From russ at consumer.net Wed Feb 1 00:05:58 2012
From: russ at consumer.net (russ at consumer.net)
Date: Tue, 31 Jan 2012 18:05:58 -0500
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F2870A8.4040900@mutluit.com>
References: <4F2870A8.4040900@mutluit.com>
Message-ID: <4F2873D6.8090404@consumer.net>

>so-called ISP named "jazztel.es" ?

They seem to be home to bots and zombies for at least 5 years.
They never answer or do anything about it.

From security at mutluit.com Wed Feb 1 00:15:23 2012
From: security at mutluit.com (U.Mutlu)
Date: Wed, 01 Feb 2012 00:15:23 +0100
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To:
References: <4F2870A8.4040900@mutluit.com>
Message-ID: <4F28760B.70008@mutluit.com>

I need functioning contact data of them (abuse email address or fax),
such data is not available there.

abuse at jazztel.es always bounces, and the fax number +34 91 291 7570 isn't available
(those I got indirectly from other records).

Michele Neylon :: Blacknight wrote, On 01/31/12 23:56:
> Go to nic.es
>
> Mr. Michele Neylon
> Blacknight
> http://Blacknight.tel
>
> Via iPhone so excuse typos and brevity
>
> On 31 Jan 2012, at 22:53, "U.Mutlu" wrote:
>
>> Hi,
>>
>> does anybody know why there is no whois record
>> for the so-called ISP named "jazztel.es" ?
>>
>> It just says: "This TLD has no whois server"
>> How is such possible?

From russ at consumer.net Wed Feb 1 00:20:58 2012
From: russ at consumer.net (russ at consumer.net)
Date: Tue, 31 Jan 2012 18:20:58 -0500
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F28760B.70008@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F28760B.70008@mutluit.com>
Message-ID: <4F28775A.7020409@consumer.net>

they use jazztel.com

On 1/31/2012 6:15 PM, U.Mutlu wrote:
> I need functioning contact data of them (abuse email address or fax),
> such data is not available there.
>
> abuse at jazztel.es always bounces, and the fax number +34 91 291 7570
> isn't available
> (those I got indirectly from other records).
>
>
> Michele Neylon :: Blacknight wrote, On 01/31/12 23:56:
>> Go to nic.es
>>
>> Mr. Michele Neylon
>> Blacknight
>> http://Blacknight.tel
>>
>> Via iPhone so excuse typos and brevity
>>
>> On 31 Jan 2012, at 22:53, "U.Mutlu" wrote:
>>
>>> Hi,
>>>
>>> does anybody know why there is no whois record
>>> for the so-called ISP named "jazztel.es" ?
>>>
>>> It just says: "This TLD has no whois server"
>>> How is such possible?
>

From security at mutluit.com Wed Feb 1 00:22:47 2012
From: security at mutluit.com (U.Mutlu)
Date: Wed, 01 Feb 2012 00:22:47 +0100
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F2873D6.8090404@consumer.net>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net>
Message-ID: <4F2877C7.2000805@mutluit.com>

russ at consumer.net wrote, On 02/01/12 00:05:
> >so-called ISP named "jazztel.es" ?
>
> They seem to be home to bots and zombies for at least 5 years.
> They never answer or do anything about it.

Yeah, at least 10 abuse reports bounced:

Subject: Error sending message [1328043607957.b6f31b70.7798.1063d2.s2] from [mutluit.com]
Date: Tue, 31 Jan 2012 22:00:14 +0100
From: mutluit.com PostMaster
To: security at mutluit.com

[<00>] XMail bounce: Rcpt=[abuse at jazztel.es];Error=[550 Usuario desconocido.]

[<01>] Error sending message [1328043607957.b6f31b70.7798.1063d2.s2] from [mutluit.com].

ID:
Mail From:
Rcpt To:
Server: [62.14.3.193]

[<02>] The reason of the delivery failure was:

550 Usuario desconocido.

What does "Usuario desconocido" mean? :-) Am I supposed to know that language? :-)
Silly practice of making such essential data something different than English.
Worst is Chinese and similar crap. I wonder if such people can't think a little bit globally.
From michele at blacknight.ie Wed Feb 1 00:35:36 2012
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 31 Jan 2012 23:35:36 +0000
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F28760B.70008@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F28760B.70008@mutluit.com>
Message-ID: <3E23EF5F-634B-4885-AF57-9EB2C1394F67@blacknight.ie>

They've got full contact details on their website.

Here's their postal address:
http://www.jazztel.com/aviso-legal

Telephone numbers are here:
http://soporte.jazztel.com/contactar

They clearly list their abuse address as abuse at jazztel.com in the RIPE DB

I don't see any record of abuse at jazztel.es

On 31 Jan 2012, at 23:15, U.Mutlu wrote:

> I need functioning contact data of them (abuse email address or fax),
> such data is not available there.
>
> abuse at jazztel.es always bounces, and the fax number +34 91 291 7570 isn't available
> (those I got indirectly from other records).
>
>
> Michele Neylon :: Blacknight wrote, On 01/31/12 23:56:
>> Go to nic.es
>>
>> Mr. Michele Neylon
>> Blacknight
>> http://Blacknight.tel
>>
>> Via iPhone so excuse typos and brevity
>>
>> On 31 Jan 2012, at 22:53, "U.Mutlu" wrote:
>>
>>> Hi,
>>>
>>> does anybody know why there is no whois record
>>> for the so-called ISP named "jazztel.es" ?
>>>
>>> It just says: "This TLD has no whois server"
>>> How is such possible?

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From security at mutluit.com Wed Feb 1 00:35:59 2012
From: security at mutluit.com (U.Mutlu)
Date: Wed, 01 Feb 2012 00:35:59 +0100
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F2877C7.2000805@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net> <4F2877C7.2000805@mutluit.com>
Message-ID: <4F287ADF.6010003@mutluit.com>

U.Mutlu wrote, On 02/01/12 00:22:
>
> 550 Usuario desconocido.
>
> What does "Usuario desconocido" mean? :-) Am I supposed to know that language? :-)
> Silly practice of making such essential data something different than English.
> Worst is Chinese and similar crap. I wonder if such people can't think a little bit globally.

Here's another example full with garbage characters:

-------- Original Message --------
Subject: ????
Date: Tue, 31 Jan 2012 15:59:15 +0800 (CST)
From: ?????
To: security at mutluit.com

*????????????????????????????????? FE??????? *

*?????* ?Returned Mail?
???Subject??[MIT-s2-CN2S254E50MP] Net Abuse: illegal ssh login attempt (hacker activity) from IP 113.105.128.254
???Date??Tue, 31 Jan 2012 15:59:08 +0800
???Size??397
*?????*?Unable to send??*< 02087188578 at 189.cn >*

*????* ?The Reasons For Bounce?
?????????????????????
host 127.0.0.1[127.0.0.1] said: 550 amount exceed mailbox quota (in reply to end of DATA command)

*????* ?Solutions??
???????????????????????????
????????????????
?
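
The two bounces quoted in the messages above, read by their SMTP reply code, as an added example that is not part of the original thread: the three-digit code (RFC 5321) states the outcome whatever language the text after it is in, so a script that sends abuse reports can stop retrying a dead address on `550` alone. The function names, the `Bounce` type and the third sample line are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Lines 1 and 2 are copied from the bounces quoted in the thread (addresses keep
# the archive's "user at domain" obfuscation). Line 3 is constructed.
SAMPLE_BOUNCES = [
    "XMail bounce: Rcpt=[abuse at jazztel.es];Error=[550 Usuario desconocido.]",
    "host 127.0.0.1[127.0.0.1] said: 550 amount exceed mailbox quota "
    "(in reply to end of DATA command)",
    "XMail bounce: Rcpt=[abuse at example.net];Error=[452 4.2.2 Mailbox full]",
]


class Bounce(NamedTuple):
    recipient: Optional[str]   # only present when the line carries Rcpt=[...]
    code: int                  # three-digit SMTP reply code
    enhanced: Optional[str]    # RFC 3463 status code such as 5.1.1, if present
    text: str                  # free text, in whatever language the server uses
    verdict: str               # meaning of the first digit of the reply code


# Where the remote server's reply sits inside each bounce style seen above.
_WRAPPERS = (
    re.compile(r"Error=\[(?P<reply>[^\]]*)\]"),   # Error=[550 ...]
    re.compile(r"\bsaid:\s*(?P<reply>.*)$"),       # host x said: 550 ...
)
_RCPT = re.compile(r"Rcpt=\[(?P<rcpt>[^\]]*)\]")
_REPLY = re.compile(
    r"^(?P<code>[245]\d\d)[ -]"
    r"(?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s+)?"
    r"(?P<text>.*)$"
)
_TRAILER = re.compile(r"\s*\(in reply to [^)]*\)\s*$")

# First digit of the reply code: 2 = success, 4 = transient, 5 = permanent.
VERDICTS = {
    2: "delivered",
    4: "transient: retry later",
    5: "permanent: stop retrying",
}


def parse_bounce(line: str) -> Optional[Bounce]:
    """Extract the SMTP reply from one bounce line; None if no reply code is found."""
    reply = line.strip()
    for wrapper in _WRAPPERS:
        found = wrapper.search(line)
        if found:
            reply = found.group("reply").strip()
            break
    match = _REPLY.match(reply)
    if match is None:
        return None
    code = int(match.group("code"))
    rcpt = _RCPT.search(line)
    return Bounce(
        recipient=rcpt.group("rcpt") if rcpt else None,
        code=code,
        enhanced=match.group("enh"),
        text=_TRAILER.sub("", match.group("text")).strip(),
        verdict=VERDICTS[code // 100],
    )


def dead_recipients(lines: List[str]) -> List[str]:
    """Recipients that answered 5xx: look up another contact instead of resending."""
    parsed = (parse_bounce(line) for line in lines)
    return sorted({b.recipient for b in parsed if b and b.recipient and b.code >= 500})


if __name__ == "__main__":
    for sample in SAMPLE_BOUNCES:
        print(parse_bounce(sample))
    print("retire:", dead_recipients(SAMPLE_BOUNCES))
```
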
From michele at blacknight.ie Wed Feb 1 00:38:42 2012
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue, 31 Jan 2012 23:38:42 +0000
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F2877C7.2000805@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net> <4F2877C7.2000805@mutluit.com>
Message-ID: <9CD76DC5-D2ED-4978-B0A6-D713D411549A@blacknight.ie>

On 31 Jan 2012, at 23:22, U.Mutlu wrote:
>
>
>
> What does "Usuario desconocido" mean? :-)

User unknown

> Am I supposed to know that language? :-)

If you want to communicate with a company based in Spain then yes

> Silly practice of making such essential data something different than English.

A simple counter-argument to that is that not everybody speaks English.
Why would a Spanish speaker want to deal with an error message in English?

> Worst is Chinese and similar crap. I wonder if such people can't think a little bit globally.

Globally does not mean English only

Mr Michele Neylon
Blacknight Solutions

From security at mutluit.com Wed Feb 1 00:56:43 2012
From: security at mutluit.com (U.Mutlu)
Date: Wed, 01 Feb 2012 00:56:43 +0100
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <9CD76DC5-D2ED-4978-B0A6-D713D411549A@blacknight.ie>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net> <4F2877C7.2000805@mutluit.com> <9CD76DC5-D2ED-4978-B0A6-D713D411549A@blacknight.ie>
Message-ID: <4F287FBB.5040500@mutluit.com>

Michele Neylon :: Blacknight wrote, On 02/01/12 00:38:
> On 31 Jan 2012, at 23:22, U.Mutlu wrote:
>>
>> What does "Usuario desconocido" mean? :-)
>
> User unknown
>
>> Am I supposed to know that language? :-)
>
> If you want to communicate with a company based in Spain then yes

No thanks! I don't need to learn all the sh*tty languages of all
the 200 or so countries of the world.

>> Silly practice of making such essential data something different than English.
>
> A simple counter-argument to that is that not everybody speaks English.
> Why would a Spanish speaker want to deal with an error message in English?

In a global communications infrastructure we have to agree on a
common technical language, and that is de-facto English.
Unfortunately some prefer their national idiosyncrasies.
An admin who does not know technical English is for me not worth a cent.
From ops.lists at gmail.com Wed Feb 1 02:23:52 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 1 Feb 2012 06:53:52 +0530
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F287FBB.5040500@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net> <4F2877C7.2000805@mutluit.com> <9CD76DC5-D2ED-4978-B0A6-D713D411549A@blacknight.ie> <4F287FBB.5040500@mutluit.com>
Message-ID:

They don't need to hear complaints from you either.

I have a lovely suggestion - take a pair of wire cutters and snip that
long, glass tipped cable that feeds into your server's Ethernet port ..
you know, that square hole with a small slot above it.

See, no spam at all! 100% guaranteed solution.

On Wed, Feb 1, 2012 at 5:26 AM, U.Mutlu wrote:
>
> No thanks! I don't need to learn all the sh*tty languages of all
> the 200 or so countries of the world.

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From peter at hk.ipsec.se Wed Feb 1 08:14:26 2012
From: peter at hk.ipsec.se (peter h)
Date: Wed, 1 Feb 2012 08:14:26 +0100
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To:
References: <4F2870A8.4040900@mutluit.com> <4F287FBB.5040500@mutluit.com>
Message-ID: <201202010814.27602.peter@hk.ipsec.se>

On Wednesday 01 February 2012 02.23, Suresh Ramasubramanian wrote:
> They don't need to hear complaints from you either.
>
> I have a lovely suggestion - take a pair of wire cutters and snip that
> long, glass tipped cable that feeds into your server's Ethernet port ..
> you know, that square hole with a small slot above it.
>
> See, no spam at all! 100% guaranteed solution.

An even better solution is to block all traffic from Spain. This will preserve
connectivity with "those that care"

--
Peter Håkanson

There's never money to do it right, but always money to do it
again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From brian.nisbet at heanet.ie Wed Feb 1 10:27:25 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 01 Feb 2012 09:27:25 +0000
Subject: [anti-abuse-wg] no whois record for another crappy ISP
In-Reply-To: <4F287FBB.5040500@mutluit.com>
References: <4F2870A8.4040900@mutluit.com> <4F2873D6.8090404@consumer.net> <4F2877C7.2000805@mutluit.com> <9CD76DC5-D2ED-4978-B0A6-D713D411549A@blacknight.ie> <4F287FBB.5040500@mutluit.com>
Message-ID: <4F29057D.2050601@heanet.ie>

U.Mutlu wrote, On 31/01/2012 23:56:
> Michele Neylon :: Blacknight wrote, On 02/01/12 00:38:
>> On 31 Jan 2012, at 23:22, U.Mutlu wrote:
>>>
>>> What does "Usuario desconocido" mean? :-)
>>
>> User unknown
>>
>>> Am I supposed to know that language? :-)
>>
>> If you want to communicate with a company based in Spain then yes
>
> No thanks! I don't need to learn all the sh*tty languages of all
> the 200 or so countries of the world.

While the default language for use on RIPE mailing lists and at RIPE
meetings is English, neither that nor any other reason you could come up
with make the rest of the languages in any way inferior.

>>> Silly practice of making such essential data something different than
>>> English.
>>
>> A simple counter-argument to that is that not everybody speaks English.
>> Why would a Spanish speaker want to deal with an error message in
>> English?
>
> In a global communications infrastructure we have to agree on a
> common technical language, and that is de-facto English.
> Unfortunately some prefer their national idiosyncrasies.
> An admin who does not know technical English is for me not worth a cent.

That is up to you, but it's not a topic of conversation for this mailing
list.

Brian
Co-Chair, RIPE AA-WG

From h.lu at anytimechinese.com Thu Feb 2 19:38:39 2012
From: h.lu at anytimechinese.com (Lu Heng)
Date: Thu, 2 Feb 2012 19:38:39 +0100
Subject: [anti-abuse-wg] Can they really demand on customer data?
Message-ID:

Hi colleagues:

I have noticed an interesting part of the DCMA claim, most of them look
like "Nike also demands that you provide the names, postal addresses,
e-mail addresses, and telephone numbers of the registrants of XXX".

But the important thing is, doesn't that conflict with privacy laws,
can they really demand private data without court order? How do you
think about it?

--
--
Kind regards.
Lu

This transmission is intended solely for the addressee(s) shown above.
It may contain information that is privileged, confidential or
otherwise protected from disclosure. Any review, dissemination or use
of this transmission or its contents by persons other than the
intended addressee(s) is strictly prohibited. If you have received
this transmission in error, please notify this office immediately and
e-mail the original at the sender's address above by replying to this
message and including the text of the transmission received.

From michele at blacknight.ie Thu Feb 2 20:07:48 2012
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu, 2 Feb 2012 19:07:48 +0000
Subject: [anti-abuse-wg] Can they really demand on customer data?
In-Reply-To:
References:
Message-ID: <4F2538C315ACAC42AD334C533C247C47260E9425@bkexchmbx01.blacknight.local>

Lu

They can ask for lots of things. You're not obliged to supply them

We get asked for customer data all the time as part of phishing notifications etc.,

Apart from anything else our customers usually aren't the perpetrators, so I fail to understand why they even ask

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions

________________________________________
From: anti-abuse-wg-bounces at ripe.net [anti-abuse-wg-bounces at ripe.net] on behalf of Lu Heng [h.lu at anytimechinese.com]
Sent: 02 February 2012 18:38
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Can they really demand on customer data?

Hi colleagues:

I have noticed an interesting part of the DCMA claim, most of them look
like "Nike also demands that you provide the names, postal addresses,
e-mail addresses, and telephone numbers of the registrants of XXX".

But the important thing is, doesn't that conflict with privacy laws,
can they really demand private data without court order? How do you
think about it?

--
--
Kind regards.
Lu

From peter at hk.ipsec.se Thu Feb 2 21:26:44 2012
From: peter at hk.ipsec.se (peter h)
Date: Thu, 2 Feb 2012 21:26:44 +0100
Subject: [anti-abuse-wg] Can they really demand on customer data?
In-Reply-To:
References:
Message-ID: <201202022126.45122.peter@hk.ipsec.se>

On Thursday 02 February 2012 19.38, Lu Heng wrote:
> Hi colleagues:
>
> I have noticed an interesting part of the DCMA claim, most of them look
> like "Nike also demands that you provide the names, postal addresses,
> e-mail addresses, and telephone numbers of the registrants of XXX".
> But the important thing is, doesn't that conflict with privacy laws,
> can they really demand private data without court order? How do you
> think about it?

There is no need for you to answer at all. If they have valid legal claims they
will come back with proper authority. And as this does not seem to be an abuse-issue
it's not your call. ( remember that everything received by email might have been lost
in transport :-), unless you answer there is nothing that can prove that you received it.
( of course you MUS does not return message notifications, but that is moot anyway since
it does not prove that you actually got the mail)

Just relay and ignore.

Reacting to abuse issues is another issue. They must be dealt with swiftly and with result.
Termination is an effective way of dealing with abuse.

>

--
Peter Håkanson

From noijam at aim.com Thu Feb 2 23:59:02 2012
From: noijam at aim.com (NoiJam)
Date: Thu, 2 Feb 2012 17:59:02 -0500 (EST)
Subject: [anti-abuse-wg] Can they really demand on customer data?
In-Reply-To: <201202022126.45122.peter@hk.ipsec.se>
References: <201202022126.45122.peter@hk.ipsec.se>
Message-ID: <8CEB0156375E80E-E80-CA1F@webmail-m044.sysops.aol.com>

Yes. Termination is an effective way to get rid of abuse and fraud. Together we fight against scam and fraud. ISPs should take immediate actions to curb these evil activities.

scam fighter

-----Original Message-----
From: peter h
To: anti-abuse-wg
Sent: Fri, Feb 3, 2012 4:27 am
Subject: Re: [anti-abuse-wg] Can they really demand on customer data?

On Thursday 02 February 2012 19.38, Lu Heng wrote:
> Hi colleagues:
>
> I have noticed an interesting part of the DCMA claim, most of them look
> like "Nike also demands that you provide the names, postal addresses,
> e-mail addresses, and telephone numbers of the registrants of XXX".
> But the important thing is, doesn't that conflict with privacy laws,
> can they really demand private data without court order? How do you
> think about it?

There is no need for you to answer at all. If they have valid legal claims they
will come back with proper authority. And as this does not seem to be an abuse-issue
it's not your call. ( remember that everything received by email might have been lost
in transport :-), unless you answer there is nothing that can prove that you received it.
( of course you MUS does not return message notifications, but that is moot anyway since
it does not prove that you actually got the mail)

Just relay and ignore.

Reacting to abuse issues is another issue. They must be dealt with swiftly and with result.
Termination is an effective way of dealing with abuse.

>

--
Peter Håkanson

From security at mutluit.com Mon Feb 20 07:09:45 2012
From: security at mutluit.com (U.Mutlu)
Date: Mon, 20 Feb 2012 07:09:45 +0100
Subject: [anti-abuse-wg] no traffic? banned?
Message-ID: <4F41E3A9.4010304@mutluit.com>

I have got no new posting in this list since 2/2.
Is here really no traffic anymore, or have I maybe been removed/banned from the list? :-)

From peter at hk.ipsec.se Mon Feb 20 07:23:37 2012
From: peter at hk.ipsec.se (peter h)
Date: Mon, 20 Feb 2012 07:23:37 +0100
Subject: [anti-abuse-wg] no traffic? banned?
In-Reply-To: <4F41E3A9.4010304@mutluit.com>
References: <4F41E3A9.4010304@mutluit.com>
Message-ID: <201202200723.39362.peter@hk.ipsec.se>

On Monday 20 February 2012 07.09, U.Mutlu wrote:
> I have got no new posting in this list since 2/2.
> Is here really no traffic anymore, or have I maybe been removed/banned from the list? :-)
>
>

Oh no, it's all abuse that is eliminated :-)

--
Peter Håkanson

From brian.nisbet at heanet.ie Thu Feb 23 09:27:42 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 23 Feb 2012 08:27:42 +0000
Subject: [anti-abuse-wg] RIPE 64 Agenda Items
Message-ID: <4F45F87E.6000309@heanet.ie>

Colleagues,

It is now just under two months to the next RIPE meeting in Ljubljana,
Slovenia. RIPE 64 will be held from the 16th - 20th April 2012.
Currently the AA-WG meeting should take place at 11:00 CET on Thursday
April 19th.

We are currently seeking agenda items for the working group session in
any area relating to network abuse, law enforcement or associated
matters and anything else you may feel is of interest to the group.

Please mail any proposals to aa-wg-chairs at ripe.net, preferably before
the 9th of March.

Thanks,

Brian.

From brian.nisbet at heanet.ie Thu Feb 23 10:13:04 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 23 Feb 2012 09:13:04 +0000
Subject: [anti-abuse-wg] AA-WG RIPE 63 Minutes
Message-ID: <4F460320.6030704@heanet.ie>

Colleagues,

Here are the minutes from the AA-WG meeting at RIPE 63. If you have any
questions, objections or corrections, please let me know.

Draft RIPE Anti-Abuse Working Group Minutes - RIPE 63
Tuesday, 1 November 2011, 16:00-17:30, Vienna
Co-Chairs: Brian Nisbet and Tobias Knecht
Scribe: Fergal Cunningham
Chat Monitor: Ingrid Wijte

A: Administrative Matters

Welcome

The Anti-Abuse Working Group Co-Chair Brian Nisbet opened the session
and welcomed the attendees. He thanked the scribe, chat monitor and
stenographers and then introduced his co-chair, Tobias Knecht.

Approve Minutes from RIPE 62

Brian noted that there was an initial comment on the draft minutes from
RIPE 62. He said some small amendments were made and the minutes were
then approved.

Finalise agenda

There were no additions to the agenda.

B. Update

B1: Recent List Discussion

Brian noted there was a lot of recent list discussion, not all of it
constructive. He said reporting abuse to the RIPE NCC was a main issue
and that it would be addressed later in this session with a presentation
from the RIPE NCC.

B2: Passive DNS - Joao Damas, ISC

Joao Damas from ISC gave a presentation on passive DNS.

The presentation is available at:
http://ripe63.ripe.net/presentations/64-PassiveDNS-ISC-RIPE63.pdf

Aaron Kaplan, CERT.at, said there were passive DNS installations in
Estonia, Austria and Luxembourg. He said there was effort between them
to have a common query interface for passive DNS databases and he asked
Joao if he would be interested in participating.

Joao said that sounded like a good idea and he would ask his colleague
to contact Aaron.

Aaron asked if Joao thought about the data collection as being sensitive
from a data protection point of view. He thought there was no easy
answer for this.

Joao agreed and said he also had no answer for that. He said most of the
queries so far were from people they know so there hasn't so far been a
need to perform much verification.

B3. RIPE NCC Abuse Contact Procedures

Laura Cobley, Customer Services Manager at the RIPE NCC, gave a
presentation on the procedures used to report abuse to the RIPE NCC.

Her presentation is available at:
http://ripe63.ripe.net/presentations/112-lauracobley.pdf

Michele Neylon, Blacknight, asked where he could find the webform to
report abuse and how to report abuse in the absence of the webform.

Laura said the webform was a proposal and was not available yet, and
people could send their reports to abuse at ripe.net. She added that she
would ensure this information would be available on the RIPE NCC website.

Peter Koch, DENIC, asked if the RIPE NCC would scrutinise the person
making the report. Laura said there would be scrutiny of the reporter
but that anyone could make a report.
She said there could be an email verification check used in combination
with the webform.

Peter asked if, in that case, people could make reports with an
anonymised name as long as they had a valid email address. Laura said
there were no plans to keep track of identities but that there did need
to be a way to communicate with the reporter.

Sascha Luck, Cork Internet Exchange, asked if it would be better to have
the webform available from the LIR Portal to prevent such things as DDoS
attacks. Laura said this would limit it to only RIPE NCC members. Brian
agreed with this and said he would not want it to be available only to
members.

Kaveh Ranjbar, Database Manager at the RIPE NCC, said that there is a
list of email contacts, including abuse at ripe.net, on the RIPE NCC
website. He said there is also a simple webform for contacting the RIPE
NCC although this does not contain all the options presented by Laura.

Wilfried Woeber, Vienna University/ACOnet, said he did not object to
webforms but said there should be some safeguards to ensure that the
identity of the person is verifiable and that the complaints are
genuine. Wilfried added that many people used email and ticketing
systems and it would be a good idea to consider this.

Tobias Knecht, Abusix, said that there are email formats that can be set
up to hold the same information as a webform and can be partly
automated. He said he would send Laura information on these formats.
Laura thanked Tobias and noted that the format has not been finalised so
it would be good to get that information from Tobias.

Brian asked what would happen to abuse at ripe.net when the webform
became available. Laura said that the address is used for a range of
issues and that it would remain available.

Brian asked when the webform might become available. Laura said she did
not have an exact date yet and the RIPE NCC was still gathering
feedback. She said she hoped to be able to establish a production
timeline soon after the RIPE 63 Meeting.

B4. Hosters v Malware: Tools & Best Practice

Michele Neylon, Blacknight, gave a presentation on tools and best
practices from a hosting provider's point of view.

The presentation is available at:
http://ripe63.ripe.net/presentations/70-blacknight-ripe-vienna.pdf

During the presentation, Michele asked for a show of hands on the
following questions:

- Who is involved with hosting in some way?
- Who provides dial-up or DSL-type services?
- Who deals with abuse reports on a daily basis?
- Are you taking proactive measures to deal with the abuse reports?

Several people raised their hands for all these questions.

There were no questions for Michele from the floor.

C. Policies

C1: Abuse Contact Management Task Force

Brian said the Abuse Contact Management Task Force was formed after the
RIPE 61 Meeting. He said there were a number of policies proposed there
and the task force was formed with the intention of combining common
issues from a number of those policies. He noted that the task force
concentrated on abuse contact management issues.

Tobias gave an update on the work of the task force. He said they were
close to making a proposal that addresses most of the issues seen. He
said the proposal would include a request for an abuse-c contact in RIPE
Database objects that is like the admin-c contact. He said the task
force wants to ensure that everything is done in a way that makes life
easy for maintainers. He said he hoped that the proposal could be
published well in advance of the RIPE 64 Meeting.

Brian said he didn't want to have a discussion on the proposal until it
was issued. He said that Policy Proposal 2011-06 would pass through the
Policy Development Process and hopefully consensus would be reached. He
said they would then determine whether the task force should continue or
be discontinued. He said information on the task force is published on
the Anti-Abuse Working Group webpages.
He said the task force would work on the proposal together with the RIPE
Database Working Group. He concluded by asking that people give a clear
opinion on the proposal on the Anti-Abuse mailing list when it is posted.

D. Interactions

D1. Working Groups

Brian said there would be interaction with the RIPE Database Working
Group, as noted in agenda point C1.

D3. RIPE NCC Gov/LEA Interactions Update

Brian noted that legal enforcement agencies (LEAs) and governments are
becoming more aware of how people are using the Internet. He said the
RIPE NCC has done an excellent job of getting LEAs around the table and
there has been a noticeably more collegiate atmosphere between
representatives of LEAs and the Internet community of late. He said LEAs
have not been as visible lately because they have a better understanding
of the work of the RIPE community and are concentrating on other things
at the moment.

Brian said he went to Europol with Jochem de Ruig and Marco Hogewoning
from the RIPE NCC to talk about security issues. They have started to
look at training investigators on IPv6 issues. He said there was also a
Cyber Crime Working Party (CCWP) meeting in Paris the week before the
RIPE 63 Meeting.

Brian said RIPE community representatives would go to the SOCA meeting
in London in March 2012 to maintain that relationship. He also noted
that governments have some ideas on web filtering but they are trying to
steer them in the right direction where possible.

Aaron Kaplan, CERT.at, asked if anyone thought about collecting
statistics from each country on IRT object entries.

Wilfried Woeber, RIPE Database Working Group Co-Chair, said he thought
the Anti-Abuse Policy Proposal should be set in motion first to see what
then happens. Brian reiterated that the proposal would go into the PDP
as soon as possible.

Michele Neylon, Blacknight, said that a problem LEAs had was that
registrars were slow to have something official available for the LEAs.
He recommended that this group learn from that lesson.

Sascha Luck, Cork Internet Exchange, asked if the content of the
discussion with LEAs would be published anywhere. Brian said that the
discussions are usually confidential but it was agreed that people
involved with the CCWP could report back to their communities on the
issues that were discussed.

Wilfried said that he has seen LEAs become more involved with Internet
number resource issues. He said the Internet community should work with
them as much as possible.

Tobias said that he wanted a RIPE Policy in place as soon as possible
for those very reasons.

X. A.O.B.

There was no other business to attend to.

Z. Agenda for RIPE 64

Brian said the working group tries to have a good mix of technical and
anti-abuse-related discussions. He concluded that if people wanted
different areas discussed or if they wanted to present at RIPE 64, they
should contact one of the working group chairs.

Brian thanked everyone for attending and closed the session at 17:28
(UTC +1).

From russ at consumer.net Thu Feb 23 14:04:29 2012
From: russ at consumer.net (russ at consumer.net)
Date: Thu, 23 Feb 2012 08:04:29 -0500
Subject: [anti-abuse-wg] AA-WG RIPE 63 Minutes
In-Reply-To: <4F460320.6030704@heanet.ie>
References: <4F460320.6030704@heanet.ie>
Message-ID: <4F46395D.5050103@consumer.net>

>Brian noted there was a lot of recent list discussion, not all of it constructive. He said reporting abuse to the RIPE
>NCC was a main issue and that it would be addressed later in this session with a presentation from the RIPE NCC.

Anyone who points out the deficiencies in the system is not being
"constructive." Being "constructive" all depends on your point of view.
The people involved want to spin things so they get a personal benefit
from the situation.