From h.lu at anytimechinese.com Wed May 2 10:47:56 2012
From: h.lu at anytimechinese.com (Lu Heng)
Date: Wed, 2 May 2012 10:47:56 +0200
Subject: [anti-abuse-wg] How to monitor any of my IP range being blacklisted?
Message-ID:

Hi

Does anybody know how to monitor all the ranges, to see if they are
black listed, check one by one is not a good idea as an ISP.

Anybody know a way to check a block of IP like /19 or something.

Thanks in advance!

--
--
Kind regards.
Lu

This transmission is intended solely for the addressee(s) shown above.
It may contain information that is privileged, confidential or otherwise
protected from disclosure. Any review, dissemination or use of this
transmission or its contents by persons other than the intended
addressee(s) is strictly prohibited. If you have received this
transmission in error, please notify this office immediately and e-mail
the original at the sender's address above by replying to this message
and including the text of the transmission received.

From andreas.schulze at datev.de Wed May 2 11:05:03 2012
From: andreas.schulze at datev.de (Andreas Schulze)
Date: Wed, 2 May 2012 11:05:03 +0200
Subject: [anti-abuse-wg] How to monitor any of my IP range being blacklisted?
In-Reply-To:
References:
Message-ID: <20120502090503.GB4360@spider.services.datevnet.de>

On 02.05.2012 10:47, Lu Heng wrote:

> Anybody know a way to check a block of IP like /19 or something.

- You may mirror the rbl of interest. lookup into your local copy should be fine.
- Or you ask the rbl provider for a notification. That may also cost money.
- capture all packets, identify SMTP-Responses and check the result strings.

Andreas

--
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registry court Nürnberg, GenReg No. 70
Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm.
Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen

From jernej.porenta at arnes.si Wed May 2 11:33:33 2012
From: jernej.porenta at arnes.si (Jernej Porenta)
Date: Wed, 2 May 2012 11:33:33 +0200
Subject: [anti-abuse-wg] How to monitor any of my IP range being blacklisted?
In-Reply-To: <20120502090503.GB4360@spider.services.datevnet.de>
References: <20120502090503.GB4360@spider.services.datevnet.de>
Message-ID: <792E4CE4-5D78-470D-A547-A2C71257C367@arnes.si>

On May 2, 2012, at 11:05 AM, Andreas Schulze wrote:

> On 02.05.2012 10:47, Lu Heng wrote:
>> Anybody know a way to check a block of IP like /19 or something.
> - You may mirror the rbl of interest. lookup into your local copy should be fine.
> - Or you ask the rbl provider for a notification. That may also cost money.
> - capture all packets, identify SMTP-Responses and check the result strings.

- signup for feedback loops with major email providers (http://blog.wordtothewise.com/isp-information/)
- use grepcidr for lookups in local dbs (http://www.pc-tools.net/unix/grepcidr/)
- read and act upon abuse@ emails ;)
- check with major RBLs for your outgoing SMTP servers being listed (nagios check_rbl plugin)

cheers, Jernej

From ripe-anti-spam-wg at powerweb.de Wed May 2 11:51:34 2012
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 02 May 2012 11:51:34 +0200
Subject: [anti-abuse-wg] How to monitor any of my IP range being blacklisted?
In-Reply-To:
References:
Message-ID: <4FA103A6.8090506@powerweb.de>

Lu Heng wrote:
> Hi
>

Hi,

I guess you are also scanning incoming email already with
an antispam software and that you are using the rbl's of interest
already.

We realized that spammers usually also send spam to email addresses
captured from outlook address books on the spambotted PC or relay through
your mailservers, if they spambotted a PC of your own customer.

So: if there is one of your dial-in customers' PCs captured with a spambot,
you will also receive spam from this PC to your other customers' email
addresses, to the email address of the customer himself or your own
mailservers.

So: check your own anti spam results for your own IP address range.
If your other customers receive spam from your own IPs, or your mailserver
relay with an IP of your own IP range and the score is very high, you can
surely

- be sure that your IP will end up on other rbls, if you are not
  acting quick enough and try a multi rbl list like
  http://multirbl.valli.org/
  to check that IP and fix the rbls, that already list your IP
- inform your customer, that his PC is captured and block outgoing
  smtp for him (we simply change his dial-in password and
  log him out, if some thresholds are reached ;o)

This surely only works, if you have enough dial-in customers and
enough other customer domains that are receiving mail and works
even better, if your customers are using your own mailservers as
outgoing mailservers (ok, this only works, if the spambot is not
having an own SMTP engine).

We automated this and do not have a lot of botted customers, but
we find them and turn them off, before the IPs end up on any other RBL.

I bet it also works great, if a webspace or housingserver is misused.

There are nice spamassassin modules, that insert the AS of the sender
IP into the header, so you can easily scan for this header-field.
In SA is also a mechanism called ALL_TRUSTED, that inserts this flag,
if the user also identified via POP3 or SMTP-Auth, if you ever
receive an email with a very high score and it's all ALL_TRUSTED, you
can also be sure, that your own customer's PC is spambotted.

Surely you will not get any rbl listings because of webvertized URLs
or the like ...

Kind regards, Frank

> Does anybody know how to monitor all the ranges, to see if they are
> black listed, check one by one is not a good idea as an ISP.
>
> Anybody know a way to check a block of IP like /19 or something.
>
> Thanks in advance!

--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb              http://www.powerweb.de
Owner: Dipl.-Inform. Frank Gadegast    mailto:frank at powerweb.de
Schinkelstrasse 17                     fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany  fax: +49 33200 52921
======================================================================

From BECHA at ripe.net Mon May 7 17:21:20 2012
From: BECHA at ripe.net (Vesna Manojlovic)
Date: Mon, 07 May 2012 17:21:20 +0200
Subject: [anti-abuse-wg] How to monitor any of my IP range being blacklisted?
In-Reply-To:
References:
Message-ID: <4FA7E870.4040104@ripe.net>

Dear Lu, all,

On 5/2/12 10:47 AM, Lu Heng wrote:
> Hi
>
> Does anybody know how to monitor all the ranges, to see if they are
> black listed, check one by one is not a good idea as an ISP.
>
> Anybody know a way to check a block of IP like /19 or something.

Yes, you can use "blacklist" widget of RIPEstat: https://stat.ripe.net

It finds periods when parts of a prefix featured in one of several
blacklists: so far, we are using data from Spamhaus DROP and UCE PROTECT.

Example (sorry, random IP range, it has to belong to someone...)
https://stat.ripe.net/212.15.240.0/24#blacklist

Please let me know if this serves your purpose, and any feedback that
you have.

Regards,
Vesna

--
Vesna Manojlovic            BECHA at ripe.net
Senior Community Builder    +31205354444
for Measurements Tools
RIPE NCC                    http://ripe.net

From wiegert at telus.net Mon May 7 20:17:27 2012
From: wiegert at telus.net (Arnold)
Date: Mon, 07 May 2012 11:17:27 -0700
Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries
In-Reply-To: <4FA7E870.4040104@ripe.net>
References: <4FA7E870.4040104@ripe.net>
Message-ID: <4FA811B7.6070304@telus.net>

Hi all,

I am new to this list, but have a - to me very important - question.

For a good number of years I have made a serious effort to report SPAM,
in fact I have built and published a handy-dandy SPAM reporting tool
for Windows - see my tag line.

Over the years I have consistently found that of all the databases RIPE
is the one with by far the fewest entries with a proper e-mail address
for reporting SPAM.

Can anyone give me some reasons for this and even more importantly
what I can do or whom to address to get something done about it?

Arnold

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

From michele at blacknight.ie Mon May 7 20:42:45 2012
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 7 May 2012 18:42:45 +0000
Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries
In-Reply-To: <4FA811B7.6070304@telus.net>
References: <4FA7E870.4040104@ripe.net>,<4FA811B7.6070304@telus.net>
Message-ID: <4F2538C315ACAC42AD334C533C247C47264A0D77@bkexchmbx01.blacknight.local>

Arnold

I'd strongly recommend you read this WG's email archives for extensive
discussion on this topic

Regards

Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax.
+353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

________________________________________
From: anti-abuse-wg-bounces at ripe.net [anti-abuse-wg-bounces at ripe.net] on behalf of Arnold [wiegert at telus.net]
Sent: 07 May 2012 19:17
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries

Hi all,

I am new to this list, but have a - to me very important - question.

For a good number of years I have made a serious effort to report SPAM,
in fact I have built and published a handy-dandy SPAM reporting tool
for Windows - see my tag line.

Over the years I have consistently found that of all the databases RIPE
is the one with by far the fewest entries with a proper e-mail address
for reporting SPAM.

Can anyone give me some reasons for this and even more importantly
what I can do or whom to address to get something done about it?

Arnold

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

From wiegert at telus.net Mon May 7 21:52:10 2012
From: wiegert at telus.net (Arnold)
Date: Mon, 07 May 2012 12:52:10 -0700
Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries
In-Reply-To: <4F2538C315ACAC42AD334C533C247C47264A0D77@bkexchmbx01.blacknight.local>
References: <4FA7E870.4040104@ripe.net>, <4FA811B7.6070304@telus.net> <4F2538C315ACAC42AD334C533C247C47264A0D77@bkexchmbx01.blacknight.local>
Message-ID: <4FA827EA.5090904@telus.net>

On 07/05/2012 11:42 AM, Michele Neylon :: Blacknight wrote:
> Arnold
>
> I'd strongly recommend you read this WG's email archives for extensive discussion on this topic

Thank you, Michele, I will do so.

Before signing up, I looked for the archives, but what I found at the
time seemed several years old, which led me to believe the list was
very quiet - and possibly dormant.

When I looked again after receiving your reply, I did find what looks
like the current archive which shows the list to be quite active :-)

But, from the looks of things - at least the archive I did find
http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/
- I will have to download the archive to be able to search for the
thread of interest.

Could you please point me to an approximate date - at least a year or
month - where I should start looking?

TIA,
Arnold

>
> Regards
>
> Michele
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel/
> Intl. +353 (0) 59 9183072
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Fax. +353 (0) 1 4811 763
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
> ________________________________________
> From: anti-abuse-wg-bounces at ripe.net [anti-abuse-wg-bounces at ripe.net] on behalf of Arnold [wiegert at telus.net]
> Sent: 07 May 2012 19:17
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] no abuse e-mail address for so many of RIPE's entries
>
> Hi all,
>
> I am new to this list, but have a - to me very important -
> question.
>
> For a good number of years I have made a serious effort to
> report SPAM,
> in fact I have built and published a handy-dandy SPAM
> reporting tool for Windows
> - see my tag line.
>
> Over the years I have consistently found that of all the
> databases RIPE is
> the one with by far the fewest entries with a proper e-mail
> address for reporting SPAM.
>
> Can anyone give me some reasons for this and even more
> importantly
> what I can do or whom to address to get something done about it?
>
> Arnold
>
> --
> Fight Spam - report it with wxSR
> http://www.columbinehoney.net/wxSR.shtml
>
>
>

--
Fight Spam - report it with wxSR
http://www.columbinehoney.net/wxSR.shtml

From michieldeweger at centuryconsulting.nl Tue May 8 15:48:39 2012
From: michieldeweger at centuryconsulting.nl (Dr Michiel de Weger)
Date: Tue, 8 May 2012 15:48:39 +0200
Subject: [anti-abuse-wg] CleanIT project
Message-ID: <98DF114027A3440D80A7D1FB26DCDE0D.MAI@hostingenregistratie.nl>

An HTML attachment was scrubbed...
URL:

From brian.nisbet at heanet.ie Wed May 16 12:31:37 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 16 May 2012 11:31:37 +0100
Subject: [anti-abuse-wg] 2011-06 Moving to Review Phase
Message-ID: <4FB38209.6000508@heanet.ie>

Colleagues,

The Discussion Phase for 2011-06 (Abuse Contact Management in the RIPE
NCC Database) has ended and thank you all for your input so far.

The next step is to move to Review Phase and to ask the NCC to provide
an Impact Analysis for the policy. This has been requested and while we
don't have an estimated delivery date for this report, I hope to be able
to set expectations soon.

The move to Review Phase does not mean that discussion should stop,
indeed I encourage you to continue to discuss the policy and certainly
I hope that the input from the NCC will answer some of the questions
that have already been raised.

Thanks,

Brian,
Co-Chair, AA-WG

From emadaio at ripe.net Fri May 18 15:37:44 2012
From: emadaio at ripe.net (Emilio Madaio)
Date: Fri, 18 May 2012 15:37:44 +0200
Subject: [anti-abuse-wg] 2011-06 Draft Document will be produced (Abuse Contact Management in the RIPE NCC Database)
Message-ID:

Dear Colleagues,

The discussion period for the proposal described in 2011-06, "Abuse
Contact Management in the RIPE NCC Database", has ended.

A draft document and the RIPE NCC Impact Analysis will now be prepared
for review. We will publish the documents shortly and we will make an
announcement.

You can find the full proposal at:

http://www.ripe.net/ripe/policies/proposals/2011-06

Regards

Emilio Madaio
Policy Development Officer
RIPE NCC

From mir at ripe.net Tue May 22 16:25:22 2012
From: mir at ripe.net (Mirjam Kuehne)
Date: Tue, 22 May 2012 16:25:22 +0200
Subject: [anti-abuse-wg] New on RIPE Labs: A Year of Medical SpamRankings.net: Medical Organizations
Message-ID: <4FBBA1D2.5050409@ripe.net>

Hello,

Please find a new article contributed by John S. Quarterman on RIPE Labs:
A Year of Medical SpamRankings.net: Medical Organizations

https://labs.ripe.net/Members/jsq/a-year-of-medical-spamrankings.net-medical-organizations-1

Kind regards,
Mirjam Kuehne
RIPE NCC
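
Added example for the thread "How to monitor any of my IP range being blacklisted?" above (not code from any poster, from grepcidr or from RIPEstat): checking whole ranges such as a /19 against a locally mirrored blocklist in one pass, instead of one lookup per address. The "CIDR ; comment" file layout, the sample entries and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a mirrored blocklist in "CIDR ; comment" form.
# Entries use documentation/benchmarking ranges, not real listings.
SAMPLE_LIST = """\
; constructed sample, not real data
198.51.100.0/24 ; SAMPLE-1
192.0.2.77 ; SAMPLE-2
198.18.0.0/15 ; SAMPLE-3
203.0.113.0/24 ; SAMPLE-4
not-an-address ; SAMPLE-5
"""

def parse_blocklist(text):
    """Yield (network, comment) per usable line; skip comments and junk."""
    for raw in text.splitlines():
        entry, _, comment = raw.partition(";")
        entry = entry.strip()
        if not entry:
            continue  # blank line or pure comment line
        try:
            # strict=False accepts single IPs and entries with host bits set
            yield ipaddress.ip_network(entry, strict=False), comment.strip()
        except ValueError:
            continue  # malformed line in the mirror: ignore, do not abort

def find_listings(own_ranges, blocklist_text):
    """Return sorted (own_range, listed_entry, comment) for every overlap."""
    own = [ipaddress.ip_network(r) for r in own_ranges]
    hits = []
    for listed, comment in parse_blocklist(blocklist_text):
        for net in own:
            # overlaps() is true when the listing lies inside our range
            # and also when our range lies inside a larger listed block
            if net.version == listed.version and net.overlaps(listed):
                hits.append((str(net), str(listed), comment))
    return sorted(hits)

if __name__ == "__main__":
    # Hypothetical ISP allocations: one /19 and one /24
    for hit in find_listings(["198.18.32.0/19", "192.0.2.0/24"], SAMPLE_LIST):
        print("%s overlaps listed %s (%s)" % hit)
```

Run from cron against each refreshed mirror and alert on any non-empty result; the overlap test catches both a single listed customer address and a listing that covers the whole allocation.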