From vesely at tana.it Wed Aug 1 05:06:50 2012 From: vesely at tana.it (Alessandro Vesely) Date: Tue, 31 Jul 2012 20:06:50 -0700 Subject: [anti-abuse-wg] Legal concerns, was Manual vs automated reports In-Reply-To: <501824AB.8040304@abusix.com> References: <500EDD68.7070303@abusix.com> <07F26FFD-CE63-443C-A200-88F79BB96D67@isc.org> <500FB3C7.6070407@tana.it> <500FD694.6060005@tana.it> <500FE096.90303@abusix.com>, <500FFA13.2030307@powerweb.de>, <50100F86.4000106@telus.net> <2F6E914E-D9E1-4B92-BFD5-C359BD003456@blacknight.com>, <50101FA1.7020403@telus.net> <5010302E.1030103@telus.net> <50110755.6000204@ripe.net> <5011213A.60002@ripe.net> <501166A7.8000600@tana.it> <50117263.8030003@abusix.com> <50117FD1.5090005@tana.it> <50156938.9070204@abusix.com> <50181CA1.5000704@tana.it> <501824AB.8040304@abusix.com> Message-ID: <50189D4A.2070906@tana.it> On Tue 31/Jul/2012 11:32:11 -0700 Tobias Knecht wrote: > >>> That would mean that the a user has to click 50 times the spam >>> button, than 50 times "Yes I want to report this message!" and than >>> 50 times "I'm okay that this message will be sent to X!" >> >> And that, of course, does not leave you anything that a court would >> consider a proof that consent was granted. For contractual issues, I >> see telcos hire call-center staff in order to ask for user's consent >> at the phone, taping a formal question-and-answer sequence that can be >> kept as a proof. > > And now you have to answer only one question. Why should an ISP spend > tenth of thousands of Euros to give data away for free to institutions > that earn millions with it and not paying for it? > > I think we all know that there are ways to do it, but the questions is > more about how practical it is. And in this case it would even be > enough to call everybody and ask for consensus. With every new FBL > subscriber ISPs would have to call every customer and ask if the new > subscriber is okay for them. > > I'm always happy about new ideas, but on the other hand we are working > on this issue with ISPs, ESPs, legal institutions and all other > involved parties for more than 4 years now and we made good progress. > But as it is typically in politics it's taking time. Don't get me wrong, I was not suggesting that call-centers are the way to the future. I exemplified them as abnormal ways of conducts, which are the (possibly unintended) consequences of jurisprudential rules about privacy. Among their results, enterprises have powerful databases of private user data, while users have no aid whatsoever to remember when, if ever, did they grant their consent to a specific enterprise. >> If laws can be interpreted, it is not acceptable that interpretations >> only favor spammers :-/ > > And that is not the case. As already mentioned US legal frameworks is > fundamentally different from the European legal framework and in > reality it is not as spammer friendly as the US system. Yet, as far as I'd tell by casual news reading, spammers collect more sentences in the US than in the EU. From davide.migliavacca at contactlab.com Thu Aug 2 09:18:04 2012 From: davide.migliavacca at contactlab.com (Davide Migliavacca) Date: Thu, 2 Aug 2012 07:18:04 +0000 Subject: [anti-abuse-wg] 2011-06 Proposal comment Message-ID: Dear all, being a newcomer in this group I took some time to review the proposal and go through list archives for previous discussions on the 2011-06 policy proposal. I believe this proposal goes in the right direction to solve long-standing issues with RIPE resources whois data usability for abuse report routing, and I would love see the proposal move forward and become policy allowing the implementation phases to start. Thanks to all WG members for their work so far. Kind regards, Davide Migliavacca CTO, ContactLab ------------------- Milano, IT Tel +39 02 2831181 Fax +39 02 70030269 www.contactlab.com From tk at abusix.com Thu Aug 2 13:15:23 2012 From: tk at abusix.com (Tobias Knecht) Date: Thu, 02 Aug 2012 13:15:23 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> Message-ID: <501A614B.5010503@abusix.com> Hi, >> An option could be the following: >> the possibility to set the abuse-mailbox field to something like >> "non-responsive", a predefined value, thats valid according >> to the format of the field. The cleanup will happen, the resource owner >> makes a decision and the reporter could see, that the >> resource owner does not want to have reports (via email) ... > > That seems pretty reasonable to me. That could be an option. There is only one point I do not understand. We are talking only about the direct allocations, which in my opinion should all have an abuse address and handle their abuse. That is at least my opinion. As I understood Franks idea the resource holder would have to call himself "non-responsive" and publish this information, which will definitevely create problems in the future. Just thinking of blacklists using this information and so on, so at the end the unresponsive will add addresses that are deleting inbound messages. Which is of course not good either, but we could even proof that an unresponsive ISPs has accepted mail on his given address. This can be interesting in legal situations like Frank explained as well. So at the moment I think we have a solution that is easy and understandable for everybody and tries to solve a lot of possible scenarios. I would rather not change things into a direction that makes specific scenarios impossible just to make it "easier" for reporters to manage things from a bounce handling or deliverability perspective. And on the other hand, we (abusix) are sending more than 500k reports per day to different ISPs all over the world using whois information and yes around 30% are bouncing. So what? We are not even looking at the bounce messages. Next time we try again to deliver messages. This is at the end not a real problem for reporting parties. And I would not put to much attention on it. On the long end I would rather like to see something like ARIN is doing with wrong contact information. Tagging whois entries if the data that is provided is not accurate and resource holders are not cooperative. Thanks, Tobias From michele at blacknight.ie Thu Aug 2 13:26:28 2012 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Thu, 2 Aug 2012 11:26:28 +0000 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501811C5.6030007@telus.net> References: <50143B4A.6020006@powerweb.de> <20120731141514.40cdaa43@shane-desktop> <5017DEA3.8000603@abusix.com> <501811C5.6030007@telus.net> Message-ID: This conversation seems to be going round and round in circles and I'm getting quite confused. My understanding was that the object / field would be used / assigned in any allocations of IP space. Can someone please explain to me how it is possible that an organisation could have IPs but not have an email address or website? And if that is the case, then shouldn't the next level up be taking responsibility for abuse of the resources? Or am I missing something? I like the suggestion that the field be a URL that can be either a mailto or a http. I don't really care if some reporters have issues with this or not - I don't work for them and they're not paying me or anyone else - in fact many of them are getting paid .. so .. I also have issues with a lot of the automated reporting tools that some people insist on using, but that's off topic :) I strongly oppose any "non responsive" type label being used. That will cause a lot of issues for LIRs and will do little to advance the anti-abuse ethic Regards Michele Mr Michele Neylon Blacknight Solutions ? Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.co http://blog.blacknight.com/ http://blacknight.cat http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From tk at abusix.com Thu Aug 2 13:41:47 2012 From: tk at abusix.com (Tobias Knecht) Date: Thu, 02 Aug 2012 13:41:47 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: References: <50143B4A.6020006@powerweb.de> <20120731141514.40cdaa43@shane-desktop> <5017DEA3.8000603@abusix.com> <501811C5.6030007@telus.net> Message-ID: <501A677B.4090202@abusix.com> Hi, > My understanding was that the object / field would be used / assigned > in any allocations of IP space. Can someone please explain to me how > it is possible that an organisation could have IPs but not have an > email address or website? And if that is the case, then shouldn't the > next level up be taking responsibility for abuse of the resources? Or > am I missing something? Fully agree. Thats why for all direct allocations the abuse-c will be mandatory. For everybody else it will be optional. The hierarchy and the mandatory abuse-c at the top of the chain will give us at least one abuse contact per ip address, which is the absolute minimum. And I fully agree to the part with the responsibility. There must be one party that can and takes responsibility for abuseive behavior. If they feel they are the wrong persons they have to explain their subdelegation that they need to publish an abuse-c and handle the traffic themselves. > I like the suggestion that the field be a URL that can be either a > mailto or a http. I don't really care if some reporters have issues > with this or not - I don't work for them and they're not paying me or > anyone else - in fact many of them are getting paid .. so .. I also > have issues with a lot of the automated reporting tools that some > people insist on using, but that's off topic :) I really like this idea, but at the moment I would rather stay with abuse-mailbox as an email and add an abuse-url: or similar later. The reason is, that we can not foresee what will happen in the near future and nobody knows if API reporting is something that will show up. At the moment all institutions (maawg, IETF, APWG, ...) are working on reporting and use email based transport. So we should stay with that and not offer for publication of things that are not even here and not nearly standardized or even used in a real world scenario. > I strongly oppose any "non responsive" type label being used. That > will cause a lot of issues for LIRs and will do little to advance the > anti-abuse ethic Fully agree. Thanks, Tobias From ripe-anti-spam-wg at powerweb.de Thu Aug 2 13:42:31 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 02 Aug 2012 13:42:31 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501A614B.5010503@abusix.com> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> <501A614B.5010503@abusix.com> Message-ID: <501A67A7.604@powerweb.de> Tobias Knecht wrote: > Hi, Hi, > >>> An option could be the following: >>> the possibility to set the abuse-mailbox field to something like >>> "non-responsive", a predefined value, thats valid according >>> to the format of the field. The cleanup will happen, the resource owner >>> makes a decision and the reporter could see, that the >>> resource owner does not want to have reports (via email) ... >> >> That seems pretty reasonable to me. > > That could be an option. There is only one point I do not understand. We > are talking only about the direct allocations, which in my opinion > should all have an abuse address and handle their abuse. That is at > least my opinion. Yes, I agree. This should only be only an option for subdelegations. > As I understood Franks idea the resource holder would have to call > himself "non-responsive" and publish this information, which will > definitevely create problems in the future. Just thinking of blacklists > using this information and so on, so at the end the unresponsive will > add addresses that are deleting inbound messages. Which is of course not Also true, we could not hide the abuse mailbox field, if its set to "non-responsive", because lots of software depends on the presents of the field and will depend on a well-formed email address. Humans will also be confused, when its communicated, that its mandatory and it will be missing in some cases. Setting it to an a kind of generic not-used email address might not be an option too. Maybe there will be or is already a blacklist, thats collecting non-responsive resource holders, they could provide an email address ;o) > good either, but we could even proof that an unresponsive ISPs has > accepted mail on his given address. This can be interesting in legal > situations like Frank explained as well. > > So at the moment I think we have a solution that is easy and > understandable for everybody and tries to solve a lot of possible > scenarios. I would rather not change things into a direction that makes > specific scenarios impossible just to make it "easier" for reporters to > manage things from a bounce handling or deliverability perspective. I think so too, its was just an idea that is not really leading to anything until somebody else come up with an idea how this non-responsive address could be formed ... > And on the other hand, we (abusix) are sending more than 500k reports > per day to different ISPs all over the world using whois information and > yes around 30% are bouncing. So what? We are not even looking at the > bounce messages. Next time we try again to deliver messages. This is at > the end not a real problem for reporting parties. And I would not put to > much attention on it. > > On the long end I would rather like to see something like ARIN is doing > with wrong contact information. Tagging whois entries if the data that > is provided is not accurate and resource holders are not cooperative. Well sayd. Kind regards, Frank > > > Thanks, > > Tobias > > > > > > > -- Mit freundlichen Gruessen, -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From ripe-anti-spam-wg at powerweb.de Thu Aug 2 13:54:41 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 02 Aug 2012 13:54:41 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: References: <50143B4A.6020006@powerweb.de> <20120731141514.40cdaa43@shane-desktop> <5017DEA3.8000603@abusix.com> <501811C5.6030007@telus.net> Message-ID: <501A6A81.1040201@powerweb.de> "Michele Neylon :: Blacknight" wrote: Hi, > This conversation seems to be going round and round in circles and I'm getting quite confused. > > My understanding was that the object / field would be used / assigned in any allocations of IP space. Sure, the direct allocation will have it first. Then its up to the member to communicate the new field to the subdelegation customers to get rid of all the reports :o) Its should be the goal, than any resource holder have its own abuse mailbox address. >Can someone please explain to me how it is possible that an organisation could have IPs but not have an email address or website? There are e.g. ISPs that provide VPN only, they tunnel everything, and there is no abuse happening at all. And there are other examples. Sure they have email themselve, but maybe they dont like to communicate it. > And if that is the case, then shouldn't the next level up be taking responsibility for abuse of the resources? Or am I missing something? That would be ideal and our final goal, but there are lots out there, that simply do not want to take responsibility for several reasons. And they dont care about blacklists, they fear the costs, work or whatever. > I like the suggestion that the field be a URL that can be either a mailto or a http. I really dont like to mix email address with URLs, even if they have a mailto:, email addresses are really easy to recognize, by software or by humans, its clear what to do with an email address, for everybody. Lots of end users dont even know what an URL is and might get confused. An URL should only be optional as a seperate field ... That could be another proposal ... >I don't really care if some reporters have issues with this or not - I don't work for them and they're not paying me or anyone else - in fact many of them are getting paid .. so .. I also have issues with a lot of the automated reporting tools that some people insist on using, but that's off topic :) > > I strongly oppose any "non responsive" type label being used. That will cause a lot of issues for LIRs and will do little to advance the anti-abuse ethic Good, so that idea is done. It was only a possibility to discuss ... Kind regards, Frank > > Regards > > Michele > > Mr Michele Neylon > Blacknight Solutions ? > Hosting & Colocation, Brand Protection > ICANN Accredited Registrar > http://www.blacknight.co > http://blog.blacknight.com/ > http://blacknight.cat > http://mneylon.tel > Intl. +353 (0) 59 9183072 > US: 213-233-1612 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Facebook: http://fb.me/blacknight > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > > -- Mit freundlichen Gruessen, -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From jorgen at hovland.cx Thu Aug 2 14:48:34 2012 From: jorgen at hovland.cx (Jørgen Hovland) Date: 02 Aug 2012 12:48:34 +0000 (GMT) Subject: [anti-abuse-wg] the mandatory abuse field Message-ID: <501a772210f9d507a70046ba8fca.jorgen@hovland.cx> An HTML attachment was scrubbed... URL: From tk at abusix.com Thu Aug 2 16:43:11 2012 From: tk at abusix.com (Tobias Knecht) Date: Thu, 02 Aug 2012 16:43:11 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501a772210f9d507a70046ba8fca.jorgen@hovland.cx> References: <501a772210f9d507a70046ba8fca.jorgen@hovland.cx> Message-ID: <501A91FF.9070408@abusix.com> Hi, > When you can't back up an email address requirement with any valid legal > requirement it will just degrade the data accuracy in the ripe database. > Should, perhaps, but it's not going to happen by making it mandatory. That is true. That's why we have the data accuracy part already on our agenda as one of the first next steps after this proposal. And by making it mandatory it is not truly a "legal" requirement, but it is a requirement by RIPE NCC and the community, which will give us some space. > The abuse-c proposal itself is good since the database structure would > improve. Thanks for your feedback. > I think you are misinformed about ARIN. They only require that the email > you put in ARINs whois database must be able to accept email from ARIN. > If you send an email to for example Googles email contact address you > receive an auto reply with "Thank you for your email. However, it will > not be read. Good bye.". That is true, but we have very often reported not working email addresses to ARIN and ARIN tried to contact the maintainer and solve the problem, as long as they can not resolve the problem with the maintainer they flag the complete whois entry as not accurate. It would be interesting what would happen if you report the google address with this comment. If you are going to test it, let me know what the outcome is. Thanks, Tobias From wiegert at telus.net Thu Aug 2 19:50:40 2012 From: wiegert at telus.net (Arnold) Date: Thu, 02 Aug 2012 10:50:40 -0700 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501A614B.5010503@abusix.com> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> <501A614B.5010503@abusix.com> Message-ID: <501ABDF0.8080902@telus.net> On 02/08/2012 4:15 AM, Tobias Knecht wrote: ------------8X-------------- > On the long end I would rather like to see something like > ARIN is doing with wrong contact information. Tagging > whois entries if the data that is provided is not accurate > and resource holders are not cooperative. > That raises the question for me: How does ARIN deal with these folks who are 'not cooperative'? Are they taking any action? Arnold -- Fight Spam - report it with wxSR http://www.columbinehoney.net/wxSR.shtml From bogus@does.not.exist.com Fri Aug 3 01:06:22 2012 From: bogus@does.not.exist.com () Date: 02 Aug 2012 23:06:22 +0000 (GMT) Subject: [anti-abuse-wg] the mandatory abuse field Message-ID: <501b07ee781752a4a7001c0ca67c.jorgen@hovland.cx> An HTML attachment was scrubbed... URL: From lists at help.org Fri Aug 3 05:09:11 2012 From: lists at help.org (lists at help.org) Date: Thu, 02 Aug 2012 23:09:11 -0400 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501ABDF0.8080902@telus.net> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> <501A614B.5010503@abusix.com> <501ABDF0.8080902@telus.net> Message-ID: <501B40D7.1090002@help.org> >That raises the question for me: How does ARIN deal with these folks who are 'not cooperative'? You have asked a question that most entities that operate whois database will not answer. They make big presentations about warning banners and discuss "mandatory" fields but when the data gets compromised nothing gets done. This is not limited to ARIN, RIPE, etc. it is true of just about all whois operators. For instance, everybody knows DomainTools.com is harvesting and reselling the data in these whois databases yet what formal action have any of these whois operators taken in response? The result of all these rules, restrictions, blocking, and policies is that it inconveniences the people who use the services normally while the people violating the policies continue unabated. This situation