From emadaio at ripe.net Wed Dec 1 16:16:52 2010
From: emadaio at ripe.net (Emilio Madaio)
Date: Wed, 01 Dec 2010 16:16:52 +0100
Subject: [anti-abuse-wg] 2010-09 Policy Proposal Withdrawn (Frequent Update Request)
Message-ID: <20101201151652.55E286A002@postboy.ripe.net>

Dear Colleagues,

The proposal has been withdrawn. It is now archived and can be found at:

http://ripe.net/ripe/policies/proposals/2010-09.html

Reason for withdrawal: the proposer decided to withdraw the proposal based on the feedback received at RIPE 61. A task force will be organised to solve the implementation issues pointed out by the proposal discussion.

Regards

Emilio Madaio
Policy Development Officer
RIPE NCC


From heather.skanks at gmail.com Wed Dec 1 17:51:01 2010
From: heather.skanks at gmail.com (Heather Schiller)
Date: Wed, 1 Dec 2010 11:51:01 -0500
Subject: [anti-abuse-wg] 2010-09 New Policy Proposal (Frequent Update Request)
In-Reply-To: <1289395081.2235.175.camel@shane-asus-laptop>
References: <20101109145022.A93F36A021@postboy.ripe.net> <1289395081.2235.175.camel@shane-asus-laptop>
Message-ID:

In the ARIN region we attempted to safeguard against the list being misused by making the data available only to entities who have qualified to obtain bulk whois data from ARIN. In order to obtain bulk whois data, you must sign an agreement with ARIN and meet certain qualifications:

https://www.arin.net/resources/services/poc_validation_readme.html

Ideally, the data would be used for good and not evil -- that service providers would check against the list before permitting a prefix to be announced.

--Heather

On Wed, Nov 10, 2010 at 8:18 AM, Shane Kerr wrote:
> Hello,
>
> I recall when ARIN was discussing automatically marking non-responsive
> contacts in their database, a concern did come up. The concern was that
> address hijackers would have an excellent pre-filtered list of networks
> that are likely to be poorly maintained.
>
> A spammer could:
>
>     1. Download the latest list of non-responsive object owners.
>     2. Download the latest list of inetnum in the RIPE Database.
>     3. Extract out the network ranges with non-responsive object
>        owners.
>     4. Find those network ranges that also happen to be missing from
>        BGP.
>     5. Advertise those ranges.
>     6. Send spam from those ranges.
>     7. Profit!
>
> Since the spammer knows that the mail for these ranges doesn't work, she
> can be pretty sure that it will take a while for the good guys to figure
> out what is going on. By that time she's sipping cocktails on the beach.
>
> I am not opposed to having regular checks of contact information. I am
> not even opposed to providing a public view of the "quality" of contact
> information, as proposed in 2010-09.
>
> However, perhaps a better way forward would be to make this something
> handled in the context of the RIPE NCC/LIR relationship.
>
> Keeping in mind that these are people who have been contacted via the
> LIR Portal and e-mail, they need to be encouraged to care a bit. There
> are several ways this could be done:
>
>      * Changing the contact information on the maintainers to the
>        contact for the LIR, along with an appropriate message
>        explaining it (I think the LIR contact information is corrected
>        at least often enough to send an annual invoice)
>      * Require checking of maintainer information before receiving
>        future RIPE NCC registration services (this will probably be
>        less important post-IPv4 runout... what services do I need after
>        I get my IPv6 /32 block!?!)
>      * Adding a penalty in the annual membership fees if maintainer
>        information is not confirmed (I suppose this could be named a
>        "Good Quality Discount" instead, but that amounts to the same
>        thing)
>      * Revoking the resources from the LIR
>
> The problem here, as always, is that LIRs set the policies, and I think
> they are unlikely to approve a policy that can be used against them. I
> doubt the RIPE NCC actually wants to enforce this kind of stuff either!
>
> --
> Shane
>


From brian.nisbet at heanet.ie Wed Dec 15 16:47:42 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 15 Dec 2010 15:47:42 +0000
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
Message-ID: <4D08E31E.8000909@heanet.ie>

Colleagues,

These are the draft minutes for the WG session from RIPE61. If you have any comments, please do let me know.

Brian.


Draft Anti-Abuse WG Minutes – RIPE 61
Thursday, 18 November 2010, 14:00 – Westin Excelsior Hotel, Rome, Italy
Co-Chairs: Brian Nisbet, Richard Cox
Scribe: Fergal Cunningham
Chat: Laura Cobley

A. Administrative Matters

A1. Welcome

Working Group Co-Chair Brian Nisbet welcomed attendees and explained that co-chair Richard Cox regrettably was unable to attend today's session.

James Blessing, concerned Internet citizen, said that although it was good to have an active co-chair, the reputation of the Anti-Abuse Working Group was being impacted upon by the other co-chair, and he said he would like to see this addressed. Brian said this was a matter for the AOB section of the agenda.

Brian thanked the RIPE NCC scribe and Chat monitor, and the stenographers. He asked that anyone who had a question on Chat give their full name and affiliations.

Brian asked if there were any objections to the minutes from RIPE 60 being approved. There were none, so he said the minutes were approved.

Action on RIPE NCC: Remove "Draft" status from RIPE 60 Anti-Abuse Working Group Minutes.

Brian noted that the agenda was slightly changed from the agenda posted on the mailing list because Richard was unable to attend and there were some late requests for presentations from RIPE NCC staff.
The updated agenda is available at:
http://ripe61.ripe.net/presentations/343-AA-WG_RIPE61_Agenda.pdf

B. Updates

B1. Recent List Discussion - Reporting Fraud, Database Issues, Time Stamps (-B)

Working Group Co-Chair Brian Nisbet noted that there was a lot of discussion on the mailing lists recently, and most of this was related to items that would be dealt with further down the agenda. He noted that the Anti-Abuse Working Group mailing list was not the place to report network abuse. He did remind attendees that the whois -B lookup gives the date of the last update to an object.

B2. Registrar Issues - Michele Neylon, Blacknight

Michele Neylon from Blacknight gave a presentation entitled "Abuse – Registrar Perspective". At the beginning of the presentation, Michele asked for a show of hands on attendees who had had their credit card skimmed or Paypal account attacked, and there was quite a large number of hands.

The presentation is available at:
http://ripe61.ripe.net/presentations/244-blacknight-ripe-rome-2010.pdf

Tobias Knecht, Abusix, asked how all these things should be reported in a machine-readable and in a human-readable format. He also suggested using xarf.org. Michele said they get manual reports and, if the reports are to be automated, there is no reason they can't be provided in a particular order. He said everything has to be read and investigated anyway.

Konstantin Bekreyev, DARS Telecom, asked, considering the recent increase in botnets, what he could do when spam is sent through port tcp/80 via email systems such as Hotmail. He is unable to close port 80 to these sites. Michele said he did not know and suggested reporting it to Hotmail. Brian said the big email companies have gotten better with spam and dealing with it. If abuse comes from a website then it should be reported to the original IP.

Gilles Massen, Restena Foundation, asked, since abusers are moving quickly, how Michele would react to them efficiently while protecting the innocent. Michele said you have to carefully evaluate each report you receive and you need to have a measured response.

David Freedman, Claranet, asked what kind of proactive work the registrars do. Michele said there were a lot of registrars and their methods varied. He said often the registrars and hosting operators did not have full control of the network. He said he would like to see some best practices coming out of the Anti-Abuse Working Group. Brian said producing best practice documents is an action item for this working group, and although this was not on the agenda for the current meeting, he hoped to be able to come back to the mailing list with something soon.

An attendee asked about the Google tool that was presented earlier by Michele. He said that an ISP would need to have specific examples of abuse before it would take action on a customer. He asked if the registrar would contact the customer based on a Google report alone. Brian explained that the Google safe browsing alerts tool lets Google notify you if a site you are hosting has malware. Michele said this used to be the case with registrars but now they have to take a more proactive approach because of the number of reports they receive each day. He said he would not contact anyone based on the alert alone, but the alert would give you an indication of where abuse was taking place and you can go there and see what is happening.

Andy Davidson, Netsumo, in response to the question from Konstantin, recommended a tool from Loughborough University that looks in outbound mail for evidence that someone has been phished. He added that it locks the accounts of people who have been phished. Andy said he would send details to the mailing list.

James Blessing, Limelight Networks, asked that the time stamp and correct time zone be noted in all reports.

B3. RIPE NCC Draft Closure Agreement/Service Abuse

Athina Fragkouli, RIPE NCC, gave a presentation on the new RIPE NCC document, Closure of an LIR and Deregistration of Resources.

The presentation is available at:
http://ripe61.ripe.net/presentations/281-Closure_of_LIRs_and_deregistration_of_resources_anti_abuse_aspects.pdf

Athina asked that attendees read the document and give feedback.

James Blessing, Limelight Networks, asked if the only thing that could be effected under law was full termination of the service agreement. Athina said this was the case but if the RIPE NCC received a Dutch court order it could deregister resources. She confirmed that the RIPE NCC would comply with a Dutch court order no matter what it contained.

David Freedman, Claranet, asked if there would be a way to let people know that resources were in the process of being deregistered. Athina said a tag would be added to such resources in the RIPE Database.

Brian noted that there was a bigger version of Athina's presentation available from the NCC Services Working Group and that it would be made available in that working group's archive.

Volodymyr Yakovenko, Google, asked if there was an example of a Dutch court order available and the conditions for such a court order. Athina said the RIPE NCC hadn't received one yet but was working with Dutch national authorities on what should be contained in such an order. Brian asked that the RIPE NCC make known to the community the outcome of the RIPE NCC's discussion with the Dutch legal authorities.

Wilfried Woeber, Database Working Group Co-Chair, said it was important to get the provisions of the document correct as soon as possible, and he also advised against overreacting to a court order in terms of deregistration. Athina said termination of the service contract between the RIPE NCC and an LIR resulted in a loss of service, and that included registration of resources.
Rob Blokzijl, RIPE Chair, said the RIPE NCC has been in contact with law enforcement agencies (LEAs) for a number of years, and the police are doubtful that they will see a need to bring a court order or deregister resources. He said LEAs are interested in stopping criminals and removing information is not something they would see as helping this goal.

Brian said further discussion of the document should take place on the RIPE NCC Services Working Group mailing list.

B4. RIPE NCC Survey on Improving RIPE Database Quality

Ferenc Csorba from the RIPE NCC gave a presentation on a survey aimed at improving RIPE Database quality.

The presentation is available at:
http://ripe61.ripe.net/presentations/279-RIPE_DB_Quality_Survey.key

There were no questions and Brian said feedback on the survey should be directed to the Database Working Group mailing list.

C. Policies

C1. 2010-08 Abuse Contact Information

Working Group Co-Chair Brian Nisbet called Tobias Knecht, Abusix, the proposer of 2010-08, on Skype. Brian noted that he had discussed the proposal with Tobias and they had talked to the Database Working Group and RIPE NCC staff. He said some changes had been recommended.

Brian explained that the proposal was to "add a mandatory reference to IRT objects in the INETNUM, INET6NUM and AUT-NUM objects in the RIPE Database". He added that potential changes to the proposal include removal of implementation details. He said there would be a redraft of the proposal and asked for any comments on having the mandatory reference to abuse contacts in IRT objects.

Michele Neylon, Blacknight, said there might be some confusion because some people seemed to be confusing introduction of a mandatory abuse contact with solving all problems. He said he foresaw problems with people expecting the proposal to have a broader impact than was originally intended.

Tobias said the main point of the proposal was the mandatory nature of having the reference, but this was something people might have to decide for themselves and he was open to hearing comments on this.

James Blessing, Limelight, said the proposal was a nice idea but there would have to be a lot of objects referenced. He recalled that there was a proposal to deregister objects that didn't have accurate details. He foresaw a situation in three months where people who did not hear about this policy would have objects deregistered. Brian said the deregistration policy was not something that would happen overnight. He said there would have to be a proper process of negotiation with the LIR before anything would happen.

Peter Koch, DENIC, said he failed to see a clear problem statement for this proposal. He said if people are not getting a response from abuse contacts, then making it mandatory would not change anything. He said if people are sending abuse reports and it's not going to the correct address, then he would like to see evidence of this.

Tobias said the problem was that there were too many places where people could add abuse contact details and people are confused. He said the main intention is to have one place where people know they have to put contact information and where other people will know they can find contact information.

Peter said he disagreed that there were too many places to put contact information already and he said it seemed to be more of an education problem than anything else. Tobias said if you are going to educate people on where to find information, it is easier to do if you know the information is in one place rather than in one or more of 15 locations.

Shane Kerr, Internet Systems Consortium, said there were already references to IRT objects in INETNUM and INET6NUM objects, and he asked if it was not to be mandatory then what was the point of having the proposal. Brian agreed that this was the crux of the issue. Tobias said there might be a better way to do things, but it is important that everyone knows how to do it.

Sascha Eilms, ECO/CSA, said he wanted to support the proposal because it showed willingness from the industry to self-regulate and tackle the problem of abuse.

Wilfried Woeber, Database Working Group Co-Chair, said he was a co-architect of the IRT object and had sympathy with the idea that there were too many choices on where to place contact information at the moment. He said that coming up with ways to simplify things does have merit.

Brian asked Tobias if, based on the comments, they could sit down and redraft the policy to be resubmitted, and Tobias agreed to this.

Shane said there was the issue of simplification that most people would agree with, but there was also the issue of making it mandatory. He suggested this should be discussed in the Address Policy Working Group because if the proposal to make this mandatory was accepted this would be a big issue for LIRs.

Peter Koch said making such an attribute mandatory would have major operational implications for the RIPE Database and said the matter of how to apply the technology was also an important issue.

Brian said they would take the comments on board when redrafting and the conversation could continue on the mailing list.

C2. 2010-09 – "Frequent Update Request" and 2010-10 "Change to RIPE 452"

Brian explained that 2010-09 was a proposal to have the RIPE NCC regularly contact all current RIPE Database object holders with resources in the RIPE Database to ask them to actively check that all their details are up-to-date. He explained that 2010-10 proposed to add a reference to the sponsoring LIR in INETNUM, INET6NUM and AUT-NUM objects to increase the possibility of abuse tracking and handling.

Brian said that these were two huge proposals with major implications.
He said he agreed with the proposers to withdraw these proposals, at least temporarily, and set up a RIPE Task Force featuring people from the RIPE Database Working Group and the Anti-Abuse Working Group among others to look at improving the registry and the RIPE Database. He said they wanted to consult the RIPE NCC and other parties to see what was the best way to deal with the issues rather than bringing a number of proposals.

Brian said the two proposals would be withdrawn with the understanding that the proposers could resubmit them if the task force did not make sufficient progress.

D. Interactions

D1. Working Groups

Working Group Co-Chair Brian Nisbet noted that there has been a lot of interaction with the RIPE Database Working Group and the RIPE NCC Services Working Group. He said the RIPE Task Force to address issues with the RIPE Database arose from communication with the RIPE NCC Services Working Group, and this task force would feed back to both those working groups as well as the Anti-Abuse Working Group.

D2. CCWP

Brian explained that Wout de Natris chaired the Cybercrime Working Party (CCWP). He said there was a meeting today that saw a number of inputs/outputs from this group. He said the main thing to come out of the meeting was the need for cross-training of the groups: technical and policy training for law enforcement agencies, and information on how to detect dubious registrations for the RIPE NCC and RIPE community.

Brian said the CCWP met approximately four times a year and it has proved to be very useful so far. He said if anyone had any input to bring to the CCWP they should talk to either Brian himself or Jochem de Ruig from the RIPE NCC.

D3. RIPE NCC Gov/LEA Interactions Update

Brian said Paul Rendek from the RIPE NCC covered this area extensively in the RIPE NCC Services Working Group and he did not want to revisit it here.

X. A.O.B.

James Blessing, concerned Internet citizen, said he noticed that Co-Chair Richard Cox tends often not to be present at RIPE Meetings or not involved, unless it is to be hostile towards RIPE itself. He asked if Richard was the correct person to be working group co-chair.

Working Group Co-Chair Brian Nisbet said he contacted Richard and asked him to respond to comments that had been made, but Brian had not heard back from Richard in relation to this.

Jim Reid, Internet citizen, said this was a delicate issue, and even if the co-chair of a working group was critical of RIPE, that is not necessarily a bad thing. He said, however, that his opinion was that Richard crossed a line insofar as his comments were unfair and unjustified, and he confused RIPE with the RIPE NCC in his comments, which is not helpful. He said Richard's comments unfairly damaged the reputation of RIPE, the RIPE NCC and the Anti-Abuse Working Group.

Rob Blokzijl, RIPE Chair, noted that this is the first time there has been a situation like this in the history of RIPE. Rob noted that the RIPE Chair, the Chairman of the RIPE NCC Executive Board and the RIPE NCC Managing Director met with Richard where they tried to clear up some misunderstandings. He said all three who met with Richard are disappointed that the outcome of this meeting, where they thought issues had been cleared up, was not reflected in subsequent posts from Richard that were published on websites. He said he felt that if you were elected to chair a working group by the RIPE community then you had a responsibility to that community and to its secretariat, the RIPE NCC. He concluded that it would be better for the community if Richard would step down so it would be clear that when he spoke he was speaking for himself and not the RIPE community.

David Freedman, Claranet, read verbatim a public post from Richard to give context to the discussion.

Brian said there was no written procedure for the current situation. Rob said that if you accept that it is up to the RIPE community to appoint working group chairs, then it is implicit that the community has the same responsibility to remove a chair when necessary.

Brian said he did not want to see a protracted discussion about this on the mailing list. He added that he spoke to Richard and asked him to consider his position but there has been no response. He asked if anyone felt the Anti-Abuse Working Group should deal with the situation or if there was any particular way that this situation should be approached.

Michele Neylon, Blacknight, said it was unfortunate there was no written procedure for this situation. He said one individual can cause major problems for a working group, whether they are a co-chair or not, and in such a situation it might be best for that person to move on. He said he respected Richard and the work he does but in this situation some decisive action was needed.

Rob said a possible solution would be for both co-chairs to step down, new chairs to be elected at the next RIPE Meeting and for Brian to act as interim chair of the working group until then. He said the simplest solution would be for this working group to decide Richard Cox was no longer a co-chair of the working group and to elect a new co-chair at the next RIPE Meeting.

Peter Koch said the session was already overrun by 15 minutes and this delicate issue should be resolved at another time.

Jim Reid said that changes of co-chair happen for various reasons and it's a natural process. He said it seemed as though Richard's time as co-chair might be over but he would be free to be involved with the working group as any other individual is welcome to be.

Rob said that if nothing were done at this session, there would be potentially six months of damage to the RIPE NCC and six months of damage to the RIPE community. He urged the community to take action at this session.
Sander Steffann, Address Policy Working Group Co-Chair, said if there was a lack of support for a working group chair then that chair should step down.

Shane Kerr, ISC, said he thought this situation might be a reflection of a larger disconnect between the Anti-Abuse Working Group and the ISPs. He said people in the Anti-Abuse Working Group often had goals that were very disconnected from the Internet community at large. He said the people in the working group would use this as another example of people in the Internet community not listening to their wishes.

Nick Hilliard, INEX, asked what the contingency plans were if Richard refused to step down as co-chair. He said he wasn't sure it was typical in RIPE for someone to be forced to step down as a working group chair because that working group has lost faith in that chair. He said the RIPE community should address the lack of a formal procedure as a matter of urgency.

James Blessing suggested it might be possible to suspend his chairmanship but it must be made clear that the working group did not support him 100% as co-chair.

Rob said it was not for Richard to decide that he represented the community; rather it was for the community to decide this. He asked the working group to make a decision or else expect to have a difficult six months ahead. He said he did not care what Richard published as long as it was disconnected from the RIPE community.

Remco van Mook, Equinix, said if this working group could not make a decision then it could be disbanded and reformed at the RIPE Plenary with new co-chairs. Rob said he was happy to support Remco's proposal. He said the Anti-Abuse Working Group had until the Closing Plenary session to resolve this matter. He added that it would be good for the whole RIPE community to be aware of its responsibilities in matters such as this one.

Brian said that he was not in favour of this option. He noted that no one had stood up to support Richard's position as co-chair.

Jim Reid said someone should post a motion of no confidence in Richard to the mailing list. Brian said the chairs were always elected at RIPE Meetings and there was no requirement to go to the mailing list with this. Rob said he felt that matters were clear but that no one was willing to say anything formally.

James Blessing said he would be willing to do what was required if he could be told exactly what that was. He asked for audible consensus from the room. The reaction was judged to be consensus.

Brian said he had discussed the matter with Rob prior to the working group session and they agreed that the working group had the authority to appoint its co-chairs and, therefore, to remove them. Brian asked if anyone was willing to stand up and object to Richard Cox being removed as Co-Chair of the Anti-Abuse Working Group. As nobody took this action, Brian declared that consensus had been reached. He said that he would require a new co-chair and he expressed his wishes that one could be in place by the RIPE 62 Meeting.

Z. Close

Brian thanked everyone for attending and for their patience and said he hoped to see everyone at RIPE 62.

The Agenda and all presentations are available at:
http://ripe61.ripe.net/programme/meeting-plan/anti-abuse-agenda/

The stenography transcript of this session is available at:
http://ripe61.ripe.net/archives/steno/4


From shane at time-travellers.org Thu Dec 16 00:15:50 2010
From: shane at time-travellers.org (Shane Kerr)
Date: Thu, 16 Dec 2010 00:15:50 +0100
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
In-Reply-To: <4D08E31E.8000909@heanet.ie>
References: <4D08E31E.8000909@heanet.ie>
Message-ID: <1292454950.25763.15900.camel@shane-asus-laptop>

Brian,

A small clarification:

On Wed, 2010-12-15 at 15:47 +0000, Brian Nisbet wrote:
> Shane Kerr, ISC, said he thought this situation might be a reflection of
> a larger disconnect between the Anti-Abuse Working Group and the ISPs.
> He said people in the Anti-Abuse Working Group often had goals that were
> very disconnected from the Internet community at large. He said the
> people in the working group would use this as another example of people
> in the Internet community not listening to their wishes.

I think that my point was that there is a disconnect between people working on anti-abuse and the ISPs, not about the Anti-Abuse Working Group or its participants. I might not have said that of course...

--
Shane


From brian.nisbet at heanet.ie Thu Dec 16 16:20:18 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 16 Dec 2010 15:20:18 +0000
Subject: [anti-abuse-wg] Re: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
In-Reply-To: <1292454950.25763.15900.camel@shane-asus-laptop>
References: <4D08E31E.8000909@heanet.ie> <1292454950.25763.15900.camel@shane-asus-laptop>
Message-ID: <4D0A2E32.8010600@heanet.ie>

Shane,

"Shane Kerr" wrote the following on 15/12/2010 23:15:
> Brian,
>
> A small clarification:
>
> On Wed, 2010-12-15 at 15:47 +0000, Brian Nisbet wrote:
>> Shane Kerr, ISC, said he thought this situation might be a reflection of
>> a larger disconnect between the Anti-Abuse Working Group and the ISPs.
>> He said people in the Anti-Abuse Working Group often had goals that were
>> very disconnected from the Internet community at large. He said the
>> people in the working group would use this as another example of people
>> in the Internet community not listening to their wishes.
>
> I think that my point was that there is a disconnect between people
> working on anti-abuse and the ISPs, not about the Anti-Abuse Working
> Group or its participants. I might not have said that of course...

I'll reflect that clarification, thanks.

Brian.
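The hijack procedure Shane Kerr sketched at the top of this thread (download the non-responsive list, download the inetnums, intersect, keep what is absent from BGP) and the pre-announcement check Heather Schiller asked for are the same computation seen from two sides. The following is an added worked example, not code from anyone in this thread or from the RIPE NCC: it builds the "exposed" set from a constructed registry, a constructed non-responsive-maintainer list and a constructed view of BGP, then uses that set to flag a customer's announcement request. The addresses are documentation and benchmarking ranges, the maintainer names and data layout are assumptions, and a real run would read a database dump and a route-collector RIB instead of the literals.

```python
# Added example, not code from the thread. Computes the "pre-filtered list"
# Shane Kerr describes (steps 1-4) from the defender's side, then applies
# Heather Schiller's pre-announcement check to a requested prefix.
# All registry, contact-status and BGP data below is constructed; the
# addresses are documentation/benchmarking ranges, not real registrations.
import ipaddress

# Constructed inetnum objects as (range, mnt-by). RIPE inetnum objects are
# stored as "start - end" ranges rather than CIDR prefixes.
REGISTRY = [
    ("192.0.2.0 - 192.0.2.255",       "MNT-ACTIVE-A"),
    ("198.51.100.0 - 198.51.100.255", "MNT-STALE-B"),
    ("203.0.113.0 - 203.0.113.255",   "MNT-STALE-C"),
    ("198.18.0.0 - 198.18.5.255",     "MNT-STALE-D"),
]
# Constructed: maintainers flagged as non-responsive by a contact-validation run.
NON_RESPONSIVE = {"MNT-STALE-B", "MNT-STALE-C", "MNT-STALE-D"}
# Constructed: prefixes currently visible in BGP (what a route-collector RIB would show).
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25"]


def inetnum_to_networks(inetnum):
    """Turn an inetnum range ('start - end') or a CIDR string into CIDR blocks.

    A range that is not CIDR-aligned expands to several blocks, e.g.
    198.18.0.0 - 198.18.5.255 -> 198.18.0.0/22 and 198.18.4.0/23.
    """
    if "/" in inetnum:                      # inet6num objects are already CIDR
        return [ipaddress.ip_network(inetnum.strip(), strict=False)]
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def subtract_announced(net, announced):
    """Return the parts of `net` that no announced prefix covers.

    CIDR blocks are either nested or disjoint, so an overlap means one
    contains the other: drop `net` if an announcement covers it, otherwise
    carve the announced sub-block out and keep the remainder. A /24 whose
    lower /25 is announced therefore leaves the upper /25 exposed.
    """
    parts = [net]
    for ann in announced:
        if ann.version != net.version:
            continue
        remaining = []
        for part in parts:
            if not part.overlaps(ann):
                remaining.append(part)
            elif part.subnet_of(ann):       # fully announced (or equal): not exposed
                continue
            else:                           # ann is a strict sub-block of part
                remaining.extend(part.address_exclude(ann))
        parts = remaining
    return parts


def exposed_ranges(registry, non_responsive, announced):
    """Steps 1-4 of the thread: stale-contact registrations absent from BGP."""
    announced_nets = [ipaddress.ip_network(a) for a in announced]
    exposed = []
    for inetnum, mnt_by in registry:
        if mnt_by not in non_responsive:
            continue
        for net in inetnum_to_networks(inetnum):
            exposed.extend(subtract_announced(net, announced_nets))
    return sorted(exposed, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def check_announcement(prefix, exposed):
    """Pre-announcement check: exposed ranges a new announcement would touch.

    A non-empty result means the prefix a customer wants to originate overlaps
    space whose registered contact cannot be reached, which is the case the
    thread says should be verified out of band rather than accepted on sight.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return [e for e in exposed if e.version == net.version and e.overlaps(net)]


if __name__ == "__main__":
    exposed = exposed_ranges(REGISTRY, NON_RESPONSIVE, ANNOUNCED)
    print("Stale-contact space not in BGP:", [str(n) for n in exposed])
    for candidate in ("203.0.113.0/25", "203.0.113.0/24", "198.18.0.0/22"):
        hits = check_announcement(candidate, exposed)
        verdict = "HOLD for verification" if hits else "ok"
        print(f"{candidate}: {verdict} {[str(h) for h in hits]}")
```

The partial-cover case is the one worth noticing: 203.0.113.0/24 belongs to a non-responsive maintainer and its lower half is announced, so only 203.0.113.128/25 lands on the exposed list, and a request to announce the whole /24 is held while a request for the already-announced /25 passes. Heather's point about access control applies unchanged: the output of `exposed_ranges` is exactly the list a hijacker would want, so whoever runs this should treat the result with the same care as the non-responsive list itself.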
From kpbhat at sta.samsung.com Fri Dec 17 21:59:29 2010
From: kpbhat at sta.samsung.com (Kong Posh Bhat)
Date: Fri, 17 Dec 2010 14:59:29 -0600
Subject: [anti-abuse-wg] Question regarding IP address abuse
Message-ID:

Greetings,

We are trying to develop an architecture that is based around the premise that there is a special purpose local HTTPS server with a well known address. We intend to reserve the port number with IANA and define a well known local address in each of the following address spaces: 10.0.0.0, 172.16.0.0, 192.168.0.0, as well as in some private IPv6 address ranges.

When a device comes up, as part of its startup logic it tries all these well known addresses one by one, until there is a hit. If there is no hit, the process terminates. However, if there is a hit, the device will make a special HTTPS request to this server, which in turn will deliver some management bootstrapping information to the device.

One of my distinguished colleagues thinks that this constitutes an IP address abuse. Is that so? I do not seem to find any reference to this on the IANA Abuse FAQ site (http://www.iana.org/abuse/faq.html).

Thanks in anticipation. I really appreciate your patience with me on this issue.

Regards,

Kong Posh Bhat
Standards Research Lab
Samsung Telecommunications America
Ph: 972-761-7450 (Desk); 214-766-1743 (Mobile)
Fax: 972-761-7631


From peter at hk.ipsec.se Fri Dec 17 22:31:16 2010
From: peter at hk.ipsec.se (peter h)
Date: Fri, 17 Dec 2010 22:31:16 +0100
Subject: [anti-abuse-wg] Question regarding IP address abuse
In-Reply-To:
References:
Message-ID: <201012172231.17061.peter@hk.ipsec.se>

On Friday 17 December 2010 21.59, Kong Posh Bhat wrote:
> Greetings,
>
> We are trying to develop an architecture that is based around the
> premise that there is a special purpose local HTTPS server with a well
> known address. We intend to reserve the port number with IANA and
> define a well known local address in each of the following address
> spaces: 10.0.0.0, 172.16.0.0, 192.168.0.0, as well as in some private
> IPv6 address ranges.
>
> When a device comes up, as part of its startup logic it tries all these
> well known addresses one by one, until there is a hit. If there is no
> hit, the process terminates. However, if there is a hit, the device
> will make a special HTTPS request to this server, which in turn will
> deliver some management bootstrapping information to the device.
>
> One of my distinguished colleagues thinks that this constitutes an IP
> address abuse. Is that so? I do not seem to find any reference to this
> on the IANA Abuse FAQ site (http://www.iana.org/abuse/faq.html).
>
> Thanks in anticipation. I really appreciate your patience with me on
> this issue.
>

I'm not a RIPE representative. I do however have a suggestion: why don't you send a multicast packet to a known multicast address? That way a client with any address (not only 1918 ones) would be functionally equivalent. The range would be limited by the network's multicast config, but you could always reach a server on your local wire.
> Regards,
> Kong Posh Bhat
> Standards Research Lab
> Samsung Telecommunications America
> Ph: 972-761-7450 (Desk); 214-766-1743 (Mobile)
> Fax: 972-761-7631

-- 
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From pk at DENIC.DE Sat Dec 18 17:43:34 2010
From: pk at DENIC.DE (Peter Koch)
Date: Sat, 18 Dec 2010 17:43:34 +0100
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
In-Reply-To: <4D08E31E.8000909@heanet.ie>
References: <4D08E31E.8000909@heanet.ie>
Message-ID: <20101218164334.GF25903@x27.adm.denic.de>

On Wed, Dec 15, 2010 at 03:47:42PM +0000, Brian Nisbet wrote:
> Peter Koch said the session was already overrun by 15 minutes and this
> delicate issue should be resolved at another time.

I'd like to clarify that my point was that this topic was placed under AOB _and_ mostly dealt with during overtime, which, absence of written process and procedures notwithstanding, did not meet my expectations and experiences of appropriateness given delicacy. That said, I consider the issue closed.

-Peter

From gert at space.net Sat Dec 18 18:45:07 2010
From: gert at space.net (Gert Doering)
Date: Sat, 18 Dec 2010 18:45:07 +0100
Subject: [anti-abuse-wg] Question regarding IP address abuse
Message-ID: <20101218174507.GD3695@Space.Net>

Hi,

On Fri, Dec 17, 2010 at 02:59:29PM -0600, Kong Posh Bhat wrote:
> When a device comes up, as part of its startup logic it tries all these
> well known addresses one by one, until there is a hit.

DNS has been invented some years ago.

Gert Doering
        -- NetMaster
-- 
did you enable IPv6 on something today...?

SpaceNet AG
Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14
Aufsichtsratsvors.: A.
Grundner-Culemann
D-80807 Muenchen
HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444
USt-IdNr.: DE813185279

From pk at DENIC.DE Sat Dec 18 20:16:28 2010
From: pk at DENIC.DE (Peter Koch)
Date: Sat, 18 Dec 2010 20:16:28 +0100
Subject: [anti-abuse-wg] Question regarding IP address abuse
Message-ID: <20101218191628.GH25903@x27.adm.denic.de>

On Fri, Dec 17, 2010 at 02:59:29PM -0600, Kong Posh Bhat wrote:
> We are trying to develop an architecture that is based around the
> premise that there is a special purpose local HTTPS server with a well
> known address. We intend to reserve the port number with IANA and
> define a well known local address in each of the following address
> spaces: 10.0.0.0, 172.16.0.0, 192.168.0.0, as well as in some private
> IPv6 address ranges.

the topics of service discovery, service location, zero configuration networking and the like have been addressed in multiple ways, some of which have been standardized within the IETF. There might be a better starting point for evaluating existing solution frameworks against your requirements than this list.

> One of my distinguished colleagues thinks that this constitutes an IP
> address abuse. Is that so? I do not seem to find any reference to this
> on the IANA Abuse FAQ site (http://www.iana.org/abuse/faq.html).

Some people would probably agree with your distinguished colleague, but there is a subtle difference between the "abuse" you quoted him mentioning and the abuse this working group is addressing. On the former - there is a reason some of the schemas mentioned above have been developed. For instance, you cannot be sure that the addresses you are trying to probe are within the same administrative domain/realm and there is no method to limit the scope of these packets. Even though RFC 4085 "Embedding Globally-Routable Internet Addresses Considered Harmful" aims at globally routable addresses, similar logic is likely to apply.
This connects to the latter, network abuse as an operational phenomenon - see the charter at .

-Peter

From brian.nisbet at heanet.ie Mon Dec 20 10:35:22 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 20 Dec 2010 09:35:22 +0000
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
In-Reply-To: <20101218164334.GF25903@x27.adm.denic.de>
References: <4D08E31E.8000909@heanet.ie> <20101218164334.GF25903@x27.adm.denic.de>
Message-ID: <4D0F235A.5060907@heanet.ie>

Peter,

"Peter Koch" wrote the following on 18/12/2010 16:43:
> On Wed, Dec 15, 2010 at 03:47:42PM +0000, Brian Nisbet wrote:
>
>> Peter Koch said the session was already overrun by 15 minutes and this
>> delicate issue should be resolved at another time.
>
> I'd like to clarify that my point was that this topic was placed under AOB
> _and_ mostly dealt with during overtime, which, absence of written process
> and procedures notwithstanding, did not meet my expectations and experiences
> of appropriateness given delicacy. That said, I consider the issue closed.

So noted, on both counts, the published minutes will be amended to reflect this.

Brian.

From brian.nisbet at heanet.ie Tue Dec 21 11:43:26 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 21 Dec 2010 10:43:26 +0000
Subject: [anti-abuse-wg] Updated Draft Minutes - RIPE 61
Message-ID: <4D1084CE.2050801@heanet.ie>

Colleagues,

I've made a couple of changes as requested, assuming this is ok I'll pass it back to the NCC.

Brian.

**********************************

Draft Anti-Abuse WG Minutes – RIPE 61
Thursday, 18 November 2010, 14:00 – Westin Excelsior Hotel, Rome, Italy
Co-Chairs: Brian Nisbet, Richard Cox
Scribe: Fergal Cunningham
Chat: Laura Cobley

A. Administrative Matters

A1. Welcome

Working Group Co-Chair Brian Nisbet welcomed attendees and explained that co-chair Richard Cox regrettably was unable to attend today's session.
James Blessing, concerned Internet citizen, said that although it was good to have an active co-chair, the reputation of the Anti-Abuse Working Group was being impacted upon by the other co-chair, and he said he would like to see this addressed. Brian said this was a matter for the AOB section of the agenda.

Brian thanked the RIPE NCC scribe and Chat monitor, and the stenographers. He asked that anyone who had a question on Chat give their full name and affiliations.

Brian asked if there were any objections to the minutes from RIPE 60 being approved. There were none, so he said the minutes were approved.

Action on RIPE NCC: Remove "Draft" status from RIPE 60 Anti-Abuse Working Group Minutes.

Brian noted that the agenda was slightly changed from the agenda posted on the mailing list because Richard was unable to attend and there were some late requests for presentations from RIPE NCC staff. The updated agenda is available at:
http://ripe61.ripe.net/presentations/343-AA-WG_RIPE61_Agenda.pdf

B. Updates

B1. Recent List Discussion - Reporting Fraud, Database Issues, Time Stamps (-B)

Working Group Co-Chair Brian Nisbet noted that there was a lot of discussion on the mailing lists recently, and most of this was related to items that would be dealt with further down the agenda. He noted that the Anti-Abuse Working Group mailing list was not the place to report network abuse. He did remind attendees that the whois -B lookup gives the date of the last update to an object.

B2. Registrar Issues - Michele Neylon, Blacknight

Michele Neylon from Blacknight gave a presentation entitled "Abuse – Registrar Perspective". At the beginning of the presentation, Michele asked for a show of hands on attendees who had had their credit card skimmed or Paypal account attacked, and there was quite a large number of hands.
The presentation is available at:
http://ripe61.ripe.net/presentations/244-blacknight-ripe-rome-2010.pdf

Tobias Knecht, Abusix, asked how all these things should be reported in a machine and in a human readable format. He also suggested using xarf.org. Michele said they get manual reports and, if the reports are to be automated, there is no reason they can't be provided in a particular order. He said everything has to be read and investigated anyway.

Konstantin Bekreyev, DARS Telecom, asked, considering the recent increase in botnets, when spam is sent through the port tcp/80 via email systems such as Hotmail, what can he do. He is unable to close port 80 to these sites. Michele said he did not know and suggested reporting it to Hotmail. Brian said the big email companies have gotten better with spam and dealing with it. If abuse comes from a website then it should be reported to the original IP.

Gilles Massen, Restena Foundation, asked, since abusers are moving quickly, how would Michele react to them efficiently while protecting the innocent. Michele said you have to carefully evaluate each report you receive and you need to have a measured response.

David Freedman, Claranet, asked what kind of proactive work the registrars do. Michele said there were a lot of registrars and their methods varied. He said often the registrars and hosting operators did not have full control of the network. He said he would like to see some best practices coming out of the Anti-Abuse Working Group. Brian said producing best practice documents is an action item for this working group, and although this was not on the agenda for the current meeting, he hoped to be able to come back to the mailing list with something soon.

An attendee asked about the Google tool that was presented earlier by Michele. He said that an ISP would need to have specific examples of abuse before it would take action on a customer.
He asked if the registrar would contact the customer based on a Google report alone. Brian explained that the Google safe browsing alerts tool lets Google notify you if a site you are hosting has malware. Michele said this used to be the case with registrars but now they have to take a more proactive approach because of the number of reports they receive each day. He said he would not contact anyone based on the alert alone, but the alert would give you an indication of where abuse was taking place and you can go there and see what is happening.

Andy Davidson, Netsumo, in response to the question from Konstantin, recommended a tool from Loughborough University that looks in outbound mail for evidence that someone has been phished. He added that it locks the accounts of people who have been phished. Andy said he would send details to the mailing list.

James Blessing, Limelight Networks, asked that the time stamp and correct time zone be noted in all reports.

B3. RIPE NCC Draft Closure Agreement/Service Abuse

Athina Fragkouli, RIPE NCC, gave a presentation on the new RIPE NCC document, Closure of an LIR and Deregistration of Resources. The presentation is available at:
http://ripe61.ripe.net/presentations/281-Closure_of_LIRs_and_deregistration_of_resources_anti_abuse_aspects.pdf

Athina asked that attendees read the document and give feedback.

James Blessing, Limelight Networks, asked if the only thing that could be effected under law was full termination of the service agreement. Athina said this was the case but if the RIPE NCC received a Dutch court order it could deregister resources. She confirmed that the RIPE NCC would comply with a Dutch court order no matter what it contained.

David Freedman, Claranet, asked if there would be a way to let people know that resources were in the process of being deregistered. Athina said a tag would be added to such resources in the RIPE Database.
Brian noted that there was a bigger version of Athina's presentation available from the NCC Services Working Group and that it would be made available in that working group's archive.

Volodymyr Yakovenko, Google, asked if there was an example of a Dutch court order available and the conditions for such a court order. Athina said the RIPE NCC hadn't received one yet but was working with Dutch national authorities on what should be contained in such an order. Brian asked that the RIPE NCC make known to the community the outcome of the RIPE NCC's discussion with the Dutch legal authorities.

Wilfried Woeber, Database Working Group Co-Chair, said it was important to get the provisions of the document correct as soon as possible, and he also advised against overreacting to a court order in terms of deregistration. Athina said termination of the service contract between the RIPE NCC and an LIR resulted in a loss of service, and that included registration of resources.

Rob Blokzijl, RIPE Chair, said the RIPE NCC has been in contact with legal enforcement agencies (LEAs) for a number of years, and the police are doubtful that they will see a need to bring a court order or deregister resources. He said LEAs are interested in stopping criminals and removing information is not something they would see as helping this goal.

Brian said further discussion of the document should take place on the RIPE NCC Services Working Group mailing list.

B4. RIPE NCC Survey on Improving RIPE Database Quality

Ferenc Csorba from the RIPE NCC gave a presentation on a survey aimed at improving RIPE Database quality. The presentation is available at:
http://ripe61.ripe.net/presentations/279-RIPE_DB_Quality_Survey.key

There were no questions and Brian said feedback on the survey should be directed to the Database Working Group mailing list.

C. Policies

C1. 2010-08 Abuse Contact Information

Working Group Co-Chair Brian Nisbet called Tobias Knecht, Abusix, the proposer of 2010-08, on Skype.
Brian noted that he had discussed the proposal with Tobias and they had talked to the Database Working Group and RIPE NCC staff. He said some changes had been recommended. Brian explained that the proposal was to "add a mandatory reference to IRT objects in the INETNUM, INET6NUM and AUT-NUM objects in the RIPE Database". He added that potential changes to the proposal include removal of implementation details. He said there would be a redraft of the proposal and asked for any comments on having the mandatory reference to abuse contacts in IRT objects.

Michele Neylon, Blacknight, said there might be some confusion because some people seemed to be confusing introduction of a mandatory abuse contact with solving all problems. He said he foresaw problems with people expecting the proposal to have a broader impact than was originally intended.

Tobias said the main point of the proposal was the mandatory nature of having the reference, but this was something people might have to decide for themselves and he was open to hearing comments on this.

James Blessing, Limelight, said the proposal was a nice idea but there would have to be a lot of objects referenced. He recalled that there was a proposal to deregister objects that didn't have accurate details. He foresaw a situation in three months where people who did not hear about this policy would have objects deregistered. Brian said the deregistration policy was not something that would happen overnight. He said there would have to be a proper process of negotiation with the LIR before anything would happen.

Peter Koch, DENIC, said he failed to see a clear problem statement for this proposal. He said if people are not getting a response from abuse contacts, then making it mandatory would not change anything. He said if people are sending abuse reports and it's not going to the correct address, then he would like to see evidence of this.
Tobias said the problem was that there were too many places where people could add abuse contact details and people are confused. He said the main intention is to have one place where people know they have to put contact information and where other people will know they can find contact information.

Peter said he disagreed that there were too many places to put contact information already and he said it seemed to be more of an education problem rather than anything else. Tobias said if you are going to educate people on where to find information, it is easier to do if you know the information is in one place rather than in one or more of 15 locations.

Shane Kerr, Internet Systems Consortium, said there were already references to IRT objects in INETNUM and INET6NUM objects, and he asked if it was not to be mandatory then what was the point of having the proposal. Brian agreed that this was the crux of the issue. Tobias said there might be a better way to do things, but it is important that everyone knows how to do it.

Sascha Eilms, ECO/CSA, said he wanted to support the proposal because it showed willingness from the industry to self-regulate and tackle the problem of abuse.

Wilfried Woeber, Database Working Group Co-Chair, said he was a co-architect of the IRT object and had sympathy with the idea that there were too many choices on where to place contact information at the moment. He said that coming up with ways to simplify things does have merit.

Brian asked Tobias if, based on the comments, they could sit down and redraft the policy to be resubmitted, and Tobias agreed to this.

Shane said there was the issue of simplification that most people would agree with, but there was also the issue of making it mandatory. He suggested this should be discussed in the Address Policy Working Group because if the proposal to make this mandatory was accepted this would be a big issue for LIRs.
Peter Koch said making such an attribute mandatory would have major operational implications for the RIPE Database and said the matter of how to apply the technology was also an important issue.

Brian said they would take the comments on board when redrafting and the conversation could continue on the mailing list.

C2. 2010-09 – "Frequent Update Request" and 2010-10 "Change to RIPE 452"

Brian explained that 2010-09 was a proposal to have the RIPE NCC regularly contact all current RIPE Database object holders with resources in the RIPE Database to ask them to actively check that all their details are up-to-date. He explained that 2010-10 proposed to add a reference to the sponsoring LIR in INETNUM, INET6NUM and AUT-NUM objects to increase the possibility of abuse tracking and handling.

Brian said that these were two huge proposals with major implications. He said he agreed with the proposers to withdraw these proposals, at least temporarily, and set up a RIPE Task Force featuring people from the RIPE Database Working Group and the Anti-Abuse Working Group among others to look at improving the registry and the RIPE Database. He said they wanted to consult the RIPE NCC and other parties to see what was the best way to deal with the issues rather than bringing a number of proposals.

Brian said the two proposals would be withdrawn with the knowledge that the proposers would resubmit them if the task force did not make sufficient progress.

D. Interactions

D1. Working Groups

Working Group Co-Chair Brian Nisbet noted that there has been a lot of interaction with the RIPE Database Working Group and the RIPE NCC Services Working Group. He said the RIPE Task Force to address issues with the RIPE Database arose from communication with the RIPE NCC Service Working Group, and this task force would feed back to both those working groups as well as the Anti-Abuse Working Group.

D2. CCWP

Brian explained that Wout de Natris chaired the Cybercrime Working Party (CCWP).
He said there was a meeting today that saw a number of inputs/outputs from this group. He said the main thing to come out of the meeting was the need for cross training of the groups – technical and policy training for legal enforcement agencies, and information on how to detect dubious registrations for the RIPE NCC and RIPE community.

Brian said the CCWP met approximately four times a year and it has proved to be very useful so far. He said if anyone had any input to bring to the CCWP they should talk to either Brian himself or Jochem de Ruig from the RIPE NCC.

D3. RIPE NCC Gov/LEA Interactions Update

Brian said Paul Rendek from the RIPE NCC covered this area extensively in the RIPE NCC Services Working Group and he did not want to revisit it here.

X. A.O.B.

James Blessing, concerned Internet citizen, said he noticed that Co-Chair Richard Cox tends often not to be present at RIPE Meetings or not involved, unless it is to be hostile towards RIPE itself. He asked if Richard was the correct person to be working group co-chair.

Working Group Co-Chair Brian Nisbet said he contacted Richard and asked him to respond to comments that had been made, but Brian had not heard back from Richard in relation to this.

Jim Reid, Internet citizen, said this was a delicate issue, and even if the co-chair of a working group was critical of RIPE, that is not necessarily a bad thing. He said, however, that his opinion was that Richard crossed a line insofar as his comments were unfair and unjustified, and he confused RIPE with the RIPE NCC in his comments, which is not helpful. He said Richard's comments unfairly damaged the reputation of RIPE, the RIPE NCC and the Anti-Abuse Working Group.

Rob Blokzijl, RIPE Chair, noted that this is the first time there has been a situation like this in the history of RIPE.
Rob noted that the RIPE Chair, the Chairman of the RIPE NCC Executive Board and the RIPE NCC Managing Director met with Richard where they tried to clear up some misunderstandings. He said all three who met with Richard are disappointed that the outcome of this meeting, where they thought issues had been cleared up, was not reflected in subsequent posts from Richard that were published on websites. He said he felt that if you were elected to chair a working group by the RIPE community then you had a responsibility to that community and to its secretariat, the RIPE NCC. He concluded that it would be better for the community if Richard would step down so it would be clear that when he spoke he was speaking for himself and not the RIPE community.

David Freedman, Claranet, read verbatim a public post from Richard to give context to the discussion. (http://www.spamhaus.org/news.lasso?article=663)

Brian said there was no written procedure for the current situation.

Rob said that if you accept that it is up to the RIPE community to appoint working group chairs, then it is implicit that the community has the same responsibility to remove a chair when necessary.

Brian said he did not want to see a protracted discussion about this on the mailing list. He added that he spoke to Richard and asked him to consider his position but there has been no response. He asked if anyone felt the Anti-Abuse Working Group should deal with the situation or if there was any particular way that this situation should be approached.

Michele Neylon, Blacknight, said it was unfortunate there was no written procedure for this situation. He said one individual can cause major problems for a working group, whether they are a co-chair or not, and in such a situation it might be best for that person to move on. He said he respected Richard and the work he does but in this situation some decisive action was needed.
Rob said a possible solution would be for both co-chairs to step down, new chairs to be elected at the next RIPE Meeting and for Brian to act as interim chair of the working group until then. He said the simplest solution would be for this working group to decide Richard Cox was no longer a co-chair of the working group and to elect a new co-chair at the next RIPE Meeting.

Peter Koch said the session was already overrun by 15 minutes and that such a delicate issue should not be handled in AOB and overtime for the Working Group.

Jim Reid said that changes of co-chair happen for various reasons and it's a natural process. He said it seemed as though Richard's time as co-chair might be over but he would be free to be involved with the working group as any other individual is welcome to be.

Rob said that if nothing were done at this session, there would be potentially six months of damage to the RIPE NCC and six months of damage to the RIPE community. He urged the community to take action at this session.

Sander Steffann, Address Policy Working Group Co-Chair, said if there was a lack of support for a working group chair then that chair should step down.

Shane Kerr, ISC, said he thought this situation might be a reflection of a larger disconnect between people working in Anti-Abuse and the ISPs. He said the Anti-Abuse community often had goals that were very disconnected from the Internet community at large. He said such people could use this as another example of people in the Internet community not listening to their wishes.

Nick Hilliard, INEX, asked what were the contingency plans if Richard refused to step down as co-chair. He said he wasn't sure it was typical in RIPE for someone to be forced to step down as a working group chair because that working group has lost faith in that chair. He said the RIPE community should address the lack of a formal procedure as a matter of urgency.
James Blessing suggested it might be possible to suspend his chairmanship but it must be made clear that the working group did not support him 100% as co-chair.

Rob said it was not for Richard to decide that he represented the community; rather it was for the community to decide this. He asked the working group to make a decision or else expect to have a difficult six months ahead. He said he did not care what Richard published as long as it was disconnected from the RIPE community.

Remco van Mook, Equinix, said if this working group could not make a decision then it could be disbanded and reformed at the RIPE Plenary with new co-chairs.

Rob said he was happy to support Remco's proposal. He said the Anti-Abuse Working Group had until the Closing Plenary session to resolve this matter. He added that it would be good for the whole RIPE community to be aware of its responsibilities in matters such as this one.

Brian said that he was not in favour of this option. He noted that no one had stood up to support Richard's position as co-chair.

Jim Reid said someone should post a motion of no confidence in Richard to the mailing list. Brian said the chairs were always elected at RIPE Meetings and there was no requirement to go to the mailing list with this.

Rob said he felt that matters were clear but that no one was willing to say anything formally.

James Blessing said he would be willing to do what was required if he could be told exactly what that was. He asked for audible consensus from the room. The reaction was judged to be consensus.

Brian said he had discussed the matter with Rob prior to the working group session and they agreed that the working group had the authority to appoint its co-chairs and, therefore, to remove them. Brian asked if anyone was willing to stand up and object to Richard Cox being removed as Co-Chair of the Anti-Abuse Working Group. As nobody took this action, Brian declared that consensus had been reached.
He said that he would require a new co-chair and he expressed his wishes that one could be in place by the RIPE 62 Meeting.

Z. Close

Brian thanked everyone for attending and for their patience and said he hoped to see everyone at RIPE 62.

The Agenda and all presentations are available at:
http://ripe61.ripe.net/programme/meeting-plan/anti-abuse-agenda/

The stenography transcript of this session is available at:
http://ripe61.ripe.net/archives/steno/4

From jdfalk-lists at cybernothing.org Tue Dec 21 16:14:15 2010
From: jdfalk-lists at cybernothing.org (J.D. Falk)
Date: Tue, 21 Dec 2010 07:14:15 -0800
Subject: [anti-abuse-wg] Re: [anti-abuse-wg] Draft Anti-Abuse WG Minutes – RIPE 61
In-Reply-To: <1292454950.25763.15900.camel@shane-asus-laptop>
References: <4D08E31E.8000909@heanet.ie> <1292454950.25763.15900.camel@shane-asus-laptop>
Message-ID: <78AE2D36-2273-4CD8-84E8-45842157A9E1@cybernothing.org>

On Dec 15, 2010, at 3:15 PM, Shane Kerr wrote:
> I think that my point was that there is a disconnect between people
> working on anti-abuse and the ISPs, not about the Anti-Abuse Working
> Group or its participants. I might not have said that of course...

Many people who work for ISPs would agree. It's often simply a matter of scale and imagination....

From michele at blacknight.ie Tue Dec 21 18:36:17 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 21 Dec 2010 17:36:17 +0000
Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down

Got this earlier today (not to our abuse contact of course .. )

Couple of things to note

Unless you read it a few times it's not easy to work out what the hell they are actually asking about

If your first language isn't English then I suspect you'll dismiss it as spam .. .. I know some of my staff did and they supposedly speak English!
"Dear Sir or Madame,

As a result of our activities, Bank of America and/or its affiliates have acquired significant reputations in the field of banking and financial services worldwide and our trademark and brand (the "Marks") are registered and/or used in the United States as well as many countries globally.

We have now detected a website, or a redirect to a website, hosted on your network that purports to be a Bank of America or a Bank of America affiliate* website. The referenced site(s) uses the Marks, leading visitors to believe it is a website sponsored or endorsed by Bank of America or a Bank of America affiliate* while no such sponsorship or endorsement actually exists. The site requests visitors to supply sensitive personal or financial information. We have confirmed that this webpage is NOT authorized or endorsed by Bank of America and/or its affiliates.

The use of our Marks in this way is likely to cause confusion in the mind of the public, leading them to believe that the website is associated with Bank of America or that we are otherwise supplying goods and services through it. As you know, "Phishing" sites such as this usually are part of larger criminal schemes that violate a number of federal, state and international laws.

We request your immediate assistance in stopping the continued operation of this website and its unauthorized use of our Marks. Continued operation of the website in this way is not only likely to result in substantial damage to our reputation and goodwill but also perpetuates the appearance that your network is cooperating with the fraudulent purpose behind the website. We request that you please assist us in shutting down the website immediately.

URL - http://xxxxxxxxx
IP Address - xxxxxx

As part of this action we request that you redirect all traffic going to this website to the following URL:
http://education.apwg.org/r/en?xxxxxxxxxxxx

By doing this it will provide a way for consumers to educate themselves about phishing.
Information about implementing a redirect to this page can be found here:
http://education.apwg.org/r/how_to.html

Please forward this message with your response, directly to anti-phishing at bankofamerica.com.

We thank you in advance for assisting us in stopping phishing and refusing to allow your network to be used for illegal activity.

Thank you,
Abuse Team
Bank of America
Contact Email: anti-phishing at bankofamerica.com

*Bank of America affiliates include the following brands:
MBNA
Merrill Lynch
Countrywide
Military Bank
LaSalle
Fleet"

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
PS: Check out our latest offers on domains & hosting: http://domainoffers.me/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From rfg at tristatelogic.com Wed Dec 22 00:33:45 2010
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 21 Dec 2010 15:33:45 -0800
Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down
Message-ID: <36551.1292974425@tristatelogic.com>

In message , "Michele Neylon :: Blacknight" wrote:

> Got this earlier today (not to our abuse contact of course .. )
>
> Couple of things to note
>
> Unless you read it a few times it's not easy to work out what the hell they
> are actually asking about

I confess that I am utterly baffled by your comment. The message from BofA seemed altogether clear and entirely straightforward and unambiguous to me.

What is it, exactly, about that message that caused you to have any difficulty in "working it out"?
>If your first language isn't English then I suspect you'll dismiss it as >spam .. .. I know some of my staff did and they supposedly speak English! Again, I am utterly baffled by your comment. Can you explain why anyone would ever dismiss BofA's message to you as spam? I also occasionally send messages to various networks, generally regarding serious ongoing security issues. If I was BofA, and I had to draft an e-mail to your organization, asking you to remove a phishing site from your network, I think I would have phrased the e-mail almost exactly the way that BofA did. And if you were tempted to ignore & trash BofA's notification to you, then I really would like to understand why, because if I can understand that, then perhaps I might also be able to understand why various networks have utterly ignored various messages I have sent, over time, alerting them to, e.g., hacked machines on their respective networks. Regards, rfg P.S. I think that a discussion of the BofA message, and your comments about it, would be quite entirely apropos for this mailing list, because after all, hasn't this WG just been working (struggling?) to finalize/formalize a proposal to get abuse contact e-mail addresses into all RIPE allocation records? As someone else pointed out, requiring those (abuse) e-mail contacts will really be utterly pointless if the folks on the receiving ends of those e-mail addresses regularly or routinely trash inbound messages sent to those addresses, e.g. because, in their opinions, said messages "look vaguely like spam".

From michele at blacknight.ie Wed Dec 22 00:46:22 2010 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Tue, 21 Dec 2010 23:46:22 +0000 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <36551.1292974425@tristatelogic.com> References: <36551.1292974425@tristatelogic.com> Message-ID: <97C58E22-A243-4A57-9602-7184B5D3522A@blacknight.ie>

On 21 Dec 2010, at 23:33, Ronald F. 
Guilmette wrote: > > In message , > "Michele Neylon :: Blacknight" wrote: > >> Got this earlier today (not to our abuse contact of course .. ) >> >> Couple of things to note >> >> Unless you read it a few times it's not easy to work out what the hell they >> are actually asking about > > I confess that I am utterly baffled by your comment. The message from BofA > seemed altogether clear and entirely straightforward and unambiguous to me. > > What is it, exactly, about that message that caused you to have any difficulty > in "working it out"? To start with it was sent to just about every single contact point imaginable except our abuse contact. The only reason it made it to our abuse team at all was because one of our sales staff asked me to look at it. > >> If your first language isn't English then I suspect you'll dismiss it as >> spam .. .. I know some of my staff did and they supposedly speak English! > > Again, I am utterly baffled by your comment. Can you explain why anyone > would ever dismiss BofA's message to you as spam? Read the message. Instead of simply stating that they are alerting us to an issue they start off with a long convoluted text about their trademarks, which is totally irrelevant to us. All we want to know is that someone is reporting abuse, what type of abuse it is and where it is located. You might not find this hard to understand, but I suspect this is because you are used to reading these kind of emails and might be immune to how badly worded they are. If your first language isn't English how are you expected to deal with this? A much simpler email with the type of abuse and its location at the TOP of the email would be a lot saner and more likely to be dealt with in a timely fashion If someone wants (or needs to) include a lot of boiler legal text etc., then put it further down the email. > > I also occasionally send messages to various networks, generally regarding > serious ongoing security issues. 
If I was BofA, and I had to draft an e-mail > to your organization, asking you to remove a phishing site from your network, > I think I would have phrased the e-mail almost exactly the way that BofA did. Then it probably would have been greeted with the same level of disdain that the one we got today was. > And if you were tempted to ignore & trash BofA's notification to you, then > I really would like to understand why, because if I can understand that, then > perhaps I might also be able to understand why various networks have utterly > ignored various messages I have sent, over time, alerting them to, e.g., > hacked machines on their respective networks. > > > Regards, > rfg > > > P.S. I think that a discussion of the BofA message, and your comments > about it, would be quite entirely apropos for this mailing list, because > after all, hasn't this WG just been working (struggling?) to finalize/ > formalize a proposal to get abuse contact e-mail addresses into all RIPE > allocation records? > > As someone else pointed out, requiring those (abuse) e-mail contacts will > really be utterly pointless if the folks on the receiving ends of those > e-mail addresses regularly or routinely trash inbound messages sent to those > addresses, e.g. because, in their opinions, said messages "look vaguely > like spam". > I totally agree. I've been asking security companies / banks etc etc to send simpler and more accessible abuse reports for ages. Some do, but a lot of them still don't (And then there's the opposite end of the spectrum, where you get a vague message saying that an IP is abusing someone's system, but they fail to tell you what that system is or who they are .. ) Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From esa.laitinen at iki.fi Wed Dec 22 09:36:57 2010 From: esa.laitinen at iki.fi (Esa Laitinen) Date: Wed, 22 Dec 2010 09:36:57 +0100 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <36551.1292974425@tristatelogic.com> References: <36551.1292974425@tristatelogic.com> Message-ID:

On Wed, Dec 22, 2010 at 12:33 AM, Ronald F. Guilmette wrote: > I confess that I am utterly baffled by your comment. The message from BofA > seemed altogether clear and entirely straightforward and unambiguous to me. > > What is it, exactly, about that message that caused you to have any > difficulty > in "working it out"? > > Well, I for one had a hard time to find the beef, and I'm language skills are reasonably good. The language is IMHO appropriate for letters sent to a lawyer, but doesn't necessarily properly communicate to anybody else. -- Mr. Esa Laitinen Tel. +41 76 200 2870 skype/yahoo: reunaesa

From leo.vegoda at icann.org Wed Dec 22 10:05:07 2010 From: leo.vegoda at icann.org (Leo Vegoda) Date: Wed, 22 Dec 2010 01:05:07 -0800 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <36551.1292974425@tristatelogic.com> References: <36551.1292974425@tristatelogic.com> Message-ID:

On Dec 21, 2010, at 11:34 PM, "Ronald F. Guilmette" wrote: > In message , > "Michele Neylon :: Blacknight" wrote: > >> Got this earlier today (not to our abuse contact of course .. 
) >> >> Couple of things to note >> >> Unless you read it a few times it's not easy to work out what the hell they >> are actually asking about > > I confess that I am utterly baffled by your comment. The message from BofA > seemed altogether clear and entirely straightforward and unambiguous to me. A few years back there was a movie called "The Front Page". In it, the reporter played by Jack Lemmon filed a story about the execution of a criminal. His editor asked where some of the details were. "It's in the second paragraph," replied Lemmon. "Nobody reads the second paragraph!" barked the editor. > At the risk of breaking the rule, I think it is reasonable to ask people sending abuse reports to put the details of the abuse and the requested action first and to put waffle at the end, if they feel they have to include it at all. The BoA message started with waffle and it would be perfectly reasonable to not read past that to the meat of the report. Regards, Leo

From rfg at tristatelogic.com Thu Dec 23 07:59:43 2010 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Wed, 22 Dec 2010 22:59:43 -0800 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <97C58E22-A243-4A57-9602-7184B5D3522A@blacknight.ie> Message-ID: <51348.1293087583@tristatelogic.com>

My apologies for not following up on this sooner. It's definitely the busy season... In message <97C58E22-A243-4A57-9602-7184B5D3522A at blacknight.ie>, "Michele Neylon :: Blacknight" wrote: >>What is it, exactly, about that message that caused you to have any >>difficulty in "working it out"? > >To start with it was sent to just about every single contact point imaginable except our abuse contact. The only reason it made it to our abuse team at all was because one of our sales staff asked me to look at it. Well, OK. Arguably that was bad form on their part. 
But having been "in the trenches" now myself for over 15 years, I can well and truly understand why they didn't even bother to CC: abuse@ (even though I myself would have done so). In fact there are many reasons why an intelligent and an _experienced_ person would never even waste the bits to even CC: abuse at . Here are just a few of those reasons: #1) On a large number of commercial ISP networks, abuse@ has been aliased to /dev/null. This isn't speculation. This is fact. Certainly, a lot of commercial ISPs make a business of catering especially to the lucrative spamming trade. Thus, these ISPs in particular have less than zero interest in _anything_ anybody might send to abuse at . (And some, like several in Russia... or that one in "Belize" I already posted about... are run by folks who are criminals themselves. So they don't even care even if you have a non-spam related "abuse" issue.) Even for the vast majority of commercial networks that are NOT specifically going out of their way to cater especially to spammers or other criminals, the decision has been made, long ago (and in many cases even BEFORE the advent of the Great Recession) that any sort of "abuse desk" type function is an unjustifiable "cost center" as opposed to a "profit center". Thus, with only rare exceptions, virtually every ISP that is any bigger than a small-time "mom and pop" operation has long ago aliased abuse@ to /dev/null because management sees no profit potential whatsoever in assigning even a fractional warm body to read that stuff. And of course, the advent of the Great Recession only sped up the final (and now near total and global) aliasing of abuse@ to /dev/null. Even for those networks... a minority to begin with... where there existed some sense of public/community responsibility (e.g. 
to investigate & respond to network abuse reports) and/or a sense of the importance and value of maintaining a good corporate reputation, the Great Recession has, for many, sharpened the corporate focus on mere survival, while niceties like good corporate netizenship have, understandably I suppose, gone by the wayside. #2) Even for those networks where abuse@ is not aliased to /dev/null, sending anything other than a _spam_ report to that address will typically engender either (a) no response at all (with the message being silently discarded) or else (b) an irritated response of the form "Why are you sending this to abuse@??" or else (c) a more or less automated response (either from an actual program or else from a low-paid human who has been trained to act like one) of the form "We're sorry, but we cannot accept abuse complaints without either (a) a full set of e-mail headers or else (b) a complete set of system intrusion logs." Obviously, in the case under discussion, which involved primarily violations of trademark rights (and with the high probability of associated phishing activity being only "unproven" and speculative) the party sending the report had no system logs nor any e-mail headers to send. #3) Although, for the various reasons noted above, and others, sending a report like this to an abuse@ address might yield no meaningful or useful action at all, the mere presence of the corporate abuse@ address, either in the To: header or in the Cc: header would most likely cause any and all other parties to whom such a report had been addressed (and who might otherwise potentially be more responsive/responsible than abuse@) to simply trash the message, e.g. because they might reasonably assume that "Oh! This was sent to abuse@ too, so the abuse department/person will surely handle it, and I don't need to get involved." 
#4) Last but not least, in the circles I travel in, a clear and unambiguous distinction is often drawn between "abuse ON the network" and "abuse OF the network". As we all know, the latter occurs almost every second of the day, somewhere on the Internet, and it can range from undeserved insults and slanders to sophisticated social engineering con games involving millions of dollars. But none of that "abuse ON the network" in any way threatens the operational status of any part of the net. Conversely, of course, spam and DoS attacks directly threaten the operational status of either parts of the net or, in sum, even the whole thing, and thus, by tradition among the people I commonly hang out with, "abuse OF the net" is widely considered to be the only thing (a) that humans can reasonably fight and also (b) in many people's minds, it is the only thing that's _worth_ fighting for. (After all, the world and the net will go on even if you or I are heinously slandered or even defrauded, tomorrow, somewhere on the Internet.) The upshot of all this line of thinking is that some (many?) believe that it's not even the job of an ISP abuse desk to even delve into any matters that do not clearly affect network operational status. At any and all ISPs of this persuasion, a note to abuse@ regarding a clear trademark violation (and a plausible/possible phishing threat) would be discarded virtually the moment it was opened. _=_=_= I'm not saying that any of the above are ``good'' reasons why a report like the one sent to you from BofA _should_ be effectively ignored by the person or robot tasked with reading mail sent to abuse@ (at various ISPs). I am only saying that out here in the Real World, that is, alas, what often would (and does) happen. >>> If your first language isn't English then I suspect you'll dismiss it as >>> spam .. .. I know some of my staff did and they supposedly speak English >> >> Again, I am utterly baffled by your comment. 
Can you explain why anyone >> would ever dismiss BofA's message to you as spam? > >Read the message. Instead of simply stating that they are alerting us to an issue they start off with a long convoluted text about their trademarks, which is totally irrelevant to us. All we want to know is that someone is reporting abuse, what type of abuse it is and where it is located. OK, now _here_ you have a point that I cannot reasonably take issue with. And your point is, I think, not only valid but also, potentially very useful. You're right. I think the way that people in the news business commonly express the point you just made is that it is bad practice to "bury the lead", i.e. it's important to express the major point you are trying to make (in a news story or in an abuse report) clearly, concisely, and in the first sentence. That's a good lesson for all of us writers of abuse reports, and one I'll try, in future, never to forget myself. >You might not find this hard to understand, but I suspect this is because you are used to reading these kind of emails and might be immune to how badly worded they are. No, actually, it is more because I have some extensive experience reading legal documents (e.g. court filings) and thus I'm already so adept at hacking through the thicket of words (to find the meat) that it's almost second nature (and automatic/subconscious) to me now, kind of like people who are so practiced that they can almost play a piano concerto in their sleep. That explains why, when I see something like that BofA e-mail you posted, its verbosity and/or failure to clearly and quickly come to the point doesn't faze me in the slightest. (I guess that I have been hanging out with lawyers too long. 
:-) Regards, rfg

From kzorba at otenet.gr Thu Dec 23 08:17:20 2010 From: kzorba at otenet.gr (Kostas Zorbadelos) Date: Thu, 23 Dec 2010 09:17:20 +0200 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <51348.1293087583@tristatelogic.com> References: <51348.1293087583@tristatelogic.com> Message-ID: <201012230917.20959.kzorba@otenet.gr>

On Thursday, December 23, 2010 08:59:43 am Ronald F. Guilmette wrote: Now, let me see if I get this right... This post contains more than a 1000 words, to argue about NOT using abuse contacts, in the real world, and this is how reports should be sent? I am definitely missing something here... Regards, Kostas > My apologies for not following up on this sooner. It's definitely the busy > season... > > In message <97C58E22-A243-4A57-9602-7184B5D3522A at blacknight.ie>, > > "Michele Neylon :: Blacknight" wrote: > >>What is it, exactly, about that message that caused you to have any > >>difficulty in "working it out"? > > > >To start with it was sent to just about every single contact point > >imaginable except our abuse contact. The only reason it made it to our > >abuse team at all was because one of our sales staff asked me to look at > >it. > > Well, OK. Arguably that was bad form on their part. But having been > "in the trenches" now myself for over 15 years, I can well and truly > understand why they didn't even bother to CC: abuse@ (even though I > myself would have done so). > > In fact there are many reasons why an intelligent and an _experienced_ > person would never even waste the bits to even CC: abuse at . Here are > just a few of those reasons: > > #1) On a large number of commercial ISP networks, abuse@ has been aliased > to /dev/null. This isn't speculation. This is fact. > > Certainly, a lot of commercial ISPs make a business of catering especially > to the lucrative spamming trade. 
Thus, these ISPs in particular have > less than zero interest in _anything_ anybody might send to abuse at . (And > some, like several in Russia... or that one in "Belize" I already posted > about... are run by folks who are criminals themselves. So they don't even > care even if you have a non-spam related "abuse" issue.) > > Even for the vast majority of commercial networks that are NOT specifically > going out of their way to cater especially to spammers or other criminals, > the decision has been made, long ago (and in many cases even BEFORE the > advent of the Great Recession) that any sort of "abuse desk" type function > is an unjustifiable "cost center" as opposed to a "profit center". Thus, > with only rare exceptions, virtually every ISP that is any bigger than a > small-time "mom and pop" operation has long ago aliased abuse@ to /dev/null > because management sees no profit potential whatsoever in assigning even > a fractional warm body to read that stuff. > > And of course, the advent of the Great Recession only sped up the final > (and now near total and global) aliasing of abuse@ to /dev/null. > > Even for those networks... a minority to begin with... where there existed > some sense of public/community responsibility (e.g. to investigate & > respond to network abuse reports) and/or a sense of the importance and > value of maintaining a good corporate reputation, the Great Recession has, > for many, sharpened the corporate focus on mere survival, while niceties > like good corporate netizenship have, understandably I suppose, gone by > the wayside. > > #2) Even for those networks where abuse@ is not aliased to /dev/null, > sending anything other than a _spam_ report to that address will typically > engender either (a) no response at all (with the message being silently > discarded) or else (b) an irritated response of the form "Why are you > sending this to abuse@??" 
or else (c) a more or less automated response > (either from an actual program or else from a low-paid human who has been > trained to act like one) of the form "We're sorry, but we cannot accept > abuse complaints without either (a) a full set of e-mail headers or else > (b) a complete set of system intrusion logs." > > Obviously, in the case under discussion, which involved primarily > violations of trademark rights (and with the high probability of > associated phishing activity being only "unproven" and speculative) the > party sending the report had no system logs nor any e-mail headers to > send. > > #3) Although, for the various reasons noted above, and others, sending a > report like this to an abuse@ address might yield no meaningful or useful > action at all, the mere presence of the corporate abuse@ address, either > in the To: header or in the Cc: header would most likely cause any and > all other parties to whom such a report had been addressed (and who might > otherwise potentially be more responsive/responsible than abuse@) to simply > trash the message, e.g. because they might reasonably assume that "Oh! > This was sent to abuse@ too, so the abuse department/person will surely > handle it, and I don't need to get involved." > > #4) Last but not least, in the circles I travel in, a clear and unambiguous > distinction is often drawn between "abuse ON the network" and "abuse OF the > network". As we all know, the latter occurs almost every second of the > day, somewhere on the Internet, and it can range from undeserved insults > and slanders to sophisticated social engineering con games involving > millions of dollars. But none of that "abuse ON the network" in any way > threatens the operational status of any part of the net. 
Conversely, of > course, spam and DoS attacks directly threaten the operational status of > either parts of the net or, in sum, even the whole thing, and thus, by > tradition among the people I commonly hang out with, "abuse OF the net" is > widely considered to be the only thing (a) that humans can reasonably > fight and also (b) in many people's minds, it is the only thing that's > _worth_ fighting for. (After all, the world and the net will go on even > if you or I are heinously slandered or even defrauded, tomorrow, somewhere > on the Internet.) > > The upshot of all this line of thinking is that some (many?) believe that > it's not even the job of an ISP abuse desk to even delve into any matters > that do not clearly affect network operational status. At any and all > ISPs of this persuasion, a note to abuse@ regarding a clear trademark > violation (and a plausible/possible phishing threat) would be discarded > virtually the moment it was opened. > > _=_=_= > > I'm not saying that any of the above are ``good'' reasons why a report like > the one sent to you from BofA _should_ be effectively ignored by the person > or robot tasked with reading mail sent to abuse@ (at various ISPs). I am > only saying that out here in the Real World, that is, alas, what often > would (and does) happen. > > >>> If your first language isn't English then I suspect you'll dismiss it > >>> as spam .. .. I know some of my staff did and they supposedly speak > >>> English > >> > >> Again, I am utterly baffled by your comment. Can you explain why anyone > >> would ever dismiss BofA's message to you as spam? > > > >Read the message. Instead of simply stating that they are alerting us to > >an issue they start off with a long convoluted text about their trademarks, > >which is totally irrelevant to us. All we want to know is that someone is > >reporting abuse, what type of abuse it is and where it is located. 
> > OK, now _here_ you have a point that I cannot reasonably take issue with. > And your point is, I think, not only valid but also, potentially very > useful. You're right. I think the way that people in the news business > commonly express the point you just made is that it is bad practice to > "bury the lead", i.e. it's important to express the major point you are > trying to make (in a news story or in an abuse report) clearly, concisely, > and in the first sentence. > > That's a good lesson for all of us writers of abuse reports, and one I'll > try, in future, never to forget myself. > > >You might not find this hard to understand, but I suspect this is because > >you are used to reading these kind of emails and might be immune to how > >badly worded they are. > > No, actually, it is more because I have some extensive experience reading > legal documents (e.g. court filings) and thus I'm already so adept at > hacking through the thicket of words (to find the meat) that it's almost > second nature (and automatic/subconscious) to me now, kind of like people > who are so practiced that they can almost play a piano concerto in their > sleep. That explains why, when I see something like that BofA e-mail you > posted, its verbosity and/or failure to clearly and quickly come to the > point doesn't faze me in the slightest. (I guess that I have been hanging > out with lawyers too long. :-) > > > Regards, > rfg

From thor.kottelin at turvasana.com Thu Dec 23 08:59:21 2010 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Thu, 23 Dec 2010 09:59:21 +0200 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <51348.1293087583@tristatelogic.com> References: <97C58E22-A243-4A57-9602-7184B5D3522A@blacknight.ie> <51348.1293087583@tristatelogic.com> Message-ID:

> -----Original Message----- > From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg- > admin at ripe.net] On Behalf Of Ronald F. 
Guilmette > Sent: Thursday, December 23, 2010 9:00 AM > To: > In message <97C58E22-A243-4A57-9602-7184B5D3522A at blacknight.ie>, > "Michele Neylon :: Blacknight" wrote: > > Instead of simply stating that they are alerting > us to an > > issue they start off with a long convoluted text about their > trademarks, w > >hich is totally irrelevant to us. > You're right. I think the way that people in the news business > commonly > express the point you just made is that it is bad practice to "bury > the > lead", i.e. its important to express the major point you are trying > to > make (in a news story or in an abuse report) clearly, concisely, > and in > the first sentence. What was the "Subject:" line of the takedown request? (My apologies if it was already mentioned. The archive at http://www.ripe.net/ripe/maillists/archives/anti-abuse-wg/2010/ seems to be broken. "Archive Last Changed: 01 December 2010 17:58 CET") -- Thor Kottelin http://www.anta.net/

From rfg at tristatelogic.com Thu Dec 23 09:31:06 2010 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 23 Dec 2010 00:31:06 -0800 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: Message-ID: <52383.1293093066@tristatelogic.com>

In message , Esa Laitinen wrote: >On Wed, Dec 22, 2010 at 12:33 AM, Ronald F. Guilmette > wrote: > >> I confess that I am utterly baffled by your comment. The message from BofA >> seemed altogether clear and entirely straightforward and unambiguous to me. >> >> What is it, exactly, about that message that caused you to have any >> difficulty >> in "working it out"? >> >> >Well, I for one had hard time to find the beef, and I'm language skills are >reasonably good. Assuming that the above was not a veiled attempt at humor, allow me to say that some might find cause to question your assertion, embedded within the assertion itself. 
But yes, as I previously agreed (in another posting), the language of the notice from BofA was indeed verbose, prolix, and failed to clarify the issue that prompted the e-mail within the first sentence, as it should have. Regards, rfg

From rfg at tristatelogic.com Thu Dec 23 10:52:44 2010 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 23 Dec 2010 01:52:44 -0800 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <201012230917.20959.kzorba@otenet.gr> Message-ID: <53254.1293097964@tristatelogic.com>

In message <201012230917.20959.kzorba at otenet.gr>, Kostas Zorbadelos wrote: >On Thursday, December 23, 2010 08:59:43 am Ronald F. Guilmette wrote: > >Now, let me see if I get this right... >This post contains more than a 1000 words, to argue about NOT using abuse >contacts, in the real world, Yes. >and this is how reports should be sent? This last part of your sentence seems entirely disconnected and unrelated to the first part. If there was in fact some connection between the two which you intended to convey, please do enlighten me about what that might be. The first part seems to be about a message I sent as part of a discussion (hopefully a detailed and intelligent one) here on the RIPE Anti-Abuse working group mailing list, while the latter part seems to be about how e-mails sent to ISP abuse@ contacts should or should not appear. Was there some rule somewhere that says that both types of communication should be of similar style and/or of equal length? If so, I missed that. >I am definitely missing something here... Either you are or I am. One of the two. 
Regards, rfg

From kzorba at otenet.gr Thu Dec 23 11:37:21 2010 From: kzorba at otenet.gr (Kostas Zorbadelos) Date: Thu, 23 Dec 2010 12:37:21 +0200 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <53254.1293097964@tristatelogic.com> References: <53254.1293097964@tristatelogic.com> Message-ID: <201012231237.21841.kzorba@otenet.gr>

On Thursday, December 23, 2010 11:52:44 am Ronald F. Guilmette wrote: > In message <201012230917.20959.kzorba at otenet.gr>, > > Kostas Zorbadelos wrote: > >On Thursday, December 23, 2010 08:59:43 am Ronald F. Guilmette wrote: > > If I may use an "analogy" from the programming world you seem to quite overload the meaning of words. To me the thing is as clear as this: a discussion was raised because of an abuse report sent to someone and it was written and addressed in such a way that the recipient could have mistaken it as SPAM. Now I get that you are saying that we should generally not use in the "real world" abuse contacts to send reports or anything else related to abuse. To me this doesn't make sense. Having said this, I consider the case closed. I think that we (as a group) should try to produce more meaningful and actual work on anti-abuse. But this is the subject of a different mail I intend to send to the list a bit later... Regards, Kostas > >Now, let me see if I get this right... > >This post contains more than a 1000 words, to argue about NOT using abuse > >contacts, in the real world, > > Yes. > > >and this is how reports should be sent? > > This last part of your sentence seems entirely disconnected and unrelated > to the first part. If there was in fact some connection between the two > which you intended to convey, please do enlighten me about what that might > be. 
> > The first part seems to be about a message I sent as part of a discussion > (hopefully a detailed and intelligent one) here on the RIPE Anti-Abuse > working group mailing list, while the latter part seems to be about how > e-mails sent to ISP abuse@ contacts should or should not appear. > > Was there some rule somewhere that says that both types of communication > should be of similar style and/or of equal length? If so, I missed that. > > >I am definitely missing something here... > > Either you are or I am. One of the two. > > > Regards, > rfg

From rfg at tristatelogic.com Thu Dec 23 12:22:22 2010 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 23 Dec 2010 03:22:22 -0800 Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down In-Reply-To: <201012231237.21841.kzorba@otenet.gr> Message-ID: <53979.1293103342@tristatelogic.com>

In message <201012231237.21841.kzorba at otenet.gr>, Kostas Zorbadelos wrote: >Now I get that you are saying that we should generally not use in the "real >world" abuse contacts to send reports or anything else related to abuse. Actually, I never said anything remotely like that. Not even close. I merely noted all of the reasons why someone (or some company) trying to protect their trademarks from being misused in conjunction with apparent phishing sites might reasonably avoid even trying to file a report about a problem like that with any abuse@ type e-mail address. I didn't even say that I felt that BofA had done either the Right Thing or the Best Thing in this case. I was merely defending their choices as probably being reasonable ones... even if perhaps not the best ones... given the actual (sad) situation "on the ground" on the net these days. >To me this doesn't make sense. Indeed. Had I in fact said what you thought I said, then I would agree that what I said would not have made sense. But I didn't, so I don't. >Having said this, I consider the case closed. 
>I think that we (as a group)
>should try to produce more meaningful and actual work on anti-abuse.

Well now hold on just one moment.

As I said before, other people here have previously noted that mandating abuse contact e-mail addresses in RIPE whois may be a fruitless exercise in futility if there is nobody on the other end of those e-mail addresses, reading the stuff sent there. But that's only one of the many ways that such contact e-mail addresses might be rendered less-than-useful, or at any rate less than as maximally useful as they could potentially be.

Another thing that... as this BofA example has shown... might cause those newly mandated abuse@ addresses to be less than maximally useful is if the people sending to those addresses, and the people who are reading the messages coming in to those addresses have fundamental disagreements about what is or what is not an appropriate kind of "abuse" that should be reported to said addresses.

In short, what I suspect we all might benefit from would be (a) a Best Current Practices document which would clearly lay out what kinds of "abuse" these newly mandated e-mail contact addresses should be handling (and perhaps even an outline of what they should be doing to respond to different kinds of reports, e.g. trademark infringement, with a possible helping of phishing on the side). Without such a BCP document, disagreements, between sender and receivers, about where to send different kinds of "abuse" reports (as illustrated by this BofA example) may continue and even proliferate.

Furthermore, and again as this BofA example has helped to illustrate, it seems to me that perhaps development of a community-endorsed BCP for abuse _reporters_ would be just as useful and just as important as a community-endorsed BCP for abuse report handlers.

In the absence of both/either, the current plan to mandate abuse contacts in RIPE records may in the end have little practical effect, i.e.
if it is still the case that nobody has any solid or commonly agreed ideas about how or for what purposes such things might be used.

I disagree that discussion of such matters fails to constitute "meaningful and actual work on anti-abuse." In fact it might be argued that discussion of such matters may go to the heart of net's abundant, multiple, and growing abuse problems. After all, if nobody even agrees on what abuse is, what kinds should be reported, or where, or what reasonable ISPs should do about "abuse", then it seems to me that everything else that we... the collective we... might undertake "meaningful and actual work on" might in the end, be rendered utterly superfluous by these more fundamental unresolved disagreements.

Regards,
rfg

From brian.nisbet at heanet.ie Thu Dec 23 12:35:45 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 23 Dec 2010 11:35:45 +0000
Subject: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down
References: <97C58E22-A243-4A57-9602-7184B5D3522A@blacknight.ie> <51348.1293087583@tristatelogic.com>
Message-ID: <4D133411.20205@heanet.ie>

"Thor Kottelin" wrote the following on 23/12/2010 07:59:
>> -----Original Message-----
>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net] On Behalf Of Ronald F. Guilmette
>> Sent: Thursday, December 23, 2010 9:00 AM
>> To:
>
>> In message <97C58E22-A243-4A57-9602-7184B5D3522A at blacknight.ie>,
>> "Michele Neylon :: Blacknight" wrote:
>
>>> Instead of simply stating that they are alerting us to an
>>> issue they start off with a long convoluted text about their
>>> trademarks, which is totally irrelevant to us.
>
>> You're right. I think the way that people in the news business commonly
>> express the point you just made is that it is bad practice to "bury the
>> lead", i.e.
>> it's important to express the major point you are trying to
>> make (in a news story or in an abuse report) clearly, concisely, and in
>> the first sentence.
>
> What was the "Subject:" line of the takedown request?
>
> (My apologies if it was already mentioned. The archive at
> http://www.ripe.net/ripe/maillists/archives/anti-abuse-wg/2010/ seems to be
> broken. "Archive Last Changed: 01 December 2010 17:58 CET")

The lovely people in the NCC tell me this should now be fixed.

Brian.

From shane at time-travellers.org Thu Dec 23 12:38:53 2010
From: shane at time-travellers.org (Shane Kerr)
Date: Thu, 23 Dec 2010 12:38:53 +0100
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
Message-ID: <1293104333.2386.209.camel@shane-asus-laptop>

All,

On Tue, 2010-12-21 at 17:36 +0000, Michele Neylon :: Blacknight wrote:
> Got this earlier today (not to our abuse contact of course .. )
>
> Couple of things to note
>
> Unless you read it a few times it's not easy to work out what the hell
> they are actually asking about

Does it make any sense to produce a RIPE document suggesting the proper way to report abuse?

This document can be short & sweet, just like the reports should be. A few good ideas are already in this thread: report to the right people, say the important bits up-front, and so on.
--
Shane

From mir at ripe.net Thu Dec 23 12:33:40 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Thu, 23 Dec 2010 12:33:40 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <4CD8008A.3050709@ripe.net>
References: <4CCA8762.3020605@ripe.net> <4CD8008A.3050709@ripe.net>
Message-ID: <4D133394.9040008@ripe.net>

Dear colleagues,

Following up from his earlier posts on RIPE Labs, John Quarterman is now looking at 'ASN Ranking Correlations Between Spam Blocklists':

http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-blocklist

Kind Regards and Happy Holidays,

Mirjam Kuehne
RIPE NCC

From michele at blacknight.ie Thu Dec 23 13:42:03 2010
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 23 Dec 2010 12:42:03 +0000
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To: <1293104333.2386.209.camel@shane-asus-laptop>
References: <1293104333.2386.209.camel@shane-asus-laptop>
Message-ID: <90870C82-86EA-4092-9FCB-465A8B3080EE@blacknight.ie>

On 23 Dec 2010, at 11:38, Shane Kerr wrote:

> All,
>
> On Tue, 2010-12-21 at 17:36 +0000, Michele Neylon :: Blacknight wrote:
>> Got this earlier today (not to our abuse contact of course .. )
>>
>> Couple of things to note
>>
>> Unless you read it a few times it's not easy to work out what the hell
>> they are actually asking about
>
> Does it make any sense to produce a RIPE document suggesting the proper
> way to report abuse?
>
> This document can be short & sweet, just like the reports should be. A
> few good ideas are already in this thread: report to the right people,
> say the important bits up-front, and so on.
>
> --
> Shane
>

Shane

That would make a lot of sense to me :)

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From brian.nisbet at heanet.ie Thu Dec 23 13:45:50 2010
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 23 Dec 2010 12:45:50 +0000
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To: <1293104333.2386.209.camel@shane-asus-laptop>
References: <1293104333.2386.209.camel@shane-asus-laptop>
Message-ID: <4D13447E.3010707@heanet.ie>

"Shane Kerr" wrote the following on 23/12/2010 11:38:
> All,
>
> On Tue, 2010-12-21 at 17:36 +0000, Michele Neylon :: Blacknight wrote:
>> Got this earlier today (not to our abuse contact of course .. )
>>
>> Couple of things to note
>>
>> Unless you read it a few times it's not easy to work out what the hell
>> they are actually asking about
>
> Does it make any sense to produce a RIPE document suggesting the proper
> way to report abuse?
>
> This document can be short & sweet, just like the reports should be. A
> few good ideas are already in this thread: report to the right people,
> say the important bits up-front, and so on.

It makes a lot of sense. The BCP on how to report and act on abuse/avoid abuse has been a headline action for the group. I haven't done enough on this and I'm not sure I'm going to be able to in the short term.
I am hoping that adding a co-chair to the group will help on this, but either way, if someone is willing to lead this piece of work, I will assist them in any way I can (both with wording, resources and process). There are people willing to help, but the project needs someone to head it up.

Thanks,

Brian.
Chair, AA-WG

From tk at abusix.com Thu Dec 23 16:30:15 2010
From: tk at abusix.com (Tobias Knecht)
Date: Thu, 23 Dec 2010 16:30:15 +0100
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To: <1293104333.2386.209.camel@shane-asus-laptop>
References: <1293104333.2386.209.camel@shane-asus-laptop>
Message-ID: <4D136B07.8060108@abusix.com>

Hi all,

> Does it make any sense to produce a RIPE document suggesting the proper
> way to report abuse?
>
> This document can be short & sweet, just like the reports should be. A
> few good ideas are already in this thread: report to the right people,
> say the important bits up-front, and so on.

We are already working on a format, that is used by more and more people. It is meant as an extension to the well known RFC 5965 ARF. Called X-ARF. http://xarf.org

Everybody who is interested in helping and using it, let us know and we can subscribe you to the mailing list.

Some tools are already available here: https://github.com/xarf

Thank you everybody and Merry Christmas

Tobias

--
abusix

From rfg at tristatelogic.com Fri Dec 24 00:58:46 2010
From: rfg at tristatelogic.com (Ronald F.
Guilmette)
Date: Thu, 23 Dec 2010 15:58:46 -0800
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <4D133394.9040008@ripe.net>
Message-ID: <61270.1293148726@tristatelogic.com>

In message <4D133394.9040008 at ripe.net>,
Mirjam Kuehne wrote:

>Dear colleagues,
>
>Following up from his earlier posts on RIPE Labs, John Quarterman is now
>looking at 'ASN Ranking Correlations Between Spam Blocklists':
>
>http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-blocklist

I skimmed this document, and I'm still not 100% sure that I have grasped the ultimate point.

It begins thus:

"Comparing ASN rankings by spam volume from two different data sources... indicates there is enough correlation to have confidence in the rankings."

Yes. And?

This is a little like saying that the track records of multiple meteorologists do indeed indicate that yes, by and large they generally seem to get it right. But then what is the functional value of that knowledge? Is the point here that I can leave my umbrella at home when two or more of them say that it's not going to rain today?

Is the point of Mr. Quarterman's study that certain entire ASNs may be safely or reasonably blacklisted?

Regards,
rfg

From blakjak at gmail.com Fri Dec 24 22:44:37 2010
From: blakjak at gmail.com (Mark Foster)
Date: Sat, 25 Dec 2010 10:44:37 +1300
Subject: Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
References: <1293104333.2386.209.camel@shane-asus-laptop> <4D136B07.8060108@abusix.com>

... This too.
---------- Forwarded message ----------
From: Mark Foster
Date: Fri, Dec 24, 2010 at 9:54 AM
Subject: Re: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
To: tk at abusix.com

2010/12/24 Tobias Knecht

> Hi all,
>
> > Does it make any sense to produce a RIPE document suggesting the proper
> > way to report abuse?
> >
> > This document can be short & sweet, just like the reports should be. A
> > few good ideas are already in this thread: report to the right people,
> > say the important bits up-front, and so on.
>
> We are already working on a format, that is used by more and more
> people. It is meant as an extension to the well known RFC 5965 ARF.
> Called X-ARF. http://xarf.org
>
> Everybody who is interested in helping and using it, let us know and we
> can subscribe you to the mailing list.
>
> Some tools are already available here: https://github.com/xarf
>

Anything that makes reporting abuse harder for the victim, is counter-productive, IMHO.

This to me is all an attempt to make abuse-complaint-receivers better equipped to use automation to deal with complaints. No one who reports abuse likes talking to automation.

Mark.

From blakjak at gmail.com Fri Dec 24 22:43:36 2010
From: blakjak at gmail.com (Mark Foster)
Date: Sat, 25 Dec 2010 10:43:36 +1300
Subject: Fwd: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down
References: <97C58E22-A243-4A57-9602-7184B5D3522A@blacknight.ie> <51348.1293087583@tristatelogic.com>

Sent this directly to Ronald by mistake, it was meant for the list...

---------- Forwarded message ----------
From: Mark Foster
Date: Fri, Dec 24, 2010 at 9:48 AM
Subject: Re: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down

On Thu, Dec 23, 2010 at 7:59 PM, Ronald F.
Guilmette wrote:

>
>
> #2) Even for those networks where abuse@ is not aliased to /dev/null,
> sending anything other than a _spam_ report to that address will typically
> engender either (a) no response at all (with the message being silently
> discarded) or else (b) an irritated response of the form "Why are you
> sending this to abuse@??" or else (c) a more or less automated response
> (either from an actual program or else from a low-paid human who has been
> trained to act like one) the form "We're sorry, but we cannot accept
> abuse complaints without either (a) a full set of e-mail headers or else
> (b) a complete set of system intrusion logs."
>

I find myself taking exception to this and whilst I usually lurk in the background here I think it needs to be said:

- I would expect any malicious or illegal behavior to be reported to abuse@
- Whilst Spam reports will form the vast majority of these, I expect my Abuse-Queue-Staff to be plucking the _non_-Spam reports out for early attention (as other types of abuse are more frequently time sensitive).

Those who do tech support are familiar with the idea of triage in a customer-facing sense; the stuff that's likely to have large ramifications, either in scale, or PR, or cost, will get early attention because that's just commonsense.

For stuff happening in real-time that's a serious issue (say a DoS) I have (as an engineer) taken both emails and phonecalls directly - but I still expect a report to abuse@ so that the appropriate records are able to be created and placed on file for future legal or customer-service obligations.

This logic has applied for ISPs operating with 1000 to 500,000 customers. Unfortunately as your organisation gets larger, the 'human touch' of handling abuse cases seems to disappear and you do wind up with lesser-cloo'd people dealing with the complaints, and using templated answers that infuriate those who're actually taking the time to report abuse.
The number of people these days who simply block, or ignore, abusive internet behavior, is counter-productive to those ISPs who are resultantly blind as to the actual negative impact their customers are having.

So with these points in mind, (a) above is possible, but a move that demonstrates poor 'internet citizenship' on the part of the ISP, (b) shouldn't ever happen, and in my experience only happens when you land an idiot at the other end, and (c) again demonstrates poor internet citizenship. To the point where I will actively take my business away from any organisation that operates that way.

My current issue is with Yahoo's requirement that all complaints comply with ARF. They're one of the biggest sources of spam and have opted to require complaints to fit into their particular brand of round-shaped-hole or they're going to ignore the report. I refuse to waste more of my time reporting spammers, and instead am much more prepared to simply block their domain(s) with a reject line similar to 'mail will not be accepted until Yahoo stops with the head-in-sand technique of operating, and instead deals with the spammers in its midst'.

If your operation is big enough to spin millions of dollars per year in revenue, you're big enough to be a responsible netizen and show some respect to anyone taking the time to report abuse. Because if you deliberately ignore complaints, you become responsible for the behavior itself and become an accessory to the abuse, or crime, in effect.

>
>
> #3) Although, for the various reasons noted above, and others, sending a
> report like this to an abuse@ address might yield no meaningful or useful
> action at all, the mere presence of the corporate abuse@ address, either
> in the To: header or in the Cc: header would most likely cause any and
> all other parties to whom such a report had been addressed (and who might
> otherwise potentially be more responsive/responsible than abuse@) to
> simply
> trash the message, e.g.
> because they might reasonably assume that "Oh!
> This was sent to abuse@ too, so the abuse department/person will surely
> handle it, and I don't need to get involved."
>

If your abuse@ team are of any value, they will of course do exactly that. If you're an 'other recipient' then in good conscience you should at least be checking with them to ensure it's followed up. That's customer service 101. Is the risk to your reputation worth it?

> #4) Last but not least, in the circles I travel in, a clear and unambiguous
> distinction is often drawn between "abuse ON the network" and "abuse OF the
> network". As we all know, the latter occurs almost every second of the
> day,
> somewhere on the Internet, and it can range from undeserved insults and
> slanders to sophisticated social engineering con games involving millions
> of dollars. But none of that "abuse ON the network" in any way threatens
> the operational status of any part of the net. Conversely, of course, spam
> and DoS attack directly threaten the operational status of either parts of
> the net or, in sum, even the whole thing, and thus, by tradition among the
> people I commonly hang out with, "abuse OF the net" is widely considered to
> be the only thing (a) that humans can reasonably fight and also (b) in many
> people's minds, it is the only thing that's _worth_ fighting for. (After
> all, the world and the net will go on even if you or I are heinously
> slandered
> or even defrauded, tomorrow, somewhere on the Internet.)
>

If someone reports a customer of mine breaching T&C I will expect our customer care team to enforce T&C. Antisocial behavior might not be a T&C breach. If it crosses that line, however, we'll act as a reasonable ISP should. If the customer's conduct is illegal, or a DoS, or spam, or other behavior which will negatively affect our own online reputation, we'll similarly take steps to respond.
Often an external report is the way that we find out about this behavior - we don't have eyes everywhere.

> The upshot of all this line of thinking is that some (many?) believe that
> it's not even the job of an ISP abuse desk to even delve into any matters
> that do not clearly affect network operational status. At any and all
> ISPs of this persuasion, a note to abuse@ regarding a clear trademark
> violation (and a plausible/possible phishing threat) would be discarded
> virtually the moment it was opened.
>
>

The ISP is responsible for being a good online citizen (morally). But they're also obliged to preserve their own reputation if they want to ensure folks won't simply blackhole their traffic, so if they choose to turn a blind eye to the problems their customers cause, ultimately it will affect their bottom line. The ISP will then care - so the ISP's Abuse Desk, being the group who deal with the outside world in respects abusive behavior online, should be prepared to deal with this. Across the several ISPs I've worked for, this is certainly the case. And I will actively steer business away from any ISP who chooses to renege on this obligation.

Mark.

From rfg at tristatelogic.com Mon Dec 27 00:10:05 2010
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sun, 26 Dec 2010 15:10:05 -0800
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <1293396598.484327.23897@bolo.quarterman.com>
Message-ID: <47756.1293405005@tristatelogic.com>

In message <1293396598.484327.23897 at bolo.quarterman.com>,
"John S.
Quarterman" wrote:

>The purpose of the proposed ranking system is that the organizations
>that own the ASNs should be concerned that people might decide to
>blacklist them,

Unfortunately, I rather doubt that any sort of ranking will have that effect, which is a pity, because in an ideal world, these kinds of ranking _should_ have the effect of generating concern among those ASNs that receive bad rankings.

But the reality is that instances of entire ASNs being blacklisted by anybody and/or for anything are few and far between. Thus we have the current situation where certain ASes make a healthy business out of thumbing their noses at the rest of the Internet community as they continue to host rampant criminality, etc.

>or, for example if the organization is a bank,
>that people might not want to do business with a bank that has
>sufficiently bad Internet security that it is emitting spam.
>If an organization has that many vulnerabilities, some of them
>may also be exploitable for DDoS attacks or for password sniffing
>of customers or for other nefarious ends.
>
>Conversely, organizations that have good security should emit
>very little spam, and they could brag about their good rankings
>and thus retain and gain customers.

I only wish that the world operated in so simple a fashion.

Unfortunately, because network operators the world over have been consistently reluctant to do what is necessary to forcefully shun the criminal, and the merely irresponsible, from their midst, instead of a bad reputation causing loss of connectivity, it often seems to have the perverse effect of generating even more business for various well-known criminal-friendly ASNs.

Regards,
rfg

From jsq at quarterman.com Sun Dec 26 21:49:48 2010
From: jsq at quarterman.com (John S. Quarterman)
Date: Sun, 26 Dec 2010 15:49:48 -0500
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: Your message of "Thu, 23 Dec 2010 15:58:46 PST."
<61270.1293148726@tristatelogic.com>
Message-ID: <1293396598.484327.23897@bolo.quarterman.com>

Howdy,

My response is inline below.

> In message <4D133394.9040008 at ripe.net>, Mirjam Kuehne wrote:
>
> >Dear colleagues,
> >
> >Following up from his earlier posts on RIPE Labs, John Quarterman is now
> >looking at 'ASN Ranking Correlations Between Spam Blocklists':
> >
> >http://labs.ripe.net/Members/jsq/asn-ranking-correlations-between-spam-blocklist

> I skimmed this document, and I'm still not 100% sure that I have grasped
> the ultimate point.
>
> It begins thus:
>
> "Comparing ASN rankings by spam volume from two different data sources...
> indicates there is enough correlation to have confidence in the rankings."
>
> Yes. And?

The point of this particular article is exactly what you quoted: there is enough correlation to have confidence in the rankings. Some people don't believe it is possible to build such a ranking system, so we have demonstrated that it is possible.

> This is a little like saying that the track records of multiple meteorologists
> do indeed indicate that yes, by and large they generally seem to get it right.

Thanks for the complimentary analogy.

> But then what is the functional value of that knowledge? Is the point here
> that I can leave my umbrella at home when two or more of them say that it's
> not going to rain today?
>
> Is the point of Mr. Quarterman's study that certain entire ASNs may be
> safely or reasonably blacklisted?

The purpose of the proposed ranking system is that the organizations that own the ASNs should be concerned that people might decide to blacklist them, or, for example if the organization is a bank, that people might not want to do business with a bank that has sufficiently bad Internet security that it is emitting spam. If an organization has that many vulnerabilities, some of them may also be exploitable for DDoS attacks or for password sniffing of customers or for other nefarious ends.
Conversely, organizations that have good security should emit very little spam, and they could brag about their good rankings and thus retain and gain customers.

See the other articles in this series (there are links at the end of the present article) for more about the proposed rankings and related certifications, SLA self-insurance, and insurance policies.

> Regards,
> rfg

Thanks for your comment,

-jsq

From jorgen at hovland.cx Mon Dec 27 12:29:11 2010
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Mon, 27 Dec 2010 12:29:11 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <1293396598.484327.23897@bolo.quarterman.com>
References: <1293396598.484327.23897@bolo.quarterman.com>
Message-ID: <4D187887.1000002@hovland.cx>

Hi,

On 26/12/2010 21:49, John S. Quarterman wrote:
>
>> "Comparing ASN rankings by spam volume from two different data sources...
>> indicates there is enough correlation to have confidence in the rankings."
>>
> The point of this particular article is exactly what you quoted:
> there is enough correlation to have confidence in the rankings.
> Some people don't believe it is possible to build such a ranking
> system, so we have demonstrated that it is possible.
>

Strictly speaking it isn't ranking the spam volume. It indicates how many IP-addresses per ASN are added to a certain blocklist. It doesn't indicate the amount of spam from the IP or the ASN measured by customer and/or mail volume.

>> But then what is the functional value of that knowledge? Is the point here
>> that I can leave my umbrella at home when two or more of them say that it's
>> not going to rain today?
>>
>> Is the point of Mr. Quarterman's study that certain entire ASNs may be
>> safely or reasonably blacklisted?
>>
> The purpose of the proposed ranking system is that the organizations
> that own the ASNs should be concerned that people might decide to
> blacklist them, or, for example if the organization is a bank,
> that people might not want to do business with a bank that has
> sufficiently bad Internet security that it is emitting spam.
> If an organization has that many vulnerabilities, some of them
> may also be exploitable for DDoS attacks or for password sniffing
> of customers or for other nefarious ends.
>

So a quick summary:

An ASN does not represent a single legal entity
Spam in general cannot be defined
It's not ranking the spam volume

Yes, I am really concerned that people might decide to blacklist ASNs due to spam. It doesn't make any sense in almost all cases. But we already have blocklists aggressively doing that with netblocks (uceprotect, spamhaus etc). No serious mailprovider in my neighbourhood uses those blocklists and no serious mailprovider would ever use an asn-blocklist like that to block mail or anything else. The good thing here is that as long as this ASN-blocklist lists AS-numbers in the same manner as uceprotect, "nobody" will use it because it is useless.

> Conversely, organizations that have good security should emit
> very little spam, and they could brag about their good rankings
> and thus retain and gain customers.
>

Organizations that don't use mail at all will emit very little spam.

Cheers,

From peter at hk.ipsec.se Mon Dec 27 17:01:38 2010
From: peter at hk.ipsec.se (peter håkanson)
Date: Mon, 27 Dec 2010 17:01:38 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <4D187887.1000002@hovland.cx>
References: <1293396598.484327.23897@bolo.quarterman.com> <4D187887.1000002@hovland.cx>
Message-ID: <7C104C5D-32E1-4F28-AAF8-76AC6FFBF414@hk.ipsec.se>

On Dec 27, 2010, at 12:29 PM, Jørgen Hovland wrote:

> Hi,
>
> On 26/12/2010 21:49, John S.
Quarterman wrote:
>>
>>
>
> Organizations that don't use mail at all will emit very little spam.

Wrong. Organizations that don't use mail might still be spam-emitters if their security is bad. In fact organizations that don't understand security are likely to be victims of spambots.

>
> Cheers,
>

From jdfalk-lists at cybernothing.org Mon Dec 27 20:38:52 2010
From: jdfalk-lists at cybernothing.org (J.D. Falk)
Date: Mon, 27 Dec 2010 11:38:52 -0800
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To: <1293104333.2386.209.camel@shane-asus-laptop>
References: <1293104333.2386.209.camel@shane-asus-laptop>

On Dec 23, 2010, at 3:38 AM, Shane Kerr wrote:

> Does it make any sense to produce a RIPE document suggesting the proper
> way to report abuse?
>
> This document can be short & sweet, just like the reports should be. A
> few good ideas are already in this thread: report to the right people,
> say the important bits up-front, and so on.

Similar documents were written in years past, but something up to date would be very welcome.

On Dec 23, 2010, at 7:30 AM, Tobias Knecht wrote:

> We are already working on a format, that is used by more and more
> people. It is meant as an extension to the well known RFC 5965 ARF.
> Called X-ARF. http://xarf.org

When will your proposed extension be brought to the IETF, so it can be made an official standard?

From joe at oregon.uoregon.edu Mon Dec 27 19:09:08 2010
From: joe at oregon.uoregon.edu (Joe St Sauver)
Date: Mon, 27 Dec 2010 10:09:08 -0800 (PST)
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
Message-ID: <10122710090862_81BC@oregon.uoregon.edu>

jorgen at hovland.cx commented:

#So a quick summary:
#An ASN does not represent a single legal entity

Actually, at least some ASNs do represent single legal entities.
For example, AS25 is the University of California at Berkeley and AS4983 is Intel, just to mention a couple of many examples. Other ASNs may represent ISPs which provide services to multiple downstream customers, but those ISPs are still "single legal entities"

I think the point that you're trying to make is that blocking by ASN is overly broad, and might cause too much collateral damage in some cases. I would agree with you, for example, that folks likely wouldn't want to block AS701, for example, but in other cases blocking by ASN, or at least accumulating reputation by ASN, may be quite feasible.

#Spam in general cannot be defined

Sure it can, and many folks offer definitions, including folks such as Spamhaus, see http://www.spamhaus.org/definition.html

Other entities, such as MAAWG, prefer to opt out of the whole "what is and what isn't spam" debate, simply referring to "abusive mail" for things like their quarterly email metrics reports (see http://www.maawg.org/email_metrics_report )

#It's not ranking the spam volume

People can (and do) track spam volume by IP, by the netblock encompassing a spamming IP, by in-addr domain, and yes, by ASN. Some track actual spam volume by ASN, others may just track the number of observed spam sources (e.g., typically botted hosts) per ASN. Both can be interesting numbers, and the two are typically strongly correlated.

And FWIW, ASNs do work just fine as an aggregation channel for network abuse sources, particularly since who's *using* (e.g., routing) a network block may be more important than the person to whom a given netblock may nominally be assigned or allocated (e.g., we know that number resources can and have been hijacked). There's also the pragmatic reality that you may not be allowed to do the sustained volume of whois queries you'd need to do to map all observed IPs to encompassing netblocks, but you can easily map IPs to ASNs at the rate that's required.
(Besides, trying to work at the per-netblock level is pretty unwieldy when it comes to things like maintaining abuse point of contact information, while ASN point of contact information is far more stable).

#Yes, I am really concerned that people might decide to blacklist ASNs #due to spam. It doesn't make any sense in almost all cases.

I'd have to disagree with your assertion that "it doesn't make sense in almost all cases." There are some ASNs that may be routing only a small amount of space, and which seem to have an extremely strong correlation with badness. In those cases it may make perfect sense for an ISP to decide that it doesn't want to exchange traffic with that provider. Heck, some people just tag their incoming email with the ASN of the handoff host, and then let selected anti-spam products automatically handle the hand-off host's ASN as added to the header as just another Bayesian message attribute -- if it is helpful when it comes to classifying spam and non-spam, it gets used; if it isn't, it doesn't. Shrug. See http://linuxmafia.com/~karsten/Download/procmail-asn-header for one recipe that some folks use for this purpose. In any event, if you elect to route a given network block, you're responsible for the unwanted traffic that may be emitted by that network block.

#But we already have blocklists aggressively doing that with netblocks #(uceprotect, spamhaus etc).
No serious mail provider in my neighbourhood #use those blocklists

You must be in an unusual neighborhood since Spamhaus is generally considered to protect about 1.4 billion mailboxes worldwide according to http://www.spamhaus.org/organization/index.lasso

Regards, Joe St Sauver (joe at oregon.uoregon.edu) http://pages.uoregon.edu/joe/ Disclaimer: all opinions expressed are my own

From tk at abusix.com Mon Dec 27 23:34:41 2010
From: tk at abusix.com (Tobias Knecht)
Date: Mon, 27 Dec 2010 23:34:41 +0100
Subject: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To:
References: <1293104333.2386.209.camel@shane-asus-laptop>
Message-ID: <4D191481.1020105@abusix.com>

> On Dec 23, 2010, at 7:30 AM, Tobias Knecht wrote: > >> We are already working on a format, that is used by more and more >> people. It is meant as an extension to the well known RFC 5965 >> ARF. Called X-ARF. http://xarf.org > > When will your proposed extension be brought to the IETF, so it can > be made an official standard?

At the moment there is no such plan in our pocket. We are trying to figure out what helps people and how we can use the possibilities of the xarf idea best.

Tobias -- abusix
From jorgen at hovland.cx Tue Dec 28 10:06:29 2010
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Tue, 28 Dec 2010 10:06:29 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <10122710090862_81BC@oregon.uoregon.edu>
References: <10122710090862_81BC@oregon.uoregon.edu>
Message-ID: <4D19A895.9070009@hovland.cx>

Hello,

On 27/12/2010 19:09, Joe St Sauver wrote: > jorgen at hovland.cx commented: > > #So a quick summary: > #An ASN does not represent a single legal entity > > Actually, at least some ASNs do represent single legal entities. For example, > AS25 is the University of California at Berkeley and AS4983 is Intel, just to > mention a couple of many examples.

Maybe or maybe not. You have probably no way of knowing that one day to another unless you work for those companies.

> #Spam in general cannot be defined > > Sure it can, and many folks offer definitions, including folks such as > Spamhaus, see http://www.spamhaus.org/definition.html > > Other entities, such as MAAWG, prefer to opt out of the whole "what is > and what isn't spam" debate, simply referring to "abusive mail" for > things like their quarterly email metrics reports (see > http://www.maawg.org/email_metrics_report )

Didn't you just show me that it in fact cannot be defined in general? :)

> #It's not ranking the spam volume > > People can (and do) track spam volume by IP, by the netblock encompassing > a spamming IP, by in-addr domain, and yes, by ASN.

There are several ways to attempt to measure spam. The method used on that website is however bad, but I guess Quarterman was just making a point. A site that does measure real mail volume is senderbase.
> There's also the pragmatic reality that you may not be allowed to do > the sustained volume of whois queries you'd need to do to map all observed > IPs to encompassing netblocks, but you can easily map IPs to ASNs at the > rate that's required. (Besides, trying to work at the per-netblock level > is pretty unwieldy when it comes to things like maintaining abuse point > of contact information, while ASN point of contact information is far more > stable).

Because something is easier doesn't mean it is better (the opposite also applies).

> #Yes, I am really concerned that people might decide to blacklist ASNs > #due to spam. It doesn't make any sense in almost all cases. > > I'd have to disagree with your assertion that "it doesn't make sense > in almost all cases." > > There are some ASNs that may be routing only a small amount of space, > and which seem to have an extremely strong correlation with badness.

I believe you are saying the same thing as I.

> #But we already have blocklists aggressively doing that with netblocks > #(uceprotect, spamhaus etc). No serious mail provider in my neighbourhood > #use those blocklists to block mail or anything else. > > You must be in an unusual neighborhood since Spamhaus is generally > considered to protect about 1.4 billion mailboxes worldwide according > to http://www.spamhaus.org/organization/index.lasso

Certain blocklists have lost their credibility because of their ways of creating collateral damage instead of dealing with the real problem: Spam. The number 1.4 billion becomes interesting when some people believe there are only 1.3 billion mailboxes in the world. None of it is probably true. http://wiki.answers.com/Q/How_many_email_accounts_are_there_in_the_world Blocking entire ASNs is quite feasible when you are incapable of filtering spam.

Cheers,

From rfg at tristatelogic.com Tue Dec 28 12:06:59 2010
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 28 Dec 2010 03:06:59 -0800
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <10122710090862_81BC@oregon.uoregon.edu>
Message-ID: <61809.1293534419@tristatelogic.com>

In message <10122710090862_81BC at oregon.uoregon.edu>, "Joe St Sauver" wrote: >#But we already have blocklists aggressively doing that with netblocks >#(uceprotect, spamhaus etc). No serious mail provider in my neighbourhood >#use those blocklists > >You must be in an unusual neighborhood since Spamhaus is generally >considered to protect about 1.4 billion mailboxes worldwide according >to http://www.spamhaus.org/organization/index.lasso

Well, that's what the marketing department @ Spamhaus tells everybody anyway. I for one have never seen a single shred of proof to back up their rather exorbitant claims in this regard however. But to return to the point at hand, no, generally Spamhaus _doesn't_ block big swaths of IP space... a fact for which I, at least, have criticised them repeatedly. They bend over backwards to be far far too lenient, in my opinion.

Regards, rfg

From vesely at tana.it Tue Dec 28 16:31:17 2010
From: vesely at tana.it (Alessandro Vesely)
Date: Tue, 28 Dec 2010 16:31:17 +0100
Subject: Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To:
References: <1293104333.2386.209.camel@shane-asus-laptop> <4D136B07.8060108@abusix.com>
Message-ID: <4D1A02C5.1070700@tana.it>

On 24/Dec/10 22:44, Mark Foster wrote: > 2010/12/24 Tobias Knecht > >> We are already working on a format, that is used by more and more >> people. It is meant as an extension to the well known RFC 5965 ARF. >> Called X-ARF. http://xarf.org > > Anything that makes reporting abuse harder for the victim, is > counter-productive, IMHO.

Automation is supposed to make reporting easier for the victim, not harder. Many webmail sites already have a "Report as Spam" button.
It should be added to regular (POP3/IMAP) mail clients too.

> This to me is all an attempt to make abuse-complaint-receivers better > equipped to use automation to deal with complaints.

Yes, for the good and the bad of it. Among the goodies, it should be feasible to route spam reports so that a network provider gets a copy and forwards it to the relevant mailbox provider, thereby allowing the former to somehow control the latter.

> No one who reports abuse likes talking to automation.

I think you mean no one who /manually/ reports abuse, as in the OP BofA case. If an abuse@ mailbox is equipped with software that recognizes automatic formats, human recipients might still be able to read the rest in the usual way. Whether a hand-written complaint should be sent to an abuse@ address depends on how report formats will take on. This consideration may explain why some organizations try and push a specific format. The abuse@ address is just mentioned by RFC 2142, but issuing a spam report does not necessarily require even SMTP, although it seems to be the most natural way of reporting email abuse. BTW, there is a third format, developed in the framework of RFC 6045.

From joe at oregon.uoregon.edu Tue Dec 28 17:29:40 2010
From: joe at oregon.uoregon.edu (Joe St Sauver)
Date: Tue, 28 Dec 2010 08:29:40 -0800 (PST)
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
Message-ID: <10122808294083_9796@oregon.uoregon.edu>

Hi, jorgen at hovland.cx commented:

#> #An ASN does not represent a single legal entity #> #> Actually, at least some ASNs do represent single legal entities. For example, #> AS25 is the University of California at Berkeley and AS4983 is Intel, just to #> mention a couple of many examples. # #Maybe or maybe not. You have probably no way of knowing that one day to #another unless you work for those companies.
Routine daily life requires reliance on what some term "basic continuity assumptions", e.g., things that we take for granted because they've always been so. For example, assuming I pay my bills, drinking water will continue to come from my faucets, and not pilsner. I could spend a lot of time checking optimistically for (nearly) free beer, but based on historical consistency and other factors, there doesn't seem to be much point. :-; Similarly, I'm willing to make the "leap of faith" and assume that AS25 will continue to be Berkeley and AS4983 will continue to be Intel, etc. That may be more daring than running with scissors, but I'm comfortable taking the chance and I suspect most other folks are, too.

#> #Spam in general cannot be defined #> #> Sure it can, and many folks offer definitions, including folks such as #> Spamhaus, see http://www.spamhaus.org/definition.html #> #> Other entities, such as MAAWG, prefer to opt out of the whole "what is #> and what isn't spam" debate, simply referring to "abusive mail" for #> things like their quarterly email metrics reports (see #> http://www.maawg.org/email_metrics_report ) # #Didn't you just show me that it in fact cannot be defined in general? :)

No. What you may be noticing is that, unlike units of measurement in the metric system, where a single universal definition exists, squishier concepts (such as spam) may have multiple accepted definitions that exist at the same time. This is not uncommon in the human experience. Beauty, like spam, may mean different things to different people. However, even given regional or cultural differences, changes over time, or differing individual preferences, humans have a working "consensus understanding" of what most would perceive to be beautiful (or of what most would perceive to be spammy).

#A site that does measure real mail volume is senderbase.

Senderbase does indeed measure real email volume.
Unfortunately, that's not the same as spam, although for many sites, spam may be 90% or more of that total volume, so it may be closely correlated for some sites that don't manage their outbound traffic.

#> There's also the pragmatic reality that you may not be allowed to do #> the sustained volume of whois queries you'd need to do to map all observed #> IPs to encompassing netblocks, but you can easily map IPs to ASNs at the #> rate that's required. (Besides, trying to work at the per-netblock level #> is pretty unwieldy when it comes to things like maintaining abuse point #> of contact information, while ASN point of contact information is far more #> stable). # #Because something is easier doesn't mean it is better (the opposite also #applies).

I'm just a pragmatic person, I suppose, happy for solutions that work (even if they may not be perfect). Like many people I'm also lazy. If a "good-enough" solution is also easy to use, I'm doubly delighted.

#> #But we already have blocklists aggressively doing that with netblocks #> #(uceprotect, spamhaus etc). No serious mail provider in my neighbourhood #> #use those blocklists to block mail or anything else. #> #> You must be in an unusual neighborhood since Spamhaus is generally #> considered to protect about 1.4 billion mailboxes worldwide according #> to http://www.spamhaus.org/organization/index.lasso # #Certain blocklists have lost their credibility because of their ways of #creating collateral damage instead of dealing with the real problem: Spam. #The number 1.4 billion becomes interesting when some people believe #there are only 1.3 billion mailboxes in the world. None of it is #probably true. # http://wiki.answers.com/Q/How_many_email_accounts_are_there_in_the_world

I'm not sure that I'd put much stock in an estimate from an unnamed "research organization" (as is the case for the web page you suggested).
As a baseline, I would note that MAAWG alone represents over 1 billion mailboxes (as reported by participating ISPs), although it draws largely from North American and European ISPs (some ISPs from other continents also participate, but not as many as I'd like to see). Just to provide one email account estimate from a *named* research organization, :-), the Radicati Group, Inc., estimates the number of email accounts worldwide at 2.9 billion in 2010 (see http://www.mmdnewswire.com/press-release-distribution-8142.html ). Based on that denominator, I could easily believe that Spamhaus really does have 1.4/2.9*100=48.2% market share.

Regards, Joe Disclaimer: all opinions strictly my own.

From vesely at tana.it Tue Dec 28 18:57:21 2010
From: vesely at tana.it (Alessandro Vesely)
Date: Tue, 28 Dec 2010 18:57:21 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <10122710090862_81BC@oregon.uoregon.edu>
References: <10122710090862_81BC@oregon.uoregon.edu>
Message-ID: <4D1A2501.3070001@tana.it>

On 27/Dec/10 19:09, Joe St Sauver wrote: > jorgen at hovland.cx commented: > > #Spam in general cannot be defined > > Sure it can, and many folks offer definitions, including folks such as > Spamhaus, see http://www.spamhaus.org/definition.html

Although I mostly agree with that definition, it is not quite applicable: * "bulk" is ill defined (by induction), and * "unsolicited" cannot be verified (no opt-in acknowledge protocol). Possibly, reputation ranking should be based on (verified and verifiable) spam reports...

> There's also the pragmatic reality that you may not be allowed to do > the sustained volume of whois queries you'd need [...]

Getting the abuse@ address should be an exception to such limit.

> #Yes, I am really concerned that people might decide to blacklist ASNs > #due to spam. It doesn't make any sense in almost all cases.
> > I'd have to disagree with your assertion that "it doesn't make sense > in almost all cases."

May I ask how blocking by ASN is different than by IP? I consider the latter somewhat anti-historical, in view of IPv6. It is also counter-productive as it tends to favor those who change addresses and names more often (spammers). Does block-by-ASN hinge on intrinsic difficulties in setting up an AS?

> There are some ASNs that may be routing only a small amount of space, > and which seem to have an extremely strong correlation with badness. > In those cases it may make perfect sense for an ISP to decide that > it doesn't want to exchange traffic with that provider.

I would block ranges from Spamhaus' DROP list. It has already defined a file format. Thus, it may be more practical for a host to convert an ASN into the corresponding ranges, and then block those.

> In any event, if you elect to route a given network block, you're > responsible for the unwanted traffic that may be emitted by that > network block.

This statement makes lots of sense! It paves the way for resolving network issues inside the network, rather than resorting to unspecified legal resources.

> #But we already have blocklists aggressively doing that with netblocks > #(uceprotect, spamhaus etc). No serious mail provider in my neighbourhood > #use those blocklists > > You must be in an unusual neighborhood since Spamhaus is generally > considered to protect about 1.4 billion mailboxes worldwide according > to http://www.spamhaus.org/organization/index.lasso

Spamhaus is Spamhaus. However, small mailbox providers will always have difficulties at blocking huge senders. For example, I had to whitelist TelecomItalia when it was blacklisted. Possibly, block-by-ASN should be done by the other ASes, directly and unconditionally. For example, block port 25 after an AS has been proved to blatantly ignore abuse reports... We'd probably need some sort of recognized authority to issue such sentences, though.
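Two of the points argued in this thread come down to the same lookup: Joe's mention of tagging incoming mail with the ASN of the hand-off host so a Bayesian filter can score it, and Alessandro's suggestion to convert an ASN into its address ranges and block those (or block the ranges from a DROP-format list directly). The Python below is an added example, not the procmail recipe linked earlier nor anything from Spamhaus or from the posters. The prefix-to-origin table, the DROP-format lines and the sample message are constructed from documentation ranges and example ASNs, and the X-Origin-ASN header name is chosen here. It goes one step beyond the thread by making the origin lookup longest-prefix, so a customer announcing a more-specific under its own ASN is scored separately from its upstream, which is the collateral-damage case Jørgen is worried about.

```python
"""Origin-ASN tagging and ASN-to-range blocking (added example; not the
procmail-asn-header recipe or any Spamhaus code).  ORIGIN_TABLE, DROP_SAMPLE
and SAMPLE_MAIL are constructed from RFC 5737 prefixes and RFC 5398 ASNs; in
production the table comes from a BGP table dump or an IP-to-ASN DNS zone
and the DROP file from Spamhaus itself."""
import ipaddress
import re
from email import message_from_string

# Constructed prefix -> origin ASN table (hypothetical).  198.51.100.128/25
# is a more-specific with its own origin, so lookups must be longest-prefix.
ORIGIN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("198.51.100.128/25"): 64498,
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("2001:db8:dead::/48"): 64499,
}

# Constructed lines in the DROP file layout ("CIDR ; SBL-id", ';' = comment).
DROP_SAMPLE = """\
; Spamhaus DROP List (constructed sample, not a real excerpt)
203.0.113.0/24 ; SBL000001
2001:db8:dead::/48 ; SBL000002
"""

# Constructed message as our MX (hypothetical mx.example.net) received it.
SAMPLE_MAIL = """\
Received: from relay.example.com (relay.example.com [198.51.100.200])
 by mx.example.net with ESMTP id 1234; Mon, 27 Dec 2010 10:00:00 +0000
From: offer@example.com
To: victim@example.net
Subject: cheap pills

Buy now.
"""

RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_drop(text):
    """Networks in a DROP-format file; ';' comments and blank lines skipped."""
    nets = []
    for line in text.splitlines():
        body = line.split(";", 1)[0].strip()
        if body:
            nets.append(ipaddress.ip_network(body, strict=False))
    return nets


def origin_asn(ip, table=ORIGIN_TABLE):
    """Longest-prefix match of ip against the origin table; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best_net, best_asn = None, None
    for net, asn in table.items():
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_asn = net, asn
    return best_asn


def asn_to_networks(asn, table=ORIGIN_TABLE):
    """Every prefix the table says `asn` originates: the ranges you would put
    in a filter after deciding not to take traffic from that AS."""
    nets = [net for net, origin in table.items() if origin == asn]
    return sorted(nets, key=lambda n: (n.version, n))


def handoff_ip(msg):
    """IP of the host that handed the mail to our MX: the bracketed address in
    the topmost Received header, which our own MX wrote."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    return match.group(1) if match else None


def tag_with_asn(raw, table=ORIGIN_TABLE):
    """Add X-Origin-ASN (header name chosen for this example) so a Bayesian
    classifier can score the hand-off host's AS like any other token."""
    msg = message_from_string(raw)
    ip = handoff_ip(msg)
    asn = origin_asn(ip, table) if ip else None
    msg["X-Origin-ASN"] = str(asn) if asn is not None else "unknown"
    return msg


def is_blocked(ip, drop_nets, blocked_asns, table=ORIGIN_TABLE):
    """True if ip is inside a DROP range or originated by a blocked AS.  The
    longest-prefix origin lookup keeps a customer announcing a more-specific
    under its own ASN out of a block aimed at its upstream."""
    addr = ipaddress.ip_address(ip)
    if any(n.version == addr.version and addr in n for n in drop_nets):
        return True
    return origin_asn(ip, table) in blocked_asns


if __name__ == "__main__":
    drop = parse_drop(DROP_SAMPLE)
    tagged = tag_with_asn(SAMPLE_MAIL)
    print("hand-off", handoff_ip(tagged), "-> AS", tagged["X-Origin-ASN"])
    print("AS64496 ranges:", [str(n) for n in asn_to_networks(64496)])
    print("203.0.113.5 blocked by DROP:", is_blocked("203.0.113.5", drop, set()))
```

Only the topmost Received header is trusted for the hand-off address, since everything below it was written by hosts the sender controls. Swapping the dict for a routing-table dump or a DNS-based IP-to-ASN lookup leaves the matching and tagging logic unchanged.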
From jorgen at hovland.cx Tue Dec 28 21:43:31 2010
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Tue, 28 Dec 2010 21:43:31 +0100
Subject: [anti-abuse-wg] Re: Additional Layers for Economic Incentives to improve Internet Security
In-Reply-To: <10122808294083_9796@oregon.uoregon.edu>
References: <10122808294083_9796@oregon.uoregon.edu>
Message-ID: <4D1A4BF3.3030603@hovland.cx>

On 28/12/2010 17:29, Joe St Sauver wrote: > Hi, > > jorgen at hovland.cx commented: > > #> #An ASN does not represent a single legal entity > #> > > Routine daily life requires reliance on what some term "basic continuity > assumptions", e.g., things that we take for granted because they've always > been so. ... > > ...Similarly, I'm willing to make the "leap of faith" and assume that AS25 will > continue to be Berkeley and AS4983 will continue to be Intel, etc.

I think I'm not being clear enough. I am not talking about the single entity an AS number is registered to. There are probably no AS numbers on the internet that originate traffic from only a single legal entity, including Berkeley. When talking about blacklisting or nullrouting an AS number due to unwanted actions taken from a set of IP addresses you will probably always blacklist other legal entities than just the one(s) you really want to blacklist. The same applies for blacklisting IP addresses although the probability is far less.

> #> #Spam in general cannot be defined > #> > #> Sure it can, and many folks offer definitions, including folks such as > #> Spamhaus, see http://www.spamhaus.org/definition.html > #> > #> Other entities, such as MAAWG, prefer to opt out of the whole "what is > #> and what isn't spam" debate, simply referring to "abusive mail" for > #> things like their quarterly email metrics reports (see > #> http://www.maawg.org/email_metrics_report ) > # > #Didn't you just show me that it in fact cannot be defined in general? :) > > No.
> What you may be noticing is that, unlike units of measurement in > the metric system, where a single universal definition exists, squishier > concepts (such as spam) may have multiple accepted definitions that exist > at the same time.

Which was not what I meant, but you have a point there. Obviously there are a huge number of spam definitions. The problem, if you can call it that, is that your definition is not equal to mine. Therefore, if you tell me that AS65000 is your top 1 spammer in your network, that info is useless to me. You are right that it is fine with many definitions, but when dealing with global/regional policies and anti-abuse, which we for example do on this list, people seem mostly to refer to their own definition and have little or no understanding/respect of the fact that there are others.

> #A site that does measure real mail volume is senderbase. > > Senderbase does indeed measure real email volume. Unfortunately, that's > not the same as spam, although for many sites, spam may be 90% or more > of that total volume, so it may be closely correlated for some sites > that don't manage their outbound traffic.

Although I didn't mention it measured spam volume, there are however others that do.

Cheers,

From blakjak at gmail.com Wed Dec 29 01:30:17 2010
From: blakjak at gmail.com (Mark Foster)
Date: Wed, 29 Dec 2010 13:30:17 +1300
Subject: Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To: <4D1A02C5.1070700@tana.it>
References: <1293104333.2386.209.camel@shane-asus-laptop> <4D136B07.8060108@abusix.com> <4D1A02C5.1070700@tana.it>
Message-ID:

On Wed, Dec 29, 2010 at 4:31 AM, Alessandro Vesely wrote: > On 24/Dec/10 22:44, Mark Foster wrote: > > 2010/12/24 Tobias Knecht > > >> We are already working on a format, that is used by more and more > >> people. It is meant as an extension to the well known RFC 5965 ARF. > >> Called X-ARF.
> >> http://xarf.org > > > > Anything that makes reporting abuse harder for the victim, is > > counter-productive, IMHO. > > Automation is supposed to make reporting easier for the victim, not > harder. Many webmail sites already have a "Report as Spam" button. > It should be added to regular (POP3/IMAP) mail clients too.

Yes, and this is a key point. Standard formats for abuse reporting via email will in turn allow email client developers to embed the tech required to simplify reporting of abuse. However by making it easier, you also increase the chances that the report is inadvertent? For example Gmail allows you to 'undo' reporting as Spam. This would also need to be an option available to a user....

> > This to me is all an attempt to make abuse-complaint-receivers better > > equipped to use automation to deal with complaints. > > Yes, for the good and the bad of it. Among the goodies, it should be > feasible to route spam reports so that a network provider gets a > copy and forwards it to the relevant mailbox provider, thereby > allowing the former to somehow control the latter.

Concur, though again the use of automation means that the network provider can turn a blind eye to it and claim that appropriate action is being taken... it doesn't inspire folks to manually check to ensure action is in fact being taken, that reports aren't repeat in nature, etc.

> > No one who reports abuse likes talking to automation. > > I think you mean no one who /manually/ reports abuse, as in the OP BofA > case. If an abuse@ mailbox is equipped with software that recognizes > automatic formats, human recipients might still be able to read the > rest in the usual way. > > Whether a hand-written complaint should be sent to an abuse@ address > depends on how report formats will take on. This consideration may > explain why some organizations try and push a specific format.
> The > abuse@ address is just mentioned by RFC 2142, but issuing a spam > report does not necessarily require even SMTP, although it seems to be > the most natural way of reporting email abuse. > > BTW, there is a third format, developed in the framework of RFC 6045.

My main personal frustration is that as a 'power' end-user, I read email in various ways; serverside commandline mail program, webmail tool, various pop3/imap tools. At work I'm either using the COE email application or a CRM system that manages email. None of these will support a common, standards-driven method of generating abuse@ reports for spam, etc, for some time. In the meantime I'm constantly frustrated by the time that I'm obliged to waste either a) reporting abuse in the method that ISP X demands, or b) trashing large volumes of junk because to do anything else would take even _longer_. I'm not averse to standards (in fact I'm a big fan) but I'm also a big fan of ensuring a human remains in the loop and able to accept reports that're not within the standard format, at least until it's reasonable to expect _everyone_ to be using the standard format (which could take years)...

Mark.

From rfg at tristatelogic.com Wed Dec 29 03:48:54 2010
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 28 Dec 2010 18:48:54 -0800
Subject: Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To:
Message-ID: <78371.1293590934@tristatelogic.com>

In message , Mark Foster wrote: >Concur, though again the use of automation means that the network provider >can turn a blind eye to it and claim that appropriate action is being >taken...

Those so inclined are already doing that anyway, automation or no automation.

>... it doesn't inspire folks to manually check to ensure action is >in fact being taken, that reports aren't repeat in nature, etc.
I'm not persuaded that it deters such follow-up either. As I (sort of) said earlier, we have all the standards we want for WHO to report network abuse to, and even HOW to report it, but until we have a standard that says what any decent self-respecting network operator or service provider should actually DO, at a minimum, in response to such reports, nothing is going to be any better than it is right now. (It may also not get any better even _after_ we have a formal BCP that we can try to shame wayward providers with, but at least it will be entirely less ambiguous who is and isn't living up to their community responsibilities, once a BCP for abuse handling is ratified and in place.)

Regards, rfg

From vesely at tana.it Wed Dec 29 14:01:22 2010
From: vesely at tana.it (Alessandro Vesely)
Date: Wed, 29 Dec 2010 14:01:22 +0100
Subject: Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down
In-Reply-To:
References: <1293104333.2386.209.camel@shane-asus-laptop> <4D136B07.8060108@abusix.com> <4D1A02C5.1070700@tana.it>
Message-ID: <4D1B3122.60605@tana.it>

On 29/Dec/10 01:30, Mark Foster wrote: > On Wed, Dec 29, 2010 at 4:31 AM, Alessandro Vesely > wrote: >> Automation is supposed to make reporting easier for the victim, >> not harder. Many webmail sites already have a "Report as Spam" >> button. It should be added to regular (POP3/IMAP) mail clients >> too. > > Yes, and this is a key point. > Standard formats for abuse reporting via email will in turn allow > email client developers to embed the tech required to simplify > reporting of abuse. > However by making it easier, you also increase the chances that the > report is inadvertent? For example Gmail allows you to 'undo' > reporting as Spam. This would also need to be an option available to > a user....

Implementation is lacking.
Policies should be devised so that complaints are transmitted backward to each responsible relay, forwarder, or author, along some trusted path. For single hops, this is currently carried out with feedback loops. The possibility to challenge a report should be granted to authors. That is, it would be fair if authors could prompt careless reporters for undoing their reports. In fact, purported authors are probably the only humans who may want to look at the body of a reported message.

>>> This to me is all an attempt to make abuse-complaint-receivers >>> better equipped to use automation to deal with complaints. >> >> Yes, for the good and the bad of it. Among the goodies, it >> should be feasible to route spam reports so that a network >> provider gets a copy and forwards it to the relevant mailbox >> provider, thereby allowing the former to somehow control the >> latter. > > Concur, though again the use of automation means that the network > provider can turn a blind eye to it and claim that appropriate > action is being taken... it doesn't inspire folks to manually check > to ensure action is in fact being taken, that reports aren't repeat > in nature, etc.

This may also be covered by adequate policy dressing. For example, a mailbox provider may choose to ban authors from sending for a period of time proportional to the number of complaints. Such policy can be verified by looking at the "auth" property of reported messages --along with a bunch of methods to validate authentication policies for the relevant provider. This kind of treatment hinges on the ever-missing reputation system...

>> Whether a hand-written complaint should be sent to an abuse@ >> address depends on how report formats will take on. > > My main personal frustration is that as a 'power' end-user, I read > email in various ways; serverside commandline mail program, webmail > tool, various pop3/imap tools. At work I'm either using the COE email > application or a CRM system that manages email.
> None of these will > support a common, standards-driven method of generating abuse@ reports > for spam, etc, for some time. In the meantime I'm constantly > frustrated by the time that I'm obliged to waste either a) reporting > abuse in the method that ISP X demands, or b) trashing large volumes > of junk because to do anything else would take even _longer_.

Mailbox providers should help here. The entity responsible for accepting a message may want to provide the means for reporting it as spam, including any required formatting. IMAP allows for considerable optimizations for such kind of actions. For POP3,  it has been proposed to submit reports to the abuse-mailbox at the server indicated in the Authentication-Results field (the authserv-id of RFC 5451, Section 2.3, in case it is actually a fully-qualified domain name). In any case, reporting through the receiver gives it a chance to adjust its reputation and Bayesian records.

> I'm not averse to standards (in fact I'm a big fan) but I'm also a big > fan of ensuring a human remains in the loop and able to accept reports > that're not within the standard format, at least until it's reasonable > to expect _everyone_ to be using the standard format (which could take > years)...

The fact remains that reading the body of messages reported as spam is a frustrating job that no human would want to routinely undertake. OTOH, there will always be unusual abuse cases that deserve human intelligence.
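The machine-readable format this thread keeps coming back to, RFC 5965 ARF (which X-ARF extends), and the authserv-id rule Alessandro describes for choosing where a POP3 client sends its report can be shown together. The Python below is an added example, not code from xarf.org or from any poster on this list: it wraps a constructed spam sample (RFC 2606 names, RFC 5737 addresses, a made-up ExampleReporter User-Agent) in a multipart/report with a message/feedback-report part, parses that report back out, and derives abuse@<authserv-id> from the Authentication-Results header only when that identifier is a fully-qualified domain name.

```python
"""Build and parse an RFC 5965 ARF feedback report, and choose the report
address from the Authentication-Results authserv-id (RFC 5451, Section 2.3).
Added example, not code from xarf.org or from any poster on this list.
ORIGINAL_RAW is a constructed message (RFC 2606 names, RFC 5737 addresses)
and "ExampleReporter" is a made-up User-Agent value."""
import re
from email import message_from_string
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

ORIGINAL_RAW = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com
Received: from relay.example.com (relay.example.com [192.0.2.10])
 by mx.example.net with ESMTP id 1234; Mon, 27 Dec 2010 10:00:00 +0000
From: "Offer" <offer@example.com>
To: victim@example.net
Subject: cheap pills
Message-ID: <abc123@example.com>
Date: Mon, 27 Dec 2010 09:59:00 +0000

Buy now.
"""

# A bare label such as "mail" is a valid authserv-id but not a mail domain,
# so only a fully-qualified name yields a report address.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE)


def load_message(raw):
    return message_from_string(raw)


def authserv_id(auth_results):
    """First token before the first ';', possibly quoted, possibly followed
    by a version number: that is the authserv-id."""
    head = auth_results.split(";", 1)[0].split()
    return head[0].strip('"') if head else ""


def report_address(original):
    """abuse@<authserv-id> when the receiving MTA named itself by FQDN."""
    value = original["Authentication-Results"]
    host = authserv_id(value) if value else ""
    return "abuse@" + host if FQDN_RE.match(host) else None


def build_arf_report(original, source_ip, reporter, abuse_addr):
    """Three parts in the order RFC 5965 requires: human-readable text, the
    message/feedback-report fields, then the original as message/rfc822."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_addr
    report["Subject"] = "FW: " + (original["Subject"] or "")
    report.attach(MIMEText("This is an email abuse report for a message "
                           "received from %s.\n" % source_ip))
    fields = Message()
    fields["Feedback-Type"] = "abuse"
    fields["User-Agent"] = "ExampleReporter/0.1"   # hypothetical name
    fields["Version"] = "1"
    fields["Original-Mail-From"] = parseaddr(original["Return-Path"] or "")[1]
    fields["Source-IP"] = source_ip
    fields["Arrival-Date"] = original["Date"] or ""
    report.attach(MIMEMessage(fields, "feedback-report"))
    report.attach(MIMEMessage(original))
    return report


def parse_arf_report(raw):
    """Recover the feedback-report fields and the original message from a
    serialized ARF report; anything that is not one is rejected up front."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    result = {"fields": {}, "original": None}
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            result["fields"] = dict(part.get_payload(0).items())
        elif part.get_content_type() == "message/rfc822":
            result["original"] = part.get_payload(0)
    return result


if __name__ == "__main__":
    original = load_message(ORIGINAL_RAW)
    dest = report_address(original) or "abuse@example.net"
    parsed = parse_arf_report(build_arf_report(
        original, "192.0.2.10", "victim@example.net", dest).as_string())
    print(dest, parsed["fields"]["Feedback-Type"], parsed["original"]["Subject"])
```

The FQDN check is the caveat Alessandro attaches to the POP3 proposal: an MTA that identifies itself with a bare label in Authentication-Results gives the client nothing to address a report to, so report_address returns None rather than guessing. On the receiving side, parse_arf_report refuses anything that is not a multipart/report with report-type=feedback-report before looking at parts, which is the check an abuse@ handler should make before trusting the structured fields.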