To be honest, I've been subscribed to this list for some time, but haven't actually been reading the list traffic for quite a while.

Recently however, it was brought to my attention that there has, of late, been some discussion about Digital Ocean and its abundant spammer problems. Given that I just found another such problem on Digital Ocean (and a sizable one at that) I thought that I should just share what I know about that with you all.

Before we get to the new stuff however, let's briefly review some of the historical evidence that may give us some idea of the level of concern Digital Ocean has for keeping their network free of spammers.

Back on March 19, 2019, I posted to the NANOG mailing list regarding a spam operation that I personally found particularly disturbing. I don't normally make a public fuss about "ordinary" snowshoe spammers, but this one was special. It was one of three separate operations that I have worked to try to destroy that were all involved in sending so-called bitcoin extortion spams:

https://mailman.nanog.org/pipermail/nanog/2019-March/100135.html

As you can see, at that time (Mar 19) I had managed to construct a fairly comprehensive listing of the IP addresses that were in use by this specific "extortion" spammer, and I provided a link to that in my March 19th NANOG posting:

https://pastebin.com/raw/WtM0Y5yC

As you can see in the above listing, the IP addresses in question were all located on either AS16276 (OVH) or AS14061 (Digital Ocean).

I assumed at the time that my bitching and moaning about this "extortion" spamming operation, via the NANOG list, would get some attention focused on the problem by both OVH and Digital Ocean. I posted very complete information about this spammer, and the specific IP addresses he was using, and I was sure that that information would allow both companies to fully expunge this spammer from their networks.

As I subsequently learned, both companies -were- made aware of my NANOG posting. Shortly thereafter, and to their credit, OVH took steps to completely remove the perpetrator from their network.
I thought no more about the matter after that, assuming the problem either had been or was being solved on both networks. (Silly me!)

I was thus understandably dismayed to learn, just recently, about a thread here on the mailop mailing list which was apparently begun on April 8, 2019, nearly three weeks after my posting about all this to the NANOG list:

https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-April/013754.html

I personally have no knowledge of, or information about, the listing of spammer IPs that Michael Peddemors posted here on that date in the above message. I had no hand in creating that listing, and indeed, I only even just found out about its existence this week. I must say however that simply comparing and contrasting the list that I posted to NANOG on March 19th with the listing that Michael Peddemors posted here, nearly three weeks later on April 8th, strongly suggests that (a) it is the same spammer in both cases, and also (b) that either the spammer or Digital Ocean simply swapped out the IP addresses that the spammer had been using for some new ones. (And the new ones were also located on the Digital Ocean network.)

No matter how this is viewed, it isn't good. There are really only two plausible explanations. Either (a) Digital Ocean is in cahoots with the spammer in this case or else (b) Digital Ocean staff is simply too dumb to be able to tell when this spammer is signing up for fresh new accounts... and lots of them. There is no third possibility.

Generosity demands that we rely on Hanlon's Razor in such circumstances:

https://en.wikipedia.org/wiki/Hanlon%27s_razor

If we do so, then we are forced to conclude that possibility (b) applies and that Digital Ocean staff are simply too stupid to be able to effectively prevent spammers who they have already turfed from getting a fresh new set of Digital Ocean IP addresses, perhaps even as soon as the following day.
Regardless of whether Digital Ocean is in any sense "in on" this game or not, the outward effects, including on Digital Ocean's reputation, among both anti-spam activists *and* spammers, are and should be quite immediately apparent. Over time, Digital Ocean has, I believe, garnered a reputation as a relatively "safe" place for spammers to set up shop, at least in and among the professional spammer community.

It should thus come as little surprise to anyone when I disclose, as I now do, that other and additional snowshoe spamming enterprises are, as we speak, operating from Digital Ocean's network. I provide here but one example of one such operation that my attention was called to recently.

At the following link, I provide a list of 862 currently live IP addresses, all located on AS14061 (Digital Ocean) which I have meticulously verified as all being in use by a single large-scale snowshoe spamming operation which is controlled by the same individuals who also own and control the recently-minted RIPE network AS209298 -- Online Marketing Sources Kft -- ostensibly headquartered in Budapest, Hungary.

https://pastebin.com/raw/VYx2Yee1

(Note that the right-hand column in the above listing provides current live reverse DNS for each of the listed Digital Ocean IP addresses included in this listing.)

In addition to the IP addresses given in the link above, credible evidence suggests that this particular spamming company has, over time, frequently been swapping out the IP addresses it uses for outbound spamming and then replacing those with newer ones, presumably as part of a sensible overall strategy to evade blacklists. This, of course, is reminiscent of the actions of the bitcoin extortion spammer, as noted above, who appears to have employed the same strategy for the same reason.

I feel it necessary to emphasize again that, from the outside, it really makes no difference at all whether Digital Ocean is in any sense complicit with the spammers they are hosting.
It makes no material difference whatsoever, either to spam recipients or to spammers, if Digital Ocean is actively aiding and abetting spammers or if they are just simply too dumb to be able to keep them off their network. The outcome is the same either way. Spammers and aspiring spammers -do- talk to one another, share tips, tricks and secrets, and it would not be much of a stretch to imagine that right this minute they are hanging out on their private message boards, discussing the best places to get "safe" hosting. If the name of Digital Ocean comes up in such discussions, then I, for one, would not be terribly shocked.

One last thing. In decades before the present one, we all used to have lots and lots of spam coming in from end-luser dial-up and broadband lines. Thankfully, quite a lot of networks that supply those end-luser last-mile IP addresses eventually wised up and began disabling direct outbound port 25 connectivity by default. That solved a lot of the problems. That's the good news.

The bad news is that with the arrival of the various mega-scale "cloud" hosting providers, the problem is now, quite obviously, back, and with a vengeance. In particular there are numerous and serious snowshoe spammer infestations present, as we speak, on Amazon AWS, on Digital Ocean (obviously), and also on France's OVH and on Germany's Hetzner.

The solution is obvious and it has already been implemented by at least a few sizable hosting providers that I am personally aware of. Outbound direct port 25 connectivity MUST be disabled by default for all new hosting customers, with holes poked in such firewall rules, selectively, and only in response to explicit customer requests.

The fact that other hosting providers have done and are doing this already demonstrates quite convincingly that it is technically possible, and that the four mega-providers that I have just named are simply dragging their feet, and in so doing, shifting their costs onto the rest of us.
And that, my friends, is the essence of what the spammers themselves do. We should not tolerate it from the spammers, and we should also and likewise not tolerate it from Amazon AWS, from Digital Ocean, from OVH, or from Hetzner.

In particular however, Digital Ocean appears to be the current spammer-magnet de jure. And to reiterate, due to Hanlon's Razor, I cannot and will not question Digital Ocean's possible complicity. I -am- however forced by the available facts to question Digital Ocean's competence, or rather, I should say, the apparent lack thereof.

Regards,
rfg

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop