Two notes:
1) We have seen most of the telecom fraud happen from three general locations
a. The phones themselves. For instance, people putting phones out there with the default password.
b. Compromised routers. Fraudsters will compromise a CPE and bounce their traffic through it. Back in the day when we banned Palestine most of the fraud went down. Once they caught on they realized the traffic needed to flow from anywhere but PS.
c. OVH - We used to get a lot from there till we started banning large blocks of their ranges. It seems the fraudsters caught on and they are going the route of compromised CPEs.

2) I spoke a few years back with the lead network engineers at DO and without giving away too much they are very aware that people use their network for fraud and actively work against it. I am not sure about their abuse team but I know their core engineers have methods in place and shut down malicious activity. The issue is it's easier said than done.



On Mon, Mar 18, 2019 at 8:03 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

OVH, DigitalOcean, and Microsoft...

Is there anybody awake and conscious at any of these places?  I mean
anybody who someone such as myself... just part of the Great Unwashed
Masses... could actually speak to about a real and ongoing problem?

Maybe most of you here will think that this is just a trivial problem, and
one that's not even worth mentioning on NANOG.  So be it. Make up your own
minds.  Here is the problem...

For some time now, there has been an ongoing campaign of bitcoin
extortion spamming going on which originates primarily or perhaps
exclusively from IPv4 addresses owned by OVH and DigitalOcean.
These scam spams have now been publicised in multiple places:

   https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/

Yea, that's just one place, I know, but there's also no shortage of people
tweeting about this crap also, in multiple languages even!

    https://twitter.com/SpamAuditor/status/1107365604636278784
    https://twitter.com/dvk01uk/status/1107510553621266433
    https://twitter.com/bortzmeyer/status/1107737034049900544
    https://twitter.com/ariestess69/status/1107468838596038656
    https://twitter.com/bernhard_mahr/status/1107513313020297216
    https://twitter.com/jzmurdock/status/1107679858945974272
    https://twitter.com/gamamb/status/1107384186548207617
    https://twitter.com/davidgsIoT/status/1107725201331097606
    https://twitter.com/cybers_guards/status/1107675396076560384
    https://twitter.com/ThatHostingCo/status/1107588660831105024
    https://twitter.com/fladna9/status/1107554090765242368
    https://twitter.com/JUSTADACHI/status/1107549777607184384
    https://twitter.com/okhin/status/1107627379650908160
    https://twitter.com/Purple_Wyrm/status/1107454618705887232
    https://twitter.com/LadyOFyre/status/1107349022220550144
    https://twitter.com/laurelvail/status/1107345980062523392
    https://twitter.com/Alex__Rubio/status/1107595560440217600

The thing of it is that ALL of this crap... all of these scam spams... are
quite obviously originating out of the networks of OVH and DigitalOcean.
And it's not even all that hard to figure out where from, exactly and
specifically.  I generated the following survey, on the fly, last night,
based on a simple reverse DNS scan of the evidently relevant address
ranges:

    https://pastebin.com/raw/WtM0Y5yC

As anyone who isn't as blind as a bat can easily see, there's a bit of a
pattern here.  All of the spam source IPs are on just two ASNs:

   AS16276 - OVH SAS
   AS4061 - DigitalOcean, LLC

It's equally clear that there have already been numerous reports about this
ongoing and blatantly criminal activity that have been sent to the low-level
high school dropout interns that these companies, like most others on the
Internet these days, choose to employ as their first-level minions in their
"not a profit center" abuse handling departments.  So, guess what?  Surprise,
surprise!  None of those clue-deprived flunkies have apparently yet managed
to figure out that there's a pattern here.  Duh!  As a result, the scamming
and the spamming just go on and on and on, and the spammer-scammer just
keeps on getting fresh new IP addresses on both of these networks... and
fresh (and utterly free) new domain names from the equally careless company
called Freenom.

So, you know, I really would appreciate it if someone could either put me
in touch with some actual sentient being at either OVH or DigitalOcean...
assuming that any such actually exist... or at the very least, try to find
one to whom clue may be passed about all this, because although these scam
spams were kind of humorous and novel at first, the novelty has now worn off
and they're really not all that funny anymore.

Oh!   And while we are on the subject, I'd also like to obtain a contact,
preferably one which is also and likewise in possession of something roughly
approximating clue, at this place:

   AS200517 - Microsoft Deutschland MCIO GmbH

The reason is that although MS Deutschland is most probably not the source
of any of the spams, they, or at least their 51.18.39.107 address, do appear
to be mixed up in all of this somehow:

    https://pastebin.com/raw/ziVNCmZ8

I dunno.  Maybe Microsoft has managed to engineer a merger with the CIA (?)
If not, then maybe they would be so kind as to rat out this specific criminal
customer of theirs to appropriate authorities.

Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for
all of the admirable work they do, but you know the old saying... charity
begins at home.  So my hope is that they will seek to get this low-life off
their network immediately, if not sooner, and then also seek to arrange
suitable long term accommodations for him in, say, Florence, Colorado, or,
if he/she/it has a higher than average level of tan, I hope that they will
make all necessary inquiries to find out if there are still any open bunks
available in Gitmo.


Regards,
rfg


P.S.  In recent days, the popular media has fanned the flames of controversy,
as it is their habit to do, over the question of whether or not the various
social media companies could have somehow automagically spotted and deleted,
in real time, with some sort of yet-to-be-invented artificial intelligence
wizardry, the shooter videos from New Zealand.  Of course, none of the TV
personalities who so cavalierly offer up their totally uninformed opinions
on this question have ever themselves gotten within a country mile of the
kinds of AI that could, perhaps in another decade or three, reliably
distinguish between a video of a mass shooting and a video of a particularly
raucous birthday party.  It's a hard problem.

In contrast to that hard problem, spotting the kind of trivial reverse DNS
pattern I've noted above is child's play and a no brainer.  Why then, one
might reasonably ask, have the combined abuse departments of both OVH and
DigitalOcean been either utterly unable or else utterly unwilling to do so?
Solving these kinds of trivial problems does not await the development of
some advanced new artificial intelligence.  It just requires the judicious
application of a small bit of the non-artificial kind of intelligence.  But
the industry, it seems, can't, or won't, even manage that.
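As an added illustration (not part of this thread or of Ronald's pastebin survey), here is a small Python script in the spirit of the reverse DNS sweep described above, written from an abuse-desk point of view: it collapses the numbering in PTR names so that hosts differing only by a counter share one template, then reports templates shared by several addresses, which is the kind of clustering that makes a burst of look-alike sender hosts stand out. All addresses and hostnames below are constructed samples in documentation ranges; the live lookup helper uses only the standard socket module.

```python
import re
import socket
from collections import defaultdict

# Constructed sample rDNS results (ip -> PTR name or None), standing in for
# the output of a live reverse-DNS sweep; purely illustrative values.
SAMPLE_PTRS = {
    "192.0.2.10": "mta-1.bulk-example.invalid",
    "192.0.2.11": "mta-2.bulk-example.invalid",
    "192.0.2.12": "mta-3.bulk-example.invalid",
    "192.0.2.13": "mta-4.bulk-example.invalid",
    "198.51.100.5": "vps-12345.hosting.example.net",
    "198.51.100.6": "vps-67890.hosting.example.net",
    "203.0.113.7": "web.example.org",
    "203.0.113.8": None,  # no PTR record at all
}


def normalize_ptr(name):
    """Lower-case the name and replace every run of digits with '#'
    so that mta-1 / mta-2 / ... map onto one template."""
    return re.sub(r"\d+", "#", name.lower())


def cluster_ptrs(ptrs, min_size=3):
    """Group IPs by normalized PTR template; return only templates that
    cover at least min_size addresses (the suspicious 'pattern')."""
    groups = defaultdict(list)
    for ip, name in ptrs.items():
        if name:  # addresses without a PTR cannot be templated
            groups[normalize_ptr(name)].append(ip)
    return {t: sorted(ips) for t, ips in groups.items() if len(ips) >= min_size}


def reverse_sweep(ips, timeout=2.0):
    """Live rDNS lookup for an iterable of IP strings (network required;
    the offline demo below uses SAMPLE_PTRS instead)."""
    socket.setdefaulttimeout(timeout)
    results = {}
    for ip in ips:
        try:
            results[ip] = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            results[ip] = None
    return results


if __name__ == "__main__":
    for template, ips in cluster_ptrs(SAMPLE_PTRS).items():
        print(f"{template}: {len(ips)} hosts -> {', '.join(ips)}")
```

Feeding the output of `reverse_sweep()` over a suspect range into `cluster_ptrs()` reproduces the survey idea end to end; lowering `min_size` widens the net at the cost of more noise.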