RFG; I have passed your email on to the relevant team within DO to have a look at.
I’d like to thank you for your deriding commentary to bring attention to this problem. I am not sure it is the most effective way to try and engage the wider industry on a public list, but each to their own. Oh, and additionally, as an Australian citizen with many Aussie and Kiwi colleagues working at DO of various religious persuasions; your postscript relating this back to the recent terror attacks is abhorrent and disgusting. You should be completely ashamed. Kind regards, Nik. Sent from my iPhone > On Mar 18, 2019, at 9:39 PM, Christian Kuhtz via NANOG <nanog@nanog.org> > wrote: > > Ronald, > > we are asking Microsoft CDOC to investigate. > > You can find a variety of ways to report issues at their website as well: > https://www.microsoft.com/en-us/msrc/cdoc > > Thanks, > Christian > > ________________________________ > From: NANOG <nanog-boun...@nanog.org> on behalf of Ronald F. Guilmette > <r...@tristatelogic.com> > Sent: Monday, March 18, 2019 5:02:38 PM > To: nanog@nanog.org > Subject: Contacts wanted: OVH, DigitalOcean, and Microsoft (Deutschland) > > > OVH, DigitalOcean, and Microsoft... > > Is there anybody awake and conscious at any of these places? I mean > anybody who someone such as myself... just part of the Great Unwashed > Masses... could actually speak to about a real and ongoing problem? > > Maybe most of you here will think that this is just a trivial problem, and > one that's not even worth mentioning on NANOG. So be it. Make up you own > minds. Here is the problem... > > For some time now, there has been an ongoing campaign of bitcoin > extortion spamming going on which originates primarily or perhaps > exclusively from IPv4 addresses owned by OVH and DigitalOcean. > These scam spams have now been publicised in multiple places: > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmyonlinesecurity.co.uk%2Ffake-cia-sextortion-scam%2F&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393817755&sdata=G9Hg5walAZerFD9PnEQXIGzAVbzJNIS2KYET4HBBuco%3D&reserved=0 > > Yea, that's just one place, I know, but there's also no shortage of people > tweeting about this crap also, in multiple languages even! > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FSpamAuditor%2Fstatus%2F1107365604636278784&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=k%2BMCTB2IkJwSqTONEkyo5rclZ7ACRB5B1%2FPLCFdfih4%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fdvk01uk%2Fstatus%2F1107510553621266433&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=td3Ut9lblQnfKP2%2FDcVOSmrv%2F2vBop3PciSjELtv6GU%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fbortzmeyer%2Fstatus%2F1107737034049900544&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=FV9rQ433O0uFkolp%2F4nz%2BFSRp4qC7YzjfHXM8sQTVbk%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fariestess69%2Fstatus%2F1107468838596038656&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=sw5szX9XIE5gn9T5QB1qYSGW%2FF0ZFrBXi1R%2BaXY8c50%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fbernhard_mahr%2Fstatus%2F1107513313020297216&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=wNhWzgjRIdon3zbnxlWBAo8rtiGwcqSSFFPwon7BQzY%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fjzmurdock%2Fstatus%2F1107679858945974272&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=7tUqGf%2B157mD4d%2BLt11rnYT0xymSd4zwSDFmiof0ZmE%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fgamamb%2Fstatus%2F1107384186548207617&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=xRJyg4F45qXdZtA3iMM3USsB7lZb0%2BIYXMSH%2BsY6jYA%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FdavidgsIoT%2Fstatus%2F1107725201331097606&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=7klohIIudOseoOGP52YAR8iaytskolyM4nR8L6tbYeI%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fcybers_guards%2Fstatus%2F1107675396076560384&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=oQr6NZJALnj69Msz7P7XjPgYfQ3mqKEZWnp1bmNzi2M%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FThatHostingCo%2Fstatus%2F1107588660831105024&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=nj7CPej33pQFejB5Q8AF2nvANB%2BuLt8wv2imnlIggnU%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Ffladna9%2Fstatus%2F1107554090765242368&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=v7CxmK3NbtoKVPu9aaRvtZh2xyMXXxocjbWM6ipz3DQ%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FJUSTADACHI%2Fstatus%2F1107549777607184384&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=SnR1zh5au%2B1E1NrSK8v8BAE2SZT5QeDqKKu8ZxfhZlI%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fokhin%2Fstatus%2F1107627379650908160&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=kRepqjm69Q4FYvaxSXocdMmVWZFKeLwaepSDjRecSgk%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FPurple_Wyrm%2Fstatus%2F1107454618705887232&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=OrjjyCmz8dg7GmAu%2BsrWGx1AEeQWldDCNM7HdFj6XO0%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FLadyOFyre%2Fstatus%2F1107349022220550144&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=bfVOPifXbNnvmuby13VI%2B%2FYsBXSIHF8tIfaCj1OQrmE%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Flaurelvail%2Fstatus%2F1107345980062523392&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393827747&sdata=RO%2Bsz5FXjn78A8x7c%2BZ6P%2BghH9bJYgDCBcJi20SYOro%3D&reserved=0 > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FAlex__Rubio%2Fstatus%2F1107595560440217600&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393837741&sdata=BK8L6WcuS039Rf2lYNI0qZftj2DcIIomH0gl89P4APM%3D&reserved=0 > > The thing of it is that ALL of this crap... al of these scam spams... are > quite obviously originating out of the networks of OVH and DigitalOcean. > And it's not even all that hard to figure out where from, exactly and > specifically. I generated the following survey, on the fly, last night, > based on a simple reverse DNS scan of the evidently relevant addrdess > ranges: > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2Fraw%2FWtM0Y5yC&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393837741&sdata=I7W%2FyU7yoMlor3u4CkkSlmPtgO7clQA42sz6blLPY3U%3D&reserved=0 > > As anyone who isn't as blind as a bat can easily see, there's a bit of a > pattern here. All of the spam source IPs are on just two ASNs: > > AS16276 - OVH SAS > AS4061 - DigitalOcean, LLC > > It's equally clear that there have already been numerous reports about this > ongoing and blatantly criminal activity that have been sent to the low-level > high school dropout interns that these companies, like most others on the > Internet these days, choose to employ as their first-level minions in their > "not a profit center" abuse handling departments. So, guess what? Surprise, > surprise! None of those clue-deprived flunkies have apparently yet managed > to figure out that there's a pattern here. Duh!. As a result, the scamming > and the spamming just go on and on and on, and the spammer-scammer just > keeps on getting fresh new IP addresess on both of these networks... and > fresh (and utterly free) new domain names from the equally careless company > called Freenom. > > So, you know, I really would appreciate it if someone could either put me > in touch with some actual sentient being at either OVH or DigitalOcean... > assuming that any such actually exist... or at the very least, try to find > one to whom clue may be passed about all this, because although these scam > spams were kind of humorous and novel at first, the novelty has now worn off > and they're really not all that funny anymore. > > Oh! And while we are on the subject, I'd also like to obtain a contact, > preferbly one which is also and likewise in possession of something roughly > approximating clue, at this place: > > AS200517 - Microsoft Deutschland MCIO GmbH > > The reason is that although MS Deutschland is most probably not the source > of any of the spams, they, or at least their 51.18.39.107 address, do appear > to be mixed up in all of this somehow: > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpastebin.com%2Fraw%2FziVNCmZ8&data=02%7C01%7Cchkuhtz%40microsoft.com%7Cb1ca95b917fe4df0e3ee08d6abfe627f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636885506393837741&sdata=dSVZUSMJeIZFaBgDygm7o7SmTibWdi8LwQBO6v4ftWo%3D&reserved=0 > > I dunno. Maybe Microsoft has managed to engineer a merger with the CIA (?) > If not, then maybe they would be so kind as to rat out this specific criminal > customer of their's to appropriate authorities. > > Don't get me wrong. I heartily applaud Microsoft's Digital Crimes Unit for > all of the admirable work they do, but you know the old saying... charity > begins at home. So my hope is that they will seek to get this low-life off > their network immediately, if not sooner, and then also seek to arrange > suitable long term accomodations for him in, say, Florence, Colorado, or, > if he/she/it has a higher than average level of tan, I hope that they will > make all necessary inquiries to find out if there are still any open bunks > available in Gitmo. > > > Regards, > rfg > > > P.S. In recent days, the popular media has fanned the flames of controversy, > as it is their habit to do, over the question of whether or not the various > social media companies could have somehow automagically spotted and deleted, > in real time, with some sort of yet-to-be-invented artificial intelligence > wizardry, the shooter videos from New Zealand. Of course, none of the TV > personalities who so cavalierly offer up their totally uninformed opinions > on this question have ever themselves gotten within a country mile of the > kinds of AI that could, perhaps in another decade or three, reliably > distinguish between a video of a msss shooting and a video of a particularly > raucous birthday party. It's a hard problem. > > In contrast to that hard problem, spotting the kind of trivial reverse DNS > pattern I've noted above is child's play and a no brainer. Why then, one > might reasonbly ask, have the combined abuse departments of both OVH and > DigitalOcean been either utterly unable or else utterly unwilling to do so? > Solving these kinds of trivial problems does not await the development of > some advanced new artificial intelligence. It just requires the judicious > application of a small bit of the non-artificial kind of intelligence. But > the industry, it seems, can't, or won't, even manage that.