is rarely considered when all the policies and procedures are developed so much of that work ends up being useless and people get all bent out of shape because there is a policy in place that is not enforced. From ripe-anti-spam-wg at powerweb.de Fri Aug 3 09:02:20 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 03 Aug 2012 09:02:20 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <501B40D7.1090002@help.org> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> <501A614B.5010503@abusix.com> <501ABDF0.8080902@telus.net> <501B40D7.1090002@help.org> Message-ID: <501B777C.1040309@powerweb.de> lists at help.org wrote: > >That raises the question for me: How does ARIN deal with these folks > who are 'not cooperative'? > > You have asked a question that most entities that operate whois database > will not answer. They make big presentations about warning banners and > discuss "mandatory" fields but when the data gets compromised nothing > gets done. This is not limited to ARIN, RIPE, etc. it is true of just > about all whois operators. For instance, everybody knows DomainTools.com > is harvesting and reselling the data in these whois databases yet what > formal action have any of these whois operators taken in response? > > The result of all these rules, restrictions, blocking, and policies is > that it inconveniences the people who use the services normally while > the people violating the policies continue unabated. This situation is > rarely considered when all the policies and procedures are developed so > much of that work ends up being useless and people get all bent out of > shape because there is a policy in place that is not enforced. Only half true. 2011-06 is a big step into the right direction. First: Its a role-account with a mandatory field, every maintainer has to know, NOT to enter his personal address or one of his customer in there, but use his ticket system or the address of his educated abuse team a generic mailbox or whatever else non-personal he has. This will dramatically reduce the amount of personal addresses in the database, so ? Let the harvesters do there job and let the spammers send their spam to educated and expirienced people or teams, that probably have the best filters to presort there mail, have the best antispam techniques anyway and that are educated enought not to click any dangerous link. Second: its a mandatory field and only one place where to store the abuse contact RIPE NCC could then check the format and the availibility of all abuse contacts, this is the first time they CAN do it like described lately by the the people that wrote the abuse finder tool, simply because they will know, where to look for it. Third: it will be hard work to define what "responsiveness" realy is. You can check the syntax, the domain, if it exists, you could check, if its mailserver is responsive and you could even check, if the address exists or (I think) at last step, if an email does not bounce. But then ? how do you measure responsiveness ? By inserting a link, that has to be clicked ? How many times ? In what period ? Is a resource holder allowed to go on holidays or forget about his abuse mailbox for 3 weeks ? 4 weeks ? That are questions that differ from member to member. On the other end, I know systems where you have to "renew" your offers in the database every months or they will be inactive. And if you like to use there system you simply have to accept this. Even if I would love the punishment of abuse-ignorant ISPs, even by the RIPE NCC itself, I have no idea how that all could look like ... thats a big step and will need a lot of discussion. But: now there will be the technical background to do it. Kind regards, Frank -- MOTD: "Im happy about every ISP, that does not backscatter" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From maildanrl at gmail.com Fri Aug 3 08:45:38 2012 From: maildanrl at gmail.com (Dan Luedtke) Date: Fri, 3 Aug 2012 08:45:38 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: <50143B4A.6020006@powerweb.de> References: <50143B4A.6020006@powerweb.de> Message-ID: On Sat, Jul 28, 2012 at 9:19 PM, Frank Gadegast wrote: > Anybody, who is against a mandatory abuse field, > is a professional spammer, abuser, maintains > a bot net or sells open proxies or other services > used for abusing others. > They are criminals to my opinion. Hopefully your opinion stays where it is, and you don't start calling people criminal for not supporting a mandatory field in a database that is full of fake data. In my country, calling people criminal in public violates the law. We happen to live in the same country, don't we, Frank? I know abuse sucks, and it's natural to become bitter and angry about those *&#(@ that eat up valued resources, but we re talking about a database change that would not help at all if we'd change it from "optional" to "mandatory". Just more mails bouncing back. It's not the "abuse field" I am against, it's the "mandatory" since it would impact workflows seriously and create much more trouble than it avoids. Regards, Dan From ripe-anti-spam-wg at powerweb.de Fri Aug 3 10:20:04 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 03 Aug 2012 10:20:04 +0200 Subject: [anti-abuse-wg] the mandatory abuse field In-Reply-To: References: <50143B4A.6020006@powerweb.de> Message-ID: <501B89B4.8050700@powerweb.de> Dan Luedtke wrote: Hi, > On Sat, Jul 28, 2012 at 9:19 PM, Frank Gadegast > wrote: >> Anybody, who is against a mandatory abuse field, >> is a professional spammer, abuser, maintains >> a bot net or sells open proxies or other services >> used for abusing others. >> They are criminals to my opinion. > > Hopefully your opinion stays where it is, and you don't start calling > people criminal for not supporting a mandatory field in a database > that is full of fake data. Well, you have either none and fake data, like it is now or you make it mandatory and will have correct data (but a lot will be unread). Whats better ? > In my country, calling people criminal in public violates the law. > We happen to live in the same country, don't we, Frank? Sure, and its always puzzeling me, that a lot of people do not know the law in their country even when its regulating their profession. (btw: this list is not public at all, open to everybody, but not public, its like a big garden party and every friend is invited) > I know abuse sucks The abuse does not suck, the ignorance of responsible people does (next real life story below). > and it's natural to become bitter and angry about > those *&#(@ that eat up valued resources, but we re talking about a > database change that would not help at all if we'd change it from > "optional" to "mandatory". Just more mails bouncing back. > It's not the "abuse field" I am against, it's the "mandatory" since it > would impact workflows seriously and Hm, are you in trouble, that every member now has to ask his customer for an abuse address, when creating a subdelegation for them ? Thats not really changing the "workflow" a lot ... Or whatever else "workflow" do you mean ? And who cares how much additional work members and subdelegation admins have with additional abuse reports ? You have to prevent crime in a lot of countries in the RIPE region anyway, see below ... > create much more trouble than it avoids. Please explain that somehow generic argument. Please give us a summary of your point of view. And now the real live story: 2 days ago a customers nameserver serving a good bunch of domains was DDoSed through a botnet. The attackers did send UDP packets asking for always the same hostname but faked the sender address to DDoS a third party. Surely our customers nameserver did not answer, because its was not asked for a hostname they serve, so no third party was harmed, but the load was immense and troubling the server a lot until we could filter the real source IPs via NetFlow. The bots were mostly located in the usual countries, like India, China, Korea, Kazachstan and worldwide, we did send reports to the responsible admins (well there are nearly none in Kazachstan. Who knows, why they mostly have none there ? somebody from Kazachstan on the list here ?) There were also some in Germany, but only a few. One ISP (a quite big German ISP) wrote us back, that they are only forced by law to store, wich of their customer is using what address at a given time, if they would need it for billing. But they do not need it for billing, because they only offer flatrates. Thats why they cannot find out, wich customers PC has a bot and could not help. Well, wrong. In Germany you have to prevent computer crime, when its easy to detect and easy to prevent and you have knowledge, otherwise you are a "Mitstoerer". Sure you can argue, that you do not have to log anything in general to enforce data protection, but you will defny have to turn logging on, after you have knowledge and this attack is ungoing and the IP (well the IP changes daily, but there is still one IP from this ISP part of the attack). You can easily log, wich customer is logged in at a given time using what IP and you can change his logging password easily and wait for the customer to call to explain the situation to him. So, easy to detect and easy to prevent and you can log only after you are informed about the problem and only to prevent the crime. The case is already reported to the police, lets see how quick they will have a working abuse team in place ... Kind regards, Frank > > Regards, > > Dan > > > -- Mit freundlichen Gruessen, -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From brian.nisbet at heanet.ie Fri Aug 3 15:38:47 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 03 Aug 2012 14:38:47 +0100 Subject: [anti-abuse-wg] Public Status of AA-WG Mailing List (was Re: the mandatory abuse field) In-Reply-To: <501B89B4.8050700@powerweb.de> References: <50143B4A.6020006@powerweb.de> <501B89B4.8050700@powerweb.de> Message-ID: <501BD467.7010708@heanet.ie> Frank, One important point Frank Gadegast wrote the following on 03/08/2012 09:20: > > (btw: this list is not public at all, open to everybody, but not public, > its like a big garden party and every friend is invited) By any reasonable measure this list is public. Anyone can join and the archives are publicly accessible without login here: http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/ From lists at help.org Sat Aug 4 05:31:06 2012 From: lists at help.org (lists at help.org) Date: Fri, 03 Aug 2012 23:31:06 -0400 Subject: [anti-abuse-wg] .ca whois harvesting/CIRA response In-Reply-To: <501B40D7.1090002@help.org> References: <50143B4A.6020006@powerweb.de> <6D0E4F77-A92B-4F4D-9545-FAFB4ED1B4B4@icann.org> <5017E5A0.3020907@powerweb.de> <443533B4-6A72-4FC9-B8FB-8B86FCC50CF6@icann.org> <5017F66C.6030703@powerweb.de> <41F6C547EA49EC46B4EE1EB2BC2F34185DB7DF56EB@EXVPMBX100-1.exc.icann.org> <501A614B.5010503@abusix.com> <501ABDF0.8080902@telus.net> <501B40D7.1090002@help.org> Message-ID: <501C977A.7060301@help.org> CIRA has received complaints about the harvesting and resale of historic whois data. While they maintain a TOS against this practice CIRA knows the policy is not being followed. CIRA would generally ignore complaints about this situation and would simply refuse to respond. Now the matter was brought up to the Privacy Commissioner's Office (along with the issue of the bogus lawsuit filed by DomainTools.com) so CIRA has finally responded and said they contacted DomainTools.com. However, CIRA is refusing to release the correspondent to the public and their lawyer is telling members of the public that if they want to see the letter they will have to take legal action against CIRA! So much for the openness and transparency claimed in their bylaws. At least ICANN publishes their correspondence. A web page has been set up to follow the issue at: http://whoissecurity.com/ca-whois-harvesting/ From brian.nisbet at heanet.ie Wed Aug 8 11:53:36 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Wed, 08 Aug 2012 10:53:36 +0100 Subject: [anti-abuse-wg] Agenda Items - RIPE 65 - First Call Message-ID: <50223720.7030708@heanet.ie> Colleagues, I do hope you're all enjoying your summer holidays, but I wanted to mention that RIPE 65 is around six weeks away (give or take) and the Anti-Abuse Working Group session has space on the agenda for any items you may will to raise at the meeting. Please contact me on or off list if you think you might like to present on (or just talk about) any items of interest to the community. Regards, Brian. From jerry1upton at aol.com Wed Aug 15 04:31:17 2012 From: jerry1upton at aol.com (Jerry Upton) Date: Tue, 14 Aug 2012 22:31:17 -0400 (EDT) Subject: [anti-abuse-wg] Comments on Abuse Contact Management in the RIPE Database Message-ID: <8CF48A52E721148-1408-7BA85@webmail-d159.sysops.aol.com> The Messaging, Malware and Mobile Anti-Abuse Working Group(M3AAWG) is a global nonprofit organization founded to develop effective modelsand solutions to combat online abuse such as phishing, botnets, fraud, spam,viruses and denial-of-service attacks that can cause great harm to bothindividual and national economies. M3AAWG includes technical experts,researchers and policy specialists from a broad base of Internet serviceproviders and network operators representing over one billion email accounts,and from key technology providers, academia and volume messaging senderorganizations M3AAWG supports RIPE?s proposal to introduce a new contactattribute named "abuse-c:", which can be included in inetnum,inet6num and aut-num objects(https://www.ripe.net/ripe/policies/proposals/2011-06). The investigation and prosecution of criminal activity andabuse on the Internet would be greatly facilitated by the availability of suchdata being included in WHOIS. Theproliferation of spam and the transmission of malware of all types, which arethe fundamental target of the work undertaken by M3AAWG and its members, arethe most common and serious types of privacy intrusions, occurring billions oftimes a day, worldwide. ARIN Draft Policy ?Abuse Contact Management in the RIPE NCCDatabase? states ?abuse-c ? provides a more efficient way for maintainers toorganize their provided information and helps to increase accuracy andefficiency in routing abuse reports to the correct network contact. Inaddition, it helps all kinds of institutions to find the correct abuse contactinformation more easily.? For anti-abuse researchers, investigators and systemsoperators, WHOIS and a publicly available point of intercept identifying anabuse contact is essential and fundamental information. People who manage abuseof their networks need to easily, readily and accurately identify all entitieson a given network. Therefore,M3AAWG firmly supports the adoption of the RIPE Draft Policy ?Abuse ContactManagement in the RIPE NCC Database.? Sincerely, Jerry Upton, Executive Director Messaging, Malware and Mobile Anti-Abuse Working Group(M3AAWG) jerry.upton at m3aawg.org http://www.m3aawg.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From heather.skanks at gmail.com Wed Aug 15 15:21:33 2012 From: heather.skanks at gmail.com (Heather Schiller) Date: Wed, 15 Aug 2012 09:21:33 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated Message-ID: Last Friday, RIPE reallocated 2 address blocks involved in DNSChanger malware - one of them is already routed. Infected users are still sending DNS queries to this address space. The new holders of this space are getting a lot of DNS queries - they are in the position to see who is infected, what they are querying for and provide any DNS response they wish to those queries. News article: http://www.cso.com.au/article/433502/new_hijack_threat_emerges_dns_changer_victims/ RIPE's response: https://www.ripe.net/internet-coordination/news/clarification-on-reallocated-ipv4-address-space-related-to-dutch-police-order I think reallocation of this address space so quickly, is irresponsible and puts users at risk. The RIR's debogonize other address ranges and check their status before allocation. The court appointed honest DNS service was only turned down a month ago, with thousands of users still infected. While users have had plenty of opportunity to clean up their computers, many are still infected. In some cases, providers have intentionally chosen not to notify their customers. I asked on the address-policy list, how long RIPE holds back netblocks before allocation. From RIPE's response above, they hold address blocks for 6 weeks and it sounds as though they would have reallocated it while the court appointed honest DNS service was running had that 6 weeks expired before the court ordered honest service ended. Court order or not, should there be a policy/process to give guidance to RIR's on how to handle abused address space? Should address space that has been "poisoned" where it continues to get traffic from infected hosts long after the servers/malware/domains are removed be reallocated to new unsuspecting organizations? Should the space be held for some specified amount of time? Or until it drops below some threshold of traffic? Should a research or security organization be contracted to work on cleaning up the space? should the RIR do that? --Heather From michele at blacknight.ie Wed Aug 15 15:47:02 2012 From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed, 15 Aug 2012 13:47:02 +0000 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <20120815133107.BA23F5A403A@merlin.blacknight.ie> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> Message-ID: We've ended up with IP space that had a "reputation" in the past It's quite annoying to discover that you IP block, or a part of it, is blacklisted before you even get a chance to use it .. Though I wonder is the overall scarcity of IPv4 space going to mean that IP blocks will end up being reassigned more quickly as there's fewer and fewer .. Mr Michele Neylon Blacknight Solutions ? Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.co http://blog.blacknight.com/ http://blacknight.cat http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 From heather.skanks at gmail.com Wed Aug 15 17:30:54 2012 From: heather.skanks at gmail.com (Heather Schiller) Date: Wed, 15 Aug 2012 11:30:54 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> Message-ID: Blacklisted space is really quite different though, isn't it? There is a big difference between the new address holder's email being rejected somewhere because of an RBL and the new address holder being able to amass a list of infected/vulnerable users based on traffic they are passively receiving, just by routing the prefix. In the RBL case you know who you are trying to send mail to and you may know what blacklist is being used - the new address block holder has tools to help resolve their problem. These infected users don't know they are sending this traffic, they don't know who its going to, be it the original bad guys or some new guys. The new org that has the netblock can't do anything to stop this traffic from coming, which means they'll have to pay for it in bandwidth consumption, resources on the host when they put the IP's into service, and resources to filter. (Not every IP in the netblock is getting DNSChanger traffic) I fully get that receiving unwanted traffic is just part of being on the internet - but I think the volume and type of traffic that DNSChanger IP's are getting, and what it reveals, is something quite different than what we've seen in the past, for both the resource holder and the infected users. Yes, the scarcity of v4 space WILL mean that IP blocks will be assigned more quickly. ARIN has said as much in a public statement that outlines their plans for depletion. I don't know what RIPE's policy had been - or if it had always been 6 weeks. --Heather On Wed, Aug 15, 2012 at 9:47 AM, "Michele Neylon :: Blacknight" wrote: > We've ended up with IP space that had a "reputation" in the past > > It's quite annoying to discover that you IP block, or a part of it, is blacklisted before you even get a chance to use it .. > > Though I wonder is the overall scarcity of IPv4 space going to mean that IP blocks will end up being reassigned more quickly as there's fewer and fewer .. > > > Mr Michele Neylon > Blacknight Solutions ? > Hosting & Colocation, Brand Protection > ICANN Accredited Registrar > http://www.blacknight.co > http://blog.blacknight.com/ > http://blacknight.cat > http://mneylon.tel > Intl. +353 (0) 59 9183072 > US: 213-233-1612 > Locall: 1850 929 929 > Direct Dial: +353 (0)59 9183090 > Facebook: http://fb.me/blacknight > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > From lists at help.org Wed Aug 15 17:46:54 2012 From: lists at help.org (lists at help.org) Date: Wed, 15 Aug 2012 11:46:54 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> Message-ID: <502BC46E.4060300@help.org> > We've ended up with IP space that had a "reputation" in the past Many of the "blacklist" operators are unreliable when correcting errors/outdated info in their system. The reports I get from people are that blacklist operators are often arrogant and accusatory and they often disregard explanations because they think they know better. Often these operators have anointed themselves as some type of authority but they rarely have any legal training and they often disregard other policies (such as privacy policies) because they think their issues trumps everything else. These types often think their technical knowledge gives some some type of elevated status and they accuse everyone else of being spammers, too stupid to be on the Internet, and demand everyone follow their rules, etc. From lem at isc.org Wed Aug 15 17:55:53 2012 From: lem at isc.org (=?ISO-8859-1?Q?Luis_Mu=F1oz?=) Date: Wed, 15 Aug 2012 11:55:53 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502BC46E.4060300@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> Message-ID: <66e5b465-8093-4502-a76f-6981e34d4195@email.android.com> In my experience, lists managed through those principles tend to fall out of use relatively quickly and are therefore rather inconsequential for mail delivery. Best regards -lem "lists at help.org" wrote: >> We've ended up with IP space that had a "reputation" in the past > >Many of the "blacklist" operators are unreliable when correcting >errors/outdated info in their system. The reports I get from people >are that blacklist operators are often arrogant and accusatory and they > >often disregard explanations because they think they know better. >Often >these operators have anointed themselves as some type of authority but >they rarely have any legal training and they often disregard other >policies (such as privacy policies) because they think their issues >trumps everything else. These types often think their technical >knowledge gives some some type of elevated status and they accuse >everyone else of being spammers, too stupid to be on the Internet, and >demand everyone follow their rules, etc. From lists at help.org Wed Aug 15 19:01:23 2012 From: lists at help.org (lists at help.org) Date: Wed, 15 Aug 2012 13:01:23 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <66e5b465-8093-4502-a76f-6981e34d4195@email.android.com> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <66e5b465-8093-4502-a76f-6981e34d4195@email.android.com> Message-ID: <502BD5E3.5030107@help.org> On 8/15/2012 11:55 AM, Luis Mu?oz wrote: > In my experience, lists managed through those principles tend to fall out of use relatively quickly and are therefore rather inconsequential for mail delivery. That is not my experience. For instance, you can readily find complaints about Microsoft and Cisco as well as some of the contributors to this list. This is the norm and any place that does a good job is the exception. it is interesting how people heavily involved in "abuse" respond the way you have responded yet when you ask small businesses or non-technical experts who have been subject to false alarms respond in a completely different manner. This is because the people heavily involved in abuse are often out of touch with the rest of the world and only circulate amoong a small group of systems administrators. One guy told me I could not have known what I was talking about because he had never met me at one one of the conferences he goes to. Another very well known ant-spammer who acts as an expert witness never heard of the CISSP certification and claimed it was some kind of worthless certification. This is the same guy who says ISP's should be scanning everyone's email but when it is pointed out this violates the privacy policies he never answers. Then these types often go around calling everyone else "clueless." From thor.kottelin at turvasana.com Wed Aug 15 19:43:03 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Wed, 15 Aug 2012 20:43:03 +0300 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502BD5E3.5030107@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <66e5b465-8093-4502-a76f-6981e34d4195@email.android.com> <502BD5E3.5030107@help.org> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of lists at help.org > Sent: Wednesday, August 15, 2012 8:01 PM > To: > On 8/15/2012 11:55 AM, Luis Mu?oz wrote: > > In my experience, lists managed through those principles tend to > fall out of use relatively quickly and are therefore rather > inconsequential for mail delivery. > > That is not my experience. For instance, you can readily find > complaints about Microsoft and Cisco as well as some of the > contributors > to this list. One can probably 'find complaints' about whichever matter in existence. Highly useful and widely used DNSBLs tend to draw particularly large amounts of irate complaints from people whose resources have been listed. The bottom line is that mail server administrators use such DNSBLs as have proven to be valuable. If a list causes excessive false positives, e.g. due to bad management, dropping it is a simple matter of adding a comment delimiter to a configuration file. > people heavily > involved in abuse are often out of touch with the rest of the world Thank you for your incessant efforts in pointing this out. -- Thor Kottelin http://www.anta.net/ From peter at hk.ipsec.se Wed Aug 15 20:26:53 2012 From: peter at hk.ipsec.se (peter h) Date: Wed, 15 Aug 2012 20:26:53 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502BC46E.4060300@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> Message-ID: <201208152026.53880.peter@hk.ipsec.se> On Wednesday 15 August 2012 17.46, lists at help.org wrote: > > We've ended up with IP space that had a "reputation" in the past > > Many of the "blacklist" operators are unreliable when correcting > errors/outdated info in their system. The reports I get from people > are that blacklist operators are often arrogant and accusatory and they > often disregard explanations because they think they know better. Often > these operators have anointed themselves as some type of authority but > they rarely have any legal training and they often disregard other > policies (such as privacy policies) because they think their issues > trumps everything else. These types often think their technical > knowledge gives some some type of elevated status and they accuse > everyone else of being spammers, too stupid to be on the Internet, and > demand everyone follow their rules, etc. This sounds that a biased opinion to me ... Blacklists exists for a reason, the reason is that spam has been neglected for so long and so little has benn done by those that _should_ take action. This very group is a good example, once created to fight spam, but when very little got effected the list was renamed to anti-abuse. Today it deals mostly with whois-enhancements. Sorry, but this is my personal experience. When nothing else works, blocking a range is what remains. Yes, blocking could be made better, for example some feedback from registries when a block has been reallocated might be of value. This info could be announced in by RIPE et.al. so blocklist operators may pick up this info. > > > > > -- Peter H?kanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det ?r billigare att g?ra r?tt. Det ?r dyrt att laga fel. ) From tk at abusix.com Wed Aug 15 21:42:24 2012 From: tk at abusix.com (Tobias Knecht) Date: Wed, 15 Aug 2012 21:42:24 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <201208152026.53880.peter@hk.ipsec.se> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> Message-ID: <502BFBA0.5000807@abusix.com> Hi everybody, > When nothing else works, blocking a range is what remains. Yes, > blocking could be made better, for example some feedback from > registries when a block has been reallocated might be of value. This > info could be announced in by RIPE et.al. so blocklist operators may > pick up this info. This is a great idea and an option that has been discussed at other institutions already. I will put this on my list for future discussion and I bet this would really help a lot if blacklists are willed to use the offered information. Thanks, Tobias -- AA-WG Co-Chair From heather.skanks at gmail.com Wed Aug 15 21:51:32 2012 From: heather.skanks at gmail.com (Heather Schiller) Date: Wed, 15 Aug 2012 15:51:32 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502BFBA0.5000807@abusix.com> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> Message-ID: We've kind of veered away from the topic/questions I had about reallocating actively abused address space.. but.. I thought it was odd that I could not find a registration date in the RIPE db - at the time I thought I just couldn't find it, maybe it's not actually published? In the ARIN region both registration date and last updated on, are provided - something similar might be helpful? ARIN example: NetRange 63.72.0.0 - 63.72.3.255 CIDR 63.72.0.0/22 Name UU-63-72 Handle NET-63-72-0-0-1 Parent UUNET63 (NET-63-64-0-0-1) Net Type Reassigned Origin AS Customer Disney Regional Entertainment (C00576500) Registration Date 1999-06-02 Last Updated 2003-05-30 --Heather On Wed, Aug 15, 2012 at 3:42 PM, Tobias Knecht wrote: > Hi everybody, > > >> When nothing else works, blocking a range is what remains. Yes, >> blocking could be made better, for example some feedback from >> registries when a block has been reallocated might be of value. This >> info could be announced in by RIPE et.al. so blocklist operators may >> pick up this info. > > > This is a great idea and an option that has been discussed at other > institutions already. I will put this on my list for future discussion and I > bet this would really help a lot if blacklists are willed to use the offered > information. > > Thanks, > > Tobias > > -- > AA-WG Co-Chair > From lists at help.org Wed Aug 15 22:10:49 2012 From: lists at help.org (lists at help.org) Date: Wed, 15 Aug 2012 16:10:49 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <201208152026.53880.peter@hk.ipsec.se> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> Message-ID: <502C0249.6090304@help.org> >Blacklists exists for a reason, the reason is that spam has been neglected for so long and so little has benn done by those that _should_ take action. This very group is a good example, once created to fight spam, but when very little got effected the list was renamed to anti-abuse. Today it deals mostly with whois-enhancements. Spam is one of many problems facing Internet users and I have never heard that spam is "neglected." You just have spam as a pet peeve so you disregard all the other problems and think everyone else should too. Spam is a problem but so are people running around haphazardly blocking Internet traffic. You brought up another interesting point. This group is called anti-abuse but there is no real definition of "abuse" and even if there were this list doesn't really do anything to stop it. Maybe the name should be changed to whois standards or something like that. From ripe-anti-spam-wg at powerweb.de Thu Aug 16 08:49:52 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 16 Aug 2012 08:49:52 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502BFBA0.5000807@abusix.com> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> Message-ID: <502C9810.5080903@powerweb.de> Tobias Knecht wrote: > Hi everybody, Hi, as a blocklist operator, we simply drop every record for an allocation, if the abuse email address changes. Its kind of fuzzy, but works, new records will appear quick enough from an allocation, if its still the same abuser, only with a new abuse email address. And no records will appear, if its a real re-allocation hardly used so far. Other operators might use other fields, but the method is the same, keep track of the fields you are interested in and drop your records, reputation history or spam count or whatever for this allocation, if it changes. You dont even have to store the real information, you can simply store a hash value :o) Kind regards, Frank > >> When nothing else works, blocking a range is what remains. Yes, >> blocking could be made better, for example some feedback from >> registries when a block has been reallocated might be of value. This >> info could be announced in by RIPE et.al. so blocklist operators may >> pick up this info. > > This is a great idea and an option that has been discussed at other > institutions already. I will put this on my list for future discussion > and I bet this would really help a lot if blacklists are willed to use > the offered information. > > Thanks, > > Tobias > -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From brian.nisbet at heanet.ie Thu Aug 16 11:17:06 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Thu, 16 Aug 2012 10:17:06 +0100 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> Message-ID: <502CBA92.4030901@heanet.ie> Heather, Heather Schiller wrote the following on 15/08/2012 20:51: > We've kind of veered away from the topic/questions I had about > reallocating actively abused address space.. but.. Yes indeed. However I'm not sure this is exactly the best place to discuss that matter. Space can be reclaimed and reallocated for a variety of reasons and while space that has been used for abusive behaviour may well require careful handling, I do not believe policies should be based on a subset of cases. Also, please see previous conversations about definition of "abuse" sadly. I think there may well be questions to ask around the reallocation of the space and the speed at which it was done, however I think those questions may be better asked in the NCC Services WG than here. Brian, Co-Chair, Anti-Abuse Working Group From lists at help.org Thu Aug 16 18:52:49 2012 From: lists at help.org (lists at help.org) Date: Thu, 16 Aug 2012 12:52:49 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502CBA92.4030901@heanet.ie> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502CBA92.4030901@heanet.ie> Message-ID: <502D2561.9060905@help.org> >Also, please see previous conversations about definition of "abuse" sadly. The definitions and purpose of this list should be explained when someone signs up for this list. From lists at help.org Thu Aug 16 19:06:09 2012 From: lists at help.org (lists at help.org) Date: Thu, 16 Aug 2012 13:06:09 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502C9810.5080903@powerweb.de> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> Message-ID: <502D2881.4090709@help.org> >if its still the same abuser This is why many of the blacklists are all screwed up. There is no standards and people are are put into 2 classes, abusers, and non-abusers. If you ask 100 people to define abuser you get 100 different answers. If you ask a blacklist operator to define the term they will either ignore you or scoff at you. Then they will give a childish argument that networks are private property and they can block what they want that disregards the actual issues that operators normally have contracts with their users and labeling people as "abusers" with no real definition can lead to legal liabilities. Of course anyone who brings up these issues is labeled a spammer which is why these issues never get corrected and why most blacklists are not legitimately operated. A blacklist operator should have standards for putting people on the list, as well as an appeal and review process. From Adam_Wosotowsky at McAfee.com Thu Aug 16 19:07:35 2012 From: Adam_Wosotowsky at McAfee.com (Adam_Wosotowsky at McAfee.com) Date: Thu, 16 Aug 2012 10:07:35 -0700 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D2561.9060905@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502CBA92.4030901@heanet.ie> <502D2561.9060905@help.org> Message-ID: <0FA7454E4511C048B3BF5CE9C94F7ED2807091CECC@SNCEXAPENG> > > The definitions and purpose of this list should be explained when > someone signs up for this list. > You'll have to forgive us Mr. Lists, the internet is hard: http://www.ripe.net/ripe/groups/wg/anti-abuse --adam From lists at help.org Thu Aug 16 19:23:34 2012 From: lists at help.org (lists at help.org) Date: Thu, 16 Aug 2012 13:23:34 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D2881.4090709@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> Message-ID: <502D2C96.20809@help.org> >http://www.ripe.net/ripe/groups/wg/anti-abuse I am aware of this but it simply uses another unidentified term "spam." Using one undefined term to define another undefined term is not a standard. As an official spokesperson for a major security company you should know that. This is why most of these abuse groups look like they are run out of someone's Mother's basement. I think some people posting large signatures for a 3-word reply is spam so should they be blacklisted because I have that opinion? Should they be labeled an "abuser" or "spammer" or some other undefined term? From thor.kottelin at turvasana.com Thu Aug 16 20:36:41 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Thu, 16 Aug 2012 21:36:41 +0300 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D2C96.20809@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of lists at help.org > Sent: Thursday, August 16, 2012 8:24 PM > To: anti-abuse-wg at ripe.net > >http://www.ripe.net/ripe/groups/wg/anti-abuse > > I am aware of this but it simply uses another unidentified term > "spam." > Using one undefined term to define another undefined term is not a > standard. Email spam is universally defined as unsolicited bulk email. It must be extremely rare for someone to join an anti-abuse *working* group without knowing basic concepts such as this one. > I think some people > posting > large signatures for a 3-word reply is spam so should they be > blacklisted because I have that opinion? Yes, I think you should publish a DNSBL consisting of IP addresses from which people have sent email messages that contain signatures. That would help you realise that a DNSBL only becomes relevant if server administrators find it useful and that generalisations such as 'blacklist operators are $this-and-that' are gratuitous. -- Thor Kottelin http://www.anta.net/ From lists at help.org Thu Aug 16 22:07:02 2012 From: lists at help.org (lists at help.org) Date: Thu, 16 Aug 2012 16:07:02 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> Message-ID: <502D52E6.4060603@help.org> >Email spam is universally defined as unsolicited bulk email. You need a definition that can withstand a court challenge. Grouping vague, undefined terms does not do the trick. If I post my e-mail address in a whois database or post it on a web site am I soliciting e-mail? How many is "bulk"? So if I send you, and only you, an ad after I collect your address from this list it is not "spam" because I did not send it in bulk? When you get a single message, using your definition, you can't tell if it is spam because you don't know if it was sent in "bulk" (whatever that means). Even if you see similar reports from many different sources if they came from different IP's you still can't tell if it was spam because if different people sent the messages it may not qualify as "bulk." I don't know anyone that actually uses such a standard, in practice, to define "spam." From joe at oregon.uoregon.edu Thu Aug 16 21:47:10 2012 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Thu, 16 Aug 2012 12:47:10 -0700 (PDT) Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated Message-ID: <12081612471024_F72E@oregon.uoregon.edu> Thor commented: #Email spam is universally defined as unsolicited bulk email. It must be #extremely rare for someone to join an anti-abuse *working* group without #knowing basic concepts such as this one. Actually, the question of "what's spam?" can be surprisingly tricky when things like national and local legislation gets factored in, to the point that some organizations prefer to refer to "unwanted email" or "abusive email" instead of "spam" instead. See, for example, reports from the MAAWG Email Metrics Program, e.g., www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf which reports industry percentages for "abusive email" Regards, Joe From lists at help.org Thu Aug 16 22:32:47 2012 From: lists at help.org (lists at help.org) Date: Thu, 16 Aug 2012 16:32:47 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D2C96.20809@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> Message-ID: <502D58EF.9090304@help.org> If I ran a blacklist and said I am posting a list of people who post to mailing lists with signatures that were greater than 6 lines then I don't see that as a problem. If I ran the same list and just claimed those people on the list were "spammers" or "internet abusers" without explaining that they posted a sig with more than 6 lines and I personally defined that as "abuse" then that is a poorly run list. For instance, http://www.spamhaus.org/consumer/definition/ is not a usable definition to be a standard because it is just a collection of vague, undefined terms. Of course all others who are not system admins, including all courts and judges, are all "clueless" and all legal threats are unfounded and anyone who brings up the issue must be spammer. From thor.kottelin at turvasana.com Thu Aug 16 22:43:28 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Thu, 16 Aug 2012 23:43:28 +0300 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <12081612471024_F72E@oregon.uoregon.edu> References: <12081612471024_F72E@oregon.uoregon.edu> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of Joe St Sauver > Sent: Thursday, August 16, 2012 10:47 PM > To: thor.kottelin at turvasana.com > Cc: anti-abuse-wg at ripe.net > Thor commented: > > #Email spam is universally defined as unsolicited bulk email. It > must be > #extremely rare for someone to join an anti-abuse *working* group > without > #knowing basic concepts such as this one. > > Actually, the question of "what's spam?" can be surprisingly tricky > when > things like national and local legislation gets factored in Yes. As an example, Finland's principal anti-spam law (the Act on the Protection of Privacy in Electronic Communications, 516/2004) applies only to marketing, not to e.g. political or religious advocacy. In addition, it is legally permissible here to spam legal persons that have not specifically opted out. Although these provisions do not imply that email messages may not be legally rejected by, or on behalf of, the intended recipient, national quirks may have to be considered when spam control measures are implemented in each nation. However, this working group and the numerous other organisations that combat email abuse internationally need a common definition of what constitutes email spam, and such a definition we do have. -- Thor Kottelin http://www.anta.net/ From lem at isc.org Fri Aug 17 00:38:09 2012 From: lem at isc.org (=?iso-8859-1?Q?Luis_Mu=F1oz?