Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland)

Ronald F. Guilmette rfg at tristatelogic.com
Wed Mar 20 00:01:31 UTC 2019


[[ I've just collected some new information about the length of time
   that this specific bitcoin extortion spamming bad actor has been
   on Digital Ocean's network.  For those who may only have an interest
   in that one detail, you can just skip down to the line of plus signs
   and start reading there. ]]


In message <50414.162.155.102.254.1553001814.iglou at webmail.iglou.com>, 
"Jeff McAdams" <jeffm at iglou.com> wrote:

>(Disclosure: I, too, work for DigitalOcean as the Manager of Network
>Engineering.  Nikolas does not work for me, nor I for him.)
>
>On Tue, March 19, 2019 02:17, Ronald F. Guilmette wrote:
>>
>
>> Nikolas Geyer <nik at neko.id.au> wrote:
>>> I have passed your email on to the relevant team within DO to have a
>>> look at.
>
>> Thank you, but that wasn't what I requested.  I asked for a contact
>> there.
>
>Oh, is that how this works?  I ask that you FedEx me a million dollars
>cash, in small bills.  I await the arrival of said parcel.

In my experience, if you don't ask for something, you aren't likely to
get it.  There's no harm in asking.

In any case, I offer you the pertinent observation also that "small bills"
are soooooooo last century.  These days, as should now be abundantly
clear, payment in bitcoin is the preferable currency for such requests.  :-)

>> In any case, I would be more than happy to have you tell me the "right
>> way" to engage with any actual live human beings at either of these
>> companies, especially if you also are able to identify one or more such
>> receptive individuals by name and email address, which is what I was
>> requesting in the first place.
>
>Would you really be happy with that?  You derided another good-faith
>respondent to your screed with a rant about not being willing to fill out
>web forms to report abuse because it offends your sensibilities.

I stand by what I wrote.  I don't like dealing with anonymous web forms
that, for all I know, and based on the available evidence, are or may be
aliased to /dev/null.  I prefer the human touch, especially in cases
where I am seeking to find someone who may be held accountable when and
if no actual action ensues.

>We would prefer, but don't require, that you use the web form because that
>is integrated into the workflow of the groups that respond to those
>reports.  If they choose to give you their individualized contact
>information, then they can do that.  It is not my place, nor Nikolas', to
>give out individual contact information for our co-workers out to anyone
>who asks.  That would be irresponsible and obnoxious for us to do that.

I am not just "anyone who asks".  I am a guy who's been spammed from your
network.  If you read my earlier report, then you should know that I am
also the guy who took the time to carefully research this, and to provide
your company with information about this specific crook/spammer...
information that, it seems, you folks yourselves have apparently been
largely or entirely unaware of, and for some considerable time now.
Given that context, am I really entirely undeserving of even being
informed of the mere email address of the head of DigitalOcean's abuse
handling department, assuming, at least for the sake of argument, that
such an individual does in fact exist?  Wouldn't it be a Good Thing
if that person and I could communicate directly?

And more to the point, what would be the downside, exactly, if that
person's name and email address were not only given to me, but also
scattered to the four winds and given out to everyone on the planet?
Are you implicitly asserting that that person might then have to (gasp!)
deal with some additional influx of spam into his or her inbox?  If so,
then I can't help but wonder aloud why that person should NOT join the
rest of us mere mortals in that shared and miserable club.  Perhaps it
would even be of some benefit for that person to come down out of the
clouds at least long enough to experience what the rest of us poor
sods have to deal with on a routine and daily basis.  The experience
might even enhance that person's understanding of, and appreciation of
the very kinds of (spamming) problem that he or she is being paid to
attend to.  Stranger things have happened.

I'll be generous here and will refrain from leaping to any conclusions
that the person in question does not want his or her identity to be
generally known for fear that he/she might then be personally criticised
for his/her work and/or the lack thereof.  But other than that, and a
possible desire to avoid receiving any of this same spam-slime that the
rest of us poor slobs get coated in on a daily basis, I really can't
imagine what other reasons there might be that would cause Digital
Ocean's abuse handling staff and/or the management thereof to be so
overwhelmingly discreet.

What I can say, rather definitively now, is that the specific bitcoin
scammer-spammer that prompted me to begin this thread has been given,
over time, and by your company, Digital Ocean, no fewer than five hundred
and fifty three (553) separate, distinct, discrete and individual IPv4
addresses and that many, most or all of those have been used for outbound
spamming purposes, all just by this one bad actor, and all during the
present calendar year.  The evidence supporting this assertion was and
is available here:

    https://pastebin.com/raw/WtM0Y5yC

Note that this is the equivalent of more than a full /23 that Digital
Ocean has given to this one customer, presumably after vetting the
customer according to current industry standard due diligence procedures,
which is to say no due diligence whatsoever, other than making sure that
the check clears.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Additionally, I have just collected some additional evidence, courtesy
of the Farsight Security passive DNS service, which appears to indicate
that this specific bad actor has been (and perhaps remains?) a customer
of Digital Ocean, not just for a few days, or just for a week or two,
but for a period in excess of two full months, continuously, based upon
reverse DNS settings in place on your network since at least January 7th:

====================================================================
;;  bailiwick: 71.128.178.in-addr.arpa.
;;      count: 155
;; first seen: 2019-01-07 13:09:45 -0000
;;  last seen: 2019-03-18 07:51:33 -0000
40.71.128.178.in-addr.arpa. IN PTR mx.c.cryptoaccount.ml.
====================================================================

This additional information raises a number of rather obvious questions:

    *)  How many reports/complaints has Digital Ocean received, since
        the beginning of the current calendar year, regarding this
        specific criminal extortion spammer on your network?  (Hint:
        If your assertion is that the number has been zero, I will
        likely point out that that estimate is not really credible,
        under the circumstances, and in light of the numerous Twitter
        spamming reports that I've previously cited.)

    *)  Within the time period since this bad actor became active on the
        Digital Ocean network, and since the first relevant report of 
        network abuse was received by your company about this specific
        bad actor, what has prevented Digital Ocean's abuse handling
        department from being either able or willing to effectively
        action this case?

    *)  Does Digital Ocean enable outbound TCP port 25 connectivity for
        its new customers by default and in the absence of explicit
        customer requests?  And if so, is that really the best choice?

I look forward to your responses with respect to these relevant questions.


Regards,
rfg
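As an added example (not part of the original post or of any Farsight tool), the following parses passive DNS PTR records in the ";; key: value" layout quoted above, measures how long the reverse DNS entries were observed, and checks the "more than a full /23" address-count claim. The second record in the sample is constructed to show grouping across more than one address.

```python
# Added example: summarise passive-DNS PTR observations for an abuse case.
from datetime import datetime
import math
import re

# Constructed sample in the same layout as the passive DNS output quoted
# in the post; the second block is invented to exercise multiple records.
SAMPLE = """\
;;  bailiwick: 71.128.178.in-addr.arpa.
;;      count: 155
;; first seen: 2019-01-07 13:09:45 -0000
;;  last seen: 2019-03-18 07:51:33 -0000
40.71.128.178.in-addr.arpa. IN PTR mx.c.cryptoaccount.ml.

;;  bailiwick: 71.128.178.in-addr.arpa.
;;      count: 12
;; first seen: 2019-02-01 00:00:00 -0000
;;  last seen: 2019-02-03 00:00:00 -0000
41.71.128.178.in-addr.arpa. IN PTR mx.d.cryptoaccount.ml.
"""

TS = "%Y-%m-%d %H:%M:%S %z"

def parse_records(text):
    """Yield one dict (ip, ptr, first, last) per PTR record block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        meta, rr = {}, None
        for line in block.splitlines():
            if line.startswith(";;"):
                key, _, value = line[2:].partition(":")
                meta[key.strip()] = value.strip()
            else:
                rr = line.split()  # owner, class, type, target
        if not rr or rr[2] != "PTR":
            continue
        octets = rr[0].split(".in-addr.arpa")[0].split(".")
        yield {
            "ip": ".".join(reversed(octets)),   # in-addr.arpa is reversed
            "ptr": rr[3].rstrip("."),
            "first": datetime.strptime(meta["first seen"], TS),
            "last": datetime.strptime(meta["last seen"], TS),
        }

def tenure_days(records):
    """Days between the earliest 'first seen' and the latest 'last seen'."""
    first = min(r["first"] for r in records)
    last = max(r["last"] for r in records)
    return (last - first).total_seconds() / 86400

def largest_filled_prefix(n_addresses):
    """Longest IPv4 prefix whose block is fully covered by n addresses."""
    return 32 - math.floor(math.log2(n_addresses))  # 553 -> /23
```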


