From chimel31 at live.fr Tue Oct 20 23:10:49 2009
From: chimel31 at live.fr (Chimel Chimel)
Date: Tue, 20 Oct 2009 21:10:49 +0000
Subject: [anti-abuse-wg] Antispam measures
Message-ID:

Hi,

I am not sure this mailing list is still active, the latest archived mail dates back from over a year ago.
I have 3 questions for this mailing list:

1) Does RIPE or other registrars impose antispam fighting measures or a code of conduct to the ISPs or telcos it allocates IP ranges to?
For instance, do these registrar customers specifically sign an agreement never to post spam themselves. Do they also sign an agreement to terminate IP sub-allocation or contract with their own customers who are using their IP addresses to post spam?

2) If there are such measures, how does RIPE enforce them?

3) What does RIPE intend to do about Ukrtelecom, who is alone responsible for hundreds of thousands of daily spam posts in discussion forums and BBSs?
According to the people in stopforumspam.com, every single post emanating from ukrtelecom is spam, there is not a single genuine user from that telco.
How can RIPE allocate hundreds of separate IP ranges to this single telco, especially if it is only a support for spam, not a telco at all.
When querying the RIPE database for ukrtelecom, it returns 300 IP ranges, but that's only because the web site is limited to 300 answers.
I'd like to see the whole list in order to ban it all from my forum, even if it means banning genuine users from Ukraine.
And of course, when I say ukrtelecom is a spammer site, I really mean it is a mafia site that makes millions of dollars every month in illegal activities, selling dangerous fake medicines such as viagra or tamiflu.
In these times of IP addresses shortening, it would make a lot more IPs available if the registrars would cancel IP allocation from the customers who break the antispam rules.

Thanks,
Chimel.

By the way, a BBS seems to be a more adequate way than a mailing list to handle this kind of discussion.
Just my 2 cents.

From fweimer at bfk.de Wed Oct 21 10:52:39 2009
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 21 Oct 2009 08:52:39 +0000
Subject: [anti-abuse-wg] Antispam measures
In-Reply-To: (Chimel Chimel's message of "Tue\, 20 Oct 2009 21\:10\:49 +0000")
References:
Message-ID: <82vdi9uo14.fsf@mid.bfk.de>

* Chimel Chimel:

> 1) Does RIPE or other registrars impose antispam fighting measures
> or a code of conduct to the ISPs or telcos it allocates IP ranges
> to?

No, not that I know.

> For instance, do these registrar customers specifically sign an
> agreement never to post spam themselves. Do they also sign an
> agreement to terminate IP sub-allocation or contract with their own
> customers who are using their IP addresses to post spam?

No, surely not. That would be poor service. You don't want to lose your IP resources just because your infrastructure has been compromised. 8-(

> 2) If there are such measures, how does RIPE enforce them?

There is no enforcement.

> 3) What does RIPE intend to do about Ukrtelecom, who is alone
> responsible for hundreds of thousands of daily spam posts in
> discussion forums and BBSs?

Well ...

> According to the people in stopforumspam.com, every single post
> emanating from ukrtelecom is spam, there is not a single genuine
> user from that telco.

... so you should be lucky that it's so easy to filter that type of spam. If you shut down netblocks, the badness just spreads far and wide and gets more difficult to track.

Of course, if the activity is indeed illegal, it should be stopped.
One problem we face is that a lot of questionable practices (DNS poisoning, injecting pop-ups with ads, installing software on PCs without informed consent) are also carried out by obviously legitimate businesses, so it's often difficult to convince a prosecutor that it's illegal.

On top of that, many legal scholars claim that in the EU, once you say the magic word, "telco", you are no longer responsible for the traffic you handle, much like anyone could seek asylum in Germany (until we got rid of this constitutional guarantee in the 90s, which was rather disappointing because nothing expresses your national wealth better than an almost unconditional willingness to share it). This blanket liability exemption is the root of the problem, and it is pretty much unique to the telco sector, at least in its generality. It has to go.

> I'd like to see the whole list in order to ban it all from my forum,
> even if it means banning genuine users from Ukraine.

The relevant parts of the RIPE database are available from ftp.ripe.net. In the past, I've generated anti-abuse ACLs from mnt-by handles, which was surprisingly effective. Using BGP might help as well.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From peter at hk.ipsec.se Wed Oct 21 12:38:27 2009
From: peter at hk.ipsec.se (peter håkanson)
Date: Wed, 21 Oct 2009 12:38:27 +0200
Subject: Fwd: [anti-abuse-wg] Antispam measures
References: <0E9B50D8-FF94-4284-B87A-C6684E2D1CE4@hk.ipsec.se>
Message-ID: <30F6500C-06CF-4D42-8D24-F4C2A3358A5B@hk.ipsec.se>

Begin forwarded message:

> From: peter håkanson
> Date: October 21, 2009 10:22:13 AM GMT+02:00
> To: Chimel Chimel
> Subject: Re: [anti-abuse-wg] Antispam measures
>
> On Oct 20, 2009, at 11:10 PM, Chimel Chimel wrote:
>
>> Hi,
>>
>> I am not sure this mailing list is still active, the latest
>> archived mail dates back from over a year ago.
>
> yes, the list is sporadically active, however the working group has given up
> with spam and calls itself 'anti-abuse' these days.
>
>> I have 3 questions for this mailing list:
>>
>> 1) Does RIPE or other registrars impose antispam fighting measures
>> or a code of conduct to the ISPs or telcos it allocates IP ranges to?
>> For instance, do these registrar customers specifically sign an
>> agreement never to post spam themselves. Do they also sign an
>> agreement to terminate IP sub-allocation or contract with their own
>> customers who are using their IP addresses to post spam?
>>
>> 2) If there are such measures, how does RIPE enforce them?
>>
>> 3) What does RIPE intend to do about Ukrtelecom, who is alone
>> responsible for hundreds of thousands of daily spam posts in
>> discussion forums and BBSs?
>> According to the people in stopforumspam.com, every single post
>> emanating from ukrtelecom is spam, there is not a single genuine
>> user from that telco.
>> How can RIPE allocate hundreds of separate IP ranges to this single
>> telco, especially if it is only a support for spam, not a telco at
>> all.
>> When querying the RIPE database for ukrtelecom, it returns 300 IP
>> ranges, but that's only because the web site is limited to 300
>> answers.
>> I'd like to see the whole list in order to ban it all from my
>> forum, even if it means banning genuine users from Ukraine.
>> And of course, when I say ukrtelecom is a spammer site, I really
>> mean it is a mafia site that makes millions of dollars every month
>> in illegal activities, selling dangerous fake medicines such as
>> viagra or tamiflu.
>> In these times of IP addresses shortening, it would make a lot more
>> IPs available if the registrars would cancel IP allocation from the
>> customers who break the antispam rules.
>
> Amen !
>
> In the meantime, block the offending ranges. This will make the ip's
> isolated.
> A number of blocklists are available that keep current records of
> offending ranges.
>
>>
>> Thanks,
>> Chimel.
>>
>> By the way, a BBS seems to be a more adequate way than a mailing
>> list to handle this kind of discussion. Just my 2 cents.
>
> ======================================================
> Peter Håkanson        Phone +46707328101 Fax +4631223190
> IPSec sverige         Email peter at ipsec.se
> "Safe by design"      Address Bror Nilssons gata 16
>                       Lundbystrand
>                       S-417 55 Gothenburg Sweden

From peter at hk.ipsec.se Wed Oct 21 12:38:49 2009
From: peter at hk.ipsec.se (peter håkanson)
Date: Wed, 21 Oct 2009 12:38:49 +0200
Subject: Fwd: [anti-abuse-wg] Antispam measures
References: <5036E015-CC9D-4D2E-AD84-FB340601B07F@hk.ipsec.se>
Message-ID: <28DB0818-4AC0-40D1-8E52-7638C74B5DF9@hk.ipsec.se>

Begin forwarded message:

> From: peter håkanson
> Date: October 21, 2009 11:33:51 AM GMT+02:00
> To: Florian Weimer
> Subject: Re: [anti-abuse-wg] Antispam measures
>
> On Oct 21, 2009, at 10:52 AM, Florian Weimer wrote:
>
>> * Chimel Chimel:
>>
>>> 1) Does RIPE or other registrars impose antispam fighting measures
>>> or a code of conduct to the ISPs or telcos it allocates IP ranges
>>> to?
>>
>> No, not that I know.
>>
>>> For instance, do these registrar customers specifically sign an
>>> agreement never to post spam themselves. Do they also sign an
>>> agreement to terminate IP sub-allocation or contract with their own
>>> customers who are using their IP addresses to post spam?
>>
>> No, surely not. That would be poor service. You don't want to lose
>> your IP resources just because your infrastructure has been
>> compromised. 8-(
>
> On the contrary, a real risk of losing their allocation might be
> a good motivation to run their shop accordingly. As of today some
> providers don't care (and will benefit from spammers).
>
> Just like alcohol-serving firms (bars etc.) if they don't run their bar
> according to local rules they will lose the permits.
> We don't allow sleazy hospitals either. Why should we permit
> sleazy ISP's to poison our vital infrastructure ??
>
>>
>>> 2) If there are such measures, how does RIPE enforce them?
>>
>> There is no enforcement.
>>
>>> 3) What does RIPE intend to do about Ukrtelecom, who is alone
>>> responsible for hundreds of thousands of daily spam posts in
>>> discussion forums and BBSs?
>>
>> Well ...
>>
>>> According to the people in stopforumspam.com, every single post
>>> emanating from ukrtelecom is spam, there is not a single genuine
>>> user from that telco.
>>
>> ... so you should be lucky that it's so easy to filter that type of
>> spam. If you shut down netblocks, the badness just spreads far and
>> wide and gets more difficult to track.
>>
>> Of course, if the activity is indeed illegal, it should be stopped.
>> One problem we face is that a lot of questionable practices (DNS
>> poisoning, injecting pop-ups with ads, installing software on PCs
>> without informed consent) are also carried out by obviously legitimate
>> businesses, so it's often difficult to convince a prosecutor that it's
>> illegal.
>>
>> On top of that, many legal scholars claim that in the EU, once you say
>> the magic word, "telco", you are no longer responsible for the traffic
>> you handle, much like anyone could seek asylum in Germany (until we
>> got rid of this constitutional guarantee in the 90s, which was rather
>> disappointing because nothing expresses your national wealth better
>> than an almost unconditional willingness to share it). This blanket
>> liability exemption is the root of the problem, and it is pretty much
>> unique to the telco sector, at least in its generality. It has to go.
>
> We don't have to resort to legal discussions here, if RIPE supplies goods
> under some conditions, any breakage of that condition is enough
> to terminate the contract. It's a deal between business partners.
>>
>>> I'd like to see the whole list in order to ban it all from my forum,
>>> even if it means banning genuine users from Ukraine.
>>
>> The relevant parts of the RIPE database are available from
>> ftp.ripe.net. In the past, I've generated anti-abuse ACLs from mnt-by
>> handles, which was surprisingly effective. Using BGP might help as
>> well.
>>
>> --
>> Florian Weimer
>> BFK edv-consulting GmbH       http://www.bfk.de/
>> Kriegsstraße 100              tel: +49-721-96201-1
>> D-76133 Karlsruhe             fax: +49-721-96201-99
>
> ======================================================
> Peter Håkanson        Phone +46707328101 Fax +4631223190
> IPSec sverige         Email peter at ipsec.se
> "Safe by design"      Address Bror Nilssons gata 16
>                       Lundbystrand
>                       S-417 55 Gothenburg Sweden

From brian.nisbet at heanet.ie Wed Oct 21 14:06:13 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 21 Oct 2009 13:06:13 +0100
Subject: [anti-abuse-wg] Antispam measures
In-Reply-To:
References:
Message-ID: <4ADEF935.8030705@heanet.ie>

Hi,

I'm going to be repeating some of what Florian said, but hopefully not all!

Chimel Chimel wrote the following on 20/10/2009 22:10:
> Hi,
>
> I am not sure this mailing list is still active, the latest archived
> mail dates back from over a year ago.

The Anti-Spam WG became the Anti-Abuse WG in or around a year ago. The Anti-Abuse WG mailing list is definitely active.

> I have 3 questions for this mailing list:
>
> 1) Does RIPE or other registrars impose antispam fighting measures or a
> code of conduct to the ISPs or telcos it allocates IP ranges to?
> For instance, do these registrar customers specifically sign an
> agreement never to post spam themselves. Do they also sign an agreement
> to terminate IP sub-allocation or contract with their own customers who
> are using their IP addresses to post spam?

There is an existing RIPE document, RIPE-409, Good Practice in Minimising E-mail Abuse, which is a BCP document written for ISPs. This is not a code of conduct, per se, nor is it imposed, but it is what the RIPE community thinks a good Internet citizen should do.
There is no specific agreement signed as part of becoming a member. So, really, the answer is no, but the BCP document does exist and it will be expanded shortly.

> 2) If there are such measures, how does RIPE enforce them?

The RIPE NCC do not police their members' activities in this way. There was some information given as part of the NCC Services WG session at RIPE 59 discussing the circumstances in which the NCC would close a registry and also the limitations inherent in the actions the NCC can take in this regard.

> 3) What does RIPE intend to do about Ukrtelecom, who is alone
> responsible for hundreds of thousands of daily spam posts in discussion
> forums and BBSs?

If you are asking what does the RIPE NCC plan to do about individual ISPs or members, then you should direct your questions to them, rather than to this WG, which is part of the RIPE community, not the NCC. This is an important difference.

Florian's answer to this point covers it well, these things are often not as straightforward as they are painted. If this ISP is breaking the law in the Ukraine, then it should be dealt with by the local law enforcement there. The RIPE NCC, as mentioned, is limited in the reasons it has to close a member, such as non-payment of fees or breach of contract, and even if they did shut a member down, this does not stop that member from continuing to use the resources. There is no kill switch.

If you feel that the NCC should have more/different powers in this area, then it is up to the community to create a policy that will get consensus. However, registries are not the Internet police, this is an important point to remember.
Regards,

Brian
Co-Chair, RIPE AA-WG

From jrace at attglobal.net Wed Oct 21 14:54:58 2009
From: jrace at attglobal.net (Jeffrey Race)
Date: Wed, 21 Oct 2009 19:54:58 +0700
Subject: [anti-abuse-wg] Antispam measures
In-Reply-To: <4ADEF935.8030705@heanet.ie>
Message-ID: <20091021130025.839DC6A002@postboy.ripe.net>

On Wed, 21 Oct 2009 13:06:13 +0100, Brian Nisbet wrote:
> However, registries are not the Internet police, this is an
> important point to remember.

Precisely; you cannot curb anti-social behavior without rapid and ultimately terminal penalties; this is the way of the world; the Internet will remain lawless and spam will continue to increase until the same lessons applied in every other domain of human activity are brought to bear on the Internet, by e.g. RIPE and ICANN.

As you say, it's your choice.

It's all in based on

From jerome.bouat at wanadoo.fr Wed Oct 21 18:25:46 2009
From: jerome.bouat at wanadoo.fr (Jérôme Bouat)
Date: Wed, 21 Oct 2009 18:25:46 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <20091021130025.839DC6A002@postboy.ripe.net>
References: <20091021130025.839DC6A002@postboy.ripe.net>
Message-ID: <4ADF360A.4070907@wanadoo.fr>

Hello,

I use to report spam to the spam abuse mailboxes which are defined by the whois database.

However, I'm always encountering the below issues:
- the mailbox domain isn't valid
- the mailbox is full
- the mailbox doesn't exist

Who can I contact in order to ensure the Whois database is tidied up.

I tried to reach the top registry of the domain (-l whois option).

However nobody is fixing those reference databases !

Could we possibly disconnect the networks which aren't tidying their whois records ?

Regards.
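
[Added example, not part of the thread and not code from any poster: earlier in this thread Florian Weimer mentions generating anti-abuse ACLs from mnt-by handles in the RIPE database files on ftp.ripe.net. The Python below shows one way to do that for inetnum objects; the sample objects, the documentation address ranges, the EXAMPLE-MNT / OTHER-MNT handles and the function names are all constructed for this example.]

```python
import ipaddress

# Constructed sample in the RPSL "attribute: value" layout of the RIPE
# database split files. Ranges are documentation prefixes and the
# maintainer handles are made up.
SAMPLE_DUMP = """\
% constructed sample, not real registry data

inetnum:        192.0.2.0 - 192.0.2.127
netname:        EXAMPLE-NET-1
country:        ZZ
mnt-by:         EXAMPLE-MNT

inetnum:        192.0.2.128 - 192.0.2.255
netname:        EXAMPLE-NET-2
mnt-by:         OTHER-MNT,
                example-mnt

inetnum:        198.51.100.0 - 198.51.100.255
netname:        UNRELATED-NET
mnt-by:         OTHER-MNT

inetnum:        203.0.113.4 - 203.0.113.10
netname:        EXAMPLE-NET-3
mnt-by:         EXAMPLE-MNT
"""


def parse_objects(text):
    """Yield each object as a list of (attribute, value) pairs."""
    attrs = []
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue                          # server and comment lines
        if not line.strip():                  # blank line ends an object
            if attrs:
                yield attrs
                attrs = []
            continue
        if line[0] in " \t+" and attrs:       # continuation of previous value
            name, value = attrs[-1]
            extra = line[1:].split("#")[0].strip()
            attrs[-1] = (name, (value + " " + extra).strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs.append((name.strip().lower(), value.split("#")[0].strip()))
    if attrs:
        yield attrs


def maintainers(obj):
    """Return the upper-cased set of mnt-by handles listed on one object."""
    handles = set()
    for name, value in obj:
        if name == "mnt-by":
            handles.update(h.strip().upper() for h in value.split(",") if h.strip())
    return handles


def acl_for_maintainer(text, handle):
    """Return the minimal CIDR list covering inetnum objects whose mnt-by
    includes `handle` (handles compare case-insensitively)."""
    wanted = handle.upper()
    nets = []
    for obj in parse_objects(text):
        if obj[0][0] != "inetnum" or wanted not in maintainers(obj):
            continue
        first, _, last = obj[0][1].partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
            # A range need not fall on a prefix boundary, so split it
            # into the exact set of prefixes that covers it.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        except ValueError:
            continue                          # malformed range: skip, don't guess
    # Merge adjacent and overlapping prefixes so the ACL stays short.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for cidr in acl_for_maintainer(SAMPLE_DUMP, "EXAMPLE-MNT"):
        print(cidr)
```

[The result covers only inetnum objects that list the handle in mnt-by, so it is only as accurate as the registry data it is built from.]
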
From michele at blacknight.ie Thu Oct 22 00:52:32 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed, 21 Oct 2009 23:52:32 +0100
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF360A.4070907@wanadoo.fr>
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr>
Message-ID:

On 21 Oct 2009, at 17:25, Jérôme Bouat wrote:

> Hello,
>
>
> I use to report spam to the spam abuse mailboxes which are defined by
> the whois database.

Which one??

>
> However, I'm always encountering the below issues:
> - the mailbox domain isn't valid
> - the mailbox is full
> - the mailbox doesn't exist
>
>
> Who can I contact in order to ensure the Whois database is tidied up.
>
> I tried to reach the top registry of the domain (-l whois option).
>
> However nobody is fixing those reference databases !
>
> Could we possibly disconnect the networks which aren't tidying their
> whois records ?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From knut at abusix.org Thu Oct 22 01:01:30 2009
From: knut at abusix.org (Tobias Knecht)
Date: Thu, 22 Oct 2009 01:01:30 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To:
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr>
Message-ID: <4ADF92CA.7050802@abusix.org>

Hi,

>> I use to report spam to the spam abuse mailboxes which are defined by
>> the whois database.
>
> Which one??

Good question. We (abusix) are trying to get a new Best Practice done.

Please have a look at the attachment. That's a first draft to get a standardized place for abuse addresses.
Once this is done and accepted as a best practice we could take the next step and try to get it mandatory and let's see what will happen then.

>> However, I'm always encountering the below issues:
>> - the mailbox domain isn't valid
>> - the mailbox is full
>> - the mailbox doesn't exist

http://abusix.org/services/abuse-contact-db

Could be interesting for you. ;-)

>> Who can I contact in order to ensure the Whois database is tidied up.
>>
>> I tried to reach the top registry of the domain (-l whois option).
>>
>> However nobody is fixing those reference databases !
>>
>> Could we possibly disconnect the networks which aren't tidying their
>> whois records ?

We had some good effort by doing the global reporting thing. Possibly you wanna join us and report your stuff globally. If you need help or some scripts for ARF reporting. Let me know.

Whatever you do to move RIPE and those members, let us know. We will support you.

Thanks,

Tobias

--
abusix.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-irt-ripe.pdf
Type: application/pdf
Size: 225090 bytes
Desc: not available

From michele at blacknight.ie Thu Oct 22 01:27:24 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 22 Oct 2009 00:27:24 +0100
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF92CA.7050802@abusix.org>
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr> <4ADF92CA.7050802@abusix.org>
Message-ID:

On 22 Oct 2009, at 00:01, Tobias Knecht wrote:

> Hi,
>
>>> I use to report spam to the spam abuse mailboxes which are defined by
>>> the whois database.
>>
>> Which one??
>
> Good question. We (abusix) are trying to get a new Best Practice done.
>
> Please have a look at the attachment.
> That's a first draft to get a
> standardized place for abuse addresses. Once this is done and accepted
> as a best practice we could take the next step and try to get it
> mandatory and let's see what will happen then.

Does that address the question posed though?

ie. which whois database

>
>>> However, I'm always encountering the below issues:
>>> - the mailbox domain isn't valid
>>> - the mailbox is full
>>> - the mailbox doesn't exist
>
> http://abusix.org/services/abuse-contact-db
>
> Could be interesting for you. ;-)
>
>>> Who can I contact in order to ensure the Whois database is tidied up.
>>>
>>> I tried to reach the top registry of the domain (-l whois option).
>>>
>>> However nobody is fixing those reference databases !
>>>
>>> Could we possibly disconnect the networks which aren't tidying their
>>> whois records ?
>
>
> We had some good effort by doing the global reporting thing. Possibly
> you wanna join us and report your stuff globally. If you need help or
> some scripts for ARF reporting. Let me know.

Oh how I hate those things!

I'm sick to death of our abuse desk being flooded with reports about mailscanner.info

Please tell me you've whitelisted it!

>
>
> Whatever you do to move RIPE and those members, let us know. We will
> support you.

Spam and abuse (in general) are global problems.

>
> Thanks,
>
> Tobias
>
> --
> abusix.org
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From leo.vegoda at icann.org Thu Oct 22 01:32:43 2009
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Wed, 21 Oct 2009 16:32:43 -0700
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF92CA.7050802@abusix.org>
Message-ID:

Tobias,

On 21/10/2009 4:01, "Tobias Knecht" wrote:

[...]

> http://abusix.org/services/abuse-contact-db
>
> Could be interesting for you. ;-)

Did you get permission from the RIPE NCC to re-package the RIPE database data? See Article 4, clause 5:

http://www.ripe.net/db/support/db-terms-conditions.pdf

Regards,

Leo

From chimel31 at live.fr Thu Oct 22 01:54:34 2009
From: chimel31 at live.fr (Chimel Chimel)
Date: Wed, 21 Oct 2009 23:54:34 +0000
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF360A.4070907@wanadoo.fr>
References: <20091021130025.839DC6A002@postboy.ripe.net>
Message-ID:

I can add a #4, Jérôme:
- The abuse mailbox does not answer or acknowledge the spam report mail

Happened several times when I asked Israel NV-Hosen_Stones if they were aware that spam came from their IP range.
I have now blocked their whole IP range from our forum, since I consider that not answering spam reports is equivalent to actively supporting spam.
That might block genuine users, but since our forum is addictive, that will hopefully force our members to change ISP and support clean ones. ;-)

> From: jerome.bouat at wanadoo.fr
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] Whois database accuracy
> Date: Wed, 21 Oct 2009 18:25:46 +0200
>
> Hello,
>
>
> I use to report spam to the spam abuse mailboxes which are defined by
> the whois database.
>
> However, I'm always encountering the below issues:
> - the mailbox domain isn't valid
> - the mailbox is full
> - the mailbox doesn't exist
>
>
> Who can I contact in order to ensure the Whois database is tidied up.
>
> I tried to reach the top registry of the domain (-l whois option).
>
> However nobody is fixing those reference databases !
>
> Could we possibly disconnect the networks which aren't tidying their
> whois records ?
>
>
> Regards.
>

From jerome.bouat at wanadoo.fr Thu Oct 22 03:05:26 2009
From: jerome.bouat at wanadoo.fr (Jérôme Bouat)
Date: Thu, 22 Oct 2009 03:05:26 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To:
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr>
Message-ID: <4ADFAFD6.2070908@wanadoo.fr>

> Which one??

It depends on the origin:
http://www.afrinic.net/cgi-bin/whois
https://ws.arin.net/whois
http://lacnic.net/cgi-bin/lacnic/whois?lg=EN
http://www.db.ripe.net/whois
http://wq.apnic.net/apnic-bin/whois.pl

I think it would be easier to have 1 only big whois primary source which may be replicated in each continent.

From jerome.bouat at wanadoo.fr Thu Oct 22 03:15:44 2009
From: jerome.bouat at wanadoo.fr (Jérôme Bouat)
Date: Thu, 22 Oct 2009 03:15:44 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF92CA.7050802@abusix.org>
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr> <4ADF92CA.7050802@abusix.org>
Message-ID: <4ADFB240.9040705@wanadoo.fr>

> http://abusix.org/services/abuse-contact-db

I don't see how it is different from a standardized whois entry like the "abuse-mailbox" whois records.
I think that the databases already exist (the whois database was designed for that). The problem is that they aren't maintained.

We need resources in order to kick the invalid whois records and possibly cut/slowdown/harm the bad networks in case of lack of admin.

From esa at laitinen.org Thu Oct 22 08:43:39 2009
From: esa at laitinen.org (Esa Laitinen)
Date: Thu, 22 Oct 2009 08:43:39 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF92CA.7050802@abusix.org>
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr> <4ADF92CA.7050802@abusix.org>
Message-ID: <816d19510910212343h5306ffcel6737e80c7673056d@mail.gmail.com>

2009/10/22 Tobias Knecht

>
> http://abusix.org/services/abuse-contact-db
>
> Could be interesting for you. ;-)
>

Another good resource would be http://abuse.net/using.phtml

I really hate this fragmentation of anti-spam effort, like we had over abundance of volunteers and time. Unfortunately there is nothing I can do about it.

esa

From emile.aben at ripe.net Thu Oct 22 14:48:10 2009
From: emile.aben at ripe.net (Emile Aben)
Date: Thu, 22 Oct 2009 14:48:10 +0200
Subject: [anti-abuse-wg] Antispam measures
In-Reply-To:
References:
Message-ID: <4AE0548A.6050601@ripe.net>

Triggered by this email thread I decided to take a closer look at data for Ukrtelecom using the Resource Explainer tool we presented at RIPE59.
Here are my findings:
http://labs.ripe.net/node/85

Hope people find it useful.

best regards,
Emile Aben
RIPE NCC Research Engineer

From brian.nisbet at heanet.ie Thu Oct 22 16:18:06 2009
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 22 Oct 2009 15:18:06 +0100
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF92CA.7050802@abusix.org>
References: <20091021130025.839DC6A002@postboy.ripe.net> <4ADF360A.4070907@wanadoo.fr> <4ADF92CA.7050802@abusix.org>
Message-ID: <4AE0699E.7050200@heanet.ie>

Tobias,

>>> I use to report spam to the spam abuse mailboxes which are defined by
>>> the whois database.
>> Which one??
>
> Good question. We (abusix) are trying to get a new Best Practice done.
>
> Please have a look at the attachment. That's a first draft to get a
> standardized place for abuse addresses. Once this is done and accepted
> as a best practice we could take the next step and try to get it
> mandatory and let's see what will happen then.

I'm not sure if there is any disagreement amongst the community that the best practice is to have clearly marked abuse contact information. However, with this agreement in mind, what do you consider the benchmark of having your best practice suggestions formally accepted, by your standards?

>>> Who can I contact in order to ensure the Whois database is tidied up.
>>>
>>> I tried to reach the top registry of the domain (-l whois option).
>>>
>>> However nobody is fixing those reference databases !
>>>
>>> Could we possibly disconnect the networks which aren't tidying their
>>> whois records ?
>
>
> We had some good effort by doing the global reporting thing. Possibly
> you wanna join us and report your stuff globally. If you need help or
> some scripts for ARF reporting. Let me know.

I should note at this point that there were no voices raised in support of abusix's manner of reporting at the WG session in Lisbon. While obviously there are those who do support your methodology, I would contend that this support is not community wide.
Tobias, to be honest, I'm not sure what the victory conditions are for
your feelings on abuse mailboxes/contacts. I don't think anyone is
arguing (or certainly not here) that they are useful and should be
properly in place, but I'm not at all sure you will receive backing to
make them mandatory. However, we'll never find that out until a policy
is proposed to the RIPE community.

Regards,

Brian.

From chimel31 at live.fr  Thu Oct 22 16:29:02 2009
From: chimel31 at live.fr (Chimel Chimel)
Date: Thu, 22 Oct 2009 14:29:02 +0000
Subject: [anti-abuse-wg] Antispam measures
In-Reply-To: <4AE0548A.6050601@ripe.net>
References:
Message-ID:

Thanks, Emile, and to all the other persons in the mailing list who
replied. I'll check out REX!

> From: emile.aben at ripe.net
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Antispam measures
> Date: Thu, 22 Oct 2009 14:48:10 +0200
>
> Triggered by this email thread I decided to take a closer look at data
> for Ukrtelecom using the Resource Explainer tool we presented at RIPE59.
> Here are my findings:
> http://labs.ripe.net/node/85
>
> Hope people find it useful.
>
> best regards,
> Emile Aben
> RIPE NCC Research Engineer
>
>
> Chimel Chimel wrote:
> > Hi,
> >
> > I am not sure this mailing list is still active, the latest archived
> > mail dates back from over a year ago.
> > I have 3 questions for this mailing list:
> >
> > 1) Does RIPE or other registrars impose antispam fighting measures or a
> > code of conduct to the ISPs or telcos it allocates IP ranges to?
> > For instance, do these registrar customers specifically sign an
> > agreement never to post spam themselves. Do they also sign an agreement
> > to terminate IP sub-allocation or contract with their own customers who
> > are using their IP addresses to post spam?
> >
> > 2) If there are such measures, how does RIPE enforce them?
> >
> > 3) What does RIPE intend to do about Ukrtelecom, who is alone
> > responsible for hundreds of thousands of daily spam posts in discussion
> > forums and BBSs?
> > According to the people in stopforumspam.com, every single post
> > emanating from ukrtelecom is spam, there is not a single genuine user
> > from that telco.
> > How can RIPE allocate hundreds of separate IP ranges to this single
> > telco, especially if it is only a support for spam, not a telco at all.
> > When querying the RIPE database for ukrtelecom, it returns 300 IP
> > ranges, but that's only because the web site is limited to 300 answers.
> > I'd like to see the whole list in order to ban it all from my forum,
> > even if it means banning genuine users from Ukraine.
> > And of course, when I say ukrtelecom is a spammer site, I really mean
> > it is a mafia site that makes millions of dollars every month in illegal
> > activities, selling dangerous fake medicines such as viagra or tamiflu.
> > In these times of IP addresses shortening, it would make a lot more IPs
> > available if the registrars would cancel IP allocation from the
> > customers who break the antispam rules.
> >
> > Thanks,
> > Chimel.
> >
> > By the way, a BBS seems to be a more adequate way than a mailing list to
> > handle this kind of discussion. Just my 2 cents.

From peter at hk.ipsec.se  Thu Oct 22 18:43:23 2009
From: peter at hk.ipsec.se (peter håkanson)
Date: Thu, 22 Oct 2009 18:43:23 +0200
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To:
References: <20091021130025.839DC6A002@postboy.ripe.net>
Message-ID: <10D7D6CD-7DED-4D45-9A1D-DF1A91B5E2B7@hk.ipsec.se>

On Oct 22, 2009, at 1:54 AM, Chimel Chimel wrote:

> I can add a #4, Jérôme:
>
> - The abuse mailbox does not answer or acknowledge the spam report
> mail
>
> Happened several times when I asked Israel NV-Hosen_Stones if they
> were aware that spam came from their IP range.
> I have now blocked their whole IP range from our forum, since I
> consider that not answering spam reports is equivalent to actively
> supporting spam.
> That might block genuine users, but since our forum is addictive,
> that will hopefully force our members to change ISP and support
> clean ones. ;-)

exactly the right(Tm) action to do.
( blocking abusive ISP's and have their users to take their money
elsewhere)

======================================================
Peter Håkanson          Phone +46707328101
                        Fax +4631223190
IPSec sverige           Email peter at ipsec.se
"Safe by design"        Address Bror Nilssons gata 16 Lundbystrand
                        S-417 55 Gothenburg
                        Sweden

From richard.cox at btuser.net  Fri Oct 23 16:20:53 2009
From: richard.cox at btuser.net (Richard Cox)
Date: Fri, 23 Oct 2009 14:20:53 +0000
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To: <4ADF360A.4070907@wanadoo.fr>
Message-ID:

On Wed, 21 Oct 2009 Jerome Bouat wrote:

> Could we possibly disconnect the network which aren't tidying their
> whois records ?

To amplify one of Brian's points:

The problem there is that WE (which for the purposes of this discussion
only, would include RIPE NCC) can't disconnect anybody. You've made an
invalid assumption which - frankly - I also made for many years, until
the full reality of the situation dawned on me.

The only people who can disconnect a network are its peers and upstreams.
To a large extent that means that if any of the backbone networks agrees
to accept the traffic, the network stays connected. If ALL the backbone
networks agree not to accept traffic from block owners that do not have
(or do not answer) valid abuse etc addresses, then we would have a way
forward. It only takes one such backbone network to carry the traffic
and the problem remains. And experience tells us that there will be one.

RIPE and other RIRs allocate IP ranges and ASNs. Although there is
a routing database, that does NOT actually control the routing. All
that RIPE NCC controls, is the entitlement to use the numbers, and the
reverse DNS delegations. Now, if the RIPE NCC were to recover a block
allocation or ASN because the WHOIS data was bad, or the network would
not deal with abuse issues reported (and by the way I am not advocating
that as a policy) those addresses and ASN could continue to be used.
All that would happen would be that rDNS would stop working, and there
would no longer be any visible track of who was running that network.

In an ideal world the upstreams would stop routing the traffic as soon
as they became aware of the situation. That's very far from being a
universally adopted practice, as was found recently when several of the
other RIRs withdrew numerous IP address blocks for non-payment of fees:
and Afrinic's withdrawal of Zimbabwean blocks was one example of this
triggered by the recent currency problems in Zimbabwe.

IP traffic is just like international telephone routing - if an entity
says it is using a number range, and its peers and upstreams accept the
claim, then connections will get through. And in many cases those
upstreams will be influenced by the payments they get for the traffic,
either at standard or enhanced rates. If there are conflicting routing
claims, then obviously the connectivity will become somewhat unreliable.

So effectively the only people who can "disconnect" an address range
are the individual ISPs - by rejecting that traffic locally - but that
rarely happens either, because of the probability of losing legitimate
traffic in the process. There are a few network ranges that are known
to be all used for crime or abuse, and a lot of ISPs now use the list
at http://www.spamhaus.org/drop to block that traffic. I hope you do!

For the other cases, pressure on the upstreams carrying the traffic
from the entity that has misconfigured data, is probably the best way
to get the problem fixed. Blocking that traffic locally is a good
thing for ISPs to do, but it will take a lot of them to impose blocking
before corrective action will be taken.

Regards,

Richard
Co-Chair, RIPE AA-WG

From chimel31 at live.fr  Fri Oct 23 18:47:41 2009
From: chimel31 at live.fr (Chimel Chimel)
Date: Fri, 23 Oct 2009 16:47:41 +0000
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To:
References: <4ADF360A.4070907@wanadoo.fr>
Message-ID:

Thanks for summarizing the situation, Richard, but that's really
frustrating nonetheless. If the registrars can't enforce penalties
because the whois information is broken or the ISP does not answer,
it is basically useless to contact their abuse email, even for
documentation purpose. Same for abuse penalties: As one moderator in
one very small forum, we are attacked daily by 10-20 spam posts that
pass the barrier of the stopforumspam blacklist. I often find myself
being the first to report a spammer in their database. Email spam does
not seem to have the same problem, at least with the main email
providers such as gmail and live, the blacklist they use seems to be
efficient, I never receive spam on these accounts. As an individual
wasting at least 2 man-weeks every year (basically, that's my vacations
gone) fighting abuse, what can we do to raise awareness and help
stopping this abuse definitely?
I understand that telcos have too much financial interest in that
matter to let go the millions they make out of spam traffic, and I
understand that the politicians can't really fight the telcos lobbies
either, so what's left to us, and how can we help give the registrars
the responsibilities and enforcement powers they should have?

For instance, it is a real shame that all these blacklist databases
have been created privately by people fed up with abuse. This should
be funded and controlled by the registrars IMHO.

I think there are already clauses asking the telcos and ISPs to
maintain the whois data up to date and accurate, and there should be
the same about abuse, but you can't put such clauses if you don't have
the means to enforce them or put the infrastructure that goes around,
such as blacklists, and make their usage mandatory at all levels.

BTW, if btuser.net means you work for British Telecoms, congrats, I
never experienced forum spam from one of their accounts (in my short
moderator life.) And you should renew the fee for that btuser.net
domain, it goes to a godaddy.com spam page telling this domain is for
sale at $1.99. ;-)

Thanks,
A naive Chimel.

> From: richard.cox at btuser.net
> Subject: Re: [anti-abuse-wg] Whois database accuracy
> To: anti-abuse-wg at ripe.net
> Date: Fri, 23 Oct 2009 14:20:53 +0000
>
> On Wed, 21 Oct 2009 Jerome Bouat wrote:
>
> > Could we possibly disconnect the network which aren't tidying their
> > whois records ?
>
> To amplify one of Brian's points:
>
> The problem there is that WE (which for the purposes of this discussion
> only, would include RIPE NCC) can't disconnect anybody. You've made an
> invalid assumption which - frankly - I also made for many years, until
> the full reality of the situation dawned on me.
>
> The only people who can disconnect a network are its peers and upstreams.
> To a large extent that means that if any of the backbone networks agrees
> to accept the traffic, the network stays connected. If ALL the backbone
> networks agree not to accept traffic from block owners that do not have
> (or do not answer) valid abuse etc addresses, then we would have a way
> forward. It only takes one such backbone network to carry the traffic
> and the problem remains. And experience tells us that there will be one.
>
> RIPE and other RIRs allocate IP ranges and ASNs. Although there is
> a routing database, that does NOT actually control the routing. All
> that RIPE NCC controls, is the entitlement to use the numbers, and the
> reverse DNS delegations. Now, if the RIPE NCC were to recover a block
> allocation or ASN because the WHOIS data was bad, or the network would
> not deal with abuse issues reported (and by the way I am not advocating
> that as a policy) those addresses and ASN could continue to be used.
> All that would happen would be that rDNS would stop working, and there
> would no longer be any visible track of who was running that network.
>
> In an ideal world the upstreams would stop routing the traffic as soon
> as they became aware of the situation. That's very far from being a
> universally adopted practice, as was found recently when several of the
> other RIRs withdrew numerous IP address blocks for non-payment of fees:
> and Afrinic's withdrawal of Zimbabwean blocks was one example of this
> triggered by the recent currency problems in Zimbabwe.
>
> IP traffic is just like international telephone routing - if an entity
> says it is using a number range, and its peers and upstreams accept the
> claim, then connections will get through. And in many cases those
> upstreams will be influenced by the payments they get for the traffic,
> either at standard or enhanced rates. If there are conflicting routing
> claims, then obviously the connectivity will become somewhat unreliable.
>
> So effectively the only people who can "disconnect" an address range
> are the individual ISPs - by rejecting that traffic locally - but that
> rarely happens either, because of the probability of losing legitimate
> traffic in the process. There are a few network ranges that are known
> to be all used for crime or abuse, and a lot of ISPs now use the list
> at http://www.spamhaus.org/drop to block that traffic. I hope you do!
>
> For the other cases, pressure on the upstreams carrying the traffic
> from the entity that has misconfigured data, is probably the best way
> to get the problem fixed. Blocking that traffic locally is a good
> thing for ISPs to do, but it will take a lot of them to impose blocking
> before corrective action will be taken.
>
> Regards,
>
> Richard
> Co-Chair, RIPE AA-WG

From richard.cox at btuser.net  Sat Oct 24 02:49:03 2009
From: richard.cox at btuser.net (Richard Cox)
Date: Sat, 24 Oct 2009 00:49:03 +0000
Subject: [anti-abuse-wg] Whois database accuracy
In-Reply-To:
Message-ID:

On Fri, 23 Oct 2009 Chimel Chimel wrote:

> Thanks for summarizing the situation, Richard, but that's really
> frustrating nonetheless. If the registrars can't enforce penalties
> because the whois information is broken or the ISP does not answer,
> it is basically useless to contact their abuse email, even for
> documentation purpose.

As I explained, the party that can enforce penalties is the upstream.

> For instance, it is a real shame that all these blacklist databases
> have been created privately by people fed up with abuse. This should
> be funded and controlled by the registrars IMHO.

If they were controlled by Registrars the situation would be far worse.

> BTW, if btuser.net means you work for British Telecoms, congrats,

No, in a sense it means I am a USER of BT's services. BTUSER.NET is
a "neutral" domain which I use in order to be able to speak here without
using my normal work account.

> And you should renew the fee for that btuser.net domain, it goes to
> a godaddy.com spam page telling this domain is for sale at $1.99. ;-)

To keep things neutral, that domain has just a GoDaddy parking page.
You may have misread the advertisement, it says that GoDaddy has (other)
domains at $1.99: the btuser.net domain is not to my knowledge for sale.

Regards,

-- 
Richard
Co-Chair, RIPE AA-WG
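
The local blocking discussed in this thread (rejecting traffic from listed ranges, or banning an operator's ranges from a forum) can be sketched as follows; this is an added example, not code from any message in the archive. The list layout (one CIDR per line, then `;` and a reference), the function names, the sample entries and the minimum-prefix policy are all assumptions; the check returns the matching entry so a moderator can audit why a legitimate user was refused.

```python
import ipaddress

# Constructed sample in the assumed layout "<CIDR> ; <reference>", where ';'
# starts a comment. Prefixes are documentation ranges; references are made up.
SAMPLE_LIST = """\
; constructed sample, not real listings
192.0.2.0/24 ; REF-0001
198.51.100.0/24 ; REF-0002
198.51.100.64/26 ; REF-0003
2001:db8:bad::/48 ; REF-0004
203.0.113.7/24 ; REF-0005
0.0.0.0/0 ; REF-0006
"""

# Assumed local policy: refuse entries broader than this, so one corrupted
# line cannot ban most of the Internet.
MIN_PREFIX = {4: 8, 6: 16}


def load_blocklist(text):
    """Return (index, rejected). index maps (version, prefixlen, network_int)
    to (cidr, reference); rejected lists (line_number, reason)."""
    index, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry, _, ref = raw.partition(";")
        entry = entry.strip()
        if not entry:
            continue  # blank line or comment
        try:
            net = ipaddress.ip_network(entry, strict=True)  # host bits set -> error
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((lineno, f"{net} is broader than local policy allows"))
            continue
        key = (net.version, net.prefixlen, int(net.network_address))
        index[key] = (str(net), ref.strip())
    return index, rejected


def match(index, address):
    """Return (cidr, reference) for the most specific listed range covering
    address, or None when the address is not listed."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client
    bits, value = ip.max_prefixlen, int(ip)
    for plen in range(bits, -1, -1):  # longest prefix first
        network_int = (value >> (bits - plen)) << (bits - plen)
        hit = index.get((ip.version, plen, network_int))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    index, rejected = load_blocklist(SAMPLE_LIST)
    for client in ("198.51.100.70", "::ffff:192.0.2.9", "203.0.113.7"):
        print(client, "->", match(index, client) or "allowed")
    print("rejected lines:", rejected)
```

Lines that fail to parse or exceed the policy are reported rather than silently dropped, so a truncated or tampered list is noticed before it changes who can post.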