From claus at marxmeier.de Tue Apr 6 02:59:38 2010
From: claus at marxmeier.de (Claus Marxmeier)
Date: Tue, 06 Apr 2010 02:59:38 +0200
Subject: [anti-abuse-wg] update on netsecdb project
Message-ID: <4BBA877A.5000201@marxmeier.de>

When starting with www.netsecdb.de in 2008 I'd never expected the
decrease of spams to round about 1% of former amount to remain a
stable value. Stats from last weeks, months and year now give proof
that the setup of a central communication matrix based on worldwide
IPv4-whois databases was a great help in fighting abusive mails and a
lot more.

In spite of common hosting environments the number of spams is
generally lower than the amount of mails containing wanted messaging.
The hourly auto-generated configuration files for MTAs like postfix,
exim, qmail and MS Exchange 2007 and later used on external partner
servers show the same progress.

In addition, files that contain the blocking lists for leading TOP25
spammer-country are distributed for free.

Starting from scratch with a localized German based environment, we
opened netranges from additional countries based on the incoming
spamlevel. Nowadays, networks from DE, CH, AT, BE, NL, FR, GB, LU, LI,
IE, IT, CZ, SE, GR, PT, NO, PL, IS, FI, ES, DK, SK, HU, RO, BG, LT,
LV, EE, US, CA, IL and defined customer nets don't get blocked but get
tickets instead. If a non-customer's netrange abuse-email is
invalid/non-functional, range gets blocked.

Many providers integrated ticket-systems for abuse-handling and
improved their quality management a lot. Only a few remained passive
and surprisingly a handful of ISPs still seem to work with quota
limited mailboxes to avoid a kind of work-overload.

Logfiles show an increasing number of HEADER connects to our
smtp-ports just to check the current status of single IP or netrange
returned by our servers.

Within the last months, netsol worked on rwhois integration into ARIN
whois outputs which fine-tuned the process of generating abuse-tickets
a lot.

Many RIPE members started updating their whois records and abuse-mail
contacts. Sometimes this results in a very effective workflow with
only a few seconds response time over far distance whereas local
providers still cannot be reached because of invalid or missing contact
records.

Unfortunately the RIPE team stated by mail, that they have no
job-order to take care of the integrity of its database records i.e.
finding ancient content with missing or invalid information gives
random results.

There seems to be no need for a RIPE member to keep its records
up-2-date ?

Any additional information regarding spams, exploit attacks, hacking
can be taken from www.netsecdb.de site's sections.

I wonder how long hosters are willing to pay the traffic, energy and
CPU-time for something nobody needs to have.
I wonder how long it takes for the DialUp- and Business Customers to
learn, that security is a crucial part of internet activities and that
their ISPs deliver very different qualities behind their mostly
coloured flash-animated websites.

Looking forward to see the current unsolved problems being
transported to public clouds in datacenter and poisoned high bandwidth
customer connections if everything remains 'same procedure as every
year' ...

Kind regards,

Claus

--
Claus Marxmeier

---
Claus Marxmeier EDV-Service
Johann-Kierspel-Straße 5
51491 Overath
Germany

From michele at blacknight.ie Tue Apr 6 10:32:17 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 6 Apr 2010 08:32:17 +0000
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBA877A.5000201@marxmeier.de>
References: <4BBA877A.5000201@marxmeier.de>
Message-ID:

On 6 Apr 2010, at 01:59, Claus Marxmeier wrote:

> When starting with www.netsecdb.de in 2008 I'd never expected the
> decrease of spams to round about 1% of former amount to remain a
> stable value. Stats from last weeks, months and year now give proof
> that the setup of a central communication matrix based on worldwide
> IPv4-whois databases was a great help in fighting abusive mails and a
> lot more.
>
> In spite of common hosting environments the number of spams is
> generally lower than the amount of mails containing wanted messaging.
> The hourly auto-generated configuration files for MTAs like postfix,
> exim, qmail and MS Exchange 2007 and later used on external partner
> servers show the same progress.
>
> In addition, files that contain the blocking lists for leading TOP25
> spammer-country are distributed for free.
>
> Starting from scratch with a localized German based environment, we
> opened netranges from additional countries based on the incoming
> spamlevel. Nowadays, networks from DE, CH, AT, BE, NL, FR, GB, LU, LI,
> IE, IT, CZ, SE, GR, PT, NO, PL, IS, FI, ES, DK, SK, HU, RO, BG, LT,
> LV, EE, US, CA, IL and defined customer nets don't get blocked but get
> tickets instead. If a non-customer's netrange abuse-email is
> invalid/non-functional, range gets blocked.
>
> Many providers integrated ticket-systems for abuse-handling and
> improved their quality management a lot. Only a few remained passive
> and surprisingly a handful of ISPs still seem to work with quota
> limited mailboxes to avoid a kind of work-overload.
>
> Logfiles show an increasing number of HEADER connects to our
> smtp-ports just to check the current status of single IP or netrange
> returned by our servers.
>
> Within the last months, netsol worked on rwhois integration into ARIN
> whois outputs which fine-tuned the process of generating abuse-tickets
> a lot.
>
> Many RIPE members started updating their whois records and abuse-mail
> contacts. Sometimes this results in a very effective workflow with
> only a few seconds response time over far distance whereas local
> providers still cannot be reached because of invalid or missing contact
> records.
>
> Unfortunately the RIPE team stated by mail, that they have no
> job-order to take care of the integrity of its database records i.e.
> finding ancient content with missing or invalid information gives
> random results.
>
> There seems to be no need for a RIPE member to keep its records
> up-2-date ?
>
> Any additional information regarding spams, exploit attacks, hacking
> can be taken from www.netsecdb.de site's sections.
>
> I wonder how long hosters are willing to pay the traffic, energy and
> CPU-time for something nobody needs to have.
> I wonder how long it takes for the DialUp- and Business Customers to
> learn, that security is a crucial part of internet activities and that
> their ISPs deliver very different qualities behind their mostly
> coloured flash-animated websites.
>
> Looking forward to see the current unsolved problems being
> transported to public clouds in datacenter and poisoned high bandwidth
> customer connections if everything remains 'same procedure as every
> year' ...
>
> Kind regards,
>
> Claus

Claus

You need to learn the meaning of the word "diplomacy"

Otherwise none of us will want to help you

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From frank at powerweb.de Tue Apr 6 10:47:51 2010
From: frank at powerweb.de (Frank Gadegast)
Date: Tue, 06 Apr 2010 10:47:51 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To:
References: <4BBA877A.5000201@marxmeier.de>
Message-ID: <4BBAF537.30401@powerweb.de>

Michele Neylon :: Blacknight wrote:

Dear Michele,

>> Looking forward to see the current unsolved problems being
>> transported to public clouds in datacenter and poisoned high bandwidth
>> customer connections if everything remains 'same procedure as every
>> year' ...
>>
>> Kind regards,
>>
>> Claus
>
> Claus
>
> You need to learn the meaning of the word "diplomacy"
>
> Otherwise none of us will want to help you

I'm a friend of results also, diplomacy does not help in all cases.
Sometimes somebody has to step forward to wake everybody up.

What's about the word "sarcasm" ?
I like this word too ...

* do we have at least a definition of spam after 2 years ?
* any recommendations to the community so far ?
* did anybody (except me) send an idea to this list about how
  to reduce the amount of spam in the RIPE region ?

Come on and be honest, what result can this group show by now ?
Anything that will reduce our spam load ?
Can't even see the horizon.

Kind regards, Frank

>
> Regards
>
> Michele

--
Kind regards,
--
PHADE Software - PowerWeb                      http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast            mailto:frank at powerweb.de
Schinkelstrasse 17                               fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany            fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From claus at marxmeier.de Tue Apr 6 10:59:07 2010
From: claus at marxmeier.de (Claus Marxmeier)
Date: Tue, 06 Apr 2010 10:59:07 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBAED5B.3070109@powerweb.de>
References: <4BBA877A.5000201@marxmeier.de> <4BBAED5B.3070109@powerweb.de>
Message-ID: <4BBAF7DB.80305@marxmeier.de>

On 06.04.2010 10:14, Frank Gadegast wrote:

> You definitely need to update your pages to explain what the
> netsecdb.de is for in the first place, looks like our own project
> under http://www.dnsbl.de, but I cannot find any explanation on
> your pages.

It's all in section documents - moved some articles to frontpage to
give a quicker overview.

English overview: https://www.netsecdb.de/index.php?q=node/64
German overview: https://www.netsecdb.de/index.php?q=node/67

It's not only about spam status - it's a database of all known abusive
activities from an IPv4 netrange.

dnsbl and similar projects only deal with single IPs and is limited to
abusive email sourcing whereas netsecdb imports the netrange
information from whois and should be able to report a status of all
abusive activities that originate from or destinate to this range.
Its interface shows the network dependencies (way from
0.0.0.0-255.255.255.255 up to the smallest available segment
information). This way, logfiles and processing results can be used to
mark netcidrs for different reasons. For example, being
wormdestination or spamlinkdestination, hosting childporn, is affected
to conficker botnet or anything else.

netsecdb does not include any personal data from POCs - only a Matrix
of IPv4 that shows cybercrime related info.

Kind regards,

Claus

--
Claus Marxmeier

From frank at powerweb.de Tue Apr 6 10:14:19 2010
From: frank at powerweb.de (Frank Gadegast)
Date: Tue, 06 Apr 2010 10:14:19 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBA877A.5000201@marxmeier.de>
References: <4BBA877A.5000201@marxmeier.de>
Message-ID: <4BBAED5B.3070109@powerweb.de>

Claus Marxmeier wrote:

Hello,

> When starting with www.netsecdb.de in 2008 I'd never expected the

You definitely need to update your pages to explain what the
netsecdb.de is for in the first place, looks like our own project
under http://www.dnsbl.de, but I cannot find any explanation on
your pages.

Anyway ...

> Many RIPE members started updating their whois records and abuse-mail
> contacts. Sometimes this results in a very effective workflow with
> only a few seconds response time over far distance whereas local
> providers still cannot be reached because of invalid or missing contact
> records.
>
> Unfortunately the RIPE team stated by mail, that they have no
> job-order to take care of the integrity of its database records i.e.
> finding ancient content with missing or invalid information gives
> random results.
>
> There seems to be no need for a RIPE member to keep its records
> up-2-date ?

Here I really have to agree.

I always voted, that the currently optional "abuse"-field in the whois
records HAVE to be filled by the providers AND checked by RIPE.

Providers are responsible for what's leaving their networks, but it
looks like that the community has absolutely no interest to give the
RIPE NCC the order to check those addresses on a regular base.

I even mentioned that the RIPE community should develop mechanisms to
punish members that do not react to abuse reports delivered to their
abuse addresses, and that's definitely work for this group to define
these mechanisms.

One simple mechanism could look like this:
- RIPE defines an email address scheme for every IP address like
  ip1.ip2.ip3.ip4 at abuse.ripe.net
- this scheme is mentioned in every whois output
- so, there will be no need for blacklists, other providers or even
  private persons to do a whois lookup anymore
- any report should be delivered to these addresses and RIPE NCC
  forwards incoming reports to the abuse address of the members
  (these could be even non-public)
- any provider has to react in a whatever time by replying to the mail
  including a tracking number generated by RIPE NCC, to the complainant
  and the RIPE system, mark the reports as spam, false report, being
  worked on, customer blocked aso ...
- provider without a valid abuse contact get warned, and in the worst
  case, will lose their IP allocation complained about
- provider that have a valid address, but do not react will lose their
  IP allocation, if the spam level raised a defined limit according to
  the size of the provider's allocation
- RIPE NCC will calculate a value for every provider depending on the
  amount of IP addresses and incoming spam reports for a couple of
  months. RIPE then urges the provider to reduce this value on a
  monthly base. The provider will also lose his allocations, if the
  value is not reduced or even rising. Surely a little value of spam
  reports is allowed for every provider depending on the size of his
  allocation.

Surely there will be lots of details to check, but only this will force
any member to actually DO something against spam leaving their
networks, to block dialin customers with spambotted PCs, open relays of
hacked servers.

Kind regards, Frank

> I wonder how long hosters are willing to pay the traffic, energy and
> CPU-time for something nobody needs to have.
> I wonder how long it takes for the DialUp- and Business Customers to
> learn, that security is a crucial part of internet activities and that
> their ISPs deliver very different qualities behind their mostly
> coloured flash-animated websites.
>
> Looking forward to see the current unsolved problems being
> transported to public clouds in datacenter and poisoned high bandwidth
> customer connections if everything remains 'same procedure as every
> year' ...
>
> Kind regards,
>
>
> Claus Marxmeier
>

From fm-lists at st-kilda.org Tue Apr 6 11:48:17 2010
From: fm-lists at st-kilda.org (Fearghas McKay)
Date: Tue, 6 Apr 2010 10:48:17 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBAED5B.3070109@powerweb.de>
References: <4BBA877A.5000201@marxmeier.de> <4BBAED5B.3070109@powerweb.de>
Message-ID: <3324CECD-9A96-4F8E-B8CA-4E008336858B@st-kilda.org>

Frank

On 6 Apr 2010, at 09:14, Frank Gadegast wrote:

> I even mentioned that the RIPE community should develop mechanisms to
> punish members that do not react to abuse reports delivered to their
> abuse addresses, and that's definitely work for this group to define
> these mechanisms.

Policy comes from the community - we have a formal process to develop
policy that is available at:

http://www.ripe.net/docs/pdp.html

Section 2.1 shows how to start creating a new RIPE policy and
highlights that anyone can start the process, it is a bottom up
development, not top down.

-=-=-
2.1 Creating a Proposal
Discussions may be started by anyone at any time. Participants are
welcome to discuss broad ideas as well as to make detailed policy
proposals. Proposals are made using the Policy Proposal template,
attached as Appendix B.

-=-=-

The NCC will be available to help you with drafting the document.

HTH

Fearghas

From mir at ripe.net Tue Apr 6 12:10:18 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Tue, 06 Apr 2010 12:10:18 +0200
Subject: [anti-abuse-wg] Spam sent over IPv6 - See results on RIPE Labs
Message-ID: <4BBB088A.1060403@ripe.net>

Dear colleagues,

Sorry this comes a little late to this list.
Last week we published some data about spam we receive over IPv6.
Find the method and the results on RIPE Labs:
http://labs.ripe.net/content/spam-over-ipv6

We will continue to measure this. If you have any comments or
suggestions, please let us know. You can leave comments in the forum
listed at the end of the article or send mail directly to me.

Kind Regards,
Mirjam Kühne
RIPE NCC

From phade at www.powerweb.de Tue Apr 6 12:35:42 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Tue, 6 Apr 2010 12:35:42 +0200 (MET DST)
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <3324CECD-9A96-4F8E-B8CA-4E008336858B@st-kilda.org>
Message-ID: <201004061035.o36AZhPV006676@www.powerweb.de>

>
> Frank

Hi,

> On 6 Apr 2010, at 09:14, Frank Gadegast wrote:
>
> > I even mentioned that the RIPE community should develop mechanisms to
> > punish members that do not react to abuse reports delivered to their
> > abuse addresses, and that's definitely work for this group to define
> > these mechanisms.
>
> Policy comes from the community - we have a formal process to develop
> policy that is available at:
>
> http://www.ripe.net/docs/pdp.html

This group IS the community, so why is there no proposal so far ?
After 2 years ?

I would love to work together with more experienced members of the
mailing list, but as far as I see it: simply nothing happens ...

> Section 2.1 shows how to start creating a new RIPE policy and
> highlights that anyone can start the process, it is a bottom up
> development, not top down.
>
> -=-=-
> 2.1 Creating a Proposal
> Discussions may be started by anyone at any time. Participants are
> welcome to discuss broad ideas as well as to make detailed policy
> proposals. Proposals are made using the Policy Proposal template,
> attached as Appendix B.
>
> -=-=-
>
> The NCC will be available to help you with drafting the document.

The first step should be a mandatory abuse-field.

We could simply copy APNIC's proposal:
http://www.apnic.net/policy/proposals/prop-079

Kind regards, Frank

>
> HTH
>
> Fearghas
>

From thor.kottelin at turvasana.com Tue Apr 6 11:49:18 2010
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Tue, 6 Apr 2010 12:49:18 +0300
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBAF7DB.80305@marxmeier.de>
References: <4BBA877A.5000201@marxmeier.de> <4BBAED5B.3070109@powerweb.de> <4BBAF7DB.80305@marxmeier.de>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of Claus Marxmeier
> Sent: Tuesday, April 06, 2010 11:59 AM
> To: frank at powerweb.de; anti-abuse-wg at ripe.net

> english overview: https://www.netsecdb.de/index.php?q=node/64

Why does your web server respond with a 302 redirect to the IP address
of the client?

$ openssl s_client -connect www.netsecdb.de:443 -quiet
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
HEAD /index.php?q=node/64 HTTP/1.1
Host: www.netsecdb.de
Connection: close

HTTP/1.1 302 Found
Date: Tue, 06 Apr 2010 09:44:47 GMT
Server: Notepad/1.0.1 (typing)
Location: http://83.145.246.156/?q=node/64
Cache-Control: max-age=1
Expires: Tue, 06 Apr 2010 09:44:48 GMT
Connection: close
Content-Type: text/html; charset=iso-8859-1

--
Thor Kottelin
http://www.anta.net/

From brian.nisbet at heanet.ie Tue Apr 6 14:36:48 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 06 Apr 2010 13:36:48 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004061035.o36AZhPV006676@www.powerweb.de>
References: <201004061035.o36AZhPV006676@www.powerweb.de>
Message-ID: <4BBB2AE0.8050401@heanet.ie>

Frank,

> This group IS the community, so why is there no proposal so far ?
> After 2 years ?

There has been an amount of discussion on this topic in both AA and DB
working groups over the last few years but no consensus has been reached.

At the meeting in Lisbon it was agreed between DB and AA that as no further
comments had been made, the matter was to be closed. This does not,
obviously, mean that it can't be raised again and both WGs would be most
interested in any proposals you may have.

> I would love to work together with more experienced members of the
> mailing list, but as far as I see it: simply nothing happens ...
>
> The first step should be a mandatory abuse-field.
>
> We could simply copy APNIC's proposal:
> http://www.apnic.net/policy/proposals/prop-079

In this policy Tobias Knecht (tk at abusix.org) has stated that if he is
successful in APNIC he plans to propose something similar in the RIPE
region. I would suspect he is the best person to talk to about
collaboration.

I will note again that previous attempts to make things mandatory have
failed, but as we are in a rapidly changing environment, it is difficult to
predict what response a renewed proposal will bring. As Fearghas points
out, the NCC are always willing to aid people with proposals, as are the
relevant WG chairs.

I would, of course, reject that the WG has done nothing in two years and we
hope, in May, to chair another productive meeting.

Thanks,

Brian.

From aftab.siddiqui at gmail.com Tue Apr 6 14:54:10 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Tue, 6 Apr 2010 17:54:10 +0500
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBB2AE0.8050401@heanet.ie>
References: <201004061035.o36AZhPV006676@www.powerweb.de> <4BBB2AE0.8050401@heanet.ie>
Message-ID:

For APNIC prop-079 there was a great deal of opposition but still it got the
consensus because of optimism it shares. Again there is no procedure of
penalizing the members for not updating the abuse-c contact and then there
is no method to make sure the abuse-c is active or not. LACNIC and ARIN
already have this policy with slight changes for quite sometime, how was the
response in that region related to spam?


Regards,

Aftab A. Siddiqui


On Tue, Apr 6, 2010 at 5:36 PM, Brian Nisbet wrote:

> Frank,
>
>
> This group IS the community, so why is there no proposal so far ?
>> After 2 years ?
>>
>
> There has been an amount of discussion on this topic in both AA and DB
> working groups over the last few years but no consensus has been reached.
>
> At the meeting in Lisbon it was agreed between DB and AA that as no further
> comments had been made, the matter was to be closed. This does not,
> obviously, mean that it can't be raised again and both WGs would be most
> interested in any proposals you may have.
>
> I would love to work together with more experienced members of the
>> mailing list, but as far as I see it: simply nothing happens ...
>>
>> The first step should be a mandatory abuse-field.
>>
>> We could simply copy APNIC's proposal:
>> http://www.apnic.net/policy/proposals/prop-079
>>
>
> In this policy Tobias Knecht (tk at abusix.org) has stated that if he is
> successful in APNIC he plans to propose something similar in the RIPE
> region. I would suspect he is the best person to talk to about
> collaboration.
>
> I will note again that previous attempts to make things mandatory have
> failed, but as we are in a rapidly changing environment, it is difficult to
> predict what response a renewed proposal will bring. As Fearghas points
> out, the NCC are always willing to aid people with proposals, as are the
> relevant WG chairs.
>
> I would, of course, reject that the WG has done nothing in two years and we
> hope, in May, to chair another productive meeting.
>
> Thanks,
>
> Brian.
>
>

From alex at seewald.at Tue Apr 6 15:10:45 2010
From: alex at seewald.at (Dr. Alexander K. Seewald)
Date: Tue, 6 Apr 2010 15:10:45 +0200
Subject: [anti-abuse-wg] Re: update on netsecdb project
Message-ID: <20100406131045.GA17633@sdg.at>

IMHO just having blacklists based on IP addresses is not enough:
* rapidly increasing mobile internet (which has dynamic IPs unless one
  keeps a connection open indefinitely - hardly ever the case)
* tendency to reuse one bot for an ever decreasing number of spam
  messages - so blacklists are and always getting to be less helpful.

We did an analysis of a common DNSBL and found that only 3% of active
bots could be found there at the timepoint when they were
active. Roughly the same number (6%) can be got when comparing with
originating IPs from incoming spam.

If spam volume is sinking - and it definitely does at least for me -
this has nothing to do with any countermeasures but is probably just a
delayed effect from the economic crisis. Let's not delude ourselves
here.

Actually, our paper on automating botnet tracking was downloaded quite
often (we got a mail from Computers & Security / Elsevier that it was
among the top 25 downloaded papers in Q4/2009 - whatever that means ;-)
so there seems to be a lot of interest in tracking bots with more
intelligent techniques.

My opinion was and still is that we need to automate detection and
tracking techniques and not necessarily rely on old obsolete filtering
techniques (although they can be helpful in some cases). But I see the
limits of RIPE to make such an approach happen and frankly I don't see
any other supranational organization that can pull that off.

So here's to hoping the spammers die out from the current crisis and we
can switch off all our spamfilters...

Best,
Alex
--
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764

From phade at www.powerweb.de Tue Apr 6 15:47:22 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Tue, 6 Apr 2010 15:47:22 +0200 (MET DST)
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To:
Message-ID: <201004061347.o36DlNou024223@www.powerweb.de>

>
> For APNIC prop-079 there was a great deal of opposition but still it got the
> consensus because of optimism it shares. Again there is no procedure of
> penalizing the members for not updating the abuse-c contact and then there
> is no method to make sure the abuse-c is active or not. LACNIC and ARIN

Not yet, that will be the next step.
It's quite easy for APNIC to send an email twice a year to all
abuse-contacts including a link, that has to be clicked.

With that you could publish a list of non-responsive providers
and you will have another instrument to measure good from bad.

Kind regards, Frank

> already have this policy with slight changes for quite sometime, how was the
> response in that region related to spam?
>
>
> Regards,
>
> Aftab A. Siddiqui
>
>
> On Tue, Apr 6, 2010 at 5:36 PM, Brian Nisbet wrote:
>
> > Frank,
> >
> >
> > This group IS the community, so why is there no proposal so far ?
> >> After 2 years ?
> >>
> >
> > There has been an amount of discussion on this topic in both AA and DB
> > working groups over the last few years but no consensus has been reached.
> >
> > At the meeting in Lisbon it was agreed between DB and AA that as no further
> > comments had been made, the matter was to be closed. This does not,
> > obviously, mean that it can't be raised again and both WGs would be most
> > interested in any proposals you may have.
> >
> > I would love to work together with more experienced members of the
> >> mailing list, but as far as I see it: simply nothing happens ...
> >>
> >> The first step should be a mandatory abuse-field.
> >>
> >> We could simply copy APNIC's proposal:
> >> http://www.apnic.net/policy/proposals/prop-079
> >>
> >
> > In this policy Tobias Knecht (tk at abusix.org) has stated that if he is
> > successful in APNIC he plans to propose something similar in the RIPE
> > region. I would suspect he is the best person to talk to about
> > collaboration.
> >
> > I will note again that previous attempts to make things mandatory have
> > failed, but as we are in a rapidly changing environment, it is difficult to
> > predict what response a renewed proposal will bring. As Fearghas points
> > out, the NCC are always willing to aid people with proposals, as are the
> > relevant WG chairs.
> >
> > I would, of course, reject that the WG has done nothing in two years and we
> > hope, in May, to chair another productive meeting.
> >
> > Thanks,
> >
> > Brian.
> >

From phade at www.powerweb.de Tue Apr 6 15:57:30 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Tue, 6 Apr 2010 15:57:30 +0200 (MET DST)
Subject: [anti-abuse-wg] Re: update on netsecdb project
In-Reply-To: <20100406131045.GA17633@sdg.at>
Message-ID: <201004061357.o36DvVAS025107@www.powerweb.de>

Hi,

> IMHO just having blacklists based on IP addresses is not enough:
> * rapidly increasing mobile internet (which has dynamic IPs unless
> one keeps a connection open indefinitely - hardly ever the case)
> * tendency to reuse one bot for an ever decreasing number of spam messages
> - so blacklist are and always getting to be less helpful.

most blacklist do not care to block a person, they block IPs. If those IPs are dynamic, it's up to the provider how to deal with that.

> We did an analysis of a common DNSBL and found that only 3% of
> active bots could be found there at the timepoint when they were
> active. Roughly the same number (6%) can be got when comparing with
> originating IPs from incoming spam. If spam volume is sinking - and it

Hm, I doubt the result, we block every bot that sends spam to our customers easily. Any dynamic IP is just sending as ONE spam and then never again until the provider starts to do something.

I doubt your results. They are probably based only on open blacklists.

> definitely does at least for me - this has nothing to do with any
> countermeasures but is probably just a delayed effect from the economic
> crisis. Let's not delude ourselves here.
>
> Actually, our paper on automating botnet tracking was downloaded
> quite often (we got a mail from Computers & Security / Elsevier that
> it was among the top 25 downloaded paper in Q4/2009 - whatever that
> means ;-) so there seems to be a lot of interest in tracking bots
> with more intelligent techniques.
> My opinion was and still is that we
> need to automate detection and tracking techniques and not necessarily

You seem to be too scientific here. It's that easy to track every bot, especially for the access providers, if their own IPs get abused.

> rely on old obsolete filtering techniques (although they can be
> helpful in some cases). But I see the limits of RIPE to make such an
> approach happen and frankly I don't see any other supranational
> organization that can pull that off.
>
> So here's to hoping the spammers die out from the current crisis and
> we can switch off all our spamfilters...

I disagree here.

Access providers somehow have to be forced to block customers with infected PCs. This should be done via the community rather than countries' governments. It will only end in useless methods, if governments get involved.

I still do not get how RIPE can accept criminal or even ignorant members. Criminality can't be part of the "free internet".

Kind regards, Frank
--
PHADE Software - PowerWeb              http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast      mailto:frank at powerweb.de
Schinkelstrasse 17                     fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Best,
> Alex
> --
> Dr. Alexander K. Seewald
>
> Seewald Solutions
> www.seewald.at
> Tel. +43(664)1106886
> Fax. +43(1)2533033/2764
>

From brian.nisbet at heanet.ie Tue Apr 6 16:56:27 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 06 Apr 2010 15:56:27 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004061301.o36D1ChQ020040@www.powerweb.de>
References: <201004061301.o36D1ChQ020040@www.powerweb.de>
Message-ID: <4BBB4B9B.2080604@heanet.ie>

Frank,

As discussed, I have copied my reply to the list.

>> There has been an amount of discussion on this topic in both AA and DB
>> working groups over the last few years but no consensus has been reached.
>>
>> At the meeting in Lisbon it was agreed between DB and AA that as no
>> further comments had been made, the matter was to be closed. This does
>> not, obviously, mean that it can't be raised again and both WGs would be
>> most interested in any proposals you may have.
>
> This is simply weird.
> How can anybody not agree what Spam is ?

Many people agree what spam is, others disagree, the RIPE community is made up of many different people, but I'm not sure why a definition is important to this conversation? The matter was closed in Lisbon because no proposal had been produced since the last time one was asked for onlist. If there is now to be a proposal, then discussion will restart.

> How can not anybody have an idea, how to solve the problem ?

Many people have many ideas, not all of them work. There remains no silver bullet. And any recommendation made still needs to be adopted.

> Usually there are too many ideas resulting in at least something to do.

And many things have been discussed, and often solutions suggested. It is up to people to implement those suggestions or to make proposals to the RIPE community and perhaps ask the NCC to undertake a task. In addition, as we discussed in Lisbon and as we will be discussing again in Prague, the two chairs of the WG have been working with the NCC and international law enforcement to look at ways of furthering cooperation and putting procedures in place that can more directly tackle network abuse. However this is, as you must appreciate, not a simple or fast task.

>> In this policy Tobias Knecht (tk at abusix.org) has stated that if he is
>> successful in APNIC he plans to propose something similar in the RIPE
>> region. I would suspect he is the best person to talk to about
>> collaboration.
>
> I am already talking to him.

Good stuff.

> But as you know: he will need support from everybody to bring
> this proposal also to RIPE. So it would be really nice if people on this
> list don't strike him down because of politeness and instead support
> what he's doing.

Tobias and abusix have produced a number of different opinions in a very short period of time in operation, or at least in wide circulation. There is no mandate on how the members of any WG should treat the proposals of others, save to give them an honest and fair reading and treat everyone with respect. How the proposal is greeted will depend on how it is presented, but obviously the chairs will do what they can to allow for that fair hearing.

>> we hope, in May, to chair another productive meeting.
>
> What will be discussed there ?
> Agenda ?

We're trying to finalise the agenda at the moment, but the work that is taking place with the NCC, the RIPE community and the LEAs will be playing a major part. I hope to have a first draft by the end of this week. Obviously if any proposals are brought to the WG before the meeting on Thursday 6th, discussion time for them will be allocated on the agenda.

Brian.

From brian.nisbet at heanet.ie Tue Apr 6 17:45:18 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 06 Apr 2010 16:45:18 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004061503.o36F3US8031877@www.powerweb.de>
References: <201004061503.o36F3US8031877@www.powerweb.de>
Message-ID: <4BBB570E.1030507@heanet.ie>

Frank,

I have assumed, hopefully correctly, that you meant this mail to go to the list again, so I have copied my reply there.

"Dipl-Inform. Frank Gadegast" wrote the following on 06/04/2010 16:03:
>
> Hello Brian,
>
>>> How can not anybody have an idea, how to solve the problem ?
>>
>> Many people have many ideas, not all of them work. There remains no
>> silver bullet. And any recommendation made still needs to be adopted.
>
> I just described one around lunch time.
> RIPE should urge all members to stop spam originating from their networks.

You did not describe a silver bullet. The RIPE community has urged their members to stop spam and abuse for years, RIPE-409 says it quite plainly, this has been the repeated advice. There are potential ways of enforcing this, but please do not claim that what has been discussed so far today will suddenly stop network abuse.

>>> Usually there are too many ideas resulting in at least something to do.
>>
>> And many things have been discussed, and often solutions suggested. It
>
> Not on the list.

And the minutes of each meeting are posted to the list. So far no discussion has come out of them.

>> is up to people to implement those suggestions or to make proposals to
>> the RIPE community and perhaps ask the NCC to undertake a task. In
>> addition, as we discussed in Lisbon and as we will be discussing again
>> in Prague, the two chairs of the WG have been working with the NCC and
>> international law enforcement to look at ways of furthering cooperation
>
> governments ?
> this will make all worse and slower ...

The aim is to get governments and LEAs onside, to examine policies and procedures at RIR level and to avoid the making of necessary legislation and to keep the bottom up consensus approach. However there is no way that governments will not be involved, the idea is to take their input and show them we, as a community, are acting.

>> and putting procedures in place that can more directly tackle network
>> abuse. However this is, as you must appreciate, not a simple or fast task.
>>
>>>> we hope, in May, to chair another productive meeting.
>>>
>>> What will be discussed there ?
>>> Agenda ?
>>
>> We're trying to finalise the agenda at the moment, but the work that is
>> taking place with the NCC, the RIPE community and the LEAs will be
>
> Well, please post it to the list, so that it can be discussed before
> it's finalized.

I will post an agenda, but I'm not sure what discussion there is likely to be as my two calls for agenda items have, so far, met with one single response. Equally, the agenda of any WG is reasonably mutable and on occasion has been finalised an hour or so before the meeting, so there will be plenty of time for discussion.

>> playing a major part. I hope to have a first draft by the end of this
>> week. Obviously if any proposals are brought to the WG before the
>> meeting on Thursday 6th, discussion time for them will be allocated on
>> the agenda.
>
> All this should happen all on the list, not everybody can attend meetings.

Apologies, I should have been clearer. As has been stated elsewhere and, I believe, on this list, while policy proposals will, undoubtedly, be discussed at meetings, the primary place to discuss policy is the WG mailing list and there is no intention or plan to purely discuss things at meetings.

Brian.

From michele at blacknight.ie Tue Apr 6 17:54:53 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 6 Apr 2010 15:54:53 +0000
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBB570E.1030507@heanet.ie>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie>
Message-ID: <85CFD348-B094-450C-90CC-EEE2E77B209A@blacknight.ie>

On 6 Apr 2010, at 16:45, Brian Nisbet wrote:

> Frank,
>
> I have assumed, hopefully correctly, that you meant this mail to go to the list again, so I have copied my reply there.
>
> "Dipl-Inform. Frank Gadegast" wrote the following on 06/04/2010 16:03:
>>
>> Hello Brian,
>>
>>>> How can not anybody have an idea, how to solve the problem ?
>>>
>>> Many people have many ideas, not all of them work. There remains no
>>> silver bullet. And any recommendation made still needs to be adopted.
>>
>> I just described one around lunch time.
>> RIPE should urge all members to stop spam originating from their networks.
>
> You did not describe a silver bullet.
> The RIPE community has urged their members to stop spam and abuse for years, RIPE-409 says it quite plainly, this has been the repeated advice. There are potential ways of enforcing this, but please do not claim that what has been discussed so far today will suddenly stop network abuse.

You can suggest things until the cows come home, but you cannot expect RIPE or anyone else to come up with a "magical" solution that is going to make everyone happy

The other thing is that a lot of anti-spam / anti-abuse people don't realise is that they are their own worst enemies
More often than not they do not take into account the business realities

If an ISP / hosting provider were to act as quickly as some people would like them to act plenty of innocent bystanders would be harmed and the ISP / hosting provider would probably be sued.

>
>>>> Usually there are too many ideas resulting in at least something to do.
>>>
>>> And many things have been discussed, and often solutions suggested. It
>>
>> Not on the list.
>
> And the minutes of each meeting are posted to the list. So far no discussion has come out of them.
>
>>> is up to people to implement those suggestions or to make proposals to
>>> the RIPE community and perhaps ask the NCC to undertake a task. In
>>> addition, as we discussed in Lisbon and as we will be discussing again
>>> in Prague, the two chairs of the WG have been working with the NCC and
>>> international law enforcement to look at ways of furthering cooperation
>>
>> governments ?
>> this will make all worse and slower ...
>
> The aim is to get governments and LEAs onside, to examine policies and procedures at RIR level and to avoid the making of necessary legislation and to keep the bottom up consensus approach. However there is no way that governments will not be involved, the idea is to take their input and show them we, as a community, are acting.

Governments are going to get involved at some level regardless of whether you like it or not.
Take a look at what has been going on with the GAC or law enforcement's latest statements regarding domains ..

>
>>> and putting procedures in place that can more directly tackle network
>>> abuse. However this is, as you must appreciate, not a simple or fast task.
>>>
>>>>> we hope, in May, to chair another productive meeting.
>>>>
>>>> What will be discussed there ?
>>>> Agenda ?
>>>
>>> We're trying to finalise the agenda at the moment, but the work that is
>>> taking place with the NCC, the RIPE community and the LEAs will be
>>
>> Well, please post it to the list, so that it can be discussed before
>> it's finalized.
>
> I will post an agenda, but I'm not sure what discussion there is likely to be as my two calls for agenda items have, so far, met with one single response. Equally, the agenda of any WG is reasonably mutable and on occasion has been finalised an hour or so before the meeting, so there will be plenty of time for discussion.
>
>>> playing a major part. I hope to have a first draft by the end of this
>>> week. Obviously if any proposals are brought to the WG before the
>>> meeting on Thursday 6th, discussion time for them will be allocated on
>>> the agenda.
>>
>> All this should happen all on the list, not everybody can attend meetings.
>
> Apologies, I should have been clearer. As has been stated elsewhere and, I believe, on this list, while policy proposals will, undoubtedly, be discussed at meetings, the primary place to discuss policy is the WG mailing list and there is no intention or plan to purely discuss things at meetings.
>
> Brian.
>

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From peter at hk.ipsec.se Tue Apr 6 17:26:20 2010
From: peter at hk.ipsec.se (peter h)
Date: Tue, 6 Apr 2010 17:26:20 +0200
Subject: [anti-abuse-wg] Re: update on netsecdb project
In-Reply-To: <20100406131045.GA17633@sdg.at>
References: <20100406131045.GA17633@sdg.at>
Message-ID: <201004061726.20663.peter@hk.ipsec.se>

On Tuesday 06 April 2010 15.10, Dr. Alexander K. Seewald wrote:
> IMHO just having blacklists based on IP addresses is not enough:
> * rapidly increasing mobile internet (which has dynamic IPs unless
> one keeps a connection open indefinitely - hardly ever the case)
> * tendency to reuse one bot for an ever decreasing number of spam messages
> - so blacklist are and always getting to be less helpful.

spamblocklists works often on whole ranges. Mine does (I block the whole range assigned by ripe/apnic/arin for ISP's that allow spam to flow out of their nets)

But I agree; blocking single IP's does not help.

>
> So here's to hoping the spammers die out from the current crisis and
> we can switch off all our spamfilters...

I wouldn't bet on this. As long as law-enforcement does not hunt spammers we will continue to have the spamproblem. What if spam would be characterized as terrorism, then maybe ISP had to act ...

>
> Best,
> Alex

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)

From alex at seewald.at Tue Apr 6 18:58:23 2010
From: alex at seewald.at (Dr. Alexander K. Seewald)
Date: Tue, 6 Apr 2010 18:58:23 +0200
Subject: [anti-abuse-wg] Re: update on netsecdb project
In-Reply-To: <201004061357.o36DvVAS025107@www.powerweb.de>
References: <20100406131045.GA17633@sdg.at> <201004061357.o36DvVAS025107@www.powerweb.de>
Message-ID: <20100406165823.GC21559@sdg.at>

On Tue, Apr 06, 2010 at 03:57:30PM +0200, Frank Gadegast wrote:
> most blacklist do not care to block a person, they block IPs.
> If those IPs are dynamic, it's up to the provider how to deal
> with that.

I'm just noting that almost all of the spam nowadays is sent out from dynamic IP addresses by bots and that these are used to send out a number of spams per bot which tends to decrease (obviously to make detection and blocking harder). These findings are not in dispute in the community AFAIK.

> I doubt your results.
> They are probably based only on open blacklists.

We've used SpamHaus XBL which specifically targets bots. I don't see how a non-open blacklist could be used in a scientific paper as nobody would be able to check the results - anything could be claimed. Our claims have been verified by peer review, been published in a prestigious journal and been quite popular (at least according to download counts, provided these have been correctly counted by Elsevier).

One reason for a seemingly good performance in detecting bots via blacklists could be if you blocked whole network ranges instead of single IPs. This would make it possible to block whole ISPs (mostly those who don't care about bots in their ranges), but also significantly increases the FP rate by blocking legitimate traffic. Not all users from "bad" ISPs are necessarily "bad" themselves.

Hidden costs of such a system can be quite high and are costly to analyze. I'm still taking a few hours each month to manually analyze a random sample of incoming spam for false positives but very few companies do.
In fact when I worked for a spam filter company for a few months and did the same for a 24h sample, I found out that their actual FP rate was ten times(!) higher than their previously estimated value based on explicit customer feedback.

Feel free to read our paper and download our systems, run them on your own data and check our results.

> It's that easy to track every bot, especially for the access providers,
> if their own IPs get abused.

Indeed. But since some access providers make money off lots of bot traffic, it might be hard to convince them to stop this. If we have to wait till all access providers have software to detect bots, we are likely to wait a long time...

> > So here's to hoping the spammers die out from the current crisis and
> > we can switch off all our spamfilters...
> I disagree here.

So you want the spammers to survive? One of the hindrances in my work has been that - because spam filters work extremely well and the costs of FPs are easily overlooked - a lot of companies profit from the status quo: not only spam filter companies, but also free email services, ISPs with traffic-dependent fees (mobile may be upcoming here), anti-virus companies, IT security firms etc.. They are not interested in a permanent solution and indirectly contribute to a prolonging of the current situation. I had some first-hand encounters with this mindset.

> I still do not get how RIPE can accept criminal or even ignorant members.
> Criminality can't be part of the "free internet".

If it cannot, it can no longer be free. There is a price to pay for freedom and it is exactly that.

Also, AFAIK RIPE was never designed for that and has no legal way to enforce their rules even if they wanted to. You can't expect a technical governing body to take the role of world internet criminality police without additional resources. It would be far too much like legislation, judgment and execution in one organization, and that's clearly _not_ my definition of freedom.

Best,
Alex
--
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764

From jogi at mur.at Tue Apr 6 18:52:43 2010
From: jogi at mur.at (Jogi Hofmüller)
Date: Tue, 6 Apr 2010 18:52:43 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBB570E.1030507@heanet.ie>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie>
Message-ID: <20100406165243.GD3708@kathy>

On Tue, Apr 06, 2010 at 04:45:18PM +0100, Brian Nisbet wrote:

>>>> How can not anybody have an idea, how to solve the problem ?
>>>
>>> Many people have many ideas, not all of them work. There remains no
>>> silver bullet. And any recommendation made still needs to be adopted.
>>
>> I just described one around lunch time.
>> RIPE should urge all members to stop spam originating from their networks.

Sure, once we agree on a definition for spam, that COULD work fine.

Cheers,
j.
--
j.hofmüller http://users.mur.at/thesix/

From furio+as at spin.it Tue Apr 6 19:26:20 2010
From: furio+as at spin.it (furio ercolessi)
Date: Tue, 6 Apr 2010 19:26:20 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <20100406165243.GD3708@kathy>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie> <20100406165243.GD3708@kathy>
Message-ID: <20100406172620.GD4327@spin.it>

On Tue, Apr 06, 2010 at 06:52:43PM +0200, Jogi Hofmüller wrote:
> On Tue, Apr 06, 2010 at 04:45:18PM +0100, Brian Nisbet wrote:
>
> >>>> How can not anybody have an idea, how to solve the problem ?
> >>>
> >>> Many people have many ideas, not all of them work. There remains no
> >>> silver bullet. And any recommendation made still needs to be adopted.
> >>
> >> I just described one around lunch time.
> >> RIPE should urge all members to stop spam originating from their networks.
>
> Sure, once we agree on a definition for spam, that COULD work fine.

Is there a disagreement on this point ? I thought it was "unsolicited+bulk" (as in http://www.spamhaus.org/definition.html ) and that this definition was quite universally accepted in the industry.

furio

From aftab.siddiqui at gmail.com Tue Apr 6 20:18:44 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Tue, 6 Apr 2010 23:18:44 +0500
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <20100406172620.GD4327@spin.it>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie> <20100406165243.GD3708@kathy> <20100406172620.GD4327@spin.it>
Message-ID:

Reference to the WG policy/working document ripe-409 which by all means is a very comprehensive document, would have yielded a good result if the industry took the measures identified in the said document. I would like to raise few points on the same.

- As many said that most of the Spam is generated from the dynamic IP clients and usually from spam bots, then my point is why those dynamic IP clients have the privilege to use port 25 at the first hand?
- What measures do the service provider take after receiving an abuse report from an authority? I have myself seen totally no response from such email generated from our anti-spam bots.
- Is "Two Strike Policy" implemented in at least 50% of the service providers industry within the region?

adding abuse-c contact in the RIR database doesn't allow the RIR to give any right to enhance the ability to curb spam. As long as the service industry is on board there is nothing RIR can do to avoid it. In my opinion the agenda item should be based on the above three points.

My 2c

Regards,

Aftab A. Siddiqui

On Tue, Apr 6, 2010 at 10:26 PM, furio ercolessi wrote:

> On Tue, Apr 06, 2010 at 06:52:43PM +0200, Jogi Hofmüller wrote:
> > On Tue, Apr 06, 2010 at 04:45:18PM +0100, Brian Nisbet wrote:
> >
> > >>>> How can not anybody have an idea, how to solve the problem ?
> > >>>
> > >>> Many people have many ideas, not all of them work. There remains no
> > >>> silver bullet. And any recommendation made still needs to be
> adopted.
> > >>
> > >> I just described one around lunch time.
> > >> RIPE should urge all members to stop spam originating from their
> networks.
> >
> > Sure, once we agree on a definition for spam, that COULD work fine.
>
> Is there a disagreement on this point ? I thought it was
> "unsolicited+bulk" (as in http://www.spamhaus.org/definition.html )
> and that this definition was quite universally accepted in the industry.
>
> furio
>
>

From phade at www.powerweb.de Tue Apr 6 20:40:23 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Tue, 6 Apr 2010 20:40:23 +0200 (MET DST)
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBB570E.1030507@heanet.ie>
Message-ID: <201004061840.o36IeNk5020412@www.powerweb.de>

>
> Frank,

Hi again,

> > I just described one around lunch time.
> > RIPE should urge all members to stop spam originating from their networks.
>
> You did not describe a silver bullet. The RIPE community has urged
> their members to stop spam and abuse for years, RIPE-409 says it quite
> plainly, this has been the repeated advice. There are potential ways of

Advice is very different to forcing members to do something and to have sanctions, right ?

It looks like that "advice" did not change anything. It might be that it helped for long term members, but I guess here that those members finally understood themselves, that they block their own business, if they do nothing.
Newer members aren't so far, and any "advice" will not change that for years.

A change in the RIPE's regulations WILL change something very quickly ... That's what we should work for.

(still waiting on a discussion of the system I described around lunch time)

> enforcing this, but please do not claim that what has been discussed so
> far today will suddenly stop network abuse.

Well, I see it from my perspective. Developing a own dnsbl basing on the spam our customers receive reduced the problem for us to nearly nothing, but this was hard work and still needs adjustments and further development to keep up with the spammers' newest technologies.

Adapting this experience and the experience from all members for the whole RIPE region and developing regulations for all members cannot be so complicated ...

There is just no will from most members, because it means work. Who will vote for a regulation that ends up in work ?

> >>> Usually there are too many ideas resulting in at least something to do.
> >>
> >> And many things have been discussed, and often solutions suggested. It
> >
> > Not on the list.
>
> And the minutes of each meeting are posted to the list. So far no
> discussion has come out of them.

Sure, most interested members will not intend meetings (because they have to fight against the Spam arriving out of the networks from attendees *** sorry *** had to make this joke).

It would be much more productive and generate more consensus, if the points would be discussed on the list BEFORE the meeting.

> >> is up to people to implement those suggestions or to make proposals to
> >> the RIPE community and perhaps ask the NCC to undertake a task. In
> >> addition, as we discussed in Lisbon and as we will be discussing again
> >> in Prague, the two chairs of the WG have been working with the NCC and
> >> international law enforcement to look at ways of furthering cooperation
> >
> > governments ?
> > this will make all worse and slower ...
>
> The aim is to get governments and LEAs onside, to examine policies and

Might be your aim, this was not discussed on the list.

Germany talks now for about 2 years about an introduction of general Internet blocking systems (mostly because of sex crimes), this is absolutely not productive. Germany already has weird regulations for mail control to fight against spam.

Governments have no technical background at all and neither have the so-called experts they pay for advice.

> procedures at RIR level and to avoid the making of necessary legislation
> and to keep the bottom up consensus approach. However there is no way

Forget, how do you think that there will be a world-wide consensus in Governments ? That does not happen in the EU and will never.

> that governments will not be involved, the idea is to take their input
> and show them we, as a community, are acting.

Weird starting point, governments have no idea, what the Internet is ...

> >> We're trying to finalise the agenda at the moment, but the work that is
> >> taking place with the NCC, the RIPE community and the LEAs will be
> >
> > Well, please post it to the list, so that it can be discussed before
> > it's finalized.
>
> I will post an agenda, but I'm not sure what discussion there is likely
> to be as my two calls for agenda items have, so far, met with one single
> response. Equally, the agenda of any WG is reasonably mutable and on

Well, maybe there will be more ideas coming ...

> occasion has been finalised an hour or so before the meeting, so there
> will be plenty of time for discussion.
>
> >> playing a major part. I hope to have a first draft by the end of this
> >> week. Obviously if any proposals are brought to the WG before the
> >> meeting on Thursday 6th, discussion time for them will be allocated on
> >> the agenda.
> >
> > All this should happen all on the list, not everybody can attend meetings.
>
> Apologies, I should have been clearer.
As has been stated elsewhere > and, I believe, on this list, while policy proposals will, undoubtedly, > be discussed at meetings, the primary place to discuss policy is the WG > mailing list and there is no intention or plan to purely discuss things > at meetings. Then I somehow really missed detailed discussion, I counted about 100 mails during the last year ... Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de > > Brian. > From phade at www.powerweb.de Tue Apr 6 20:46:39 2010 From: phade at www.powerweb.de (Frank Gadegast) Date: Tue, 6 Apr 2010 20:46:39 +0200 (MET DST) Subject: [anti-abuse-wg] update on netsecdb project In-Reply-To: <85CFD348-B094-450C-90CC-EEE2E77B209A@blacknight.ie> Message-ID: <201004061846.o36IkeRf020892@www.powerweb.de> Hi, > > You did not describe a silver bullet. The RIPE community has urged their members to stop spam and abuse for years, RIPE-409 says it quite plainly, this has been the repeated advice. There are potential ways of enforcing this, but please do not claim that what has been discussed so far today will suddenly stop network abuse. > > You can suggest things until the cows come home, but you cannot expect RIPE or anyone else to come up with a "magical" solution that is going to make everyone happy Sorry that blabla. Does anybody have a better idea how to urge members to stop using their allocations for spamming ? Any real technical comments for my idea ? Any improvement we could make to such a system and recommendation ? I would love to work with all of you to develop a system we could all agree to and that works and could be recommended as proposal for the community. 
> The other thing is that a lot of anti-spam / anti-abuse people don't realise is that they are their own worst enemies
> More often than not they do not take into account the business realities
>
> If an ISP / hosting provider were to act as quickly as some people would like them to act plenty of innocent bystanders would be harmed and the ISP / hosting provider would probably be sued.

Time is no problem, a change to RIPE's regulation can be timed
for 1 or 2 years until it will really end up in any punishment
against spam providers.

This whole process can be slow.
Government regulations also have a time schedule.

It's stupid to stop thinking or working because the final goal
is still far away ...

Kind regards, Frank
--
PHADE Software - PowerWeb               http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
Schinkelstrasse 17                      fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany   fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From phade at www.powerweb.de Tue Apr 6 20:54:04 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Tue, 6 Apr 2010 20:54:04 +0200 (MET DST)
Subject: [anti-abuse-wg] change the anti-spam-system to a complaint-system
In-Reply-To: <20100406165243.GD3708@kathy>
Message-ID: <201004061854.o36Is5cY021423@www.powerweb.de>

Hi,

> >> I just described one around lunch time.
> >> RIPE should urge all members to stop spam originating from their networks.
>
> Sure, once we agree on a definition for spam, that COULD work fine.

If we cannot define something, then we should do something,
where we don't need this definition.

What about if we forget about the definition of spam and let
the Internet users do it for us ?
If the RIPE will finally get the spam reports and complaints
and forward them to the provider, nobody has to define
what spams or complaints are, because RIPE will only count
the complaints and these complaints could be anything ...

So let's start talking about complaints :o)

Good idea ?

Kind regards, Frank
--
PHADE Software - PowerWeb               http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
Schinkelstrasse 17                      fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany   fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Cheers,
> j.
> --
> j.hofmüller http://users.mur.at/thesix/
>

From gert at space.net Tue Apr 6 21:57:00 2010
From: gert at space.net (Gert Doering)
Date: Tue, 6 Apr 2010 21:57:00 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <20100406172620.GD4327@spin.it>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie> <20100406165243.GD3708@kathy> <20100406172620.GD4327@spin.it>
Message-ID: <20100406195700.GY69383@Space.Net>

Hi,

On Tue, Apr 06, 2010 at 07:26:20PM +0200, furio ercolessi wrote:
> > Sure, once we agree on a definition for spam, that COULD work fine.
>
> Is there a disagreement on this point ? I thought it was
> "unsolicited+bulk" (as in http://www.spamhaus.org/definition.html )
> and that this definition was quite universally accepted in the industry.

JFTR, I don't think it has to be "bulk" to be SPAM. OTOH, I see the
"C" in "UCE" as relevant...
if someone sends a commercial sales mail
to my private e-mail, and it's just a single and directly targeted
e-mail, it's *still* SPAM.

So, you see, there is no universal definition.

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 150584

SpaceNet AG                    Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14      Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen               HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444        USt-IdNr.: DE813185279

From esa.laitinen at iki.fi Wed Apr 7 08:53:17 2010
From: esa.laitinen at iki.fi (Esa Laitinen)
Date: Wed, 7 Apr 2010 08:53:17 +0200
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004061840.o36IeNk5020412@www.powerweb.de>
References: <4BBB570E.1030507@heanet.ie> <201004061840.o36IeNk5020412@www.powerweb.de>
Message-ID:

On Tue, Apr 6, 2010 at 8:40 PM, Frank Gadegast wrote:

>
> Forget, how do you think that there will be a world-wide consensus
> in Governments ? That does not happen in the EU and will never.
>

What makes you think that this will be somehow different within RIPE?

--
Esa Laitinen
Tel. +41 76 200 2870
skype/yahoo: reunaesa

From phade at www.powerweb.de Wed Apr 7 09:25:53 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Wed, 7 Apr 2010 09:25:53 +0200 (MET DST)
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To:
Message-ID: <201004070725.o377Prt1006360@www.powerweb.de>

>
> HI, Frank!

Hi,

> Feel your frustration. But do a quick google search on FUSSP.

April fools day is over ...

> Anyway, your solution would impose costs on others (i.e. RIPE, other ISPs),

Sure, but they can easily be shared with the same method that RIPE
uses for the member fees, big ISPs pay more, small ones less.
In fact it will be simple some costs at RIPE.
And who cares what a spamming provider will have to invest to get
his customers cleaned ?
I'm somehow getting the idea, that those people on this list that
are always AGAINST any idea ARE these providers, that are too lazy
to control their spambotted customers.
Could that be the final reason why we do not find a solution ?

I added some more statistics to our own blacklist.
Then I will run the ASes of everybody on this list I'm aware
of through these statistics next month and gonna post
the results to this list, let's see ...

Maybe everybody on this list running a blacklist or statistics
about spam he receives should do this too.

> and would be easily abused to destroy an ISP you don't like.

How that ?
By sending fake reports to RIPE clearing address ?

I recommended that the ISP has to categorize the report
himself like you can do on spamcop too, he can simply
select "no spam from us" and that's it.

And RIPE can control the behaviour of the ISP easily
with some simple statistics ...
The system should work fuzzy-like, only the really
bad ones get punished and the ones with little problems
get away.

And RIPE can easily reject reports coming from the same
IPs all the time ... or the ISP under a fake attack can
talk to RIPE about it, that problem isn't really hard
to solve.

Kind regards, Frank
--
PHADE Software - PowerWeb               http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
Schinkelstrasse 17                      fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany   fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
>
> --
> Esa Laitinen
> Tel. +41 76 200 2870
> skype/yahoo: reunaesa
>

From aftab.siddiqui at gmail.com Wed Apr 7 09:46:18 2010
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Wed, 7 Apr 2010 12:46:18 +0500
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004070725.o377Prt1006360@www.powerweb.de>
References: <201004070725.o377Prt1006360@www.powerweb.de>
Message-ID:

Frank Wrote:

I added some more statistics to our own blacklist.
Then I will run the ASes of everybody on this list I'm aware
of through these statistics next month and gonna post
the results to this list, let's see ...

Maybe everybody on this list running a blacklist or statistics
about spam he receives should do this too.

What would this result in? Haven't you seen many bogus prefixes generating
from ASes everybody knows about (ref: weekly routing analysis)? Haven't you
seen hell de-aggregation from big providers for so long? Haven't you seen
some frequently blacklisted IPs belonging to the same ASes for quite some time?

I'm not saying that what you are doing is bad but seriously providers who are
generating spams are either totally aware of it or are too naive to do anything
about it. IMHO, first we have to agree/build consensus that there is a problem
and there are the problem makers among us.

Regards,

Aftab A. Siddiqui

On Wed, Apr 7, 2010 at 12:25 PM, Frank Gadegast wrote:

> >
> > HI, Frank!
>
> Hi,
>
> > Feel your frustration. But do a quick google search on FUSSP.
>
> April fools day is over ...
>
> > Anyway, your solution would impose costs on others (i.e. RIPE, other
> ISPs),
>
> Sure, but they can easily be shared with the same method that RIPE
> uses for the member fees, big ISPs pay more, small ones less.
> In fact it will be simple some costs at RIPE.
> And who cares what a spamming provider will have to invest to get
> his customers cleaned ?
>
>
> I'm somehow getting the idea, that those people on this list that
> are always AGAINST any idea ARE these providers, that are too lazy
> to control their spambotted customers.
> Could that be the final reason why we do not find a solution ?
>
> I added some more statistics to our own blacklist.
> Then I will run the ASes of everybody on this list I'm aware
> of through these statistics next month and gonna post
> the results to this list, let's see ...
>
> Maybe everybody on this list running a blacklist or statistics
> about spam he receives should do this too.
>
> > and would be easily abused to destroy an ISP you don't like.
>
> How that ?
> By sending fake reports to RIPE clearing address ?
>
> I recommended that the ISP has to categorize the report
> himself like you can do on spamcop too, he can simply
> select "no spam from us" and that's it.
>
> And RIPE can control the behaviour of the ISP easily
> with some simple statistics ...
> The system should work fuzzy-like, only the really
> bad ones get punished and the ones with little problems
> get away.
>
> And RIPE can easily reject reports coming from the same
> IPs all the time ... or the ISP under a fake attack can
> talk to RIPE about it, that problem isn't really hard
> to solve.
>
>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb               http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
> Schinkelstrasse 17                      fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany   fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>
> >
> >
> > --
> > Esa Laitinen
> > Tel. +41 76 200 2870
> > skype/yahoo: reunaesa
> >

From brian.nisbet at heanet.ie Wed Apr 7 13:14:27 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 07 Apr 2010 12:14:27 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <201004061840.o36IeNk5020412@www.powerweb.de>
References: <201004061840.o36IeNk5020412@www.powerweb.de>
Message-ID: <4BBC6913.8010104@heanet.ie>

"Dipl-Inform. Frank Gadegast" wrote the following on 06/04/2010 19:40:
>>
>>> I just described one around lunch time.
>>> RIPE should urge all members to stop spam originating from their networks.
>>
>> You did not describe a silver bullet. The RIPE community has urged
>> their members to stop spam and abuse for years, RIPE-409 says it quite
>> plainly, this has been the repeated advice. There are potential ways of
>
> Advice is very different to forcing members to do something and
> to have sanctions, right ?

So, you are suggesting a number of measures that the community should
ask the NCC to put in place to punish members who are judged, by
someone, to be responsible for network abuse?

> (still waiting on a discussion of the system I described around lunch time)

Are you talking about replicating the Tobias' APNIC proposal in the RIPE
region and/or publishing lists of non-responders? I, the list and, I
have no doubt, the community, are interested in any proposal that might
reduce network abuse, but after the mails today and yesterday I think
some clarification and something that might be motion towards a proposal
might be useful?

>> enforcing this, but please do not claim that what has been discussed so
>> far today will suddenly stop network abuse.
>
> Well, I see it from my perspective.
> Developing our own dnsbl based on the spam our customers receive
> reduced the problem for us to nearly nothing, but this was hard work
> and still needs adjustments and further development to keep up
> with the spammers' newest technologies.
>
> Adapting this experience and the experience from all members
> for the whole RIPE region and developing regulations for all
> members cannot be so complicated ...

It really can.

> There is just no will from most members, because it means work.
> Who will vote for a regulation that ends up in work ?

Many people have in the past, if they believe the work will involve
improving the situation for their customers and for their staff.

>> And the minutes of each meeting are posted to the list. So far no
>> discussion has come out of them.
>
> Sure, most interested members will not attend meetings (because
> they have to fight against the Spam arriving out of the networks
> from attendees *** sorry *** had to make this joke).
>
> It would be much more productive and generate more consensus,
> if the points would be discussed on the list BEFORE the meeting.

As the agenda will, in no small part, feature presentations and
discussions, it is difficult to proceed as you're suggesting, however
consensus is not something that is reached purely at meetings. The
mailing list, where more members can participate is, as I've mentioned,
the main location for discussion. To take, for instance, the IRT object
discussion, it was decided in Lisbon to close that item as no discussion
had taken place, either at meetings or on the mailing list, for some
time, not just because of an action at a meeting.

>>> governments ?
>>> this will make all worse and slower ...
>>
>> The aim is to get governments and LEAs onside, to examine policies and
>
> Might be your aim, this was not discussed on the list.

No, this is an oft-stated aim of the NCC and a fair chunk of the
community.
In addition, our interactions with governments and the LEAs
were clearly referenced and minuted at the Lisbon meeting. There will
be further information presented in Prague (and remember, these meetings
can be followed online) and the points raised there will be put forward
for further discussion on the mailing list. We will post what agenda we
can, but there's very little to discuss on the list before a meeting,
unless some concrete proposals are made.

>> procedures at RIR level and to avoid the making of necessary legislation
>> and to keep the bottom up consensus approach. However there is no way
>
> Forget, how do you think that there will be a world-wide consensus
> in Governments ? That does not happen in the EU and will never.

I do not believe there will be consensus amongst governments, that's
not what I'm suggesting.

>> that governments will not be involved, the idea is to take their input
>> and show them we, as a community, are acting.
>
> Weird starting point, governments have no idea, what the Internet is ...

It's not the starting point, but there is no question that the RIPE
community and the NCC need to talk to governments, need to show good
stewardship of the resources we have and need to avoid *un*-necessary
legislation. (Thanks to NOR for pointing out the lacking *un* when I
mentioned this previously.)

>>>> We're trying to finalise the agenda at the moment, but the work that is
>>>> taking place with the NCC, the RIPE community and the LEAs will be
>>>
>>> Well, please post it to the list, so that it can be discussed before
>>> it's finalized.
>>
>> I will post an agenda, but I'm not sure what discussion there is likely
>> to be as my two calls for agenda items have, so far, met with one single
>> response. Equally, the agenda of any WG is reasonably mutable and on
>
> Well, maybe there will be more ideas coming ...

For agenda items?

>> Apologies, I should have been clearer. As has been stated elsewhere
>> and, I believe, on this list, while policy proposals will, undoubtedly,
>> be discussed at meetings, the primary place to discuss policy is the WG
>> mailing list and there is no intention or plan to purely discuss things
>> at meetings.
>
> Then I somehow really missed detailed discussion, I counted about
> 100 mails during the last year ...

Well, no, there has not been discussion, equally there have not been any
policy proposals. Discussion will take place on list, should there be
things to discuss.

Brian.

From iane at sussex.ac.uk Wed Apr 7 15:09:59 2010
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Wed, 07 Apr 2010 14:09:59 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <20100406195700.GY69383@Space.Net>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie> <20100406165243.GD3708@kathy> <20100406172620.GD4327@spin.it> <20100406195700.GY69383@Space.Net>
Message-ID: <759A3A4617D348CCDEA0074B@lewes.staff.uscs.susx.ac.uk>

--On 6 April 2010 21:57:00 +0200 Gert Doering wrote:

> Hi,
>
> On Tue, Apr 06, 2010 at 07:26:20PM +0200, furio ercolessi wrote:
>> > Sure, once we agree on a definition for spam, that COULD work fine.
>>
>> Is there a disagreement on this point ? I thought it was
>> "unsolicited+bulk" (as in http://www.spamhaus.org/definition.html )
>> and that this definition was quite universally accepted in the industry.
>
> JFTR, I don't think it has to be "bulk" to be SPAM. OTOH, I see the
> "C" in "UCE" as relevant... if someone sends a commercial sales mail
> to my private e-mail, and it's just a single and directly targeted
> e-mail, it's *still* SPAM.

In the UK, the term "marketing" is used in place of commercial. It's wider
than commercial. You could be marketing a political party, charity, or
church.

>
> So, you see, there is no universal definition.
>
> Gert Doering
> -- NetMaster

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

/\ Document Freedom Day - Liberate your documents
_\/` http://documentfreedom.org/ - March 31st 2010

From iane at sussex.ac.uk Wed Apr 7 15:08:33 2010
From: iane at sussex.ac.uk (Ian Eiloart)
Date: Wed, 07 Apr 2010 14:08:33 +0100
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <20100406172620.GD4327@spin.it>
References: <201004061503.o36F3US8031877@www.powerweb.de> <4BBB570E.1030507@heanet.ie> <20100406165243.GD3708@kathy> <20100406172620.GD4327@spin.it>
Message-ID: <68CF146CA9E3B5261DAA0DBB@lewes.staff.uscs.susx.ac.uk>

--On 6 April 2010 19:26:20 +0200 furio ercolessi wrote:

> On Tue, Apr 06, 2010 at 06:52:43PM +0200, Jogi Hofmüller wrote:
>> On Tue, Apr 06, 2010 at 04:45:18PM +0100, Brian Nisbet wrote:
>>
>> >>>> How can not anybody have an idea, how to solve the problem ?
>> >>>
>> >>> Many people have many ideas, not all of them work. There remains no
>> >>> silver bullet. And any recommendation made still needs to be
>> >>> adopted.
>> >>
>> >> I just described one around lunch time.
>> >> RIPE should urge all members to stop spam originating from their
>> >> networks.
>>
>> Sure, once we agree on a definition for spam, that COULD work fine.
>
> Is there a disagreement on this point ? I thought it was
> "unsolicited+bulk" (as in http://www.spamhaus.org/definition.html )
> and that this definition was quite universally accepted in the industry.

Not here. The problem with "bulk" is that this can only be determined with
certainty by the sender. Since "unsolicited" can only be determined with
certainty by the recipient, "unsolicited bulk" can only be determined with
co-operation between sender and recipient. The recipient doesn't
necessarily care about the "bulk" part. The sender doesn't necessarily care
about co-operating.
It's also quite difficult to define "bulk" in a way that's robust
technically and legally. Especially when snow-shoe spammers are using
templated spam that never looks the same twice.

In UK law, the definition is "unsolicited and marketing". In my view,
that's a much better definition, provided "marketing" is drawn fairly
widely - which it is. Both can be determined by the recipient. The problem
in the UK is enforcement.

> furio
>

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

/\ Document Freedom Day - Liberate your documents
_\/` http://documentfreedom.org/ - March 31st 2010

From phade at www.powerweb.de Wed Apr 7 20:54:24 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Wed, 7 Apr 2010 20:54:24 +0200 (MET DST)
Subject: [anti-abuse-wg] themes on lists and meetings
In-Reply-To: <4BBC6913.8010104@heanet.ie>
Message-ID: <201004071854.o37IsOrM001597@www.powerweb.de>

>

Hi,

> "Dipl-Inform. Frank Gadegast" wrote the following on 06/04/2010 19:40:
> >>
> >>> I just described one around lunch time.
> >>> RIPE should urge all members to stop spam originating from their networks.
> >>
> >> You did not describe a silver bullet. The RIPE community has urged
> >> their members to stop spam and abuse for years, RIPE-409 says it quite
> >> plainly, this has been the repeated advice. There are potential ways of
> >
> > Advice is very different to forcing members to do something and
> > to have sanctions, right ?
>
> So, you are suggesting a number of measures that the community should
> ask the NCC to put in place to punish members who are judged, by
> someone, to be responsible for network abuse?

Sure.

> > (still waiting on a discussion of the system I described around lunch time)
>
> Are you talking about replicating the Tobias' APNIC proposal in the RIPE
> region and/or publishing lists of non-responders? I, the list and, I

No, I'm talking about an abuse-address like ip1.ip2.ip3.ip4 at abuse.ripe.net
which forwards all incoming abuse reports to the responsible member
I described.

> > Well, I see it from my perspective.
> > Developing our own dnsbl based on the spam our customers receive
> > reduced the problem for us to nearly nothing, but this was hard work
> > and still needs adjustments and further development to keep up
> > with the spammers' newest technologies.
> >
> > Adapting this experience and the experience from all members
> > for the whole RIPE region and developing regulations for all
> > members cannot be so complicated ...
>
> It really can.

So where are the constructive ideas and discussion.
Everything I hear sounds like: doesn't work, doesn't want ...

> As the agenda will, in no small part, feature presentations and
> discussions, it is difficult to proceed as you're suggesting, however
> consensus is not something that is reached purely at meetings. The
> mailing list, where more members can participate is, as I've mentioned,
> the main location for discussion. To take, for instance, the IRT object

But there is no discussion.
And this might be, because most discussion currently happens
at the meetings.
That's why everybody on the list should know, what will be discussed
on the meetings to give feedback BEFORE the meeting is happening.
If people get the feeling, that their ideas and input are welcome,
they might even appear at the meetings ...

> discussion, it was decided in Lisbon to close that item as no discussion

Nobody talked about the IRT object before the meeting took place
and that's very sad, because I guess a lot of people would
vote for them.

> had taken place, either at meetings or on the mailing list, for some
> time, not just because of an action at a meeting.

It's the first time I heard about the IRT object, it was maybe
a short note somewhere in the meeting protocol, but never discussed
on this list.
We need to change this, so that discussions are not only
made by people that can attend meetings.

> >>> governments ?
> >>> this will make all worse and slower ...
> >>
> >> The aim is to get governments and LEAs onside, to examine policies and
> >
> > Might be your aim, this was not discussed on the list.
>
> No, this is an oft-stated aim of the NCC and a fair chunk of the
> community. In addition, our interactions with governments and the LEAs
> were clearly referenced and minuted at the Lisbon meeting. There will

Again, doing anything at meetings cuts out the majority of the members,
this is like an oligarchy ...

> be further information presented in Prague (and remember, these meetings
> can be followed online) and the points raised there will be put forward
> for further discussion on the mailing list. We will post what agenda we
> can, but there's very little to discuss on the list before a meeting,
> unless some concrete proposals are made.

That's what the list is for.
The people on the list should give the input for the meetings.
There should be discussions before an agenda will be settled.

> > Well, maybe there will be more ideas coming ...
>
> For agenda items?

Sure, did anybody ever ask for them ?
I'm maybe old and forget a lot, but quickly flicked
through the last mails from the list and did not find anything like
"call for agenda items".

> Well, no, there has not been discussion, equally there have not been any
> policy proposals. Discussion will take place on list, should there be
> things to discuss.

There is a lot to discuss.
- first I would call for agenda items
- then I would call for anti-spam-system hosted by RIPE

Then we should talk in details about all this to finally find the best
ideas and solution and these should be talked about at the meetings.
I bet that lots of people will attend meetings, when their ideas
will find their way to meetings ...
And last I would call everybody to use useful subjects on this list,
when the themes change, instead of just replying.

Kind regards, Frank
--
PHADE Software - PowerWeb               http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast       mailto:frank at powerweb.de
Schinkelstrasse 17                      fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany   fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Brian.
>

From brian.nisbet at heanet.ie Thu Apr 8 11:23:49 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 08 Apr 2010 10:23:49 +0100
Subject: [anti-abuse-wg] themes on lists and meetings
In-Reply-To: <201004071854.o37IsOrM001597@www.powerweb.de>
References: <201004071854.o37IsOrM001597@www.powerweb.de>
Message-ID: <4BBDA0A5.1030100@heanet.ie>

Frank,

I fear we are rapidly entering into, or have already entered into,
unproductive territory, but anyway...

"Dipl-Inform. Frank Gadegast" wrote the following on 07/04/2010 19:54:
>
>>> (still waiting on a discussion of the system I described around lunch time)
>>
>> Are you talking about replicating the Tobias' APNIC proposal in the RIPE
>> region and/or publishing lists of non-responders? I, the list and, I
>
> No, I'm talking about an abuse-address like ip1.ip2.ip3.ip4 at abuse.ripe.net
> which forwards all incoming abuse reports to the responsible member
> I described.

Then by all means write a proposal, please. From a personal point of
view, I cannot see the usefulness of creating another abuse address, as
it still has to be pointed at a real address and something still needs
to be done with it, the latter two are the bigger problem. And if
people were mailing an @ripe.net address, it would seem to shift the
responsibility for enforcement, and the blame for breach, onto the NCC?
>> As the agenda will, in no small part, feature presentations and
>> discussions, it is difficult to proceed as you're suggesting, however
>> consensus is not something that is reached purely at meetings. The
>> mailing list, where more members can participate is, as I've mentioned,
>> the main location for discussion. To take, for instance, the IRT object
>
> But there is no discussion.
> And this might be, because most discussion currently happens
> at the meetings.
> That's why everybody on the list should know, what will be discussed
> on the meetings to give feedback BEFORE the meeting is happening.
> If people get the feeling, that their ideas and input are welcome,
> they might even appear at the meetings ...

There are certain things that it's possible to give feedback on, other
things it's more difficult to give feedback on, especially presentations
which will only be finished shortly before the WG meeting. I will, as I
promised, be publishing a draft agenda for the meeting before the end of
this week and we can see what comes from that.

>> discussion, it was decided in Lisbon to close that item as no discussion
>
> Nobody talked about the IRT object before the meeting took place
> and that's very sad, because I guess a lot of people would
> vote for them.

There was extensive discussion both on the mailing list this group (as
anti-spam) and DB (as the proposal was formally raised there), so that's
worth checking out. However there was no consensus. And remember, it's
not a voting situation.

>> No, this is an oft-stated aim of the NCC and a fair chunk of the
>> community. In addition, our interactions with governments and the LEAs
>> were clearly referenced and minuted at the Lisbon meeting. There will
>
> Again, doing anything at meetings cuts out the majority of the members,
> this is like an oligarchy ...

Anything? By the extension of that logic we'd never have meetings.
The reality of human social interaction is that we're still better at doing things when we're face to face with each other for short periods of time. There is no intent to cut people out, remote participation is now much easier, no hard decisions are made (consensus is not declared purely based on a meeting) and minutes are posted.

>>> Well, maybe there will be more ideas coming ...
>>
>> For agenda items?
>
> Sure, did anybody ever ask for them ?
> I'm maybe old and forget a lot, but quickly flicked
> through the last mails from the list and did not find anything like
> "call for agenda items".

Really? I sent two mails, one on the 10th of March, one on the 31st. I've received a couple of offers of talks, they will be happening at the meeting. I also received a suggestion of something to look at, so I did. :) Generally a call for items goes out two months before a meeting, so yes. Please note, these two mails were the latest two on the list before Claus' mail on the 6th.

> There is a lot to discuss.
> - first I would call for agenda items
> - then I would call for anti-spam-system hosted by RIPE
>
> Then we should talk in details about all this to finally find the best
> ideas and solution and these should be talked about at the meetings.
> I bet that lots of people will attend meetings, when their ideas
> will find their way to meetings ...

Their ideas will find their way to meetings, please stop claiming otherwise without any evidence to support that. Agenda items have always been called for. So far very few concrete ideas have been put forth. The notion you raised of an abuse address requires a lot more fleshing out before it could become a proposal and be properly discussed. A variety of questions spring to mind for me, some of which I've outlined above. However without more detail, there will not be proper discussion.

Regards,

Brian.
From phade at www.powerweb.de Thu Apr 8 12:37:32 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Thu, 8 Apr 2010 12:37:32 +0200 (MET DST)
Subject: [anti-abuse-wg] themes on lists and meetings
In-Reply-To: <4BBDA0A5.1030100@heanet.ie>
Message-ID: <201004081037.o38AbW5u027790@www.powerweb.de>

>
> Frank,

Hi,

> I fear we are rapidly entering into, or have already entered into,
> unproductive territory, but anyway...
>
> "Dipl-Inform. Frank Gadegast" wrote the following on 07/04/2010 19:54:
> >
> >>> (still waiting on a discussion of the system I described around lunch time)
> >>
> >> Are you talking about replicating the Tobias' APNIC proposal in the RIPE
> >> region and/or publishing lists of non-responders? I, the list and, I
> >
> > No, I'm talking about an abuse-address like ip1.ip2.ip3.ip4 at abuse.ripe.net
> > which forwards all incoming abuse reports to the responsible member
> > I described.
>
> Then by all means write a proposal, please. From a personal point of

A proposal should be discussed with lots of people to get enough input first. This list would be perfect for this.

> view, I cannot see the usefulness of creating another abuse address, as

First, nobody has to look up abuse addresses via whois anymore.
Second, the real abuse address of the member can be hidden.
Third, delivery of abuse reports can be automated and maybe standardized in the future (there are already formats for abuse reports).

> it still has to be pointed at a real address and something still needs
> to be done with it, the latter two are the bigger problem. And if
> people were mailing an @ripe.net address, it would seem to shift the
> responsibility for enforcement, and the blame for breach, onto the NCC?

Not at all.
Fourth, RIPE could find out, what member really reads abuse reports and control which ones are failing with "User unknown", "Mailbox full" and so on.
The usefulness would be that NCC could monitor which member gets how many complaints to quickly overlook what member really needs more information about how to secure the own networks. Most newer providers are not even aware of, that their own customers are causing a lot of trouble.

> >> As the agenda will, in no small part, feature presentations and
> >> discussions, it is difficult to proceed as you're suggesting, however
> >> consensus is not something that is reached purely at meetings. The
> >> mailing list, where more members can participate is, as I've mentioned,
> >> the main location for discussion. To take, for instance, the IRT object
> >
> > But there is no discussion.
> > And this might be, because most discussion currently happens
> > at the meetings.
> > That's why everybody on the list should know, what will be discussed
> > on the meetings to give feedback BEFORE the meeting is happening.
> > If people get the feeling, that their ideas and input are welcome,
> > they might even appear at the meetings ...
>
> There are certain things that it's possible to give feedback on, other
> things it's more difficult to give feedback on, especially presentations

But at least the agenda could be discussed.

Where are the archives of this list ?
http://www.ripe.net/mailman/listinfo/anti-abuse-wg
does not point me to the right page ?

I would really like to flip through them now.

> which will only be finished shortly before the WG meeting. I will, as I
> promised, be publishing a draft agenda for the meeting before the end of
> this week and we can see what comes from that.
>
> > Again, doing anything at meetings cuts out the majority of the members,
> > this is like an oligarchy ...
>
> Anything? By the extension of that logic we'd never have meetings. The

I meant "doing everything at meetings".

> reality of human social interaction is that we're still better at doing
> things when we're face to face with each other for short periods of
> time. There is no intent to cut people out, remote participation is now
> much easier, no hard decisions are made (consensus is not declared
> purely based on a meeting) and minutes are posted.
>
> >>> Well, maybe there will be more ideas coming ...
> >>
> >> For agenda items?
> >
> > Sure, did anybody ever ask for them ?
> > I'm maybe old and forget a lot, but quickly flicked
> > through the last mails from the list and did not find anything like
> > "call for agenda items".
>
> Really? I sent two mails, one on the 10th of March, one on the 31st.

Well, they did not reach me ...
Checked my archive, my antispam-folders, nothing.

> I've received a couple of offers of talks, they will be happening at the
> meeting. I also received a suggestion of something to look at, so I
> did. :) Generally a call for items goes out two months before a
> meeting, so yes. Please note, these two mails were the latest two on
> the list before Claus' mail on the 6th.
>
> > There is a lot to discuss.
> > - first I would call for agenda items
> > - then I would call for anti-spam-system hosted by RIPE
> >
> > Then we should talk in details about all this to finally find the best
> > ideas and solution and these should be talked about at the meetings.
> > I bet that lots of people will attend meetings, when their ideas
> > will find their way to meetings ...
>
> Their ideas will find their way to meetings, please stop claiming
> otherwise without any evidence to support that. Agenda items have
> always been called for. So far very few concrete ideas have been put
> forth. The notion you raised of an abuse address requires a lot more
> fleshing out before it could become a proposal and be properly

Indeed, let's discuss it. Here.

So far, I only received two comments. One from you simply saying "don't think it's good for anything" and from somebody else saying "don't like it". Did not receive one useful and productive comment ...

> discussed. A variety of questions spring to mind for me, some of which
> I've outlined above. However without more detail, there will not be
> proper discussion.

Maybe everybody on this list could comment it, I collect the ideas and improvements and re-post it to the list ?

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

> Regards,
>
> Brian.
>

From fm-lists at st-kilda.org Thu Apr 8 12:57:31 2010
From: fm-lists at st-kilda.org (Fearghas McKay)
Date: Thu, 8 Apr 2010 11:57:31 +0100
Subject: [anti-abuse-wg] themes on lists and meetings
In-Reply-To: <201004081037.o38AbW5u027790@www.powerweb.de>
References: <201004081037.o38AbW5u027790@www.powerweb.de>
Message-ID:

On 8 Apr 2010, at 11:37, Frank Gadegast wrote:

> Maybe everybody on this list could comment it, I collect the ideas
> and improvements and re-post it to the list ?

If you write a proposal people will do that. Unless there is something concrete to discuss, all we have is more talk. You have suggested enough to start a draft proposal that can be worked on to deliver an outcome, but first it needs a concrete proposal as a starting point.

HTH

f

From brian.nisbet at heanet.ie Thu Apr 8 13:12:17 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 08 Apr 2010 12:12:17 +0100
Subject: [anti-abuse-wg] themes on lists and meetings
In-Reply-To: <201004081037.o38AbW5u027790@www.powerweb.de>
References: <201004081037.o38AbW5u027790@www.powerweb.de>
Message-ID: <4BBDBA11.5020402@heanet.ie>

"Dipl-Inform.
Frank Gadegast" wrote the following on 08/04/2010 11:37:
>>
>>>>> (still waiting on a discussion of the system I described around lunch time)
>>>>
>>>> Are you talking about replicating the Tobias' APNIC proposal in the RIPE
>>>> region and/or publishing lists of non-responders? I, the list and, I
>>>
>>> No, I'm talking about an abuse-address like ip1.ip2.ip3.ip4 at abuse.ripe.net
>>> which forwards all incoming abuse reports to the responsible member
>>> I described.
>>
>> Then by all means write a proposal, please. From a personal point of
>
> A proposal should be discussed with lots of people to get enough input first.
> This list would be perfect for this.

Perhaps a better way to actually have discussion would be to formulate your thoughts into more than a one line entry, try to describe how it would work etc, perhaps with a small group of people, then present a more concrete idea to the list for further discussion. Ideally those behind an idea would present a proposal as the starting point for list. The way you have presented this so far has either been missed or there is not enough there to discuss.

>> There are certain things that it's possible to give feedback on, other
>> things it's more difficult to give feedback on, especially presentations
>
> But at least the agenda could be discussed.

Of course it can.

> Where are the archives of this list ?
> http://www.ripe.net/mailman/listinfo/anti-abuse-wg
> does not point me to the right page ?
>
> I would really like to flip through them now.

The old Anti-Spam WG archives are here:
http://www.ripe.net/ripe/maillists/archives/anti-spam-wg/index.html
And the Anti-Abuse WG archives are here:
http://www.ripe.net/ripe/maillists/archives/anti-abuse-wg/index.html

>>> Sure, did anybody ever ask for them ?
>>> I'm maybe old and forget a lot, but quickly flicked
>>> through the last mails from the list and did not find anything like
>>> "call for agenda items".
>>
>> Really? I sent two mails, one on the 10th of March, one on the 31st.
>
> Well, they did not reach me ...
> Checked my archive, my antispam-folders, nothing.

It has been pointed out to me by the lovely NCC staff who moderate the mailing lists that there seems to be some confusion over which email address you're subscribed to the group under as you appear to be using both frank at powerweb.de and phade at www.powerweb.de. Currently I'm assuming that mails are being sent from phade@, which isn't subscribed, but that's something you may wish to investigate. Certainly, both mails reached the list.

> Did not receive one useful and productive comment ...

I don't think there was much to discuss, although you mentioned some points in your last mail. I really would encourage you to collect your thoughts, possibly talk to some other people off-list, then write a mail to the list setting out your idea, how it would work, the pros and cons etc. This would be a far more effective idea than burying them in the middle of a discussion.

>> discussed. A variety of questions spring to mind for me, some of which
>> I've outlined above. However without more detail, there will not be
>> proper discussion.
>
> Maybe everybody on this list could comment it, I collect the ideas
> and improvements and re-post it to the list ?

Everybody won't, such is the nature of these things, but you have a better chance of a better response with a clear mail setting out your idea in detail.

Regards,

Brian.

From brian.nisbet at heanet.ie Thu Apr 8 13:23:42 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 08 Apr 2010 12:23:42 +0100
Subject: [anti-abuse-wg] RIPE 60 - Draft Agenda
Message-ID: <4BBDBCBE.5030508@heanet.ie>

As promised, we have a draft agenda for the meeting in Prague. I wish to emphasise the draft nature of this agenda at present, I have no doubt it will change over the next four weeks.
http://www.ripe.net/ripe/meetings/ripe-60/agendas/anti-abuse.html

Anti-Abuse Working Group Agenda - RIPE 60

Location: - Bohemia I
Date: Thursday, 6 May 2010, 16:00-17:30

Anti-Abuse Working Group Home Page

A. Administrative Matters
* Welcome
* Select a scribe
* Jabber Monitor
* Microphone Etiquette
* Approve Minutes from RIPE 59
* Finalise agenda

B. Update
* B1. Network Abuse Update - Richard Cox
* B2. Recent List Discussion - Abuse contacts, Sanctions, etc.

C. Technical Measures
* C1. RIPE NCC Tools update.

D. Interactions
* D1. Working Groups
* D2. Law Enforcement Interaction - Wout de Natris, LAP
* D3. RIPE NCC Gov/LEA Interactions Update

E. Documents
* E1. BCP Documentation

X. A.O.B.

Z. Agenda for RIPE 61; Plenary Presentations

From ripe-anti-spam-wg at powerweb.de Thu Apr 8 15:29:44 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 08 Apr 2010 15:29:44 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
Message-ID: <4BBDDA48.9080106@powerweb.de>

Dear all,

please discuss and comment to following draft proposal ...
(and please forgive but correct my English, bad formatting
or terms)

Kind regards, Frank

--------------------------------------------------------------

DRAFT: implementation of an abuse monitor system
(draft RIPE proposal)

Abstract
This document describes the implementation of an abuse monitor system
at RIPE NCC. Its intention is to ensure working abuse contacts on the
members' side and to improve the awareness, responsiveness and work flow
for abuse reports for the reporting (and abused) internet users and the
RIPE members (owning the misused services).

Contents
1. Introduction
2. Goals of an abuse monitor system
3. Requirements
4. Description
5. Advantages
6. Disadvantages
7. Enhancements
8. Outlook

1. Introduction
Taking into account the amount of spam and other abuse currently
happening every day, there is a need to ensure that ISPs and
other organisations are aware of the problem their customers
and end users can cause for others.

The current procedure of having non-mandatory abuse contacts in
whois output is causing several problems for the incident reporting
side as well as for the receiver.

RIPE's members should be responsible for the abuse their
customers cause, as is already enforced by law in many countries.

2. Goals of an abuse monitor system
Currently most abuse contact addresses are hidden in whois output
remark fields in several non-standardized ways or do not even exist,
because the real abuse-field is non-mandatory. There should be
a standardized method how to contact responsible people to send
abuse reports to.

It should be possible to send abuse reports to a standardized
email address, because whois queries are limited. The system should
bypass whois queries, so that reports can be automated.

Currently there is no control, if existing abuse contacts are still
valid, working or incoming emails are being read.

The real abuse email address of any RIPE member should be hidden
by the abuse monitor system.

Finally a monitoring system should be able to measure the amount
of incoming reports for any RIPE member. This will enable
RIPE NCC to help members to become more aware of security breakouts
or help members that are not aware of the problems they cause.

RIPE NCC could e.g. arrange for security training courses and
invite members with a very high reporting rate according to
the amount of allocated IP addresses.

3. Requirements
RIPE NCC should enhance the member section with an extra abuse contact
field. This field should be filled at startup with the main email
address of any member automatically, but should be editable for the
members.

4. Description
RIPE NCC should implement a mailserver able to receive emails in the
form of

IP1.IP2.IP3.IP4 at abuse.ripe.net (example)

Incoming emails to these addresses can be treated as incoming abuse
reports and will be forwarded to the member's internal abuse contact
address (non-public), after the mailserver finds the correct member by
looking up internal allocation tables.

The amount of incoming emails for every member will be logged and should
create internal statistics for RIPE NCC's internal usage.

There should be no anti spam systems implemented on this server to
ensure that every incoming email gets forwarded. Anti spam systems
should be up to the member.

Furthermore, RIPE NCC should monitor, if the member's abuse contact
address generates errors, bounces or other problems like "User unknown"
or "Mailbox full". If the member's abuse contact address is not valid
anymore, it could be reset to the member's hidden main email address, and
the member could be informed about the problem in other ways (letter,
phone call and so on).

5. Advantages
The system does not have to define or decide what spam or abuse is,
because it only forwards abuse reports to the responsible person.
It is likely that any incoming email is a description of a real
abusive problem (except incoming spam).

The described system would make it very easy for any ISP or private
person to report received spam, hacks or other abuses directly to
the responsible RIPE member, without having to know its name and without
having to know how to use whois.
Reporting systems could be easily automated without having to query
whois.

The ISP or RIPE member can easily change and control his internal abuse
contact address without having to update several objects in RIPE's
database.

RIPE NCC can ensure that all allocations have a working abuse address.

This all can ensure that incidents are really reported by the abused
users (and not being ignored or forgotten because it's too much work to
report incidents) and that reports will be read by the right and
responsible person.

This will finally increase the awareness of any RIPE member about the
problems his end users or misused servers may cause and will hopefully
force any member to implement methods to monitor their own servers
and/or dialin users to improve the detection of misused services.

This will hopefully reduce the amount of spam and abuse worldwide.

Finally this will maybe influence other RIRs to implement similar
systems.

6. Disadvantages
It is likely that spammers will misuse the new general abuse addresses
massively. Anti spam methods need to be implemented at the members'
side.

7. Enhancements
The system could be enhanced with additional services easily on RIPE NCC's
side, after implementation and a test period of the system. More
detailed statistics could help improving the awareness at the members'
side.

Enhancing forwarded abuse reports with a feedback link could help to
categorize incoming reports. Members could then visit a ticket system to
back report incoming reports as "spam", "incident" or "wrong report"
(like popular spam blacklists like SpamCop are doing this already), add
comments like "missing information", "incident currently under
investigation" or "incident solved". This could help members to track
reports and incidents easily without having to implement their own system
(which could be very interesting for smaller ISPs). Finally this would
allow the reporting internet user to receive feedback to ensure that his
input is valuable, important and taken care of.

8. Outlook
Standardization of a general abuse address will be another step to the
standardization of an abuse report format, which are currently in process.
This could lead to open source implementations of spam detection
solutions that include standardized reporting features.
Standardized reporting could also be included in other monitoring and detection software, like Intrusion Detection Systems or Antispam Solutions.

Author: Frank Gadegast
Company: PHADE Software - PowerWeb
Contact: frank at powerweb.de
Version: 0.1
Date: 08.04.2010

From bradley.freeman at csirt.ja.net Thu Apr 8 15:44:31 2010
From: bradley.freeman at csirt.ja.net (Bradley Freeman)
Date: Thu, 8 Apr 2010 14:44:31 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDDA48.9080106@powerweb.de>
References: <4BBDDA48.9080106@powerweb.de>
Message-ID: <004201cad721$9e444f90$dacceeb0$@freeman@csirt.ja.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe I am missing something but I can't see the benefit in having RIPE proxy abuse requests, as a member of a CSIRT I feel this would add a layer of abstraction between the 2 network operators and definitely wouldn't use it as a first port of call.

Additionally RIPE are not in a position to force the badly behaving ISPs to cooperate, if you have an uncooperative ISP with problem X do you really believe that RIPE suggesting they go on a training course is going to help?

Sure the RIPE NCC may have some other contact details but most ISPs within the RIPE region you can get hold of even if the abuse mailbox does not work by making a few phone calls etc.

And if the only benefit is a common abuse alias, hasn't this already been suggested with an abuse@ address in RFC2142 - Mailbox Names for Common Services, Roles and Functions which is not RIPE region specific?

Bradley

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of Frank Gadegast
> Sent: 08 April 2010 14:30
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
> abuse monitor system
>
>
> Dear all,
>
> please discuss and comment to following draft proposal ...
> (and please forgive but correct my English, bad formatting
> or terms)
>
> Kind regards, Frank
>
> --------------------------------------------------------------
>
>
> DRAFT: implementation of an abuse monitor system
> (draft RIPE proposal)
>
>
>
> Abstract
> This document describes the implementation of an abuse monitor system
> at RIPE NCC. Its intention is to ensure working abuse contacts on the
> members' side and to improve the awareness, responsiveness and work flow
> for abuse reports for the reporting (and abused) internet users and the
> RIPE members (owning the misused services).
>
>
> Contents
> 1. Introduction
> 2. Goals of an abuse monitor system
> 3. Requirements
> 4. Description
> 5. Advantages
> 6. Disadvantages
> 7. Enhancements
> 8. Outlook
>
>
> 1. Introduction
> Taking into account the amount of spam and other abuse currently
> happening every day, there is a need to ensure that ISPs and
> other organisations are aware of the problem their customers
> and end users can cause for others.
>
> The current procedure of having non-mandatory abuse contacts in
> whois output is causing several problems for the incident reporting
> side as well as for the receiver.
>
> RIPE's members should be responsible for the abuse their
> customers cause, as is already enforced by law in many countries.
>
>
> 2. Goals of an abuse monitor system
> Currently most abuse contact addresses are hidden in whois output
> remark fields in several non-standardized ways or do not even exist,
> because the real abuse-field is non-mandatory. There should be
> a standardized method how to contact responsible people to send
> abuse reports to.
>
> It should be possible to send abuse reports to a standardized
> email address, because whois queries are limited. The system should
> bypass whois queries, so that reports can be automated.
>
> Currently there is no control, if existing abuse contacts are still
> valid, working or incoming emails are being read.
>
> The real abuse email address of any RIPE member should be hidden
> by the abuse monitor system.
>
> Finally a monitoring system should be able to measure the amount
> of incoming reports for any RIPE member. This will enable
> RIPE NCC to help members to become more aware of security breakouts
> or help members that are not aware of the problems they cause.
>
> RIPE NCC could e.g. arrange for security training courses and
> invite members with a very high reporting rate according to
> the amount of allocated IP addresses.
>
>
> 3. Requirements
> RIPE NCC should enhance the member section with an extra abuse contact
> field. This field should be filled at startup with the main email
> address of any member automatically, but should be editable for the
> members.
>
>
> 4. Description
> RIPE NCC should implement a mailserver able to receive emails in the
> form of
>
> IP1.IP2.IP3.IP4 at abuse.ripe.net (example)
>
> Incoming emails to these addresses can be treated as incoming abuse
> reports and will be forwarded to the member's internal abuse contact
> address (non-public), after the mailserver finds the correct member by
> looking up internal allocation tables.
>
> The amount of incoming emails for every member will be logged and
> should
> create internal statistics for RIPE NCC's internal usage.
>
> There should be no anti spam systems implemented on this server to
> ensure that every incoming email gets forwarded. Anti spam systems
> should be up to the member.
>
> Furthermore, RIPE NCC should monitor, if the member's abuse contact
> address generates errors, bounces or other problems like "User unknown"
> or "Mailbox full". If the member's abuse contact address is not valid
> anymore, it could be reset to the member's hidden main email address,
> and
> the member could be informed about the problem in other ways (letter,
> phone call and so on).
>
>
> 5. Advantages
> The system does not have to define or decide what spam or abuse is,
> because it only forwards abuse reports to the responsible person.
> It is likely that any incoming email is a description of a real
> abusive problem (except incoming spam).
>
> The described system would make it very easy for any ISP or private
> person to report received spam, hacks or other abuses directly to
> the responsible RIPE member, without having to know its name and
> without
> having to know how to use whois.
> Reporting systems could be easily automated without having to query
> whois.
>
> The ISP or RIPE member can easily change and control his internal abuse
> contact address without having to update several objects in RIPE's
> database.
>
> RIPE NCC can ensure that all allocations have a working abuse address.
>
> This all can ensure that incidents are really reported by the abused
> users (and not being ignored or forgotten because it's too much work to
> report incidents) and that reports will be read by the right and
> responsible person.
>
> This will finally increase the awareness of any RIPE member about the
> problems his end users or misused servers may cause and will hopefully
> force any member to implement methods to monitor their own servers
> and/or dialin users to improve the detection of misused services.
>
> This will hopefully reduce the amount of spam and abuse worldwide.
>
> Finally this will maybe influence other RIRs to implement similar
> systems.
>
>
> 6. Disadvantages
> It is likely that spammers will misuse the new general abuse addresses
> massively. Anti spam methods need to be implemented at the members'
> side.
>
>
> 7. Enhancements
> The system could be enhanced with additional services easily on RIPE
> NCC's
> side, after implementation and a test period of the system. More
> detailed statistics could help improving the awareness at the members'
> side.
>
> Enhancing forwarded abuse report with a feedback link could help to
> categorize incoming reports. Members could then visit a ticket system to
> back report incoming reports as "spam", "incident" or "wrong report"
> (like popular spam blacklists like SpamCop are doing this already), add
> comments like "missing information", "incident currently under
> investigation" or "incident solved". This could help members to track
> reports and incidents easily without having to implement their own system
> (what could be very interesting for smaller ISPs). Finally this would
> allow the reporting internet user to receive feedback to ensure that his
> input is valuable, important and taken care of.
>
>
> 8. Outlook
> Standardization of a general abuse address will be another step to the
> standardization of an abuse report format, which is currently in process.
> This could lead to open source implementations of spam detection
> solutions that include standardized reporting features.
> Standardized reporting could also be included in other monitoring
> and detection software, like Intrusion Detection Systems or
> Antispam Solutions.
>
>
> Author: Frank Gadegast
> Company: PHADE Software - PowerWeb
> Contact: frank at powerweb.de
> Version: 0.1
> Date: 08.04.2010
>

From ripe-anti-spam-wg at powerweb.de Thu Apr 8 16:07:07 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 08 Apr 2010 16:07:07 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <004201cad721$9e444f90$dacceeb0$@freeman@csirt.ja.net>
References: <4BBDDA48.9080106@powerweb.de> <004201cad721$9e444f90$dacceeb0$@freeman@csirt.ja.net>
Message-ID: <4BBDE30B.2090908@powerweb.de>

Bradley Freeman wrote:
> Hello,
> Maybe I am missing something but I can't see the benefit in having RIPE

Please read section 5. Advantages ...
I described a lot of good reasons.

I personally think that it's really important to automate abuse reports.
And this can not be done with the current practice of non standardized
abuse contacts hidden somewhere in whois queries.

> proxy abuse requests, as a member of a CSIRT I feel this would add a layer
> of abstraction between the 2 network operators and definitely wouldn't use
> it as a first port of call. Additionally RIPE are not in a position to force
> the badly behaving ISPs to cooperate, if you have an uncooperative ISP with

Well RIPE NCC can at least force their members to have a working
contact address.

> problem X do you really believe that RIPE suggesting they go on a training
> course is going to help? Sure the RIPE NCC may have some other contact

Maybe on some, we are running an internal blacklist that clearly states
that most spam is coming from NEW members, if you compare it to the
amount of IPs the members have. If you see that there is even a lot of
spam coming out of the new IPv6 allocation it is clear, that most new
members do not even think about abuse they cause.

> details but most ISPs within the RIPE region you can get hold of even if the
> abuse mailbox does not work by making a few phone calls etc.
>
> And if the only benefit is a common abuse alias, hasn't this has already
> been suggested with an abuse@ address in RFC2142 - Mailbox Names for Common
> Services, Roles and Functions which is not RIPE region specific?

Yes, but it is only a recommendation, reality looks different.
Most abuse addresses are hidden or not working or do not exist.
RIPE can easily monitor a working address with this alias proxy.
That's what it's for.

I really believe it would work better than now, if the NCC can control
and monitor the addresses. This will even work better than trying to
make the abuse-field mandatory again.

What we need now are comments to make the system working better and
taking care about problems I wasn't thinking of in the first place ...

Kind regards, Frank

>
> Bradley
>
>> -----Original Message-----
>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
>> admin at ripe.net] On Behalf Of Frank Gadegast
>> Sent: 08 April 2010 14:30
>> To: anti-abuse-wg at ripe.net
>> Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
>> abuse monitor system
>>
>>
>> Dear all,
>>
>> please discuss and comment to following draft proposal ...
>>
>>
>> Author: Frank Gadegast
>> Company: PHADE Software - PowerWeb
>> Contact: frank at powerweb.de
>> Version: 0.1
>> Date: 08.04.2010
>>
>

-- 
With kind regards,
-- 
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany               fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From james.davis at ja.net Thu Apr 8 16:20:42 2010
From: james.davis at ja.net (James Davis)
Date: Thu, 08 Apr 2010 15:20:42 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDDA48.9080106@powerweb.de>
References: <4BBDDA48.9080106@powerweb.de>
Message-ID: <4BBDE63A.2070305@ja.net>

Frank Gadegast wrote:

> Currently most abuse contact addresses are hidden in whois output
> remark fields in several non-standardized ways or do not even exist,
> because the real abuse-field is non-mandatory. There should be
> a standardized method how to contact responsible people to send
> abuse reports to.

My impression is that the irt object provides an unambiguous way to
provide this information; if it is present.

> Currently there is no control, if existing abuse contacts are still
> valid, working or incoming emails are being read.

The proposal doesn't ensure that the abuse mailbox is read or that the
information is acted upon. That's not something that's easy to tell just
by records of e-mail transmission. Many abuse mailboxes are monitored
and acted upon but otherwise show no external signs of a response.

> The real abuse email address of any RIPE member should be hidden
> by the abuse monitor system.

I don't think that's a good idea. There are legitimate reasons to want
to know the real abuse email address, or you may simply not want to
relate a report to a specific IP address.

> RIPE NCC could e.g. arrange for security training courses and
> invite members with a very high reporting rate according to
> the amount of allocated IP addresses.

What do you propose as a metric for this? The raw volume of reports, or
reports per IP address, whilst obvious are not too helpful. I'm sure
that at specific time there's always a host on our network causing lots
of reports to be sent to our abuse mailbox, but that's not a sign that
we're running the network badly but simply that our network is very
large.

You could look at reports averaged across address space but that'll
count unfairly against large networks using address translation. We have
this problem here where a few IP addresses generate unusual levels of
reports, but not when you take into account that those few addresses
have many tens of thousands of computers and users behind them.

I'm not suggesting it's not possible, but that this is a very difficult
question that we've had to think about in the past, and I'd love to hear
the answers :) More useful to us is when we talk to our customers about
activity and realize that something 'hinky' is going on
(http://www.schneier.com/blog/archives/2007/04/recognizing_hin_1.html).

> There should be no anti spam systems implemented on this server to
> ensure that every incoming email gets forwarded. Anti spam systems
> should be up to the member.
> ...
> 6. Disadvantages
> It is likely that spammers will misuse the new general abuse addresses
> massively. Anti spam methods need to be implemented at the members' side.

The stats that RIPE would gather, in no way would correspond to the
actual reports ending up in front of the abuse handler, as the RIPE
stats would include spam sent to a.b.c.d at abuse.ripe.net

> Furthermore, RIPE NCC should monitor, if the member's abuse contact
> address generates errors, bounces or other problems like "User unknown"
> or "Mailbox full". If the member's abuse contact address is not valid
> anymore, it could be reset to the member's hidden main email address, and
> the member could be informed about the problem in other ways (letter,
> phone call and so on).

That could be a good idea. You'd have to have a think about how many
man-hours that'd involve though.

> The system does neither have to define or decide what spam or abuse is,
> because it only forwards abuse reports to the responsible person.
> It is likely that any incoming email is a description of a real
> abusive problem (except incoming spam).

Not only incoming spam, but it also would include all the other stuff
that ends up in our abuse mailboxes but isn't "abuse". I'm thinking of
people wanting us to step into personal disputes, or people who are just
very confused as to what we can help them with ;)

> This all can ensure that incidents are really reported by the abused
> users (and not being ignored or forgotten because it's too much work to
> report incidents) and that reports will be read by the right and
> responsible person.

No, it'll just ensure that the reports end up being delivered to a
mailbox. Even if they then end up being read, that's not going to be
enough is it?

> This will finally increase the awareness of any RIPE member about the
> problems his end users or misused servers may cause and will hopefully
> force any member to implement methods to monitor their own servers
> and/or dialin users to improve the detection of misused services.

I'd like to see RIPE members being more aware of the irt object.

James

-- 
James Davis    +44 1235 822 229    PGP: 0xD1622876
JANET CSIRT    0870 850 2340 (+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

From thor.kottelin at turvasana.com Thu Apr 8 16:30:36 2010
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Thu, 8 Apr 2010 17:30:36 +0300
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <004201cad721$9e444f90$dacceeb0$@freeman@csirt.ja.net>
References: <4BBDDA48.9080106@powerweb.de> <004201cad721$9e444f90$dacceeb0$@freeman@csirt.ja.net>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of Bradley Freeman
> Sent: Thursday, April 08, 2010 4:45 PM
> To: 'Frank Gadegast'; anti-abuse-wg at ripe.net

> And if the only benefit is a common abuse alias, hasn't this has already
> been suggested with an abuse@ address in RFC2142 - Mailbox Names for Common
> Services, Roles and Functions which is not RIPE region specific?

It is not always obvious which abuse@ domain should be selected for a
particular IP address.
I like the suggestion of routing reports according to the IP address of
the abuse source.

-- 
Thor Kottelin
http://www.anta.net/

From brian.nisbet at heanet.ie Thu Apr 8 17:11:20 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 08 Apr 2010 16:11:20 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDD723.8090908@powerweb.de>
References: <4BBDD723.8090908@powerweb.de>
Message-ID: <4BBDF218.6000401@heanet.ie>

Frank,

"Frank Gadegast" wrote the following on 08/04/2010 14:16:
>
> Dear all,
>
> please discuss and comment to following draft proposal ...
> (and please forgive but correct my English, bad formatting
> or terms)

Thanks for formulating your thoughts. However in order to turn this into
a full RIPE proposal the PDP must be used. In this case a PDP number and
be published at http://www.ripe.net/ripe/policies/proposals/index.html
and the process will be fully tracked by the responsible people in the
NCC.

However this requires the document to follow the proposal template
mentioned at http://www.ripe.net/ripe/docs/pdp.html. Assistance in
formulating such a proposal can be given, of course, by both the
relevant WG chairs and the Filiz.

The document you have put out is fine from a discussion point of view,
but nothing more if you wish it to progress.

Feel free to contact me off-list about this, should you wish.

Brian.

From jdfalk-lists at cybernothing.org Thu Apr 8 17:55:32 2010
From: jdfalk-lists at cybernothing.org (J.D. Falk)
Date: Thu, 8 Apr 2010 09:55:32 -0600
Subject: [anti-abuse-wg] update on netsecdb project
In-Reply-To: <4BBAF537.30401@powerweb.de>
References: <4BBA877A.5000201@marxmeier.de> <4BBAF537.30401@powerweb.de>
Message-ID: <01EB6D10-C9C3-45C1-AF31-E34F6F41DA85@cybernothing.org>

On Apr 6, 2010, at 2:47 AM, Frank Gadegast wrote:

> * do we have at least a definition of spam after 2 years ?

There've been pointless arguments about the definition of spam for about
16 years, actually.

-- 
J.D. Falk

From james.davis at ja.net Thu Apr 8 18:13:01 2010
From: james.davis at ja.net (James Davis)
Date: Thu, 08 Apr 2010 17:13:01 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To: <201004081540.o38Fe8V9021227@www.powerweb.de>
References: <201004081540.o38Fe8V9021227@www.powerweb.de>
Message-ID: <4BBE008D.2040409@ja.net>

Dipl-Inform. Frank Gadegast wrote:

> You don't need to know the real one until you have one for every IP.

As I mentioned, you might simply want to contact the abuse team
regarding a more general issue. Quite often if I can't find a published
abuse contact for foo.com so I'll dig www.foo.com and then lookup the
returned address in the RIPE DB - I'm not at all interested in an
address specific to that IP address though.

> Metric ?

Metric as in a standard of measurement. Sorry that probably wasn't very
clear language on my part.

> And that proves what ?

I have 17 million+ users, and a remit to provide very open network
access to them. It's inevitable that somewhere on the network someone is
sending large volumes of spam, what's important is how quickly and
effectively we react to that incident. Someone from RIPE calling us, to
offer us a training course we don't need, because last year we had a few
hosts sending 100,000+ spam e-mails isn't a useful use of anyone's
resources.

This, and my comment about NAT, are just illustrations of how you need
to be careful over deciding what you consider to be a large volume of
reports.

> Well at least you will hear about incidents with the new system
> and that's more that's currently happening.

We already hear about incidents. Almost all the address space used on
our network has an irt object published and reports reach us at the
correct address.
I'm not convinced that any abuse team who really wants to make
themselves contactable has problems doing so (whether they are aware of
the irt object or not is another matter). The difficulty is in
convincing network owners that they need abuse teams that take the issue
seriously :)

> Yes, that's why I stated that.
> A solution could be, that the RIPE system will return a link
> to the report sender, that has to be clicked, before the report
> will be forwarded to the member.
>
> Will that help ?

Sorry I missed that in my original reading.

> A member abuse address could be reset automatically to the members
> main email address (but is very likely to be read by the member).
> The member would not want that many emails arrive at that main address
> and fix the abuse address asap.
>
> This process could be automated at RIPE system.

I don't know anything about RIPE's existing processes for making sure
that member information is correct but I suspect that it still requires
human effort as a last resort.

> Another idea to stop spam coming in, could be to open
> the whole system only to RIPE members first !
>
> The ISP could work together and all others stay out.
>
> Will that be a solution ?

No, I suspect most of our reports come from non RIPE members. The link
confirmation would be enough, although you'd need some way to deal with
automated reports.

>> No, it'll just ensure that the reports end up being delivered to an
>
> That's far more, that we have now ...

Shuffling bits from one mailbox to another doesn't constitute actual
progress.
You need to give a reason for the recipient to care enough about the
reports to do something - and if they have that reason they'll take care
of making themselves contactable for you :)

James

-- 
James Davis    +44 1235 822 229    PGP: 0xD1622876
JANET CSIRT    0870 850 2340 (+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

From thor.kottelin at turvasana.com Thu Apr 8 18:00:12 2010
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Thu, 8 Apr 2010 19:00:12 +0300
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <201004081542.o38Fg8eV021462@www.powerweb.de>
References: <201004081542.o38Fg8eV021462@www.powerweb.de>
Message-ID:

> -----Original Message-----
> From: Frank Gadegast [mailto:phade at www.powerweb.de]
> Sent: Thursday, April 08, 2010 6:42 PM
> To: Thor Kottelin
> Cc: anti-abuse-wg at postboy.ripe.net

> > > -----Original Message-----
> > > From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> > > admin at ripe.net] On Behalf Of Bradley Freeman
> > > Sent: Thursday, April 08, 2010 4:45 PM
> > > To: 'Frank Gadegast'; anti-abuse-wg at ripe.net
> >
> > > And if the only benefit is a common abuse alias, hasn't this has already
> > > been suggested with an abuse@ address in RFC2142 - Mailbox Names for Common
> > > Services, Roles and Functions which is not RIPE region specific?
> >
> > It is not always obvious which abuse@ domain should be selected for a
> > particular IP address. I like the suggestion of routing reports
> > according to the IP address of the abuse source.
>
> Not getting it.

I apologise. Allow me to rephrase:

Any organisation to which net space is allocated or assigned may own
zero, one or several Internet domains. It may be difficult to know
exactly what to type on the domain side of an abuse@ address. Your
proposal avoids this issue. This is an advantage of your proposal as
compared with RFC 2142.

-- 
Thor Kottelin
http://www.anta.net/

From bradley.freeman at csirt.ja.net Thu Apr 8 18:53:45 2010
From: bradley.freeman at csirt.ja.net (Bradley Freeman)
Date: Thu, 8 Apr 2010 17:53:45 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To:
References: <201004081542.o38Fg8eV021462@www.powerweb.de>
Message-ID: <004301cad73c$0dd98810$298c9830$@freeman@csirt.ja.net>

> Any organisation to which net space is allocated or assigned may own
> zero, one or several Internet domains. It may be difficult to know
> exactly what to type on the domain side of an abuse@ address. Your
> proposal avoids this issue. This is an advantage of your proposal as
> compared with RFC 2142.

This functionality is already provided by the irt object, maybe it would
be more beneficial to change the policy to require that the irt-object
contains valid information.

Bradley

From phade at www.powerweb.de Thu Apr 8 19:57:25 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Thu, 8 Apr 2010 19:57:25 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To:
Message-ID: <201004081757.o38HvPHh032487@www.powerweb.de>

>
> > Not getting it.
>
> I apologise. Allow me to rephrase:
>
> Any organisation to which net space is allocated or assigned may own
> zero, one or several Internet domains. It may be difficult to know
> exactly what to type on the domain side of an abuse@ address. Your
> proposal avoids this issue. This is an advantage of your proposal as
> compared with RFC 2142.

No, because the system generates email addresses only related to the IP
address that causes the abuse.

The monitoring system at RIPE NCC then "translates" this IP like email
addresses to either the abuse address, that the member was putting into
RIPE's system or the main member address, the member has to setup, when
becoming a member.

RIPE NCC knows best how to "translate" the IP like abuse email address
to the member's address, because RIPE NCC has best knowledge about
the allocations all members own.

BTW: that's the main advantage of my draft ... nobody has to know
the actual abuse address for an IP range or has to look it up
via whois. Anybody that gets attacked knows the right address
just by sending his report to

1.2.3.4 at abuse.ripe.net

when the IP 1.2.3.4 caused the abuse.
Kind regards, Frank > > -- > Thor Kottelin > http://www.anta.net/ > > > From balasari at gmail.com Thu Apr 8 21:19:45 2010 From: balasari at gmail.com (Balaji Naglagave) Date: Fri, 9 Apr 2010 00:49:45 +0530 Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system In-Reply-To: <201004081757.o38HvPHh032487@www.powerweb.de> References: <201004081757.o38HvPHh032487@www.powerweb.de> Message-ID: Frank , How do you propose to do this Ip to mail Address translation ? BR Balaji On Thu, Apr 8, 2010 at 11:27 PM, Frank Gadegast wrote: > > > > > > > > Not getting it. > > > > I apologise. Allow me to rephrase: > > > > Any organisation to which net space is allocated or assigned may own > zero, one or several Internet domains. It may be difficult to know exactly > what to type on the domain side of an abuse@ address. Your proposal avoids > this issue. This is an advantage of your proposal as compared with RFC 2142. > > No, because the system generates email addresses only related to the IP > address > that causes the abuse. > > The monitoring system at RIPE NCC than "translates" this IP like email > addresses > to either the abuse address, that the member was putting into RIPEs system > or the main member address, the member has to setup, when becoming a > member. > > RIPE NCC knows best how to "translate" the IP like abuse email address > to the members address, because RIPE NCC has best knowlegde about > the allocation all member ownes. > > BTW: thats the main advantage of my draft ... nobody has to know > the actual abuse address for a IP range or has to look it up > via whois. Anybody that gets attacked knows the right address > just by sending his report to > > 1.2.3.4 at abuse.ripe.net > > when the IP 1.2.3.4 caused the abuse. > > > Kind regards, Frank > > > > > -- > > Thor Kottelin > > http://www.anta.net/ > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
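The translation asked about above, following the lookups described in the thread (IP address to allocation, allocation to member, member to abuse address with the main member address as fallback), as an added example that is not part of any message in this thread and is not RIPE NCC code. The allocation table, member ids and contact addresses are constructed, and writing IPv6 addresses with "-" in place of ":" is an assumption made here, because ":" is not allowed in an unquoted e-mail local part.

```python
import ipaddress

ABUSE_DOMAIN = "abuse.ripe.net"  # the example domain used in the draft

# Constructed sample data: documentation address ranges, made-up member ids
# and contact addresses. Nothing here comes from the RIPE database.
ALLOCATIONS = [
    ("192.0.2.0/24", "lir-alpha"),
    ("198.51.100.0/24", "lir-alpha"),
    ("198.51.100.128/25", "lir-beta"),  # more specific than the /24 above
    ("2001:db8::/32", "lir-gamma"),
]
MEMBERS = {
    "lir-alpha": {"main": "hostmaster@alpha.example", "abuse": "abuse@alpha.example"},
    "lir-beta": {"main": "noc@beta.example", "abuse": None},  # no abuse address set
    "lir-gamma": {"main": "admin@gamma.example", "abuse": "abuse@gamma.example"},
}

NETWORKS = [(ipaddress.ip_network(prefix), member) for prefix, member in ALLOCATIONS]


def parse_report_address(address):
    """Return the IP address encoded in '<ip>@abuse.ripe.net'.

    Assumption of this example: IPv6 is written with '-' instead of ':'.
    Raises ValueError for another domain or a local part that is not an IP.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or domain.lower() != ABUSE_DOMAIN:
        raise ValueError("not a report address: %r" % address)
    if "-" in local:
        local = local.replace("-", ":")
    return ipaddress.ip_address(local)  # raises ValueError if malformed


def find_allocation(ip):
    """Lookup 1: longest-prefix match of the IP against the allocation table."""
    matches = [(net, member) for net, member in NETWORKS
               if net.version == ip.version and ip in net]
    if not matches:
        return None
    return max(matches, key=lambda item: item[0].prefixlen)


def resolve(address):
    """Map a report address to (recipient, member_id, used_fallback).

    Returns None when no allocation covers the IP, so there is no member
    to forward the report to.
    """
    ip = parse_report_address(address)
    allocation = find_allocation(ip)
    if allocation is None:
        return None
    _, member_id = allocation          # lookup 2: allocation -> member
    contacts = MEMBERS[member_id]      # lookup 3: member -> contact address
    if contacts["abuse"]:
        return contacts["abuse"], member_id, False
    # No abuse address registered: fall back to the main member address.
    return contacts["main"], member_id, True


if __name__ == "__main__":
    for sample in ("192.0.2.55@abuse.ripe.net",
                   "198.51.100.200@abuse.ripe.net",
                   "2001-db8--25@abuse.ripe.net",
                   "203.0.113.9@abuse.ripe.net"):
        print(sample, "->", resolve(sample))
```
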
URL: From leo.vegoda at icann.org Thu Apr 8 22:33:21 2010 From: leo.vegoda at icann.org (Leo Vegoda) Date: Thu, 8 Apr 2010 13:33:21 -0700 Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system In-Reply-To: <4BBDDA48.9080106@powerweb.de> References: <4BBDDA48.9080106@powerweb.de> Message-ID: <6AF99617-57DB-4A2A-8CD7-1AD2E0BA6337@icann.org> On 8 Apr 2010, at 6:29, Frank Gadegast wrote: [...] > This document describes the implementation of an abuse monitor system > at RIPE NCC. Its intention is to ensure working abuse contacts on the > members side and to improve the awareness, responsiveness and work flow > for abuse reports for the reporting (and abused) internet users and the > RIPE members (owning the misused services). I still don't understand how a system similar to the one proposed would compel members to deal with abuse reports. Presumably a member could just send all their incoming abuse reports to /dev/null. As I understand it, the people who want to receive reports to help them keep their networks clean already publish IRT objects. A system like the one proposed would add an extra layer between the complainant and the relevant network and could well become a target for abuse itself. I am not sure how it would make network managers want to deal with abuse complaints that they are currently ignoring, though. Can you expand on that? Thanks, Leo From phade at www.powerweb.de Thu Apr 8 20:27:43 2010 From: phade at www.powerweb.de (Frank Gadegast) Date: Thu, 8 Apr 2010 20:27:43 +0200 (MET DST) Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse In-Reply-To: <4BBE008D.2040409@ja.net> Message-ID: <201004081827.o38IRiuA002097@www.powerweb.de> > > > You dont need to know the real one until you have one for every IP. > > As I mentioned, you might simply want to contact the abuse team > regarding a more general issue. 
Quite often if I can't find a published > abuse contact for foo.com so I'll dig www.foo.com and then lookup the > returned address in the RIPE DB - I'm not at all interested in an > address specific to that IP address though. well, you can still look it up. But see it this way: - most provider use anti spam tools like SpamAssassin to protect there customer - SA surely lists the IP that was connecting and causing the spam - you can then automatically forward the spam plus a initial text, describing that you do not want this to the general "IP like" address - and the monitoring system will then forward it to the right RIPE member (and to EVERY member) > Metric as in a standard of measurement. Sorry that probably wasn't very > clear language on my part. > > > And that prooves what ? > > I have 17 million+ users, and a remit to provide very open network > access to them. It's inevitable that somewhere on the network someone is > sending large volumes of spam, what's important is how quickly and > effecitvely we react to that incident. Clear. Think about, how easy it would be for you, when you are receiving a report ASAP via the new system. It is likely, that you get a problem report just a few minutes after on of your users started to send spam, because his PC is invected. You can then look up the report (or even automate it), reset his radius password and kick him out, waiting for him to phone your support :o) Or you could redirect him to a webpage describing that there are too many reports coming in for his IP in a whatever time. Its all up you. 
My dream system looks like this: - abuse reports will get standarized - monitoring systems will be developed at all RIRs - spam detection will be automated at the providers side and send standarized reports to the RIRs monitoring system - and the RIRs member automates and scans the incoming reports like he wants (maybe by devining minimum values and limits) and automates the blockage and information of his users Sounds great ? Well, thats actually what we are doing already with our own users. If we detect incoming spam with high scores a couple of times in a short time we kick the users offline automatically and redirect him next time he loggs in to a information page, where he finds our support numbers :o) Wroks simply great, and I would love to get closer to such a system together with ALL ISP > Someone from RIPE calling us, to offer us a training course we don't > need, because last year we had a few hosts sending 100,000+ spam e-mails > isn't a useful use of anyone's resources. Thats was just an idea to inform newer members. For you it might be more important to automate as much as you can, and to be informed as quick as possible, and the monitoring system in my draft simply acchieves that. > This, and my comment about NAT, are just illustrations of how you need > to be careful over deciding what you consider to be a large volume of > reports. Well, limits, counts and how you act on them, are fully up to you. We had to test limits as well for our users. Lets say, you receive 100 reports in about 10 minutes for one IP, where this IP had no report ever ? What is likely to happen ? What would you do ? Its up to you, but surely you would read about 5 reports more closely ( to check, that you are not spammed) and then do whatever you are doing normally, (like looking up your own logs, checking other blacklists to proove that there is a problem, dial into the supposed hacked server aso) when you detect a dialin user or a hacked server. 
> > Well at least you will hear about incidents with the new system > > and thats more thats currently happening. > > We already hear about incidents. Almost all the address space used on But very slow, we see from our own blacklist, that ISPs most often realize problem far later than our blacklist detected the problem or even get informed about the problem via our blacklist for the first time. > our network has an irt object published and reports reach us at the > correct address. I'm not convinced that any abuse team who really wants > to make themselves contactable has problems doing so (whether they are Yes they have, the really have a problem receiving breakout infos quick enough ... believe me, we have experiences for now more than 3 years with them. > aware of the irt object or not is another matter). > > The difficulty is in convincing network owners that they need abuse > teams that take the issue seriously :) Defny agree. But an implemented system will make them even more aware, espacillay when they have to have a working abuse address and this one is getting flodded with reports. The only thing they can do, is emptying it with cp -f /dev/null /var/spool/mail/abuse every minute. But this will then result in some attention at RIPE NCC, because they do not answer incoming reports to set their state via the backlink. "Bad providers" could be even published by RIPE :o) The incoming reports will maybe even stress their mail servers :o) > > The member would not want that many emails arrive at that main address > > and fix the abuse address asap. > > > > This process could be automated at RIPE system. > > I don't know anything about RIPE's existing processes for making sure > that member information is correct but I suspect that it still requires > human effort as a last resort. Well, thats only work at RIPE NCC, its not that complicated to automated bounces ... 
> > Another idea to stop spam coming in, could be to open > > the whole system only to RIPE members first ! > > > > The ISP could work together and all others stay out. > > > > Will that be a solution ? > > No, I suspect most of our reports come from non RIPE members. The link Hm, we receive still more than 20% of all spam from RIPE members. TTNET, TPNET and most russian (and new) eastern ISPs are a bid problem. Sure, the most is currentyl coming out of china, brasial and korea. But that has nothing to do, with getting the RIPE zone more advanced and cleaned. Think about the headline: "Europe is clear of spam senders now !" (ok, ok, newl reporters are never correct and a bit too much entusiastic, but it could come close). > confirmation would be enough, although you'd need some way to deal with > automated reports. Well, the monitoring system could send always the same backlink for the same IP, so that the ISP could still count the amount of incoming reports for one IP automatically and then "answers" it as being closed with just clicking ONE link. Good idea ? > Shuffling bits from one mailbox to another doesn't constitute actual > progress. You need to give a reason for the recipient to care enough > about the reports to do something - and if they have that reason they'll > take care of making themselves contactable for you :) Defny right, but lets start with something ... Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. 
Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de > > James > > - -- > James Davis +44 1235 822 229 PGP: 0xD1622876 > JANET CSIRT 0870 850 2340 (+44 1235 822 340) > Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iD8DBQFLvgCNhZi14NFiKHYRAnvWAJ9z0cWJq/rXaNZgyEPcG3MhdEODhgCfb2OZ > MMz5kWuRdgtPKF3vuY9L2OI= > =DfbR > -----END PGP SIGNATURE----- > > JANET(UK) is a trading name of The JNT Association, a company limited > by guarantee which is registered in England under No. 2881024 > and whose Registered Office is at Lumen House, Library Avenue, > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > From phade at www.powerweb.de Thu Apr 8 20:31:39 2010 From: phade at www.powerweb.de (Frank Gadegast) Date: Thu, 8 Apr 2010 20:31:39 +0200 (MET DST) Subject: [anti-abuse-wg] mandatory information in the IRT object In-Reply-To: <004301cad73c$0dd98810$298c9830$@freeman@csirt.ja.net> Message-ID: <201004081831.o38IVdKR002437@www.powerweb.de> > > This functionality is already provided by the irt object, maybe it would be more beneficial to change the policy to require that the irt-object contains valid information. But it seems that there is no majority to make abuse fields (whatever abuse fields) mandatory. And there is still no idea how to validate the supplied email addresses. Thats why I thought that my system is better (and easier, because the member has just one email address to setup instead to take care about hundred objects). Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. 
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

> Bradley

From phade at www.powerweb.de Thu Apr 8 21:30:26 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Thu, 8 Apr 2010 21:30:26 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To:
Message-ID: <201004081930.o38JUQeO007737@www.powerweb.de>

> Frank ,

Hi,

> How do you propose to do this IP to mail address translation ?

I'm sure that RIPE NCC knows what IP address belongs to which allocation (like they know when answering whois queries) and that they then know which member owns this allocation.

That should be not more than two database lookups for RIPE NCC. And a third one to find the abuse address the LIR entered into the system ...

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

> BR
> Balaji
>
> On Thu, Apr 8, 2010 at 11:27 PM, Frank Gadegast wrote:
>
> > > > Not getting it.
> > >
> > > I apologise. Allow me to rephrase:
> > >
> > > Any organisation to which net space is allocated or assigned may own
> > > zero, one or several Internet domains. It may be difficult to know exactly
> > > what to type on the domain side of an abuse@ address. Your proposal avoids
> > > this issue. This is an advantage of your proposal as compared with RFC 2142.
> >
> > No, because the system generates email addresses only related to the IP
> > address that causes the abuse.
> >
> > The monitoring system at RIPE NCC then "translates" these IP-like email
> > addresses to either the abuse address that the member put into RIPE's system,
> > or the main member address the member has to set up when becoming a
> > member.
> >
> > RIPE NCC knows best how to "translate" the IP-like abuse email address
> > to the member's address, because RIPE NCC has the best knowledge about
> > the allocations all members own.
> >
> > BTW: that's the main advantage of my draft ... nobody has to know
> > the actual abuse address for an IP range or has to look it up
> > via whois. Anybody that gets attacked knows the right address
> > just by sending his report to
> >
> > 1.2.3.4 at abuse.ripe.net
> >
> > when the IP 1.2.3.4 caused the abuse.
> >
> > Kind regards, Frank
> >
> > > --
> > > Thor Kottelin
> > > http://www.anta.net/

From jogi at mur.at Fri Apr 9 09:32:37 2010
From: jogi at mur.at (Jogi Hofmüller)
Date: Fri, 9 Apr 2010 09:32:37 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDDA48.9080106@powerweb.de>
References: <4BBDDA48.9080106@powerweb.de>
Message-ID: <20100409073237.GN3708@kathy>

Hi all,

For various reasons - already mentioned by some people - I cannot see much benefit coming from this proposal. Most important seems the fact that it will not solve the problem of ISPs not having/reading/treating abuse email contacts.

On Thu, Apr 08, 2010 at 03:29:44PM +0200, Frank Gadegast wrote:
> 4. Description
> RIPE NCC should implement a mailserver able to receive emails in the
> form of
>
> IP1.IP2.IP3.IP4 at abuse.ripe.net (example)

In case this proposal is going to be continued PLEASE make it IPv6 compatible.

cheers,
j.
--
j.hofmüller
http://users.mur.at/thesix/

From michele at blacknight.ie Fri Apr 9 10:38:36 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 08:38:36 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To: <201004081827.o38IRiuA002097@www.powerweb.de>
References: <201004081827.o38IRiuA002097@www.powerweb.de>
Message-ID: <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie>

On 8 Apr 2010, at 19:27, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>>> You don't need to know the real one until you have one for every IP.
>>
>> As I mentioned, you might simply want to contact the abuse team >> regarding a more general issue.
Quite often if I can't find a published >> abuse contact for foo.com so I'll dig www.foo.com and then lookup the >> returned address in the RIPE DB - I'm not at all interested in an >> address specific to that IP address though. > > well, you can still look it up. > > But see it this way: > - most provider use anti spam tools like SpamAssassin to protect there > customer > - SA surely lists the IP that was connecting and causing the spam > - you can then automatically forward the spam plus a initial text, > describing that you do not want this to the general "IP like" address > - and the monitoring system will then forward it to the > right RIPE member (and to EVERY member) So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact?? > > > You can then look up the report (or even automate it), reset > his radius password and kick him out, waiting for him > to phone your support :o) Not everyone has the same business model > > Or you could redirect him to a webpage describing that there > are too many reports coming in for his IP in a whatever time. > Its all up you. > > My dream system looks like this: > - abuse reports will get standarized that would be helpful > - monitoring systems will be developed at all RIRs Monitoring for what exactly??? > - spam detection will be automated at the providers side > and send standarized reports to the RIRs monitoring system > > - and the RIRs member automates and scans the incoming reports > like he wants (maybe by devining minimum values and limits) > and automates the blockage and information of his users > > Sounds great ? > > Well, thats actually what we are doing already with our own users. 
> If we detect incoming spam with high scores a couple of times > in a short time we kick the users offline automatically and redirect > him next time he loggs in to a information page, where he finds > our support numbers :o) > > Wroks simply great, and I would love to get closer to such a system > together with ALL ISP And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way. > > "Bad providers" could be even published by RIPE :o) Are you insane? RIPE cannot open itself up for that kind of liability >> > > Well, thats only work at RIPE NCC, its not that complicated to > automated bounces ... So you say .. You cannot speak for all providers / RIPE members. You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who? > > >> confirmation would be enough, although you'd need some way to deal with >> automated reports. > > Well, the monitoring system could send always the same backlink > for the same IP, so that the ISP could still count the amount > of incoming reports for one IP automatically and then > "answers" it as being closed with just clicking ONE link. > > Good idea ? So you expect RIPE members to completely rework their abuse desks to fit into your view of the world? I can't see that happening, because not all RIPE members are the same or work in the same way. Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From michele at blacknight.ie Fri Apr 9 11:19:47 2010 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Fri, 9 Apr 2010 09:19:47 +0000 Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an In-Reply-To: <201004090902.o39921DR028433@www.powerweb.de> References: <201004090902.o39921DR028433@www.powerweb.de> Message-ID: On 9 Apr 2010, at 10:02, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote: >> > > Thats up for discussion. > Preferably every incident will generate one mail to be qick as possible. > Surely its also possible to summarizereal outbreaks. OK > >>> >>> You can then look up the report (or even automate it), reset >>> his radius password and kick him out, waiting for him >>> to phone your support :o) >> >> Not everyone has the same business model > > Right, some members seem to make money with abuse ... Again - if you expect there to be ANY dialogue you need to drop that attitude It's offensive and totally unhelpful > >>> Or you could redirect him to a webpage describing that there >>> are too many reports coming in for his IP in a whatever time. >>> Its all up you. >>> >>> My dream system looks like this: >>> - abuse reports will get standarized >> >> that would be helpful > > Indeed. > >>> - monitoring systems will be developed at all RIRs >> >> Monitoring for what exactly??? > > abuse reports I'm having difficulty understanding this. If a RIPE member has an abuse contact and sets up abuse contact objects for every allocation, why do you need anything else? >> >> >> And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way. 
> > So we are even not clear that abuse is kind of "evil" and should be acceptable > because its the business of the member ? > > We should close this list, if we could not even have the same oppinion here. > > But feel free to explain these "business models" to me ... Again - drop the attitude You have to understand that not every RIPE member offers the same services or has the same resources at their disposal etc., > >>> "Bad providers" could be even published by RIPE :o) >> >> >> Are you insane? RIPE cannot open itself up for that kind of liability > > Why not, blacklists are doing the same, whats the difference ? Ask a lawyer. > >>> Well, thats only work at RIPE NCC, its not that complicated to >>> automated bounces ... >> >> So you say .. > > Yes, its quite easy. No it isn't. Either: - learn how to discuss this with other RIPE members or keep on with your stupid attitude and see how far it gets you > >> You cannot speak for all providers / RIPE members. > > Thats one of the reasons for a centralized system located at RIPE. > The system only needs to be implemented once, there will be nearly > no costs on the members side (except that they have > to deal with report, but they can still ignore them and except > the costs that might be added to RIPEs fees, but that should not be that > much. You do not know that. You have no way of knowing how much of a load would be placed on RIPE's systems > >> You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who? > > The member. > Simply add the costs to RIPE general costs and shared the along the members > with the current mechanism, small member pay less, big one more. > >>>> confirmation would be enough, although you'd need some way to deal with >>>> automated reports. 
>>> >>> Well, the monitoring system could send always the same backlink >>> for the same IP, so that the ISP could still count the amount >>> of incoming reports for one IP automatically and then >>> "answers" it as being closed with just clicking ONE link. >>> >>> Good idea ? >> >> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world? > > Not MY VIEW, a standarized view. You're not a very good listener, are you? > Thats the goal. > > Lets see it this way: providers have to change their infrastructure > regulary for a couple or reasons and always have done. > Serverhousing changed pretty much during the last years. > There was the change from ISDN to DSL dialin, there are new > technologies for HTML, Flash and Mail every day. > > And do not forget IPv6, EVERY member has to change that in the new future. > >> I can't see that happening, because not all RIPE members are the same or work in the same way. > > Well they work on the same basics, what are allocations and other resources. > Resources cause traffic, and every members uses resources like nameservices, > webpages and email. And spam problem comes into play with the later. > > The difference isnt that big. > Business models have nothing to do with how to deal with resources the got from RIPE. Yes it does If you think that you can live in a world where business models have zero impact on reality then you are deluded > > > Kind regards, Frank > >> >> >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Brand Protection >> ICANN Accredited Registrar >> http://www.blacknight.com/ >> http://blog.blacknight.com/ >> http://mneylon.tel >> Intl. 
+353 (0) 59 9183072 >> US: 213-233-1612 >> UK: 0844 484 9361 >> Locall: 1850 929 929 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty >> Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> > Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From peter at hk.ipsec.se Fri Apr 9 11:19:25 2010 From: peter at hk.ipsec.se (peter h) Date: Fri, 9 Apr 2010 11:19:25 +0200 Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse In-Reply-To: <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie> References: <201004081827.o38IRiuA002097@www.powerweb.de> <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie> Message-ID: <201004091119.26406.peter@hk.ipsec.se> On Friday 09 April 2010 10.38, Michele Neylon :: Blacknight wrote: > > On 8 Apr 2010, at 19:27, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote: > > >> > >>> You dont need to know the real one until you have one for every IP. > >> > >> As I mentioned, you might simply want to contact the abuse team > >> regarding a more general issue. Quite often if I can't find a published > >> abuse contact for foo.com so I'll dig www.foo.com and then lookup the > >> returned address in the RIPE DB - I'm not at all interested in an > >> address specific to that IP address though. > > > > well, you can still look it up. 
> > > > But see it this way: > > - most provider use anti spam tools like SpamAssassin to protect there > > customer > > - SA surely lists the IP that was connecting and causing the spam > > - you can then automatically forward the spam plus a initial text, > > describing that you do not want this to the general "IP like" address > > - and the monitoring system will then forward it to the > > right RIPE member (and to EVERY member) > > So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact?? proportional to the number of spam. Are you suprised that lot's of spam generates lots of complaints ? > > > > > > > You can then look up the report (or even automate it), reset > > his radius password and kick him out, waiting for him > > to phone your support :o) > > Not everyone has the same business model Some does better the others. For those that has no means of blocking a bad behaving customer the would need to rethink their model. > > > > > > Or you could redirect him to a webpage describing that there > > are too many reports coming in for his IP in a whatever time. > > Its all up you. > > > > My dream system looks like this: > > - abuse reports will get standarized > > that would be helpful > > > > - monitoring systems will be developed at all RIRs > > Monitoring for what exactly??? Analysing incoming abusereports ( and acting accordingly) > > > - spam detection will be automated at the providers side > > and send standarized reports to the RIRs monitoring system > > > > - and the RIRs member automates and scans the incoming reports > > like he wants (maybe by devining minimum values and limits) > > and automates the blockage and information of his users > > > > Sounds great ? > > > > Well, thats actually what we are doing already with our own users. 
> > If we detect incoming spam with high scores a couple of times > > in a short time we kick the users offline automatically and redirect > > him next time he loggs in to a information page, where he finds > > our support numbers :o) > > > > Wroks simply great, and I would love to get closer to such a system > > together with ALL ISP > > > And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way. Nope, some lazy ISP's will have to adjust their procedures. Allowed to use an ip-range is both a benefit and an obligation. Society at large does not work when rogue individuals mis-behaves and ignores "common rules-of-conduct". > > > > > "Bad providers" could be even published by RIPE :o) > > > Are you insane? RIPE cannot open itself up for that kind of liability Why ? If ranges are supplied with an explicit rules-of-use, the if the provider does not follow the (agreed rules) it's not RIPE's problem. The key here is to couple assignment of ranges to specific rules for use. > > >> > > > > Well, thats only work at RIPE NCC, its not that complicated to > > automated bounces ... > > So you say .. > > You cannot speak for all providers / RIPE members. > > You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who? Why not take a fee per ip-address / year ? This is something i suggested to IETF ages ago, and it would have made allocations much more fair. Noone would like to pay for resources they don't need, and everyone would have a decent chance of getting addresses when they need. > > > > > > >> confirmation would be enough, although you'd need some way to deal with > >> automated reports. > > > > Well, the monitoring system could send always the same backlink > > for the same IP, so that the ISP could still count the amount > > of incoming reports for one IP automatically and then > > "answers" it as being closed with just clicking ONE link. 
> >
> > Good idea ?
>
> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?

Why not ? The world changes and if some refuse to follow they will find themselves outside the loop.

>
> I can't see that happening, because not all RIPE members are the same or work in the same way.

Unfortunately.

>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( Det är billigare att göra rätt. Det är dyrt att laga fel. )

From peter at hk.ipsec.se Fri Apr 9 11:34:06 2010
From: peter at hk.ipsec.se (peter h)
Date: Fri, 9 Apr 2010 11:34:06 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDDA48.9080106@powerweb.de>
References: <4BBDDA48.9080106@powerweb.de>
Message-ID: <201004091134.07277.peter@hk.ipsec.se>

On Thursday 08 April 2010 15.29, Frank Gadegast wrote:
>
> Dear all,
>
> please discuss and comment to following draft proposal ...
> (and please forgive but correct my english, bad formatting
> or terms)
>
> Kind regards, Frank
>

Frank,
i find this initiative excellent as a starting point, in fact it would be quite workable as-is. Good work.

But we must remember that most spam comes from West ( us and latin america) and east. This is outside RIPE's authority.
Implementing successful abuse/spam countermeasures will however serve as an example for both west and east, Europe's example will have effects on opinions worldwide ( providing they get real effects of course).

I'd say "YES" to your proposal.

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( Det är billigare att göra rätt. Det är dyrt att laga fel. )

From phade at www.powerweb.de Fri Apr 9 12:08:18 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Fri, 9 Apr 2010 12:08:18 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To:
Message-ID: <201004091008.o39A8IUB007057@www.powerweb.de>

First a ...

Hello (thats good tone in Germany),

> Again - if you expect there to be ANY dialogue you need to drop that attitude
>
> It's offensive and totally unhelpful

Well, like we say in Germany: people are only offended, if somebody gets them, thats they are doing something wrong.

This is definitely not against you or any other member that takes care about abuse reports.

Its only against members, that are ignoring that their attitude or business model causes real harm to others.
I will keep THAT attitude.

> I'm having difficulty understanding this.
>
> If a RIPE member has an abuse contact and sets up abuse contact objects for every allocation, why do you need anything else?

Like I outline already:
- whois is complicated and unusefull for end users
- IRT objects makes it even more complicated
- nobody is measuring the members so far
- nobody has detailed data about how much abuse is really happening except really well-known blacklists like spamhaus

> > But feel free to explain these "business models" to me ...
>
> Again - drop the attitude
>
> You have to understand that not every RIPE member offers the same services or has the same resources at their disposal etc.,

Again, please give me an example, why any business model should ignore, that the business model is causing real harm to others.

An example please.

> >>> "Bad providers" could be even published by RIPE :o)
> >>
> >> Are you insane? RIPE cannot open itself up for that kind of liability
> >
> > Why not, blacklists are doing the same, whats the difference ?
>
> Ask a lawyer.

More details please.

> >>> Well, thats only work at RIPE NCC, its not that complicated to
> >>> automated bounces ...
> >>
> >> So you say ..
> >
> > Yes, its quite easy.
>
> No it isn't.

It is, we developed our own blacklist, and that wasnt that much work.
A powerful organisation with competent workers like RIPE would create that in really short time.

Please give me arguments, why its so complicated.

Mailtools are well known, open source and available for nearly everything you might want to do with mail.
It is easy, I was even already thinking about to use our own blacklist as testbed, we not all available abuse contacts anyway and to setup a general formatted email address is two lines in the mailserver config and to pump that in a script that forwards the mail after looking up the correct address is a ten-liner in perl.

Im still thinking about this testbed, the only problem is:
- our abuse addresses we have might not be as reliable than RIPE will have them and it would be really bad to accuse the wrong person or even expose details to the wrong person

If I would get complete access to all personal objects at RIPE in a live process, I would think about the testbed again ...

I could even sign whatever non-disclosure to ensure, that we are not doing anything wrong with this data.
> Either:
>
> - learn how to discuss this with other RIPE members
> or
>
> keep on with your stupid attitude and see how far it gets you

Hm, Im not starting with words like "stupid", so please do not reglement my tone and cool down first.

You seem to fight heavily against any idea arriving here.
What are you so frightened about ?

> >> You cannot speak for all providers / RIPE members.
> >
> > Thats one of the reasons for a centralized system located at RIPE.
> > The system only needs to be implemented once, there will be nearly
> > no costs on the members side (except that they have
> > to deal with report, but they can still ignore them and except
> > the costs that might be added to RIPEs fees, but that should not be that
> > much.
>
> You do not know that.
>
> You have no way of knowing how much of a load would be placed on RIPE's systems

Sure, but RIPE is using millions of EUR yearly to get everything going.
You are an ISP yourself, make a guess, how much that costs if you do not have to make profit.

A quick guess:
- a redundant mailserver environment capable of what ? deliver 50 mio mails a day ?
- I would say 100GB traffic/day and 25 highend server
- thats about 3000 EUR traffic-costs a month
- and about 50 thousand one time invest for the servers
- plus the development, I would implement something like this with one month work, ok 5.000
- plus hiring one person to take care about hardware and special cases, that 3.000/month

All together, lets say 6.000 per month plus the invest.

And now divide this to all members with the usual scale (small pay less than big members), how much would that add to the normal yearly membership costs ?

Could somebody quickly compare that to the last yearly costs at RIPE ?

You can save that if you only cut 30 peoples journeys to nice holiday locations for "meetings" that could be done via modern communication techniques anyway per year.
> >>> Well, the monitoring system could send always the same backlink
> >>> for the same IP, so that the ISP could still count the amount
> >>> of incoming reports for one IP automatically and then
> >>> "answers" it as being closed with just clicking ONE link.
> >>>
> >>> Good idea ?
> >>
> >> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?
> >
> > Not MY VIEW, a standardized view.
>
> You're not a very good listener, are you?

Might be because Im not english-speaking ... (like I noted when I was sending the draft).

But, like I outlined above, a rework is not really necessary. Currently members are receiving lots of different formatted reports to their abuse desk (if they have one) and have to read them all manually.

It isnt that bad, if you will get reports, that are more standardized.

> > Thats the goal.
> >
> > Lets see it this way: providers have to change their infrastructure
> > regularly for a couple of reasons and always have done.
> > Serverhousing changed pretty much during the last years.
> > There was the change from ISDN to DSL dialin, there are new
> > technologies for HTML, Flash and Mail every day.
> >
> > And do not forget IPv6, EVERY member has to change that in the new future.
> >
> >> I can't see that happening, because not all RIPE members are the same or work in the same way.
> >
> > Well they work on the same basics, what are allocations and other resources.
> > Resources cause traffic, and every members uses resources like nameservices,
> > webpages and email. And spam problem comes into play with the latter.
> >
> > The difference isnt that big.
> > Business models have nothing to do with how to deal with resources they got from RIPE.
>
> Yes it does
>
> If you think that you can live in a world where business models have zero impact on reality then you are deluded

Example, please give an example ....

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

> >
> > Kind regards, Frank
> >
> >>
> >> Mr Michele Neylon
> >> Blacknight Solutions
> >> Hosting & Colocation, Brand Protection
> >> ICANN Accredited Registrar
> >> http://www.blacknight.com/
> >> http://blog.blacknight.com/
> >> http://mneylon.tel
> >> Intl. +353 (0) 59 9183072
> >> US: 213-233-1612
> >> UK: 0844 484 9361
> >> Locall: 1850 929 929
> >> Twitter: http://twitter.com/mneylon
> >> -------------------------------
> >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> >> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
> >>
> >
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>

From ripe-anti-spam-wg at powerweb.de Fri Apr 9 12:26:45 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 09 Apr 2010 12:26:45 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - other RIRs
In-Reply-To: <201004091134.07277.peter@hk.ipsec.se>
References: <4BBDDA48.9080106@powerweb.de> <201004091134.07277.peter@hk.ipsec.se>
Message-ID: <4BBF00E5.8020001@powerweb.de>

peter h wrote:
> On Thursday 08 April 2010 15.29, Frank Gadegast wrote:
>> Dear all,

Hi Peter,

>> please discuss and comment to following draft proposal ...
>> (and please forgive but correct my english, bad formatting
>> or terms)
>>
>> Kind regards, Frank
>>
>
> Frank,
> i find this initiative excellent as a starting point, in fact it would be quite
> workable as-is. Good work.
>
> But we must remember that most spam comes from West ( us and latin america) and east. This
> is outside RIPE's authority.

Thats right, but remember, that most RIRs are doing the same in the end anyway, If there is a new idea at one RIR, it is likely that the others make the same, maybe slightly different to their regional needs.

> Implementing successful abuse/spam countermeasures will however serve as an example
> for both west and east, Europe's example will have effects on opinions worldwide ( providing
> they get real effects of course).
>
> I'd say "YES" to your proposal.

Great and thnx again.

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From tk at abusix.org Fri Apr 9 12:25:09 2010
From: tk at abusix.org (Tobias Knecht)
Date: Fri, 09 Apr 2010 12:25:09 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4BBDDA48.9080106@powerweb.de>
References: <4BBDDA48.9080106@powerweb.de>
Message-ID: <4BBF0085.4080908@abusix.com>

Hi,

to be honest I like the idea, but unfortunately I'm sure that it will not work. 3.3 reasons therefor:

1.) We have a few customers in the RIPE region and they receive several million reports per day. There is absolutely no way to route all the complaints over a centralized system. And the number of reports is increasing every day, which is a good thing in my opinion.

2.) Centralized systems are dangerous.
Spammers are not stupid and if they see that such a system is doing a good job, they will attack it. We have seen that even in smaller company environments. They will be able to kill this system within days and everything is getting worse.

3.) Even with a huge undestroyable system we will not be able to get good metrics. As mentioned in point 2 spammers will attack this system. But only the ISP itself can decide if a message is spam or just a spammy looking complaint. That means everything has to be forwarded even if it is 50% spam which opens the door:
a.) to aspers selective ISPs with spam attacks on single netranges.
b.) kills the abuse department of smaller ISPs which do not have an automatic system. I would like that approach, because it would generate lots of new customers for our Abuse Handling Framework.
c.) makes metrics absolutely unusable.

I think this idea is great, but it is not working. I will wait for the result of this discussion and propose the same policy proposal which was accepted by APNIC, is in discussion at AfriNIC now, to the RIPE policy group.

Thanks

Tobias

--
abusix.org

On 08.04.2010 15:29, Frank Gadegast wrote:
>
> Dear all,
>
> please discuss and comment to following draft proposal ...
> (and please forgive but correct my english, bad formatting
> or terms)
>
> Kind regards, Frank
>
> --------------------------------------------------------------
>
>
> DRAFT: implementation of an abuse monitor system
> (draft RIPE proposal)
>
>
>
> Abstract
> This document describes the implementation of an abuse monitor system
> at RIPE NCC. Its intention is to ensure working abuse contacts on the
> members side and to improve the awareness, responsiveness and work flow
> for abuse reports for the reporting (and abused) internet users and the
> RIPE members (owning the misused services).
>
>
> Contents
> 1. Introduction
> 2. Goals of an abuse monitor system
> 3. Requirements
> 4. Description
> 5. Advantages
> 6. Disadvantages
> 7. Enhancements
> 8. Outlook
>
>
> 1. Introduction
> Taking in account the amount of spam and other abuse currently
> happening every day, there is a need to ensure that ISPs and
> other organisations are aware of the problem their customers
> and end users can cause for others.
>
> The current procedure of having non-mandatory abuse contacts in
> whois output is causing several problems for the incident reporting
> side as well as for the receiver.
>
> RIPEs member should be responsible for the abuse their
> customers cause, like this is enforced by law in many countries
> already.
>
>
> 2. Goals of an abuse monitor system
> Currently most abuse contact addresses are hidden in whois output
> remark fields in several non-standardized ways or do not even exist,
> because the real abuse-field is non-mandatory. There should be
> a standardized method how to contact responsible people to send
> abuse reports to.
>
> It should be possible to send abuse reports to a standardized
> email address, because whois queries are limited. The system should
> bypass whois queries, so that reports can be automated.
>
> Currently there is no control, if existing abuse contacts are still
> valid, working or incoming emails are being read.
>
> The real abuse email address of any RIPE member should be hidden
> by the abuse monitor system.
>
> Finally a monitoring system should be able to measure the amount
> of incoming reports for any RIPE member. This will enable
> RIPE NCC to help members to become more aware of security breakouts
> or help members that are not aware of the problems they cause.
>
> RIPE NCC could e.g. arrange for security training courses and
> invite members with a very high reporting rate according to
> the amount of allocated IP addresses.
>
>
> 3. Requirements
> RIPE NCC should enhance the member section with an extra abuse contact
> field. This field should be filled at startup with the main email
> address of any member automatically, but should be editable for the
> members.
>
>
> 4. Description
> RIPE NCC should implement a mailserver able to receive emails in the
> form of
>
> IP1.IP2.IP3.IP4 at abuse.ripe.net (example)
>
> Incoming emails to these addresses can be treated as incoming abuse
> reports and will be forwarded to the members internal abuse contact
> address (non-public), after the mailserver finds the correct member by
> looking up internal allocation tables.
>
> The amount of incoming emails for every member will be logged and should
> create internal statistics for RIPE NCCs internal usage.
>
> There should be no anti spam systems implemented on this server to
> ensure that every incoming email gets forwarded. Anti spam systems
> should be up to the member.
>
> Furthermore, RIPE NCC should monitor, if the members abuse contact
> address generates errors, bounces or other problems like "User unknown"
> or "Mailbox full". If the members abuse contact address is not valid
> anymore, it could be reset to the members hidden main email address, and
> the member could be informed about the problem in other ways (letter,
> phone call aso).
>
>
> 5. Advantages
> The system does neither have to define or decide what spam or abuse is,
> because it only forwards abuse reports to the responsible person.
> It is likely that any incoming email is a description of a real
> abusive problem (except incoming spam).
>
> The described system would make it very easy for any ISP or private
> person to report received spam, hacks or other abuses directly to
> the responsible RIPE member, without having to know its name and without
> having to know how to use whois.
> Reporting systems could be easily automated without having to query whois.
>
> The ISP or RIPE member can easily change and control his internal abuse
> contact address without having to update several objects in RIPEs
> database.
>
> RIPE NCC can ensure that all allocations have a working abuse address.
>
> This all can ensure that incidents are really reported by the abused
> users (and not being ignored or forgotten because its too much work to
> report incidents) and that reports will be read by the right and
> responsible person.
>
> This will finally increase the awareness of any RIPE member about the
> problems his end users or misused servers may cause and will hopefully
> force any member to implement methods to monitor their own servers
> and/or dialin users to improve the detection of misused services.
>
> This will hopefully reduce the amount of spams and abuse worldwide.
>
> Finally this will maybe influence other RIRs to implement similar
> systems.
>
>
> 6. Disadvantages
> It is likely that spammer will misuse the new general abuse addresses
> massively. Anti spam methods needs to be implemented at the members side.
>
>
> 7. Enhancements
> The system could be enhanced with additional services easily on RIPE NCCs
> side, after implementation and a test period of the system. More
> detailed statistics could help improving the awareness at the members
> side.
>
> Enhancing forwarded abuse report with a feedback link could help to
> categorize incoming reports. Members could then visit a ticket system to
> back report incoming reports as "spam", "incident" or "wrong report"
> (like popular spam blacklist like SpamCop are doing this already), add
> comments like "missing information", "incident currently under
> investigation" or "incident solved". This could help members to track
> reports and incident easily without having to implement an own system
> (what could be very interesting for smaller ISPs). Finally this would
> allow the reporting internet user to receive feedback to ensure that his
> input is valuable, important and taken care of.
>
>
> 8. Outlook
> Standardization of a general abuse address will be another step to the
> standardization of an abuse report format, which are currently in process.
> This could lead to open source implementations of spam detection
> solutions that include standardized reporting features.
> Standardized reporting could also be included in other monitoring
> and detection software, like Intrusion Detection Systems or
> Antispam Solutions.
>
>
>
> Author: Frank Gadegast
> Company: PHADE Software - PowerWeb
> Contact: frank at powerweb.de
> Version: 0.1
> Date: 08.04.2010
>

From bradley.freeman at csirt.ja.net Fri Apr 9 12:44:45 2010
From: bradley.freeman at csirt.ja.net (Bradley Freeman)
Date: Fri, 9 Apr 2010 11:44:45 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091008.o39A8IUB007057@www.powerweb.de>
References: <201004091008.o39A8IUB007057@www.powerweb.de>
Message-ID: <002401cad7d1$abf09d50$03d1d7f0$@freeman@csirt.ja.net>

This thread is getting long so I have only commented on a few of your main points.

> Its only against members, that are ignoring that their attitude
> or business model causes real harm to others.

This proposal still will not help the abuse desks which are uncooperative which is the real problem.

> > If a RIPE member has an abuse contact and sets up abuse contact
> objects for every allocation, why do you need anything else?
>
> Like I outline already:
> - whois is complicated and unusefull for end users

And do you believe that this proposal will be used by end users who couldn't use whois?

> - IRT objects makes it even more complicated

I simply disagree, IRT objects simplify the whois and provide a clear contact email.
> - nobody is measuring the members so far
> - nobody has detailed data about how much abuse is really happening
> except really well-known blacklists like spamhaus

My network != your network, I don't see any point in measuring the abuse from ISPs in this manner. As James said previously larger networks will generate greater amounts of abuse, and ISPs with different business models will generate varying amounts of abuse, a high level of abuse from a network is not indicative that you are running a bad network. Additionally there is nothing that RIPE could do with this data it is simply a meaningless metric.

> It isnt that bad, if you will get reports, that are more standardized.

There is an IETF working group on Messaging Abuse Reporting Format, I am not involved in it and not aware of its status, this proposal would not achieve standardisation.

Cheers
Bradley

From ripe-anti-spam-wg at powerweb.de Fri Apr 9 12:57:01 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 09 Apr 2010 12:57:01 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To: <4BBEFA9A.5020308@ja.net>
References: <201004081827.o38IRiuA002097@www.powerweb.de> <4BBEFA9A.5020308@ja.net>
Message-ID: <4BBF07FD.6020103@powerweb.de>

James Davis wrote:

Hello,

>> It is likely, that you get a problem report just a few minutes
>> after one of your users started to send spam, because his PC
>> is infected.
>
> This already happens. Our contact details are published in a clear and
> unambiguous fashion, in all the places that you'd expect. Automated spam
> reporting schemes appear to have no problems contacting us. This is
> because as a network operator we have chosen to deal with these issues,
> not because we're told to.

Sorry but this is not true for all members.
Most newer or smaller ISPs are pretty puzzled, when they have their first real outbreak, and even ask us for advice and help to fix their holes and others do not subscribe lists, that could give them up-to-date warnings or get enough reports, if its only a smaller problem.

At least, this is our experience here with our own blacklist.

>> You can then look up the report (or even automate it), reset
>> his radius password and kick him out, waiting for him
>> to phone your support :o)
>
> Not all ISPs can operate like that. Every one of our customers would
> rather we offered them help and advice on how to deal with the problem
> rather than taking automated action. That is why we have a CSIRT/abuse
> team.

Good for you, impossible for big ISPs that have no real contact to their customers.
Cutting the line is a hard method, right, but for some ISPs the only methods to get attention immediately.

But again: its up for the member what to do with the reports ...

And Im not saying, that the system would fit everybody needs, but I definitely think that it would be better than the current state.

>> Lets say, you receive 100 reports in about 10 minutes for one
>> IP, where this IP had no report ever ?
>>
>> What is likely to happen ?
>> What would you do ?
>
> An incident would likely be opened in our ticketing system before that
> ten minutes were up, and someone would be on the phone to our customer
> shortly afterwards. We deal with every complaint of spam, even if it's
> just a single report, although the response is proportionate to the
> particular incident.
Great, you are part of a very small club ;o)

> Like I said, you'd have to think really carefully about how you'd
> measure what a "bad provider" was, or you risk not only wasting your
> efforts but making a lot of people angry.

Sure, so thats why limits have to be very high and these kind of limits are up for discussion on this list.
But making analysis like this public should not be the first step for the system at all, it might be a future option, if things are settled, everybody got used to the new system aso ...

> We get questions like this a lot from our customers - asking us how they
> rank abuse wise compared to other customers and honestly there isn't an
> easy way to measure this.

Ok, got it ...

> The proposal, whether I agree with it or not, needs a concrete answer
> for how you would measure a 'bad provider'.

I dont think so, because the first intention of the system is not how to define a "bad provider", it only talks about how RIPE staff could talk to those providers.

If I would implement limits, I would measure rates according to the size of the member allocations first and monitor these rates to see whats currently normal for a member. And if those rates are much higher than compared to others, I would ask the member to try to do something against that or to explain it, then slowly adjusting the allowed rates up or down again.
Finally, after a long period, I would tell all members, that its time to drop the rates, if they are rising over their allowed limit or not really dropping over a long period, THEN, and only then I would call them a "bad provider", because they are obviously not capable or willing to do anything ...

But thats a big step for the future.
The first step should be a backlink system, to ensure that reports are read and categorized (ok, "really bad provider" will probably program something around that backlink system to bypass it, I heard even about people that are bypassing captcha codes already with OCR-software).
>> Well, thats only work at RIPE NCC, its not that complicated to
>> automated bounces ...
>
> Say the abuse contact is abuse at foo.com and the billing contact is
> john.doe at foo.com, if the domain foo.com expires then no amount of e-mail
> is going to resolve the issue. Someone has to get on the phone and find

Clear, but a member without any working email contact ?
Is that really possible ?
How can you work with new allocations or changes to old one without any working email contact ?

> out what's happened. This happens fairly frequently here with only
> around a thousand customers.

Cant believe it.
Does the RIPEs system not check automatically if (e.g.) allocations messages bounce ?

>> Definitely right, but lets start with something ...
>
> Starting is good when you know what direction you're heading in. It's
> the other half of the question that people here are more interested in :)

Interesting point ...

Kind regards, Frank

>
> James
>
> - --
> James Davis +44 1235 822 229 PGP: 0xD1622876
> JANET CSIRT 0870 850 2340 (+44 1235 822 340)
> Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
>

--
Kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Fri Apr 9 12:59:58 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 10:59:58 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091008.o39A8IUB007057@www.powerweb.de>
References: <201004091008.o39A8IUB007057@www.powerweb.de>
Message-ID: <4F262BB0-5925-4792-A297-B53F0DFD4DBA@blacknight.ie>

On 9 Apr 2010, at 11:08, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>
> First a ...
>
> Hello (thats good tone in Germany),
>
>> Again - if you expect there to be ANY dialogue you need to drop that attitude
>>
>> It's offensive and totally unhelpful
>
> Well, like we say in Germany: people are only offended, if somebody
> gets them, thats they are doing something wrong.
>
> This is definitely not against you or any other member that takes care
> about abuse reports.
>
> Its only against members, that are ignoring that their attitude
> or business model causes real harm to others.
> I will keep THAT attitude.

As someone who has spent a lot of money and time combatting network abuse I find your attitude completely unhelpful

If you want to get "buy in" from as many RIPE members as possible you really need to learn to tone it down

>
>> I'm having difficulty understanding this.
>>
>> If a RIPE member has an abuse contact and sets up abuse contact objects for every allocation, why do you need anything else?
>
> Like I outline already:
> - whois is complicated and unusefull for end users
> - IRT objects makes it even more complicated
> - nobody is measuring the members so far

Why is measuring the data of any use to any one?

What data are you trying to measure?
> - nobody has detailed data about how much abuse is really happening
> except really well-known blacklists like spamhaus

Again - I fail to see how this is of any real use to anyone.

The only people who seem to benefit from lots of data are vendors trying to sell "solutions"

>
>>> But feel free to explain these "business models" to me ...
>>
>> Again - drop the attitude
>>
>> You have to understand that not every RIPE member offers the same services or has the same resources at their disposal etc.,
>
> Again, please give me an example, why any business model should ignore,
> that the business model is causing real harm to others.

You're not listening

Not all RIPE members offer connectivity in the same way nor do they have the same types of services.

You assume that my comment about business models infers that people would ignore an issue. This is not in the least bit helpful

What you need to understand is that not every single RIPE member is going to be doing the same thing and may not be aware of or need to be aware of certain things.

Lack of awareness does not equate with anything more than lack of awareness, however you seem to think that a bit of ignorance equates with culpability.

>
> An example please.
>
>>>>> "Bad providers" could be even published by RIPE :o)
>>>>
>>>>
>>>> Are you insane? RIPE cannot open itself up for that kind of liability
>>>
>>> Why not, blacklists are doing the same, whats the difference ?
>>
>> Ask a lawyer.
>
> More details please.

Seriously - if you cannot understand why RIPE (or anyone else) publishing a list of companies that are described as "bad" does not open it up to liability then you really need to talk to your legal team (if you have one)

Spamhaus et al get hit with legal threats on a regular basis.

As a sponsor of Spamhaus we've had people try to get us involved in the past ..

>
>>>>> Well, thats only work at RIPE NCC, its not that complicated to
>>>>> automated bounces ...
>>>>
>>>> So you say ..
>>>
>>> Yes, its quite easy.
>>
>> No it isn't.
>
> It is, we developed our own blacklist, and that wasnt that much work.

You obviously have a lot of technical staff. Not every RIPE member does nor needs to.

You need to understand that just because something is "easy" for you due to your particular setup does not mean that it is going to be as "easy" for everyone else

> A powerfull organisation with competent workers like RIPE would create
> that in really short time.
>
> Please give me arguments, why its soo complicated.
>
> Mailtools are wellknown, open source and available for nearly everything
> you might want to do with mail.
> It is easy, I was even already thinking about to use our own
> blacklist as testbed, we not all available abuse contacts anyway
> and to setup a general formatted email address is two lines
> in the mailserver config and to pump that in a script that
> forwards the mail after looking up the correct address is a
> ten-liner in perl.
>
> Im still thinking about this testbed, the only problem is:
> - our abuse addresses we have might not be as reliable
> than RIPE will have them and it would be really bad to accuse
> the wrong person or even expose details to the wrong
> person
>
> If I would get complete access to all personal objects at RIPE in
> a live process, a would think about the testbed again ...
>
> I could even sign whatever non-disclosure to ensure, that we
> are not doing anything wrong with this data.
>
>> Either:
>>
>> - learn how to discuss this with other RIPE members
>> or
>>
>> keep on with your stupid attitude and see how far it gets you
>
> Hm, Im not starting with words like "stupid", so please do not
> reglement my tone and cool down first.
>
> You seem to fight heavily against any idea arriving here.
> What are you so frightened about ?

If you present what could potentially be a positive thing in this manner it will not be accepted by people for a multitude of reasons, not least your tunneled view of the world.
>
>>>> You cannot speak for all providers / RIPE members.
>>>
>>> Thats one of the reasons for a centralized system located at RIPE.
>>> The system only needs to be implemented once, there will be nearly
>>> no costs on the members side (except that they have
>>> to deal with report, but they can still ignore them and except
>>> the costs that might be added to RIPEs fees, but that should not be that
>>> much.
>>
>> You do not know that.
>>
>> You have no way of knowing how much of a load would be placed on RIPE's systems
>
> Sure, but RIPE is using millions of EUR yearly to get everything going.
> You are an ISP yourself, make a guess, how much that costs
> if you do not have to make provit.
>
> I quick guess:
> - a redundant mailserver environment capable of what ? deliver 50 mio mails a day ?
> - a would say 100GB traffic/day and 25 highend server
> - thats about 3000 EUR traffic-costs a month
> - and about 50 thousand one time invest for the servers
>
> - plus the development, I would implement something like this with
> one month work, ok 5.000
> - plus hirering one person to take care about hardware and special cases, that
> 3.000/month

OK, but centralising anything like this has a lot of negative consequences that other list members have outlined.

>
> All together, lets say 6.000 per month plus the invest.
> And now devide this to all members with the usual scale
> (small pay less than big members), how much would that add
> to the normal yearly membership costs ?
> Could somebody could quickly compare that to the last yearly costs at RIPE ?
>
> You can save that if you only cut 30 peoples journeys to nice holiday locations
> for "meetings" that could be done via modern comunication techniques anyway
> per year.

Face to face meetings work better for a LOT of people.
>
>>>>> Well, the monitoring system could send always the same backlink
>>>>> for the same IP, so that the ISP could still count the amount
>>>>> of incoming reports for one IP automatically and then
>>>>> "answers" it as being closed with just clicking ONE link.
>>>>>
>>>>> Good idea ?
>>>>
>>>> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?
>>>
>>> Not MY VIEW, a standarized view.
>>
>> You're not a very good listener, are you?
>
> Might be because Im not english-speaking ... (like I noted when I was sending the draft).
>
> But, like I outlined above, a rework is not really neccessary.
> Currently members are receiving lots of different formatted reports
> to their abuse desk (if they have one) and have to read them all manually.
> It isnt that bad, if you will get reports, that are more standarized.
>
>>> Thats the goal.
>>>
>>> Lets see it this way: providers have to change their infrastructure
>>> regulary for a couple or reasons and always have done.
>>> Serverhousing changed pretty much during the last years.
>>> There was the change from ISDN to DSL dialin, there are new
>>> technologies for HTML, Flash and Mail every day.
>>>
>>> And do not forget IPv6, EVERY member has to change that in the new future.
>>>
>>>> I can't see that happening, because not all RIPE members are the same or work in the same way.
>>>
>>> Well they work on the same basics, what are allocations and other resources.
>>> Resources cause traffic, and every members uses resources like nameservices,
>>> webpages and email. And spam problem comes into play with the later.
>>>
>>> The difference isnt that big.
>>> Business models have nothing to do with how to deal with resources the got from RIPE.
>>
>> Yes it does
>>
>> If you think that you can live in a world where business models have zero impact on reality then you are deluded
>
> Example, please give an example ....

I don't need to

It's a simple fact.
The fact that I've raised it (more than once) is enough (we are a RIPE member among other things .. )

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ripe-anti-spam-wg at powerweb.de Fri Apr 9 12:23:20 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 09 Apr 2010 12:23:20 +0200
Subject: [anti-abuse-wg] the final question ...
In-Reply-To: <201004091119.26406.peter@hk.ipsec.se>
References: <201004081827.o38IRiuA002097@www.powerweb.de> <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie> <201004091119.26406.peter@hk.ipsec.se>
Message-ID: <4BBF0018.8040205@powerweb.de>

peter h wrote:

(please also read below)

Hello,

>> So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact??
> proportional to the number of spam. Are you suprised that lot's of spam
> generates lots of complaints ?

That's a point, so there should be methods implemented to detect
outbreaks, let's say something like: if more than 50 reports
are coming in for one IP during 10 minutes, store the reports and do
not notify the member anymore about it.

>>>
>>> You can then look up the report (or even automate it), reset
>>> his radius password and kick him out, waiting for him
>>> to phone your support :o)
>> Not everyone has the same business model
> Some does better the others. For those that has no means of
> blocking a bad behaving customer the would need to rethink their model.

Definitely right.
But at least the system would make it easier for everybody willing
to do something.

>>> Or you could redirect him to a webpage describing that there
>>> are too many reports coming in for his IP in a whatever time.
>>> Its all up you.
>>>
>>> My dream system looks like this:
>>> - abuse reports will get standarized
>> that would be helpful

A big yes. That's why I outlined it as a final goal in the draft.

>>> Well, thats actually what we are doing already with our own users.
>>> If we detect incoming spam with high scores a couple of times
>>> in a short time we kick the users offline automatically and redirect
>>> him next time he loggs in to a information page, where he finds
>>> our support numbers :o)
>>>
>>> Wroks simply great, and I would love to get closer to such a system
>>> together with ALL ISP
>>
>> And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way.
> Nope, some lazy ISP's will have to adjust their procedures.
> Allowed to use an ip-range is both a benefit and an obligation. Society at large does
> not work when rogue individuals mis-behaves and ignores "common rules-of-conduct".

Good comment.

>>> "Bad providers" could be even published by RIPE :o)
>>
>> Are you insane? RIPE cannot open itself up for that kind of liability
> Why ? If ranges are supplied with an explicit rules-of-use, the if
> the provider does not follow the (agreed rules) it's not RIPE's problem.
> The key here is to couple assignment of ranges to specific rules for use.

Another big YES !!!!!

That's really the point we should discuss here instead of
technical solution (which would help at least a bit, but
do not solve the problem all together).
So here the final question:
------------------------------------------------------------
Is the community willing to combine the assignment of ranges
with specific rules how to use them and how not to use them
and should the misuse of the applied resources have consequences ?
------------------------------------------------------------

If we get consensus about that, the problem will be solved
all together, because then it's only detailed work.

But: if we do not get consensus about that, we could stop
talking about abuse on this group and the spammer
will have won, also on this list ...

>>> Well, thats only work at RIPE NCC, its not that complicated to
>>> automated bounces ...
>> So you say ..
>>
>> You cannot speak for all providers / RIPE members.
>>
>> You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who?
> Why not take a fee per ip-address / year ? This is something i suggested to IETF ages ago,
> and it would have made allocations much more fair. Noone would like to pay
> for resources they don't need, and everyone would have a decent chance of getting
> addresses when they need.

Or the cost will be simply added to the normal member fee.
I like the idea that smaller members have to pay less.

Peter: many thanks for putting the problem of the abuse member back
into the foreground and for submitting ideas to solve
potential problems !

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From niall at blacknight.com Fri Apr 9 12:51:27 2010
From: niall at blacknight.com (Niall Donegan)
Date: Fri, 09 Apr 2010 11:51:27 +0100
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To: <201004081827.o38IRiuA002097@www.powerweb.de>
References: <201004081827.o38IRiuA002097@www.powerweb.de>
Message-ID: <4BBF06AF.5000100@blacknight.com>

Dipl-Inform. Frank Gadegast wrote:
> My dream system looks like this:
> - abuse reports will get standarized

There is already an effort under way to implement a standard abuse
report format:

http://www.ietf.org/id/draft-ietf-marf-base-02.txt

--
Niall Donegan ---------------- http://www.blacknight.com
Blacknight Internet Solutions Ltd,
Unit 12A, Barrowside Business Park,
Sleaty Road, Graiguecullen,
Carlow, Ireland
Company No.: 370845

From ripe-anti-spam-wg at powerweb.de Fri Apr 9 13:38:39 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 09 Apr 2010 13:38:39 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <002401cad7d1$abf09d50$03d1d7f0$@freeman@csirt.ja.net>
References: <201004091008.o39A8IUB007057@www.powerweb.de> <002401cad7d1$abf09d50$03d1d7f0$@freeman@csirt.ja.net>
Message-ID: <4BBF11BF.3020906@powerweb.de>

Bradley Freeman wrote:

Hello,

>> Its only against members, that are ignoring that there attitude
>> or business model causes real harm to others.
>
> This proposal still will not help the abuse desks which are uncooperative
> which is the real problem.

Yes, that's true, if you are willing to ignore reports, it will
help nothing.
But it will help to make uneducated members more aware
and to help others that are not really far in the process
of developing a real abuse team.

>>> If a RIPE member has an abuse contact and sets up abuse contact
>> objects for every allocation, why do you need anything else?
>>
>> Like I outline already:
>> - whois is complicated and unusefull for end users
>
> And do you believe that this proposal will be used by end users who couldn't
> use whois?

Yes, if this easy IP-scheme-email address will get public, there
will be a lot more people who act when they receive spam.
Our customers are asking us a lot where to report spam to ...
... and we have no easy answer to that.

>> - IRT objects makes it even more complicated
>
> I simply disagree, IRT objects simplify the whois and provide a clear
> contact email.

IRT objects will be additional and maybe even non-mandatory again.
It will end up having two things to check.
The remarks of a netrange object, maybe even the route object
and the IRT object. And that's send all different for a lot of RIRs.

If like the IRT object being a help, it would have to be
mandatory, and there we start again.

>> - nobody is meassuring the members so far
>> - nobody has detailed data about how much abuse is really happening
>> except really well-known blacklists like spamhaus
>
> My network != your network, I don't see any point in measuring the abuse
> from ISPs in this manner. As James said previously larger networks will
> generate greater amounts of abuse, and ISPs with different businesses models
> will generate varying amounts of abuse, a high level of abuse from a network
> is not indicative that you are running a bad network. Additionally there is
> nothing that RIPE could do with this data it is simply a meaningless metric.

Clear.
I clarified this in another mail today, as an example
how I think it could work ...

>
>> It isnt that bad, if you will get reports, that are more standarized.
>
> There is an IETF working group on Messaging Abuse Reporting Format, I am not
> involved in it and not aware of its status, this proposal would not achieve
> standardisation.

Somebody just posted a link, thanks for that !
Will include that in the next version of the draft,
including all valuable feedback I collected so far.

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From brian.nisbet at heanet.ie Fri Apr 9 13:41:39 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 09 Apr 2010 12:41:39 +0100
Subject: [anti-abuse-wg] the final question ...
In-Reply-To: <4BBF0018.8040205@powerweb.de>
References: <201004081827.o38IRiuA002097@www.powerweb.de> <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie> <201004091119.26406.peter@hk.ipsec.se> <4BBF0018.8040205@powerweb.de>
Message-ID: <4BBF1273.7020506@heanet.ie>

Frank,

"Frank Gadegast" wrote the following on 09/04/2010 11:23:

> So here the final question:
> ------------------------------------------------------------
> Is the community willing to combine the assignment of ranges
> with specific rules how to use them and how not to use them
> and should the misuse of the applied resources have consequences ?
> ------------------------------------------------------------
>
> If we get consensus about that, the problem will be solved
> all together, because than its only detailed work.
>
> But: if we not get consensus about that, we could stop
> talking about abuse on this group and the spammer
> will have won, also on this list ...

The community will never reach consensus on this, but this does not mean that those who wish to abuse the network will win.
The point here is that what you believe is abuse is not what others believe is abuse. For a start, you are still focusing almost entirely on spam (from everything you've indicated, but I'm happy to be told I'm wrong), whereas others consider UBE to be a symptom and annoyance now, rather than the real problem.

There are members in the RIPE service region who have incredibly different concepts of what constitutes network abuse, there are likely to be some intersections in most cases, but I think that the binary proposal of reach consensus or declare defeat is a very blinkered one.

I am, it should be pointed out, not adverse to attempting to build at least rough consensus on this, but I do not believe that it is an either/or situation. Nor do I believe that, if consensus is reached, everything else will just work.

There is work ongoing to look more closely at what the RIPE NCC can do in reaction to a properly judged case of network abuse, in compliance with proper legal requirements and procedures and hopefully we'll hear more about that soon, but the bald statement you have above is dangerous in a variety of ways and far too light on detail to be any sort of real question.

Brian.

From michele at blacknight.ie Fri Apr 9 13:46:22 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 11:46:22 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091129.o39BTLd7014136@www.powerweb.de>
References: <201004091129.o39BTLd7014136@www.powerweb.de>
Message-ID: <5D11D165-77B9-4904-9CBC-44B8E21815D9@blacknight.ie>

On 9 Apr 2010, at 12:29, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>>>
>>
>> As someone who has spent a lot of money and time combatting network abuse I find your attitude completely unhelpful
>
> Not at all, we are small, and have no stress with abuse reports for our customers,

Yes - you are small

Not all RIPE members are ..
> because they are trained and the servers are managed by us, hardened and monitored.
> We have abuse problem, but very little.
>
> The implementation of our blacklist took a month work for one person
> and is now protecting about 5000 email accounts.

So you have no real experience of dealing with large volumes of mail then.

> Small, but effective.
>
>>> Like I outline already:
>>> - whois is complicated and unusefull for end users
>>> - IRT objects makes it even more complicated
>>> - nobody is meassuring the members so far
>>
>> Why is measuring the data of any use to any one?
>
> This group is already talking to Government related organisations.
> If you like them to act, you need data.
>
>> What data are you trying to measure?
>
> Surely the amount of spam every member causes.

"causes" ?

Seriously you cannot state that a member "causes" anything.

>
>> The only people who seem to benefit from lots of data are vendors trying to sell "solutions"
>
> Why that ?
> RIPE will not have to buy any "solution".
> RIPE NCC has a own programmers team.
> They will have to buy servers and bandwidth, thats it.

Please actually read what I wrote

>
>> Not all RIPE members offer connectivity in the same way nor do they have the same types of services.
>
> Do you mean Universities or others with free access ?

Have a look at the full list of RIPE members and have a look at what each and every one of them is doing.

> Where a needed abuse team would cause additional costs ?
>
> Come on, if any non-provit organisation is not taking into account what they
> cause by ignoring the risks they cause, there is something wrong in the calulation
> anyway.

I never said anything about non-profits

>
>> You assume that my comment about business models infers that people would ignore an issue.
This is not in the least bit helpful
>
> Well, a lot are ignoring it, and even worse, a lot make profit with it

Again - accusing RIPE members of profiting from something that you consider to be criminal is NOT helpful

Please tone it down

> (if its only, that they charged the traffic and are happy about every
> spam that comes out of a spambotted PC).
>
>> What you need to understand is that not every single RIPE member is going to be doing the same thing and may not be aware of or need to be aware of certain things.
>
> Thats the basic problem, like I wrote an hour ago.
>
> Is the community willing to accept the fact, that there are members causing
> a lot of problems, that they harm others, that they create costs for others
> and even act against laws in other countries, just because they are
> not willing to take responsibility for the services they get from RIPE ?
>
> And is RIPE willing to do nothing against those members ?
>
>> Lack of awareness does not equate with anything more than lack of awareness, however you seem to think that a bit of ignorance equates with culpability.
>
> Missing awareness could be changed with education ...

Yes, but your concept of education would not be conducive to anyone actually wanting to learn ..

>
>
>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl.
+353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From michele at blacknight.ie Fri Apr 9 15:41:02 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 13:41:02 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091328.o39DS3WJ025151@www.powerweb.de>
References: <201004091328.o39DS3WJ025151@www.powerweb.de>
Message-ID: <5F074FFF-924E-4C00-A644-DB51CC12EB50@blacknight.ie>

Frank

Either you are doing this intentionally or accidentally, but you keep emailing me offlist

>
> Yes I do. And my experience is even, that things get more easy,
> when they get bigger.
> But its not my reputation that we should talk about.

You are trying to impose your views on everyone else, so it is therefore important to understand from what stance you are speaking

>
> If just that weird that a few members on the list are that heavily
> against anything that would change the current situation without
> really saying what disturbing them.

Your modus operandi

>
> If you have another perspective or other needs, simply name them.
> In details.

Read my last few emails

>
>>> Small, but effective.
>>>
>>>>> Like I outline already:
>>>>> - whois is complicated and unusefull for end users
>>>>> - IRT objects makes it even more complicated
>>>>> - nobody is meassuring the members so far
>>>>
>>>> Why is measuring the data of any use to any one?
>>>
>>> This group is already talking to Government related organisations.
>>> If you like them to act, you need data.
>>>
>>>> What data are you trying to measure?
>>>
>>> Surely the amount of spam every member causes.
>>
>> "causes" ?
>
> The amount of spam they cause ... thats running
> out of there networks ...
> or even how many real abuse reports
> they get or whatever else to indicate, who does care or
> what doesn't.
>
>> Seriously you cannot state that a member "causes" anything.
>
> Sure I can.

Ok, let me put it to you in very clear terms

If you ever get spam or other junk from our network and you state anywhere in public that we "caused it" I will sue you and I'm sure there are others who would too.

You need to learn that you cannot use certain terms without there being repercussions. If you state that AS39122 / Blacknight "caused" spam then that, as far as I am concerned, is both:

- false
- damaging to us

and enough of a reason for us to sue you.

Clear enough?

>
> There is a lot of members that actively host spammers.

Define "a lot"

Define "spammers"

> That make money on it.
> That make money with things that are illegal in other countries.

That's an inane comment.

Lots of things are illegal in lots of countries.

You cannot honestly expect an Irish ISP to impose a German law on its Irish customers, can you?

> That don't care about hacked servers or hacked dialin customers.
>
>>>> The only people who seem to benefit from lots of data are vendors trying to sell "solutions"
>>>
>>> Why that ?
>>> RIPE will not have to buy any "solution".
>>> RIPE NCC has a own programmers team.
>>> They will have to buy servers and bandwidth, that's it.
>>
>> Please actually read what I wrote
>
> Well, your comment was out of scope

Why?

Just because you are having difficulties understanding my reasoning does not render my comment "out of scope" and in any case, who are you to decide what is "in scope" and what isn't?

> , so you mean, that a system like
> I described will cut the revenue of vendors selling antispam or
> antivirus solutions ?
>
> Well, who cares ?
> Internet is free.

No it isn't

> And business is, when you can sell something.
>
> If there is no oil anymore tomorrow, well sell electric cars ...
>
>>>> Not all RIPE members offer connectivity in the same way nor do they have the same types of services.
>>>
>>> Do you mean Universities or others with free access ?
>>
>> Have a look at the full list of RIPE members and have a look at what each and every one of them is doing.
>
> Come on, I you that wise, please let me participate at your knowledge ...

You are the one proposing a well meaning, but very badly thought out concept.
You have not taken into consideration a lot of factors that you probably should.

>
>>> Where a needed abuse team would cause additional costs ?
>>>
>>> Come on, if any non-profit organisation is not taking into account what they
>>> cause by ignoring the risks they cause, there is something wrong in the calculation
>>> anyway.
>>
>> I never said anything about non-profits
>
> Yes, but it's the only organisation form I can think of, that will have a problem
> in developing an abuse team.

Then maybe you need to broaden your mind.

As I already suggested, have a closer look at the RIPE member list

>
>>>> You assume that my comment about business models infers that people would ignore an issue. This is not in the least bit helpful
>>>
>>> Well, a lot are ignoring it, and even worse, a lot make profit with it
>>
>> Again - accusing RIPE members of profiting from something that you consider to be criminal is NOT helpful
>
> Why not ?
> Naming things is always helpful.

Being sued isn't ..

>
> Do you think that RIPE is a cleaner region than others ?
> Look at the worst spammer at spamhaus, where are they located ?
> USA, Russia, Korea ... oops, Russia is the RIPE region.
>
>
> Kind regards, Frank
>
>>
>> Please tone it down
>>
>>
>>
>>> (if it's only, that they charged the traffic and are happy about every
>>> spam that comes out of a spambotted PC).
>>>
>>>> What you need to understand is that not every single RIPE member is going to be doing the same thing and may not be aware of or need to be aware of certain things.
>>> >>> Thats the basic problem, like I wrote an hour ago. >>> >>> Is the community willing to accept the fact, that there are members causing >>> a lot of problems, that they harm others, that they create costs for others >>> and even act against laws in other countries, just because they are >>> not willing to take responsibility for the services they get from RIPE ? >>> >>> And is RIPE willing to do nothing against those members ? >>> >>>> Lack of awareness does not equate with anything more than lack of awareness, however you seem to think that a bit of ignorance equates with culpability. >>> >>> Missing awareness could be changed with education ... >> >> >> Yes, but your concept of education would not be conducive to anyone actually wanting to learn .. >> >>> >>> >>> >>> Kind regards, Frank >>> -- >>> PHADE Software - PowerWeb http://www.powerweb.de >>> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de >>> Schinkelstrasse 17 fon: +49 33200 52920 >>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 >>> ====================================================================== >>> Public PGP Key available for frank at powerweb.de >>>> >>>> >>>>> >>>>> An example please. >>>>> >>>>>>>>> "Bad providers" could be even published by RIPE :o) >>>>>>>> >>>>>>>> >>>>>>>> Are you insane? RIPE cannot open itself up for that kind of liability >>>>>>> >>>>>>> Why not, blacklists are doing the same, whats the difference ? >>>>>> >>>>>> Ask a lawyer. >>>>> >>>>> More details please. >>>> >>>> Seriously - if you cannot understand why RIPE (or anyone else) publishing a list of companies that are described as "bad" does not open it up to liability then you really need to talk to your legal team (if you have one) >>>> >>>> Spamhaus et al get hit with legal threats on a regular basis. >>>> >>>> As a sponsor of Spamhaus we've had people try to get us involved in the past .. 
>>>> >>>>> >>>>>>>>> Well, thats only work at RIPE NCC, its not that complicated to >>>>>>>>> automated bounces ... >>>>>>>> >>>>>>>> So you say .. >>>>>>> >>>>>>> Yes, its quite easy. >>>>>> >>>>>> No it isn't. >>>>> >>>>> It is, we developed our own blacklist, and that wasnt that much work. >>>> >>>> You obviously have a lot of technical staff. Not every RIPE member does nor needs to. >>>> >>>> You need to understand that just because something is "easy" for you due to your particular setup does not mean that it is going to be as "easy" for everyone else >>>> >>>> >>>>> A powerfull organisation with competent workers like RIPE would create >>>>> that in really short time. >>>>> >>>>> Please give me arguments, why its soo complicated. >>>>> >>>>> Mailtools are wellknown, open source and available for nearly everything >>>>> you might want to do with mail. >>>>> It is easy, I was even already thinking about to use our own >>>>> blacklist as testbed, we not all available abuse contacts anyway >>>>> and to setup a general formatted email address is two lines >>>>> in the mailserver config and to pump that in a script that >>>>> forwards the mail after looking up the correct address is a >>>>> ten-liner in perl. >>>>> >>>>> Im still thinking about this testbed, the only problem is: >>>>> - our abuse addresses we have might not be as reliable >>>>> than RIPE will have them and it would be really bad to accuse >>>>> the wrong person or even expose details to the wrong >>>>> person >>>>> >>>>> If I would get complete access to all personal objects at RIPE in >>>>> a live process, a would think about the testbed again ... >>>>> >>>>> I could even sign whatever non-disclosure to ensure, that we >>>>> are not doing anything wrong with this data. 
>>>>> >>>>>> Either: >>>>>> >>>>>> - learn how to discuss this with other RIPE members >>>>>> or >>>>>> >>>>>> keep on with your stupid attitude and see how far it gets you >>>>> >>>>> Hm, Im not starting with words like "stupid", so please do not >>>>> reglement my tone and cool down first. >>>> >>>> >>>>> >>>>> You seem to fight heavily against any idea arriving here. >>>>> What are you so frightened about ? >>>> >>>> If you present what could be potentially be a positive thing in this manner it will not be accepted by people for a multitude of reasons, not least your tunneled view of the world. >>>> >>>> >>>> >>>>> >>>>>>>> You cannot speak for all providers / RIPE members. >>>>>>> >>>>>>> Thats one of the reasons for a centralized system located at RIPE. >>>>>>> The system only needs to be implemented once, there will be nearly >>>>>>> no costs on the members side (except that they have >>>>>>> to deal with report, but they can still ignore them and except >>>>>>> the costs that might be added to RIPEs fees, but that should not be that >>>>>>> much. >>>>>> >>>>>> You do not know that. >>>>>> >>>>>> You have no way of knowing how much of a load would be placed on RIPE's systems >>>>> >>>>> Sure, but RIPE is using millions of EUR yearly to get everything going. >>>>> You are an ISP yourself, make a guess, how much that costs >>>>> if you do not have to make provit. >>>>> >>>>> I quick guess: >>>>> - a redundant mailserver environment capable of what ? deliver 50 mio mails a day ? 
>>>>> - a would say 100GB traffic/day and 25 highend server >>>>> - thats about 3000 EUR traffic-costs a month >>>>> - and about 50 thousand one time invest for the servers >>>>> >>>>> - plus the development, I would implement something like this with >>>>> one month work, ok 5.000 >>>>> - plus hirering one person to take care about hardware and special cases, that >>>>> 3.000/month >>>> >>>> OK, but centralising anything like this has a lot of negative consequences that other list members have outlined. >>>> >>>>> >>>>> All together, lets say 6.000 per month plus the invest. >>>>> And now devide this to all members with the usual scale >>>>> (small pay less than big members), how much would that add >>>>> to the normal yearly membership costs ? >>>>> Could somebody could quickly compare that to the last yearly costs at RIPE ? >>>>> >>>>> You can save that if you only cut 30 peoples journeys to nice holiday locations >>>>> for "meetings" that could be done via modern comunication techniques anyway >>>>> per year. >>>> >>>> Face to face meetings work better for a LOT of people. >>>> >>>> >>>> >>>>> >>>>>>>>> Well, the monitoring system could send always the same backlink >>>>>>>>> for the same IP, so that the ISP could still count the amount >>>>>>>>> of incoming reports for one IP automatically and then >>>>>>>>> "answers" it as being closed with just clicking ONE link. >>>>>>>>> >>>>>>>>> Good idea ? >>>>>>>> >>>>>>>> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world? >>>>>>> >>>>>>> Not MY VIEW, a standarized view. >>>>>> >>>>>> You're not a very good listener, are you? >>>>> >>>>> Might be because Im not english-speaking ... (like I noted when I was sending the draft). >>>>> >>>>> But, like I outlined above, a rework is not really neccessary. >>>>> Currently members are receiving lots of different formatted reports >>>>> to their abuse desk (if they have one) and have to read them all manually. 
>>>>> It isnt that bad, if you will get reports, that are more standarized. >>>>> >>>>>>> Thats the goal. >>>>>>> >>>>>>> Lets see it this way: providers have to change their infrastructure >>>>>>> regulary for a couple or reasons and always have done. >>>>>>> Serverhousing changed pretty much during the last years. >>>>>>> There was the change from ISDN to DSL dialin, there are new >>>>>>> technologies for HTML, Flash and Mail every day. >>>>>>> >>>>>>> And do not forget IPv6, EVERY member has to change that in the new future. >>>>>>> >>>>>>>> I can't see that happening, because not all RIPE members are the same or work in the same way. >>>>>>> >>>>>>> Well they work on the same basics, what are allocations and other resources. >>>>>>> Resources cause traffic, and every members uses resources like nameservices, >>>>>>> webpages and email. And spam problem comes into play with the later. >>>>>>> >>>>>>> The difference isnt that big. >>>>>>> Business models have nothing to do with how to deal with resources the got from RIPE. >>>>>> >>>>>> Yes it does >>>>>> >>>>>> If you think that you can live in a world where business models have zero impact on reality then you are deluded >>>>> >>>>> Example, please give an example .... >>>> >>>> I don't need to >>>> >>>> It's a simple fact. >>>> >>>> The fact that I've raised it (more than once) is enough (we are a RIPE member among other things .. ) >>>> >>>> >>>> >>>> Mr Michele Neylon >>>> Blacknight Solutions >>>> Hosting & Colocation, Brand Protection >>>> ICANN Accredited Registrar >>>> http://www.blacknight.com/ >>>> http://blog.blacknight.com/ >>>> http://mneylon.tel >>>> Intl. 
+353 (0) 59 9183072
>>>> US: 213-233-1612
>>>> UK: 0844 484 9361
>>>> Locall: 1850 929 929
>>>> Direct Dial: +353 (0)59 9183090
>>>> Twitter: http://twitter.com/mneylon
>>>> -------------------------------
>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>>>
>>>>
>>>
>>
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> ICANN Accredited Registrar
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://mneylon.tel
>> Intl. +353 (0) 59 9183072
>> US: 213-233-1612
>> UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Twitter: http://twitter.com/mneylon
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>
>>
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From jrace at attglobal.net Fri Apr 9 16:09:43 2010
From: jrace at attglobal.net (Jeffrey Race)
Date: Fri, 09 Apr 2010 10:09:43 -0400
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
In-Reply-To: <15B312A8-900A-4E76-A455-98878F2F029A@blacknight.ie>
Message-ID: <20100409141502.CA6C76A0B6@postboy.ripe.net>

On Fri, 9 Apr 2010 08:38:36 +0000, Michele Neylon :: Blacknight wrote:
>> "Bad providers" could be even published by RIPE :o)
>
>Are you insane?
>RIPE cannot open itself up for that kind of liability

One can publish the truthfully measured metrics without liability

From neitzel at gaertner.de Fri Apr 9 16:23:08 2010
From: neitzel at gaertner.de (Martin Neitzel)
Date: Fri, 09 Apr 2010 16:23:08 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <201004081757.o38HvPHh032487@www.powerweb.de>
References: <201004081757.o38HvPHh032487@www.powerweb.de>
Message-ID: <4bbf384c.OktgSnPTksXiuqzB%neitzel@gaertner.de>

frank at powerweb.de wrote:
> No, because the system generates email addresses [1.2.3.4 at abuse.ripe.net]
> only related to the IP address that causes the abuse.

No, it doesn't. The mail will go to wherever some human or robot *assumes* the spam cause to be. Never seen a complaint which was mis-directed to because some bozo fell prey to faked headers?

If I understood your draft section 5 correctly, you think that there are actually people who consider researching "whois" records too complicated but, at the same time, are able to do a decent analysis of email headers? I've never met members of this species. And I'd be afraid if I were *forced* (by RIPE) to read and respond to their spam reports.

Your policy draft is extremely weak on the only policy point it contains:

    Section 5 "Advantages":
    [...]
    RIPE NCC can ensure that all allocations have a working abuse address.
    [...]

Like, how? As someone else has already pointed out: redirecting all reports to /dev/null would make your control system happy -- no bounces.

It all gets back to human checks: Internet user U complains (at the RIPE) about LIR L, saying something like "unresponsive LIR, retract its allocation containing 62.67.229.200". Your proposal would have to state the further course of action (i.e., "the policy"). In particular, please be clear on legal issues.

When U complains about "the contact for 62.67.229.200", the RIPE NCC should do what?
Snail-mail two warnings, then "pull the plug" for 62.67.228.0/20 (or would it be the 62.67.0.0/16, because of "remarks: all abuse reports to abuse at level3.com")?

The very next day, the three distinct end users of, say, 62.67.1.1, 62.67.231.254, and 62.67.255.254, respectively, get a bit upset that their businesses have RPSLy fallen off the Internet. Ooops. A merry round of "A sues B" follows. Anybody in this game who you think should be indemnified at this point? The RIPE NCC for example? How?

Shifting the focus away from "forced policies" towards "useful tools":

Any well-intentioned LIR/ISP will happily use whatever tools it can get its hands on to be aware of any abuse of its network. It appears to me that simply monitoring your network ranges on various DNSBLs is achieving pretty much the same benefits (for the ISP/LIR) as your proposal does, without inflicting any work on the RIPE NCC to forward spam complaints and to collect statistics. You're kinda reinventing wheels many folks already use.

You do seem to have a valid point about educating new LIRs/ISPs.

Martin

From michele at blacknight.ie Fri Apr 9 16:29:09 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 14:29:09 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091419.o39EJdul029608@www.powerweb.de>
References: <201004091419.o39EJdul029608@www.powerweb.de>
Message-ID:

On 9 Apr 2010, at 15:19, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
>>
>> Frank
>
> "Hello",
>
>> Either you are doing this intentionally or accidentally, but you keep emailing me offlist
>
> Intentionally, because this discussion has not much valuable feedback
> to the draft, it's like a discussion of personal opinions ...

That is your opinion and I disagree

If you're going to insist on emailing me offlist change the subject line

>
>>> Yes I do. And my experience is even, that things get more easy,
>>> when they get bigger.
>>> But it's not my reputation that we should talk about.
>>
>> You are trying to impose your views on everyone else, so it is therefore important to understand from what stance you are speaking
>
> Obvious, everybody can only speak for things he believes in, he knows
> about or he cares about.
>
> I care about reducing the spam load bothering me and my customers
> and hackers misusing unattended servers to attack us and my customers.

Ok, but you need to understand that not all companies will care as much about this as you do. You need to understand that not caring as much as you does not mean that they do not care

>
>>> If you have another perspective or other needs, simply name them.
>>> In details.
>>
>> Read my last few emails
>
> No details yet, nothing with any kind of substance neither an example.
> You will have to make things clear, if you want that others are
> understanding your point of view.

There was plenty of substance. That you failed to either understand it or chose to ignore it is another matter entirely

>
>>> Sure I can.
>>
>>
>> Ok, let me put it to you in very clear terms
>
> Woah, I'm already looking forward to this ...
>
>> If you ever get spam or other junk from our network and you state anywhere in public that we "caused it" I will sue you and I'm sure there are others who would too.
>
> That's a point.
>
> And it's difficult.
> In Germany there is a term called "Mittaeter", let's try to explain this.
>
> If you have knowledge about a crime and you can easily do something against
> it, you will be sued too, if you do nothing.
> In fact, if you are doing nothing, you are partly a "cause" of the crime.
>
> So calling you a cause of a crime would not be sued in Germany

I'm not in Germany.

> , if
> you could have prevented it.
> Your reputation will be ruined already ...

There you go again. ..
You're not actually listening

>
> An example:
> there is an old granny trying to walk over red lights and you are standing
> near to her, you are not saying anything, you don't wave your
> hands to warn the coming car driver and you don't run to the granny
> to hold her back, you are not even trying to do anything and
> ignore the situation against better knowledge.
>
> The granny is going over red lights, gets run over by the car and dies.
> Somebody else is watching this from the far and the police gets you.
> You will end up in prison for that in Germany.
>
> And there will be no harm to the one more far away if he calls you
> one (one or a !) cause of granny's death ...
>
> That's how different things are in different countries.
>
> So if I would call you "a" cause of the problem, if you leave
> your servers like they are and you know that they are hacked and misused,
> there will be nothing happening to me in Germany.

But we're not in Germany.

And spam is an international problem AND RIPE is not dealing with Germany ONLY

>
>> You need to learn that you cannot use certain terms without there being repercussions. If you state that AS39122 / Blacknight "caused" spam then that, as far as I am concerned, is both:
>>
>> - false
>> - damaging to us
>>
>> and enough of a reason for us to sue you.
>>
>> Clear enough?
>
> Yes, but not true in Germany.

Maybe you need to talk to the German RIPE members only then?

>
> I could call you that even, if you have enough knowledge and manpower to prevent
> spam and hacks coming from your networks even without being informed
> through third parties and still are doing nothing (where I personally
> think, the knowledge should be part of it).
>
> Let's say, one of your servers is hacked and the hacking of one of
> our servers started from your IP.
> I could sue against "unknown" AND you as being a "Mittaeter", because
> you could have monitored your server better (as a big and experienced
> ISP you should have the possibility to monitor your traffic and servers
> easily).
>
> Surely only if your company is located in Germany.
>
>
> That's why I can call everybody that could do something against
> spam and hacks easily "a" cause of the problem, if he doesn't
> do anything after he gets informed.
> And that's why it is that important to have the possibility to inform
> every RIPE member from a German view.
> If they have knowledge, it is even more easy to sue them, if they
> didn't do anything.
>
> And that's why all bigger German ISPs have a working abuse department.
> They would be sued too often, if they would totally ignore the reality.
> Sure there is spam also coming from German networks, but it's dropping
> and more and more ISPs implement useful systems to prevent abuse.
> And according to the amount of Germans actively using the Internet
> and the amount of servers hosted in Germany, I personally think,
> that the rate isn't that bad.
>
> The only problem here is still, that you have to sue them
> for every single incident and not in a more general way,
> and that you have to prove how much you lost, because
> of the incident, but the latter is possible in most cases.
>
>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>
>>
>>
>>>
>>> There is a lot of members that actively host spammers.
>>
>> Define "a lot"
>>
>> Define "spammers"
>>
>>> That make money on it.
>>> That make money with things that are illegal in other countries.
>>
>> That's an inane comment.
>> >> Lots of things are illegal in lots of countries. >> >> You cannot honestly expect an Irish ISP to impose a German law on its Irish customers, can you? >> >> >>> That dont care about hacked servers or hacked dialin customers. >>> >>>>>> The only people who seem to benefit from lots of data are vendors trying to sell "solutions" >>>>> >>>>> Why that ? >>>>> RIPE will not have to buy any "solution". >>>>> RIPE NCC has a own programmers team. >>>>> They will have to buy servers and bandwidth, thats it. >>>> >>>> Please actually read what I wrote >>> >>> Well, your comment was out of scope >> >> Why? >> >> Just because you are having difficulties understanding my reasoning does not render my comment "out of scope" and in any case, who are you to decide what is "in scope" and what isn't? >> >> >> >>> , so you mean, that a system like >>> I described will cut the revenue of vendors selling antispam or >>> antivirus solutions ? >>> >>> Well, who cares ? >>> Internet is free. >> >> No it isn't >> >> >>> And business is, when you can sell something. >>> >>> If there is no oil anymore tomorrow, well sell electric cars ... >>> >>>>>> Not all RIPE members offer connectivity in the same way nor do they have the same types of services. >>>>> >>>>> Do you mean Universities or others with free access ? >>>> >>>> Have a look at the full list of RIPE members and have a look at what each and every one of them is doing. >>> >>> Come on, I you that wise, please let me participate at your knowledge ... >> >> You are the one proposing a well meaning, but very badly thought out concept. >> You have not taken into consideration a lot of factors that you probably should. >> >> >> >>> >>>>> Where a needed abuse team would cause additional costs ? >>>>> >>>>> Come on, if any non-provit organisation is not taking into account what they >>>>> cause by ignoring the risks they cause, there is something wrong in the calulation >>>>> anyway. 
>>>> >>>> I never said anything about non-profits >>> >>> Yes, buts the only organisation form I can think of, that will have a problem >>> in developing an abuse team. >> >> >> Then maybe you need to broaden your mind. >> >> As I already suggested, have a closer look at the RIPE member list >> >> >>> >>>>>> You assume that my comment about business models infers that people would ignore an issue. This is not in the least bit helpful >>>>> >>>>> Well, a lot are ignoring it, and even worse, a lot make profit with it >>>> >>>> Again - accusing RIPE members of profiting from something that you consider to be criminal is NOT helpful >>> >>> Why not ? >>> Naming things is always helpfull. >> >> Being sued isn't .. >> >>> >>> Do you think that RIPE is a cleaner region than others ? >>> Look at the worsed spammer at spamhaus, where are they located ? >>> USA, Russia, Korea ... oops, Russia is the RIPE region. >>> >>> >>> Kind regards, Frank >>> >>>> >>>> Please tone it down >>>> >>>> >>>> >>>>> (if its only, that they charged the traffic and are happy about every >>>>> spam that comes out of a spambotted PC). >>>>> >>>>>> What you need to understand is that not every single RIPE member is going to be doing the same thing and may not be aware of or need to be aware of certain things. >>>>> >>>>> Thats the basic problem, like I wrote an hour ago. >>>>> >>>>> Is the community willing to accept the fact, that there are members causing >>>>> a lot of problems, that they harm others, that they create costs for others >>>>> and even act against laws in other countries, just because they are >>>>> not willing to take responsibility for the services they get from RIPE ? >>>>> >>>>> And is RIPE willing to do nothing against those members ? >>>>> >>>>>> Lack of awareness does not equate with anything more than lack of awareness, however you seem to think that a bit of ignorance equates with culpability. >>>>> >>>>> Missing awareness could be changed with education ... 
>>>> >>>> >>>> Yes, but your concept of education would not be conducive to anyone actually wanting to learn .. >>>> >>>>> >>>>> >>>>> >>>>> Kind regards, Frank >>>>> -- >>>>> PHADE Software - PowerWeb http://www.powerweb.de >>>>> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de >>>>> Schinkelstrasse 17 fon: +49 33200 52920 >>>>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 >>>>> ====================================================================== >>>>> Public PGP Key available for frank at powerweb.de >>>>>> >>>>>> >>>>>>> >>>>>>> An example please. >>>>>>> >>>>>>>>>>> "Bad providers" could be even published by RIPE :o) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Are you insane? RIPE cannot open itself up for that kind of liability >>>>>>>>> >>>>>>>>> Why not, blacklists are doing the same, whats the difference ? >>>>>>>> >>>>>>>> Ask a lawyer. >>>>>>> >>>>>>> More details please. >>>>>> >>>>>> Seriously - if you cannot understand why RIPE (or anyone else) publishing a list of companies that are described as "bad" does not open it up to liability then you really need to talk to your legal team (if you have one) >>>>>> >>>>>> Spamhaus et al get hit with legal threats on a regular basis. >>>>>> >>>>>> As a sponsor of Spamhaus we've had people try to get us involved in the past .. >>>>>> >>>>>>> >>>>>>>>>>> Well, thats only work at RIPE NCC, its not that complicated to >>>>>>>>>>> automated bounces ... >>>>>>>>>> >>>>>>>>>> So you say .. >>>>>>>>> >>>>>>>>> Yes, its quite easy. >>>>>>>> >>>>>>>> No it isn't. >>>>>>> >>>>>>> It is, we developed our own blacklist, and that wasnt that much work. >>>>>> >>>>>> You obviously have a lot of technical staff. Not every RIPE member does nor needs to. 
>>>>>> >>>>>> You need to understand that just because something is "easy" for you due to your particular setup does not mean that it is going to be as "easy" for everyone else >>>>>> >>>>>> >>>>>>> A powerfull organisation with competent workers like RIPE would create >>>>>>> that in really short time. >>>>>>> >>>>>>> Please give me arguments, why its soo complicated. >>>>>>> >>>>>>> Mailtools are wellknown, open source and available for nearly everything >>>>>>> you might want to do with mail. >>>>>>> It is easy, I was even already thinking about to use our own >>>>>>> blacklist as testbed, we not all available abuse contacts anyway >>>>>>> and to setup a general formatted email address is two lines >>>>>>> in the mailserver config and to pump that in a script that >>>>>>> forwards the mail after looking up the correct address is a >>>>>>> ten-liner in perl. >>>>>>> >>>>>>> Im still thinking about this testbed, the only problem is: >>>>>>> - our abuse addresses we have might not be as reliable >>>>>>> than RIPE will have them and it would be really bad to accuse >>>>>>> the wrong person or even expose details to the wrong >>>>>>> person >>>>>>> >>>>>>> If I would get complete access to all personal objects at RIPE in >>>>>>> a live process, a would think about the testbed again ... >>>>>>> >>>>>>> I could even sign whatever non-disclosure to ensure, that we >>>>>>> are not doing anything wrong with this data. >>>>>>> >>>>>>>> Either: >>>>>>>> >>>>>>>> - learn how to discuss this with other RIPE members >>>>>>>> or >>>>>>>> >>>>>>>> keep on with your stupid attitude and see how far it gets you >>>>>>> >>>>>>> Hm, Im not starting with words like "stupid", so please do not >>>>>>> reglement my tone and cool down first. >>>>>> >>>>>> >>>>>>> >>>>>>> You seem to fight heavily against any idea arriving here. >>>>>>> What are you so frightened about ? 
>>>>>> >>>>>> If you present what could be potentially be a positive thing in this manner it will not be accepted by people for a multitude of reasons, not least your tunneled view of the world. >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>>>>> You cannot speak for all providers / RIPE members. >>>>>>>>> >>>>>>>>> Thats one of the reasons for a centralized system located at RIPE. >>>>>>>>> The system only needs to be implemented once, there will be nearly >>>>>>>>> no costs on the members side (except that they have >>>>>>>>> to deal with report, but they can still ignore them and except >>>>>>>>> the costs that might be added to RIPEs fees, but that should not be that >>>>>>>>> much. >>>>>>>> >>>>>>>> You do not know that. >>>>>>>> >>>>>>>> You have no way of knowing how much of a load would be placed on RIPE's systems >>>>>>> >>>>>>> Sure, but RIPE is using millions of EUR yearly to get everything going. >>>>>>> You are an ISP yourself, make a guess, how much that costs >>>>>>> if you do not have to make provit. >>>>>>> >>>>>>> I quick guess: >>>>>>> - a redundant mailserver environment capable of what ? deliver 50 mio mails a day ? >>>>>>> - a would say 100GB traffic/day and 25 highend server >>>>>>> - thats about 3000 EUR traffic-costs a month >>>>>>> - and about 50 thousand one time invest for the servers >>>>>>> >>>>>>> - plus the development, I would implement something like this with >>>>>>> one month work, ok 5.000 >>>>>>> - plus hirering one person to take care about hardware and special cases, that >>>>>>> 3.000/month >>>>>> >>>>>> OK, but centralising anything like this has a lot of negative consequences that other list members have outlined. >>>>>> >>>>>>> >>>>>>> All together, lets say 6.000 per month plus the invest. >>>>>>> And now devide this to all members with the usual scale >>>>>>> (small pay less than big members), how much would that add >>>>>>> to the normal yearly membership costs ? 
>>>>>>> Could somebody quickly compare that to the last yearly costs at RIPE ?
>>>>>>>
>>>>>>> You can save that if you only cut 30 peoples journeys to nice holiday locations
>>>>>>> for "meetings" that could be done via modern communication techniques anyway
>>>>>>> per year.
>>>>>>
>>>>>> Face to face meetings work better for a LOT of people.
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>>>>> Well, the monitoring system could send always the same backlink
>>>>>>>>>>> for the same IP, so that the ISP could still count the amount
>>>>>>>>>>> of incoming reports for one IP automatically and then
>>>>>>>>>>> "answers" it as being closed with just clicking ONE link.
>>>>>>>>>>>
>>>>>>>>>>> Good idea ?
>>>>>>>>>>
>>>>>>>>>> So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?
>>>>>>>>>
>>>>>>>>> Not MY VIEW, a standardized view.
>>>>>>>>
>>>>>>>> You're not a very good listener, are you?
>>>>>>>
>>>>>>> Might be because I'm not english-speaking ... (like I noted when I was sending the draft).
>>>>>>>
>>>>>>> But, like I outlined above, a rework is not really necessary.
>>>>>>> Currently members are receiving lots of different formatted reports
>>>>>>> to their abuse desk (if they have one) and have to read them all manually.
>>>>>>> It isn't that bad, if you will get reports, that are more standardized.
>>>>>>>
>>>>>>>>> That's the goal.
>>>>>>>>>
>>>>>>>>> Lets see it this way: providers have to change their infrastructure
>>>>>>>>> regularly for a couple of reasons and always have done.
>>>>>>>>> Serverhousing changed pretty much during the last years.
>>>>>>>>> There was the change from ISDN to DSL dialin, there are new
>>>>>>>>> technologies for HTML, Flash and Mail every day.
>>>>>>>>>
>>>>>>>>> And do not forget IPv6, EVERY member has to change that in the new future.
>>>>>>>>>
>>>>>>>>>> I can't see that happening, because not all RIPE members are the same or work in the same way.
>>>>>>>>>
>>>>>>>>> Well they work on the same basics, what are allocations and other resources.
>>>>>>>>> Resources cause traffic, and every members uses resources like nameservices,
>>>>>>>>> webpages and email. And spam problem comes into play with the later.
>>>>>>>>>
>>>>>>>>> The difference isn't that big.
>>>>>>>>> Business models have nothing to do with how to deal with resources the got from RIPE.
>>>>>>>>
>>>>>>>> Yes it does
>>>>>>>>
>>>>>>>> If you think that you can live in a world where business models have zero impact on reality then you are deluded
>>>>>>>
>>>>>>> Example, please give an example ....
>>>>>>
>>>>>> I don't need to
>>>>>>
>>>>>> It's a simple fact.
>>>>>>
>>>>>> The fact that I've raised it (more than once) is enough (we are a RIPE member among other things .. )
>>>>>>
>>>>>>
>>>>>>
>>>>>> Mr Michele Neylon
>>>>>> Blacknight Solutions
>>>>>> Hosting & Colocation, Brand Protection
>>>>>> ICANN Accredited Registrar
>>>>>> http://www.blacknight.com/
>>>>>> http://blog.blacknight.com/
>>>>>> http://mneylon.tel
>>>>>> Intl. +353 (0) 59 9183072
>>>>>> US: 213-233-1612
>>>>>> UK: 0844 484 9361
>>>>>> Locall: 1850 929 929
>>>>>> Direct Dial: +353 (0)59 9183090
>>>>>> Twitter: http://twitter.com/mneylon
>>>>>> -------------------------------
>>>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>>>>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From phade at www.powerweb.de Fri Apr 9 16:38:35 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Fri, 9 Apr 2010 16:38:35 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <4bbf384c.OktgSnPTksXiuqzB%neitzel@gaertner.de>
Message-ID: <201004091438.o39EcZ3p031469@www.powerweb.de>

Hello,

> frank at powerweb.de wrote:
> > No, because the system generates email addresses [1.2.3.4 at abuse.ripe.net]
> > only related to the IP address that causes the abuse.
>
> No, it doesn't. The mail will go to wherever some human or robot
> *assumes* the spam cause to be. Never seen a complaint which was
> mis-directed to because some bozo fell prey to faked headers?

Sure, that's what the backlink idea is for. So the member is free to categorize the report himself (where it would be detectable, if one member simply sets all his reports always to "false report, started not from our network" without any more details".

> If I understood your draft section 5 correctly, you think that there are
> actually people who consider researching "whois" records too complicated

Sure, no normal mail user in Germany I know about knows what RIPE is or whois, they even do not know what a domain whois and e.g. the DENIC is, even if they have a own domainname. And that normal end user is not different in other countries ...

> but, at the same time, are able to do a decent analysis of email headers?

Point for you.

> I've never met members of this species. And I'd be afraid if I were

Hm, maybe the system should be enhanced to that the system tracks the source doing it self, complicated but possible, like spamhaus or spamcop are doing it ... But then we have a real clearing system that has to be reliable (instead of just forwarding spam). In the end, this is the really first point against a system I described. Anybody ideas to solve that ? Otherwise the system will only good for professional and they know what whois is (even its still more complicated and non-mandatory information is still missing).

> *forced* (by RIPE) to read and respond to their spam reports.
>
> Your policy draft is extremely weak on the only policy point it contains:
>
> Section 5 "Advantages":
> [...]
> RIPE NCC can ensure that all allocations have a working
> abuse address.
> [...]
>
> Like, how? As someone else has already pointed out: redirecting all
> reports to /dev/null would make your control system happy -- no bounces.

Well, not that bad in the first step.
They work, ok, they are not read, but they exist and work. These days we have thousand of abuse addresses that do not work, intentionally or not. It would be helpful to find those, that should work, but don't and warn the ISP about it on time ...

> It all gets back to human checks: Internet user U complaints (at the
> RIPE) about LIR L, saying something like "unresponsive LIR, restract
> its allocation containing 62.67.229.200". Your proposal would have to

Funny IP :o)

> state the further course of action (i.e., "the policy"). In particular,
> please be clear on legal issues. When U complains about "the contact for
> 62.67.229.200", the RIPE NCC should do what? Snail-mail two warnings,
> then "pull the plug" for 62.67.228.0/20 (or would it be the 62.67.0.0/16,
> because of "remarks: all abuse reports to abuse at level3.com")? The very
> next day, the three distinct end users of, say, 62.67.1.1, 62.67.231.254,
> and 62.67.255.254, respectively, get a bit upset that their businesses
> have RPSLy fallen off the Internet. Ooops. A merry round of "A sues
> B" follows. Anybody in this game who you think should be indemnified at
> this point? The RIPE NCC for example? How?

Hm, you're a bit too quick here ... but I get the point.

> Shifting the focus away from "forced policies" towards "useful tools":
>
> Any well-intentioned LIR/ISP will happily use whatever tools it can
> get its hands to be aware of any abuse of its network. It appears
> to me that simply monitoring your network ranges on various DNSBLs
> is achieving pretty much the same benefits (for the ISP/LIR) as your

But there are that many ...

> proposal does, without inflicting any work on the RIPE NCC to forward
> spam complaints and to collect statistics. You're kinda reinventing
> wheels many folks already use.

Yes, but I started a discussion of really important points I think (where this list was kind of sleeping for a while).
My main question from today is still not answered (by nobody so far):

If the community willing to accept, that RIPE members cause
harm to other members without any consequences simply because they
are lazy, uneducated, ignorant or without resources to prevent problem
or maybe even because they profit or intended the problem ?

Does "free internet" means that we have to live with that ?

> You do seem to have a valid point about educating new LIRs/ISPs.

Well then ...

Kind regards, Frank
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany               fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Martin
>

From michele at blacknight.ie Fri Apr 9 17:18:09 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri, 9 Apr 2010 15:18:09 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system
In-Reply-To: <201004091438.o39EcZ3p031469@www.powerweb.de>
References: <201004091438.o39EcZ3p031469@www.powerweb.de>
Message-ID:

On 9 Apr 2010, at 15:38, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>
> But there are that many ...

There are only a handful that really matter and anyone who actually cares is probably monitoring them

Combine that with the "feedback" loops from AOL / MSN etc., and you've covered pretty much anything of any real importance

>
>
> If the community willing to accept, that RIPE members cause
> harm to other members without any consequences simply because they
> are lazy, uneducated, ignorant or without resources to prevent problem
> or maybe even because they profit or intended the problem ?

That isn't a question that can be answered with a simple yes / no

It's a grey area

For example, if you were to report an issue to us which involved our main mail cluster it would probably be dealt with within a few minutes to a couple of hours (depending on what it was)

However, if you were reporting an issue involving an IP or range of IPs that are used by a client of ours with dedicated / colo or even IP transit then it may take a lot longer for the issue to be fully resolved.

Does that mean that we are not acting responsibly in your view? Or do you understand that we cannot simply unplug a chunk of our network that quickly?

Is the delay causing "harm" ? Probably. Is that "harm" a huge problem? That depends on what the "harm" is.

Network abuse comes in many shapes and forms. Email abuse could be a simple commercial email that you did not want to get OR it could be a much more serious problem such as a phishing email

>
> Does "free internet" means that we have to live with that ?

What do you mean by "free"? free as in freedom? or Free as in cost?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From phade at www.powerweb.de Fri Apr 9 21:43:11 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Fri, 9 Apr 2010 21:43:11 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To:
Message-ID: <201004091943.o39JhBAb024493@www.powerweb.de>

Hello Leo,

> > The benefit is clear:
> > - it will give RIPE NCC the chance to separate good from
> >   "spam-friendly" members, prepare impressive statistics
> >   for further discussions (e.g. with Governments) and much more
> > - it will simplify the process of reporting spam
> >   and reacting to spam reports for everybody, querying
> >   whois is still too complicated and unknown to the normal
> >   end user and hard to automate for blacklists or other
> >   services, because there are about 20 different whois
> >   output formats worldwide (inserting an abuse-address into
> >   an IRT object will even make it more complicated)
> > - having an easy and unique address to report to, is another
> >   step in standardizing the report format, what would make
> >   it much more easy for members that are willing to deal
> >   with abuse reports
>
> You didn't answer the question, though. Why would your proposal make ISPs want to deal with abuse reports when they are not doing so already?

I did answer this a couple of times now, but ok, again.

The first version will not work against members, that are not willing to do something against abuse that is coming from their networks.

Working against them will need some kind of "punishment", and sure there is more to talk about first with this.
But at least there will be some kind of identification, which one needs to be educated or even "punished" with this kind of system. The consequences are still for further discussion.

> As to the claim that whois is too complicated to normal end users, I would contend that normal end users should not have to try and work out where abuse actually originates from. That is something that service providers should be doing. As someone who receives abuse reports for most of the special use IPv4 addresses reserved in various RFCs I can assure you that end users have a very hard time reading mail headers or understanding the warning messages provided by their firewall software.

whois is even too complicated for normal people even for ISPs or blacklist owners like we are. Or even for super-professionals.

- abuse-records are mostly hidden in remark-field because the abuse-field
  isn't used very often, because it's non-mandatory (yet).
- whois is showing IP ranges and ranges are often quite small, what means
  that you have to look up each range, better each IP separately
- whois has only a connection to the owner of the range and not to the
  member, unless you do even more queries
- queries to personal objects are limited, what makes automated systems
  impossible, if they are not starting to cache queries or read old
  database dumps or have the special right to receive as many infos
  as they need
- caching query results are causing delays, what means that the abuse contacts
  can't be correct all the time, because they could have changed already
- if the IRT object is introduced including abuse records, you will have
  to look up the normal whois AND the IRT object, and what result will
  you prefer, if both is available ?

and if you see it world-wide:
- the formatting of the world wide whois systems is not equal and sometimes
  even hard to parse, even if they nearly have the same fields
- IPv4 ranges are widely spread between all RIRs, you will need to look
  up arins whois first, to find out, where the range actually belongs to,
  and then ask that RIR
- don't forget the early registration blocks spread all over the world
- arins whois requires up to three queries to finally get the abuse contact
  hidden in several possible objects, multi-range listings with more than one
  correct answer. What field will you really look for in arins whois ?
  OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
- apnics whois is now spread along several other referral whois in different countries
  and there is not clear and often changing relocation or change in the size
  of the assigned blocks for those sub-RIRs
- lacnic also spreads, brasil has its own whois
- lacnic always includes the mains RIRs abuse contacts, relevant ? yes, no, both ?
- the objects changed-date is not visible on all whois worldwide
- tools that should make this more easy (like jwhois for domainname) are
  always developed with big delays and are never accurate

And many more problems, that's not what I understand as standardized ....

And if there is an RFC nearly for everything, it's pretty weird, that whois is not equal all over the world.

(well, but the same with domain whois, at least the output format could be the same, even if every country will hide fields or not like its needed by local law or commitment)

> >> A system like the one proposed would add an extra layer between the complainant and the relevant network and could well become a target for abuse itself. I am not sure how it would make network managers want to deal with abuse complaints that they are currently ignoring, though. Can you expand on that?
> >
> > That's right, the possible amount of reports arriving could be a real
> > problem and could use more resources than expected. The problem is,
> > that the amount is not really predictable until maybe even
> > a testbed is implemented.
> >
> > Members that are ignoring spam reports could be at least
> > identified, whatever "punishment" ( starting from public
> > blame reaching up to real sanctions) will appear after
> > identification, is for further discussions.
> >
> > It could start with a blacklist filled from RIPEs data,
> > lets call it the "spam report ignoring RIPE member blacklist",
> > or SRIRMB ;o)
>
> So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?

Yes, because the development and maintenance cost are spread on all members, instead on only those, that are willing to do something, this would be one way to "punish" the others :o)

And the system only has to be developed once.

And it will get even cheaper for everybody, if you add more functionality in the next steps ...

And no member that already receives and reads and works on abuse reports has to fear this system, that how it should be constructed.

It should help members with working abuse departments to simplify their work. It should also be a starting point to get report formats standardized, to simplify the lookup of abuse contacts (or even make lookups unnecessary). It should be a start to talk about consequences if a member ignores abuse reports.

Kind regards, Frank
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                  fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany               fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Regards,
>
> Leo
>

From jorgen at hovland.cx Sat Apr 10 14:17:40 2010
From: jorgen at hovland.cx (=?ISO-8859-1?Q?J=F8rgen_Hovland?=)
Date: Sat, 10 Apr 2010 14:17:40 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091943.o39JhBAb024493@www.powerweb.de>
References: <201004091943.o39JhBAb024493@www.powerweb.de>
Message-ID: <4BC06C64.1000103@hovland.cx>

Hello,

On 09/04/2010 21:43, Frank Gadegast wrote:
>
> to do something against abuse that is coming from their networks.
>
>

What is abuse, and why do you think you are a better judge than the government?

> Working against them will need some kind of "punishment", and sure there
> is more to talk about first with this. But at least there will be
> some kind of identification, which one needs to be educated
> or even "punished" with this kind of system.
> The consequences are still for further discussion.
>
>

But this already exists (the law). Anyone else dealing with punishment, like some blacklists do, is by me considered having a very poor credibility. If you want things to be done better against abusive activity on the internet, why don't you become a politician?

RIPE is a registry. That's it. If you think it is difficult to find contact information in the registry, perhaps RIPE should make improvements to http://www.db.ripe.net/whois ?

Cheers,

From jrace at attglobal.net Sat Apr 10 14:32:28 2010
From: jrace at attglobal.net (Jeffrey Race)
Date: Sat, 10 Apr 2010 08:32:28 -0400
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <4BC06C64.1000103@hovland.cx>
Message-ID: <20100410123246.E85556A070@postboy.ripe.net>

Legal systems are ineffective in dealing with this type of issue for well understood structural reasons.

See based on

On Sat, 10 Apr 2010 14:17:40 +0200, Jørgen Hovland wrote:
>Hello,
>
>On 09/04/2010 21:43, Frank Gadegast wrote:
>>
>> to do something against abuse that is coming from their networks.
>>
>What is abuse, and why do you think you are a better judge than the
>government?
>
>> Working against them will need some kind of "punishment", and sure there
>> is more to talk about first with this. But at least there will be
>> some kind of identification, which one needs to be educated
>> or even "punished" with this kind of system.
>> The consequences are still for further discussion.
>>
>But this already exists (the law).

From michele at blacknight.ie Sat Apr 10 18:04:06 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Sat, 10 Apr 2010 16:04:06 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004091943.o39JhBAb024493@www.powerweb.de>
References: <201004091943.o39JhBAb024493@www.powerweb.de>
Message-ID:

On 9 Apr 2010, at 20:43, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

> - whois is showing IP ranges and ranges are often quite small, what means
>   that you have to look up each range, better each IP separately

Huh?

>
> - whois has only a connection to the owner of the range and not to the
>   member, unless you do even more queries

What are you talking about?

If you do a lookup on an IP you can clearly see which AS number they belong to.
You might need to do a second lookup on the AS number to get a bit more verbose information, but it's clearly there

>
> - queries to personal objects are limited, what makes automated systems
>   impossible, if they are not starting to cache queries or read old
>   database dumps or have the special right to receive as many infos
>   as they need

Why do you need to query personal objects?

>
> - caching query results are causing delays, what means that the abuse contacts
>   can't be correct all the time, because they could have changed already

Abuse contacts are unlikely to change that often.
Sure, they may change, but they're not going to be changing on a regular basis.

>
> - if the IRT object is introduced including abuse records, you will have
>   to look up the normal whois AND the IRT object, and what result will
>   you prefer, if both is available ?
>
> and if you see it world-wide:
> - the formatting of the world wide whois systems is not equal and sometimes
>   even hard to parse, even if they nearly have the same fields
> - IPv4 ranges are widely spread between all RIRs, you will need to look
>   up arins whois first, to find out, where the range actually belongs to,
>   and then ask that RIR

No you don't.
You just do a whois lookup using a proper whois client and it will automatically handle the RIR side of things for you.

If you're having issues with this then your whois client is out of date.

> - don't forget the early registration blocks spread all over the world
> - arins whois requires up to three queries to finally get the abuse contact
>   hidden in several possible objects, multi-range listings with more than one
>   correct answer. What field will you really look for in arins whois ?

You're talking about a proposal for RIPE. Broadening it to other regions and any possible issues they may have isn't going to help RIPE much ..

>   OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
> - apnics whois is now spread along several other referral whois in different countries
>   and there is not clear and often changing relocation or change in the size
>   of the assigned blocks for those sub-RIRs
> - lacnic also spreads, brasil has its own whois
> - lacnic always includes the mains RIRs abuse contacts, relevant ? yes, no, both ?
> - the objects changed-date is not visible on all whois worldwide
> - tools that should make this more easy (like jwhois for domainname) are
>   always developed with big delays and are never accurate
>
> And many more problems, that's not what I understand as standardized ....
>
> And if there is an RFC nearly for everything, it's pretty weird,
> that whois is not equal all over the world.
>
> (well, but the same with domain whois, at least the output format could
> be the same, even if every country will hide fields or not like its
> needed by local law or commitment)

What has domain whois got to do with anything?

>
>>
>> So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
>
> Yes, because the development and maintenance cost are spread on all members,
> instead on only those, that are willing to do something, this would
> be one way to "punish" the others :o)

Which doesn't answer Leo's question at all.

>
> And the system only has to be developed once.
>
> And it will get even cheaper for everybody, if you add more functionality
> in the next steps ...
>
> And no member that already receives and reads and works on abuse reports
> has to fear this system, that how it should be constructed.

If we're already handling our own abuse reports and paying our normal RIPE fees why on earth would we want our RIPE fees to increase?

Sorry, but you've completely lost me on this one.

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From jorgen at hovland.cx Sun Apr 11 13:50:49 2010
From: jorgen at hovland.cx (=?ISO-8859-1?Q?J=F8rgen_Hovland?=)
Date: Sun, 11 Apr 2010 13:50:49 +0200
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
Message-ID: <4BC1B799.9020906@hovland.cx>

On 10/04/2010 14:32, Jeffrey Race wrote:
> Legal systems are ineffective in dealing with this
> type of issue for well understood structural reasons.
> See
>
>
> based on
>
>
>
>

I disagree. It is of course more time-consuming, but legal systems (should) give everyone a fair chance. Franks witch-hunt suggestion is exactly what I don't want. Legal systems also pursue the party that is legally doing something wrong, not the ISP or any other third party that shouldn't be bothered in the first place (of course sometimes it is the ISP etc). A lot of what you would define as spam isn't spam at all in legal terms. The company I work for block this spam too (only the spam, not the entire provider), but we would certainly not punish or file a lawsuit.

From phade at www.powerweb.de Sat Apr 10 19:42:43 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Sat, 10 Apr 2010 19:42:43 +0200 (MET DST)
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To:
Message-ID: <201004101742.o3AHghar019362@www.powerweb.de>

Hi again,

> On 9 Apr 2010, at 20:43, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
> > - whois is showing IP ranges and ranges are often quite small, what means
> >   that you have to look up each range, better each IP separately
>
> Huh?

Who cares about a range, when I want the responsible person for a fixed IP ?

> > - whois has only a connection to the owner of the range and not to the
> >   member, unless you do even more queries
>
> What are you talking about?
>
> If you do a lookup on an IP you can clearly see which AS number they belong to. You might need to do a second lookup on the AS number to get a bit more verbose information, but it's clearly there

That's it, you need a second query, that's weird these days. whois is that old and has nothing to do with up-to-date database design.

If I design a database, I design it to serve the questions I like to ask the database about, e.g. I like to ask the RIPEs database the following things:
- give me the abuse address of the responsible RIPE member for this IP
- give me the abuse address of the responsible IP user/owner
- give me the abuse address of the upstream provider for this IP
- give me the telephone number of the RIPE member for this IP
- aso ...

You can't do that with whois without programming a lot of special cases, understand what type of objects to query and to parse the first result, do a second query, parse that result.

whois has really nothing to do with current databases. If I could run RIPEs databases I would love to do a simple:

SELECT abuseemail FROM owner where ip='1.2.3.4'

and send this to port whatever via telnet and get a clean answer in one line just containing what I asked for and nothing else.

Easier ? Yes.

Is whois kind of blocking the development of several tools because of an non-up-to-date design ? Yes sure.

> > - queries to personal objects are limited, what makes automated systems
> >   impossible, if they are not starting to cache queries or read old
> >   database dumps or have the special right to receive as many infos
> >   as they need
>
> Why do you need to query personal objects?

For the abuse email address or the owners email address or the tech-c email address. A lot of netobjects do neither have a remark section including an abuse address, they do not have a valid abuse-email field, the only thing they have is a "link" to the admin-c or tech-c object, that you have to query then again ...

> > - caching query results are causing delays, what means that the abuse contacts
> >   can't be correct all the time, because they could have changed already
>
> Abuse contacts are unlikely to change that often.

Wrong. They change really quick. Specially for those netrange objects that do only have personal objects and no abuse-email field or remark.

> Sure, they may change, but they're not going to be changing on a regular basis.

admin-c and tech-c do change quite often, at least this is our experience with our own blacklist. We decided to look up any object as quick again as RIPE whois allows us with their limits, otherwise we will send report to the wrong person, and that still happens too often.

> > and if you see it world-wide:
> > - the formatting of the world wide whois systems is not equal and sometimes
> >   even hard to parse, even if they nearly have the same fields
> > - IPv4 ranges are widely spread between all RIRs, you will need to look
> >   up arins whois first, to find out, where the range actually belongs to,
> >   and then ask that RIR
>
> No you don't.
> You just do a whois lookup using a proper whois client and it will automatically handle the RIR side of things for you.

Love to have a whois tool, that can somehow sniff the right RIR out of the air without having to do a query first, look it up in whatever file on a ftp server or some other remote thing.
How do you think that a proper whois client is doing that decision ?
Come on ... he has to look it up first, to which RIR it belongs.

> If you're having issues with this then your whois client is out of date.

Sure, and it will be out of date every week, if it's not doing that "magic" lookup.
109.x.x.x was assigned to RIPE not that long ago.
APNIC got a few blocks lately.
KRNIC got a few blocks from APNIC
All not long ago ...

> > - don't forget the early registration blocks spread all over the world
> > - arins whois requires up to three queries to finally get the abuse contact
> > hidden in several possible objects, multi-range listings with more than one
> > correct answer. What field will you really look for in arins whois ?
>
> You're talking about a proposal for RIPE. Broadening it to other regions and any possible issues they may have isn't going to help RIPE much ..

It's written in the draft, that other RIRs might pick up on the same idea.
In the end I would love if all RIRs have the same tools, protocols one day.

> > OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
> > - apnics whois is now spread along several other referral whois in different countries
> > and there is not clear and often changing relocation or change in the size
> > of the assigned blocks for those sub-RIRs
> > - lacnic also spreads, brasil has its own whois
> > - lacnic always includes the mains RIRs abuse contacts, relevant ? yes, no, both ?
> > - the objects changed-date is not visible on all whois worldwide
> > - tools that should make this more easy (like jwhois for domainname) are
> > always developed with big delays and are never accurate

No comment here ?

> > And many more problems, that's not what I understand as standardized ....
> >
> > And if there is an RFC nearly for everything, it's pretty weird,
> > that whois is not equal all over the world.

Hm, no answer on that too ?
Why is whois output different all over the world ?
It's like having a different internet everywhere.

> > (well, but the same with domain whois, at least the output format could
> > be the same, even if every country will hide fields or not like it's
> > needed by local law or commitment)
>
> What has domain whois got to do with anything?

That was only a note.
Domains are also hard to parse. At least the last new domain registries (like .org, .biz, .name) finally picked up, that whois should look the same, should be easy to parse and should at least try to have the same fields all over the world.

But, look at ARIN's whois, this one is a disaster according to a parsing function.
Sometimes you get even two answers when asking for ONE IP, then you have to parse the least significant object from the NET-name and query that object again.
Really weird ...

> >> So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
> >
> > Yes, because the development and maintenance cost are spread on all members,
> > instead on only those, that are willing to do something, this would
> > be one way to "punish" the others :o)
>
> Which doesn't answer Leo's question at all.

Different mail.

> > And the system only has to be developed once.
> >
> > And it will get even cheaper for everybody, if you add more functionality
> > in the next steps ...
> >
> > And no member that already receives and reads and works on abuse reports
> > has to fear this system, that how it should be constructed.
>
> If we're already handling our own abuse reports and paying our normal RIPE fees why on earth would we want our RIPE fees to increase?
>
> Sorry, but you've completely lost me on this one.

Answer in the reply to Leo's mail ...

Kind regards, Frank
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Regards
>
> Michele
>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Fax. +353 (0) 1 4811 763
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>

From jrace at attglobal.net Sun Apr 11 17:52:51 2010
From: jrace at attglobal.net (Jeffrey Race)
Date: Sun, 11 Apr 2010 11:52:51 -0400
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <4BC1B799.9020906@hovland.cx>
Message-ID: <20100411155307.8E29E6A006@postboy.ripe.net>

On Sun, 11 Apr 2010 13:50:49 +0200, J?rgen Hovland wrote:
> It is of course more time-consuming, but legal systems
> (should) give everyone a fair chance.

Legal systems have failed in this task and will continue to fail for the reasons described in the article. It is magical thinking to believe that legal systems can help.

> Legal systems also pursue the party that is legally doing something
> wrong, not the ISP or any other third party that shouldn't be bothered
> in the first place (of course sometimes it is the ISP etc).

The analogy is incorrect. Airlines are the ones who keep drunk pilots out of cockpits, not legal systems. You hold the entity responsible for its behavior.

To continue the comparison, an airline could tell one of his pilots he is to stop flying due to misconduct.
It might separately be a crime which the state authorities might pursue or not. But the adverse impact should be prevented as a separate action

From michele at blacknight.ie Sun Apr 11 18:01:16 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Sun, 11 Apr 2010 16:01:16 +0000
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <20100411155307.8E29E6A006@postboy.ripe.net>
References: <20100411155307.8E29E6A006@postboy.ripe.net>
Message-ID: <316B3EC8-0800-40E9-AA8F-9600171E90B8@blacknight.ie>

On 11 Apr 2010, at 16:52, Jeffrey Race wrote:

> On Sun, 11 Apr 2010 13:50:49 +0200, J?rgen Hovland wrote:
>> It is of course more time-consuming, but legal systems
>> (should) give everyone a fair chance.
>
> Legal systems have failed in this task and will continue
> to fail for the reasons described in the article. It is
> magical thinking to believe that legal systems can help.

And a witch hunt is better?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From jrace at attglobal.net Sun Apr 11 18:25:36 2010
From: jrace at attglobal.net (Jeffrey Race)
Date: Sun, 11 Apr 2010 12:25:36 -0400
Subject: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <316B3EC8-0800-40E9-AA8F-9600171E90B8@blacknight.ie>
Message-ID: <20100411162549.6257C6A003@postboy.ripe.net>

On Sun, 11 Apr 2010 16:01:16 +0000, Michele Neylon :: Blacknight wrote:
> And a witch hunt is better?

"witch-hunt also witch hunt N.
An investigation carried out ostensibly to uncover subversive activities but actually used to harass and undermine those with differing views."

The measures proposed in the RFC I am drafting do not relate to the content of the message traffic. The objective measures are clearly specified. Read the proposal please. It has nil to do with politics or dissenting views.

Note that many network operators already enforce such rules. The issue is just to universalize this best practice.

From phade at www.powerweb.de Sun Apr 11 17:12:28 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Sun, 11 Apr 2010 17:12:28 +0200 (MET DST)
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC1B799.9020906@hovland.cx>
Message-ID: <201004111512.o3BFCSOa020997@www.powerweb.de>

Hi,

> A lot of what you would define as spam isn't spam at all in legal
> terms. The company I work for block this spam too (only the spam, not
> the entire provider), but we would certainly not punish or file a lawsuit.

That is your opinion.
And we learned with this group that there is no general consensus about how to define spam or abuse.

I think that everything IS spam, what somebody, who receives it, is bothered
with, because he did not want it, he feels offended, did not ask for it
or whatever personal reason.

Compare it to normal adverts in TV or magazine. The person viewing or reading it, still can decide not to consume TV or read magazines, switch the channel or read different ones, where he's interested in the adverts, because it belongs to work or interest and where they don't bother him.

With mail you can't do that.
You have a mail address and receive stuff you did not ask for,
that has nothing to do with business or interest.

E.g. I don't want to buy viagra, but still get bothered with it. I'm even offended with newsletters, where the sender thinks, that it could have something to do with my work, but actually fails with his estimation.
I feel abused of stuff like this.
And if I feel abused, I think it's spam.

Spam cannot be defined in general terms, because its definition depends from the recipient's perspective.

And that's exactly what is the background idea of a spam report
delivery system.
Let the recipient decide, what he think he's abuse about.

Kind regards, Frank
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From phade at www.powerweb.de Sun Apr 11 17:29:20 2010
From: phade at www.powerweb.de (Frank Gadegast)
Date: Sun, 11 Apr 2010 17:29:20 +0200 (MET DST)
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To:
Message-ID: <201004111529.o3BFTKkE022558@www.powerweb.de>

Hi,

> I think the following should be the "easiest" way of reducing spam:
>
> 1. Adding that the ISP should have a responsibility to reduce spam to the contract between the ISP and RIPE. (If as only adding "ISP should try to reduce spam" with no other details.)

Yes, but this has to be formulated a way, that the recipient decides
what spam is, so that there has no definition of spam to be included.

So: RIPE has to add to the members contract, that the member is responsible
for receiving abuse reports and reducing the cause of these reports as much as possible.

> 2. Measure how much spam originates from each ISP.

Difficult to formulate this way.

Better would be: RIPE has to start to measure the amount of abuse reports any member receives.
Measurement systems have to include a system run by RIPE NCC and could include
other reliable data from sources not related to RIPE.

> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.

A big yes, but we will have to find consensus here, what's worse
and what punishment could happen, there are a lot of possibilities.

I would prefer to make this step later, after contracts
are changed and a measurement system is introduced.
Having facts, data and results from such a system could
help defining who is really "bad".

> I saw you had the same or similar idea on http://www.ripe.net/ripe/maillists/archives/anti-spam-wg/2008/msg00056.html
>
> From the looks of it I'm suspecting we can't even get consensus on the first step, unfortunately. :(
> For step number two I think the easiest way would be using spamcop or some similar system. The benefits for using spamcop is that it's already an existing system. No cost for developing the system or for teaching users how to report spam. People all around the world already uses it and knows how to report spam. Spamcop has already a system for contacting the correct ISP (I think). RIPE can use the statistics provided by spamcop to see what ISPs misbehaves. (Of course RIPE must be more accepting for the amount of spam than Spamcop. It's already prepared for all other RIRs if they should follow after RIPE has begun. And if RIPE cooperates with spamcop I also assume more users would be reporting the spam there.

You see, it's not that old :o)

> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers. I guess there should be some way of fixing that problem if that is the case.

The system is well known, and most big provider use it and forget problems
to their customers, they are even opening tickets for these cases, to
not forget them.
spamhaus is another very reliable source.
I bet both and even others would love to share their data with a RIR.

But again, to be really reliable, RIPE needs to have an own system, no judgement
could be done, if RIPE ONLY counts on other resources ...

> Do you think this could work?
> I will continue to read the archive to see if someone has found a problem with this earlier.

Well, I started this discussion, so I think it would work and would help.
It's only how to formulate this and how details should look like.

There I do still need more input ...

Kind regards, Frank
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

>
> Best Regards
> Martin Tranefjord
>

From michele at blacknight.ie Mon Apr 12 10:58:22 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 12 Apr 2010 08:58:22 +0000
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <201004111529.o3BFTKkE022558@www.powerweb.de>
References: <201004111529.o3BFTKkE022558@www.powerweb.de>
Message-ID: <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie>

On 11 Apr 2010, at 16:29, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>
> Hi,
>
>> I think the following should be the "easiest" way of reducing spam:
>>
>> 1. Adding that the ISP should have a responsibility to reduce spam to the contract between the ISP and RIPE. (If as only adding "ISP should try to reduce spam" with no other details.)
>
> Yes, but this has to be formulated a way, that the recipient decides
> what spam is, so that there has no definition of spam to be included.
>
> So: RIPE has to add to the members contract, that the member is responsible
> for receiving abuse reports and reducing the cause of these reports as much as possible.

You cannot expect anyone to sign a contract which expects them to take action against something which has not been defined.

>
>> 2. Measure how much spam originates from each ISP.
>
> Difficult to formulate this way.
>
> Better would be: RIPE has to start to measure the amount of abuse reports any member receives.
> Measurement systems have to include a system run by RIPE NCC and could include
> other reliable data from sources not related to RIPE.

This means that all the spam reports would have to go via RIPE which is not a good idea for a multitude of reasons.

>
>> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.
>
> A big yes, but we will have to find consensus here, what's worse
> and what punishment could happen, there are a lot of possibilities.

You cannot expect anyone to agree to being fined without workable definitions

>
> I would prefer to make this step later, after contracts
> are changed and a measurement system is introduced.
> Having facts, data and results from such a system could
> help defining who is really "bad".
>
>> I saw you had the same or similar idea on http://www.ripe.net/ripe/maillists/archives/anti-spam-wg/2008/msg00056.html
>>
>>> From the looks of it I'm suspecting we can't even get consensus on the first step, unfortunately. :(
>> For step number two I think the easiest way would be using spamcop or some similar system. The benefits for using spamcop is that it's already an existing system. No cost for developing the system or for teaching users how to report spam. People all around the world already uses it and knows how to report spam. Spamcop has already a system for contacting the correct ISP (I think). RIPE can use the statistics provided by spamcop to see what ISPs misbehaves. (Of course RIPE must be more accepting for the amount of spam than Spamcop. It's already prepared for all other RIRs if they should follow after RIPE has begun. And if RIPE cooperates with spamcop I also assume more users would be reporting the spam there.
>
> You see, it's not that old :o)
>
>> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers.
>> I guess there should be some way of fixing that problem if that is the case.
>
> The system is well known, and most big provider use it

That's a wonderfully broad sweeping statement.

Do you have proof to back that up?

Spamcop can be useful, yes. But a lot of Spamcop reports are not reliable at all.

> and forget problems
> to their customers, they are even opening tickets for these cases, to
> not forget them.
> spamhaus is another very reliable source.
> I bet both and even others would love to share their data with a RIR.
>
> But again, to be really reliable, RIPE needs to have an own system, no judgement
> could be done, if RIPE ONLY counts on other resources ...
>
>> Do you think this could work? I will continue to read the archive to see if someone has found a problem with this earlier.
>
> Well, I started this discussion, so I think it would work and would help.
> It's only how to formulate this and how details should look like.
>
> There I do still need more input ...
>
>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb                  http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
> Schinkelstrasse 17                         fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>
>>
>> Best Regards
>> Martin Tranefjord
>>
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl.
+353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From esa.laitinen at iki.fi Mon Apr 12 11:18:52 2010
From: esa.laitinen at iki.fi (Esa Laitinen)
Date: Mon, 12 Apr 2010 11:18:52 +0200
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <201004111512.o3BFCSOa020997@www.powerweb.de>
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de>
Message-ID:

2010/4/11 Frank Gadegast

> I think that everything IS spam, what somebody, who receives it, is
> bothered
> with, because he did not want it, he feels offended, did not ask for it
> or whatever personal reason.
>
>

Really? So the newsletter you've subscribed yesterday, received the first issue today and was happy about it, turns into spam tomorrow when they publish a story that annoys you?

Now we're entering very interesting terrain...

> You have a mail address and receive stuff you did not ask for,
> that has nothing to do with business or interest.
>

No, but it is something to do with consent, don't you think? The consent should be the most important thing when considering if something is spam.

> And if I feel abused, I think it's spam.
>

I might think that white is black, but it doesn't make it so. Consent, that is the key.

> And that's exactly what is the background idea of a spam report
> delivery system.
> Let the recipient decide, what he think he's abuse about.
>
>

So, are you talking about abuse, or are you talking about spam?

--
Esa Laitinen
Tel. +41 76 200 2870
skype/yahoo: reunaesa

From ripe-anti-spam-wg at powerweb.de Mon Apr 12 11:47:52 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 11:47:52 +0200
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie>
References: <201004111529.o3BFTKkE022558@www.powerweb.de> <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie>
Message-ID: <4BC2EC48.3040407@powerweb.de>

Michele Neylon :: Blacknight wrote:
> On 11 Apr 2010, at 16:29, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
>
>> Hi,

Hi,

>>> I think the following should be the "easiest" way of reducing spam:
>>>
>>> 1. Adding that the ISP should have a responsibility to reduce spam to the contract between the ISP and RIPE. (If as only adding "ISP should try to reduce spam" with no other details.)
>> Yes, but this has to be formulated a way, that the recipient decides
>> what spam is, so that there has no definition of spam to be included.
>>
>> So: RIPE has to add to the members contract, that the member is responsible
>> for receiving abuse reports and reducing the cause of these reports as much as possible.
>
> You cannot expect anyone to sign a contract which expects them to take action against something which has not been defined.

Again, the above sentence is not talking about abuse, it's talking about abuse reports, or name it complaints, when you like that more.
You don't need a definition of abuse, if you make the member
responsible for taking care of complaints.

Abuse is then everything what the recipient or attack person like to complain about, because he feels abused.

>>> 2. Measure how much spam originates from each ISP.
>> Difficult to formulate this way.
>>
>> Better would be: RIPE has to start to measure the amount of abuse reports any member receives.
>> Measurement systems have to include a system run by RIPE NCC and could include
>> other reliable data from sources not related to RIPE.
>
> This means that all the spam reports would have to go via RIPE which is not a good idea for a multitude of reasons.

Looks like you did not read the DRAFT at all.
That's exactly why we need a system at RIPE.
And the pros and cons of such a system are discussed here since last week.

>>> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.
>> A big yes, but we will have to find consensus here, what's worse
>> and what punishment could happen, there are a lot of possibilities.
>
> You cannot expect anyone to agree to being fined without workable definitions

Again, you don't need a definition.
It's only important that the members takes care about complaints.

>>> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers. I guess there should be some way of fixing that problem if that is the case.
>> The system is well known, and most big provider use it
>
> That's a wonderfully broad sweeping statement.
>
> Do you have proof to back that up?

No, and I don't have to, because I said, that RIPE needs an own system
to be bullet-proof, other source "could" be used to proof
own data, nothing more.

Kind regards, Frank

>>> Martin Tranefjord
>>>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>

--

With kind regards,
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast                             mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Mon Apr 12 11:53:55 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 12 Apr 2010 09:53:55 +0000
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <4BC2EC48.3040407@powerweb.de>
References: <201004111529.o3BFTKkE022558@www.powerweb.de> <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie> <4BC2EC48.3040407@powerweb.de>
Message-ID: <1B0E058A-4A11-4358-8264-16893CCD6750@blacknight.ie>

On 12 Apr 2010, at 10:47, Frank Gadegast wrote:

> Michele Neylon :: Blacknight wrote:
>> On 11 Apr 2010, at 16:29, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
>>> Hi,
>
> Hi,
>
>>>> I think the following should be the "easiest" way of reducing spam:
>>>>
>>>> 1. Adding that the ISP should have a responsibility to reduce spam to the contract between the ISP and RIPE. (If as only adding "ISP should try to reduce spam" with no other details.)
>>> Yes, but this has to be formulated a way, that the recipient decides
>>> what spam is, so that there has no definition of spam to be included.
>>>
>>> So: RIPE has to add to the members contract, that the member is responsible
>>> for receiving abuse reports and reducing the cause of these reports as much as possible.
>> You cannot expect anyone to sign a contract which expects them to take action against something which has not been defined.
>
> Again, the above sentence is not talking about abuse, it's talking about abuse reports, or name it complaints, when you like that more.
> You don't need a definition of abuse, if you make the member
> responsible for taking care of complaints.
>
> Abuse is then everything what the recipient or attack person like to complain about, because he feels abused.

That is wide open to gaming.

Taking care of a complaint can be as simple as closing the ticket.

>
>>>> 2. Measure how much spam originates from each ISP.
>>> Difficult to formulate this way.
>>>
>>> Better would be: RIPE has to start to measure the amount of abuse reports any member receives.
>>> Measurement systems have to include a system run by RIPE NCC and could include
>>> other reliable data from sources not related to RIPE.
>> This means that all the spam reports would have to go via RIPE which is not a good idea for a multitude of reasons.
>
> Looks like you did not read the DRAFT at all.
> That's exactly why we need a system at RIPE.
> And the pros and cons of such a system are discussed here since last week.

And I and others have pointed out why such a centralised system is a fundamentally flawed idea

>
>>>> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.
>>> A big yes, but we will have to find consensus here, what's worse
>>> and what punishment could happen, there are a lot of possibilities.
>> You cannot expect anyone to agree to being fined without workable definitions
>
> Again, you don't need a definition.
> It's only important that the members takes care about complaints.

"Take care" how exactly?

You really can't be this vague if you want to modify a contract and introduce censure against RIPE members

>
>>>> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers. I guess there should be some way of fixing that problem if that is the case.
>>> The system is well known, and most big provider use it
>> That's a wonderfully broad sweeping statement.
>> Do you have proof to back that up?
>
> No, and I don't have to, because I said, that RIPE needs an own system
> to be bullet-proof, other source "could" be used to proof
> own data, nothing more.

You are putting forward a proposal which you expect to be taken seriously

If you cannot defend it properly why did you even start?

>
>
> Kind regards, Frank
>
>>>> Martin Tranefjord
>>>>
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> ICANN Accredited Registrar
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://mneylon.tel
>> Intl. +353 (0) 59 9183072
>> US: 213-233-1612 UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Twitter: http://twitter.com/mneylon
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
> --
>
> With kind regards,
> --
> PHADE Software - PowerWeb                  http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
> Schinkelstrasse 17                         fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From niall at blacknight.com Mon Apr 12 11:25:23 2010
From: niall at blacknight.com (Niall Donegan)
Date: Mon, 12 Apr 2010 10:25:23 +0100
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <201004111512.o3BFCSOa020997@www.powerweb.de>
References: <201004111512.o3BFCSOa020997@www.powerweb.de>
Message-ID: <4BC2E703.1000400@blacknight.com>

Dipl-Inform.
Frank Gadegast wrote:
> I think that everything IS spam, what somebody, who receives it, is bothered
> with, because he did not want it, he feels offended, did not ask for it
> or whatever personal reason.

Just to give you a very specific example that we received last week from AOL's Scomp.

It was an email which a real estate management company sent to the landlord, informing them that the tenant had paid the rent, however they were asking if something could come over and check the cold water tap in the bathroom. The landlord just hit "Report Spam".

By your definition, that is spam, as the landlord didn't want it.

I'm sure everyone on this list who runs an abuse desk can share similar stories. I know we have plenty more examples.

The problem here is user education. A lot of users see the "Report Spam" button as a "Delete And Don't Come Back" button, not understanding the difference between Spam and legitimate email which they don't like.

Niall.

--
Niall Donegan ---------------- http://www.blacknight.com
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park,
Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From frank at powerweb.de Mon Apr 12 12:02:33 2010
From: frank at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 12:02:33 +0200
Subject: [anti-abuse-wg] spam definition
In-Reply-To:
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de>
Message-ID: <4BC2EFB9.4030603@powerweb.de>

Esa Laitinen wrote:
>

Hi,

> 2010/4/11 Frank Gadegast
>
> I think that everything IS spam, what somebody, who receives it, is
> bothered
> with, because he did not want it, he feels offended, did not ask for it
> or whatever personal reason.
>
>
> Really? So the newsletter you've subscribed yesterday, received the
> first issue today and was happy about it, turns into spam tomorrow when
> they publish a story that annoys you?
>
> Now we're entering very interesting terrain...

No, why ?
I wanted the newsletter and I can unsubscribe.

But even then: when I'm too stupid to unsubscribe and get angry
about it and like to complain? What's wrong with that?

If I complain about that the webpage of the ISP looks stupid
I could complain about it, if I don't like the weather in Finland,
I could complain about, and that's still something the ISP
should take care of.
You maybe know that yourself, that customers sometimes think,
that you as your ISP are responsible for nearly everything.

But the customer still complains.

HOW the ISP is taking care of this, is a really different point.
Like I outlined (about 20 times already) the system should
start with a backlink included by RIPE's system, that enables the ISP
to give feedback, how he treated the complaint.

And this should be completely free for the member, how
he categorizes the complaint. He should be able
to select "has nothing to do with us", "out of scope",
"no real complaint" up to "server was hacked here",
"we are investigating this currently" to
"problem fixed" or whatever else category
we like to include.

And now the point:
RIPE NCC could then easily track, which member
is doing nothing!
And that's what we need to find out.

And maybe some bad members find a trick
to give feedback in an automatic way, with
real comments, that look like, if they
are really doing something, maybe to fool
us all.

But: first RIPE NCC can still find those that are doing nothing
and probably after a while and a bit more experience,
they find even those, that are trying to fool us
(e.g. by comparing own data to the data from other blacklists?)

> You have a mail address and receive stuff you did not ask for,
> that has nothing to do with business or interest.
>
>
> No, but it is something to do with consent, don't you think? The consent
> should be the most important thing when considering if something is spam.

Not at all.
We cannot reach consensus about what spam or abuse is.

So let's forget it, let's talk about complaints and resulting
abuse reports.

> And that's exactly what is the background idea of a spam report
> delivery system.
> Let the recipient decide, what he think hes abuse about.
>
> So, are you talking about abuse, or are you talking about spam?

I'm talking about abuse reports and complaints.

> --
> Esa Laitinen
> Tel. +41 76 200 2870
> skype/yahoo: reunaesa

--

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Mon Apr 12 12:16:12 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 12 Apr 2010 10:16:12 +0000
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC2EFB9.4030603@powerweb.de>
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de>
Message-ID: <94BD65EF-EB4D-4A81-8B8D-D35705E3F5CE@blacknight.ie>

On 12 Apr 2010, at 11:02, Frank Gadegast wrote:
>
>
> And this should be completely free for the member, how
> he categorizes the complaint. He should be able
> to select "has nothing to do with us", "out of scope",
> "no real complaint" up to "server was hacked here",
> "we are investigating this currently" to
> "problem fixed" or whatever else category
> we like to include.

Are you going to pay my staff to waste their time with spurious complaints?

Is RIPE?

>
> And now the point:
> RIPE NCC could then easily track, which member
> is doing nothing!
> And that's what we need to find out.

No - it's what you in your little world would like to find out

>
> And maybe some bad members find a trick
> to give feedback in an automatic way, with
> real comments, that look like, if they
> are really doing something, maybe to fool
> us all.

And again - are you going to pay my staff to waste their time dealing with thousands of spurious complaints? Because that's basically what you're expecting us to do

>
> Not at all.
> We cannot reach consensus about what spam or abuse is.
>
> So let's forget it, let's talk about complaints and resulting
> abuse reports.

You cannot simply "forget it"

You need to define clearly the boundaries of what your idea is meant to cover.

If you cannot do that then it should be rejected immediately

>
>> And that's exactly what is the background idea of a spam report
>> delivery system.
>> Let the recipient decide, what he think hes abuse about.
>> So, are you talking about abuse, or are you talking about spam?
>
> I'm talking about abuse reports and complaints.

Provide proper definitions of these or at least boundaries

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl.
+353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ripe-anti-spam-wg at powerweb.de Mon Apr 12 12:27:05 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 12:27:05 +0200
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <1B0E058A-4A11-4358-8264-16893CCD6750@blacknight.ie>
References: <201004111529.o3BFTKkE022558@www.powerweb.de> <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie> <4BC2EC48.3040407@powerweb.de> <1B0E058A-4A11-4358-8264-16893CCD6750@blacknight.ie>
Message-ID: <4BC2F579.7020105@powerweb.de>

Michele Neylon :: Blacknight wrote:

Still no "hello" from you ...
(and then complaining about "my tone")

Hello Michele,

> On 12 Apr 2010, at 10:47, Frank Gadegast wrote:
>
>> Michele Neylon :: Blacknight wrote:
>>> On 11 Apr 2010, at 16:29, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
>>>> Hi,
>> Hi,
>>
>>>>> I think the following should be the "easiest" way of reducing spam:
>>>>>
>>>>> 1. Adding that the ISP should have a responsibility to reduce spam to the contract between the ISP and RIPE. (If as only adding "ISP should try to reduce spam" with no other details.)
>>>> Yes, but this has to be formulated a way, that the recipient decides
>>>> what spam is, so that there has no definition of spam to be included.
>>>>
>>>> So: RIPE has to add to the members contract, that the member is responsible
>>>> for receiving abuse reports and reducing the cause of these reports as much as possible.
>>> You cannot expect anyone to sign a contract which expects them to take action against something which has not been defined.
>> Again, the above sentence is not talking about abuse, it's talking about abuse reports, or name it complaints, when you like that more.
>> You don't need a definition of abuse, if you make the member
>> responsible for taking care of complaints.
>>
>> Abuse is then everything what the recipient or attack person like to complain about, because he feels abused.
>
>
> That is wide open to gaming.

See my next mailing about this.
I explained it now 10 times, and maybe
you read the 11th.
That's what the backlink is for.

> Taking care of a complaint can be as simple as closing the ticket.

Right, and to give a comment, select a category or whatever.

But: you will still get those that do not react at all,
that have a dead abuse address aso.

And it will be quite easy to detect, if one member
simply closes all his tickets without giving
any feedback.

>> Looks like you did not read the DRAFT at all.
>> That's exactly why we need a system at RIPE.
>> And the pros and cons of such a system are discussed here since last week.
>
> And I and others have pointed out why such a centralised system is a fundamentally flawed idea

Right, but it's not at all helpful to repeat the cons.

It would be more helpful, if you present ideas to make a whatever
anti abuse system make it to work, so that you like it.

What do you need to drop your cons?

>>>>> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.
>>>> A big yes, but we will have to find consensus here, whats worse
>>>> and what punishment could happen, there are a lot of possibilities.
>>> You cannot expect anyone to agree to being fined without workable definitions
>> Again, you don't need a definition.
>> It's only important that the members takes care about complaints.
>
> "Take care" how exactly?

Up to the member.
Nobody will tell the member how to react, and how could we?

> You really can't be this vague if you want to modify a contract and introduce censure against RIPE members
>
>
>>>>> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers. I guess there should be some way of fixing that problem if that is the case.
>>>> The system is well known, and most big provider use it
>>> That's a wonderfully broad sweeping statement.
>>> Do you have proof to back that up?
>> No, and I don't have to, because I said, that RIPE needs an own system
>> to be bullet-proof, other source "could" be used to prove
>> own data, nothing more.
>
>
> You are putting forward a proposal which you expect to be taken seriously

Not at all, it's a draft for discussion, that's what we are
doing here. The next version will be much better and suit
the needs of much more people here on the list.
But surely only those that give feedback about how to make it better.

> If you cannot defend it properly why did you even start?

Sorry, you don't help the discussion.
All you do is criticising me (not for the first time
and too personal I would say).

I have nothing to "defend", an RFC is a
"request for comment", if you don't know that.

Do your comments, give ideas, tell me how to make
a better system, that suits even more people.

Others on this list give really valuable feedback,
like "hm, that's not a good idea, you did not think
about this or that, better do it this way",
that's what I need.

But I can write an RFC with the title
"RFC 3302: why frank is that stupid"
then you can comment me personally ...


Kind regards, Frank

>
>>
>> Kind regards, Frank
>>
>>>>> Martin Tranefjord
>>>>>
>>> Mr Michele Neylon
>>> Blacknight Solutions
>>> Hosting & Colocation, Brand Protection
>>> ICANN Accredited Registrar
>>> http://www.blacknight.com/
>>> http://blog.blacknight.com/
>>> http://mneylon.tel
>>> Intl.
>>> +353 (0) 59 9183072
>>> US: 213-233-1612 UK: 0844 484 9361
>>> Locall: 1850 929 929
>>> Direct Dial: +353 (0)59 9183090
>>> Twitter: http://twitter.com/mneylon
>>> -------------------------------
>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>
>> --
>>
>> Kind regards,
>> --
>> PHADE Software - PowerWeb http://www.powerweb.de
>> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
>> Schinkelstrasse 17 fon: +49 33200 52920
>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
>> ======================================================================
>> Public PGP Key available for frank at powerweb.de
>>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>

--

Kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From thor.kottelin at turvasana.com Mon Apr 12 12:28:52 2010
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Mon, 12 Apr 2010 13:28:52 +0300
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC2EFB9.4030603@powerweb.de>
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net] On Behalf Of Frank Gadegast
> Sent: Monday, April 12, 2010 1:03 PM
> To: Esa Laitinen; anti-abuse-wg at ripe.net

> If I complain about that the webpage of the ISP looks stupid
> I could complain about it, if I dont like the weather in finland,
> I could complain about, and thats still something the ISP
> should take care of.

This would fall outside the scope of the Anti-Abuse WG, becoming off topic here.

--
Thor Kottelin
http://www.anta.net/

From ripe-anti-spam-wg at powerweb.de Mon Apr 12 12:38:30 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 12:38:30 +0200
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <94BD65EF-EB4D-4A81-8B8D-D35705E3F5CE@blacknight.ie>
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <94BD65EF-EB4D-4A81-8B8D-D35705E3F5CE@blacknight.ie>
Message-ID: <4BC2F826.5070508@powerweb.de>

Michele Neylon :: Blacknight wrote:
> On 12 Apr 2010, at 11:02, Frank Gadegast wrote:
>> HELLO MICHELE,
>>
>> And this should be completely free for the member, how
>> he categorizes the complaint.
>> He should be able
>> to select "has nothing to do with us", "out of scope",
>> "no real complaint" up to "server was hacked here",
>> "we are investigating this currently" to
>> "problem fixed" or whatever else category
>> we like to include.
>
> Are you going to pay my staff to waste their time with spurious complaints?
>
> Is RIPE?

What is more likely.
That you get more reports about real abuse or more reports
about funny things or things that don't have anything to do with you?

And what is more likely: that you receive more reports about something
that has nothing to do with you than you get already on your normal
info email address?
You will have to deal with them too.

I don't think that the new system will create more work on false
reports for you that much.

>> And now the point:
>> RIPE NCC could then easily track, which member
>> is doing nothing!
>> And that's what we need to find out.
>
> No - it's what you in your little world would like to find out

Sure Michele, a spammer does not want to be identified.
An ISP that's lazy and does not care, what his laziness is causing
others, does not like to get identified either.

>> And maybe some bad members find a trick
>> to give feedback in an automatic way, with
>> real comments, that look like, if they
>> are really doing something, maybe to fool
>> us all.
>
> And again - are you going to pay my staff to waste their time dealing with thousands of spurious complaints? Because that's basically what you're expecting us to do

See above.

>> Not at all.
>> We cannot reach consensus about what spam or abuse is.
>>
>> So let's forget it, let's talk about complaints and resulting
>> abuse reports.
>
> You cannot simply "forget it"
>
> You need to define clearly the boundaries of what your idea is meant to cover.

Why, my system does not like to "cover" abuse.
It likes to deliver abuse reports more easily, more standardized
and likes to find out, what member is handling abuse reports
and who doesn't.

> if you cannot do that then it should be rejected immediately

Again, the next version will clearly state, that it's not
about abuse, it's about complaints.

>
>>> And that's exactly what is the background idea of a spam report
>>> delivery system.
>>> Let the recipient decide, what he think hes abuse about.
>>> So, are you talking about abuse, or are you talking about spam?
>> I'm talking about abuse reports and complaints.
>
> Provide proper definitions of these or at least boundaries

That's what all spammers want, to define abuse, what we can do.
And that's the main reason I hear here for years and that
"need to define abuse" is the old criteria, the lazy members
repeated here constantly to block all effort from the others,
that are handling complaints and that like to get rid of
all these criminal attacks (my opinion).

Now the spammers can be afraid, because we can finally jump
over that hurdle ;o)


Kind regards, Frank

>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>

--

Kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Mon Apr 12 12:40:17 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 12 Apr 2010 10:40:17 +0000
Subject: SV: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
In-Reply-To: <4BC2F579.7020105@powerweb.de>
References: <201004111529.o3BFTKkE022558@www.powerweb.de> <6648CD43-8412-45EF-92F4-A21431A4E997@blacknight.ie> <4BC2EC48.3040407@powerweb.de> <1B0E058A-4A11-4358-8264-16893CCD6750@blacknight.ie> <4BC2F579.7020105@powerweb.de>
Message-ID: <22C6FD16-C71A-47E2-9B60-D8CC85378655@blacknight.ie>

On 12 Apr 2010, at 11:27, Frank Gadegast wrote:

> Michele Neylon :: Blacknight wrote:
>
> Still no "hello" from you ...
> (and then complaining about "my tone")

Frank

I've addressed emails in reply to you "correctly" ie. by including your name - yet you still expect me to post using some kind of form that you like.

It is NOT correct in English to open an email with the line "Hello John Doe"

>>>
>> That is wide open to gaming.
>
> See my next mailing about this.
> I explained it now 10 times, and maybe
> you read the 11th.
> That's what the backlink is for.

Just because you repeat something 10 times does not make it right

>
>> Taking care of a complaint can be as simple as closing the ticket.
>
> Right, and to give a comment, select a category or whatever.

You don't know how our ticketing system works or that of anyone else other than your own.

If we simply close a ticket you won't see anything

>
> But: you will still get those that do not react at all,
> that have a dead abuse address aso.

So you won't know about them.
Or, as someone else suggested, you could simply route all the email to /dev/null

>
> And it will be quite easy to detect, if one member
> simply closes all his tickets without giving
> any feedback.

Why would anyone "give feedback" if the "complaints" were just a massive waste of time to deal with?

>
>>> Looks like you did not read the DRAFT at all.
>>> That's exactly why we need a system at RIPE.
>>> And the pros and cons of such a system are discussed here since last week.
>> And I and others have pointed out why such a centralised system is a fundamentally flawed idea
>
> Right, but it's not at all helpful to repeat the cons.

Why? Because you don't like them?

>
> It would be more helpful, if you present ideas to make a whatever
> anti abuse system make it to work, so that you like it.

If you want to push standardising abuse reports then I'd be more than happy to help you.

>
> What do you need to drop your cons?

A sane solution to be presented to me by someone who actually has an understanding of how things work in the real world?

>
>>>>>> 3. Give RIPE possibility to fine the misbehaving ISP or to cancel the agreement in worst case scenario.
>>>>> A big yes, but we will have to find consensus here, whats worse
>>>>> and what punishment could happen, there are a lot of possibilities.
>>>> You cannot expect anyone to agree to being fined without workable definitions
>>> Again, you don't need a definition.
>>> It's only important that the members takes care about complaints.
>> "Take care" how exactly?
>
> Up to the member.
> Nobody will tell the member how to react, and how could we?

Hang on.

You want to modify the RIPE contracts with each and every member and introduce penalties etc.,

You need to be less vague.

>
>> You really can't be this vague if you want to modify a contract and introduce censure against RIPE members
>>>>>> Cons. I don't know if the spamreports on spamcop are reliable or if they can be forged by spammers.
>>>>>> I guess there should be some way of fixing that problem if that is the case.
>>>>> The system is well known, and most big provider use it
>>>> That's a wonderfully broad sweeping statement.
>>>> Do you have proof to back that up?
>>> No, and I don't have to, because I said, that RIPE needs an own system
>>> to be bullet-proof, other source "could" be used to prove
>>> own data, nothing more.
>> You are putting forward a proposal which you expect to be taken seriously
>
> Not at all, it's a draft for discussion, that's what we are
> doing here. The next version will be much better and suit
> the needs of much more people here on the list.
> But surely only those that give feedback about how to make it better.

Well I've told you clearly what I don't like.

>
>> If you cannot defend it properly why did you even start?
>
> Sorry, you don't help the discussion.
> All you do is criticising me (not for the first time
> and too personal I would say).

Of course I am going to criticise your idea - it's malformed and totally unreasonable

>
> I have nothing to "defend", an RFC is a
> "request for comment", if you don't know that.
>
> Do your comments, give ideas, tell me how to make
> a better system, that suits even more people.
>
> Others on this list give really valuable feedback,
> like "hm, that's not a good idea, you did not think
> about this or that, better do it this way",
> that's what I need.

So because you don't like my feedback you think it's not "valuable"?

>
> But I can write an RFC with the title
> "RFC 3302: why frank is that stupid"
> then you can comment me personally ...
>
>
> Kind regards, Frank
>
>>>
>>> Kind regards, Frank
>>>
>>>>>> Martin Tranefjord
>>>>>>
>>>> Mr Michele Neylon
>>>> Blacknight Solutions
>>>> Hosting & Colocation, Brand Protection
>>>> ICANN Accredited Registrar
>>>> http://www.blacknight.com/
>>>> http://blog.blacknight.com/
>>>> http://mneylon.tel
>>>> Intl.
>>>> +353 (0) 59 9183072
>>>> US: 213-233-1612 UK: 0844 484 9361
>>>> Locall: 1850 929 929
>>>> Direct Dial: +353 (0)59 9183090
>>>> Twitter: http://twitter.com/mneylon
>>>> -------------------------------
>>>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>>>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>>
>>> --
>>>
>>> Kind regards,
>>> --
>>> PHADE Software - PowerWeb http://www.powerweb.de
>>> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
>>> Schinkelstrasse 17 fon: +49 33200 52920
>>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
>>> ======================================================================
>>> Public PGP Key available for frank at powerweb.de
>>>
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> ICANN Accredited Registrar
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://mneylon.tel
>> Intl. +353 (0) 59 9183072
>> US: 213-233-1612 UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Twitter: http://twitter.com/mneylon
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
> --
>
> Kind regards,
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl.
+353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ripe-anti-spam-wg at powerweb.de Mon Apr 12 12:40:52 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 12:40:52 +0200
Subject: [anti-abuse-wg] spam definition
In-Reply-To:
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de>
Message-ID: <4BC2F8B4.1010308@powerweb.de>

Thor Kottelin wrote:

Hello Thor,

>> -----Original Message-----
>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net] On Behalf Of Frank Gadegast
>> Sent: Monday, April 12, 2010 1:03 PM
>> To: Esa Laitinen; anti-abuse-wg at ripe.net
>
>> If I complain about that the webpage of the ISP looks stupid
>> I could complain about it, if I dont like the weather in finland,
>> I could complain about, and thats still something the ISP
>> should take care of.
>
> This would fall outside the scope of the Anti-Abuse WG, becoming off topic here.
>

Why that?

An abuse complaint is an abuse complaint and belongs to this discussion.
The question is, how the member has to handle it.

Give me details and ideas instead of "washing" it away ...

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

--

Kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From ripe-anti-spam-wg at powerweb.de Mon Apr 12 12:50:42 2010
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 12 Apr 2010 12:50:42 +0200
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC2E703.1000400@blacknight.com>
References: <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2E703.1000400@blacknight.com>
Message-ID: <4BC2FB02.70708@powerweb.de>

Niall Donegan wrote:

Hello Niall,

> Dipl-Inform. Frank Gadegast wrote:
>> I think that everything IS spam, what somebody, who receives it, is bothered
>> with, because he did not want it, he feels offended, did not ask for it
>> or whatever personal reason.
>
> Just to give you a very specific example that we received last week from
> AOL's Scomp. It was an email which a real estate management company sent
> to the landlord, informing them that the tenant had paid the rent,
> however they were asking if someone could come over and check the cold
> water tap in the bathroom. The landlord just hit "Report Spam".
>
> By your definition, that is spam, as the landlord didn't want it. I'm
> sure everyone on this list who runs an abuse desk can share similar
> stories. I know we have plenty more examples.

Use the backlink and click "is no spam".

> The problem here is user education. A lot of users see the "Report Spam"
> button as a "Delete And Don't Come Back" button, not understanding the
> difference between Spam and legitimate email which they don't like.

Yes, that's why there is a need for the backlink, so that you,
being more educated, can correct the situation easily.

And remember: your abuse team has already to do this.
Maybe your example brought your IP into Spamcop.
You will have to react and select the right category
already so that spamcop does not include your IP
in the blacklist.

Nothing else you should have to do with the RIPE system,
just repair your credibility by following a link.
That's no different and not more work than before.

But this would identify you as being a member taking
care about the usage of the services you got from RIPE.
Is that bad for you? Don't think so.

And anybody that's doing nothing will be identified too ;o)

> Niall.

Think about future developments:
- maybe one day the RIPE system is that reliable, that
  other blacklists catch up on the feedback data collected
  at RIPE, so that your abuse team only has to comment
  the complaint once and your IP will be removed automatically
  from other lists, or your comment will be used there too

then you will have LESS work ...


Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From james.davis at ja.net Mon Apr 12 12:56:18 2010
From: james.davis at ja.net (James Davis)
Date: Mon, 12 Apr 2010 11:56:18 +0100
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC2F8B4.1010308@powerweb.de>
References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <4BC2F8B4.1010308@powerweb.de>
Message-ID: <4BC2FC52.9060507@ja.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Gadegast wrote:

> Why that?
>
> An abuse complaint is an abuse complaint and belongs to this discussion.
> The question is, how the member has to handle it.
>
> Give me details and ideas instead of "washing" it away ...

In the four years I've been sitting behind our rather busy abuse mailbox
we've had questions like:

"Your customer published something I don't agree with. Take their
website down now!"

"Someone broke into my office, please could you send the security staff
around sometime today".

"My ex boyfriend is really annoying me, please tell him to stop
e-mailing me".

"I was playing CS2 with a ping time of 15ms, now 14ms, helpz!"

"My internet activity is being traced by the Illuminati using your
network, please help me. There's an albino monk at my door!"

None of these are cases of *network* abuse, even though they often end up
in an abuse mailbox, and so outside the scope of the address.

HTH,

James

- --
James Davis +44 1235 822 229 PGP: 0xD1622876
JANET CSIRT 0870 850 2340 (+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFLwvxShZi14NFiKHYRAkP4AJ9iNwv0HPag51osszhHLG47JNt3UgCdFqCe
4FE92KCYM8cBItNF68s5yAU=
=iRwI
-----END PGP SIGNATURE-----

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

From michele at blacknight.ie Mon Apr 12 12:58:38 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 12 Apr 2010 10:58:38 +0000
Subject: [anti-abuse-wg] spam definition
In-Reply-To: <4BC2FB02.70708@powerweb.de>
References: <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2E703.1000400@blacknight.com> <4BC2FB02.70708@powerweb.de>
Message-ID: <2B95064C-FF8A-4453-BE07-11D715D178E6@blacknight.ie>

Frank

On 12 Apr 2010, at 11:50, Frank Gadegast wrote:

> And remember: your abuse team has already to do this.
> Maybe your example brought your IP into Spamcop.
> You will have to react and select the right category > already so that spamcop does not include your IP > in the blacklist. That's not entirely true First off with Spamcop you have an option for some types of reports "don't tell me about this again" (or something like that) Secondly, if Spamcop lists an IP allocated to one of my customers who haven't done a particularly good job of keeping their IPs "clean", then why would I care if it's listed or not? Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From michele at blacknight.ie Mon Apr 12 13:02:22 2010 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Mon, 12 Apr 2010 11:02:22 +0000 Subject: [anti-abuse-wg] spam definition In-Reply-To: <4BC2FC52.9060507@ja.net> References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <4BC2F8B4.1010308@powerweb.de> <4BC2FC52.9060507@ja.net> Message-ID: On 12 Apr 2010, at 11:56, James Davis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Frank Gadegast wrote: > >> Why that ? >> >> An abuse complaint is an abuse complaint and belongs to this discussion. >> The question is, how the member has to handle it. >> >> Give me details and ideas instead of "washing" it away ... > > In the four years I've been sitting behind our rather busy abuse mailbox > we've had questions like: > > "Your customer published something I don't agree with. Take their > website down now!" 
> > "Someone broke into my office, please could you send the security staff > around sometime today". > > "My ex boyfriend is really annoying me, please tell him to stop > e-mailing me". > > "I was playing CS2 with a ping time of 15ms, now 14ms, helpz!" > > "My internet activity is being traced by the Illuminati using your > network, please help me. There's an albino monk at my door!" > > None of these are cases of *network* abuse, even though they often end up > in an abuse mailbox, and so outside the scope of the address. James Sounds very similar to the type of stuff we get, though I don't think we've ever had any claims about the illuminati :) We did, however, have one guy who reported our abuse desk response to us as abuse (try to make sense of that sentence!) Regards Michele > Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From frank at powerweb.de Mon Apr 12 13:17:37 2010 From: frank at powerweb.de (Frank Gadegast) Date: Mon, 12 Apr 2010 13:17:37 +0200 Subject: [anti-abuse-wg] spam definition In-Reply-To: References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <4BC2F8B4.1010308@powerweb.de> <4BC2FC52.9060507@ja.net> Message-ID: <4BC30151.3070707@powerweb.de> > Michele Neylon :: Blacknight wrote: Dear Michele, > Why would anyone "give feedback" if the "complaints" were just a massive waste of time to deal with? That's a question, that is something we can talk about and that we can discuss, exchange estimations, whatever. 
I even suggested, that the RIPE system could analyze reports like spamcop does this, the end user gets also a webinterface to drop his spam into, and the correctness of the email will be checked and delivered to the right member. I even suggested, that we could hide the real member's abuse address this way. So there will be only REAL spam abuse reports coming in from that part of the system, highly trustable. Will that not be valuable for every member too ? I gave my comment in another mail coming right now to you. I don't think, that it will cause that much more work for the member. Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From frank at powerweb.de Mon Apr 12 13:24:42 2010 From: frank at powerweb.de (Frank Gadegast) Date: Mon, 12 Apr 2010 13:24:42 +0200 Subject: [anti-abuse-wg] spam definition In-Reply-To: <4BC2FC52.9060507@ja.net> References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <4BC2F8B4.1010308@powerweb.de> <4BC2FC52.9060507@ja.net> Message-ID: <4BC302FA.7060407@powerweb.de> James Davis wrote: Hello, > Frank Gadegast wrote: > >> Why that ? >> >> An abuse complaint is an abuse complaint and belongs to this discussion. >> The question is, how the member has to handle it. >> >> Give me details and ideas instead of "washing" it away ... > > In the four years I've been sitting behind our rather busy abuse mailbox > we've had questions like: > > "Your customer published something I don't agree with. Take their > website down now!" > > "Someone broke into my office, please could you send the security staff > around sometime today". 
> > "My ex boyfriend is really annoying me, please tell him to stop > e-mailing me". > > "I was playing CS2 with a ping time of 15ms, now 14ms, helpz!" > > "My internet activity is being traced by the Illuminati using your > network, please help me. There's an albino monk at my door!" > > None of these are cases of *network* abuse, even though they often end up > in an abuse mailbox, and so outside the scope of the address. You see, they are already bothering you. So let's create a system that's better. A standard report format could be better. The RIPE system could generate that by supplying an easy form with explanations and FAQs. The RIPE system could hide your abuse address from this stuff. There will be no need for any abuse contact in RIPE objects anymore. Let's drop my idea with the general IP-address-like email address and let the system under http://abuse.ripe.net present a form instead, that's capable of analysing reports much better and filter the most stupid things out. And filter spam reports out, that don't belong to you ... And think about how valuable this system will be for all those, that do not have a good abuse team so far. I bet a lot of members are not publishing their abuse address, because they don't want to be annoyed with these cases you described and they will be happy to use this system instead. Kind regards, Frank > > HTH, > > James > > - -- > James Davis +44 1235 822 229 PGP: 0xD1622876 > JANET CSIRT 0870 850 2340 (+44 1235 822 340) > Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iD8DBQFLwvxShZi14NFiKHYRAkP4AJ9iNwv0HPag51osszhHLG47JNt3UgCdFqCe > 4FE92KCYM8cBItNF68s5yAU= > =iRwI > -----END PGP SIGNATURE----- > > JANET(UK) is a trading name of The JNT Association, a company limited > by guarantee which is registered in England under No. 
2881024 > and whose Registered Office is at Lumen House, Library Avenue, > Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG > > > -- With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From frank at powerweb.de Mon Apr 12 13:27:48 2010 From: frank at powerweb.de (Frank Gadegast) Date: Mon, 12 Apr 2010 13:27:48 +0200 Subject: [anti-abuse-wg] spam definition In-Reply-To: <2B95064C-FF8A-4453-BE07-11D715D178E6@blacknight.ie> References: <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2E703.1000400@blacknight.com> <4BC2FB02.70708@powerweb.de> <2B95064C-FF8A-4453-BE07-11D715D178E6@blacknight.ie> Message-ID: <4BC303B4.5050107@powerweb.de> Michele Neylon :: Blacknight wrote: > Frank Dear Michele, > On 12 Apr 2010, at 11:50, Frank Gadegast wrote: > >> And remember: your abuse team has already to do this. >> Maybe your example brought your IP into Spamcop. >> You will have to react and select the right category >> already so that spamcop does not include your IP >> in the blacklist. > > That's not entirely true > > First off with Spamcop you have an option for some types of reports "don't tell me about this again" (or something like that) Surely that should not be possible. If we change RIPE's regulations, that any member is responsible for reports, it should not be an option to ignore it again, right ? > Secondly, if Spamcop lists an IP allocated to one of my customers who haven't done a particularly good job of keeping their IPs "clean", then why would I care if it's listed or not? Not getting it. Because your customers are making a fairly enough good job, you don't take new incidents seriously ? 
Select "forwarded to the end user" in the backlink and send it to him again ... Kind regards, Frank > > > Regards > > Michele > > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > ICANN Accredited Registrar > http://www.blacknight.com/ > http://blog.blacknight.com/ > http://mneylon.tel > Intl. +353 (0) 59 9183072 > US: 213-233-1612 > UK: 0844 484 9361 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > > -- With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From michele at blacknight.ie Mon Apr 12 13:37:35 2010 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Mon, 12 Apr 2010 11:37:35 +0000 Subject: [anti-abuse-wg] spam definition In-Reply-To: <4BC302FA.7060407@powerweb.de> References: <4BC1B799.9020906@hovland.cx> <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2EFB9.4030603@powerweb.de> <4BC2F8B4.1010308@powerweb.de> <4BC2FC52.9060507@ja.net> <4BC302FA.7060407@powerweb.de> Message-ID: <55417113-8781-4321-8DAD-4493034AB14A@blacknight.ie> Frank > > > A standard report format could be better. Yes - I would support that > The RIPE system could generate that by supplying > an easy form with explanations and FAQs. > The RIPE system could hide your abuse address > from this stuff. > > There will be no need for any abuse contact > in RIPE objects anymore. 
> > Let's drop my idea with the general IP-address-like > email address and let the system under > http://abuse.ripe.net present a form instead, > that's capable of analysing reports much better > and filter the most stupid things out. > And filter spam reports out, that don't > belong to you ... Making people use a webform instead of email is counter-intuitive. > > > I bet a lot of members are not publishing > their abuse address, because they don't > want to be annoyed with these cases you > described and they will be > happy to use this system instead. If you offer other services you probably will have to publish an abuse address somewhere else Also, just because you don't have an abuse address does not mean that you won't get abuse reports .. Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From brian.nisbet at heanet.ie Mon Apr 12 14:04:21 2010 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Mon, 12 Apr 2010 13:04:21 +0100 Subject: [anti-abuse-wg] Draft Proposals and Spam Definition - A Call for a Pause Message-ID: <4BC30C45.6000502@heanet.ie> Afternoon, I feel, at this point, that the conversation is getting rather circular and more argumentative than we would like. It is probably best if, Frank, you take the feedback you've collected so far and consider how you wish to proceed. Based on the list traffic so far I think you have a lot to work with and some feeling of how your ideas have been received so far. 
For everyone else, Frank has said he has taken the feedback and is preparing a new draft, so perhaps it would be best at this point to wait for any updated proposals before proceeding further. It should be noted that considering the far reaching nature of these ideas, the full PDP process will need to be followed, should Frank decide to make a formal proposal. Frank, I'm not sure if you'll be joining us in Prague, but I would like to invite you to speak at the meeting as I am sure some discussion will take place at RIPE 60. Thanks, Brian. From peter at hk.ipsec.se Mon Apr 12 19:23:46 2010 From: peter at hk.ipsec.se (peter h) Date: Mon, 12 Apr 2010 19:23:46 +0200 Subject: [anti-abuse-wg] spam definition In-Reply-To: <2B95064C-FF8A-4453-BE07-11D715D178E6@blacknight.ie> References: <201004111512.o3BFCSOa020997@www.powerweb.de> <4BC2FB02.70708@powerweb.de> <2B95064C-FF8A-4453-BE07-11D715D178E6@blacknight.ie> Message-ID: <201004121923.47003.peter@hk.ipsec.se> On Monday 12 April 2010 12.58, Michele Neylon :: Blacknight wrote: > Frank > > On 12 Apr 2010, at 11:50, Frank Gadegast wrote: > > > And remember: your abuse team has already to do this. > > Maybe your example brought your IP into Spamcop. > > You will have to react and select the right category > > already so that spamcop does not include your IP > > in the blacklist. > > That's not entirely true > > First off with Spamcop you have an option for some types of reports "don't tell me about this again" (or something like that) > > Secondly, if Spamcop lists an IP allocated to one of my customers who haven't done > a particularly good job of keeping their IPs "clean", then why would I care if > it's listed or not? That's the issue in a nutshell. An ISP that does not care if one of his/her customers spams IS the problem. By ignoring the complaints more blacklists will block the entire ISP. 
Also, many spamming customers use dynamic addresses, thus the single address that spamcop blocks will belong to an innocent bystander the next day ( blocking another address). > > > Regards > > Michele > > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > ICANN Accredited Registrar > http://www.blacknight.com/ > http://blog.blacknight.com/ > http://mneylon.tel > Intl. +353 (0) 59 9183072 > US: 213-233-1612 > UK: 0844 484 9361 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. ) From mir at ripe.net Mon Apr 26 16:22:58 2010 From: mir at ripe.net (Mirjam Kuehne) Date: Mon, 26 Apr 2010 16:22:58 +0200 Subject: [anti-abuse-wg] Abuse Finder Tool Message-ID: <4BD5A1C2.5050503@ripe.net> [apologies for duplicates] Dear colleagues, If you ever wished there would be an easier way to find all abuse-related contact information for a specific network in the RIPE Database, this new Abuse Finder tool might be interesting for you: http://labs.ripe.net/content/abuse-finder As always, please let us know what you think. We are also curious to find out if there are other more customised 'use case queries' you would find useful. 
We set up a forum to gather your feedback: http://labs.ripe.net/content/ripe-database-api-0 Kind Regards, Mirjam Kühne RIPE NCC From balasari at gmail.com Mon Apr 26 17:45:12 2010 From: balasari at gmail.com (Balaji Nagalgave) Date: Mon, 26 Apr 2010 10:45:12 -0500 (CDT) Subject: [anti-abuse-wg] Invitation from Balaji Nagalgave Message-ID: <20100426154512.BED878386A@toulouse.intechnic.com> Balaji Nagalgave is inviting you to join Resumark.com Post your resume (we can hide it from your boss) and make $1 every time an employer downloads it! Know anyone who is looking for a job? Get paid for inviting them. In today's economy even job search monsters are not enough. We help you find a job by doing something that hasn't been done before: We pay YOU for your resume! Count me in! How this works? Message from Resumark.com: Greetings! We've been working hard on this website to help people find jobs in this economy. We don't think it is fair for other websites to capitalize on people's resumes so we came up with an idea to share the money that employers pay for resumes with those who are looking for jobs. Doesn't this sound like the right thing to do? We appeal to you - please help us spread the word to others who can benefit from this website! Thank you! The Resumark Team Resumark.com You received this e-mail because someone you know thought you may find this website interesting. 
If you no longer wish to receive any e-mails from us, please go to http://www.resumark.com/block.html?env=donotinvite---OnBlock-&email=anti-abuse-wg at ripe.net 
From peter at hk.ipsec.se Mon Apr 26 18:04:21 2010 From: peter at hk.ipsec.se (peter h) Date: Mon, 26 Apr 2010 18:04:21 +0200 Subject: [anti-abuse-wg] Invitation from Balaji Nagalgave In-Reply-To: <20100426154512.BED878386A@toulouse.intechnic.com> References: <20100426154512.BED878386A@toulouse.intechnic.com> Message-ID: <201004261804.22157.peter@hk.ipsec.se> Spam received on an anti-spam (sorry anti-abuse) mailinglist. How ironic ! Source ( 66.110.24.210 ) seems to be Intechnic Corporation a new spammer corporation. On Monday 26 April 2010 17.45, Balaji Nagalgave wrote: > > Balaji Nagalgave is inviting you to join Resumark.com > > Post your resume (we can hide it from your boss) and make $1 every time an employer downloads it! > > Know anyone who is looking for a job? Get paid for inviting them. > > In today's economy even job search monsters are not enough. We help you find a job by doing something that hasn't been done before: > > We pay YOU for your resume! > > Count me in! How this works? > > Message from Resumark.com: > > Greetings! > > We've been working hard on this website to help people find jobs in this economy. We don't think it is fair for other websites to capitalize on people's resumes so we came up with an idea to share the money that employers pay for resumes with those who are looking for jobs. Doesn't this sound like the right thing to do? We appeal to you - please help us spread the word to others who can benefit from this website! > Thank you! > > The Resumark Team > > Resumark.com > > You received this e-mail because someone you know thought you may find this website interesting. If you no longer wish to receive any e-mails from us, please go to http://www.resumark.com/block.html?env=donotinvite---OnBlock-&email=anti-abuse-wg at ripe.net > > -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. 
( It is cheaper to do it right. It is expensive to fix mistakes. ) From peter at hk.ipsec.se Mon Apr 26 18:06:05 2010 From: peter at hk.ipsec.se (peter h) Date: Mon, 26 Apr 2010 18:06:05 +0200 Subject: [anti-abuse-wg] Abuse Finder Tool In-Reply-To: <4BD5A1C2.5050503@ripe.net> References: <4BD5A1C2.5050503@ripe.net> Message-ID: <201004261806.05859.peter@hk.ipsec.se> On Monday 26 April 2010 16.22, Mirjam Kuehne wrote: > [apologies for duplicates] > > Dear colleagues, > > If you ever wished there would be an easier way to find all > abuse-related contact information for a specific network in the RIPE > Database, this new Abuse Finder tool might be interesting for you: > > http://labs.ripe.net/content/abuse-finder The webform seems to need userid/password. Where do I get this ? Also, I personally would prefer scriptable stuff ( anything that generates text output that may be scripted) Any hope for that ? > > As always, please let us know what you think. We are also curious to > find out if there are other more customised 'use case queries' you would > find useful. We set up a forum to gather your feedback: > > http://labs.ripe.net/content/ripe-database-api-0 > > Kind Regards, > Mirjam Kühne > RIPE NCC > > -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. ) From ppalse at ripe.net Tue Apr 27 12:33:06 2010 From: ppalse at ripe.net (Paul Palse) Date: Tue, 27 Apr 2010 12:33:06 +0200 Subject: [anti-abuse-wg] Abuse Finder Tool In-Reply-To: <201004261806.05859.peter@hk.ipsec.se> References: <4BD5A1C2.5050503@ripe.net> <201004261806.05859.peter@hk.ipsec.se> Message-ID: <581CB483-A2AD-4B9E-9571-BDCBB3FD5F44@ripe.net> Dear Peter, The "Abuse Finder" form doesn't need a UserID and Password. If you are referring to the Labs site, then I suggest you just register yourself and you'll be able to post to the forum. 
The "Abuse Finder" form actually uses an extension to the RIPE Database Query API, which is implemented in the form of a RESTful Web Service. The API allows you to write scripts against this search tool and responses can be received in either XML or JSON format for easy parsing. We will be updating the API documentation soon, but in the meantime you could try clicking the XML and JSON icons next to the response from the "Abuse Finder" form to see the original response from the web service. Regards, Paul Palse -- Database Group Manager at RIPE NCC http://www.ripe.net/info/ncc/contact.html On 26 Apr, 2010 Week: 18, at 18:06 PM, peter h wrote: > On Monday 26 April 2010 16.22, Mirjam Kuehne wrote: >> [apologies for duplicates] >> >> Dear colleagues, >> >> If you ever wished there would be an easier way to find all >> abuse-related contact information for a specific network in the RIPE >> Database, this new Abuse Finder tool might be interesting for you: >> >> http://labs.ripe.net/content/abuse-finder > > The webform seems to need userid/password. Where do I get this ? > > > Also, I personally would prefer scriptable stuff ( anything that > generates > text output that may be scripted) Any hope for that ? > >> >> As always, please let us know what you think. We are also curious to >> find out if there are other more customised 'use case queries' you >> would >> find useful. We set up a forum to gather your feedback: >> >> http://labs.ripe.net/content/ripe-database-api-0 >> >> Kind Regards, >> Mirjam Kühne >> RIPE NCC >> >> > > -- > Peter Håkanson > > There's never money to do it right, but always money to do it > again ... and again ... and again ... and again. > ( It is cheaper to do it right. It is expensive to fix mistakes. 
) > From denis at ripe.net Tue Apr 27 13:01:06 2010 From: denis at ripe.net (Denis Walker) Date: Tue, 27 Apr 2010 13:01:06 +0200 Subject: [anti-abuse-wg] Abuse Finder Tool In-Reply-To: <581CB483-A2AD-4B9E-9571-BDCBB3FD5F44@ripe.net> References: <4BD5A1C2.5050503@ripe.net> <201004261806.05859.peter@hk.ipsec.se> <581CB483-A2AD-4B9E-9571-BDCBB3FD5F44@ripe.net> Message-ID: <4BD6C3F2.20809@ripe.net> Dear Colleagues, We received these suggestions in response to the Abuse Finder tool announced on RIPE Labs http://labs.ripe.net/content/abuse-finder - it would be helpful, if it's noted in the output from which object or field the abuse email address was extracted from (e.g. admin-c, tech-c, remarks, abuse-field and so on) so output could look like: admin-c: noc at tester.de abuse-email: abuse at tester.de so that one can decide, which one is really relevant for the own needs - what are the exact limits ? - is there a way of raising the limits for special cases (we maintain our own spam blacklist and do send about 30.000 reports, where there are about 5.000 to 8.000 reports originate from the RIPE region) daily - how can the finder be tested via other protocols (than just a webpage) We did think about applying some weighting to the email addresses returned. However, the abuse handling data is not structured within the RIPE Database. There are many places the abuse handling email can be put. This depends on where the network administrator thinks is the most appropriate place. It could be in an IRT object. Or in the admin-c of the maintainer of the INETNUM object. Because it is very subjective, one address is no more valuable or important than another. In most cases you are unlikely to receive a long list of email address options. So the actual objects they came from are less important. One of the main reasons for developing this tool is to reduce the need for users to query for personal data objects. In which case limits become less relevant. 
With the current data structure we cannot yet totally remove this need. Many abuse email addresses are contained in remarks, some of which are within personal data objects. We return links to the objects that contain remarks that may hold such an email address. If the tool does not return any "abuse-mailbox:" email addresses you will need to follow these links to the suggested objects with remarks. By pointing to those objects that have such remarks this tool avoids the need for users to directly query for all personal data objects referenced. The back end web service can be accessed via any HTTP client library. The response is available in XML or JSON. Regards Denis Walker Business Analyst RIPE NCC Database Group
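The lookup Denis describes, with each address labelled by the object and attribute it came from as the first suggestion asks, written out as an added example; it is not RIPE NCC code and does not use the Abuse Finder web service. The objects are constructed sample data in RIPE Database text layout, and all function names, object names and addresses are assumptions.

```python
import re

# Constructed sample objects in RIPE Database (RPSL) text layout.
# Every name and address is invented; the range is documentation space.
SAMPLE_OBJECTS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX1-TEST
mnt-irt:        IRT-EXAMPLE
remarks:        Abuse reports to abuse@example.net only
source:         TEST

irt:            IRT-EXAMPLE
address:        Example Street 1
abuse-mailbox:  cert@example.net
e-mail:         irt-office@example.net
source:         TEST

role:           Example NOC
nic-hdl:        EX1-TEST
e-mail:         noc@example.net
remarks:        +----------------------------+
remarks:        | spam: ABUSE at example.org |
remarks:        +----------------------------+
source:         TEST
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):              # server comment line
            continue
        if not line.strip():                  # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:     # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].strip()).strip())
            continue
        match = ATTR_RE.match(line)
        if match:
            current.append((match.group(1).lower(), match.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def find_abuse_contacts(text):
    """Return (email, object type, object key, attribute), unranked.

    Dedicated "abuse-mailbox:" values are always taken; "remarks:" lines
    are only searched when they mention abuse, since they are free text.
    """
    found, seen = [], set()
    for obj in parse_objects(text):
        obj_type, obj_key = obj[0]            # first attribute names the object
        for attr, value in obj:
            if attr == "abuse-mailbox" or (
                attr == "remarks" and "abuse" in value.lower()
            ):
                for email in EMAIL_RE.findall(value):
                    entry = (email.lower(), obj_type, obj_key, attr)
                    if entry not in seen:
                        seen.add(entry)
                        found.append(entry)
    return found


def remarks_needing_review(text):
    """Objects whose remarks mention abuse but hold no parseable address."""
    review = []
    for obj in parse_objects(text):
        obj_type, obj_key = obj[0]
        hits = [v for a, v in obj if a == "remarks" and "abuse" in v.lower()]
        if hits and not any(EMAIL_RE.search(v) for v in hits):
            review.append((obj_type, obj_key))
    return review


if __name__ == "__main__":
    for email, obj_type, obj_key, attr in find_abuse_contacts(SAMPLE_OBJECTS):
        print(f"{attr}: {email}  (from {obj_type} {obj_key})")
    for obj_type, obj_key in remarks_needing_review(SAMPLE_OBJECTS):
        print(f"check remarks by hand: {obj_type} {obj_key}")
```

The role object's boxed remark writes its address as "ABUSE at example.org", so it is reported for manual follow-up rather than guessed at, which matches the fallback of following the link to an object with remarks.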