Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

Ronald_F_Guilmette1 · March 19, 2019, 12:02am

OVH, DigitalOcean, and Microsoft...

Is there anybody awake and conscious at any of these places? I mean
anybody who someone such as myself... just part of the Great Unwashed
Masses... could actually speak to about a real and ongoing problem?

Maybe most of you here will think that this is just a trivial problem, and
one that's not even worth mentioning on NANOG. So be it. Make up you own
minds. Here is the problem...

For some time now, there has been an ongoing campaign of bitcoin
extortion spamming going on which originates primarily or perhaps
exclusively from IPv4 addresses owned by OVH and DigitalOcean.
These scam spams have now been publicised in multiple places:

https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/

Yea, that's just one place, I know, but there's also no shortage of people
tweeting about this crap also, in multiple languages even!

The thing of it is that ALL of this crap... al of these scam spams... are
quite obviously originating out of the networks of OVH and DigitalOcean.
And it's not even all that hard to figure out where from, exactly and
specifically. I generated the following survey, on the fly, last night,
based on a simple reverse DNS scan of the evidently relevant addrdess
ranges:

https://pastebin.com/raw/WtM0Y5yC

As anyone who isn't as blind as a bat can easily see, there's a bit of a
pattern here. All of the spam source IPs are on just two ASNs:

AS16276 - OVH SAS
AS4061 - DigitalOcean, LLC

It's equally clear that there have already been numerous reports about this
ongoing and blatantly criminal activity that have been sent to the low-level
high school dropout interns that these companies, like most others on the
Internet these days, choose to employ as their first-level minions in their
"not a profit center" abuse handling departments. So, guess what? Surprise,
surprise! None of those clue-deprived flunkies have apparently yet managed
to figure out that there's a pattern here. Duh!. As a result, the scamming
and the spamming just go on and on and on, and the spammer-scammer just
keeps on getting fresh new IP addresess on both of these networks... and
fresh (and utterly free) new domain names from the equally careless company
called Freenom.

So, you know, I really would appreciate it if someone could either put me
in touch with some actual sentient being at either OVH or DigitalOcean...
assuming that any such actually exist... or at the very least, try to find
one to whom clue may be passed about all this, because although these scam
spams were kind of humorous and novel at first, the novelty has now worn off
and they're really not all that funny anymore.

Oh! And while we are on the subject, I'd also like to obtain a contact,
preferbly one which is also and likewise in possession of something roughly
approximating clue, at this place:

AS200517 - Microsoft Deutschland MCIO GmbH

The reason is that although MS Deutschland is most probably not the source
of any of the spams, they, or at least their 51.18.39.107 address, do appear
to be mixed up in all of this somehow:

https://pastebin.com/raw/ziVNCmZ8

I dunno. Maybe Microsoft has managed to engineer a merger with the CIA (?)
If not, then maybe they would be so kind as to rat out this specific criminal
customer of their's to appropriate authorities.

Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for
all of the admirable work they do, but you know the old saying... charity
begins at home. So my hope is that they will seek to get this low-life off
their network immediately, if not sooner, and then also seek to arrange
suitable long term accomodations for him in, say, Florence, Colorado, or,
if he/she/it has a higher than average level of tan, I hope that they will
make all necessary inquiries to find out if there are still any open bunks
available in Gitmo.

Regards,
rfg

P.S. In recent days, the popular media has fanned the flames of controversy,
as it is their habit to do, over the question of whether or not the various
social media companies could have somehow automagically spotted and deleted,
in real time, with some sort of yet-to-be-invented artificial intelligence
wizardry, the shooter videos from New Zealand. Of course, none of the TV
personalities who so cavalierly offer up their totally uninformed opinions
on this question have ever themselves gotten within a country mile of the
kinds of AI that could, perhaps in another decade or three, reliably
distinguish between a video of a msss shooting and a video of a particularly
raucous birthday party. It's a hard problem.

In contrast to that hard problem, spotting the kind of trivial reverse DNS
pattern I've noted above is child's play and a no brainer. Why then, one
might reasonbly ask, have the combined abuse departments of both OVH and
DigitalOcean been either utterly unable or else utterly unwilling to do so?
Solving these kinds of trivial problems does not await the development of
some advanced new artificial intelligence. It just requires the judicious
application of a small bit of the non-artificial kind of intelligence. But
the industry, it seems, can't, or won't, even manage that.

Dovid_Bender · March 19, 2019, 1:17am

Two notes:

We have seen most of the telecom fraud happen from three general locations
a. The phones themselves. For instance people putting phones out there with the default password.
b. Compromised routers. Fraudsters will compromise a CPE and bounce their traffic through it. Back in the day when we banned Palestine most of the fraud went down. Once they caught on they realized the traffic needed to flow from anywhere but PS.
c. OVH - We used to get a lot from there till we started banning large blocks of their ranges. It seems the fraudsters caught on and they are going the route of compromised CPE’s.
I spoke a few years back with the lead network engineers at DO and without giving away too much they are very aware that people use their network for fraud and actively work against it. I am nor sure about their abuse team but I know their core engineers have methods in place and shut down malicious activity. The issue is it’s easier said then done.

