Wednesday, 29 October 2008 13:30

Anti Abuse WG

The antiabuse session commenced as follows:

SPEAKER: We are going to give people a few minutes to come back from their unexpectedly early lunch and then we will begin. (Antiabuse is antiabuse)

Hello, as we have or many of us have an excursion to the desert this evening we should probably start and make sure that you are all finished in time to get into the no doubt lovely four by fours and head out into the wilderness. Welcome to the RIPE 57 session, and first ever session of the AntiAbuse Working Group. If you thought you were supposed to be coming to the AntiSpam Working Group at this RIPE meeting, you effectively are. We sneakily, through many months of changes and discussions and all sorts of other things changed our name and charter and I will go into that in more detail in a moment.

My cochair Richard Cox sends his apologies, he wasn't able to travel but he hopes to see you all again in Amsterdam in a few months' time.

So, yes, as I said, we have a new Working Group name which is antiabuse. We did discuss abuse but it seemed far too terribly short and might involve all of us standing up and going I haven't spammed in six months and we have a new charter which I am going to go through in a moment but before I do that, we circulated the agenda which I warn you now is mostly me talking so if you wish to avoid this, please do step up to the microphone at appropriate times and/or submit agenda items for the next, for RIPE 58. We also circulated the minutes from RIPE 56 and there were no comments, no particular additions or comments so I am going to consider them to be approved and accepted unless anyone says anything now. No one has, wonderful.

We have our wonderful stenographer, minutes-taker and indeed one of the NCC staff on Jabber, so thank you all to them for their assistance this afternoon and thank you to the NCC for all the work they have done facilitating myself and Richard messing around it, made the process incredibly easy and we never had any problems with anything at all. So that charter I mentioned earlier which I am now going to see if Firefox will be nice, I apologise for the photographs, I realise you can see me here. For those of you who haven't been monitoring the mailing list I wish to go briefly through the charter that was agreed for the AntiAbuse Working Group. A lot of it has a lot of similarities to the old charter for antispam, but I just want to point out, I suppose, the differences. You can probably see most of it up there, I will just run through it very quickly, the high points.

Essentially, previously, in years gone by, spam was the most visible form of network abuse and it's now really just a symptom of much deeper abuse, viruses, botnets etc., which cause the spam and various other abuses we seed to. To reflect this change at RIPE 55 we proposed widen its focus to include all relevant forms of the abuse. Over the last year various iterations and charters and arrived at the points we have got to. It's considered difficult for this charter to include an exhaustive list because that would have taken many, many pages. And we consider within the scope of the Working Group not least expected to change over time so we have a list there of some fairly visible and obvious types of abuse, ones we could all agree on. The kicker, really, is the fifth bullet point there which is all systems and mechanisms technical and nonused to create and control and make money from such abuse. That is the pretty wide part and it allows us discuss an awful lot of things. More so than just those four that we have clearly identified there. We did not put any process or policy in place to add things to that list because we feel that we really, if we really need to add to them it should be fairly easy to get consensus from the Working Group to do so. The caveat below that is important to note that areas such as signer squatting or hosting illegal content are not seen to be part of the remit of the Working Group. We really don't want to start going through that.

So the three points we kind of identified as definite pieces of work you wanted to do was to produce and continue to update best practice BCP document for, covering wider range of possible abusive behaviours and more on that later. Provide advice beyond to the BCP to relevant parties within the RIPE regions... on strategic and operational matters. And to discuss and disseminate information on technical and nonpreventing or reducing network abuse.

Now as we have spent most of the last while sorting out this charter and reaching consensus which we only managed, oh, I think probably about a month, month and a half ago there has been no further action taken on those three points.