=) Date: Thu, 16 Aug 2012 18:38:09 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D58EF.9090304@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502D58EF.9090304@help.org> Message-ID: <10D11B4C-093E-4119-B252-B1A7484C9526@isc.org> On Aug 16, 2012, at 4:32 PM, lists at help.org wrote: > If I ran the same list and just claimed those people on the list were "spammers" or "internet abusers" without explaining that they posted a sig with more than 6 lines and I personally defined that as "abuse" then that is a poorly run list. Well, they would be spammers or abusers according to your definition. As long as the contents of your list were consistent with whatever you define, then the list would be "well maintained". That list would be expressing *your* opinion. If you ask most people on this list whether they agree with the implicit definition of spam you used for this hypothetical list, I'm fairly certain most would disagree. Now, mail system administrators would also have to agree with your definition (or at least, consider your list as a useful resource) in order to add it to their own filtering systems. Until that happens, a listing in your list has no consequence for the mail flow. And mail system administrators' opinions will be heavily biased with the customers they serve. If an admin deploys a list that blocks legitimate spam (or that does not block enough of it) customers will complain and eventually leave. This is evolution at work. > For instance,http://www.spamhaus.org/consumer/definition/ is not a usable definition to be a standard because it is just a collection of vague, undefined terms. Yet that definition is good enough to be used by the community at large, so I would call it a de facto standard. Chances are this message will have to pass through a bunch of mail filters whose inputs are based on that precise definition. Best regards -lem From lists at help.org Fri Aug 17 06:59:09 2012 From: lists at help.org (lists at help.org) Date: Fri, 17 Aug 2012 00:59:09 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <10D11B4C-093E-4119-B252-B1A7484C9526@isc.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502D58EF.9090304@help.org> <10D11B4C-093E-4119-B252-B1A7484C9526@isc.org> Message-ID: <502DCF9D.8090406@help.org> >Yet that definition is good enough to be used by the community at large, What I am saying is that definition is not really used in practice. A recent e-mail was sent to this list that contained a different charter set which i think most people would define as "spam", Unwanted e-mail, etc. However, I have no knowledge that it was sent in "bulk" and because it had an alternate charter set I don't even know if it was a solicitation. The message does not fit the definition yet I would define it as "spam". once you look at filtering algorithms you can see how tricky it is and no spam filters works 100% correctly and the parameters change all the time based on conditions. If you start accusing people of something without having a clear definition of what they did then you are running into trouble. Think of credit reporting agencies and all the associated problems if such a database is not run correctly. they don't say "this is a list of deadbeats" they say something like "This person is delinquent on their electric bill by 90 days." If the person pays the electric bill then they are removed from the list. If you just say "the person is a deadbeat" then there is no clear definition of what the person did to get on the list and the person does not know what to do to get off the list. This is how most blacklists are run now. Comcast is a good example. once when they incorrectly blocked ports on my connection. When I asked them why they told me they were not to tell me the reason ... but they added if I did it gain I would be permanently blocked! These are the kind of crazy statements you get from some blacklist operators who think their security issues trump every other issue in the world. From lists at help.org Fri Aug 17 07:29:10 2012 From: lists at help.org (lists at help.org) Date: Fri, 17 Aug 2012 01:29:10 -0400 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502DCF9D.8090406@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502D58EF.9090304@help.org> <10D11B4C-093E-4119-B252-B1A7484C9526@isc.org> <502DCF9D.8090406@help.org> Message-ID: <502DD6A6.9010800@help.org> I dug out an e-mail someone sent me after dealing with Cisco's Senderbase.org reputation site: "We are having the same problem with Senderbase. Their information is inaccurate and they will not tell us why we don't have a good rating. We are not on any blacklists, send 150,000 emails per day and have had the same IP addresses for seven years. They do respond but in an arrogant, rude, and accusatory manner." (Senderbase.org claims they are a credit reporting agency for IP addresses. ) Many abuse people operating these blacklists think that once they detect something they "know" the person is an "abuser" and, therefore, they have no rights and any of their objections should be disregarded. Either that or the person is regarded as "clueless" and any related legal threat is a "cartooney." From peter at hk.ipsec.se Fri Aug 17 08:30:36 2012 From: peter at hk.ipsec.se (peter h) Date: Fri, 17 Aug 2012 08:30:36 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D52E6.4060603@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502D52E6.4060603@help.org> Message-ID: <201208170830.37394.peter@hk.ipsec.se> On Thursday 16 August 2012 22.07, lists at help.org wrote: > >Email spam is universally defined as unsolicited bulk email. > > You need a definition that can withstand a court challenge. Grouping > vague, undefined terms does not do the trick. If I post my e-mail > address in a whois database or post it on a web site am I soliciting > e-mail? How many is "bulk"? So if I send you, and only you, an ad > after I collect your address from this list it is not "spam" because I > did not send it in bulk? When you get a single message, using your > definition, you can't tell if it is spam because you don't know if it > was sent in "bulk" (whatever that means). Even if you see similar > reports from many different sources if they came from different IP's you > still can't tell if it was spam because if different people sent the > messages it may not qualify as "bulk." I don't know anyone that > actually uses such a standard, in practice, to define "spam." > One advetsiment sent without my explicit demand is by definition spam. There is no greyzone! > > -- Peter H?kanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det ?r billigare att g?ra r?tt. Det ?r dyrt att laga fel. ) From ripe-anti-spam-wg at powerweb.de Fri Aug 17 08:50:39 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 17 Aug 2012 08:50:39 +0200 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502D2C96.20809@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> Message-ID: <502DE9BF.6030007@powerweb.de> lists at help.org wrote: > >http://www.ripe.net/ripe/groups/wg/anti-abuse > Hello Mr. Lists, well, you kind of forgot the discussion about this topic you started a while ago ... its all in the archives. first, this list changed its name from anti-spam-wg to anti-abuse-wg, guess why ? spam defines the problem on the senders side, and your right, you cannot define spam because of different personal and legal definitions, you can only use it as a more general term, most people simply know what it is. (you can try and defined "live". I will be happy, if you could, most people cannot and also have different definitions, but most people also have the same ideas, when they talk about "live". You can also try and define "red" ...) second, we are talking about abuse here abuse is clearly definable, it happens on the receivers side, its either abusing somebody personally and could have various reasons or legal background, defined by different countries law, organisation rules, whatever ... third, the same email could be abusive in one country or when received by one person or organization or whatever entity and could be ok with others fourth, there is NO clear definition of abuse at the receivers side because of those different "feelings" or laws, but this one: ITS ABUSING HIM Therefore the definition of spam is pretty easy: a spam email is an unwanted email that abusing the receiver Its disturbing him, tricking him, forcing him to do illegal things, forcing him to buy things, he does not want, using his resources in a way, he did not intent, using his time, forcing him to learn and use techniques to get rid of it or whatever. He feels abused. And thats it. And this group simply tries to make it easy to prevent abuse, if the abused one wants it ... > I am aware of this but it simply uses another unidentified term "spam." > Using one undefined term to define another undefined term is not a > standard. As an official spokesperson for a major security company you > should know that. This is why most of these abuse groups look like they > are run out of someone's Mother's basement. I think some people posting > large signatures for a 3-word reply is spam so should they be > blacklisted because I have that opinion? Should they be labeled an Well, I personally feel abused by people joining a discussion without telling their name, dont reveal their background and kind of hide. I feel uncomfortable with it, because I do not get enough context to argue. Furthermore I think, its rude ... I also feel abused by discussing the same things all over again ... And so: I do not want most of your comments and mails, they are unwanted and unsolicited to me personally, they are using my time and energy to read and answer, they are making me angry, because they are rude and thats stopping me from arguing without fellings and only using facts, and thats making me even more angry, and according to my definition: I would call them spam ... And you can come with whatever argument, it will not count, cause you already abused me and you cannot take that back. > "abuser" or "spammer" or some other undefined term? > > > Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From brian.nisbet at heanet.ie Fri Aug 17 10:40:03 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 17 Aug 2012 09:40:03 +0100 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502DE9BF.6030007@powerweb.de> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> Message-ID: <502E0363.6040405@heanet.ie> Folks, I'm picking this email as the end of the thread (right now). We've gone far from our original starting point on this conversation. As Joe pointed out yesterday evening, this is not an easy conversation. There are many, many factors that go into defining "spam" and even "abuse". This working group could spend the rest of its existence trying to define them and do nothing else, so let's not try and do that. Thanks, Brian, Co-Chair AA WG Frank Gadegast wrote the following on 17/08/2012 07:50: > lists at help.org wrote: >> >http://www.ripe.net/ripe/groups/wg/anti-abuse >> > > Hello Mr. Lists, > > well, you kind of forgot the discussion about this topic > you started a while ago ... its all in the archives. > > > first, this list changed its name from anti-spam-wg to > anti-abuse-wg, guess why ? > spam defines the problem on the senders side, and your right, > you cannot define spam because of different personal and legal > definitions, you can only use it as a more general term, > most people simply know what it is. > > (you can try and defined "live". I will be happy, if you could, > most people cannot and also have different definitions, > but most people also have the same ideas, when they talk > about "live". You can also try and define "red" ...) > > second, we are talking about abuse here > abuse is clearly definable, it happens on the receivers > side, its either abusing somebody personally and could > have various reasons or legal background, defined by different > countries law, organisation rules, whatever ... > > third, the same email could be abusive in one country or > when received by one person or organization or > whatever entity and could be ok with others > > fourth, there is NO clear definition of abuse at the receivers > side because of those different "feelings" or laws, but this one: > ITS ABUSING HIM > > Therefore the definition of spam is pretty easy: > a spam email is an unwanted email that abusing the receiver > > Its disturbing him, tricking him, forcing him to do illegal > things, forcing him to buy things, he does not want, using > his resources in a way, he did not intent, using his time, > forcing him to learn and use techniques to get rid of it > or whatever. > He feels abused. > > And thats it. > > And this group simply tries to make it easy to prevent abuse, > if the abused one wants it ... > >> I am aware of this but it simply uses another unidentified term "spam." >> Using one undefined term to define another undefined term is not a >> standard. As an official spokesperson for a major security company you >> should know that. This is why most of these abuse groups look like they >> are run out of someone's Mother's basement. I think some people posting >> large signatures for a 3-word reply is spam so should they be >> blacklisted because I have that opinion? Should they be labeled an > > Well, I personally feel abused by people joining a discussion > without telling their name, dont reveal their background and > kind of hide. I feel uncomfortable with it, because I > do not get enough context to argue. > Furthermore I think, its rude ... > > I also feel abused by discussing the same things all > over again ... > > And so: I do not want most of your comments and mails, > they are unwanted and unsolicited to me personally, > they are using my time and energy to read and answer, > they are making me angry, because they are rude and > thats stopping me from arguing without fellings and > only using facts, and thats making me even more > angry, and according to my definition: > I would call them spam ... > > And you can come with whatever argument, it will > not count, cause you already abused me and you > cannot take that back. > >> "abuser" or "spammer" or some other undefined term? >> >> >> > > > Kind regards, Frank > -- > PHADE Software - PowerWeb http://www.powerweb.de > Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de > Schinkelstrasse 17 fon: +49 33200 52920 > 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 > ====================================================================== > From shane at time-travellers.org Fri Aug 17 11:14:21 2012 From: shane at time-travellers.org (Shane Kerr) Date: Fri, 17 Aug 2012 11:14:21 +0200 Subject: [anti-abuse-wg] Metrics for quality of BL or other abuse sites, was Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <66e5b465-8093-4502-a76f-6981e34d4195@email.android.com> <502BD5E3.5030107@help.org> Message-ID: <20120817111421.71dad7c1@shane-desktop> Thor, On Wednesday, 2012-08-15 20:43:03 +0300, "Thor Kottelin" wrote: > > -----Original Message----- > > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > > bounces at ripe.net] On Behalf Of lists at help.org > > Sent: Wednesday, August 15, 2012 8:01 PM > > To: > > > On 8/15/2012 11:55 AM, Luis Mu?oz wrote: > > > In my experience, lists managed through those principles tend to > > fall out of use relatively quickly and are therefore rather > > inconsequential for mail delivery. > > > > That is not my experience. For instance, you can readily find > > complaints about Microsoft and Cisco as well as some of the > > contributors > > to this list. > > One can probably 'find complaints' about whichever matter in > existence. Highly useful and widely used DNSBLs tend to draw > particularly large amounts of irate complaints from people whose > resources have been listed. "The plural of anecdote is not data."(*) I find this particular bit of the exchange interesting. I wonder if there are metrics - preferably open and peer-reviewed metrics - for the quality of black list or other abuse reporting sites? This seems like it could be useful, and not only for arguments on the anti-abuse mailing list. :) -- Shane (*) I was going to attribute this, but it's not clear where this originated from: http://bearcastle.com/blog/?p=408 From shane at time-travellers.org Fri Aug 17 11:21:31 2012 From: shane at time-travellers.org (Shane Kerr) Date: Fri, 17 Aug 2012 11:21:31 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D52E6.4060603@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502D52E6.4060603@help.org> Message-ID: <20120817112131.6b3b6e5c@shane-desktop> Dear $PERSON, On Thursday, 2012-08-16 16:07:02 -0400, "lists at help.org" wrote: > >Email spam is universally defined as unsolicited bulk email. > > You need a definition that can withstand a court challenge. Why? -- Shane From peter at hk.ipsec.se Fri Aug 17 15:28:44 2012 From: peter at hk.ipsec.se (peter h) Date: Fri, 17 Aug 2012 15:28:44 +0200 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502DE9BF.6030007@powerweb.de> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> Message-ID: <201208171528.44625.peter@hk.ipsec.se> On Friday 17 August 2012 08.50, Frank Gadegast wrote: > lists at help.org wrote: > > >http://www.ripe.net/ripe/groups/wg/anti-abuse > > > > Hello Mr. Lists, > > well, you kind of forgot the discussion about this topic > you started a while ago ... its all in the archives. > > > first, this list changed its name from anti-spam-wg to > anti-abuse-wg, guess why ? > spam defines the problem on the senders side, and your right, > you cannot define spam because of different personal and legal > definitions, you can only use it as a more general term, > most people simply know what it is. A disagree. spam is a well defined thing. It's unsolcitated commercial email. What is lacking in many countries is a legal definition and sanctions for sending spam. We ought to be able to fight spam ( as an international problem) even if some countries does not have specific laws against it. > > (you can try and defined "live". I will be happy, if you could, > most people cannot and also have different definitions, > but most people also have the same ideas, when they talk > about "live". You can also try and define "red" ...) > > second, we are talking about abuse here > abuse is clearly definable, it happens on the receivers > side, its either abusing somebody personally and could > have various reasons or legal background, defined by different > countries law, organisation rules, whatever ... > > third, the same email could be abusive in one country or > when received by one person or organization or > whatever entity and could be ok with others You must diffrentiate between acts illegal in some country and spam. It's 2 completeley different things. Note that even person-to-person messages containg for instance childporn is illegal in many countries, but it is not spam. > > fourth, there is NO clear definition of abuse at the receivers > side because of those different "feelings" or laws, but this one: > ITS ABUSING