From brian.nisbet at heanet.ie Fri Jul 1 16:24:52 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 01 Jul 2011 15:24:52 +0100
Subject: [anti-abuse-wg] Draft Minutes - RIPE 63
Message-ID: <4E0DD8B4.4080802@heanet.ie>

Colleagues,

These are the draft minutes from RIPE 53, apologies for the delay, the lovely folk from the NCC had them a while ago, I was just slow in reviewing them and passing them on. As always, please let me know if you have any comments or corrections:

RIPE Anti-Abuse Working Group: Draft Minutes – RIPE 62

Thursday, 4 May 2011
14:00-15:30
Co-Chairs: Brian Nisbet and Tobias Knecht
Scribe: Fergal Cunningham
Chat Monitor: Sandra Brás

A. Administrative Matters

• Welcome

Working Group co-Chair Brian Nisbet welcomed attendees. He thanked the scribe, chat monitor and stenographer, and he asked that those asking questions clearly state their name and affiliation.

• Approve Minutes from RIPE 61

Brian noted that there were some initial comments and the minutes were updated accordingly. He asked if there were any further comments. There were none and Brian deemed the minutes from RIPE 61 to be formally approved.

• New Working Group Co-Chair

Tobias Knecht was formally approved as the new Anti-Abuse Working Group co-Chair. Brian said that Tobias would help to resurrect the best common practice document process. Brian said two documents would be produced – an administrative document and a technical document.

• Finalise agenda

There were no additions to the agenda.

B. Update

B1. Recent List Discussion

Brian noted that there was a lot of discussion in the past few months. He said the Abuse Contact Task Force was addressing some issues and some were being addressed by the ripe-517 Closure and Deregistration document. He proposed that the working group not delve into those issues at that time.

B2. Admin Tools for Blackhole Administration - Ingvar Mattsson, Google

The presentation is available at:
http://ripe62.ripe.net/presentations/155-blackholeslides.pdf

David Freedman from Claranet said this approach was to be commended. He said he had a similar in-house tool and if anyone wanted to know more about that he could show them afterwards. He said the main problem is if prefixes are not reaped and remain in blackholing. He said the support team needs to be aware of what's going on and it must be done in an intelligent way.

Ingvar asked if it was more pleasant to use blackholing and David said it was.

B3. Arbor 2010 Infrastructure Security Report - Darren Anstee, Arbor Networks

The presentation is available at:
http://ripe62.ripe.net/presentations/88-Darren-Anstee-AA-RIPE-2011-DDoS_Trends.ppt.pdf

Ian Meikle, RIPE Measurement, Analysis and Tools (MAT) Working Group co-Chair, noted that Darren would talk about the ATLAS initiative at the MAT Working Group session.

Wout de Natris, Chair of the Cybercrime Working Party, asked if the rise of DDoS attacks was down to criminal or political reasons.

Darren said he was not sure. He thought there might be a fair mixture of both, but he said people could look and draw their own conclusions.

Wout said he attended a meeting on botnets, where it was noted that attacks from mobile devices were not a problem yet. He asked if this was becoming a problem.

Darren said more attack traffic was coming from mobile devices. He said Symantec have seen a growth in malware targeted at smart devices and it is probably only a matter of time before we see attacks coming from smart devices.

Wout asked if Darren had tips for developing countries.

Darren said diagnostic ACLs and flow tools could be used if these countries did not want to use commercial products to detect DDoS attacks.

Daniel Karrenberg, Chief Scientist at the RIPE NCC, asked if on the Port 53 attacks there was any differentiation on whether the attack traffic was queries or responses.

Darren said there was not.

Daniel asked for more details, saying it would be interesting to see how the relative proportion was reflected in the attacks. He said he suspected a fair amount of reflection was going on.

Darren said he would be asking what people wanted to see from the Atlas initiative, and he said this is one area they would be looking at.

Paul Germano, Google, asked if the data received was just megabits per second and Darren said this was indeed the case.

C. Policies

• Abuse Contact Management Task Force

Brian said that the three proposals (2010-08, 2010-09 and 2010-10) that were presented at RIPE 61 were withdrawn and that the Abuse Contact Management Task Force was formed to look at the issues or concerns in the three proposals. Brian gave an update from the task force, which is available at:
http://ripe62.ripe.net/presentations/175-acm_tf_ripe62.ppt

Brian asked if there were any questions. There were no questions, and Brian took this to be approval to continue with the work of the task force.

D. Interactions

D1. Working Groups

Brian said the Database Working Group was the one the Anti-Abuse Working Group interacted with the most. He said that the main interaction with that group currently was concerned with the work of the Abuse Contact Management Task Force.

D2. Cybercrime Working Party Update - Wout de Natris

(No presentation was uploaded)

Wout de Natris, Chair of the Cybercrime Working Party (CCWP), described the meetings he attended and presented at on behalf of the CCWP. He said that the main area the CCWP was looking into was training law enforcement agencies (LEAs) on the use of tools and databases that would help them in their work. He said a template for information requests would be created to send requests to the RIPE NCC. He said a list of LEA contacts would enable LEA officials to easily contact each other and share experiences. He said LEAs would look at coming up with a list of topics that they would want to discuss with the RIPE community.

Wout asked the RIPE community what it would like to discuss with LEAs. He said people should bring issues to the CCWP if they wanted clarification from LEAs.

Wout concluded by noting that the CCWP was making progress, and he reiterated that the process was a two-way street. He said LEAs could use the group to bring forward their concerns and the RIPE community could do likewise.

Frank Salanitri, APNIC, said APNIC's IRT object contact address received up to 30,000 abuse mails and that it was impossible to check these on an individual basis. He suggested they might be used for IP reputation services. He said, potentially, they could show the most abused allocations and the countries the abuse came from. He said this information could be logged in a database that could be made available to researchers.

Wout asked if APNIC had contacted the Australian and New Zealand active anti-spam LEAs.

Pablo Hinojosa, APNIC Public Affairs Officer, said APNIC was corresponding with these groups and was actively looking for ways to increase cooperation.

D3. RIPE NCC Government/LEA Interactions Update

Brian said a number of things have happened to give encouragement to RIPE and the RIPE NCC's interactions with LEAs. He said the engagement of LEAs with the RIPE community has increased, and they have shown a greater understanding of the issues at hand. He said LEAs recognised the need to keep a good registry database.

Brian said LEAs were happy with RIPE Policy Proposal 2010-06 on registration of IPv6 in the RIPE Database.

He said the RIPE NCC procedural document, ripe-517, on closure and deregistration of LIRs was a positive step because it reduces the ability to abuse mechanisms there.

Brian added that they also talked about what is likely to happen following the exhaustion of the IPv4 address pool. He said interaction with both LEAs and government agencies would continue.

Brian noted that there are issues being discussed on the RIPE Address Policy Working Group mailing list that the Anti-Abuse Working Group should look at. He said the RPKI discussion should be of particular note and he asked everyone to pay close attention to these issues.

