RIPE 61

Draft Anti-Abuse WG Minutes – RIPE 61
Thursday, 18 November 2010, 14:00 – Westin Excelsior Hotel, Rome, Italy

Co-Chairs: Brian Nisbet, Richard Cox
Scribe: Fergal Cunningham
Chat: Laura Cobley

A. Administrative Matters

A1. Welcome

Working Group Co-Chair Brian Nisbet welcomed attendees and explained that co-chair Richard Cox regrettably was unable to attend today’s session.

James Blessing, concerned Internet citizen, said that although it was good to have an active co-chair, the reputation of the Anti-Abuse Working Group was being impacted upon by the other co-chair, and he said he would like to see this addressed.

Brian said this was a matter for the AOB section of the agenda.

Brian thanked the RIPE NCC scribe and Chat monitor, and the stenographers. He asked that anyone who had a question on Chat give their full name and affiliations.

Brian asked if there were any objections to the minutes from RIPE 60 being approved. There were none, so he said the minutes were approved.

Action on RIPE NCC: Remove “Draft” status from RIPE 60 Anti-Abuse Working Group Minutes.

Brian noted that the agenda was slightly changed from the agenda posted on the mailing list because Richard was unable to attend and there were some late requests for presentations from RIPE NCC staff. The updated agenda is available at:

http://ripe61.ripe.net/presentations/343-AA-WG_RIPE61_Agenda.pdf

B. Updates

B1. Recent List Discussion - Reporting Fraud, Database Issues, Time Stamps (-B)

Working Group Co-Chair Brian Nisbet noted that there was a lot of discussion on the mailing lists recently, and most of this was related to items that would be dealt with further down the agenda.

He noted that the Anti-Abuse Working Group mailing list was not the place to report network abuse. He did remind attendees that the whois –B lookup gives the date of the last update to an object.

B2. Registrar Issues - Michele Neylon, Blacknight


Michele Neylon from Blacknight gave a presentation entitled “Abuse – Registrar Perspective”. At the beginning of the presentation, Michele asked for a show of hands on attendees who had had their credit card skimmed or Paypal account attacked, and there was quite a large number of hands.

The presentation is available at:
http://ripe61.ripe.net/presentations/244-blacknight-ripe-rome-2010.pdf

Tobias Knecht, Abusix, asked how should all these things be reported in a machine and in a human readable format. He also suggested using xarf.org.

Michele said they get manual reports and, if the reports are to be automated, there is no reason they can’t be provided in a particular order. He said everything has to be read and investigated anyway.

Konstantin Bekreyev, DARS Telecom, asked, considering the recent increase in botnets, when spam is sent through the port tcp/80 via email systems such as Hotmail, what can he do. He is unable to close port 80 to these sites.

Michele said he did not know and suggested reporting it to Hotmail.

Brian said the big email companies have gotten better with spam and dealing with it. If abuse comes from a website then it should be reported to the original IP.

Gilles Massen, Restena Foundation, asked, since abusers are moving quickly, how would Michele react to them efficiently while protecting the innocent.

Michele said you have to carefully evaluate each report you receive and you need to have a measured a response.

David Freedman, Claranet, asked what kind of proactive work the registrars do.

Michele said there were a lot of registrars and their methods varied. He said often the registrars and hosting operators did not have full control of the network. He said he would like to see some best practices coming out of the Anti-Abuse Working Group.

Brian said producing best practice documents is an action item for this working group, and although this was not on the agenda for the current meeting, he hoped to be able to come back to the mailing list with something soon.

An attendee asked about the Google tool that was presented earlier by Michele. He said that an ISP would need to have specific examples of abuse before it would take action on a customer. He asked if the registrar would contact the customer based on a Google report alone.

Brian explained that the Google safe browsing alerts tool lets Google notify you if a site you are hosting has malware.

Michele said this used to be the case with registrars but now they have to take a more proactive approach because of the number of reports they receive each day. He said he would not contact anyone based on the alert alone, but the alert would give you an indication of where abuse was taking place and you can go there and see what is happening.

Andy Davidson, Netsumo, in response to the question from Konstantin, recommended a tool from Loughborough University that looks in outbound mail for evidence that someone has been phished. He added that it locks the accounts of people who have been phished. Andy said he would send details to the mailing list.

James Blessing, Limelight Networks, asked that the time stamp and correct time zone be noted in all reports.