HIM > > Therefore the definition of spam is pretty easy: > a spam email is an unwanted email that abusing the receiver > Now you have invented a "kitchen-variant" of definition os spam which most people disagrees with. Spam has nothing to do with any receiver beeing abused, it's only unsolicited commercial email(s). > Its disturbing him, tricking him, forcing him to do illegal > things, forcing him to buy things, he does not want, using > his resources in a way, he did not intent, using his time, > forcing him to learn and use techniques to get rid of it > or whatever. > He feels abused. Whats really annoying is that spam is delivered with stolen resources ( abusing peoples computers and tricking them in delivering their spews). So with spam there is two victims. the person who's resources is unknowingly abused to send spam , and the recipient that has to pay for receiving spam. > > And thats it. > > And this group simply tries to make it easy to prevent abuse, > if the abused one wants it ... > > > I am aware of this but it simply uses another unidentified term "spam." > > Using one undefined term to define another undefined term is not a > > standard. As an official spokesperson for a major security company you > > should know that. This is why most of these abuse groups look like they > > are run out of someone's Mother's basement. I think some people posting > > large signatures for a 3-word reply is spam so should they be > > blacklisted because I have that opinion? Should they be labeled an > > Well, I personally feel abused by people joining a discussion > without telling their name, dont reveal their background and > kind of hide. I feel uncomfortable with it, because I > do not get enough context to argue. > Furthermore I think, its rude ... Good day sir, my name is peter h?kanson, which clearly was in my .sig. > > I also feel abused by discussing the same things all > over again ... If nothing happens then the same issues will come up again and again .. > > And so: I do not want most of your comments and mails, > they are unwanted and unsolicited to me personally, > they are using my time and energy to read and answer, > they are making me angry, because they are rude and > thats stopping me from arguing without fellings > only using facts, and thats making me even more > angry, and according to my definition: > I would call them spam ... Then please unsubscribe. Remember that thisis a opt-in list. > btw > And you can come with whatever argument, it will > not count, cause you already abused me and you > cannot take that back. > > > "abuser" or "spammer" or some other undefined term? > > > > > > > > > Kind regards, Frank > -- > PHADE Software - PowerWeb http://www.powerweb.de > Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de > Schinkelstrasse 17 fon: +49 33200 52920 > 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 > ====================================================================== > -- Peter H?kanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det ?r billigare att g?ra r?tt. Det ?r dyrt att laga fel. ) From ripe-anti-spam-wg at powerweb.de Fri Aug 17 15:45:10 2012 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 17 Aug 2012 15:45:10 +0200 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <201208171528.44625.peter@hk.ipsec.se> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <201208171528.44625.peter@hk.ipsec.se> Message-ID: <502E4AE6.3090708@powerweb.de> peter h wrote: Hello Peter, >> you cannot define spam because of different personal and legal >> definitions, you can only use it as a more general term, >> most people simply know what it is. > > A disagree. > > spam is a well defined thing. It's unsolcitated commercial email. Sure, but its not a worldwide and lawfull definition. Its only commonly used like this ... > What is lacking in many countries is a legal definition and > sanctions for sending spam. And thats the point (we already know). So: you cannot judge anything as spam, simply because definition and laws differ. > We ought to be able to fight spam ( as an international problem) even if some > countries does not have specific laws against it. Thats surely true. >> (you can try and defined "live". I will be happy, if you could, >> most people cannot and also have different definitions, >> but most people also have the same ideas, when they talk >> about "live". You can also try and define "red" ...) >> >> second, we are talking about abuse here >> abuse is clearly definable, it happens on the receivers >> side, its either abusing somebody personally and could >> have various reasons or legal background, defined by different >> countries law, organisation rules, whatever ... >> >> third, the same email could be abusive in one country or >> when received by one person or organization or >> whatever entity and could be ok with others > You must diffrentiate between acts illegal in some country and spam. It's > 2 completeley different things. Just what I sayd. > Note that even person-to-person messages containg for instance childporn > is illegal in many countries, but it is not spam. That why we are not focusing on spam, we are focusing on abuse, what makes things much easier. >> fourth, there is NO clear definition of abuse at the receivers >> side because of those different "feelings" or laws, but this one: >> ITS ABUSING HIM >> >> Therefore the definition of spam is pretty easy: >> a spam email is an unwanted email that abusing the receiver >> > Now you have invented a "kitchen-variant" of definition os spam which most > people disagrees with. Spam has nothing to do with any receiver > beeing abused, it's only unsolicited commercial email(s). But it would be a much better definition ;o) > Whats really annoying is that spam is delivered with stolen resources ( abusing > peoples computers and tricking them in delivering their spews). So > with spam there is two victims. the person who's resources is unknowingly > abused to send spam , and the recipient that has to pay for receiving spam. You are downgrade this on abuse again, and forget the word "spam" completely. If there are laws in the country of the abused resources, you can fight it and if if there are laws in the receivers country you can do the same. > Good day sir, my name is peter h?kanson, which clearly was in my .sig. Thnx for that. > Then please unsubscribe. Remember that thisis a opt-in list. Hm, difficult. I like the tone of arround 99,9% of the mails coming through and Im pretty sure, that there is something like a netiquette for this list (we all maybe agreed to when signing in). I would prever, that most people do not hide instead of missing all the valuable other mails. Kind regards, Frnak -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From lists at help.org Fri Aug 17 18:01:10 2012 From: lists at help.org (lists at help.org) Date: Fri, 17 Aug 2012 12:01:10 -0400 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502E0363.6040405@heanet.ie> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <502E0363.6040405@heanet.ie> Message-ID: <502E6AC6.5090602@help.org> > This working group could spend the rest of its existence trying to define them and do nothing else, so let's not try and do that. Then the list should be shut down as worthless if you cannot even define what you are doing. From Adam_Wosotowsky at McAfee.com Fri Aug 17 18:10:40 2012 From: Adam_Wosotowsky at McAfee.com (Adam_Wosotowsky at McAfee.com) Date: Fri, 17 Aug 2012 09:10:40 -0700 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502E6AC6.5090602@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <502E0363.6040405@heanet.ie> <502E6AC6.5090602@help.org> Message-ID: <0FA7454E4511C048B3BF5CE9C94F7ED280709DF3B1@SNCEXAPENG> How old are you? --adam > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of lists at help.org > Sent: Friday, August 17, 2012 12:01 PM > To: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] definition of abuse > > > This working group could spend the rest of its existence trying to > define them and do nothing else, so let's not try and do that. > > Then the list should be shut down as worthless if you cannot even > define what you are doing. > From lists at help.org Fri Aug 17 19:31:29 2012 From: lists at help.org (lists at help.org) Date: Fri, 17 Aug 2012 13:31:29 -0400 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <0FA7454E4511C048B3BF5CE9C94F7ED280709DF3B1@SNCEXAPENG> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <502E0363.6040405@heanet.ie> <502E6AC6.5090602@help.org> <0FA7454E4511C048B3BF5CE9C94F7ED280709DF3B1@SNCEXAPENG> Message-ID: <502E7FF1.4090805@help.org> When you bring up an issue about following standards these are the kind of screwball messages you get from the so-called abuse community. You have the people running the list trying to end a valid discussion. That is because they if they have standards these people cannot run around making stuff up as they go along to fit their personal agenda. Of course the one fellow has a home page where he wraps himself in a curtain and calls himself "emperor Shane" http://www.time-travellers.org/. I think that about sums up the abuse "community" running this list. On 8/17/2012 12:10 PM, Adam_Wosotowsky at McAfee.com wrote: > How old are you? > > --adam > You need a definition that can withstand a court challenge. Why? -- Shane let's not try and do that. Thanks, Brian, Co-Chair AA WG From lem at isc.org Fri Aug 17 20:04:58 2012 From: lem at isc.org (=?iso-8859-1?Q?Luis_Mu=F1oz?=) Date: Fri, 17 Aug 2012 14:04:58 -0400 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <502E7FF1.4090805@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <502E0363.6040405@heanet.ie> <502E6AC6.5090602@help.org> <0FA7454E4511C048B3BF5CE9C94F7ED280709DF3B1@SNCEXAPENG> <502E7FF1.4090805@help.org> Message-ID: <872A52B8-AE11-4505-92D2-82EBF1536FE7@isc.org> On Aug 17, 2012, at 1:31 PM, lists at help.org wrote: > When you bring up an issue about following standards these are the kind of screwball messages you get from the so-called abuse community. You have the people running the list trying to end a valid discussion. That is because they if they have standards these people cannot run around making stuff up as they go along to fit their personal agenda. Of course the one fellow has a home page where he wraps himself in a curtain and calls himself "emperor Shane" http://www.time-travellers.org/. I think that about sums up the abuse "community" running this list. I think you are the one trying to end a valid discussion. Shane's question is perfectly valid: Why does a working, widely accepted, "de facto" standard definition needs to stand out in court? -lem From lists at help.org Fri Aug 17 23:14:56 2012 From: lists at help.org (lists at help.org) Date: Fri, 17 Aug 2012 17:14:56 -0400 Subject: [anti-abuse-wg] definition of abuse In-Reply-To: <872A52B8-AE11-4505-92D2-82EBF1536FE7@isc.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502BC46E.4060300@help.org> <201208152026.53880.peter@hk.ipsec.se> <502BFBA0.5000807@abusix.com> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> <502D2C96.20809@help.org> <502DE9BF.6030007@powerweb.de> <502E0363.6040405@heanet.ie> <502E6AC6.5090602@help.org> <0FA7454E4511C048B3BF5CE9C94F7ED280709DF3B1@SNCEXAPENG> <502E7FF1.4090805@help.org> <872A52B8-AE11-4505-92D2-82EBF1536FE7@isc.org> Message-ID: <502EB450.2030506@help.org> >I think you are the one trying to end a valid discussion. Shane's question is perfectly valid: Why does a working, widely accepted, "de facto" standard definition needs to stand out in court? -lem As I pointed out it is often not actually used in practice. It works to a certain extent. it needs to stand up in court because there has been and most likely will be lawsuits when reputations and blacklists are published. If there are valid standards and procedures then there is a much less likelihood of getting sued. Often what you have now is people making stuff up as they go along and these are the ones who don't want standards. A few years back I tried to answer someone's e-mail and my reply was blocked. The abuse person told me my IP address block had issues and I was supposed to go back to my ISP and tell them to stop it. I asked what the issue was and they said they were not going to tell me ... but I was going to continue to be blocked until I somehow made this ISP stop some unknown activity that I knew nothing about. (The person contributes to this list but they always claim they don't remember it). Entities who do stuff like this are going to get sued sooner or later and without standards they will have problems. From peter at hk.ipsec.se Sat Aug 18 14:17:35 2012 From: peter at hk.ipsec.se (peter h) Date: Sat, 18 Aug 2012 14:17:35 +0200 Subject: [anti-abuse-wg] Hold time for abused address space - DNSChanger IP's reallocated In-Reply-To: <502D2881.4090709@help.org> References: <20120815133107.BA23F5A403A@merlin.blacknight.ie> <502C9810.5080903@powerweb.de> <502D2881.4090709@help.org> Message-ID: <201208181417.36022.peter@hk.ipsec.se> On Thursday 16 August 2012 19.06, lists at help.org wrote: > >if its still the same abuser > > This is why many of the blacklists are all screwed up. Please clarify. in what way ? > There is no > standards and people are are put into 2 classes, abusers, and > non-abusers. If you ask 100 people to define abuser you get 100 > different answers. If you ask a blacklist operator to define the term > they will either ignore you or scoff at you. Then they will give a > childish argument that networks are private property and they can block > what they want that disregards the actual issues that operators normally > have contracts with their users and labeling people as "abusers" with no > real definition can lead to legal liabilities. If you think that there is an obligation to receive whatever comes into a mailbox you are utterly wrong. My mailserver is my property and i block whatever i want for whatever obscure reason. > Of course any.one who > brings up these issues is labeled a spammer which is why these issues > never get corrected and why most blacklists are not legitimately operated. > > A blacklist operator should have standards for putting people on the > list, as well as an appeal and review process. I assume that any blacklist operator has a "standard", usually it's a listing done by some offending soam. The good thing with blacklists is that ISP's might interact with the blacklist operator and remove ranges that no longer spam. If admin instead listed in their "access-files" then chances are that those listning will never be removed, and there is no visible authority to discuss them with. Thanks for spamcop et.al, they are the only thing that kees email still alive. > > > -- Peter H?kanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det ?r billigare att g?ra r?tt. Det ?r dyrt att laga fel. ) From brian.nisbet at heanet.ie Mon Aug 20 09:55:07 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Mon, 20 Aug 2012 08:55:07 +0100 Subject: [anti-abuse-wg] 2011-06 Move to Last Call (Abuse Contact Management in the RIPE NCC Database) Message-ID: <5031ED5B.6090905@heanet.ie> Colleagues, RIPE Proposal 2011-06 (Abuse Contact Management in the RIPE NCC Database) has reached the end of its extended Review Phase and a decision must now be made regarding the next steps. I (Tobias, as the main proposer, has, as agreed & discussed stepped back from his co-chair duties on this one) have gone through the various mails and discussions from the the review phase, a short summary of which is below. I feel that the main thrust of the discussion on 2011-06 gave support to the proposal. The initial discussion phase lead to a redrafting of the proposal and some questions over the mandatory nature of the attribute and the future of the IRTs. It was also clarified that while there may be further output from the ACM-TF and/or further proposals in this space, 2011-06 was considered to be standalone. The second version was published on 16th April 2012, addressing, I believe, a number of points raised during the initial discussion phase. Some objections remained, such as opinions on the mandatory nature of the object and the lack of a wider plan. In May 2012 it was decided to go ahead and move the proposal to Review Phase, during which the RIPE NCC presented their impact analysis. This gave rise to discussion regarding the future of the IRT object. I believe that it has been clarified that while the NCC will put plans in place to deal with the decommissioning of the IRT object, they will, of course, only do so if the community proposes this. They have acknowledged that 2011-06 does not contain this proposal and so no action regarding the IRT object will be taken on foot of this proposal. I believe that the wider IRT community are happy with this. There was relatively little discussion during Review Phase, so it was extended for a further four weeks. During this time a number of objections were restated (mandatory nature and data protection issues) and discussed and a few new expressions of support were made. Overall it appears that there are three sustained objections to the proposal and twelve clear expressions of support. The opinion of some members of the list (who have commented) is unclear, however I feel there is sufficient consensus to move this proposal to Last Call. Emilio will made the formal announcement from the RIPE NCC PDO. If you disagree with this interpretation, please let me know. Brian Co-Chair, Anti-Abuse WG From emadaio at ripe.net Mon Aug 20 12:10:35 2012 From: emadaio at ripe.net (Emilio Madaio) Date: Mon, 20 Aug 2012 12:10:35 +0200 Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database) Message-ID: Dear Colleagues, The proposal described in 2011-06, "Abuse Contact Management in the RIPE NCC Database", is now at its Concluding Phase. You can find the full proposal at: https://www.ripe.net/ripe/policies/proposals/2011-06 Please e-mail any final comments about this proposal to anti-abuse-wg at ripe.net before 17 September 2012. Regards Emilio Madaio Policy Development Officer RIPE NCC From denatrisconsult at hotmail.nl Mon Aug 20 12:20:39 2012 From: denatrisconsult at hotmail.nl (Wout de Natris) Date: Mon, 20 Aug 2012 12:20:39 +0200 Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 12, Issue 16 In-Reply-To: References: Message-ID: Brian, >From my side a full support for the proposal. Without any obligations the proposal may never work as foreseen. And I would like to stress that Jerry Upton wrote on behalf of M3AAWG and in function as director, so representing the M3AAWG members. Looking at who those members are, I venture to see this as a very large support on behalf of the proposal. Best, Wout > From: anti-abuse-wg-request at ripe.net > Subject: anti-abuse-wg Digest, Vol 12, Issue 16 > To: anti-abuse-wg at ripe.net > Date: Mon, 20 Aug 2012 12:00:02 +0200 > > Send anti-abuse-wg mailing list submissions to > anti-abuse-wg at ripe.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ripe.net/mailman/listinfo/anti-abuse-wg > or, via email, send a message with subject or body 'help' to > anti-abuse-wg-request at ripe.net > > You can reach the person managing the list at > anti-abuse-wg-owner at ripe.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of anti-abuse-wg digest..." > > > Today's Topics: > > 1. 