X. AOB

There was no other business to attend to. Brian asked for items for RIPE 63. He noted that Tobias would talk about the best common practice documents at RIPE 63 and he promised to have those documents posted to the mailing list. Brian thanked the attendees and said he looked forward to the next meeting in Vienna.

Recordings of all presentations and discussion in the RIPE Anti-Abuse Working Group session at RIPE 62 are available at:
http://ripe62.ripe.net/archives#Thursday

From brian.nisbet at heanet.ie Fri Jul 1 17:11:25 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 01 Jul 2011 16:11:25 +0100
Subject: [anti-abuse-wg] Draft Minutes - RIPE 62
In-Reply-To: <4E0DD8B4.4080802@heanet.ie>
References: <4E0DD8B4.4080802@heanet.ie>
Message-ID: <4E0DE39D.5080601@heanet.ie>

And apparently I don't know when I am.

No matter what I might claim in the subject or even in the text below, these are the minutes for RIPE 62, held in Amsterdam in May 2011!

Brian.

"Brian Nisbet" wrote the following on 01/07/2011 15:24:
> Colleagues,
>
> These are the draft minutes from RIPE 53, apologies for the delay, the
> lovely folk from the NCC had them a while ago, I was just slow in
> reviewing them and passing them on. As always, please let me know if you
> have any comments or corrections:

From pettai at nordu.net Mon Jul 4 22:48:18 2011
From: pettai at nordu.net (Fredrik Pettai)
Date: Mon, 4 Jul 2011 22:48:18 +0200
Subject: [anti-abuse-wg] Draft Minutes - RIPE 62
In-Reply-To: <4E0DE39D.5080601@heanet.ie>
References: <4E0DD8B4.4080802@heanet.ie> <4E0DE39D.5080601@heanet.ie>
Message-ID: <4C3BD356-4A3F-4A55-B731-4F004D23BA12@nordu.net>

Working from the local pub again, are we? :-)

Cheers,
/P

On Jul 1, 2011, at 5:11 PM, Brian Nisbet wrote:

> And apparently I don't know when I am.
>
> No matter what I might claim in the subject or even in the text below, these are the minutes for RIPE 62, held in Amsterdam in May 2011!
>
> Brian.

From world.antispam.report at inbox.com Sun Jul 24 18:43:28 2011
From: world.antispam.report at inbox.com (Pierre Tanguay)
Date: Sun, 24 Jul 2011 08:43:28 -0800
Subject: [anti-abuse-wg] A simple question about RIPE registrations:=>
In-Reply-To: <20110724160701.22916.35967.Mailman@postboy.ripe.net>
Message-ID: <7F4E51FF130.00000421world.antispam.report@inbox.com>

When we see that one network who got its IP block numbers through RIPE, and has obviously false and misleading information and data such as bogus email addresses, bogus civic address as well as for any other data information, does RIPE have any regulation concerning the data that their customers agree upon when give them those infos and data through any means which includes Internet based emails?

Because, if anybody located in the Internet territory managed by RIPE may represent a much lower value.
In the sense:
-What's the interest for RIPE to cumulate and manage false & misleading data?

Second, how many times either per second, per minutes, per days or per month can any RIPE IP# block assigned person or corporate can change his/her data on RIPE registration? Otherwise said, can it be done "On line"?

Thanks in advance.

Pierre.

From michele at blacknight.ie Sun Jul 24 19:04:37 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Sun, 24 Jul 2011 17:04:37 +0000
Subject: [anti-abuse-wg] A simple question about RIPE registrations:=>
In-Reply-To: <7F4E51FF130.00000421world.antispam.report@inbox.com>
References: <7F4E51FF130.00000421world.antispam.report@inbox.com>
Message-ID: <629FD55A-A073-46A7-8800-28A67D0351D6@blacknight.ie>

On 24 Jul 2011, at 17:43, Pierre Tanguay wrote:

> When we see that one network who got its IP block numbers through RIPE, and has obviously false and misleading information and data such as bogus email addresses, bogus civic address as well as for any other data information, does RIPE have any regulation concerning the data that their customers agree upon when give them those infos and data through any means which includes Internet based emails?

Pierre

Are you talking about LIRs? Or are you simply talking about IP assignments? ie. if LIR X allocated a block of IPs to one of their customers?

If the LIR's data is invalid then I'd probably raise the issue with RIPE, but if it's an assignment by a LIR to a customer then I suspect you need to talk to the LIR ..

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From world.antispam.report at inbox.com Tue Jul 26 02:16:18 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Mon, 25 Jul 2011 16:16:18 -0800
Subject: [anti-abuse-wg] 1St bogus RIPE reggies fact:=>
In-Reply-To: <11072411041047_B93@oregon.uoregon.edu>
Message-ID: <8FD51F368F2.00000375world.antispam.report@inbox.com>

Take note! The present is BCC'ed to concerned persons.

We first go with the original SPAM. Take note that I still possess the original in a given mailbox. After, below that spam data will come the "Questions", Ok?...

==========================================
Received: from simonbutcher73 at aol.com by (64.135.83.95:25) via ims-m14.mx.aol.com (64.12.207.147:58265) with [InBox.Com SMTP Server] id 1107232150020.WH95 for XXXX at inbox.com; Sat, 23 Jul 2011 21:50:06 -0800
Received: from oms-db01.r1000.mx.aol.com (oms-db01.r1000.mx.aol.com [205.188.58.1]) by ims-m14.mx.aol.com (8.14.1/8.14.1) with ESMTP id p6O5nQQt023644; Sun, 24 Jul 2011 01:49:26 -0400
Received: from mtaomg-ma03.r1000.mx.aol.com (mtaomg-ma03.r1000.mx.aol.com [172.29.41.10]) by oms-db01.r1000.mx.aol.com (AOL Outbound OMS Interface) with ESMTP id B2A751C000081; Sun, 24 Jul 2011 01:49:26 -0400 (EDT)
Received: from core-mua004b.r1000.mail.aol.com (core-mua004.r1000.mail.aol.com [172.29.237.141]) by mtaomg-ma03.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 73A6EE000081; Sun, 24 Jul 2011 01:49:26 -0400 (EDT)
To: bradanddebs at blueyonder.co.uk, greg at hartworks.go-plus.net, fonida at tiscali.it, alessandralabate at hotmail.com, hugandas at hotmail.com, gansklos at gmail.com, wyn at doke.fsnet.co.uk, lyricals at hotmail.com, aholden1 at blueyonder.co.uk, XXXXX at inbox.com
Content-Transfer-Encoding: 8bit
Subject:
X-MB-Message-Source: WebUI
X-AOL-IP: 110.55.218.190
X-MB-Message-Type: User
MIME-Version: 1.0
From: Simon Heale
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailer: Webmail 33996-STANDARD
Received: from 110.55.218.190 by webmail-m061.sysops.aol.com (64.12.158.161) with HTTP (WebMailUI); Sun, 24 Jul 2011 01:49:26 -0400
Message-Id: <8CE17DC94DC726E-BB8-20321 at webmail-m061.sysops.aol.com>
X-Originating-IP: [110.55.218.190]
Date: Sun, 24 Jul 2011 01:49:26 -0400 (EDT)
x-aol-global-disposition: S
X-SPAM-FLAG:YES
X-AOL-SCOLL-SCORE: 0:2:142936448:93952408
X-AOL-SCOLL-URL_COUNT: 0
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d290a4e2bb2662c2a
X-Spam-Ratio: 3.41

http://0331c66.netsolhost.com/nopl.php
==========================================