B3. RIPE NCC Draft Closure Agreement/Service Abuse

Athina Fragkouli, RIPE NCC, gave a presentation on the new RIPE NCC document, Closure of an LIR and Deregistration of Resources. The presentation is available at:

http://ripe61.ripe.net/presentations/281-Closure_of_LIRs_and_deregistration_of_resources_anti_abuse_aspects.pdf

Athina asked that attendees read the document and give feedback.

James Blessing, Limelight Networks, asked if the only thing that could be effected under law was full termination of the service agreement.

Athina said this was the case but if the RIPE NCC received a Dutch court order it could deregister resources. She confirmed that the RIPE NCC would comply with a Dutch court order no matter what it contained.

David Freedman, Claranet, asked if there would be a way to let people know that resources were in the process of being deregistered.

Athina said a tag would be added to such resources in the RIPE Database.

Brian noted that there was a bigger version of Athina’s presentation available from the NCC Services Working Group and that it would be made available in that working group’s archive.

Volodymyr Yakovenko, Google, asked if there was an example of a Dutch court order available and the conditions for such a court order.

Athina said the RIPE NCC hadn’t received one yet but was working with Dutch national authorities on what should be contained in such an order.

Brian asked that the RIPE NCC make known to the community the outcome of the RIPE NCC’s discussion with the Dutch legal authorities.

Wilfried Woeber, Database Working Group Co-Chair, said it was important to get the provisions of the document correct as soon as possible, and he also advised against overreacting to a court order in terms of deregistration.

Athina said termination of the service contract between the RIPE NCC and an LIR resulted in a loss of service, and that included registration of resources.

Rob Blokzijl, RIPE Chair, said the RIPE NCC has been in contact with legal enforcement agencies (LEAs) for a number of years, and the police are doubtful that they will see a need to bring a court order or deregister resources. He said LEAs are interested in stopping criminals and removing information is not something they would see as helping this goal.

Brian said further discussion of the document should take place on the RIPE NCC Services Working Group mailing list.

B4. RIPE NCC Survey on Improving RIPE Database Quality

Ferenc Csorba from the RIPE NCC gave a presentation on a survey aimed at improving RIPE Database quality. The presentation is available at:

http://ripe61.ripe.net/presentations/279-RIPE_DB_Quality_Survey.key

There were no questions and Brian said feedback on the survey should be directed to the Database Working Group mailing list.

C. Policies

C1. 2010-08 Abuse Contact Information

Working Group Co-Chair Brian Nisbet called Tobias Knecht, Abusix, the proposer of 2010-08, on Skype.

Brian noted that he had discussed the proposal with Tobias and they had talked to the Database Working Group and RIPE NCC staff. He said some changes had been recommended.

Brian explained that the proposal was to “add a mandatory reference to IRT objects in the INETNUM, INET6NUM and AUT-NUM objects in the RIPE Database. He added that potential changes to the proposal include removal of implementation details. He said there would be a redraft of the proposal and asked for any comments on having the mandatory reference to abuse contacts in IRT objects.

Michele Neylon, Blacknight, said there might be some confusion because some people seemed to be confusing introduction of a mandatory abuse contact with solving all problems. He said he foresaw problems with people expecting the proposal to have a broader impact that was originally intended.

Tobias said the main point of the proposal was the mandatory nature of having the reference, but this was something people might have to decide for themselves and he was open to hearing comments on this.

James Blessing, Limelight, said the proposal was a nice idea but there would have to be a lot of objects referenced. He recalled that there was a proposal to deregister objects that didn’t have accurate details. He foresaw a situation in three months where people who did not hear about this policy would have objects deregistered.

Brian said the deregistration policy was not something that would happen overnight. He said there would have to be a proper process of negotiation with the LIR before anything would happen.

Peter Koch, DENIC, said he failed to see a clear problem statement for this proposal. He said if people are not getting a response from abuse contacts, then making it mandatory would not change anything. He said if people are sending abuse reports and it’s not going to the correct address, then he would like to see evidence of this.

Tobias said the problem was that there were too many places where people could add abuse contact details and people are confused. He said the main intention is to have one place where people know they have to put contact information and where other people will know they can find contact information.

Peter said he disagreed there too many places to put contact information already and he said it seemed to be more of an education problem rather than anything else.

Tobias said if you are going to educate people on where to find information, it is easier to do if you know the information is in one place rather than in one or more of 15 locations.

Shane Kerr, Internet Systems Consortium, said there were already references to IRT objects in INETNUM and INET6NUM objects, and he asked if it was not to be mandatory then what was the point of having the proposal.

