How seriously does DigitalOcean take abuse reports?

August 15, 2018

I get a ton of SSH attacks, port scans, VoIP attacks, etc., from other DigitalOcean IPs. Some even originate from the same /24s that I am on. Is it worth trying to report them?

3 Answers

Hey friend!

I can answer that question well, and I can also leverage common outside perspective on the issue. We take abuse reports very seriously, and we have humans reviewing every single one of them. We take a heavy hand to intentional abuse, and a firm but forgiving hand to unintentional abuse (compromised servers from legitimate customers performing outbound attacks, for example).

With that said, many people do feel that we do not take abuse reports seriously, and I want to get ahead of that by outlining some of the reasons:

  1. They do not often hear back from us on the action that was taken.
  2. From their perception, the abuse continues without apparent effort to stop it.
  3. We do not take down servers on request, only if we deem it necessary.

The reasons for these are not easily seen from the outside. Customer privacy, for example, would prevent us from sharing our communications with the customer about what they've done to prevent outbound abuse from a server that was not intentionally created to do that (but had been compromised due to vulnerable software). Shutting down abuse can also be a complex task, often involving more than one account or user, and sometimes we need multiple reports to identify the common variables of a trend. Finally, we do look out for our customers and try to give them the benefit of the doubt when we are able to do so, which means that we will not let an abuse complaint be used as an avenue for shutting down a customer simply because someone wanted them to be shut down. We review each case and make a decision based on its individual context.

I hope that helps to explain our take on abuse complaints. Please do send them in here:
https://www.digitalocean.com/company/contact/#abuse

Kind Regards,
Jarland

It happens and it will keep happening because DO is used by a lot of people, and a big part of them use the VMs for tests and as such don't care all that much about security (more about convenience, i.e. they are using password authentication, SSH on port 22 and simple passwords like, let's say, the IP's hostname + the year the VM was created), or they simply aren't aware (yet) of the steps they need to take to secure a VM. An attacker will then scan for these well-known vulnerabilities and, ofc, because DO has so many customers and thousands of VMs are created and recreated daily, the attacker will get access to multiple VMs on a daily basis. Even if you record the same or a different attack from the IP you already reported, all it means is that the IP now belongs to another customer that failed to properly secure the VM.

I have sent you dozens of reports from you and it has been 100% useless.
I receive several spam messages daily from DigitalOcean IPs.

Their spam contains the link UNSUBSCRIBED but clicking it causes more spam mail.
Filtering is almost impossible due to several IP addresses.

Also, today I received three spam messages in Norwegian, which is a language that I don't understand.
In addition, two spam in Finnish.

It also amazes you that you are a sponsor of abuseipdb.com
I have reported hundreds of spam emails there.

I have service through mxguarddog.com, but their trap does not filter all of them.

I can't send them a header of spam because my server prevents spamming.

Should I have an email account on your server so I can send a spam email header to mxguarddog.com? Because you allow sending of spam...

The thing is that DigitalOcean doesn't care at all about spam etc.
I'm really annoyed.

Edit:
Now I have sent 6 spam headers through the following link: https://www.digitalocean.com/company/contact/#abuse

-Pete
