Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

Nikolas Geyer nik at neko.id.au
Tue Mar 19 01:50:26 UTC 2019


RFG;

I have passed your email on to the relevant team within DO to have a look at.

I’d like to thank you for your deriding commentary to bring attention to this problem. I am not sure it is the most effective way to try and engage the wider industry on a public list, but each to their own.

Oh, and additionally, as an Australian citizen with many Aussie and Kiwi colleagues working at DO of various religious persuasions; your postscript relating this back to the recent terror attacks is abhorrent and disgusting. You should be completely ashamed. 

Kind regards,
Nik.

Sent from my iPhone

> On Mar 18, 2019, at 9:39 PM, Christian Kuhtz via NANOG <nanog at nanog.org> wrote:
> 
> Ronald,
> 
> we are asking Microsoft CDOC to investigate.
> 
> You can find a variety of ways to report issues at their website as well: https://www.microsoft.com/en-us/msrc/cdoc
> 
> Thanks,
> Christian
> 
> ________________________________
> From: NANOG <nanog-bounces at nanog.org> on behalf of Ronald F. Guilmette <rfg at tristatelogic.com>
> Sent: Monday, March 18, 2019 5:02:38 PM
> To: nanog at nanog.org
> Subject: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)
> 
> 
> OVH, DigitalOcean, and Microsoft...
> 
> Is there anybody awake and conscious at any of these places?  I mean
> anybody who someone such as myself... just part of the Great Unwashed
> Masses... could actually speak to about a real and ongoing problem?
> 
> Maybe most of you here will think that this is just a trivial problem, and
> one that's not even worth mentioning on NANOG.  So be it. Make up your own
> minds.  Here is the problem...
> 
> For some time now, there has been an ongoing campaign of bitcoin
> extortion spamming going on which originates primarily or perhaps
> exclusively from IPv4 addresses owned by OVH and DigitalOcean.
> These scam spams have now been publicised in multiple places:
> 
>   https://myonlinesecurity.co.uk/fake-cia-sextortion-scam/
> 
> Yea, that's just one place, I know, but there's also no shortage of people
> tweeting about this crap also, in multiple languages even!
> 
>    https://twitter.com/SpamAuditor/status/1107365604636278784
>    https://twitter.com/dvk01uk/status/1107510553621266433
>    https://twitter.com/bortzmeyer/status/1107737034049900544
>    https://twitter.com/ariestess69/status/1107468838596038656
>    https://twitter.com/bernhard_mahr/status/1107513313020297216
>    https://twitter.com/jzmurdock/status/1107679858945974272
>    https://twitter.com/gamamb/status/1107384186548207617
>    https://twitter.com/davidgsIoT/status/1107725201331097606
>    https://twitter.com/cybers_guards/status/1107675396076560384
>    https://twitter.com/ThatHostingCo/status/1107588660831105024
>    https://twitter.com/fladna9/status/1107554090765242368
>    https://twitter.com/JUSTADACHI/status/1107549777607184384
>    https://twitter.com/okhin/status/1107627379650908160
>    https://twitter.com/Purple_Wyrm/status/1107454618705887232
>    https://twitter.com/LadyOFyre/status/1107349022220550144
>    https://twitter.com/laurelvail/status/1107345980062523392
>    https://twitter.com/Alex__Rubio/status/1107595560440217600
> 
> The thing of it is that ALL of this crap... all of these scam spams... are
> quite obviously originating out of the networks of OVH and DigitalOcean.
> And it's not even all that hard to figure out where from, exactly and
> specifically.  I generated the following survey, on the fly, last night,
> based on a simple reverse DNS scan of the evidently relevant address
> ranges:
> 
>    https://pastebin.com/raw/WtM0Y5yC
> 
> As anyone who isn't as blind as a bat can easily see, there's a bit of a
> pattern here.  All of the spam source IPs are on just two ASNs:
> 
>   AS16276 - OVH SAS
>   AS4061 - DigitalOcean, LLC
> 
> It's equally clear that there have already been numerous reports about this
> ongoing and blatantly criminal activity that have been sent to the low-level
> high school dropout interns that these companies, like most others on the
> Internet these days, choose to employ as their first-level minions in their
> "not a profit center" abuse handling departments.  So, guess what?  Surprise,
> surprise!  None of those clue-deprived flunkies have apparently yet managed
> to figure out that there's a pattern here.  Duh!  As a result, the scamming
> and the spamming just go on and on and on, and the spammer-scammer just
> keeps on getting fresh new IP addresses on both of these networks... and
> fresh (and utterly free) new domain names from the equally careless company
> called Freenom.
> 
> So, you know, I really would appreciate it if someone could either put me
> in touch with some actual sentient being at either OVH or DigitalOcean...
> assuming that any such actually exist... or at the very least, try to find
> one to whom clue may be passed about all this, because although these scam
> spams were kind of humorous and novel at first, the novelty has now worn off
> and they're really not all that funny anymore.
> 
> Oh!   And while we are on the subject, I'd also like to obtain a contact,
> preferably one which is also and likewise in possession of something roughly
> approximating clue, at this place:
> 
>   AS200517 - Microsoft Deutschland MCIO GmbH
> 
> The reason is that although MS Deutschland is most probably not the source
> of any of the spams, they, or at least their 51.18.39.107 address, do appear
> to be mixed up in all of this somehow:
> 
>    https://pastebin.com/raw/ziVNCmZ8
> 
> I dunno.  Maybe Microsoft has managed to engineer a merger with the CIA (?)
> If not, then maybe they would be so kind as to rat out this specific criminal
> customer of theirs to appropriate authorities.
> 
> Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for
> all of the admirable work they do, but you know the old saying... charity
> begins at home.  So my hope is that they will seek to get this low-life off
> their network immediately, if not sooner, and then also seek to arrange
> suitable long term accommodations for him in, say, Florence, Colorado, or,
> if he/she/it has a higher than average level of tan, I hope that they will
> make all necessary inquiries to find out if there are still any open bunks
> available in Gitmo.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  In recent days, the popular media has fanned the flames of controversy,
> as it is their habit to do, over the question of whether or not the various
> social media companies could have somehow automagically spotted and deleted,
> in real time, with some sort of yet-to-be-invented artificial intelligence
> wizardry, the shooter videos from New Zealand.  Of course, none of the TV
> personalities who so cavalierly offer up their totally uninformed opinions
> on this question have ever themselves gotten within a country mile of the
> kinds of AI that could, perhaps in another decade or three, reliably
> distinguish between a video of a mass shooting and a video of a particularly
> raucous birthday party.  It's a hard problem.
> 
> In contrast to that hard problem, spotting the kind of trivial reverse DNS
> pattern I've noted above is child's play and a no brainer.  Why then, one
> might reasonably ask, have the combined abuse departments of both OVH and
> DigitalOcean been either utterly unable or else utterly unwilling to do so?
> Solving these kinds of trivial problems does not await the development of
> some advanced new artificial intelligence.  It just requires the judicious
> application of a small bit of the non-artificial kind of intelligence.  But
> the industry, it seems, can't, or won't, even manage that.

