From brian.nisbet at heanet.ie Mon Mar 2 13:55:49 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 02 Mar 2009 12:55:49 +0000
Subject: [anti-abuse-wg] Call for Agenda Items for RIPE 58
Message-ID: <49ABD755.7020403@heanet.ie>

Colleagues,

As you may have seen, registration has opened for RIPE 58 in Amsterdam. With this in mind I'd like to solicit agenda items for the WG session. We would be especially interested in anti-abuse experiences which involved interaction with government or evolution of legislation, but I do not, in any way, intend to be restrictive.

If you have a presentation or any information that you think may be of interest to the working group, please let Richard or me know.

Regards,

Brian.

From alex at seewald.at Tue Mar 3 19:48:27 2009
From: alex at seewald.at (Dr. Alexander K. Seewald)
Date: Tue, 3 Mar 2009 19:48:27 +0100
Subject: [anti-abuse-wg] passive botnet tracker
Message-ID: <20090303184827.GA25470@sdg.at>

We've built and run a prototype passive botnet tracking system in Austria for the last year. A journal paper is pending and should be ready for the conference - hopefully only a week away from the final version.

The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming packets and classify them into (currently eight) different spambot types based on learned idiosyncrasies of packet and protocol, and reference data (currently by Marshall). The system is based on machine learning techniques, scales extremely well, and can utilize all kinds of reference data. However, to track all spambots worldwide (according to ShadowServer's estimates), we need about 1.5 million unused IP addresses. In times of IPv4 shortage, that is quite a tall order.

Unfortunately, spammers have not switched to IPv6 yet - in the full past year, we could not find a single IPv6 packet originating from a spambot. This will probably change in the future, but until we have enough sample data to train our models, IPv6 cannot be used reliably.

Lack of reference data (i.e. known botnets, bot types, DDoS/spam sending activity etc.) has been our greatest obstacle so far. We intend to extend the system towards TCP/IP stack fingerprinting (for those bots which have their own stack) and towards true botnet tracking (e.g. by analyzing access patterns & timings).

Any comments are welcome. We will try to be at RIPE-58, provided we can get a small talking slot there - half an hour should suffice.

Best,
Alex

-- 
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764

From peter at hk.ipsec.se Tue Mar 3 22:07:29 2009
From: peter at hk.ipsec.se (peter h)
Date: Tue, 3 Mar 2009 22:07:29 +0100
Subject: [anti-abuse-wg] passive botnet tracker
In-Reply-To: <20090303184827.GA25470@sdg.at>
References: <20090303184827.GA25470@sdg.at>
Message-ID: <200903032207.30182.peter@hk.ipsec.se>

On Tuesday 03 March 2009 19.48, Dr. Alexander K. Seewald wrote:
> We've built and run a prototype passive botnet tracking system in
> Austria for the last year. A journal paper is pending and should be
> ready for the conference - hopefully only a week away from the final
> version.
>
> The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming
> packets and classify them into (currently eight) different spambot types
> based on learned idiosyncrasies of packet and protocol, and
> reference data (currently by Marshall). The system is based on
> machine learning techniques, scales extremely well, and can utilize
> all kinds of reference data. However, to track all spambots worldwide
> (according to ShadowServer's estimates), we need about 1.5 million unused
> IP addresses. In times of IPv4 shortage, that is quite a tall order.
>
> Unfortunately, spammers have not switched to IPv6 yet - in the full
> past year, we could not find a single IPv6 packet originating from a
> spambot. This will probably change in the future, but until we have
> enough sample data to train our models, IPv6 cannot be used reliably.
>
> Lack of reference data (i.e. known botnets, bot types, DDoS/spam
> sending activity etc.) has been our greatest obstacle so far. We
> intend to extend the system towards TCP/IP stack fingerprinting (for
> those bots which have their own stack) and towards true botnet
> tracking (e.g. by analyzing access patterns & timings)
>
> Any comments are welcome. We will try to be at RIPE-58, provided we
> can get a small talking slot there - half an hour should suffice.
>
> Best,
> Alex

Technical analysis is at best a forensic tool, possibly useful when a spammer has stood trial.

What we need is legislation and spam hunting, where spamming is made illegal, no excuses allowed, badly managed computers that are taken over by spammers should be a crime, and where the efforts of the law community are switched from the witch-hunting of peer-to-peer networks to hunting spam and the associated criminality. ISPs that do not prevent spam and that do not act upon abuse reports should be made accountable.

Sorry, bot-analysing is interesting, but it does not (much) prevent the disease.

-- 
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)

From ripe-anti-spam-wg at powerweb.de Wed Mar 4 09:21:32 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 04 Mar 2009 09:21:32 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <200903032207.30182.peter@hk.ipsec.se>
References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se>
Message-ID: <49AE3A0C.80301@powerweb.de>

peter h wrote:
> On Tuesday 03 March 2009 19.48, Dr. Alexander K. Seewald wrote:
>> We've built and run a prototype passive botnet tracking system in
>> Austria for the last year.
>> A journal paper is pending and should be ... slot there - half an hour should suffice.
>>
>> Best,
>> Alex
>
> Technical analysis is at best a forensic tool, possibly useful when
> a spammer has stood trial
>
> What we need is legislation and spam hunting, where spamming is made
> illegal, no excuses allowed, badly managed computers that are taken over
> by spammers should be a crime, and where the efforts of the law community
> are switched from the witch-hunting of peer-to-peer networks to
> hunting spam and the associated criminality. ISPs that do not
> prevent spam and that do not act upon abuse reports should be
> made accountable.
>
> Sorry, bot-analysing is interesting, but it does not (much) prevent the disease.

Oh, you are so right ...

And the following makes me really crazy:
- preventing spambotted PCs from sending spam is SOOO easy

I'm talking about the following now for years and nearly nobody is listening to me, but the concept is working here with us perfectly. We identify any of our dial-in customers in minutes easily using only well-known open-source tools and block them out.

I outline it again:
- guess you are a dial-in provider
- guess you provide mail services for your customers
- guess you already have an antispam solution for your customers

And now think about the following:
- is it likely that a spambotted PC, that dials in via one of your dial-in IPs, sends spam to the email address of this particular customer, his family and friends and colleagues or simply any other customer of yours?

YES, it's not only "likely", it's proven, spambots scan Outlook address books, and if the provider is only big enough (it works here for only 10000 mailboxes) ...

... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!!

And that's the point:
- we are using SpamAssassin to identify spam for our email customers, SA has plugins for putting the IP of the real sender or the AS number into the header and surely the logfile
- SA can also use a feature called ALL_TRUSTED, it was introduced to give mail some plus points if they originate from identified customers that already provided some login information (POP auth, SMTP authentication etc.)
- so, if there is an email coming in that
  - has a high spam score (currently it's enough to set this to 20, which is huge for SA) and
  - the spam originated from our own dial-in AS or IP

... then we know immediately that one of our customers either is sending spam on purpose, is spambotted or has whatever problem.

It even detects spambotted PCs that are dialing in via a different provider but are OUR mail customers (through ALL_TRUSTED) and identified here to send mail and use our mailservers.

And do you know what we do then? The script that watches the SA logfile and is alarmed simply tells our RADIUS server to disconnect the customer with the detected IP and changes the password!

Brutal? No, it's wise ...

And what happens then? The customer phones up usually 5 minutes later, we can explain and check the situation, he is cleaning his computer and there is one spambotted PC less in the world.

This is so easy to implement and works perfectly, we only had a few cases so far, because we have mostly business customers with good infrastructure, we never had a false alarm, it stops crazy spam outbreaks and the best is:
- this method is much easier than scanning outgoing email from your customers, which you can only achieve by transparently scanning port 25 or by blocking the port and having all the mail coming through an outgoing mailserver (I guess that's what AOL is doing), and I think that's a bit hard for your customers and very cost-intensive
- furthermore, it will be really hard for the spambots to get around this, because they would need to know which email address belongs to what provider, surely they could check the MX records of every domain, check if there are similarities with the dial-in IP to prevent sending to the same provider, but I guess this will be really hard for them ...

And this will remove any spambotted PC forever.

So, why not force any RIPE member to detect spam on their own incoming mailservers coming from their own dial-in IPs?

RIPE could simply say: implement this, or you are not getting any more IPs, or we cancel your contract right away :o)

RIPE should force TurkTelecom (ttnet.tr) to implement this as a reference and test implementation, this is one country represented by one ISP and they currently cause 8% of the spam we receive here.

Better would be: TurkTelecom should volunteer for this and create a reference documentation and implementation based on open source so any provider could easily adopt from there ...

Anybody from TurkTelecom on the list? Come on, you owe us a lot ...

BTW: we call this method "SPAMTrusted" and there are more details about the implementation online in German under http://dnsbl.de/antispam.shtml

Kind regards, Frank

-- 
Kind regards,
-- 
PHADE Software - PowerWeb                   http://www.powerweb.de
Owner: Dipl.-Inform. Frank Gadegast         mailto:frank at powerweb.de
Schinkelstrasse 17                          fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany       fax: +49 33200 52921
======================================================================

From jrace at attglobal.net Wed Mar 4 09:49:41 2009
From: jrace at attglobal.net (Jeffrey Race)
Date: Wed, 04 Mar 2009 15:49:41 +0700
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49AE3A0C.80301@powerweb.de>
Message-ID: <20090304085559.A35D96A020@postboy.ripe.net>

This simple wheel reinvented many times; need only to apply current knowledge. If someone will work with me we can submit the described RFC as is or improved as needed

based on

Jeffrey Race

From ripe-anti-spam-wg at powerweb.de Wed Mar 4 10:19:53 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 04 Mar 2009 10:19:53 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <200903040849.n248nrPV015367@www.powerweb.de>
References: <200903040849.n248nrPV015367@www.powerweb.de>
Message-ID: <49AE47B9.20601@powerweb.de>

Jeffrey Race wrote:
> This simple wheel reinvented many times; need only to apply
> current knowledge. If someone will work with me we can
> submit the described RFC as is or improved as needed
>
> based on
>

Great. I see two points here:
- the group should define regulations to force RIPE members to detect spam originating from their own IPs
- the group should force members to have a working abuse email address (it's sad that the once defined abuse-mailbox field in RIPE's whois never made it to be a needed field, this should be changed ASAP)

Our own blacklist under http://www.dnsbl.de sends out thousands of spam reports daily to the email addresses of the network administrators found in RIPE's whois.
Most email addresses do not work (user unknown, mailbox full etc.), a lot do send an auto-reply with ticket numbers (Telefonica is great with this), but never an email that the case has been solved, most do not react. Currently there are only 2% answering or fixing the problem.

Why do we not recommend implementing a system at RIPE where abuse reports could be CCed to (including the netblock and the email address a report was sent to, the system then could check if it was the right address and store a timestamp, any ISP should then be informed how he could send an email to RIPE to inform that he's working on it or that the case was fixed) so that RIPE can measure which ISP is really fixing abuse cases?

And: if any ISP collects more than 100 cases that are open for more than two weeks without any reaction, the problem network blocks are simply revoked by RIPE ;o)

RIPE should be able to implement such a harsh system, because any member signed to not pollute the internet already.

Kind regards, Frank

-- 
Kind regards,
-- 
PHADE Software - PowerWeb                   http://www.powerweb.de
Owner: Dipl.-Inform. Frank Gadegast         mailto:frank at powerweb.de
Schinkelstrasse 17                          fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany       fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From fweimer at bfk.de Wed Mar 4 10:20:06 2009
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 04 Mar 2009 10:20:06 +0100
Subject: [anti-abuse-wg] passive botnet tracker
In-Reply-To: <20090303184827.GA25470@sdg.at> (Alexander K. Seewald's message of "Tue, 3 Mar 2009 19:48:27 +0100")
References: <20090303184827.GA25470@sdg.at>
Message-ID: <82wsb563w9.fsf@mid.bfk.de>

* Alexander K. Seewald:

> The gist: Based on a darknet (i.e. unused IP addresses), we analyze
> incoming packets and classify them into (currently eight) different
> spambot types based on learned idiosyncrasies of packet and
> protocol, and reference data (currently by Marshall).

Why do you expect bots to touch dark address space?

Or put differently, I think any approach based on darkspace monitoring significantly restricts the types of bots you can detect.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From johnpc at xs4all.net Wed Mar 4 10:47:52 2009
From: johnpc at xs4all.net (Jan Pieter Cornet)
Date: Wed, 4 Mar 2009 10:47:52 +0100
Subject: [anti-abuse-wg] passive botnet tracker
In-Reply-To: <82wsb563w9.fsf@mid.bfk.de>
References: <20090303184827.GA25470@sdg.at> <82wsb563w9.fsf@mid.bfk.de>
Message-ID: <20090304094752.GK17125@xs4all.net>

On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
>
> > The gist: Based on a darknet (i.e. unused IP addresses), we analyze
> > incoming packets and classify them into (currently eight) different
> > spambot types based on learned idiosyncrasies of packet and
> > protocol, and reference data (currently by Marshall).
>
> Why do you expect bots to touch dark address space?
>
> Or put differently, I think any approach based on darkspace monitoring
> significantly restricts the types of bots you can detect.

Not if you use "dark" corners of your own PA space, e.g. unused /28s in your DSL space, or hosting space.

-- 
Jan-Pieter Cornet
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
From fweimer at bfk.de Wed Mar 4 11:12:35 2009
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 04 Mar 2009 11:12:35 +0100
Subject: [anti-abuse-wg] passive botnet tracker
In-Reply-To: <20090304094752.GK17125@xs4all.net> (Jan Pieter Cornet's message of "Wed, 4 Mar 2009 10:47:52 +0100")
References: <20090303184827.GA25470@sdg.at> <82wsb563w9.fsf@mid.bfk.de> <20090304094752.GK17125@xs4all.net>
Message-ID: <82hc2961gs.fsf@mid.bfk.de>

* Jan Pieter Cornet:

>> Why do you expect bots to touch dark address space?
>>
>> Or put differently, I think any approach based on darkspace monitoring
>> significantly restricts the types of bots you can detect.
>
> Not if you use "dark" corners of your own PA space, e.g. unused /28s in
> your DSL space, or hosting space.

Again, why would this work? There seems to be an underlying assumption that all bots gather information through scanning (possibly neighboring) addresses, but this is simply not true.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From brian.nisbet at heanet.ie Wed Mar 4 11:18:46 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 04 Mar 2009 10:18:46 +0000
Subject: [anti-abuse-wg] passive botnet tracker
In-Reply-To: <20090303184827.GA25470@sdg.at>
References: <20090303184827.GA25470@sdg.at>
Message-ID: <49AE5586.7020203@heanet.ie>

Alex,

Dr. Alexander K. Seewald wrote the following on 03/03/2009 18:48:
> We've built and run a prototype passive botnet tracking system in
> Austria for the last year. A journal paper is pending and should be
> ready for the conference - hopefully only a week away from the final
> version.

> Any comments are welcome. We will try to be at RIPE-58, provided we
> can get a small talking slot there - half an hour should suffice.

I think that the WG would be interested in hearing more about this work and I feel sure that time can be made during the session on Thursday. We can likely discuss further arrangements off-list.

Thanks,

Brian.

From brian.nisbet at heanet.ie Wed Mar 4 11:26:16 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 04 Mar 2009 10:26:16 +0000
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49AE47B9.20601@powerweb.de>
References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de>
Message-ID: <49AE5748.1070806@heanet.ie>

Frank/Jeffrey,

Frank Gadegast wrote the following on 04/03/2009 09:19:
> Jeffrey Race wrote:
>> This simple wheel reinvented many times; need only to apply
>> current knowledge. If someone will work with me we can submit the
>> described RFC as is or improved as needed
>>
>> based on
>>
> (it's sad that the once defined abuse-mailbox field
> in RIPE's whois never made it to be a needed field,
> this should be changed ASAP)

> Why do we not recommend implementing a system
> at RIPE, where abuse reports could be CCed to
> (including the netblock and the email address
> a report was sent to, the system then could
> check if it was the right address and store
> a timestamp, any ISP should then be informed
> how he could send an email to RIPE to inform
> that he's working on it or that the case was
> fixed) so that RIPE can measure which ISP is really
> fixing abuse cases?
>
> And: if any ISP collects more than 100
> cases that are open for more than two weeks
> without any reaction, the problem network
> blocks are simply revoked by RIPE ;o)

It sounds quite like you have a policy proposal in mind here and the Policy Development Process (PDP) is the way to progress this, should you wish. More information on the PDP can be found here:

http://www.ripe.net/ripe/docs/pdp.html

Obviously the WG chairs are available to help you with this process. Certainly there would be opportunity to discuss such things in the WG session at RIPE 58.

Regards,

Brian.
From ripe-anti-spam-wg at powerweb.de Wed Mar 4 11:26:49 2009 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 04 Mar 2009 11:26:49 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <20090304094203.GJ17125@xs4all.net> References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3A0C.80301@powerweb.de> <20090304094203.GJ17125@xs4all.net> Message-ID: <49AE5769.6040506@powerweb.de> Jan Pieter Cornet wrote: Hi, > On Wed, Mar 04, 2009 at 09:21:32AM +0100, Frank Gadegast wrote: >> And the following makes me really crazy: >> - preventing spambotted PCs from sending spam is SOOO easy >> > [...] >> ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!! > > This fails in two ways. First, not all spambots send spam to your own I must correct you, the system is working perfectly here. We identified a couple of users using our own dial-in IPs and fixed them forever after we implemented the SPAMTrusted system. New customers nearly never a problem, because they get informed all right directly after they sign. This had the nice effect that most customers are now aware of how to protect themselve of beeing abused. And the system detected a lot of email customers coming from other dial-in Providers and helped them too. > servers, as some specifically target eg hotmail.com or hinet.net. Also Also true, but its a minority. Th only case where this does not work is, when a dial-in customer does not provide email services at all. It works on any others. An example: the biggest ISP in Germany is T-Online, we are working closely together with them and have a lot of feedback. We identify customers that dial-in via T-Online, but authenticate here, because they have mail- and webservices with us and use our mailserver to send mail out. 
And it has happened quite often already that the spambot also sent spam out to one of our other mailservers (we have about 3000 other domains with about 200 different mailservers). We detect this and send lists to T-Online, and they really take care; after it has been running for 2 years now, we only receive very little spam from T-Online IPs ... > be aware that a lot of spam is specifically targeted not to be detected One detected spam with a high score is enough. Don't forget that spammers work together and share the spambot networks. Only one detectable spam is enough. And our SA setup detects about 98% of all spam correctly without any false positives. That's more than enough. > by standard scanners, so especially when a spamrun just starts, it will > take at least an hour, even for signature based systems, to see it. (Of Why that? SA scans any incoming mail in real time. Any scan takes a maximum of 3 seconds, even on slow servers. And our alarm script sends us a warning mail at just that moment. It's as quick as hell ;o) T-Online only receives a daily report, ok, they cannot block the user right away, but they can identify him automatically using their RADIUS logs and they take appropriate actions. > course, monitoring abuse@ will eventually let you catch those) > > Second, there are also legitimate reasons people send spammish-looking > mail to your own mailservers. For example, if someone runs their own That's true (maybe not for us, because we are small, but true for bigger providers), but that's why you can set the threshold for SA very high. It's still detecting the right ones. And: if any provider does not like it, to block them out right away, they can still identify the user, check the alarm manually and decide what to do. T-Online told us that they have far less to do since they automated the reports.
> mailserver on their DSL line, they point an MX record for some domain to > themselves, and then forwards mail for that domain to one (or a few) of > your mailboxes, using none or only minimal spamfiltering. The result is > spam coming from that node, but all of it is "legit", in the sense that > it is supposed to flow that way. That is not a usual setup, but true if they even forward mail through their own internal mailserver to the external mailserver of their provider (often used when customers do not want to open their mailserver for webmail, CC their mails to the provider, so that their workers can use webmail there). But scripts can send warning alarms only, or even whitelist some IPs. Most providers also have different netblocks for customers with fixed IPs (don't forget that you need a fixed IP and a decent reverse mapping to run a real mailserver). This changes nothing about the fact that the system works perfectly for most spambotted PCs. And remember: any detected spambot also reduces the problem for viruses, hacked servers (most attacks here are coming from dial-in IPs) and password scanners and so on ... Let's reduce the spambotted PCs in the RIPE region by, let's say, only 50% and everybody lives much more peacefully. And: if RIPE does something like that, it is likely that other registries create something like this too, so we could start a real world-wide detection. > Another reason would be a badly configured mail server that backscatters > on a DSL line, that happens to touch your incoming servers. Not strictly > spam (yet still unwanted), but it's probably too harsh to completely > disconnect the customer. Any ISP can decide what to do exactly. Important is that the provider detects a lot of them, and that works. And it works so well, compared to the resources and knowledge that you need to implement it. We only had to write one script, configure SA the right way, and the system was running only one day after I had the idea.
We realized for our customers that it works. There is no backscatter here for dial-in customers with their own email server, or it's whitelisted. > I'm not saying you shouldn't monitor your own spamscanner for your own > IPs, just that it isn't as black and white a picture as you make us Yes, anybody should do this. So why not create a recommendation from RIPE? Most providers are not aware that they can easily detect most spambotted PCs dialing into their own network. And that's the main problem: they are not aware, do not take care and nobody is forcing them to deal with the problem. I thought it's the idea of this group to give recommendations? > believe it is. For example, combining this data with abuse reports will > prove very valuable, and that could even be automated. YES, YES, YES! > What we do is simply volume counting, combined with a whitelist of > known-good massmailers. Also make sure you count bounces and rejected > addresses, and flag anyone that goes over a few % bad addresses. And We are experienced with this, our blacklist http://www.dnsbl.de works this way. We even throw a lot of reports away, because we cannot be sure (automatically) if they are bounces or any other doubtful spam. Or it would be too complicated to program an automatic decision. But there are still enough reports coming out of the system. > there will soon be network filters (user customizable, default on) that > prevent access to other mailservers than our own. Also a great idea. I also find it very hard to block port 25 completely, and it's great to block them and give the customer an interface to whitelist some, if they have mail service with another provider. Kind regards, Frank With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Owner: Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 phone: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de

From alex at seewald.at Wed Mar 4 12:04:30 2009 From: alex at seewald.at (Dr. Alexander K. Seewald) Date: Wed, 4 Mar 2009 12:04:30 +0100 Subject: [anti-abuse-wg] passive botnet tracker In-Reply-To: <82wsb563w9.fsf@mid.bfk.de> References: <20090303184827.GA25470@sdg.at> <82wsb563w9.fsf@mid.bfk.de> Message-ID: <20090304110430.GA4559@sdg.at>
On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote: > * Alexander K. Seewald: > > > The gist: Based on a darknet (i.e. unused IP addresses), we analyze > > incoming packets and classify them into (currently eight) different > > spambot types based on learned idiosyncrasies of packet and > > protocol, and reference data (currently by Marshall). > Why do you expect bots to touch dark address space? Sorry, I did not mean dark address space, but unused IP addresses. Bots touch these for proliferation purposes. > Or put differently, I think any approach based on darkspace monitoring > significantly restricts the types of bots you can detect. In last year's project with a small 256-IP darknet, we were able to detect about half of the spambot types from our reference data very well. The paper should be ready in a few weeks. The advantage is that it is a purely passive approach which cannot be detected (i.e. the unused IP address looks exactly like an unused IP address - we don't even send out SYN packets like other darknet approaches), and it tracks the bot's proliferation function, which is primary to their functionality (at least for those parts of the bot population which proliferate - there might be parts with specialized functions outside which we would be unable to detect with our system). Best, Alex -- Dr. Alexander K. Seewald Seewald Solutions www.seewald.at Tel.
+43(664)1106886 Fax. +43(1)2533033/2764

From alex at seewald.at Wed Mar 4 12:13:34 2009 From: alex at seewald.at (Dr. Alexander K. Seewald) Date: Wed, 4 Mar 2009 12:13:34 +0100 Subject: [anti-abuse-wg] passive botnet tracker In-Reply-To: <82hc2961gs.fsf@mid.bfk.de> References: <20090303184827.GA25470@sdg.at> <82wsb563w9.fsf@mid.bfk.de> <20090304094752.GK17125@xs4all.net> <82hc2961gs.fsf@mid.bfk.de> Message-ID: <20090304111334.GC4559@sdg.at>
On Wed, Mar 04, 2009 at 11:12:35AM +0100, Florian Weimer wrote: > There seems to be an underlying assumption that all bots gather > information through scanning (possibly neighboring) addresses, but > this is simply not true. No, we have collected about twelve months of traffic from four /26 subnets and were able to recognize about half of the spambots from single-packet data alone, using a machine learning system trained on packet features (excluding obvious correlations such as TCP source port). We suspect this is due to non-random ICMP payloads, TCP option ordering and UDP payloads. There is no compelling reason for this data to be there; we were as surprised as you seem to be. Best, Alex -- Dr. Alexander K. Seewald Seewald Solutions www.seewald.at Tel. +43(664)1106886 Fax. +43(1)2533033/2764

From fweimer at bfk.de Wed Mar 4 11:56:35 2009 From: fweimer at bfk.de (Florian Weimer) Date: Wed, 04 Mar 2009 11:56:35 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AE3167.6010306@powerweb.de> (Frank Gadegast's message of "Wed, 04 Mar 2009 08:44:39 +0100") References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3167.6010306@powerweb.de> Message-ID: <828wnl5zfg.fsf@mid.bfk.de>
* Frank Gadegast: > And the following makes me really crazy: > - preventing spambotted PCs from sending spam is SOOO easy The detection problem has been solved years ago, agreed. There are multiple, working solutions.
> YES, it's not only "likely", it's proven, spambots scan outlook address > books, and if the provider is only big enough (it works here for > only 10000 mailboxes) ... > ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!! And even if that doesn't happen for you due to some strange scenario, there are tons of free, external data feeds to which you can subscribe which provide you with high-quality data about compromised customer PCs. > the customer phones up usually 5 minutes later, we can explain > and check the situation, he is cleaning his computer and > there is one spambotted PC less in the world. Cleaning up the PC costs between 100 and 200 EUR. Someone needs to absorb those costs. Detection is solved, but response is still an open problem. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

From alex at seewald.at Wed Mar 4 12:34:31 2009 From: alex at seewald.at (Dr. Alexander K. Seewald) Date: Wed, 4 Mar 2009 12:34:31 +0100 Subject: [anti-abuse-wg] passive botnet tracker (combined reply) Message-ID: <20090304113431.GD4559@sdg.at>
Peter, I think that focussing just on spam is misleading. Although it is currently the most profitable use of botnets, other uses are already demonstrated, such as DDoS, distributed password/encryption cracking, phishing - which could work without spam in several scenarios (e.g. changing HOSTS on the local PC, hacking DNS servers, etc.) - and most of these would tend to give spammers a way to make money without spam. So it is important to find out what they are doing and how many there are. Frank, I applaud your system. By your fast response you even get rid of the problem with static vs. dynamic IP addresses. As long as the major business for botnets is spam, this will continue to work.
Of course if only a small set of providers use it, spammers will simply stop using your mailserver to send spam once it begins to hurt them. Yes, it is relatively trivial to get the IP from the full mail headers (although it is safer to check the IP during the SMTP conversation - I once did a test and there was a difference of about 1% where IP addresses did not match). I even once wrote a system in 2004 to analyze each mail, check whois, find out the abuse email address and send an automatically generated abuse report there... used it for a few months, but as there was absolutely no response (well, some email providers complained that they cannot control what their users do...) I stopped it. Our system could be used in a similar way, but tracks even inactive bots which are currently not used to send out spam. Of course they need to generate some other traffic, the nature of which is currently not well understood. Best, Alex -- Dr. Alexander K. Seewald Seewald Solutions www.seewald.at Tel. +43(664)1106886 Fax. +43(1)2533033/2764

From EHH_TF at msn.com Wed Mar 4 16:04:09 2009 From: EHH_TF at msn.com (Helmut) Date: Wed, 4 Mar 2009 15:04:09 +0000 Subject: Sv: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3167.6010306@powerweb.de> <828wnl5zfg.fsf@mid.bfk.de> Message-ID:
Hi guys, Sorry, but I don't understand what kind of discussion is going on. What do I have to do with it and why am I getting all these mails? Please exclude me from the mailing list! Thanks!
Best regards, Helmut _______________________________________ -------Original message------- From: Florian Weimer Date: 2009-03-04 12:11:06 To: frank at powerweb.de Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted * Frank Gadegast: > And the following makes me really crazy: > - preventing spambotted PCs from sending spam is SOOO easy The detection problem has been solved years ago, agreed. There are multiple, working solutions. > YES, it's not only "likely", it's proven, spambots scan outlook address > books, and if the provider is only big enough (it works here for > only 10000 mailboxes) ... > ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!! And even if that doesn't happen for you due to some strange scenario, there are tons of free, external data feeds to which you can subscribe which provide you with high-quality data about compromised customer PCs. > the customer phones up usually 5 minutes later, we can explain > and check the situation, he is cleaning his computer and > there is one spambotted PC less in the world. Cleaning up the PC costs between 100 and 200 EUR. Someone needs to absorb those costs. Detection is solved, but response is still an open problem. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
From fweimer at bfk.de Wed Mar 4 16:11:34 2009 From: fweimer at bfk.de (Florian Weimer) Date: Wed, 04 Mar 2009 16:11:34 +0100 Subject: Sv: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: (Helmut's message of "Wed, 4 Mar 2009 15:04:09 +0000") References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3167.6010306@powerweb.de> <828wnl5zfg.fsf@mid.bfk.de> Message-ID: <82r61d2uhl.fsf@mid.bfk.de>
* Helmut: > Sorry, but I don't understand what kind of discussion is going on. > What do I have to do with it and why am I getting all these mails? > Please exclude me from the mailing list! Does anybody know how to view mail headers using IncrediMail? Helmut, you could try sending an unsubscribe message to (just put "unsubscribe" in the subject line). But this won't work if you're subscribed with an address different from the one you're currently using. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

From johnpc at xs4all.nl Wed Mar 4 10:42:03 2009 From: johnpc at xs4all.nl (Jan Pieter Cornet) Date: Wed, 4 Mar 2009 10:42:03 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AE3A0C.80301@powerweb.de> References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3A0C.80301@powerweb.de> Message-ID: <20090304094203.GJ17125@xs4all.net>
On Wed, Mar 04, 2009 at 09:21:32AM +0100, Frank Gadegast wrote: > And the following makes me really crazy: > - preventing spambotted PCs from sending spam is SOOO easy > [...] > ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!! This fails in two ways. First, not all spambots send spam to your own servers, as some specifically target eg hotmail.com or hinet.net.
Also be aware that a lot of spam is specifically targeted not to be detected by standard scanners, so especially when a spamrun just starts, it will take at least an hour, even for signature based systems, to see it. (Of course, monitoring abuse@ will eventually let you catch those.) Second, there are also legitimate reasons people send spammish-looking mail to your own mailservers. For example, if someone runs their own mailserver on their DSL line, they point an MX record for some domain to themselves, and then forward mail for that domain to one (or a few) of your mailboxes, using none or only minimal spamfiltering. The result is spam coming from that node, but all of it is "legit", in the sense that it is supposed to flow that way. Another reason would be a badly configured mail server that backscatters on a DSL line, that happens to touch your incoming servers. Not strictly spam (yet still unwanted), but it's probably too harsh to completely disconnect the customer. I'm not saying you shouldn't monitor your own spamscanner for your own IPs, just that it isn't as black and white a picture as you make us believe it is. For example, combining this data with abuse reports will prove very valuable, and that could even be automated. What we do is simply volume counting, combined with a whitelist of known-good massmailers. Also make sure you count bounces and rejected addresses, and flag anyone that goes over a few % bad addresses. And there will soon be network filters (user customizable, default on) that prevent access to other mailservers than our own. -- Jan-Pieter Cornet !! Disclaimer: The addressee of this email is not the intended recipient. !! !! This is only a test of the echelon and data retention systems. Please !! !! archive this message indefinitely to allow verification of the logs. !!
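The two detection ideas traded in this exchange, as an added Python example that is not code from either poster (neither the PowerWeb SPAMTrusted script nor the XS4ALL counters are shown in the thread): `check_inbound` implements the SPAMTrusted check Frank Gadegast describes above (inbound mail scored by SpamAssassin whose connecting IP falls inside the provider's own dial-in ranges), and `flag_outbound` implements the volume counting Jan-Pieter Cornet describes, with a known-good whitelist and a bounced/rejected-recipient ratio. The netblocks, MX hostnames, thresholds, Received-header layout, relay log line format and all sample data are constructed assumptions for this example. The connecting IP is taken only from the Received line written by one of our own MXes, since every line below it was supplied by the sender; checking the address during the SMTP conversation itself, as noted elsewhere in this thread, is the safer equivalent.

```python
import ipaddress
import re
from collections import defaultdict

# All prefixes, hostnames and thresholds below are constructed for this example.
OWN_DIALIN = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
OWN_MX = {"mx1.example.net", "mx2.example.net"}        # hostnames of our own MXes
WHITELIST = {ipaddress.ip_address("198.51.100.250")}  # known-good bulk sender

SA_ALERT_THRESHOLD = 15.0   # set high on purpose: one clear hit is enough
VOLUME_THRESHOLD = 500      # relayed messages per window from one access IP
BAD_RATIO_THRESHOLD = 0.05  # more than a few % bounced/rejected recipients
MIN_SAMPLE = 50             # do not judge a ratio on a handful of messages

# Received line as written by a Postfix-style MX: "from host (host [ip]) by mx ...".
# Folded (multi-line) headers are assumed to have been unfolded already.
RECEIVED_RE = re.compile(
    r"^Received: from \S+ \([^)]*\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\)\s+by (?P<by>\S+)", re.M)
SA_STATUS_RE = re.compile(r"^X-Spam-Status: (?:Yes|No), score=(?P<score>-?[\d.]+)", re.M)
LOG_RE = re.compile(r"client=(?P<ip>[\d.]+) .*status=(?P<status>sent|bounced|rejected)")


def is_own_dialin(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_DIALIN)


def connecting_ip(headers: str):
    """IP of the client that connected to one of OUR MXes.  Only the Received
    line our MX wrote is trustworthy; lines below it were supplied by the sender
    and may be forged, so key on the 'by' host and take the topmost hit."""
    for m in RECEIVED_RE.finditer(headers):
        if m.group("by") in OWN_MX:
            return m.group("ip")
    return None


def check_inbound(headers: str):
    """Inbound mail with a high SpamAssassin score whose connecting IP is one of
    our own access customers.  Returns an alert dict, or None."""
    ip = connecting_ip(headers)
    score_m = SA_STATUS_RE.search(headers)
    if ip is None or score_m is None:
        return None
    score = float(score_m.group("score"))
    if is_own_dialin(ip) and score >= SA_ALERT_THRESHOLD:
        return {"ip": ip, "score": score}
    return None


def flag_outbound(log_lines):
    """Per-client volume and bounce/reject ratio over relay log lines; a client is
    flagged for raw volume, or for a bad-recipient share above the threshold once
    there are enough messages to judge.  Whitelisted bulk senders are skipped."""
    stats = defaultdict(lambda: {"total": 0, "bad": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or ipaddress.ip_address(m.group("ip")) in WHITELIST:
            continue
        s = stats[m.group("ip")]
        s["total"] += 1
        if m.group("status") != "sent":
            s["bad"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["bad"] / s["total"]
        if s["total"] >= VOLUME_THRESHOLD or (s["total"] >= MIN_SAMPLE and ratio > BAD_RATIO_THRESHOLD):
            flagged[ip] = {"total": s["total"], "bad_ratio": round(ratio, 3)}
    return flagged


# Constructed sample data (not real mail or logs).  The second Received line is a
# forged one placed below the line our MX wrote; it must not change the result.
SAMPLE_SPAM = (
    "Received: from p77.dip.example.net (p77.dip.example.net [192.0.2.77]) by mx1.example.net (Postfix) with ESMTP id 1\n"
    "Received: from [10.0.0.5] (forged.example [203.0.113.9]) by mx1.example.net\n"
    "X-Spam-Status: Yes, score=23.4 required=5.0 tests=BAYES_99\n"
    "Subject: hello\n")
SAMPLE_HAM = SAMPLE_SPAM.replace("score=23.4", "score=2.1")
SAMPLE_FOREIGN = SAMPLE_SPAM.replace("[192.0.2.77]", "[203.0.113.9]")


def _mk(ip, sent, bad):
    return ([f"2009-03-04T10:00:00 client={ip} rcpt=u{i}@example.org status=sent" for i in range(sent)]
            + [f"2009-03-04T10:00:00 client={ip} rcpt=x{i}@example.org status=bounced" for i in range(bad)])


SAMPLE_LOG = _mk("192.0.2.10", 60, 0) + _mk("192.0.2.20", 80, 20) + _mk("192.0.2.30", 520, 0) + _mk("198.51.100.250", 700, 0)

if __name__ == "__main__":
    print(check_inbound(SAMPLE_SPAM), check_inbound(SAMPLE_HAM), check_inbound(SAMPLE_FOREIGN))
    print(flag_outbound(SAMPLE_LOG))
```

`check_inbound` expects the headers after SpamAssassin has added `X-Spam-Status`, so in practice it runs in the MTA's content-filter stage; the high threshold reflects the point made above that one clear hit per customer is enough, and a human still sees the alert before anything is reported onward. `flag_outbound` is deliberately separate, since the two signals come from different logs (inbound MX versus outbound relay) and complement each other: a bot that never touches our MX still shows up in the relay counters.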
From aguillar at ripe.net Wed Mar 4 16:23:39 2009 From: aguillar at ripe.net (Alix Guillard) Date: Wed, 04 Mar 2009 16:23:39 +0100 Subject: Sv: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3167.6010306@powerweb.de> <828wnl5zfg.fsf@mid.bfk.de> Message-ID: <49AE9CFB.1080204@ripe.net>
Helmut wrote: > Sorry, but I don't understand what kind of discussion is going on. > What do I have to do with it and why am I getting all these mails? > Please exclude me from the mailing list! > *Thanks!* I removed the address EHH_TF at msn.com from the list. -- Alix Guillard RIPE NCC Webmaster - http://ripe.net/

From jorgen at hovland.cx Wed Mar 4 17:44:28 2009 From: jorgen at hovland.cx (Jørgen Hovland) Date: Wed, 04 Mar 2009 17:44:28 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AE47B9.20601@powerweb.de> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> Message-ID: <49AEAFEC.3090804@hovland.cx>
Hello, From many previous discussions I have a hard time believing that you will ever reach consensus on the definition of what spam is. Trying to ban it would therefore be an even more difficult task. I think the government is doing a good enough job defining basic rules. Customers actually pay me to reject your email. Isn't that great! If you stop sending, my income will decrease. That makes me sad. Please don't stop (really)! With regards to a valid contact email address, not valid abuse email address, I still believe that it should be optional. Cheers, Frank Gadegast wrote: > Jeffrey Race wrote: >> This simple wheel reinvented many times; need only to apply >> current knowledge. If someone will work with me we can submit the >> described RFC as is or improved as needed >> >> >> >> based on >> >> > > Great.
> > I see two points here: > > - the group should define regulations to force > RIPE members to detect spam originating from > their own IPs > - the group should force members to have > a working abuse email address > > > (it's sad that the once defined abuse-mailbox field > in RIPE's whois never made it to be a needed field, > this should be changed ASAP) > > Our own blacklist under > http://www.dnsbl.de > sends out thousands of spam reports daily > to the email addresses of the network > administrators found in RIPE's whois. > Most email addresses do not work (user unknown, > mailbox full and so on), a lot do send auto-replies > with ticket numbers (Telefonica is great with > this), but never an email that > the case has been solved; most do not react. > > Currently there are only 2% answering or fixing > the problem. > > Why do we not recommend to implement a system > at RIPE, where abuse reports could be CCed to > (including the netblock and the email address > a report was sent to, the system then could > check if it was the right address and store > a timestamp, any ISP should then be informed > how he could send an email to RIPE to inform > that he's working on it or that the case was > fixed) so that RIPE can measure which ISP is really > fixing abuse cases? > > And: if any ISP collects more than 100 > cases that are open for more than two weeks > without any reaction, the problem network > blocks are simply revoked by RIPE ;o) > > > RIPE should be able to implement such a > harsh system, because any member signed > to not pollute the internet already.
> > > Kind regards, Frank > >> >> Jeffrey Race >> >> >> > >

From johnpc at xs4all.net Wed Mar 4 16:46:37 2009 From: johnpc at xs4all.net (Jan Pieter Cornet) Date: Wed, 4 Mar 2009 16:46:37 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AEAFEC.3090804@hovland.cx> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> Message-ID: <20090304154637.GU17125@xs4all.net>
On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote: > From many previous discussions I have a hard time believing that you will > ever reach consensus on the definition of what spam is. Trying to ban it Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host. > With regards to a valid contact email address, not valid abuse > email address, I still believe that it should be optional. What should be optional? The abuse address? The contact address? The validity? I think it's very reasonable to require all netblocks to have a valid contact email address. (PS- Jørgen: your mail server rejected my direct message to you. You may want to fix that) -- Jan-Pieter Cornet !! Disclaimer: The addressee of this email is not the intended recipient. !! !! This is only a test of the echelon and data retention systems. Please !! !! archive this message indefinitely to allow verification of the logs. !!
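Returning to the passive botnet tracker discussed earlier in the thread: Alexander Seewald writes that single packets arriving at unused addresses could be recognised from features such as TTL and TCP option ordering, and that the system may be extended toward TCP/IP stack fingerprinting. The following is an added Python example, not the Seewald Solutions system or its reference data, showing the passive side of that idea: parse a raw IPv4/TCP SYN received on an unused address, extract those per-packet features, and look them up in a small signature table. The signature table, its labels, the TTL rounding rule and the sample packets are all constructed for illustration; the two OS entries follow commonly cited SYN option orders, the third is a made-up minimal-stack signature, and the table lookup stands in for the trained classifier the thread mentions.

```python
import struct

# Constructed reference table: (initial TTL, DF bit, TCP option order) -> label.
# Option kinds: 2=MSS 1=NOP 3=WScale 4=SACK-permitted 8=Timestamp.  The two OS
# entries follow commonly cited SYN option orders; the third is a made-up
# minimal-stack signature standing in for a bot with its own TCP/IP code.
SIGNATURES = {
    (128, True, (2, 1, 3, 1, 1, 4)): "windows-like-stack",
    (64, True, (2, 4, 8, 1, 3)): "linux-like-stack",
    (128, False, (2,)): "minimal-stack-bot",
}


def parse_tcp_options(opts: bytes):
    """Option kinds in on-wire order, plus MSS and window scale if present.
    Stops at the first malformed option instead of reading past the buffer."""
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL
            kinds.append(kind)
            break
        if kind == 1:                      # NOP is a single byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        data = opts[i + 2:i + length]
        kinds.append(kind)
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            wscale = data[0]
        i += length
    return kinds, mss, wscale


def packet_features(pkt: bytes):
    """Features of a raw IPv4/TCP packet; None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    _total, _ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 6:
        return None
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    kinds, mss, wscale = parse_tcp_options(tcp[20:data_off])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
        "sport": sport, "dport": dport, "syn_only": (off_flags & 0x1FF) == 0x002,
        "opt_order": tuple(kinds), "mss": mss, "wscale": wscale,
    }


def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value (64/128/255)."""
    return next((t for t in (64, 128, 255) if ttl <= t), 255)


def classify(pkt: bytes):
    """Signature lookup on a SYN; a learned model would replace this table."""
    f = packet_features(pkt)
    if f is None or not f["syn_only"]:
        return None
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["df"], f["opt_order"]), "unknown")


def build_syn(src: str, ttl: int, df: bool, options: bytes, window: int = 8192) -> bytes:
    """Constructed test packet: IPv4 header + TCP SYN to port 25 with the given
    options (already padded to 4 bytes).  Checksums are left at zero."""
    assert len(options) % 4 == 0
    data_off = 20 + len(options)
    tcp = struct.pack("!HHIIHH", 40000, 25, 1, 0, (data_off // 4) << 12 | 0x002, window)
    tcp += b"\x00\x00\x00\x00" + options          # checksum + urgent pointer, then options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(int(x) for x in src.split(".")), bytes([203, 0, 113, 250]))
    return ip + tcp


# Constructed SYNs "arriving" at an unused address (203.0.113.250).
WIN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])                 # MSS 1460, WS 8
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])
BOT_OPTS = bytes([2, 4, 0x05, 0xB4])
SAMPLE_WINDOWS = build_syn("198.51.100.23", 117, True, WIN_OPTS)
SAMPLE_LINUX = build_syn("192.0.2.44", 52, True, LINUX_OPTS)
SAMPLE_BOT = build_syn("203.0.113.77", 121, False, BOT_OPTS)

if __name__ == "__main__":
    for p in (SAMPLE_WINDOWS, SAMPLE_LINUX, SAMPLE_BOT):
        print(packet_features(p)["src"], classify(p))
```

Nothing is ever sent back, which is the property the thread stresses: the unused address stays indistinguishable from an unused address. The option parser bounds every read against the buffer, since a sensor on a darknet receives exactly the malformed packets a hand-rolled bot stack produces; a sniffer that trusts the length byte is itself a target.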
From jorgen at hovland.cx Wed Mar 4 18:35:44 2009 From: jorgen at hovland.cx (Jørgen Hovland) Date: Wed, 04 Mar 2009 18:35:44 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <20090304154637.GU17125@xs4all.net> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> Message-ID: <49AEBBF0.9010708@hovland.cx>

From ripe-anti-spam-wg at powerweb.de Wed Mar 4 17:29:11 2009 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 04 Mar 2009 17:29:11 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <20090304154637.GU17125@xs4all.net> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> Message-ID: <49AEAC57.4080104@powerweb.de>
Jan Pieter Cornet wrote: > On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote: >> From many previous discussions I have a hard time believing that you will >> ever reach consensus on the definition of what spam is. Trying to ban it > > Definition, yes. UBE is usually easier to define and is practically > equivalent to spam. But pretty much everyone recognizes a spam if they > see one. It is therefore easy for a human to detect spam and take > corrective action against a spammer or spamming host. > >> With regards to a valid contact email address, not valid abuse >> email address, I still believe that it should be optional. > > What should be optional? The abuse address? The contact address? The > validity? I think it's very reasonable to require all netblocks to have > a valid contact email address. Please do not forget that the abuse field should be machine readable; currently the abuse address is somewhere hidden in remark fields, normal email fields or other things.
This is pretty much work for a programmer if he likes to report spam automatically. Most providers do not like it when it's machine readable, because spammers will flood these addresses and these addresses cannot be used together with content filters, because reports quite often contain snippets from real spam. So: these addresses will be quite a pain, but: that's an OLD argument and: if any provider will do something against spam originating from his IPs, there will be much less reports coming in ;o) Kind regards, Frank > (PS- Jørgen: your mail server rejected my direct message to you. You > may want to fix that) > -- With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Owner: Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 phone: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de

From ripe-anti-spam-wg at powerweb.de Wed Mar 4 17:43:50 2009 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 04 Mar 2009 17:43:50 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AEBBF0.9010708@hovland.cx> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> <49AEBBF0.9010708@hovland.cx> Message-ID: <49AEAFC6.6080306@powerweb.de>
Jørgen Hovland wrote: > > > Jan Pieter Cornet wrote: >> On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote: >> >>> From many previous discussions I have a hard time believing that you will >>> ever reach consensus on the definition of what spam is. Trying to ban it >>> >> >> Definition, yes. UBE is usually easier to define and is practically >> equivalent to spam. But pretty much everyone recognizes a spam if they >> see one.
It is therefore easy for a human to detect spam and take >> corrective action against a spammer or spamming host. >> >> > That's where I believe you are not entirely correct. UBE is permitted in > my country (not all types of course, greasy ones etc). Yes, it is Well, not in ours. Our systems are getting misused, overloaded and we have to work against it; this does cost time, resources and yes, money. And other providers are responsible for it, wherever they reside, it does not matter, legal steps can always be taken (ok, not really practical to sue somebody in China, Russia or Turkey, but possible). But at least: spamming is illegal in Germany, and any German provider or provider in another country with similar regulations should be forced to prevent his users from spamming. > usually what you/I define as spam. > However, some customers still want it (I sometimes monitor whitelists in > order to correct blacklists). > Who are we to override the end-users' decisions? Only the government > should do that, and sometimes even they shouldn't. Surely it should be up to the end user if he likes to have a spam filter on his incoming mail, but that's not the point. You can scan any incoming mail just to see if it originated from your own dial-in IPs, that's all. You do not need to modify any received mail. Scanning must be done automatically and that's even legal in Germany ;o) >>> With regards to a valid contact email address, not valid abuse >>> email address, I still believe that it should be optional. >>> >> >> What should be optional? The abuse address? The contact address? The >> validity? I think it's very reasonable to require all netblocks to have >> a valid contact email address. >> >> > Any email address. Yes it is reasonable, but I still think it should be > optional. That's also what we decided last time the topic was brought up. Jesus, no! That is simply wrong because it will raise even more ignorance to abuse. An address or phone number is not enough.
What are you doing when somebody abuses your servers? Attacks and hacks them, infiltrates webservers with viruses? Send a letter by mail? Get on an airplane? Phone somebody who only speaks a foreign language? No, a real abuse field is a must and it MUST be read, and it must be possible to prove that somebody reacts. > Perhaps people have changed their opinion now. I was actually amazed > that the suggestion to make it mandatory was rejected. > > >> (PS- Jørgen: your mail server rejected my direct message to you. You >> may want to fix that) >> >> > It gets fixed by the system when I send you this email. I get ~8000 spam > daily. I have to be a little strict :-) See? So you are against a mandatory field? I'm getting only 2-5 spams a day that really reach me. 2000 are getting blocked or sorted out straight away. But the time for these filters just ruins us all. Kind regards, Frank > > Cheers, > > > -- With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Owner: Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 phone: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Wed Mar 4 17:46:57 2009 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 4 Mar 2009 16:46:57 +0000 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AEAC57.4080104@powerweb.de> References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> <49AEAC57.4080104@powerweb.de> Message-ID:
Automated spam reports lead to errors. We get loads of them regarding mailscanner.info, which has never sent a single email in its entire life. Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.com/ http://blog.blacknight.com/ Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Fax.
+353 (0) 1 4811 763 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845

From ripe-anti-spam-wg at powerweb.de Wed Mar 4 17:59:30 2009 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 04 Mar 2009 17:59:30 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> <49AEAC57.4080104@powerweb.de> Message-ID: <49AEB372.3080500@powerweb.de>
Michele Neylon :: Blacknight wrote: > Automated spam reports lead to errors > > We get loads of them regarding mailscanner.info which has never sent a > single email in its entire life > Hm, that's bad for you, but it's not an argument for a machine readable abuse field. It should be up to anybody to report spam, automatically or manually, but at least he should have the possibility. And what's better than a mandatory field? Many netblock entries contain a lot of different email addresses, so that a normal user cannot even decide which one to take. And: do you know how many RIPE whois entries have no email address at all? Well, I do. I always thought that at least a normal email address field is mandatory, but we have 12504 RIPE netblocks here in our database without ANY email address. And they are not unused, those are netblocks we get spam from! And to my knowledge this has been the case for 2 years and didn't change. We reported this to RIPE a couple of times. The only answer was: we'll think about what we can do. Forming an anti-abuse group is then kind of a laugh, isn't it? Kind regards, Frank > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > http://www.blacknight.com/ > http://blog.blacknight.com/ > Intl.
+353 (0) 59 9183072 > US: 213-233-1612 > UK: 0844 484 9361 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 1 4811 763 > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From leo.vegoda at icann.org Wed Mar 4 17:52:30 2009 From: leo.vegoda at icann.org (Leo Vegoda) Date: Wed, 4 Mar 2009 08:52:30 -0800 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <49AEAFC6.6080306@powerweb.de> Message-ID: Frank, On 04/03/2009 8:43, "Frank Gadegast" wrote: [...] > No, a real abuse-field is a must and it MUST be read, and it must > be possible to proof, that somebody reacts. If you want to change the requirements for the RIPE database then you need to take it up in the Database WG: http://www.ripe.net/ripe/wg/db/index.html Regards, Leo From peter at hk.ipsec.se Wed Mar 4 20:16:00 2009 From: peter at hk.ipsec.se (peter h) Date: Wed, 4 Mar 2009 20:16:00 +0100 Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted In-Reply-To: <828wnl5zfg.fsf@mid.bfk.de> References: <20090303184827.GA25470@sdg.at> <49AE3167.6010306@powerweb.de> <828wnl5zfg.fsf@mid.bfk.de> Message-ID: <200903042016.01954.peter@hk.ipsec.se> On Wednesday 04 March 2009 11.56, Florian Weimer wrote: > * Frank Gadegast: > > > And the following makes me really crazy: > > - preventing spambotted PCs from sending spam is SOOO easy > > The detection problem has been solved years ago, agreed. There are > multiple, working solutions. 
>
> > YES, it's not only "likely", it's proven, spambots scan Outlook address
> > books, and if the provider is only big enough (it works here for
> > only 10000 mailboxes) ...
> > ... SPAMBOTS USING YOUR DIAL-IN IPs DO SEND SPAM TO YOUR OWN MAILSERVERS !!!
>
> And even if that doesn't happen for you due to some strange scenario,
> there are tons of free, external data feeds to which you can subscribe
> which provide you with high-quality data about compromised customer
> PCs.
>
> > the customer phones up usually 5 minutes later, we can explain
> > and check the situation, he is cleaning his computer and
> > there is one spambotted PC less in the world.
>
> Cleaning up the PC costs between 100 and 200 EUR. Someone needs to
> absorb those costs.

The "owner" has to absorb this cost. That's the price they pay for getting infected in the first place. The main thing is to isolate it from the Internet and prevent further damage.

> Detection is solved, but response is still an open problem.

Why? The connection will go blank. Any person at the other end has to do some fault-finding and will end up with the solution. Any spambot will not. Problem solved.

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to repair faults. )

From ripe-anti-spam-wg at powerweb.de Fri Mar 6 10:39:14 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 06 Mar 2009 10:39:14 +0100
Subject: [anti-abuse-wg] survey ?
In-Reply-To: <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org>
References: <200903041712.n24HCHnf015781@www.powerweb.de> <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org>
Message-ID: <49B0EF42.2050709@powerweb.de>

Leo Vegoda wrote:
> Hi Frank,
>
> Frank Gadegast wrote:
>
> [...]
>
>> Somebody responsible simply has to step forward and do
>> something, there will be no consensus with that many members.
>
> You mean you want an autocracy?

No, that's democracy. Some people step forward and take responsibility. Some of them are elected and do the job. And you can vote for somebody else when you don't like what they are doing.

> How will you get everyone to follow the rules of this leader or king?
> The reason the decision making process is the way it is, is because
> there is no way to compel network operators to obey a king. If RIPE and
> the RIPE NCC began to operate in a way that most people thought was
> unreasonable then most people would ignore RIPE and the RIPE NCC.

Well, the providers are ignoring RIPE anyway. They can ignore whatever is helpful to protect the users from spam, because there are no strict rules from RIPE to help against spam-friendly providers.

The abuse-field is not mandatory. There are no regulations in RIPE membership contracts that members are responsible for abuse they cause. But that's what RIPE has to do to stop abuse.

This workgroup is absolutely useless if there is no interest or consensus between all members, because there are members that will block all regulations against abuse, because they make profit with spam or are not willing to invest time and money to protect the internet.

Guess why the abuse-field never made it to be mandatory. Think about why we have been talking for over a year now about a clear definition of abuse, without any result.

So what now? Will this group generate a recommendation soon? Ever?

A test:
------------------------------------------------------------------
everybody on this list should simply reply now

( ) I want RIPE to have regulations against abuse
( ) I want RIPE to take consequences against spam-friendly members
------------------------------------------------------------------

We can stop talking if we do not get a 100% positive response to the first question, because any minority can then stop the whole definition process.

We can also stop talking if we do not get a 100% positive response to the second question, because regulations without consequences will be ignored, as they are now.

And: if some on this list are not answering, they are not against abuse and will block any progress.

Kind regards,
Frank

> Regards,
>
> Leo

From richard.cox at btuser.net Fri Mar 6 15:48:26 2009
From: richard.cox at btuser.net (Richard Cox)
Date: Fri, 06 Mar 2009 14:48:26 +0000
Subject: [anti-abuse-wg] survey ?
In-Reply-To: <49B0EF42.2050709@powerweb.de>
References: <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org> <49B0EF42.2050709@powerweb.de>
Message-ID:

On Fri, 6 Mar 2009 Frank Gadegast wrote:

> Some of them are being elected and do the job. And you can vote for
> somebody else, when you don't like what they are doing.

Well, yes. But RIPE is not a democracy, even if it makes its internal decisions by democratic means. If RIPE was a democracy, every internet user in the RIPE service region would be able to elect representatives, but that is not what happens. Decisions are made by RIPE members who are mostly network operators. The fees required for membership are beyond the means of (most) individual net users. RIPE therefore acts in the interests of its members, who are mostly Network Operators, and not in the interests of end users unless they overlap.

End users want to get all spam and abuse stopped. Network Operators do not (mostly) want to expend the resources that would be needed to achieve this.
So it follows that they are unlikely to support any proposal for a RIPE policy that imposes any greater duties on them.

> The abuse-field is not mandatory. There are no regulations in RIPE
> membership contracts, that members are responsible for abuse they
> cause. But thats, what RIPE has to do to stop abuse.

The abuse-field is indeed not mandatory. I would prefer to have the abuse-field voluntary so that everyone could see which networks were not willing to handle abuse issues, rather than have networks forced to stipulate an abuse address that is then set to permanent ignore.

If networks want to handle abuse issues properly they will provide an abuse address in the appropriate field (and in a few other important places as well). Making the abuse-field mandatory will not stop any abuse. It will not force any network operators to take any action to stop abuse.

> This workgroup is absolutely useless, if there is no interest or
> consense between all members, because there are members, that will
> block all regulations against abuse, because they make profit with
> spam or are not willing to invest time and money to protect the
> internet.

If it was useless I would not be here. I agree that it has not been particularly productive in the past, and both Brian and I (as the new co-chairs) are trying to focus on the issues that need most attention.

> So what now ? Will this group generate a recommendation soon? Ever?

I am sure that we will. We need to cohere more effectively first.

> A test:
> ------------------------------------------------------------------
> everybody on this list, should simply reply now
>
> ( ) I want RIPE to have regulations against abuse
> ( ) I want RIPE to take consequences against spam friendly members
> ------------------------------------------------------------------

I first want RIPE to be _able_ to do both of those. The problem is that the structure of RIPE does not currently enable RIPE to operate that way.
Because RIPE is the issuer of IP etc. resources it is only too easy to fall into the trap of thinking that RIPE can impose rules. It cannot. But it can - and should - make recommendations on matters like this.

A simple analogy: We would like to fly to Barbados. But we do not yet have an airport.

A common misunderstanding is that the Internet is automatically unique. It is only unique because nobody has yet created a second internet. The internet as we know it is a collection of networks that interconnect with each other by means of peering points and transit providers. Nobody can mandate how each network connects to another (leaving aside national and European regulations on telecomms licensing and competition policy) so any network can use any protocol, any IP or AS numbering it chooses as long as it works for them. They break no laws by doing that, although most networks agree to follow a common numbering scheme as established by IANA through the RIRs.

A good example is the fact that some networks use IP addresses in 128.199.0.0/16 and rely on NAT to prevent those addresses being visible to their peers and upstreams. They "should" use 192.168.0.0/16 or one of the other IP ranges in RFC1918, but nobody can force them to change. And from time to time networks using that range encounter difficulties.

I'm pointing this out because as IPv4 resources exhaust, we are likely to see an increase in the abuse involving the use of IP ranges by people to whom they are not allocated. RIPE cannot do much about that, except by persuasion. As far as I can see, the only people that can prevent the inappropriate use of IP ranges and AS numbers are the transit providers.

As things stand, RIPE is the most abuse-friendly out of all the RIRs. That's not by intention, but by the fact that it gives more autonomy to individual LIRs than any of the other RIRs.
LIRs are effectively resellers - their decision on whether a customer for IP resources is who they claim to be, etc., is normally accepted without question. So we see far more RIPE IP ranges appearing (and mostly used for abuse) in places outside the RIPE service area than we see ARIN etc. ranges inside the RIPE service area.

So in summary I believe our most urgent duty is to make recommendations to RIPE that identify specific RIPE policies (or proposals) which have side-effects that either facilitate abuse or make it difficult to track who is responsible for the abuse.

--
Richard

The above is, of course, just my personal viewpoint.

From marcoh at marcoh.net Fri Mar 6 15:54:50 2009
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Fri, 6 Mar 2009 15:54:50 +0100
Subject: [anti-abuse-wg] survey ?
In-Reply-To:
References: <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org> <49B0EF42.2050709@powerweb.de>
Message-ID: <3752116E-B4E1-4990-969A-C715F684BDC2@marcoh.net>

On 6 Mar 2009, at 15:48, Richard Cox wrote:

> On Fri, 6 Mar 2009 Frank Gadegast wrote:
>
>> Some of them are being elected and do the job. And you can vote for
>> somebody else, when you dont like, what they are doing.
>
> Well, yes. But RIPE is not a democracy, even if it makes its internal
> decisions by democratic means. If RIPE was a democracy, every internet
> user in the RIPE service region would be able to elect representatives,
> but that is not what happens. Decisions are made by RIPE members who
> are mostly network operators. The fees required for membership are
> beyond the means of (most) individual net users. RIPE therefore acts
> in the interests of its members, who are mostly Network Operators,
> and not in the interests of end users unless they overlap.

RIPE does not exist, it has no members. RIPE NCC has members, and provides registration services. Can you please make clear what body you are talking about?

Regards,

MarcoH

From peter at hk.ipsec.se Fri Mar 6 16:04:47 2009
From: peter at hk.ipsec.se (peter h)
Date: Fri, 6 Mar 2009 16:04:47 +0100
Subject: [anti-abuse-wg] survey ?
In-Reply-To: <49B0EF42.2050709@powerweb.de>
References: <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org> <49B0EF42.2050709@powerweb.de>
Message-ID: <200903061604.50101.peter@hk.ipsec.se>

On Friday 06 March 2009 10.39, Frank Gadegast wrote:
> Leo Vegoda wrote:
> > Hi Frank,
>
> A test:
> ------------------------------------------------------------------
> everybody on this list, should simply reply now
>
> (X ) I want RIPE to have regulations against abuse
> (X ) I want RIPE to take consequences against spam friendly members
> ------------------------------------------------------------------

--
Peter Håkanson

From gert at space.net Fri Mar 6 16:29:29 2009
From: gert at space.net (Gert Doering)
Date: Fri, 6 Mar 2009 16:29:29 +0100
Subject: [anti-abuse-wg] survey ?
In-Reply-To:
References: <05B243F724B2284986522B6ACD0504D78907960D8A@EXVPMBX100-1.exc.icann.org> <49B0EF42.2050709@powerweb.de>
Message-ID: <20090306152928.GN44476@Space.Net>

Hi,

On Fri, Mar 06, 2009 at 02:48:26PM +0000, Richard Cox wrote:
> Decisions are made by RIPE members who are mostly network operators.

This is actually not completely correct.

RIPE NCC *members* (as in "paying members") decide on the yearly fees paid to keep the RIPE NCC running, and on the way the RIPE NCC spends its budget. This is done in the formal annual general meeting (RIPE AGM).

Regarding policies and best practices, every interested party of the Internet community can influence what's happening. Which can be problematic at times (reaching consensus can be difficult if the opinions differ too much), but it's definitely not tied to being a paying member.

> The fees required for membership are
> beyond the means of (most) individual net users. RIPE therefore acts
> in the interests of its members, who are mostly Network Operators,
> and not in the interests of end users unless they overlap.

Please do also note that "RIPE" is "all of us in the community". If you are talking about the folks in Amsterdam that get paid to do secretariat jobs for the RIPE community: this is the RIPE NCC (and it's important to be clear on the distinction).

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 128645

SpaceNet AG                        Management Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            VAT ID: DE813185279

From iane at sussex.ac.uk Mon Mar 9 15:46:03 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 09 Mar 2009 14:46:03 +0000
Subject: Sv: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <82r61d2uhl.fsf@mid.bfk.de>
References: <20090303184827.GA25470@sdg.at> <200903032207.30182.peter@hk.ipsec.se> <49AE3167.6010306@powerweb.de> <828wnl5zfg.fsf@mid.bfk.de> <82r61d2uhl.fsf@mid.bfk.de>
Message-ID: <1293B3F5012DE6A2DCA2AC57@lewes.staff.uscs.susx.ac.uk>

--On 4 March 2009 16:11:34 +0100 Florian Weimer wrote:

> * Helmut:
>
>> Sorry, but I don't understand what kind of discussion is going on.
>> What do I have to do with it and why am I getting all these mails?
>> Please exclude me from the mailing list!
>
> Does anybody know how to view mail headers using IncrediMail?
>
> Helmut, you could try sending an unsubscribe message to
> (just put "unsubscribe" in the
> subject line). But this won't work if you're subscribed with an
> address different from the one you're currently using.

Given that there are few, if any, email clients that display List-* headers by default, why would administrators of an anti-abuse list think use of those headers alone is in any way helpful to someone in Helmut's situation?
Can't we have just a little list footer with an unsubscribe link in it?

--
Ian Eiloart
IT Services, University of Sussex
x3148

From iane at sussex.ac.uk Mon Mar 9 17:25:09 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 09 Mar 2009 16:25:09 +0000
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49AEAFC6.6080306@powerweb.de>
References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net> <49AEBBF0.9010708@hovland.cx> <49AEAFC6.6080306@powerweb.de>
Message-ID: <610947E68D2350065655BE1A@lewes.staff.uscs.susx.ac.uk>

--On 4 March 2009 17:43:50 +0100 Frank Gadegast wrote:

>
>> That's where I believe you are not entirely correct. UBE is permitted in
>> my country (not all types of course, greasy ones etc). (.cx)
>
> Well not in ours. (.de)

In the UK, unsolicited electronic marketing messages are illegal - bulk or otherwise - when they're sent to personal addresses. There's guidance on "unsolicited", "marketing", and "personal". Unsolicited Business to Business marketing is permitted. The law applies to all electronic messaging, not just email. The term marketing is broadly defined, and includes messages soliciting votes in elections, and charity appeals.

Furthermore, a "simple means of opting out" must be supplied with EVERY marketing message. For example, even SMS messages usually carry an opt out message like "text STOP to nnnnn".

I think it's sensible to apply the law without regard to quantity, for several reasons:

1. The recipient can't know whether the message is "Bulk" or not, and they should be able to make a complaint based on information that they have access to. A message doesn't annoy a recipient less when they're the only recipient - at least not if they don't know that.

2. It would be hard to define "Bulk", given that senders can send variants of messages, and can send them at staggered intervals. The higher the threshold is set, the harder it is to obtain evidence to convict.

3. Bulk mailers are inherently more likely to attract complaints. They're more likely to have complaints against them upheld, and penalties are likely to be more serious. Therefore there's no necessity to add legislative discrimination. On the other hand, they may have more resources to defend an action against them.

--
Ian Eiloart
IT Services, University of Sussex
x3148

From gert at space.net Tue Mar 10 09:49:21 2009
From: gert at space.net (Gert Doering)
Date: Tue, 10 Mar 2009 09:49:21 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <20090304154637.GU17125@xs4all.net>
References: <200903040849.n248nrPV015367@www.powerweb.de> <49AE47B9.20601@powerweb.de> <49AEAFEC.3090804@hovland.cx> <20090304154637.GU17125@xs4all.net>
Message-ID: <20090310084921.GI44476@Space.Net>

Hi,

On Wed, Mar 04, 2009 at 04:46:37PM +0100, Jan Pieter Cornet wrote:
> Definition, yes. UBE is usually easier to define and is practically
> equivalent to spam. But pretty much everyone recognizes a spam if they
> see one. It is therefore easy for a human to detect spam and take
> corrective action against a spammer or spamming host.

This is actually *way* oversimplifying things.

Some SPAMs are obvious, of course, but there is a wide area of "grey" in between - some people send advertising e-mails that part of their recipients find quite interesting (because the mails meet their interests), while others consider them SPAM.

OTOH, we get SPAM complaints for info mails that people actually and provably subscribed to(!) [commercial service, people subscribe, forget about it, and later just report to spamcop instead of unsubscribing].

Gert Doering
        -- NetMaster

From peter at hk.ipsec.se Tue Mar 10 20:17:50 2009
From: peter at hk.ipsec.se (peter h)
Date: Tue, 10 Mar 2009 20:17:50 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <20090310084921.GI44476@Space.Net>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net>
Message-ID: <200903102017.51444.peter@hk.ipsec.se>

On Tuesday 10 March 2009 09.49, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 04, 2009 at 04:46:37PM +0100, Jan Pieter Cornet wrote:
> > Definition, yes. UBE is usually easier to define and is practically
> > equivalent to spam. But pretty much everyone recognizes a spam if they
> > see one. It is therefore easy for a human to detect spam and take
> > corrective action against a spammer or spamming host.
>
> This is actually *way* oversimplifying things.
>
> Some SPAMs are obvious, of course, but there is a wide area of "grey" in
> between - some people send advertising e-mails that part of their
> recipients find quite interesting (because the mails meet their interests),
> while others consider them SPAM.

I object to this view. UCE is always spam even if some recipients "think" they like it. Just look at all the suckers that get fooled by scams!

UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.

> OTOH, we get SPAM complaints for info mails that people actually and
> provably subscribed to(!) [commercial service, people subscribe, forget
> about it, and later just report to spamcop instead of unsubscribing].

That's a problem with opt-in lists too, but that is something list-owners have to adapt to. The general public should not be carrying the burden just because "it's simpler for list-owners". Any sender of mail has to take its own costs.
> Gert Doering
>         -- NetMaster

--
Peter Håkanson

From leo.vegoda at icann.org Tue Mar 10 21:19:11 2009
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Tue, 10 Mar 2009 13:19:11 -0700
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <200903102017.51444.peter@hk.ipsec.se>
Message-ID:

On 10/03/2009 11:17, "peter h" wrote:

[...]

> UCE or spam is illegal in some countries, however legal authorities do not
> seem willing to hunt and prosecute.

I've spoken with a number of police officers involved in tackling e-crime issues and on the whole it seems to be a resource issue rather than a willingness issue. Training a police officer how to handle an investigation into something quite 'virtual' is not an easy or cheap task. This means there aren't very many trained officers and so they tend to be assigned to investigating the most serious offences.

Regards,

Leo

From ripe-anti-spam-wg at powerweb.de Wed Mar 11 11:07:14 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 11 Mar 2009 11:07:14 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References:
Message-ID: <49B78D52.7020202@powerweb.de>

Leo Vegoda wrote:
> On 10/03/2009 11:17, "peter h" wrote:

Hi,

>> UCE or spam is illegal in some countries, however legal authorities does not
>> seem willing to hunt and procecute.

No, they are willing, but they are unable in most cases.

> I've spoken with a number of police officers involved in tackling e-crime
> issues and on the whole it seems to be a resource issue rather than a
> willingness issue. Training a police officer how to handle an investigation
> into something quite 'virtual' is not an easy or cheap task. This means
> there aren't very many trained officers and so they tend to be assigned to
> investigating the most serious offences.

Spam and abuse are forbidden in Germany.

We had a lot of cases, from normal data crime (like competitors trying to spy out some data from our customers) to illegal archiving to hacks, scans and password attacks, where we helped customers to identify problems and tried to bring the attacker to court according to German law. So we were always involved and cooperated quite closely with the legal entities here.

I can only say that the entities in Germany are well equipped and trained, know definitely what they are doing and are very willing. We had a lot of very positive results if the attack started in Germany or other European countries which have similar laws.

And the entities always have one big problem:
- most attacks are started via abuse dial-in IPs somewhere in the world
  where they cannot work together with the provider, because the provider
  has no interest

So, it's always the same: it's not that the legal entities are not willing, it's the providers that are not willing to help to trace any abuse back to the real originator.

This is one more reason to stop all spambot networks, so that nobody can hide anymore ...

Kind regards,
Frank

> Regards,
>
> Leo

From iane at sussex.ac.uk Wed Mar 11 12:42:39 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Wed, 11 Mar 2009 11:42:39 +0000
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <200903102017.51444.peter@hk.ipsec.se>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se>
Message-ID: <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>

--On 10 March 2009 20:17:50 +0100 peter h wrote:

> UCE or spam is illegal in some countries, however legal authorities do
> not seem willing to hunt and prosecute.

Under article 13 of EU Directive 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".

I don't know anywhere that this is properly enforced, though.
--
Ian Eiloart
IT Services, University of Sussex
x3148

From eromijn at ripe.net Wed Mar 11 13:00:50 2009
From: eromijn at ripe.net (Erik Romijn)
Date: Wed, 11 Mar 2009 13:00:50 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <49B7A7F2.30001@ripe.net>

Hi,

Ian Eiloart wrote:
> Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of
> UCE is illegal in every member state of the EU, with exemption where
> the recipient is an existing customer of the organisation sending the
> email. Even then, the sender has to give an opt out option with every
> email, and may only market "similar products or services".
>
> I don't know anywhere that this is properly enforced, though.

The OPTA[1], regulator of electronic communications in The Netherlands, has a website[2] where Dutch private persons can complain about spam received from Dutch sources. Quickly looking back, I see that in the past they have fined an organisation 510.000 euro [3] and another ruling was confirmed by a court, for a 75.000 euro fine[4]. I can't find an English reference to that though.
So something is definitely happening there :)

[1] http://www.opta.nl/asp/en/
[2] http://www.spamklacht.nl/ (only Dutch)
[3] https://www.spamklacht.nl/asp/nieuws/id/51
[4] https://www.spamklacht.nl/asp/nieuws/id/54

cheers,
Erik Romijn

From jrace at attglobal.net Wed Mar 11 13:24:30 2009
From: jrace at attglobal.net (Jeffrey Race)
Date: Wed, 11 Mar 2009 07:24:30 -0500
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49B78D52.7020202@powerweb.de>
Message-ID: <20090311122511.6F3506A003@postboy.ripe.net>

On Wed, 11 Mar 2009 11:07:14 +0100, Frank Gadegast wrote:
> And the entities always have one big problem:
> - most attacks are started via abuse dial-in IPs somewhere in the world
>   where they cannot work together with the provider, because the provider
>   has no interest
>
> So, it's always the same, it's not that the legal entities are not
> willing, it's the providers that are not willing to help to trace
> any abuse back to the real originator.

And so the ONLY solution to this behavior is to motivate them to cooperate by adopting a universal rule that if you are such an ISP, your traffic is refused until you come into compliance. Other domains of human activity use the same rule, e.g. you don't get a driver's license until you pass the test, and if you are a drunk driver it is withdrawn. (See earlier reference for a simple system to implement this.)
Jeffrey Race

From info at streamservice.nl Wed Mar 11 13:50:49 2009
From: info at streamservice.nl (Stream Service)
Date: Wed, 11 Mar 2009 13:50:49 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49B7A7F2.30001@ripe.net>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk> <49B7A7F2.30001@ripe.net>
Message-ID: <004701c9a248$0130a500$0391ef00$@nl>

Erik Romijn wrote:
> Hi,
>
> Ian Eiloart wrote:
>> Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of
>> UCE is illegal in every member state of the EU, with an exemption where
>> the recipient is an existing customer of the organisation sending the
>> email. Even then, the sender has to give an opt-out option with every
>> email, and may only market "similar products or services".
>>
>> I don't know anywhere that this is properly enforced, though.
>
> The OPTA[1], regulator of electronic communications in The Netherlands,
> has a website[2] where Dutch private persons can complain about spam
> received from Dutch sources. Quickly looking back, I see that in the past
> they have fined an organisation 510.000 euro [3] and another ruling was
> confirmed by a court, for a 75.000 euro fine[4]. I can't find an English
> reference to that though.
>
> So something is definitely happening there :)
>
> [1] http://www.opta.nl/asp/en/
> [2] http://www.spamklacht.nl/ (only Dutch)
> [3] https://www.spamklacht.nl/asp/nieuws/id/51
> [4] https://www.spamklacht.nl/asp/nieuws/id/54
>
> cheers,
> Erik Romijn

Hello,

As far as I can see the OPTA is only working on spam if it comes from the Netherlands AND it is received by a person in the Netherlands. This should be changed so the receiver could live outside the Netherlands. Also small companies in the Netherlands (as long as they are, for the law, the same as a person) can complain at spamklacht.nl.
In Dutch: sole proprietorships and general partnerships (eenmanszaken/vof) may also not receive spam; the same applies to legal persons from 1 July.

On the 1st of July the law in the Netherlands will be changed so all spam is illegal :).

With kind regards,

Mark Scholten
Stream Service

From ripe-anti-spam-wg at powerweb.de Wed Mar 11 13:53:33 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 11 Mar 2009 13:53:33 +0100
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <20090311122511.6F3506A003@postboy.ripe.net>
References: <20090311122511.6F3506A003@postboy.ripe.net>
Message-ID: <49B7B44D.8050602@powerweb.de>

Jeffrey Race wrote:
> On Wed, 11 Mar 2009 11:07:14 +0100, Frank Gadegast wrote:
>> And the entities always have one big problem:
>> - most attacks are started via abuse dial-in IPs somewhere in the world
>>   where they cannot work together with the provider, because the provider
>>   has no interest
>>
>> So, it's always the same, it's not that the legal entities are not
>> willing, it's the providers that are not willing to help to trace
>> any abuse back to the real originator.
>
> And so the ONLY solution to this behavior is to motivate them to
> cooperate by adopting a universal rule that if you are such an ISP,
> your traffic is refused until you come into compliance. Other
> domains of human activity use the same rule, e.g. you don't get
> a driver's license until you pass the test, and if you are a drunk
> driver it is withdrawn. (See earlier reference for a simple
> system to implement this.)

Yes, and that's exactly what this abuse group has to define!

A driver's license for ISPs: they have to commit and pass a test before they get any more IP services. And RIPE has to watch their behaviour and revoke addresses that are being massively misused.

Problem: no RIPE member wants to get more work (reporting or reacting to abuse) and no RIPE member is willing to have the fees raised, so that RIPE can set up such a monitoring system.

And ... there we are again.
This group is useless if the members are not willing to do anything against abuse (do you remember this little survey I had a week ago? We received exactly ONE answer!)

All together that is two out of what? A hundred? A thousand? How many are on this list?

Kind regards, Frank

>
> Jeffrey Race
>

--
With kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From brian.nisbet at heanet.ie Wed Mar 11 13:55:38 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 11 Mar 2009 12:55:38 +0000
Subject: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <49B7B4CA.6050601@heanet.ie>

Ian Eiloart wrote the following on 11/03/2009 11:42:
> Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of
> UCE is illegal in every member state of the EU, with an exemption where
> the recipient is an existing customer of the organisation sending the
> email. Even then, the sender has to give an opt-out option with every
> email, and may only market "similar products or services".
>
> I don't know anywhere that this is properly enforced, though.

There was a lot of flexibility in how the Member States were allowed to write the directive into law. Some went with opt-in, others with opt-out. And in some cases (probably most) the recipient was defined as the actual subscriber, so your business address was not considered to be a personal address.
However, enforcement and implementation still vary widely over the EU. As I mentioned at RIPE 57, we would be interested in hearing from people about their own experiences across the RIPE region regarding legislation and enforcement. If there was interest, time could easily be put aside in the WG session at RIPE 58 for a number of short updates?

Brian.

From Sascha.Wilms at eco.de Wed Mar 11 15:44:04 2009
From: Sascha.Wilms at eco.de (Sascha Wilms)
Date: Wed, 11 Mar 2009 15:44:04 +0100
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>

Hi Ian, hi guys,

we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.

We at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).

Actually, our set of rules goes beyond the stipulations made by the EU directive.
And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.

We consider this industry standard approach more efficient than any legislative approach.

Rgds
Sascha
eco association

From angelos at unix.gr Wed Mar 11 15:50:24 2009
From: angelos at unix.gr (Angelos Karageorgiou)
Date: Wed, 11 Mar 2009 16:50:24 +0200
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <49B7CFB0.7010701@unix.gr>

To add my 2 cents:

We enforce limits on outgoing email via our SMTP servers, both quantitative and qualitative.
Regular users can send only a limited number of messages per minute, and only messages that do not contain viruses and whose SpamAssassin score is below a certain threshold. Still there is the issue of bulk mail servers for businesses, but we do not guarantee service there, i.e. we tell our customers that if they manage to blacklist the server then de-listing it is a low priority issue with my team.

From iane at sussex.ac.uk Wed Mar 11 16:20:39 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Wed, 11 Mar 2009 15:20:39 +0000
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>

--On 11 March 2009 15:44:04 +0100 Sascha Wilms wrote:

> Hi Ian, hi guys,
>
> we actually enforce rules regarding bulk emails through the Certified
> Senders Alliance. Enforcement can naturally be applied only to those
> senders participating in the CSA - however, in Germany our service has
> become the de facto industry standard for email marketers, and the amount
> of emails sent by certified senders is huge. Thus, we have gained a very
> good leverage over this industry.

Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach.

However, the fact that you require your users to publish SPF records is good.

Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members.
I do think that you need to get your English language documentation looked at by a native English speaking lawyer.

> we at eco maintain a general complaints hotline, and I can't remember
> having seen any complaint by users or ISPs about a missing opt-out link
> only. Complaints are about UCEs, and not missing opt-out possibilities.
> So I guess we are pretty much the only body dealing with the enforcement
> of those rules like opt-out links, and we have effective sanctions for
> not sticking to the rules (and opt-out is definitely one of those
> rules!).
>
> Actually, our set of rules goes beyond the stipulations made by the EU
> directive. And we keep on tightening the rules: SPF has now become
> mandatory for senders (ISPs are left with the choice whether to use this
> info); DKIM and double opt-in, for example, are now recommended criteria
> and will be turned into mandatory criteria with the next revision of the
> admission criteria.
>
> We consider this industry standard approach more efficient than any
> legislative approach.
>
> Rgds
> Sascha
> eco association
--
Ian Eiloart
IT Services, University of Sussex
x3148

From Sascha.Wilms at eco.de Wed Mar 11 16:56:53 2009
From: Sascha.Wilms at eco.de (Sascha Wilms)
Date: Wed, 11 Mar 2009 16:56:53 +0100
Subject: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>

I know that for some it's a hard fact not to be allowed to block CSA whitelisted entries any more. But because senders know exactly this, they know what they have from being CSA whitelisted and what they stand to lose if they get kicked off the list when not complying with the rules. It is this huge leverage we gain.

Currently, we have only significant German ISPs, but at least one major European incumbent is about to join. We hope to extend the reach of our list to other providers, so that we can increase the leverage. I have talked to some British providers, but so far no commitment (though the British marketers are very keen on having something like the CSA in the UK).

As I said, it is really an industry standard we are promoting here, and the more ISPs join, the better we are able to establish the standard on an international level. If you guys have more feedback, you are welcome!

rgds
Sascha
From info at streamservice.nl Wed Mar 11 17:28:14 2009
From: info at streamservice.nl (Stream Service)
Date: Wed, 11 Mar 2009 17:28:14 +0100
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <009501c9a266$6076eba0$2164c2e0$@nl>

Hello Sascha,

As soon as the requirement that we don't block/blacklist any IP/ISP on your list is removed, we will implement it to reduce the spam score emails get with SpamAssassin in our setup. We use multiple blacklists to tag email with SpamAssassin and some whitelists to lower the spam score on email.
With kind regards,

Mark Scholten
Stream Service
From Sascha.Wilms at eco.de Wed Mar 11 17:44:24 2009
From: Sascha.Wilms at eco.de (Sascha Wilms)
Date: Wed, 11 Mar 2009 17:44:24 +0100
Subject: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>

> I'm not sure that I'd be interested in whitelisting anyone who's signed
> up to improve their marketing outreach.

Just to put this right: we do not certify ANYONE. We only certify those senders who reveal themselves as trustworthy. We take a very thorough look at who applies for certification. We reject applicants when they cannot comply with our requirements, or when we get the impression that they are not trustworthy. And for those who get through the certification procedure anyway: we still have our sanctioning mechanisms.

Sascha
From iane at sussex.ac.uk Wed Mar 11 18:52:59 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Wed, 11 Mar 2009 17:52:59 +0000
Subject: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <0AF0BF24251D9E553259F0AE@lewes.staff.uscs.susx.ac.uk>

--On 11 March 2009 16:56:53 +0100 Sascha Wilms wrote:

> I know that for some it's a hard fact not to be allowed to block CSA
> whitelisted entries any more. But because senders know exactly this, they
> know what they have from being CSA whitelisted and what they stand to
> lose if they get kicked off the list when not complying with the rules.
> It is this huge leverage we gain.

So, what's the sanction against me if I apply my spam filters to one of your members? Just that you don't send me list updates? I could live with that. I'd not be able to enter any contractual obligation, though.

> Currently, we have only significant German ISPs, but at least one major
> European incumbent is about to join. We hope to extend the reach of our
> list to other providers, so that we can increase the leverage. I have
> talked to some British providers, but so far no commitment (though the
> British marketers are very keen on having something like the CSA in the UK).

I'm slightly confused here. Your members are ISPs or marketers? Perhaps you're referring to users of the whitelists here? If they're ISPs, does that mean that the rules are applied to all email sent through the ISP's servers? If they're ISPs, then are you requiring that they block outbound port 25 to non-whitelisted addresses? And rate limiting domestic clients?
That would be something I'd be very keen to encourage.

> As I said, it is really an industry standard we are promoting here, and
> the more ISPs join, the better we are able to establish the standard on
> an international level. If you guys have more feedback, you are welcome!
>
> rgds
> Sascha
So I guess we are pretty much the only body dealing with >> the >> enforcement of those rules like opt-out links, and we have effective >> sanctions for not sticking to the rules (and opt-out is definitely one >> of those rules!). >> >> >> Actually, our set of rules goes beyond the stipulations made by the EU >> directive. And we keep on tightening the rules: SPF has now become >> mandatory for senders (ISPs are left with the choice whether to use >> this info); DKIM and double-opt-in, for example, are now recommended >> criteria and will be turned into mandatory criteria with the next >> revision of the admission criteria. >> >> >> We consider this industry standard approach more efficient than any >> legislative approach. >> >> Rgds >> Sascha >> eco association >> >> >> >> -----Urspr?ngliche Nachricht----- >> Von: anti-abuse-wg-admin at ripe.net >> [mailto:anti-abuse-wg-admin at ripe.net] >> Im Auftrag von Ian Eiloart Gesendet: Mittwoch, 11. M?rz 2009 12:43 >> An: peter h; anti-abuse-wg at ripe.net >> Betreff: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted >> >> >> >> --On 10 March 2009 20:17:50 +0100 peter h wrote: >> >>> >>> UCE or spam is illegal in some countries, however legal authorities >>> does not seem willing to hunt and procecute. >> >> Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending >> of UCE is illegal in every member state of the EU, which exemption >> where the recipient is an existing customer of the organisation sending >> the email. Even then, the sender has to give an opt out option with >> every email, and may only market "similar products or services". >> >> I don't know anywhere that this is properly enforced, though. 
>>
>> --
>> Ian Eiloart
>> IT Services, University of Sussex
>> x3148
>>
>
>
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> x3148
>

--
Ian Eiloart
IT Services, University of Sussex
x3148

From peter at hk.ipsec.se Thu Mar 12 07:36:38 2009
From: peter at hk.ipsec.se (peter h)
Date: Thu, 12 Mar 2009 07:36:38 +0100
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References: <200903040849.n248nrPV015367@www.powerweb.de> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk>
Message-ID: <200903120736.38798.peter@hk.ipsec.se>

On Wednesday 11 March 2009 15.44, Sascha Wilms wrote:
>
> Hi Ian, hi guys,
>
> we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
>
> we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
>
>
> Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
>
>
> We consider this industry standard approach more efficient than any legislative approach.
>
> Rgds
> Sascha

If Germany is so good at stopping spam, how come providers like Schlund are still out of jail? (I have more examples of spam originating in Germany.)

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to repair mistakes. )

From ripe-anti-spam-wg at powerweb.de Thu Mar 12 10:15:26 2009
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 12 Mar 2009 10:15:26 +0100
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <200903120736.38798.peter@hk.ipsec.se>
References: <200903040849.n248nrPV015367@www.powerweb.de> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk> <200903120736.38798.peter@hk.ipsec.se>
Message-ID: <49B8D2AE.9030302@powerweb.de>

peter h wrote:
> On Wednesday 11 March 2009 15.44, Sascha Wilms wrote:
>> Hi Ian, hi guys,
>>
>> we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
>>
>> we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
>>
>>
>> Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
>>
>>
>> We consider this industry standard approach more efficient than any legislative approach.
>>
>> Rgds
>> Sascha
>
> If Germany is so good at stopping spam, how come providers like Schlund are
> still out of jail? (I have more examples of spam originating in Germany.)
>

Hi,

this is pretty easy. You will need a person or company willing to go to the police or contact a lawyer before this can be worked on by legal entities. And: you can only complain about those cases that happened to you, and not in general.

Users are usually uninformed about their possibilities and only complain a lot. Spam is not being recognized by the masses as being a crime so far.

That's why we need a solution to measure the spam pollution of providers in general, and a more international solution that really hurts those providers. RIPE would be great, ECO too ...

Kind regards, Frank
With kind regards,

--
PHADE Software - PowerWeb                 http://www.powerweb.de
Owner: Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
Schinkelstrasse 17                        fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany     fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From leo.vegoda at icann.org Thu Mar 12 16:37:51 2009
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Thu, 12 Mar 2009 08:37:51 -0700
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <49B8D2AE.9030302@powerweb.de>
Message-ID:

On 12/03/2009 1:15, "Frank Gadegast" wrote:

[...]

> Users are usually uninformed about their possibilities and only
> complain a lot. Spam is not being recognized by the masses as
> being a crime so far.
And based on what I see, they tend to send abuse reports to the wrong place because they don't know how to read e-mail headers and the on-line tools they use often don't read them correctly either. I don't think end users should have to know how to read e-mail headers but I know that they often try to in an attempt to reduce the amount of spam they receive and then get very confused and frustrated when they get a note back telling them they sent the complaint to the wrong place.

Regards,

Leo

From peter at hk.ipsec.se Thu Mar 12 18:46:59 2009
From: peter at hk.ipsec.se (peter h)
Date: Thu, 12 Mar 2009 18:46:59 +0100
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References:
Message-ID: <200903121846.59855.peter@hk.ipsec.se>

On Thursday 12 March 2009 16.37, Leo Vegoda wrote:
> On 12/03/2009 1:15, "Frank Gadegast" wrote:
>
> [...]
>
> > Users are usually uninformed about their possibilities and only
> > complain a lot. Spam is not being recognized by the masses as
> > being a crime so far.
>
> And based on what I see, they tend to send abuse reports to the wrong place
> because they don't know how to read e-mail headers and the on-line tools they
> use often don't read them correctly either. I don't think end users should
> have to know how to read e-mail headers but I know that they often try to in
> an attempt to reduce the amount of spam they receive and then get very
> confused and frustrated when they get a note back telling them they sent the
> complaint to the wrong place.
>
> Regards,
>
> Leo

A suggestion might be to

A/ encourage users to report spam via a tool s.a. spamcop where the mail & headers are interpreted correctly, and

B/ ask spamcop to send a copy of reports referring to RIPE blocks to European police and let them take action.

Something has to be done (or e-mail as we see it is dead).

Possession of insecure computers connected to a public network should be an offense. A broken-into PC sending malware manifests all proof needed of guilt.

ISPs also have a role: detect and prevent abuse of all sorts. A simple block-port-25 (and forcing outbound mail to be relayed over ISP mail servers) would contribute a lot.

Spammers themselves should be targeted; all of them use a channel for money, and it should be fairly easy for police to follow that chain.

I want action this day!

>
>
>

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to repair mistakes. )

From Sascha.Wilms at eco.de Fri Mar 13 14:54:13 2009
From: Sascha.Wilms at eco.de (Sascha Wilms)
Date: Fri, 13 Mar 2009 14:54:13 +0100
Subject: AW: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To: <0AF0BF24251D9E553259F0AE@lewes.staff.uscs.susx.ac.uk>
References: <200903040849.n248nrPV015367@www.powerweb.de> <20090304154637.GU17125@xs4all.net> <20090310084921.GI44476@Space.Net> <200903102017.51444.peter@hk.ipsec.se> <50AD8506C77027048EE04D59@lewes.staff.uscs.susx.ac.uk> ,<0AF0BF24251D9E553259F0AE@lewes.staff.uscs.susx.ac.uk>
Message-ID:

>So, what's the sanction against me if I apply my spam filters to one of
>your members? Just that you don't send me list updates? I could live with
>that. I'd not be able to enter any contractual obligation, though.

I was referring with the sanctions to the senders when they don't stick to the rules. The ISPs sign a license agreement with us that states that they deliver without tagging and update and use the list - taking into account two exceptions: users want to have this blocked; or the use of the whitelist puts the network's stability of the ISP at risk in some way. So far, the situation that we would have to sanction ISPs for not sticking to the license agreement has not occurred.

>I'm slightly confused here. Your members are ISPs or Marketers? Perhaps
>you're referring to users of the whitelists here?
Both ISPs and senders are our members. ISPs download the information contained in the whitelist, and senders apply for certification to get listed. We are the body in between that organises the central whitelisting for the participating ISPs so that they don't need to do this themselves. Member ISPs are the users of our whitelist.

From iane at sussex.ac.uk Mon Mar 16 13:20:53 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 16 Mar 2009 12:20:53 +0000
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References:
Message-ID:

--On 12 March 2009 08:37:51 -0700 Leo Vegoda wrote:

> I don't think end users should
> have to know how to read e-mail headers

No, the authors of email clients need to expose the data from mail headers in a way that's meaningful to the user. For example, it would be so nice if they had a button to unsubscribe from a mailing list - using the list-unsubscribe header to do the right thing.

--
Ian Eiloart
IT Services, University of Sussex
x3148

From michele at blacknight.ie Mon Mar 16 13:31:32 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 16 Mar 2009 12:31:32 +0000
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References: ,
Message-ID:

So what about Gmail?

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From iane at sussex.ac.uk Mon Mar 16 13:59:07 2009
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Mon, 16 Mar 2009 12:59:07 +0000
Subject: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
In-Reply-To:
References: ,
Message-ID: <96A2A40D930B15F6A19D09A7@lewes.staff.uscs.susx.ac.uk>

--On 16 March 2009 12:31:32 +0000 "Michele Neylon :: Blacknight" wrote:

> So what about Gmail?

Dunno, what about them?
Some context to your question might be useful. I use Gmail, but not their web client.

> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.com/
> http://blog.blacknight.com/
> Intl. +353 (0) 59 9183072
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 1 4811 763
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business
> Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845

--
Ian Eiloart
IT Services, University of Sussex
x3148
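Two points in this thread are mechanical enough to show in code: Leo Vegoda's remark (12 March) that users and their on-line tools misread e-mail headers and so send abuse reports to the wrong place, and Ian Eiloart's reply (16 March) that mail clients should act on the List-Unsubscribe header instead of exposing raw headers. The following is an added example written for this archive page, not code from any of the posters or from the RIPE working group. It assumes a constructed set of trusted relay names (the `example.ac.uk` hosts), a constructed message with IPs from the documentation ranges, and the header conventions of RFC 5321/5322 (Received:), RFC 2369 (List-Unsubscribe) and RFC 8058 (List-Unsubscribe-Post). The security-relevant rule it encodes is the one a naive tool gets wrong: only the Received: lines written by your own relays can be trusted, so the IP to name in an abuse report is the one that handed the message to your outermost relay, not the bottom-most Received: line, which the sender controls.

```python
"""Reading mail headers for the user (added example; not code from the list thread).

Two things the thread says users and their tools get wrong:
  * finding the IP an abuse report should name: walk the Received: chain from
    the top (our own relays) downwards and stop at the first hop we did not
    write ourselves; everything below that line was supplied by the sender and
    may be forged, so the naive "bottom-most Received:" answer is unsafe;
  * exposing List-Unsubscribe (RFC 2369) and the RFC 8058 one-click marker so a
    client can offer an unsubscribe button instead of a header dump.
Host names, IPs and the sample message are constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Relays we operate (constructed names): Received: lines they wrote are trusted.
TRUSTED_HOSTS = {"mailstore.example.ac.uk", "mx1.example.ac.uk"}

_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message with the modern (policy.default) header API."""
    return email.message_from_string(raw, policy=policy.default)


def _parse_hop(received: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (receiving host, connecting IP) from one Received: header."""
    text = " ".join(str(received).split())              # unfold continuation lines
    by = _BY_HOST.search(text)
    from_clause = text[: by.start()] if by else text    # "from ... [ip]" precedes "by"
    ip = _BRACKET_IP.search(from_clause)
    return (by.group(1).lower() if by else None, ip.group(1) if ip else None)


def origin_ip(msg: EmailMessage, trusted=TRUSTED_HOSTS) -> Optional[str]:
    """IP that handed the message to our outermost trusted relay, or None."""
    handoff = None
    for received in msg.get_all("Received", []):   # top of message = most recent hop
        host, ip = _parse_hop(received)
        if host not in trusted:
            break                                   # below this point the sender wrote the headers
        if ip is not None:
            handoff = ip                            # keep descending while still inside our relays
    return handoff


def naive_origin_ip(msg: EmailMessage) -> Optional[str]:
    """What a simple tool does: take the bottom-most Received: line. Forgeable."""
    hops = msg.get_all("Received", [])
    return _parse_hop(hops[-1])[1] if hops else None


def unsubscribe_targets(msg: EmailMessage) -> List[str]:
    """URIs from List-Unsubscribe (RFC 2369): mailto: and/or http(s) links."""
    value = msg.get("List-Unsubscribe")
    return re.findall(r"<([^>]+)>", str(value)) if value else []


def one_click_unsubscribe(msg: EmailMessage) -> Optional[str]:
    """The https URI a client may POST to (RFC 8058), if the sender marked it."""
    post = msg.get("List-Unsubscribe-Post")
    if not post or "List-Unsubscribe=One-Click" not in str(post):
        return None
    for uri in unsubscribe_targets(msg):
        if uri.lower().startswith("https://"):
            return uri
    return None


# Constructed message: two hops our relays wrote, then one hop the sender forged.
SAMPLE = """\
Received: from mx1.example.ac.uk (mx1.example.ac.uk [10.0.0.5])
\tby mailstore.example.ac.uk with ESMTP id A1; Thu, 12 Mar 2009 16:40:01 +0000
Received: from bot.example.net (unknown [192.0.2.77])
\tby mx1.example.ac.uk with SMTP id A2; Thu, 12 Mar 2009 16:40:00 +0000
Received: from mail.example.org (mail.example.org [198.51.100.9])
\tby bot.example.net with ESMTP id A3; Thu, 12 Mar 2009 16:39:00 +0000
From: Shop <news@example.org>
To: user@example.ac.uk
Subject: Offer
List-Unsubscribe: <mailto:unsub@example.org?subject=unsubscribe>, <https://example.org/u/abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

body
"""

if __name__ == "__main__":
    m = parse(SAMPLE)
    print("report this IP:", origin_ip(m))          # 192.0.2.77
    print("naive tool says:", naive_origin_ip(m))   # 198.51.100.9 (the forged hop)
    print("unsubscribe:", unsubscribe_targets(m))
    print("one-click:", one_click_unsubscribe(m))
```

The trusted-host set is the one piece of local knowledge this needs: a client or reporting tool that does not know which relays belong to the recipient's provider cannot tell where the forgeable part of the chain begins, which is exactly why generic on-line header tools point users at the wrong network. For the unsubscribe button, a client should only auto-POST to the https target when the RFC 8058 marker is present; a bare mailto: target is better offered to the user as a pre-filled message than acted on silently.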