Subtitle: Another Big Mess On Aisle Thirteen. Somebody Grab The Mop!

Just over a month ago, I was here, doing what I always do, bitching and moaning about the low-life trash that is typically allowed to roam free and unfettered on the Internet:

https://mailman.nanog.org/pipermail/nanog/2019-March/100135.html

Shortly thereafter, it appeared that perhaps that effort on my part had not been a total waste of electrons. The extortion spams stopped, for awhile anyway, and it started to look like Digital Ocean had in fact kicked the perp's ass to the curb. So, you know, case closed, right?

Well, not really. Once this kind of clown gets a taste for the easy money, it's hard to go back to actually washing dishes for a living again. So, you know, HE'S BACK.

https://twitter.com/SpamAuditor/status/1120473072354635779

(And for those of you who may want to claim that I'm being sexist, and that I can't know for sure if it is a man or a woman behind this shit, I just have one word: No. Women don't do this shit. Perhaps they have more respect for their fellow humans, or whatever. But the reality is, of all the low-life scumbag spammers that I've ID'd over the past 20+ years... and there have been plenty of them... 99,99% have been men. That's just a fact.)

So anyway, based on the current evidence, it's looking like Digital Ocean -may- possibly have actually -tried- to kick this guy off their network, or maybe not. (See below.) It's possible that they just told him that they would be happy to keep on taking his money, but that he just shouldn't spam from their network anymore. I don't really have any way of knowing. They didn't tell me the crook's name, so who the hell knows?

In any case, now it appears that this same specific spammer and con-man is now doing his extortion spamming 100% from AS24940 Hetzner.

Here is a freshly updated list of all of his spam spewer FQDNs, and the IPv4 addresses that all of them are pointed at right now:

https://pastebin.com/raw/3fbACedn

If and only if Digital Ocean (AS14061) really did kick this scumbag's ass to the curb... or if they at least tried to do so... then that eliminates all of the IP addresses shown in the above list that are prefixed with Digital Ocean's ASN (14061) from the list, at least as far as outbound spamming is concerned. That would leave us with only the AS24940 Hetzner IP addresses as current live spam spewers:

https://pastebin.com/raw/t9Rs4HMT

(In case it isn't obvious, I do advise all parties not to accept any incoming email from any of the above listed IPs or domain names until this all gets cleaned up.)

Meanwhile, I'd like to get hold of a (non-role) contact email address for any warm body at Hetzner who may actually give a shit about any of this. I understand that this may be a REAL big ask. I have been informed, just today, by a reliable source that fundamentally, Hetzner just doesn't do shit about spam reports sent their way. And anyway, why would they? Apparently, none of the other big hosting providers do anything but ignore the spam reports that are sent to them either.

And just as Digital Ocean had done to me one month ago, when I had occasion to send Hetzner a report about some totally unrelated spam that I received, just today, from their network, about 30 seconds later I got back what can only be called an "ignore bot" automated email reply, telling me ... just as Digital Ocean has done to me previously... that while it was perfectly OK with them if their customers spammed me via the medium of email, that there was nonetheless no freakin' way that THEY would entertain any reports about that VIA EMAIL.
So I was told to fill out some web form on the Hetzner web site, so that Hetzner staff could remain anonymous, and could anonymously receive that report, and then immediately and with all due haste dispatch it forthwith directly to /dev/null. Swell.

So, you know, it may not do a bit of good, but I really would like to be able to find out for myself if Hetzner is just totally staffed by mindless robots, utterly lacking in compassion and empathy and also any sense of ethics, or if there is at least one live engineer there... someone with a name and a face and maybe even a friend or relative who has been conned by one in this endless parade of unaccountable Internet fraudsters. I'd like to find out, in other words, if there is any warm body there who even gives a shit.

So, if any of you who are reading this happen to know any live humans at Hetzner, please do send me their contact info. I am most certainly *not* going to fill out Hetzner's dumb-ass waste-of-my-time web form just for the honor of informing THEM of THEIR freakin' problem child customer, especially given the high probability that my attempt to report this to them will go straight to the bit bucket.

I actually don't mind lending a hand to help mega providers like this to clean their own toilets. I do mind however when they go out of their way to make it harder and more tedious and time consuming for me to do that.

In fact it would be nice if this entire industry would get its collective head out of its collective ass, recognize that it has an ongoing problem with Bad Actors acquiring "hosting" resources, and figure out a way to deal with that that DOESN'T just involve taking the money and looking the other way, and routinely ignoring all abuse reports.

