Using Amazon SES for phishing simulation campaign

1

Hello,

For my work, I need to simulate phishing attacks with my clients. This is an activity that I am contractually authorized to do. I have several questions regarding the use of Amazon SES and its services:

  • Is such activity allowed by Amazon SES (knowing that the account will never be used to send spam to anyone other than those designated by the client company)?
  • Is it possible to have a dedicated IP address even for a low volume of email (it is necessary to have a fixed dedicated IP so that customers can whitelist this IP in their corporate email anti-spam system)?
  • Won't sending few e-mails be a problem for the delivery of the messages (it doesn't matter if the message takes a few minutes to arrive, as long as it arrives)?

Amazon blocks SMTP port 25 on EC2 instances by default.

  • If it is not possible to use the SES service, is my activity allowed and legal to allow the unblocking of SMTP port 25 on my EC2 instance that will be responsible for sending the phishing campaign simulations to my customers?

Thank you!

2 Answers
0

Hello! As stated on the AWS Penetration Testing page [1], "Customers seeking to perform Simulated Phishing campaigns must submit a Simulated Events form for review."

Here is a link to this Simulated Events form [2]

For the whole workload as you mentioned, does your customer know the account ID(s)? If so, you can add this to the form and this should allow your customer to continue to run the phishing simulations.

Links:
[1] - https://aws.amazon.com/security/penetration-testing/
[2] - https://console.aws.amazon.com/support/contacts#/simulated-events

AWS
answered 2 years ago
0

It is not possible to simulate phishing using SES

Internet service providers don't distinguish complaints for simulated phishing from real phishing, which means that simulated phishing by one customer negatively affects the deliverability for all SES customers.

Please review: https://docs.aws.amazon.com/ses/latest/dg/faqs-enforcement.html#e-faq-mi

Typical problems include, but aren't limited to, the following:

  • Your sending violates the AWS Acceptable Use Policy (AUP).
  • Your emails appear to be unsolicited.
  • Your content is phishing related (this includes simulated phishing).
  • Your content is otherwise associated with a use case that Amazon SES doesn't support.
AWS
Jesse_T
answered 2 years ago