Anybody can tell me please what "X-Originating-IP: [110.55.218.190]" means? Could it ever mean what I can read on that website:=>
http://network-tools.com/default.asp?prog=network&host=110.55.218.190

Quite a "Standard Usual" SPAM emanating from abuse at bayan.com.ph who gave a right valid abuse email address! No problem! Next...

What was that SPAM advertise about? I'd be curious to know if the SPAM was sent by human being or a trojan? Thus, the SPAM requested me to visit this specific website:=> 0331c66.netsolhost.com/nopl.php for which my browser was redirected toward the website: adurgomas.com...

Ok! "Who" are these persons?
-adurgomas.com = [95.64.61.92] Romanian netserv.ro & hostingfrenzy.org. Registered at RIPE by Mr."Noreply Mozzart SRL" residing in Bucharest.

Let's now have a look how this "RIPE" network behaves on the Internet:=>
http://www.senderbase.org/senderbase_queries/detailip?search_string=95.64.61.92

Every IPs are blacklisted for "X" reasons! Ahum! Ok! Let's help the poor guy by advising him that most if not all of his computers are obviously infected by trojans!

Mail to : abuse-mailbox:=> noc at hostingfrenzy.org as specified by "RIPE" registrations of that network... You know what?... This under:=>

-----Original Message-----
From: recycle at inbox.com
Sent: Mon, 25 Jul 2011 08:28:52 +0000
To: XXXXX at inbox.com
Subject: Error sending message [1107240655006.WM29] from [WM29.inbox.com]

Error sending message [1107240655006.WM29] from [WM29.inbox.com].
Mail From:
Rcpt To:
Repeated: <7>
Last Try: <7/25/2011 8:28:31 AM>

The reason of the delivery failure was:
Can not connect to SMTP server .

Here is listed the initial part of the message:

Received: from inbox.com (127.0.0.1:25) by inbox.com with [InBox.Com SMTP Server] id <1107240655006.WM29> for from ; Sun, 24 Jul 2011 06:55:39 -0800
Mime-Version: 1.0
Date: Sun, 24 Jul 2011 06:55:39 -0800
Message-ID: <7E5D5003F8E.00000119XXXXX at inbox.com>
From: Mail Delivery System
Reply-To: abuse at localhost.com
Subject: AOL trojan Origin = Skyinet.net on redirecting toward romanian (RIPE) customer?:=>
To: reportspam at networksolutions.com
Cc: abuse at skyinet.net, ripe at netserv.ro, noc at hostingfrenzy.org, aa-wg-chairs at ripe.net
X-Mailer: INBOX.COM
X-Originating-IP: 66.158.156.184
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-IWM-ACU: REl3BNnDDtYo_Gixnf_X636zN3IcUjM7X2Uq_c5rDLG6_-tGybg_57M_8HqL
 GIO69kAPSNwT-VbpnNWH3dXO-aLNWa-8bs2_dHluQcZwtHdRl0OrdcPgL81j
 kSGLDlBA59M-5Y78y

Tagalog bersyon ay dito sa ibaba: =3D>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=================================

In conclusion, I repeat my question:=>

Is it a fact that anybody can give any false and misleading information to RIPE about registration of IP# block numbers? Because if RIPE do not have any rule of conduct, that becomes an ideal tool to carry all kind of criminal activities.

Second question, does any IP# block number recipient who paid fees ($) to obtain a given block number is authorized to resell subnets (Part of block numbers) to evade his responsibilities toward any RIPE regulations if any does exist in fact?

In closing this e-mail, I would like to mention that I have in archive quite a few SPAM for which the given network provided forged & misleading data to RIPE. What is worse is that RIPE do not appear to have a webpage where such forgeries can be reported.

That was that!
antispam.report at inbox.com

From michele at blacknight.ie Tue Jul 26 11:09:11 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 26 Jul 2011 09:09:11 +0000
Subject: [anti-abuse-wg] 1St bogus RIPE reggies fact:=>
In-Reply-To: <8FD51F368F2.00000375world.antispam.report@inbox.com>
References: <8FD51F368F2.00000375world.antispam.report@inbox.com>
Message-ID: <36D7F098-7577-43C0-A02A-A9EC8EDBB3C1@blacknight.ie>

OK, so why don't you make a constructive proposal?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://invadeeurope.eu
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Tue Jul 26 11:33:07 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 26 Jul 2011 15:03:07 +0530
Subject: [anti-abuse-wg] 1St bogus RIPE reggies fact:=>
In-Reply-To: <36D7F098-7577-43C0-A02A-A9EC8EDBB3C1@blacknight.ie>
References: <8FD51F368F2.00000375world.antispam.report@inbox.com> <36D7F098-7577-43C0-A02A-A9EC8EDBB3C1@blacknight.ie>
Message-ID:

On Tue, Jul 26, 2011 at 2:39 PM, Michele Neylon :: Blacknight wrote:
> OK, so why don't you make a constructive proposal?

Is it actually worthwhile complaining about fake Romanian LIRs - and are there any legitimate LIRs at all in that country would be the two followup questions :)

More seriously - a complaint mechanism like ICANN's WDPRS might be an idea here.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From world.antispam.report at inbox.com Wed Jul 27 03:11:04 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Tue, 26 Jul 2011 17:11:04 -0800
Subject: [anti-abuse-wg] Michele? (Was:1St bogus RIPE reggies fact):=>
In-Reply-To: <36D7F098-7577-43C0-A02A-A9EC8EDBB3C1@blacknight.ie>
References: <8fd51f368f2.00000375world.antispam.report@inbox.com>
Message-ID: <9CE229AFE95.00000877world.antispam.report@inbox.com>

I never thought that I would be the one who'd have to make a "Proposal". I rather thought that there had already been regulations in that matter?

Beside, I am not a "Pro" in Internet, you guys are! But, how long did your fingers begin to bang a keyboard connected to the Internet?
-Me, over 14 years.

Here, I only mean that during the (Over) ~15 years that went by, nobody had the weird feeling that it had to show up? What was done during the last 2 years regarding the hoaxed IP Block# assignment? Bogus registrations?

