From marcoh at marcoh.net  Thu Jul 30 12:35:12 2009
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Thu, 30 Jul 2009 12:35:12 +0200
Subject: [anti-abuse-wg] Re: [db-wg] please test email validity in whois records
In-Reply-To: <4A709564.7040304@knutix.de>
References: <4A709564.7040304@knutix.de>
Message-ID: <839D3B1F-414B-4421-BB09-50F929580619@marcoh.net>

Hi Tobias,

Have a look at the archives[1]. I think I answered them years ago already. IRT is virtually non-existent and the database has already been changed to contain abuse related information in an attribute clearly named "abuse-mailbox" to try and get away from the freeform remarks fields people tend to use.

So basically it's all there but nobody uses it, not every address user fills in the right details and when the information is there people are happily ignoring it by only searching for the least specific range.

Now I might be a bit biased regarding the technical solutions being in place but I do think database wise all mechanisms and fields are there. What's left is to get people to use it and I'm not only talking about the people who register address blocks in the database but also the people who retrieve that information (or at least try to).

Now obviously you could try and change the policy that any address blocks registered need to have certain information attached to it, but how to enforce this information is correct and more importantly stays correct and what to do with the over 3 billion addresses registered already today?

Secondly you might still want to try and get more information out there on how to use the information in the ripe database to get to the correct people, we had some attempts when working on the abuse-mailbox attr but it never really took off.

Grtx,

Marco

[1] http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-db-abusec.pdf

On Jul 29, 2009, at 8:31 PM, Tobias Knecht wrote:

> Hi,
>
> we are talking to the Abuse Working Group at the moment and we will
> start a discussion soon about exactly this.
>
> Parts of the discussion will be:
> - IRT Object usage
> - One place to put the abuse@ contact data. (not necessarily making it
> mandatory, but if somebody wants to offer it, everybody should do it at
> the same place.
> - ...
>
> While waiting for that discussion you could have a look at this.
>
> http://www.abusix.de/abuse-contact-db/
>
> We build up this Database and you can use it for free.
> Next step is to get it out the beta status, which has nothing to do with
> the data accuracy, more with speeding up some update processes in the
> backend.
>
> Another thing we are working on at the moment is a validation of email
> addresses we offer and give back status codes for working or not working
> addresses. Since abusix.org is a volunteer driven project, this takes a
> little bit of time. ;-)
>
> So feel free to use it and give us hints or suggestions what is good and
> what is not good.
>
> Thanks,
>
> Tobias
>
> --
> abusix.org
>

From dostaboy at bellsouth.net  Thu Jul 30 13:31:57 2009
From: dostaboy at bellsouth.net (Bruce Fornes)
Date: Thu, 30 Jul 2009 07:31:57 -0400
Subject: [anti-abuse-wg] Attack
Message-ID: <96984C73137943B785AFB61C446419BC@brucefornes>

My home computer is being attacked by 78.47.186.165, 80. So far Symantec has stopped this illegal entry attempt.
Following is the text from my Norton history:

An intrusion attempt by 78.47.186.165 was blocked
Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Risk Name: HTTP Malicious Toolkit Variant Activity
Attacking Computer: 78.47.186.165,80
Attacker URL: kb952069.in/eng.php?grp=15&trk=07292004728241237
Traffic Description: TCP-www-http

I would appreciate if you stop these attacks coming through RIPE.

Bruce Fornes
Valdosta, GA USA

From michele at blacknight.ie  Thu Jul 30 15:11:47 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 30 Jul 2009 14:11:47 +0100
Subject: [anti-abuse-wg] Attack
In-Reply-To: <96984C73137943B785AFB61C446419BC@brucefornes>
References: <96984C73137943B785AFB61C446419BC@brucefornes>
Message-ID: <4007EBD15590AC4BAE51C54C7CA5367E2733FCB458@BKEXCHMBX01.blacknight.local>

They're not coming from RIPE

That IP address is on Hetzner's netblock, so you could try contacting them OR the person / company the block is assigned to

This mailing list is NOT the place to address your concerns - sorry

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

________________________________________
From: anti-abuse-wg-admin at ripe.net [anti-abuse-wg-admin at ripe.net] On Behalf Of Bruce Fornes [dostaboy at bellsouth.net]
Sent: 30 July 2009 12:31
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Attack

My home computer is being attacked by 78.47.186.165, 80. So far Symantec has stopped this illegal entry attempt.
Following is the text from my Norton history:

An intrusion attempt by 78.47.186.165 was blocked
Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Risk Name: HTTP Malicious Toolkit Variant Activity
Attacking Computer: 78.47.186.165,80
Attacker URL: kb952069.in/eng.php?grp=15&trk=07292004728241237
Traffic Description: TCP-www-http

I would appreciate if you stop these attacks coming through RIPE.

Bruce Fornes
Valdosta, GA USA
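
Added example, not part of any message in this thread and not RIPE or abusix code: a sketch of the lookup the thread discusses, picking the most specific registered range that covers an address and reading its "abuse-mailbox" attribute, with fallback to the covering range when the more specific one only has freeform remarks. The sample objects are constructed (documentation address space, made-up names and mailboxes), placing abuse-mailbox directly in the range object is a simplifying assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of RPSL-style objects; not real registry data.
SAMPLE = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-PROVIDER
abuse-mailbox:  abuse@provider.example

inetnum:        198.51.100.64 - 198.51.100.95
netname:        EXAMPLE-CUSTOMER
abuse-mailbox:  abuse@customer.example

inetnum:        198.51.100.128 - 198.51.100.159
netname:        EXAMPLE-NO-CONTACT
remarks:        send complaints to noc (freeform, not machine readable)
"""

def parse_objects(text):
    """Split whois text into objects, each a list of (attribute, value)."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = []
        for line in block.splitlines():
            # Skip server comments and anything that is not "key: value".
            if line.startswith(("%", "#")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            objects.append(attrs)
    return objects

def abuse_contact(text, ip):
    """Return (range, abuse-mailbox) from the most specific covering range
    that carries an abuse-mailbox, or None if no covering range has one."""
    addr = ipaddress.ip_address(ip)
    candidates = []
    for attrs in parse_objects(text):
        if attrs[0][0] != "inetnum":
            continue
        first, _, last = attrs[0][1].partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip())
        if lo <= addr <= hi:
            boxes = [v for k, v in attrs if k == "abuse-mailbox"]
            candidates.append((int(hi) - int(lo), attrs[0][1], boxes))
    for _, rng, boxes in sorted(candidates):  # smallest range first
        if boxes:
            return rng, boxes[0]
    return None
```
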