When will Digital Ocean actually prevent abuse via spam email?

October 15, 2018 2.4k views
Email

I have been inundated with spam emails coming from Digital Ocean owned IPs over the last few months. At first, it was very minimal, so I never bothered reporting it, but I am now receiving 15+ spam emails per day just from DO alone, not to mention other servers.

First and foremost, DO is in violation of the CAN-SPAM Act, as they are allowing the sending of unsolicited emails to addresses without consent. In Canada, it’s a federal law to REQUIRE proof of consent for ANY electronic email to a Canadian citizen that isn’t a direct reply to an inquiry made by the resident of Canada.

I have been forwarding emails to abuse@digitalocean.com for the last week or so, but so far haven’t stopped receiving emails from DO’s servers. I understand the premise of renting a cloud server, as well as the difficulty of balancing fraud & abuse with real users, but the current system is not working. While we’ll never eliminate ALL spam advertising or phishing, DO needs to explain what is being done now to combat this so users have full transparency.

Digital Ocean has until the end of 2018 to publish a fully written report or whitepaper on the spam their servers have been sending over the last few years, stating what they intend to do differently to combat this growing problem. If a report is not published by then, a spreadsheet containing all IPs, domains pointing to those IPs, email headers, and the content of those emails will be sent to the Canadian Government for investigation.

🌟🌟
Home Warranty | The Perfect Family Holiday Gift
✅ 100% FREE price quotes on home warranty - Respond!

🌸🌸
Search home warranty in your area, say bye to unplanned home expenses.
✅ Say bye to unplanned home expenses with all the available plans on home warranty

Special Risk Free Discount Promotion!
✅ YOUR Special weight loss offer today only!

🌟🌟
Special Risk Free Discount Promotion!
✅ YOUR Special weight loss offer today only!

💪💪
100% FREE price quotes on home warranty - Respond!
✅ Home Warranty | The Perfect Family Holiday Gift

Get your MIRACLE DROP PURE CBD E-LIQUID TODAY
✅ Miracle Drop CBD- Relieve Anxiety, Reduce Blood Sugar Levels

The biggest investors love this company which helps you sell your home
✅ Selling your home? This Silicon Valley company helps you do it

3 Answers

Heya,

I am sorry to hear about your bad experience, but you have to understand that DigitalOcean serves countless clients and some of those clients don’t really know how to properly secure a VM. Because of this the VMs are easily hacked and either sold or used for spam/DDoS/bruteforce etc. All you can do is report these incidents and I am 100% confident that the abuse team will review each and every report they receive and take necessary action. These things take time of course because the abuse team is comprised of merely humans that are working as fast as humanly possible.

One way to deal with this would be to block the SMTP port by default with an option to enable it from the control panel, but it might confuse the customers and the customer service will probably have to deal with thousands of tickets asking why the email isn’t getting through and such.

Another way is for you and others like you to use a spam filtering application or an email hosting service that has better spam filters.

Regards,
Alex

Hey friend,

I work hard on this every single day. The reality is that spammers are not unintelligent people who can be easily stopped before they accomplish their mission, at least not without reducing service functionality for all of our customers. We take your reports very seriously, and I understand that it can seem like we do not, but that is because the matter is simply more complex than it appears from the outside.

Your reports are very important. Today alone I shut down more than 25 accounts that could only have been identified by reports like yours. That was just before breakfast. If you would ever like to talk about it, feel free to reach out to me at jdonnell @ digitalocean .com.

Jarland

  • Hey Jarland,

    Thanks for replying, and for your hard efforts sifting through what I can only imagine may be thousands of reports per week. As someone who manages shared webhosting space, I can fully appreciate the complexity of identifying and suspending accounts or servers that have been hacked or otherwise are being utilized to send spam.

    Unfortunately, this doesn’t change the fact that Canadian Citizens are protected by strict anti-spam laws. The only solution to avoid violating such laws is to not allow spam to be sent out in the first place. I guess DO just has to decide what’s a more valuable business decision: dealing with an anti-spam investigation or potentially impacting customers.

    On a more positive note, is there a better way I can help report emails sent by DO IP addresses? I started by forwarding each individual email to abuse@digitalocean.com but that quickly became tedious as I receive 15 or more per day. Most recently I’ve begun forwarding them as attachments from Outlook 2016, but if there’s a more efficient method you guys would prefer, please let me know.

    Sincerely, Erik Wright
    A concerned Canadian IT Consultant

    • Hey friend!

      Thanks very much for your reports. You can forward them to abuse@digitalocean.com. If you don’t overwhelm my inbox you can send some to jdonnell@digitalocean.com. I have two others doing that right now. Mostly what happens right now is this:

      1. Get the forwarded email
      2. Identify new pattern
      3. Kill new accounts (zero false positives, no legitimate users caught in this)
      4. Repeat step 3 until sleep
      5. Sleep (likely when you’re getting spam)
      6. Repeat step 3 until pattern changes, then back to step 1

      The patterns are impressive, we’re talking about one spammer here. One spammer with very convincing identities that change every few minutes, all day every day. I can track it with a perfect record, but I can’t train a system to do it without false positives (yet).

      The reason I bring this up is that a good portion of your forwarded emails may have no impact on what I’m doing, but there may be one out of the bunch that helps me identify a new pattern. For the most part I’m already on top of it, you’re just seeing what happens when I’m sleeping, taking a flight, etc.

      If you’re thinking this is quite unsustainable you’re right, and we’re working on something better. The key is not to suddenly break the platform for legitimate users, causing equally unsustainable results on the other side of a change. You know how they say for every action there is an equal and opposite reaction, such is my life :)

      Jarland
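
An added example, not part of the thread and not DigitalOcean's tooling: one way to turn a folder of saved spam messages into the kind of per-IP report discussed above instead of forwarding each email by hand. `PROVIDER_NETS`, `TRUSTED_RELAYS` and the sample messages are hypothetical, constructed values using documentation address ranges.

```python
import csv, io, ipaddress, re
from email import message_from_string

# Hypothetical values (documentation ranges), not taken from the thread:
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # provider being reported
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]    # recipient's own relays
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """Return the first non-trusted IP, reading Received headers top-down."""
    # Each hop prepends its header, so anything below the hop that handed the
    # message to our own relays was supplied by the sender and may be forged.
    for header in msg.get_all("Received", []):
        m = IP_RE.search(header)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is not None and not any(ip in net for net in TRUSTED_RELAYS):
            return ip
    return None

def safe(cell):
    # Spam subjects are sender-controlled; stop spreadsheets reading them as formulas.
    return "'" + cell if cell.startswith(("=", "+", "-", "@")) else cell

def build_report(raw_messages):
    """Return CSV text with one row per source IP inside PROVIDER_NETS."""
    seen = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        ip = handoff_ip(msg)
        if ip is not None and any(ip in net for net in PROVIDER_NETS):
            seen.setdefault(str(ip), []).append((msg.get("Date", ""), msg.get("Subject", "")))
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["source_ip", "count", "first_seen", "subjects"])
    for ip, items in sorted(seen.items()):
        w.writerow([ip, len(items), items[0][0], safe(" | ".join(s for _, s in items))])
    return out.getvalue()

def _mail(hops, subject):  # builds a constructed sample message
    received = "".join(f"Received: from h ([{ip}]) by mx; Mon, 15 Oct 2018 09:00:00 -0400\n" for ip in hops)
    return received + f"Date: Mon, 15 Oct 2018 09:00:00 -0400\nSubject: {subject}\n\nbody\n"

SAMPLES = [  # constructed; hops are listed newest first, as they appear in a message
    _mail(["192.0.2.10", "203.0.113.7", "198.51.100.9"], "=sample A"),
    _mail(["203.0.113.7"], "sample B"),
    _mail(["198.51.100.20", "203.0.113.99"], "sample C"),
]
```

The third sample is left out of the report: its lower `Received` line names a provider address, but that line sits below the real handoff and cannot be trusted.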

Affirming what @jarland said, we’re doing a ton of work on this right now. It really pains us when we see this type of behavior coming from our platform and we’ve been staffing up to aggressively tackle it. Admittedly, it does take some time for new resources to come up to speed on the problem set and figure out how to solve for it at scale.

We’re trying to find a way to do it without outright blocking outbound SMTP (which many IaaS providers have had to resort to). If we don’t get the balance right, you start seeing this: https://twitter.com/tjosm/status/1060881346002862081?s=21.

We are getting close on a bunch of different initiatives on top of the ones we’ve deployed over the past several months. Hopefully it’ll get better.

-Josh
