AS24940 Hetzner -- non-role contact wanted

Ross Tajvar ross at tajvar.io
Tue Apr 23 17:55:55 UTC 2019


Several telcos are working on a project to authenticate calls:
https://transnexus.com/whitepapers/understanding-stir-shaken/
AT&T and Comcast have reportedly tested it between their networks.

On Tue, Apr 23, 2019 at 9:23 AM Kovich Greg <greg.kovich at al-enterprise.com>
wrote:

> Hello Ronald,
>
> I did a quick search on LinkedIn and found a couple Hetzner internet
> companies - each had a couple employees listed that I could request a
> connection with.
>
> I love your passion about SPAM - I wish there was a way to stop all the
> VoIP Spoofing/Spammers… I am certainly tired of hearing that this is the
> last time I’ll be contacted about an extended car warranty, from a phone
> number that is not in service.
>
> Good luck - and thanks for trying to clean up some of the low-life trash.
>
> Regards,
> Greg
>
> -------
>
> Greg Kovich
> Director, Global Education Sales
> Alcatel-Lucent Enterprise
> ALE USA
> 3015 Abby Lane | Suite 301-B
> Schererville, IN 46375
> t:  +1-818-878-4667     m:  +1-219-276-2320
> e:  Greg.Kovich at al-enterprise.com <greg.kovich at al-enterprise.com>    w:
> www.al-enterprise.com <https://www.al-enterprise.com/en>
>
> On Apr 23, 2019, at 7:00 AM, nanog-request at nanog.org wrote:
>
> Message: 1
> Date: Mon, 22 Apr 2019 21:28:20 -0700
> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
> To: nanog at nanog.org
> Subject: AS24940 Hetzner -- non-role contact wanted
> Message-ID: <23295.1555993700 at segfault.tristatelogic.com>
>
>
> Subtitle: Another Big Mess On Aisle Thirteen.  Somebody Grab The Mop!
>
> Just over a month ago, I was here, doing what I always do, bitching
> and moaning about the low-life trash that is typically allowed to roam
> free and unfettered on the Internet:
>
>    https://mailman.nanog.org/pipermail/nanog/2019-March/100135.html
>
> Shortly thereafter, it appeared that perhaps that effort on my part had
> not been a total waste of electrons.  The extortion spams stopped, for
> a while anyway, and it started to look like Digital Ocean had in fact
> kicked the perp's ass to the curb.  So, you know, case closed, right?  Well,
> not really.  Once this kind of clown gets a taste for the easy money,
> it's hard to go back to actually washing dishes for a living again.  So,
> you know, HE'S BACK.
>
>    https://twitter.com/SpamAuditor/status/1120473072354635779
>
> (And for those of you who may want to claim that I'm being sexist, and
> that I can't know for sure if it is a man or a woman behind this shit,
> I just have one word:  No.  Women don't do this shit.  Perhaps they
> have more respect for their fellow humans, or whatever.  But the reality
> is, of all the low-life scumbag spammers that I've ID'd over the past 20+
> years... and there have been plenty of them... 99,99% have been men.
> That's just a fact.)
>
> So anyway, based on the current evidence, it's looking like Digital
> Ocean -may- possibly have actually -tried- to kick this guy off their
> network, or maybe not.  (See below.)  It's possible that they just told
> him that they would be happy to keep on taking his money, but that he
> just shouldn't spam from their network anymore.  I don't really have
> any way of knowing.  They didn't tell me the crook's name, so who the
> hell knows?
>
> In any case, now it appears that this same specific spammer and con-man
> is now doing his extortion spamming 100% from AS24940 Hetzner.  Here is
> a freshly updated list of all of his spam spewer FQDNs, and the IPv4
> addresses that all of them are pointed at right now:
>
>    https://pastebin.com/raw/3fbACedn
>
> If and only if Digital Ocean (AS14061) really did kick this scumbag's
> ass to the curb... or if they at least tried to do so... then that
> eliminates all of the IP addresses shown in the above list that are
> prefixed with Digital Ocean's ASN (14061) from the list, at least as
> far as outbound spamming is concerned.  That would leave us with only
> the AS24940 Hetzner IP addresses as current live spam spewers:
>
>    https://pastebin.com/raw/t9Rs4HMT
>
> (In case it isn't obvious, I do advise all parties not to accept any
> incoming email from any of the above listed IPs or domain names until
> this all gets cleaned up.)
>
> Meanwhile, I'd like to get hold of a (non-role) contact email address
> for any warm body at Hetzner who may actually give a shit about any of
> this.  I understand that this may be a REAL big ask.  I have been
> informed, just today, by a reliable source that fundamentally, Hetzner
> just doesn't do shit about spam reports sent their way.
>
> And anyway, why would they?  Apparently, none of the other big hosting
> providers do anything but ignore the spam reports that are sent to them
> either.  And just as Digital Ocean had done to me one month ago, when I had
> occasion to send Hetzner a report about some totally unrelated spam that
> I received, just today, from their network, about 30 seconds later I got
> back what can only be called an "ignore bot" automated email reply, telling
> me ... just as Digital Ocean has done to me previously... that while it
> was perfectly OK with them if their customers spammed me via the medium
> of email, that there was nonetheless no freakin' way that THEY would entertain
> any reports about that VIA EMAIL.  So I was told to fill out some web form
> on the Hetzner web site, so that Hetzner staff could remain anonymous, and
> could anonymously receive that report, and then immediately and with all
> due haste dispatch it forthwith directly to /dev/null.  Swell.
>
> So, you know, it may not do a bit of good, but I really would like to be
> able to find out for myself if Hetzner is just totally staffed by mindless
> robots, utterly lacking in compassion and empathy and also any sense of
> ethics, or if there is at least one live engineer there... someone with
> a name and a face and maybe even a friend or relative who has been conned
> by one in this endless parade of unaccountable Internet fraudsters.  I'd
