Subtitle: Another Big Mess On Aisle Thirteen. Somebody Grab The Mop!
Just over a month ago, I was here, doing what I always do, bitching
and moaning about the low-life trash that is typically allowed to roam
free and unfettered on the Internet:
Shortly thereafter, it appeared that perhaps that effort on my part had
not been a total waste of electrons. The extortion spams stopped, for
awhile anyway, and it started to look like Digital Ocean had in fact
kicked the perp's ass to the curb. So, you know, case closed, right? Well,
not really. Once this kind of clown gets a taste for the easy money,
it's hard to go back to actually washing dishes for a living again. So,
you know, HE'S BACK.
(And for those of you who may want to claim that I'm being sexist, and
that I can't know for sure if it is a man or a woman behind this shit,
I just have one word: No. Women don't do this shit. Perhaps they
have more respect for their fellow humans, or whatever. But the reality
is, of all the low-life scumbag spammers that I've ID'd over the past 20+
years... and there have been plenty of them... 99.99% have been men.
That's just a fact.)
So anyway, based on the current evidence, it's looking like Digital
Ocean -may- possibly have actually -tried- to kick this guy off their
network, or maybe not. (See below.) It's possible that they just told
him that they would be happy to keep on taking his money, but that he
just shouldn't spam from their network anymore. I don't really have
any way of knowing. They didn't tell me the crook's name, so who the
In any case, now it appears that this same specific spammer and con-man
is now doing his extortion spamming 100% from AS24940 Hetzner. Here is
a freshly updated list of all of his spam spewer FQDNs, and the IPv4
addresses that all of them are pointed at right now:
If and only if Digital Ocean (AS14061) really did kick this scumbag's
ass to the curb... or if they at least tried to do so... then that
eliminates all of the IP addresses shown in the above list that are
prefixed with Digital Ocean's ASN (14061) from the list, at least as
far as outbound spamming is concerned. That would leave us with only
the AS24940 Hetzner IP addresses as current live spam spewers:
(In case it isn't obvious, I do advise all parties not to accept any
incoming email from any of the above listed IPs or domain names until
this all gets cleaned up.)
Meanwhile, I'd like to get hold of a (non-role) contact email address
for any warm body at Hetzner who may actually give a shit about any of
this. I understand that this may be a REAL big ask. I have been
informed, just today, by a reliable source that fundamentally, Hetzner
just doesn't do shit about spam reports sent their way.
And anyway, why would they? Apparently, none of the other big hosting
providers do anything but ignore the spam reports that are sent to them
either. And just as Digital Ocean had done to me one month ago, when I had
occasion to send Hetzner a report about some totally unrelated spam that
I received, just today, from their network, about 30 seconds later I got
back what can only be called an "ignore bot" automated email reply, telling
me ... just as Digital Ocean has done to me previously... that while it
was perfectly OK with them if their customers spammed me via the medium
of email, that there was nonetheless no freakin' way that THEY would entertain
any reports about that VIA EMAIL. So I was told to fill out some web form
on the Hetzner web site, so that Hetzner staff could remain anonymous, and
could anonymously receive that report, and then immediately and with all
due haste dispatch it forthwith directly to /dev/null. Swell.
So, you know, it may not do a bit of good, but I really would like to be
able to find out for myself if Hetzner is just totally staffed by mindless
robots, utterly lacking in compassion and empathy and also any sense of
ethics, or if there is at least one live engineer there... someone with
a name and a face and maybe even a friend or relative who has been conned
by one in this endless parade of unaccountable Internet fraudsters. I'd
like to find out, in other words, if there is any warm body there who even
gives a shit.
So, if any of you who are reading this happen to know any live humans at
Hetzner, please do send me their contact info. I am most certainly
*not* going to fill out Hetzner's dumb-ass waste-of-my-time web form just
for the honor of informing THEM of THEIR freakin' problem child customer,
especially given the high probability that my attempt to report this to
them will go straight to the bit bucket.
I actually don't mind lending a hand to help mega providers like this to
clean their own toilets. I do mind however when they go out of their way
to make it harder and more tedious and time consuming for me to do that.