Christian_Kuhtz · March 19, 2019, 1:37am

Ronald,

we are asking Microsoft CDOC to investigate.

You can find a variety of ways to report issues at their website as well: https://www.microsoft.com/en-us/msrc/cdoc

Thanks,
Christian

Nik_Geyer · March 19, 2019, 1:50am

RFG;

I have passed your email on to the relevant team within DO to have a look at.

I’d like to thank you for your deriding commentary to bring attention to this problem. I am not sure it is the most effective way to try and engage the wider industry on a public list, but each to their own.

Oh, and additionally, as an Australian citizen with many Aussie and Kiwi colleagues working at DO of various religious persuasions; your postscript relating this back to the recent terror attacks is abhorrent and disgusting. You should be completely ashamed.

Kind regards,
Nik.

Ronald_F_Guilmette1 · March 19, 2019, 4:15am

In message <MW2PR2101MB0892D3ED3F5F3D58F2F30171B2400@MW2PR2101MB0892.namprd21.prod.outlook.com>,

we are asking Microsoft CDOC to investigate.

Thank you. I am not at all sure who the mysterious "we" is intended to
represent in that sentence. Perpahs it is just intended as the royal
"we" as in "We are not amused." But I don't really care. I am greatful
for any assitance from whatever quarter.

You can find a variety of ways to report issues at their website as well:
https://www.microsoft.com/en-us/msrc/cdoc

I do not use web forms to report spam incidents, even those as widespread
and blatantly criminal as in this instance. It's a matter of principal.

Why should companies such as these hide behind impersonal web forms, even
as their paying customers are allowed to incessantly badger and harass me,
and millions of others, via the medium of email? Are they too good to get
down in the muck of email with the rest of us mere peasants? It appears
that they think so. And in any event, where is the evidence that filling
in such a form would result in any actual action whatsoever? I don't
see any. Quite the opposite. What I see, and what is exemplified by this
specific case, is that EVEN IF people do actually jump through all of the
ridiculous hoops, spammers like this are allowed to just go on and on an
on. Where is the accountability, either personal or corporate? Who,
specifically, should be blamed, or can be blamed, if the output of such a
web form is improperly being diverted, on a routine basis, to /dev/null?

If I'm going to invest (or waste?) my time in meticulously explaining to
some large corporation, exactly how they are screwing up, and/or exactly
who and where their bad customers are, then is it really asking too much
to hope and expect that these same companies should, at the very least,
make available some actual human being with whom I can interact, as
necessary, in order to make sure that they understand what I have taken
my time to research and explain to them?

It's a serious question, and I am constantly befuddled by the apparent
desire of large corporations... even and perhaps especially those in the
"communications" business... to isolate themselves from any and all
outside communications, even those which might be helpful and beneficial
to the corporations themselves. In short, would it really kill your
people in your Digital Crimes Unit to just simply publish their names
and email addresses, you know, sort of like the rest of us mere mortals
do?

Furthermore, I am compelled to ask this additional question: Why should
it even be incumbant upon an unpaid volunteer Internet firefighters, such
as myself, to inform various multi-billion dollar corporations that they
have a problem? Are they really incapable of keeping a close eye on their
own networks and figuring this out for themselves? I confess that on some
days it would seem so.

I now have your email address, which I see is in the microsoft.com domain.
And I thank you for that. I hope that you won't begrudge me too awfully
much if, the next time such a situation arises, I make use of it. As I
have bemoaned at length now, it is both rare and difficult to find an
actual and/or accountable human at most of the large corporations that
run so much of the modern Internet, and thus, I am greatful to have one
more such contact in my back pocket, especially given that you have already
demonstrated that you both care and will take at least some action in
response to serious ongoing situations such as this one. I thank you,
and only ask that you please stay healthy and do not seek employment
elsewhere, at least until my own demise or until the sun goes nova,
whichever comes first.

Regards,
rfg

Christian_Kuhtz · March 19, 2019, 6:08am

Please use the links I provided to make sure it gets to the right people with the information they need as fast as possible.

Thanks,
Christian

Tom_Beecher · March 19, 2019, 2:01pm

This entire thread could easily have been simply :

“Hey all! I’m having some challenges reaching a live person in the abuse groups for X, Y, and Z. Can anyone help with a contact, or if anyone from those companies sees this, can you contact me off-list?”

Calling everyone an idiot in the midst of Endless Pontification isn’t really a recipe for success.

Jack_Barrett_Appia · March 19, 2019, 2:15pm

I agree it could have definitely been simplified, but I also found the “endless pontification” a little amusing this morning. What I do not find amusing is the social outrage and identity politics that has made it’s way into the sacred NANOG mailing list.

