dpaste.org is down

Open LostRuins opened this issue 1 month ago • 14 comments

The site at https://dpaste.org appears to be down.

The docs are unaffected.

LostRuins avatar Oct 27 '25 14:10 LostRuins

Cloudpanel was having a bit of a moment...

DarrenOfficial avatar Nov 01 '25 03:11 DarrenOfficial

Thanks for the fix!

LostRuins avatar Nov 01 '25 03:11 LostRuins

I think it is down again @DarrenOfficial

LostRuins avatar Nov 19 '25 15:11 LostRuins

Yes, I'm working w/ our service provider to solve it.

Someone keeps posting CSAM links, and I'm not getting the abuse email, rather the provider does.

It kinda has been a nightmare, since they go to Domain Registrar (took down the whole domain... fun), now they went to report it to the hosting provider (server still offline till now.)

DarrenOfficial avatar Nov 19 '25 16:11 DarrenOfficial

It's very frustrating. If any folks have a bright idea to solve this, pls do share :)

DarrenOfficial avatar Nov 19 '25 16:11 DarrenOfficial

I think someone also did it to Mozilla dpaste instance too, that's why they took theirs down. Not too sure.

DarrenOfficial avatar Nov 19 '25 16:11 DarrenOfficial

Hmm how are the links being flagged? As I understand pastes are not publicly searchable?

Maybe adding an official "report abuse" function would allow people to contact the admin (you) instead of having to go through the provider/webhost

LostRuins avatar Nov 20 '25 01:11 LostRuins

Welp. Here's a statement from our hosting provider

> Unfortunately based upon this information and the severe risk which incidents such as this present to the relationship with our upstream provider and therefore our continued operation, we are unable to permit the continued hosting of dpaste.org on the platform.
>
> Please advise if you require to retrieve the data currently stored on the server and we can make this available for you to download.

DarrenOfficial avatar Nov 20 '25 03:11 DarrenOfficial

> Maybe adding an official "report abuse" function would allow people to contact the admin (you) instead of having to go through the provider/webhost

There is an abuse email @ about page.

But then again, there is also a delete button accessible to anyone.

> Hmm how are the links being flagged? As I understand pastes are not publicly searchable?

Yes they are not, AFAIK these links are posted x site, that's how it got caught.

DarrenOfficial avatar Nov 20 '25 03:11 DarrenOfficial

tbh sounds like a shitty hosting provider response but i guess they wanted to cover their own butts. i would say find a different webhost though that's probably easier said than done. people love to ruin a good thing. best of luck and hope you figure something out.

LostRuins avatar Nov 20 '25 14:11 LostRuins

There is no other option than moving the service to another company, when reading the statement from the hosting provider. This does not sound as if there is much you could do about the current provider. I would also say move the service somewhere else.

needless avatar Nov 21 '25 12:11 needless

I'd love that, I'm still waiting for Fran's stuff to be in stock (BuyVM);

This current provider sponsored us for a good year or two, found them on lowendtalk. So dpaste next provider should be someone that's a bit open to receiving and working with abuse email from time to time.

DarrenOfficial avatar Nov 21 '25 15:11 DarrenOfficial

Maybe run dpaste as a lambda/containerapp/(whatever gcp calls theirs) and use the cloud service’s waf to try to detect this? If the provider’s waf fails to detect this, we’d consider that a bug for them to fix? Also, if we created a deployment script (maybe pure terraform/tofu or maybe through a makefile) you could then have tons of paste sites popping up and people could deal with this individually?

ag4ve avatar Dec 01 '25 18:12 ag4ve

I used to run a URL shortener, abuse@ address featured prominently on the homepage. People still went around me to report abuse directly to my VPS provider. And the kicker is, I automatically disabled any URL from my service found in an abuse email as it was received and a script read it. So it always took longer to get things taken down by bypassing me.

This is why we can't have nice things on the Internet. The bad guys are bad, and the good guys are bad.

RonGee avatar Dec 08 '25 02:12 RonGee

My sympathies. Most users don't guess the level of spam/abuse/crime content that a typical pastebin receives. CSAM, porn, doxxing, encoded malware, plain old spam, and wannabe carders selling "FRESH CC FULLZ DUMPS+PIN PAYPAL BANK LOGIN WU…"

The old paste.pocoo.org suffered a similar fate:

> The real reason however why this pastebin is now gone is that it turns out, running a pastebin is a horrible idea if you don't do entry expiration or spam filtering.

Good luck! I've been there.

— Paul from dpaste.com

pbx avatar Dec 17 '25 19:12 pbx

> Maybe run dpaste as a lambda/containerapp/(whatever gcp calls theirs) and use the cloud service’s waf to try to detect this? If the provider’s waf fails to detect this, we’d consider that a bug for them to fix?

Might be a good idea, not too sure on the implementation; I did for a while rely on Cloudflare CSAM scanning tool, which is a major help... until they stopped functioning well. dpaste.org itself is on Cloudflare business plan. Thanks Cloudflare!

> Also, if we created a deployment script (maybe pure terraform/tofu or maybe through a makefile) you could then have tons of paste sites popping up and people could deal with this individually?

There is the docker-compose which should be easy enough for people to run their own pastebin, PRs are welcome if you want to add terraform/tofu.

> This is why we can't have nice things on the Internet. The bad guys are bad, and the good guys are bad.

Agree with you on this one, it is super frustrating.

> The real reason however why this pastebin is now gone is that it turns out, running a pastebin is a horrible idea if you don't do entry expiration

Entry level expiration ✔️ Anyone can delete public paste ✔️

Does it prevent people from reporting to registrar/hosting provider/network abuse contact, nope.

I suppose this is also the reason Mozilla stopped hosting their own dpaste public instance.

> spam filtering

A question that I myself still wonder, what would be the way to implement this faithfully.

@pbx, what's your secret to keeping dpaste.com alive 🤔

DarrenOfficial avatar Dec 17 '25 20:12 DarrenOfficial

@DarrenOfficial — thanks for asking.

  • I liberally block IPs — ones that have violated the TOS, and selected lists from https://iplists.firehol.org/
  • I have validation that checks for a few common abuse patterns, especially ones that are likely to bring trouble (e.g. large encoded binaries, financial crime solicitations). Repeat offenses result in auto-blocklisting.
  • I do spot-checks daily. That's how I identify new patterns (e.g. this week about 100 different IPs making identically-formatted posts of AWS credentials)
  • I have a support-form link on the rejection page, so people can report false positives. I get about two unblock requests per month, on a volume of about 100K posts per month and 1000 blocks per day.
  • I actually gave a talk about this last year, if you're interested in more detail.

pbx avatar Dec 20 '25 01:12 pbx

Just want to chip in that perma-blocking IPs in this day and age is not the most ideal approach. Most ISPs now rotate residential IPs pretty frequently from a large pool, so in 24 hours the perpetrator is gonna have a new clean IP while some other victim gets blocked. Data centers and cloud services mean that I can simply spin up a new VM instance and get a fresh IP too, unless you want to ban an entire range. And CGNAT means that blocking one IP can affect thousands of people in some ISPs.

A temp block is fine, but it should have automatic expiry mechanisms.

LostRuins avatar Dec 20 '25 01:12 LostRuins

Indeed. I don't perma-block. It's not useful.

That said, a lot of the inbound abuse I see comes from AWS IPs, which are more long-lived than residential DHCP, so I do use a cooldown period longer than 1 day for them.

django-blocklist has a default of 7 days but I do vary that as seems fit.

pbx avatar Dec 20 '25 03:12 pbx
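
The approach discussed in the last few comments (content validation, auto-blocklisting on repeat offenses, and blocks that expire on their own with a longer cooldown for datacenter addresses), as an added sketch that is not code from dpaste.com, dpaste.org or django-blocklist. The class and function names, the strike threshold, the 1-day and 7-day cooldowns, the 2000-character blob rule and the documentation-range network list are all assumptions.

```python
import ipaddress
import re
from datetime import timedelta

# All values below are assumptions for illustration, not settings from the thread.
RESIDENTIAL_COOLDOWN = timedelta(days=1)
DATACENTER_COOLDOWN = timedelta(days=7)
# RFC 5737 documentation range standing in for a real cloud-provider range list.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
STRIKES_BEFORE_BLOCK = 2
BLOB_RUN = re.compile(r"[A-Za-z0-9+/]{2000,}")  # long unbroken base64-like run


def looks_like_encoded_blob(body):
    """Flag pastes that contain one large encoded binary."""
    compact = body.replace("\r", "").replace("\n", "")  # undo line wrapping
    return BLOB_RUN.search(compact) is not None


class ExpiringBlocklist:
    def __init__(self):
        self.strikes = {}        # ip -> rejected posts so far
        self.blocked_until = {}  # ip -> datetime at which the block lapses

    def cooldown_for(self, ip):
        addr = ipaddress.ip_address(ip)
        in_dc = any(addr in net for net in DATACENTER_NETS)
        return DATACENTER_COOLDOWN if in_dc else RESIDENTIAL_COOLDOWN

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            # Block has lapsed: forget it so a reassigned address starts clean.
            del self.blocked_until[ip]
            self.strikes.pop(ip, None)
            until = None
        return until is not None

    def submit(self, ip, body, now):
        """Return 'blocked', 'rejected' or 'accepted' for one paste attempt."""
        if self.is_blocked(ip, now):
            return "blocked"
        if not looks_like_encoded_blob(body):
            return "accepted"
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= STRIKES_BEFORE_BLOCK:
            self.blocked_until[ip] = now + self.cooldown_for(ip)
        return "rejected"
```

Because expiry is checked lazily on each lookup, no cleanup job is needed; a production version would keep this state in the database or cache rather than in process memory.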