2011-06 Move to Last Call (Abuse Contact Management in the > RIPE NCC Database) (Brian Nisbet) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 20 Aug 2012 08:55:07 +0100 > From: Brian Nisbet > Subject: [anti-abuse-wg] 2011-06 Move to Last Call (Abuse Contact > Management in the RIPE NCC Database) > To: anti-abuse-wg at ripe.net > Message-ID: <5031ED5B.6090905 at heanet.ie> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Colleagues, > > RIPE Proposal 2011-06 (Abuse Contact Management in the RIPE NCC > Database) has reached the end of its extended Review Phase and a > decision must now be made regarding the next steps. I (Tobias, as the > main proposer, has, as agreed & discussed stepped back from his co-chair > duties on this one) have gone through the various mails and discussions > from the the review phase, a short summary of which is below. > > I feel that the main thrust of the discussion on 2011-06 gave support to > the proposal. > > The initial discussion phase lead to a redrafting of the proposal and > some questions over the mandatory nature of the attribute and the future > of the IRTs. It was also clarified that while there may be further > output from the ACM-TF and/or further proposals in this space, 2011-06 > was considered to be standalone. > > The second version was published on 16th April 2012, addressing, I > believe, a number of points raised during the initial discussion phase. > Some objections remained, such as opinions on the mandatory nature of > the object and the lack of a wider plan. > > In May 2012 it was decided to go ahead and move the proposal to Review > Phase, during which the RIPE NCC presented their impact analysis. This > gave rise to discussion regarding the future of the IRT object. I > believe that it has been clarified that while the NCC will put plans in > place to deal with the decommissioning of the IRT object, they will, of > course, only do so if the community proposes this. They have > acknowledged that 2011-06 does not contain this proposal and so no > action regarding the IRT object will be taken on foot of this proposal. > I believe that the wider IRT community are happy with this. > > There was relatively little discussion during Review Phase, so it was > extended for a further four weeks. During this time a number of > objections were restated (mandatory nature and data protection issues) > and discussed and a few new expressions of support were made. > > Overall it appears that there are three sustained objections to the > proposal and twelve clear expressions of support. The opinion of some > members of the list (who have commented) is unclear, however I feel > there is sufficient consensus to move this proposal to Last Call. > > Emilio will made the formal announcement from the RIPE NCC PDO. > > If you disagree with this interpretation, please let me know. > > Brian > Co-Chair, Anti-Abuse WG > > > > End of anti-abuse-wg Digest, Vol 12, Issue 16 > ********************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.nisbet at heanet.ie Mon Aug 20 12:26:57 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Mon, 20 Aug 2012 11:26:57 +0100 Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 12, Issue 16 In-Reply-To: References: Message-ID: <503210F1.1070800@heanet.ie> Wout, Wout de Natris wrote the following on 20/08/2012 11:20: > Brian, > > From my side a full support for the proposal. Without any obligations > the proposal may never work as foreseen. > > And I would like to stress that Jerry Upton wrote on behalf of M3AAWG > and in function as director, so representing the M3AAWG members. Looking > at who those members are, I venture to see this as a very large support > on behalf of the proposal. Thanks for that, however it should be noted that the mailing list is made up of individuals. While Jerry's email was noted as coming from M3AAWG and it is good that the group are involved in what we're doing here, the email carries the same weight, from a consensus point of view, as any other comment on the proposal. This is the same across all RIPE Working Groups. Brian. From ops.lists at gmail.com Mon Aug 20 13:00:38 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 20 Aug 2012 19:00:38 +0800 Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 12, Issue 16 In-Reply-To: References: Message-ID: +1 to what Wout said. Based on the M3AAWG endorsement of this proposal, it has support from the largest ISPs and messaging providers from around the world. +1 to the proposal from me personally. --srs On Mon, Aug 20, 2012 at 6:20 PM, Wout de Natris wrote: > Brian, > > From my side a full support for the proposal. Without any obligations the > proposal may never work as foreseen. > > And I would like to stress that Jerry Upton wrote on behalf of M3AAWG and in > function as director, so representing the M3AAWG members. Looking at who > those members are, I venture to see this as a very large support on behalf > of the proposal. > > Best, > > Wout > >> From: anti-abuse-wg-request at ripe.net >> Subject: anti-abuse-wg Digest, Vol 12, Issue 16 >> To: anti-abuse-wg at ripe.net >> Date: Mon, 20 Aug 2012 12:00:02 +0200 >> >> Send anti-abuse-wg mailing list submissions to >> anti-abuse-wg at ripe.net >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.ripe.net/mailman/listinfo/anti-abuse-wg >> or, via email, send a message with subject or body 'help' to >> anti-abuse-wg-request at ripe.net >> >> You can reach the person managing the list at >> anti-abuse-wg-owner at ripe.net >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of anti-abuse-wg digest..." >> >> >> Today's Topics: >> >> 1. 2011-06 Move to Last Call (Abuse Contact Management in the >> RIPE NCC Database) (Brian Nisbet) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Mon, 20 Aug 2012 08:55:07 +0100 >> From: Brian Nisbet >> Subject: [anti-abuse-wg] 2011-06 Move to Last Call (Abuse Contact >> Management in the RIPE NCC Database) >> To: anti-abuse-wg at ripe.net >> Message-ID: <5031ED5B.6090905 at heanet.ie> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >> >> Colleagues, >> >> RIPE Proposal 2011-06 (Abuse Contact Management in the RIPE NCC >> Database) has reached the end of its extended Review Phase and a >> decision must now be made regarding the next steps. I (Tobias, as the >> main proposer, has, as agreed & discussed stepped back from his co-chair >> duties on this one) have gone through the various mails and discussions >> from the the review phase, a short summary of which is below. >> >> I feel that the main thrust of the discussion on 2011-06 gave support to >> the proposal. >> >> The initial discussion phase lead to a redrafting of the proposal and >> some questions over the mandatory nature of the attribute and the future >> of the IRTs. It was also clarified that while there may be further >> output from the ACM-TF and/or further proposals in this space, 2011-06 >> was considered to be standalone. >> >> The second version was published on 16th April 2012, addressing, I >> believe, a number of points raised during the initial discussion phase. >> Some objections remained, such as opinions on the mandatory nature of >> the object and the lack of a wider plan. >> >> In May 2012 it was decided to go ahead and move the proposal to Review >> Phase, during which the RIPE NCC presented their impact analysis. This >> gave rise to discussion regarding the future of the IRT object. I >> believe that it has been clarified that while the NCC will put plans in >> place to deal with the decommissioning of the IRT object, they will, of >> course, only do so if the community proposes this. They have >> acknowledged that 2011-06 does not contain this proposal and so no >> action regarding the IRT object will be taken on foot of this proposal. >> I believe that the wider IRT community are happy with this. >> >> There was relatively little discussion during Review Phase, so it was >> extended for a further four weeks. During this time a number of >> objections were restated (mandatory nature and data protection issues) >> and discussed and a few new expressions of support were made. >> >> Overall it appears that there are three sustained objections to the >> proposal and twelve clear expressions of support. The opinion of some >> members of the list (who have commented) is unclear, however I feel >> there is sufficient consensus to move this proposal to Last Call. >> >> Emilio will made the formal announcement from the RIPE NCC PDO. >> >> If you disagree with this interpretation, please let me know. >> >> Brian >> Co-Chair, Anti-Abuse WG >> >> >> >> End of anti-abuse-wg Digest, Vol 12, Issue 16 >> ********************************************* -- Suresh Ramasubramanian (ops.lists at gmail.com) From ABonar at Emailvision.com Mon Aug 20 13:03:09 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Mon, 20 Aug 2012 13:03:09 +0200 Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 12, Issue 16 In-Reply-To: References: Message-ID: <9676711035B52642A190C7FDA4A44ED58989A0612C@EXCHCCR.Emailvision.com> Not currently members of M3AAWG however Emailvision (6bn + email messages per month) also supports this proposal +1 from me personally best Andrew Bonar Deliverability Director Emailvision -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Suresh Ramasubramanian Sent: 20 August 2012 13:01 To: Wout de Natris Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 12, Issue 16 +1 to what Wout said. Based on the M3AAWG endorsement of this proposal, it has support from the largest ISPs and messaging providers from around the world. +1 to the proposal from me personally. --srs On Mon, Aug 20, 2012 at 6:20 PM, Wout de Natris wrote: > Brian, > > From my side a full support for the proposal. Without any obligations > the proposal may never work as foreseen. > > And I would like to stress that Jerry Upton wrote on behalf of M3AAWG > and in function as director, so representing the M3AAWG members. > Looking at who those members are, I venture to see this as a very > large support on behalf of the proposal. > > Best, > > Wout > >> From: anti-abuse-wg-request at ripe.net >> Subject: anti-abuse-wg Digest, Vol 12, Issue 16 >> To: anti-abuse-wg at ripe.net >> Date: Mon, 20 Aug 2012 12:00:02 +0200 >> >> Send anti-abuse-wg mailing list submissions to anti-abuse-wg at ripe.net >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.ripe.net/mailman/listinfo/anti-abuse-wg >> or, via email, send a message with subject or body 'help' to >> anti-abuse-wg-request at ripe.net >> >> You can reach the person managing the list at >> anti-abuse-wg-owner at ripe.net >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of anti-abuse-wg digest..." >> >> >> Today's Topics: >> >> 1. 2011-06 Move to Last Call (Abuse Contact Management in the RIPE >> NCC Database) (Brian Nisbet) >> >> >> --------------------------------------------------------------------- >> - >> >> Message: 1 >> Date: Mon, 20 Aug 2012 08:55:07 +0100 >> From: Brian Nisbet >> Subject: [anti-abuse-wg] 2011-06 Move to Last Call (Abuse Contact >> Management in the RIPE NCC Database) >> To: anti-abuse-wg at ripe.net >> Message-ID: <5031ED5B.6090905 at heanet.ie> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >> >> Colleagues, >> >> RIPE Proposal 2011-06 (Abuse Contact Management in the RIPE NCC >> Database) has reached the end of its extended Review Phase and a >> decision must now be made regarding the next steps. I (Tobias, as the >> main proposer, has, as agreed & discussed stepped back from his >> co-chair duties on this one) have gone through the various mails and >> discussions from the the review phase, a short summary of which is below. >> >> I feel that the main thrust of the discussion on 2011-06 gave support >> to the proposal. >> >> The initial discussion phase lead to a redrafting of the proposal and >> some questions over the mandatory nature of the attribute and the >> future of the IRTs. It was also clarified that while there may be >> further output from the ACM-TF and/or further proposals in this >> space, 2011-06 was considered to be standalone. >> >> The second version was published on 16th April 2012, addressing, I >> believe, a number of points raised during the initial discussion phase. >> Some objections remained, such as opinions on the mandatory nature of >> the object and the lack of a wider plan. >> >> In May 2012 it was decided to go ahead and move the proposal to >> Review Phase, during which the RIPE NCC presented their impact >> analysis. This gave rise to discussion regarding the future of the >> IRT object. I believe that it has been clarified that while the NCC >> will put plans in place to deal with the decommissioning of the IRT >> object, they will, of course, only do so if the community proposes >> this. They have acknowledged that 2011-06 does not contain this >> proposal and so no action regarding the IRT object will be taken on foot of this proposal. >> I believe that the wider IRT community are happy with this. >> >> There was relatively little discussion during Review Phase, so it was >> extended for a further four weeks. During this time a number of >> objections were restated (mandatory nature and data protection >> issues) and discussed and a few new expressions of support were made. >> >> Overall it appears that there are three sustained objections to the >> proposal and twelve clear expressions of support. The opinion of some >> members of the list (who have commented) is unclear, however I feel >> there is sufficient consensus to move this proposal to Last Call. >> >> Emilio will made the formal announcement from the RIPE NCC PDO. >> >> If you disagree with this interpretation, please let me know. >> >> Brian >> Co-Chair, Anti-Abuse WG >> >> >> >> End of anti-abuse-wg Digest, Vol 12, Issue 16 >> ********************************************* -- Suresh Ramasubramanian (ops.lists at gmail.com) From davide.migliavacca at contactlab.com Mon Aug 20 16:31:47 2012 From: davide.migliavacca at contactlab.com (Davide Migliavacca) Date: Mon, 20 Aug 2012 14:31:47 +0000 Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database) Message-ID: > Please e-mail any final comments about this proposal to anti-abuse- > wg at ripe.net > before 17 September 2012. I fully support the proposal 2011-06 in its current form. Kind regards, Davide Migliavacca Cto, contactlab From wiegert at telus.net Mon Aug 20 19:15:11 2012 From: wiegert at telus.net (Arnold) Date: Mon, 20 Aug 2012 10:15:11 -0700 Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database) In-Reply-To: <20120820101117.WGQW14610.priv-edmwes23.telusplanet.net@edmwcm03> References: <20120820101117.WGQW14610.priv-edmwes23.telusplanet.net@edmwcm03> Message-ID: <5032709F.5000905@telus.net> On 20/08/2012 3:10 AM, Emilio Madaio wrote: > Dear Colleagues, > > The proposal described in 2011-06, "Abuse Contact Management in the > RIPE NCC Database", is now at its Concluding Phase. > > > You can find the full proposal at: > > https://www.ripe.net/ripe/policies/proposals/2011-06 > > Please e-mail any final comments about this proposal to anti-abuse-wg at ripe.net > before 17 September 2012. > > > Regards > > Emilio Madaio > Policy Development Officer > RIPE NCC > > > FWIW, as a plain old 'net citizen interested in reporting and reducing SPAM, I wholeheartedly endorse the proposal Arnold -- Fight Spam - report it with the latest wxSR 0.5 http://www.columbinehoney.net/wxSR.shtml From brian.nisbet at heanet.ie Tue Aug 21 16:18:34 2012 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Tue, 21 Aug 2012 15:18:34 +0100 Subject: [anti-abuse-wg] RIPE 65 Draft Agenda Message-ID: <503398BA.9040206@heanet.ie> Colleagues, We have just over a month to go before RIPE65, so I wanted to share the draft WG agenda. The WG meeting will take place on Thursday 27th September at 14:00 CEST. A. Administrative Matters * Welcome * Scribe, Jabber, Stenography * Microphone Etiquette * Approve Minutes from RIPE 64 * Finalise agenda B. Update * B1. Recent List Discussion * B2. CleanIT Project Update * B3. RIPE NCC Data Protection Legal Advice Update C. Policies * RIPE Policy 2011-06 D. Interactions * D1. Working Groups * D3. RIPE NCC Gov/LEA Interactions Update E. Presentation * E1. Operation of "Copy Shops" X. A.O.B. Z. Agenda for RIPE 66 As always, if you have any comments or anything to add, please don't hesitate to get in contact. Regards, Brian & Tobias From michieldeweger at centuryconsulting.nl Tue Aug 21 16:24:25 2012 From: michieldeweger at centuryconsulting.nl (Dr Michiel de Weger) Date: Tue, 21 Aug 2012 16:24:25 +0200 Subject: [anti-abuse-wg] new draft Clean IT cyber terrorism Message-ID: <58CB38FD93D44797ABF4731924672651.MAI@hostingenregistratie.nl> An HTML attachment was scrubbed... URL: From security at mutluit.com Tue Aug 21 16:44:40 2012 From: security at mutluit.com (U.Mutlu) Date: Tue, 21 Aug 2012 16:44:40 +0200 Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database) Message-ID: <50339ED8.9000905@mutluit.com> Emilio Madaio wrote, On 08/20/2012 12:10 PM: > Dear Colleagues, > > The proposal described in 2011-06, "Abuse Contact Management in the > RIPE NCC Database", is now at its Concluding Phase. > > You can find the full proposal at: > > https://www.ripe.net/ripe/policies/proposals/2011-06 > > Please e-mail any final comments about this proposal to anti-abuse-wg at ripe.net > before 17 September 2012. I fully support this proposal. Kind regards, U.Mutlu mutluit.com From security at mutluit.com Tue Aug 21 16:58:05 2012 From: security at mutluit.com (U.Mutlu) Date: Tue, 21 Aug 2012 16:58:05 +0200 Subject: [anti-abuse-wg] new draft Clean IT cyber terrorism In-Reply-To: <58CB38FD93D44797ABF4731924672651.MAI@hostingenregistratie.nl> References: <58CB38FD93D44797ABF4731924672651.MAI@hostingenregistratie.nl> Message-ID: <5033A1FD.9030508@mutluit.com> Dr Michiel de Weger wrote, On 08/21/2012 04:24 PM: > New draft has been published. Comments to: editorialboard at cleanitproject.eu > > http://www.cleanitproject.eu/new-clean-it-draft-document-available/ Is the term "terrorist" clearly defined? Does this proposal mean that for example web sites belonging to such listed terrorist organizations like the PKK, or their supporters, will be shut down in the EU? From security at mutluit.com Sun Aug 26 21:57:28 2012 From: security at mutluit.com (U.Mutlu) Date: Sun, 26 Aug 2012 21:57:28 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Message-ID: <503A7FA8.6030002@mutluit.com> Hi, how come that for the domain mynet.com, clearly a spam network, there is no abuse-contact in the whois database? whois mynet.com gives: " Domain Name: MYNET.COM ------------------------------------------------------------------------ Promote your business to millions of viewers for only $1 a month Learn how you can get an Enhanced Business Listing here for your domain name. Learn more at http://www.NetworkSolutions.com/ ------------------------------------------------------------------------ " ie. a spam network... From thor.kottelin at turvasana.com Sun Aug 26 22:23:27 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Sun, 26 Aug 2012 23:23:27 +0300 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <503A7FA8.6030002@mutluit.com> References: <503A7FA8.6030002@mutluit.com> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of U.Mutlu > Sent: Sunday, August 26, 2012 10:57 PM > To: anti-abuse-wg at ripe.net > how come that for the domain mynet.com, clearly a spam network, > there is no abuse-contact in the whois database? There is [1], but 'private registration' services such as this one are basically spam support services. Creating a policy that requires registrants to publish abuse contact information is much easier than forcing them to act on abuse reports. -- Thor Kottelin http://www.anta.net/ [1] [whois.networksolutions.com] NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS database through the use of high-volume, automated, electronic processes. The Data in Network Solutions' WHOIS database is provided by Network Solutions for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. Network Solutions does not guarantee its accuracy. By submitting a WHOIS query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to Network Solutions (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Network Solutions. You agree not to use high-volume, automated, electronic processes to access or query the WHOIS database. Network Solutions reserves the right to terminate your access to the WHOIS database in its sole discretion, including without limitation, for excessive querying of the WHOIS database or for failure to otherwise abide by this policy. Network Solutions reserves the right to modify these terms at any time. Get a FREE domain name registration, transfer, or renewal with any annual hosting package. http://www.networksolutions.com Visit AboutUs.org for more information about MYNET.COM AboutUs: MYNET.COM Registrant: Mynet Medya Yayincilik Uluslararasi Elektronik Bilgilendirme ve Haberlesme Hizmetleri A.S ATTN MYNET.COM care of Network Solutions PO Box 459 Drums, PA. US 18222 Domain Name: MYNET.COM ------------------------------------------------------------------------ Promote your business to millions of viewers for only $1 a month Learn how you can get an Enhanced Business Listing here for your domain name. Learn more at http://www.NetworkSolutions.com/ ------------------------------------------------------------------------ Administrative Contact, Technical Contact: Kurttepeli, Emre au7qj8xu3j6 at networksolutionsprivateregistration.com Mynet Medya Yayincilik Uluslararasi ATTN MYNET.COM care of Network Solutions PO Box 459 Drums, PA 18222 US 570-708-8780 Record expires on 18-Dec-2015. Record created on 19-Dec-1994. Database last updated on 26-Aug-2012 15:51:40 EDT. Domain servers in listed order: DNS1.MYNET.COM 212.101.97.6 DNS2.MYNET.COM 212.101.97.7 This listing is a Network Solutions Private Registration. Mail correspondence to this address must be sent via USPS Express Mail(TM) or USPS Certified Mail(R); all other mail will not be processed. Be sure to include the registrant's domain name in the address. From ABonar at Emailvision.com Sun Aug 26 22:28:39 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Sun, 26 Aug 2012 22:28:39 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <503A7FA8.6030002@mutluit.com> References: <503A7FA8.6030002@mutluit.com> Message-ID: <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> If you are wanting to report abuse about MYNET, please feel free to contact me off-list and I may be able to facilitate. I would be interested to hear about spam problems people may have about MyNet best Andrew Bonar Deliverability Director, Emailvision? -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of U.Mutlu Sent: 26 August 2012 21:57 To: anti-abuse-wg at ripe.net Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Hi, how come that for the domain mynet.com, clearly a spam network, there is no abuse-contact in the whois database? whois mynet.com gives: " Domain Name: MYNET.COM ------------------------------------------------------------------------ Promote your business to millions of viewers for only $1 a month Learn how you can get an Enhanced Business Listing here for your domain name. Learn more at http://www.NetworkSolutions.com/ ------------------------------------------------------------------------ " ie. a spam network... From security at mutluit.com Sun Aug 26 22:49:43 2012 From: security at mutluit.com (U.Mutlu) Date: Sun, 26 Aug 2012 22:49:43 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> References: <503A7FA8.6030002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> Message-ID: <503A8BE7.2040002@mutluit.com> Attached please find 4 spam mails from mynet.com The spammers have posted from these IP addresses: # grep -i "Received" spam*.eml spam1.eml:Received: from mail.yt.com ([85.95.235.102]:3664) spam1.eml:Received: from zurt931.local ([85.95.235.102]) spam2.eml:Received: from mail.030.com ([85.95.235.103]:2110) spam2.eml:Received: from mahser83.local ([85.95.235.103]) spam3.eml:Received: from mail.yt.com ([85.95.235.102]:1409) spam3.eml:Received: from zurt931.local ([85.95.235.102]) spam4.eml:Received: from mail.030.com ([85.95.235.103]:4200) spam4.eml:Received: from mahser83.local ([85.95.235.103]) Ie. an organized spam network... Andrew Bonar wrote, On 08/26/2012 10:28 PM: > If you are wanting to report abuse about MYNET, please feel free to contact me off-list and I may be able to facilitate. > I would be interested to hear about spam problems people may have about MyNet > > best > > > Andrew Bonar > Deliverability Director, Emailvision > > > > > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of U.Mutlu > Sent: 26 August 2012 21:57 > To: anti-abuse-wg at ripe.net > Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact > > Hi, > how come that for the domain mynet.com, clearly a spam network, there is no abuse-contact in the whois database? > > whois mynet.com gives: > " > Domain Name: MYNET.COM > ------------------------------------------------------------------------ > Promote your business to millions of viewers for only $1 a month > Learn how you can get an Enhanced Business Listing here for your domain name. > Learn more at http://www.NetworkSolutions.com/ > ------------------------------------------------------------------------ > " > > ie. a spam network... > -------------- next part -------------- An embedded message was scrubbed... From: "=?iso-8859-9?B?QXJpYSBF8Gl0aW0gSGl6bWV0bGVyaQ==?