Completely disgusted with DigitalOcean's handling of spam prevention laws

sb56637 Member
edited July 2013 in General

I am completely disgusted by DigitalOcean's handling of an issue regarding spam prevention. I woke up this morning to find my site offline. It had been disabled by DigitalOcean staff about 5 hours ago while I was asleep. I found the following ambiguous and marginally threatening message from support staff:

=========================================
Hello,

Preventing abuse is a top priority here at DigitalOcean, and we ask for your help in this ongoing battle. With that in mind, we would like to verify your account details.

Providing your personal information will allow us to better assist you now, and in the future.
Please let us know the following:

  • Your name.
  • Your location.
  • Your phone number
  • The primary type(s) of traffic that will be sent from/to your droplet(s) (For example; web traffic or similar will suffice).
  • Your public Twitter handle.
  • Your public Facebook profile.
  • Your personal/business website.
  • Your personal/business blog.

We find that procuring some basic information about our customers to verify accounts is preferable to detailed billing and payment verification, as billing information can be falsified.

Please also note: None of the information we receive will be stored or used for any other purpose than initial account verification and abuse prevention.

Thank you for your time. We look forward to hearing back from you soon.

Regards,

DigitalOcean Abuse Team

This is the most utterly illogical and unfounded handling of spam prevention laws that I have ever seen.

First of all, I am NOT a spammer and never have been. My site sends out a high number of notifications by email about new forum activity to users, and there is clear information in every email about how to disable notifications.

Second, why in the world are they asking me to verify this information now, instead of during account creation? Is it really necessary to shut down a customer's server in the early morning hours without sending ANY PRIOR NOTIFICATION beforehand? If this is some sort of compliance with spam prevention laws, I completely understand. However, entirely disabling my server without any prior warning just to ask for my personal information is completely unacceptable. There is no reason why they could not have asked me for this information without disabling my server. Or in the worst case, they could have blocked the SMTP port instead of completely crippling my site.

Third, the support message is totally ambiguous. It gives no details about the reason for this drastic shutting down of my website. Am I currently being investigated by authorities for supposed spamming? Do they want this information for a lawsuit against me? Have there been complaints by somebody about me sending spam? Or is this just to be safe and comply with the laws? It is inconceivable that they would take such drastic action and follow up with such an ambiguous support message, which, by the way, is still not being attended more than an hour after my initial response.

This is one of the worst experiences I have ever had with quite a few awful webhosts. About 5 minutes more and I'm done with DigitalOcean.


Comments

  • clone1018 Member
    edited July 2013

    Spam is a big problem for everyone, your complaint as a non-spammer is completely understandable, but what if you had been a spammer?

    Also on the internet "early morning" is very relative.

    Edit: In my experience, they first disable the SMTP port and then disable the server if you don't respond. I'd contact them to try and figure out what kind of abuse it was, as it may be unrelated to mail completely.

  • I agree, they should first disable the SMTP port, which is what all other rational hosts do. In this case, they simply shut me down. No other information, and no response to my ticket. Incredibly awful support.

  • Epidrive Member
    edited July 2013

    Nothing wrong.

    You should have read their TOS: https://www.digitalocean.com/tos (read 2.4). They should've terminated you already for sending out bulk mails. But instead they give you a chance to prove your real identity for security reasons; just comply with it, it's just for verification anyways.

    2.4

    "...Users may not send bulk email utilizing their Network resources unless they maintain a double-authorized list of subscribed members including IP addresses and relevant contact information,..."

  • @Zen said:
    They handled it wrongly and they didn't do enough investigation.. if they had simply viewed the customers website and the email information they would have had enough right there to validate it wasn't spam, not only that but the way they handled the issue isn't great imo.

    The site being legitimate is irrelevant. Legitimate sites get compromised every hour, a seemingly unsuspecting WordPress blog could be sending 1000's of emails an hour if it's compromised.

  • I am complying with all of the requirements in their bulk mail TOS. They simply disabled the entire server, and are now refusing to answer my questions.

  • Hmm, I experienced a client similar to this before, except it cost me nearly $200.00. The client was sending spam emails in a bulk amount and my only option was to terminate the server within two hours of notifying the client. That decision then left me with a PayPal Dispute on my hands and later a dispute handled by his bank.

  • @Jeffrey: The difference is that I am not sending spam. I am sending notifications to forum users who request notifications on new post updates. My mail server is secured, no open relays, etc. etc. etc.

  • What do you mean by refusing to answer?

  • @clone1018: They are simply not responding to my messages asking for more information after hours of waiting.

