From erik at bais.name Wed Sep 5 12:37:00 2012
From: erik at bais.name (Erik Bais)
Date: Wed, 5 Sep 2012 12:37:00 +0200
Subject: [anti-abuse-wg] 2011-06 Last Call for Comments (Abuse Contact Management in the RIPE NCC Database)
In-Reply-To: <20120820101121.DAE763ACA7@oehoe.dcyb.net>
References: <20120820101121.DAE763ACA7@oehoe.dcyb.net>
Message-ID: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5868@EXVS002.netsourcing.lan>

I support the proposal.

Erik Bais

From brian.nisbet at heanet.ie Mon Sep 10 13:23:35 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 10 Sep 2012 12:23:35 +0100
Subject: [anti-abuse-wg] Updated AA-WG RIPE 65 Agenda
Message-ID: <504DCDB7.1090205@heanet.ie>

Colleagues,

An updated agenda, with one additional talk from the RIPE NCC on "Requesting feedback about abuse-finder widget in RIPEstat". The WG meeting will take place on Thursday 27th September at 14:00 CEST.

A. Administrative Matters

* Welcome
* Scribe, Jabber, Stenography
* Microphone Etiquette
* Approve Minutes from RIPE 64
* Finalise agenda

B. Update

* B1. Recent List Discussion
* B2. CleanIT Project Update
* B3. RIPE NCC Data Protection Legal Advice Update
* B4. "Requesting feedback about abuse-finder widget in RIPEstat"
* B5. Operation of "Copy Shops"

C. Policies

* RIPE Policy 2011-06

D. Interactions

* D1. Working Groups
* D3. RIPE NCC Gov/LEA Interactions Update

X. A.O.B.

Z. Agenda for RIPE 66

As always, if you have any comments or anything to add, please don't hesitate to get in contact.

Regards,

Brian & Tobias

From brian.nisbet at heanet.ie Mon Sep 17 14:19:36 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 17 Sep 2012 13:19:36 +0100
Subject: [anti-abuse-wg] RIPE 65 AA-WG Agenda ver 3.0
Message-ID: <50571558.8020008@heanet.ie>

An updated agenda, with one additional talk from the RIPE NCC on "Re-allocation of address blocks". The WG meeting will take place on Thursday 27th September at 14:00 CEST.
It looks now like we have a fairly packed agenda with lots to discuss.

A. Administrative Matters

* Welcome
* Scribe, Jabber, Stenography
* Microphone Etiquette
* Approve Minutes from RIPE 64
* Finalise agenda

B. Update

* B1. Recent List Discussion
* B2. CleanIT Project Update
* B3. RIPE NCC Data Protection Legal Advice Update
* B4. "Requesting feedback about abuse-finder widget in RIPEstat"
* B5. "Re-allocation of address blocks" - RIPE NCC
* B6. Operation of "Copy Shops"

C. Policies

* RIPE Policy 2011-06

D. Interactions

* D1. Working Groups
* D3. RIPE NCC Gov/LEA Interactions Update

X. A.O.B.

Z. Agenda for RIPE 66

As always, if you have any comments or anything to add, please don't hesitate to get in contact.

Regards,

Brian & Tobias

From erik at bais.name Fri Sep 21 13:17:09 2012
From: erik at bais.name (Erik Bais)
Date: Fri, 21 Sep 2012 13:17:09 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
Message-ID: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan>

Hi,

The EU Clean-IT project did a presentation on RIPE64.

EDRI (European Digital Rights) was informed via a leaked document on the projects wishlist and planned (internal) discussion topics and current recommendations.

They posted a summary on their website: http://www.edri.org/cleanIT

The document itself can be found here: http://www.edri.org/files/cleanIT_sept2012.pdf

If this is where the EU regulation is moving towards, under the umbrella of terrorism .... Oh boy ...

Regards,

Erik Bais

From ops.lists at gmail.com Fri Sep 21 13:50:14 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 21 Sep 2012 17:20:14 +0530
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan>
Message-ID:

Some of this EDRI commentary is pure hype

I don't suppose the EDRI is acquainted with hentai porn?

> This already widespread approach results, for example, in Microsoft (as a wholly typical example
> of current industry practice) having terms of service that would ban pictures of the always
> trouserless Donald Duck as potential pornography ("depicts nudity of any sort ...
> in non-human forms such as cartoons").

On Fri, Sep 21, 2012 at 4:47 PM, Erik Bais wrote:
> Hi,
>
> The EU Clean-IT project did a presentation on RIPE64.
>
> EDRI (European Digital Rights) was informed via a leaked document on the
> projects wishlist and planned (internal) discussion topics and current
> recommendations.
>
> They posted a summary on their website: http://www.edri.org/cleanIT
>
> The document itself can be found here:
> http://www.edri.org/files/cleanIT_sept2012.pdf
>
> If this is where the EU regulation is moving towards, under the umbrella of
> terrorism .... Oh boy ...
>
> Regards,
>
> Erik Bais

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From brian.nisbet at heanet.ie Fri Sep 21 14:31:59 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Sep 2012 13:31:59 +0100
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan>
Message-ID: <505C5E3F.3070800@heanet.ie>

Erik,

Erik Bais wrote the following on 21/09/2012 12:17:
> Hi,
>
> The EU Clean-IT project did a presentation on RIPE64.
While I'm not going to comment on the EDRI document as I haven't read it yet (and may still not after I do :) ), But Klaasen will be speaking to the WG on Thursday next week at RIPE 65, so if there are relevant and genuine questions, that is the point to ask them.

The session will, of course, be streamed live and coordinates for that will be posted.

Brian.

From erik at bais.name Fri Sep 21 14:55:25 2012
From: erik at bais.name (Erik Bais)
Date: Fri, 21 Sep 2012 14:55:25 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505C5E3F.3070800@heanet.ie>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie>
Message-ID: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan>

Thnx for that Brian.

I'll save my questions on this topics for next Thursday.

Erik

From brian.nisbet at heanet.ie Fri Sep 21 17:02:02 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Sep 2012 16:02:02 +0100
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan>
Message-ID: <505C816A.9010606@heanet.ie>

Erik,

Erik Bais wrote the following on 21/09/2012 13:55:
> Thnx for that Brian.
>
> I'll save my questions on this topics for next Thursday.

Thanks. Also, the Clean IT project has just posted this reaction:

http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/

Brian.
From security at mutluit.com Fri Sep 21 19:12:45 2012
From: security at mutluit.com (U.Mutlu)
Date: Fri, 21 Sep 2012 19:12:45 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505C816A.9010606@heanet.ie>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie>
Message-ID: <505CA00D.6050705@mutluit.com>

Brian Nisbet wrote, On 09/21/2012 05:02 PM:
> Erik,
> Erik Bais wrote the following on 21/09/2012 13:55:
>> Thnx for that Brian.
>>
>> I'll save my questions on this topics for next Thursday.
>
> Thanks. Also, the Clean IT project has just posted this reaction:
>
> http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/

The "press release" begins with this sentence:
"However EDRI suggests otherwise, a posted document on their website does not provide concrete proposal to tackle terrorism on the internet."

Do I need to brush up my English, or what is it saying exactly? :-)

I don't think, and hope that such an anti-Islam-only paper (and anti-Islam organisation and web site they have set up under the RIPE umbrella with EU tax money), can or should ever get any ratification from the netizens.
It even looks like a paper coming directly from Israel's foreign secret service Mossad...

From ops.lists at gmail.com Sat Sep 22 02:02:33 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sat, 22 Sep 2012 05:32:33 +0530
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505CA00D.6050705@mutluit.com>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com>
Message-ID:

How or why do you say they are anti Islamic?
--srs (htc one x)

On Sep 21, 2012 10:52 PM, "U.Mutlu" wrote:
> Brian Nisbet wrote, On 09/21/2012 05:02 PM:
>
>> Erik,
>> Erik Bais wrote the following on 21/09/2012 13:55:
>>
>>> Thnx for that Brian.
>>>
>>> I'll save my questions on this topics for next Thursday.
>>
>> Thanks. Also, the Clean IT project has just posted this reaction:
>>
>> http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/
>
> The "press release" begins with this sentence:
> "However EDRI suggests otherwise, a posted document on their website
> does not provide concrete proposal to tackle terrorism on the internet."
>
> Do I need to brush up my English, or what is it saying exactly? :-)
>
> I don't think, and hope that such an anti-Islam-only paper (and anti-Islam
> organisation and web site they have set up under the RIPE umbrella with EU
> tax money),
> can or should ever get any ratification from the netizens.
> It even looks like a paper coming directly from Israel's foreign secret
> service Mossad...

From security at mutluit.com Sat Sep 22 08:08:20 2012
From: security at mutluit.com (U.Mutlu)
Date: Sat, 22 Sep 2012 08:08:20 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To:
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com>
Message-ID: <505D55D4.7020500@mutluit.com>

Suresh Ramasubramanian wrote, On 09/22/2012 02:02 AM:
> How or why do you say they are anti Islamic?
Just look at this list on their web page
http://www.cleanitproject.eu/documents/ :

"
Please find below a list of public papers, reports and articles about the terrorist use of the Internet:
2004 E-Terror
2006 Hezbollah use of the Internet
2006 Terrorism and Internet
2006 Jihadis and Internet
2007 Jihadism online
2008 Terrorist use of the Internet
2008 Virtual Caliphate
2009 Internet radicalisation South East Asia
2009 Online Radicalisation
2009 Recruitment and Radicalisation
2009 Terrorism and the Internet
2009 Jihadis and the Internet update
2009 How Jihadis adapt to the web
2009 Terrorist financing on the Internet
2009 Online propaganda by Jihadis (in Spanish)
2010 Global Extremist Organisations
2010 Radical websites in Indonesia
2010 Virtual Jihad (in German)
2011 Use of the Internet for Counter Terrorist purposes
2011 Role of Internet for terrorists (in Spanish)
2012 Jihadism on the Web
2012 Terrorists Using Social Online Networking
"

Do you see in the list any document against nazi websites, or of jewish fanatics, or of christian fundamentalists?...
Very suspicious...

> --srs (htc one x)
> On Sep 21, 2012 10:52 PM, "U.Mutlu" wrote:
>
>> Brian Nisbet wrote, On 09/21/2012 05:02 PM:
>>
>>> Erik,
>>> Erik Bais wrote the following on 21/09/2012 13:55:
>>>
>>>> Thnx for that Brian.
>>>>
>>>> I'll save my questions on this topics for next Thursday.
>>>
>>> Thanks. Also, the Clean IT project has just posted this reaction:
>>>
>>> http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/
>>
>> The "press release" begins with this sentence:
>> "However EDRI suggests otherwise, a posted document on their website
>> does not provide concrete proposal to tackle terrorism on the internet."
>>
>> Do I need to brush up my English, or what is it saying exactly? :-)
>>
>> I don't think, and hope that such an anti-Islam-only paper (and anti-Islam
>> organisation and web site they have set up under the RIPE umbrella with EU
>> tax money),
>> can or should ever get any ratification from the netizens.
>> It even looks like a paper coming directly from Israel's foreign secret
>> service Mossad...

From julien at tayon.net Sat Sep 22 16:52:30 2012
From: julien at tayon.net (julien tayon)
Date: Sat, 22 Sep 2012 16:52:30 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505D55D4.7020500@mutluit.com>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com> <505D55D4.7020500@mutluit.com>
Message-ID:

Could we add the following corporate terrorism (using threats to achieve what you do not wish to achieve through democratic means):

- using libel as a way to shut down consumer's voice (mc libel/Danone/Monsanto);
- EDF spying on Greenpeace;
- the corporate companies (MS, amnesys) helping Libya/Tunisia dictatorship spy on their people;
- the more than probable help of companies in cyber warfare (dassault deactivating Iraqi's IFF on mirage, flame malware?);
- the clearly wtf TOS for social services specifying legal content as not being sharable (nude is wrong (but legal), nazis stuff are right (but sometimes illegal));

Terror is all about short circuiting democratic means to achieve your goals by the means of fear.
Libelling and copyright laws are being used as a clear threat to freedom of speech, thus as democracy by the mean of terrorizing people willing to launch debates.

How can I trust someone using terror on the internet to fight the terror?

I am not willing to fight any terrorists by supporting other terrorists. No Terrorism is acceptable. Even terrorism made by people in nice suits and driving fast sport cars.

2012/9/22 U.Mutlu :
> Suresh Ramasubramanian wrote, On 09/22/2012 02:02 AM:
>
>> How or why do you say they are anti Islamic?
>
> Just look at this list on their web page
> http://www.cleanitproject.eu/documents/ :
>
> "
> Please find below a list of public papers, reports and articles about the
> terrorist use of the Internet:
> 2004 E-Terror
> 2006 Hezbollah use of the Internet
> 2006 Terrorism and Internet
> 2006 Jihadis and Internet
> 2007 Jihadism online
> 2008 Terrorist use of the Internet
> 2008 Virtual Caliphate
> 2009 Internet radicalisation South East Asia
> 2009 Online Radicalisation
> 2009 Recruitment and Radicalisation
> 2009 Terrorism and the Internet
> 2009 Jihadis and the Internet update
> 2009 How Jihadis adapt to the web
> 2009 Terrorist financing on the Internet
> 2009 Online propaganda by Jihadis (in Spanish)
> 2010 Global Extremist Organisations
> 2010 Radical websites in Indonesia
> 2010 Virtual Jihad (in German)
> 2011 Use of the Internet for Counter Terrorist purposes
> 2011 Role of Internet for terrorists (in Spanish)
> 2012 Jihadism on the Web
> 2012 Terrorists Using Social Online Networking
> "
>
> Do you see in the list any document against nazi websites,
> or of jewish fanatics, or of christian fundamentalists?...
> Very suspicious...
>
>> --srs (htc one x)
>> On Sep 21, 2012 10:52 PM, "U.Mutlu" wrote:
>>
>>> Brian Nisbet wrote, On 09/21/2012 05:02 PM:
>>>
>>>> Erik,
>>>> Erik Bais wrote the following on 21/09/2012 13:55:
>>>>
>>>>> Thnx for that Brian.
>>>>>
>>>>> I'll save my questions on this topics for next Thursday.
>>>>
>>>> Thanks. Also, the Clean IT project has just posted this reaction:
>>>>
>>>> http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/
>>>
>>> The "press release" begins with this sentence:
>>> "However EDRI suggests otherwise, a posted document on their website
>>> does not provide concrete proposal to tackle terrorism on the internet."
>>>
>>> Do I need to brush up my English, or what is it saying exactly? :-)
>>>
>>> I don't think, and hope that such an anti-Islam-only paper (and anti-Islam
>>> organisation and web site they have set up under the RIPE umbrella with EU
>>> tax money),
>>> can or should ever get any ratification from the netizens.
>>> It even looks like a paper coming directly from Israel's foreign secret
>>> service Mossad...

From security at mutluit.com Sat Sep 22 19:23:04 2012
From: security at mutluit.com (U.Mutlu)
Date: Sat, 22 Sep 2012 19:23:04 +0200
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To:
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com> <505D55D4.7020500@mutluit.com>
Message-ID: <505DF3F8.4040506@mutluit.com>

Julien, you seem to have misinterpreted what I said.
It can not be the job of RIPE to make Anti-Terror-Laws. Such laws already exist.
The proposed paper looks like to aim only the radical islamists whereas there are more dangerous idiots out there, like the nazis, christian fundamentalists, jewish fanatics etc. They all should have been addressed, and not only the radical islamists.

We don't want to have a totalitarian Internet, a Big Brother RIPE.
RIPE should be responsible for the technical and administrative issues of the Internet, not political or religious issues.

Here's a good analysis about terrorists and the terrorist makers:
http://presstv.com/detail/2012/09/20/262683/israel-seeks-iran-war-to-keep-lid-on-911/

julien tayon wrote, On 09/22/2012 04:52 PM:
> Could we add the following corporate terrorism (using threats to
> achieve what you do not wish to achieve through democratic means):
>
> - using libel as a way to shut down consumer's voice (mc
> libel/Danone/Monsanto);
> - EDF spying on Greenpeace;
> - the corporate companies (MS, amnesys) helping Libya/Tunisia
> dictatorship spy on their people;
> - the more than probable help of companies in cyber warfare (dassault
> deactivating Iraqi's IFF on mirage, flame malware?);
> - the clearly wtf TOS for social services specifying legal content as
> not being sharable (nude is wrong (but legal), nazis stuff are right
> (but sometimes illegal));
>
> Terror is all about short circuiting democratic means to achieve your
> goals by the means of fear.
> Libelling and copyright laws are being used as a clear threat to
> freedom of speech, thus as democracy by the mean of terrorizing people
> willing to launch debates.
>
> How can I trust someone using terror on the internet to fight the terror?
>
> I am not willing to fight any terrorists by supporting other
> terrorists. No Terrorism is acceptable. Even terrorism made by people
> in nice suits and driving fast sport cars.
>
> 2012/9/22 U.Mutlu :
>> Suresh Ramasubramanian wrote, On 09/22/2012 02:02 AM:
>>
>>> How or why do you say they are anti Islamic?
>>
>> Just look at this list on their web page
>> http://www.cleanitproject.eu/documents/ :
>>
>> "
>> Please find below a list of public papers, reports and articles about the
>> terrorist use of the Internet:
>> 2004 E-Terror
>> 2006 Hezbollah use of the Internet
>> 2006 Terrorism and Internet
>> 2006 Jihadis and Internet
>> 2007 Jihadism online
>> 2008 Terrorist use of the Internet
>> 2008 Virtual Caliphate
>> 2009 Internet radicalisation South East Asia
>> 2009 Online Radicalisation
>> 2009 Recruitment and Radicalisation
>> 2009 Terrorism and the Internet
>> 2009 Jihadis and the Internet update
>> 2009 How Jihadis adapt to the web
>> 2009 Terrorist financing on the Internet
>> 2009 Online propaganda by Jihadis (in Spanish)
>> 2010 Global Extremist Organisations
>> 2010 Radical websites in Indonesia
>> 2010 Virtual Jihad (in German)
>> 2011 Use of the Internet for Counter Terrorist purposes
>> 2011 Role of Internet for terrorists (in Spanish)
>> 2012 Jihadism on the Web
>> 2012 Terrorists Using Social Online Networking
>> "
>>
>> Do you see in the list any document against nazi websites,
>> or of jewish fanatics, or of christian fundamentalists?...
>> Very suspicious...
>>
>>> --srs (htc one x)
>>> On Sep 21, 2012 10:52 PM, "U.Mutlu" wrote:
>>>
>>>> Brian Nisbet wrote, On 09/21/2012 05:02 PM:
>>>>
>>>>> Erik,
>>>>> Erik Bais wrote the following on 21/09/2012 13:55:
>>>>>
>>>>>> Thnx for that Brian.
>>>>>>
>>>>>> I'll save my questions on this topics for next Thursday.
>>>>>
>>>>> Thanks. Also, the Clean IT project has just posted this reaction:
>>>>>
>>>>> http://www.cleanitproject.eu/edri-publishes-clean-it-discussion-document/
>>>>
>>>> The "press release" begins with this sentence:
>>>> "However EDRI suggests otherwise, a posted document on their website
>>>> does not provide concrete proposal to tackle terrorism on the internet."
>>>>
>>>> Do I need to brush up my English, or what is it saying exactly? :-)
>>>>
>>>> I don't think, and hope that such an anti-Islam-only paper (and anti-Islam
>>>> organisation and web site they have set up under the RIPE umbrella with EU
>>>> tax money),
>>>> can or should ever get any ratification from the netizens.
>>>> It even looks like a paper coming directly from Israel's foreign secret
>>>> service Mossad...

From thor at anta.net Sat Sep 22 19:58:58 2012
From: thor at anta.net (Thor Kottelin)
Date: Sat, 22 Sep 2012 20:58:58 +0300
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505DF3F8.4040506@mutluit.com>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com> <505D55D4.7020500@mutluit.com> <505DF3F8.4040506@mutluit.com>
Message-ID:

> -----Original Message-----
> From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-
> bounces at ripe.net] On Behalf Of U.Mutlu
> Sent: Saturday, September 22, 2012 8:23 PM
> To: julien tayon
> Cc: Suresh Ramasubramanian; anti-abuse-wg at ripe.net

> The proposed paper looks like to aim only the radical islamists
> whereas there are more dangerous idiots out there, like the nazis,
> christian fundamentalists, jewish fanatics etc.

I believe discussion of the extent to which any given religious or political group might include e.g. 'idiots' or 'fanatics' is off topic for this working group.

--
Thor Kottelin
http://www.anta.net/

From kjz at gmx.net Sun Sep 23 14:53:49 2012
From: kjz at gmx.net (Karl-Josef Ziegler)
Date: Sun, 23 Sep 2012 14:53:49 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
Message-ID: <505F065D.6080109@gmx.net>

Hello!

How is such a 'whois' handled by RIPE:

inetnum: 84.22.127.40 - 84.22.127.47

address: Customer did not enter their own contact details yet

see also:

http://www.spamhaus.org/sbl/query/SBL99505
'Spammer & cybercriminal hosting (escalation)'

http://www.spamhaus.org/sbl/query/SBL154878
'illegal pharma botnet spammer hosting'

So this block seems to be used since October 2011 for cybercriminal activities and has no real contact details yet in whois database?

Best regards,

- Karl-Josef Ziegler

From tkraft at cyscon.de Sun Sep 23 15:07:33 2012
From: tkraft at cyscon.de (Thorsten Kraft)
Date: Sun, 23 Sep 2012 15:07:33 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <505F065D.6080109@gmx.net>
References: <505F065D.6080109@gmx.net>
Message-ID: <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de>

The complete AS is strange: http://www.c-sirt.org/reputationindex?asn=34109

Rgds,
Thorsten

On 23.09.2012 at 14:53, Karl-Josef Ziegler wrote:

> Hello!
>
> How is such a 'whois' handled by RIPE:
>
> inetnum: 84.22.127.40 - 84.22.127.47
>
> address: Customer did not enter their own contact details yet
>
> see also:
>
> http://www.spamhaus.org/sbl/query/SBL99505
> 'Spammer & cybercriminal hosting (escalation)'
>
> http://www.spamhaus.org/sbl/query/SBL154878
> 'illegal pharma botnet spammer hosting'
>
> So this block seems to be used since October 2011 for cybercriminal
> activities and has no real contact details yet in whois database?
>
> Best regards,
>
> - Karl-Josef Ziegler

--
Thorsten Kraft
cyscon GmbH
Poststraße 9 · DE-40213 Düsseldorf
http://www.cyscon.de
Amtsgericht Düsseldorf / HRB 66749
Managing directors: Thorsten Kraft, Thomas Wolf

From denis at ripe.net Mon Sep 24 00:23:38 2012
From: denis at ripe.net (Denis Walker)
Date: Mon, 24 Sep 2012 00:23:38 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <505F065D.6080109@gmx.net>
References: <505F065D.6080109@gmx.net>
Message-ID: <505F8BEA.3040604@ripe.net>

On 23/09/2012 14:53, Karl-Josef Ziegler wrote:
> Hello!
>
> How is such a 'whois' handled by RIPE:
>
> inetnum: 84.22.127.40 - 84.22.127.47
>
> address: Customer did not enter their own contact details yet
>
> see also:
>
> http://www.spamhaus.org/sbl/query/SBL99505
> 'Spammer & cybercriminal hosting (escalation)'
>
> http://www.spamhaus.org/sbl/query/SBL154878
> 'illegal pharma botnet spammer hosting'
>
> So this block seems to be used since October 2011 for cybercriminal
> activities and has no real contact details yet in whois database?

If you look at this assignment and its parent allocation object and all the maintainers, they all point the "admin-c:" and "tech-c:" to self referencing ROLE objects with minimal contact details. The only references to PERSON objects are in the ORGANISATION object referenced in the allocation object.

The issue of self referencing ROLE objects and if there should always be a PERSON object at the end of the chain of references was brought up very recently on this list. Currently the syntax and business rules allow this for any user input data. There was some discussion but no conclusion.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

>
> Best regards,
>
> - Karl-Josef Ziegler

From nibbler at nibbler.de Mon Sep 24 12:03:54 2012
From: nibbler at nibbler.de (Michael Horn)
Date: Mon, 24 Sep 2012 12:03:54 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de>
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de>
Message-ID: <20120924120354.7494fd3d@x200s>

On Sun, 23 Sep 2012 15:07:33 +0200
Thorsten Kraft wrote:

> The complete AS is strange:
> http://www.c-sirt.org/reputationindex?asn=34109

not only the AS, but the whole 84.22.96.0/19 seems to be "registered" to this "placeholder" handle:
https://apps.db.ripe.net/search/query.html?searchtext=84.22.96.0%2F19&flags=M
or to:
https://apps.db.ripe.net/search/query.html?searchtext=CBMT1-RIPE&inverse=ADMIN_C%3BTECH_C

what is this? i don't even...

-mh

From ops.lists at gmail.com Mon Sep 24 12:18:45 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 24 Sep 2012 15:48:45 +0530
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <20120924120354.7494fd3d@x200s>
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de> <20120924120354.7494fd3d@x200s>
Message-ID:

cb3rob is sven olaf kamphuis, who you can see around on nanog mostly because he hosts the piratebay, but there's other funniness around as this thread says.

Spamhaus lists 30 entries on cb3rob - most if not all for crimeware.
http://www.spamhaus.org/sbl/listings/cb3rob.net

--srs

On Monday, September 24, 2012, Michael Horn wrote:

> On Sun, 23 Sep 2012 15:07:33 +0200
> Thorsten Kraft wrote:
>
> > The complete AS is strange:
> > http://www.c-sirt.org/reputationindex?asn=34109
>
> not only the AS, but the whole 84.22.96.0/19 seems to be "registered"
> to this "placeholder" handle:
>
> https://apps.db.ripe.net/search/query.html?searchtext=84.22.96.0%2F19&flags=M
> or to:
>
> https://apps.db.ripe.net/search/query.html?searchtext=CBMT1-RIPE&inverse=ADMIN_C%3BTECH_C
> what is this? i don't even...
>
> -mh

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From nibbler at nibbler.de Mon Sep 24 12:28:44 2012
From: nibbler at nibbler.de (Michael Horn)
Date: Mon, 24 Sep 2012 12:28:44 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To:
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de> <20120924120354.7494fd3d@x200s>
Message-ID: <20120924122844.06092f4d@x200s>

On Mon, 24 Sep 2012 15:48:45 +0530
Suresh Ramasubramanian wrote:

> mostly because he hosts the piratebay

now that would be new to me. i thought that tpb has been residing behind port80 (or what their name is these days) and portlane for quite a while.

-mh

From ops.lists at gmail.com Mon Sep 24 12:36:13 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 24 Sep 2012 16:06:13 +0530
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <20120924122844.06092f4d@x200s>
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de> <20120924120354.7494fd3d@x200s> <20120924122844.06092f4d@x200s>
Message-ID:

Used to host tpb I mean, before they got booted off by a court order and moved in 2011

http://gigaom.com/video/the-pirate-bay-forced-offline-trading-continues/

On Monday, September 24, 2012, Michael Horn wrote:

> On Mon, 24 Sep 2012 15:48:45 +0530
> Suresh Ramasubramanian wrote:
>
> > mostly because he hosts the piratebay
>
> now that would be new to me. i thought that tpb has been residing behind
> port80 (or what their name is these days) and portlane for quite a while.
>
> -mh

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From ops.lists at gmail.com Mon Sep 24 12:40:07 2012
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 24 Sep 2012 16:10:07 +0530
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To:
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de> <20120924120354.7494fd3d@x200s> <20120924122844.06092f4d@x200s>
Message-ID:

Or as this /. post claims (please add salt to taste), because tpb themselves bailed on cb3rob

http://slashdot.org/submission/1239394/Pirate-Bay-Abandons-Cyberbunker-ISP

--srs

On Monday, September 24, 2012, Suresh Ramasubramanian wrote:

> Used to host tpb I mean, before they got booted off by a court order and
> moved in 2011
>
> http://gigaom.com/video/the-pirate-bay-forced-offline-trading-continues/
>
> On Monday, September 24, 2012, Michael Horn wrote:
>
>> On Mon, 24 Sep 2012 15:48:45 +0530
>> Suresh Ramasubramanian wrote:
>>
>> > mostly because he hosts the piratebay
>>
>> now that would be new to me. i thought that tpb has been residing behind
>> port80 (or what their name is these days) and portlane for quite a while.
>>
>> -mh
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com)

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From brian.nisbet at heanet.ie Mon Sep 24 14:03:08 2012
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 24 Sep 2012 13:03:08 +0100
Subject: [anti-abuse-wg] Update on the EU Clean-IT project
In-Reply-To: <505DF3F8.4040506@mutluit.com>
References: <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5886@EXVS002.netsourcing.lan> <505C5E3F.3070800@heanet.ie> <3D7F7C92CA8EEF458B7AC7BACD7D619102F1946D5887@EXVS002.netsourcing.lan> <505C816A.9010606@heanet.ie> <505CA00D.6050705@mutluit.com> <505D55D4.7020500@mutluit.com> <505DF3F8.4040506@mutluit.com>
Message-ID: <50604BFC.1030704@heanet.ie>

U.Mutlu wrote, On 22/09/2012 18:23:
> Julien, you seem to have misinterpreted what I said.
> It can not be the job of RIPE to make Anti-Terror-Laws.

I'd like to be very clear that the CleanIT project is not part of RIPE. Due to the work they are doing and the area in which they are operating we thought (and continue to think) that they have some interesting things to say and that it is a good thing that they are bringing their ideas to the community.
By inviting the project to speak at the meeting, neither the AA-WG nor the community (and especially not the NCC) explicitly or implicitly endorses the full project. We have said that we feel this is an area that requires more investigation and work, but that doesn't mean that we agree with everything they say. Needless to say, this goes not just for the CleanIT project but anyone who comes to talk to the community.

Indeed, if you look at the project's page on partners and participants (http://www.cleanitproject.eu/partners-and-participants/) it explicitly states "These persons or organisations attended Clean IT events and/or exchanged views to contribute to the project. This does not implicate any commitment to temporary or future results from the individuals or their organization."

I hope this clears things up to some extent.

Brian.
Co-chair, RIPE AA-WG

From Woeber at CC.UniVie.ac.at Mon Sep 24 14:14:09 2012
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Mon, 24 Sep 2012 14:14:09 +0200
Subject: [anti-abuse-wg] IP Block wirh no contact details
In-Reply-To: <20120924120354.7494fd3d@x200s>
References: <505F065D.6080109@gmx.net> <5A36D774-5872-4615-92F5-3DF4E2B9701B@cyscon.de> <20120924120354.7494fd3d@x200s>
Message-ID: <50604E91.8010203@CC.UniVie.ac.at>

Michael Horn wrote:

[...]
> what is this? i don't even...

I am wondering: was this "forged use" of the NCC's hostmaster "identity"?
inetnum:        84.22.100.0 - 84.22.100.255
netname:        A84-22-100-0
descr:          Republic CyberBunker National Network 100
admin-c:        CBMT1-RIPE
tech-c:         CBMT1-RIPE
country:        AQ   <------- Antarctica :-)
status:         ASSIGNED PA
mnt-by:         MNT-CB3ROB
mnt-lower:      MNT-CB3ROB
mnt-routes:     MNT-CB3ROB
changed:        hostmaster at ripe.net 20120831   <------------------------
source:         RIPE

> -mh

Wilfried

From emadaio at ripe.net Thu Sep 27 12:54:37 2012
From: emadaio at ripe.net (Emilio Madaio)
Date: Thu, 27 Sep 2012 12:54:37 +0200
Subject: [anti-abuse-wg] 2011-06 Proposal Accepted (Abuse Contact Management in the RIPE NCC Database)
Message-ID:

Dear Colleagues,

Consensus has been reached, and the proposal described in 2011-06 has been accepted by the RIPE community.

You can find the full proposal at:
https://www.ripe.net/ripe/policies/proposals/2011-06

The new RIPE document is ripe-563 and it is available at:
https://www.ripe.net/ripe/docs/current-ripe-documents/ripe-563

Thank you for your input.

Regards
Emilio Madaio
Policy Development Officer
RIPE NCC

From tk at abusix.com Fri Sep 28 12:41:49 2012
From: tk at abusix.com (Tobias Knecht)
Date: Fri, 28 Sep 2012 12:41:49 +0200
Subject: [anti-abuse-wg] CleanIT: Unanswered question from chat
Message-ID: <50657EED.1030500@abusix.com>

Hi there,

since we were a bit short on time yesterday, we were not able to bring up all the questions asked in the chat. So I thought let's send them over to But Klaasen and ask for a response.

Question was: (and sorry can't remember the username who asked it)

"Given that some of the proposals have a clear impact on the fundamental rights of internet users and given the fact that several government institutions are involved in delivering objectives, shouldn't these proposed restrictions be based on formal law? Such rules must be created in full transparency and the parliament must be able to reject proposals w/ restrictions on freedom of communications and privacy when it sees fit."
Answer from But Klaasen:

In the first place the clean IT project does not create formal rules. But we might come up with a call for better regulation. In that case governments will follow formal procedures and parliament is always involved. No misunderstanding about that.

With regard to the best practices: any action taken to reduce the terrorist use of the internet, will respect fundamental rights and freedoms, including access to the Internet, freedoms of assembly and expression, privacy and data protection. This is clearly stated in general principle nr. 11 in our draft document (version August 14).

But I am not sure that this is the real issue here. It seems like there are two questions at stake:
1. Will the best practices in the final document comply with this general principle #11?
2. Is the Clean IT group powered to judge on that?

Is this the right interpretation of the question? If not, could you ask to specify the question? Anyway we will be happy to take this question into the group. Maybe we can invite the one(s) that have posed this question to participate in the discussion about this?

Hope this answer is helpful.

Thanks,

Tobias

--
AA-WG Co-Chair

From security at mutluit.com Sat Sep 29 11:26:23 2012
From: security at mutluit.com (U.Mutlu)
Date: Sat, 29 Sep 2012 11:26:23 +0200
Subject: [anti-abuse-wg] DNS DoS attacks by 91.235.143.158 and 69.162.110.100
Message-ID: <5066BEBF.60209@mutluit.com>

For several weeks now our DNS server gets attacked by the following 2 systems. It's a DoS attack. We have DNS recursion disabled, but these systems countlessly send recursion queries. We now are blocking them at the firewall level:

 pkts bytes target  prot opt in  out  source           destination
1845K  118M DROP    all  --  *   *    91.235.143.158   0.0.0.0/0
1518K  100M DROP    all  --  *   *    69.162.110.100   0.0.0.0/0

We have sent the first one 4 Abuse Reports, and the second one 10 (!) ARs, and also had email contact to both their admins/abuse team. But nothing changes.
Their cheap excuse is by saying that our DNS server is allegedly an open resolver (this is total BS! it's untrue), and the attack would be a so called "reflected UDP DNS attack" carried out by someone else using forged IP headers (IMO again cheap BS excuse as nowadays every ISP uses egress/ingress filtering to block such SenderIP-forgeries).

My suspicion is that these companies are maybe specialized (and get paid for) to carry out such DNS attacks to bring down the network infrastructure of target systems. It seems they try to poison our DNS cache. This of course would affect our whole infrastructure.

The IPs belong to these domains/companies:

91.235.143.158 (Ukraine --> RIPE): belongs to the operators of www.irishindependentescorts.com , a porno site operated/administered by a David Walsh and davidwalsheire at gmail.com, AbuseAddress: support at v-sys.org

69.162.110.100 (US --> ARIN): www.limestonenetworks.com, an ISP, AbuseAddress: abuseteam at limestonenetworks.com and abuse at lstn.net
This ISP seems to be well known for doing nothing against such attacks either carried out by its own staff or by its clients as can be seen in the postings of admins of other attacked systems:
http://www.webhostingstuff.com/review/LimestoneNetworks.html
http://www.webhostingtalk.com/showthread.php?t=1159070
http://www.webhostingtalk.com/showthread.php?t=1183580

Anybody else get attacked by the above systems?
What else can be done in such a case?
Is this a case for CERT's ?
Anybody have experience with CERT's and can give tips?
The attacks look like the following excerpts from the DNS log (before blocking them in the firewall):

# Log evidence:
#
# AR BC=BC48b Logfile=/var/log/named/named_misc.log GenTime=20120925-095445 ToAbuseEMA: support at v-sys.org
# AttackerIP=91.235.143.158 Hostname(rDNS)= IPfromHN(DNS)=
# cAT=14869 cAS=7 cAR=4 CC=UA RIR=RIPE ASN=AS6849 JSC UKRTELECOM,
# AttackedServerIP(s)=82.211.8.197 84.200.248.120 84.201.4.43 84.200.248.111 84.200.20.194 84.200.43.148
# LogExcerpt (timezone: UTC+02 = GMT+02, syncd via NTP):
2012-09-22 16:06:52.905 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.934 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.956 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-25 09:46:08.661 security: info: client 91.235.143.158#8775: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.663 security: info: client 91.235.143.158#52882: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.754 security: info: client 91.235.143.158#31714: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.794 security: info: client 91.235.143.158#7089: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.827 security: info: client 91.235.143.158#7064: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.833 security: info: client 91.235.143.158#16716: query (cache) 'google.com/A/IN' denied
2012-09-25 09:46:08.868 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied

# Log evidence:
#
# AR BC=BC48b Logfile=/var/log/named/named_misc.log GenTime=20120923-022150 ToAbuseEMA: abuse at limestonenetworks.com
# AttackerIP=69.162.110.100 Hostname(rDNS)=100-110-162-69.static.reverse.lstn.net
# cAT=2324432 cAS=300 cAR=10 CC=US RIR=ARIN ASN=AS46475 Limestone Networks, Inc.
# AttackedServerIP(s)=82.211.8.197 84.200.248.120 84.201.4.43 84.200.248.111 84.200.20.194 84.200.43.148
# LogExcerpt (timezone: UTC+02 = GMT+02, syncd via NTP):
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:36.969 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied

From Woeber at CC.UniVie.ac.at Sat Sep 29 12:00:27 2012
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Sat, 29 Sep 2012 12:00:27 +0200
Subject: [anti-abuse-wg] DNS DoS attacks by 91.235.143.158 and 69.162.110.100
In-Reply-To: <5066BEBF.60209@mutluit.com>
References: <5066BEBF.60209@mutluit.com>
Message-ID: <5066C6BB.2090105@CC.UniVie.ac.at>

U.Mutlu wrote:

[...]
> ... and the attack would
> be a so called "reflected UDP DNS attack" carried out by someone else
> using forged IP headers

Even authoritative nameservers are vulnerable to some degree.
> (IMO again cheap BS excuse as nowadays
> every ISP uses egress/ingress filtering to block such SenderIP-forgeries).

I rate this statement/expectation as wishful thinking, sorry.

> Is this a case for CERT's ?

Definitely!

> Anybody have experience with CERT's and can give tips?

Depending on "where" you are based, or what your existing relationships to CERTs are, you may want to get in touch with the one that covers the constituency you are in, or try to get in touch with other CERTs that may have working relationships with the ISPs providing connectivity to those address blocks or sources of the offending packets.

Hth,
Wilfried.
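For readers triaging a similar log, the following is an added example (not part of either message above, and not code from any poster) that parses BIND "query (cache) ... denied" lines of the shape quoted in the thread and summarises, per client address, the signs that bear on the forged-source question raised in the reply. The function names, the sign labels and the thresholds are assumptions chosen for illustration, and the sample lines are constructed in the shape of the excerpts.

```python
import re
from collections import defaultdict

# One BIND "security" log line for a refused recursive query, as in the post.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ security: info: client "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied$")

# Constructed sample in the shape of the excerpts quoted in the post.
SAMPLE_LOG = """\
2012-09-22 16:06:52.905 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-22 16:06:52.934 security: info: client 91.235.143.158#80: query (cache) 'isc.org/ANY/IN' denied
2012-09-25 09:46:08.661 security: info: client 91.235.143.158#8775: query (cache) 'google.com/A/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.144 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
2012-09-22 16:25:37.322 security: info: client 69.162.110.100#53: query (cache) 'ripe.net/ANY/IN' denied
"""

def summarize(text):
    """Count denied queries per client: total, ANY, low source port, per second."""
    stats = {}
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue  # not a denied-recursion line
        s = stats.setdefault(m["ip"], {"total": 0, "any": 0, "low_port": 0,
                                       "per_sec": defaultdict(int)})
        s["total"] += 1
        s["any"] += m["qtype"] == "ANY"
        s["low_port"] += int(m["port"]) < 1024
        s["per_sec"][m["ts"]] += 1
    return stats

def triage(stats, ratio=0.5, burst=4):
    """Return {ip: [signs]}; ratio and burst are illustrative thresholds."""
    result = {}
    for ip, s in stats.items():
        signs = []
        if s["any"] / s["total"] >= ratio:
            signs.append("any-heavy")      # ANY is rare in normal resolver traffic
        if s["low_port"] / s["total"] >= ratio:
            signs.append("low-src-port")   # resolvers normally use high random ports
        if max(s["per_sec"].values()) >= burst:
            signs.append("burst")
        result[ip] = signs
    return result
```

Run it over a real file with `triage(summarize(open(path).read()))`. The signs are heuristics for deciding what to include in a report to a CERT, not proof of who sent the packets.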