Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
Sorry, should have clarified; a mixture of spam and SSH bruteforcing attempts.

On Fri, 10 May 2019, 21:43 Luis E. Muñoz via mailop, wrote:

> On 10 May 2019, at 11:49, James Cloos via mailop wrote:
>
>>> "CW" == Chris Woods via mailop writes:
>>
>> CW> Like others I've reached the end of my tether with DO. In my case, I've
>> CW> seen increasing volumes of malicious / junk traffic via their IPv6
>> CW> prefixes, with reports to abuse doing virtually nothing, so now I just
>> CW> define ip/ip6tables drop rules.
>>
>> That is odd. They have always blocked 25 out on v6.
>>
>> Port 25 outgoing only works from any of theirs on v4.
>
> This is still the case with my DO droplets.
>
> Best regards
>
> -lem

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On 10 May 2019, at 11:49, James Cloos via mailop wrote:

>> "CW" == Chris Woods via mailop writes:
>
> CW> Like others I've reached the end of my tether with DO. In my case, I've
> CW> seen increasing volumes of malicious / junk traffic via their IPv6
> CW> prefixes, with reports to abuse doing virtually nothing, so now I just
> CW> define ip/ip6tables drop rules.
>
> That is odd. They have always blocked 25 out on v6.
>
> Port 25 outgoing only works from any of theirs on v4.

This is still the case with my DO droplets.

Best regards

-lem
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
> "CW" == Chris Woods via mailop writes:

CW> Like others I've reached the end of my tether with DO. In my case, I've
CW> seen increasing volumes of malicious / junk traffic via their IPv6
CW> prefixes, with reports to abuse doing virtually nothing, so now I just
CW> define ip/ip6tables drop rules.

That is odd. They have always blocked 25 out on v6.

Port 25 outgoing only works from any of theirs on v4.

-JimC
--
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
Like others I've reached the end of my tether with DO. In my case, I've seen
increasing volumes of malicious / junk traffic via their IPv6 prefixes, with
reports to abuse doing virtually nothing, so now I just define ip/ip6tables
drop rules.

30 seconds' browsing will return the ranges you need:

https://www.peeringdb.com/net/6494
https://bgp.he.net/AS14061#_prefixes & https://bgp.he.net/AS14061#_prefixes6
https://bgp.he.net/AS46652#_prefixes

I don't miss their traffic...

On Thu, 9 May 2019 at 17:57, John Levine via mailop wrote:

> In article <20190509145346.gd8...@gsp.org> you write:
>> It would be far easier and much more effective if everyone on this
>> mailing list caused every mail server that they run to refuse all
>> mail from all Digital Ocean network space without warning, effective
>> immediately
>
> Don't waste your time, they don't care. I've blocked all of the
> blocks I was aware of for a long time and haven't seen it affect any
> real mail at all.
>
> I would encourage people to block their corporate mail servers except
> that they don't have any. Mail for digitalocean.com is outsourced to
> Google.
>
> They could save themselves a lot of pain by just blocking port 25
> across their entire network, and saying if you want to send mail, send
> it through a submission server somewhere else, and you can get your
> VPS port 25 unblocked after you've been a paying customer for three
> months.
>
> Other cloud providers do roughly that and it works pretty well. Some
> of them even monetize it by referring users to freemium service at
> Sendgrid.
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
In article <20190509145346.gd8...@gsp.org> you write:
> It would be far easier and much more effective if everyone on this
> mailing list caused every mail server that they run to refuse all
> mail from all Digital Ocean network space without warning, effective
> immediately

Don't waste your time, they don't care. I've blocked all of the blocks I was
aware of for a long time and haven't seen it affect any real mail at all.

I would encourage people to block their corporate mail servers except that
they don't have any. Mail for digitalocean.com is outsourced to Google.

They could save themselves a lot of pain by just blocking port 25 across
their entire network, and saying if you want to send mail, send it through a
submission server somewhere else, and you can get your VPS port 25 unblocked
after you've been a paying customer for three months.

Other cloud providers do roughly that and it works pretty well. Some of them
even monetize it by referring users to freemium service at Sendgrid.
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On Mon, Apr 29, 2019 at 03:54:41PM +0200, Benoit Panizzon via mailop wrote:
> I wonder if DigitalOcean is running for some social media related
> wake-up call.

It would be far easier and much more effective if everyone on this mailing
list caused every mail server that they run to refuse all mail from all
Digital Ocean network space without warning, effective immediately, remaining
in effect until such time as all open issues have been addressed, apologies
have been made, and a convincing plan for prompt future action put forth.

After all, there seems little reason to continue extending them the privilege
of access to mail (and other) services when they repay that largesse by
abusing it on a mass scale. And my guess is that a concerted move of this
nature would get their attention in a matter of hours and that long-overdue
remediation would quickly follow.

(And if not? I don't see a problem with letting them enjoy their intranet.
That might be the best outcome for all concerned.)

Alternatively, we can continue to note the chronically, systematically,
deliberately abusive conduct of Digital Ocean for another decade or two.

---rsk
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, 2019-04-29 at 16:49 -0700, Michael Peddemors via mailop wrote:
> PPS, You know the IP(s) can change at any time ;)

That is what cron is for. So far, synapp.io has been very good about listing
*only* their own address validators in their spf records. Daily spf
resolution of the known domains, combined with automated greps of the mail
logs for "ehlo mta-wk-[0-9].mk[0-9]" to discover new domains as they are
added, and feed that into firewall scripts.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlzHvJsACgkQL6j7milTFsHrHACfSbSEBY9X6vZxuLQH01/Jq7M5
XRwAnAm6wJmBmXszX7Al0GSZzKA48u9V
=UbUQ
-----END PGP SIGNATURE-----
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
Thanks everyone for suggestions about stopping them, but we already have
that.. but to be clearer, just wanted to see if anyone had any insight into
the "operator" behind them.. Any sense of legitimacy at all? Whose lists are
they washing?

PS, don't block them, just tell them every email exists and is valid ;)
Just kidding, why let them use valuable resources..

PPS, You know the IP(s) can change at any time ;)

On 2019-04-29 3:40 p.m., Carl Byington via mailop wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Mon, 2019-04-29 at 09:12 -0700, Michael Peddemors via mailop wrote:
>> Speaking of.. anyone have any insight into these guys?
>> They keep popping up on various CDN's eg, DO, AZURE, etc..
>> 45.32.138.192 (M) 1 mta-wk-3.mk3.ipruz.com
>> 45.76.246.69 (M) 2 mta-wk-3.mk1.uulio.com
>> 45.76.246.127 (M) 1 mta-wk-5.mk3.uulio.com
>> 45.77.5.86 1 mta-wk-0.mk1.ipruz.com
>
> http://www.synapp.io
>
> resolve spf records for all those domain names and merge the results,
> followed by firewall rules of your choice.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEAREKAAYFAlzHfUAACgkQL6j7milTFsEA1ACeM1yJR7LuGqPGeKVHjwxZLDkg
> AaYAoIODCVKxr2k3hILMp8yTURAgdYlC
> =5vqk
> -----END PGP SIGNATURE-----

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On 4/29/2019 12:12 PM, Michael Peddemors via mailop wrote:
> On 2019-04-29 8:37 a.m., Michael Peddemors via mailop wrote:
>
> Speaking of.. anyone have any insight into these guys?
> They keep popping up on various CDN's eg, DO, AZURE, etc..

Most, possibly all of these networks are blocked here. It's a limited view
because of that but their connections here seem to be only for the purpose
of address validation, list washing. Before blocking them they were seen
going up to the DATA phase but never proceeding through to actually sending
a message. From what I've seen here these addresses have only been showing
up on port 25, not IMAP or POP3.

Their reputation is usually green at talosintelligence. Which is really
remarkable since from my perspective here, if they never deliver any mail,
how do they get a green reputation? The answer seems to be that they must be
emitting some type of valid mail stream in order to earn a good reputation
but it is done with the validation attempts mixed in at a low enough rate to
avoid detection.

These particular ones with Digital Ocean seem to be done by a single
operator. The reverse DNS pattern is consistent even with most on Digital
Ocean but some others with Choopa / Vultr. Domains are registered at
namecheap. DNS is provided by googledomains.

The fact that they have been doing it for such a long time is amazing. It
would be more understandable if it was being carried out through a botnet
where tracing it would be much more difficult. Obviously the ISPs,
registrars, and name service providers have no problems with providing them
services for it. Perhaps they just have bigger problems to deal with.
Perhaps list washing has gained such respectability today that few think
there is anything wrong with it. Although "namespace mining" is listed by
Microsoft as a reason for blocking.

Address validation must be quite lucrative today given the volume of it
that's taking place. Digital Ocean and the botnet of Amazon are packed with
them.

- John J.
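One way to pick the pattern John describes out of your own logs (clients that run through RCPT TO and even open DATA but never get a message accepted, or deliver a little real mail with a high rate of unknown-user probes mixed in). This is an added example for this thread, not John's or anyone else's tooling; the `smtpd[<session>]: <ip> <VERB> <rest>` log format, the three sample sessions, the `ACCEPTED` marker and the thresholds are all constructed for the example, so map your MTA's lines onto the same fields before using it.

```python
"""Flag SMTP clients that probe recipients but never deliver a message.

Added example for the mailop thread; not John J.'s or anyone else's tooling.
The log format, the sessions and the thresholds are constructed for the
example; map your own MTA's log lines onto the same fields (ip, verb, code).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed format: "smtpd[<session>]: <ip> <VERB> <rest>"
LINE_RE = re.compile(r"^smtpd\[(?P<sid>\d+)\]: (?P<ip>\S+) (?P<verb>[A-Z]+)(?: (?P<rest>.*))?$")
RCPT_RE = re.compile(r"TO:<([^>]+)>\s+(\d{3})")


@dataclass
class ClientStats:
    sessions: Set[str] = field(default_factory=set)
    rcpt_total: int = 0
    rcpt_rejected: int = 0       # 5xx answers to RCPT TO (unknown users)
    recipients: Set[str] = field(default_factory=set)
    data_started: int = 0        # sessions that reached the DATA phase
    accepted: int = 0            # messages actually queued


def parse(lines: Iterable[str]) -> Dict[str, ClientStats]:
    """Aggregate per-client counters from the constructed log format."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.sessions.add(m["sid"])
        verb, rest = m["verb"], m["rest"] or ""
        if verb == "RCPT":
            r = RCPT_RE.match(rest)
            if r:
                s.rcpt_total += 1
                s.recipients.add(r.group(1).lower())
                if r.group(2).startswith("5"):
                    s.rcpt_rejected += 1
        elif verb == "DATA":
            s.data_started += 1
        elif verb == "ACCEPTED":
            s.accepted += 1
    return dict(stats)


def classify(stats: Dict[str, ClientStats], min_rcpt: int = 5,
             max_reject_ratio: float = 0.5) -> Dict[str, str]:
    """validator: enough RCPT TO (and possibly DATA) but no message ever
    accepted. dictionary-probe: some mail is delivered, but most RCPT TO
    attempts hit unknown users, i.e. validation mixed into a real stream.
    The thresholds are assumptions; tune them to your own traffic."""
    verdicts: Dict[str, str] = {}
    for ip, s in stats.items():
        if s.rcpt_total < min_rcpt:
            verdicts[ip] = "insufficient-data"
        elif s.accepted == 0:
            verdicts[ip] = "validator"
        elif s.rcpt_rejected / max(s.rcpt_total, 1) >= max_reject_ratio:
            verdicts[ip] = "dictionary-probe"
        else:
            verdicts[ip] = "ok"
    return verdicts


def make_session(sid: int, ip: str, ehlo: str, rcpts: List[Tuple[str, int]],
                 accepted: bool) -> List[str]:
    """Constructed log lines for one session (test data, not real traffic)."""
    p = f"smtpd[{sid}]: {ip}"
    lines = [f"{p} EHLO {ehlo}", f"{p} MAIL FROM:<bounce@{ehlo}> 250"]
    lines += [f"{p} RCPT TO:<{addr}> {code}" for addr, code in rcpts]
    lines.append(f"{p} DATA 354")
    lines.append(f"{p} ACCEPTED queued" if accepted else f"{p} RSET 250")
    return lines


SAMPLE_LOG: List[str] = (
    # address validator: walks five recipients, opens DATA, then resets
    make_session(1, "45.32.138.192", "mta-wk-3.mk3.ipruz.com",
                 [("alice@example.org", 250), ("bob@example.org", 250),
                  ("qwz1@example.org", 550), ("qwz2@example.org", 550),
                  ("carol@example.org", 250)], accepted=False)
    # bulk sender delivering one message while probing for unknown users
    + make_session(2, "198.51.100.7", "bulk.example.net",
                   [("alice@example.org", 250), ("xx1@example.org", 550),
                    ("xx2@example.org", 550), ("xx3@example.org", 550),
                    ("bob@example.org", 250), ("xx4@example.org", 550)], accepted=True)
    # ordinary MTA: all recipients known, message delivered
    + make_session(3, "192.0.2.10", "mail.example.com",
                   [(f"user{i}@example.org", 250) for i in range(5)], accepted=True)
)

if __name__ == "__main__":
    for ip, verdict in classify(parse(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Run over a day of logs, the `validator` verdict is the one worth feeding into a block list; `dictionary-probe` is the case John raises where a real mail stream buys the sender a green reputation, so it deserves a look before blocking outright.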
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, 2019-04-29 at 09:12 -0700, Michael Peddemors via mailop wrote:
> Speaking of.. anyone have any insight into these guys?
> They keep popping up on various CDN's eg, DO, AZURE, etc..
> 45.32.138.192 (M) 1 mta-wk-3.mk3.ipruz.com
> 45.76.246.69 (M) 2 mta-wk-3.mk1.uulio.com
> 45.76.246.127 (M) 1 mta-wk-5.mk3.uulio.com
> 45.77.5.86 1 mta-wk-0.mk1.ipruz.com

http://www.synapp.io

resolve spf records for all those domain names and merge the results,
followed by firewall rules of your choice.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlzHfUAACgkQL6j7milTFsEA1ACeM1yJR7LuGqPGeKVHjwxZLDkg
AaYAoIODCVKxr2k3hILMp8yTURAgdYlC
=5vqk
-----END PGP SIGNATURE-----
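Carl's recipe (resolve the SPF records of the known domains, merge, feed the result into firewall rules, and in his later reply: grep the mail logs for "ehlo mta-wk-[0-9].mk[0-9]" to pick up new domains as they appear) and Chris Woods's static approach (drop the AS prefixes listed on bgp.he.net) come together in the script below. It is an added example for this thread, not Carl's cron job or anything from the list; the log lines, the SPF records (the domain names are from the thread, the records are invented), the `203.0.113.0/24` stand-in prefix and the nftables table and set names are all constructed or assumed, and the `lookup` callable stands in for a real TXT resolver.

```python
"""Build firewall set elements from SPF records and mail-log EHLO names.

Added example for the mailop thread; not Carl Byington's script. The log
lines, the SPF records and the nft set names below are constructed for the
example. Plug in a real TXT resolver (e.g. dnspython) to use it for real.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
TxtLookup = Callable[[str], List[str]]  # name -> TXT strings (assumed interface)

# Constructed log lines, not real mail-log data.
SAMPLE_LOG = """\
2019-04-29T08:12:01 smtpd[4711]: client=45.32.138.192 ehlo=mta-wk-3.mk3.ipruz.com
2019-04-29T08:15:40 smtpd[4712]: client=67.205.139.149 ehlo=mta-wk-0.mk1.oekla.com
2019-04-29T08:15:41 smtpd[4712]: client=67.205.139.149 ehlo=mta-wk-0.mk1.oekla.com
2019-04-29T08:16:10 smtpd[4713]: client=192.0.2.10 ehlo=mail.example.org
"""

# The worker-host naming pattern from the thread: mta-wk-N.mkN.<domain>
EHLO_RE = re.compile(r"ehlo=mta-wk-[0-9]+\.mk[0-9]+\.([a-z0-9.-]+)", re.I)

# Constructed SPF data: the domain names appear in the thread, but these
# records are invented for the example and say nothing about the real zones.
FAKE_TXT: Dict[str, List[str]] = {
    "ipruz.com": ["v=spf1 include:_spf.validators.example ip4:45.32.138.192 -all"],
    "oekla.com": ["v=spf1 redirect=_spf.validators.example"],
    "_spf.validators.example": ["v=spf1 ip4:198.51.100.0/29 ip6:2001:db8:f00d::/64 ~all"],
}


def fake_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return FAKE_TXT.get(name.lower().rstrip("."), [])


def domains_from_log(text: str) -> Set[str]:
    """Domains seen behind the mta-wk-N.mkN. EHLO prefix (Carl's grep)."""
    return {m.group(1).lower().rstrip(".") for m in EHLO_RE.finditer(text)}


def expand_spf(domain: str, lookup: TxtLookup, max_lookups: int = 10) -> Set[Network]:
    """Collect ip4:/ip6: networks from an SPF record, following include: and
    redirect=. A visited set plus the RFC 7208 10-lookup budget stops loops
    and runaway records. a/mx/ptr terms need more DNS and are skipped here."""
    nets: Set[Network] = set()
    seen: Set[str] = set()
    budget = [max_lookups]

    def walk(name: str) -> None:
        name = name.lower().rstrip(".")
        if name in seen or budget[0] <= 0:
            return
        seen.add(name)
        budget[0] -= 1
        for rec in lookup(name):
            if not rec.lower().startswith("v=spf1"):
                continue
            for term in rec.split()[1:]:
                t = term.lstrip("+-~?").lower()
                if t.startswith(("ip4:", "ip6:")):
                    try:
                        nets.add(ipaddress.ip_network(t[4:], strict=False))
                    except ValueError:
                        pass  # malformed term: skip it rather than block garbage
                elif t.startswith("include:"):
                    walk(t[len("include:"):])
                elif t.startswith("redirect="):
                    walk(t[len("redirect="):])

    walk(domain)
    return nets


def build_blocklist(domains: Iterable[str], lookup: TxtLookup,
                    static: Iterable[str] = ()) -> List[Network]:
    """Merge SPF-derived networks with static prefixes (e.g. an AS's announced
    ranges copied from bgp.he.net) and collapse overlaps per address family."""
    nets: Set[Network] = {ipaddress.ip_network(p, strict=False) for p in static}
    for d in domains:
        nets |= expand_spf(d, lookup)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def nft_commands(nets: Iterable[Network], table: str = "inet filter",
                 v4set: str = "listwash4", v6set: str = "listwash6") -> List[str]:
    """One 'nft add element' per prefix. Table and set names are assumptions;
    the sets must already exist with 'flags interval' to accept prefixes."""
    return [f"nft add element {table} {v4set if n.version == 4 else v6set} {{ {n} }}"
            for n in nets]


if __name__ == "__main__":
    found = domains_from_log(SAMPLE_LOG)
    # 203.0.113.0/24 stands in for a prefix copied from a bgp.he.net listing.
    for cmd in nft_commands(build_blocklist(found, fake_lookup, static=["203.0.113.0/24"])):
        print(cmd)
```

Two points a daily cron run should keep: the lookup budget and visited set, so a looping or deliberately huge SPF tree cannot stall the job, and the per-family collapse, so the set you load stays small even when the same range turns up under several domains. Replacing the set contents wholesale each run (flush, then re-add) is what makes Carl's "the IPs can change" remark a non-issue.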
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On 2019-04-29 8:37 a.m., Michael Peddemors via mailop wrote:
> On 2019-04-29 8:18 a.m., Anne P. Mitchell, Esq. via mailop wrote:
>> I wonder if we should *all* tweet to them, including the hashtag
>> #DigitalOceanHostsBadGuys ? ;-)
>
> When Anne suggests something like this.. ;)
>
> Done!

Speaking of.. anyone have any insight into these guys?
They keep popping up on various CDN's eg, DO, AZURE, etc..

45.32.138.192 (M) 1 mta-wk-3.mk3.ipruz.com
45.76.246.69 (M) 2 mta-wk-3.mk1.uulio.com
45.76.246.127 (M) 1 mta-wk-5.mk3.uulio.com
45.77.5.86 1 mta-wk-0.mk1.ipruz.com
45.77.6.144 1 mta-wk-5.mk2.ipruz.com
66.42.64.206 (M) 1 mta-wk-4.mk3.uulio.com
67.205.139.149 (M) 1 mta-wk-0.mk1.oekla.com
67.205.150.104 (M) 1 mta-wk-0.mk2.ibloi.com
67.205.163.34 (M) 1 mta-wk-4.mk0.ibloi.com
67.205.163.49 (M) 2 mta-wk-5.mk0.ibloi.com
67.205.163.99 (M) 1 mta-wk-4.mk1.oekla.com
144.202.72.192 (M) 1 mta-wk-6.mk2.xzare.com
144.202.97.97 (M) 1 mta-wk-4.mk0.ipruz.com
144.202.101.249 (M) 1 mta-wk-4.mk1.livqa.com
144.202.102.35 (M) 1 mta-wk-5.mk3.livqa.com
144.202.110.168 (M) 1 mta-wk-6.mk2.livqa.com
149.28.195.245 (M) 2 mta-wk-2.mk1.livqa.com
149.28.203.254 (M) 1 mta-wk-1.mk2.ipruz.com
155.138.131.133 (M) 1 mta-wk-3.mk0.fouqz.com
155.138.131.226 (M) 1 mta-wk-1.mk3.fouqz.com
155.138.132.26 (M) 1 mta-wk-3.mk1.fouqz.com
155.138.132.111 (M) 1 mta-wk-3.mk2.fouqz.com
155.138.132.127 (M) 1 mta-wk-2.mk3.fouqz.com
159.203.182.109 (M) 1 mta-wk-2.mk0.oekla.com
159.203.191.114 (M) 1 mta-wk-1.mk0.oekla.com
162.243.3.171 (M) 2 mta-wk-3.mk2.shockitect.com
162.243.4.16 (M) 1 mta-wk-2.mk2.buzzinator.com
162.243.4.222 (M) 2 mta-wk-7.mk0.buzzinator.com
162.243.5.9 (M) 1 mta-wk-1.mk2.buzzinator.com
162.243.12.199 (M) 1 mta-wk-0.mk2.digimiller.com
162.243.13.48 (M) 1 mta-wk-0.mk0.digimiller.com
162.243.14.195 (M) 1 mta-wk-2.mk3.digimiller.com
162.243.17.82 (M) 1 mta-wk-6.mk0.digimiller.com
162.243.23.190 (M) 1 mta-wk-5.mk3.buzzinator.com
162.243.29.61 (M) 1 mta-wk-4.mk2.buzzinator.com
162.243.29.135 (M) 1 mta-wk-6.mk3.digimiller.com
162.243.33.97 (M) 1 mta-wk-7.mk1.digimiller.com
162.243.39.107 (M) 1 mta-wk-5.mk0.digimiller.com
162.243.44.85 (M) 2 mta-wk-5.mk0.shockitect.com
162.243.53.146 (M) 1 mta-wk-4.mk3.shockitect.com
162.243.65.109 (M) 1 mta-wk-1.mk1.shockitect.com
162.243.67.85 (M) 1 mta-wk-0.mk1.shockitect.com
162.243.67.128 (M) 1 mta-wk-0.mk0.shockitect.com
162.243.79.220 (M) 1 mta-wk-5.mk0.buzzinator.com
162.243.80.178 (M) 1 mta-wk-1.mk3.shockitect.com
162.243.82.92 (M) 1 mta-wk-3.mk0.digimiller.com
162.243.83.53 (M) 2 mta-wk-5.mk2.buzzinator.com
162.243.85.95 (M) 1 mta-wk-6.mk2.buzzinator.com
162.243.94.31 (M) 1 mta-wk-1.mk0.buzzinator.com
162.243.100.108 (M) 1 mta-wk-4.mk1.digimiller.com
162.243.102.242 (M) 1 mta-wk-3.mk2.digimiller.com
162.243.105.32 (M) 1 mta-wk-6.mk2.digimiller.com
192.34.57.57 (M) 1 mta-wk-6.mk2.ibloi.com
192.34.57.187 (M) 1 mta-wk-7.mk1.oekla.com
192.241.145.118 (M) 1 mta-wk-4.mk1.ibloi.com
192.241.148.136 (M) 1 mta-wk-5.mk2.ibloi.com
192.241.159.37 (M) 1 mta-wk-5.mk2.oekla.com
192.241.191.29 (M) 1 mta-wk-0.mk3.digimiller.com
198.199.67.220 (M) 1 mta-wk-5.mk3.ibloi.com
198.199.91.16 (M) 2 mta-wk-2.mk0.ibloi.com
198.211.103.36 (M) 3 mta-wk-2.mk3.ibloi.com
207.148.3.179 (M) 1 mta-wk-4.mk1.xzare.com
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On 2019-04-29 8:18 a.m., Anne P. Mitchell, Esq. via mailop wrote:
> I wonder if we should *all* tweet to them, including the hashtag
> #DigitalOceanHostsBadGuys ? ;-)

When Anne suggests something like this.. ;)

Done!
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On 2019-04-29 7:58 a.m., Michael Rathbun via mailop wrote:
> On Mon, 29 Apr 2019 07:26:23 -0700, Michael Peddemors via mailop wrote:
>> PS, pgHammer went quiet yesterday.. either someone caught/killed his C&C
>> server, or the actor realized that there was too much attention on the
>> activity. That doesn't mean those servers listed should not still be
>> taken down, as they are still compromised.. Seems he has one server that
>> is still running, he might have lost control of that one.. or just
>> testing ..
>
> My provider had me offline for 34 hours starting Friday morning. When
> things came back up on Saturday evening, the nine-second "EHLO
> server{dot}com" onslaught had abated. Now there is a lower-volume "EHLO
> ADMIN" effort that seems to have ramped up significantly in that interval.
> Yesterday saw 517 connection attempts for ADMIN, which is about 10% of the
> volume for the other in its waning days. There have been only 9 IPs
> involved, the vast majority of the attempts coming from 78.142.19.95.
>
> mdr

Yes, we know that actor.. Compromised windows machines, looks like a remote
desktop exploit..

But currently the Ubiquiti Router compromises, and the MikroTik, and the
other routers, probably part of that Hajime botnet compromise from March,
that is leading the pack.. Ubiquiti Routers engaged in Brute Force attacks..
about 14,000 IP(s) reported over night.. Not sure how to ever take down
those botnets, when we have so much trouble with just a few static servers..

Still about 750 old CutWail compromises, and 94 IP(s) in the new CutWail
variant..

But yes, that ADMIN one is a little more aggressive per IP in volume, but
our Dynamic Rule Engine catches those and dumps them into the penaltybox
pretty quick.

But if anyone knows the magic bullet to stop all the compromised IoT devices
(and there will be millions more soon, now that the P2P compromise is
public) by all means, let us know..

Which is why we are simply enhancing all legacy email authentication, it
helps stop all the brute force attacks, and makes them easier to see.. But
still, the sheer volume of those attacks can only be stopped at the source..
it isn't like we can stop accepting legitimate connections from the world at
large...
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
> I Twittered to @digitalocean about the lack of responsiveness from their
> abuse desk.
>
> They promptly replied via Twitter:
>
> "We apologise for the trouble. Our security & operation team is already
> looking into it."
>
> As I still had a case open with them, I appended your nice list of
> pgHammer IP Addresses.
>
> This time, they replied promptly:
>
> "As we are an unmanaged cloud hosting provider, we do not create,
> administer, or have direct access to our customers' Droplets. This
> means that we cannot make direct changes to any programs or websites
> hosted there."

Sigh, well then I guess there is little hope for the DMCA takedown that I
just Saturday sent to them for privacy-formula.com, which is wholesale
ripping off all sorts of content sites (including ours). That said, a few of
the others include Sophos, Bloomberg, and Politico, and I've clued all of
their legal departments into the situation, so...maybe...

I wonder if we should *all* tweet to them, including the hashtag
#DigitalOceanHostsBadGuys ? ;-)

Anne

Attorney at Law
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
California Bar Association
Cal. Bar Cyberspace Law Committee
Colorado Cyber Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
On Mon, 29 Apr 2019 07:26:23 -0700, Michael Peddemors via mailop wrote:

> PS, pgHammer went quiet yesterday.. either someone caught/killed his C&C
> server, or the actor realized that there was too much attention on the
> activity. That doesn't mean those servers listed should not still be
> taken down, as they are still compromised.. Seems he has one server that
> is still running, he might have lost control of that one.. or just
> testing ..

My provider had me offline for 34 hours starting Friday morning. When things
came back up on Saturday evening, the nine-second "EHLO server{dot}com"
onslaught had abated. Now there is a lower-volume "EHLO ADMIN" effort that
seems to have ramped up significantly in that interval. Yesterday saw 517
connection attempts for ADMIN, which is about 10% of the volume for the
other in its waning days. There have been only 9 IPs involved, the vast
majority of the attempts coming from 78.142.19.95.

mdr
--
"There will be more spam." -- Paul Vixie
Re: [mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
If you follow any of the white hat groups, or security researchers, you will
see a lot of them already doing it with little or no effect.. (Which means of
course people stop bothering to report it)

However, a little birdie told me that certain government agencies are finally
waking up and gathering evidence on lack of abuse resolution response times
at ISP's and Hosting Providers on North American soil.. If anything, the time
is better spent supporting those.

Send complaints to your local CERT's, Anti-Spam groups, and internet
governing bodies.. And/or include them in your social media posts on the
topic..

Since you suggested that financial motives are at play (and that suggestion
goes all the way to the 2000's and cable operators were at that time the
ones not responding) a few fines pointed their way might make it a financial
motive to be responsible for what comes out of their networks.

Happy Monday Everyone!

-- Michael --

PS, pgHammer went quiet yesterday.. either someone caught/killed his C&C
server, or the actor realized that there was too much attention on the
activity. That doesn't mean those servers listed should not still be taken
down, as they are still compromised.. Seems he has one server that is still
running, he might have lost control of that one.. or just testing ..

81.169.142.116 x88 h2530146.stratoserver.net

On 2019-04-29 6:54 a.m., Benoit Panizzon via mailop wrote:
> Hi List
>
> I wonder if DigitalOcean is running for some social media related
> wake-up call.
>
> I Twittered to @digitalocean about the lack of responsiveness from their
> abuse desk.
>
> They promptly replied via Twitter:
>
> "We apologise for the trouble. Our security & operation team is already
> looking into it."
>
> As I still had a case open with them, I appended your nice list of
> pgHammer IP Addresses.
>
> This time, they replied promptly:
>
> "As we are an unmanaged cloud hosting provider, we do not create,
> administer, or have direct access to our customers' Droplets. This
> means that we cannot make direct changes to any programs or websites
> hosted there."
>
> Well I once more pointed out, all they need to do is pull the 'virtual'
> plug to those servers which are the origin of abusive behavior. But I
> fear they do not understand or do not want to understand as long as the
> customer is paying the bill.
>
> McColo/2 ?
>
> So anyone else wanting to moan via their social media channels? I think
> their quick reaction shows, this bothers them.
>
> Kind regards
>
> -Benoît Panizzon-
[mailop] DigitalOcean calling for social media s* storm? (Re: Why is it so hard to have takedown's performed..)
Hi List

I wonder if DigitalOcean is running for some social media related wake-up
call.

I Twittered to @digitalocean about the lack of responsiveness from their
abuse desk.

They promptly replied via Twitter:

"We apologise for the trouble. Our security & operation team is already
looking into it."

As I still had a case open with them, I appended your nice list of pgHammer
IP Addresses.

This time, they replied promptly:

"As we are an unmanaged cloud hosting provider, we do not create, administer,
or have direct access to our customers' Droplets. This means that we cannot
make direct changes to any programs or websites hosted there."

Well I once more pointed out, all they need to do is pull the 'virtual' plug
to those servers which are the origin of abusive behavior. But I fear they do
not understand or do not want to understand as long as the customer is paying
the bill.

McColo/2 ?

So anyone else wanting to moan via their social media channels? I think their
quick reaction shows, this bothers them.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________