To be honest, I've been subscribed to this list for some time, but haven't
actually been reading the list traffic for quite a while.

Recently however, it was brought to my attention that there has, of late,
been some discussion about Digital Ocean and its abundant spammer problems.
Given that I just found another such problem on Digital Ocean (and
a sizable one at that) I thought that I should just share what I know
about that with you all.

Before we get to the new stuff however, let's briefly review some of
the historical evidence that may give us some idea of the level of
concern Digital Ocean has for keeping their network free of spammers.

Back on March 19, 2019, I posted to the NANOG mailing list regarding a
spam operation that I personally found particularly disturbing.  I don't
normally make a public fuss about "ordinary" snowshoe spammers, but this
one was special.  It was one of three separate operations that I have
worked to try to destroy that were all involved in sending so-called
bitcoin extortion spams:

    https://mailman.nanog.org/pipermail/nanog/2019-March/100135.html

As you can see, at that time (Mar 19) I had managed to construct a
fairly comprehensive listing of the IP addresses that were in use by
this specific "extortion" spammer, and I provided a link to that in my
March 19th NANOG posting:

    https://pastebin.com/raw/WtM0Y5yC

As you can see in the above listing, the IP addresses in question were all
located on either AS16276 (OVH) or AS14061 (Digital Ocean).

I assumed at the time that my bitching and moaning about this "extortion"
spamming operation, via the NANOG list, would get some attention focused
on the problem by both OVH and Digital Ocean.  I posted very complete
information about this spammer, and the specific IP addresses he was using,
and I was sure that that information would allow both companies to fully
expunge this spammer from their networks.  As I subsequently learned, both
companies -were- made aware of my NANOG posting.

Shortly thereafter, and to their credit, OVH took steps to completely remove
the perpetrator from their network.

I thought no more about the matter after that, assuming the problem either
had been or was being solved on both networks.  (Silly me!)

I was thus understandably dismayed to learn, just recently, about a thread
here on the mailop mailing list which was apparently begun on April 8, 2019,
nearly three weeks after my posting about all this to the NANOG list:

    https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-April/013754.html

I personally have no knowledge of, or information about the listing of
spammer IPs that Michael Peddemors posted here on that date in the above
message. I had no hand in creating that listing, and indeed, I only even
just found out about its existence this week.  I must say however that
simply comparing and contrasting the list that I posted to NANOG on March
19th with the listing that Michael Peddemors posted here, nearly three weeks
later on April 8th, strongly suggests that (a) it is the same spammer
in both cases, and also (b) that either the spammer or Digital Ocean simply
swapped out the IP addresses that the spammer had been using for some new
ones.   (And the new ones were also located on the Digital Ocean network.)

No matter how this is viewed, it isn't good.  There are really only two
plausible explanations.  Either (a) Digital Ocean is in cahoots with the
spammer in this case or else (b) Digital Ocean staff is simply too dumb to
be able to tell when this spammer is signing up for fresh new accounts...
and lots of them.  There is no third possibility.

Generosity demands that we rely on Hanlon's Razor in such circumstances:

    https://en.wikipedia.org/wiki/Hanlon%27s_razor

If we do so, then we are forced to conclude that possibility (b) applies
and that Digital Ocean staff are simply too stupid to be able to effectively
prevent spammers who they have already turfed from getting a fresh new set
of Digital Ocean IP addresses, perhaps even as soon as the following day.

Regardless of whether Digital Ocean is in any sense "in on" this game or
not, the outward effects, including on Digital Ocean's reputation, among
both anti-spam activists *and* spammers, are and should be quite immediately
apparent.  Over time, Digital Ocean has, I believe, garnered a reputation
as a relatively "safe" place for spammers to set up shop, at least in and
among the professional spammer community.

It should thus come as little surprise to anyone when I disclose, as I now
do, that other and additional snowshoe spamming enterprises are, as we
speak, operating from Digital Ocean's network.  I provide here but one
example of one such operation that my attention was called to recently.

At the following link, I provide a list of 862 currently live IP addresses,
all located on AS14061 (Digital Ocean) which I have meticulously verified
as all being in use by a single large-scale snowshoe spamming operation
which is controlled by the same individuals who also own and control the
recently-minted RIPE network AS209298 -- Online Marketing Sources Kft --
ostensibly headquartered in Budapest, Hungary.

    https://pastebin.com/raw/VYx2Yee1

(Note that the right-hand column in the above listing provides current live
reverse DNS for each of the listed Digital Ocean IP addresses included in
this listing.)

In addition to the IP addresses given in the link above, credible evidence
suggests that this particular spamming company has, over time, frequently
been swapping out the IP addresses it uses for outbound spamming and then
replacing those with newer ones, presumably as part of a sensible overall
strategy to evade blacklists.  This, of course, is reminiscent of the actions
of the bitcoin extortion spammer, as noted above, who appears to have employed
the same strategy for the same reason.

I feel it necessary to emphasize again that, from the outside, it really
makes no difference at all whether Digital Ocean is in any sense complicit
with the spammers they are hosting.  It makes no material difference
whatsoever, either to spam recipients or to spammers, if Digital Ocean is
actively aiding and abetting spammers or if they are just simply too dumb
to be able to keep them off their network.  The outcome is the same either
way.  Spammers and aspiring spammers -do- talk to one another, share tips,
tricks and secrets, and it would not be much of a stretch to imagine that
right this minute they are hanging out on their private message boards,
discussing the best places to get "safe" hosting.  If the name of Digital
Ocean comes up in such discussions, then I, for one, would not be terribly
shocked.

One last thing.  In decades before the present one, we all used to have
lots and lots of spam coming in from end-luser dial-up and broadband lines.
Thankfully, quite a lot of networks that supply those end-luser last-mile
IP addresses eventually wised up and began disabling direct outbound port
25 connectivity by default.  That solved a lot of the problems.  That's the
good news.  The bad news is that with the arrival of the various mega-scale
"cloud" hosting providers, the problem is now, quite obviously, back, and
with a vengeance.

In particular there are numerous and serious snowshoe spammer infestations
present, as we speak, on Amazon AWS, on Digital Ocean (obviously), and also
on France's OVH and on Germany's Hetzner.  The solution is obvious and it
has already been implemented by at least a few sizable hosting providers
that I am personally aware of.  Outbound direct port 25 connectivity MUST
be disabled by default for all new hosting customers, with holes poked in
such firewall rules, selectively, and only in response to explicit customer
requests.  The fact that other hosting providers have done and are doing
this already demonstrates quite convincingly that it is technically possible,
and that the four mega-providers that I have just named are simply dragging
their feet, and in so doing, shifting their costs onto the rest of us.

And that, my friends, is the essence of what the spammers themselves do.
We should not tolerate it from the spammers, and we should also and likewise
not tolerate it from Amazon AWS, from Digital Ocean, from OVH, or from
Hetzner.

In particular however, Digital Ocean appears to be the current spammer-magnet
du jour.  And to reiterate, due to Hanlon's Razor, I cannot and will not
question Digital Ocean's possible complicity.  I -am- however forced by the
available facts to question Digital Ocean's competence, or rather, I should
say, the apparent lack thereof.


Regards,
rfg
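The default-deny outbound port 25 policy the post calls for (blocked for all customers unless explicitly requested), as an added example that is not part of the original message and is not any named provider's actual configuration: a POSIX shell function that renders an nftables ruleset from an allowlist file of customers who asked for direct SMTP. The table, chain and set names, the forward hook, and the allowlist file format are assumptions; the sample addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post or from any provider named in it.
# Outbound SMTP (TCP/25) from customer address space is dropped by default;
# only sources listed in an allowlist file (one IPv4 address or CIDR per line,
# '#' comments allowed) are exempted. Names and layout below are assumptions.
set -eu

# Print a complete nftables ruleset to stdout.
#   $1 = allowlist file of customers who explicitly asked for port 25
#   $2 = the customer address range the policy covers
render_smtp_egress_policy() {
    allowlist="$1"
    customer_net="$2"
    # Keep non-empty, non-comment lines and join them as "a, b, c".
    elements=$(grep -Ev '^[[:space:]]*(#|$)' "$allowlist" | paste -sd, - | sed 's/,/, /g') || true
    cat <<EOF
table inet smtp_egress {
    # Customers who explicitly requested direct outbound SMTP.
    set smtp_allowed {
        type ipv4_addr
        flags interval
EOF
    # nft rejects an empty "elements = { }", so emit the line only when needed.
    [ -n "$elements" ] && printf '        elements = { %s }\n' "$elements"
    cat <<EOF
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Exempted customers pass; everyone else in customer space is counted and dropped.
        ip saddr @smtp_allowed tcp dport 25 accept
        ip saddr ${customer_net} tcp dport 25 counter drop
    }
}
EOF
}

# Constructed sample allowlist (documentation addresses, not real customers).
sample=$(mktemp)
printf '# ticket EXAMPLE-1: customer requested direct SMTP\n203.0.113.10\n203.0.113.64/26\n' > "$sample"
render_smtp_egress_policy "$sample" 203.0.113.0/24
rm -f "$sample"
# Apply by saving the output to a file and running: nft -f smtp_egress.nft
# Exempt one more customer later without a full reload:
#   nft add element inet smtp_egress smtp_allowed { 192.0.2.7 }
```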

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