What if someone serious who's earning his bread & butter with Internet, wants to report a clown that doesn't stop giving false and misleading data time after time to RIPE and ICANN? From what I can understand out of your reaction, nothing's done yet?

'Coze, if nothing exists, the only other choice is to blacklist directly whole IP block# directly in the router. The easiest way to proceed.

If nobody has time to care, how come a few SPAMMED one would take time? Does the rest of world care much about what's on line in Bucharest?

Anyhow, since RIPE is absolutely useless, I'll think of something else.

Later.

================================

> -----Original Message-----
> From: michele at blacknight.ie
> Sent: Tue, 26 Jul 2011 09:09:11 +0000
> To: abuse at localhost.com
> Subject: Re: [anti-abuse-wg] 1St bogus RIPE reggies fact:=>
>
> OK, so why don't you make a constructive proposal?

From athina.fragkouli at ripe.net Wed Jul 27 10:46:49 2011
From: athina.fragkouli at ripe.net (Athina Fragkouli)
Date: Wed, 27 Jul 2011 10:46:49 +0200
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
Message-ID: <4E2FD079.8040803@ripe.net>

Dear Pierre, all,

In response to your emails, here is some general information on this matter.

The RIPE NCC requests that the LIRs provide the RIPE NCC with truthful information, as well as correctly maintain their registration in the RIPE Database at all times. If an LIR fails to do so, the RIPE NCC will terminate the service agreement with this LIR and deregister the Internet number resources allocated to it.

More information about this procedure can be found in the RIPE NCC procedural document "Closure of LIR and Deregistration of Internet Number Resources", available at:
https://www.ripe.net/ripe/docs/ripe-517

The RIPE NCC handles abuse complaints sent by third parties. Anyone can send a complaint to abuse at ripe.net.

As well as the procedures already in place, the RIPE community recently formed the Abuse Contact Management Task Force (ACM-TF), which is examining policy proposals around the issue of managing the abuse contact field in the RIPE Database. More information about the task force can be found at:
https://www.ripe.net/ripe/groups/tf/abuse-contact

Hope this clarifies the existing procedures, if you have any further questions, please do not hesitate to contact us.

Kind regards,
Athina Fragkouli
RIPE NCC

From thor.kottelin at turvasana.com Wed Jul 27 13:12:30 2011
From: thor.kottelin at turvasana.com (Thor Kottelin)
Date: Wed, 27 Jul 2011 14:12:30 +0300
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E2FD079.8040803@ripe.net>
References: <4E2FD079.8040803@ripe.net>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
> admin at ripe.net] On Behalf Of Athina Fragkouli
> Sent: Wednesday, July 27, 2011 11:47 AM
> To: anti-abuse-wg at ripe.net

> The RIPE NCC requests that the LIRs provide the RIPE NCC with
> truthful
> information, as well as correctly maintain their registration in
> the
> RIPE Database at all times. If an LIR fails to do so, the RIPE NCC
> will
> terminate the service agreement with this LIR and deregister the
> Internet number resources allocated to it.
>
> More information about this procedure can be found in the RIPE NCC
> procedural document "Closure of LIR and Deregistration of Internet
> Number Resources", available at:
> https://www.ripe.net/ripe/docs/ripe-517
>
> The RIPE NCC handles abuse complaints sent by third parties. Anyone
> can
> send a complaint to abuse at ripe.net.

Can you estimate how many cases of incorrect registration data third parties have reported to the RIPE NCC since RIPE-517 became effective and how the final results of those reports are distributed between e.g. compliance and deregistration?
--
Thor Kottelin
http://www.anta.net/

From ops.lists at gmail.com Wed Jul 27 13:50:44 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 27 Jul 2011 17:20:44 +0530
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4E2FD079.8040803@ripe.net>
Message-ID:

And if possible a geographical breakdown of regions from which LIRs were de-registered.

On Wed, Jul 27, 2011 at 4:42 PM, Thor Kottelin wrote:
>
> Can you estimate how many cases of incorrect registration data third parties
> have reported to the RIPE NCC since RIPE-517 became effective and how the
> final results of those reports are distributed between e.g. compliance and
> deregistration?
>

-- Suresh Ramasubramanian (ops.lists at gmail.com)

From world.antispam.report at inbox.com Wed Jul 27 15:20:50 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Wed, 27 Jul 2011 05:20:50 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E2FD079.8040803@ripe.net>
Message-ID:

Thank you so much Dear Athina.

You sure made all this very concise. However, I guess that I don't have so many of these "Erroneous" registration data. Simply because as all societies of homosapiens on planet earth are quite a bit of the same thing: -Most are the "Simple Average" individual. Crooked minds amount to much less than 5% of any given population, at most.

In short, I do not expect to submit more than (1-3) "Request for data update" for any network to whom RIPE would have allocated IP#. Moreover, before doing so, I would substantiate my claim in a formal manner so that the claim cannot be denied. The only thing left to do would be to verify the whole.

Otherwise, RIPE could be flooded by complaints? And organized abusers would have reasons to flood abuse (at) RIPE?
This is why, in my thoughts, I feel it is a good thing that such complaints are signified by people who possess a minimal amount of skills within that matter?

However, I will simply follow the rules as long as there are rules, I am happy!

In hope that all Internet IP registration organisms such as RIPE will jump aboard, which may not be the case at present time because of language, I sincerely thank you, Athina.

antispam.reporter.

> -----Original Message-----
> From: athina.fragkouli at ripe.net
> Sent: Wed, 27 Jul 2011 10:46:49 +0200
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in
> the RIPE Database
>
> Dear Pierre, all,
>
> In response to your emails, here is some general information on this
> matter.
>
> The RIPE NCC requests that the LIRs provide the RIPE NCC with truthful
> information, as well as correctly maintain their registration in the
> RIPE Database at all times. If an LIR fails to do so, the RIPE NCC will
> terminate the service agreement with this LIR and deregister the
> Internet number resources allocated to it.
>
> More information about this procedure can be found in the RIPE NCC
> procedural document "Closure of LIR and Deregistration of Internet
> Number Resources", available at:
> https://www.ripe.net/ripe/docs/ripe-517
>
> The RIPE NCC handles abuse complaints sent by third parties. Anyone can
> send a complaint to abuse at ripe.net.
>
> As well as the procedures already in place, the RIPE community recently
> formed the Abuse Contact Management Task Force (ACM-TF), which is
> examining policy proposals around the issue of managing the abuse
> contact field in the RIPE Database. More information about the task
> force can be found at:
> https://www.ripe.net/ripe/groups/tf/abuse-contact
>
> Hope this clarifies the existing procedures, if you have any further
> questions, please do not hesitate to contact us.
>
> Kind regards,
> Athina Fragkouli
> RIPE NCC

From world.antispam.report at inbox.com Wed Jul 27 15:33:22 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Wed, 27 Jul 2011 05:33:22 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net>
Message-ID:

I personally find this (By region) segregative. It only can lead to segregation. Against all concepts of the Internet.