Brian agreed that this was the crux of the issue.

Tobias said there might be a better way to do things, but it is important that everyone knows how to do it.

Sascha Eilms, ECO/CSA, said he wanted to support the proposal because it showed willingness from the industry to self-regulate and tackle the problem of abuse.

Wilfried Woeber, Database Working Group Co-Chair, said he was a co-architect of the IRT object and had sympathy with the idea that there were too many choices on where to place contact information at the moment. He said that coming up with ways to simplify things does have merit.

Brian asked Tobias if, based on the comments, they could sit down and redraft the policy to be resubmitted, and Tobias agreed to this.

Shane said there was the issue of simplification that most people would agree with, but there was also the issue of making it mandatory. He suggested this should be discussed in the Address Policy Working Group because if the proposal to make this mandatory was accepted this would be a big issue for LIRs.

Peter Koch said making such an attribute mandatory would have major operational implications for the RIPE Database and said the matter of how to apply the technology was also an important issue.

Brian said they would take the comments on board when redrafting and the conversation could continue on the mailing list.

C2. 2010-09 – “Frequent Update Request” and 2010-10 “Change to RIPE 452”

Brian explained that 2010-09 was a proposal to have the RIPE NCC regularly contact all current RIPE Database object holders with resources in the RIPE Database to ask them to actively check that all their details are up-to-date.

He explained that 2010-10 proposed to add a reference to the sponsoring LIR in INETNUM, INET6NUM and AUT-NUM objects to increase the possibility of abuse tracking and handling.

Brian said that these were two huge proposals with major implications. He said he agreed with the proposers to withdraw these proposals, at least temporarily, and set up a RIPE Task Force featuring people from the RIPE Database Working Group and the Anti-Abuse Working Group among others to look at improving the registry and the RIPE Database. He said they wanted to consult the RIPE NCC and other parties to see what was the best way to deal with the issues rather than bringing a number of proposals.

Brian said the two proposals would be withdrawn with the knowledge that the proposers resubmit them if the task force did not make sufficient progress

D. Interactions


D1. Working Groups


Working Group Co-Chair Brian Nisbet noted that there has been a lot of interaction with the RIPE Database Working Group and the RIPE NCC Services Working Group. He said the RIPE Task Force to address issues with the RIPE Database arose from communication with the RIPE NCC Service Working Group, and this task force would feed back to both those working groups as well as the Anti-Abuse Working Group.

D2. CCWP

Brian explained that Wout de Natris chaired the Cybercrime Working Party (CCWP). He said there was a meeting today that saw a number of inputs/outputs from this group. He said the main thing to come out of the meeting was the need for cross training of the groups – technical and policy training for legal enforcements agencies, and information on how to detect dubious registrations for the RIPE NCC and RIPE community.

Brian said the CCWP met approximately four times a year and it has proved to be very useful so far. He said if anyone had any input to bring to the CCWP they should talk to either Brian himself or Jochem de Ruig from the RIPE NCC.

D3. RIPE NCC Gov/LEA Interactions Update

Brian said Paul Rendek from the RIPE NCC covered this area extensively in the RIPE NCC Services Working Group and he did not want to revisit it here.

X. A.O.B.

James Blessing, concerned Internet citizen, said he noticed that Co-Chair Richard Cox tends often not to be present at RIPE Meetings or not involved, unless it is to be hostile towards RIPE itself. He asked if Richard was the correct person to be working group co-chair.

Working Group Co-Chair Brian Nisbet said he contacted Richard and asked him to respond to comments that had been made, but Brian had not heard back from Richard in relation to this.

Jim Reid, Internet citizen, said this was a delicate issue, and even if the co-chair of a working group was critical of RIPE, that is not necessarily a bad thing. He said, however, that his opinion was that Richard crossed a line insofar as his comments were unfair and unjustified, and he confused RIPE with the RIPE NCC in his comments, which is not helpful. He said Richard’s comments unfairly damaged the reputation of RIPE, the RIPE NCC and the Anti-Abuse Working Group.

Rob Blokzijl, RIPE Chair, noted that this is the first time there has been a situation like this in the history of RIPE. Rob noted that the RIPE Chair, the Chairman of the RIPE NCC Executive Board and the RIPE NCC Managing Director met with Richard where they tried to clear up some misunderstandings. He said all three who met with Richard are disappointed that the outcome of this meeting, where they thought issues had been cleared up, were not reflected in subsequent posts from Richard that were published on websites. He said he felt that if you were elected to chair a working group by the RIPE community then you had a responsibility to that community and to its secretariat, the RIPE NCC. He concluded that it would be better for the community if Richard would step down so it would be clear that when he spoke he was speaking for himself and not the RIPE community.

