HACKER Q&A
📣 skilled

Is it pointless to report hosting Abuse?


Hey everyone,

I was recently targeted by a spam campaign for one of my projects, and all of the IP addresses were pointing back to being hosted by OVH.

After parsing my logs, I put together all the information and sent it through OVH's Abuse form.

To my surprise, I received the following email back:

---

"It's important to note that most of our services are rented "unmanaged" to our customers. This means that we only have physical access to the server and cannot access its content (no root, administrator, or user access). We are technically unable to modify or delete content, or making an abusive behavior stop by intervening directly on the server, as it is not managed by us.

We will however transmit the technical information of your report to the customer managing the infrastructure concerned, and we will follow this ticket to its resolution."

---

So the reason this is surprising is that, first, they can't actually "check" the server because it is "unmanaged". And second, they will pass the information I sent them on to the owner of the machines that have been spamming me.

Uhm.... what? That is quite literally like shooting myself in the foot. In other words, OVH is passing on the information that I am being targeted by this person's machine. If I am the direct target, this is like poking a bear and asking it not to harm you.

Sadly, I never got any follow-up emails from OVH about this even though they state that they will "follow to its resolution".

But, at the same time, if I parse my logs for things like bots scanning for .env files - there are thousands of machines that actively do this, and 99% of them have been reported by hundreds of others on sites like AbuseIPDB, etc.

And yet none of these hosting companies do anything?

So, my question is, unless you have the means to hire a lawyer or have a registered business entity - is it pretty much pointless to report spammers unless you want to anger them some more and get caught up in an even bigger mess?

Any thoughts on this? Any articles you recommend or maybe you have experiences to share?


  👤 asdadsdad Accepted Answer ✓
I call B.S. VPS providers are supposed to have root access to everything, if only to respond to abuse and law enforcement. It's tightly controlled, but it's possible.

👤 LinuxBender
In my experience, reporting this is a waste of time. The nodes doing the actual spamming and crawling sites for exploits are far removed from the IP addresses you see in your access logs and in your email headers. The actual abusive nodes are talking to multiple rings of compromised command-and-control hosts, a.k.a. C&C hosts. Those hidden command-and-control hosts then control the compromised hosts that you are seeing in email headers and access logs. For every one node taken offline there will be a myriad of compromised nodes in their available pool to take over. Blocking nodes is an endless game of whack-a-mole. The people your VPS provider gave your contact info to are likely also victims of bots and would have no idea how to fix the problem. VPS providers are also not going to disable all the compromised VMs, as many of those people will not take responsibility and will instead get upset with the VPS provider and move to a different provider, and this has financial ramifications.

Most VPS providers don't have the technical resources to track down the command-and-control nodes. This requires a higher level of visibility they do not have. The folks that have this level of visibility will not likely assist with bot noise unless the bots are also being used to steal government secrets or embarrass government officials or attack public infrastructure. There are ways to trick some of the bots into attacking public infrastructure but I would not want to be caught up in that legal quagmire as I am easy to find and bot owners are not.

In summary, the best one can do is either configure systems to discard the noise in web logs and block low reputation IP addresses in their mail servers or if one feels the desire to do something, create tarpits/honeypots for the bots to get stuck in. Tarpits have very little impact on bots but if one wanted to feel like they were doing something it's a start. For example, I have numerous nodes that accept email for all the popular domains. Spam bots think they are relaying thousands of emails through my nodes per day but that is a tiny fraction of a tiny fraction of the spam that people will receive. I am not even making a tiny dent in the problem.

As a side note, there are ways to block some of these bots if you control your web and email servers, but that is another topic altogether, and if too many people implemented such techniques then the bot developers would evolve around it. Apologies if this sounds defeatist. Some use blocklists [1][2] to reduce the noise on their web servers and RBL/RSL [3][4][5] servers to reduce the noise on their mail servers, but this has limited efficacy and I think it just takes up memory by increasing the routing table or takes up CPU by making large ipset lists for iptables.

[1] - https://github.com/firehol/blocklist-ipsets

[2] - https://github.com/StevenBlack/hosts

[3] - https://www.uceprotect.net/en/index.php?m=6&s=0

[4] - https://www.spamcop.net/fom-serve/cache/291.html

[5] - https://www.spamhaus.org/zen/
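The OP mentions parsing logs for bots scanning for `.env` files, and LinuxBender's advice is to discard that noise before deciding what, if anything, to report. The following is an added example (not code from the thread or any poster) that parses combined-format access logs, aggregates scanner-style probes per source IP with first/last-seen times, and renders one evidence line per IP of the kind an abuse@ ticket needs. The log lines are constructed, and the list of scanner paths is an assumption you would tune to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Nginx combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:08:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:09:15:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.55 - - [10/May/2024:11:30:00 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.55 - - [10/May/2024:11:30:05 +0000] "POST /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Assumed probe paths; extend from what your own logs show being scanned.
SCANNER_PATHS = re.compile(r'^/(\.env|\.git/|wp-login\.php|phpmyadmin)', re.IGNORECASE)

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def scanner_summary(log_text, min_hits=2):
    """Aggregate scanner-style requests per source IP: hit count, first/last seen, distinct probes.
    IPs below min_hits are dropped so a single stray probe does not turn into a report."""
    per_ip = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SCANNER_PATHS.match(rec["path"]):
            continue  # ordinary traffic or a malformed line: not evidence
        e = per_ip[rec["ip"]]
        e["hits"] += 1
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
        e["paths"].add(f'{rec["method"]} {rec["path"]}')
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= min_hits}

def report_lines(summary):
    """One evidence line per IP (busiest first), with timestamps kept in UTC for the ticket."""
    out = []
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        out.append(f"{ip}: {e['hits']} probes {e['first'].isoformat()} .. {e['last'].isoformat()}: "
                   + ", ".join(sorted(e["paths"])))
    return out
```

With the sample above, 198.51.100.7 is dropped at the default threshold because one `/.env` request is not enough to distinguish a scanner from a misconfigured client; lower `min_hits` if you want every probe listed.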


👤 chaosmarmot
> Is it pointless to report hosting Abuse?

I do not believe it to be a waste of time. I regularly make reports for my personal systems for two types of abuse.

1. Email: phishing/spam

2. Text: a) political spam b) banking fraud

Positive instances. Results vary by the abuse@ owner. In cases where there is a successful take-down or escalation, I typically receive a positive response within 24 hours. Gandi.net and AWS are examples of an abuse@ that responds quickly. These types of escalations take ~5 minutes of my time when the data includes a screenshot of the activity/logs + whois details.

Some instances take longer. I have an ongoing escalation with Microsoft that started at abuse@microsoft, was redirected to junk@o365, and has now been redirected to abuse@azure. I assume Microsoft is just a massive org and there are inefficiencies. While somewhat arduous, I have received a response ~24 hours from Microsoft staff, and they have been helpful in forwarding the requests.

Some instances may be successful and have no response. I have never received a response from SendGrid (small number of escalations); however, the group associated with the activity appears to have been kicked off SendGrid or moved to Microsoft services. This is the same group I am escalating to Microsoft.

Some instances are not successful. For text message spam, I have found that bandwidth.com (owner of the source phone number) will only forward the complaint to their downstream customer w/o identifying the customer. Similar to what you have described. My bandwidth.com experience includes cases of what I would consider excessive abuse. Note that the downstream customer for bandwidth.com may not be the consumer of the phone number, but rather a reseller of the phone numbers (if I understand their responses correctly).

I have never received a response from GoDaddy for any type of escalation. I do not recall a single escalation to GoDaddy ever resulting in a takedown.

> reported by hundreds of others on sites like AbuseIPDB, etc.

A report to a blacklist is not equivalent to a report to an abuse@ address. A few of my opinions/experiences working at the ecosystem / platform level:

- IP addresses for abuse may be highly ephemeral. Professionally, I've run into many occurrences of AWS Lambda (and other serverless) IP's being marked as malicious. This is not limited to Lambda, but it provides a good example, as the owner of a serverless function often has no control over their public IP addresses.

- Data quality can be a major problem with crowdsourced abuse lists. Especially when it comes to evidence, last_seen timestamps, and classifications. This can be an impairment to monitoring these lists as a provider.

In summary, I've been able to do take-downs on banking fraud that took me less than five minutes. I have also had some failures and these can be frustrating. I don't mind doing the escalations, and in total I spend less than 20 minutes a week on this. I do hope that you continue to try. Further details to the above anecdotes are linked in my profile.

*edit for formatting.