From security at mutluit.com Wed Oct 3 12:21:24 2012
From: security at mutluit.com (U.Mutlu)
Date: Wed, 03 Oct 2012 12:21:24 +0200
Subject: [anti-abuse-wg] Abuse contact of 85.95.235.0 - 85.95.235.255 not working (emails bounce)
Message-ID: <506C11A4.30806@mutluit.com>

Abuse email contact of 85.95.235.0 - 85.95.235.255 not working (emails bounce):

The abuse contact email address of the following RIPE member
isn't functioning for more than 3 weeks now as all mails to that address bounce:
"
SMAIL SMTP-Send MX = "mail.atalaybilisim.com." SMTP = "mutluit.com"
From = "security at mutluit.com" To = "dns at atalaybilisim.com" Failed !
SMTP-Error = "550 Requested action not taken: mailbox unavailable or not local"
SMTP-Server = "mail.atalaybilisim.com."
"

Additionally, they have given their IP 85.95.235.101
the DNS hostname "localhost.mail.localdomain" .
The same with their second IP 85.95.235.102.

Is this legal? Isn't that an indication for a "mail server hacker collective"?

The above said two IPs are among the bounced abuse reports.

#############
# nslookup 85.95.235.101
Non-authoritative answer:
101.235.95.85.in-addr.arpa name = localhost.mail.localdomain.

#############
# nslookup 85.95.235.102
Non-authoritative answer:
102.235.95.85.in-addr.arpa name = localhost.mail.localdomain.

#############
# whois 85.95.235.101
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '85.95.235.0 - 85.95.235.255'

inetnum: 85.95.235.0 - 85.95.235.255
netname: INETMAR
descr: Turkhosting-Colocation Network
remarks: *********************************************
remarks: *** Abuse Reports to: dns at atalaybilisim.com ***
remarks: *** This IP block is used for web hosting,***
remarks: *** dedicated and co-located servers. In ***
remarks: *** case of spam, please only deal with ***
remarks: *** originator IP only. ***
remarks: *** DO NOT DEAL WITH THE WHOLE IP BLOCK ***
remarks: *********************************************
country: TR
admin-c: OA1064-RIPE
tech-c: OA1064-RIPE
status: ASSIGNED PA
mnt-by: TURKHOSTING-MNT
source: RIPE # Filtered

person: Oguz Atalay
address: 189 CADDE 270 SOKAK NO: 2/A
phone: +903123187847
fax-no: +903123187848
nic-hdl: OA1064-RIPE
source: RIPE # Filtered

% Information related to '85.95.235.0/24AS49467'

route: 85.95.235.0/24
descr: INETMAR-IZMIR
origin: AS49467
mnt-by: INETMAR-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.19.9 (WHOIS4)

#############


From bengan at bag.org Wed Oct 3 12:52:42 2012
From: bengan at bag.org (Bengt Gördén)
Date: Wed, 03 Oct 2012 12:52:42 +0200
Subject: [anti-abuse-wg] Abuse contact of 85.95.235.0 - 85.95.235.255 not working (emails bounce)
In-Reply-To: <506C11A4.30806@mutluit.com>
References: <506C11A4.30806@mutluit.com>
Message-ID: <506C18FA.5060201@bag.org>

2012-10-03 12:21, U.Mutlu wrote:
> Abuse email contact of 85.95.235.0 - 85.95.235.255 not working (emails
> bounce):
>
> The abuse contact email address of the following RIPE member
> isn't functioning for more than 3 weeks now as all mails to that
> address bounce:
> "
> SMAIL SMTP-Send MX = "mail.atalaybilisim.com." SMTP = "mutluit.com"
> From = "security at mutluit.com" To = "dns at atalaybilisim.com" Failed !
> SMTP-Error = "550 Requested action not taken: mailbox unavailable or
> not local"
> SMTP-Server = "mail.atalaybilisim.com."
> "
>
> Additionally, they have given their IP 85.95.235.101
> the DNS hostname "localhost.mail.localdomain" .
> The same with their second IP 85.95.235.102.
>
> Is this legal? Isn't that an indication for a "mail server hacker
> collective"?
>
> The above said two IPs are among the bounced abuse reports.

To be unreachable by email isn't illegal.
However, according to RIPE-530 it has to be correct at all times.

http://www.ripe.net/ripe/docs/ripe-530#----registration-requirements

/bengan


From peter at hk.ipsec.se Wed Oct 3 14:34:34 2012
From: peter at hk.ipsec.se (peter h)
Date: Wed, 3 Oct 2012 14:34:34 +0200
Subject: [anti-abuse-wg] Abuse contact of 85.95.235.0 - 85.95.235.255 not working (emails bounce)
In-Reply-To: <506C11A4.30806@mutluit.com>
References: <506C11A4.30806@mutluit.com>
Message-ID: <201210031434.35189.peter@hk.ipsec.se>

On Wednesday 03 October 2012 12.21, U.Mutlu wrote:
> Abuse email contact of 85.95.235.0 - 85.95.235.255 not working (emails bounce):

You may block

route: 85.95.224.0/21
descr: INETMAR-izmir

they belong to the same spammer.

--
Peter Håkanson

There's never money to do it right, but always money to do it
again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )


From peter.forsman at iis.se Mon Oct 8 14:39:41 2012
From: peter.forsman at iis.se (Peter Forsman)
Date: Mon, 8 Oct 2012 14:39:41 +0200
Subject: [anti-abuse-wg] Counterfeit shops pres follow-up
Message-ID: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se>

Hi AntiAbuse WG,

In my presentation at last week's AntiAbuse-wg session [1][9], which was under time constraints, I would like to add the following...


I would like to suggest that the community analyze some risks that might follow the growth of the counterfeit shops on the Internet, that I showed in my presentation. I'll try to give you some more input, while I'll let you do your own conclusions...

A brief history
---------------

The growth of this extremely advanced network(s) of counterfeit websites has been seen since about 3 years back in time. There is nothing that indicates that it would stop growing or decrease, rather the opposite, especially with the upcoming new gTLDs and the expected price war that they will bring into the domain market.

The current situation
---------------------

According to my findings (from the 46 TM:s I have studied) there are at least 100 000 active counterfeit shops under "the big five" gTLDs, using the TM:s in the domain name.
Most likely, we could add another 50 000 shops of this network under ccTLDs and websites using generic words in the domain name like "LAARZENNL.COM " = "Laarzen" (Dutch for "Boots") + "NL" (Countrycode for "Netherlands").
With 150 000 active shops there are another 150 000 ones, without active content (to be used "in case of" an ADR (Alternative Domain Resolutions), UDRP (ICANN:s Uniform Domain-name Dispute-Resolution Policy) or takedown(s) of the active domain name(s)).
According to SACG (Swedish Anti-Counterfeit Group) and "my other sources", this has become a (USD) billion industry.

About law enforcement
---------------------

To begin with, I only have experience from the Swedish law enforcement, and I'm not aware if these numbers are applicable in other countries as well.

At the Swedish police there are only 1% of employees that are classed as IT-forensics, and sadly, most of these 1% IT-forensics do not have any experience in "Internet forensics".
OTOH, the fraud squad (in Stockholm City police area) claims that 90% of all fraud reports they receive today are related to the Internet.
So this is already a serious problem, where many frauds are still unsolved, because of lack of competence and resources.

Domain names
------------

Usually, the TM-holders and their IP-lawyers react upon infringing domain registrations, mostly through ADR/UDRP. Last year there was a new record of UDRP:s (dispute resolutions).
If you visit the decisions at WIPO [2] you'll see that a majority of complaints over the last years concern the domains for the counterfeit shops, like for example "Gucci" (89 domains) [3] and "Hermès" (75 domains) [4]

And even if it's rare, we have also seen dangerous court decisions like the Deckers/UGG case [5] some weeks ago (400+ domains) (Read 2, 3 and 5.) Furthermore, several of the shops do NOT even offer UGG-products, but use a UGG-logo [6] The problem with American decisions like this restraining order, is that they also could be targeting European ISPs/hosting companies without any effect, while American companies may be forced to block or filter traffic.

Domain names vs. Content vs. Source
-----------------------------------

Be aware of the differences of registering a free domain name (that includes someone else's registered rights, like a TM) aka "Cybersquatting" or other disputes, from actually hosting an infringing content like my example where the "chinashops" offering fake products or scraped content from other websites.
To register a free domain name is in other words NOT illegal by any law or other regulations.
Cybersquatted domains or "unintended infringements" that lead to domain disputes are handled by an ADR or an UDRP. Trademark infringements are usually tried legally in a civil court, while counterfeit products are illegal in most parts of the world.

More problems - the new gTLDs
-----------------------------

ICANN already has a problem with 5 gTLDs. ICANN's own study shows that 29% of WHOIS data is junk [7] Then imagine when 1000+ new gTLDs will reach the market, there will most likely be an aggressive price war, where consumers are offered very cheap to free domain names.

The Future - Internet population and growth
-------------------------------------------

Population in short:
China (513 m) alone has more Internet users than the whole of Europe (500 m), and Europe has more than twice as many as the US (245 m).

Internet growth in short:
Between Q2-Q4 2011, Internet had 626 283 new users each day.
Asia stands for 54,8% (346 526 new users per day), Europe 14,2% (89 126 new users per day), North America 0,37% (3 642 new users per day) (USA 0,001% (739 new users per day)

(For statistics 2004-2001, see [8] (In Swedish)):

Final note
----------

The question is if the lack of tools to stop illegal businesses, will bring more attempts to filter and regulate Internet, just like SOPA/PIPA/ACTA etc.

In my studies, about 50 000 different IP addresses have been used to host these web shops worldwide.



References:
[1] https://ripe65.ripe.net/presentations/73-counterfeitwebsites.pdf
[2] http://www.wipo.int/amc/en/domains/casesx/index.html
[3] http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2012-0342
[4] http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2012-0264
[5] http://gbclaw.net/files/caseNo-12-cv-7297/Temporary%20Restraining%20Order.PDF
[6] http://www.ilovetoshopping.com/upload/9.jpg
[7] http://www.icann.org/en/news/public-comment/whois-accuracy-study-15feb10-en.htm
[8] http://www.internetsweden.se/analys-av-internets-tillvaxt-infor-nya-gtlder/
[9] https://ripe65.ripe.net/archives/video/141


Peter Forsman
Abuse Manager .SE (The Internet Infrastructure Foundation)
+46(0)8-452 35 80
PO Box 7399, SE-103 91 Stockholm, Sweden http://www.iis.se


From ops.lists at gmail.com Mon Oct 8 15:52:10 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 8 Oct 2012 19:22:10 +0530
Subject: [anti-abuse-wg] Counterfeit shops pres follow-up
In-Reply-To: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se>
Message-ID:

The data is out there and has been analyzed in multiple places.

However, in the interests of sanity - and so that this issue does not
get ignored by pointing out where all it is not relevant to RIPE NCC's
mandate or out of scope of any RIR ..
[such as domain names for example, you want ICANN for that, and the UDRP] ..

Can you please focus on

1. How many of these resolve to IPs in the RIPE coverage area
2. How many of them are actual RIPE allocations to malicious entities,
rather than compromised IPs for example?

#2 in particular.

thank you
--srs

On Mon, Oct 8, 2012 at 6:09 PM, Peter Forsman wrote:
> Hi AntiAbuse WG,
>
> In my presentation at last week's AntiAbuse-wg session [1][9], which was under time constraints, I would like to add the following...
>
>
> I would like to suggest that the community analyze some risks that might follow the growth of the counterfeit shops on the Internet, that I showed in my presentation. I'll try to give you some more input, while I'll let you do your own conclusions...
>
> A brief history
> ---------------
>
> The growth of this extremely advanced network(s) of counterfeit websites has been seen since about 3 years back in time. There is nothing that indicates that it would stop growing or decrease, rather the opposite, especially with the upcoming new gTLDs and the expected price war that they will bring into the domain market.
>
> The current situation
> ---------------------
>
> According to my findings (from the 46 TM:s I have studied) there are at least 100 000 active counterfeit shops under "the big five" gTLDs, using the TM:s in the domain name.
> Most likely, we could add another 50 000 shops of this network under ccTLDs and websites using generic words in the domain name like "LAARZENNL.COM " = "Laarzen" (Dutch for "Boots") + "NL" (Countrycode for "Netherlands").
> With 150 000 active shops there are another 150 000 ones, without active content (to be used "in case of" an ADR (Alternative Domain Resolutions), UDRP (ICANN:s Uniform Domain-name Dispute-Resolution Policy) or takedown(s) of the active domain name(s)).
> According to SACG (Swedish Anti-Counterfeit Group) and "my other sources", this has become a (USD) billion industry.
>
> About law enforcement
> ---------------------
>
> To begin with, I only have experience from the Swedish law enforcement, and I'm not aware if these numbers are applicable in other countries as well.
>
> At the Swedish police there are only 1% of employees that are classed as IT-forensics, and sadly, most of these 1% IT-forensics do not have any experience in "Internet forensics".
> OTOH, the fraud squad (in Stockholm City police area) claims that 90% of all fraud reports they receive today are related to the Internet.
> So this is already a serious problem, where many frauds are still unsolved, because of lack of competence and resources.
>
> Domain names
> ------------
>
> Usually, the TM-holders and their IP-lawyers react upon infringing domain registrations, mostly through ADR/UDRP. Last year there was a new record of UDRP:s (dispute resolutions).
> If you visit the decisions at WIPO [2] you'll see that a majority of complaints over the last years concern the domains for the counterfeit shops, like for example "Gucci" (89 domains) [3] and "Hermès" (75 domains) [4]
>
> And even if it's rare, we have also seen dangerous court decisions like the Deckers/UGG case [5] some weeks ago (400+ domains) (Read 2, 3 and 5.) Furthermore, several of the shops do NOT even offer UGG-products, but use a UGG-logo [6] The problem with American decisions like this restraining order, is that they also could be targeting European ISPs/hosting companies without any effect, while American companies may be forced to block or filter traffic.
>
> Domain names vs. Content vs. Source
> -----------------------------------
>
> Be aware of the differences of registering a free domain name (that includes someone else's registered rights, like a TM) aka "Cybersquatting" or other disputes, from actually hosting an infringing content like my example where the "chinashops" offering fake products or scraped content from other websites.
> To register a free domain name is in other words NOT illegal by any law or other regulations.
> Cybersquatted domains or "unintended infringements" that lead to domain disputes are handled by an ADR or an UDRP. Trademark infringements are usually tried legally in a civil court, while counterfeit products are illegal in most parts of the world.
>
> More problems - the new gTLDs
> -----------------------------
>
> ICANN already has a problem with 5 gTLDs. ICANN's own study shows that 29% of WHOIS data is junk [7] Then imagine when 1000+ new gTLDs will reach the market, there will most likely be an aggressive price war, where consumers are offered very cheap to free domain names.
>
> The Future - Internet population and growth
> -------------------------------------------
>
> Population in short:
> China (513 m) alone has more Internet users than the whole of Europe (500 m), and Europe has more than twice as many as the US (245 m).
>
> Internet growth in short:
> Between Q2-Q4 2011, Internet had 626 283 new users each day.
> Asia stands for 54,8% (346 526 new users per day), Europe 14,2% (89 126 new users per day), North America 0,37% (3 642 new users per day) (USA 0,001% (739 new users per day)
>
> (For statistics 2004-2001, see [8] (In Swedish)):
>
> Final note
> ----------
>
> The question is if the lack of tools to stop illegal businesses, will bring more attempts to filter and regulate Internet, just like SOPA/PIPA/ACTA etc.
>
> In my studies, about 50 000 different IP addresses have been used to host these web shops worldwide.
>
>
>
> References:
> [1] https://ripe65.ripe.net/presentations/73-counterfeitwebsites.pdf
> [2] http://www.wipo.int/amc/en/domains/casesx/index.html
> [3] http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2012-0342
> [4] http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2012-0264
> [5] http://gbclaw.net/files/caseNo-12-cv-7297/Temporary%20Restraining%20Order.PDF
> [6] http://www.ilovetoshopping.com/upload/9.jpg
> [7] http://www.icann.org/en/news/public-comment/whois-accuracy-study-15feb10-en.htm
> [8] http://www.internetsweden.se/analys-av-internets-tillvaxt-infor-nya-gtlder/
> [9] https://ripe65.ripe.net/archives/video/141
>
>
> Peter Forsman
> Abuse Manager .SE (The Internet Infrastructure Foundation)
> +46(0)8-452 35 80
> PO Box 7399, SE-103 91 Stockholm, Sweden http://www.iis.se

--
Suresh Ramasubramanian (ops.lists at gmail.com)


From shane at time-travellers.org Tue Oct 9 10:55:46 2012
From: shane at time-travellers.org (Shane Kerr)
Date: Tue, 9 Oct 2012 10:55:46 +0200
Subject: [anti-abuse-wg] Counterfeit shops pres follow-up
In-Reply-To:
References: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se>
Message-ID: <20121009105546.1cc7431e@shane-desktop>

Suresh,

On Monday, 2012-10-08 19:22:10 +0530,
Suresh Ramasubramanian wrote:

> The data is out there and has been analyzed in multiple places.
>
> However, in the interests of sanity - and so that this issue does not
> get ignored by pointing out where all it is not relevant to RIPE NCC's
> mandate or out of scope of any RIR .. [such as domain names for
> example, you want ICANN for that, and the UDRP] ..

While the anti-abuse working group does help create RIPE policy, that
is not the only thing it does. I had a quick look at the charter:

http://www.ripe.net/ripe/groups/wg/anti-abuse

And I didn't see anything about limiting discussion or work to issues
related to the RIPE NCC.

I think that the working group is free to discuss anything the
participants want to, as long as it is related to abuse on the
Internet.

> Can you please focus on
>
> 1. How many of these resolve to IPs in the RIPE coverage area
> 2. How many of them are actual RIPE allocations to malicious entities,
> rather than compromised IPs for example?
>
> #2 in particular.

Having said that, I do agree that your questions are interesting. They
point to an area that might result in the RIPE NCC being able to help
reduce this kind of shady marketing! :)

Cheers,

--
Shane


From ops.lists at gmail.com Tue Oct 9 11:30:21 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 9 Oct 2012 15:00:21 +0530
Subject: [anti-abuse-wg] Counterfeit shops pres follow-up
In-Reply-To: <20121009105546.1cc7431e@shane-desktop>
References: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se> <20121009105546.1cc7431e@shane-desktop>
Message-ID:

On Tuesday, October 9, 2012, Shane Kerr wrote:

> And I didn't see anything about limiting discussion or work to issues
> related to the RIPE NCC.
>
> I think that the working group is free to discuss anything the
> participants want to, as long as it is related to abuse on the
> Internet.
>
>

Sure. I could think of a few other more relevant abuse focused forums to
raise this in, where you might actually see some good come out of sharing
the data. Perhaps not in a group of, by and large, people with IP
allocation / db / dns type backgrounds as opposed to security and abuse
mitigation.

--srs

--
Suresh Ramasubramanian (ops.lists at gmail.com)


From Woeber at CC.UniVie.ac.at Tue Oct 9 14:31:17 2012
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Tue, 09 Oct 2012 14:31:17 +0200
Subject: [anti-abuse-wg] Counterfeit shops pres follow-up
In-Reply-To:
References: <983F17705339E24699AA251B458249B5A11AACE879@EXCHANGE2K7.office.nic.se> <20121009105546.1cc7431e@shane-desktop>
Message-ID: <50741915.5090707@CC.UniVie.ac.at>

Suresh Ramasubramanian wrote:

> On Tuesday, October 9, 2012, Shane Kerr wrote:
>
>
>>And I didn't see anything about limiting discussion or work to issues
>>related to the RIPE NCC.
>>
>>I think that the working group is free to discuss anything the
>>participants want to, as long as it is related to abuse on the
>>Internet.
>>
>>
>
> Sure. I could think of a few other more relevant abuse focused forums to
> raise this in, where you might actually see some good come out of sharing
> the data.

I agree. Like e.g. FIRST, as it obviously involves parties scattered
around the world.

> Perhaps not in a group of, by and large, people with IP
> allocation / db / dns type backgrounds as opposed to security and abuse
> mitigation.

Correct.
Although I think it is not a bad idea to get those people involved, too.
It is a matter of expectation - and good will -, on both sides, I guess...

> --srs

Wilfried.


From bengan at resilans.se Tue Oct 9 14:50:46 2012
From: bengan at resilans.se (Bengt Gördén)
Date: Tue, 09 Oct 2012 14:50:46 +0200
Subject: [anti-abuse-wg] 2011-06 Proposal Accepted (Abuse Contact Management in the RIPE NCC Database)
In-Reply-To: <20120927105504.BD370A805F@nic.bag.org>
References: <20120927105504.BD370A805F@nic.bag.org>
Message-ID: <50741DA6.1020203@resilans.se>

2012-09-27 12:54, Emilio Madaio wrote:
> Dear Colleagues,
>
>
> Consensus has been reached, and the proposal described in 2011-06 has
> been accepted by the RIPE community.
>
>
> You can find the full proposal at:
>
> https://www.ripe.net/ripe/policies/proposals/2011-06
>
>
> The new RIPE document is ripe-563 and it is available at:
>
> https://www.ripe.net/ripe/docs/current-ripe-documents/ripe-563

Hi,

Is there an ETA when it will be implemented? I would like to start using
this as fast as possible for our customers.

regards,

/bengan


From security at mutluit.com Fri Oct 19 13:15:43 2012
From: security at mutluit.com (U.Mutlu)
Date: Fri, 19 Oct 2012 13:15:43 +0200
Subject: [anti-abuse-wg] whois servers spinning today
Message-ID: <5081365F.4070306@mutluit.com>

The whois servers whois.ripe.net and whois.arin.net seem to have problems today
as they either don't respond, or when they respond then with empty results:


########################################
# whois -h whois.ripe.net google.de
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

%ERROR:101: no entries found
%
% No entries found in source RIPE.

% This query was served by the RIPE Database Query Service version 1.35 (WHOIS4)


########################################
# whois -h whois.arin.net sprint.net
#
# Query terms are ambiguous. The query is assumed to be:
# "e / sprint.net"
#
# Use "?" to get help.
#

No match found for sprint.net.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


########################################
# whois sprint.net
getaddrinfo(whois.crsnic.net): Name or service not known

########################################


From denis at ripe.net Fri Oct 19 13:26:57 2012
From: denis at ripe.net (Denis Walker)
Date: Fri, 19 Oct 2012 13:26:57 +0200
Subject: [anti-abuse-wg] whois servers spinning today
In-Reply-To: <5081365F.4070306@mutluit.com>
References: <5081365F.4070306@mutluit.com>
Message-ID: <50813901.1030708@ripe.net>

Dear Colleague,

The RIPE Database does not hold any forward domain data. So it is
correct when it returns "no entries found" for this query.

We are not experiencing any problems today with response times on
accessing the RIPE Database.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 19/10/2012 13:15, U.Mutlu wrote:
> The whois servers whois.ripe.net and whois.arin.net seem to have
> problems today
> as they either don't respond, or when they respond then with empty results:
>
>
> ########################################
> # whois -h whois.ripe.net google.de
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> %ERROR:101: no entries found
> %
> % No entries found in source RIPE.
>
> % This query was served by the RIPE Database Query Service version 1.35
> (WHOIS4)
>
>
> ########################################
> # whois -h whois.arin.net sprint.net
> #
> # Query terms are ambiguous. The query is assumed to be:
> # "e / sprint.net"
> #
> # Use "?" to get help.
> #
>
> No match found for sprint.net.
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
>
> ########################################
> # whois sprint.net
> getaddrinfo(whois.crsnic.net): Name or service not known
>
> ########################################
>
>


From thor at anta.net Fri Oct 19 13:27:45 2012
From: thor at anta.net (Thor Kottelin)
Date: Fri, 19 Oct 2012 14:27:45 +0300
Subject: [anti-abuse-wg] whois servers spinning today
In-Reply-To: <5081365F.4070306@mutluit.com>
References: <5081365F.4070306@mutluit.com>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-
> bounces at ripe.net] On Behalf Of U.Mutlu
> Sent: Friday, October 19, 2012 2:16 PM
> To: anti-abuse-wg at ripe.net

> The whois servers whois.ripe.net and whois.arin.net seem to have
> problems today
> as they either don't respond, or when they respond then with empty
> results:

> # whois -h whois.ripe.net google.de

> %ERROR:101: no entries found

.de domains are handled by DENIC:

whois -h whois.denic.de google.de

> # whois -h whois.arin.net sprint.net

> No match found for sprint.net.

InterNIC says that the registrar for sprint.net is CSC Corporate Domains, Inc. Ergo:

whois -h whois.corporatedomains.com sprint.net

--
Thor Kottelin
http://www.anta.net/


From security at mutluit.com Fri Oct 19 13:48:41 2012
From: security at mutluit.com (U.Mutlu)
Date: Fri, 19 Oct 2012 13:48:41 +0200
Subject: [anti-abuse-wg] whois servers spinning today
In-Reply-To: <5081365F.4070306@mutluit.com>
References: <5081365F.4070306@mutluit.com>
Message-ID: <50813E19.4010500@mutluit.com>

There definitely was an error with the whois servers,
observed on many of our servers at different hosters.
Now the previously not-working query is suddenly working on all our servers:

> # whois sprint.net
> getaddrinfo(whois.crsnic.net): Name or service not known

# whois sprint.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: SPRINT.NET.JCHOLLOWAY.COM
   IP Address: 199.0.233.22
   Registrar: DOMAIN.COM, LLC
   Whois Server: whois.domain.com
   Referral URL: http://www.domain.com

   Domain Name: SPRINT.NET
   Registrar: CSC CORPORATE DOMAINS, INC.
   Whois Server: whois.corporatedomains.com
   Referral URL: http://www.cscglobal.com
   Name Server: NS1-AUTH.SPRINTLINK.NET
   Name Server: NS2-AUTH.SPRINTLINK.NET
   Name Server: NS3-AUTH.SPRINTLINK.NET
   Status: clientTransferProhibited
   Updated Date: 10-oct-2012
   Creation Date: 15-feb-1994
   Expiration Date: 16-feb-2013

>>> Last update of whois database: Fri, 19 Oct 2012 11:43:42 UTC <<<


U.Mutlu wrote, On 10/19/2012 01:15 PM:
> The whois servers whois.ripe.net and whois.arin.net seem to have problems today
> as they either don't respond, or when they respond then with empty results:
>
>
> ########################################
> # whois -h whois.ripe.net google.de
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> %ERROR:101: no entries found
> %
> % No entries found in source RIPE.
>
> % This query was served by the RIPE Database Query Service version 1.35 (WHOIS4)
>
>
> ########################################
> # whois -h whois.arin.net sprint.net
> #
> # Query terms are ambiguous. The query is assumed to be:
> # "e / sprint.net"
> #
> # Use "?" to get help.
> #
>
> No match found for sprint.net.
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
>
> ########################################
> # whois sprint.net
> getaddrinfo(whois.crsnic.net): Name or service not known
>
> ########################################
>


From security at mutluit.com Fri Oct 19 23:26:07 2012
From: security at mutluit.com (U.Mutlu)
Date: Fri, 19 Oct 2012 23:26:07 +0200
Subject: [anti-abuse-wg] whois.afrinic.net down or in maint mode (refuses all connections)
Message-ID: <5081C56F.1060802@mutluit.com>

FYI: whois.afrinic.net is down or is in maintenance mode as it refuses all connections

# geoiplookup 196.25.223.93
GeoIP Country Edition: ZA, South Africa
GeoIP City Edition, Rev 1: ZA, 11, Bellville, N/A, -33.900200, 18.628500, 0, 0
GeoIP City Edition, Rev 0: ZA, 11, Bellville, N/A, -33.900200, 18.628500
GeoIP ASNum Edition: AS5713 SAIX-NET

# whois -h whois.afrinic.net 196.25.223.93
connect: Connection refused

# telnet whois.afrinic.net 43
Trying 196.216.2.130...
telnet: Unable to connect to remote host: Connection refused


From Woeber at CC.UniVie.ac.at Sun Oct 21 12:58:39 2012
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Sun, 21 Oct 2012 12:58:39 +0200
Subject: [anti-abuse-wg] whois.afrinic.net down or in maint mode (refuses all connections)
In-Reply-To: <5081C56F.1060802@mutluit.com>
References: <5081C56F.1060802@mutluit.com>
Message-ID: <5083D55F.6040303@CC.UniVie.ac.at>

U.Mutlu wrote:

> FYI: whois.afrinic.net is down or is in maintenance mode as it refuses
> all connections

Thanks for letting us know!

Out of curiosity -
did you check with them whether it was planned or is it just an outage?

-W


From security at mutluit.com Sun Oct 21 15:31:24 2012
From: security at mutluit.com (U.Mutlu)
Date: Sun, 21 Oct 2012 15:31:24 +0200
Subject: [anti-abuse-wg] whois.afrinic.net down or in maint mode (refuses all connections)
In-Reply-To: <5083D55F.6040303@CC.UniVie.ac.at>
References: <5081C56F.1060802@mutluit.com> <5083D55F.6040303@CC.UniVie.ac.at>
Message-ID: <5083F92C.5030909@mutluit.com>

Wilfried Woeber wrote, On 10/21/2012 12:58 PM:
> U.Mutlu wrote:
>
>> FYI: whois.afrinic.net is down or is in maintenance mode as it refuses
>> all connections
>
> Thanks for letting us know!
>
> Out of curiosity -
> did you check with them whether it was planned or is it just an outage?

Unfortunately I haven't contacted them - I should have done it.
In their mailing list archives on the web the last announcement
for a planned maintenance was back in Feb 2012 (s.b.),
so the recent outage could be a network problem (DoS attack etc).


BTW, ARIN is best prepared for whois server attacks as they operate
multiple whois servers under the same hostname (whois.arin.net),
all the other RIR's seem to operate each just one whois server.
I would suggest RIPE to add at least a second whois server.

# nslookup whois.arin.net
Name: whois.arin.net
Address: 199.71.0.48
Address: 199.71.0.46
Address: 199.212.0.48
Address: 199.212.0.46
Address: 199.212.0.47
Address: 199.71.0.47

# nslookup whois.ripe.net
Name: whois.ripe.net
Address: 193.0.6.135

# nslookup whois.apnic.net
Name: whois.apnic.net
Address: 202.12.29.220

# nslookup whois.lacnic.net
whois.lacnic.net canonical name = lacnic.net.
Name: lacnic.net
Address: 200.3.14.10

# nslookup whois.afrinic.net
Name: whois.afrinic.net
Address: 196.216.2.130



########################
https://lists.afrinic.net/pipermail/announce/2012/000823.html
"
Dear Colleagues,

Starting Friday 17 Feb at 1400UTC, we shall be doing maintenance
works on the whois and MyAfriNIC services to take care of some key
upgrades.
This may continue through the entire weekend, during which time,
there could be intermittent lack of access to these services - which
should be fully restored by Sunday 19 Feb 2000 UTC.

Should you notice any issues, or if you have any concerns or
comments, please feel free to contact helpdesk at afrinic.net
"
########################

From kranjbar at ripe.net Sun Oct 21 18:01:37 2012
From: kranjbar at ripe.net (Kaveh Ranjbar)
Date: Sun, 21 Oct 2012 18:01:37 +0200
Subject: [anti-abuse-wg] whois.afrinic.net down or in maint mode (refuses all connections)
In-Reply-To: <5083F92C.5030909@mutluit.com>
References: <5081C56F.1060802@mutluit.com> <5083D55F.6040303@CC.UniVie.ac.at> <5083F92C.5030909@mutluit.com>
Message-ID: <36E8658E-3E4F-4EE5-B60C-AB7869477571@ripe.net>

On Oct 21, 2012, at 3:31 PM, U.Mutlu wrote:

> all the other RIR's seem to operate each just one whois server.
> I would suggest RIPE to add at least a second whois server.

Hello,

At RIPE NCC, we run multiple instances of whois query servers and they are all behind a (redundant) load balancer. The one IP Address you are referring to is the address of the active load balancer.

Kind Regards,
Kaveh.

---
Kaveh Ranjbar,
RIPE NCC Database Group Manager

From carlosm3011 at gmail.com Sun Oct 21 18:02:09 2012
From: carlosm3011 at gmail.com (Carlos Martinez)
Date: Sun, 21 Oct 2012 14:02:09 -0200
Subject: [anti-abuse-wg] whois.afrinic.net down or in maint mode (refuses all connections)
In-Reply-To: <5083F92C.5030909@mutluit.com>
References: <5081C56F.1060802@mutluit.com> <5083D55F.6040303@CC.UniVie.ac.at> <5083F92C.5030909@mutluit.com>
Message-ID:

It's hard to guess the # of servers just by looking at the number of different IP addresses in the DNS.
Carlos

Sent from a mobile device

On Oct 21, 2012, at 11:31 AM, "U.Mutlu" wrote:

> Wilfried Woeber wrote, On 10/21/2012 12:58 PM:
>> U.Mutlu wrote:
>>
>>> FYI: whois.afrinic.net is down or is in maintenance mode as it refuses
>>> all connections
>>
>> Thanks for letting us know!
>>
>> Out of curiosity -
>> did you check with them whether it was planned or is it just an outage?
>
> Unfortunately I haven't contacted them - I should have done it.
> In their mailing list archives on the web the last announcement
> for a planned maintenance was back in Feb 2012 (s.b.),
> so the recent outage could be a network problem (DoS attack etc).
>
>
> BTW, ARIN is best prepared for whois server attacks as they operate
> multiple whois servers under the same hostname (whois.arin.net),
> all the other RIR's seem to operate each just one whois server.
> I would suggest RIPE to add at least a second whois server.
>
> # nslookup whois.arin.net
> Name: whois.arin.net
> Address: 199.71.0.48
> Address: 199.71.0.46
> Address: 199.212.0.48
> Address: 199.212.0.46
> Address: 199.212.0.47
> Address: 199.71.0.47
>
> # nslookup whois.ripe.net
> Name: whois.ripe.net
> Address: 193.0.6.135
>
> # nslookup whois.apnic.net
> Name: whois.apnic.net
> Address: 202.12.29.220
>
> # nslookup whois.lacnic.net
> whois.lacnic.net canonical name = lacnic.net.
> Name: lacnic.net
> Address: 200.3.14.10
>
> # nslookup whois.afrinic.net
> Name: whois.afrinic.net
> Address: 196.216.2.130
>
>
>
> ########################
> https://lists.afrinic.net/pipermail/announce/2012/000823.html
> "
> Dear Colleagues,
>
> Starting Friday 17 Feb at 1400UTC, we shall be doing maintenance
> works on the whois and MyAfriNIC services to take care of some key
> upgrades.
>
> This may continue through the entire weekend, during which time,
> there could be intermittent lack of access to these services - which
> should be fully restored by Sunday 19 Feb 2000 UTC.
>
> Should you notice any issues, or if you have any concerns or
> comments, please feel free to contact helpdesk at afrinic.net
> "
> ########################
>
>

From rezaf at mindspring.com Sun Oct 21 23:29:39 2012
From: rezaf at mindspring.com (Reza Farzan)
Date: Sun, 21 Oct 2012 14:29:39 -0700 (GMT-07:00)
Subject: [anti-abuse-wg] Benin Telecom - http://www.benintelecoms.bj/
Message-ID: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>

Hello All,

Does anyone know what is going on at Benin Telecom - http://www.benintelecoms.bj/?

As most of you know, many Nigerian scammers have now moved to the Republic of Benin where they are utilizing Benin Telecom servers to send out their scam e-mails. Benin Telecom, however, does not provide any Abuse/Spam reporting channel, and the ones that are listed in their Whois record all come back with a permanent error, like the ones here:

============

This is a permanent error. The following address(es) failed:

msah at benintelecoms.bj
retry timeout exceeded
aguidi at benintelecoms.bj
retry timeout exceeded
postmaster at benintelecoms.bj
retry timeout exceeded
abuse at benintelecoms.bj
retry timeout exceeded
aadjibola at benintelecoms.bj
retry timeout exceeded

============

I have contacted AfriNIC - (The African Network Information Centre), but they only send out automated messages.

Does anyone know how to contact Benin Telecom, and report Spam activities that are originated from their servers?

I appreciate any information that you could provide.
Thank you,

Reza Farzan

From peter at hk.ipsec.se Mon Oct 22 00:05:57 2012
From: peter at hk.ipsec.se (peter h)
Date: Mon, 22 Oct 2012 00:05:57 +0200
Subject: [anti-abuse-wg] Benin Telecom - http://www.benintelecoms.bj/
In-Reply-To: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>
References: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>
Message-ID: <201210220005.57550.peter@hk.ipsec.se>

On Sunday 21 October 2012 23.29, Reza Farzan wrote:
> Hello All,
>
> Does anyone know what is going on at Benin Telecom - http://www.benintelecoms.bj/?
>
> As most of you know, many Nigerian scammers have now moved to the Republic of Benin where they are utilizing Benin Telecom servers to send out their scam e-mails. Benin Telecom, however, does not provide any Abuse/Spam reporting channel, and the ones that are listed in their Whois record all come back with a permanent error, like the ones here:
>
Can't help with contact information. But like most infected networks, the best You
can do is block them, thus preventing any frauds from that network.

What ip addresses are you experiencing problems with ?

--
Peter Håkanson

There's never money to do it right, but always money to do it
again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes.
)

From security at mutluit.com Mon Oct 22 05:33:32 2012
From: security at mutluit.com (U.Mutlu)
Date: Mon, 22 Oct 2012 05:33:32 +0200
Subject: [anti-abuse-wg] Benin Telecom - http://www.benintelecoms.bj/
In-Reply-To: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>
References: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net>
Message-ID: <5084BE8C.3030702@mutluit.com>

Hi,
try this from whois: agbaholou at benintelecoms.bj

#########################################
# dig benintelecoms.bj MX

; <<>> DiG 9.8.1-P1 <<>> benintelecoms.bj MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33108
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;benintelecoms.bj. IN MX

;; ANSWER SECTION:
benintelecoms.bj. 86400 IN MX 10 webmail.benintelecoms.bj.

;; ADDITIONAL SECTION:
webmail.benintelecoms.bj. 86400 IN A 81.91.225.6

;; Query time: 423 msec
;; SERVER: 192.168.66.254#53(192.168.66.254)
;; WHEN: Mon Oct 22 05:29:22 2012
;; MSG SIZE rcvd: 74

#########################################
# telnet webmail.benintelecoms.bj 25
Trying 81.91.225.6...
Connected to webmail.benintelecoms.bj.
Escape character is '^]'.
220 webmail.benintelecoms.bj ESMTP Postfix (Debian/GNU)
quit
221 2.0.0 Bye
Connection closed by foreign host.
#########################################

Reza Farzan wrote, On 10/21/2012 11:29 PM:
> Hello All,
>
> Does anyone know what is going on at Benin Telecom - http://www.benintelecoms.bj/?
>
> As most of you know, many Nigerian scammers have now moved to the Republic of Benin where they are utilizing Benin Telecom servers to send out their scam e-mails. Benin Telecom, however, does not provide any Abuse/Spam reporting channel, and the ones that are listed in their Whois record all come back with a permanent error, like the ones here:
>
> ============
>
> This is a permanent error.
The following address(es) failed:
>
> msah at benintelecoms.bj
> retry timeout exceeded
> aguidi at benintelecoms.bj
> retry timeout exceeded
> postmaster at benintelecoms.bj
> retry timeout exceeded
> abuse at benintelecoms.bj
> retry timeout exceeded
> aadjibola at benintelecoms.bj
> retry timeout exceeded
>
>
> ============
>
>
> I have contacted AfriNIC - (The African Network Information Centre), but they only send out automated messages.
>
> Does anyone know how to contact Benin Telecom, and report Spam activities that are originated from their servers?
>
> I appreciate any information that you could provide.
>
> Thank you,
>
> Reza Farzan
>
>

From security at mutluit.com Mon Oct 22 09:58:34 2012
From: security at mutluit.com (U.Mutlu)
Date: Mon, 22 Oct 2012 09:58:34 +0200
Subject: [anti-abuse-wg] abuse-c mandatory
In-Reply-To:
References:
Message-ID: <5084FCAA.6040408@mutluit.com>

As everybody knows, the proposal "Abuse Contact Management in the RIPE NCC Database"
has already been ratified/accepted more than a month ago, but still some RIPE workers
seem not to know this fact:

https://www.ripe.net/ripe/policies/proposals/2011-06
Authors: Tobias Knecht, abusix
Proposal Version: 3.0 06 June 2012
Accepted: 17 September 2012
Working Group: Anti-Abuse Working Group
Proposal type: New
Policy term: Indefinite
New RIPE Document: ripe-563

Under §1.0 it says
"The "abuse-c:" will be mandatory for all aut-nums.
Due the hierarchical nature of IP address objects, at least every direct allocated
inetnum and inet6num needs to have an "abuse-c:". Inherited objects might have their
own "abuse-c:" attribute or they will be covered by the higher level objects.
"

Today I got the following reply from RIPE (I removed the name of the sender with XXX,
but can give it if required). Why is this person at RIPE still saying this:
"At this moment is the 'abuse-c' not yet a mandatory field.
There is currently a discussion on our mailing list in order to make this a
mandatory field, but this policy proposal is still under discussion."

???
An official from RIPE please explain to the community what this RIPE person
means with such a statement...:


-------- Original Message --------
Subject: Re: NCC#2012103209 abuse-c for inetnum 84.200.75.0 - 84.200.75.127 missing
Date: Mon, 22 Oct 2012 08:32:35 +0200
From: RIPE NCC
Reply-To: RIPE NCC
To: U.Mutlu


Dear madam/sir,

Thank you for your e-mail.

At this moment is the 'abuse-c' not yet a mandatory field. There is
currently a discussion on our mailing list in order to make this a
mandatory field, but this policy proposal is still under discussion.

You can find the contact details that we have on file at:

http://apps.db.ripe.net/whois/lookup/ripe/person-role/ACC-RIPE.html

And:

https://apps.db.ripe.net/whois/lookup/ripe/mntner/IWERK-MNT.html

--
If you have any questions, please feel free to contact us.

Best regards,

XXXXXXX XXXXXXXXXXX
Customer Services
RIPE NCC

============================================================
RIPE NCC Customer Satisfaction Survey

Tell us about your customer services experience by filling out the
anonymous, one-minute RIPE NCC customer satisfaction survey:

https://www.ripe.net/contact/survey/satisfaction-cs/
============================================================

On Sat, 20 Oct 2012 14:20:19 +0200, U.Mutlu wrote:
> Hello,
> this is to inform you that the "abuse-c" entry for inetnum 84.200.75.0 - 84.200.75.127
> is missing in the RIPE WHOIS database.
>
> Regards,
> U.Mutlu
> security at mutluit.com

From jorgen at hovland.cx Mon Oct 22 10:12:39 2012
From: jorgen at hovland.cx (=?UTF-8?B?SsO4cmdlbiBIb3ZsYW5k?=)
Date: Mon, 22 Oct 2012 10:12:39 +0200
Subject: [anti-abuse-wg] abuse-c mandatory
In-Reply-To: <5084FCAA.6040408@mutluit.com>
References: <5084FCAA.6040408@mutluit.com>
Message-ID: <5084FFF7.2050003@hovland.cx>

Hello,

I think you might be misunderstanding how mandatory contact information works.
As you can see, the mandatory e-mail field is set to nobody at accelerated.de
When abuse-c e-mail will become mandatory, their abuse-c e-mail will continue to be nobody at accelerated.de.

On 10/22/12 09:58, U.Mutlu wrote:
> As everybody knows, the proposal "Abuse Contact Management in the RIPE
> NCC Database"
> has already been ratified/accepted more than a month ago, but still
> some RIPE workers
> seem not to know this fact:
>
> https://www.ripe.net/ripe/policies/proposals/2011-06
> Authors: Tobias Knecht, abusix
> Proposal Version: 3.0 06 June 2012
> Accepted: 17 September 2012
> Working Group: Anti-Abuse Working Group
> Proposal type: New
> Policy term: Indefinite
> New RIPE Document: ripe-563
>
> Under §1.0 it says
> "The "abuse-c:" will be mandatory for all aut-nums.
> Due the hierarchical nature of IP address objects, at least every
> direct allocated
> inetnum and inet6num needs to have an "abuse-c:". Inherited objects
> might have their
> own "abuse-c:" attribute or they will be covered by the higher level
> objects.
> "
>
> Today I got the following reply from RIPE (I removed the name of the
> sender with XXX,
> but can give it if required). Why is this person at RIPE still saying
> this:
> "At this moment is the 'abuse-c' not yet a mandatory field.
> There is currently a discussion on our mailing list in order to make
> this a
> mandatory field, but this policy proposal is still under discussion."
>
> ???
> An official from RIPE please explain to the community what this RIPE
> person
> means with such a statement...:
>
>
> -------- Original Message --------
> Subject: Re: NCC#2012103209 abuse-c for inetnum 84.200.75.0 -
> 84.200.75.127 missing
> Date: Mon, 22 Oct 2012 08:32:35 +0200
> From: RIPE NCC
> Reply-To: RIPE NCC
> To: U.Mutlu
>
>
> Dear madam/sir,
>
> Thank you for your e-mail.
>
> At this moment is the 'abuse-c' not yet a mandatory field. There is
> currently a discussion on our mailing list in order to make this a
> mandatory field, but this policy proposal is still under discussion.
>
> You can find the contact details that we have on file at:
>
> http://apps.db.ripe.net/whois/lookup/ripe/person-role/ACC-RIPE.html
>
> And:
>
> https://apps.db.ripe.net/whois/lookup/ripe/mntner/IWERK-MNT.html

From ops.lists at gmail.com Mon Oct 22 10:10:26 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 22 Oct 2012 13:40:26 +0530
Subject: [anti-abuse-wg] abuse-c mandatory
In-Reply-To: <5084FFF7.2050003@hovland.cx>
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx>
Message-ID:

Which, considering what nobody implies, is a lovely way to circumvent the
grand intentions this proposal has. Talk about leading horses to water
versus making them drink

--srs (htc one x)
On Oct 22, 2012 1:37 PM, "Jørgen Hovland" wrote:

> Hello,
>
> I think you might be misunderstanding how mandatory contact information
> works.
> As you can see, the mandatory e-mail field is set to nobody at accelerated.de
> When abuse-c e-mail will become mandatory, their abuse-c e-mail will
> continue to be nobody at accelerated.de.
>
>
>
> On 10/22/12 09:58, U.Mutlu wrote:
>
>> As everybody knows, the proposal "Abuse Contact Management in the RIPE
>> NCC Database"
>> has already been ratified/accepted more than a month ago, but still some
>> RIPE workers
>> seem not to know this fact:
>>
>> https://www.ripe.net/ripe/policies/proposals/2011-06
>> Authors: Tobias Knecht, abusix
>> Proposal Version: 3.0 06 June 2012
>> Accepted: 17 September 2012
>> Working Group: Anti-Abuse Working Group
>> Proposal type: New
>> Policy term: Indefinite
>> New RIPE Document: ripe-563
>>
>> Under §1.0 it says
>> "The "abuse-c:" will be mandatory for all aut-nums.
>> Due the hierarchical nature of IP address objects, at least every direct
>> allocated
>> inetnum and inet6num needs to have an "abuse-c:". Inherited objects might
>> have their
>> own "abuse-c:" attribute or they will be covered by the higher level
>> objects.
>> "
>>
>> Today I got the following reply from RIPE (I removed the name of the
>> sender with XXX,
>> but can give it if required). Why is this person at RIPE still saying
>> this:
>> "At this moment is the 'abuse-c' not yet a mandatory field.
>> There is currently a discussion on our mailing list in order to make
>> this a
>> mandatory field, but this policy proposal is still under discussion."
>>
>> ???
>> An official from RIPE please explain to the community what this RIPE
>> person
>> means with such a statement...:
>>
>>
>> -------- Original Message --------
>> Subject: Re: NCC#2012103209 abuse-c for inetnum 84.200.75.0 -
>> 84.200.75.127 missing
>> Date: Mon, 22 Oct 2012 08:32:35 +0200
>> From: RIPE NCC
>> Reply-To: RIPE NCC
>> To: U.Mutlu
>>
>>
>> Dear madam/sir,
>>
>> Thank you for your e-mail.
>>
>> At this moment is the 'abuse-c' not yet a mandatory field. There is
>> currently a discussion on our mailing list in order to make this a
>> mandatory field, but this policy proposal is still under discussion.
>>
>> You can find the contact details that we have on file at:
>>
>> http://apps.db.ripe.net/whois/lookup/ripe/person-role/ACC-RIPE.html
>>
>> And:
>>
>> https://apps.db.ripe.net/whois/lookup/ripe/mntner/IWERK-MNT.html
>>
>
>
>
>
>

From ripe-anti-spam-wg at powerweb.de Mon Oct 22 10:22:24 2012
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 22 Oct 2012 10:22:24 +0200
Subject: [anti-abuse-wg] abuse-c implementation schedule
In-Reply-To:
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx>
Message-ID: <50850240.3020600@powerweb.de>

Hi all,

I would be interested, when its possible to create an abuse-c
using the webtools in the LIR portal and when its possible to
add the attribute to inetnums ...

Any implementation schedule available at RIPE NCC ?


Kind regards, Frank
--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================

From frank at altpeter.de Mon Oct 22 10:23:08 2012
From: frank at altpeter.de (Frank Altpeter)
Date: Mon, 22 Oct 2012 10:23:08 +0200
Subject: [anti-abuse-wg] abuse-c mandatory
In-Reply-To:
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx>
Message-ID: <20121022082307.GA4315@crew-gmbh.de>

Hello,

on 2012-10-22 at 10:10:26 CEST, Suresh Ramasubramanian wrote:
> Which, considering what nobody implies, is a lovely way to circumvent the
> grand intentions this proposal has. Talk about leading horses to water
> versus making them drink

The last time I tried to update my handle, the auto-dbm told me that
the field "abuse-c" is unknown and rejected the update.
So I'm waiting for a notice that the technical details for using the
abuse-c field is available.


Kind regards,

Frank Altpeter

--
FA-RIPE || http://www.altpeter.de/ || http://gplus.to/frank42

From security at mutluit.com Mon Oct 22 11:57:43 2012
From: security at mutluit.com (U.Mutlu)
Date: Mon, 22 Oct 2012 11:57:43 +0200
Subject: [anti-abuse-wg] Fwd: NCC#2012103307 abuse-c
In-Reply-To:
References:
Message-ID: <50851897.4010905@mutluit.com>

Here's a correction by the RIPE person (XXX is by me):

-------- Original Message --------
Subject: NCC#2012103307 abuse-c
Date: Mon, 22 Oct 2012 11:01:53 +0200
From: RIPE NCC
Reply-To: RIPE NCC
To: U.Mutlu

Dear U. Mutlu,

Earlier today I sent you an e-mail in regards to the abuse-c contact e-mail
address. Unfortunately was I not aware that the policy was already accepted
because this happened during my vacation. My apologies for this.

Our database department is currently working on the implementation of this
policy. You can find the policy document at:

https://www.ripe.net/ripe/policies/proposals/2011-06

Unfortunately am I not able to give you an exact timeline at this moment. I
can advise you to keep an eye on the mailing list. We will publish more
information as soon as we have it.

Again, my apologies for the inconvenience.

--
If you have any questions, please feel free to contact us.
Best regards,

XXXXXXX XXXXXXXXXXX
Customer Services
RIPE NCC

============================================================
RIPE NCC Customer Satisfaction Survey

Tell us about your customer services experience by filling out the
anonymous, one-minute RIPE NCC customer satisfaction survey:

https://www.ripe.net/contact/survey/satisfaction-cs/
============================================================

From denis at ripe.net Mon Oct 22 17:59:56 2012
From: denis at ripe.net (Denis Walker)
Date: Mon, 22 Oct 2012 17:59:56 +0200
Subject: [anti-abuse-wg] abuse-c implementation schedule
In-Reply-To: <50850240.3020600@powerweb.de>
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx> <50850240.3020600@powerweb.de>
Message-ID: <50856D7C.90606@ripe.net>

Dear Colleagues,

The RIPE NCC is working on the implementation plan. It requires changes
to the core RIPE Database as well as several tools, such as Webupdates
and the LIR Portal, and then finally the Abuse Finder Tool. Also some
internal processes managed by the Registration and Customer Services
Departments need modifying to include a check that an "abuse-c:" has
been provided by a resource holder when requesting services.

The RIPE NCC expects to have the plan ready for publishing to the
community by mid November 2012.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group


On 22/10/2012 10:22, Frank Gadegast wrote:
>
> Hi all,
>
> I would be interested, when its possible to create an abuse-c
> using the webtools in the LIR portal and when its possible to
> add the attribute to inetnums ...
>
> Any implementation schedule available at RIPE NCC ?
>
>
> Kind regards, Frank
> --
> MOTD: "have you enabled SSL on a website or mailbox today ?"
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================
>
>
>

From wiegert at telus.net Mon Oct 22 19:47:03 2012
From: wiegert at telus.net (Arnold)
Date: Mon, 22 Oct 2012 10:47:03 -0700
Subject: [anti-abuse-wg] abuse-c implementation schedule
In-Reply-To: <50856D7C.90606@ripe.net>
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx> <50850240.3020600@powerweb.de> <50856D7C.90606@ripe.net>
Message-ID: <50858697.4050103@telus.net>

On 22/10/2012 8:59 AM, Denis Walker wrote:
> Dear Colleagues,
>
> The RIPE NCC is working on the implementation plan. It
> requires changes to the core RIPE Database as well as
> several tools, such as Webupdates and the LIR Portal, and
> then finally the Abuse Finder Tool. Also some internal
> processes managed by the Registration and Customer
> Services Departments need modifying to include a check
> that an "abuse-c:" has been provided by a resource holder
> when requesting services.

Please also try to ensure that the abuse-c field - aside
from being non-blank -
represents a usable, useful and monitored contact :-)

Arnold

>
> The RIPE NCC expects to have the plan ready for publishing
> to the community by mid November 2012.
>
> Regards,
> Denis Walker
> Business Analyst
> RIPE NCC Database Group
>
>
> On 22/10/2012 10:22, Frank Gadegast wrote:
>>
>> Hi all,
>>
>> I would be interested, when its possible to create an
>> abuse-c
>> using the webtools in the LIR portal and when its
>> possible to
>> add the attribute to inetnums ...
>>
>> Any implementation schedule available at RIPE NCC ?
>>
>>
>> Kind regards, Frank
>> --
>> MOTD: "have you enabled SSL on a website or mailbox today ?"
>> --
>> PHADE Software - PowerWeb http://www.powerweb.de
>> Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
>> Schinkelstrasse 17 fon:
>> +49 33200 52920
>> 14558 Nuthetal OT Rehbruecke, Germany fax:
>> +49 33200 52921
>> ======================================================================
>>
>>
>>
>>
>
>

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From shane at time-travellers.org Mon Oct 22 20:29:46 2012
From: shane at time-travellers.org (Shane Kerr)
Date: Mon, 22 Oct 2012 20:29:46 +0200
Subject: [anti-abuse-wg] abuse-c implementation schedule
In-Reply-To: <50858697.4050103@telus.net>
References: <5084FCAA.6040408@mutluit.com> <5084FFF7.2050003@hovland.cx> <50850240.3020600@powerweb.de> <50856D7C.90606@ripe.net> <50858697.4050103@telus.net>
Message-ID: <20121022202946.6d1e569d@shane-desktop>

Arnold,

On Monday, 2012-10-22 10:47:03 -0700,
Arnold wrote:
> Please also try to ensure that the abuse-c field - aside
> from being non-blank -
> represents a usable, useful and monitored contact :-)

That is outside of the scope of the current policy change. I do support
this idea though. :)

Cheers,

--
Shane

From hrobert at iservices.tg Tue Oct 23 10:20:46 2012
From: hrobert at iservices.tg (hrobert at iservices.tg)
Date: Tue, 23 Oct 2012 10:20:46 +0200
Subject: [anti-abuse-wg] Benin Telecom - http://www.benintelecoms.bj/
In-Reply-To: <201210220005.57550.peter@hk.ipsec.se>
References: <13477428.1350854979929.JavaMail.root@elwamui-muscovy.atl.sa.earthlink.net> <201210220005.57550.peter@hk.ipsec.se>
Message-ID: <20121023102046.57775ojots46mgkc@www.iservices.tg>

AfricaCERT has contacted Benin Telecom officially for them to investigate and take action.

Thank you

Jean Robert Hountomey
AfricaCERT

> On Sunday 21 October 2012 23.29, Reza Farzan wrote:
>> Hello All,
>>
>> Does anyone know what is going on at Benin Telecom -
>> http://www.benintelecoms.bj/?
>>
>> As most of you know, many Nigerian scammers have now moved to the
>> Republic of Benin where they are utilizing Benin Telecom servers to
>> send out their scam e-mails. Benin Telecom, however, does not
>> provide any Abuse/Spam reporting channel, and the ones that are
>> listed in their Whois record all come back with a permanent error,
>> like the ones here:
>>
> Can't help with contact information. But like most infected
> networks, the best You
> can do is block them, thus preventing any frauds from that network.
>
> What ip addresses are you experiencing problems with ?
>
>
> --
> Peter Håkanson
>
> There's never money to do it right, but always money to do it
> again ... and again ... and again ... and again.
> ( It is cheaper to do it right. It is expensive to fix mistakes. )
>
>
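
Added example (not part of any list message, and not RIPE NCC code): the inheritance rule from section 1.0 of ripe-563 quoted in the "abuse-c mandatory" thread above, combined with the point made there that a mandatory field can still hold a "nobody" address, written as a resolver over constructed RPSL objects. The object layout (an "abuse-c:" handle naming a role object with an "abuse-mailbox:" attribute), the documentation address ranges, the handles and every placeholder name other than "nobody" are assumptions.

```python
import ipaddress

# Constructed RPSL-style objects (documentation address space and made-up
# handles; none of this comes from the RIPE Database or from the thread).
# Assumption: "abuse-c:" names a role object whose "abuse-mailbox:" attribute
# holds the reporting address.
SAMPLE_DB = """\
% constructed sample, not real registry data

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-ALLOC
abuse-c:        AB1-EXAMPLE

inetnum:        192.0.2.0 - 192.0.2.127
netname:        EXAMPLE-CUST-A

inetnum:        192.0.2.128 - 192.0.2.255
netname:        EXAMPLE-CUST-B
abuse-c:        NB1-EXAMPLE

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NOCONTACT

role:           Example Abuse Desk
nic-hdl:        AB1-EXAMPLE
abuse-mailbox:  abuse@example.net

role:           Placeholder Contact
nic-hdl:        NB1-EXAMPLE
abuse-mailbox:  nobody@example.org
"""

# "nobody" is the case raised in the thread; the other names are assumptions.
PLACEHOLDER_LOCAL_PARTS = {"nobody", "noreply", "no-reply", "devnull", "null"}


def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):           # server comment line
            continue
        if not line.strip():               # a blank line ends the object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:  # continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line[1:].strip()).strip())
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, attr):
    """First value of an attribute in an object, or None."""
    return next((v for a, v in obj if a == attr), None)


def check_abuse_contact(ip, objects):
    """Resolve the abuse contact for ip, most specific inetnum first."""
    addr = ipaddress.ip_address(ip)
    roles = {first(o, "nic-hdl"): o for o in objects if o[0][0] == "role"}
    covering = []
    for obj in objects:
        if obj[0][0] != "inetnum":
            continue
        lo, _, hi = obj[0][1].partition("-")
        start, end = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if start.version == addr.version and start <= addr <= end:
            covering.append((int(end) - int(start), obj))
    covering.sort(key=lambda pair: pair[0])   # smallest range = most specific
    for depth, (_, obj) in enumerate(covering):
        handle = first(obj, "abuse-c")
        if handle is None:
            continue                           # fall back to the enclosing object
        role = roles.get(handle)
        mailbox = first(role, "abuse-mailbox") if role else None
        if not mailbox:
            status = "dangling"                # handle without a usable role
        elif mailbox.split("@")[0].lower() in PLACEHOLDER_LOCAL_PARTS:
            status = "placeholder"             # field is filled, nobody reads it
        else:
            status = "present"                 # says nothing about monitoring
        return {"status": status, "mailbox": mailbox, "handle": handle,
                "source": first(obj, "netname"), "inherited": depth > 0}
    return {"status": "missing", "mailbox": None, "handle": None,
            "source": None, "inherited": False}


if __name__ == "__main__":
    db = parse_objects(SAMPLE_DB)
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.5"):
        print(ip, check_abuse_contact(ip, db))
```

A "present" result only shows that the database holds a plausible address; whether the mailbox accepts mail and is read still has to be checked separately, as the bounce reports in this archive show.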