Persistent, un-resolved spamming from DigitalOcean.com servers

Since late December of last year, one domain that we host has been receiving a persistently high volume of spam coming from various IP addresses, all apparently used by DigitalOcean.com servers. There were another 28 today, 26 yesterday, 15 on Monday, and so on.

Every single one of them has been reported to [email protected], both via Spamcop & forwarded directly - yet despite that, it appears that Digital Ocean has done absolutely nothing to address the issue, and allowed it to continue for over a month.

The EMails all have "From" addresses that begin with "john," and all use a number of different seemingly random domain names, mostly using the ".club" TLD - E.g. [email protected], [email protected], [email protected], etc. The latest batch of messages came from the following IP addresses:


Anyone from Digital Ocean care to explain why this is **still** occurring and why it's been allowed to continue for this long? A few days to address a one-off spam run is one thing, but this is getting truly ridiculous; at this point, the only possible conclusions I can think of are that Digital Ocean is either routinely ignoring abuse complaints - or is knowingly allowing this spammer to continue operating on their network.

[Fortunately, this particular spammer appears to be terminally stupid (or hopelessly inept/lazy, or all of the above). I'm relatively certain that they're trying to map out/harvest the addresses that exist on that domain, because the messages are all sent to different users @ that domain, and the messages are also all blank (nothing in the subject line or body). I suspect that the spammer is only persisting because the messages aren't being rejected - however, the spammer appears to be too braindead to be suspicious that every single random username they've EMailed on that domain appears to be valid. The reason being that someone had mistakenly left a default/catch-all address enabled for that domain, and it was full of spam - so I decided to leave that on & use it as a honeypot, to help with training SpamAssassin, and to help identify spammer-friendly providers to block.]
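The pattern described in the post above (blank subject and body, a "From" local part beginning with "john", a `.club` sender domain, a different recipient each time) can be tallied per connecting IP from a catch-all mailbox. This is an added example, not code from the original post; the sample messages, the `honeypot.example` domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

def build(ip, sender, rcpt, subject="", body=""):
    """Assemble one constructed message roughly as the receiving MTA would store it."""
    return (f"Received: from {sender.split('@')[1]} (unknown [{ip}]) by mx.honeypot.example\n"
            f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n\n{body}")

# Constructed samples: documentation IP ranges and made-up domains, not data from the thread.
SAMPLES = [
    build("192.0.2.10", "john.a@constructed-1.club", "alice@honeypot.example"),
    build("192.0.2.10", "johnny77@constructed-2.club", "bob@honeypot.example"),
    build("198.51.100.7", "john@constructed-3.club", "carol@honeypot.example"),
    build("203.0.113.5", "john@constructed-1.club", "dave@honeypot.example", "Invoice", "See attached.\n"),
    build("203.0.113.9", "mary@partner.example", "alice@honeypot.example"),
]

def is_probe(msg):
    """Blank subject and body, From local part starting 'john', sender domain under .club."""
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    payload = msg.get_payload()
    # Simplification: any multipart message is treated as having content.
    body = payload if isinstance(payload, str) else "multipart"
    blank = not (msg.get("Subject") or "").strip() and not body.strip()
    return blank and local.startswith("john") and domain.endswith(".club")

def source_ip(msg):
    """Connecting IP from the topmost Received header, the only one our own MTA wrote."""
    hops = msg.get_all("Received", [])
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", hops[0]) if hops else None
    return m.group(1) if m else None

def summarise(raw_messages):
    """Map source IP -> probe count and number of distinct recipients addressed."""
    seen = defaultdict(lambda: {"messages": 0, "rcpts": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        if is_probe(msg):
            entry = seen[source_ip(msg)]
            entry["messages"] += 1
            entry["rcpts"].add(parseaddr(msg.get("To", ""))[1].lower())
    return {ip: {"messages": e["messages"], "recipients": len(e["rcpts"])} for ip, e in seen.items()}

if __name__ == "__main__":
    for ip, stats in summarise(SAMPLES).items():
        print(ip, stats)
```

Only the topmost `Received` header is read because every header below it is supplied by the sender and can be forged.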

Comments

  • Thanked by 1jar
  • FrankZ Veteran
    edited February 2018

    RockyRoccocco said: There were another 28 today, 26 yesterday, 15 on Monday, and so on.

    I wish I had your spam problem :) Most days I filter/reject out between 10,000 and 25,000 spam mails.

    What are you using besides SpamAssassin to filter?
    ie: milter-regex, greylisting, SPF, IP reverse matching, etc

    EDIT: I only ask the above because I believe that spending your time tuning your mail servers is time better spent than time spent trying to stop spammers from spamming :)

    Thanked by 3MCHPhil jar Aidan
  • jar Patron Provider, Top Host, Veteran

    Happy to receive any abuse complaints at [email protected]. We take abuse very seriously and have a team dedicated to resolving issues around it. I won't go into further discussion on the topic here.

  • MikeA Member, Patron Provider
    edited February 2018
  • rm_ IPv6 Advocate, Veteran

    Because DigitalOcean is a scam site run by india.

  • @rm_ said:
    Because DigitalOcean is a scam site run by india.

    Yeah show me your vps ill reck it and u can call me serverhong

  • @jarland said:
    Happy to receive any abuse complaints at [email protected]. We take abuse very seriously and have a team dedicated to resolving issues around it. I won't go into further discussion on the topic here.

    The team also send abuse reports to people unconnected to the issue and decide to not reply when informed of this.

    This is from experience.

    So far my experience of DO customer support and abuse team is that you're the only competent person there

  • jar Patron Provider, Top Host, Veteran

    @lukehebb said:

    @jarland said:
    Happy to receive any abuse complaints at [email protected]. We take abuse very seriously and have a team dedicated to resolving issues around it. I won't go into further discussion on the topic here.

    The team also send abuse reports to people unconnected to the issue and decide to not reply when informed of this.

    This is from experience.

    So far my experience of DO customer support and abuse team is that you're the only competent person there

    I'm sorry that you've had that experience. As a team lead for our support team, if you feel that the support is incompetent, then it is my fault. I can tell you that I work with an incredibly talented team (many of which I've personally interviewed and approved their hiring) and that there's likely more to that story, but it doesn't subtract the perception. Frankly if it has to be explained to counter the perception, that is problematic in itself.

    I'm happy to review any case with my team and work on improving any bad experience. With the volume we push, it can be difficult to review every situation, but anything reported to me will most definitely be reviewed. Any time you ask for management to review a ticket, the same will occur.

    Thanked by 2lukehebb FHR
  • @jarland said:

    @lukehebb said:

    @jarland said:
    Happy to receive any abuse complaints at [email protected]. We take abuse very seriously and have a team dedicated to resolving issues around it. I won't go into further discussion on the topic here.

    The team also send abuse reports to people unconnected to the issue and decide to not reply when informed of this.

    This is from experience.

    So far my experience of DO customer support and abuse team is that you're the only competent person there

    I'm sorry that you've had that experience. As a team lead for our support team, if you feel that the support is incompetent, then it is my fault. I can tell you that I work with an incredibly talented team (many of which I've personally interviewed and approved their hiring) and that there's likely more to that story, but it doesn't subtract the perception. Frankly if it has to be explained to counter the perception, that is problematic in itself.

    I'm happy to review any case with my team and work on improving any bad experience. With the volume we push, it can be difficult to review every situation, but anything reported to me will most definitely be reviewed. Any time you ask for management to review a ticket, the same will occur.

    In this case can you please check out Ticket #1047605?

    Seeing this side of the abuse process and what OP is seeing is quite concerning as a customer of DO

  • jar Patron Provider, Top Host, Veteran

    lukehebb said: In this case can you please check out Ticket #1047605?

    Seeing this side of the abuse process and what OP is seeing is quite concerning as a customer of DO

    Sometimes it can happen that an abuse complaint is sent to the new owner of an IP address where the issue receiving the complaint was caused by the previous IP owner. Consider that when the two users may have the IP within 24 hours of each other that timezones (or even bad time settings on servers) can make it nearly impossible to truly determine which of the two users it would be relevant for.

    What's more important there is to consider this: Were you held accountable and treated poorly for receiving the report? Were any services shut down or anything like that? It's just a forwarded report, there's no reason to think that just because it was forwarded to you that we're going to shut you down or anything. We try to be a bit more intelligent than that :)

    Thanked by 1lukehebb
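The attribution problem described in the comment above, worked through as an added example (not DigitalOcean's process or code): a report timestamp is matched against an address's assignment history, and a missing timezone offset or a few minutes of clock skew around a handover leaves more than one candidate. The history, the tenant names and the 10-minute skew tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed assignment history for one address: (tenant, assigned, released), all UTC.
HISTORY = [
    ("tenant-A", datetime(2018, 1, 30, 8, 0, tzinfo=UTC), datetime(2018, 1, 31, 9, 0, tzinfo=UTC)),
    ("tenant-B", datetime(2018, 1, 31, 9, 5, tzinfo=UTC), None),  # None = still assigned
]

def attribute(reported, history, skew=timedelta(minutes=10)):
    """Return (verdict, tenants) for the tenants that may have held the IP at `reported`."""
    if reported.tzinfo is None:
        # No offset in the report: the real instant could be anywhere between
        # UTC+14 (14 hours earlier in UTC) and UTC-12 (12 hours later in UTC).
        base = reported.replace(tzinfo=UTC)
        lo, hi = base - timedelta(hours=14), base + timedelta(hours=12)
    else:
        lo = hi = reported.astimezone(UTC)
    lo, hi = lo - skew, hi + skew  # allow for a badly set clock on the reporting server
    hits = [name for name, start, end in history
            if start <= hi and (end is None or end >= lo)]
    verdict = "certain" if len(hits) == 1 else "ambiguous" if hits else "unassigned"
    return verdict, hits

if __name__ == "__main__":
    for stamp in ("2018-01-31T11:00:00+05:30",  # offset present: 05:30 UTC
                  "2018-01-31T11:00:00",        # same wall-clock time, offset missing
                  "2018-01-31T09:02:00+00:00",  # inside the handover gap
                  "2018-01-31T12:00:00+00:00"):
        print(stamp, attribute(datetime.fromisoformat(stamp), HISTORY))
```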
  • jarland said: What's more important there is to consider this: Were you held accountable and treated poorly for receiving the report? Were any services shut down or anything like that? It's just a forwarded report, there's no reason to think that just because it was forwarded to you that we're going to shut you down or anything. We try to be a bit more intelligent than that :)

    The problem is none of this is explained. The member of staff just said

    Hello,

    Please review the following abuse complaint we received regarding a Droplet you control.

    Regards,

    Trust & Safety
    DigitalOcean

    I replied, and got completely ignored. I don't know what's happening, if anything is needed or going to happen, or anything. A simple reply saying "sorry for the mistake, nothing is marked against your account" would go a long way to making this better from my end

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran

    lukehebb said: I replied, and got completely ignored

    I honestly don't see the reply, I don't know what happened there :(

    Thanked by 1lukehebb
  • @jarland said:

    lukehebb said: I replied, and got completely ignored

    I honestly don't see the reply, I don't know what happened there :(

    Oh, that's really weird! Showing as sent here (from my account address which uses G Suite free). I guess that explains why I didn't get a reply! Can't reply to something you don't get :-)

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran
    edited February 2018

    @lukehebb said:

    @jarland said:

    lukehebb said: I replied, and got completely ignored

    I honestly don't see the reply, I don't know what happened there :(

    Oh, that's really weird! Showing as sent here (from my account address which uses G Suite free). I guess that explains why I didn't get a reply! Can't reply to something you don't get :-)

    Aye, sorry about that. I wish I had any insight into the why on that as well. Kind of a black box on the Google side :(

    Edit: I am looking into it though. Will seek out any potential causes for the reply not being received, and make sure that any necessary steps are taken. Losing replies is obviously a very bad thing.

    Thanked by 2lukehebb FHR
  • @FrankZ said:

    RockyRoccocco said: There were another 28 today, 26 yesterday, 15 on Monday, and so on.

    I wish I had your spam problem :) Most days I filter/reject out between 10,000 and 25,000 spam mails.

    Oh, I wish that were the full extent of the spam I get - those are only the numbers for one particularly-persistent spammer.

    What are you using besides SpamAssassin to filter?
    ie: milter-regex, greylisting, SPF, IP reverse matching, etc

    I mainly rely on SpamAssassin, which I've tweaked fairly heavily & added a few custom filters to (mostly to deal with SEO/web dev spam from India) - along with greylisting.

    EDIT: I only ask the above because I believe that spending your time tuning your mail servers is time better spent than time spent trying to stop spammers from spamming :)

    I agree, and I take that approach with spam from countries/providers where we receive virtually no legitimate EMails (you won't see me griping about, say, OVH, Lanset, or Leaseweb on here). But with seemingly above-board providers, I'd rather the issue be addressed at its source - I'd prefer to allow 100 spam EMails through than block 1 legitimate EMail.

    @jarland said:
    Happy to receive any abuse complaints at [email protected]. We take abuse very seriously and have a team dedicated to resolving issues around it. I won't go into further discussion on the topic here.

    I will reply to your PM shortly. But I will mention here that [email protected] is not the address listed by Spamcop when I report the messages there, they list [email protected] instead, so that's where I've been sending the direct reports.

    Come again? You're saying that reporting 100+ individual messages through a web form, one-by-one, is easier than... what, exactly? Certainly not easier than reporting them via Spamcop and/or forwarding the messages en-masse as .EML attachments

    Thanked by 1FrankZ
  • jar Patron Provider, Top Host, Veteran

    RockyRoccocco said: I will reply to your PM shortly. But I will mention here that [email protected] is not the address listed by Spamcop when I report the messages there, they list [email protected] instead, so that's where I've been sending the direct reports.

    Actually if you don't mind, email me back at jdonnell @ digitalocean.com. I may be away from LET for a bit, but would love to chat with you more about it. Weird about the fbl@ thing. I may be confused on how spamcop gets their abuse listings, but abuse@ is the one that we import into our ticket system and then use to assign abuse complaints to customers.

    I should note that while unresolved trends and/or serious issues are dealt with, our abuse complaints are filtered through human eyes and we determine whether or not they're legitimate. For example, you could file a hundred abuse complaints and see no result, or one and see a clear result. When you'd see no result would roughly be something like what you're reporting is of no liability or violation of our policy. I don't think any of that describes your issue but I just want to be clear as you won't be the only one reading and I frequently find myself called out on the idea that "we take abuse seriously" in cases where I wouldn't agree that what they're reporting is abuse.

  • bsdguy Member
    edited February 2018

    @jarland

    You bloody asshole! I get your message, I do get it. You don't like me. Or why is it that your company never spammed me? Nevar, not a single time! Not even one small tiny spam message to show some courtesy. Nothin.

    Am I not pretty enough for mxroute and DO, huh? Not enough penises? Or what? Or maybe roccoccoccoccoccco sings nicer than me?

    Assholes! I hate y'all!

  • ¯\_(ツ)_/¯

  • Start reporting the IPs to get blacklisted. That will get their attention..
