being delivered.

    I would not send anyone my ID as it is only a matter of time before a picture of my ID gets leaked. If it conveniently comes with a nice image of my credit card... you get the point.
     
  7. KuJoe

    KuJoe Well-Known Member Verified Provider

    I bet it's because of their Anti-spam Policy:

    and

    If they have a scanned credit card on file, it's easier for them to claim the "damages" (and harder for the spammer to chargeback if they have a picture of the credit card and photo ID).
     
    Last edited by a moderator: May 23, 2014
  8. Nyr

    Nyr New Member

    I understand, but that's a big pain and a security risk for the customers.
     
  9. KuJoe

    KuJoe Well-Known Member Verified Provider

    But it makes the Vultr staff's life so much easier and it's not going to impact their sales much since I doubt non-spammers are going to pay more than LEB prices to send out their spam especially with a certain "spam friendly" data center that offers more IPs than Vultr at a fraction of the price.
     
    Last edited by a moderator: May 23, 2014
    k0nsl likes this.
  10. KuJoe

    KuJoe Well-Known Member Verified Provider

    I would love to talk to them more about this policy but the lack of any contact information, form, or help desk is extremely annoying. This actually bothers me a lot more than giving somebody a scan of my ID or credit card.
     
  11. DomainBop

    DomainBop Dormant VPSB Pathogen

    I hope they're not keeping scans of both the front and back on file (with the CVV number on those scans) because that would be a violation of credit card industry rules.

    OVH, Hetzner, and many others ask for 2 forms of ID (front of credit card, photo ID, utility bill, etc) when an account is first set up but they only keep the documents/scans for a short period of time and then destroy them. I don't have a problem with that.

    I do have a problem with Vultr asking for both the front and back of credit cards (with CVV visible) and not disclosing any info about their data retention policies (i.e. how long the documentation is kept on file) anywhere on their site that I can see.  Storing a scan with the CVV number visible for any length of time would be a violation of PCI compliance rules which basically state that the CVV number is only to be retained until the card is authorized and then needs to be discarded immediately.

    "Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization"

    Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions)

    https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf


    tl;dr I hope that Vultr is destroying those credit card scans with CVV immediately after they're received because retaining a scan with a CVV for any length of time could cause them to lose their merchant account.

    edited to add the "CVV storing is a no-no" rule is stated in PCI DSS requirement 3.2
     
    Last edited by a moderator: May 23, 2014
  12. drmike

    drmike 100% Tier-1 Gogent

    Call me paranoid, but I don't deal with companies requiring a card for payment.

    Not that PayPal or similar are great, but it is a layer between things.

    Handing out photo ID? That's always been insanity, especially for said services. No way in hades that I am doing that. I can't trust Target with my card, does it seem smart to trust random webhost with who knows who having access to systems and storage where said documents go?

    Google doing the same to a more severe degree (total ban of SMTP), meh. Google for all of its largess isn't proportionally large with hosting services even with all their gotchas, give yous, etc. Passing the email issue off to a secondary company, sounds convenient and profitable. But I am old school, email is a common service I expect from my hosting company and more importantly that I expect to be able to send.

    Any hosting service can and will be used for activity as vicious as SPAM.   What's next?   Filtering HTTP traffic, blocking outgoing HTTP requests?  It's well intentioned this blocking, but damn short sighted and when you start down that path, you start saying, why not block this and that.  Before you know it you prohibit too much and make people jump through hoops for what just works elsewhere.

    Then again, you could avoid the horrors of the low cost spam magnet by... drumroll.... not advertising directly to the Lowend and not competing for a few bucks per customer per month.  At last check Linode and DigitalOcean both appear to allow SMTP traffic.  
     
    Last edited by a moderator: May 23, 2014
  13. HenriqueSousa - WebUp 24/7

    HenriqueSousa - WebUp 24/7 New Member

    I don't know if in the US you can do the same, but at least here in Portugal we can talk to the bank to just allow automatic payments to specific companies, this meaning that you would have to give the green signal to a new company.

    - Henrique
     
  14. William

    William pr0 Verified Provider

    Same for mine, I can block specific Merchant IDs (either by upstream ID of a former payment or by wildcard name like *Vultr*) in the web interface.
     
  15. blergh

    blergh New Member Verified Provider

    I can understand why they want a photo-id, but a photo of the card? There is no way in hell I am sending a photo of my CC to anyone for whatever reason. There are plenty of other providers who don't enforce this silly "anti-fraud" technique, I'd just go with those instead.
     
    drmike likes this.
  16. sundaymouse

    sundaymouse New Member

    I used a different port for webmail, screw them.
     
    drmike likes this.
  17. NQ-Joe

    NQ-Joe New Member

    Using a verified PayPal account will be enough in most cases and won't require any scanned documents.

    I've added a few funds to my account and staff lifted the block just a few minutes later.
     
    ModyDev, drmike and KuJoe like this.
  18. William

    William pr0 Verified Provider

    I sent a copy of a passport and got it unblocked without a CC.
     
  19. DaveA

    DaveA New Member Verified Provider

    We do not necessarily require the information you've mentioned to lift the SMTP block. Our staff is trained to identify accounts that appear suspicious. You can PM your email address and we'll activate it on your account. These measures are in place to prevent abuse and compromised instances from being used by spammers.

    In our opinion it makes the service better for everyone in the long run. Once your account is flagged to allow SMTP you will never have an issue again so it's really just a one-time nuisance. This is better than our customers being inconvenienced with fraudulent accounts and spammers getting entire IP blocks blacklisted, etc.

    We will evaluate the documents we require to be sent in tomorrow. We certainly understand everyone's privacy concerns. It should be noted the documents are deleted immediately and not stored on our systems after the verification process is completed.
     
    FHN-Eric, fm7, KuJoe and 1 other person like this.
  20. jarland

    jarland The ocean is digital

    See that right there...

    If people would understand the difference between policy made for justification of worst case scenarios and common practice, they might not freak out so much. Just talk to people, guys, they'll surprise you most of the time. You want to make spammers run with their tail between their legs, but a little conversation goes a long way. Certain requirements are often waived.
     
    DaveA likes this.