We have a mailing list of course, now what we did with that because of obviously the direct move from antispam to antiabuse was we just changed the name. So we kept the list of subscribers and changed the name to antiabuse. Mainly because we didn't want to lose any of the wonderful who had already subscribed to the list and sadly, the realistic situation was that if we'd asked everyone to resubscribe we probably would have lost a lot of people who may not have remembered that morning or may have had something else to do, and so we have kind of maybe remembered six months later that they had dropped off the list. And the important point to note but hopefully something that everyone in this room should be aware of, this is not the address to use if you wish to report abuse or spam; we do occasionally get emails saying that some random ISP who is a member, ... member of RIPE has sent them spam and can we do something about it. Big and scary and all that I am, it's not my job to go around knocking on ISPs' doors and asking them to stop abusing networks. There are, there is other information there and there is a link there to the relevant page.

So, to go back to where we were. So, we got all this together as I said, fairly late in the day, and I put a request out for agenda items about a month ago, possibly sooner, more recently and sadly got no response. I think we are going to have some presentations and some very interesting discussion in Amsterdam but, sadly, the few people who were interested or might come along and talk to us couldn't get as far as Dubai, which is a pity because it's wonderful. So we are to go through a number of things. I am going to raise a number of points and really the less talking I can do the happier I will certainly be and I would love to hear from some of you guys, sadly I am not as lucky at Address Policy to have the network go down for the first hour or so of my session.

So, this may look familiar to those of you who are regular attendees at antispam. It's not a huge departure in the agenda. I wish at some point to take stuff away from this and start talking about agenda items people wish to raise but I will stop going on about that now. So, developments in antiabuse, it's a very wide area, I will admit. But there are obviously as we identified various factors which are very similar. So the question is, is anything happening? Are there any products, is there any legislation, are there any particular items which people have come across which they have put on to their own network and said this is fantastic, this has reduced the amount of abuse I am seeing, this has reduced the number of Windows machines that are getting compromised and turned into botnets, the amount of spam in my inbox, or anything of that ilk, or is it just kind of hoping the firewalls will get faster and hoping that antivirus will keep up with the various signatures and hoping that antispam will manage to filter? (Manage to). He said hopefully. I do know that we ourselves, I work for HEAnet and part of our mission it is to supply broadband connectivity to all of the primary and secondary schools in Ireland and recently we have got to the point where the content filtering which also doubles as an antivirus and antispam solution, has finally begun to get to a point where it's almost line rate on the gigabit interfaces that are being plugged into it and you are looking at 4,000 end points going into centralised filtering system and we went through a lot of pain with the vendor in question and did a lot of product testing for them to the point where we can now actually, it can manage to handle the 5 or 600 Meg that is going through it. But again, it's nothing startlingly new.
And also, certainly from my own point of view, my wonderful home country has not managed to go any further steps in legislation since the European Union instrument in 2003, which has been reasonably toothless, but will ... there any comments to make, any new laws, new tools or even particularly your situations in countries where people may wish to discuss the legislation situation that they have? OK.

From the point of view of recent list discussion, there hasn't been a lot, most of it has been about the charter. There was someone raising the point of contact details, but again, that is something I am going to touch on in more detail a little bit later on. So the technical measures is again, it's similar to what we were saying earlier. Some of this is obviously biased towards spam at the moment and it tends to be some of the easier things to identify, but again, I am not particularly aware of anything amazingly new in that particular field, but would be very interested to hear from anyone who has put something new in place, saw something new or even just found ways of, not even productwise but scriptwise or otherwise. Of course if someone has come up with a way of educating users which works that would be of great interest as well. This could be a terribly short Working Group meeting.