> like to find out, in other words, if there is any warm body there who even
> gives a shit.
>
> So, if any of you who are reading this happen to know any live humans at
> Hetzner, please do send me their contact info.   I am most certainly
> *not* going to fill out Hetzner's dumb-ass waste-of-my-time web form just
> for the honor of informing THEM of THEIR freakin' problem child customer,
> especially given the high probability that my attempt to report this to
> them will go straight to the bit bucket.
>
> I actually don't mind lending a hand to help mega providers like this to
> clean their own toilets.  I do mind however when they go out of their way
> to make it harder and more tedious and time consuming for me to do that.
>
> In fact it would be nice if this entire industry would get its collective
> head out of its collective ass, recognize that it has an ongoing problem
> with Bad Actors acquiring "hosting" resources, and figure out a way to
> deal with that that DOESN'T just involve taking the money and looking
> the other way, and routinely ignoring all abuse reports.  (The smaller
> providers actually deal with this problem much better than the bigger ones.
> THEY at least are not cowed into utter silence by paranoid and over-protective
> corporate counsel.  So they can and do let one another know when a Bad Actor
> is out there, roaming the streets, looking for hosting companies to use and
> abuse.  Just search webhostingtalk.com for mentions of "PredictLabs" and
> you can see for yourselves.  This isn't anti-trust.  This is self-preservation,
> which is different, even if a lot of corporate counsel are just too effing
> stoopid to grasp the important differences between Standard Oil in the year
> 1900 and a modern Neighborhood Watch group.)
>
> Anyway, to return to today's Bad Actor du jour, although it is looking
> like he is graciously confining his outbound spamming to just AS24940,
> i.e. Hetzner at the moment, it's apparent that he plans to be around for
> a while, even in the unlikely event that anybody at Hetzner should notice
> what he is doing -or- elect to give a shit about it.  So he's done what
> any Internet user seeking survivability does... he has distributed his
> name servers over several different networks.  Specifically here they
> all are:
>
> (The ns2. name server in all of these cases is on the same IPv4 address
> with the ns1. server.)
>
> So, even though this guy is likely only spamming from Hetzner at present,
> he's got his name servers well distributed, as you can see above.  Those
> name servers are scattered around on all of the following networks (in
> numerical order):
>
> AS3842    US  RamNode LLC
> AS8100    US  QuadraNet Enterprises LLC
> AS14061   US  DigitalOcean, LLC
> AS20473   US  Choopa, LLC
> AS47583   CY  Hostinger International Limited
> AS51852   PA  Private Layer INC
> AS54290   US  Hostwinds LLC.
> AS58329   DE  easystores GmbH
> AS62370   NL  Snel.com B.V.
> AS197071  DE  Dennis Rainer Warnholz trading as active-servers.com
>
> I would consider it a good day's work if I could get people here on this
> list to help me to get some of these name servers turned off, and the
> associated accounts canceled, but I'm probably hoping for too much.
> Still, I have to ask.  Please help if you can.  I spent several hours
> working on this case today.  Maybe the rest of you could pitch in just
> long enough to send polite email to one or more of the above networks,
> just to let them know that they have a problem child as a customer
> (at the exact addresses listed above).  You can send them also a link
> to this posting in the NANOG archives also if you like.  I don't know
> if that would help or hurt, but it is worth a try.
>
> Anyway, "takedowns" shouldn't only be for botnets.  When the Internet
> does... as it frequently does these days... get this kind of exceptionally
> annoying AND exceptionally criminal professional spammer, it would be
> kind of nice if there were some way to get his ass totally turfed from
> the whole Internet.  That seems to have happened in the case of Bitcanal...
> with a lot of help from a lot of concerned netizens.  Why should a case
> like this be any different?  This guy needs to be gone.  I'm perfectly
> OK with me repeatedly -finding- all of his shit, and then reporting it
> here or elsewhere.  (It takes -me- less effort to find it than it takes
> -him- to set it all up.)  The missing part of the puzzle is action, by
> the relevant providers.
>
> So, please help me to do a full takedown on this guy.  Please.
>
> Thanks for listening.
>
>
> Regards,
> rfg
>
>
> P.S.  I do hope that everyone will have noticed that Digital Ocean is
> listed above as being among the set of providers that are giving service
> to one of this dickhead's name servers.  I'll give them the benefit of
> the doubt and try to believe that they really did fully kick this guy
> to the curb last month, not long after I bitched about him here.  Even
> if that's the case however, he has clearly managed to sneak back on to
> Digital Ocean's network.
>
> So, obvious question:  Whose fault is that?
>
> About ten years ago I had my one and only European Vacation.  I was shocked
> when, in France, I went to buy a cheap cell phone that would work on French
> networks and they ASKED ME FOR MY PASSPORT.  It wasn't a problem.  It just
> seemed weird because I was unaccustomed to this extra level of security.
>
> So, I have to ask:  Why does one need to demonstrate one's identity to a
> greater degree if one buys a simple cell phone, as opposed to, say, buying
> a hosting account, late on a Friday, after which you may immediately start
> spamming and then spam one's brains out, to all seven billion people on this
> planet if desired, before the regular staff at the hosting company even comes
> back in to work on Monday morning?
>
> If there's a universe in which this all makes sense, then all I can say is
> that I personally am not in that one.
>
>
> End of NANOG Digest, Vol 135, Issue 21
> **************************************