If Martians want to access the Internet? Ok! No problem but as long as they behave in a civil manner. Same thing for the "Kinglons" from planet #45067.

No single individual has ever been the basic mold for all of us. That was proven false so very often in history. Do not initiate this here please?

antispam.report

> -----Original Message-----
> From: ops.lists at gmail.com
> Sent: Wed, 27 Jul 2011 17:20:44 +0530
> To: thor.kottelin at turvasana.com
> Subject: Re: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information
> in the RIPE Database
>
> And if possible a geographical breakdown of regions from which LIRs
> were de-registered.
>
> On Wed, Jul 27, 2011 at 4:42 PM, Thor Kottelin
> wrote:
>>
>> Can you estimate how many cases of incorrect registration data third
>> parties
>> have reported to the RIPE NCC since RIPE-517 became effective and how
>> the
>> final results of those reports are distributed between e.g. compliance
>> and
>> deregistration?
>>
>
>
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)
From world.antispam.report at inbox.com Wed Jul 27 15:46:19 2011
From: world.antispam.report at inbox.com (abuse@localhost.com)
Date: Wed, 27 Jul 2011 05:46:19 -0800
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To:
References: <4e2fd079.8040803@ripe.net>
Message-ID:

I would personally expect a number at most. "Who, Where, what region" is in my view, confidential.

It was already said by Athina Fragkouli that RIPE just acquired that new bike not so long ago. Got it approved, put license plates on it and began to take its first rides on it... What do you expect? 10,000 deregistrations? I don't think that the best one can do just as he receives his brand new car is to ride it top speed.

In short, just file well corroborated complaints for filthy registrations to begin with, and let them go! If the weird filthy registration come back over & over even after months that the complaint was forwarded to RIPE, we'll see...

But for now... Why wouldn't you give it a little push forward, Hum?

antispam.report

> -----Original Message-----
> From: thor.kottelin at turvasana.com
> Sent: Wed, 27 Jul 2011 14:12:30 +0300
> To: anti-abuse-wg at ripe.net
> Subject: RE: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information
> in the RIPE Database
>
>> -----Original Message-----
>> From: anti-abuse-wg-admin at ripe.net [mailto:anti-abuse-wg-
>> admin at ripe.net] On Behalf Of Athina Fragkouli
>> Sent: Wednesday, July 27, 2011 11:47 AM
>> To: anti-abuse-wg at ripe.net
>
>> The RIPE NCC requests that the LIRs provide the RIPE NCC with
>> truthful
>> information, as well as correctly maintain their registration in
>> the
>> RIPE Database at all times. If an LIR fails to do so, the RIPE NCC
>> will
>> terminate the service agreement with this LIR and deregister the
>> Internet number resources allocated to it.
>>
>> More information about this procedure can be found in the RIPE NCC
>> procedural document "Closure of LIR and Deregistration of Internet
>> Number Resources", available at:
>> https://www.ripe.net/ripe/docs/ripe-517
>>
>> The RIPE NCC handles abuse complaints sent by third parties. Anyone
>> can
>> send a complaint to abuse at ripe.net.
>
> Can you estimate how many cases of incorrect registration data third
> parties
> have reported to the RIPE NCC since RIPE-517 became effective and how the
> final results of those reports are distributed between e.g. compliance
> and
> deregistration?
>
> --
> Thor Kottelin
> http://www.anta.net/

From ops.lists at gmail.com Thu Jul 28 04:39:43 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 08:09:43 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Message-ID:

Freshly added to spamhaus -

SBL114471 83.223.224.0/19 RIPE
28-Jul 02:24 GMT zombies : hijkacked ip block / spam ip block

SBL114472 94.250.128.0/18 RIPE
28-Jul 02:24 GMT zombies : hijacked IP block / spammer IP block

SBL114473 46.96.0.0/16 RIPE
28-Jul 02:22 GMT zombies : hijacked IP block / spammer IP block

SBL114470 188.164.0.0/16 RIPE
28-Jul 02:21 GMT zombies : hijacked ip block / spammer ip block

-- Suresh Ramasubramanian (ops.lists at gmail.com)

From ripe-anti-spam-wg at powerweb.de Thu Jul 28 10:12:38 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 28 Jul 2011 10:12:38 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References:
Message-ID: <4E3119F6.7010703@powerweb.de>

Suresh Ramasubramanian wrote:
> Freshly added to spamhaus -
>
> SBL114471 83.223.224.0/19 RIPE
> 28-Jul 02:24 GMT zombies : hijkacked ip block / spam ip block
>
>
> SBL114472 94.250.128.0/18 RIPE
> 28-Jul 02:24 GMT zombies : hijacked IP block / spammer IP block
>
>
> SBL114473 46.96.0.0/16 RIPE
> 28-Jul 02:22 GMT zombies : hijacked IP block / spammer IP block
>
>
> SBL114470 188.164.0.0/16 RIPE
> 28-Jul 02:21 GMT zombies : hijacked ip block / spammer ip block
>

Looks like to me, that RIPE NCC should definitely compare RIPE's netblocks to several blacklists. This will indicate hijacked or misused netblocks quite easily.

Also looks like to me, that we could keep IPv4 much longer, if all those blocks could be reallocated.

Kind regards, Frank

--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From ops.lists at gmail.com Thu Jul 28 10:24:31 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 13:54:31 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E3119F6.7010703@powerweb.de>
References: <4E3119F6.7010703@powerweb.de>
Message-ID:

Not a bad idea which is why I suggested something like the WDPRS to deal with this sort of case.

It is not like hijacking netblocks is anything new .. is there already some RIPE policy document on dealing with these?

On Thu, Jul 28, 2011 at 1:42 PM, Frank Gadegast wrote:
>
> Looks like to me, that RIPE NCC should definitely compare RIPE's netblocks
> to several blacklists. This will indicate hijacked or misused
> netblocks quite easily.
>
> Also looks like to me, that we could keep IPv4 much longer, if
> all those blocks could be reallocated.
>
>

-- Suresh Ramasubramanian (ops.lists at gmail.com)

From michele at blacknight.ie Thu Jul 28 10:37:17 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 28 Jul 2011 08:37:17 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E3119F6.7010703@powerweb.de>
References: <4E3119F6.7010703@powerweb.de>
Message-ID:

On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
>
> Looks like to me, that RIPE NCC should definitely compare RIPE's netblocks
> to several blacklists. This will indicate hijacked or misused
> netblocks quite easily.