So, one of the things we did identify is obviously and we identify this part of the AntiSpam Working Group meeting for quite some time we needed to work with other people and antiabuse is no different. As regards the Working Groups, there has been floating around for some time a discussion about putting proper contact details into the database for network objects. There has been a number of complaints raised about abuse contact details which are not mandatory and indeed are sometimes false, and there is no policy stating that people must absolutely put the correct details in there, and this is one of the big problems which crops up again and again when people do suffer abuse from a network, that they aren't sure who to contact. Now, the problem is that every so often someone stands up and says this should change, and then promptly sits down again the moment anyone mentions the policy development process or writing a few words down other than some very annoyed grumbling about how all of the world is and how we should do something about it, so this has cropped up with database and conversations with the chairs there a couple of times. But again, we are not really planning to write this ourselves or otherwise, so the question; is there a real call from the community to look at a process, and this process would probably fundamentally sit in the Database Working Group but it would certainly have a lot of influence from antiabuse, but as yet no one has sat down or even offered to work with the chairs on a policy. So, it's something to think about, and it's going to continue to be the answer to mailing list questions about why can't we contact the correct people, we are going to say well because there is no policy, would you like to write one? If you have a question or point, if you want to step up to the microphone. The session is being recorded and we all need to hear you. Say your name and where you are from.

AUDIENCE: ... the Serious Organised Crime Agency in the UK. I don't know if you are aware but there is a bill in front of the House of Representatives in the UK, in US rather, an antiphishing bill and one of the clauses in that is a proposal to make it illegal to register incorrect whois data, whether that goes through the House of Representatives or not, obviously that is going to be an interesting development for whatever you are doing.

SPEAKER: Absolutely. I wasn't to be honest with you, sadly haven't managed to pay that much attention to things but thank you very much for that and that could certainly be very interesting and would be interested to see what effect then that will have on various regional registries and whatever policies they have in their databases, so this is one of the things which obviously is possible, interaction with the enhanced cooperation workforce, as well, as governments see more abuse and they are asking questions as to where this abuse comes from, you know, the possibilities for them emphasising they would like us to have proper records is going to increase, and it's a question of how long it is before national governments saying no you absolutely must have it there and then asking questions like well, you have this database of networks why don't you have it there? But as I said, I don't think that we are going to, certainly the chairs of database and antiabuse aren't going to start writing policies unless we do feel that there is a community wish for such a policy and every time it has kind of floated to the top of the database or AntiAbuse Working Group lists, it hasn't really gone anywhere, no one has put any particular work into even kind of going, formulating even the beginnings of a policy beyond the initial mail they send, so that is something we are going to have to look at, but it would require community support before we spent a lot of time doing it. Now, whether there is a reason to kind of push for that support more actively is another argument but it's certainly something we will be talking about again.

Obviously, as the Working Group in this particular incarnation is very new, we haven't had a lot of interaction with other people, but we are hoping that once things have settled and the charter is in place or the charter has been in place for more than a wet week we will have the opportunity to talk to other people to see what people are doing in other regions and indeed to get a better idea of what ISPs, IXs and national governments are doing and looking at at this point in time and I think the problems that we have are only going to get worse and the problems of identification are also potentially going to get worse as more and more people put NAT in place and things like that and look at it as a very flawed security measure.

So, unless there are any other comments from any other regions about what they are doing, or any other comments on national legislation.

AUDIENCE: From the European, European ISPs association, and German ISPs association. I wonder if you are aware of the spam initiative from Microsoft and some ISPs collecting spam in order to get those people in front of court who are sending out this spam and as in many legislations, legislations you need individual complaining about the spam otherwise you can't do anything. And this, they build up a Europeanwide database collecting spams and then trying to get hold of the spammer at the end front of court. No, no, I can provide you with more information if you need it. And there is another thing I want to mention; it's a German initiative, it's called, it's a white list because sometimes people want to receive advertising and not filter it out by spammers.

SPEAKER: Absolutely.

AUDIENCE SPEAKER: And we have introduced in Germany as ISP association white list to allow companies to send their advertising and it's not considered to be spam by the ISPs and this works wonderful, as well, it's similar to some kind of a post stamp on the mail so it gets through.