=" Subject: Sat?? ve Sat?n Alma / G?r?nt?l? E?itim DVD Date: Fri, 24 Aug 2012 22:23:52 +0300 Size: 8761 URL: -------------- next part -------------- An embedded message was scrubbed... From: "=?iso-8859-9?B?QWxlbmEgRGFu/f5tYW5s/WsgSGl6bWV0bGVyaQ==?=" Subject: M??teri ve Halkla ?li?kiler E?itim DVDsi Date: Fri, 24 Aug 2012 21:29:33 +0300 Size: 7635 URL: -------------- next part -------------- An embedded message was scrubbed... From: "MEDYAWEB REKLAM TANITIM" Subject: 2012 T?rkiye Sekt?rel EMail Rehberi - CD Date: Wed, 22 Aug 2012 16:55:58 +0300 Size: 4916 URL: -------------- next part -------------- An embedded message was scrubbed... From: "Vizyon Dil Hizmetleri" Subject: RUS?A E??T?M DVDsi Date: Tue, 21 Aug 2012 14:16:58 +0300 Size: 3760 URL: From rezaf at mindspring.com Sun Aug 26 22:57:56 2012 From: rezaf at mindspring.com (Reza Farzan) Date: Sun, 26 Aug 2012 16:57:56 -0400 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Message-ID: <003e01cd83cd$780e9b90$682bd2b0$@com> Hello, MYNET (Mynet Medya Yay. Ulus. Elek.) is a Turkish based domain with these IP addresses: addresses 212.101.97.6 212.101.97.7 212.101.97.8 212.101.122.35 True, this domain does not have a designated Abuse contact, but you may want to send your request to any or all of these addresses: - ripeteknik at mynet.com.tr - ripeinfo at mynet.com.tr - hakan.turkoner at mynet.com - admin at mynet.com - administrator at mynet.com When reporting any Spam, please make sure that you include its header as well. Thank you, Reza Farzan rezaf at mindspring.com -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of U.Mutlu Sent: Sunday, August 26, 2012 3:57 PM To: anti-abuse-wg at ripe.net Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Hi, how come that for the domain mynet.com, clearly a spam network, there is no abuse-contact in the whois database? whois mynet.com gives: " Domain Name: MYNET.COM ------------------------------------------------------------------------ Promote your business to millions of viewers for only $1 a month Learn how you can get an Enhanced Business Listing here for your domain name. Learn more at http://www.NetworkSolutions.com/ ------------------------------------------------------------------------ " ie. a spam network... From ABonar at Emailvision.com Sun Aug 26 23:46:10 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Sun, 26 Aug 2012 23:46:10 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <503A8BE7.2040002@mutluit.com> References: <503A7FA8.6030002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> <503A8BE7.2040002@mutluit.com> Message-ID: <9676711035B52642A190C7FDA4A44ED5898D98B617@EXCHCCR.Emailvision.com> I will reach out to my contact with the details. They are Turkeys largest ISP so prone to having their free services abused I imagine, much like Yahoo or Hotmail. Will keep you posted best ? Andrew Bonar Deliverability Director, Emailvision? -----Original Message----- From: U.Mutlu [mailto:security at mutluit.com] Sent: 26 August 2012 22:50 To: Andrew Bonar Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Attached please find 4 spam mails from mynet.com The spammers have posted from these IP addresses: # grep -i "Received" spam*.eml spam1.eml:Received: from mail.yt.com ([85.95.235.102]:3664) spam1.eml:Received: from zurt931.local ([85.95.235.102]) spam2.eml:Received: from mail.030.com ([85.95.235.103]:2110) spam2.eml:Received: from mahser83.local ([85.95.235.103]) spam3.eml:Received: from mail.yt.com ([85.95.235.102]:1409) spam3.eml:Received: from zurt931.local ([85.95.235.102]) spam4.eml:Received: from mail.030.com ([85.95.235.103]:4200) spam4.eml:Received: from mahser83.local ([85.95.235.103]) Ie. an organized spam network... Andrew Bonar wrote, On 08/26/2012 10:28 PM: > If you are wanting to report abuse about MYNET, please feel free to contact me off-list and I may be able to facilitate. > I would be interested to hear about spam problems people may have about MyNet > > best > > > Andrew Bonar > Deliverability Director, Emailvision > > > > > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of U.Mutlu > Sent: 26 August 2012 21:57 > To: anti-abuse-wg at ripe.net > Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact > > Hi, > how come that for the domain mynet.com, clearly a spam network, there is no abuse-contact in the whois database? > > whois mynet.com gives: > " > Domain Name: MYNET.COM > ------------------------------------------------------------------------ > Promote your business to millions of viewers for only $1 a month > Learn how you can get an Enhanced Business Listing here for your domain name. > Learn more at http://www.NetworkSolutions.com/ > ------------------------------------------------------------------------ > " > > ie. a spam network... > From security at mutluit.com Mon Aug 27 00:20:51 2012 From: security at mutluit.com (U.Mutlu) Date: Mon, 27 Aug 2012 00:20:51 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <9676711035B52642A190C7FDA4A44ED5898D98B617@EXCHCCR.Emailvision.com> References: <503A7FA8.6030002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> <503A8BE7.2040002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B617@EXCHCCR.Emailvision.com> Message-ID: <503AA143.70604@mutluit.com> Andrew Bonar wrote, On 08/26/2012 11:46 PM: > I will reach out to my contact with the details. > > They are Turkeys largest ISP so prone to having their free services abused I imagine, much like Yahoo or Hotmail. Really an ISP? And then w/o an offical abuse dept? Very suspicious... :-) Hmm.... www.mynet.com doesn't look like an ISP. > Will keep you posted > > best > > > Andrew Bonar > Deliverability Director, Emailvision > > > > -----Original Message----- > From: U.Mutlu [mailto:security at mutluit.com] > Sent: 26 August 2012 22:50 > To: Andrew Bonar > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] mynet.com - A spam network without any abuse contact > > Attached please find 4 spam mails from mynet.com From ABonar at Emailvision.com Mon Aug 27 01:06:51 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Mon, 27 Aug 2012 01:06:51 +0200 Subject: [anti-abuse-wg] mynet.com - A spam network without any abuse contact In-Reply-To: <503AA143.70604@mutluit.com> References: <503A7FA8.6030002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B608@EXCHCCR.Emailvision.com> <503A8BE7.2040002@mutluit.com> <9676711035B52642A190C7FDA4A44ED5898D98B617@EXCHCCR.Emailvision.com> <503AA143.70604@mutluit.com> Message-ID: <9676711035B52642A190C7FDA4A44ED5898D98B618@EXCHCCR.Emailvision.com> Just to be clear I am in no way affiliated and not trying to defend, just reach out to a contact on your behalf who may be able to help. To satisfy any curiosity, a little more on myNet http://www.linkedin.com/company/17968?goback=%2Efcs_GLHD_mynet_false_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2&trk=ncsrch_hits http://en.wikipedia.org/wiki/Internet_in_Turkey http://www.commtouch.com/press-releases/turkey%E2%80%99s-largest-internet-portal-protects-inboxes-commtouch-technology An internet service provider in the same way as Yahoo would be considered an ISP ie major portal, offers free webmail, etc.. as well as commercial offerings here: http://proservis.mynet.com/ You can lodge a complaint here (if you spoke Turkish) here http://www.mynet.com/iletisim/iletisim.aspx and I believe Abuse@ and postmaster@ should both function best Andrew -----Original Message----- From: U.Mutlu [mailto:security at mutluit.com] Sent: 27 August 2012 00:21 To: Andrew Bonar Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] mynet.com - A spam network without any abuse contact Andrew Bonar wrote, On 08/26/2012 11:46 PM: > I will reach out to my contact with the details. > > They are Turkeys largest ISP so prone to having their free services abused I imagine, much like Yahoo or Hotmail. Really an ISP? And then w/o an offical abuse dept? Very suspicious... :-) Hmm.... www.mynet.com doesn't look like an ISP. > Will keep you posted > > best > > > Andrew Bonar > Deliverability Director, Emailvision > > > > -----Original Message----- > From: U.Mutlu [mailto:security at mutluit.com] > Sent: 26 August 2012 22:50 > To: Andrew Bonar > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] mynet.com - A spam network without any > abuse contact > > Attached please find 4 spam mails from mynet.com From security at mutluit.com Tue Aug 28 14:10:56 2012 From: security at mutluit.com (U.Mutlu) Date: Tue, 28 Aug 2012 14:10:56 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database Message-ID: <503CB550.8080501@mutluit.com> What do you think about the following technical conversation with APNIC: My last reply, no answer yet: But then how cany I query the content of tech-c handle RCNP1-AP ? As demonstrated below, when I do "whois -h whois.apnic.net RCNP1-AP" then it again shows the same handle, ie. an error loop... XXXXX XXXXX via RT wrote, On 08/28/2012 10:27 AM: > Dear U.Mutlu, > > This is not an error. The role object admic-c and tech-c can use > nic-handle of other person objects or the nic-handle of the role object > itself. > > Thanks, > -- XXXXX ________________________________________________________________________ APNIC Helpdesk > helpdesk at apnic.net Asia Pacific Network Information Centre (APNIC) Tel: +61 7 3858 3188 PO Box 3646 South > Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net > ________________________________________________________________________ * Sent by email to save paper. Print > only if necessary. On Tue Aug 28 01:00:01 2012, security at mutluit.com wrote: >> >Hello, >> >there is a loop (error) in the whois database for the handle RCNP1-AP >> >as it doesn't get resolved, instead it again returns the same >> >handle...: >> > >> ># whois -h whois.apnic.net RCNP1-AP >> > >> >% [whois.apnic.net node-1] >> >% Whois data copyright terms >> >http://www.apnic.net/db/dbcopyright.html >> > >> >role: RK CABLE NET PRIVATE LIMITED - network administr >> >address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna >> >Shopping Centre, Adajan Patiya Circle, Rander >> >Road, >> >country: IN >> >phone: +91-261-2780343 >> >fax-no: +91-261-2787879 >> >e-mail:abuse at rkinfratel.com >> >admin-c: RCNP1-AP >> >tech-c: RCNP1-AP >> >nic-hdl: RCNP1-AP >> >mnt-by: MAINT-RKCABLENET-IN >> >changed:hm-changed at apnic.net 20120523 >> >source: APNIC >> > >> > >> >Regards, >> >U.Mutlu From ij at beevpn.com Tue Aug 28 14:16:17 2012 From: ij at beevpn.com (Ian Johannesen) Date: Tue, 28 Aug 2012 14:16:17 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CB550.8080501@mutluit.com> References: <503CB550.8080501@mutluit.com> Message-ID: <6E55584D-F3E3-487E-88E0-5C24F5F8B694@beevpn.com> Hi, I don't quite see the error you keep mentioning. If there's no wish to have any person objects bound to the role object, then it's perfectly valid. What's the problem you keep on pointing towards? -- Med venlig hilsen / Best regards, Ian Johannesen BeeVPN ApS mai: ij at beevpn.com On Aug 28, 2012, at 2:10 PM, "U.Mutlu" wrote: > What do you think about the following technical conversation with APNIC: > > > > My last reply, no answer yet: > > But then how cany I query the content of tech-c handle RCNP1-AP ? > As demonstrated below, when I do "whois -h whois.apnic.net RCNP1-AP" > then it again shows the same handle, ie. an error loop... > > XXXXX XXXXX via RT wrote, On 08/28/2012 10:27 AM: > > Dear U.Mutlu, > > > > This is not an error. The role object admic-c and tech-c can use > > nic-handle of other person objects or the nic-handle of the role object > > itself. > > > > Thanks, > > -- XXXXX ________________________________________________________________________ APNIC Helpdesk > > helpdesk at apnic.net Asia Pacific Network Information Centre (APNIC) Tel: +61 7 3858 3188 PO Box 3646 South > > Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net > > ________________________________________________________________________ * Sent by email to save paper. Print > > only if necessary. > > On Tue Aug 28 01:00:01 2012, security at mutluit.com wrote: > >> >Hello, > >> >there is a loop (error) in the whois database for the handle RCNP1-AP > >> >as it doesn't get resolved, instead it again returns the same > >> >handle...: > >> > > >> ># whois -h whois.apnic.net RCNP1-AP > >> > > >> >% [whois.apnic.net node-1] > >> >% Whois data copyright terms > >> >http://www.apnic.net/db/dbcopyright.html > >> > > >> >role: RK CABLE NET PRIVATE LIMITED - network administr > >> >address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna > >> >Shopping Centre, Adajan Patiya Circle, Rander > >> >Road, > >> >country: IN > >> >phone: +91-261-2780343 > >> >fax-no: +91-261-2787879 > >> >e-mail:abuse at rkinfratel.com > >> >admin-c: RCNP1-AP > >> >tech-c: RCNP1-AP > >> >nic-hdl: RCNP1-AP > >> >mnt-by: MAINT-RKCABLENET-IN > >> >changed:hm-changed at apnic.net 20120523 > >> >source: APNIC > >> > > >> > > >> >Regards, > >> >U.Mutlu > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From security at mutluit.com Tue Aug 28 14:30:16 2012 From: security at mutluit.com (U.Mutlu) Date: Tue, 28 Aug 2012 14:30:16 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <6E55584D-F3E3-487E-88E0-5C24F5F8B694@beevpn.com> References: <503CB550.8080501@mutluit.com> <6E55584D-F3E3-487E-88E0-5C24F5F8B694@beevpn.com> Message-ID: <503CB9D8.3090205@mutluit.com> I need to know the tech-c contact, how do I get it? Ian Johannesen wrote, On 08/28/2012 02:16 PM: > Hi, > > I don't quite see the error you keep mentioning. If there's no wish to have any person objects bound to the role object, then it's perfectly valid. What's the problem you keep on pointing towards? > > -- > Med venlig hilsen / Best regards, > > Ian Johannesen > BeeVPN ApS > > mai: ij at beevpn.com > > On Aug 28, 2012, at 2:10 PM, "U.Mutlu" wrote: > >> What do you think about the following technical conversation with APNIC: >> >> >> >> My last reply, no answer yet: >> >> But then how cany I query the content of tech-c handle RCNP1-AP ? >> As demonstrated below, when I do "whois -h whois.apnic.net RCNP1-AP" >> then it again shows the same handle, ie. an error loop... >> >> XXXXX XXXXX via RT wrote, On 08/28/2012 10:27 AM: >>> Dear U.Mutlu, >>> >>> This is not an error. The role object admic-c and tech-c can use >>> nic-handle of other person objects or the nic-handle of the role object >>> itself. >>> >>> Thanks, >>> -- XXXXX ________________________________________________________________________ APNIC Helpdesk >>> helpdesk at apnic.net Asia Pacific Network Information Centre (APNIC) Tel: +61 7 3858 3188 PO Box 3646 South >>> Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net >>> ________________________________________________________________________ * Sent by email to save paper. Print >>> only if necessary. >> >> On Tue Aug 28 01:00:01 2012, security at mutluit.com wrote: >>>>> Hello, >>>>> there is a loop (error) in the whois database for the handle RCNP1-AP >>>>> as it doesn't get resolved, instead it again returns the same >>>>> handle...: >>>>> >>>>> # whois -h whois.apnic.net RCNP1-AP >>>>> >>>>> % [whois.apnic.net node-1] >>>>> % Whois data copyright terms >>>>> http://www.apnic.net/db/dbcopyright.html >>>>> >>>>> role: RK CABLE NET PRIVATE LIMITED - network administr >>>>> address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna >>>>> Shopping Centre, Adajan Patiya Circle, Rander >>>>> Road, >>>>> country: IN >>>>> phone: +91-261-2780343 >>>>> fax-no: +91-261-2787879 >>>>> e-mail:abuse at rkinfratel.com >>>>> admin-c: RCNP1-AP >>>>> tech-c: RCNP1-AP >>>>> nic-hdl: RCNP1-AP >>>>> mnt-by: MAINT-RKCABLENET-IN >>>>> changed:hm-changed at apnic.net 20120523 >>>>> source: APNIC >>>>> >>>>> >>>>> Regards, >>>>> U.Mutlu From thor.kottelin at turvasana.com Tue Aug 28 14:31:27 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Tue, 28 Aug 2012 15:31:27 +0300 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CB550.8080501@mutluit.com> References: <503CB550.8080501@mutluit.com> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of U.Mutlu > Sent: Tuesday, August 28, 2012 3:11 PM > To: anti-abuse-wg at ripe.net > when I do "whois -h whois.apnic.net RCNP1- > AP" > then it again shows the same handle, ie. an error loop... role: RK CABLE NET PRIVATE LIMITED - network administr address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna Shopping Centre, Adajan Patiya Circle, Rander Road, country: IN phone: +91-261-2780343 fax-no: +91-261-2787879 e-mail: abuse at rkinfratel.com admin-c: RCNP1-AP tech-c: RCNP1-AP nic-hdl: RCNP1-AP mnt-by: MAINT-RKCABLENET-IN changed: hm-changed at apnic.net 20120523 source: APNIC I see this as a way of saying 'for administrative or technical issues, use this same contact information, such as the email address abuse at rkinfratel.com'. Why do you consider it an error? -- Thor Kottelin http://www.anta.net/ From ij at beevpn.com Tue Aug 28 14:35:09 2012 From: ij at beevpn.com (Ian Johannesen) Date: Tue, 28 Aug 2012 14:35:09 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CB9D8.3090205@mutluit.com> References: <503CB550.8080501@mutluit.com> <6E55584D-F3E3-487E-88E0-5C24F5F8B694@beevpn.com> <503CB9D8.3090205@mutluit.com> Message-ID: <4A9D281B-5FE6-4CAF-AD82-0C3FD2133835@as51432.net> Hi, Well you just use the data in the role object - as it is the tech-c (as it's also marked). -- Med venlig hilsen / Best regards, Ian Johannesen BeeVPN ApS mai: ij at beevpn.com On Aug 28, 2012, at 2:30 PM, "U.Mutlu" wrote: > I need to know the tech-c contact, how do I get it? > > > Ian Johannesen wrote, On 08/28/2012 02:16 PM: >> Hi, >> >> I don't quite see the error you keep mentioning. If there's no wish to have any person objects bound to the role object, then it's perfectly valid. What's the problem you keep on pointing towards? >> >> -- >> Med venlig hilsen / Best regards, >> >> Ian Johannesen >> BeeVPN ApS >> >> mai: ij at beevpn.com >> >> On Aug 28, 2012, at 2:10 PM, "U.Mutlu" wrote: >> >>> What