That's out of scope for RIPE

Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Thu Jul 28 10:46:11 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 14:16:11 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E3119F6.7010703@powerweb.de>
Message-ID:

Let us put it this way - RIPE should check those lists for hijacked netblocks.
And evidence of other fraudulent behavior exhibited during the RIPE registration process (eg : the numerous fake LIRs, assigned PI / PA netblocks allocated to botmasters with fake whois etc)

On Thu, Jul 28, 2011 at 2:07 PM, Michele Neylon :: Blacknight wrote:
>
> On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
>
>>
>> Looks like to me, that RIPE NCC should definitely compare RIPE's netblocks
>> to several blacklists. This will indicate hijacked or misused
>> netblocks quite easily.
>
>
> That's out of scope for RIPE
>
> Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing

-- Suresh Ramasubramanian (ops.lists at gmail.com)

From ripe-anti-spam-wg at powerweb.de Thu Jul 28 10:48:29 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 28 Jul 2011 10:48:29 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E3119F6.7010703@powerweb.de>
Message-ID: <4E31225D.90607@powerweb.de>

Michele Neylon :: Blacknight wrote:
>
> On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
>
>>
>> Looks like to me, that RIPE NCC should definitely compare RIPE's netblocks
>> to several blacklists. This will indicate hijacked or misused
>> netblocks quite easily.
>
>
> That's out of scope for RIPE

Not at all out of scope.

You are right saying, that a listing does not prove anything, but it's a good indication (like I said above).

RIPE NCC could ask the member, what's going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.

RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right). It cannot be that assigned netblocks are used by non-members or members the netblock wasn't assigned to ...
Kind regards, Frank

>
> Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing
>
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://blacknight.mobi/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>

--
With kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From michele at blacknight.ie Thu Jul 28 11:46:52 2011
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 28 Jul 2011 09:46:52 +0000
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E31225D.90607@powerweb.de>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de>
Message-ID: <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie>

On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
>>
>
> Not at all out of scope.

I think it is out of scope

It is a slippery slope

Next you'll have people demanding that RIPE check what content is published on IP blocks ..

>
> You are right saying, that a listing does not prove anything,
> but it's a good indication (like I said above).

Not necessarily.
There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.

>
> RIPE NCC could ask the member, what's going on with that netblock,
> if they see a listing. I guess a lot of members do not
> even realize, that their old netblocks are routed
> somewhere else.
>
> RIPE NCC has to check the use of assigned netblocks anyway
> (if I understand some rules right).

No - the "usage" is related to the assignment rules

> It cannot be that
> assigned netblocks are used by non-members or members
> the netblock wasn't assigned to ...

Sorry, but I don't understand what you mean here

regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Thu Jul 28 12:19:17 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 15:49:17 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie>
Message-ID:

Slippery slope is a rather poor logical fallacy to bring up

Nobody is obligating RIPE to treat anything as conclusive evidence

Simply that they do some proactive monitoring instead of waiting for complaints

And that they have some published SOP for dealing with and recovering hijacked ranges, or those obtained under false pretences [SOP != policy, goes a bit beyond that]

On Thu, Jul 28, 2011 at 3:16 PM, Michele Neylon :: Blacknight wrote:
>
> On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
>>>
>>
>> Not at all out of scope.
>
> I think it is out of scope
>
> It is a slippery slope
>
> Next you'll have people demanding that RIPE check what content is published on IP blocks ..
>
>
>
>>
>> You are right saying, that a listing does not prove anything,
>> but it's a good indication (like I said above).
>
> Not necessarily.
>
> There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
>
>
>>
>> RIPE NCC could ask the member, what's going on with that netblock,
>> if they see a listing. I guess a lot of members do not
>> even realize, that their old netblocks are routed
>> somewhere else.
>>
>> RIPE NCC has to check the use of assigned netblocks anyway
>> (if I understand some rules right).
>
> No - the "usage" is related to the assignment rules
>
>
>> It cannot be that
>> assigned netblocks are used by non-members or members
>> the netblock wasn't assigned to ...
>
> Sorry, but I don't understand what you mean here
>
> regards
>
> Michele
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://blacknight.mobi/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>

-- Suresh Ramasubramanian (ops.lists at gmail.com)

From ripe-anti-spam-wg at powerweb.de Thu Jul 28 12:33:59 2011
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 28 Jul 2011 12:33:59 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie>
Message-ID: <4E313B17.3010600@powerweb.de>

Michele Neylon :: Blacknight wrote:
>
> On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
>>>
>>
>> Not at all out of scope.
>
> I think it is out of scope
>
> It is a slippery slope
>
> Next you'll have people demanding that RIPE check what content is published on IP blocks ..

Good idea.

Other organisations are monitoring content too to prevent abuse, like search engines that do not even want results from hacked sites in their index.

RIPE is definitely responsible for any abuse, whatever it is.

Let's have an example:
A hijacker is using some netblocks to attack a big bank. They are flooded from this IP block and the attacker also sets up a lot of phishing servers using these IPs.

Will RIPE ask the LIR about what's going on with his assignment?
Will RIPE deroute this netblock at all?
Just after the bank complains?
After somebody complains to RIPE that there are phishing servers on this netblock?

What will happen?

Can't be, that RIPE is doing nothing (in my opinion). And it would be very interesting what RIPE would do right now in this scenario.
Who knows more?

Kind regards, Frank

>
>
>
>>
>> You are right saying, that a listing does not prove anything,
>> but it's a good indication (like I said above).
>
> Not necessarily.
>
> There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
>
>
>>
>> RIPE NCC could ask the member, what's going on with that netblock,
>> if they see a listing. I guess a lot of members do not
>> even realize, that their old netblocks are routed
>> somewhere else.
>>
>> RIPE NCC has to check the use of assigned netblocks anyway
>> (if I understand some rules right).
>
> No - the "usage" is related to the assignment rules
>
>
>> It cannot be that
>> assigned netblocks are used by non-members or members
>> the netblock wasn't assigned to ...
>
> Sorry, but I don't understand what you mean here
>
> regards
>
> Michele
>
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://blacknight.mobi/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>
>
>

--
With kind regards,
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

From gert at space.net Thu Jul 28 12:53:11 2011
From: gert at space.net (Gert Doering)
Date: Thu, 28 Jul 2011 12:53:11 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E313B17.3010600@powerweb.de>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de>
Message-ID: <20110728105311.GI72014@Space.Net>

Hi,

On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
> RIPE is definitely responsible for any abuse, whatever it is.

So if you are hosting porn on your web site, and making it accessible to minors, why exactly would the RIPE NCC be responsible for that?

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen  HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444  USt-IdNr.: DE813185279

From aftab.siddiqui at gmail.com Thu Jul 28 12:55:38 2011
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Thu, 28 Jul 2011 15:55:38 +0500
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <4E313B17.3010600@powerweb.de>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de>
Message-ID:

If you check the weekly CIDR-Report then you will find certain prefixes in bogus adv head for many many months. NO RIR cares about it. We've been attacked/spammed/phished by such bogus prefix adv in past.