In fact it would be nice if this entire industry would get its collective
head out of its collective ass, recognize that it has an ongoing problem
with Bad Actors acquiring "hosting" resources, and figure out a way to
deal with that that DOESN'T just involve taking the money and looking
the other way, and routinely ignoring all abuse reports. (The smaller
providers actually deal with this problem much better than the bigger ones.
THEY at least are not cowed into utter silence by paranoid and over-protective
corporate counsel. So they can and do let one another know when a Bad Actor
is out there, roaming the streets, looking for hosting companies to use and
abuse. Just search webhostingtalk.com for mentions of "PredictLabs" and
you can see for yourselves. This isn't anti-trust. This is self-preservation,
which is different, even if a lot of corporate counsel are just too effing
stoopid to grasp the important differences between Standard Oil in the year
1900 and a modern Neighborhood Watch group.)
Anyway, to return to today's Bad Actor du jour, although it is looking
like he is graciously confining his outbound spamming to just AS24940,
i.e. Hetzner at the moment, it's apparent that he plans to be around for
awhile, even in the unlikely event that anybody at Hetzner should notice
what he is doing -or- elect to give a shit about it. So he's done what
any Internet user seeking survivability does... he has distributed his
name servers over several different networks. Specifically here they
(The ns2. name server in all of these cases is on the same IPv4 address
with the ns1. server.)
So, even though this guy is likely only spamming from Hetzner at present,
he's got his name servers well distributed, as you can see above. Those
name servers are scattered around on all of the following networks (in
AS3842 US RamNode LLC
AS8100 US QuadraNet Enterprises LLC
AS14061 US DigitalOcean, LLC
AS20473 US Choopa, LLC
AS47583 CY Hostinger International Limited
AS51852 PA Private Layer INC
AS54290 US Hostwinds LLC.
AS58329 DE easystores GmbH
AS62370 NL Snel.com B.V.
AS197071 DE Dennis Rainer Warnholz trading as active-servers.com
I would consider it a good day's work if I could get people here on this
list to help me to get some of these name servers turned off, and the
associated accounts canceled, but I'm probably hoping for too much.
Still, I have to ask. Please help if you can. I spent several hours
working on this case today. Maybe the rest of you could pitch in just
long enough to send polite email to one or more of the above networks,
just to let them know that they have a problem child as a customer
(at the exact addresses listed above). You can also send them a link
to this posting in the NANOG archives if you like. I don't know
if that would help or hurt, but it is worth a try.
Anyway, "takedowns" shouldn't only be for botnets. When the Internet
does... as it frequently does these days... get this kind of exceptionally
annoying AND exceptionally criminal professional spammer, it would be
kind of nice if there were some way to get his ass totally turfed from
the whole Internet. That seems to have happened in the case of Bitcanal...
with a lot of help from a lot of concerned netizens. Why should a case
like this be any different? This guy needs to be gone. I'm perfectly
OK with me repeatedly -finding- all of his shit, and then reporting it
here or elsewhere. (It takes -me- less effort to find it than it takes
-him- to set it all up.) The missing part of the puzzle is action, by
the relevant providers.
So, please help me to do a full takedown on this guy. Please.
Thanks for listening.
P.S. I do hope that everyone will have noticed that Digital Ocean is
listed above as being among the set of providers that are giving service
to one of this dickhead's name servers. I'll give them the benefit of
the doubt and try to believe that they really did fully kick this guy
to the curb last month, not long after I bitched about him here. Even
if that's the case however, he has clearly managed to sneak back on to
Digital Ocean's network.
So, obvious question: Whose fault is that?
About ten years ago I had my one and only European Vacation. I was shocked
when, in France, I went to buy a cheap cell phone that would work on French
networks and they ASKED ME FOR MY PASSPORT. It wasn't a problem. It just
seemed weird because I was unaccustomed to this extra level of security.
So, I have to ask: Why does one need to demonstrate one's identity to a
greater degree if one buys a simple cell phone, as opposed to, say, buying
a hosting account, late on a Friday, after which you may immediately start
spamming and then spam one's brains out, to all seven billion people on this
planet if desired, before the regular staff at the hosting company even comes
back in to work on Monday morning?
If there's a universe in which this all makes sense, then all I can say is
that I personally am not in that one.