RFG;
I have passed your email on to the relevant team within DO to have a look at. I’d like to thank you for your deriding commentary to bring attention to this problem. I am not sure it is the most effective way to try and engage the wider industry on a public list, but each to their own.
Oh, and additionally, as an Australian citizen with many Aussie and Kiwi colleagues working at DO of various religious persuasions; your postscript relating this back to the recent terror attacks is abhorrent and disgusting. You should be completely ashamed.
Kind regards, Nik.
Sent from my iPhone
On Mar 18, 2019, at 9:39 PM, Christian Kuhtz via NANOG <nanog@nanog.org> wrote:
Ronald,
we are asking Microsoft CDOC to investigate.
You can find a variety of ways to report issues at their website as well: https://www.microsoft.com/en-us/msrc/cdoc
Thanks, Christian
________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Ronald F. Guilmette <rfg@tristatelogic.com>
Sent: Monday, March 18, 2019 5:02:38 PM
To: nanog@nanog.org
Subject: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)
OVH, DigitalOcean, and Microsoft...
Is there anybody awake and conscious at any of these places? I mean anybody who someone such as myself... just part of the Great Unwashed Masses... could actually speak to about a real and ongoing problem?
Maybe most of you here will think that this is just a trivial problem, and one that's not even worth mentioning on NANOG. So be it. Make up your own minds. Here is the problem...
For some time now, there has been an ongoing campaign of bitcoin extortion spamming going on which originates primarily or perhaps exclusively from IPv4 addresses owned by OVH and DigitalOcean. These scam spams have now been publicised in multiple places:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyonlinese...
Yea, that's just one place, I know, but there's also no shortage of people tweeting about this crap also, in multiple languages even!
The thing of it is that ALL of this crap... all of these scam spams... are quite obviously originating out of the networks of OVH and DigitalOcean. And it's not even all that hard to figure out where from, exactly and specifically. I generated the following survey, on the fly, last night, based on a simple reverse DNS scan of the evidently relevant address ranges:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.c...
As anyone who isn't as blind as a bat can easily see, there's a bit of a pattern here. All of the spam source IPs are on just two ASNs:
AS16276 - OVH SAS
AS4061 - DigitalOcean, LLC
It's equally clear that there have already been numerous reports about this ongoing and blatantly criminal activity that have been sent to the low-level high school dropout interns that these companies, like most others on the Internet these days, choose to employ as their first-level minions in their "not a profit center" abuse handling departments. So, guess what? Surprise, surprise! None of those clue-deprived flunkies have apparently yet managed to figure out that there's a pattern here. Duh! As a result, the scamming and the spamming just go on and on and on, and the spammer-scammer just keeps on getting fresh new IP addresses on both of these networks... and fresh (and utterly free) new domain names from the equally careless company called Freenom.
So, you know, I really would appreciate it if someone could either put me in touch with some actual sentient being at either OVH or DigitalOcean... assuming that any such actually exist... or at the very least, try to find one to whom clue may be passed about all this, because although these scam spams were kind of humorous and novel at first, the novelty has now worn off and they're really not all that funny anymore.
Oh! And while we are on the subject, I'd also like to obtain a contact, preferably one which is also and likewise in possession of something roughly approximating clue, at this place:
AS200517 - Microsoft Deutschland MCIO GmbH
The reason is that although MS Deutschland is most probably not the source of any of the spams, they, or at least their 51.18.39.107 address, do appear to be mixed up in all of this somehow:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.c...
I dunno. Maybe Microsoft has managed to engineer a merger with the CIA (?) If not, then maybe they would be so kind as to rat out this specific criminal customer of theirs to appropriate authorities.
Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for all of the admirable work they do, but you know the old saying... charity begins at home. So my hope is that they will seek to get this low-life off their network immediately, if not sooner, and then also seek to arrange suitable long term accommodations for him in, say, Florence, Colorado, or, if he/she/it has a higher than average level of tan, I hope that they will make all necessary inquiries to find out if there are still any open bunks available in Gitmo.
Regards, rfg
P.S. In recent days, the popular media has fanned the flames of controversy, as it is their habit to do, over the question of whether or not the various social media companies could have somehow automagically spotted and deleted, in real time, with some sort of yet-to-be-invented artificial intelligence wizardry, the shooter videos from New Zealand. Of course, none of the TV personalities who so cavalierly offer up their totally uninformed opinions on this question have ever themselves gotten within a country mile of the kinds of AI that could, perhaps in another decade or three, reliably distinguish between a video of a mass shooting and a video of a particularly raucous birthday party. It's a hard problem.
In contrast to that hard problem, spotting the kind of trivial reverse DNS pattern I've noted above is child's play and a no brainer. Why then, one might reasonably ask, have the combined abuse departments of both OVH and DigitalOcean been either utterly unable or else utterly unwilling to do so? Solving these kinds of trivial problems does not await the development of some advanced new artificial intelligence. It just requires the judicious application of a small bit of the non-artificial kind of intelligence. But the industry, it seems, can't, or won't, even manage that.