Regards, Aftab A.
Siddiqui

On Thu, Jul 28, 2011 at 3:33 PM, Frank Gadegast <ripe-anti-spam-wg at powerweb.de> wrote:

> Michele Neylon :: Blacknight wrote:
>
>>
>> On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
>>
>>>
>>>>
>>> Not at all out of scope.
>>>
>>
>> I think it is out of scope
>>
>> It is a slippery slope
>>
>> Next you'll have people demanding that RIPE check what content is
>> published on IP blocks ..
>>
>
> Good idea.
>
> Other organisations are monitoring content too to prevent abuse, like
> search engines that do not even want results from hacked sites
> in their index.
>
> RIPE is definitely responsible for any abuse, whatever it is.
>
> Let's have an example:
> A hijacker is using some netblocks to attack a big bank.
> They are flooded from this IP block and the attacker also
> sets up a lot of phishing servers using these IPs.
>
> Will RIPE ask the LIR about what's going on with his assignment?
> Will RIPE deroute this netblock at all?
> Just after the bank complains?
> After somebody complains to RIPE that there are phishing servers on this
> netblock?
>
> What will happen?
>
> Can't be, that RIPE is doing nothing (in my opinion).
> And it would be very interesting what RIPE would do right now
> in this scenario.
> Who knows more?
>
>
> Kind regards, Frank
>
>
>
>>
>>
>>
>>> You are right saying, that a listing does not prove anything,
>>> but it's a good indication (like I said above).
>>>
>>
>> Not necessarily.
>>
>> There are a multitude of reasons why an IP block can get listed - while it
>> *might* be an indicator that you or I can use for our own *private*
>> networks, it is not something that an organization like RIPE should be
>> doing, as there is absolutely no standard or certification of DNS
>> blacklists.
>>
>>
>>
>>> RIPE NCC could ask the member, what's going on with that netblock,
>>> if they see a listing. I guess a lot of members do not
>>> even realize, that their old netblocks are routed
>>> somewhere else.
>>>
>>> RIPE NCC has to check the use of assigned netblocks anyway
>>> (if I understand some rules right).
>>>
>>
>> No - the "usage" is related to the assignment rules
>>
>>
>> It cannot be that
>>> assigned netblocks are used by non-members or members
>>> the netblock wasn't assigned to ...
>>>
>>
>> Sorry, but I don't understand what you mean here
>>
>> regards
>>
>> Michele
>>
>> Mr Michele Neylon
>> Blacknight Solutions
>> Hosting & Colocation, Brand Protection
>> ICANN Accredited Registrar
>> http://www.blacknight.com/
>> http://blog.blacknight.com/
>> http://blacknight.mobi/
>> http://mneylon.tel
>> Intl. +353 (0) 59 9183072
>> US: 213-233-1612
>> UK: 0844 484 9361
>> Locall: 1850 929 929
>> Direct Dial: +353 (0)59 9183090
>> Twitter: http://twitter.com/mneylon
>> -------------------------------
>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
>> Park,Sleaty
>> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>>
>>
>>
>>
>>
>
> --
>
> With kind regards,
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
> Public PGP Key available for frank at powerweb.de
>
>

From brian.nisbet at heanet.ie Thu Jul 28 13:04:12 2011
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 28 Jul 2011 12:04:12 +0100
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <20110728105311.GI72014@Space.Net>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net>
Message-ID: <4E31422C.1030602@heanet.ie>

"Gert Doering" wrote the following on 28/07/2011 11:53:
> Hi,
>
> On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
>> RIPE is definitely responsible for any abuse, whatever it is.
>
> So if you are hosting porn on your web site, and making it accessible
> to minors, why exactly would the RIPE NCC be responsible for that?

Before this particular thread of the discussion goes any further can I please remind people that neither the RIPE NCC nor the charter of this WG deals with content.

If content breaks laws, then there are systems in place to deal with that on a per country basis and the NCC assists law enforcement when requested, however this mailing list is not the right place to debate matters of content.

Brian.

From ops.lists at gmail.com Thu Jul 28 13:08:40 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 16:38:40 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <20110728105311.GI72014@Space.Net>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net>
Message-ID:

Hi Gert

This discussion started off about netblocks allocated based on fake documentation, and hijacked netblocks

Can we please not stray out of this scope?

thanks
suresh

On Thu, Jul 28, 2011 at 4:23 PM, Gert Doering wrote:
>
> On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
>> RIPE is definitely responsible for any abuse, whatever it is.
>
> So if you are hosting porn on your web site, and making it accessible
> to minors, why exactly would the RIPE NCC be responsible for that?
>

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From aftab.siddiqui at gmail.com Thu Jul 28 13:09:32 2011
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Thu, 28 Jul 2011 16:09:32 +0500
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
In-Reply-To: <4E2FD079.8040803@ripe.net>
References: <4E2FD079.8040803@ripe.net>
Message-ID:

On Wed, Jul 27, 2011 at 1:46 PM, Athina Fragkouli wrote:

> Dear Pierre, all,
>
> In response to your emails, here is some general information on this
> matter.
>
> The RIPE NCC requests that the LIRs provide the RIPE NCC with truthful
> information, as well as correctly maintain their registration in the RIPE
> Database at all times. If an LIR fails to do so, the RIPE NCC will terminate
> the service agreement with this LIR and deregister the
> Internet number resources allocated to it.
>

What is the procedure to check if the information is valid or not? How can RIPE make a judgement?

>
> More information about this procedure can be found in the RIPE NCC
> procedural document "Closure of LIR and Deregistration of Internet Number
> Resources", available at:
> https://www.ripe.net/ripe/docs/ripe-517
>
> The RIPE NCC handles abuse complaints sent by third parties. Anyone can
> send a complaint to abuse at ripe.net.
>

Never received a positive response from abuse at ripe

>
> As well as the procedures already in place, the RIPE community recently
> formed the Abuse Contact Management Task Force (ACM-TF), which is examining
> policy proposals around the issue of managing the abuse contact field in the
> RIPE Database. More information about the task force can be found at:
> https://www.ripe.net/ripe/groups/tf/abuse-contact
>
> Hope this clarifies the existing procedures, if you have any further
> questions, please do not hesitate to contact us.
>
> Kind regards,
> Athina Fragkouli
> RIPE NCC
>
>

Regards,

Aftab A. Siddiqui

From gert at space.net Thu Jul 28 13:13:06 2011
From: gert at space.net (Gert Doering)
Date: Thu, 28 Jul 2011 13:13:06 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To:
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net>
Message-ID: <20110728111306.GJ72014@Space.Net>

Hi,

On Thu, Jul 28, 2011 at 04:38:40PM +0530, Suresh Ramasubramanian wrote:
> This discussion started off about netblocks allocated based on fake
> documentation, and hijacked netblocks
>
> Can we please not stray out of this scope?

I wasn't the one that said "RIPE is ... responsible for any abuse".

I just tried to point out how ridiculous that is.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Executive Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            VAT ID: DE813185279

From ops.lists at gmail.com Thu Jul 28 13:15:15 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 28 Jul 2011 16:45:15 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <20110728111306.GJ72014@Space.Net>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net> <20110728111306.GJ72014@Space.Net>
Message-ID:

Thanks for making that clear - but maybe fighting fire with fire isn't going to work here.

