Re: [anti-spam-wg] abuse address field ?

  • To: Michael Horn nibbler@localhost, anti-spam-wg@localhost
  • From: Frank Gadegast frank@localhost
  • Date: Mon, 14 Apr 2008 12:25:06 +0200
  • Organization: PHADE Software - PowerWeb
  • Reply-to: frank@localhost

Michael Horn wrote:
> Hi Frank,

Hi Michael,

> On Fri, 11 Apr 2008, Frank Gadegast wrote:
>
> > there was once (around 2001) an attempt to introduce an abuse field
> > into all whois entries, but it somehow never made it.
>
> Are you talking about a proposal to force all IP holders to use the
> abuse contact field, or was that just about the existence of such a field?

Yes, the field is there, but only used very rarely. It should be forced.
It could even be restricted, so that only RIPE members can see it.

Very often there is no abuse address in the remarks.
There is not even an email address in the admin-c or tech-c handles.
Lots of abuse addresses give a "mailbox full" or "user unknown" error
according to the reports we send ...

> the field itself has existed for quite some time:
> nibbler@localhost:~$ whois -t PERSON|grep abuse
> abuse-mailbox:  [optional]   [multiple]   [inverse key]
> > Is anybody interested in opening a discussion on this again ?
> Having a well working abuse contact is an incredibly great thing.
> However nobody can warrant that the contact named there is actually
> working at all. Which means - even if people are forced to provide e.g.

That's the first step of my idea.

> an email address - the question remains how much care is taken of its
> inbox.

Sure, but I think that all local registries should have a responsibility
to force providers (or members in general) to work on reducing spam.
I would really like to discuss methods for how this could be arranged.

My current idea looks like this:
- RIPE forces their members to have an abuse contact for any netblock
- RIPE creates a spam measurement system by analysing their own spam,
  and by working together with trusted blacklists and commercial
  spam providers and maybe even by setting up a few tarpits.
  Our DNSBL can easily tell which providers have which rates ...
- RIPE then measures the spam average for 30 days of any netblock
- the RIPE member and netblock owner gets a warning, if the average
  they then have e.g. 30 days to reduce the average
- if the average does not fall within 30 days, the netblock gets
  de-routed and revoked for 10 days (which will surely drop the average
  and it will be routed again)
- if the average falls within 30 days, the average of the new and
  the old value will become the new value of "allowed spam"

All measurement values could be very loose, like a SpamAssassin
score over 15 and at least 10 spams from one IP in one day and so on ...
There is no need to identify every spam, but you can easily identify
any spam-sending IP.

The main problem is really the spambots coming in through dialin IPs.
They produce more than 90% of the worldwide spam according to our
measurements. More than 10% from Turkey, more than 6% from Germany,
more than 5% from Poland and 5% from France.
Any good approach from RIPE could easily drop the worldwide spam rate
by more than 25 %
(see our for details).

Dialin providers can also easily identify their spam-sending customers:
They only have to analyze incoming mail (which they all do anyway) and
see if the originating IP belongs to them.
This works great according to our experience,
because most spambots also send spam to the email address of the
misused user and surely also to other customers of the same provider.
And if it's easy to identify the spambotted dialin customers, it's also
very easy for the provider to block them: they could send out warnings
or easily change the password on their radius server automatically.
The customer will call if dialin does not work anymore, and it then
could be explained that the customer has to clean his computer first.
He will be allowed to dial in again after he has promised that his
computer is clean. And the contract will be terminated completely
if it happens again. Very easy.

And if you think that these are many customers, you're wrong.
We are only talking about 10,000 IPs daily.
Of those, only about 4,000 are from Europe, and as an example
only 1,000 in Germany. No provider will risk losing complete
network blocks for only a handful of customers.

And all this is already covered by most provider contracts and even
by RIPE's regulations (correct me if I'm wrong): they all state that
dialin and IP address ranges should not be misused.

The only thing missing is some pressure to make this happen,
and this pressure could come from the registries or
the government. Guess what's easier ...
Yes, government regulations do not help; there is still 10%
originating from the US, and they really have harsh laws now.

Comments ?
Was something like this already discussed in the group ?
What's the agenda for the group at the RIPE meeting in Berlin ?
Should we discuss this any further there ?

Kind regards, Frank
With kind regards,
PHADE Software - PowerWeb
Owner: Dipl.-Inform. Frank Gadegast
Schinkelstrasse 17                     fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================
Public PGP Key available for frank@localhost
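The per-IP measurement Frank sketches above (a message counts as spam above a SpamAssassin score of 15, an IP counts as a spam source at ten such messages in a day, and a provider only needs to look at inbound mail originating from its own ranges), written out as an added Python illustration. This is not code from the original message; the netblocks and the log records are constructed samples using documentation prefixes.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Thresholds as proposed in the mail: SpamAssassin score over 15 marks a
# message as spam; at least 10 such messages from one IP in one day marks
# that IP as a spam source worth acting on.
SPAM_SCORE = 15
DAILY_MIN = 10

# Constructed sample: the provider's own dialin ranges (documentation prefixes).
OWN_NETBLOCKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed sample log of inbound mail: (date, connecting IP, SpamAssassin score).
SAMPLE_LOG = (
    [("2008-04-10", "198.51.100.7", 22.1)] * 12   # own customer, clearly botted
    + [("2008-04-10", "198.51.100.7", 1.2)] * 3   # same customer, legitimate mail
    + [("2008-04-10", "198.51.100.9", 18.0)] * 4  # own customer, below daily minimum
    + [("2008-04-10", "192.0.2.44", 30.5)] * 15   # foreign IP: not this provider's customer
    + [("2008-04-11", "203.0.113.21", 16.4)] * 10 # own customer, exactly at the minimum
)


def is_own(ip, netblocks=OWN_NETBLOCKS):
    """True if the connecting IP falls inside one of the provider's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in netblocks)


def spam_sources(log, score=SPAM_SCORE, daily_min=DAILY_MIN, netblocks=OWN_NETBLOCKS):
    """Return {date: {ip: spam_count}} for own-network IPs that sent at least
    daily_min messages scoring above `score` on that day. Foreign IPs and
    messages below the score threshold are ignored, so legitimate traffic from
    a botted customer does not inflate the count."""
    counts = defaultdict(Counter)
    for day, ip, sa_score in log:
        if sa_score > score and is_own(ip, netblocks):
            counts[day][ip] += 1
    flagged = {}
    for day, per_ip in counts.items():
        hits = {ip: n for ip, n in per_ip.items() if n >= daily_min}
        if hits:
            flagged[day] = hits
    return flagged


if __name__ == "__main__":
    for day, hits in sorted(spam_sources(SAMPLE_LOG).items()):
        for ip, n in hits.items():
            print(f"{day}: {ip} sent {n} spam messages to our own users")
```

Feeding the output to a warning mail or a RADIUS password reset, as the mail suggests, is the provider's follow-up step; the block only produces the list of IPs.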