Attacks from poneytelecom.eu

Hi All,

Lately we have seen a lot of attacks from IPs where the PTR record ends in
poneytelecom.eu to PBX systems. A quick search on twitter
(https://twitter.com/hashtag/poneytelecom) shows multiple people complaining
that they reported the IPs yet nothing happens. Has anyone had the
pleasure of dealing with them and have you gotten anywhere? I wonder if the
only option is public shaming.

I would rather not ban their AS as it may hurt legit traffic but I am out
of ideas at this point....

TIA.

Dovid

Have you emailed their abuse or NOC teams with the attack logs from their
IPs?

Sometimes ISP servers or their customer CPEs are compromised without their
knowledge.

Dovid,

Back in September, I documented my poor experience with AS12876 here:
https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/
Since then, their handling of abuse notifications (or lack thereof) has
largely remained the same. The volume of malicious traffic from their
network hasn't decreased either.

As you noted, others have reported similar issues with AS12876, including
my associate Dr. Neal Krawetz:
https://twitter.com/hackerfactor/status/932593355648667649
I've also compiled a list of complaints regarding AS12876 in this thread:
https://twitter.com/bad_packets/status/937220987371732992

Thanks,

Mcikael,

1) As others have mentioned, your AS seemingly has a history of tolerating
abuse. I know some of the other VPS players, such as DO, have automated
scripts that look for attacks and lock them out. I see you peer with them;
perhaps they can share some scripts :wink:
2) I went to the abuse URL you have posted and it just lands at your main
page.

The offending IP was 195.154.182.242. I checked two different boxes (one
our own range and another a hosted box elsewhere) and both have entries in
the last 3 days from that IP. Scans have been going on for at least the
last 48+ hours.

[snip]

That AS has been originating brute-force attacks against ssh, pop, imap, etc.
for at least four years (and likely longer, but I didn't have older logs
handy). It's also a persistent high-volume source of spam. Its operators
are either thoroughly incompetent or fully complicit; there's no way to
tell from outside and operationally, it makes no difference. So at minimum
I recommend blocking all connections from it to authenticated services
and refusing all SMTP traffic from rev.poneytelecom.eu and
rev.cloud.scaleway.com.

---rsk
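One way to act on the advice above (block the zone at authenticated services and send abuse desks something actionable), as an added example that is not code from anyone on this thread: it scans sshd auth-log lines, flags sources whose reverse DNS falls under rev.poneytelecom.eu or rev.cloud.scaleway.com, and builds a report carrying the timestamps and raw lines. The log lines and the PTR table are constructed; a real run would read /var/log/auth.log and call socket.gethostbyaddr().

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the thread); in practice read /var/log/auth.log
SAMPLE_LOG = """\
Dec  5 03:14:07 mx1 sshd[2231]: Failed password for invalid user admin from 195.154.182.242 port 51822 ssh2
Dec  5 03:14:09 mx1 sshd[2231]: Failed password for invalid user admin from 195.154.182.242 port 51830 ssh2
Dec  5 03:14:12 mx1 sshd[2240]: Failed password for root from 195.154.182.242 port 51844 ssh2
Dec  5 03:15:01 mx1 sshd[2251]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2
Dec  5 03:16:30 mx1 sshd[2260]: Accepted publickey for deploy from 198.51.100.7 port 33001 ssh2
"""
# Constructed PTR table standing in for socket.gethostbyaddr(); hostnames are placeholders
PTR = {"195.154.182.242": "195-154-182-242.rev.poneytelecom.eu",
       "203.0.113.9": "host9.example.net", "198.51.100.7": "bastion.example.org"}
# Reverse-DNS zones the thread recommends treating as hostile for authenticated services
SUFFIXES = ("rev.poneytelecom.eu", "rev.cloud.scaleway.com")
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3}) port \d+")

def failed_logins(log_text):
    """Map source IP -> list of (timestamp, username, raw line) for failed password attempts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            hits[m.group(3)].append((m.group(1), m.group(2), line))
    return hits

def under_suffix(hostname, suffixes=SUFFIXES):
    """True only for the zone itself or a label inside it, never for look-alike names."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)

def suspect_sources(log_text, ptr=PTR, threshold=3):
    """IPs whose reverse DNS is under a flagged zone and that reached the failure threshold."""
    out = {}
    for ip, attempts in failed_logins(log_text).items():
        name = ptr.get(ip, "")
        if len(attempts) >= threshold and under_suffix(name):
            out[ip] = {"ptr": name, "count": len(attempts),
                       "first": attempts[0][0], "last": attempts[-1][0],
                       "users": sorted({u for _, u, _ in attempts}),
                       "evidence": [raw for _, _, raw in attempts]}
    return out

def abuse_report(ip, info):
    """Plain-text report with the timestamps and raw lines an abuse desk needs to act."""
    head = [f"Source IP: {ip} (PTR {info['ptr']})",
            f"Failed SSH logins: {info['count']} between {info['first']} and {info['last']} (server local time)",
            f"Usernames tried: {', '.join(info['users'])}", "Log excerpt:"]
    return "\n".join(head + ["  " + raw for raw in info["evidence"]])
```

The suffix check deliberately refuses look-alike names such as rev.poneytelecom.eu.example.com, so a block list built from it cannot be widened by a third party's forged PTR.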

I have no idea why anyone thinks it is acceptable to require victims to fill out online web forms.

-Dan

AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.

Quite a lot actually. Those servers are fine seedboxes. People also use them for media storage, i.e. online galleries and smaller video streaming sites.

Filip

Depends on what "legitimate" means.

We have a decent amount of traffic to the network (like 2Gbps sustained in any afternoon). It's typically a mix of bittorrent, tor-relay traffic, ftp-transfers and of course the expected scanners, malware-hosts, ddos-bots and such.

For me Poney/Illiad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even); the response to abuse has always been NIL. I know tons of my customers just block out their whole ip-ranges in their SIP-servers and email-machines to lessen the white-noise.

However - judging from the Online.net website it at least seems that they are trying to up their game and look like something that would be attractive to a legitimate business to consider. On the other hand, looking at http://as12876.net/ it looks more like something that would rather fit as a place where I put the shady stuff, so not sure where on the map they fall these days.

Because the number of people who successfully provide actionable
information without being prompted is vanishingly small and the number of
people who fire off automated complaints to the best guess abuse address
(also without actionable information) is disappointingly large?

Why anyone thinks it's acceptable for the form submission to vanish in to
the faceless support queue is more of a quandary. The form submission
should provide a case number, the individual to whom it is assigned, direct
contact information for that individual and a promise that your report will
receive a response.

Regards,
Bill Herrin

SETI at home?
Bitcoin mining?

In their defense I was pleasantly surprised that I got a response back from
them telling me the account was banned. Though it makes me wonder if this
is just them trying to save face. I have spoken with the guys that run DO's
network and they have an extensive amount of automation to weed out
spammers, attackers etc. It makes you wonder why for years they are known
in the spammer community as a safe haven.

Not a valid excuse. (1) It is a trivial matter for any "abuse desk" worthy
of the title to priority-sort incoming traffic. (2) An excellent way for
operations to reduce the volume of such complaints is to reduce the volume
of the abuse they emit/support.

---rsk

The very real problem with direct contact info is that people latch onto it.
Then, if there's another issue the person will bypass your form submission,
send a direct e-mail - which would then not be dealt with if that particular
person wasn't working, for reasons ranging from vacation to no longer being
with the provider in an abuse desk role.

Been there, done that. Been out of the country and offline for 36 hours,
reconnect and there's a user with a problem that would have been dealt
with 36 hours earlier if they had sent it to our help desk instead of to me
directly.

I've never dealt with a support queue that resolved the issue faster than a
direct contact.

Which would the user prefer - a guaranteed 15 minute response time from the queue,
or 10 minute from a direct contact, unless it's an hour because they're in a meeting,
or the next day because they're out sick, or 2 weeks because they're on vacation?

Bonus points for recognizing there's a confirmation bias effect here - people will
remember the 2 week response time more than they'll remember the 5 minutes
faster the rest of the time.

Hint: How many "I haven't heard back in a week" do we see here and on the mailop
list, and how many "Congrats to so-n-so who fixed my problem in 5 minutes flat?"

Also, unless the requester already has a close relationship with someone in that department at the company they are contacting - it is sort of offensive to contact them without FIRST filling out the form and allotting a reasonable time for a response. Then, if filling out the form didn't work as fast as expected - THEN it might be appropriate to contact someone directly to help escalate the form submission. That is the RIGHT way to do these things. The opposite of this produces insufficiency, miscommunication, legal entanglements (if things didn't get handled properly), lost audit-trails/metrics etc. Some larger companies FORBID their employees from doing such direct help that is entirely outside their regular support system.

I've never dealt with a support queue that's more competent than the last
direct contact I talked with. Navigating the support queue to the guy
competent to deal with my problem is one of the more infuriating things
about big company support.

-Bill

They use your direct contact info because your help desk isn't responsive.

They go where they get results. No results from help desk = direct contact to you.

-Dan

It does get kind of old when you have to argue with first tier support on how to read SMTP headers, or that an IP address registered to them in ARIN actually belongs to them.

People reach out to NANOG because first tier support is clueless and completely ineffective.

When the first tier incompetence stops, the direct contacts will stop too.

-Dan