SPEAKER: Absolutely. There is, I have seen a couple of similar initiatives to the white list or kind of branding mails to, give them a post stamp or logo which not only yes you have asked for this but also hopefully reducing the phishing incidents and things like that and they are definitely the mails that people have asked to get and expect to get. And I think I mean, that is obviously one of the challenges is to educate people; people are sometimes very trigger happy with report spam or otherwise, and there are what I shall describe as Internet marketing people who have lists which have been confirmed have been opted into and then six months later somebody forgets they ever asked for the mail and sends a report to spam. I had heard of the Microsoft initiative, I wasn't sure what stage it had got, I certainly would be interested in more information and that is one of the kind of things we would like to hear more on and possibly even have, get some contact details, get present to, get someone to present at a later RIPE meeting in relation to it and see how the project is going would be fantastic. Yes, I think, if there is anything else anyone wishes to add to any of that or any points they feel should be brought up.

So the documents I mentioned; the currently existing document that the work group has produced is RIPE 409 which is an updated version of 206 if memory serves. This is the BCP for ISPs greatly based on work that was done by Linx for their BCP for their members, and put together to say these are, thou shalt not spam, let their members spam or members claim they have affiliates who spam. And it is the most obvious document to either update or to alter, possibly slightly, to reflect the wider scope of the Working Group. Now, this is something that myself and Richard are going to look at, but one of the questions is: A, if anyone is interested in helping us with that, to take the document and, well, update it as it needs to be done every so often and also increase the scope to cover other forms of abuse and anything that anyone feels is missing, should, obviously there is a lot missing from it at the moment because it needs to be updated but definitely needs to be in there or is something which may not be obvious which should be added or otherwise. Or are Richard and I doing all the work ourselves? We will be putting this out to the mailing list to see if anyone is interested in spending some time doing it.

We shall send more to the mailing list on that and circulate our thoughts on it and then see about putting some drafts of documents in place.

The other question is, other documentation, new documentation, the Working Group should output. I think the BCP is going to be a core document for RIPE members on how to behave and how to hopefully protect their network both by technical measures and processes and nontechnical measures for those who would use it to abuse others or indeed use it to abuse other customers of that network. But the consideration is on other documentation, whether white papers for law enforcement, for those who may not be as used to computer crime, whatever you wish to call it, as some other jurisdictions, or documentation of that type. Now, again, we have been spending most of our time on the charter so I don't have a huge list of suggestions that we have come up with, but we are wondering if there is anything that the Working Group feels is a priority as an output or you know that anyone would really love to see that they think would help them convince their bosses they need to spend more time on this or convince salespeople that just because somebody is not willing to offer them money doesn't necessarily mean they are not a good client or anything from that particular respect orange he will. Or is everybody perfectly happy with all the information they have to hand right now? Obviously, we can spend time creating documents but we want to know we are creating ones which will help and which people will actually like.

So, nothing at all. OK. So that is the agenda I have. I haven't got a lot more than that. As I said, most of our time recently has been spent actually getting to the point where we can launch the Working Group with the wider scope, but it will very definitely require I suppose guidance and assistance now that we have got to that point, of what people would like to see and see us do. And hopefully now we have got that out of the way we can concentrate on catching up on the projects ourselves and maybe targeting some more people to speak to you in Amsterdam, which is slightly, I suppose, the up side there it's slightly easier to get to for a day or so to come and present. So as I said, that is the agenda I have, which is quite short and we have gone through it quite quickly. But is there any AOB, any points anyone would like to raise? Any suggestions for agenda items for other meetings or anything at all like that? And apparently not. So, that is half an hour, no one can say I kept you too long, anyway. So that is pretty much concludes the meeting for the moment. As I said, it was to launch all that, please take a look at the charter again, see, and if you haven't already joined the mailing list, the signup details are there so we can have some more discussion and hopefully we have got that out of the way we will be able to put some more directed requests out into the mailing list and see where we go from there and have a much longer, still only an hour-and-a-half meeting, in Amsterdam at RIPE 58. So thank you very much.