David Freedman, Claranet, read verbatim a public post from Richard to give context to the discussion. (http://www.spamhaus.org/news.lasso?article=663)

Brian said there was no written procedure for the current situation.

Rob said that if you accept that it is up to the RIPE community to appoint working group chairs, then it is implicit that the community has the same responsibility to remove a chair when necessary.

Brian said he did not want to see a protracted discussion about this on the mailing list. He added that he spoke to Richard and asked him to consider his position but there has been no response. He asked if anyone felt the Anti-Abuse Working Group should deal with the situation of if there was any particular way that this situation should be approached.

Michele Neylon, Blacknight, said it was unfortunate there was no written procedure for this situation. He said one individual can cause major problems for a working group, whether they are a co-chair or not, and in such a situation it might be best for that person to move on. He said he respected Richard and the work he does but in this situation some decisive action was needed.

Rob said a possible solution would for both co-chairs to step down, new chairs to be elected at the next RIPE Meeting and for Brian to act as interim chair of the working group until then. He said the simplest solution would be for this working group to decide Richard Cox was no longer a co-chair of the working group and to elect a new co-chair at the next RIPE Meeting.

Peter Koch said the session was already overrun by 15 minutes and that such a delicate issue should not be handled in AOB and overtime for the Working Group.

Jim Reid said that changes of co-chair happen for various reasons and it’s a natural process. He said it seemed as though Richard’s time as co-chair might be over but he would be free to be involved with the working group as any other individual is welcome to be.

Rob said that if nothing were done at this session, there would be potentially six months of damage to the RIPE NCC and six months of damage to the RIPE community. He urged the community to take action at this session.

Sander Steffann, Address Policy Working Group Co-Chair, said if there was a lack of support for a working group chair then that chair should step down.

Shane Kerr, ISC, said he thought this situation might be a reflection of a larger disconnect between people working in Anti-Abuse and the ISPs. He said the Anti-Abuse community often had goals that were very disconnected from the Internet community at large. He said such people could use this as another example of people in the Internet community not listening to their wishes.

Nick Hilliard, INEX, asked what were the contingency plans if Richard refused to step down as co-chair. He said he wasn’t sure it was typical in RIPE for someone to be forced to step down as a working group chair because that working group has lost faith in that chair. He said the RIPE community should address the lack of a formal procedure as a matter of urgency.

James Blessing suggested it might be possible to suspend his chairmanship but it must be made clear that the working group did not support him 100% as co-chair.

Rob said it was not for Richard to decide that he represented the community; rather it was for the community to decide this. He asked the working group to make a decision or else expect to have a difficult six months ahead. He said he did not care what Richard published as long as it was disconnected from the RIPE community.

Remco van Mook, Equinix, said if this working group could not make a decision then it could be disbanded and reformed at the RIPE Plenary with new co-chairs.

Rob said he was happy to support Remco’s proposal. He said he the Anti-Abuse Working Group had until the Closing Plenary session to resolve this matter. He added that it would be good for the whole RIPE community to be aware of its responsibilities in matters such as this one.

Brian said that he was not in favour of this option. He noted that no one had stood up to support Richard’s position as co-chair.

Jim Reid said someone should post a motion of no confidence in Richard to the mailing list.

Brian said the chairs were always elected at RIPE Meetings and there was no requirement to go to the mailing list with this.

Rob said he felt that matters were clear but that no one was willing to say anything formally.

James Blessing said he would be willing to do what was required if he could be told exactly what that was. He asked for audible consensus from the room. The reaction was judged to be consensus.

Brian said he had discussed the matter with Rob prior to the working group session and they agreed that the working group had the authority to appoint its co-chairs and, therefore, to remove them. Brian asked if anyone was willing to stand up and object to Richard Cox being removed as Co-Chair of the Anti-Abuse Working Group. As nobody took this action, Brian declared that consensus had been reached. He said that he would require a new co-chair and he expressed his wishes that one could be in place by the RIPE 62 Meeting.

Z. Close

Brian thanked everyone for attending and for their patience and said he hoped to see everyone at RIPE 62.

The Agenda and all presentations are available at:
http://ripe61.ripe.net/programme/meeting-plan/anti-abuse-agenda/

The stenography transcript of this session is available at:
http://ripe61.ripe.net/archives/steno/4