Ray_Orsini1 · March 19, 2019, 3:29pm

I originally held back on a similar response. But I had the exact same opinion. It works against your argument when you start off with insults and condescension. Personally, I would not refer anyone to someone making a post like this.

Regards,

Ray Orsini – CEO
Orsini IT, LLC – Technology Consultants
VOICE –DATA – BANDWIDTH – SECURITY – SUPPORT
P**:** 305.967.6756 x1009 E: ray@orsiniit.com TF: 844.OIT.VOIP

http://www.orsiniit.com | Schedule a Call

Ronald_F_Guilmette1 · March 20, 2019, 12:22am

In message <CAL9Qcx7=-eTCJ7yGDT7oO2tkAJGOY3YMtYrtx5A-qH=-gN6vRg@mail.gmail.com>,

Calling everyone an idiot in the midst of Endless Pontification isn't
really a recipe for success.

I did not call "everyone" an idiot. I'm quite completely sure that there
are innumerable people in all of the referenced companies who are consumate
and hardworking professionals who excel at ther jobs. I do believe however,
based on considerable experience and much hard evidence, that the abuse
handling departnments at OVH and DigitalOcean, and indeed at essentially
-every- sizable hosting company are less than entirely well staffed, less
than entirely well trained, less than entirely well funded, and often
inadequately effective, either due to their limited willingness or their
limited authority, as circumscribed by management, when it comes to the
execution of their assigned duties. The abuse handling function at *every*
Internet company is the ugly stepchild, ignored whenever possible, and
typically starved of resources by management whose overriding consideration
is this quarter's P&L statement, and by extension, the nearest upcoming
executive bonus period.

Regards,
rfg

David_Hubbard · March 20, 2019, 12:33am

In message <CAL9Qcx7=-eTCJ7yGDT7oO2tkAJGOY3YMtYrtx5A-qH=-gN6vRg@mail.gmail.com>,

    >Calling everyone an idiot in the midst of Endless Pontification isn't
    >really a recipe for success.

    I did not call "everyone" an idiot. I'm quite completely sure that there
    are innumerable people in all of the referenced companies who are consumate
    and hardworking professionals who excel at ther jobs. I do believe however,
    based on considerable experience and much hard evidence, that the abuse
    handling departnments at OVH and DigitalOcean, and indeed at essentially
    -every- sizable hosting company are less than entirely well staffed, less
    than entirely well trained, less than entirely well funded, and often
    inadequately effective, either due to their limited willingness or their
    limited authority, as circumscribed by management, when it comes to the
    execution of their assigned duties. The abuse handling function at *every*
    Internet company is the ugly stepchild, ignored whenever possible, and
    typically starved of resources by management whose overriding consideration
    is this quarter's P&L statement, and by extension, the nearest upcoming
    executive bonus period.

    Regards,
    rfg

Why not just drop any prefixes from the respective ASN's? We had to do that with OVH after the endless attacks coming from their networks, and lack of abuse response. OVH really loves to shift the abuse around to new prefixes; I got tired of spending time staying ahead of it.

Rich_Kulawiec · March 27, 2019, 3:09pm

I finally found time to check this out. And I have to ask: how in the
heck did anybody accept this operation as a customer? Because it's
obvious on inspection -- of the information in that paste -- that they're
abusers. Let me 'splain.

First, domains in certain TLDs should be considered as -- at best --
dubious until proven otherwise, because those TLDs are well-known as
abuse magnets. Every domain in this sample falls in that category.
Anyone making mass use of domains in those TLDs is up to something
abusive.

Second, anyone making mass requests for PTR records for random subdomains
is up to something abusive.

Third, anyone mass-registering domains whose names are permutations of
each other is up to something abusive. (I'm not talking about someone
registering a couple of domains that are plausible typos of a primary one
or engaging in defensive registrations across a few TLDs. Look at the
list, this is obviously quite different from those cases.)

Fourth, anyone mass-registering domains whose names are intended
to be typo'd and/or misread is up to something abusive.

Anybody doing all of the above is not only up to something abusive,
but they're standing on a rooftop screaming it through a bullhorn.

The word "mass" is key throughout not only because it is a highly reliable
indicator of ensuing abuse but because its nature makes detecting this
up front quite easy. Once I got to it, it took me less than a minute
of scanning that list to determine that there is absolutely no way I
would accept this operation as a customer. I recognize that not everyone
everyone has my experience in this area, but surely every operation should
have someone equipped with modest experience and and a skeptical eye who
screens new customers, and, at *minimum*, puts them on hold while some
due diligence takes place. It's much easier (and cheaper) to refuse
service to operations like this than to deal with the fallout that
will inevitably ensue. It's also much better for the rest of us.

So: how did these people ever get in the door?

---rsk