  • According to a meta blacklist checker, my IP and my domain are NOT listed on any blacklists except SpamCannibal, who doesn't like the PTR record that DigitalOcean is using. And I've been sending out a LOT of legitimate notifications for a LONG time.

  • @sb56637 - go to their irc channel or tweet to DO and they have to respond.

  • @finlandvps: Already tried that, just a bunch of cocky DigitalOcean fanboys who told me to just hand over all my personal information to the support people and get lost.

  • @sb56637 is there a problem for not providing that info?

    Make a tweet about it. Probably they will provide a free month if you ask about it.
    You can also email [email protected]. They sent me a free credit even when I had deleted my droplets. They wanted me to get back.

  • @finlandvps: Just on a matter of principle I will not provide information unless they fully disclose what is at stake. I asked them to tell me what the issue is, if I am being investigated for spamming or if there has been a complaint against me, and now they appear to be playing hardball and holding my site hostage until I give them information. No replies from them hours later.

    Thanks for the tips, I'll try the CEO email.

  • @sb56637 Probably they just forgot to identify you. You could make a second ticket and click the urgent box. If you have done nothing wrong there should be no issue really. Probably no complaints either. They just don't know what the site is (they don't check) nor what you have been sending. Just let them know it's a forum and you're sending notifications. Probably easier to identify yourself though. I really don't see why you can't identify yourself to handle it legitimately.

  • Ok, this is an improvement. Finally a response:

    =================
    Hello

    I have immediately turned on your server it should be online now.

    We are further investigating the issue.

    Thank you for your patience

    Support

  • Spirit Member

    @finlandvps said:
    sb56637 probably they just forgot to identify you.

    No, it's their service ordering system made for fast money pick without personal information form. That's very rare in the hosting industry and solely DO's fault. They usually require personally identifiable information months later in order to unlock some basic VPS feature for you or something, after you happily pay and use their service for months.
    This host is by my experience too unpredictable for serious usage. They don't have clear strategy about anything, all the time it seems like they are in early learning/experimenting phase how to do things right.
    You never know what limit.. ermm, feature they will invent tomorrow to cause you more problems or squeeze more money out of you.
    (opinion based on my personal experience with DO)

  • @Spirit: Unfortunately I have to agree with you. I want to like DigitalOcean, but this has been a train wreck.

    So, any recommendations for a different KVM host in the same price range as DO that offers fast SSD storage and immediate creation/cloning of servers without admin intervention?

    Thanks!

  • marcm Member
    edited July 2013

    I agree with @sb56637 - as this kind of behavior is absolutely unacceptable. Given how many high quality providers there are at the moment I doubt that anyone needs their services so bad that they should compromise their online privacy. For example if we have reason to believe that an order could be fraudulent we ask the customer for a second form of identification, something that they are comfortable with sharing or if we can call them to verify.

    @Spirit - Digital Ocean came out so strong with their unrealistic offers in order to squeeze out competing SSD providers. Remember for example when they offered unlimited bandwidth? They seem to me more like a bait and switch type of provider. What about thin provisioning their KVM VPS servers in order to be able to oversell disk space? Or using RAID 5 and possibly (and that's a big if) RAID 50 instead of RAID 10 like other reputable SSD providers are using? What about completely losing some of their customers' data? These are the questions that customers completely forget to ask when they are blinded by a low price and the promise of a lot of resources for very little money. The trend amongst providers, at least for the past year or so around here, has been to provide node specifications with their offers. Digital Ocean has not been transparent at all about their configurations. IMHO people need to question things that are too good to be true.

  • @marcm despite conspiracy they're already profitable. They run a huge number of droplets, they get huge discounts. Their network in Amsterdam seems to have improved. They had a lot of bad HDDs recently, that's what they published. So I wonder where the SSD part is, I don't know. Their Cpanel is simple. Support is in between fast-slow. Perhaps their server configuration is a business secret; all that they say is that they run on hexacore CPUs and SSD really. Guess they're here until some bigger cloud player buys them out, I suppose that's the reason for getting business angels involved this time.
    Every host has had their issues in the startup phase. They provide backups, but who generally trusts a generic backup system when backups aren't verified in any way. So they can lose data.

  • My site sends out a high number of notifications by email about new forum activity to users, and there is clear information in every email about how to disable notifications.

    Notification emails to customers/members don't fall under the CAN-SPAM definition of bulk email or UCE/SPAM, but the sending of a large number of notification emails can trigger false positive spam alerts when providers base their alert systems primarily on "x number of emails per hour=spammer!". The fault here lies with DO's spam alert triggers (and all of the other companies that base their spam alerts primarily on number of emails per hour.).