(The smaller providers actually deal with this problem much better than the bigger ones. THEY at least are not cowed into utter silence by paranoid and over-protective corporate counsel.
So they can and do let one another know when a Bad Actor is out there, roaming the streets, looking for hosting companies to use and abuse. Just search webhostingtalk.com for mentions of "PredictLabs" and you can see for yourselves. This isn't anti-trust. This is self-preservation, which is different, even if a lot of corporate counsel are just too effing stoopid to grasp the important differences between Standard Oil in the year 1900 and a modern Neighborhood Watch group.)

Anyway, to return to today's Bad Actor de jure, although it is looking like he is graciously confining his outbound spamming to just AS24940, i.e. Hetzner at the moment, it's apparent that he plans to be around for awhile, even in the unlikely event that anybody at Hetzner should notice what he is doing -or- elect to give a shit about it. So he's done what any Internet user seeking survivability does... he has distributed his name servers over several different networks. Specifically here they all are:

    67.215.224.116    ns1.eatshit.xyz
    81.4.102.145      ns1.epicdns.xyz
    81.17.24.253      ns1.suck-me.xyz
    95.179.209.35     ns1.suckmycock.online
    142.11.199.11     ns1.privatedns.top
    142.93.227.159    ns1.younoob.life
    145.14.157.84     ns1.gmail-dns.com
    168.235.86.16     ns1.privatedns.rocks
    185.158.249.155   ns1.mynameservers.org
    185.249.197.6     ns1.fuckdns.org

(The ns2. name server in all of these cases is on the same IPv4 address with the ns1. server.)

So, even though this guy is likely only spamming from Hetzner at present, he's got his name servers well distributed, as you can see above. Those name servers are scattered around on all of the following networks (in numerical order):

    AS3842     US  RamNode LLC
    AS8100     US  QuadraNet Enterprises LLC
    AS14061    US  DigitalOcean, LLC
    AS20473    US  Choopa, LLC
    AS47583    CY  Hostinger International Limited
    AS51852    PA  Private Layer INC
    AS54290    US  Hostwinds LLC.
    AS58329    DE  easystores GmbH
    AS62370    NL  Snel.com B.V.
    AS197071   DE  Dennis Rainer Warnholz trading as active-servers.com

I would consider it a good day's work if I could get people here on this list to help me to get some of these name servers turned off, and the associated accounts canceled, but I'm probably hoping for too much. Still, I have to ask. Please help if you can. I spent several hours working on this case today. Maybe the rest of you could pitch in just long enough to send polite email to one or more of the above networks, just to let them know that they have a problem child as a customer (at the exact addresses listed above). You can send them also a link to this posting in the NANOG archives also if you like. I don't know if that would help or hurt, but it is worth a try.

Anyway, "takedowns" shouldn't only be for botnets. When the Internet does... as it frequently does these days... get this kind of exceptionally annoying AND exceptionally criminal professional spammer, it would be kind of nice if there were some way to get his ass totally turfed from the whole Internet. That seems to have happened in the case of Bitcanal... with a lot of help from a lot of concerned netizens. Why should a case like this be any different?

This guy needs to be gone. I'm perfectly OK with me repeatedly -finding- all of his shit, and then reporting it here or elsewhere. (It takes -me- less effort to find it than it takes -him- to set it all up.) The missing part of the puzzle is action, by the relevant providers.

So, please help me to do a full takedown on this guy. Please.

Thanks for listening.

Regards,
rfg

P.S. I do hope that everyone will have noticed that Digital Ocean is listed above as being among the set of providers that are giving service to one of this dickhead's name servers. I'll give them the benefit of the doubt and try to believe that they really did fully kick this guy to the curb last month, not long after I bitched about him here.
Even if that's the case however, he has clearly managed to sneak back on to Digital Ocean's network. So, obvious question: Whose fault is that?

About ten years ago I had my one and only European Vacation. I was shocked when, in France, I went to buy a cheap cell phone that would work on French networks and they ASKED ME FOR MY PASSPORT. It wasn't a problem. It just seemed weird because I was unaccustomed to this extra level of security.

So, I have to ask: Why does one need to demonstrate one's identity to a greater degree if one buys a simple cell phone, as opposed to, say, buying a hosting account, late on a Friday, after which you may immediately start spamming and then spam one's brains out, to all seven billion people on this planet if desired, before the regular staff at the hosting company even comes back in to work on Monday morning?

If there's a universe in which this all makes sense, then all I can say is that I personally am not in that one.