Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-27 Thread Rich Kulawiec
On Mon, Mar 18, 2019 at 05:02:38PM -0700, Ronald F. Guilmette wrote:
> I generated the following survey, on the fly, last night,
> based on a simple reverse DNS scan of the evidently relevant address
> ranges:
> 
> https://pastebin.com/raw/WtM0Y5yC
> 
> As anyone who isn't as blind as a bat can easily see, there's a bit of a
> pattern here.  

I finally found time to check this out.  And I have to ask: how in the
heck did anybody accept this operation as a customer?  Because it's
obvious on inspection -- of the information in that paste -- that they're
abusers.  Let me 'splain.

First, domains in certain TLDs should be considered as -- at best --
dubious until proven otherwise, because those TLDs are well-known as
abuse magnets.  Every domain in this sample falls in that category.
Anyone making mass use of domains in those TLDs is up to something
abusive.

Second, anyone making mass requests for PTR records for random subdomains 
is up to something abusive.

Third, anyone mass-registering domains whose names are permutations of
each other is up to something abusive.  (I'm not talking about someone
registering a couple of domains that are plausible typos of a primary one
or engaging in defensive registrations across a few TLDs.  Look at the
list, this is obviously quite different from those cases.)

Fourth, anyone mass-registering domains whose names are intended
to be typo'd and/or misread is up to something abusive.

Anybody doing all of the above is not only up to something abusive,
but they're standing on a rooftop screaming it through a bullhorn.

The word "mass" is key throughout not only because it is a highly reliable
indicator of ensuing abuse but because its nature makes detecting this
up front quite easy.  Once I got to it, it took me less than a minute
of scanning that list to determine that there is absolutely no way I
would accept this operation as a customer.  I recognize that not everyone
has my experience in this area, but surely every operation should
have someone equipped with modest experience and a skeptical eye who
screens new customers, and, at *minimum*, puts them on hold while some
due diligence takes place.  It's much easier (and cheaper) to refuse
service to operations like this than to deal with the fallout that
will inevitably ensue.  It's also much better for the rest of us.

So: how did these people ever get in the door?

---rsk


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-20 Thread Rich Kulawiec
On Tue, Mar 19, 2019 at 09:17:23AM -0700, Eric Kuhnke wrote:
> Absolutely unrelated to Ronald's original post, but it's ironic that the
> abuse@ address is itself heavily "abused", by commercial copyright
> enforcement companies which think it's a catch-all address for things which
> are not operationally related to the health of a network [snip]

I've seen this movie and have implemented various mitigation approaches
to it -- none of which constitute a "solution" but all of which help.

1. Block the addresses originating this traffic.  There's no need for
staff/processes on the receiving end to put up with spam.  (If it's UBE,
then it's spam -- by definition.  The content and intention are irrelevant.)

2. Use procmail to redirect it where it needs to go.

3. Set up (non-public) Mailman-operated mailing lists for each role
account and use the moderation queue on those as a throttling tool.
(This works best in conjunction with (2).  Let procmail do some of
the heavy/straightforward lifting and sort the rest out later.)
This also makes it easy to archive everything by subscribing an
address that's an append-only mailbox.

4. Funnel the output of (2) and/or (3) into one of the many ticketing
systems with priority assigned based on the characteristics of the
senders as observed over time.  

---rsk
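
The four steps above (block known UBE sources, redirect what belongs elsewhere, hold the rest in a moderation queue, ticket with a priority derived from sender history) can be expressed as one triage function in front of the ticketing system. The following is an added example, not code from the thread or from any of the tools it names; it stands in for the procmail/Mailman stage with Python's standard email parser. The sender history, the blocked list, the keyword tables and the sample messages are constructed for illustration.

```python
"""Triage for an abuse@ role account, following the four steps above: drop known UBE
sources, redirect copyright notices to the registered agent, hold unclassified mail
for moderation, and ticket real network-abuse reports with a priority that reflects
the sender's track record.

Added example; not code from the thread. The sender history, blocked list, keyword
tables and sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: (useful, junk) report counts per sender, accumulated by the ticketing system over time.
SENDER_HISTORY = {
    "noc@peer-isp.example": (40, 0),
    "notices@copyright-enforcer.example": (0, 300),
}
BLOCKED_SENDERS = {"blast@ube-sender.example"}   # step 1: addresses that only ever sent UBE

# Assumption: phrases that separate copyright notices from reports about network health.
COPYRIGHT_MARKERS = ("dmca", "copyright", "infringement", "17 u.s.c.")
NETWORK_MARKERS = ("bgp", "hijack", "ddos", "spam", "botnet", "command and control", "open resolver")


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def classify(msg):
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    network = any(m in text for m in NETWORK_MARKERS)
    copyright_notice = any(m in text for m in COPYRIGHT_MARKERS)
    if copyright_notice and not network:
        return "copyright-notice"
    if network:
        return "network-abuse"
    return "unclassified"


def sender_score(addr):
    """Fraction of a sender's past reports that were useful; unknown senders start neutral."""
    useful, junk = SENDER_HISTORY.get(addr, (0, 0))
    return useful / (useful + junk) if useful + junk else 0.5


def triage(raw_message):
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender in BLOCKED_SENDERS:
        return {"action": "drop", "reason": "blocked UBE source"}             # step 1
    kind = classify(msg)
    if kind == "copyright-notice":
        return {"action": "redirect", "queue": "dmca-agent", "kind": kind}   # step 2
    if kind == "unclassified":
        return {"action": "hold", "queue": "moderation", "kind": kind}       # step 3
    score = sender_score(sender)
    priority = "P1" if score >= 0.8 else "P2" if score >= 0.5 else "P3"     # step 4
    return {"action": "ticket", "queue": "abuse", "priority": priority,
            "sender_score": score, "kind": kind}


# Constructed sample messages; addresses and prefixes use documentation ranges.
SAMPLE_MESSAGES = [
    "From: NOC <noc@peer-isp.example>\nSubject: BGP hijack of 192.0.2.0/24 from your AS\n\n"
    "A host of yours at 203.0.113.7 is originating our prefix.\n",
    "From: notices@copyright-enforcer.example\nSubject: Notice of Claimed Infringement\n\n"
    "Pursuant to the DMCA, 17 U.S.C. 512, a subscriber at 198.51.100.9 shared a film.\n",
    "From: blast@ube-sender.example\nSubject: Grow your business\n\nBuy now.\n",
    "From: someone@example.org\nSubject: hello\n\nSomething is wrong but I am not sure what.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
```

The order matters: the block list is consulted before any parsing of content, the redirect happens before a ticket is opened, and only mail that is recognisably about network health reaches the abuse queue. Everything the classifier cannot place goes to the moderation queue rather than being dropped, so a badly worded but genuine report still gets a human look.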


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread David Hubbard
On 3/19/19, 8:23 PM, "NANOG on behalf of Ronald F. Guilmette" wrote:


In message 
, 
Tom Beecher  wrote:

>Calling everyone an idiot in the midst of Endless Pontification isn't
>really a recipe for success.

I did not call "everyone" an idiot.  I'm quite completely sure that there
are innumerable people in all of the referenced companies who are consummate
and hardworking professionals who excel at their jobs.  I do believe however,
based on considerable experience and much hard evidence, that the abuse
handling departments at OVH and DigitalOcean, and indeed at essentially
-every- sizable hosting company are less than entirely well staffed, less
than entirely well trained, less than entirely well funded, and often
inadequately effective, either due to their limited willingness or their
limited authority, as circumscribed by management, when it comes to the
execution of their assigned duties.  The abuse handling function at *every*
Internet company is the ugly stepchild, ignored whenever possible, and
typically starved of resources by management whose overriding consideration
is this quarter's P&L statement, and by extension, the nearest upcoming
executive bonus period.


Regards,
rfg


Why not just drop any prefixes from the respective ASN's?  We had to do that 
with OVH after the endless attacks coming from their networks, and lack of 
abuse response.  OVH really loves to shift the abuse around to new prefixes; I 
got tired of spending time staying ahead of it.



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette


In message 
, 
Tom Beecher  wrote:

>Calling everyone an idiot in the midst of Endless Pontification isn't
>really a recipe for success.

I did not call "everyone" an idiot.  I'm quite completely sure that there
are innumerable people in all of the referenced companies who are consummate
and hardworking professionals who excel at their jobs.  I do believe however,
based on considerable experience and much hard evidence, that the abuse
handling departments at OVH and DigitalOcean, and indeed at essentially
-every- sizable hosting company are less than entirely well staffed, less
than entirely well trained, less than entirely well funded, and often
inadequately effective, either due to their limited willingness or their
limited authority, as circumscribed by management, when it comes to the
execution of their assigned duties.  The abuse handling function at *every*
Internet company is the ugly stepchild, ignored whenever possible, and
typically starved of resources by management whose overriding consideration
is this quarter's P&L statement, and by extension, the nearest upcoming
executive bonus period.


Regards,
rfg



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ronald F. Guilmette


[[ I've just collected some new information about the length of time
   that this specific bitcoin extortion spamming bad actor has been
   on Digital Ocean's network.  For those who may only have an interest
   in that one detail, you can just skip down to the line of plus signs
   and start reading there. ]]


In message <50414.162.155.102.254.1553001814.ig...@webmail.iglou.com>, 
"Jeff McAdams"  wrote:

>(Disclosure: I, too, work for DigitalOcean as the Manager of Network
>Engineering.  Nikolas does not work for me, nor I for him.)
>
>On Tue, March 19, 2019 02:17, Ronald F. Guilmette wrote:
>>
>
>> Nikolas Geyer  wrote:
>>> I have passed your email on to the relevant team within DO to have a
>>> look at.
>
>> Thank you, but that wasn't what I requested,  I asked for a contact
>> there.
>
>Oh, is that how this works?  I ask that you FedEx me a million dollars
>cash, in small bills.  I await the arrival of said parcel.

In my experience, if you don't ask for something, you aren't likely to
get it.  There's no harm in asking.

In any case, I offer you the pertinent observation also that "small bills"
are s last century.  These days, as should now be abundantly
clear, payment in bitcoin is the preferable currency for such requests.  :-)

>> In any case, I would be more than happy to have you tell me the "right
>> way" to engage with any actual live human beings at either of these
>> companies, especially if you also are able to identify one or more such
>> receptive individuals by name and email address, which is what I was
>> requesting in the first place.
>
>Would you really be happy with that?  You derided another good-faith
>respondent to your screed with a rant about not being willing to fill out
>web forms to report abuse because it offends your sensibilities.

I stand by what I wrote.  I don't like dealing with anonymous web forms
that, for all I know, and based on the available evidence, are or may be
aliased to /dev/null.  I prefer the human touch, especially in cases
where I am seeking to find someone who may be held accountable when and
if no actual action ensues.

>We would prefer, but don't require, that you use the web form because that
>is integrated into the workflow of the groups that respond to those
>reports.  If they choose to give you their individualized contact
>information, then they can do that.  It is not my place, nor Nikolas', to
>give out individual contact information for our co-workers out to anyone
>who asks.  That would be irresponsible and obnoxious for us to do that.

I am not just "anyone who asks".  I am a guy who's been spammed from your
network.  If you read my earlier report, then you should know that I am
also the guy who took the time to carefully research this, and to provide
your company with information about this specific crook/spammer...
information that, it seems, you folks yourselves have apparently been
largely or entirely unaware of, and for some considerable time now.
Given that context, am I really entirely undeserving of even being
informed of the mere email address of the head of DigitalOcean's abuse
handling department, assuming, at least for the sake of argument, that
such an individual does in fact exist?  Wouldn't it be a Good Thing
if that person and I could communicate directly?

And more to the point, what would be the downside, exactly, if that
person's name and email address were not only given to me, but also
scattered to the four winds and given out to everyone on the planet?
Are you implicitly asserting that that person might then have to (gasp!)
deal with some additional influx of spam into his or her inbox?  If so,
then I can't help but wonder aloud why that person should NOT join the
rest of us mere mortals in that shared and miserable club.  Perhaps it
would even be of some benefit for that person to come down out of the
clouds at least long enough to experience what the rest of us poor
sods have to deal with on a routine and daily basis.  The experience
might even enhance that person's understanding of, and appreciation of
the very kinds of (spamming) problem that he or she is being paid to
attend to.  Stranger things have happened.

I'll be generous here and will refrain from leaping to any conclusions
that the person in question does not want his or her identity to be
generally known for fear that he/she might then be personally criticised
for his/her work and/or the lack thereof.  But other than that, and a
possible desire to avoid receiving any of this same spam-slime that the
rest of us poor slobs get coated in on a daily basis, I really can't
imagine what other reasons there might be that would cause Digital
Ocean's abuse handling staff and/or the management thereof to be so
overwhelmingly discreet.

What I can say, rather definitively now, is that the specific bitcoin
scammer-spammer that prompted me to begin this thread has been given,
over time, and by your company, Digital Ocean, no fewer than five hundred
and fifty 

Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread niels=nanog

Apologies, it was in reply to a list mail. Just bad threading.

* niels=na...@bakker.net (niels=na...@bakker.net) [Tue 19 Mar 2019, 16:51 CET]:

Kind of bad netiquette to repost a private email to the list



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Eric Kuhnke
Absolutely unrelated to Ronald's original post, but it's ironic that the
abuse@ address is itself heavily "abused", by commercial copyright
enforcement companies which think it's a catch-all address for things which
are not operationally related to the health of a network (BGP hijacks,
DDoS, spam email traffic, botnet/virus/worm/trojan traffic command and
control and such).

Despite the presence of a registered DMCA agent address[1][2] for an ASN,
many companies continue to flood abuse@ with copyright notices. Ask any ISP
that operates in the English language Internet but is not physically
located in the USA (NZ, AU, CA, etc) how many USA-specific legal threats
their abuse inbox receives. Usually for something like a residential
customer torrenting a TV show.

1: https://www.copyright.gov/dmca-directory/
2: https://www.copyright.gov/rulemaking/onlinesp/NPR/faq.html




On Tue, Mar 19, 2019 at 7:50 AM Rich Kulawiec  wrote:

> On Tue, Mar 19, 2019 at 09:23:34AM -0400, Jeff McAdams wrote:
> > We would prefer, but don't require, that you use the web form because
> that
> > is integrated into the workflow of the groups that respond to those
> > reports.
>
> Why isn't abuse@ integrated into the workflow?  It darn well should be,
> (a) given that RFC 2142 has been "on the books" for 22 years and
> (b) given that methods for handling incoming abuse (or bug, or outage,
> or other) reports via email to role accounts are numerous and reliable.
>
> To be clear: if you want to offer a web form in addition to an abuse@
> address (or a security@ address, or a postmaster@ address) that's fine.
> But web forms are a markedly inferior means of communication and are
> clearly not a substitute for well-known/standardized role addresses that
> route to the appropriate people/processes.
>
> ---rsk
>
>


RE: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Jack Barrett (Appia)
I agree it could have definitely been simplified, but I also found the “endless 
pontification” a little amusing this morning.  What I do not find amusing is 
the social outrage and identity politics that has made its way into the sacred 
NANOG mailing list.

From: NANOG  On Behalf Of Tom Beecher
Sent: Tuesday, March 19, 2019 9:01 AM
To: Ronald F. Guilmette 
Cc: NANOG 
Subject: Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

This entire thread could easily have been simply :

"Hey all! I'm having some challenges reaching a live person in the abuse groups 
for X, Y, and Z. Can anyone help with a contact, or if anyone from those 
companies sees this, can you contact me off-list?"

Calling everyone an idiot in the midst of Endless Pontification isn't really a 
recipe for success.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread niels=nanog

Kind of bad netiquette to repost a private email to the list


-- Niels.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Nikolas Geyer
Just to clarify, we are RFC 2142 section 4 compliant. I mention section 4 
specifically as that is directly within my realm of control, the remaining 
sections I will check.

Both methods, web form submission and abuse@ are integrated ultimately into the 
same workflow. Being transparent, as things currently stand, the abuse@ 
submission method requires an additional element of human verification before 
ingestion to the workflow as it is open to abuse itself. For example, an 
annoyed former user who has been removed from the platform for abusive 
activities trying to subscribe it (and other RFC 2142 addresses) to thousands 
of pornographic mailing lists, or attempting to slam it with tens of thousands 
of junk emails.

We do take platform abuse seriously but, like any other company, there is 
always room for improvement. We have a dedicated team whose 24/7 job function 
is to continually improve our systems and processes surrounding abuse, from 
trying to stem it at top of funnel, to mitigating on-going issues with as low 
MTTR as possible, to responding to abuse@ (and web form) submissions. 

tl;dr - both submission methods are available

Sent from my iPhone

> On Mar 19, 2019, at 10:52 AM, Rich Kulawiec  wrote:
> 
>> On Tue, Mar 19, 2019 at 09:23:34AM -0400, Jeff McAdams wrote:
>> We would prefer, but don't require, that you use the web form because that
>> is integrated into the workflow of the groups that respond to those
>> reports.  
> 
> Why isn't abuse@ integrated into the workflow?  It darn well should be,
> (a) given that RFC 2142 has been "on the books" for 22 years and
> (b) given that methods for handling incoming abuse (or bug, or outage,
> or other) reports via email to role accounts are numerous and reliable.
> 
> To be clear: if you want to offer a web form in addition to an abuse@
> address (or a security@ address, or a postmaster@ address) that's fine.
> But web forms are a markedly inferior means of communication and are
> clearly not a substitute for well-known/standardized role addresses that
> route to the appropriate people/processes.
> 
> ---rsk
> 


RE: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Ray Orsini
I originally held back on a similar response. But I had the exact same opinion. 
It works against your argument when you start off with insults and 
condescension. Personally, I would not refer anyone to someone making a post 
like this.

Regards,


Ray Orsini – CEO
Orsini IT, LLC – Technology Consultants
VOICE – DATA – BANDWIDTH – SECURITY – SUPPORT
P: 305.967.6756 x1009   E: r...@orsiniit.com   TF: 844.OIT.VOIP
http://www.orsiniit.com | Schedule a Call: https://orsiniit.as.me/?calendarID=1756688

From: NANOG  On Behalf Of Tom Beecher
Sent: Tuesday, March 19, 2019 10:01 AM
To: Ronald F. Guilmette 
Cc: NANOG 
Subject: Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

This entire thread could easily have been simply :

"Hey all! I'm having some challenges reaching a live person in the abuse groups 
for X, Y, and Z. Can anyone help with a contact, or if anyone from those 
companies sees this, can you contact me off-list?"

Calling everyone an idiot in the midst of Endless Pontification isn't really a 
recipe for success.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread John Peach

On 3/19/19 10:49 AM, Rich Kulawiec wrote:
> On Tue, Mar 19, 2019 at 09:23:34AM -0400, Jeff McAdams wrote:
>> We would prefer, but don't require, that you use the web form because that
>> is integrated into the workflow of the groups that respond to those
>> reports.
>
> Why isn't abuse@ integrated into the workflow?  It darn well should be,
> (a) given that RFC 2142 has been "on the books" for 22 years and
> (b) given that methods for handling incoming abuse (or bug, or outage,
> or other) reports via email to role accounts are numerous and reliable.
>
> To be clear: if you want to offer a web form in addition to an abuse@
> address (or a security@ address, or a postmaster@ address) that's fine.
> But web forms are a markedly inferior means of communication and are
> clearly not a substitute for well-known/standardized role addresses that
> route to the appropriate people/processes.
>
> ---rsk



+1



--
John
PGP Public Key: 412934AC


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Rich Kulawiec
On Tue, Mar 19, 2019 at 09:23:34AM -0400, Jeff McAdams wrote:
> We would prefer, but don't require, that you use the web form because that
> is integrated into the workflow of the groups that respond to those
> reports.  

Why isn't abuse@ integrated into the workflow?  It darn well should be,
(a) given that RFC 2142 has been "on the books" for 22 years and
(b) given that methods for handling incoming abuse (or bug, or outage,
or other) reports via email to role accounts are numerous and reliable.

To be clear: if you want to offer a web form in addition to an abuse@
address (or a security@ address, or a postmaster@ address) that's fine.
But web forms are a markedly inferior means of communication and are
clearly not a substitute for well-known/standardized role addresses that
route to the appropriate people/processes.

---rsk



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Tom Beecher
This entire thread could easily have been simply :

"Hey all! I'm having some challenges reaching a live person in the abuse
groups for X, Y, and Z. Can anyone help with a contact, or if anyone from
those companies sees this, can you contact me off-list?"

Calling everyone an idiot in the midst of Endless Pontification isn't
really a recipe for success.

On Mon, Mar 18, 2019 at 8:04 PM Ronald F. Guilmette 
wrote:

>
> OVH, DigitalOcean, and Microsoft...
>
> Is there anybody awake and conscious at any of these places?  I mean
> anybody who someone such as myself... just part of the Great Unwashed
> Masses... could actually speak to about a real and ongoing problem?
>
> Maybe most of you here will think that this is just a trivial problem, and
> one that's not even worth mentioning on NANOG.  So be it. Make up your own
> minds.  Here is the problem...
>
> For some time now, there has been an ongoing campaign of bitcoin
> extortion spamming going on which originates primarily or perhaps
> exclusively from IPv4 addresses owned by OVH and DigitalOcean.
> These scam spams have now been publicised in multiple places:
>
>https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/
>
> Yea, that's just one place, I know, but there's also no shortage of people
> tweeting about this crap also, in multiple languages even!
>
> https://twitter.com/SpamAuditor/status/1107365604636278784
> https://twitter.com/dvk01uk/status/1107510553621266433
> https://twitter.com/bortzmeyer/status/1107737034049900544
> https://twitter.com/ariestess69/status/1107468838596038656
> https://twitter.com/bernhard_mahr/status/1107513313020297216
> https://twitter.com/jzmurdock/status/1107679858945974272
> https://twitter.com/gamamb/status/1107384186548207617
> https://twitter.com/davidgsIoT/status/1107725201331097606
> https://twitter.com/cybers_guards/status/1107675396076560384
> https://twitter.com/ThatHostingCo/status/1107588660831105024
> https://twitter.com/fladna9/status/1107554090765242368
> https://twitter.com/JUSTADACHI/status/1107549777607184384
> https://twitter.com/okhin/status/1107627379650908160
> https://twitter.com/Purple_Wyrm/status/1107454618705887232
> https://twitter.com/LadyOFyre/status/110734900550144
> https://twitter.com/laurelvail/status/1107345980062523392
> https://twitter.com/Alex__Rubio/status/1107595560440217600
>
> The thing of it is that ALL of this crap... all of these scam spams... are
> quite obviously originating out of the networks of OVH and DigitalOcean.
> And it's not even all that hard to figure out where from, exactly and
> specifically.  I generated the following survey, on the fly, last night,
> based on a simple reverse DNS scan of the evidently relevant address
> ranges:
>
> https://pastebin.com/raw/WtM0Y5yC
>
> As anyone who isn't as blind as a bat can easily see, there's a bit of a
> pattern here.  All of the spam source IPs are on just two ASNs:
>
>AS16276 - OVH SAS
>AS4061 - DigitalOcean, LLC
>
> It's equally clear that there have already been numerous reports about this
> ongoing and blatantly criminal activity that have been sent to the low-level
> high school dropout interns that these companies, like most others on the
> Internet these days, choose to employ as their first-level minions in their
> "not a profit center" abuse handling departments.  So, guess what?  Surprise,
> surprise!  None of those clue-deprived flunkies have apparently yet managed
> to figure out that there's a pattern here.  Duh!  As a result, the scamming
> and the spamming just go on and on and on, and the spammer-scammer just
> keeps on getting fresh new IP addresses on both of these networks... and
> fresh (and utterly free) new domain names from the equally careless company
> called Freenom.
>
> So, you know, I really would appreciate it if someone could either put me
> in touch with some actual sentient being at either OVH or DigitalOcean...
> assuming that any such actually exist... or at the very least, try to find
> one to whom clue may be passed about all this, because although these scam
> spams were kind of humorous and novel at first, the novelty has now worn off
> and they're really not all that funny anymore.
>
> Oh!   And while we are on the subject, I'd also like to obtain a contact,
> preferbly one which is also and likewise in possession of something roughly
> approximating clue, at this place:
>
>AS200517 - Microsoft Deutschland MCIO GmbH
>
> The reason is that although MS Deutschland is most probably not the source
> of any of the spams, they, or at least their 51.18.39.107 address, do
> appear
> to be mixed up in all of this somehow:
>
> https://pastebin.com/raw/ziVNCmZ8
>
> I dunno.  Maybe Microsoft has managed to engineer a merger with the CIA (?)
> If not, then maybe they would be so kind as to rat out this specific
> criminal
> customer of their's to appropriate authorities.
>
> Don't get me 

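As an added example (not code from the original post, nor from any of the companies named), here is the kind of check the reverse-DNS survey in the quoted post relies on: map each spam source IP to its origin ASN by longest-prefix match, then tally hosts and PTR domains per ASN so that a "just two ASNs" concentration is visible at a glance. The prefix-to-ASN table and the survey lines are constructed placeholders using RFC 5737 documentation ranges, not real OVH or DigitalOcean allocations.

```python
"""Group spam source IPs from a reverse-DNS survey by originating ASN."""
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> ASN table. RFC 5737 documentation ranges stand in for
# real allocations; an actual check would load this from a routing-table dump
# or an IP-to-ASN lookup service.
PREFIX_TO_ASN = {
    "198.51.100.0/24": "AS16276",
    "198.51.100.128/25": "AS16276",  # more-specific prefix, same origin
    "203.0.113.0/24": "AS4061",
    "192.0.2.0/24": "AS64496",       # control ASN that is not in the campaign
}

# Constructed survey lines in the form "<ip> <ptr>", as a PTR scan might emit.
SURVEY = """\
198.51.100.17  mail17.example-a.tk
198.51.100.200 mail200.example-b.ml
203.0.113.5    srv5.example-c.ga
203.0.113.9    srv9.example-c.ga
198.51.100.33  NXDOMAIN
"""


def origin_asn(ip, table=PREFIX_TO_ASN):
    """Return the ASN of the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def registered_domain(ptr):
    """Last two labels of a PTR name (e.g. 'example-a.tk'); None for NXDOMAIN."""
    if ptr == "NXDOMAIN" or "." not in ptr:
        return None
    return ".".join(ptr.rstrip(".").split(".")[-2:])


def survey_by_asn(text):
    """Return {asn: {"ips": count, "domains": Counter}} for the survey lines."""
    out = defaultdict(lambda: {"ips": 0, "domains": Counter()})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ip, ptr = parts
        asn = origin_asn(ip) or "UNKNOWN"
        out[asn]["ips"] += 1
        dom = registered_domain(ptr)
        if dom:
            out[asn]["domains"][dom] += 1
    return dict(out)


if __name__ == "__main__":
    for asn, info in sorted(survey_by_asn(SURVEY).items()):
        print(asn, info["ips"], dict(info["domains"]))
```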
Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Jeff McAdams
(Disclosure: I, too, work for DigitalOcean as the Manager of Network
Engineering.  Nikolas does not work for me, nor I for him.)

On Tue, March 19, 2019 02:17, Ronald F. Guilmette wrote:
>

> Nikolas Geyer  wrote:
>> I have passed your email on to the relevant team within DO to have a
>> look at.

> Thank you, but that wasn't what I requested.  I asked for a contact
> there.

Oh, is that how this works?  I ask that you FedEx me a million dollars
cash, in small bills.  I await the arrival of said parcel.

> In any case, I would be more than happy to have you tell me the "right
> way" to engage with any actual live human beings at either of these
> companies, especially if you also are able to identify one or more such
> receptive individuals by name and email address, which is what I was
> requesting in the first place.

Would you really be happy with that?  You derided another good-faith
respondent to your screed with a rant about not being willing to fill out
web forms to report abuse because it offends your sensibilities.

Nikolas brought your report to the attention of the relevant group at
DigitalOcean, we also have a link on the front page of
https://www.digitalocean.com/ to Report Abuse that goes directly to the
relevant group or groups responsible.  We respond to reports (even rude
ones) here on nanog and on other relevant industry mailing lists.

We would prefer, but don't require, that you use the web form because that
is integrated into the workflow of the groups that respond to those
reports.  If they choose to give you their individualized contact
information, then they can do that.  It is not my place, nor Nikolas', to
give out individual contact information for our co-workers to anyone
who asks.  It would be irresponsible and obnoxious for us to do that.

>> Oh, and additionally, as an Australian citizen with many Aussie and
>> Kiwi colleagues working at DO of various religious persuasions; your
>> postscript relating this back to the recent terror attacks is abhorrent
>> and disgusting. You should be completely ashamed.

> It's pretty clear to me that you have rather dramatically misread
> the aforementioned postscript to my earlier post, and that a fair and
> clear-eyed reading of that should be quite entirely inoffensive to all,
> with the possible exception of some few people who work in mass media
> and/or the "news" business, such as it currently is.

As a Caucasian American, born and raised in the US Midwest, I too was
offended by your postscript.  I would encourage you to take a step back,
and consider your rhetorical tactics and whether they are beneficial to
the community, or even to your own efforts.

-- 
Jeff McAdams
Manager of Network Engineering
DigitalOcean



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Stephen Satchell
On 3/18/19 11:17 PM, Ronald F. Guilmette wrote:
> I am not sure that there is any other way that a lone outsider can or
> could engage either OVH or DigitalOcean in a way that would actually
> cause either company to take action on the issues I've reported on.
> Complaints from ordinary Internet end-lusers about this, which both
> companies must surely be drowning in by now, don't seem to be doing the
> job.
> 

I have sent reports to DigitalOcean and Microsoft about the abuse
reported to me that appears on my network.  The only response I'm
interested in is the end of said abuse.

When abuse continues to be seen on a DigitalOcean allocation, that
allocation goes into a file-and-forget ACL.

I investigate further only when a customer reports a problem connecting
with a DigitalOcean netblock.  No such reports yet, by the way.

I respond to abuse reports promptly and completely.  I expect others to
do so, just as promptly and completely.  "Pretty please" is not in my
netadmin vocabulary.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-19 Thread Christian Kuhtz via NANOG

Please use the links I provided to make sure it gets to the right people with 
the information they need as fast as possible.

Thanks,
Christian




Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Ronald F. Guilmette


In message , Christian Kuhtz wrote:

>we are asking Microsoft CDOC to investigate.

Thank you.  I am not at all sure who the mysterious "we" is intended to
represent in that sentence.  Perhaps it is just intended as the royal
"we" as in "We are not amused."  But I don't really care.  I am grateful
for any assistance from whatever quarter.

>You can find a variety of ways to report issues at their website as well:
>https://www.microsoft.com/en-us/msrc/cdoc

I do not use web forms to report spam incidents, even those as widespread
and blatantly criminal as in this instance.  It's a matter of principle.

Why should companies such as these hide behind impersonal web forms, even
as their paying customers are allowed to incessantly badger and harass me,
and millions of others, via the medium of email?  Are they too good to get
down in the muck of email with the rest of us mere peasants?  It appears
that they think so.  And in any event, where is the evidence that filling
in such a form would result in any actual action whatsoever?  I don't
see any.  Quite the opposite.  What I see, and what is exemplified by this
specific case, is that EVEN IF people do actually jump through all of the
ridiculous hoops, spammers like this are allowed to just go on and on and
on.  Where is the accountability, either personal or corporate?  Who,
specifically, should be blamed, or can be blamed, if the output of such a
web form is improperly being diverted, on a routine basis, to /dev/null?

If I'm going to invest (or waste?) my time in meticulously explaining to
some large corporation, exactly how they are screwing up, and/or exactly
who and where their bad customers are, then is it really asking too much
to hope and expect that these same companies should, at the very least,
make available some actual human being with whom I can interact, as
necessary, in order to make sure that they understand what I have taken
my time to research and explain to them?

It's a serious question, and I am constantly befuddled by the apparent
desire of large corporations... even and perhaps especially those in the
"communications" business...  to isolate themselves from any and all
outside communications, even those which might be helpful and beneficial
to the corporations themselves.   In short, would it really kill your
people in your Digital Crimes Unit to just simply publish their names
and email addresses, you know, sort of like the rest of us mere mortals
do?

Furthermore, I am compelled to ask this additional question:  Why should
it even be incumbent upon unpaid volunteer Internet firefighters, such
as myself, to inform various multi-billion dollar corporations that they
have a problem?  Are they really incapable of keeping a close eye on their
own networks and figuring this out for themselves?  I confess that on some
days it would seem so.

I now have your email address, which I see is in the microsoft.com domain.
And I thank you for that.  I hope that you won't begrudge me too awfully
much if, the next time such a situation arises, I make use of it.  As I
have bemoaned at length now, it is both rare and difficult to find an
actual and/or accountable human at most of the large corporations that
run so much of the modern Internet, and thus, I am grateful to have one
more such contact in my back pocket, especially given that you have already
demonstrated that you both care and will take at least some action in
response to serious ongoing situations such as this one.   I thank you,
and only ask that you please stay healthy and do not seek employment
elsewhere, at least until my own demise or until the sun goes nova,
whichever comes first.


Regards,
rfg



Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Nikolas Geyer
RFG;

I have passed your email on to the relevant team within DO to have a look at.

I’d like to thank you for your deriding commentary to bring attention to this 
problem. I am not sure it is the most effective way to try and engage the wider 
industry on a public list, but each to their own.

Oh, and additionally, as an Australian citizen with many Aussie and Kiwi 
colleagues working at DO of various religious persuasions; your postscript 
relating this back to the recent terror attacks is abhorrent and disgusting. 
You should be completely ashamed. 

Kind regards,
Nik.


Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Christian Kuhtz via NANOG
Ronald,

we are asking Microsoft CDOC to investigate.

You can find a variety of ways to report issues at their website as well: 
https://www.microsoft.com/en-us/msrc/cdoc

Thanks,
Christian




Re: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

2019-03-18 Thread Dovid Bender
Two notes:
1) We have seen most of the telecom fraud happen from three general
locations
a. The phones themselves. For instance people putting phones out there with
the default password.
b. Compromised routers. Fraudsters will compromise a CPE and bounce their
traffic through it. Back in the day when we banned Palestine most of the
fraud went down. Once they caught on they realized the traffic needed to
flow from anywhere but PS.
c. OVH - We used to get a lot from there till we started banning large
blocks of their ranges. It seems the fraudsters caught on and they are
going the route of compromised CPEs.

2) I spoke a few years back with the lead network engineers at DO and
without giving away too much they are very aware that people use their
network for fraud and actively work against it. I am not sure about their
abuse team but I know their core engineers have methods in place and shut
down malicious activity. The issue is it's easier said than done.



On Mon, Mar 18, 2019 at 8:03 PM Ronald F. Guilmette wrote:

>
> OVH, DigitalOcean, and Microsoft...
>
> Is there anybody awake and conscious at any of these places?  I mean
> anybody who someone such as myself... just part of the Great Unwashed
> Masses... could actually speak to about a real and ongoing problem?
>
> Maybe most of you here will think that this is just a trivial problem, and
> one that's not even worth mentioning on NANOG.  So be it. Make up your own
> minds.  Here is the problem...
>
> For some time now, there has been an ongoing campaign of bitcoin
> extortion spamming going on which originates primarily or perhaps
> exclusively from IPv4 addresses owned by OVH and DigitalOcean.
> These scam spams have now been publicised in multiple places:
>
>https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/
>
> Yea, that's just one place, I know, but there's also no shortage of people
> tweeting about this crap also, in multiple languages even!
>
> https://twitter.com/SpamAuditor/status/1107365604636278784
> https://twitter.com/dvk01uk/status/1107510553621266433
> https://twitter.com/bortzmeyer/status/1107737034049900544
> https://twitter.com/ariestess69/status/1107468838596038656
> https://twitter.com/bernhard_mahr/status/1107513313020297216
> https://twitter.com/jzmurdock/status/1107679858945974272
> https://twitter.com/gamamb/status/1107384186548207617
> https://twitter.com/davidgsIoT/status/1107725201331097606
> https://twitter.com/cybers_guards/status/1107675396076560384
> https://twitter.com/ThatHostingCo/status/1107588660831105024
> https://twitter.com/fladna9/status/1107554090765242368
> https://twitter.com/JUSTADACHI/status/1107549777607184384
> https://twitter.com/okhin/status/1107627379650908160
> https://twitter.com/Purple_Wyrm/status/1107454618705887232
> https://twitter.com/LadyOFyre/status/110734900550144
> https://twitter.com/laurelvail/status/1107345980062523392
> https://twitter.com/Alex__Rubio/status/1107595560440217600
>
> The thing of it is that ALL of this crap... all of these scam spams... are
> quite obviously originating out of the networks of OVH and DigitalOcean.
> And it's not even all that hard to figure out where from, exactly and
> specifically.  I generated the following survey, on the fly, last night,
> based on a simple reverse DNS scan of the evidently relevant address
> ranges:
>
> https://pastebin.com/raw/WtM0Y5yC
>
> As anyone who isn't as blind as a bat can easily see, there's a bit of a
> pattern here.  All of the spam source IPs are on just two ASNs:
>
>     AS16276 - OVH SAS
>     AS4061 - DigitalOcean, LLC
>
> It's equally clear that there have already been numerous reports about this
> ongoing and blatantly criminal activity that have been sent to the low-level
> high school dropout interns that these companies, like most others on the
> Internet these days, choose to employ as their first-level minions in their
> "not a profit center" abuse handling departments.  So, guess what?  Surprise,
> surprise!  None of those clue-deprived flunkies have apparently yet managed
> to figure out that there's a pattern here.  Duh!  As a result, the scamming
> and the spamming just go on and on and on, and the spammer-scammer just
> keeps on getting fresh new IP addresses on both of these networks... and
> fresh (and utterly free) new domain names from the equally careless company
> called Freenom.
>
> So, you know, I really would appreciate it if someone could either put me
> in touch with some actual sentient being at either OVH or DigitalOcean...
> assuming that any such actually exist... or at the very least, try to find
> one to whom clue may be passed about all this, because although these scam
> spams were kind of humorous and novel at first, the novelty has now worn off
> and they're really not all that funny anymore.
>
> Oh!   And while we are on the subject, I'd also like to obtain a contact,
> preferably one which is