    Guess they're here until some bigger cloud player buys them out,

    The larger cloud players tend to focus on enterprise customers and my guess would be DO has very few of those. DO uses cloud as a marketing gimmick but their offering seems to be closer to a traditional VPS. A high availability solution it's not.

  • perennate Member, Host Rep

    Biggest problem IMO is their lousy CPU virtual core.

  • I, personally, haven't used or owned a DigitalOcean Cloud VPS in almost half a year, so I can't really say how they are going to go with this or not. They have over 200,000 live servers, I'm sure they're quite busy so I would just give them some time.

  • rds100 Member

    @Jeffrey said:
    over 200,000 live servers

    I believe our definition of a "live server" differs then.

  • To be fair, DigitalOcean made a sincere effort to apologize. I actually received a detailed response from the co-founder Moisey, and they gave me a huge $100 credit. I wasn't expecting or asking for a credit, but they did take their mistake very seriously. I applaud them for being honest and transparent, even at this late stage. I'll probably stay with them for the time being.

  • With Moisey's permission, I am re-posting his replies:

    Thanks for providing the requested information and we would love to never send such messages to customers or restrict any usage but unfortunately with a public cloud service where a customer can signup from any where in the world and then begin malicious activity abuse is a very high priority for us.

    Occasionally a legitimate customer such as yourself falls into this category and this is an area where Paypal is also an issue for us and one of the reasons that we aren't integrating any other forms of payment. Mainly that Paypal does not provide us with any customer information so when we review the account it becomes very difficult to determine the legitimacy of the user.
    While the action seems harsh and I agree with you that it is very frustrating, the reverse is that without these measures in place we would have a considerable amount of abuse which would not only cause problems for the internet in terms of outbound SPAM, port scanning, and UDP flooding, but also results in retaliatory action against us which can impact customers on the hypervisor which leads to an overall bad experience.
    I'd love to apologize for this but unfortunately these are our current measures and I feel that an apology for a practice and procedure that we still have in place would be disingenuous. We do our best to try to avoid filtering a legitimate customer in to this process but occasionally it does happen. Whenever there is human interaction involved there is always the possibility for error and in this case we are making judgements based on the information we have on the account.
    We thank you for choosing to continue to use DigitalOcean and we're issuing you a $100 credit.
    Thanks,
    Moisey
    Cofounder DigitalOcean

    And another reply:

    We engage in as many online forums as we can unfortunately there simply isn't enough time in the day to do so while also helping customers with issues and developing features. We've had customers post our replies on forums in their entirety or recap them so I leave that to your description.

    In regards to the slow response times that is correct, there was a delay in the response which is inappropriate and something that we are working on. We do flag tickets into certain queues and this one ended up in the abuse queue which gets less priority than open customer issues.
    Obviously this is something we need to review as when a legitimate customer is snagged in the process it can lead to a slower response time than appropriate.
    There are several things that we are doing to improve this process. First is hiring more support staff and we've staffed up considerably since January but we still have open positions and are hiring. However there is time to interview, make sure the fit is correct, and then on-board the new customer support person and get them up to speed.
    The second is we are working on a searchable FAQ which will be integrated in to the support page so that if there is already an answer to a specific question the customer can see that. This should reduce the support volume a bit, give customers immediate information so they can resolve their issue, and allow us to focus on the specific issues which customers are having which aren't already covered.
    We understand that you weren't looking for a handout and respect that but one of our core values is love. We try to show that to our customers as often as possible and it goes into everything from our community section, to our interface, which we hope users find pleasant to use, to our interactions in support. In this case we can't send you flowers to say we messed up, so we sent a credit instead.

  • DomainBop Member
    edited July 2013

    They have over 200,000 live servers

    200,000+ total VPS's deployed since they started is possible but it's doubtful they have anywhere near that number of live droplets because they have under 60,000 IPs.

    http://bgp.he.net/AS46652#_prefixes
    http://bgp.he.net/AS14061#_prefixes

  • Spirit Member

    @sb56637 the power of public opinion :) Incredible how cooperative become some hosts after exposed issue with them here or some other hosting forum.

  • I am having the opposite problem with DO. I created a droplet and got everything set up the way I wanted. Upon testing emailing out to various services I began to get reject notices from Google that the IP had been banned for bulk emailing. I contacted DO support about this and they gave really no help. They suggested I provision another droplet to get a new IP. Since I had spent the better part of two days getting the VPS configured the way I wanted, rebuilding from scratch isn't really what I want to do.
