From world.antispam.report at inbox.com Sun Aug 7 22:54:30 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Sun, 7 Aug 2011 12:54:30 -0800
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E313B17.3010600@powerweb.de>
References: <4e31225d.90607@powerweb.de> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <4e3119f6.7010703@powerweb.de>
Message-ID: <31848973D27.000004C2world.antispam.report@inbox.com>

Hijacked or not, does everyone (every network on planet Earth) care?

RIPE's regulations simply state that the registration needs to be exact and accurate. Does anybody have a problem with this?

'Cause the only logical reason there would be to condemn this is that the individual who wants to keep his or her identification concealed is to perpetrate abuses, frauds and who knows, some terrorism. If anyone cannot be recognized as part of the humankind on this planet, there's gotta be a reason to this!

Anyhow, in due time, as a network is recognized as an abuser, the best that can be done is to blacklist the whole IP# block numbers. Refuse connection! And don't count on either ARIN, RIPE or the other registry bases. It would be too costly to ask them to do that. There are many, many other means to shut down or bar an IP block number.

As long as RIPE, ARIN and the other registry databases give us the right registry for a given IP# allocation, the abusing network can be tracked down. That's what the RIPE authority is for? I'll cope with that!

> -----Original Message-----
> From: ripe-anti-spam-wg at powerweb.de
> Sent: Thu, 28 Jul 2011 12:33:59 +0200
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
>
> Michele Neylon :: Blacknight wrote:
>>
>> On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
>>>>
>>>
>>> Not at all out of scope.
>>
>> I think it is out of scope
>>
>> It is a slippery slope
>>
>> Next you'll have people demanding that RIPE check what content is
>> published on IP blocks ..
>
> Good idea.
>
> Other organisations are monitoring content too to prevent abuse, like
> search engines that do not even want results from hacked sites
> in their index.
>
> RIPE is definitely responsible for any abuse, whatever it is.
>
> Let's have an example:
> A hijacker is using some netblocks to attack a big bank.
> They are flooded from this IP block and the attacker also
> sets up a lot of phishing servers using these IPs.
>
> Will RIPE ask the LIR about what's going on with his assignment ?
> Will RIPE deroute this netblock at all ?
> Just after the bank complains ?
> After somebody complains to RIPE that there are phishing servers on this
> netblock ?
>
> What will happen ?
>
> Can't be, that RIPE is doing nothing (to my opinion).
> And it would be very interesting what RIPE would do right now
> in this scenario.
> Who knows more ?
>
>
> Kind regards, Frank
>
>>
>>>
>>> You are right saying, that a listing does not prove anything,
>>> but it's a good indication (like I said above).
>>
>> Not necessarily.
>>
>> There are a multitude of reasons why an IP block can get listed - while
>> it *might* be an indicator that you or I can use for our own *private*
>> networks, it is not something that an organization like RIPE should be
>> doing, as there is absolutely no standard or certification of DNS
>> blacklists.
>>
>>
>>>
>>> RIPE NCC could ask the member, what's going on with that netblock,
>>> if they see a listing. I guess a lot of members do not
>>> even realize, that their old netblocks are routed
>>> somewhere else.
>>>
>>> RIPE NCC has to check the use of assigned netblocks anyway
>>> (if I understand some rules right).
>>
>> No - the "usage" is related to the assignment rules
>>
>>
>>> It cannot be that
>>> assigned netblocks are used by non-members or members
>>> the netblock wasn't assigned to ?
>>
>> Sorry, but I don't understand what you mean here
>>
>> regards
>>
>> Michele
>>
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> ICANN Accredited Registrar
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://blacknight.mobi/
>> http://mneylon.tel
>> Intl. +353 (0) 59 9183072
>> US: 213-233-1612
>> UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Twitter: http://twitter.com/mneylon
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>
>
>
> --
>
> Kind regards,
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de

From world.antispam.report at inbox.com Sun Aug 7 22:57:42 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Sun, 7 Aug 2011 12:57:42 -0800
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4e31225d.90607@powerweb.de> <4e313b17.3010600@powerweb.de> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <4e3119f6.7010703@powerweb.de>
Message-ID: <318BA9C73AF.000004C7world.antispam.report@inbox.com>

An HTML attachment was scrubbed...
URL:

From world.antispam.report at inbox.com Sun Aug 7 23:36:09 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Sun, 7 Aug 2011 13:36:09 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net>
Message-ID: <31E19BD9D25.00000543world.antispam.report@inbox.com>

An HTML attachment was scrubbed...
URL:

From world.antispam.report at inbox.com Mon Aug 8 00:52:24 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Sun, 7 Aug 2011 14:52:24 -0800
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <87zkjys0sj.fsf@mid.deneb.enyo.de>
References:
Message-ID: <328C0EAD387.000005C7world.antispam.report@inbox.com>

In an earlier post, Florian Weimer mentioned the following:

> My personal problem with these reports is that they are totally
> incomprehensible to me. Why do you think the netblocks have been
> hijacked? Maybe the documentation in the WHOIS database is outdated,
> and Link Telecom still enjoys full control over those prefixes.

If one carries out a lookup on RIPE website, and finds erroneous data regarding the registration of a given IP# assignation, "Who's" HOIS database is outdated in such case? For instance, a false non-existent or outdated email address. Else, a civic address located in a vacant field?

Why would you care so much if a network 800 miles from your civic address in another country got hijacked? You ain't a public employee of all RIPE's registered networks?

The only thing RIPE has legal and justified reasons to ask any network and LIR to whom RIPE allocates IP# is true and real data such as valid email addresses and full civic location.

Anybody has a problem with this? Go ahead, everybody's listening.

Thanks for reading me.
> -----Original Message-----
> From: fw at deneb.enyo.de
> Sent: Thu, 28 Jul 2011 20:44:12 +0200
> To: ops.lists at gmail.com
> Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?

From leo.vegoda at icann.org Mon Aug 8 01:33:06 2011
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Sun, 7 Aug 2011 16:33:06 -0700
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <318BA9C73AF.000004C7world.antispam.report@inbox.com>
References: <4e31225d.90607@powerweb.de> <4e313b17.3010600@powerweb.de> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <4e3119f6.7010703@powerweb.de> <318BA9C73AF.000004C7world.antispam.report@inbox.com>
Message-ID:

On Aug 7, 2011, at 1:57 PM, abuse at localhost.com wrote:

> Very useful that list! Where can I have access to it?
> Where can I download the list?

http://www.cidr-report.org/

It's also published weekly to the routing-wg at ripe.net list, among others.

Regards,

Leo

From kzorba at otenet.gr Mon Aug 8 08:43:47 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Mon, 08 Aug 2011 09:43:47 +0300
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <31E19BD9D25.00000543world.antispam.report@inbox.com>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com>
Message-ID: <4E3F85A3.3000203@otenet.gr>

On 08/08/2011 12:36 AM, abuse at localhost.com wrote:

OK, since a lot of posts took place from this account, could you please at least state your name? An abuse at localhost.com can be just about anything.
Now, if I understand correctly from your posts, because most of the stuff written is incomprehensible to me, you seem to pose an issue about abuse contacts and validity of contact data in RIPE DB.
There is a task force [1] that was created for this reason and we all expect information about its progress and outcome.

Regards,

Kostas Zorbadelos

[1] http://www.ripe.net/ripe/groups/tf/abuse-contact

> For the least: An example...
> What if a few of the email addresses provided to RIPE by a concerned
> network who was allocated this or that IP Block numbers is wrong?
> Or simply bounce back for any reason?
> ...

From ops.lists at gmail.com Mon Aug 8 10:03:27 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 8 Aug 2011 13:33:27 +0530
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3F85A3.3000203@otenet.gr>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr>
Message-ID:

He seems to have an entirely different issue - of some netblocks being obtained with entirely faked whois records.

Like, the physical address for a netblock is an empty lot between two garages, etc.

While the abuse contact wg would be good to develop a standard format for noting an abuse contact in RIPE whois, it is hardly the place to deal with netblocks registered with fake contact information, and quite possibly registered with faked justification paperwork.

RIPE's existing policies *should* cover this - but there's a notable lack of a formalized resolution process on the lines of wdprs for domains.

thanks
suresh

On Mon, Aug 8, 2011 at 12:13 PM, Kostas Zorbadelos wrote:
> Now, if I understand correctly from your posts, because most of the stuff
> written is incomprehensible to me, you seem to pose an issue about abuse
> contacts and validity of contact data in RIPE DB.
> There is a task force [1] that was created for this reason and we all expect
> information about its progress and outcome.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From P.Vissers at opta.nl Mon Aug 8 10:55:50 2011
From: P.Vissers at opta.nl (Vissers, Pepijn)
Date: Mon, 8 Aug 2011 08:55:50 +0000
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr>
Message-ID:

> RIPE's existing policies *should* cover this - but there's a notable
> lack of a formalized resolution process on the lines of wdprs for
> domains.

And it is a problem that has been noted many times by many different people, so abuse at localhost.com is in some way preaching to the choir.

That being said, imho the choir needs to get off its butt and really start taking action on these policies instead of them being just that. Policies without succession. The work is in progress, but progress is, well, s.l.o.w.

I've found the RIPE LEA Roundtables are one of the best ways to talk to people directly. Maybe abuse@ could voice his/her concerns there too.

From kzorba at otenet.gr Mon Aug 8 11:20:00 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Mon, 08 Aug 2011 12:20:00 +0300
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr>
Message-ID: <4E3FAA40.2080601@otenet.gr>

On 08/08/2011 11:03 AM, Suresh Ramasubramanian wrote:
> RIPE's existing policies *should* cover this - but there's a notable
> lack of a formalized resolution process on the lines of wdprs for
> domains.
>

What exactly is "wdprs" ?

Regards,

Kostas

> thanks
> suresh

From ops.lists at gmail.com Mon Aug 8 11:18:06 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 8 Aug 2011 14:48:06 +0530
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr>
Message-ID:

Agreed. Policies without teeth, an enforcement mechanism and SOP to follow that mechanism are about as useful as toilet paper is. Maybe less ..
On Mon, Aug 8, 2011 at 2:25 PM, Vissers, Pepijn wrote:
>
> And it is a problem that has been noted many times by many different people, so abuse at localhost.com is in some way preaching to the choir.
>
> That being said, imho the choir needs to get off its butt and really start taking action on these policies instead of them being just that. Policies without succession. The work is in progress, but progress is, well, s.l.o.w.
>
> I've found the RIPE LEA Roundtables are one of the best ways to talk to people directly. Maybe abuse@ could voice his/her concerns there too.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From ops.lists at gmail.com Mon Aug 8 11:18:38 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 8 Aug 2011 14:48:38 +0530
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3FAA40.2080601@otenet.gr>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr> <4E3FAA40.2080601@otenet.gr>
Message-ID:

http://wdprs.internic.net/

Yes it's not perfect
Yes it exists and is actively used

On Mon, Aug 8, 2011 at 2:50 PM, Kostas Zorbadelos wrote:
> On 08/08/2011 11:03 AM, Suresh Ramasubramanian wrote:
>>
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>>
>
> What exactly is "wdprs" ?
>
> Regards,
>
> Kostas
>
>> thanks
>> suresh
>
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From michele at blacknight.ie Mon Aug 8 11:27:12 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 8 Aug 2011 09:27:12 +0000
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3FAA40.2080601@otenet.gr>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr> <4E3FAA40.2080601@otenet.gr>
Message-ID: <82C6E60A-CD1A-4617-9AD0-34ABF52FF390@blacknight.ie>

On 8 Aug 2011, at 10:20, Kostas Zorbadelos wrote:

> On 08/08/2011 11:03 AM, Suresh Ramasubramanian wrote:
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>>
>
> What exactly is "wdprs" ?

Whois data reminder policy

>
> Regards,
>
> Kostas
>
>> thanks
>> suresh
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From michele at blacknight.ie Mon Aug 8 11:28:39 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 8 Aug 2011 09:28:39 +0000
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr> <4E3FAA40.2080601@otenet.gr>
Message-ID: <054CD0B8-8D71-4F5B-B596-97265B8A17E2@blacknight.ie>

On 8 Aug 2011, at 10:18, Suresh Ramasubramanian wrote:

> http://wdprs.internic.net/
>
> Yes it's not perfect
> Yes it exists and is actively used

That's a reporting tool - not a policy

The policy mandates the annual reminder to registrants to check that their whois data is up to date

What you might be thinking about is ICANN's various policies on whois .. which are largely flawed

>
> On Mon, Aug 8, 2011 at 2:50 PM, Kostas Zorbadelos wrote:
>> On 08/08/2011 11:03 AM, Suresh Ramasubramanian wrote:
>>>
>>> RIPE's existing policies *should* cover this - but there's a notable
>>> lack of a formalized resolution process on the lines of wdprs for
>>> domains.
>>>
>>
>> What exactly is "wdprs" ?
>>
>> Regards,
>>
>> Kostas
>>
>>> thanks
>>> suresh
>>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From vesely at tana.it Mon Aug 8 11:26:21 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 08 Aug 2011 11:26:21 +0200
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr>
Message-ID: <4E3FABBD.1030907@tana.it>

On 08.08.2011 10:03, Suresh Ramasubramanian wrote:
> While the abuse contact wg would be good to develop a standard format
> for noting an abuse contact in RIPE whois, it is hardly the place to
> deal with netblocks registered with fake contact information, and
> quite possibly registered with faked justification paperwork.

I'd hope some practical hints proposition to define a workable acceptation of
the term "faked" is also on-topic.

> RIPE's existing policies *should* cover this - but there's a notable
> lack of a formalized resolution process on the lines of wdprs for
> domains.

What is the current policy about the right to anonymity, for Whois Data
Problem Reporting System? It is often said that e-commerce sites cannot be
anonymous. It should be added that email sites also cannot. In fact, an
email site may grant the right to anonymity to its users, but IMHO it needs
not be anonymous itself for doing so properly.
From michele at blacknight.ie Mon Aug 8 11:37:28 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 8 Aug 2011 09:37:28 +0000
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3FABBD.1030907@tana.it>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr> <4E3FABBD.1030907@tana.it>
Message-ID:

On 8 Aug 2011, at 10:26, Alessandro Vesely wrote:

> On 08.08.2011 10:03, Suresh Ramasubramanian wrote:
>> While the abuse contact wg would be good to develop a standard format
>> for noting an abuse contact in RIPE whois, it is hardly the place to
>> deal with netblocks registered with fake contact information, and
>> quite possibly registered with faked justification paperwork.
>
> I'd hope some practical hints proposition to define a workable acceptation of
> the term "faked" is also on-topic.

+1

"out of date", for example, is not "fake" - it's just not accurate *now*

Which is a very different proposition to "faked"

>
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>
> What is the current policy about the right to anonymity, for Whois Data
> Problem Reporting System?

In ICANN?

That's one of the many reasons why the WHOIS policy is so badly broken

> It is often said that e-commerce sites cannot be
> anonymous. It should be added that email sites also cannot. In fact, an
> email site may grant the right to anonymity to its users, but IMHO it needs
> not be anonymous itself for doing so properly.
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Mon Aug 8 11:38:37 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 8 Aug 2011 15:08:37 +0530
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3FABBD.1030907@tana.it>
References: <4e2fd079.8040803@ripe.net> <31E19BD9D25.00000543world.antispam.report@inbox.com> <4E3F85A3.3000203@otenet.gr> <4E3FABBD.1030907@tana.it>
Message-ID:

On Mon, Aug 8, 2011 at 2:56 PM, Alessandro Vesely wrote:
> On 08.08.2011 10:03, Suresh Ramasubramanian wrote:
>> While the abuse contact wg would be good to develop a standard format
>> for noting an abuse contact in RIPE whois, it is hardly the place to
>> deal with netblocks registered with fake contact information, and
>> quite possibly registered with faked justification paperwork.
>
> I'd hope some practical hints proposition to define a workable acceptation of
> the term "faked" is also on-topic.

http://en.wikipedia.org/wiki/I_know_it_when_I_see_it

HTH HAND :)

Please also apply the concept of mens rea. Is this behavior associated with, say, hosting botnets and snowshoe spam, when the paperwork says "GRE tunnels", or "dialup pool", just for example?
From world.antispam.report at inbox.com Mon Aug 8 17:00:58 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 07:00:58 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e3f85a3.3000203@otenet.gr> <31e19bd9d25.00000543world.antispam.report@inbox.com> <4e2fd079.8040803@ripe.net>
Message-ID: <3B00FAB2C97.00000533world.antispam.report@inbox.com>

> -----Original Message-----
> From: ops.lists at gmail.com
> Sent: Mon, 8 Aug 2011 13:33:27 +0530
> To: kzorba at otenet.gr
> Subject: Re: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information
> in the RIPE Database
>
> He seems to have an entirely different issue - of some netblocks being
> obtained with entirely faked whois records.
>
> Like, the physical address for a netblock is an empty lot between two
> garages, etc.
>
> While the abuse contact wg would be good to develop a standard format
> for noting an abuse contact in RIPE whois, it is hardly the place to
> deal with netblocks registered with fake contact information, and
> quite possibly registered with faked justification paperwork.
>
> RIPE's existing policies *should* cover this - but there's a notable
> lack of a formalized resolution process on the lines of wdprs for
> domains.
>
> thanks
> suresh

SNIP!
_________________

Suresh, who else could represent any RIPE authority but a RIPE official? I am not that RIPE authority who mentioned the following:=> Further notes below that RIPE email.
_______________________________________

> From: athina.fragkouli at ripe.net
> Sent: Wed, 27 Jul 2011 10:46:49 +0200
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in
> the RIPE Database
>
> Dear Pierre, all,
>
> In response to your emails, here is some general information on this
> matter.
>
> The RIPE NCC requests that the LIRs provide the RIPE NCC with truthful
> information, as well as correctly maintain their registration in the
> RIPE Database at all times. If an LIR fails to do so, the RIPE NCC will
> terminate the service agreement with this LIR and deregister the
> Internet number resources allocated to it.
>
> More information about this procedure can be found in the RIPE NCC
> procedural document "Closure of LIR and Deregistration of Internet
> Number Resources", available at:
> https://www.ripe.net/ripe/docs/ripe-517
>
> The RIPE NCC handles abuse complaints sent by third parties. Anyone can
> send a complaint to abuse at ripe.net.
>
> As well as the procedures already in place, the RIPE community recently
> formed the Abuse Contact Management Task Force (ACM-TF), which is
> examining policy proposals around the issue of managing the abuse
> contact field in the RIPE Database. More information about the task
> force can be found at:
> https://www.ripe.net/ripe/groups/tf/abuse-contact
>
> Hope this clarifies the existing procedures, if you have any further
> questions, please do not hesitate to contact us.
>
> Kind regards,
> Athina Fragkouli
> RIPE NCC
______________________

Once this is clear, if anybody blames RIPE to exert such scrupulous such an "Intellect Integrity", why don't anybody who's against these "Pre-existing" regulations get together and prepare any sort of vote so that next year anybody getting allocated IP# block numbers or "LIR" for that matter, can give any weird name of network owner, email addresses and civic location from where the network is based when registering to RIPE!

Better yet, since RIPE will become a heap of hoaxed data, why pay these guys to cumulate hoaxed data? Let's give them their severance pay!

And then, be prepared to deal with organized crime 'cause when there is no authority and no regulation, history has taught humankind where it leads.
For now & until official RIPE regulations are changed, bring the right, true factual data to RIPE when RIPE requests registration data.

Thank you in advance.

From world.antispam.report at inbox.com Mon Aug 8 17:16:34 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 07:16:34 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e3f85a3.3000203@otenet.gr> <31e19bd9d25.00000543world.antispam.report@inbox.com> <4e2fd079.8040803@ripe.net>
Message-ID: <3B23D16D891.0000057Eworld.antispam.report@inbox.com>

Bwaff! Who cares if the abuse email addy is either "Boogaloo-wedoo at domain-name.xxx"? I wouldn't even have any problem if it'd be boulagalou at domain.name.xxx!

As long as the email provided to RIPE for the registration of the given IP# numbers allocated by RIPE, who cares really? Same thing for the other data that this or that network owner gave to RIPE, which includes its LIRs.

Give any data you feel like including a country located on planet "Kinglon" but if you stumble on someone who requests the verifications, rest assured that RIPE has all reasons to request these to be accurate and that the email address be live just like civic address needs be verifiable.

Those against this principle of "Intellectual Integrity" principle, please signify your position. We'll take good note of it.
____________________________

> -----Original Message-----
> From: p.vissers at opta.nl
> Sent: Mon, 8 Aug 2011 08:55:50 +0000
> To: anti-abuse-wg at ripe.net
> Subject: RE: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information
> in the RIPE Database
>
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>
> And it is a problem that has been noted many times by many different
> people, so abuse at localhost.com is in some way preaching to the choir.
>
> That being said, imho the choir needs to get off its butt and really
> start taking action on these policies instead of them being just that.
> Policies without succession. The work is in progress, but progress is,
> well, s.l.o.w.
>
> I've found the RIPE LEA Roundtables are one of the best ways to talk to
> people directly. Maybe abuse@ could voice his/her concerns there too.

From world.antispam.report at inbox.com Mon Aug 8 17:24:40 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 07:24:40 -0800
Subject: [anti-abuse-wg] whooh Suresh! Thank you for this 1. How about LASNIC?
Message-ID: <3B35F11D048.000005A7world.antispam.report@inbox.com>

I've already seen the one for APNIC but don't have anything for LASNIC. If you can help... Anyhow, thanks again!

-----Original Message-----
From: ops.lists at gmail.com
Sent: Mon, 8 Aug 2011 14:48:38 +0530
To: kzorba at otenet.gr
Subject: Re: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database

http://wdprs.internic.net/

Yes it's not perfect
Yes it exists and is actively used

On Mon, Aug 8, 2011 at 2:50 PM, Kostas Zorbadelos wrote:
> On 08/08/2011 11:03 AM, Suresh Ramasubramanian wrote:
>>
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>>
>
> What exactly is "wdprs" ?
>
> Regards,
>
> Kostas
>
>> thanks
>> suresh
>
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From world.antispam.report at inbox.com Mon Aug 8 17:40:36 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 07:40:36 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E3FABBD.1030907@tana.it>
References: <4e3f85a3.3000203@otenet.gr> <31e19bd9d25.00000543world.antispam.report@inbox.com> <4e2fd079.8040803@ripe.net>
Message-ID: <3B598C8B64A.000005EBworld.antispam.report@inbox.com>

There may have been a zealot who dragged this thread into the "Faked RIPE registration data" but that was more of a strategy than anything else.
If one discovers that some data for a RIPE allocated registration is false and erroneous, the complaining party should simply request RIPE to rectify the erroneous.
And check back the validity of the registration data a little later.
Simply.

It ain't a matter of "Right to anonymity" since anybody who signed with RIPE had a legal responsibility to be aware of RIPE's regulation.
If one gets into the Internet business and after this or that amount of time in business, remains unaware that RIPE has regulations...
Maybe it could be time for that network owner to change his job or get some knowledgeable employee (S) ?
Simple logic.

> -----Original Message-----
> From: vesely at tana.it
> Sent: Mon, 08 Aug 2011 11:26:21 +0200
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information
> in the RIPE Database
>
> On 08.08.2011 10:03, Suresh Ramasubramanian wrote:
>> While the abuse contact wg would be good to develop a standard format
>> for noting an abuse contact in RIPE whois, it is hardly the place to
>> deal with netblocks registered with fake contact information, and
>> quite possibly registered with faked justification paperwork.
>
> I'd hope some practical hints proposition to define a workable
> acceptation of the term "faked" is also on-topic.
>
>> RIPE's existing policies *should* cover this - but there's a notable
>> lack of a formalized resolution process on the lines of wdprs for
>> domains.
>
> What is the current policy about the right to anonymity, for Whois Data
> Problem Reporting System? It is often said that e-commerce sites cannot
> be anonymous. It should be added that email sites also cannot.
> In fact, an email site may grant the right to anonymity to its users,
> but IMHO it needs not be anonymous itself for doing so properly.

From Woeber at CC.UniVie.ac.at Mon Aug 8 17:42:35 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Mon, 08 Aug 2011 15:42:35 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net> <20110728111306.GJ72014@Space.Net>
Message-ID: <4E4003EB.8070604@CC.UniVie.ac.at>

[Catching up after being out of office for a while...]

Suresh Ramasubramanian wrote:

[...]
>
> Can we turn back to the question that was actually raised in the thread?

Yes, please. :-)

As Spamhaus was mentioned, and the term "hijacked" pointed at,
can anyone please provide me/us with (a pointer to) the definition of
"hijacked", in particular as used by Spamhaus?

TIA,
Wilfried.

From world.antispam.report at inbox.com Mon Aug 8 17:57:30 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 07:57:30 -0800
Subject: Wrong "brian.nisbet@heanet.ie" (Was)=>[anti-abuse-wg] Hijacked netblocks - any SOP for these?
Message-ID: <3B7F4F62B0F.0000064Cworld.antispam.report@inbox.com>

Brian, with all due respect, the only topic that was at stake here, was any network who submits his data to RIPE (Allocation), RIPE regulation states that you are "NOT PERMITTED" to give false or erroneous or obviously misleading information such as "Non-Valid" email addresses civic locations (Where, geographically you make business) or false "Voice Mail" traps which in fact are never replied.

In no manner whatsoever, it was suggested that for now and until further notice, RIPE has any responsibility toward any sort of SPAM fraud or illegal activities on the Internet.
The only sole thing in the original RIPE registration regulation regarding the data a given network provides to RIPE for registering the RIPE allocated IP block number, is that RIPE wants to have valid factual data like "Live" email addresses or civic address where the network really operates. Not an address located in a forest.

Now, have you got any objection about RIPE's regulation that require that minimal amount of intellectual integrity?

We're all ears, go ahead.

-----Original Message-----
From: brian.nisbet at heanet.ie
Sent: Thu, 28 Jul 2011 12:04:12 +0100
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?

"Gert Doering" wrote the following on 28/07/2011 11:53:
> Hi,
>
> On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
>> RIPE is definitely responsible for any abuse, whatever it is.
>
> So if you are hosting porn on your web site, and making it accessible
> to minors, why exactly would the RIPE NCC be responsible for that?

Before this particular thread of the discussion goes any further can I
please remind people that neither the RIPE NCC nor the charter of this
WG deals with content.
If content breaks laws, then there are systems in
place to deal with that on a per country basis and the NCC assists law
enforcement when requested, however this mailing list is not the right
place to debate matters of content.

Brian.

From furio+as at spin.it Mon Aug 8 18:01:37 2011
From: furio+as at spin.it (furio ercolessi)
Date: Mon, 8 Aug 2011 18:01:37 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E4003EB.8070604@CC.UniVie.ac.at>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net> <20110728111306.GJ72014@Space.Net> <4E4003EB.8070604@CC.UniVie.ac.at>
Message-ID: <20110808160137.GA13456@spin.it>

On Mon, Aug 08, 2011 at 03:42:35PM +0000, Wilfried Woeber, UniVie/ACOnet wrote:
> [Catching up after being out of office for a while...]
>
> Suresh Ramasubramanian wrote:
>
> [...]
> >
> > Can we turn back to the question that was actually raised in the thread?
>
> Yes, please. :-)
>
> As Spamhaus was mentioned, and the term "hijacked" pointed at,
> can anyone please provide me/us with (a pointer to) the definition of
> "hijacked", in particular as used by Spamhaus?

They define "hijacked netblocks" in
http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#258

furio

From michele at blacknight.ie Mon Aug 8 18:13:11 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 8 Aug 2011 16:13:11 +0000
Subject: Wrong "brian.nisbet@heanet.ie" (Was)=>[anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <3B7F4F62B0F.0000064Cworld.antispam.report@inbox.com>
References: <3B7F4F62B0F.0000064Cworld.antispam.report@inbox.com>
Message-ID:

On 8 Aug 2011, at 16:57, abuse at localhost.com wrote:

> Brian, with all due respect, the only topic that was at stake here, was any network who submits his data to RIPE (Allocation), RIPE regulation states that you are "NOT PERMITTED" to give false or erroneous or obviously misleading information such as "Non-Valid" email addresses civic locations (Where, geographically you make business) or false "Voice Mail" traps which in fact are never replied.

I can give you my mobile phone number if you want - it's real. No guarantee I'll ever answer it ..

What's your point?

>
> In no manner whatsoever, it was suggested that for now and until further notice, RIPE has any responsibility toward any sort of SPAM fraud or illegal activities on the Internet.
> The only sole thing in the original RIPE registration regulation regarding the data a given network provides to RIPE for registering the RIPE allocated IP block number, is that RIPE wants to have valid factual data like "Live" email addresses or civic address where the network really operates. Not an address located in a forest.
>
> Now, have you got any objection about RIPE's regulation that require that minimal amount of intellectual integrity?
>
> We're all ears, go ahead.

You need to tone it down and / or learn how to follow email threads properly

Brian's email was in reply to emails several days ago where people were talking about content

If you expect people to take you seriously then show them some modicum of respect

At least most of us are posting to this list as ourselves and not hiding our identities ..

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From world.antispam.report at inbox.com Mon Aug 8 18:47:35 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 08:47:35 -0800
Subject: Wrong "brian.nisbet@heanet.ie" (Was)=>[anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <3b7f4f62b0f.0000064cworld.antispam.report@inbox.com>
Message-ID: <3BEF4784D5F.00000720world.antispam.report@inbox.com>

A phone number is only one of the various data RIPE requests for registering a given block number allocation.
Since I'm not here for a "Game" as some are, I'll leave that to the already recognized authority, RIPE regulating authority.

By the way Michele who-ever, thanks for publishing where you're standing.
@ Blacknight.ie isn't it?

From world.antispam.report at inbox.com Mon Aug 8 18:56:46 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 08:56:46 -0800
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E4003EB.8070604@CC.UniVie.ac.at>
References: <4e31225d.90607@powerweb.de> <20110728111306.gj72014@space.net> <4e313b17.3010600@powerweb.de> <4e3119f6.7010703@powerweb.de> <20110728105311.gi72014@space.net> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie>
Message-ID: <3C03CD5EDCD.0000074Fworld.antispam.report@inbox.com>

The problem is : Does any network operator want to examine how a "Spamming Trojan that works on its own" works?
Live, while in contact with the remote intruder with whom the infected trojan is in contact with?

Please, let me give a specific example...
I have this "Other" given mailbox for which maybe its exact email address was given to what is known as a "SPAM List".
I decide to keep that address instead of getting rid of it.
Of course, if there was a SPAM to get on the Internet, rest assured that I'll get that SPAM at that email address!

Anyhow, at one time (Rather many, many times), I get a SPAM that bears an HTML link in its email body but the domain name is an absolute gibberish word unintelligible in any language that anyone could dream of.
So, I sent the complaint to both the abuse@ department from which the SPAM originated and to the other network website (IP#) where the gibberish domain name was located...
If I remember well, the origin of the SPAM was from "Spain-Bada-Telecome", a very respectable & serious network and the other network hosting the "Gibberish" domain name (IP#...) was also a quite respectable network...
I have kept their reply as some other "Same type" reply in which a given network operator thanks me to advise him about this or that trojan using his own network for spamming purpose (Sort of an intrusion)...
If you want I can send or post these thankful dudes?

Ok??? Let's go on...

Some 2 days later, I get another SPAM bearing the same gibberish HTML domain name but now located on an IP# located within the APNIC authority...
Done complaint as usual and watched it for the whole day thereafter...
For about 10 hours, the gibberish domain name disappeared from the APNIC network and re-appeared on a network located in Romania and for which close to none of the "RIPE registration data" appeared to be valid.
All email addies and civic addies appeared wrong, bounced back, etc...

Now, about the question what does the term "hijacked Network or IP#" mean to RIPE or to any Internet concerned individual?

Within all the cases I have seen up to now, all network operators of good faith and good will resolved the given problem in less than 6 hours.
Aside from blacklisting the "Supposed" source of trojan intruders.

In due time, if the infectious network runs into problems because he's refused connection with this network elsewhere, he could always use another email address to reach the network that blacklisted him?
No problem there!

Got it?

From kjz at gmx.net Mon Aug 8 20:27:39 2011
From: kjz at gmx.net (Karl-Josef Ziegler)
Date: Mon, 08 Aug 2011 20:27:39 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Message-ID: <4E402A9B.707@gmx.net>

> They define "hijacked netblocks" in
> http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#258

And, if you look it up there:

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2493

you can get:

APNIC: 18 listings
http://www.spamhaus.org/sbl/listings.lasso?isp=apnic

ARIN: 258 listings
http://www.spamhaus.org/sbl/listings.lasso?isp=arin

LACNIC: 26 listings
http://www.spamhaus.org/sbl/listings.lasso?isp=lacnic

RIPE: has far too many records to list. This ISP has an extremely serious spam problem.
http://www.spamhaus.org/sbl/listings.lasso?isp=arin

Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many records to list.' What's this?

Best regards,
- Karl-Josef

From kjz at gmx.net Mon Aug 8 21:13:18 2011
From: kjz at gmx.net (Karl-Josef Ziegler)
Date: Mon, 08 Aug 2011 21:13:18 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Message-ID: <4E40354E.9000800@gmx.net>

Uuups, last link:

http://www.spamhaus.org/sbl/listings.lasso?isp=arin

should be:

http://www.spamhaus.org/sbl/listings.lasso?isp=ripe

of course.

From jorgen at hovland.cx Mon Aug 8 22:04:32 2011
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Mon, 8 Aug 2011 22:04:32 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <3C03CD5EDCD.0000074Fworld.antispam.report@inbox.com>
References: <4e31225d.90607@powerweb.de> <20110728111306.gj72014@space.net> <4e313b17.3010600@powerweb.de> <4e3119f6.7010703@powerweb.de> <20110728105311.gi72014@space.net> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <3C03CD5EDCD.0000074Fworld.antispam.report@inbox.com>
Message-ID: <44DBC68C-3F58-46A3-8879-54EE15B0A8AF@hovland.cx>

Mr World Antispam Report,

Please stop complaining about your spam problems. Get a (better) spam filter or stop reading your mail :)

If you would like to send a complaint regarding a resource assigned by RIPE with inaccurate contact information I suggest you send it to the provider (as in LIR or RIR) instead.
As always, anyone can decide not to read or reply to your complaint. The type of people you are talking about in your mail will most likely do just that.

Good luck,

From world.antispam.report at inbox.com Tue Aug 9 02:01:20 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 16:01:20 -0800
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <44DBC68C-3F58-46A3-8879-54EE15B0A8AF@hovland.cx>
References: <4e31225d.90607@powerweb.de> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <20110728111306.gj72014@space.net> <3c03cd5edcd.0000074fworld.antispam.report@inbox.com> <4e313b17.3010600@powerweb.de> <4e3119f6.7010703@powerweb.de> <20110728105311.gi72014@space.net>
Message-ID: <3FB8C1C12CD.00000DA5world.antispam.report@inbox.com>

Thank you for the information you provided here below as well as for the network you use for your post.
It makes things much clearer as to what type of individual you are.

Good luck as well for you!

From world.antispam.report at inbox.com Tue Aug 9 02:35:00 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 8 Aug 2011 16:35:00 -0800
Subject: [anti-abuse-wg] Here's a few factual examples Wilfried:=>
In-Reply-To: <4E4003EB.8070604@CC.UniVie.ac.at>
References: <4e31225d.90607@powerweb.de> <20110728111306.gj72014@space.net> <4e313b17.3010600@powerweb.de> <4e3119f6.7010703@powerweb.de> <20110728105311.gi72014@space.net> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie>
Message-ID: <40040746E02.00000DF4world.antispam.report@inbox.com>

Here below are the few factual examples I can provide.
May you please note that I don't think that the trojans (What the N-Americans qualify as "Exploited") don't take over all IP# of an infected network through the infection?
-Though, that is only an opinion.
Otherwise, the poor operator would be climbing on the walls! He'd pull the plug out! HiHiHi!

Nope! The trojan simply implants itself on a given infected network (An email server for instance) to take over (1-2) IP# and sends forged headers spam from the intruded network.
In most cases I have seen up to now if not all, the "Exploiting" individual (Trojan encoder) does not implant both the HTML website advertised by the spamming trojan and the spamming trojan on the same sole network for obvious reasons.

Therefore, once the infected network operator discovers the "Exploit", the HTML website to which the spam bears the link remains live.
Even though the intruded network gets rid of the automated spamming trojan.
The website to which the spams refer (Hyperlink) is not yet destroyed! Being elsewhere on another infected network...

On the contrary, when the "Other" network bearing an intruded trojan that takes over a given IP# within the network to give life to an HTML simple abusive webpage is destroyed by the infected network operator as Glen J., did (Here below) a little while back, and did clean that trojan up, should the abusive website go down? NOPE! Rarely, very rarely goes down... Because the guy controlling the trojan which intruded the network to begin with, sure has sort of a monitoring device that warns him when the infected network operator cleans his network and brings down the website.

When GlenJ, destroyed the trojan-exploiting website, the abuser saw his website go down and brought back on an IP# based his own network abroad from where he or she operates. This, until he finds that his intruder trojan succeeded to infect a new network. Never takes so long... Only during that time, it is feasible to know exactly "Whois" the one who disseminated those 2 types of exploit-trojans!

The whole goal is free hosting and under the responsibility of "Who Knows Who"! But who cares really?

If you'd want further details on all the methods as to how coders and "Pirates" can do such tricks, you'd be better to address yourself to people who want to protect these types of abusers. There just ought to be a few watching and taking good notes. I have done what I could do, Ok?

Thank you very much for reading me.
========================================
Note that one email here below is from an ARIN jurisdiction, another one from a huge network in SPAIN, very formal but also very friendly and the other one? .....I don't remember, forgotten...
========================================
>Hello -
> Mail Delivery System wrote:
>
> http://annevaleriejasmin.com/edit/yahoolink.php
>
>Thank you for writing.
>The exploited site content has been taken offline.
>--
>
>- Glen J., Abuse Coordinator
===================================
>Hello.
>
>Thank you for your report.
>
>We have contacted our direct client regarding your report and expect a prompt response, including action against the abuser.
>
>If you have any questions, please let us know.
>
>----
>Best Wishes,
>Sreejith S
>Systems Administration Support
___________________________
>Dear Sir:
>
>We thank you for your message and we inform you that we are taking measures to prevent the problem from happening again.
>
>We remember you our email.
>
>Faithfully.
>
>Nemesys Abuse Team
>Telefonica de España S.A.U.
_______________________________
> -----Original Message-----
> From: woeber at cc.univie.ac.at
> Sent: Mon, 08 Aug 2011 15:42:35 +0000
> To: ops.lists at gmail.com
> Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
>
> [Catching up after being out of office for a while...]
>
> Suresh Ramasubramanian wrote:
>
> [...]
============================================
>>
>> Can we turn back to the question that was actually raised in the thread?
>
> Yes, please. :-)
>
> As Spamhaus was mentioned, and the term "hijacked" pointed at,
> can anyone please provide me/us with (a pointer to) the definition of
> "hijacked", in particular as used by Spamhaus?
>
> TIA,
> Wilfried.

From ops.lists at gmail.com Tue Aug 9 03:41:50 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Aug 2011 07:11:50 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E402A9B.707@gmx.net>
References: <4E402A9B.707@gmx.net>
Message-ID:

Those are not all hijacked.
They're also assigned PI / PA netblocks sourced directly from the RIR

RIPE has to bear the cross of Romania which alone is responsible for a
substantial chunk of those too many to list - including several /15s

There's also the rest of Eastern Europe and Russia with smaller
assigned PI and PA netblocks controlled by botmasters and such.

In any case, too many to list. Never mind the "ISP" there - spamhaus
used the same script they use to generate per ISP reports of SBL
listings.

On Mon, Aug 8, 2011 at 11:57 PM, Karl-Josef Ziegler wrote:
>
> RIPE: has far too many records to list. This ISP has an extremely
> serious spam problem.
>
> http://www.spamhaus.org/sbl/listings.lasso?isp=arin
>
> Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many
> records to list.'
>
> What's this?

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From abuse at eunet.rs Tue Aug 9 00:44:01 2011
From: abuse at eunet.rs (abuse at eunet.rs)
Date: Tue, 09 Aug 2011 00:44:01 +0200
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <4E402A95.3020409@eunet.rs>
References: <4E402A95.3020409@eunet.rs>
Message-ID: <1312843441.4e4066b1b95c2@support.eunet.rs>

Dear colleagues,

This is SPAM report from one of our users. It seems that message came from your server. We believe that you will find that user and that you will take appropriate measures against him.
Due to privacy policy of our company, all information about our user is changed to "x".

>From - Mon Aug 08 20:27:03 2011
X-Account-Key: account4
X-UIDL: 76e74b310924bc33
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path:
Received: from freeuk-outbound-smtp04.mail.eu.clara.net
    (freeuk-outbound-smtp04.mail.eu.clara.net [195.8.64.21])
    by eunet.rs (8.13.6/8.13.6) with ESMTP id p786mrD8029683;
    Mon, 8 Aug 2011 08:48:59 +0200
Received: from webmail01.mail.eu.clara.net ([213.253.3.101]:39081
    helo=webmail.freeuk.com)
    by relay04.mail.eu.clara.net (relay.freeuk.com [213.253.3.44]:1225)
    with esmtp id 1QqJcs-000724-DM
    (return-path); Mon, 08 Aug 2011 06:47:50 +0000
Received: from 41.138.188.115
    (SquirrelMail authenticated user j.fawcett at freeuk.com)
    by ssl-webmail-vh.freeuk.com with HTTP;
    Mon, 8 Aug 2011 07:47:50 +0100
Message-ID:
Date: Mon, 8 Aug 2011 07:47:50 +0100
Subject: You won in Yesterday Draws!!!
From: "Coca-Cola Award Team"
Reply-To: cocacolawebnetvet at w.cn
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Squirrel-AuthUser: j.fawcett at freeuk.com
X-EUNET-AVAS-Milter-Version: 2.0.0
X-AVAS-Virus-Status: clean
X-AVAS-Virus-Status: clean
X-AVAS-Spamd-Symbols: BAYES_80,DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_RCVD_HELO,PLING_PLING,TO_CC_NONE,UNPARSEABLE_RELAY
X-AVAS-Spam-Score: 4.5
X-AVAS-Spam-Level: xxxxxxxxx

If You have any questions, please contact our Technical support, every day from 00.00 to 24.00 phone 0700 300 400, (011) 202 3636 or e-mail support at eunet.rs

EUnet wishes You a nice day and good connections!

Petar Orlovic , Support Agent
--
YUnet International www.EUnet.rs
Dubrovacka 35/III, 11000 Beograd, Serbia
Tel: 0700 300 400
Tel: +381 11 202 3636, Fax: +381 11 330 5609
e-mail: support at eunet.rs www.eunet.rs
--
This e-mail is confidential and intended only for the recipient. Unauthorized distribution, modification or disclosure of its contents is prohibited.
If you have received this e-mail in error, please notify the sender by telephone +381 11 2023636.
--

From thor.kottelin at turvasana.com Tue Aug 9 11:03:41 2011
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Tue, 9 Aug 2011 12:03:41 +0300
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <1312843441.4e4066b1b95c2@support.eunet.rs>
References: <4E402A95.3020409@eunet.rs> <1312843441.4e4066b1b95c2@support.eunet.rs>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of abuse at eunet.rs
> Sent: Tuesday, August 09, 2011 1:44 AM
> To: anti-abuse-wg at ripe.net
> This is SPAM report from one of our users. It seems that message
> came from your server. We believe that you will find that user and
> that you will take appropriate measures against him.
> Received: from freeuk-outbound-smtp04.mail.eu.clara.net (freeuk-
> outbound-smtp04.mail.eu.clara.net [195.8.64.21])
> by eunet.rs (8.13.6/8.13.6) with ESMTP id
> p786mrD8029683;
> Mon, 8 Aug 2011 08:48:59 +0200

The RIPE NCC is a regional Internet registry, analogous to e.g. ARIN and APNIC. You can use the RIPE NCC's Whois service (also available on the Web at http://www.db.ripe.net/whois) to find out that the IP address 195.8.64.21 has been assigned to Claranet in the United Kingdom. As that Whois output states, "All abuse reports to abuse at clara.net".

--
Thor Kottelin
http://www.anta.net/

From world.antispam.report at inbox.com Tue Aug 9 12:26:16 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 02:26:16 -0800
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <1312843441.4e4066b1b95c2@support.eunet.rs>
References: <4e402a95.3020409@eunet.rs>
Message-ID: <452D9C4CEEB.000000E3world.antispam.report@inbox.com>

250 OK
RCPT TO:
250 Accepted
RSET
250 Reset OK
QUIT
221 mx00.mail.eu.clara.net closing connection
[Connection closed]
======================
-That was "abuse at clara.net" (213.253.3.20) speaking...
-Therefore, "abuse at clara.net" just couldn't care less?
-Have you sent an email to them?
-I cannot state that I'm surprised!
-I'll have a close look over that server.
-If one of their IP# shows up again: Blacklist & refuse connection.

-Thank!
> -----Original Message-----
> From: abuse at eunet.rs
> Sent: Tue, 09 Aug 2011 00:44:01 +0200
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] Abuse report.
>
> Dear colleagues,
>
> This is SPAM report from one of our users. It seems that message came
> from your server. We believe that you will find that user and that you
> will take appropriate measures against him.
> Due to privacy policy of our company, all information about our user is
> changed to "x".
>
> From - Mon Aug 08 20:27:03 2011
> X-Account-Key: account4
> X-UIDL: 76e74b310924bc33
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> X-Mozilla-Keys:
> Return-Path:
> Received: from freeuk-outbound-smtp04.mail.eu.clara.net
> (freeuk-outbound-smtp04.mail.eu.clara.net [195.8.64.21])
> by eunet.rs (8.13.6/8.13.6) with ESMTP id p786mrD8029683;
> Mon, 8 Aug 2011 08:48:59 +0200
> Received: from webmail01.mail.eu.clara.net ([213.253.3.101]:39081
> helo=webmail.freeuk.com)
> by relay04.mail.eu.clara.net (relay.freeuk.com [213.253.3.44]:1225)
> with esmtp id 1QqJcs-000724-DM
> (return-path); Mon, 08 Aug 2011 06:47:50 +0000
> Received: from 41.138.188.115
> (SquirrelMail authenticated user j.fawcett at freeuk.com)
> by ssl-webmail-vh.freeuk.com with HTTP;
> Mon, 8 Aug 2011 07:47:50 +0100
> Message-ID:
> Date: Mon, 8 Aug 2011 07:47:50 +0100
> Subject: You won in Yesterday Draws!!!
> From: "Coca-Cola Award Team"
> Reply-To: cocacolawebnetvet at w.cn
> User-Agent: SquirrelMail/1.4.21
> MIME-Version: 1.0
> Content-Type: text/plain;charset=ISO-8859-1
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> X-Squirrel-AuthUser: j.fawcett at freeuk.com
> X-EUNET-AVAS-Milter-Version: 2.0.0
> X-AVAS-Virus-Status: clean
> X-AVAS-Virus-Status: clean
> X-AVAS-Spamd-Symbols:
> BAYES_80,DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_RCVD_HELO,PLING_PLING,TO_CC_NONE,UNPARSEABLE_RELAY
> X-AVAS-Spam-Score: 4.5
> X-AVAS-Spam-Level: xxxxxxxxx
>
>
> If You have any questions, please contact our Technical support, every
> day from 00.00 to 24.00 phone 0700 300 400, (011) 202 3636 or e-mail
> support at eunet.rs
>
> EUnet wishes You a nice day and good connections!
>
> Petar Orlovic , Support Agent
> --
> YUnet International www.EUnet.rs
> Dubrovacka 35/III, 11000 Beograd, Serbia
> Tel: 0700 300 400
> Tel: +381 11 202 3636, Fax: +381 11 330 5609
> e-mail: support at eunet.rs www.eunet.rs
> --
> This e-mail is confidential and intended only for the
> recipient. Unauthorized distribution, modification or disclosure of its
> contents is prohibited. If you have received this e-mail in error,
> please notify the sender by telephone +381 11 2023636.
> --

From james.davis at ja.net Tue Aug 9 12:42:52 2011
From: james.davis at ja.net (James Davis)
Date: Tue, 9 Aug 2011 11:42:52 +0100
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <452D9C4CEEB.000000E3world.antispam.report@inbox.com>
References: <4e402a95.3020409@eunet.rs> <452D9C4CEEB.000000E3world.antispam.report@inbox.com>
Message-ID: <4E410F2C.7020206@ja.net>

On 09/08/2011 11:26, abuse at localhost.com wrote:

> -Therefore, "abuse at clara.net" just couldn't care less? -Have you sent
> an email to them? -I cannot state that I'm surprised! -I'll have a
> close look over that server. -If one of their IP# shows up again:
> Blacklist & refuse connection.

Apologies for cluttering up the list with off-topic operational issues....

If you have problems contacting an ISP in the UK and getting an abuse issue dealt with then please feel free to contact myself or my colleagues and we'll make an effort to use our contacts within the UK ISP community to get it resolved on your behalf. That's an offer extended to any list members.

I feel that would be a lot more constructive than this current discussion.

I hope that helps,

James

--
James Davis 0300 999 2340 (+44 1235 822340)
Senior CSIRT Member
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

From brian.nisbet at heanet.ie Tue Aug 9 12:50:24 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 09 Aug 2011 11:50:24 +0100
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <4E410F2C.7020206@ja.net>
References: <4e402a95.3020409@eunet.rs> <452D9C4CEEB.000000E3world.antispam.report@inbox.com> <4E410F2C.7020206@ja.net>
Message-ID: <4E4110F0.2010009@heanet.ie>

James,

"James Davis" wrote the following on 09/08/2011 11:42:
> On 09/08/2011 11:26, abuse at localhost.com wrote:
>
>> -Therefore, "abuse at clara.net" just couldn't care less? -Have you sent
>> an email to them? -I cannot state that I'm surprised! -I'll have a
>> close look over that server. -If one of their IP# shows up again:
>> Blacklist& refuse connection.
>
> Apologies for cluttering up the list with off-topic operational issues....

Useful operational information is not off-topic at all.

> If you have problems contacting an ISP in the UK and getting an abuse
> issue dealt with then please feel free to contact myself or my
> colleagues and we'll make an effort to use our contacts within the UK
> ISP community to get it resolved on your behalf. That's an offer
> extended to any list members.
>
> I feel that would be a lot more constructive than this current discussion.

Thanks for that. I agree.

Brian.

From michele at blacknight.ie Tue Aug 9 12:53:34 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 9 Aug 2011 10:53:34 +0000
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <452D9C4CEEB.000000E3world.antispam.report@inbox.com>
References: <4e402a95.3020409@eunet.rs> <452D9C4CEEB.000000E3world.antispam.report@inbox.com>
Message-ID: <2257F49D-886F-4511-89E2-E74860C99A87@blacknight.ie>

And abuse at localhost.com refuses email ..

What's your point?

On 9 Aug 2011, at 11:26, abuse at localhost.com wrote:

> 250 OK
> RCPT TO:
> 250 Accepted
> RSET
> 250 Reset OK
> QUIT
> 221 mx00.mail.eu.clara.net closing connection
> [Connection closed]
> ======================
> -That was "abuse at clara.net" (213.253.3.20) speaking...
> -Therefore, "abuse at clara.net" just couldn't care less?
> -Have you sent an email to them?
> -I cannot state that I'm surprised!
> -I'll have a close look over that server.
> -If one of their IP# shows up again: Blacklist & refuse connection.
>
> -Thank!
>> -----Original Message-----
>> From: abuse at eunet.rs
>> Sent: Tue, 09 Aug 2011 00:44:01 +0200
>> To: anti-abuse-wg at ripe.net
>> Subject: [anti-abuse-wg] Abuse report.
>>
>> Dear colleagues,
>>
>> This is SPAM report from one of our users. It seems that message came
>> from your server. We believe that you will find that user and that you
>> will take appropriate measures against him.
>> Due to privacy policy of our company, all information about our user is
>> changed to "x".
>>
>> From - Mon Aug 08 20:27:03 2011
>> X-Account-Key: account4
>> X-UIDL: 76e74b310924bc33
>> X-Mozilla-Status: 0001
>> X-Mozilla-Status2: 00000000
>> X-Mozilla-Keys:
>> Return-Path:
>> Received: from freeuk-outbound-smtp04.mail.eu.clara.net
>> (freeuk-outbound-smtp04.mail.eu.clara.net [195.8.64.21])
>> by eunet.rs (8.13.6/8.13.6) with ESMTP id p786mrD8029683;
>> Mon, 8 Aug 2011 08:48:59 +0200
>> Received: from webmail01.mail.eu.clara.net ([213.253.3.101]:39081
>> helo=webmail.freeuk.com)
>> by relay04.mail.eu.clara.net (relay.freeuk.com [213.253.3.44]:1225)
>> with esmtp id 1QqJcs-000724-DM
>> (return-path); Mon, 08 Aug 2011 06:47:50 +0000
>> Received: from 41.138.188.115
>> (SquirrelMail authenticated user j.fawcett at freeuk.com)
>> by ssl-webmail-vh.freeuk.com with HTTP;
>> Mon, 8 Aug 2011 07:47:50 +0100
>> Message-ID:
>> Date: Mon, 8 Aug 2011 07:47:50 +0100
>> Subject: You won in Yesterday Draws!!!
>> From: "Coca-Cola Award Team"
>> Reply-To: cocacolawebnetvet at w.cn
>> User-Agent: SquirrelMail/1.4.21
>> MIME-Version: 1.0
>> Content-Type: text/plain;charset=ISO-8859-1
>> Content-Transfer-Encoding: 8bit
>> X-Priority: 3 (Normal)
>> Importance: Normal
>> X-Squirrel-AuthUser: j.fawcett at freeuk.com
>> X-EUNET-AVAS-Milter-Version: 2.0.0
>> X-AVAS-Virus-Status: clean
>> X-AVAS-Virus-Status: clean
>> X-AVAS-Spamd-Symbols:
>> BAYES_80,DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_RCVD_HELO,PLING_PLING,TO_CC_NONE,UNPARSEABLE_RELAY
>> X-AVAS-Spam-Score: 4.5
>> X-AVAS-Spam-Level: xxxxxxxxx
>>
>>
>> If You have any questions, please contact our Technical support, every
>> day from 00.00 to 24.00 phone 0700 300 400, (011) 202 3636 or e-mail
>> support at eunet.rs
>>
>> EUnet wishes You a nice day and good connections!
>>
>> Petar Orlovic , Support Agent
>> --
>> YUnet International www.EUnet.rs
>> Dubrovacka 35/III, 11000 Beograd, Serbia
>> Tel: 0700 300 400
>> Tel: +381 11 202 3636, Fax: +381 11 330 5609
>> e-mail: support at eunet.rs www.eunet.rs
>> --
>> This e-mail is confidential and intended only for the
>> recipient. Unauthorized distribution, modification or disclosure of its
>> contents is prohibited. If you have received this e-mail in error,
>> please notify the sender by telephone +381 11 2023636.
>> --

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl.
+353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From Woeber at CC.UniVie.ac.at Tue Aug 9 12:55:05 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Tue, 09 Aug 2011 10:55:05 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net>
Message-ID: <4E411209.40204@CC.UniVie.ac.at>

Suresh Ramasubramanian wrote:

[...]
> In any case, too many to list.

...where is this notion or quote coming from?

Checking http://www.spamhaus.org/sbl/listings.lasso?isp=ripe gives me
"There are no current SBL listings for ripe"

> Never mind the "ISP" there -

Sorry, IMHO we have to mind, considerably, because it misleads the folks with less insight, involvement or long-term exposure to the problem field.

> spamhaus
> used the same script they use to generate per ISP reports of SBL
> listings.

And I am nit-picking here, because Spamhaus tends to be pretty liberal and fuzzy sometimes, with terminology, categorisation and/or actions.

Like - quoting from the FAQ:
"...in ranges assigned by every Regional Internet Registry (RIR) including ARIN, RIPE, APNIC, and others."

In fact the "every" are exactly *5*. So either explicitly quoting the 3 or using the phrase "and others." is again misleading.

And btw, it silently ignores the fact that there are NIRs, too ;-)

> On Mon, Aug 8, 2011 at 11:57 PM, Karl-Josef Ziegler wrote:
>
>>RIPE: has far too many records to list. This ISP has an extremely
>>serious spam problem.
>>
>>http://www.spamhaus.org/sbl/listings.lasso?isp=arin
>>
>>Hmmm... 'extremely serious spam problem'? Only RIPE 'has far too many
>>records to list.'
>>
>>What's this?
Wilfried

From ops.lists at gmail.com Tue Aug 9 13:09:00 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Aug 2011 16:39:00 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E411209.40204@CC.UniVie.ac.at>
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at>
Message-ID:

On Tue, Aug 9, 2011 at 4:25 PM, Wilfried Woeber, UniVie/ACOnet wrote:
> And btw, it silently ignores the fact that there are NIRs, too ;-)

Sure, but the problem here seems to be extensively caused by LIRs.
Which RIPE is rather over supplied with.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From world.antispam.report at inbox.com Tue Aug 9 13:11:08 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 03:11:08 -0800
Subject: [anti-abuse-wg] Athina.Fragkouli? about user "jorgen@hovland.cx"? :=>
In-Reply-To: <44DBC68C-3F58-46A3-8879-54EE15B0A8AF@hovland.cx>
References: <4e31225d.90607@powerweb.de> <864f93e1-d43c-4462-af64-073e8abe783f@blacknight.ie> <20110728111306.gj72014@space.net> <3c03cd5edcd.0000074fworld.antispam.report@inbox.com> <4e313b17.3010600@powerweb.de> <4e3119f6.7010703@powerweb.de> <20110728105311.gi72014@space.net>
Message-ID: <4591E7163EE.00000161world.antispam.report@inbox.com>

Could it be that most of the users of "anti-abuse-wg at ripe.net" mailing list are wrong?
To begin with, why the name "ANTI-ABUSE"???

As explained by the absolutely brilliant Jørgen Hovland (See here below) all the RIPE Internet community should simply "Get a (better) spamfilter or stop reading your mail :)", quote.
And the case is thus closed. All problems classified!

However, it would be a sure good thing to publish RIPE's decision regarding this topic since RIPE is for now, part of a world commonly known as humankind on planet earth.
Meaning that if Wilfried from "cc.univie.ac.at" wants & has time to care about the issues & last trends about trojans coded to send spam after intruding infecting a RIPE network, isn't its freedom to do so? And this, against the will of those who appeared and support the fact that this or that RIPE network gives RIPE erroneous data so that this or that specific RIPE IP# allocated network is factually unreachable?

If your IP# allocation isn't much more than a list of "Kinglon" outer space residents, what's the reason to offer what the world's Internet authority once decided to provide? Take a lifetime vacation then?

But as of now, does mail.netclient.no AKA www.mote.no do respect RIPE regulations from "A" to "Z"?

In short, I'm asking you if the mailing list named anti-abuse-wg bears the right name or not?

Thank you in advance.
=================>>>>>>>>>>>>>>>>>>>>>>
> -----Original Message-----
> From: jorgen at hovland.cx
> Sent: Mon, 8 Aug 2011 22:04:32 +0200
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
>
> Mr World Antispam Report,
>
> Please stop complaining about your spam problems.
> Get a (better) spam filter or stop reading your mail :)
>
> If you would like to send a complaint regarding a resource assigned by
> RIPE with inaccurate contact information I suggest you send it to the
> provider (as in LIR or RIR) instead.
> As always, anyone can decide not to read or reply to your complaint.
> The type of people you are talking about in your mail will most
> likely do just that.
>
>
> Good luck,
> =======================================
>
> On Aug 8, 2011, at 6:56 PM, abuse at localhost.com wrote:
>
>> The problem is: Does any network operator want to examine how
>> a "Spamming Trojan that works on its own" works?
>> Live, while in contact with the remote intruder with whom the
>> infected trojan is in contact?
>>
>> Please, let me give a specific example...
>> I have this "Other" given mailbox for which maybe its exact email
>> address was given to what is known as a "SPAM List".
>> I decide to keep that address instead of getting rid of it.
>> Of course, if there was a SPAM to get on the Internet, rest assured
>> that I'll get that SPAM at that email address!
>>
>> Anyhow, at one time (Rather many, many times), I get a SPAM that
>> bears an HTML link in its email body but the domain name is an
>> absolute gibberish word unintelligible in any language that anyone
>> could dream of.
>> So, I sent the complaint to both the abuse@ department from which the
>> SPAM originated and to the other network website (IP#) where the
>> gibberish domain name was located...
>> If I remember well, the origin of the SPAM was from
>> "Spain-Bada-Telecome", a very respectable & serious network and the
>> other network hosting the "Gibberish" domain name (IP#...) was also a
>> quite respectable network...
>> I have kept their reply as some other "Same type" reply in which a
>> given network operator thank me to advise him about this or that
>> trojan using his own network for spamming purpose (Sort of an
>> intrusion)...
>> If you want I can send or post these thankful dudes?
>>
>> Ok??? Let's go on...
>>
>> Some 2 days later, I get another SPAM bearing the same gibberish HTML
>> domain name but now located on an IP# located within the APNIC
>> authority...
>> Done complaint as usual and watched it for the whole day
>> thereafter...
>> For about 10 hours, the gibberish domain name disappeared from the
>> APNIC network and re-appeared on a network located in Romania and
>> for which close to none of the "RIPE registration data" appeared to
>> be valid.
>> All email addies and civic addies appeared wrong, bounced back,
>> etc...
>>
>> Now, about the question what does the term "hijacked Network or IP#"
>> mean to RIPE or to any Internet concerned individual?
>>
>> Within all the cases I have seen up to now, all network operators of good
>> faith and good will resolved the given problem in less than 6 hours.
>> Aside from blacklisting the "Supposed" source of trojan intruders.
>>
>> In due time, if the infectious network runs into problems because he's
>> refused connection with this network elsewhere, he could always use
>> another email address to reach the network that blacklisted him?
>> No problem there!
>>
>> Got it?
>>> -----Original Message-----
>>> From: woeber at cc.univie.ac.at
>>> Sent: Mon, 08 Aug 2011 15:42:35 +0000
>>> To: ops.lists at gmail.com
>>> Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
>>>
>>> [Catching up after being out of office for a while...]
>>>
>>> Suresh Ramasubramanian wrote:
>>>
>>> [...]
>>>>
>>>> Can we turn back to the question that was actually raised in the
>>>> thread?
>>>
>>> Yes, please. :-)
>>>
>>> As Spamhaus was mentioned, and the term "hijacked" pointed at,
>>> can anyone please provide me/us with (a pointer to) the definition of
>>> "hijacked", in particular as used by Spamhaus?
>>>
>>> TIA,
>>> Wilfried.

From world.antispam.report at inbox.com Tue Aug 9 13:15:30 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 03:15:30 -0800
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <4E410F2C.7020206@ja.net>
References: <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com>
Message-ID: <459BAB01B7D.0000016Bworld.antispam.report@inbox.com>

James? Have you noticed the name of this present mailing list?
Why would there be the word "anti-abuse" in it?
Is an uncared for spam complaint "Off Topic"?
I don't think so.
============================== > -----Original Message----- > From: james.davis at ja.net > Sent: Tue, 9 Aug 2011 11:42:52 +0100 > To: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Abuse report. > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On 09/08/2011 11:26, abuse at localhost.com wrote: > >> -Therefore, "abuse at clara.net" just couldn't care less? -Have you sent >> an email to them? -I canot state that I'm surprised! -I'll have a >> close look over that server. -If one of their IP# shows up again: >> Blacklist & refuse connection. > > Apologies for cluttering up the list with off-topic operational > issues.... > > If you have problems contacting an ISP in the UK and getting an abuse > issue dealt with then please feel free to contact myself or my > colleagues and we'll make an effort to use our contacts within the UK > ISP community to get it resolved on your behalf. That's an offer > extended to any list members. > > I feel that would be a lot more constructive than this current > discussion. > > I hope that helps, > > James > > - -- > James Davis 0300 999 2340 (+44 1235 822340) > Senior CSIRT Member > Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iF4EAREIAAYFAk5BDywACgkQjsS2Y6D6yLwbbAD/USMUrQrAaKrWKOS8gnYpE+Bt > tGcQBn4nvKoSIksxu4QBAJKmJ3OfE6B0P3ukrMqxMu8sLngVTrj8hL2L8lDHeCEG > =3xEM > -----END PGP SIGNATURE----- > > JANET(UK) is a trading name of The JNT Association, a company limited > by guarantee which is registered in England under No. 2881024 > and whose Registered Office is at Lumen House, Library Avenue, > Harwell Oxford, Didcot, Oxfordshire. OX11 0SG ____________________________________________________________ Send your photos by email in seconds... 

From michele at blacknight.ie Tue Aug 9 13:16:02 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 9 Aug 2011 11:16:02 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at>
Message-ID:

On 9 Aug 2011, at 12:09, Suresh Ramasubramanian wrote:

> On Tue, Aug 9, 2011 at 4:25 PM, Wilfried Woeber, UniVie/ACOnet
> wrote:
>> And btw, it silently ignores the fact that there are NIRs, too ;-)
>
> Sure, but the problem here seems to be extensively caused by LIRs.
> Which RIPE is rather over supplied with.

Huh?

So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From world.antispam.report at inbox.com Tue Aug 9 13:19:55 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 03:19:55 -0800
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <2257F49D-886F-4511-89E2-E74860C99A87@blacknight.ie>
References: <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com>
Message-ID: <45A586EABC3.00000179world.antispam.report@inbox.com>

1) This is a mailing list.
2) As anyone can see, I get the list?
3) And I reply.

Regards, LocalHost.
> -----Original Message-----
> From: michele at blacknight.ie
> Sent: Tue, 9 Aug 2011 10:53:34 +0000
> To: abuse at localhost.com
> Subject: Re: [anti-abuse-wg] Abuse report.
>
> And abuse at localhost.com refuses email ..
>
> What's your point?
>
> On 9 Aug 2011, at 11:26, abuse at localhost.com wrote:
>
>> 250 OK
>> RCPT TO:
>> 250 Accepted
>> RSET
>> 250 Reset OK
>> QUIT
>> 221 mx00.mail.eu.clara.net closing connection
>> [Connection closed]
>> ======================
>> -That was "abuse at clara.net" (213.253.3.20) speaking...
>> -Therefore, "abuse at clara.net" just couldn't care less?
>> -Have you sent an email to them?
>> -I cannot state that I'm surprised!
>> -I'll have a close look over that server.
>> -If one of their IP# shows up again: Blacklist & refuse connection.
>>
>> -Thanks!
>>> -----Original Message-----
>>> From: abuse at eunet.rs
>>> Sent: Tue, 09 Aug 2011 00:44:01 +0200
>>> To: anti-abuse-wg at ripe.net
>>> Subject: [anti-abuse-wg] Abuse report.
>>>
>>> Dear colleagues,
>>>
>>> This is SPAM report from one of our users. It seems that message came
>>> from your server. We believe that you will find that user and that you
>>> will take appropriate measures against him.
>>> Due to privacy policy of our company, all information about our user is
>>> changed to "x".
>>>
>>> From - Mon Aug 08 20:27:03 2011
>>> X-Account-Key: account4
>>> X-UIDL: 76e74b310924bc33
>>> X-Mozilla-Status: 0001
>>> X-Mozilla-Status2: 00000000
>>> X-Mozilla-Keys:
>>> Return-Path:
>>> Received: from freeuk-outbound-smtp04.mail.eu.clara.net
>>> (freeuk-outbound-smtp04.mail.eu.clara.net [195.8.64.21])
>>> by eunet.rs (8.13.6/8.13.6) with ESMTP id p786mrD8029683;
>>> Mon, 8 Aug 2011 08:48:59 +0200
>>> Received: from webmail01.mail.eu.clara.net ([213.253.3.101]:39081
>>> helo=webmail.freeuk.com)
>>> by relay04.mail.eu.clara.net (relay.freeuk.com [213.253.3.44]:1225)
>>> with esmtp id 1QqJcs-000724-DM
>>> (return-path); Mon, 08 Aug 2011 06:47:50 +0000
>>> Received: from 41.138.188.115
>>> (SquirrelMail authenticated user j.fawcett at freeuk.com)
>>> by ssl-webmail-vh.freeuk.com with HTTP;
>>> Mon, 8 Aug 2011 07:47:50 +0100
>>> Message-ID:
>>> Date: Mon, 8 Aug 2011 07:47:50 +0100
>>> Subject: You won in Yesterday Draws!!!
>>> From: "Coca-Cola Award Team"
>>> Reply-To: cocacolawebnetvet at w.cn
>>> User-Agent: SquirrelMail/1.4.21
>>> MIME-Version: 1.0
>>> Content-Type: text/plain;charset=ISO-8859-1
>>> Content-Transfer-Encoding: 8bit
>>> X-Priority: 3 (Normal)
>>> Importance: Normal
>>> X-Squirrel-AuthUser: j.fawcett at freeuk.com
>>> X-EUNET-AVAS-Milter-Version: 2.0.0
>>> X-AVAS-Virus-Status: clean
>>> X-AVAS-Virus-Status: clean
>>> X-AVAS-Spamd-Symbols:
>>> BAYES_80,DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_RCVD_HELO,PLING_PLING,TO_CC_NONE,UNPARSEABLE_RELAY
>>> X-AVAS-Spam-Score: 4.5
>>> X-AVAS-Spam-Level: xxxxxxxxx
>>>
>>>
>>> If You have any questions, please contact our Technical support, every
>>> day from 00.00 to 24.00 phone 0700 300 400, (011) 202 3636 or e-mail
>>> support at eunet.rs
>>>
>>> EUnet wishes You a nice day and good connections!
>>>
>>> Petar Orlovic , Support Agent
>>> --
>>> YUnet International www.EUnet.rs
>>> Dubrovacka 35/III, 11000 Beograd, Serbia
>>> Tel: 0700 300 400
>>> Tel: +381 11 202 3636, Fax: +381 11 330 5609
>>> e-mail: support at eunet.rs www.eunet.rs
>>> --
>>> This e-mail is confidential and intended only for the
>>> recipient. Unauthorized distribution, modification or disclosure of its
>>> contents is prohibited. If you have received this e-mail in error,
>>> please notify the sender by telephone +381 11 2023636.
>>> --

From kzorba at otenet.gr Tue Aug 9 13:23:59 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Tue, 09 Aug 2011 14:23:59 +0300
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <459BAB01B7D.0000016Bworld.antispam.report@inbox.com>
References: <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com> <459BAB01B7D.0000016Bworld.antispam.report@inbox.com>
Message-ID: <4E4118CF.2050201@otenet.gr>

On 08/09/2011 02:15 PM, abuse at localhost.com wrote:
> James? Have you noticed the name of this present mailing list?
> Why would there be the word "anti-abuse" in it?
> Is an uncared for spam complaint "Off Topic"?
>
> I don't think so.
> ==============================
> http://www.ripe.net/ripe/groups/wg/anti-abuse

Please, I think we should lower the noise of these threads.

Regards,

Kostas

From ops.lists at gmail.com Tue Aug 9 13:27:40 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Aug 2011 16:57:40 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at>
Message-ID:

Let us just say "on several LIRs".

On Tue, Aug 9, 2011 at 4:46 PM, Michele Neylon :: Blacknight wrote:
>
> Huh?
>
> So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From ops.lists at gmail.com Tue Aug 9 13:32:25 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Aug 2011 17:02:25 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at>
Message-ID:

So - let us get back to some very ancient history

http://www.ripe.net/ripe/wg/ncc-services/r59-minutes.html

> Uwe stated that there should be a check that organisations requesting resources actually exist before assigning to them.
>
> Nick Hilliard (INEX) pointed out that this check is already done by the RIPE NCC. However, there is little the RIPE NCC can do if documents are fake. The RIPE NCC is not the routing police.

Is there anything being done to remedy this? [Yes, there is a process now to deregister LIRs for fraud. Is there fraud investigation built into the new LIR setup and netblock allocation through LIRs process? And some amount of auditability of existing LIRs?

On Tue, Aug 9, 2011 at 4:57 PM, Suresh Ramasubramanian wrote:
> Let us just say "on several LIRs".
>
> On Tue, Aug 9, 2011 at 4:46 PM, Michele Neylon :: Blacknight
> wrote:
>>
>> Huh?
>>
>> So there's too many of us? What on earth is that meant to mean? Is that an aspersion on LIRs or on RIPE or on both?
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From brian.nisbet at heanet.ie Tue Aug 9 13:40:46 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 09 Aug 2011 12:40:46 +0100
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <459BAB01B7D.0000016Bworld.antispam.report@inbox.com>
References: <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com> <459BAB01B7D.0000016Bworld.antispam.report@inbox.com>
Message-ID: <4E411CBE.3070503@heanet.ie>

"abuse at localhost.com" wrote the following on 09/08/2011 12:15:
> James? Have you noticed the name of this present mailing list?
> Why would there be the word "anti-abuse" in it?
> Is an uncared for spam complaint "Off Topic"?
>
> I don't think so.

Please look at the URL Kostas has posted, and sure I'll post it here again myself:

http://www.ripe.net/ripe/groups/wg/anti-abuse

This list is explicitly not the place to report spam. It is also not a place for seemingly random and extremely difficult to follow digressions and accusations.

Could you please review the charter of the group and the behaviour of others on the mailing list before posting further.

Thanks,

Brian,
Co-Chair RIPE AA-WG

From tk at abusix.com Tue Aug 9 13:42:22 2011
From: tk at abusix.com (Tobias Knecht)
Date: Tue, 09 Aug 2011 13:42:22 +0200
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
Message-ID: <4E411D1E.6040901@abusix.com>

+1

From michele at blacknight.ie Tue Aug 9 13:51:20 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 9 Aug 2011 11:51:20 +0000
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E411D1E.6040901@abusix.com>
References: <4E411D1E.6040901@abusix.com>
Message-ID: <722E9276-18E1-403A-AEB0-F78228116BD9@blacknight.ie>

On 9 Aug 2011, at 12:42, Tobias Knecht wrote:

> +1
>

+1

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From P.Vissers at opta.nl Tue Aug 9 13:55:13 2011
From: P.Vissers at opta.nl (Vissers, Pepijn)
Date: Tue, 9 Aug 2011 11:55:13 +0000
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <722E9276-18E1-403A-AEB0-F78228116BD9@blacknight.ie>
References: <4E411D1E.6040901@abusix.com> <722E9276-18E1-403A-AEB0-F78228116BD9@blacknight.ie>
Message-ID:

+1.

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net]
> On behalf of Michele Neylon :: Blacknight
> Sent: Tuesday 9 August 2011 13:51
> To:
> CC:
> Subject: Re: [anti-abuse-wg] VOTE: Mandatory Realname in this
> Mailinglist ;-)
>
>
> On 9 Aug 2011, at 12:42, Tobias Knecht wrote:
>
> > +1
> >
> +1

+++++++++++++++++++++++++++++++++++++++++++++
Disclaimer

This e-mail message may contain confidential information or information protected by professional privilege.
If it is not intended for you, you should be aware that any distribution, copying or other form of use of
this message is not permitted.
If it has apparently reached you by mistake, we urge you to notify us by phone +31 70 315 3500
or e-mail mailto:mail at opta.nl and destroy the message immediately.
This e-mail message has only been checked for viruses.
The accuracy, relevance, timeliness or completeness of the information provided cannot be guaranteed.
OPTA expressly disclaims any responsibility in relation to the information in this e-mail message.
No rights can be derived from this message.

From kzorba at otenet.gr Tue Aug 9 13:59:25 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Tue, 09 Aug 2011 14:59:25 +0300
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E411D1E.6040901@abusix.com>
References: <4E411D1E.6040901@abusix.com>
Message-ID: <4E41211D.9030100@otenet.gr>

On 08/09/2011 02:42 PM, Tobias Knecht wrote:
> +1
>

++

:)

From tk at abusix.com Tue Aug 9 14:03:45 2011
From: tk at abusix.com (Tobias Knecht)
Date: Tue, 09 Aug 2011 14:03:45 +0200
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
In-Reply-To:
References: <4E411D1E.6040901@abusix.com> <722E9276-18E1-403A-AEB0-F78228116BD9@blacknight.ie>
Message-ID: <4E412221.7070200@abusix.com>

I hope everybody saw the ;-) behind my subject line.

This was not a serious idea, it was just to show that it really would make sense to be as open as possible to get an as open as possible feedback.

I hope this encourages some people here to start an open discussion.

Thanks,

Tobias

On 09.08.11 13:55, Vissers, Pepijn wrote:
> +1.
>
>> -----Original Message-----
>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net]
>> On behalf of Michele Neylon :: Blacknight
>> Sent: Tuesday 9 August 2011 13:51
>> To:
>> CC:
>> Subject: Re: [anti-abuse-wg] VOTE: Mandatory Realname in this
>> Mailinglist ;-)
>>
>>
>> On 9 Aug 2011, at 12:42, Tobias Knecht wrote:
>>
>>> +1
>>>
>> +1

From ripe-anti-spam-wg at powerweb.de Tue Aug 9 14:30:29 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Tue, 09 Aug 2011 14:30:29 +0200
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
Message-ID: <4E412865.5040007@powerweb.de>

Hi,

I also like to start a vote, that this
mailing list is only open for RIPE members
or people from the RIPE region.

Members could be proofed easily and
for the RIPE region I would count
on sender email addresses with a TLD
from the RIPE region and a mailserver
that has an RIPE IP address.

Please vote now ...
--

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From dave.wilson at heanet.ie Tue Aug 9 14:04:20 2011
From: dave.wilson at heanet.ie (Dave Wilson)
Date: Tue, 09 Aug 2011 13:04:20 +0100
Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E411D1E.6040901@abusix.com>
References: <4E411D1E.6040901@abusix.com>
Message-ID: <4E412244.2030304@heanet.ie>

I'm sure we can take this as the joke it must have been intended to be - after
all, we don't vote on decisions in the RIPE community, and a stream of +1s
would only serve to clutter the list.

Best,
Dave

--
Dave Wilson, Project Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040 fax: +353-1-660 3666
web: http://www.heanet.ie/
Calendar & PGP: http://people.heanet.ie/~davew/

From michele at blacknight.ie Tue Aug 9 14:35:02 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 9 Aug 2011 12:35:02 +0000
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412865.5040007@powerweb.de>
References: <4E412865.5040007@powerweb.de>
Message-ID:

On 9 Aug 2011, at 13:30, Frank Gadegast wrote:

>
> Hi,
>
> I also like to start a vote, that this
> mailing list is only open for RIPE members
> or people from the RIPE region.

Um ok ..

>
> Members could be proofed easily and
> for the RIPE region I would count
> on sender email addresses with a TLD
> from the RIPE region and a mailserver
> that has an RIPE IP address.

That won't work

I can be in the RIPE region using a .whatever and send my mail via China if I want to ..

>
> Please vote now ...
> --
>
> Kind regards, Frank
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh.
Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From brian.nisbet at heanet.ie Tue Aug 9 14:37:01 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 09 Aug 2011 13:37:01 +0100
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412865.5040007@powerweb.de>
References: <4E412865.5040007@powerweb.de>
Message-ID: <4E4129ED.6080705@heanet.ie>

Frank,

"Frank Gadegast" wrote the following on 09/08/2011 13:30:
>
> Hi,
>
> I also like to start a vote, that this
> mailing list is only open for RIPE members
> or people from the RIPE region.
>
> Members could be proofed easily and
> for the RIPE region I would count
> on sender email addresses with a TLD
> from the RIPE region and a mailserver
> that has an RIPE IP address.

This mailing list, just like the RIPE meetings, is part of the RIPE
community and, as such, open to everyone. I'm not sure if you are being
serious or sarcastic, to be honest, but I wanted to make that very plain
indeed.

Regards,

Brian,
Co-chair, RIPE AA-WG

From kzorba at otenet.gr Tue Aug 9 14:41:11 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Tue, 09 Aug 2011 15:41:11 +0300
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412865.5040007@powerweb.de>
References: <4E412865.5040007@powerweb.de>
Message-ID: <4E412AE7.3070502@otenet.gr>

On 08/09/2011 03:30 PM, Frank Gadegast wrote:
>
> Hi,
>
> I also like to start a vote, that this
> mailing list is only open for RIPE members
> or people from the RIPE region.
>

Why would you want to do something like that?

> Members could be proofed easily and
> for the RIPE region I would count
> on sender email addresses with a TLD
> from the RIPE region and a mailserver
> that has an RIPE IP address.
>
> Please vote now ...

I think the list should remain open to all interested people and parties. Useful contributions could come from anywhere.

Regards,

Kostas

From balla at spin.it Tue Aug 9 14:35:08 2011
From: balla at spin.it (Emanuele Balla)
Date: Tue, 09 Aug 2011 14:35:08 +0200
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412865.5040007@powerweb.de>
References: <4E412865.5040007@powerweb.de>
Message-ID: <4E41297C.30605@spin.it>

On 8/9/11 2:30 PM, Frank Gadegast wrote:
>
> Hi,
>
> I also like to start a vote, that this
> mailing list is only open for RIPE members
> or people from the RIPE region.
>
> Members could be proofed easily and
> for the RIPE region I would count
> on sender email addresses with a TLD
> from the RIPE region and a mailserver
> that has an RIPE IP address.
>
> Please vote now ...

I'm absolutely against this one, sorry.

--
# Emanuele Balla # #
# System & Network Engineer # #
# Spin s.r.l.
- AS6734 # Phone: +39 040 9869090 #
# Trieste # Email: balla at staff.spin.it #

From kzorba at otenet.gr Tue Aug 9 14:48:04 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Tue, 09 Aug 2011 15:48:04 +0300
Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E412244.2030304@heanet.ie>
References: <4E411D1E.6040901@abusix.com> <4E412244.2030304@heanet.ie>
Message-ID: <4E412C84.50101@otenet.gr>

On 08/09/2011 03:04 PM, Dave Wilson wrote:
> I'm sure we can take this as the joke it must have been intended to be - after
> all, we don't vote on decisions in the RIPE community, and a stream of +1s
> would only serve to clutter the list.
>

However, it would be a good idea to have some sort of netiquette.
Unless there is one somewhere and I have missed it.

Regards,

Kostas

> Best,
> Dave
>

From frank at altpeter.de Tue Aug 9 14:48:28 2011
From: frank at altpeter.de (Frank Altpeter)
Date: Tue, 9 Aug 2011 14:48:28 +0200
Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E412C84.50101@otenet.gr>
References: <4E411D1E.6040901@abusix.com> <4E412244.2030304@heanet.ie> <4E412C84.50101@otenet.gr>
Message-ID: <20110809124828.GE24760@crew-gmbh.de>

Hi,

on 2011-08-09 at 14:48:04 CEST, Kostas Zorbadelos wrote:
> On 08/09/2011 03:04 PM, Dave Wilson wrote:
> > I'm sure we can take this as the joke it must have been intended to be - after
> > all, we don't vote on decisions in the RIPE community, and a stream of +1s
> > would only serve to clutter the list.
> >
>
> However, it would be a good idea to have some sort of netiquette.
> Unless there is one somewhere and I have missed it.

RFC 1855 should apply here automagically as well. I'm sometimes just not sure if that fact is known to every subscriber.

Kind regards
Frank Altpeter

--
FA-RIPE || http://www.altpeter.de/ || http://gplus.to/frank42
| I'm proud of my humility.

From ripe-anti-spam-wg at powerweb.de Tue Aug 9 14:49:56 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Tue, 09 Aug 2011 14:49:56 +0200
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E4129ED.6080705@heanet.ie>
References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie>
Message-ID: <4E412CF4.5020900@powerweb.de>

Brian Nisbet wrote:
> Frank,
>
> "Frank Gadegast" wrote the following on 09/08/2011 13:30:
>>
>> Hi,
>>
>> I also like to start a vote, that this
>> mailing list is only open for RIPE members
>> or people from the RIPE region.
>>
>> Members could be proofed easily and
>> for the RIPE region I would count
>> on sender email addresses with a TLD
>> from the RIPE region and a mailserver
>> that has an RIPE IP address.
>
> This mailing list, just like the RIPE meetings, is part of the RIPE
> community and, as such, open to everyone. I'm not sure if you are being
> serious or sarcastic, to be honest, but I wanted to make that very plain
> indeed.

That's a basic question:
why should anybody not associated with the RIPE region be
part of the RIPE community ?

I cannot vote in the Netherlands or influence the politics or
law processes there, if I'm not a legal entity in the Netherlands.

>
> Regards,
>
> Brian,
> Co-chair, RIPE AA-WG
>
>
>

Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From frank at altpeter.de Tue Aug 9 14:36:53 2011
From: frank at altpeter.de (Frank Altpeter)
Date: Tue, 9 Aug 2011 14:36:53 +0200
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412865.5040007@powerweb.de>
References: <4E412865.5040007@powerweb.de>
Message-ID: <20110809123653.GD24760@crew-gmbh.de>

Hi,

on 2011-08-09 at 14:30:29 CEST, Frank Gadegast wrote:
>
> Hi,
>
> I also like to start a vote, that this
> mailing list is only open for RIPE members
> or people from the RIPE region.
>
> Members could be proofed easily and
> for the RIPE region I would count
> on sender email addresses with a TLD
> from the RIPE region and a mailserver
> that has an RIPE IP address.
>
> Please vote now ...

First of all, I don't think that a mailing list is a feasible solution for votings. Such things should be done on services like doodle.com.

Second: Your vote topic is also not feasible because it does only hit the innocent. You would block RIPE region users using freemailers like gmail.com and hotmail.com and you would allow non-RIPE region users using freemailers like web.de and freenet.de

So: far from "proofed easily".

Kind regards
Frank Altpeter

--
FA-RIPE || http://www.altpeter.de/ || http://gplus.to/frank42
| The best cure for insomnia is to get a lot of sleep. -W.C. Fields

From tk at abusix.com Tue Aug 9 14:53:36 2011
From: tk at abusix.com (Tobias Knecht)
Date: Tue, 09 Aug 2011 14:53:36 +0200
Subject: [anti-abuse-wg] VOTE: members and RIPE region only
In-Reply-To: <4E412CF4.5020900@powerweb.de>
References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie> <4E412CF4.5020900@powerweb.de>
Message-ID: <4E412DD0.4070205@abusix.com>

> why should anybody not associated with the RIPE region be
> part of the RIPE community ?

Because we (abusix) for example have proposed policies to APNIC and AfriNIC. These policies are now in place and help solving problems worldwide.

I guess that is reason enough.

> I cannot vote in the Netherlands or influence the politics or
> law processes there, if I'm not a legal entity in the Netherlands.

Isn't the internet a cool place? ;-)

Tobias

From niall at blacknight.com Tue Aug 9 13:54:42 2011
From: niall at blacknight.com (Niall Donegan)
Date: Tue, 09 Aug 2011 12:54:42 +0100
Subject: [anti-abuse-wg] Abuse report.
In-Reply-To: <45A586EABC3.00000179world.antispam.report@inbox.com>
References: <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com> <45A586EABC3.00000179world.antispam.report@inbox.com>
Message-ID: <4E412002.7020903@blacknight.com>

On 09/08/11 12:19, abuse at localhost.com wrote:
> 1) This is a mailing list.

This is a mailing list with a specific charter, as Kostas and Brian have already pointed out. However, maybe third time is the charm:

http://www.ripe.net/ripe/groups/wg/anti-abuse

It is *NOT* your personal soap box.

> 2) As anyone can see, I get the list?

Congratulations.

> 3) And I reply.

Now all you need to do is see if you can figure out how to get your email client to put your real name on your emails.

Niall.

--
Niall Donegan ---------------- http://www.blacknight.com
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845

From frank+ripe at altpeter.de Tue Aug 9 14:01:35 2011
From: frank+ripe at altpeter.de (Frank Altpeter)
Date: Tue, 9 Aug 2011 14:01:35 +0200
Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-)
In-Reply-To: <4E41211D.9030100@otenet.gr>
References: <4E411D1E.6040901@abusix.com> <4E41211D.9030100@otenet.gr>
Message-ID: <20110809120134.GA24760@crew-gmbh.de>

Hi,

on 2011-08-09 at 13:59:25 CEST, Kostas Zorbadelos wrote:
> On 08/09/2011 02:42 PM, Tobias Knecht wrote:
> > +1
> >
>
> ++
>
> :)
>

Please stop that or create a doodle[1] for it.

[1] http://www.doodle.com/

Kind regards
Frank Altpeter

--
FA-RIPE || http://www.altpeter.de/ || http://gplus.to/frank42
| No one goes to that restaurant anymore-it's always too crowded.
| (attributed to Yogi Berra)
From michele at blacknight.ie Tue Aug 9 14:53:50 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Tue, 9 Aug 2011 12:53:50 +0000 Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-) In-Reply-To: <4E412C84.50101@otenet.gr> References: <4E411D1E.6040901@abusix.com> <4E412244.2030304@heanet.ie> <4E412C84.50101@otenet.gr> Message-ID: <74B1214B-C1A1-4835-9F7E-A81C50194A0E@blacknight.ie> On 9 Aug 2011, at 13:48, Kostas Zorbadelos wrote: > On 08/09/2011 03:04 PM, Dave Wilson wrote: >> I'm sure we can take this as the joke it must have been intended to be - after >> all, we don't vote on decisions in the RIPE community, and a stream of +1s >> would only serve to clutter the list. >> > > However, it would be a good idea to have some sort of netiquette. > Unless there is one somewhere and I have missed it. > > Regards, > > Kostas > >> Best, >> Dave >> > Dave / Kostas I'd be very much in favour of there being some basic rules established. I don't like engaging in discussions with people who won't provide their real names and I'm also a little bit tired of the attacks being made on me, RIPE, LIRs, Brian and others. They don't help anyone. regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From esa.laitinen at iki.fi Tue Aug 9 14:47:11 2011 From: esa.laitinen at iki.fi (Esa Laitinen) Date: Tue, 9 Aug 2011 14:47:11 +0200 Subject: [anti-abuse-wg] VOTE: members and RIPE region only In-Reply-To: <4E412865.5040007@powerweb.de> References: <4E412865.5040007@powerweb.de> Message-ID: On Tue, Aug 9, 2011 at 2:30 PM, Frank Gadegast < ripe-anti-spam-wg at powerweb.de> wrote: > > I also like to start a vote, that this > mailing list is only open for RIPE members > or people from the RIPE region. > > From the gut feeling I would vote "no", but i would be interested in hearing why you think this restriction would be a good idea? Btw: I have no idea from which server on which continent my email pops out of Google network. Same applies to some of the other systems/addresses I use, so what you propose as how to limit the user group is very inaccurate indeed. To restrict the user community the way you propose requires manual verification, and wouldn't be very accurate even then. -- Mr. Esa Laitinen Tel. +41 76 200 2870 skype/yahoo: reunaesa Blog: http://happiloppuuahistaa.blogspot.com 
From niall at blacknight.com Tue Aug 9 14:55:35 2011 From: niall at blacknight.com (Niall Donegan) Date: Tue, 09 Aug 2011 13:55:35 +0100 Subject: [anti-abuse-wg] VOTE: members and RIPE region only In-Reply-To: <4E412CF4.5020900@powerweb.de> References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie> <4E412CF4.5020900@powerweb.de> Message-ID: <4E412E47.3020000@blacknight.com> On 09/08/11 13:49, Frank Gadegast wrote: > Thats a basic question: > why should anybody not associated with the RIPE region be > part of the RIPE community ? Possibly because abuse is a world wide issue, and having input from people in other regions under other RIRs is no bad thing? RIPE doesn't exist in a vacuum. Niall. -- Niall Donegan ---------------- http://www.blacknight.com Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 From michele at blacknight.ie Tue Aug 9 14:55:57 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Tue, 9 Aug 2011 12:55:57 +0000 Subject: [anti-abuse-wg] VOTE: members and RIPE region only In-Reply-To: <4E412CF4.5020900@powerweb.de> References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie> <4E412CF4.5020900@powerweb.de> Message-ID: On 9 Aug 2011, at 13:49, Frank Gadegast wrote: > Brian Nisbet wrote: >> Frank, >> >> "Frank Gadegast" wrote the following on 09/08/2011 13:30: >>> >>> Hi, >>> >>> I also like to start a vote, that this >>> mailing list is only open for RIPE members >>> or people from the RIPE region. >>> >>> Members could be proofed easily and >>> for the RIPE region I would count >>> on sender email addresses with a TLD >>> from the RIPE region and a mailserver >>> that has an RIPE IP address. >> >> This mailing list, just like the RIPE meetings, is part of the RIPE >> community and, as such, open to everyone. 
I'm not sure if you are being >> serious or sarcastic, to be honest, but I wanted to make that very plain >> indeed. > > Thats a basic question: > why should anybody not associated with the RIPE region be > part of the RIPE community ? The internet is global I'm involved in a lot of regional mailing lists for regions that I don't live in and I don't ever need to justify myself > > A cannot vote in the Nederlands or influence the politics or > law processes there, if Im not a legal entity in the Nederlands. That's not true. You're an EU citizen :) EU law is binding in both jurisdictions .. (sorry - you chose the analogy) > > >> >> Regards, >> >> Brian, >> Co-chair, RIPE AA-WG >> >> >> > > > Kind regards, Frank > -- > PHADE Software - PowerWeb http://www.powerweb.de > Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de > Schinkelstrasse 17 fon: +49 33200 52920 > 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 > ====================================================================== > Public PGP Key available for frank at powerweb.de > Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From pk at DENIC.DE Tue Aug 9 14:15:10 2011 From: pk at DENIC.DE (Peter Koch) Date: Tue, 9 Aug 2011 14:15:10 +0200 Subject: [anti-abuse-wg] VOTE: Mandatory Realname in this Mailinglist ;-) In-Reply-To: <4E411D1E.6040901@abusix.com> References: <4E411D1E.6040901@abusix.com> Message-ID: <20110809121510.GD23694@x27.adm.denic.de> Tobias, On Tue, Aug 09, 2011 at 01:42:22PM +0200, Tobias Knecht wrote: > +1 while the smiley in the subject probably refers to this recent demonstration of special expertise, I do believe our challenge is about incomprehensible (at least to me) content rather than absence of a reasonable From: field and also there is more than one source of this confusion. -Peter From ripe-anti-spam-wg at powerweb.de Tue Aug 9 15:16:15 2011 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Tue, 09 Aug 2011 15:16:15 +0200 Subject: [anti-abuse-wg] VOTE: members and RIPE region only In-Reply-To: <402D5E48-5D5A-4589-B0F9-7E81FFEC5FE6@nosc.ja.net> References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie> <4E412CF4.5020900@powerweb.de> <402D5E48-5D5A-4589-B0F9-7E81FFEC5FE6@nosc.ja.net> Message-ID: <4E41331F.4020002@powerweb.de> Rob Evans wrote: >> why should anybody not associated with the RIPE region be >> part of the RIPE community ? > > Because the Internet is global. Ahhh, I did not think about that (*godsake*) > Sorry, thats confusing. RIR stand for "regional" not world-wide. The community should also be a regional community. RIPE NCC defines itself as: The RIPE NCC is an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical coordination in its service region. 
"Service region" ! At least RIPE is worldwide in the way, that its resources are globaly routed and misused worldwide ... I dont think that RIPE and RIPE NCC should not listen to users and organisations world-wide, but descissions should only be made be users from the RIPE region. Thats the same with the spamhause discussion we had. RIPE NCC has to check everything to its own regulations, but they could listen to important sources like spamhaus. And we are here to discuss definitions and regulations for the RIPE region, to discuss drafts and give advice to boards and descission makers in the RIPE region. We do not have to discuss them with people that hide behind anonymous services offered world wide. We could listen to them, but progress should only be defined by members. > > Rob > > > Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From Woeber at CC.UniVie.ac.at Tue Aug 9 15:19:16 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 09 Aug 2011 13:19:16 +0000 Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-) In-Reply-To: <20110809124828.GE24760@crew-gmbh.de> References: <4E411D1E.6040901@abusix.com> <4E412244.2030304@heanet.ie> <4E412C84.50101@otenet.gr> <20110809124828.GE24760@crew-gmbh.de> Message-ID: <4E4133D4.2000407@CC.UniVie.ac.at> Frank Altpeter wrote: [...] > RFC 1855 should apply here automagically as well. I'm sometimes just not > sure if that fact is known to every subscriber. Ahem, sorry, bear with me for a moment, but what is an RFC? :-) Honestly, Frank, thanks for that pointer. 
I guess it would be Good Thing[TM) to include a reference on the appropriate RIPE WG Web Page that helps with working group and mailing list management. > Mit freundlichen Grüßen > > Frank Altpeter Thanks, Wilfried. From Woeber at CC.UniVie.ac.at Tue Aug 9 15:34:35 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 09 Aug 2011 13:34:35 +0000 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? In-Reply-To: References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> Message-ID: <4E41376B.6020702@CC.UniVie.ac.at> Suresh Ramasubramanian wrote: [...] > [...]Is there fraud investigation built > into the new LIR setup and netblock allocation through LIRs process? > And some amount of auditability of existing LIRs? Yes there is. And very painstakingly so. Like when we (a LIR that exists since 1993 under the same identity) had to sign a new service contract, the NCC wanted to get a copy of the legal document that proves our existence. Again within the framework of PI stuff. Interestingly enough, a university that was established in the 14th century does not have an entry in the current business register. Also, a publicly funded university in our little country is not a regular legal entity, but exists due to a law passed by national parliament. Even a reference to the official website of our government, offering the authoritative version of the law, was not enough. I had to print the respective law, have it signed by a ministry rep. and have it scanned and shipped to Amsterdam. So, yes checks are made, regularly. But if you succeed in forging that type of documents, or if you succeed to get some "official entity" to help in doing that, the NCC is at the loosing end of the stick :-( Wilfried. From ops.lists at gmail.com Tue Aug 9 15:37:13 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Tue, 9 Aug 2011 19:07:13 +0530 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? 
In-Reply-To: <4E41376B.6020702@CC.UniVie.ac.at> References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> Message-ID: Which is what is sought to be addressed. Granted the due diligence exists, but the fact remains that there are botmasters and spammers who manage to game this process. While the LIR revocation process exists, a more "user friendly" / transparent complaint handling mechanism and periodic audits might make things interesting On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet wrote: > > But if you succeed in forging that type of documents, or if you succeed to > get some "official entity" to help in doing that, the NCC is at the loosing > end of the stick :-( -- Suresh Ramasubramanian (ops.lists at gmail.com) From world.antispam.report at inbox.com Tue Aug 9 15:43:15 2011 From: world.antispam.report at inbox.com (abuse@localhost.com) Date: Tue, 9 Aug 2011 05:43:15 -0800 Subject: [anti-abuse-wg] Abuse report. In-Reply-To: <4E411CBE.3070503@heanet.ie> References: <459bab01b7d.0000016bworld.antispam.report@inbox.com> <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com> Message-ID: <46E5E64B838.00000088world.antispam.report@inbox.com> Thank you for the precisions. That settle it. I'm sorry for disturbing. As meaningfull as it can be. It's just that last month I noticed a few invalid RIPE registrations. What some call (Justified or not) "Faked" RIPE registrations. Since RIPE contacts that would handle such a case is (Are) that much of a "Rarity" and kept in a way, hidden, I simply through that it could be reported in this anti-abuse mail mail list. To summrarise the whole, anti-abuse-wg at ripe.net is not way a place to talk about methods some automated trojans take over IP# to register their exploit websites and send spam from unaware network operators. 
This being so, the only option left when the e-mails or phone numbers, all RIPE datas that were provided by a given allocated IP block# is erroneous for any reason is; Blacklist the whole IP block number directly in the router filter. Brian? Thank you for the information! I'm out of this mailing list. > -----Original Message----- > From: brian.nisbet at heanet.ie > Sent: Tue, 09 Aug 2011 12:40:46 +0100 > To: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Abuse report. > > "abuse at localhost.com" wrote the following on 09/08/2011 12:15: >> James? Have you noticed the name of this present mailing list?\ >> Why would there be the word "anti-abuse" in it? >> Is an uncared for spam complaint "Off Topic"? >> >> I don't think so. > > Please look at the URL Kostas has posted, and sure I'll post it here > again myself: > > http://www.ripe.net/ripe/groups/wg/anti-abuse > > This list is explicitly not the place to report spam. It is also not a > place for seemingly random and extremely difficult to follow digressions > and accusations. Could you please review the charter of the group and > the behaviour of others on the mailing list before posting further. > > Thanks, > > Brian, > Co-Chair RIPE AA-WG From P.Vissers at opta.nl Tue Aug 9 15:53:42 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Tue, 9 Aug 2011 13:53:42 +0000 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? 
In-Reply-To: <4E41376B.6020702@CC.UniVie.ac.at> References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> Message-ID: > But if you succeed in forging that type of documents, or if you succeed > to > get some "official entity" to help in doing that, the NCC is at the > loosing > end of the stick :-( You hit the nail on the head. And unfortunately the results of those successful forgeries (and consequently the lack of proper registration at the CIDR level) are popping up as fresh grass after rain. Maybe RIPE (or trans-RIR maybe) should hire some dedicated personnel with teeth that can do high volumes of proper audits based on complaints about lack of documents. A team that actually has the power to de-register a LIR/resources. The RIR's are simply being too nice to entities that successfully say FFFFUUU to the policies while being seemingly over-accomplishing to the good guys, as I deduct from your story. Mr. abuse@ raised a valid point, though not in a very polite matter. Which ultimately draws more attention than the issue at hand. Yes, I noticed the smiley :) Pepijn Vissers Team Internetsafety OPTA 
From frank at altpeter.de Tue Aug 9 15:55:09 2011 From: frank at altpeter.de (Frank Altpeter) Date: Tue, 9 Aug 2011 15:55:09 +0200 Subject: [anti-abuse-wg] no vote: Mandatory Realname in this Mailinglist ;-) In-Reply-To: <4E4133D4.2000407@CC.UniVie.ac.at> References: <4E411D1E.6040901@abusix.com> <4E412244.2030304@heanet.ie> <4E412C84.50101@otenet.gr> <20110809124828.GE24760@crew-gmbh.de> <4E4133D4.2000407@CC.UniVie.ac.at> Message-ID: <20110809135509.GF24760@crew-gmbh.de> Moin, on 2011-08-09 at 15:19:16 CEST, Wilfried Woeber, UniVie/ACOnet wrote: > Frank Altpeter wrote: > [...] > > RFC 1855 should apply here automagically as well. I'm sometimes just not > > sure if that fact is known to every subscriber. > > Ahem, sorry, bear with me for a moment, but what is an RFC? :-) The term RFC stands for "Ready For Coffee" and it's protocol implementation 1855 says that you always should be prepared to offer coffee to a visitor if it's before 1855 GMT :-) > Honestly, Frank, thanks for that pointer. I guess it would be Good Thing[TM) > to include a reference on the appropriate RIPE WG Web Page that helps with > working group and mailing list management. I'm not sure if that helps, but it might be worth a try. 
Mit freundlichen Grüßen Frank Altpeter -- FA-RIPE || http://www.altpeter.de/ || http://gplus.to/frank42 | Fortune's current rates: | | Answers .10 | Long answers .25 | Answers requiring thought .50 | Correct answers $1.00 | | Dumb looks are still free. From kzorba at otenet.gr Tue Aug 9 15:59:43 2011 From: kzorba at otenet.gr (Kostas Zorbadelos) Date: Tue, 09 Aug 2011 16:59:43 +0300 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? In-Reply-To: References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> Message-ID: <4E413D4F.3090702@otenet.gr> On 08/09/2011 04:37 PM, Suresh Ramasubramanian wrote: > Which is what is sought to be addressed. Granted the due diligence > exists, but the fact remains that there are botmasters and spammers > who manage to game this process. > > While the LIR revocation process exists, a more "user friendly" / > transparent complaint handling mechanism and periodic audits might > make things interesting > Do you Suresh, or anyone else, know what, if any, are the policies in other RIRs in respect to the problem of faked evidence to get IP number resources? Do other RIRs have audit rules or policies that work well? And in any case what seems to be the problem (if any) in the RIPE region specifically? I remember Richard Cox of Spamhaus keep repeating problems in the RIPE region but no policies or proposals ever came. I am far from expert, but it would be a good thing if someone could summarize what seem to be problem areas in the RIPE region and what other RIRs are doing. 
Kostas > On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet > wrote: >> >> But if you succeed in forging that type of documents, or if you succeed to >> get some "official entity" to help in doing that, the NCC is at the loosing >> end of the stick :-( > > > From ripe-anti-spam-wg at powerweb.de Tue Aug 9 16:10:26 2011 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Tue, 09 Aug 2011 16:10:26 +0200 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? In-Reply-To: <4E413D4F.3090702@otenet.gr> References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> Message-ID: <4E413FD2.2050802@powerweb.de> Kostas Zorbadelos wrote: > On 08/09/2011 04:37 PM, Suresh Ramasubramanian wrote: >> Which is what is sought to be addressed. Granted the due diligence >> exists, but the fact remains that there are botmasters and spammers >> who manage to game this process. >> >> While the LIR revocation process exists, a more "user friendly" / >> transparent complaint handling mechanism and periodic audits might >> make things interesting >> > > Do you Suresh, or anyone else, know what, if any, are the policies in > other RIRs in respect to the problem of faked evidence to get IP number > resources? > Do other RIRs have audit rules or policies that work well? > And in any case what seems to be the problem (if any) in the RIPE region > specifically? I remember Richard Cox of Spamhaus keep repeating problems > in the RIPE region but no policies or proposals ever came. Well, there are none or they are not communicated or not looked after from RIPE NCC. And its no wonder, if anybody in the world (community) can influence progress in the development of RFCs and rules for the NCC (e.g. via this list). This way they can even influence how NCC spends its money. 
There are simply too many opinions on this list and too many mails and discussions that have nothing to do with this list (what does not mean that a dicision process CAN listen to to comments from the world community). And thats no wonder, if the range goes from uneducated end users, smalls ISP, big organisations, spam friendly providers or even people that attacks from group like "Anonymous" are ok (well, they might in some weird and small foreign countries, but they are crime in (what I think) every country in the RIPE region). So: I would like an additional abuse mailling-list only for RIPE members to get things going. And I also like to dedicate more money to RIPE NCC staff to stop abuse. Kind regards, Frank > I am far from expert, but it would be a good thing if someone could > summarize what seem to be problem areas in the RIPE region and what > other RIRs are doing. > > Kostas > >> On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet >> wrote: >>> >>> But if you succeed in forging that type of documents, or if you >>> succeed to >>> get some "official entity" to help in doing that, the NCC is at the >>> loosing >>> end of the stick :-( >> >> >> > > > -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From Woeber at CC.UniVie.ac.at Tue Aug 9 16:27:11 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 09 Aug 2011 14:27:11 +0000 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? 
In-Reply-To: References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> Message-ID: <4E4143BF.40903@CC.UniVie.ac.at> Suresh Ramasubramanian wrote: > Which is what is sought to be addressed. Granted the due diligence > exists, but the fact remains that there are botmasters and spammers > who manage to game this process. > > While the LIR revocation process exists, a more "user friendly" / > transparent complaint handling mechanism and periodic audits might > make things interesting Again, the mechanism of audits does exist (since at least 1996) and is documented here: http://www.ripe.net/ripe/docs/ripe-423?searchterm=lir+audit See section 4. Types, 3rd type: Reported Regarding "user friendly", I guess you do have a point here, as the AudiT Procedure document is maybe not easy to find, or the description of the technical procedue to use for "Reported" is not documented. > On Tue, Aug 9, 2011 at 7:04 PM, Wilfried Woeber, UniVie/ACOnet > wrote: > >>But if you succeed in forging that type of documents, or if you succeed to >>get some "official entity" to help in doing that, the NCC is at the loosing >>end of the stick :-( Actually, it might even be more useful to emphasise the "Reported" type over the "Random" type; assuming that the Community does exercise that channel responsibly and that this mechanism is not abused to bully some parties (and the NCC) for whatever unrelated reason. Hth, Wilfried. From P.Vissers at opta.nl Tue Aug 9 16:27:24 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Tue, 9 Aug 2011 14:27:24 +0000 Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these? In-Reply-To: <4E413FD2.2050802@powerweb.de> References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> <4E413FD2.2050802@powerweb.de> Message-ID: > So: I would like an additional abuse mailling-list only for > RIPE members to get things going. 
> And I also like to dedicate more money to RIPE NCC staff > to stop abuse. Agreed; does anyone have an overview of audits that has been conducted by RIPE NCC and their outcome? Or are those reports non-public? Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423. Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit? Because the latter document does not say anything about the presumed correctness of most of the records? Kind regards, Pepijn 
From ops.lists at gmail.com Tue Aug 9 16:31:56 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Aug 2011 20:01:56 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> <4E413FD2.2050802@powerweb.de>
Message-ID:

This is a question I have, as well.

On Tue, Aug 9, 2011 at 7:57 PM, Vissers, Pepijn wrote:
>
> Agreed; does anyone have an overview of audits that has been conducted by RIPE NCC and their outcome? Or are those reports non-public?
>
> Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423. Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit? Because the latter document does not say anything about the presumed correctness of most of the records?

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From info at webservice.be Tue Aug 9 16:56:32 2011
From: info at webservice.be (Webservice)
Date: Tue, 09 Aug 2011 16:56:32 +0200
Subject: [anti-abuse-wg] Correct info in RIPE-database
Message-ID: <4E414AA0.10104@webservice.be>

Dear members.

Last weekend I stumbled on a problem:
We had problems in one of our BGP-prefixes.
As the RIS Dashboard showed there was an overlapping Network in the same range as our prefix.

We then wanted to contact the ISP, so the route could be redrawn (or sort this issue out), however:
on the RIPE database we found:
- no address
- no telephone-number
- a wrong email address

There was a link to a website, but after 4 phone-calls (where 1 has moved to another location, all the others were voice-mails), we gave up!

The ISP that I couldn't reach was telefonica, see it yourself at:
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=AS12956&do_search=Search

Now to tackle this problem:
Shouldn't there be a phone-number or a hotline for BGP-issues?
Especially with big problems it's a real problem to get to the right helpdesk/support.
I know that some endusers who receive a spam email would contact that hotline also, however: is it possible to show that info only if a person is logged in into the LIR-portal?

Best regards,
Pascal Nobus
--
www.webservice.be
Amelsdorp 72, 3740 Bilzen, Belgium
Tel: +32.89257404, Fax: +32.70423475

From Woeber at CC.UniVie.ac.at Tue Aug 9 17:09:22 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Tue, 09 Aug 2011 15:09:22 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> <4E413FD2.2050802@powerweb.de>
Message-ID: <4E414DA2.9030004@CC.UniVie.ac.at>

Hi Pepijn,

Vissers, Pepijn wrote:

>>So: I would like an additional abuse mailing-list only for
>>RIPE members to get things going.
>>And I also like to dedicate more money to RIPE NCC staff
>>to stop abuse.
>
>
> Agreed; does anyone have an overview of audits that has been conducted by RIPE NCC

I don't have an overview, but personal experience, maybe this is useful, too.

My LIR was subject to the audit process twice already (and passed successfully - so if a LIR has its act together, this is pretty easy to survive!).

Plus the extended verification of existence and identity that was triggered (automatically, I presume) by some clerical inconsistencies. This involved the Service Contract stuff between the LIR and the NCC, and was again triggered by the request of Direct End-User Resources.

> and their outcome? Or are those reports non-public?

On a more general level, I am not aware from the top of my head, that I would have seen such a report. That doesn't imply that it doesn't exist, though!

I am pretty sure that the NCC would be happy to point to or provide such a report, probably in some anonymised format.

Brian - would you be willing to talk to the NCC and ask for help with this? Alternatively, I think we could equally well pass that to the NCC by way of the NCC Services WG Chairs.

> Question: the audit procedure is documented in http://www.ripe.net/ripe/docs/ripe-423.
> Are the audit criteria documented in http://www.ripe.net/lir-services/member-support/audit?

This document lists the aspects of an audit as a checklist for both sides during an audit. I do agree, that the focus here is on the management of resources and the registration thereof.

But I'd guess it would be very easy to amend that to actively include the formal and contractual aspects.

> Because the latter document does not say anything about the presumed correctness
> of most of the records?

I think it does, indirectly, by way of the "Standard Service Agreement" and the "RIPE NCC Standard Terms and Conditions", list of relevant documents: "...making sure that assignment guidelines are applied equally."

Similarly, in http://www.ripe.net/ripe/docs/ripe-452 please see towards the end of Section 2.0

I openly admit that I did not go through the full list of ref'd doc.s in the Std Terms&Conds document to find the equivalent provisions.

As a last reminder, we have to keep in mind that the formal coverage and "power" of the NCC to enforce all of that stuff is limited to the resources that have been distributed by way of the RIR and LIR system hierarchy.

Legacy Stuff, aka ERX (early registration xfer resources) are not covered - yet.

The 2007-01 activities should be seen, imho, as the initial steps towards closing that gap, maybe in a similar way, for the legacy blocks. That's up for a nice PDP exercise, as soon as 2007-01-Phase3 is converging, and/or for progress with the "legacy resource registration service" (or whatever the name finally may be).

> Kind regards,
> Pepijn

Best regards,
Wilfried.

From thor.kottelin at turvasana.com Tue Aug 9 17:17:33 2011
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Tue, 9 Aug 2011 18:17:33 +0300
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <4E414AA0.10104@webservice.be>
References: <4E414AA0.10104@webservice.be>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net] On Behalf Of Webservice
> Sent: Tuesday, August 09, 2011 5:57 PM
> To: anti-abuse-wg at ripe.net
> Cc: Kurt Ghekiere

> We then wanted to contact the ISP, so the route could be redrawn
> (or
> sort this issue out), however:
> on the RIPE database we found:
> - no address
> - no telephone-number
> - a wrong email address

> The ISP that I couldn't reach was telefonica, see it yourself at:
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=AS12956&do_search=Search

I see a bunch of addresses, telephone numbers and email addresses for AS12956 technical contacts.

OOM-RIPE: address, phone, e-mail
RSB20-RIPE: address, phone, e-mail
NSA20-RIPE: address, phone, e-mail
HNM15-RIPE: address, phone, e-mail
COO5-RIPE: address, phone, e-mail
CSIR1-RIPE: address, e-mail

Note that you must specify -B to see the email addresses.

--
Thor Kottelin
http://www.anta.net/

From brian.nisbet at heanet.ie Tue Aug 9 17:20:32 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 09 Aug 2011 16:20:32 +0100
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E414DA2.9030004@CC.UniVie.ac.at>
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> <4E413FD2.2050802@powerweb.de> <4E414DA2.9030004@CC.UniVie.ac.at>
Message-ID: <4E415040.8080907@heanet.ie>

Wilfried, Pepijn

>> and their outcome? Or are those reports non-public?
>
> On a more general level, I am not aware from the top of my head, that I would
> have seen such a report. That doesn't imply that it doesn't exist, though!
>
> I am pretty sure that the NCC would be happy to point to or provide such a
> report, probably in some anonymised format.
>
> Brian - would you be willing to talk to the NCC and ask for help with this?
> Alternatively, I think we could equally well pass that to the NCC by way of
> the NCC Services WG Chairs.

No, I'm more than happy to talk to the NCC about this. I will do so and get back to the WG.

Brian.

From ripe-anti-spam-wg at powerweb.de Tue Aug 9 17:22:10 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Tue, 09 Aug 2011 17:22:10 +0200
Subject: [anti-abuse-wg] Correct info in RIPE-database - YES
In-Reply-To: <4E414AA0.10104@webservice.be>
References: <4E414AA0.10104@webservice.be>
Message-ID: <4E4150A2.5070402@powerweb.de>

Webservice wrote:

> Now to tackle this problem:
> Shouldn't there be a phone-number or a hotline for BGP-issues?
> Especially with big problems it's a real problem to get to the right
> helpdesk/support.
> I know that some endusers who receive a spam email would contact that
> hotline also, however: is it possible to show that info only if a person
> is logged in into the LIR-portal?

Just what I'm asking for years now for.

More easier would be an anonymous abuse contact which could only be emailed to from registered email addresses from other RIPE members.

So: every member would simply enter two email addresses and one (or more) IPs into their basic data at the portal.

- one abuse contact
- one sender email address
- one or more IP address of the own sending mailservers

And the Mailserver at RIPE will e.g. redirect a general as1234 at members.ripe.net to the right abuse contact of that member.

And: RIPE could even monitor outbreaks to one or the other member address to get an indication if there is an eval or non-responsive member (e.g. with not working mail addresses, full mailboxes aso).

RIPE NCC could also monitor if a member becomes a bit too active or tries to flood other members.

Telephone numbers seem to spread, so they will not be hidden after a while, but email is cool, because the receiver could handle these emails much quicker, because they could be more sure, that it's coming from qualified other members, hopefully resulting in a much quicker action.

Just an example: we filed a report at the usual abuse address of a bigger server housing provider in Germany around 3 weeks ago, that one of their servers seemed to be captured and started to guess passwords on some of our POP3 servers.

Now: after 3 weeks, we received a note, that our report will now be analysed.

What's about all those spam, all those DDoS attacks, phishing sites, whatever abuse, this server was causing the last 3 weeks to others ?

And: just fiddled with our firewalls and can see, that this server is still trying to attack us !

Kind regards, Frank

>
>
> Best regards,
> Pascal Nobus
> --
> www.webservice.be
> Amelsdorp 72, 3740 Bilzen, Belgium
> Tel: +32.89257404, Fax: +32.70423475
>
>
>

--
Kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From world.antispam.report at inbox.com Tue Aug 9 17:40:21 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 07:40:21 -0800
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <4E414AA0.10104@webservice.be>
Message-ID: <47EBA131ACC.00000248world.antispam.report@inbox.com>

See the official reply of RIPE officials here below.

The charter of the present mailing list explicitly state:=>
-"This anti-abuse-wg list is explicitly not the place to report spam".
Or to give factual examples of new trends related to methods either of either spammers or trojans can be "Tools" to abusives end-uses like I once did. Need to find another way...!

By doing so, it potentially can be understood as a suggestion, that this network you have mentioned here below did omitted or forged the RIPE's datas with a deliberate and intentional crooked intention. while it could also be that the network operator has a heck of a wild time fighting trojans or virus intruding his network. And that he just simply happened lately that he forgot to update his registration datas at RIPE.

There may be a more diplomatic method that would resolve the case?

For instance, why wouldn't blacklist the whole IP# block numbers until that network finds it strange that he cannot connect to your allocated IPs? And he never does, everything's is for the best, isn't it?

==============================
> Sent: Tue, 09 Aug 2011 12:40:46 +0100
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse report.
>
> "abuse at localhost.com" wrote the following on 09/08/2011 12:15:
>> James? Have you noticed the name of this present mailing list?
>> Why would there be the word "anti-abuse" in it?
>> Is an uncared for spam complaint "Off Topic"?
>>
>> I don't think so.
>
> Please look at the URL Kostas has posted, and sure I'll post it here
> again myself:
>
> http://www.ripe.net/ripe/groups/wg/anti-abuse
>
> This list is explicitly not the place to report spam. It is also not a
> place for seemingly random and extremely difficult to follow digressions
> and accusations. Could you please review the charter of the group and
> the behaviour of others on the mailing list before posting further.
>
> Thanks,
>
> Brian,

From world.antispam.report at inbox.com Tue Aug 9 18:01:35 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 08:01:35 -0800
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To:
References: <4e414aa0.10104@webservice.be>
Message-ID: <481B1B7648C.00000299world.antispam.report@inbox.com>

Reply from "abuse.tiws at telefonica.com";=>
10 smtpus.telefonica.com [216.177.207.223].
550 5.1.1 :
Recipient address rejected: User unknown in local recipient table.

Understandingly, they are quite a bit far away from you, geographically!
Telefonica, Miami, Florida. USA.

See the details at that website:=>
http://www.senderbase.org/senderbase_queries/detailip?search_string=216.177.207.223

Best of luck to you.

From niall at blacknight.com Tue Aug 9 18:17:56 2011
From: niall at blacknight.com (Niall Donegan)
Date: Tue, 09 Aug 2011 17:17:56 +0100
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <481B1B7648C.00000299world.antispam.report@inbox.com>
References: <4e414aa0.10104@webservice.be> <481B1B7648C.00000299world.antispam.report@inbox.com>
Message-ID: <4E415DB4.5080300@blacknight.com>

On 09/08/11 17:01, abuse at localhost.com wrote:
> Reply from "abuse.tiws at telefonica.com";=>
> 10 smtpus.telefonica.com [216.177.207.223].
> 550 5.1.1 :
> Recipient address rejected: User unknown in local recipient table.

I don't know how you're testing but please check your methods:

niall at ernie:~$ dig mx telefonica.com +short
10 smtpar.telefonica.com.
10 smtpus.telefonica.com.
niall at ernie:~$ telnet smtpus.telefonica.com. 25
Trying 216.177.207.223...
Connected to smtpus.telefonica.com.
Escape character is '^]'.
220 ESMTP IMSVA
EHLO ernie.blacknight.ie
250-USHASGWP002.ustdata.net
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok
quit
221 2.0.0 Bye
niall at ernie:~$ telnet smtpar.telefonica.com. 25
Trying 200.51.80.21...
Connected to smtpar.telefonica.com.
Escape character is '^]'.
220 ESMTP IMSVA
EHLO ernie.blacknight.ie
250-artasgw002.latam.telefonica.corp
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok
quit
221 2.0.0 Bye
niall at ernie:~$

Niall.

--
Niall Donegan ---------------- http://www.blacknight.com
Blacknight Internet Solutions Ltd,
Unit 12A, Barrowside Business Park,
Sleaty Road, Graiguecullen,
Carlow, Ireland
Company No.: 370845

From rezaf at mindspring.com Tue Aug 9 18:09:32 2011
From: rezaf at mindspring.com (Reza Farzan)
Date: Tue, 9 Aug 2011 12:09:32 -0400
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <481B1B7648C.00000299world.antispam.report@inbox.com>
References: <4e414aa0.10104@webservice.be> <481B1B7648C.00000299world.antispam.report@inbox.com>
Message-ID: <7B67EE7B84DC4955A3E6C5C648D8088E@reza>

Dear All,

For the IP address 216.177.207.223, you send your report to [netops.us at telefonica.com] OR to [ventanillaunica.cpdv at telefonica.es]

Thank you,

Reza Farzan

From P.Vissers at opta.nl Tue Aug 9 18:47:32 2011
From: P.Vissers at opta.nl (Vissers, Pepijn)
Date: Tue, 9 Aug 2011 16:47:32 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E415040.8080907@heanet.ie>
References: <4E402A9B.707@gmx.net> <4E411209.40204@CC.UniVie.ac.at> <4E41376B.6020702@CC.UniVie.ac.at> <4E413D4F.3090702@otenet.gr> <4E413FD2.2050802@powerweb.de> <4E414DA2.9030004@CC.UniVie.ac.at> <4E415040.8080907@heanet.ie>
Message-ID:

> No, I'm more than happy to talk to the NCC about this. I will do so and
> get back to the WG.

Thanks Brian and Wilfried, that will definitely add to the understanding of the audit process; it would be nice to know what is covered and what not and what steps the community would have to take to initiate an audit towards a LIR with (or that allows) obvious bogus registration information. Could be a cautious step towards a dedicated audit team focusing on these LIRs.

Thanks,
Pepijn

From thor.kottelin at turvasana.com Tue Aug 9 18:59:32 2011
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Tue, 9 Aug 2011 19:59:32 +0300
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <481B1B7648C.00000299world.antispam.report@inbox.com>
References: <4e414aa0.10104@webservice.be> <481B1B7648C.00000299world.antispam.report@inbox.com>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-admin at ripe.net] On Behalf Of abuse at localhost.com
> Sent: Tuesday, August 09, 2011 7:02 PM
> To: anti-abuse-wg at ripe.net

> Reply from "abuse.tiws at telefonica.com";=>
> 10 smtpus.telefonica.com [216.177.207.223].
> 550 5.1.1 :
> Recipient address rejected: User unknown in local recipient table.

rcpt to:
250 2.1.5 Ok

Did you, by any chance, omit the domain name (as "" would seem to indicate), or did you actually send mail and receive a bounce afterwards?

If the address is incorrect, you could report the matter to the RIPE NCC, as Ms Fragkouli explained a few days ago.

The remaining addresses also seem to work:

> > -----Original Message-----
> > From: thor.kottelin at turvasana.com
> > Sent: Tue, 9 Aug 2011 18:17:33 +0300
> > To: anti-abuse-wg at ripe.net

> > OOM-RIPE

250 2.1.5 Ok

> > RSB20-RIPE

250 2.1.5 Ok

> > NSA20-RIPE

250 2.1.5 Ok

> > HNM15-RIPE

250 2.1.5 Ok

> > COO5-RIPE

250 2.1.5 Ok

--
Thor Kottelin
http://www.anta.net/

From info at webservice.be Tue Aug 9 19:07:30 2011
From: info at webservice.be (Webservice)
Date: Tue, 09 Aug 2011 19:07:30 +0200
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To:
References: <4e414aa0.10104@webservice.be> <481B1B7648C.00000299world.antispam.report@inbox.com>
Message-ID: <4E416952.9010601@webservice.be>

The email address I contacted was the one where they mention the AS-number

remarks: Any Notification about AS12956 security please e-mail to :
remarks: security.tiws at telefonica.com

I got a bounce from it:

Generating server: latam.telefonica.corp

security.tiws at telefonica.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##rfc822;security.tiws at telefonica.com

Original message headers:

Received: from ARTASMSP072.latam.telefonica.corp (10.213.2.21) by
 ARTASMSP063.latam.telefonica.corp (10.213.1.32) with Microsoft SMTP Server
 (TLS) id 8.3.83.0; Mon, 8 Aug 2011 09:12:06 -0300
Received: from artasgw002.latam.telefonica.corp (192.168.200.7) by
 ARTASMSP072.latam.telefonica.corp (10.213.2.21) with Microsoft SMTP Server id
 8.3.83.0; Mon, 8 Aug 2011 09:16:14 -0300
Received: from artasgw002.latam.telefonica.corp (unknown [127.0.0.1]) by IMSA
 (Postfix) with ESMTP id C35D02C8065 for ; Mon,
 8 Aug 2011 11:56:46 -0300 (ART)
Received: from smtpauth.pi-group.net (unknown [94.126.48.65]) by
 artasgw002.latam.telefonica.corp (Postfix) with ESMTP id 5341C2C8059 for
 ; Mon, 8 Aug 2011 11:56:45 -0300 (ART)
Received: from [192.168.0.129] (d54C0DB02.access.telenet.be [84.192.219.2])
 (Authenticated sender: admingent) by smtpauth.pi-group.net (Postfix) with
 ESMTPA id B96A01D4175; Mon, 8 Aug 2011 14:11:54 +0200 (CEST)
Message-ID: <4E3FD2A2.4050605 at webservice.be>
Date: Mon, 8 Aug 2011 14:12:18 +0200
From: Webservice
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18)
 Gecko/20110617 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To:
CC: Cloudforce
Subject: BGP conflict

--
--
www.webservice.be
Amelsdorp 72, 3740 Bilzen, Belgium
Tel: +32.89257404, Fax: +32.70423475

From world.antispam.report at inbox.com Tue Aug 9 19:30:15 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 9 Aug 2011 09:30:15 -0800
Subject: [anti-abuse-wg] Nial & Thor...
In-Reply-To:
References: <481b1b7648c.00000299world.antispam.report@inbox.com> <4e414aa0.10104@webservice.be>
Message-ID: <48E14918E1D.00000417world.antispam.report@inbox.com>

Yes, I sure did used the whole email address and repeated once the first time I seen the post.
Then, when I saw Nial post getting the server "Live" reply, I repeated that email abuse.tiws at telefonica.com testing. Same reply: "550 5.1.1 Recipient address rejected: User unknown in local recipient table". However, I used a webased engine for the testing since I didn't had time to install all my tools on this little puter I use. I mean, and I know for a fact that many networks that offer that type of tool (Testing email addresses) can be blocked, blacklisted AKA refused connection with given networks. And misery! For now, it's the only website that I have a bookmark on my present puter. "I" wouldn't file a complaint to any RIPE official 'cause I went to see the main webage of that network and it is rather easy to see that it is an Europeen network that initiated a USA based outlet. In short, we ain't talking 'bout rogue abusers!... Maybe the tech. over there had things to do and got a little late? I feel that if there was no mention of virus or trojan source in the first post talking about that topic, I wouldn't like to be in the same situation and be brought down. That is one of the reason I rather remain confidential. Relax & enjoy! ========================================= > -----Original Message----- > From: thor.kottelin at turvasana.com > Sent: Tue, 9 Aug 2011 19:59:32 +0300 > To: anti-abuse-wg at ripe.net > Subject: RE: [anti-abuse-wg] Correct info in RIPE-database > >> -----Original Message----- >> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg- >> admin at ripe.net] On Behalf Of abuse at localhost.com >> Sent: Tuesday, August 09, 2011 7:02 PM >> To: anti-abuse-wg at ripe.net > >> Reply from "abuse.tiws at telefonica.com";=> >> 10 smtpus.telefonica.com [216.177.207.223]. >> 550 5.1.1 : >> Recipient address rejected: User unknown in local recipient table. > > rcpt to: > 250 2.1.5 Ok > > Did you, by any chance, omit the domain name (as "" would > seem > to indicate), or did you actually send mail and receive a bounce > afterwards? 
> > If the address is incorrect, you could report the matter to the RIPE NCC, > as > Ms Fragkouli explained a few days ago. > > The remaining addresses also seem to work: > >>> -----Original Message----- >>> From: thor.kottelin at turvasana.com >>> Sent: Tue, 9 Aug 2011 18:17:33 +0300 >>> To: anti-abuse-wg at ripe.net > >>> OOM-RIPE > > 250 2.1.5 Ok > >>> RSB20-RIPE > > 250 2.1.5 Ok > >>> NSA20-RIPE > > 250 2.1.5 Ok > >>> HNM15-RIPE > > 250 2.1.5 Ok > >>> COO5-RIPE > > 250 2.1.5 Ok > > -- > Thor Kottelin > http://www.anta.net/ ____________________________________________________________ TRY FREE IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if5 Capture screenshots, upload images, edit and send them to your friends through IMs, post on Twitter?, Facebook?, MySpace?, LinkedIn? ? FAST! From world.antispam.report at inbox.com Tue Aug 9 19:54:37 2011 From: world.antispam.report at inbox.com (abuse@localhost.com) Date: Tue, 9 Aug 2011 09:54:37 -0800 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4E416952.9010601@webservice.be> References: <481b1b7648c.00000299world.antispam.report@inbox.com> <4e414aa0.10104@webservice.be> Message-ID: <4917BB551EB.00000475world.antispam.report@inbox.com> Nial & me tested "abuse.tiws at telefonica.com" which as well mentioned on the RIPE webpage you mentioned on your 1st thread. In any events, an abuse@ given to RIPE authority by an allocated network should be working for any IP# on planet earth. Then you come up with security.tiws? I get the same reply:550 5.1.1 : Recipient address rejected. This time, that IP# isn't located in Miami USA but rather in Buenos Aires, Bresil. South America. A heck of a nice little walk from where you are. No mistake there, the language over there is Portuguese and not Spanish. Beside, any idea of the distance between those 2 cities? Still, as of now, i didn't seen any threat related to the lack of replies from these peoples? They may be busy fighthing something? 
Or simply reconfigurating their things with "Trial" IP# ? They seem to establish networks worlwide... Maybe they're using IP# normally under RIPE authority but they'll be back! Who knows? Why would one be so severe? ================================= Resolving smtpar.telefonica.com...] [Contacting smtpar.telefonica.com [200.51.80.21]...] [Connected] 220 ESMTP IMSVA EHLO Network-Tools.com 250-artasgw002.latam.telefonica.corp 250-PIPELINING 250-SIZE 20971520 250-VRFY 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN VRFY security.tiws 550 5.1.1 : Recipient address rejected: User unknown in local recipient table RSET ============================ > -----Original Message----- > From: info at webservice.be > Sent: Tue, 09 Aug 2011 19:07:30 +0200 > To: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Correct info in RIPE-database > > > The emailadress I contacted was the one where they mention the AS-number > remarks: Any Notification about AS12956 security please e-mail to : > remarks: security.tiws at telefonica.com > > > > I got a bounce from it: > > Generating server: latam.telefonica.corp > > security.tiws at telefonica.com > #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found > ##rfc822;security.tiws at telefonica.com > > Original message headers: > > Received: from ARTASMSP072.latam.telefonica.corp (10.213.2.21) by > ARTASMSP063.latam.telefonica.corp (10.213.1.32) with Microsoft SMTP > Server > (TLS) id 8.3.83.0; Mon, 8 Aug 2011 09:12:06 -0300 > Received: from artasgw002.latam.telefonica.corp (192.168.200.7) by > ARTASMSP072.latam.telefonica.corp (10.213.2.21) with Microsoft SMTP > Server id > 8.3.83.0; Mon, 8 Aug 2011 09:16:14 -0300 > Received: from artasgw002.latam.telefonica.corp (unknown [127.0.0.1]) by > IMSA > (Postfix) with ESMTP id C35D02C8065 for ; > Mon, > 8 Aug 2011 11:56:46 -0300 (ART) > Received: from smtpauth.pi-group.net (unknown [94.126.48.65]) by > artasgw002.latam.telefonica.corp (Postfix) with ESMTP id 5341C2C8059 for > ; Mon, 8 Aug 2011 
11:56:45 -0300 (ART) > Received: from [192.168.0.129] (d54C0DB02.access.telenet.be > [84.192.219.2]) > (Authenticated sender: admingent) by smtpauth.pi-group.net (Postfix) > with > ESMTPA id B96A01D4175; Mon, 8 Aug 2011 14:11:54 +0200 (CEST) > Message-ID: <4E3FD2A2.4050605 at webservice.be> > Date: Mon, 8 Aug 2011 14:12:18 +0200 > From: Webservice > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) > Gecko/20110617 Lightning/1.0b2 Thunderbird/3.1.11 > MIME-Version: 1.0 > To: > CC: Cloudforce > Subject: BGP conflict > > > > > Op 09-08-11 18:59, Thor Kottelin schreef: >>> -----Original Message----- >>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg- >>> admin at ripe.net] On Behalf Of abuse at localhost.com >>> Sent: Tuesday, August 09, 2011 7:02 PM >>> To: anti-abuse-wg at ripe.net >> >>> Reply from "abuse.tiws at telefonica.com";=> >>> 10 smtpus.telefonica.com [216.177.207.223]. >>> 550 5.1.1 : >>> Recipient address rejected: User unknown in local recipient table. >> >> rcpt to: >> 250 2.1.5 Ok >> >> Did you, by any chance, omit the domain name (as "" would >> seem >> to indicate), or did you actually send mail and receive a bounce >> afterwards? >> >> If the address is incorrect, you could report the matter to the RIPE >> NCC, as >> Ms Fragkouli explained a few days ago. >> >> The remaining addresses also seem to work: >> >>>> -----Original Message----- >>>> From: thor.kottelin at turvasana.com >>>> Sent: Tue, 9 Aug 2011 18:17:33 +0300 >>>> To: anti-abuse-wg at ripe.net >> >>>> OOM-RIPE >> >> 250 2.1.5 Ok >> >>>> RSB20-RIPE >> >> 250 2.1.5 Ok >> >>>> NSA20-RIPE >> >> 250 2.1.5 Ok >> >>>> HNM15-RIPE >> >> 250 2.1.5 Ok >> >>>> COO5-RIPE >> >> 250 2.1.5 Ok >> > > -- > -- > www.webservice.be > Amelsdorp 72, 3740 Bilzen, Belgium > Tel: +32.89257404, Fax: +32.70423475
From michele at blacknight.ie Tue Aug 9 20:28:54 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Tue, 9 Aug 2011 18:28:54 +0000 Subject: [anti-abuse-wg] Nial & Thor... In-Reply-To: <48E14918E1D.00000417world.antispam.report@inbox.com> References: <481b1b7648c.00000299world.antispam.report@inbox.com> <4e414aa0.10104@webservice.be> <48E14918E1D.00000417world.antispam.report@inbox.com> Message-ID: On 9 Aug 2011, at 18:30, abuse at localhost.com wrote: > Yes, I sure did used the whole email address and repeated once the first time I seen the post. > Then, when I saw Nial post getting the server "Live" reply, I repeated that email abuse.tiws at telefonica.com testing. > Same reply: "550 5.1.1 Recipient address rejected: User unknown in local recipient table". > > However, I used a webased engine for the testing since I didn't had time to install all my tools on this little puter I use. Niall used telnet - it's been available on pretty much any computer I've ever used since Windows 3.1 Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Direct Dial: +353 (0)59 9183090 Fax.
+353 (0) 1 4811 763 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From aftab.siddiqui at gmail.com Tue Aug 9 20:50:07 2011 From: aftab.siddiqui at gmail.com (Aftab Siddiqui) Date: Tue, 9 Aug 2011 23:50:07 +0500 Subject: [anti-abuse-wg] VOTE: members and RIPE region only In-Reply-To: <4E41331F.4020002@powerweb.de> References: <4E412865.5040007@powerweb.de> <4E4129ED.6080705@heanet.ie> <4E412CF4.5020900@powerweb.de> <402D5E48-5D5A-4589-B0F9-7E81FFEC5FE6@nosc.ja.net> <4E41331F.4020002@powerweb.de> Message-ID: Hi Frank, APNIC community voted and accepted a policy on IRT object by Tobias, not by Abusix. But he shared his very valid experience from abusix while defending the prop. Same goes to Mr. X of spamhaus (if he is), though he should come up with something tangible to discuss. Secondly, we've to filter around a million spam every day and a big amount of it source from RIPE region so it's my right to be here and give whatever input I can to make my life easy while living in other RIR. (sorry for not being in line) On Tuesday, August 9, 2011, Frank Gadegast wrote: > Rob Evans wrote: > > why should anybody not associated with the RIPE region be > part of the RIPE community ? > > > Because the Internet is global. > > > Ahhh, I did not think about that (*godsake*) > > > > > > Sorry, thats confusing. > > RIR stand for "regional" not world-wide. > The community should also be a regional community. > > RIPE NCC defines itself as: > The RIPE NCC is an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical coordination in its service region. > > "Service region" ! > > At least RIPE is worldwide in the way, that its resources are globaly > routed and misused worldwide ... 
> > > I dont think that RIPE and RIPE NCC should not listen > to users and organisations world-wide, but descissions > should only be made be users from the RIPE region. > > Thats the same with the spamhause discussion we had. > RIPE NCC has to check everything to its own regulations, > but they could listen to important sources like spamhaus. > > And we are here to discuss definitions and regulations > for the RIPE region, to discuss drafts and give > advice to boards and descission makers in the RIPE region. > We do not have to discuss them with people that hide > behind anonymous services offered world wide. > We could listen to them, but progress should only > be defined by members. > > > > Rob > > > > > > Kind regards, Frank > -- > PHADE Software - PowerWeb http://www.powerweb.de > Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de > Schinkelstrasse 17 fon: +49 33200 52920 > 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 > ====================================================================== > Public PGP Key available for frank at powerweb.de > > -- Regards, Aftab A. Siddiqui From Woeber at CC.UniVie.ac.at Tue Aug 9 21:11:57 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 09 Aug 2011 19:11:57 +0000 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4917BB551EB.00000475world.antispam.report@inbox.com> References: <481b1b7648c.00000299world.antispam.report@inbox.com> <4e414aa0.10104@webservice.be> <4917BB551EB.00000475world.antispam.report@inbox.com> Message-ID: <4E41867D.6070309@CC.UniVie.ac.at> I'm a tad puzzled... abuse at localhost.com wrote: [...] Trying to help with geography, and due to this being OT, trying to do an individual reply to the sender, I get: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Subject: Mail delivery failed: returning message to sender [...]
This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: abuse at localhost.com all relevant MX records point to non-existent hosts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Hm, I think I can draw some conclusions for my end? Wilfrid. From world.antispam.report at inbox.com Tue Aug 9 23:06:19 2011 From: world.antispam.report at inbox.com (abuse@localhost.com) Date: Tue, 9 Aug 2011 13:06:19 -0800 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4E41867D.6070309@CC.UniVie.ac.at> References: <4917bb551eb.00000475world.antispam.report@inbox.com> <481b1b7648c.00000299world.antispam.report@inbox.com> <4e414aa0.10104@webservice.be> Message-ID: <4AC43EFBC42.000002D0world.antispam.report@inbox.com> Yes Wilfried. The thing is that I use this present email box only to read the "anti-abuse-wg at ripe.net" mailing list. Nothing else. I don't use this email address as an email client. So? If anyone wants to contact me for "X" reason, it can be done through the anti-abuse-wg at ripe.net mailing list. And I try as much as possible to respect the mailing list regulations. You may well have noted (I hope) that I stopped reporting "Bizarre" RIPE data that some allocated IP allocated network have given to RIPE? It just happened that I had never seen the place on RIPE's website where we can request RIPE to check this or that "Bizarre" registration data. It took a few days and I got the answer. But then, you saw as much as me that there was another RIPE network operator who asked about the same question as me a little while after me? So, it could be that it ain't so simple and obvious to find the right place on RIPE website where one can request a verification of registration data?
But frankly, I'd prefer to remain sort of a little confidential if I'd have to request a registration verification to RIPE authority. Coze in any events, I take RIPE decisions as they are just like any other netizens on planet earth. If they decide that this or that is OK or not, I'd even never hear about it after I request a reggy verification. For the rest, I prefer to just sit and watch. I have the weird feeling that other net-ops will keep on asking questions on this very same topic: Non updated reggy datas or erroneous ones. Even though it is explicitly expressed in this mailing list charter that this group is not the place to do that! In addition, giving a specific example can be understood as a blame. We may well be all human beings. > -----Original Message----- > From: woeber at cc.univie.ac.at > Sent: Tue, 09 Aug 2011 19:11:57 +0000 > To: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Correct info in RIPE-database > > I'm a tad puzzled... > > abuse at localhost.com wrote: > [...] > > Trying to help with geography, and due to this being OT, > trying to do an individual reply to the sender, I get: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Subject: Mail delivery failed: returning message to sender > [...] > This message was created automatically by mail delivery software. > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > abuse at localhost.com > all relevant MX records point to non-existent hosts > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Hm, I think I can draw some conclusions for my end? > Wilfrid.
From gert at space.net Tue Aug 9 23:22:32 2011 From: gert at space.net (Gert Doering) Date: Tue, 9 Aug 2011 23:22:32 +0200 Subject: [anti-abuse-wg] Abuse report. In-Reply-To: <46E5E64B838.00000088world.antispam.report@inbox.com> References: <459bab01b7d.0000016bworld.antispam.report@inbox.com> <4e402a95.3020409@eunet.rs> <452d9c4ceeb.000000e3world.antispam.report@inbox.com> <46E5E64B838.00000088world.antispam.report@inbox.com> Message-ID: <20110809212232.GS72014@Space.Net> Hi, On Tue, Aug 09, 2011 at 05:43:15AM -0800, abuse at localhost.com wrote: > I'm out of this mailing list. Now that's good news. Gert Doering -- still trying to figure out what this was all about -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 From Woeber at CC.UniVie.ac.at Wed Aug 10 00:03:31 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 09 Aug 2011 22:03:31 +0000 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4e419c042b221a7dc7107a7fc2f.jorgen@hovland.cx> References: <4e419c042b221a7dc7107a7fc2f.jorgen@hovland.cx> Message-ID: <4E41AEB3.4010804@CC.UniVie.ac.at> Jørgen Hovland wrote: > You have to send to Mr World.Antispam.Report at inbox.com > Really? ;-) Sorry, too much complexity and lack of credibility - if reply destination as offered in the mail headers doesn't work, I consider the data provided, and the identity used, as fake/fraudulent and draw my local conclusions ;-) Respectfully yours, for a moment wearing my CERT Team's Membership hat, Wilfried. > At 19:11 09/08/2011 (UTC), Wilfried Woeber, UniVie/ACOnet wrote: > > I'm a tad puzzled... > > abuse at localhost.com wrote: > [...]
> > Trying to help with geography, and due to this being OT, > trying to do an individual reply to the sender, I get: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Subject: Mail delivery failed: returning message to sender > [...] > This message was created automatically by mail delivery software. > > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > abuse at localhost.com > all relevant MX records point to non-existent hosts > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Hm, I think I can draw some conclusions for my end? > Wilfrid. > > > From ripe-anti-spam-wg at powerweb.de Wed Aug 10 11:54:16 2011 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 10 Aug 2011 11:54:16 +0200 Subject: [anti-abuse-wg] Correct info in RIPE-database - YES Message-ID: <4E425548.7080304@powerweb.de> Webservice wrote: > Now to tackle this problem: > Shouldn't there be a phone-number or a hotline for BGP-issues? > Especially with big problems it's a real problem to get to the right > helpdesk/support. > I know that some endusers who receive a spam email would contact that > hotline also, however: is it possible to show that info only if a person > is logged in into the LIR-portal? Just what I'm asking for years now for. Easier would be an anonymous abuse contact which could only be emailed to from registered email addresses from other RIPE members. So: every member would simply enter two email addresses and one (or more) IPs into their basic data at the portal. - one abuse contact - one sender email address - one or more IP addresses of the own sending mailservers And the Mailserver at RIPE will e.g. redirect a general as1234 at members.ripe.net to the right abuse contact of that member.
And: RIPE could even monitor outbreaks to one or the other member address to get an indication if there is an evil or non-responsive member (e.g. with not working mail addresses, full mailboxes aso). RIPE NCC could also monitor if a member becomes a bit too active or tries to flood other members. Telephone numbers seem to spread, so they will not be hidden after a while, but email is cool, because the receiver could handle these emails much quicker, because they could be more sure, that it's coming from qualified other members, hopefully resulting in a much quicker action. Just an example: we filed a report at the usual abuse address of a bigger server housing provider in Germany around 3 weeks ago, that one of their servers seemed to be captured and started to guess passwords on some of our POP3 servers. Now: after 3 weeks, we received a note, that our report will now be analysed. What about all that spam, all those DDoS attacks, phishing sites, whatever abuse, this server was causing the last 3 weeks to others? And: just fiddled with our firewalls and can see, that this server is still trying to attack us! Kind regards, Frank > > > Best regards, > Pascal Nobus > -- > www.webservice.be > Amelsdorp 72, 3740 Bilzen, Belgium > Tel: +32.89257404, Fax: +32.70423475 > > > -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From michele at blacknight.ie Wed Aug 10 12:11:39 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 10 Aug 2011 10:11:39 +0000 Subject: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <4E425548.7080304@powerweb.de> References: <4E425548.7080304@powerweb.de> Message-ID: <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> On 10 Aug 2011, at 10:54, Frank Gadegast wrote: > > > Just an example: > we filed a report at the usual abuse address > of a bigger server housing provider in Germany > arround 3 weeks ago , that one of their servers > seemed to be captured and started to guess > passwords on some of our POP3 servers. > > Now: after 3 weeks, be received a note, that > our report will now be analysed. > > Whats about all those spam, all those DDoS attacks, > pishing sites, whatever abuse, this server was > causing the last 3 weeks to others ? > And: just fiddled with our firewalls and can > see, that this server is still trying to attack us ! Frank So why don't you blackhole their network? You cannot force anyone to respond to abuse reports and you cannot force anyone to act on them either. All you can hope to do is educate people so that: - providers believe it's in their interest to act - buyers choose vendors (providers) who act I went into this during my presentation in Rome :) Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From P.Vissers at opta.nl Wed Aug 10 12:31:58 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Wed, 10 Aug 2011 10:31:58 +0000 Subject: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: > > Now: after 3 weeks, be received a note, that > > our report will now be analysed. <..> > All you can hope to do is educate people so that: > - providers believe it's in their interest to act This is exactly the mechanism on which we (OPTA) recently developed an enforcement strategy; educate hosting ISP's in NL from which we see abuse that is within our enforcement range: spam and malware. If the normal abuse mechanisms do not work the way they should we start to use our LEA capabilities to apply pressure. This has proven to be very effective: lots of cases solved with small efforts. In most cases this pressure moved the ISPs started to gather reports on their own networks and act by themselves. Of course, we can only do this within our jurisdiction, but it would be nice if other spam/malware legislative bodies start doing this too, or any body that can apply some real pressure. Pepijn +++++++++++++++++++++++++++++++++++++++++++++ Disclaimer Dit e-mailbericht kan vertrouwelijke informatie bevatten of informatie die is beschermd door een beroepsgeheim. Indien dit bericht niet voor u is bestemd, wijzen wij u erop dat elke vorm van verspreiding, vermenigvuldiging of ander gebruik ervan niet is toegestaan. 
Indien dit bericht blijkbaar bij vergissing bij u terecht is gekomen, verzoeken wij u ons daarvan direct op de hoogte te stellen via tel.nr 070 315 3500 of e-mail mailto:mail at opta.nl en het bericht te vernietigen. Dit e-mailbericht is uitsluitend gecontroleerd op virussen. OPTA aanvaardt geen enkele aansprakelijkheid voor de feitelijke inhoud en juistheid van dit bericht en er kunnen geen rechten aan worden ontleend. This e-mail message may contain confidential information or information protected by professional privilege. If it is not intended for you, you should be aware that any distribution, copying or other form of use of this message is not permitted. If it has apparently reached you by mistake, we urge you to notify us by phone +31 70 315 3500 or e-mail mailto:mail at opta.nl and destroy the message immediately. This e-mail message has only been checked for viruses. The accuracy, relevance, timeliness or completeness of the information provided cannot be guaranteed. OPTA expressly disclaims any responsibility in relation to the information in this e-mail message. No rights can be derived from this message. From niall at blacknight.com Wed Aug 10 12:41:02 2011 From: niall at blacknight.com (Niall Donegan) Date: Wed, 10 Aug 2011 11:41:02 +0100 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4E414AA0.10104@webservice.be> References: <4E414AA0.10104@webservice.be> Message-ID: <4E42603E.70603@blacknight.com> On 09/08/11 15:56, Webservice wrote: > Shouldn't there be a phone-number or a hotline for BGP-issues? There's already an attempt being made at such a system, have a look at http://www.pch.net/inoc-dba/, or the explanation at https://www.pch.net/inoc-dba/docs/qanda.html > I know that some endusers who receive a spam email would contact that > hotline also, however: is it possible to show that info only if a person > is logged in into the LIR-portal? 
After seeing our AOL Scomp feed and the obviously legit email that often gets reported as spam by their users, I'm not sure if I'd like it to be made too easy for the mass unwashed to report "spam" or "abuse". Niall. -- Niall Donegan ---------------- http://www.blacknight.com Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 From michele at blacknight.ie Wed Aug 10 12:42:11 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 10 Aug 2011 10:42:11 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: Pepijn > > This is exactly the mechanism on which we (OPTA) recently developed an enforcement strategy; educate hosting ISP's in NL from which we see abuse that is within our enforcement range: spam and malware. If the normal abuse mechanisms do not work the way they should we start to use our LEA capabilities to apply pressure. This has proven to be very effective: lots of cases solved with small efforts. In most cases this pressure moved the ISPs started to gather reports on their own networks and act by themselves. > > Of course, we can only do this within our jurisdiction, but it would be nice if other spam/malware legislative bodies start doing this too, or any body that can apply some real pressure. I'm a strong believer in self-regulation - so education is always going to be the preferred route for me - LEA can be too heavyhanded Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From ops.lists at gmail.com Wed Aug 10 12:45:44 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 16:15:44 +0530 Subject: [anti-abuse-wg] Correct info in RIPE-database In-Reply-To: <4E42603E.70603@blacknight.com> References: <4E414AA0.10104@webservice.be> <4E42603E.70603@blacknight.com> Message-ID: A common fallacy Think on the lines of "there are lots of people who vote for a politician you consider a jackass, but he hardly ever wins an election anyway" Then think how many complaints about a valid user you get when just one or two stray emails of his get misreported, compared to when that user gets his password compromised by a nigerian or has his PC infected by a virus. Clear enough now? It becomes crystal clear when you have a userbase of, say, a couple of million like I do now, or 40 million ++ like I had till about 2009. Becomes even clearer when you offer feedback loops yourself based on spam reported by your users. --srs On Wed, Aug 10, 2011 at 4:11 PM, Niall Donegan wrote: > > After seeing our AOL Scomp feed and the obviously legit email that often > gets reported as spam by their users, I'm not sure if I'd like it to be > made too easy for the mass unwashed to report "spam" or "abuse". 
-- Suresh Ramasubramanian (ops.lists at gmail.com) From Woeber at CC.UniVie.ac.at Wed Aug 10 12:45:56 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Wed, 10 Aug 2011 10:45:56 +0000 Subject: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: <4E426164.4020308@CC.UniVie.ac.at> Vissers, Pepijn wrote: [...] > This is exactly the mechanism on which we (OPTA) recently developed an > enforcement strategy; educate hosting ISP's in NL from which we see abuse > that is within our enforcement range: spam and malware. If the normal abuse > mechanisms do not work the way they should we start to use our LEA > capabilities to apply pressure. This has proven to be very effective: lots > of cases solved with small efforts. In most cases this pressure moved the > ISPs started to gather reports on their own networks and act by themselves. > > Of course, we can only do this within our jurisdiction, but it would be nice > if other spam/malware legislative bodies start doing this too, or any body > that can apply some real pressure. I think the FICORA approach and environment would be another good example. > Pepijn Such activities are probably considerably more successful than trying to turn the RIPE NCC into a "Super-NOC" or Incident Coordination HotSpot. Wilfried. From ops.lists at gmail.com Wed Aug 10 12:46:45 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 16:16:45 +0530 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: Of course. Please do try to educate a botmaster, snowshoe spammer, nigerian scam artist etc. LEA has their place in the larger scheme of things. It wouldnt be a bright idea to underrate, or underestimate them. 
On Wed, Aug 10, 2011 at 4:12 PM, Michele Neylon :: Blacknight wrote: > > I'm a strong believer in self-regulation - so education is always going to be the preferred route for me - LEA can be too heavyhanded -- Suresh Ramasubramanian (ops.lists at gmail.com) From michele at blacknight.ie Wed Aug 10 12:57:15 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 10 Aug 2011 10:57:15 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: On 10 Aug 2011, at 11:46, Suresh Ramasubramanian wrote: > Of course. Please do try to educate a botmaster, snowshoe spammer, > nigerian scam artist etc. We are talking about ISPs and LIRs *not* about network abusers > > LEA has their place in the larger scheme of things. It wouldnt be a > bright idea to underrate, or underestimate them. *Sigh* > > On Wed, Aug 10, 2011 at 4:12 PM, Michele Neylon :: Blacknight > wrote: >> >> I'm a strong believer in self-regulation - so education is always going to be the preferred route for me - LEA can be too heavyhanded > > > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From P.Vissers at opta.nl Wed Aug 10 13:00:14 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Wed, 10 Aug 2011 11:00:14 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: > > I'm a strong believer in self-regulation - so education is always > > going to be the preferred route for me - LEA can be too heavyhanded Agreed. That is why the strategy is based on education, not on enforcement. But it is clear from the beginning that if the right lessons are not learnt, enforcement is a very real option. But in practice we rarely meet uncooperative 'students'; most of them are eager to learn. > Of course. Please do try to educate a botmaster, snowshoe spammer, > nigerian scam artist etc. That is exactly why we focus on the facilitators, in this case the hosting providers, and their need to act quickly on badness in their networks. And that is why we badly need correct WHOIS records, to bring the discussion back to that topic. Although we can mostly work around incorrect WHOIS records, it is annoying. Pepijn
From ripe-anti-spam-wg at powerweb.de Wed Aug 10 13:21:28 2011 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Wed, 10 Aug 2011 13:21:28 +0200 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: <4E4269B8.20605@powerweb.de> Michele Neylon :: Blacknight wrote: > > On 10 Aug 2011, at 11:46, Suresh Ramasubramanian wrote: > >> Of course. Please do try to educate a botmaster, snowshoe spammer, >> nigerian scam artist etc. > > We are talking about ISPs and LIRs *not* about network abusers Disagreed. We have to talk about both, abusers and ISPs/LIRs. You cannot educate abusers, simply because they do it on effort. But we have to educate or raise the communication level between ISPs/LIRs.
Like my example described: most abuse NOCs are very, very slow, uneducated, not interested, do not want to spend money aso. A system that raises the level of trusted report sources, that only works between LIRs, could help, because - any LIR could be forced to enter his details, so he will READ any description, why this system was introduced - reports from other, experienced LIRs/ISPs could be trusted, simply because they are experienced, they will not behave like normal end users, will try to use standardized reporting formats, present all needed infos and detailed log excerpts e.g. and simply because they also want the same kind of qualified reports from others An introduction of such an anonymous communication server via RIPE NCCs servers could also be accompanied with snail mail, email, announcements, in the regular RIPE reports, meetings aso ... >> LEA has their place in the larger scheme of things. It wouldn't be a >> bright idea to underrate, or underestimate them. LEA actions only works, if the abusing server and the administrator of the attacked service are located in the same country and surely are last resort (well, works in Germany quite well, very ignorant ISPs could be brought to court, if they ignore reports, because everybody in Germany is urged to prevent crime from others, if he has knowledge and the possibility to prevent it). Kind regards, Frank > > > *Sigh* > >> >> On Wed, Aug 10, 2011 at 4:12 PM, Michele Neylon :: Blacknight >> wrote: >>> >>> I'm a strong believer in self-regulation - so education is always going to be the preferred route for me - LEA can be too heavyhanded >> >> >> >> -- >> Suresh Ramasubramanian (ops.lists at gmail.com) > > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Brand Protection > ICANN Accredited Registrar > http://www.blacknight.com/ > http://blog.blacknight.com/ > http://blacknight.mobi/ > http://mneylon.tel > Intl.
+353 (0) 59 9183072 > US: 213-233-1612 > UK: 0844 484 9361 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > > -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank at powerweb.de From P.Vissers at opta.nl Wed Aug 10 13:28:51 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Wed, 10 Aug 2011 11:28:51 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <4E4269B8.20605@powerweb.de> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <4E4269B8.20605@powerweb.de> Message-ID: > LEA actions only works, if the abusing server and the administrator > of the attacked service are located in the same country and > surely are last resort (well, works in Germany quite well, > very ignorant ISPs could be brought to court, if they > ignore reports, because everybody in Germany is urged > to prevent crime from others, if he has knowledge > and the possibility to prevent it). Not every LEA operates in criminal law. OPTA works under administrative law as an *independent* regulatory body (but with serious capabilities, like 'subpoena' and 'search warrant' equivalents), and as such has several degrees of freedom more than 'the police'. That being said, the strategy I've talked about earlier could just as easy be deployed by a small 'internet police' team. It's about proactivity and education (which is fast), not about court cases (which are painfully slow). 
It is however not a way of working traditional LEA is accustomed to. Pepijn
From michele at blacknight.ie Wed Aug 10 13:35:23 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 10 Aug 2011 11:35:23 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <4E4269B8.20605@powerweb.de> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <4E4269B8.20605@powerweb.de> Message-ID: <318F6186-6936-46C1-993C-4238DF793FB5@blacknight.ie> On 10 Aug 2011, at 12:21, Frank Gadegast wrote: > Michele Neylon :: Blacknight wrote: >> >> On 10 Aug 2011, at 11:46, Suresh Ramasubramanian wrote: >> >>> Of course. Please do try to educate a botmaster, snowshoe spammer, >>> nigerian scam artist etc. >> >> We are talking about ISPs and LIRs *not* about network abusers > > Disagreed. > We have to talk about both, abusers and ISPs/LIRs. I don't think you understood what I was talking about.. > > You cannot educate abusers, simply because they do it on effort. > > But we have to educate or raise the communication level between > ISPs/LIRs. > > Like my example described: most abuse NOCs are very, very slow, > uneducated, not interested, do not want to spend money aso. Which isn't helped by a lot of the abuse reports that they get sent .. Something which could actually help would be work on better abuse report formats .. > > A system that raises the level of trusted report sources, that > only works between LIRs, could help, because > - any LIR could be forced to enter his details, so he will > READ any description, why this system was introduced > - reports from other, experienced LIRs/ISPs could be trusted, > simply because they are experienced, they will not > behave like normal end users, will try to use standardized > reporting formats, present all needed infos and detailed > log excerpts e.g. and simply because they also want > the same kind of qualified reports from others There's a lot of this stuff going on already in "trusted" circles.
> > An introduction of such an anonymous communication server > via RIPE NCCs servers could also be accompanied with > snail mail, email, announcements, in the regular RIPE reports, > meetings aso ... You have to be very very careful how that is handled .. > >>> LEA has their place in the larger scheme of things. It wouldn't be a >>> bright idea to underrate, or underestimate them. > > LEA actions only works, if the abusing server and the administrator > of the attacked service are located in the same country Not true Sure it's easier if they are in the same country, but if LEA works with their counterparts there's no reason why it cannot cross borders .. > Regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From ops.lists at gmail.com Wed Aug 10 16:11:40 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 19:41:40 +0530 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: On Wed, Aug 10, 2011 at 4:27 PM, Michele Neylon :: Blacknight wrote: > > On 10 Aug 2011, at 11:46, Suresh Ramasubramanian wrote: > >> Of course. Please do try to educate a botmaster, snowshoe spammer, >> nigerian scam artist etc. > > We are talking about ISPs and LIRs *not* about network abusers > Au contraire.
We are talking about one and the same thing, when you look at the sort of issue that's been plaguing RIPE over the past few years - fake LIRs, RBN fronts getting themselves PI / PA blocks etc. -- Suresh Ramasubramanian (ops.lists at gmail.com) From ops.lists at gmail.com Wed Aug 10 16:17:08 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 19:47:08 +0530 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: As for educating SPs, please do turn up at the upcoming MAAWG meeting in Paris - Oct 24-27. And before that, please talk, on a regular basis, to the people who actually run abuse desks in your organizations. On Wed, Aug 10, 2011 at 7:41 PM, Suresh Ramasubramanian wrote: > On Wed, Aug 10, 2011 at 4:27 PM, Michele Neylon :: Blacknight > wrote: >> >> On 10 Aug 2011, at 11:46, Suresh Ramasubramanian wrote: >> >>> Of course. Please do try to educate a botmaster, snowshoe spammer, >>> nigerian scam artist etc. >> >> We are talking about ISPs and LIRs *not* about network abusers >> > > Au contraire. We are talking about one and the same thing, when you > look at the sort of issue that's been plaguing RIPE over the past few > years - fake LIRs, RBN fronts getting themselves PI / PA blocks etc. > > -- > Suresh Ramasubramanian (ops.lists at gmail.com) > -- Suresh Ramasubramanian (ops.lists at gmail.com) From leo.vegoda at icann.org Wed Aug 10 16:24:21 2011 From: leo.vegoda at icann.org (Leo Vegoda) Date: Wed, 10 Aug 2011 07:24:21 -0700 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> Message-ID: <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> You wrote: [...] > Au contraire.
We are talking about one and the same thing, when you > look at the sort of issue that's been plaguing RIPE over the past few > years - fake LIRs, RBN fronts getting themselves PI / PA blocks etc. To be fair, I think it has been very hard to follow what has been written to the list over the last week or so. A significant number of messages have not been clearly written and may well not have been thought through before being sent. Focusing on the definitions issue, it would be useful to have an agreed set of definitions for some of the terms used. Is there a commonly agreed list? Thanks, Leo From ops.lists at gmail.com Wed Aug 10 16:26:49 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 19:56:49 +0530 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> Message-ID: Hi I would be happy to focus on what Pepijn proposed, and what Brian Nisbet promised to take to the NCC - detailed stats on LIR audits. I would also welcome some input from ICANN on (for example) the SSAC and other related work on whois accuracy, cooperation and engagement with the various registries on mitigating abuse .. thanks --srs On Wed, Aug 10, 2011 at 7:54 PM, Leo Vegoda wrote: > > To be fair, I think it has been very hard to follow what has been written to the list over the last week or so. A significant number of messages have not been clearly written and may well not have been thought through before being sent. > > Focusing on the definitions issue, it would be useful to have an agreed set of definitions for some of the terms used. Is there a commonly agreed list? 
-- Suresh Ramasubramanian (ops.lists at gmail.com) From brian.nisbet at heanet.ie Wed Aug 10 16:30:14 2011 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Wed, 10 Aug 2011 15:30:14 +0100 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> Message-ID: <4E4295F6.9070306@heanet.ie> "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:26: > Hi > > I would be happy to focus on what Pepijn proposed, and what Brian > Nisbet promised to take to the NCC - detailed stats on LIR audits. In relation to this, as an update, I started talking to the NCC about this. I don't know when I'll have an answer right now, but hopefully I shall have some more information for you tomorrow. > On Wed, Aug 10, 2011 at 7:54 PM, Leo Vegoda wrote: >> >> Focusing on the definitions issue, it would be useful to have an agreed set of definitions for some of the terms used. Is there a commonly agreed list? Leo, that is a... complicated conversation at best. While I agree that more clarity and coherence would be very useful, what definitions are you actually looking for? Brian. From P.Vissers at opta.nl Wed Aug 10 16:33:18 2011 From: P.Vissers at opta.nl (Vissers, Pepijn) Date: Wed, 10 Aug 2011 14:33:18 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> Message-ID: > I would be happy to focus on what Pepijn proposed, ...erm... what did I propose? :)
From michele at blacknight.ie Wed Aug 10 16:35:52 2011 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 10 Aug 2011 14:35:52 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <4E4295F6.9070306@heanet.ie> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> Message-ID: <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> On 10 Aug 2011, at 15:30, Brian Nisbet wrote: > "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:26: >> Hi >> >> I would be happy to focus on what Pepijn proposed, and what Brian >> Nisbet promised to take to the NCC - detailed stats on LIR audits. > > In relation to this, as an update, I started talking to the NCC about this. I don't know when I'll have an answer right now, but hopefully I shall have some more information for you tomorrow. > >> On Wed, Aug 10, 2011 at 7:54 PM, Leo Vegoda wrote: >>> >>> Focusing on the definitions issue, it would be useful to have an agreed set of definitions for some of the terms used. Is there a commonly agreed list? > > Leo, that is a... complicated conversation at best. While I agree that more clarity and coherence would be very useful, what definitions are you actually looking for? Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well .. > > Brian. > Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. 
+353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From ops.lists at gmail.com Wed Aug 10 16:38:29 2011 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 10 Aug 2011 20:08:29 +0530 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> Message-ID: On Wed, Aug 10, 2011 at 8:05 PM, Michele Neylon :: Blacknight wrote: > Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well .. There have been periodic threads on this in just about every antispam mailing list and newsgroup that I have been part of, for over 15 years now. 
The more mature lists soon grow out of it, or at least reduce the frequency of this discussion which speedily goes into a quibbling and hair splitting exercise engaged in by like three or four people [often the same 3 or 4 people each time, go figure] -- Suresh Ramasubramanian (ops.lists at gmail.com) From brian.nisbet at heanet.ie Wed Aug 10 16:40:42 2011 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Wed, 10 Aug 2011 15:40:42 +0100 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> Message-ID: <4E42986A.1080608@heanet.ie> "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:38: > On Wed, Aug 10, 2011 at 8:05 PM, Michele Neylon :: Blacknight > wrote: >> Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well .. > > There have been periodic threads on this in just about every antispam > mailing list and newsgroup that I have been part of, for over 15 years > now. > > The more mature lists soon grow out of it, or at least reduce the > frequency of this discussion which speedily goes into a quibbling and > hair splitting exercise engaged in by like three or four people [often > the same 3 or 4 people each time, go figure] Thank you for answering that, Suresh. While I do wonder what definitions people are looking for, you have just said, in an excellent way, what I was thinking of saying. Brian. 
From aftab.siddiqui at gmail.com Thu Aug 11 02:05:24 2011 From: aftab.siddiqui at gmail.com (Aftab Siddiqui) Date: Thu, 11 Aug 2011 05:05:24 +0500 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: <4E42986A.1080608@heanet.ie> References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> <4E42986A.1080608@heanet.ie> Message-ID: So Brian, being the chair, is there any possibility to sum up few things here like the problem statement (I guess it was fake Whois initially) because as suresh said 3-4 ppl will always going to debate on the same issues again n again than why not these ppl can come up with a suggestion towards solution. M2C On Wednesday, August 10, 2011, Brian Nisbet wrote: > "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:38: > > On Wed, Aug 10, 2011 at 8:05 PM, Michele Neylon :: Blacknight > wrote: > > Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well .. > > > There have been periodic threads on this in just about every antispam > mailing list and newsgroup that I have been part of, for over 15 years > now. > > The more mature lists soon grow out of it, or at least reduce the > frequency of this discussion which speedily goes into a quibbling and > hair splitting exercise engaged in by like three or four people [often > the same 3 or 4 people each time, go figure] > > > Thank you for answering that, Suresh. While I do wonder what definitions people are looking for, you have just said, in an excellent way, what I was thinking of saying. > > Brian. > > -- Regards, Aftab A.
Siddiqui From kzorba at otenet.gr Thu Aug 11 08:17:57 2011 From: kzorba at otenet.gr (Kostas Zorbadelos) Date: Thu, 11 Aug 2011 09:17:57 +0300 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> <4E42986A.1080608@heanet.ie> Message-ID: <4E437415.4080701@otenet.gr> On 08/11/2011 03:05 AM, Aftab Siddiqui wrote: > So Brian, being the chair, is there any possibility to sum up few > things here like the problem statement (I guess it was fake Whois > initially) because as suresh said 3-4 ppl will always going to debate > on the same issues again n again than why not these ppl can come up > with a suggestion towards solution. > I totally agree with this one. A summary of the problem statement(s) would be a good thing because I think I am not the only one that lost track of the recent conversations. Kostas PS: Am I the only one that received some bounces from this list? 
Example follows: ------------------------------------------------------------------------ This is the Postfix program at host postboy.ripe.net. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to If you do so, please include this problem report. You can delete your own text from the attached returned message. The Postfix program : mail forwarding loop for anti-abuse-wg at lists.ripe.net ------------------------------------------------------------------------ > M2C > > On Wednesday, August 10, 2011, Brian Nisbet wrote: >> "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:38: >> >> On Wed, Aug 10, 2011 at 8:05 PM, Michele Neylon :: Blacknight >> wrote: >> >> Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well .. >> >> >> There have been periodic threads on this in just about every antispam >> mailing list and newsgroup that I have been part of, for over 15 years >> now. >> >> The more mature lists soon grow out of it, or at least reduce the >> frequency of this discussion which speedily goes into a quibbling and >> hair splitting exercise engaged in by like three or four people [often >> the same 3 or 4 people each time, go figure] >> >> >> Thank you for answering that, Suresh. While I do wonder what definitions people are looking for, you have just said, in an excellent way, what I was thinking of saying. >> >> Brian.
>>
>>
>

From michele at blacknight.ie Thu Aug 11 10:17:43 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 11 Aug 2011 08:17:43 +0000
Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES
In-Reply-To: <4E437415.4080701@otenet.gr>
References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> <4E42986A.1080608@heanet.ie> ,<4E437415.4080701@otenet.gr>
Message-ID: <4339452F-EBA2-4459-B041-F23E18A87E15@blacknight.com>

Re bounces - I got them too

Mr. Michele Neylon
Blacknight
http://Blacknight.tel

Via iPhone so excuse typos and brevity

On 11 Aug 2011, at 07:16, "Kostas Zorbadelos" wrote:

> On 08/11/2011 03:05 AM, Aftab Siddiqui wrote:
>> So Brian, being the chair, is there any possibility to sum up few
>> things here like the problem statement (I guess it was fake Whois
>> initially) because as suresh said 3-4 ppl will always going to debate
>> on the same issues again n again than why not these ppl can come up
>> with a suggestion towards solution.
>>
>
> I totally agree with this one. A summary of the problem statement(s) would be a
> good thing because I think I am not the only one that lost track of the recent
> conversations.
>
> Kostas
>
> PS: Am I the only one that received some bounces from this list?
> Example follows:
>
>> M2C
>>
>> On Wednesday, August 10, 2011, Brian Nisbet wrote:
>>> "Suresh Ramasubramanian" wrote the following on 10/08/2011 15:38:
>>>
>>> On Wed, Aug 10, 2011 at 8:05 PM, Michele Neylon :: Blacknight
>>> wrote:
>>>
>>> Odd that it came up here as well .. there's a similar-ish discussion about definitions going on in APWG as well ..
>>>
>>>
>>> There have been periodic threads on this in just about every antispam
>>> mailing list and newsgroup that I have been part of, for over 15 years
>>> now.
>>>
>>> The more mature lists soon grow out of it, or at least reduce the
>>> frequency of this discussion which speedily goes into a quibbling and
>>> hair splitting exercise engaged in by like three or four people [often
>>> the same 3 or 4 people each time, go figure]
>>>
>>>
>>> Thank you for answering that, Suresh. While I do wonder what definitions people are looking for, you have just said, in an excellent way, what I was thinking of saying.
>>>
>>> Brian.
>>>
>>>
>>
>

From sander at steffann.nl Thu Aug 11 10:40:31 2011
From: sander at steffann.nl (Sander Steffann)
Date: Thu, 11 Aug 2011 10:40:31 +0200
Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES
In-Reply-To: <4339452F-EBA2-4459-B041-F23E18A87E15@blacknight.com>
References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> <4E4295F6.9070306@heanet.ie> <7C06C41B-71F6-41D6-A08F-D8FC8F469ECC@blacknight.ie> <4E42986A.1080608@heanet.ie> ,<4E437415.4080701@otenet.gr> <4339452F-EBA2-4459-B041-F23E18A87E15@blacknight.com>
Message-ID: <8CE41925-0561-4CB9-9CF9-5CC83863CF1F@steffann.nl>

Hi,

> Re bounces - I got them too

I already notified ops at ripe.net

Sander

From brian.nisbet at heanet.ie Thu Aug 11 11:01:25 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 11 Aug 2011 10:01:25 +0100
Subject: [anti-abuse-wg] Recent Discussion & RIPE NCC Issues
Message-ID: <4E439A65.1070004@heanet.ie>

Morning,

There's been some very interesting discussion on the list recently, raising all sorts of points, with the odd diversion here and there. There are a few main points I'd like to address, with updates from the RIPE NCC, with whom I had a very useful conversation this morning.

RIPE NCC Audits & Reporting

Currently the NCC reports on audits to the NCC Services working group and they prepare a report for the community. While this overall reporting method won't change, they have agreed to send the latest copy of the report to the AA-WG and to send a copy of future reports to the list.

Education/BCP

As previously mentioned, this is an action on the AA-WG Chairs and we will be reporting back to you on this in the run up to and during RIPE 63.

RIPE NCC Abuse Complaint Procedure

Along with more information on the Audits the NCC will be mailing the list, likely before the middle of next week, on their plans for the abuse complaint procedure.
They will be outlining improvements to how abuse can be reported, what those reporting incidents should expect and what will be accepted. While information will, of course, be sent to the list, there will also be a presentation on this matter at RIPE 63.

All of this is part of an ongoing plan to deal with issues with inconsistencies (deliberate or accidental) in the Database. The work of the ACM-TF also touches on this.

This email is not meant as a full description of the NCC and WG activities, as I said, more information will be made available next week, so I would ask you to hold any questions until then.

If it is felt that there is a requirement for further changes or expansion of activities, then we get into the territory of proposals and the NCC budget and both the AA-WG chairs and the NCC will render any assistance they can to anyone who would like to examine the possibilities there.

One additional point, this mailing list, and the WG as a whole, will remain open to anyone in the RIPE community. As has been mentioned, we cannot work in isolation, nor should we.

As regards the bounces, I'll pass them on to the relevant folk.

Thanks again for your robust participation over the last two weeks and hopefully both this email and the NCC's response next week will go a long way to answering your points.

Regards,

Brian.

From vesely at tana.it Sat Aug 13 19:46:49 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Sat, 13 Aug 2011 19:46:49 +0200
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To:
References: <4E414AA0.10104@webservice.be> <4E42603E.70603@blacknight.com>
Message-ID: <4E46B889.2000008@tana.it>

On 10.08.2011 12:45, Suresh Ramasubramanian wrote:
> Think on the lines of "there are lots of people who vote for a
> politician you consider a jackass, but he hardly ever wins an election
> anyway"
>
> Then think how many complaints about a valid user you get when just
> one or two stray emails of his get misreported, compared to when that
> user gets his password compromised by a Nigerian or has his PC
> infected by a virus.

This comparison apparently suggests that misreports ought to be handled and repaired, just like viruses or compromised passwords, however statistically negligible they might be. (It could even be possible to devise methods to handle misreports so as to minimize the amount of time that the relevant abuse team has to spend on manual investigation.)

Is that what you meant?

From ops.lists at gmail.com Sun Aug 14 03:43:44 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 14 Aug 2011 07:13:44 +0530
Subject: [anti-abuse-wg] Correct info in RIPE-database
In-Reply-To: <4E46B889.2000008@tana.it>
References: <4E414AA0.10104@webservice.be> <4E42603E.70603@blacknight.com> <4E46B889.2000008@tana.it>
Message-ID:

This doesn't suggest "repairing" misreports, it suggests ignoring them as not statistically significant enough to affect a particular account's reputation.

So, your automated FBL processing doesn't freeze the account, while the guy with a virus or a compromise gets his account detected and frozen by that very same script.

"Handling" or "repairing" misreports any further is just not needed when you look at it that way.

--srs

On Sat, Aug 13, 2011 at 11:16 PM, Alessandro Vesely wrote:
>
>
> This comparison apparently suggests that misreports ought to be handled and
> repaired, just like viruses or compromised passwords, however statistically
> negligible they might be. (It could even be possible to devise methods to
> handle misreports so as to minimize the amount of time that the relevant
> abuse team has to spend on manual investigation.)
>
> Is that what you meant?

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From athina.fragkouli at ripe.net Wed Aug 17 15:29:20 2011
From: athina.fragkouli at ripe.net (Athina Fragkouli)
Date: Wed, 17 Aug 2011 15:29:20 +0200
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
Message-ID: <4E4BC230.2030707@ripe.net>

Dear colleagues,

Following discussions and comments on the mailing list, we would like to inform you about the current status of audits and handling abuse complaints, and on plans to improve the way we deal with these.

Currently, abuse complaints come in via abuse at ripe.net. When this is a valid complaint, we investigate the matter, we contact the relevant LIR and we execute an audit on the LIR.

Apart from audits initiated by complaints, we also execute audits of randomly selected LIRs as well as LIRs in whose registration records we notice inconsistencies.

Here are some statistics on the number of audits and on the outcomes of those audits:
- 2009: 319 audits, all LIRs were in order or complied with auditors' instructions
- 2010: 447 audits, seven PI assignments were deregistered
- 2011: 234 audits, 124 are complete, two LIRs were closed as a result of the audits, two PI assignments were deregistered, 110 audits are ongoing

For confidentiality reasons, the RIPE NCC does not report on individual audits, on the changes/amendments made in the audits or on the comments/communication with the LIR during the audit.

Reports on audits will take place during the update from the RIPE NCC at the RIPE NCC Services Working Group at every RIPE Meeting.

We acknowledge there is a lack of clarity and transparency on our abuse and complaint procedure. We are in the process of redeveloping this process to improve our services in this area. We will present the revised process during the RIPE 63 Meeting in Vienna.

Because we are in the process of setting this up, we welcome your feedback and any experiences you would like to share on this mailing list. We will not comment on each and every suggestion, but we will take the feedback/comments into account in developing this new procedure.

Kind regards,
Athina Fragkouli
RIPE NCC

From james.davis at ja.net Wed Aug 17 16:20:23 2011
From: james.davis at ja.net (James Davis)
Date: Wed, 17 Aug 2011 15:20:23 +0100
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID: <4E4BCE27.1020702@ja.net>

On 17/08/2011 14:29, Athina Fragkouli wrote:

> - 2011: 234 audits, 124 are complete, two LIRs were closed as a
> result of the audits, two PI assignments were deregistered, 110
> audits are ongoing
>
> For confidentiality reasons, the RIPE NCC does not report on
> individual audits, on the changes/amendments made in the audits or on
> the comments/communication with the LIR during the audit.

I think that there needs to be a balance between the privacy and transparency in the process. In another community I participate in, when a member doesn't meet the requirements for membership and is formally investigated for that failure - a concise and factual e-mail is sent to the rest of the community so that we understand why they have left.

The statements are never defamatory - usually something like 'Following a complaint about y, Foo failed to meet requirement x, and since they did not respond to our concerns or correct this issue within the time given, they have been removed.'

I've noticed that a LIR and PI assignment I complained about earlier in the year have disappeared. I can't be sure that it's one of those, but I'm assuming that it is. The LIR seemed to exist only to provide a single PI assignment to a company that didn't exist, and the allocation was being used for abuse.

> Because we are in the process of setting this up, we welcome your
> feedback and any experiences you would like to share on this mailing
> list. We will not comment on each and every suggestion, but we will
> take the feedback/comments into account in developing this new
> procedure.

If I can confirm with you that my report was related to one of these cases, would it be useful for me to give an account of my experience here?

Regards,

James

--
James Davis 0300 999 2340 (+44 1235 822340)
Senior CSIRT Member
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire.
OX11 0SG

From michele at blacknight.ie Wed Aug 17 16:29:02 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed, 17 Aug 2011 14:29:02 +0000
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID: <9E70B471-A219-40FF-B5AB-2EEB0A4E8B87@blacknight.ie>

Athina

Thanks for sharing this information - it's useful

Regards

Michele

On 17 Aug 2011, at 14:29, Athina Fragkouli wrote:

> Dear colleagues,
>
> Following discussions and comments on the mailing list, we would like to inform you about the current status of audits and handling abuse complaints, and on plans to improve the way we deal with these.
>
> Currently, abuse complaints come in via abuse at ripe.net. When this is a valid complaint, we investigate the matter, we contact the relevant LIR and we execute an audit on the LIR.
>
> Apart from audits initiated by complaints, we also execute audits of randomly selected LIRs as well as LIRs in whose registration records we notice inconsistencies.
>
> Here are some statistics on the number of audits and on the outcomes of those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors' instructions
> - 2010: 447 audits, seven PI assignments were deregistered
> - 2011: 234 audits, 124 are complete, two LIRs were closed as a result of the audits, two PI assignments were deregistered, 110 audits are ongoing
>
> For confidentiality reasons, the RIPE NCC does not report on individual audits, on the changes/amendments made in the audits or on the comments/communication with the LIR during the audit.
>
> Reports on audits will take place during the update from the RIPE NCC at the RIPE NCC Services Working Group at every RIPE Meeting.
>
> We acknowledge there is a lack of clarity and transparency on our abuse and complaint procedure. We are in the process of redeveloping this process to improve our services in this area.
We will present the revised process during the RIPE 63 Meeting in Vienna.
>
> Because we are in the process of setting this up, we welcome your feedback and any experiences you would like to share on this mailing list. We will not comment on each and every suggestion, but we will take the feedback/comments into account in developing this new procedure.
>
> Kind regards,
> Athina Fragkouli
> RIPE NCC
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Wed Aug 17 16:51:57 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 17 Aug 2011 20:21:57 +0530
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID:

Thank you Athina

Is it possible to share the total amount of IP space reclaimed? eg: so many /16s, etc. Aggregate stats like that shouldn't violate confidentiality clauses in your audit, I think

thanks
suresh

On Wed, Aug 17, 2011 at 6:59 PM, Athina Fragkouli wrote:
>
> Here are some statistics on the number of audits and on the outcomes of
> those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors'
> instructions
> - 2010: 447 audits, seven PI assignments were deregistered
> - 2011: 234 audits, 124 are complete, two LIRs were closed as a result of
> the audits, two PI assignments were deregistered, 110 audits are ongoing

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From pk at DENIC.DE Wed Aug 17 19:08:34 2011
From: pk at DENIC.DE (Peter Koch)
Date: Wed, 17 Aug 2011 19:08:34 +0200
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID: <20110817170834.GI25053@x27.adm.denic.de>

Hello Athina,

many thanks for this report.

> Currently, abuse complaints come in via abuse at ripe.net. When this is a
> valid complaint, we investigate the matter, we contact the relevant LIR
> and we execute an audit on the LIR.

This, read in isolation, could support misunderstandings, at least I'm about to be confused. What nature of "complaints" would initiate an audit? I'm confident that "valid" above means that the complaint has significant indication that either the LIR as such has issues with its existence or legal status or the object maintained by the LIR or the respective assignee has such issues or raises serious doubts, failure to clear which would raise a process violation by the LIR. I'd not read this as "a customer of LIR x sent me spam and therefore the LIR is now undergoing an audit."

Thanks,
Peter

From Woeber at CC.UniVie.ac.at Wed Aug 17 19:59:49 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Wed, 17 Aug 2011 17:59:49 +0000
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID: <4E4C0195.1020002@CC.UniVie.ac.at>

Athina Fragkouli wrote:

> Dear colleagues,
>
> Following discussions and comments on the mailing list, we would like to
> inform you about the current status of audits and handling abuse
> complaints, and on plans to improve the way we deal with these.

Thanks for the numbers!

> Currently, abuse complaints come in via abuse at ripe.net.

Just wondering....

On the sender's end, an address of "abuse at something.tld" usually, raises some semantic expectations, in some environments.

I am not proposing to abandon or to replace "abuse at ripe.net", because it probably does serve a valid purpose, within the framework of the assumed semantics (as Peter has pointed out already!), but rather to create a sort of formal complaints process against an LIR.

This process of course SHOULD include some serious safeguards (When this is a valid complaint), to avoid being misused for DoS attacks on the administrative plane ;-)

Wilfried.

> When this is a
> valid complaint, we investigate the matter, we contact the relevant LIR
> and we execute an audit on the LIR.
>
> Apart from audits initiated by complaints, we also execute audits of
> randomly selected LIRs as well as LIRs in whose registration records we
> notice inconsistencies.
>
> Here are some statistics on the number of audits and on the outcomes of
> those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors'
> instructions
> - 2010: 447 audits, seven PI assignments were deregistered
> - 2011: 234 audits, 124 are complete, two LIRs were closed as a result
> of the audits, two PI assignments were deregistered, 110 audits are ongoing
>
> For confidentiality reasons, the RIPE NCC does not report on individual
> audits, on the changes/amendments made in the audits or on the
> comments/communication with the LIR during the audit.
>
> Reports on audits will take place during the update from the RIPE NCC at
> the RIPE NCC Services Working Group at every RIPE Meeting.
>
> We acknowledge there is a lack of clarity and transparency on our abuse
> and complaint procedure. We are in the process of redeveloping this
> process to improve our services in this area. We will present the
> revised process during the RIPE 63 Meeting in Vienna.
>
> Because we are in the process of setting this up, we welcome your
> feedback and any experiences you would like to share on this mailing
> list. We will not comment on each and every suggestion, but we will take
> the feedback/comments into account in developing this new procedure.
>
> Kind regards,
> Athina Fragkouli
> RIPE NCC
>
>

From ops.lists at gmail.com Thu Aug 18 03:32:32 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 18 Aug 2011 07:02:32 +0530
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4C0195.1020002@CC.UniVie.ac.at>
References: <4E4BC230.2030707@ripe.net> <4E4C0195.1020002@CC.UniVie.ac.at>
Message-ID:

I'd actually support a form (and maybe also a word / rtf doc with questions, for those who reach out over email) with a detailed questionnaire that helps you ask the most important questions you need to determine whether an audit should be carried out.

--srs

On Wed, Aug 17, 2011 at 11:29 PM, Wilfried Woeber, UniVie/ACOnet wrote:
>
> I am not proposing to abandon or to replace "abuse at ripe.net", because it
> probably does serve a valid purpose, within the framework of the assumed
> semantics (as Peter has pointed out already!),
> but rather to create a sort of formal complaints process against an LIR.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From kzorba at otenet.gr Thu Aug 18 08:08:32 2011
From: kzorba at otenet.gr (Kostas Zorbadelos)
Date: Thu, 18 Aug 2011 09:08:32 +0300
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <20110817170834.GI25053@x27.adm.denic.de>
References: <4E4BC230.2030707@ripe.net> <20110817170834.GI25053@x27.adm.denic.de>
Message-ID: <4E4CAC60.2000003@otenet.gr>

On 08/17/2011 08:08 PM, Peter Koch wrote:

As Peter mentioned, I think we need to hear and understand what exactly is "a valid complaint" that can initiate a LIR audit. This also should be in an open published document that describes the entire "abuse handling" procedure of RIPE NCC.

As Athina said, we should expect a relevant presentation at RIPE 63.

Regards,

Kostas

From P.Vissers at opta.nl Thu Aug 18 09:06:04 2011
From: P.Vissers at opta.nl (Vissers, Pepijn)
Date: Thu, 18 Aug 2011 07:06:04 +0000
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BC230.2030707@ripe.net>
References: <4E4BC230.2030707@ripe.net>
Message-ID:

Thanks Athina, this information is very much appreciated. And it of course raises a few questions, some of which have already been mentioned by others in this thread. I do have a few of my own though.

> Currently, abuse complaints come in via abuse at ripe.net. When this is a
> valid complaint, we investigate the matter, we contact the relevant LIR
> and we execute an audit on the LIR.

As mentioned by others: what is a 'valid complaint'?

> Apart from audits initiated by complaints, we also execute audits of
> randomly selected LIRs as well as LIRs in whose registration records we
> notice inconsistencies.

What are these 'inconsistencies' and how do you come to notice these?

> Here are some statistics on the number of audits and on the outcomes of
> those audits:
> - 2009: 319 audits, all LIRs were in order or complied with auditors'
> instructions

Just wondering: no audits have been done before 2009?

Does RIPE have an 'audit team'? Of how many people? Are they located (and thus bound by law in) the Netherlands?

> We acknowledge there is a lack of clarity and transparency on our abuse
> and complaint procedure. We are in the process of redeveloping this
> process to improve our services in this area. We will present the
> revised process during the RIPE 63 Meeting in Vienna.

Great. Sounds like a reason to be there :)

Thanks again Athina.

+++++++++++++++++++++++++++++++++++++++++++++
Disclaimer
This e-mail message may contain confidential information or information protected by professional privilege. If it is not intended for you, you should be aware that any distribution, copying or other form of use of this message is not permitted.
If it has apparently reached you by mistake, we urge you to notify us by phone +31 70 315 3500 or e-mail mailto:mail at opta.nl and destroy the message immediately. This e-mail message has only been checked for viruses. The accuracy, relevance, timeliness or completeness of the information provided cannot be guaranteed. OPTA expressly disclaims any responsibility in relation to the information in this e-mail message. No rights can be derived from this message. From Woeber at CC.UniVie.ac.at Thu Aug 18 09:07:12 2011 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Thu, 18 Aug 2011 07:07:12 +0000 Subject: Education - was Re: [anti-abuse-wg] Correct info in RIPE-database - YES In-Reply-To: References: <4E425548.7080304@powerweb.de> <1547A07F-E5E9-437E-9213-6CC944A69F44@blacknight.ie> <41F6C547EA49EC46B4EE1EB2BC2F341824F421A0A9@EXVPMBX100-1.exc.icann.org> Message-ID: <4E4CBA20.5020809@CC.UniVie.ac.at> Suresh Ramasubramanian wrote: [...] > I would also welcome some input from ICANN on (for example) the SSAC > and other related work on whois accuracy, cooperation and engagement > with the various registries on mitigating abuse .. As an aside and fyi, I *may* and hope to be in a position to report about the state of affairs and issues, or even emerging results, of ICANN's RT4 on "whois policy"[1] at RIPE63. While this activity is primarily targetting the names whois, my expectation is that some of the findings (and inputs, like from LEA and data protection support) may also be of interest to the IP resource registry whois environment. The target date for delivery of the RT's report is before the end of 2011. I am on this RT as endorsed by the Address Council, as well as trying to contribute my experience with registry issues from the RIPE DB-WG and some CERT stuff. The RT's next major F2F meeting is scheduled for September in Los Angeles. 
> thanks
> --srs
>
> On Wed, Aug 10, 2011 at 7:54 PM, Leo Vegoda wrote:
>
>>To be fair, I think it has been very hard to follow what has been written to the list over the last week or so. A significant number of messages have not been clearly written and may well not have been thought through before being sent.
>>
>>Focusing on the definitions issue, it would be useful to have an agreed set of definitions for some of the terms used. Is there a commonly agreed list?

Regards,
Wilfried.

[1] https://community.icann.org/display/whoisreview/WHOIS+Policy+Review+Team

From Woeber at CC.UniVie.ac.at Thu Aug 18 09:36:38 2011
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet)
Date: Thu, 18 Aug 2011 07:36:38 +0000
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To:
References: <4E4BC230.2030707@ripe.net>
Message-ID: <4E4CC106.2090202@CC.UniVie.ac.at>

Vissers, Pepijn wrote:

[...]
> Just wondering: no audits have been done before 2009?

Oh, definitely yes!

Just have a look at this document http://www.ripe.net/ripe/docs/ripe-423 dated "Nov 2007", which already was a sort of iteration to "properly" describe what the usual approach for, and framework of, an audit was.

I'll leave the rest of your questions to be answered by the NCC :-)

> Does RIPE have an 'audit team'? Of how many people? Are they located
> (and thus bound by law in) the Netherlands?
>
>
>>We acknowledge there is a lack of clarity and transparency on our abuse
>>and complaint procedure. We are in the process of redeveloping this
>>process to improve our services in this area. We will present the
>>revised process during the RIPE 63 Meeting in Vienna.
>
>
> Great. Sounds like a reason to be there :)
>
> Thanks again Athina.
> +++++++++++++++++++++++++++++++++++++++++++++

From ripe-anti-spam-wg at powerweb.de Thu Aug 18 09:55:30 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 18 Aug 2011 09:55:30 +0200
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To:
References: <4E4BC230.2030707@ripe.net>
Message-ID: <4E4CC572.6000104@powerweb.de>

Vissers, Pepijn wrote:
>
> As mentioned by others: what is a 'valid complaint'?

Just wondering, if we really want to tell those members, that are misusing RIPE's resources on effort, how to prevent audits and how to hide even better ...

Maybe RIPE should keep the whole procedure secret.

Kind regards, Frank
--
PHADE Software - PowerWeb              http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast      mailto:frank at powerweb.de
Schinkelstrasse 17                     fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From athina.fragkouli at ripe.net Thu Aug 18 14:32:49 2011
From: athina.fragkouli at ripe.net (Athina Fragkouli)
Date: Thu, 18 Aug 2011 14:32:49 +0200
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
Message-ID: <4E4D0671.1030705@ripe.net>

Dear all,

Thank you very much for your comments.

Regarding the nature of a valid complaint and the inconsistent registration:
A complaint sent to the RIPE NCC is valid if it refers to a matter the RIPE NCC is responsible for. The RIPE NCC is responsible for implementing RIPE Policies and for making sure that LIRs and End Users with independent resources comply with RIPE Policies. Accordingly, a registration is inconsistent if it is not correct and updated.
Regarding audits before 2009:
The RIPE NCC reported on audits (including audits before 2009) at RIPE 61:
http://ripe61.ripe.net/presentations/331-Update_RIPE_NCC_R61.pdf (see slide 10)

Regarding the total amount of IP addresses deregistered as a result of audits:
Deregistered allocations: one /21 and one /17
Deregistered PI assignments: one /22, four /23s and four /24s

Kind regards,

Athina Fragkouli
RIPE NCC

From ops.lists at gmail.com Thu Aug 18 16:05:09 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 18 Aug 2011 19:35:09 +0530
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4D0671.1030705@ripe.net>
References: <4E4D0671.1030705@ripe.net>
Message-ID:

And was this just assigned PI/PA netblocks, or also the netblocks assigned through the LIRs you deregistered?

thanks
suresh

On Thu, Aug 18, 2011 at 6:02 PM, Athina Fragkouli wrote:
>
> Regarding the total amount of IP addresses deregistered as a result of
> audits:
> Deregistered allocations: one /21 and one /17
> Deregistered PI assignments: one /22, four /23s and four /24s

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From vesely at tana.it Thu Aug 18 19:34:08 2011
From: vesely at tana.it (Alessandro Vesely)
Date: Thu, 18 Aug 2011 19:34:08 +0200
Subject: [anti-abuse-wg] RIPE NCC Abuse Complaints, Audits and Reports
In-Reply-To: <4E4BCE27.1020702@ja.net>
References: <4E4BC230.2030707@ripe.net> <4E4BCE27.1020702@ja.net>
Message-ID: <4E4D4D10.5070108@tana.it>

On 17.08.2011 16:20, James Davis wrote:
> On 17/08/2011 14:29, Athina Fragkouli wrote:
>> For confidentiality reasons, the RIPE NCC does not report on
>> individual audits, on the changes/amendments made in the audits or on
>> the comments/communication with the LIR during the audit.
>
> I think that there needs to be a balance between the privacy and
> transparency in the process.
>
> I've noticed that a LIR and PI assignment I complained about earlier in
> the year have disappeared.
> I can't be sure that it's one of those, but
> I'm assuming that it is.

Some feedback --e.g. "thanks, your complaint was useful: we closed that LIR", or "your complaint was useless, please avoid sending x in the future"-- might educate complainants and thus optimize the time spent on these issues by abuse teams at both RIPE's and complainants'.

Of course, the more restricted the senders base, the higher the percent-wise effect of educating a single one of them. Should abuse at RIPE only be used by LIRs? In this case, users at deeper branches of the delegation tree would send to abuse at LIR and so forth, provided that valid abuse teams are available at those levels. (This approach is consistent with the currently advised hierarchical procedure for locating an abuse-mailbox for a given IP address.)

>> Because we are in the process of setting this up, we welcome your
>> feedback and any experiences you would like to share on this mailing
>> list. We will not comment on each and every suggestion, but we will
>> take the feedback/comments into account in developing this new
>> procedure.

Thanks.

From ops.lists at gmail.com Sun Aug 21 04:47:18 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sun, 21 Aug 2011 08:17:18 +0530
Subject: [anti-abuse-wg] Fwd: Prefix hijacking by Michael Lindsay via Internap
In-Reply-To:
References:
Message-ID:

Nice little thread on nanog that is rather a propos to what we're discussing.

---------- Forwarded message ----------
From: Denis Spirin
Date: Sun, Aug 21, 2011 at 6:35 AM
Subject: Prefix hijacking by Michael Lindsay via Internap
To: nanog at nanog.org

Hello All,

I was hired by the Russian ISP company to get it back to the business. Due to impact of the financial crisis, the company was almost bankrupt, but then found the investor and have a big wish to live again. When I tried to announce its networks, upstreams rejected to accept it because of Spamhaus listings.
But our employer swore there is not and was not any spamming from the company. The Spamhaus lists all our networks as spamming Zombies. And it IS announced and used now!!!

The announce is from American based company Internap (AS12182). I wrote the abuse report to them, but instead of stop unauthorized announces of our networks, I was contacted by a person named 'Michael Lindsay' - he told me he bought our networks from some other people and demanded we get back our abuse reports. Of course, we don't.

After a short googling, I found this is a well-known cyber crime person:
http://www.spamhaus.org/rokso/listing.lasso?file=818&skip=0, and he did IP hijacking with the fake letter of authorization before:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8686
so our company is not a first victim of him. Yes, our company "helped" him with the mistake of losing the old domain link-telecom.biz, which he also squatted. This domain was listed as contact at RIPE Database.

It is a good topic why these easy-to-forge LOAs are still in use, as RADB/RIPE DB/other routing database with the password access is a common thing. But this is not the main thing. The main thing is why Internap helps to commit a crime to the well-known felony person, and completely ignores our requests? Is there any way to push them to stop doing that immediately?

If anybody can - please help...

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From eric.freyssinet at m4x.org Wed Aug 24 00:23:14 2011
From: eric.freyssinet at m4x.org (Eric Freyssinet)
Date: Wed, 24 Aug 2011 00:23:14 +0200
Subject: [anti-abuse-wg] Introduction - Eric FREYSSINET
Message-ID:

Hello !

This short message to introduce myself to the list. I have registered to follow your discussions after a presentation at Europol where Brian Nisbet made a presentation.

I am Eric FREYSSINET, and I work for the gendarmerie nationale in France, which is one of our two national police forces. Currently, I am the head of our national cybercrime division.
I have been working since 1998 in the field of IT investigations, first as the head of our IT forensics lab, then at our headquarters in a coordination function, and now as the head of an Internet investigations unit.

I look forward to exchanging with the community.

Best regards,
--
Eric Freyssinet
perso: eric.freyssinet at m4x.org
pro: eric.freyssinet at gendarmerie.interieur.gouv.fr
blog: http://blog.crimenumerique.fr/

From michele at blacknight.ie Wed Aug 24 02:04:43 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed, 24 Aug 2011 00:04:43 +0000
Subject: [anti-abuse-wg] Introduction - Eric FREYSSINET
In-Reply-To:
References:
Message-ID: <2F66109A-B464-476B-8893-25AABBD75985@blacknight.com>

Eric

Nice to see someone from LEA on the list

Regards

Michele

Mr. Michele Neylon
Blacknight
http://Blacknight.tel

Via iPhone so excuse typos and brevity

On 23 Aug 2011, at 23:31, "Eric Freyssinet" wrote:

Hello !

This short message to introduce myself to the list. I have registered to follow your discussions after a presentation at Europol where Brian Nisbet made a presentation.

I am Eric FREYSSINET, and I work for the gendarmerie nationale in France, which is one of our two national police forces. Currently, I am the head of our national cybercrime division. I have been working since 1998 in the field of IT investigations, first as the head of our IT forensics lab, then at our headquarters in a coordination function, and now as the head of an Internet investigations unit.

I look forward to exchanging with the community.

Best regards,
--
Eric Freyssinet
perso: eric.freyssinet at m4x.org
pro: eric.freyssinet at gendarmerie.interieur.gouv.fr
blog: http://blog.crimenumerique.fr/

From brian.nisbet at heanet.ie Mon Aug 29 15:00:40 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 29 Aug 2011 14:00:40 +0100
Subject: [anti-abuse-wg] Call For Agenda Items
Message-ID: <4E5B8D78.5050901@heanet.ie>

Colleagues,

Now that registration for RIPE63 has opened, it seems timely to make a call for further agenda items for the Anti-Abuse WG session.

If you have any proposals you would like to make, or presentations you would like to give, please let Tobias or me know.

Thanks,

Brian.
Co-Chair, RIPE AA-WG

From vijaye at google.com Wed Aug 31 21:15:31 2011
From: vijaye at google.com (Vijay Eranti (✌ విజయ్ ఈరంటి))
Date: Wed, 31 Aug 2011 12:15:31 -0700
Subject: [anti-abuse-wg] regarding very persistent spammy isps on ripe
Message-ID:

hi ripe folks,

I work on spam filter and we notice very gross abuse of very large internet ranges by blatant spammers posing as ISPs - all of which are allocated by ripe. I totally understand that ripe is not to deal with the spam but it will be totally unjust to say they will allocate a /13 to a spammer and have spammer wreak havoc or do whatever crap he wants to do. I posted a couple of messages to ripe and all I get is the same routine message saying they won't police this. But, why are they giving the address ranges of such huge magnitude to criminals if they cannot police it ? It will be a great disservice if this continues to happen. We always notice the spammer is always from same place or address

We already blocked a bunch of /13s allocated by ripe to spammers and at some point may have to block even wider range since all we see from every ip in that range is spam or phishing or no activity.

Always, the whois refers to a guy with address in sector 3, bucharest, romania.

I know ipv4 addresses are running out but even ipv6 will run out if we do same thing like allocating like crazy very large netblock ranges to spammers.
Can ripe do anything here or of any help here other than just saying they just give away ip addresses ranges to ISPs (which in turn some are criminals) but do not police ?

The thing that changes is the name of the person - either berar george or something else etc.,.
for instance today the spammer is using range :

vijaye at veranti:~$ whois 193.254.53.34
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '193.254.48.0 - 193.254.63.255'

inetnum:        193.254.48.0 - 193.254.63.255
netname:        COMTEL-SUPERNET
descr:          COMTEL Supernet srl
descr:          COMTEL dedicated customers
country:        RO
tech-c:         GDG620-RIPE
admin-c:        GDG620-RIPE
admin-c:        CT19-RIPE
tech-c:         CT19-RIPE
status:         ASSIGNED PA
mnt-by:         COMTEL-MNT
source:         RIPE # Filtered

person:         Corneliu Tanasa
address:        COMTEL TELECOM NETWORK SRL
address:        18 Decebal Blvd., Sector 3
address:        Bucharest, ROMANIA
phone:          +40-21-3229390
fax-no:         +40-21-3229391
e-mail:         ggoran at comtelnetworks.ro
mnt-by:         COMTEL-MNT
nic-hdl:        CT19-RIPE
source:         RIPE # Filtered

From peter at hk.ipsec.se Wed Aug 31 21:58:15 2011
From: peter at hk.ipsec.se (peter h)
Date: Wed, 31 Aug 2011 21:58:15 +0200
Subject: [anti-abuse-wg] regarding very persistent spammy isps on ripe
In-Reply-To:
References:
Message-ID: <201108312158.17370.peter@hk.ipsec.se>

On Wednesday 31 August 2011 21.15, Vijay Eranti wrote:
> hi ripe folks,
>
> I work on spam filter and we notice very gross abuse of very large internet
> ranges by blatant spammers posing as ISPs - all of which are allocated by
> ripe.
> I totally understand that ripe is not to deal with the spam but it
> will be totally unjust to say they will allocate a /13 to a spammer and have
> spammer wreak havoc or do whatever crap he wants to do. I posted a couple
> of messages to ripe and all I get is the same routine message saying they
> won't police this. But, why are they giving the address ranges of such huge
> magnitude to criminals if they cannot police it ? It will be a great
> disservice if this continues to happen. We always notice the spammer is
> always from same place or address

RIPE ( and others ) has an asymmetrical role, they are supposed to give never to reclaim.

>
> We already blocked a bunch of /13s allocated by ripe to spammers and at some
> point may have to block even wider range since all we see from every ip in
> that range is spam or phishing or no activity.

By all means continue blocking.

>
> Always, the whois refers to a guy with address in sector 3, bucharest,
> romania.
>
> I know ipv4 addresses are running out but even ipv6 will run out if we do
> same thing like allocating like crazy very large netblock ranges to
> spammers.

the solution is surprisingly easy ( and old) : lease out ip-addresses, as long as the customer pays it will function, when the lease terminates the range will be leased to someone else. Thus it's no longer a free resource that can be polluted ( and replaced at no cost when blocked).

This would give income to IETF that could pay for a substantial part of Internet infrastructure & services including BGP4 route announcements globally.

Note that any resource that is *free* will be exhausted, let it be air, clean water or fish in the sea. Setting a price on a scarce resource will create pressure on usage.

> Can ripe do anything here or of any help here other than just saying they
> just give away ip addresses ranges to ISPs (which in turn some are criminals)
> but do not police ?
>
> The thing that changes is the name of the person - either berar george or
> something else etc.,.
> for instance today the spammer is using range :
>
> vijaye at veranti:~$ whois 193.254.53.34
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to '193.254.48.0 - 193.254.63.255'
>
> inetnum:        193.254.48.0 - 193.254.63.255
> netname:        COMTEL-SUPERNET
> descr:          COMTEL Supernet srl
> descr:          COMTEL dedicated customers
> country:        RO
> tech-c:         GDG620-RIPE
> admin-c:        GDG620-RIPE
> admin-c:        CT19-RIPE
> tech-c:         CT19-RIPE
> status:         ASSIGNED PA
> mnt-by:         COMTEL-MNT
> source:         RIPE # Filtered
>
> person:         Corneliu Tanasa
> address:        COMTEL TELECOM NETWORK SRL
> address:        18 Decebal Blvd., Sector 3
> address:        Bucharest, ROMANIA
> phone:          +40-21-3229390
> fax-no:         +40-21-3229391
> e-mail:         ggoran at comtelnetworks.ro
> mnt-by:         COMTEL-MNT
> nic-hdl:        CT19-RIPE
> source:         RIPE # Filtered
>

This range was new to me, now it's included in my blocklist
( we had a block on : 193.254.32.0/19 )

regards

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From thor.kottelin at turvasana.com Wed Aug 31 22:32:14 2011
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Wed, 31 Aug 2011 23:32:14 +0300
Subject: [anti-abuse-wg] regarding very persistent spammy isps on ripe
In-Reply-To:
References:
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of Vijay Eranti (✌ విజయ్ ఈరంటి)
> Sent: Wednesday, August 31, 2011 10:16 PM
> To: anti-abuse-wg at ripe.net

> I work on spam filter and we notice very gross abuse of very large
> internet ranges by blatant spammers posing as ISPs - all of which
> are allocated by ripe.

This kind of issue has been discussed here many times previously. I am not saying it should not be discussed again, just that some archive browsing may be a good way to determine the stands various participants have taken on this general subject.

> Can ripe do anything here or of any help here other than just
> saying they just give away ip addresses ranges to ISPs (which
> in turn some are criminals) but do not police ?

You are a member of this working group; in other words, RIPE is you. Will you be the person who actually creates a useful proposal that can be implemented as RIPE policy? Instructions are available at http://www.ripe.net/ripe/docs/ripe-500.

--
Thor Kottelin
http://www.anta.net/

From gert at space.net Wed Aug 31 22:37:33 2011
From: gert at space.net (Gert Doering)
Date: Wed, 31 Aug 2011 22:37:33 +0200
Subject: [anti-abuse-wg] regarding very persistent spammy isps on ripe
In-Reply-To: <201108312158.17370.peter@hk.ipsec.se>
References: <201108312158.17370.peter@hk.ipsec.se>
Message-ID: <20110831203733.GY72014@Space.Net>

Hi,

On Wed, Aug 31, 2011 at 09:58:15PM +0200, peter h wrote:
> RIPE ( and others ) has an asymmetrical role, they are supposed to give never to reclaim.

If you would actually *read* what people from the RIPE NCC are posting here, you'd know that this is not true. But that would destroy the nice soapbox you're ranting from, so I can understand that you don't want that.

[..]
> the solution is surprisingly easy ( and old) : lease out ip-addresses, as
> long as the customer pays it will function, when the lease terminates the
> range will be leased to someone else. Thus it's no longer a free
> resource that can be polluted ( and replaced at no cost when blocked).
If a LIR stops paying their LIR fees, the resources will be reclaimed.

What exactly was it that you were asking for?

Gert Doering
--
have you enabled IPv6 on something today...?

SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279
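
An added example, not part of any message in the thread: the whois reply quoted in the 31 August messages gives the registration as a first-last address range, while the blocklist entry mentioned in the reply to it is a CIDR prefix, so comparing the two needs a conversion. This Python code parses the `inetnum` attribute, converts it to prefixes, and sorts them into "already covered" and "to add"; the function names are assumptions made for this illustration, and the whois text is an abridged copy of the quoted output.

```python
import ipaddress
import re

# Abridged copy of the whois reply quoted in the thread (only the fields used here).
WHOIS_REPLY = """\
% Information related to '193.254.48.0 - 193.254.63.255'

inetnum:        193.254.48.0 - 193.254.63.255
netname:        COMTEL-SUPERNET
country:        RO
status:         ASSIGNED PA
mnt-by:         COMTEL-MNT
source:         RIPE # Filtered
"""

# RPSL attribute line of the form "inetnum: <first address> - <last address>".
INETNUM_RE = re.compile(
    r"^inetnum:[ \t]*([\d.]+)[ \t]*-[ \t]*([\d.]+)[ \t]*$", re.MULTILINE
)


def inetnum_ranges(whois_text):
    """Return a (first, last) IPv4Address pair for each inetnum attribute."""
    ranges = []
    for first, last in INETNUM_RE.findall(whois_text):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"inverted inetnum range: {first} - {last}")
        ranges.append((lo, hi))
    return ranges


def range_to_cidrs(lo, hi):
    """Smallest list of CIDR prefixes covering exactly lo..hi.

    A registry range need not sit on one prefix boundary, so the result
    can hold several networks.
    """
    return list(ipaddress.summarize_address_range(lo, hi))


def covering_entry(net, blocklist):
    """Return the blocklist network that already contains net, or None."""
    for entry in blocklist:
        if entry.version == net.version and net.subnet_of(entry):
            return entry
    return None


def plan_blocklist_update(whois_text, blocklist):
    """Split the registered prefixes into those already blocked and those to add."""
    already, to_add = [], []
    for lo, hi in inetnum_ranges(whois_text):
        for net in range_to_cidrs(lo, hi):
            entry = covering_entry(net, blocklist)
            if entry is None:
                to_add.append(net)
            else:
                already.append((net, entry))
    return already, to_add


if __name__ == "__main__":
    # Existing entry as quoted in the reply in the thread.
    existing = [ipaddress.ip_network("193.254.32.0/19")]
    already, to_add = plan_blocklist_update(WHOIS_REPLY, existing)
    for net, entry in already:
        print(f"{net} is already covered by {entry}")
    for net in to_add:
        print(f"add {net}")
```

With the values quoted in the thread, the registered range is the single prefix 193.254.48.0/20, which lies inside 193.254.32.0/19.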