Can we turn back to the question that was actually raised in the thread?

1. A complaint mechanism
2. Sources for RIPE NCC to do proactive research on misallocations / hijacks

On Thu, Jul 28, 2011 at 4:43 PM, Gert Doering wrote:
>
> I wasn't the one that said "RIPE is ... responsible for any abuse".
>
> I just tried to point out how ridiculous that is.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From ebais at a2b-internet.com Thu Jul 28 14:12:57 2011
From: ebais at a2b-internet.com (Erik Bais)
Date: Thu, 28 Jul 2011 14:12:57 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <20110728105311.GI72014@Space.Net>
References: <4E3119F6.7010703@powerweb.de> <4E31225D.90607@powerweb.de> <864F93E1-D43C-4462-AF64-073E8ABE783F@blacknight.ie> <4E313B17.3010600@powerweb.de> <20110728105311.GI72014@Space.Net>
Message-ID: <003c01cc4d1f$afa65420$0ef2fc60$@com>

Hi Gert,

> So if you are hosting porn on your web site, and making it accessible
> to minors, why exactly would the RIPE NCC be responsible for that?

I don't think that the RIPE NCC has anything to do with it in that case, local authorities would suffice imho.

However if you share that sort of info on this mailing list, you might attract some extra visitors ;-)

Regards,
Erik Bais

From athina.fragkouli at ripe.net Thu Jul 28 17:57:46 2011
From: athina.fragkouli at ripe.net (Athina Fragkouli)
Date: Thu, 28 Jul 2011 17:57:46 +0200
Subject: [anti-abuse-wg] RIPE NCC Procedure Regarding LIR Information in the RIPE Database
Message-ID: <4E3186FA.3060501@ripe.net>

Dear all,

Thank you very much for your feedback.

Regarding the abuse at ripe.net auto-reply:
----------------------------------------
The RIPE NCC provides the abuse at ripe.net email address for third parties to direct abuse complaints to. The abuse complaints that we receive are usually not related in any way to any of the RIPE NCC's activities.

The auto-reply from the abuse mailbox clarifies:
- What the RIPE NCC is responsible for
- What kind of abuse complaints cannot be handled by the RIPE NCC (i.e. complaints related to the use of Internet number resources)
- How the RIPE Database can be used to find the appropriate person/organisation to direct the complaint to
- How to file a further complaint in case the information provided does not cover the particular situation.

The abuse complaints handling procedure is currently being documented and will be published on www.ripe.net.

Regarding the requested figures:
---------------------------------
The RIPE NCC receives a large number of abuse complaints. In the period since the RIPE NCC's procedural document, "Closure of LIR and Deregistration of Internet number resources", became effective on 7 March, 2011, only six out of 140 complaints received were related to the RIPE NCC's responsibilities. These six complaints referred to cases of non-compliance with RIPE policies. From the relevant audits we performed two of these complaints are still under investigation, two of the abuse cases complied with the audit's instructions and two of them did not comply. As a result the RIPE NCC de-registered seven PI assignments, one PA allocation.

Kind regards,

Athina Fragkouli
RIPE NCC

From fw at deneb.enyo.de Thu Jul 28 20:44:12 2011
From: fw at deneb.enyo.de (Florian Weimer)
Date: Thu, 28 Jul 2011 20:44:12 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: (Suresh Ramasubramanian's message of "Thu, 28 Jul 2011 08:09:43 +0530")
References:
Message-ID: <87zkjys0sj.fsf@mid.deneb.enyo.de>

* Suresh Ramasubramanian:

> Freshly added to spamhaus -

My personal problem with these reports is that they are totally incomprehensible to me. Why do you think the netblocks have been hijacked? Maybe the documentation in the WHOIS database is outdated, and Link Telecom still enjoys full control over those prefixes.

From ops.lists at gmail.com Fri Jul 29 03:20:58 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 29 Jul 2011 06:50:58 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <87zkjys0sj.fsf@mid.deneb.enyo.de>
References: <87zkjys0sj.fsf@mid.deneb.enyo.de>
Message-ID:

Spamhaus might be able to explain better

But when I see that and want more information I'd ask them rather than doubt them. Just saying.

On Fri, Jul 29, 2011 at 12:14 AM, Florian Weimer wrote:
>
>
>> Freshly added to spamhaus -
>
> My personal problem with these reports is that they are totally
> incomprehensible to me. Why do you think the netblocks have been
> hijacked? Maybe the documentation in the WHOIS database is outdated,
> and Link Telecom still enjoys full control over those prefixes.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From fw at deneb.enyo.de Fri Jul 29 09:24:09 2011
From: fw at deneb.enyo.de (Florian Weimer)
Date: Fri, 29 Jul 2011 09:24:09 +0200
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: (Suresh Ramasubramanian's message of "Fri, 29 Jul 2011 06:50:58 +0530")
References: <87zkjys0sj.fsf@mid.deneb.enyo.de>
Message-ID: <878vrh8s86.fsf@mid.deneb.enyo.de>

* Suresh Ramasubramanian:

> Spamhaus might be able to explain better
>
> But when I see that and want more information I'd ask them rather than
> doubt them. Just saying.

Sorry, you can't expect a constructive discussion if you just dump unstructured information and claim that is evidence of some policy violation, when other participants are not able to recognize your data as evidence (and I'm pretty sure I'm not alone in this regard).

The Spamhaus report you referenced (rather indirectly) is not very illuminating, either. It says, "This block is to be returned to RIPE". What does this mean? Is it in the process of being returned? Has Spamhaus suggested (to whom?) that it should be returned? Is this some sort of demand?

From ops.lists at gmail.com Fri Jul 29 09:47:39 2011
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 29 Jul 2011 13:17:39 +0530
Subject: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
In-Reply-To: <878vrh8s86.fsf@mid.deneb.enyo.de>
References: <87zkjys0sj.fsf@mid.deneb.enyo.de> <878vrh8s86.fsf@mid.deneb.enyo.de>
Message-ID:

The usual way this goes is that spamhaus has some further evidence available, which they don't expose publicly. They would make it available to vetted security contacts at RIPE, or LE that are interested, for example.

The data point isn't unstructured beyond what you'd expect, and most abuse complaints you'd get are far less structured. Right now, it is simply a statement "CIDRs x, y and z are suspected to be hijacked".

On Fri, Jul 29, 2011 at 12:54 PM, Florian Weimer wrote:
>
> The Spamhaus report you referenced (rather indirectly) is not very
> illuminating, either. It says, "This block is to be returned to
> RIPE". What does this mean? Is it in the process of being returned?
> Has Spamhaus suggested (to whom?) that it should be returned? Is this
> some sort of demand?

--
Suresh Ramasubramanian (ops.lists at gmail.com)