OVH still a "spam support" provider?


StephenB
2017-01-26, 11:37 AM
Quote Originally Posted by StephenB
So, correct me if I'm wrong here, but this experience gives a strong impression that OVH has no problem hosting a spam support site, just so long as the site is only spamvertised via redirects and not direct links, yes? Or at the very least, the OVH staff responsible for reviewing abuse complaints are not capable of spotting obvious patterns, such as multiple different spam URLs that all ultimately redirect to the same URL.
Should I take the lack of response to mean that you accept my interpretation of the situation as correct?

At this point, it's abundantly clear that OVH lacks either the will, or the wherewithal (or both) to effectively deal with spammers using your network - even to the point of knowingly allowing your customers to continue blatant violations of federal laws in countries where you have a presence. So I'm going to take a different approach from now on: if OVH wants to conduct itself like a fly-by-night "bulletproof" provider out of Russia or Eastern Europe, I'm perfectly happy to treat you like one. From now on, every time I see spam from your network, I'm going to make note of the IP and add the entire class C /24 range to our mail servers' blacklists. Effective immediately, that will apply to the following IP ranges:

193.70.91.0/24
79.137.73.0/24

I've also added the following custom filter to the SpamAssassin config on all of our servers:

# OVH PERSISTENT SPAMMERS
header OVH_SPAM_ALL ALL =~ /ovh\.net/i
score OVH_SPAM_ALL 10
describe OVH_SPAM_ALL From OVH.net servers, persistently spammy ISP


And I'll make sure to forward a copy of each spam EMail from OVH servers as a follow-up to the complaint we sent to the CRTC earlier this week, regarding the Kijiji alert spammers & the fact that OVH has continued to allow them to violate Canada's anti-spam laws. So, don't worry, you'll no longer have to deal with irate forum posts from the admin of a small hosting network: now, your Canadian branch can deal with the federal government here instead. Have fun!

StephenB
2017-01-24, 09:24 AM
Another fake kijiji alert overnight, this one from 193.70.91.175 and advertising the URL www.elpaix.science/kijiji - which of course uses OVH for both its hosting and its domain registration. And like all of the other previous recent examples, it redirects to http://classifieds-news.com/ - which is still live on OVH's servers, and registered through OVH, and using OVH's nameservers:

https://www.easywhois.com/index.php?...fieds-news.com

So, correct me if I'm wrong here, but this experience gives a strong impression that OVH has no problem hosting a spam support site, just so long as the site is only spamvertised via redirects and not direct links, yes? Or at the very least, the OVH staff responsible for reviewing abuse complaints are not capable of spotting obvious patterns, such as multiple different spam URLs that all ultimately redirect to the same URL.

To summarize the situation as I see it: it's been nearly 3 weeks since I reported the issue via multiple channels, yet the problem continues - the only action taken in response to multiple abuse complaints appears to have been shutting down a few redirect URLs, and it appears that no action whatsoever has been taken regarding the actual site being advertised by & benefiting from the spam (despite the fact that OVH hosts that site as well).

That being the case, I think I will be going ahead and filing a complaint with the CRTC for violation of Canada's anti-spam laws today, and include details of OVH's response to the issue (or lack thereof).
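
An added example, not part of any post in this thread: the pattern described above (different spamvertised URLs that all end at one landing site, mailed from one network range) can be surfaced mechanically from report records. The records are constructed from the IPs and URLs quoted in the thread; the record layout, the function names and the landing URL for meetis.loan are assumptions, and the last record is an unrelated constructed control.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed report records (layout is an assumption of this example).
# "link" is the URL in the message body, "landing" the final URL after
# redirects, as the posts describe them. sender=None: not stated in the thread.
REPORTS = [
    {"sender": "193.70.91.175", "link": "http://www.alipat.trade/kijiji",
     "landing": "http://classifieds-news.com/"},
    # Landing assumed from "like all of the other previous recent examples".
    {"sender": None, "link": "www.meetis.loan/kijiji",
     "landing": "http://classifieds-news.com/"},
    {"sender": "193.70.91.175", "link": "www.elpaix.science/kijiji",
     "landing": "http://classifieds-news.com/"},
    # Constructed control: a direct link from a documentation-range address.
    {"sender": "198.51.100.7", "link": "http://example.org/news",
     "landing": "http://example.org/news"},
]


def host(url):
    """Lower-cased hostname without a leading 'www.'; accepts scheme-less URLs."""
    parts = urlsplit(url if "//" in url else "//" + url)
    name = (parts.hostname or "").lower()
    return name[4:] if name.startswith("www.") else name


def shared_landings(reports, min_links=2):
    """Landing hosts reached from at least min_links distinct advertised hosts."""
    clusters = defaultdict(set)
    for r in reports:
        clusters[host(r["landing"])].add(host(r["link"]))
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_links}


def sender_ranges(reports, landing_host):
    """Enclosing /24 of each known sender whose mail led to landing_host."""
    nets = set()
    for r in reports:
        if r["sender"] and host(r["landing"]) == landing_host:
            # strict=False masks the host bits: 193.70.91.175 -> 193.70.91.0/24
            nets.add(ipaddress.ip_network(r["sender"] + "/24", strict=False))
    return sorted(nets)


if __name__ == "__main__":
    for landing, links in shared_landings(REPORTS).items():
        print(landing, "<-", ", ".join(links))
        for net in sender_ranges(REPORTS, landing):
            print("  sender range:", net)
```

Grouping on the landing host rather than the advertised host is what keeps the cluster intact when individual redirect domains are taken down and replaced.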

StephenB
2017-01-22, 12:15 PM
Oh, to provide some contrast: the latest spoofed Kijiji alert contained a link hosted by another French hosting provider. We sent them a complaint via Spamcop at about 9:30PM - and received a response from them within 3 hours, indicating that the offending site had been shut down.

StephenB
2017-01-20, 08:46 PM
Thank you for the update, I see that http://www.alipat.trade/kijiji and http://www.meetis.loan/kijiji are offline... however, the http://classifieds-news.com/ site is still active. And I've just received another spam EMail advertising that site (via a redirect link, though the redirect URL isn't hosted on OVH), from 193.70.91.175.

Phil @ OVH
2017-01-19, 12:10 PM
Hello,

Good news! I spoke with the Abuse team. There was some time that we had to give our customer to take down the offending sites, but the job has now been done and the sites are offline.

Regards,
Phil C.

StephenB
2017-01-19, 09:49 AM
ANOTHER 48 hours later, and ALL three links are still active.

StephenB
2017-01-17, 08:59 AM
Another 24 hours, and all 3 spam links are still active on your servers:

http://www.alipat.trade/kijiji
http://classifieds-news.com/
http://www.meetis.loan/kijiji

At this point, there is no way you can legitimately claim that OVH is unaware of the issue - and yet the issue continues. So if the conclusion that "OVH is knowingly allowing their customers to violate Canada's federal anti-spam laws" is not valid, then what alternative conclusion would you suggest I draw from those facts...?

StephenB
2017-01-16, 01:59 PM
Quote Originally Posted by Phil @ OVH
Hello,

We absolutely aren't. We simply need the issues to be reported to act on them. Our abuse team doesn't frequent the forums, so you need to open an abuse file.
The issue has already been reported to OVH, the first report was sent over 72 hours ago - both via Spamcop and directly to abuse@ovh.net - and there have been 2 spam messages since then, both of which were reported the exact same: totaling 6 abuse complaints sent in the past 3 days (if you don't count the posts on this forum).

So how many times DO we need to report spam to OVH before any action is taken?

StephenB
2017-01-16, 01:26 PM
Quote Originally Posted by Phil @ OVH
Hello,

Have you reported all of this to the Abuse portal?

Regards,
Phil
If by "reported all of this to the Abuse portal," you mean forwarded copies of the full messages, with headers, to abuse@ovh.net? Yes, that has been done with all of the recent Kijiji-spoofing spam I've received.

Phil @ OVH
2017-01-16, 01:24 PM
Hello,

We absolutely aren't. We simply need the issues to be reported to act on them. Our abuse team doesn't frequent the forums, so you need to open an abuse file. All hosting providers work this way.

Regards,
Phil C.

StephenB
2017-01-16, 01:18 PM
Aaaaaand another one - this time spamvertising the URL www.meetis.loan/kijiji - and true to form, OVH is providing hosting & domain registration to that domain too.

Given that even posting the details of the issue in your forums has no effect anymore, and given that OVH has a presence here in Canada, tell me: at this point can you think of ANY reason why I shouldn't simply file a complaint that OVH is knowingly allowing their customers to violate Canada's federal anti-spam laws?

Phil @ OVH
2017-01-16, 12:39 PM
Hello,

Have you reported all of this to the Abuse portal?

Regards,
Phil

StephenB
2017-01-16, 11:03 AM
Another 12 hours (and counting): both sites are still active on OVH's web servers.

Out of curiosity, how many additional spam EMails do you think have been sent from your servers since the issue was first reported? And in that time, how many of your legitimate customers' EMails do you think have been rejected because the unaddressed spamming caused that mailserver IP to end up in blacklists? Hundreds? Thousands?

StephenB
2017-01-15, 09:42 PM
Twenty-four hours later, and both spam sites are still active on your network - and we just received another EMail from the same spammer. Kijiji/eBay have also been notified of the issue.

StephenB
2017-01-14, 09:51 PM
And what do you know, the fake "Kijiji alert" spammers are back on your network! Received another one today, from 193.70.91.175 & advertising the website http://www.alipat.trade/kijiji - which you also host. Oh, and OVH is also the registrar for that domain. And the link redirects to http://classifieds-news.com... which OVH is also the host and registrar for.

StephenB
2017-01-11, 09:48 AM
Quote Originally Posted by Phil @ OVH
Hello,

Our abuse team group together messages for the same subject, so if you've contacted them multiple times for the same issue, it will be under the same ticket.

Regards,
Phil
Since when does OVH respond to abuse complaints? I've sent hundreds through spamcop, and dozens directly to the abuse@ovh.net address - and I've never received so much as an automated acknowledgement of receipt (even with return receipts enabled), let alone an actual response.

Also, it looks like I may have given OVH too much credit for addressing the spam issue I've mentioned in this thread - that was before I checked my fail2ban alerts and found nearly 1,200 alerts for failed brute-force login attempts from OVH-controlled IP addresses (for example, FTP login failures yesterday from 188.165.212.54, trying to break into 7 different accounts). And since f2b is configured to add firewall reject rules for multiple failed login attempts, it appears that the brute force attackers on OVH's network are effectively poisoning the well for the spammers on OVH's network - by getting their IPs preemptively blacklisted (also known as the "Three Stooges" strategy for dealing with abuse).

Phil @ OVH
2016-12-06, 10:57 AM
Hello,

Our abuse team group together messages for the same subject, so if you've contacted them multiple times for the same issue, it will be under the same ticket.

Regards,
Phil

firefox
2016-12-05, 07:55 PM
@ Phil @ OVH
How is your Abuse team working?? Every time I send email to abuse@ovh.ca and noc@ovh.net I get the same ticket Number #ZPGQDXSVKF
Looks like there is no Abuse Team or I use the wrong Address??

StephenB
2016-12-02, 03:20 PM
Quote Originally Posted by Phil @ OVH
According to stats, we are #3 worldwide, behind AWS and Digital Ocean.

http://www.thewhir.com/web-hosting-n...any-behind-aws
https://news.netcraft.com/archives/2...the-world.html
Noted, I didn't realize OVH was that large. I'm not, however, really clear what relevance OVH's size has. I'm assuming your implied point is something along the lines of "as a large provider that allows self-serve signup, some spam problems are an unavoidable fact of life". I would agree if we were talking about the type of random, one-off spam runs that I periodically see from many large hosts - but that's not the case here.

As I've outlined in previous posts, this is persistent spamming that was occurring for more than a year, with several indications that it was done by the same group of people: identical messages, sent to the same recipients, all from OVH-controlled IP addresses. The only variable was that every few weeks the messages would start coming from a different OVH IP, and/or the domain of the spamvertised site would change. It appears that it was consistently taking a week or more before offending accounts/servers were shut down (despite sending multiple reports against the same mail/web server IPs) - and when OVH finally did take action, it seems that the spammers would just sign up for a new account/VPS.

Quote Originally Posted by Phil @ OVH
We did have some problems in 2014 with spam
Characterizing that as "some problems [...] with spam" seems like a bit of an understatement - to put it very, very mildly.

Quote Originally Posted by Phil @ OVH
but we quickly rectified the issue. One year later we were no longer on their top ten list:
There are some fairly significant details that you've left out. When OVH occupied the #1 spot on that list, it was with 79 current known spam issues - today, the ISP in the top spot has almost 4 times that number of issues (286), and 79 wouldn't be enough to even make it on the list at all. So even if nothing at all was done to address those issues, OVH still would have dropped off that list simply because of other ISPs overtaking you.

And when comparing the actual number of issues then and now, it doesn't look like much has changed:

https://www.spamhaus.org/sbl/listings/ovh.net

SpamHaus currently lists OVH as having 72 known spam issues - only 7 fewer than in August of 2014. That's a reduction of only about 9%, so I wouldn't exactly call that "rectified" - more like "slightly reduced." And some of the active listings on that page go as far back as this August, which seems consistent with my experiences of OVH's turnaround time for abuse complaints.

Quote Originally Posted by Phil @ OVH
As for the time taken to shut down links, it isn't always immediate. Our customers have rights too. Often, as I mentioned earlier, they are resellers. On first offences, we contact our customer and ask them to rectify the issue. If the problem persists, only then will we take further action. This can sometimes take several days before the entire cycle completes itself.
As I've said multiple times, the issue I'm referring to persisted well past "several days." I don't claim to have any special knowledge of the inner workings of OVH's abuse department - but whatever was being done in response to the dozens of abuse complaints I sent, it was obviously insufficient to actually deal with that issue. Clearly OVH had/has the ability to address that issue effectively (instead of just playing Whack-A-Mole when the spammers pop up under a new account), why did it take a year to do so? Why was it only resolved after I posted about it here & reported the issue to the organization that was being impersonated - is there any reason to believe that the issue would have ever been resolved, if I hadn't gone to that additional effort?

I would also point out that the "we're a big provider" argument cuts both ways. Yes, the larger you are, the more likely it is that you'll have some issues with customers spamming - but by the same token, the larger you are, the greater the resources you should have to deal with spam effectively, and a greater responsibility to do so because of the larger potential consequences of ignoring those issues. Even if you have absolutely no concern for the time & money it costs third-parties who have to deal with spam and other abuse from your network, I would assume that your own customers don't appreciate having their outgoing mail rejected because they're using a mailserver that's in multiple RBLs.

Phil @ OVH
2016-10-14, 12:12 PM
Hello,

According to stats, we are #3 worldwide, behind AWS and Digital Ocean.

http://www.thewhir.com/web-hosting-n...any-behind-aws
https://news.netcraft.com/archives/2...the-world.html

We did have some problems in 2014 with spam, but we quickly rectified the issue. One year later we were no longer on their top ten list:

https://web.archive.org/web/20150820...tics/networks/

And currently we are not either. http://www.spamhaus.org/statistics/networks/

As for the time taken to shut down links, it isn't always immediate. Our customers have rights too. Often, as I mentioned earlier, they are resellers. On first offences, we contact our customer and ask them to rectify the issue. If the problem persists, only then will we take further action. This can sometimes take several days before the entire cycle completes itself.

Our Abuse team work hard to follow up on all reports, but any additional communication on the forum or by twitter is always helpful as well.

Regards,
Phil

StephenB
2016-10-14, 11:54 AM
Phil,

I appreciate finally getting a response. That said:

Quote Originally Posted by Phil @ OVH
Hello,
We are one of the world's largest hosting providers. While there is a lot of great things that come with that, it also means that statistically more problems will come from our servers too. Additionally, many of our customers are resellers, which can put another layer of abstraction between us and the problem. We work 24/7 to stop abuse of our systems, and we do monitor and evaluate all abuse complaints.
Would you say that OVH is larger than GoDaddy, BlueHost, DreamHost, Amazon, Softcom, etc? Because my servers have been consistently receiving more spam from OVH's servers than all of those providers combined. I'm also far from the first person to notice that OVH's network is the source of an unusually high volume of spam, even by the standards of large hosting providers: it's been just over 2 years since SpamHaus listed OVH as #1 in their "World's Worst ISPs" list.

Quote Originally Posted by Phil @ OVH
From what I can see, the new link you provided no longer works either.
And how long would it have remained active if I hadn't gone to the extra effort of reporting it to abuse@ovh.net directly & posting about it here - and instead, had simply reported the message & link to OVH via Spamcop? Because the last time I did that, it took OVH 12 days & change to shut the link down.

Quote Originally Posted by Phil @ OVH
Please continue to advise us of any issues, and we will do everything possible to shut out abuse.
Oh, you don't have to worry about that - I just finished sending Spamcop reports for another 10-15 spam from OVH servers (all from 137.74.254.106 this time). And the person I spoke with at Kijiji was quite interested in the issue, so I made sure to forward a copy of the fake/spam alerts to them as well.

Phil @ OVH
2016-10-13, 02:59 PM
Hello,

We are one of the world's largest hosting providers. While there is a lot of great things that come with that, it also means that statistically more problems will come from our servers too. Additionally, many of our customers are resellers, which can put another layer of abstraction between us and the problem. We work 24/7 to stop abuse of our systems, and we do monitor and evaluate all abuse complaints.

From what I can see, the new link you provided no longer works either. Please continue to advise us of any issues, and we will do everything possible to shut out abuse.

Regards,
Phil @ OVH

StephenB
2016-10-12, 02:55 PM
So, it looks like OVH actually has shut down 137.74.195.209 (vps312432.ovh.net) - I don't envy any legit users who end up with that IP, since they'll likely have a fair amount of work to do to get that IP out of the half dozen blacklists it's now in. I don't know exactly when they shut down that server - but after posting here, I received another spam EMail from the same server & advertising the same OVH-hosted site just before noon (Eastern) yesterday. The first spam I received from that IP and with that OVH-hosted spam site was on September 29th of this year at 10:21AM Eastern & was reported to OVH shortly afterward. So from the time of the initial report, it took OVH at LEAST 12 days to shut down the offending account. Partly shut down, that is...

But wait, there's more! Earlier today, I received another spam that was identical to ones mentioned above - except that it came from a different IP address / host (92.222.82.4 / helo=vps312115.ovh.net) and contained a different spamvertised URL (http://www.ameblou.bid/kijiji), which of course is also hosted by OVH. And although the domain name of the OVH-hosted spam site is different, the IP address is exactly the same as the site mentioned in the previous post: 213.186.33.50. But even THAT'S not all! In the WHOIS output for both spamvertised domain names (ameblou.bid and amiblo.accountant), guess who's listed as the "sponsoring registrar"? That's right, "OVH SARL.".

So it appears that, at best, OVH is not capable of effectively policing abuse of their network in anything even remotely resembling a timely fashion - even with spammers who are shameless/lazy enough to use OVH for not only sending the spam, but also for hosting the spamvertised website AND registration of its domain name. And that's the generous explanation. The cynical explanation is that OVH is fully aware of the issue, and is perfectly OK with providing services to spammers/criminals, just as long as they pay their bills - and may even be actively helping them, by moving them to different IP addresses when the previous ones get blacklisted.

The fake Kijiji spam from OVH's servers has been going on for more than a year. At this point, I think maybe I'll get in touch with Kijiji and forward a copy of all the details I've collected over the past year and change - perhaps will take the spam complaints a little if they're coming from eBay (Kijiji's parent company).

StephenB
2016-10-10, 07:25 PM
More than a year ago, I posted about the large volume of spam received from OVH's servers - the post received no response from OVH and the one person who did respond basically said that OVH ignores complaints received via Spamcop.

Since then, it appears that not a single thing has been done to address the problem. I'm still seeing the same volume of spam from OVH's servers - and mostly the same type (primarily fake kijiji alerts) - in fact, I see more spam from OVH's network than from any other provider, except for GMail and Hotmail. There is one key difference between OVH and free webmail providers, though: for example, I just received another fake kijiji alert, from the same OVH IP as one I received on Friday: 137.74.195.209 (vps312432.ovh.net). It advertises the URL http://www.amiblo.accountant/kijiji - which resolves to another OVH IP address, 213.186.33.50. Even with GMail and Hotmail, they at least typically don't host the site advertised in the spam as well.

As I'm writing this, both IPs are active and respond to pings - and the spam-vertised site is still online. So I've decided to conduct a simple experiment: I've reported both EMails via SpamCop and directly to abuse@ovh.net - now I'm going to periodically check both of them to see how long it takes OVH to shut down those accounts (if they ever do - I certainly wouldn't rule out the possibility of OVH simply ignoring the issue altogether).