Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

Dovid Bender dovid at telecurve.com
Tue Mar 19 01:17:19 UTC 2019


Two notes:
1) We have seen most of the telecom fraud happen from three general
locations
a. The phones themselves. For instance people putting phones out there with
the default password.
b. Compromised routers. Fraudsters will compromise a CPE and bounce their
traffic through it. Back in the day when we banned Palestine most of the
fraud went down. Once they caught on they realized the traffic needed to
flow from anywhere but PS.
c. OVH - We used to get a lot from there till we started banning large
blocks of their ranges. It seems the fraudsters caught on and they are
going the route of compromised CPEs.

2) I spoke a few years back with the lead network engineers at DO and
without giving away too much they are very aware that people use their
network for fraud and actively work against it. I am not sure about their
abuse team but I know their core engineers have methods in place and shut
down malicious activity. The issue is it's easier said than done.



On Mon, Mar 18, 2019 at 8:03 PM Ronald F. Guilmette <rfg at tristatelogic.com>
wrote:

>
> OVH, DigitalOcean, and Microsoft...
>
> Is there anybody awake and conscious at any of these places?  I mean
> anybody who someone such as myself... just part of the Great Unwashed
> Masses... could actually speak to about a real and ongoing problem?
>
> Maybe most of you here will think that this is just a trivial problem, and
> one that's not even worth mentioning on NANOG.  So be it. Make up your own
> minds.  Here is the problem...
>
> For some time now, there has been an ongoing campaign of bitcoin
> extortion spamming going on which originates primarily or perhaps
> exclusively from IPv4 addresses owned by OVH and DigitalOcean.
> These scam spams have now been publicised in multiple places:
>
>    https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/
>
> Yea, that's just one place, I know, but there's also no shortage of people
> tweeting about this crap also, in multiple languages even!
>
>     https://twitter.com/SpamAuditor/status/1107365604636278784
>     https://twitter.com/dvk01uk/status/1107510553621266433
>     https://twitter.com/bortzmeyer/status/1107737034049900544
>     https://twitter.com/ariestess69/status/1107468838596038656
>     https://twitter.com/bernhard_mahr/status/1107513313020297216
>     https://twitter.com/jzmurdock/status/1107679858945974272
>     https://twitter.com/gamamb/status/1107384186548207617
>     https://twitter.com/davidgsIoT/status/1107725201331097606
>     https://twitter.com/cybers_guards/status/1107675396076560384
>     https://twitter.com/ThatHostingCo/status/1107588660831105024
>     https://twitter.com/fladna9/status/1107554090765242368
>     https://twitter.com/JUSTADACHI/status/1107549777607184384
>     https://twitter.com/okhin/status/1107627379650908160
>     https://twitter.com/Purple_Wyrm/status/1107454618705887232
>     https://twitter.com/LadyOFyre/status/1107349022220550144
>     https://twitter.com/laurelvail/status/1107345980062523392
>     https://twitter.com/Alex__Rubio/status/1107595560440217600
>
> The thing of it is that ALL of this crap... all of these scam spams... are
> quite obviously originating out of the networks of OVH and DigitalOcean.
> And it's not even all that hard to figure out where from, exactly and
> specifically.  I generated the following survey, on the fly, last night,
> based on a simple reverse DNS scan of the evidently relevant address
> ranges:
>
>     https://pastebin.com/raw/WtM0Y5yC
>
> As anyone who isn't as blind as a bat can easily see, there's a bit of a
> pattern here.  All of the spam source IPs are on just two ASNs:
>
>    AS16276 - OVH SAS
>    AS4061 - DigitalOcean, LLC
>
> It's equally clear that there have already been numerous reports about this
> ongoing and blatantly criminal activity that have been sent to the low-level
> high school dropout interns that these companies, like most others on the
> Internet these days, choose to employ as their first-level minions in their
> "not a profit center" abuse handling departments.  So, guess what?  Surprise,
> surprise!  None of those clue-deprived flunkies have apparently yet managed
> to figure out that there's a pattern here.  Duh!  As a result, the scamming
> and the spamming just go on and on and on, and the spammer-scammer just
> keeps on getting fresh new IP addresses on both of these networks... and
> fresh (and utterly free) new domain names from the equally careless company
> called Freenom.
>
> So, you know, I really would appreciate it if someone could either put me
> in touch with some actual sentient being at either OVH or DigitalOcean...
> assuming that any such actually exist... or at the very least, try to find
> one to whom clue may be passed about all this, because although these scam
> spams were kind of humorous and novel at first, the novelty has now worn off
> and they're really not all that funny anymore.
>
> Oh!   And while we are on the subject, I'd also like to obtain a contact,
> preferably one which is also and likewise in possession of something roughly
> approximating clue, at this place:
>
>    AS200517 - Microsoft Deutschland MCIO GmbH
>
> The reason is that although MS Deutschland is most probably not the source
> of any of the spams, they, or at least their 51.18.39.107 address, do appear
> to be mixed up in all of this somehow:
>
>     https://pastebin.com/raw/ziVNCmZ8
>
> I dunno.  Maybe Microsoft has managed to engineer a merger with the CIA (?)
> If not, then maybe they would be so kind as to rat out this specific criminal
> customer of theirs to appropriate authorities.
>
> Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for
> all of the admirable work they do, but you know the old saying... charity
> begins at home.  So my hope is that they will seek to get this low-life off
> their network immediately, if not sooner, and then also seek to arrange
> suitable long term accommodations for him in, say, Florence, Colorado, or,
> if he/she/it has a higher than average level of tan, I hope that they will
> make all necessary inquiries to find out if there are still any open bunks
> available in Gitmo.
>
>
> Regards,
> rfg
>
>
> P.S.  In recent days, the popular media has fanned the flames of controversy,
> as it is their habit to do, over the question of whether or not the various
> social media companies could have somehow automagically spotted and deleted,
> in real time, with some sort of yet-to-be-invented artificial intelligence
> wizardry, the shooter videos from New Zealand.  Of course, none of the TV
> personalities who so cavalierly offer up their totally uninformed opinions
> on this question have ever themselves gotten within a country mile of the
> kinds of AI that could, perhaps in another decade or three, reliably
> distinguish between a video of a mass shooting and a video of a particularly
> raucous birthday party.  It's a hard problem.
>
> In contrast to that hard problem, spotting the kind of trivial reverse DNS
> pattern I've noted above is child's play and a no brainer.  Why then, one
> might reasonably ask, have the combined abuse departments of both OVH and
> DigitalOcean been either utterly unable or else utterly unwilling to do so?
> Solving these kinds of trivial problems does not await the development of
> some advanced new artificial intelligence.  It just requires the judicious
> application of a small bit of the non-artificial kind of intelligence.  But
> the industry, it seems, can't, or won't, even manage that.
>
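The quoted message argues that an abuse desk could spot the spam campaign from a reverse DNS survey alone: a run of sending IPs whose PTR names follow one naming template, spread across a couple of ASNs. The script below is an added illustration of that triage step, written for this archive page and not taken from either poster. It clusters source IPs by origin ASN and by their digit-normalized PTR pattern, and separately by parent domain, so that one actor reusing a naming template across two networks shows up as a single cluster. All PTR names, prefixes and ASNs in it are constructed sample data (documentation ranges and the RFC 5398 private ASN block), not lookups against OVH or DigitalOcean; `resolve_ptr()` is the only part that touches the network and is not used by the sample run.

```python
"""Cluster mail-source IPs by reverse-DNS naming pattern and origin ASN.

Added example, not code from the original post. Everything in SAMPLE_PTR and
SAMPLE_PREFIXES is constructed illustrative data.
"""
import ipaddress
import re
import socket
from collections import defaultdict

# Constructed sample: source IP -> PTR name (what an rDNS survey would return).
SAMPLE_PTR = {
    "192.0.2.10": "mail01.example-sender.net",
    "192.0.2.11": "mail02.example-sender.net",
    "192.0.2.12": "mail03.example-sender.net",
    "192.0.2.200": "ns1.customer-shop.example",
    "198.51.100.5": "smtp-1.example-sender.net",
    "198.51.100.6": "smtp-2.example-sender.net",
    "198.51.100.7": "smtp-3.example-sender.net",
    "203.0.113.9": "static.example-isp.example",
}

# Constructed prefix -> ASN table standing in for a BGP/whois lookup.
# AS64496-AS64498 are documentation ASNs, not the networks in the thread.
SAMPLE_PREFIXES = {
    "192.0.2.0/24": "AS64496",     # hypothetical hosting provider A
    "198.51.100.0/24": "AS64497",  # hypothetical hosting provider B
    "203.0.113.0/24": "AS64498",   # unrelated access network
}

_DIGITS = re.compile(r"\d+")


def asn_for(ip: str, prefixes=SAMPLE_PREFIXES) -> str:
    """Longest-match-free lookup: first prefix containing ip wins."""
    addr = ipaddress.ip_address(ip)
    for cidr, asn in prefixes.items():
        if addr in ipaddress.ip_network(cidr):
            return asn
    return "unknown"


def name_pattern(hostname: str) -> str:
    """Collapse digit runs so mail01/mail02/mail03 share one template."""
    return _DIGITS.sub("N", hostname.lower().rstrip("."))


def parent_domain(hostname: str) -> str:
    """Registered-domain approximation: the last two labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def cluster_sources(ptr_map, prefixes=SAMPLE_PREFIXES, min_size=3):
    """Return (pattern_clusters, domain_clusters) of at least min_size IPs.

    pattern_clusters: {(asn, template): [ips]} -- same naming scheme on one ASN.
    domain_clusters:  {domain: {"ips": [...], "asns": [...]}} -- same parent
    domain regardless of ASN, which is how one actor on two networks surfaces.
    """
    by_asn_pattern = defaultdict(list)
    by_domain = defaultdict(list)
    ordered = sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for ip, name in ordered:
        if not name:  # unresolved PTR: nothing to pattern-match on
            continue
        asn = asn_for(ip, prefixes)
        by_asn_pattern[(asn, name_pattern(name))].append(ip)
        by_domain[parent_domain(name)].append((asn, ip))

    pattern_clusters = {k: v for k, v in by_asn_pattern.items() if len(v) >= min_size}
    domain_clusters = {}
    for dom, members in by_domain.items():
        if len(members) >= min_size:
            domain_clusters[dom] = {
                "ips": [ip for _, ip in members],
                "asns": sorted({asn for asn, _ in members}),
            }
    return pattern_clusters, domain_clusters


def resolve_ptr(ips):
    """Live reverse lookups for real use; not exercised by the sample run."""
    out = {}
    for ip in ips:
        try:
            out[ip] = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            out[ip] = ""
    return out


if __name__ == "__main__":
    patterns, domains = cluster_sources(SAMPLE_PTR)
    for (asn, template), ips in patterns.items():
        print(f"{asn} {template}: {len(ips)} hosts")
    for dom, info in domains.items():
        print(f"{dom}: {len(info['ips'])} hosts across {', '.join(info['asns'])}")
```

On the constructed data the two per-ASN templates each reach the threshold, and the parent-domain view joins them into one six-host cluster spanning both sample ASNs while the single-host customer and ISP names drop out. For a real survey, feed `resolve_ptr()` the addresses from your mail logs and replace `SAMPLE_PREFIXES` with an actual prefix-to-ASN source; the digit-collapsing template is deliberately crude, so treat a cluster as a lead for the abuse desk rather than a verdict.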