do you think about the following technical conversation with APNIC: >>> >>> >>> >>> My last reply, no answer yet: >>> >>> But then how cany I query the content of tech-c handle RCNP1-AP ? >>> As demonstrated below, when I do "whois -h whois.apnic.net RCNP1-AP" >>> then it again shows the same handle, ie. an error loop... >>> >>> XXXXX XXXXX via RT wrote, On 08/28/2012 10:27 AM: >>>> Dear U.Mutlu, >>>> >>>> This is not an error. The role object admic-c and tech-c can use >>>> nic-handle of other person objects or the nic-handle of the role object >>>> itself. >>>> >>>> Thanks, >>>> -- XXXXX ________________________________________________________________________ APNIC Helpdesk >>>> helpdesk at apnic.net Asia Pacific Network Information Centre (APNIC) Tel: +61 7 3858 3188 PO Box 3646 South >>>> Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net >>>> ________________________________________________________________________ * Sent by email to save paper. Print >>>> only if necessary. >>> >>> On Tue Aug 28 01:00:01 2012, security at mutluit.com wrote: >>>>>> Hello, >>>>>> there is a loop (error) in the whois database for the handle RCNP1-AP >>>>>> as it doesn't get resolved, instead it again returns the same >>>>>> handle...: >>>>>> >>>>>> # whois -h whois.apnic.net RCNP1-AP >>>>>> >>>>>> % [whois.apnic.net node-1] >>>>>> % Whois data copyright terms >>>>>> http://www.apnic.net/db/dbcopyright.html >>>>>> >>>>>> role: RK CABLE NET PRIVATE LIMITED - network administr >>>>>> address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna >>>>>> Shopping Centre, Adajan Patiya Circle, Rander >>>>>> Road, >>>>>> country: IN >>>>>> phone: +91-261-2780343 >>>>>> fax-no: +91-261-2787879 >>>>>> e-mail:abuse at rkinfratel.com >>>>>> admin-c: RCNP1-AP >>>>>> tech-c: RCNP1-AP >>>>>> nic-hdl: RCNP1-AP >>>>>> mnt-by: MAINT-RKCABLENET-IN >>>>>> changed:hm-changed at apnic.net 20120523 >>>>>> source: APNIC >>>>>> >>>>>> >>>>>> Regards, >>>>>> U.Mutlu > From ops.lists at gmail.com Tue Aug 28 14:38:25 2012 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Tue, 28 Aug 2012 18:08:25 +0530 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: References: <503CB550.8080501@mutluit.com> Message-ID: I would say "also check the domain's whois contacts" but .. ugh. Domain Name: RKINFRATEL.COM Registrant: PrivacyProtect.org Domain Admin (contact at privacyprotect.org) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Creation Date: 20-Oct-2011 Expiration Date: 20-Oct-2012 On Tue, Aug 28, 2012 at 6:01 PM, Thor Kottelin wrote: >> -----Original Message----- >> From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- >> bounces at ripe.net] On Behalf Of U.Mutlu >> Sent: Tuesday, August 28, 2012 3:11 PM >> To: anti-abuse-wg at ripe.net > >> when I do "whois -h whois.apnic.net RCNP1- >> AP" >> then it again shows the same handle, ie. an error loop... > > role: RK CABLE NET PRIVATE LIMITED - network administr > address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna Shopping > Centre, Adajan Patiya Circle, Rander Road, > country: IN > phone: +91-261-2780343 > fax-no: +91-261-2787879 > e-mail: abuse at rkinfratel.com > admin-c: RCNP1-AP > tech-c: RCNP1-AP > nic-hdl: RCNP1-AP > mnt-by: MAINT-RKCABLENET-IN > changed: hm-changed at apnic.net 20120523 > source: APNIC > > I see this as a way of saying 'for administrative or technical issues, use > this same contact information, such as the email address > abuse at rkinfratel.com'. Why do you consider it an error? > > -- > Thor Kottelin > http://www.anta.net/ > > > -- Suresh Ramasubramanian (ops.lists at gmail.com) From security at mutluit.com Tue Aug 28 14:55:55 2012 From: security at mutluit.com (U.Mutlu) Date: Tue, 28 Aug 2012 14:55:55 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: References: <503CB550.8080501@mutluit.com> Message-ID: <503CBFDB.6080006@mutluit.com> Because of errors in their DNS server I need to contact their tech-c, not their abuse dept. Suresh Ramasubramanian wrote, On 08/28/2012 02:38 PM: > I would say "also check the domain's whois contacts" but .. ugh. > > Domain Name: RKINFRATEL.COM > > Registrant: > PrivacyProtect.org > Domain Admin (contact at privacyprotect.org) > ID#10760, PO Box 16 > Note - All Postal Mails Rejected, visit Privacyprotect.org > Nobby Beach > null,QLD 4218 > AU > Tel. +45.36946676 > > Creation Date: 20-Oct-2011 > Expiration Date: 20-Oct-2012 > > On Tue, Aug 28, 2012 at 6:01 PM, Thor Kottelin > wrote: >>> -----Original Message----- >>> From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- >>> bounces at ripe.net] On Behalf Of U.Mutlu >>> Sent: Tuesday, August 28, 2012 3:11 PM >>> To: anti-abuse-wg at ripe.net >> >>> when I do "whois -h whois.apnic.net RCNP1- >>> AP" >>> then it again shows the same handle, ie. an error loop... >> >> role: RK CABLE NET PRIVATE LIMITED - network administr >> address: Block No 1-2, & 13-18, 1st & 2nd Floor,Annapurna Shopping >> Centre, Adajan Patiya Circle, Rander Road, >> country: IN >> phone: +91-261-2780343 >> fax-no: +91-261-2787879 >> e-mail: abuse at rkinfratel.com >> admin-c: RCNP1-AP >> tech-c: RCNP1-AP >> nic-hdl: RCNP1-AP >> mnt-by: MAINT-RKCABLENET-IN >> changed: hm-changed at apnic.net 20120523 >> source: APNIC >> >> I see this as a way of saying 'for administrative or technical issues, use >> this same contact information, such as the email address >> abuse at rkinfratel.com'. Why do you consider it an error? >> >> -- >> Thor Kottelin >> http://www.anta.net/ >> >> >> > > > From thor.kottelin at turvasana.com Tue Aug 28 15:08:55 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Tue, 28 Aug 2012 16:08:55 +0300 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CBFDB.6080006@mutluit.com> References: <503CB550.8080501@mutluit.com> <503CBFDB.6080006@mutluit.com> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of U.Mutlu > Sent: Tuesday, August 28, 2012 3:56 PM > To: Suresh Ramasubramanian > Cc: Thor Kottelin; anti-abuse-wg at ripe.net > Because of errors in their DNS server I need to contact > their tech-c, not their abuse dept. The Whois information for your domain name mutluit.com shows that several roles share the same NIC handle. Similarly, 'RK CABLE NET PRIVATE LIMITED' has chosen to use RCNP1-AP as both its admin-c and tech-c contact. What would you say if someone objected to your choice, saying 'I need to contact the mutluit.com abuse department, not the hostmaster'? -- Thor Kottelin http://www.anta.net/ From Woeber at CC.UniVie.ac.at Tue Aug 28 16:14:06 2012 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 28 Aug 2012 16:14:06 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CBFDB.6080006@mutluit.com> References: <503CB550.8080501@mutluit.com> <503CBFDB.6080006@mutluit.com> Message-ID: <503CD22E.8050000@CC.UniVie.ac.at> U.Mutlu wrote: > Because of errors in their DNS server I need to contact > their tech-c, not their abuse dept. I was under the impression that the contact for (technical) errors regarding DNS zone configuration is to be found in the zone's SOA record, as an RFC822 (or newer) field. And/or by way of the name registry and/or registrar. Where does the numbers registry information come into the picture? Wilfried From denis at ripe.net Tue Aug 28 18:03:48 2012 From: denis at ripe.net (Denis Walker) Date: Tue, 28 Aug 2012 18:03:48 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CD22E.8050000@CC.UniVie.ac.at> References: <503CB550.8080501@mutluit.com> <503CBFDB.6080006@mutluit.com> <503CD22E.8050000@CC.UniVie.ac.at> Message-ID: <503CEBE4.5070505@ripe.net> Dear Wilfried, Putting aside the specific reason for looking up a contact in this case and look at the wider consequence for the RIPE Database. I thought we disallowed self referencing ROLE objects. But we only disallow creation of self referencing ROLEs using 'AUTO-' and circular references with ROLE A -> ROLE B -> ROLE A. The way the rules are now, taken to an extreme, the entire RIPE Database could exist without a single 'real' PERSON listed. All number resources could be anonymised by referencing self referencing ROLE objects. All allocations, mandatory organisations for allocations, ASNs, PI resources, routing data could be set up so that no real person takes any responsibility for any resource, publicly. Of course real people still need to sign contracts to become members and get resources, but from a public perspective everything can be totally anonymised as the rules are now. Regards Denis Walker Business Analyst RIPE NCC Database Group On 28/08/2012 16:14, Wilfried Woeber, UniVie/ACOnet wrote: > U.Mutlu wrote: > >> Because of errors in their DNS server I need to contact >> their tech-c, not their abuse dept. > > I was under the impression that the contact for (technical) errors > regarding DNS zone configuration is to be found in the zone's SOA > record, as an RFC822 (or newer) field. > > And/or by way of the name registry and/or registrar. > > Where does the numbers registry information come into the picture? > > Wilfried > > From um at mutluit.com Tue Aug 28 17:39:55 2012 From: um at mutluit.com (U.Mutlu) Date: Tue, 28 Aug 2012 17:39:55 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CD22E.8050000@CC.UniVie.ac.at> References: <503CB550.8080501@mutluit.com> <503CBFDB.6080006@mutluit.com> <503CD22E.8050000@CC.UniVie.ac.at> Message-ID: <503CE64B.5010402@mutluit.com> Wilfried Woeber, UniVie/ACOnet wrote, On 08/28/2012 04:14 PM: > U.Mutlu wrote: > >> Because of errors in their DNS server I need to contact >> their tech-c, not their abuse dept. > > I was under the impression that the contact for (technical) errors > regarding DNS zone configuration is to be found in the zone's SOA > record, as an RFC822 (or newer) field. Oops! :-) Yes, you are right. Thx for reminding me of this simple fact :-) > And/or by way of the name registry and/or registrar. > > Where does the numbers registry information come into the picture? > > Wilfried From Woeber at CC.UniVie.ac.at Tue Aug 28 18:34:06 2012 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber, UniVie/ACOnet) Date: Tue, 28 Aug 2012 18:34:06 +0200 Subject: [anti-abuse-wg] Loop error in APNIC whois database In-Reply-To: <503CEBE4.5070505@ripe.net> References: <503CB550.8080501@mutluit.com> <503CBFDB.6080006@mutluit.com> <503CD22E.8050000@CC.UniVie.ac.at> <503CEBE4.5070505@ripe.net> Message-ID: <503CF2FE.8050704@CC.UniVie.ac.at> Hi Denis, thanks for the clarification! I do see 3 aspects here: 1. the registration is in the APNIC DB. While I do not see any problem at all, discussing abuse issues on the RIPE Community's anti-abuse mailing list, I am a bit hesitant to accept the potential implication that the RIPE community, or the RIPE NCC, should take the blame for something it/we do not have control of. 2. I was under the impression that in the RIPE DB, a reference to a person object was enforced, at the end of the food chain. If this is not the case right now, we MAY|SHOULD discuss the need for an amendment - but read on! 3. (violating my own item 1. :-) and) looking at the entry as quoted: there is the company's name, the postal address, an abuse@ email: and both a tel. and fax. number. So - what is the added benefit of a person's name (which could easily be Mr. Micky Mouse for the whois record :-) The reason why I am nit-picking here is as follows: imho we should encourage all parties to provide correct and useable information to get in contact if and when there's a good reason for trying to. Requiring, as a strict formality, to provide any and all particular pieces of data and in a very strict format, potentially violating good reasons for not identifying individual persons, may actually impede achievement of our goal. Wilfried. Denis Walker wrote: > Dear Wilfried, > > Putting aside the specific reason for looking up a contact in this case > and look at the wider consequence for the RIPE Database. I thought we > disallowed self referencing ROLE objects. But we only disallow creation > of self referencing ROLEs using 'AUTO-' and circular references with > ROLE A -> ROLE B -> ROLE A. > > The way the rules are now, taken to an extreme, the entire RIPE Database > could exist without a single 'real' PERSON listed. All number resources > could be anonymised by referencing self referencing ROLE objects. All > allocations, mandatory organisations for allocations, ASNs, PI > resources, routing data could be set up so that no real person takes any > responsibility for any resource, publicly. > > Of course real people still need to sign contracts to become members and > get resources, but from a public perspective everything can be totally > anonymised as the rules are now. > > Regards > Denis Walker > Business Analyst > RIPE NCC Database Group > > > On 28/08/2012 16:14, Wilfried Woeber, UniVie/ACOnet wrote: > >> U.Mutlu wrote: >> >>> Because of errors in their DNS server I need to contact >>> their tech-c, not their abuse dept. >> >> >> I was under the impression that the contact for (technical) errors >> regarding DNS zone configuration is to be found in the zone's SOA >> record, as an RFC822 (or newer) field. >> >> And/or by way of the name registry and/or registrar. >> >> Where does the numbers registry information come into the picture? >> >> Wilfried >> >> > From rezaf at mindspring.com Wed Aug 29 14:26:14 2012 From: rezaf at mindspring.com (Reza Farzan) Date: Wed, 29 Aug 2012 08:26:14 -0400 Subject: [anti-abuse-wg] vacancesloisirs.fr Message-ID: <005901cd85e1$7baeee10$730cca30$@com> Hello All, This domain, vacancesloisirs.fr, has been promoting itself in spamvertised that sends out. Based on my rudimentary research, the spamvertised website "vacancesloisirs.fr" resides on this IP address: 193.238.229.26 which belongs to Hostway in Germany: inetnum: 193.238.228.0 - 193.238.231.255 netname: HOSTWAY-1 descr: Hostway Deutschland GmbH Their NOC, however, denies that the IP is theirs, and they are not responsible for this domain. I have sent reports to these two addresses, abuse at hostway.de and abuse at as24679.net, is there another ISP that is responsible for this website, "vacancesloisirs.fr"? Any information would be appreciated. Thank you, Reza Farzan rezaf at mindspring.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From ABonar at Emailvision.com Wed Aug 29 14:32:43 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Wed, 29 Aug 2012 14:32:43 +0200 Subject: [anti-abuse-wg] vacancesloisirs.fr In-Reply-To: <005901cd85e1$7baeee10$730cca30$@com> References: <005901cd85e1$7baeee10$730cca30$@com> Message-ID: <9676711035B52642A190C7FDA4A44ED5898D98B673@EXCHCCR.Emailvision.com> You can try the DNS administrator abuse at hostway.fr [cid:image001.png at 01CD85F3.264E8680] [cid:image002.png at 01CD85F3.264E8680] Andrew Bonar Deliverability Director Direct: +44 20 7554 4594 Mobile: +44 7557 038 058 From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Reza Farzan Sent: 29 August 2012 14:26 To: anti-abuse-wg at ripe.net Cc: info at vacancesloisirs.fr Subject: [anti-abuse-wg] vacancesloisirs.fr Hello All, This domain, vacancesloisirs.fr, has been promoting itself in spamvertised that sends out. Based on my rudimentary research, the spamvertised website "vacancesloisirs.fr" resides on this IP address: 193.238.229.26 which belongs to Hostway in Germany: inetnum: 193.238.228.0 - 193.238.231.255 netname: HOSTWAY-1 descr: Hostway Deutschland GmbH Their NOC, however, denies that the IP is theirs, and they are not responsible for this domain. I have sent reports to these two addresses, abuse at hostway.de and abuse at as24679.net, is there another ISP that is responsible for this website, "vacancesloisirs.fr"? Any information would be appreciated. Thank you, Reza Farzan rezaf at mindspring.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 47086 bytes Desc: image001.png URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 8077 bytes Desc: image002.png URL: From thor.kottelin at turvasana.com Wed Aug 29 14:44:26 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Wed, 29 Aug 2012 15:44:26 +0300 Subject: [anti-abuse-wg] vacancesloisirs.fr In-Reply-To: <005901cd85e1$7baeee10$730cca30$@com> References: <005901cd85e1$7baeee10$730cca30$@com> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of Reza Farzan > Sent: Wednesday, August 29, 2012 3:26 PM > To: anti-abuse-wg at ripe.net > Cc: info at vacancesloisirs.fr > Based on my rudimentary research, the spamvertised website > "vacancesloisirs.fr" resides on this IP address: 193.238.229.26 > which belongs to Hostway in Germany: > inetnum: 193.238.228.0 - 193.238.231.255 > > netname: HOSTWAY-1 > > descr: Hostway Deutschland GmbH > Their NOC, however, denies that the IP is theirs, and they are not > responsible for this domain. The sites vacancesloisirs.fr and www.vacancesloisirs.fr are clearly live on 193.238.229.26, i.e. on the Hostway Deutschland GmbH network you mention. Spam support providers often lie. -- Thor Kottelin http://www.anta.net/ From thor.kottelin at turvasana.com Wed Aug 29 14:48:02 2012 From: thor.kottelin at turvasana.com (Thor Kottelin) Date: Wed, 29 Aug 2012 15:48:02 +0300 Subject: [anti-abuse-wg] vacancesloisirs.fr In-Reply-To: References: <005901cd85e1$7baeee10$730cca30$@com> Message-ID: > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of Thor Kottelin > Sent: Wednesday, August 29, 2012 3:44 PM > To: anti-abuse-wg at ripe.net > > -----Original Message----- > > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > > bounces at ripe.net] On Behalf Of Reza Farzan > > Sent: Wednesday, August 29, 2012 3:26 PM > > To: anti-abuse-wg at ripe.net > > Cc: info at vacancesloisirs.fr > > > Based on my rudimentary research, the spamvertised website > > "vacancesloisirs.fr" resides on this IP address: 193.238.229.26 > > which belongs to Hostway in Germany: > > > inetnum: 193.238.228.0 - 193.238.231.255 > > > > netname: HOSTWAY-1 > > > > descr: Hostway Deutschland GmbH > > > Their NOC, however, denies that the IP is theirs, and they are > not > > responsible for this domain. > > The sites vacancesloisirs.fr and www.vacancesloisirs.fr are clearly > live on > 193.238.229.26, i.e. on the Hostway Deutschland GmbH network you > mention. > Spam support providers often lie. PS. That IP address has been on Spamhaus' SBL blacklist for more than two weeks now: http://www.spamhaus.org/sbl/query/SBL150849. This makes it particularly difficult to believe that the provider would be unaware of the problem. -- Thor Kottelin http://www.anta.net/ From ABonar at Emailvision.com Wed Aug 29 14:51:17 2012 From: ABonar at Emailvision.com (Andrew Bonar) Date: Wed, 29 Aug 2012 14:51:17 +0200 Subject: [anti-abuse-wg] vacancesloisirs.fr In-Reply-To: References: <005901cd85e1$7baeee10$730cca30$@com> Message-ID: <9676711035B52642A190C7FDA4A44ED5898D98B676@EXCHCCR.Emailvision.com> Look pretty spammer friendly http://www.spamhaus.org/sbl/listings/as24679.net http://www.spamhaus.org/sbl/listings/hostway.com http://www.spamhaus.org/sbl/listings/hostway.de -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Thor Kottelin Sent: 29 August 2012 14:48 To: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] vacancesloisirs.fr > -----Original Message----- > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > bounces at ripe.net] On Behalf Of Thor Kottelin > Sent: Wednesday, August 29, 2012 3:44 PM > To: anti-abuse-wg at ripe.net > > -----Original Message----- > > From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg- > > bounces at ripe.net] On Behalf Of Reza Farzan > > Sent: Wednesday, August 29, 2012 3:26 PM > > To: anti-abuse-wg at ripe.net > > Cc: info at vacancesloisirs.fr > > > Based on my rudimentary research, the spamvertised website > > "vacancesloisirs.fr" resides on this IP address: 193.238.229.26 > > which belongs to Hostway in Germany: > > > inetnum: 193.238.228.0 - 193.238.231.255 > > > > netname: HOSTWAY-1 > > > > descr: Hostway Deutschland GmbH > > > Their NOC, however, denies that the IP is theirs, and they are > not > > responsible for this domain. > > The sites vacancesloisirs.fr and www.vacancesloisirs.fr are clearly > live on 193.238.229.26, i.e. on the Hostway Deutschland GmbH network > you mention. > Spam support providers often lie. PS. That IP address has been on Spamhaus' SBL blacklist for more than two weeks now: http://www.spamhaus.org/sbl/query/SBL150849. This makes it particularly difficult to believe that the provider would be unaware of the problem. -- Thor Kottelin http://www.anta.net/ From vesely at tana.it Thu Aug 30 16:25:38 2012 From: vesely at tana.it (Alessandro Vesely) Date: Thu, 30 Aug 2012 16:25:38 +0200 Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database) Message-ID: <503F77E2.7070502@tana.it> On Mon 20/Aug/2012 12:10:35 +0200 Emilio Madaio wrote: > > Please e-mail any final comments about this proposal to anti-abuse-wg at ripe.net > before 17 September 2012. As an Internet user, I fully support the proposal 2011-06 "Abuse Contact Management in the RIPE NCC Database" --