From lists-ripe at c4inet.net Tue Jun 4 21:28:59 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Tue, 4 Jun 2013 20:28:59 +0100
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
Message-ID: <20130604192859.GA78676@cilantro.c4inet.net>

All,

please find below comments on 2013-01 v2.0. I refer to:
https://www.ripe.net/ripe/policies/proposals/2013-01

> 1. Transparency on reported policy violations
>
> The RIPE NCC accepts reports about Internet number resource registrations such as violation of RIPE Policies and RIPE NCC Procedures, provision of untruthful information to the RIPE NCC, bankruptcy, liquidation or insolvency of resource holders and incorrect contact information in the RIPE Database.
>
> The RIPE NCC will handle all such reports and publish statistics about such reports publicly.
>
> The RIPE NCC will publish regularly statistics of the reports that have been received but not yet closed. These statistics will show the number of reports in each of the following categories:
>
> 'new': Submitted but not being investigated yet
> 'under-investigation': The RIPE NCC is investigating the report
>
> In addition to these running totals the RIPE NCC publishes statistics about how these reports have been closed. These statistics are divided into the following categories:
>
> 'closed, out-of-scope': The report is out of scope for the RIPE NCC reporting system
> 'closed, resolved-by-holder': The resource holder has resolved any problems
> 'closed, resources-returned': The report has led to resources being returned to the RIPE NCC
> 'closed, no-violation': After investigation the RIPE NCC could not find any violation of policy

The text needs to state explicitly that this reporting is anonymised, i.e. does not contain any information that can be used to identify either the resource or the holder.

> 2. Progress
>
> The RIPE NCC will provide a way to follow the progress of the investigation for both the person submitting a report and the organization(s) mentioned in the report.
>
> This information will not be published publicly.

This is better than v1.0 but still leaves room for abuse, viz. there is no mechanism to ensure the information provided by the NCC is not published by the submitter. A possible solution would be to restrict submission of complaints to the LIRportal, thereby ensuring that the submitter is contractually obliged to the NCC and disclosure of this information can be appropriately sanctioned. Such sanctions would need to be enough to discourage abuse.

> 3. Transparency on reclaimed resources
>
> As the 'delegated' files show the resources that the RIPE NCC has delegated to others, so will the 'returned' files show the resources delegated or returned to the RIPE NCC. The format of the 'returned' files will be publicly published to facilitate automatic processing.
>
> The reason for resources being returned can be:
>
> 'returned': Returned by the holder
> 'contact-lost': The RIPE NCC could not contact the holder
> 'policy-violation': Reclaimed because of a policy violation

I'd like to know more about the use-case for this, particularly under the aspect of "automated processing".

On balance, this is better than the first attempt, however I still think that the rights of members are insufficiently safeguarded. Thus I remain opposed to this version too.
Kind Regards,
Sascha Luck

From sander at steffann.nl Tue Jun 4 22:08:44 2013
From: sander at steffann.nl (Sander Steffann)
Date: Tue, 4 Jun 2013 22:08:44 +0200
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <20130604192859.GA78676@cilantro.c4inet.net>
References: <20130604192859.GA78676@cilantro.c4inet.net>
Message-ID:

Hi Sascha,

> The text needs to state explicitly that this reporting is anonymised, i.e. does not contain any information that can be used to identify either the resource or the holder.

I have no problem with that.

>> The RIPE NCC will provide a way to follow the progress of the investigation for both the person submitting a report and the organization(s) mentioned in the report.
>>
>> This information will not be published publicly.
>
> This is better than v1.0 but still leaves room for abuse, viz. there is no mechanism to ensure the information provided by the NCC is not published by the submitter. A possible solution would be to restrict submission of complaints to the LIRportal, thereby ensuring that the submitter is contractually obliged to the NCC and disclosure of this information can be appropriately sanctioned. Such sanctions would need to be enough to discourage abuse.

I don't see any further role for the RIPE NCC here. Certainly not in regard to defining 'sanctions'. The RIPE NCC is not the police.

Maybe we have different ideas about what 'follow the progress' means. I certainly don't mean the content of every e-mail sent or received, but some kind of status indicator. The NCC will very probably define terms and conditions for any information they disclose. I certainly don't intend that the NCC breaks its confidentiality agreements etc. If you want to define more strictly in policy what should and should not be published then please provide text.

>> 3. Transparency on reclaimed resources
>>
>> As the 'delegated' files show the resources that the RIPE NCC has delegated to others, so will the 'returned' files show the resources delegated or returned to the RIPE NCC. The format of the 'returned' files will be publicly published to facilitate automatic processing.
>>
>> The reason for resources being returned can be:
>>
>> 'returned': Returned by the holder
>> 'contact-lost': The RIPE NCC could not contact the holder
>> 'policy-violation': Reclaimed because of a policy violation
>
> I'd like to know more about the use-case for this, particularly under the aspect of "automated processing"

It just says that the file format will be published in a well defined and publicly known format. What exactly is your point here?

Cheers,
Sander

From lists-ripe at c4inet.net Fri Jun 7 20:57:41 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Fri, 7 Jun 2013 19:57:41 +0100
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To:
References: <20130604192859.GA78676@cilantro.c4inet.net>
Message-ID: <20130607185741.GA91468@cilantro.c4inet.net>

Hi Sander,

On Tue, Jun 04, 2013 at 10:08:44PM +0200, Sander Steffann wrote:
>> submission of complaints to the LIRportal, thereby ensuring that the submitter is contractually obliged to the NCC and disclosure of this information can be appropriately sanctioned. Such sanctions would need to be enough to discourage abuse.
>
> I don't see any further role for the RIPE NCC here. Certainly not in regard to defining 'sanctions'. The RIPE NCC is not the police.

OK, forget about sanctions which, in any case, would only be related to possible breach of contract. The identity of the complainant must be known to, and verified by, the NCC though (LIRportal?) and discoverable in case of abuse. I don't want to leave room here for spurious complaints from fake at address.com that the NCC would be obliged to act on.

>> I'd like to know more about the use-case for this, particularly under the aspect of "automated processing"
>
> It just says that the file format will be published in a well defined and publicly known format. What exactly is your point here?

I'm just wondering whether there is any use for this information besides idle curiosity.

rgds,
Sascha

From michele at blacknight.com Tue Jun 11 16:20:27 2013
From: michele at blacknight.com (Michele Neylon :: Blacknight)
Date: Tue, 11 Jun 2013 14:20:27 +0000
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <20130604193716.470215A4010@merlin.blacknight.ie>
References: <20130604193716.470215A4010@merlin.blacknight.ie>
Message-ID:

Sascha

On 4 Jun 2013, at 21:28, Sascha Luck wrote:
> A possible solution would be to restrict submission of complaints to the LIRportal, thereby ensuring that the submitter is contractually obliged to the NCC and disclosure of this information can be appropriately sanctioned. Such sanctions would need to be enough to discourage abuse.

Unless I'm mistaken, which I could be, if submissions are restricted to the LIRportal then only RIPE members will be able to submit reports, which seems more than a little counterintuitive. LEA and security types etc. would probably want to submit reports as well, wouldn't they?

I'd agree that the submission email address would have to be validated in some way, or there would be a lot of spurious / bogus complaints.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel/
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

From staylormuz at ripe.net Thu Jun 13 11:59:53 2013
From: staylormuz at ripe.net (Suzanne Taylor Muzzin)
Date: Thu, 13 Jun 2013 11:59:53 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Message-ID:

[Apologies for duplicate emails]

Dear colleagues,

The RIPE NCC receives a lot of inquiries from people dealing with network abuse, such as spamming, hacking and phishing. While we have several tools available to help victims of network abuse find appropriate contact information, in addition to FAQs and information about the Anti-Abuse Working Group, all of this information was previously scattered across the RIPE NCC website in different places and could be difficult to find.

We're happy to announce that we have created a dedicated page about network abuse that contains all the information on this topic that the RIPE NCC has available. We've developed this page in cooperation with the Anti-Abuse Working Group Chairs and we hope that this resource will be helpful to anyone dealing with network abuse, regardless of their technical background.

The page is linked from the RIPE NCC's homepage under the Data & Tools section, but you can also access it directly at:
https://www.ripe.net/abuse

We hope you will find this resource useful.

Kind regards,
Suzanne Taylor Muzzin
Communications Writer
RIPE NCC

From rfg at tristatelogic.com Fri Jun 14 01:22:38 2013
From: rfg at tristatelogic.com (Ronald F.
Guilmette)
Date: Thu, 13 Jun 2013 16:22:38 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
Message-ID: <13612.1371165758@server1.tristatelogic.com>

In message , Suzanne Taylor Muzzin wrote:
> We're happy to announce that we have created a dedicated page about network abuse...

What is that, exactly? I mean "network abuse".

-=-=-=-=-=-=-=-=-=-=-

As should be obvious to anyone who has been here for a while, or anyone who knows me, my question is at least somewhat rhetorical. I would like an answer, but am not expecting any to be forthcoming, certainly not from RIPE NCC (as opposed to RIPE itself), and certainly not in any sense either formal or binding upon anyone or anything.

I have previously stated my own extreme displeasure and concern about this entirely unsatisfactory state of affairs, in which no person or entity within the RIPE region or community is willing to offer up any specific definition of the term "network abuse", and my own meager attempts to instigate some process that would simply codify and formalize this key term of debate and policy have met with no success whatsoever, as everyone who has been on this list in recent months already knows. Regardless, I feel compelled by both history and my own innate sense of justice and fairness to try yet again to make my case. (And yes, despite any contentions to the contrary, the current lack of a formal definition of "network abuse" _is_ resulting in unfairness and injustice, even if that unfairness and injustice has not yet come for any of the members of RIPE who still maintain the indefensible position that no proper definition of "network abuse" is either necessary or useful.)

I will be the first to admit that we here in the United States of America have made a lot of mistakes, have gotten a lot of things wrong, and have often behaved badly in, among and towards others in the community of nations. One of the things that our founding fathers did not get wrong however was their commitment to forming a more perfect union based upon the rule of law, as opposed to the rule of men. The latter had historically, consistently and inevitably degenerated into abject and unfettered tyranny. Our forefathers worked and fought to free both themselves and their posterity from exactly that injustice, forever. This was an unambiguous and self-evidently laudable goal.

Now the Internet itself is engaged in a great civil war, testing whether any distributed and decentralized amalgam and association of communicating but otherwise independent networks, each answerable to no law but their own, can long endure. At present, almost daily reports of various highly destructive Distributed Denial of Service attacks flood the news, spammers run free and largely unchecked by anyone or anything, script kiddies can and do invest mere minutes, and by so doing can and do cost reputable firms and individuals countless hours and euros in defense and cleanup costs, and both companies and nation states have now, by all accounts, formalized their own ongoing policies of either mass intellectual property theft or Denial of Service attacks, or both, against perceived commercial competitors or perceived national enemies.

Whereas the costs and implications of all these issues and problems are everywhere clear and apparent, organizations such as RIPE continue to maintain in public a studied and all-encompassing position of utter ignorance regarding the very nature of these problems, even as mainstream journalists with far more compelling claims to technological ignorance report, often clearly and correctly, on these events essentially every day now. If RIPE still does not know what "network abuse" is, then it is virtually alone in the industrialized portions of the modern world in its abject ignorance of the nature of these problems.

RIPE's current and ongoing policy of refraining from any attempts to codify any formal or even any working definition of the term "network abuse" is not a shining example of leadership. Rather, it is an abdication. Worse, it amounts in practice to a tacit endorsement of the current de facto "anything goes" environment and ethos which has, which does now, and which will continue to be so costly to so many of RIPE's own members. This turning of a blind eye is defensible only in the minds of those members who harbor a misplaced fear of one day finding themselves and their own actions on the wrong side of some formalized definition of "network abuse", and then being subjected to some form of community sanction on that basis. What I believe those members do not realize is that they run a greater risk of being _unjustly_ sanctioned on the basis of a fluid, ill-defined, and constantly changing community conception of what is and isn't "network abuse" than they would if the definition of this term were codified, clear, public, and unchangeable other than by community vote.

For all of the above reasons I again implore the RIPE community as a whole, and specifically the ambiguously named Anti-Abuse Working Group, to begin work immediately to develop and codify a consensus-driven formal definition of the term "network abuse". Any failure to do so will, in time, be understood by all to have been an error of historic proportions. This is a choice that the membership must make and _is_ making, including even those members who naively believe that the community is deferring and demurring from any choice. Not to decide is to decide. A choice not to decide, in this instance, is tantamount to nothing less than a choice of the rule of men over the rule of law.
Regards,
rfg

From gert at space.net Fri Jun 14 10:18:12 2013
From: gert at space.net (Gert Doering)
Date: Fri, 14 Jun 2013 10:18:12 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <13612.1371165758@server1.tristatelogic.com>
References: <13612.1371165758@server1.tristatelogic.com>
Message-ID: <20130614081812.GB2504@Space.Net>

Hi,

On Thu, Jun 13, 2013 at 04:22:38PM -0700, Ronald F. Guilmette wrote:
> Now the Internet itself is engaged in a great civil war, testing whether any distributed and decentralized amalgam and association of communicating but otherwise independent networks, each answerable to no law but their own, can long endure.

I challenge that "answerable to no law".

We all are operating in the boundaries of the national legal system that governs where an entity is located (easier for national ISPs, might be interesting for international networks, but still, laws *do* govern and ISPs are answerable to them).

What people seem to overlook when looking across the great waters is that there's a large number of countries in Europe, and each has their own legal system - so whatever is illegal across all of the US might be legal in one of the non-US states around the world - and that's actually what makes defining "network abuse" *that stands up to law* in a RIPE-wide manner somewhat tricky.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Management Board: Sebastian v. Bomhard
Chairman of the Supervisory Board: A. Grundner-Culemann
Commercial register: HRB 136055 (AG Muenchen)
Tel: +49 (89) 32356-444
VAT ID: DE813185279

From rfg at tristatelogic.com Fri Jun 14 15:26:42 2013
From: rfg at tristatelogic.com (Ronald F.
Guilmette)
Date: Fri, 14 Jun 2013 06:26:42 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130614081812.GB2504@Space.Net>
Message-ID: <18822.1371216402@server1.tristatelogic.com>

In message <20130614081812.GB2504 at Space.Net>, Gert Doering wrote:
> On Thu, Jun 13, 2013 at 04:22:38PM -0700, Ronald F. Guilmette wrote:
>> Now the Internet itself is engaged in a great civil war, testing whether any distributed and decentralized amalgam and association of communicating but otherwise independent networks, each answerable to no law but their own, can long endure.
>
> I challenge that "answerable to no law".
>
> We all are operating in the boundaries of the national legal system that governs where an entity is located (easier for national ISPs, might be interesting for international networks, but still, laws *do* govern and ISPs are answerable to them).

OK, two points:

First, you're right and perhaps I should have said no "common" law, which holds sway in all parts of the RIPE region.

Second, I hope and believe that it is beyond question that some nations within the RIPE region, either on paper or as a result of non-enforcement, do have, in effect, essentially no law whatsoever that would or does govern any uses or abuses of any network of computer networks or any parts or portions thereof. That lowest common denominator may suit the interests of criminals. It does less well as a basis for an organized cooperative association bent on something other than the perpetration of crime.

> What people seem to overlook when looking across the great waters is that there's a large number of countries in Europe, and each has their own legal system

I, for one, do not overlook this key fact. And indeed, by stating it, you are helping to make my case for me. There are laws whose application and jurisdiction are various nations and their inhabitants. There are no laws whose jurisdiction is The Internet, save for those promulgated by RIPE, ARIN, APNIC, LACNIC, AFRINIC, IANA, and ICANN, and at present those laws say essentially nothing other than "Thou shalt not fail to pay, or defraud thy applicable RIR out of any fees reasonably owed, on penalty of forfeiture of any and all number resources registered." Yes, there are also numerous codifications of the clerical minutiae of seemingly innumerable processes and procedures by which number resources are allocated, deallocated, reallocated, reclaimed, and redistributed, but as we know, none of these say word one about the nature, character, or intent of the bits any member might or might not elect to send down the wire, once applicable fees have been paid and connections established, nor about any community sanctions that might be applied in the event of behavior which, while possibly obeying all applicable national laws, materially does damage to the relevant RIR community and/or other members thereof.

> so whatever is illegal across all of the US might be legal in one of the non-US states around the world - and that's actually what makes defining "network abuse" *that stands up to law* in a RIPE-wide manner somewhat tricky.

Tricky it may be, however the time during which it might be viewed as optional has passed. History has killed it.

Regards,
rfg

From Pepijn.Vissers at acm.nl Sat Jun 15 09:24:08 2013
From: Pepijn.Vissers at acm.nl (Vissers, Pepijn)
Date: Sat, 15 Jun 2013 07:24:08 +0000
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website [Decrypted by ACM Verified]
In-Reply-To:
References:
Message-ID: <612FDD73642D544098B908E8AA1665D91BB7AEE2@ex2087.acm.local>

Dear all,

I welcome this initiative. Thanks.

Kind regards,
P. Vissers
Authority for Consumers and Markets

-----Original message-----
From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] on behalf of Suzanne Taylor Muzzin
Sent: Thursday, 13 June 2013 12:00
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website [Decrypted by ACM Verified]

From lists-ripe at c4inet.net Sun Jun 16 19:18:36 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Sun, 16 Jun 2013 18:18:36 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <18822.1371216402@server1.tristatelogic.com>
References: <20130614081812.GB2504@Space.Net> <18822.1371216402@server1.tristatelogic.com>
Message-ID: <20130616171836.GA37499@cilantro.c4inet.net>

On Fri, Jun 14, 2013 at 06:26:42AM -0700, Ronald F.
Guilmette wrote:
> laws whose jurisdiction is The Internet, save for those promulgated by RIPE, ARIN, APNIC, LACNIC, AFRINIC, IANA, and ICANN, and at present those laws say essentially nothing other than "Thou shalt not fail to pay, or defraud thy applicable RIR out of any fees reasonably owed, on penalty of forfeiture of any and all number resources registered." Yes, there

Yes. And long may it continue to be so.

> are also numerous codifications of the clerical minutiae of seemingly innumerable processes and procedures by which number resources are allocated, deallocated, reallocated, reclaimed, and redistributed, but as we know, none of these say word one about the nature, character, or intent of the bits any member might or might not elect to send down the wire, once applicable fees have been paid and connections established,

Yes. And long may it continue to be so. My membership fees will *not ever* go towards establishing the RIPE NCC as the Internet Censor.

> nor about any community sanctions that might be applied in the event of behavior which, while possibly obeying all applicable national laws, materially does damage to the relevant RIR community and/or other members thereof.

Wrong. Attempts to establish the RIR as a censorship authority do damage to the RIR and its community. I do not think a RIR can survive any other way than by being a "disinterested party" that engages in registry duties, and none other.

/ends
Sascha Luck

From rfg at tristatelogic.com Sun Jun 16 21:42:53 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sun, 16 Jun 2013 12:42:53 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Message-ID: <39804.1371411773@server1.tristatelogic.com>

Sascha Luck wrote:
> Attempts to establish the RIR as a censorship authority do damage to the RIR and its community.

You have an interestingly pervasive definition of "censorship".
By your definition, anyone attempting to even discipline, after the fact, a person who had shouted "fire" in a crowded theater, in particular one that had not in fact been on fire, would be guilty of unwarranted "censorship".

> I do not think a RIR can survive any other way than by being a "disinterested party" that engages in registry duties, and none other.

Assuming, for the sake of argument, that I and every other member of RIPE agreed with that exact assertion, then I would be forced to ask the obvious question: What then are the goals, missions, and responsibilities of the RIPE Anti-Abuse working group?

From rezaf at mindspring.com Mon Jun 17 13:18:21 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 17 Jun 2013 07:18:21 -0400
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
Message-ID: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a>

Hello,

Does anyone know whom this domain and IP (vps1233-cloud.dns26.com [92.39.242.8]) belong to?

I have been receiving Spam messages from this source for weeks, and of course reporting them directly and via Spam Cop. But, there is no clear or correct contact for this domain or its IP [92.39.242.8].

The net range of 92.39.242.0 - 92.39.242.255 appears to belong to CLOUD ELB, ITALY, with the only contact listed as contact at elb.it. But of course this address is invalid. The other contact, contact at netissime.com, offers no help either.

I appreciate any assistance that you may offer about this matter.

Thank you,
Reza Farzan
From MRichter at sasag.ch Mon Jun 17 13:25:05 2013
From: MRichter at sasag.ch (Michael Richter)
Date: Mon, 17 Jun 2013 11:25:05 +0000
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
In-Reply-To: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a>
References: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a>
Message-ID: <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra>

There is an abuse mailbox, have you tried that one:

remarks:        ***************************************************
remarks:        In case of abuse or spam, please use :
remarks:        Web : http://www.elb.it
remarks:        ***************************************************
abuse-mailbox:  abuse at elb.it

cheers
michael

________________________________
From: anti-abuse-wg-bounces at ripe.net [anti-abuse-wg-bounces at ripe.net] on behalf of Reza Farzan [rezaf at mindspring.com]
Sent: Monday, 17 June 2013 13:18
To: RIPE Anti-Abuse WG
Cc: abuse at iliad-entreprises.fr; info at secure26.com; contact at netissime.com
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
From rezaf at mindspring.com Mon Jun 17 13:31:46 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 17 Jun 2013 07:31:46 -0400
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
In-Reply-To: <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra>
References: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a> <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra>
Message-ID: <8B600B58C405438689ECDFBEB7C7AD8E@admin36565265a>

Hi Michael,

I did send my report to this address, abuse at elb.it, but it is an invalid address.

Reza

_____
From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Michael Richter
Sent: Monday, June 17, 2013 7:25 AM
To: rezaf at mindspring.com; RIPE Anti-Abuse WG
Cc: abuse at iliad-entreprises.fr; info at secure26.com; contact at netissime.com
Subject: Re: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])

From rezaf at mindspring.com Mon Jun 17 14:23:02 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 17 Jun 2013 08:23:02 -0400
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
In-Reply-To: <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra>
References: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a> <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra>
Message-ID: <824F2ACF12304BB99A9500E89E884933@admin36565265a>

Hello Michael,

Here it is:

---------------
Delivery has failed to these recipients or groups:

abuse at elb.it
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.
+++++ Reza Farzan _____ From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Michael Richter Sent: Monday, June 17, 2013 7:25 AM To: rezaf at mindspring.com; RIPE Anti-Abuse WG Cc: abuse at iliad-entreprises.fr; info at secure26.com; contact at netissime.com Subject: Re: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8]) There is an abuse Mailbox, have you tried that one: remarks: *************************************************** remarks: In case of abuse or spam, please use : remarks: Web : http://www.elb.it remarks: *************************************************** abuse-mailbox: abuse at elb.it cheers michael _____ Von: anti-abuse-wg-bounces at ripe.net [anti-abuse-wg-bounces at ripe.net]" im Auftrag von "Reza Farzan [rezaf at mindspring.com] Gesendet: Montag, 17. Juni 2013 13:18 An: RIPE Anti-Abuse WG Cc: abuse at iliad-entreprises.fr; info at secure26.com; contact at netissime.com Betreff: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8]) Hello, Does anyone know whom this domain and IP (vps1233-cloud.dns26.com ([92.39.242.8]) belongs to? I have been receiving Spam messages from this source for weeks, and of course reporting them directly and via Spam Cop. But, there is no clear or correct contact for this domain or it's IP [92.39.242.8]. The net range of 92.39.242.0 - 92.39.242.255 appears to belong to CLOUD ELB, ITALY, with the only contact listed as contact at elb.it. But of course this address is invalid. The other contact, contact at netissime.com offers no help either. I appreciate any assistance that you may offer about this matter. Thank you, Reza Farzan -------------- next part -------------- An HTML attachment was scrubbed... 
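The exchange above turns on where an abuse contact is recorded in a RIPE Database object: the inetnum Michael quotes carries only a remarks: block and an abuse-mailbox:, and that mailbox bounced. As an added example (not code from this thread, nor from the RIPE NCC), the following Python script parses RPSL objects in the text form a whois query returns, ranks the candidate abuse contacts for each inetnum (abuse-c role, bare abuse-mailbox, address buried in remarks, organisation e-mail) so a responder knows how structured each lead is, and counts how many objects and how many addresses are covered by a resolvable abuse-c, the two shapes of figure the NCC's abuse-c coverage updates on this list use. Every object, handle and address in the sample is constructed (RFC 5737 documentation ranges, made-up -TEST handles) and is not real RIPE data.

```python
# Added example (not code from this thread or the RIPE NCC): rank the abuse
# contacts in RIPE Database (RPSL) objects and measure abuse-c coverage. The
# objects below are constructed samples (RFC 5737 ranges, made-up handles).
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
org:            ORG-EXA1-TEST
remarks:        In case of abuse or spam, please use :
abuse-mailbox:  abuse@example.net

inetnum:        198.51.100.0 - 198.51.100.255
org:            ORG-EXB2-TEST

organisation:   ORG-EXB2-TEST
abuse-c:        EXB-ABUSE-TEST

role:           Example B abuse desk
nic-hdl:        EXB-ABUSE-TEST
abuse-mailbox:  abuse@example.org

inetnum:        203.0.113.0 - 203.0.113.63
org:            ORG-EXC3-TEST
remarks:        abuse reports: abuse-desk@example.com

organisation:   ORG-EXC3-TEST
e-mail:         contact@example.com
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                             # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:      # RPSL continuation line
            key, val = current[-1]
            current[-1] = (key, f"{val} {line[1:].strip()}".strip())
        else:
            key, _, val = line.partition(":")
            current.append((key.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects

def first(obj, name):
    """First value of attribute `name` in an object, or None."""
    return next((v for k, v in obj if k == name), None)

def index_objects(objects):
    """Look-up table by primary key, plus nic-hdl for role/person objects."""
    index = {obj[0][1]: obj for obj in objects}
    index.update({first(o, "nic-hdl"): o for o in objects if first(o, "nic-hdl")})
    return index

def abuse_contact(inetnum, index):
    """Return (method, address) for the most structured abuse contact, or None."""
    org = index.get(first(inetnum, "org") or "")
    # 1. abuse-c (on the inetnum or its organisation) resolved to the role's
    #    abuse-mailbox: the dedicated, machine-readable abuse contact.
    for holder in (inetnum, org):
        role = index.get(first(holder, "abuse-c") or "") if holder else None
        if role and first(role, "abuse-mailbox"):
            return ("abuse-c", first(role, "abuse-mailbox"))
    # 2. A bare abuse-mailbox attribute on the inetnum itself.
    if first(inetnum, "abuse-mailbox"):
        return ("abuse-mailbox", first(inetnum, "abuse-mailbox"))
    # 3. An address buried in free-text remarks: a lead, but unstructured.
    for _, remark in (a for a in inetnum if a[0] == "remarks"):
        match = EMAIL_RE.search(remark)
        if match:
            return ("remarks", match.group(0))
    # 4. Last resort: the organisation's general e-mail address.
    if org and first(org, "e-mail"):
        return ("org e-mail", first(org, "e-mail"))
    return None

def inetnum_size(inetnum):
    """Number of addresses in an 'a.b.c.d - e.f.g.h' inetnum range."""
    start, _, end = inetnum[0][1].partition("-")
    return int(ipaddress.ip_address(end.strip())) - int(ipaddress.ip_address(start.strip())) + 1

def abuse_c_coverage(objects, index):
    """Count inetnums (and addresses) whose contact resolves via abuse-c."""
    stats = {"objects": 0, "objects_covered": 0, "addresses": 0, "addresses_covered": 0}
    for obj in (o for o in objects if o[0][0] == "inetnum"):
        size, contact = inetnum_size(obj), abuse_contact(obj, index)
        stats["objects"] += 1
        stats["addresses"] += size
        if contact and contact[0] == "abuse-c":
            stats["objects_covered"] += 1
            stats["addresses_covered"] += size
    return stats
```

To use it on live data, replace SAMPLE_WHOIS with the text returned by a query to whois.ripe.net for the address in question. On the constructed sample, abuse_contact returns ("abuse-mailbox", "abuse@example.net") for the first range, ("abuse-c", "abuse@example.org") for the second and ("remarks", "abuse-desk@example.com") for the third, and abuse_c_coverage reports one of three objects, 256 of 576 addresses, as covered: the same two views (by object count and by address space) that the NCC's coverage statistics on this list give.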
From jahlen at ripe.net Mon Jun 17 14:48:23 2013
From: jahlen at ripe.net (Johan Åhlén)
Date: Mon, 17 Jun 2013 14:48:23 +0200
Subject: [anti-abuse-wg] Update on abuse-c coverage in RIPE Database
Message-ID: <0EBD9BD0-630A-40AF-9434-83A74B35260F@ripe.net>

Dear Colleagues,

With this email I would like to give you an update on the current coverage of abuse-c in the RIPE Database. For your reference, the last update we gave you was sent to this list at the end of April (http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2013-April/002244.html).

--------
NETWORK NUMBERS:

Total Number of v4 allocations listed: 20,735
Number of v4 allocations covered with abuse-c: 8,283 or 39.9% of v4 allocations

Total Number of v4 PI assignments listed: 28,654
Number of v4 PI assignments covered with abuse-c: 1,091 or 3.8% of v4 assignments

Total Number of v6 allocations listed: 5,773
Number of v6 allocations covered with abuse-c: 2,343 or 40.6% of v6 allocations

Total Number of v6 assignments: 1,426
Number of v6 assignments covered with abuse-c: 133 or 9.3% of v6 assignments

Total Number of objects: 56,588 (IPv4: 49,389 IPv6: 7,199)
Number of objects covered with abuse-c: 11,850 or 20.9% (IPv4: 19.0% IPv6: 34.4%)

--------
IPv4 NETWORK SIZES:

Total size of v4 allocations listed: 594,471,936
Size of v4 allocations covered with abuse-c: 244,133,888 or 41.1%

Total size of v4 PI assignments listed: 169,812,536
Size of v4 PI assignments covered with abuse-c: 12,077,344 or 7.1%

Total size of listed v4 addresses: 764,284,472
Size of listed v4 addresses covered with abuse-c: 256,211,232 or 33.5%

From this we can see that the current abuse-c coverage for IPv4 allocations is at 41.1%, up from 31.3% as reported at the end of April. For more information about these figures please see the link above to Kaveh's previous mail, and if you have any further questions feel free to contact me.

We just finished sending out the first batch of reminders and are currently busy preparing the next set. At the beginning of July we will inform about the consequences of not adding the abuse-c and hopefully that will give increased attention.

Kind regards,

Johan Åhlén
Assistant Database Team Manager
RIPE NCC Database Team

From erik at bais.name Mon Jun 17 14:29:33 2013
From: erik at bais.name (Erik Bais)
Date: Mon, 17 Jun 2013 12:29:33 +0000
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
In-Reply-To: <8B600B58C405438689ECDFBEB7C7AD8E@admin36565265a>
References: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a> <6A1B0F2AE603944A84F7F99010C3036928CB8C3F@VS-W08-KEWV-EXC.sasag.intra> <8B600B58C405438689ECDFBEB7C7AD8E@admin36565265a>
Message-ID: <862A73D42343AE49B2FC3C32FDDFE91C5A6C7601@E2010-MBX04.exchange2010.nl>

Hi Reza,

Have you looked at the AS number info and the contacts there?

organisation:   ORG-Em1-RIPE
org-name:       ELB multimedia
org-type:       LIR
address:        ELB multimedia Hichem Boulahbel Jean Bourgey 17 69100 Villeurbanne FRANCE
phone:          +33 437 430 037
fax-no:         +33 437 430 038
e-mail:         pb at netissime.com
admin-c:        FR6900-RIPE
admin-c:        DE1803-RIPE

person:         Boulahbel hichem
address:        17 rue jean bourgey Villeurbanne 69100
phone:          +33437430037
nic-hdl:        Bh1182-RIPE
changed:        bh at netissime.com 20041027

aut-num:        AS34274
as-name:        ELBMULTIMEDIA
descr:          ELB MULTIMEDIA
descr:          Designed by BOULAHBEL Hichem Directeur technique bh at netissime.com
remarks:        -------------------------------------------------------------------- Admin-c for the provided prefix:

person :        dave elbaze
address :       12 rue du 4 aout
address :       69100 villeurbanne
address :       France
phone :         +33 4 37 43 00 37
fax-no :        +33 4 37 43 00 38
e-mail :        elbaze at elb.fr
nic-hdl :       DE1803-RIPE

Good luck.
Regards,
Erik

From peter at hk.ipsec.se Mon Jun 17 16:19:13 2013
From: peter at hk.ipsec.se (peter h)
Date: Mon, 17 Jun 2013 16:19:13 +0200
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
In-Reply-To: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a>
References: <2F8FF5E4EB9344B38043F20D3812C419@admin36565265a>
Message-ID: <201306171619.14290.peter@hk.ipsec.se>

On Monday 17 June 2013 13.18, Reza Farzan wrote:
> Hello,
>
> Does anyone know who this domain and IP (vps1233-cloud.dns26.com
> ([92.39.242.8]) belong to?
>

Thanks for the report.
Yes it looks like a sleazy provider. I have now added it to my blocklist

peter h
-- 
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix what went wrong. )

From rezaf at mindspring.com Mon Jun 17 16:52:25 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 17 Jun 2013 10:52:25 -0400 (GMT-04:00)
Subject: [anti-abuse-wg] vps1233-cloud.dns26.com ([92.39.242.8])
Message-ID: <20867369.1371480746170.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>

Hello Peter,

They are indeed a "sleazy provider", as their contacts (all invalid) lead you to Italy, France, and other countries.

Criminals have been using this source "vps1233-cloud.dns26.com" to send out malicious Zip files on behalf of PayPal.

I will follow up with RIPE about this sleazy provider.

Thank you,
Reza Farzan

From Woeber at CC.UniVie.ac.at Tue Jun 18 07:10:03 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Tue, 18 Jun 2013 07:10:03 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <39804.1371411773@server1.tristatelogic.com>
References: <39804.1371411773@server1.tristatelogic.com>
Message-ID: <51BFEBAB.4010708@CC.UniVie.ac.at>

A couple of observations...

The first one being: you still seem to *not* get the difference between RIPE (the community, rather fuzzily defined, both geographically as well as structurally) and the NCC (the entity formed and founded by its members to do just *one* thing: run the numbers registry on behalf of the members).

Ronald F. Guilmette wrote:
[...]
>>I do not think a RIR can survive any other way than by being a
>>"disinterested party" that engages in registry duties, and none other.
>
> Assuming, for the sake of argument, that I and every other member of
> RIPE agreed with that exact assertion, then I would be forced to ask the
> obvious question: What then are the goals, missions, and responsibilities
> of the RIPE Anti-Abuse working group?

May I suggest this description:

http://www.ripe.net/ripe/groups/wg/anti-abuse

On a more general aspect, please try to relate to the general road traffic: In most countries, I presume, the unique license plates are managed and issued by one or even more entities. Those entities do not accept any responsibility for the behaviour of the person using a uniquely identified vehicle.
It is a task for the police or traffic wardens or whatever applies to your jurisdiction, to oversee the use of the vehicle according to *local* law.

If a violation is observed or reported, it is the job of the regular legal system to follow up. If "someone" shouts to the maintainer of the unique license plate numbers "stop what I don't like", instead of getting in touch with the police, you will see limited success.

Is this something you can relate to?

To finish off, may I state here (again) that there is infrastructure around to properly and usefully report (perceived) "network abuse"[1]. It is either your local law enforcement agency and/or your (own, local ISP, industry sector or national CSIRT). Those parties do have the mandate, the means and tools, etc. to follow up and take the appropriate steps.

Hth,
regards,
Wilfried.

[1] in order to use those services, having a "common" "definition" of "network abuse" is not even necessary :-)

From niall.oreilly at ucd.ie Tue Jun 18 09:52:19 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Tue, 18 Jun 2013 08:52:19 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51BFEBAB.4010708@CC.UniVie.ac.at>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at>
Message-ID: <20130618085219.2fce5e9a.Niall.oReilly@ucd.ie>

On Tue, 18 Jun 2013 07:10:03 +0200
Wilfried Woeber wrote:

> A couple of observations...

Great!

/N

From furio+as at spin.it Tue Jun 18 15:29:23 2013
From: furio+as at spin.it (furio ercolessi)
Date: Tue, 18 Jun 2013 15:29:23 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51BFEBAB.4010708@CC.UniVie.ac.at>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at>
Message-ID: <20130618132923.GA4854@spin.it>

On Tue, Jun 18, 2013 at 07:10:03AM +0200, Wilfried Woeber wrote:
> [...]
> May I suggest this description:
>
> http://www.ripe.net/ripe/groups/wg/anti-abuse
>
> On a more general aspect, please try to relate to the general road traffic:
> In most countries, I presume, the unique license plates are managed and issued
> by one or even more entities. Those entities do not accept any responsibility
> for the behaviour of the person using a uniquely identified vehicle.
>
> It is a task for the police or traffic wardens or whatever applies to your
> jurisdiction, to oversee the use of the vehicle according to *local* law.
>
> If a violation is observed or reported, it is the job of the regular legal
> system to follow up. If "someone" shouts to the maintainer of the unique
> license plate numbers "stop what I don't like", instead of getting in touch
> with the police, you will see limited success.
>
> Is this something you can relate to?

I think it is quite safe to assume that most readers here are well aware of what a RIR is, certainly including Ron who has been fighting network abuse for about two decades now - and I take this opportunity to thank him for working tirelessly during all this time.

During this time, we all have learnt that criminals are getting more and more organized, that their creativity and ability should not be underestimated, that we can contribute to defend the Internet from their destructive behavior in many different ways and, last but not least, that 'reporting to the police' does not scale well, due to a chronic lack of resources (time, skills, adequate international cooperation) on the law enforcement side.

I do not believe that anybody is asking RIPE NCC to take actions that pertain to law enforcement. I do believe, however, that the RIPE area has a problem with respect to other RIRs, and that some changes (in policies, enforcement of rules, etc) could be made to mitigate the problem somehow, still remaining within the limits of the RIR mandate.
One could have a fairly good idea of 'The Problem' by looking at the Spamhaus SBL listings attributed to the RIRs (as far as I understood, Spamhaus does that when the resources are directly allocated by the RIR to criminal groups and therefore no ISP can be accounted for them - the resources are freely moved from one ISP to another).

Today:

http://www.spamhaus.org/sbl/listings/AFRINIC ......   4 listings  [13]
http://www.spamhaus.org/sbl/listings/APNIC ........  19 listings  [55]
http://www.spamhaus.org/sbl/listings/ARIN ......... 289 listings  [84]
http://www.spamhaus.org/sbl/listings/LACNIC .......  10 listings  [20]
http://www.spamhaus.org/sbl/listings/RIPE ......... 307 listings  [49]

The number in brackets is the approximate total allocation size of the RIR in units of /8, extracted from http://labs.apnic.net/ipv4/report.html .

ARIN clearly has a serious problem too, but when the number of problems is normalized with the allocation size we obtain (number of problems per /8):

AFRINIC ..... 0.31
APNIC ....... 0.35
ARIN ........ 3.44
LACNIC ...... 0.50
RIPENCC ..... 6.27

Certainly one could argue that this is not the best possible metric as it reflects the point of view of a single actor, and I am sure one could find better metrics. Yet, the normalized result is a factor 2 worse than ARIN, and more than an order of magnitude worse than APNIC. I would doubt that other data could change the RIR order.

It may be that this result is simply due to a higher concentration of criminals in the RIPE area than in other areas. In all cases, as a European and a RIPE community member I feel ashamed of this outcome, knowing that I am also in part responsible for it for not having dedicated enough time and thought to this problem.

If you look at those Spamhaus listings, you will notice that a good fraction of them is due to 'snowshoe' spamming, where thousands of IP addresses are used as cannons to send unsolicited mail. There are networks as large as /14's used for this purpose. Is anyone here really thinking that this is a valid usage of scarce resources, considering that a well-behaved, opt-in based ESP can usually carry on its activity out of a /24?

If snowshoe spamming is not an acceptable motivation to get an assignment when asking for it - and I really hope this to be the case - then people could use a network to do that only if they make a false statement when asking for the assignment.

Now, RIPE-582 (February 2013) contains the following text:

"6.6 Validity of an Assignment

All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."

Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment. Then the RIPENCC problem, it seems to me, is that "no longer valid" ranges remain in use for a long period of time. This seems to indicate that there is no effective mechanism to enforce the rules.

Indeed, what is the semantic meaning of "no longer valid" if people continue to use those ranges for extended periods of time? "Invalid" with respect to what? RIPE-582 does not seem to address this point. If it does, please point me to the relevant section, or to another document that discusses this point.

At the end, the problem seems to boil down to these questions:

"Does the RIPE Community really want to have resources defined as "invalid", yet live without a real working mechanism to have these invalid resources claimed back and reassigned? If not, would the introduction of such an enforcement mechanism go against the acceptable operational limits for a RIR?
And if yes, what is the purpose of defining rules that cannot be enforced, and hence result in bad guys getting as many resources as they like by making false statements?"

Investigation on what other RIRs are doing in terms of reclaiming invalid resources could perhaps also be of help.

Thanks for the attention

furio ercolessi

From gert at space.net Tue Jun 18 15:44:46 2013
From: gert at space.net (Gert Doering)
Date: Tue, 18 Jun 2013 15:44:46 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130618132923.GA4854@spin.it>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it>
Message-ID: <20130618134446.GN2504@Space.Net>

Hi,

On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
> The number in brackets is the approximate total allocation size of the RIR
> in units of /8, extracted from http://labs.apnic.net/ipv4/report.html .
>
> ARIN clearly has a serious problem too, but when the number of
> problems is normalized with the allocation size we obtain (number
> of problems per /8):
>
> AFRINIC ..... 0.31
> APNIC ....... 0.35
> ARIN ........ 3.44
> LACNIC ...... 0.50
> RIPENCC ..... 6.27

I'm not sure what good is "normalizing by amount of /8s", as that is easily skewed by a few early and large allocations, of which ARIN has quite a lot.

Normalizing by *number of LIRs* seems to be a much more interesting metric to see "what percentage of the LIRs under a given RIR umbrella are problematic".

I do not have today's membership numbers at hand - last time I collected the figures (end of 2008), RIPE had 6428 members, ARIN had 3465. As far as I have followed the regions, the ratio of growth has been similar, so roughly, RIPE has about 2 times the amount of LIRs that ARIN has.

Now, with about the same entries in the Spamhaus RBL, distributed to *twice* the amount of "customers", I think the evil/good ratio in RIPE land is much better...

> Certainly one could argue that this is not the best possible metric
> as it reflects the point of view of a single actor, and I am sure one
> could find better metrics. Yet, the normalized result is a factor 2 worse
> than ARIN, and more than an order of magnitude worse than APNIC.
> I would doubt that other data could change the RIR order.

It really depends on what you're trying to prove. Of course there are bad actors in the RIPE region - but there are *many* actors here, and the percentage of bad actors is actually *lower* by a factor of 2 than in ARIN land.

(That APNIC has so few entries is surprising, but if, for example, all spam from .cn comes from a single APNIC member, it just shows that just looking at "how many LIRs in a given region are bad?" is not an overly useful metric).

> It may be that this result is simply due to a higher concentration
> of criminals in the RIPE area than in other areas.

No, it's due to "completely useless math". There are just many more actors in the RIPE area, so the same amount of criminals spread over *twice* the amount of RIR members is not "higher concentration" but "lower".

The number of "criminals per IP address" is indeed higher, yes. But what exactly is the use of that metric, except to show "ARIN has a larger share from the hoard of /8s"?

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
From ops.lists at gmail.com Tue Jun 18 16:22:23 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 18 Jun 2013 19:52:23 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130618134446.GN2504@Space.Net>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net>

As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular Romania, from his list below, what would RIPE NCC's figures fall to?

Most of those /14s are swipped and then re-swipped to a succession of shell companies that appear to remain valid for the minimum possible duration - and are typically (as creating a shell company in Romania requires valid ID) set up by the simple expedient of walking into a bar and paying a guy there a few euro to get him to use his ID to set up the shell company.

So even "a much larger number of customers in the RIPE region" is a figure that you would have to allow for substantial inflation in, when you consider these numbers.

--srs

On Tuesday, June 18, 2013, Gert Doering wrote:
> > ARIN clearly has a serious problem too, but when the number of
> > problems is normalized with the allocation size we obtain (number
> > of problems per /8):
> >
> > AFRINIC ..... 0.31
> > APNIC ....... 0.35
> > ARIN ........ 3.44
> > LACNIC ...... 0.50
> > RIPENCC ..... 6.27
>
> I'm not sure what good is "normalizing by amount of /8s", as that is
> easily skewed by a few early and large allocations, of which ARIN has
> quite a lot.
>
> Normalizing by *number of LIRs* seems to be a much more interesting metric
> to see "what percentage of the LIRs under a given RIR umbrella are
> problematic".

-- 
--srs (iPad)
From brian.nisbet at heanet.ie Tue Jun 18 17:09:48 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 18 Jun 2013 16:09:48 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net>
Message-ID: <51C0783C.7010708@heanet.ie>

There is no question in my mind that there is a massive problem in the RIPE NCC service region, just as there is elsewhere. I'm not convinced that there's any good in comparing them; rather, we should admit that there is such a problem.

I remain to be convinced that we will ever reach an agreed definition of network abuse, but I do think there are types of activity that are generally agreed to be abusive. But even with these, do we want the NCC to say "Ah, you have operated a botnet to crack credit card numbers, we will now deregulate!" I do not believe we will ever reach consensus on such a policy.

I *do* believe that there should be more rigour involved in obtaining addresses, but there you also have a problem of national law. If a state says "this company is a legitimate company" does the NCC have any right to argue?

Ronald, I ask this sincerely, and I apologise if I missed it before, but what is your definition of 'network abuse'? I'm not asking this to call you out, I'm genuinely interested. I know why definitions are important, but I also know how hard they can be and, given the limitations of what the NCC can do (and what I, as an operator, want it to do), I'm not sure how much use it will actually be to pursue such a thing.

Are there other ways of looking at this, of tackling it, that have more chance of success?

Brian

From h.lu at anytimechinese.com Tue Jun 18 17:21:26 2013
From: h.lu at anytimechinese.com (Lu Heng)
Date: Tue, 18 Jun 2013 17:21:26 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C0783C.7010708@heanet.ie>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <51C0783C.7010708@heanet.ie>

RIPE is a bookkeeper, not a law enforcer, and I guess we have enough law enforcers around each of us.

-- 
--
Kind regards.
Lu

This transmission is intended solely for the addressee(s) shown above. It may contain information that is privileged, confidential or otherwise protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited.
If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received.

From ops.lists at gmail.com Tue Jun 18 17:29:14 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 18 Jun 2013 20:59:14 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C0783C.7010708@heanet.ie>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <51C0783C.7010708@heanet.ie>

In general, a consensus definition of spam HAS evolved - and more to the point, a consensus on best practices for ISPs and marketers has evolved.

Whether or not some of the spam Ronald is concerned about is illegal - most of it tends to skate on the borderline between legal and illegal (and some of the gray areas keep getting plugged by regulatory action, court rulings etc) - a substantial part of it is the sort that leaves the IP space such customers acquired polluted and unusable by other customers, after it is abandoned by the spammers after being blacklisted and nullrouted beyond any viable further use.

The objective Furio has for these numbers is not as much to name and shame as to highlight just where the problem exists, and provide actionable metrics that can be used to zero in on and address the problem.

If you think Furio's math is bad, it might be a way forward to actually share usable metrics and discuss a statistical approach (possibly using as a platform a neutral third party like MAAWG - which the OECD and others have used for metrics data, and which represents a sizeable chunk of the ISP / antispam research and product / legitimate email marketer community).

I wish there was RIPE NCC representation at the recent Vienna MAAWG .. it'd have been good to discuss these and other ways forward.

thanks
srs

-- 
--srs (iPad)

From ops.lists at gmail.com Tue Jun 18 18:46:35 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 18 Jun 2013 22:16:35 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <51C0783C.7010708@heanet.ie>

I prefer to use the analogy of a bank manager disbursing loans. He has a fiduciary duty to ensure deadbeats don't get loans .. and any fraud .. he detects it, takes proactive action within his sphere of influence and passes it to law enforcement for actual punishment. But not granting or revoking the loan isn't something he leaves to the police.

On Tuesday, June 18, 2013, Lu Heng wrote:
> RIPE is a bookkeeper, not a law enforcer, and I guess we have enough
> law enforcers around each of us.

-- 
--srs (iPad)
URL: From gert at space.net Tue Jun 18 22:07:23 2013 From: gert at space.net (Gert Doering) Date: Tue, 18 Jun 2013 22:07:23 +0200 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <51C0783C.7010708@heanet.ie> Message-ID: <20130618200723.GO2504@Space.Net> Hi, On Tue, Jun 18, 2013 at 10:16:35PM +0530, Suresh Ramasubramanian wrote: > I prefer to use the analogy of a bank manager disbursing loans. He has a > fiduciary duty to ensure deadbeats don't get loans .. And any fraud .. He > detects it, takes proactive action within his sphere of influence and > passes it to law enforcement for actual punishment. But not granting or > revoking the loan isn't something he leaves to the police. Banks, in the western world of these days, are not exactly a good example for "trusted entities". I'd prefer the NCC to not turn into something that is very difficult to work with if you need their service, annoys you with advertising when you *don't* need their service, and if you give them your money, they spend it on casino activities and then need the taxpayer to bail them out... Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 306 bytes Desc: not available URL: From ops.lists at gmail.com Wed Jun 19 00:02:46 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 19 Jun 2013 03:32:46 +0530 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <20130618200723.GO2504@Space.Net> References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <51C0783C.7010708@heanet.ie> <20130618200723.GO2504@Space.Net> Message-ID: Which isn't quite a shining example of fiduciary duty but well, if we are to split hairs over an analogy rather than discuss what sort of fiduciary duty ripe NCC has towards being a custodian of v4 space .. On Wednesday, June 19, 2013, Gert Doering wrote: > > Banks, in the western world of these days, are not exactly a good example > for "trusted entities". > > I'd prefer the NCC to not turn into something that is very difficult to > work with if you need their service, annoys you with advertising when you > *don't* need their service, and if you give them your money, they spend it > on casino activities and then need the taxpayer to bail them out... > > > -- --srs (iPad) -------------- next part -------------- An HTML attachment was scrubbed... URL: From rfg at tristatelogic.com Wed Jun 19 01:39:26 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Tue, 18 Jun 2013 16:39:26 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51BFEBAB.4010708@CC.UniVie.ac.at> Message-ID: <67158.1371598766@server1.tristatelogic.com> In message <51BFEBAB.4010708 at CC.UniVie.ac.at>, Woeber at CC.UniVie.ac.at wrote: >May I suggest this description: > > http://www.ripe.net/ripe/groups/wg/anti-abuse So basically JUST spamming. Nothing about hacking, nothing about phishing or spear phishing, nothing about IP space hijacking (e.g. 
for SEO purposes only and NOT any spamming), nothing about credit card or other financial crimes, nothing about defrauding RIPE and/or entering deliberately bogus information into the RIPE data base. Is that about the size of it? From rfg at tristatelogic.com Wed Jun 19 03:31:30 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Tue, 18 Jun 2013 18:31:30 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: Message-ID: <68194.1371605490@server1.tristatelogic.com> In message Suresh Ramasubramanian wrote: >As a thought experiment, if Furio were to remove LIRs from Eastern Europe, >in particular, Romania, from his list below, what would RIPE NCC's figures >fall to? Gentlemen, Please excuse me for saying that this discussion seems to be veering rather dramatically away from where it began. Personally, I don't care how many crooks there are in this region or that region. As far as I am concerned a single crook (or spammer) in _any_ region is one too many, and indicates a failure of something. What, I'm not so sure. I understand that my friend Furio Ercolessi was attempting to spur this group, and/or RIPE NCC and/or RIPE generally to action, based upon some comparative numbers, and I applaud him for that effort, even if, as has been noted, both his methodology and the proper interpretation of his numbers can be (and now have been) questioned. >From my perspective, even if Furio had crunched the numbers and found RIPE to come out as having the least issues/problems of any RiR, I, for one, would still be asking for what I have asked for, a mere definition of "network abuse", and one which may be viewed as being binding within the RIPE region. The charter, such as it is, of this working group, appears to focus fairly exclusively on the issue of spamming. 
If this was arrived at by explicit intent of the RIPE membership then I will say here and now that I can live with that (and indeed, it isn't as if I would have any other choice). I would like to point out however that within the document alluded to earlier which contains what passes for a charter of this group, the terms "spam" and "spamming" are mentioned, but it isn't even clear whose definition of "spam" is being relied upon in this context, within that document, or within this group. This may seem to some as a petty point, but based upon long personal experience I can assure everyone most solemnly that (a) there are almost as many definitions of "spam" as there are people and (b) spammers themselves invariably define the term self-referentially as "that which I myself do not do". In short, this group could do worse things with its time than to at least develop a clear definition of the one and only particular kind of network abuse which, it seems, this group was formed to focus its attentions on, i.e. "spam". Regards, rfg From rfg at tristatelogic.com Wed Jun 19 04:55:48 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Tue, 18 Jun 2013 19:55:48 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51C0783C.7010708@heanet.ie> Message-ID: <69263.1371610548@server1.tristatelogic.com> In message <51C0783C.7010708 at heanet.ie>, Brian Nisbet wrote: >There is no question in my mind that there is a massive problem in the >RIPE NCC service region, just as there is elsewhere. I'm not convinced >that there's any good in comparing them, rather we should admit that >there is such a problem. As noted in my prior post, I agree entirely with Brian on this. >I remain to be convinced that we will ever reach an agreed definition of >network abuse... Please excuse me for stating the obvious, but the most certain way to insure that we will never succeed in such an effort is never to even try. 
>I *do* believe that there should be more rigour involved in obtaining
>addresses, but there you also have a problem of national law. If a state
>says "this company is a legitimate company" does the NCC have any right
>to argue?

An excellent question if ever there was one. Please allow me two responses.

Firstly, this sort-of reminds me of various classic and generally archetypal discussions/disagreements/confrontations that I had with various adult authority figures when I was growing up, in particular, my mother. I would begin by saying something like "Gee, ma, but all of the other kids are having fun, sniffing the fumes from felt-tip pens and then skateboarding down Lombard Street! So why can't I??" to which she would provide the stock pre-canned standard adult response "So, if Johnny jumped off a cliff would you do the same thing?"

If a given nation, or even a given municipality within the admirably diverse RIPE region decided to make criminality a virtue, would RIPE be in any sense, either legally, morally, or ethically obliged to follow suit? I don't think so. Would it be wise to do so? Again, I don't think so.

If Upper Volta decides tomorrow to diversify its flagging economy by making it 100% legal, within that jurisdiction, to offer DDoS-for-hire services, then should (or must) all nations and municipalities within the RIPE region then automatically assent to that lowest common denominator of sanity? (We have a saying that covers exactly such self-destructive outcomes in this country... "The Constitution is NOT a suicide pact.")

Secondly, although not probable, it is certainly possible that at some point the express laws of some nation or municipality within the RIPE region might come into direct conflict with what _already_ seems to be against the rules... or at the very least seriously frowned upon... within RIPE's jurisdiction, i.e. spamming. In such a case, whose rules should give way to whose?
Here in the United States, there are many who advocate for, and take the view that society would be safer if each and every last one of us owned and carried a gun around all of the time. This is certainly a debatable point, but every now and again some small municipality, usually somewhere in Texas, passes or tries to pass a law _requiring_ all citizens to own firearms.

Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has just passed a law _requiring_ all of its citizens to spam. What is RIPE going to do? Issue each citizen of Grand Fenwick his or her own /24?

In short, at what point does respect for the individuality and authority of the constituent nations and municipalities of the entire RIPE region cross over into unambiguous lunacy?

At the birth of my own nation, there existed 13 totally independent colonies, none of which could even stand to be in the same room with any of the others for any length of time. They all hated each other and each had their own preferred ways of doing things. In the end, they found a sufficiently motivating external threat that was enough to force them at least into a loose confederation.

I suggest that the kinds of threats to network stability and usefulness that we all know exist on the Internet today, and which we can reasonably anticipate are only likely to worsen in the future, are and should be enough for the RIPE membership to assert, at least to some minimal reasonable extent, its own independent authority, at least within that very limited jurisdiction which is, by all rights, more the property and province of RIPE than it is of any nation state, i.e. that portion of "cyberspace" which hovers like an unseen aether at all times over the RIPE geographic region.
This portion of cyberspace is in some ways more important than any of the individual nation states that happen to lie under it, and its continued stability and usefulness is most definitely _not_ the primary responsibility of any of those individual nation states, nor even all of them put together. As it is not their responsibility, what sense would it make (or what sense does it make) to defer exclusively to _their_ authority?

The answer is simple. It makes no sense at all. RIPE must have its own rules for the protection and stability of what is, after all, its own special dominion.

(Notwithstanding all of the above having been said, I want to be clear that I am not fundamentally an "internationalist". Nor would I by any means or on any occasion make any attempt to defend the so-called "Euro Project", let alone its now evident tragic consequences. I am an advocate only of pragmatism, of what makes sense, and of what works. The Euro does not. The Internet must.)

>Ronald, I ask this sincerely, and I apologise if I missed it before, but
>what is your definition of 'network abuse'?

Everything I don't like that goes on every day on the Internet. I could drag out the whole list, but I don't want to bore you. It's as long as your arm, and most definitely includes a LOT more than spamming.

But my own views on this are neither here nor there. I think that you and I agree that only that set of things that the community as a whole says are "network abuse" should be construed, for any practical purpose, to be such, and in this crowd I'm only one... or, as I myself would advocate, perhaps only 1/2 or 1/4 vote, as I neither reside in RIPE-land, nor do any substantial business there, nor, most importantly, do I operate an Internet-connected network there.

>I'm not asking this to call you out, I'm genuinely interested.

I am not offended and will be happy to give you a more detailed expose of my personal definition of "network abuse" off list.
>I know why definitions are important,
>but I also know how hard they can be and given the limitations of what
>the NCC can do (and what I, as an operator, want it to do) I'm not sure
>how much use it will actually be to pursue such a thing.

See above. What is RIPE going to do when Grand Fenwick starts _encouraging_ its citizens to spam, hack, and DDoS? All things considered, it would be Better if RIPE had an answer to this question well _before_ it comes to this, because I can assure you that eventually it _will_ come to this. It will be an inevitable result of the fact that money is involved, and lots of it.

>Are there other ways of looking at this, of tackling it, that have more
>chance of success?

None whatsoever. It is always politically expedient not to decide anything, but as I said earlier, not to decide is to decide.

Regards,
rfg

P.S. In the early 1970's, somehow and for some reason I cannot even remember now, I acquired a thin little paperback book that described what I dimly remember was probably the instruction set of the early PDP-11's. (This was before I had even touched any actual computer, let alone any PDP.) Anyway, in the first few pages, probably just after the title page of the book, I think, DEC had inserted a small quote from a poem. I have thought about that many times since. I don't know if I can even quote it accurately anymore... I somehow lost the book decades ago... but I'll try.

He took the wheel in a lashing raging storm.
"My plan is to have no plan!" he said.
And six months later,
"I have been driven by events."
-- The People, Yes Carl Sandburg From furio+as at spin.it Wed Jun 19 09:05:11 2013 From: furio+as at spin.it (furio ercolessi) Date: Wed, 19 Jun 2013 09:05:11 +0200 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <20130618134446.GN2504@Space.Net> References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> Message-ID: <20130619070511.GA30693@spin.it> On Tue, Jun 18, 2013 at 03:44:46PM +0200, Gert Doering wrote: > > No, it's due to "completely useless math". There are just many more > actors in the RIPE area, so the same amount of criminals spread over > *twice* the amount of RIR members is not "higher concentration" but > "lower". > > The number of "criminals per IP address" is indeed higher, yes. But > what exactly is the use of that metric, except to show "ARIN has a > larger share from the hoard of /8s"? Not going to argue with that. That indicator was just one like many others. I clearly failed to make my main point across: my main purpose was not to state that the RIPE area is "worse" than the ARIN area, and actually it do not think it really matters which one is worse. Let us just say that the situation is bad (and there seems to be consensus on this). My main point was in the second half of the post, and concerned the meaning of "invalid resources", their long lifetime, the fact that the current system is favoring people that lie about resource usage, while in fact the opposite should be the case. furio ercolessi From brian.nisbet at heanet.ie Wed Jun 19 10:24:58 2013 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Wed, 19 Jun 2013 09:24:58 +0100 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <67158.1371598766@server1.tristatelogic.com> References: <67158.1371598766@server1.tristatelogic.com> Message-ID: <51C16ADA.10806@heanet.ie> Ronald F. 
Guilmette wrote the following on 19/06/2013 00:39: > In message <51BFEBAB.4010708 at CC.UniVie.ac.at>, > Woeber at CC.UniVie.ac.at wrote: > >> May I suggest this description: >> >> http://www.ripe.net/ripe/groups/wg/anti-abuse > > So basically JUST spamming. > > Nothing about hacking, nothing about phishing or spear phishing, nothing > about IP space hijacking (e.g. for SEO purposes only and NOT any spamming), > nothing about credit card or other financial crimes, nothing about defrauding > RIPE and/or entering deliberately bogus information into the RIPE data base. > > Is that about the size of it? No, not really. I do note your comments about definitions, but I would also point out a couple of things. First off the important line in the charter is: "It is considered difficult for this charter to include an exhaustive list of abuse types that would be considered within the scope of this working group, not least because this is expected to change over time. However an initial list can be stated and any necessary additions can be made." The list that follows almost entirely touches on spam, unquestionably, but the WG itself has discussed and dealt with a range of other abuses. Additionally phishing (spear or otherwise) was certainly intended to be covered by Spam via SMTP. The aim was to start with a non-exhaustive list and not have a charter full of bullet points. The second point is that in Dublin in May Tobias and I undertook to review the charter and to see if we could usefully expand the list and the charter in general. Thirdly the WG has worked with the NCC on the Closure and Deregistration document http://www.ripe.net/ripe/docs/ripe-578 which I think covers some of your points above. There are definitely things missing, but I think it would be wrong to look at the charter in isolation, especially as that page also links to the minutes of the WG sessions that clearly show what else is going on. 
Brian From ops.lists at gmail.com Wed Jun 19 13:12:09 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Wed, 19 Jun 2013 16:42:09 +0530 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <20130619070511.GA30693@spin.it> References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130618134446.GN2504@Space.Net> <20130619070511.GA30693@spin.it> Message-ID: On Wednesday, June 19, 2013, furio ercolessi wrote: > My main point was in the second half of the post, and concerned > the meaning of "invalid resources", their long lifetime, the fact that > the current system is favoring people that lie about resource usage, > while in fact the opposite should be the case. > > This is correct - and actionable metrics should be straightforward to provide. What remains is policy proposals that are effective in getting such allocation requests denied and/or revoked. Which seems to be more of a can of worms here than in any other RIR. --srs -- --srs (iPad) -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists-ripe at c4inet.net Wed Jun 19 22:30:57 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Wed, 19 Jun 2013 21:30:57 +0100 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <67158.1371598766@server1.tristatelogic.com> References: <51BFEBAB.4010708@CC.UniVie.ac.at> <67158.1371598766@server1.tristatelogic.com> Message-ID: <20130619203057.GA55051@cilantro.c4inet.net> On Tue, Jun 18, 2013 at 04:39:26PM -0700, Ronald F. Guilmette wrote: >nothing about defrauding RIPE and/or entering deliberately bogus >information into the RIPE data base. Both of those *already* result in resource de-registration and closure of the LIR if found to have occurred. 
https://www.ripe.net/ripe/docs/ripe-578

rgds,
Sascha Luck

From lists-ripe at c4inet.net Wed Jun 19 22:42:55 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Wed, 19 Jun 2013 21:42:55 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <69263.1371610548@server1.tristatelogic.com>
References: <51C0783C.7010708@heanet.ie> <69263.1371610548@server1.tristatelogic.com>
Message-ID: <20130619204255.GB55051@cilantro.c4inet.net>

On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote:
>What is RIPE going to do when Grand Fenwick starts _encouraging_ its
>citizens to spam, hack, and DDoS?

Nothing. That is, nothing beyond making sure that the resource holder is registered in the ripedb -which it does- and that there is a contact to report abuse to -which it now also does-.

What the resource holder does with these resources is between them and their relevant legal authorities.

rgds,
Sascha Luck

From rfg at tristatelogic.com Wed Jun 19 23:47:31 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 19 Jun 2013 14:47:31 -0700
Subject: [anti-abuse-wg] Authorities, or lack thereof
Message-ID: <17142.1371678451@server1.tristatelogic.com>

Suresh Ramasubramanian wrote:
>What remains is policy proposals that are effective in getting such
>allocation requests denied and/or revoked. Which seems to be more of a can
>of worms here than in any other RIR.

I thank my friend Suresh for bringing to my attention a really more important issue, and one that I should have really considered before I made any of my recent posts imploring all within the Working Group to work on solidifying a firmer and more complete definition of "abuse".

As the Chair has courteously pointed out to me, the charter of this Working Group, such as it is, already is fairly clear that "spam" and "spamming" are most definitely issues within the remit of this Working Group.
But that begs the larger question: Assuming for the moment that there existed a case in which all or a majority of this Working Group were convinced that a given particular allocation of number resources was registered for, and was being used exclusively and completely for the production and distribution of spam, then at that point would either the Working Group, or its Chair, have either the authority or the responsibility to (a) direct or (b) request or (c) suggest that RIPE NCC withdraw/cancel/retract said allocation?

If neither (a) nor (b) nor even (c) applies, then regardless of the formal or working definition of "abuse", it would seem to me... intending no offense to any person here present... that the Working Group could not reasonably be viewed as anything other than a paper tiger, utterly devoid of teeth and/or authority, and thus of no particular value or use or significance to anyone or any thing... but I am more than willing to be convinced otherwise.

Regards,
rfg

From furio+as at spin.it Wed Jun 19 23:53:17 2013
From: furio+as at spin.it (furio ercolessi)
Date: Wed, 19 Jun 2013 23:53:17 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130619204255.GB55051@cilantro.c4inet.net>
References: <51C0783C.7010708@heanet.ie> <69263.1371610548@server1.tristatelogic.com> <20130619204255.GB55051@cilantro.c4inet.net>
Message-ID: <20130619215317.GA11346@spin.it>

On Wed, Jun 19, 2013 at 09:42:55PM +0100, Sascha Luck wrote:
> On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote:
>
> >What is RIPE going to do when Grand Fenwick starts _encouraging_ its
> >citizens to spam, hack, and DDoS?
>
> Nothing. That is, nothing beyond making sure that the resource holder
> is registered in the ripedb -which it does- and that there is a
> contact to report abuse to -which it now also does-.
>
> What the resource holder does with these resources is between them and
> their relevant legal authorities.
http://www.ripe.net/ripe/docs/ripe-584#addressing-plan indicates that RIPENCC _wants_ to know. I would really like to know if an Assignment Request Form for a /19 with 'snowshoe spamming' indicated in the 'Purpose' field would be accepted by RIPENCC. If not, I would really like to know what, for instance, the gentlemen that control 91.90.192.0/19 told RIPENCC about the intended purpose, and whether their statements are compatible with the PTR records defined on that block. furio From rfg at tristatelogic.com Thu Jun 20 00:20:39 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Wed, 19 Jun 2013 15:20:39 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <20130619204255.GB55051@cilantro.c4inet.net> Message-ID: <17498.1371680439@server1.tristatelogic.com> In message <20130619204255.GB55051 at cilantro.c4inet.net>, Sascha Luck wrote: >On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote: > >>What is RIPE going to do when Grand Fenwick starts _encouraging_ its >>citizens to spam, hack, and DDoS? > >Nothing. That is, nothing beyond making sure that the resource holder >is registered in the ripedb -which it does- and that there is a >contact to report abuse to -which it now also does-. > >What the resource holder does with these resources is between them and >their relevant legal authorities. Well, I'm sure glad that we got that cleared up. Regards, rfg From rfg at tristatelogic.com Thu Jun 20 04:17:57 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Wed, 19 Jun 2013 19:17:57 -0700 Subject: [anti-abuse-wg] Not entirely Off-Topic Message-ID: <20574.1371694677@server1.tristatelogic.com> By the way, would any of you happen to know where I might be able to purchase one of these t-shirts? 
http://www.flickr.com/photos/philwolff/96987427/ From ops.lists at gmail.com Thu Jun 20 04:22:02 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 20 Jun 2013 07:52:02 +0530 Subject: [anti-abuse-wg] Not entirely Off-Topic In-Reply-To: <20574.1371694677@server1.tristatelogic.com> References: <20574.1371694677@server1.tristatelogic.com> Message-ID: A serious question deserves a serious answer Cafepress On Jun 20, 2013 7:48 AM, "Ronald F. Guilmette" wrote: > > > By the way, would any of you happen to know where I might be able to > purchase one of these t-shirts? > > http://www.flickr.com/photos/philwolff/96987427/ > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Woeber at CC.UniVie.ac.at Thu Jun 20 06:12:46 2013 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber) Date: Thu, 20 Jun 2013 06:12:46 +0200 Subject: [anti-abuse-wg] Not entirely Off-Topic In-Reply-To: References: <20574.1371694677@server1.tristatelogic.com> Message-ID: <51C2813E.7000003@CC.UniVie.ac.at> Suresh Ramasubramanian wrote: > A serious question deserves a serious answer Yes. Here goes: I presume before it should be sold in any additional copies, the graphics SHOULD be amended by adding another brick on top: Religion. And the blurb with the "I am here" also needs to be moved up one brick. > Cafepress > On Jun 20, 2013 7:48 AM, "Ronald F. Guilmette" > wrote: > > >> >>By the way, would any of you happen to know where I might be able to >>purchase one of these t-shirts? >> >>http://www.flickr.com/photos/philwolff/96987427/ >> >> >> > > From ml at vdspek.org Thu Jun 20 10:08:24 2013 From: ml at vdspek.org (Olaf van der Spek) Date: Thu, 20 Jun 2013 10:08:24 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping Message-ID: Hi, I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. 
Does everyone roll their own?

--
Olaf
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From erik at bais.name Thu Jun 20 10:58:17 2013
From: erik at bais.name (Erik Bais)
Date: Thu, 20 Jun 2013 08:58:17 +0000
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To:
References:
Message-ID: <862A73D42343AE49B2FC3C32FDDFE91C5A6C9821@E2010-MBX04.exchange2010.nl>

Hi Olaf,

I use the API from ISC SANS (http://isc.sans.edu/api ) to do some parsing for me if needed.

cat send_abusemsg.sh

#!/bin/sh
for i in `cat uniq_IP_list`
do
    abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
    cat template.txt | sed "s/%%ip%%/$i/" | sed "s/%%email%%/$abuse/" | sendmail -oi -t
done

the uniq_IP_list is a file that has the offending IP addresses. 1 IP per line.

and the mail template that I use looks something like:

cat template.txt | more

To: %%email%%
Cc: noc@
From: abuse@
Subject: IP Address %%ip%% involved in DDoS attack

Dear abusedesk,

Please take action on the following IP address: %%ip%% due to a DDoS on an IP in our network.

The mentioned server with IP address: %%ip%% should be looked at directly as it is probably hacked or misconfigured to be abused.

Regards,

Does that answer your question?

Regards,
Erik Bais

From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Olaf van der Spek
Sent: Thursday 20 June 2013 10:08
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping

Hi,

I hope this is the right list for such a question.
How does one map an IP address to an abuse email address in an automated way?
I assume scripts exist, but I haven't found any. Does everyone roll their own?

--
Olaf
-------------- next part --------------
An HTML attachment was scrubbed...
From ripe-anti-spam-wg at powerweb.de Thu Jun 20 11:17:01 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 11:17:01 +0200
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To: References: Message-ID: <51C2C88D.9090704@powerweb.de>

Olaf van der Spek wrote:
> Hi,
>
> I hope this is the right list for such a question.
> How does one map an IP address to an abuse email address in an automated
> way?
> I assume scripts exist, but I haven't found any. Does everyone roll
> their own?

There are no public scripts to my knowledge.

This kind of automatic mapping is quite complicated and mostly internal know-how of f.e. blacklists that do automatic reporting.

The steps to do it are something like this:

- first you need to identify which RIR is responsible for the IP/netblock; this is tricky, because there are more RIRs than only RIPE, ARIN, LACNIC, AFRINIC and APNIC that actually hold the information you need (f.e. KRNIC and BRNIC aso) and because there are early registration networks that usually do not belong to the RIR you would expect
- all whois interfaces at the RIRs are different, parsing is difficult, different options too, and all have different regulations and fields with even doubled content
- then there are limits on how many whois queries you can do

We have a Perl script doing all this with over 3000 lines of code, and this code has to be adjusted nearly every month ...

It would be a dream if this group could discuss a standard whois output format for all RIRs.
And the final step could be a centralized whois, where anybody could ask for the abuse contact covering the data of all RIRs.

Kind regards, Frank
Network Operation Center - PowerWeb
--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================

>
>
> --
> Olaf

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 11:17:45 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 11:17:45 +0200
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To: <862A73D42343AE49B2FC3C32FDDFE91C5A6C9821@E2010-MBX04.exchange2010.nl>
References: <862A73D42343AE49B2FC3C32FDDFE91C5A6C9821@E2010-MBX04.exchange2010.nl>
Message-ID: <51C2C8B9.7030200@powerweb.de>

Erik Bais wrote:
> Hi Olaf,

Hi,

this interface does not find all possible abuse contacts, an example for
http://isc.sans.edu/api/ip/5.76.13.127

5.76.13.12700000 KZ 9198 KAZTELECOM-AS JSC Kazakhtelecom 5.76.0.0/16

no abuse contact, where a

# whois.ripe -b 5.76.13.127
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse.spam at telecom.kz

finds one ...

Kind regards, Frank

>
> I use the API from ISC SANS (http://isc.sans.edu/api ) to do some
> parsing for me if needed.
>
> cat send_abusemsg.sh
>
> #!/bin/sh
>
> for i in `cat uniq_IP_list`
>
> do
>
> abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep
> 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
>
> cat template.txt | sed "s/%%ip%%/$i/" | sed
> "s/%%email%%/$abuse/" | sendmail -oi -t
>
> done
>
> the uniq_IP_list is a file that has the offending IP addresses. 1 IP per
> line.
> > and the mail template that I use looks something like : > > cat template.txt | more > > To: %%email%% > > Cc: noc@ > > From: abuse@ > > Subject: IP Address %%ip%% involved in DDoS attack > > Dear abusedesk, > > Please take action on the following IP address: %%ip%% due to an DDoS > on an IP in our network. > > > > The mentioned server with IP address: %%ip%% should be looked at > directly as it is probably hacked or misconfigured to be abused. > > Regards, > > > > Does that answer your question? > > Regards, > > Erik Bais > > *From:*anti-abuse-wg-bounces at ripe.net > [mailto:anti-abuse-wg-bounces at ripe.net] *On Behalf Of *Olaf van der Spek > *Sent:* donderdag 20 juni 2013 10:08 > *To:* anti-abuse-wg at ripe.net > *Subject:* [anti-abuse-wg] Automatic IP -> abuse email address mapping > > Hi, > > I hope this is the right list for such a question. > > How does one map an IP address to an abuse email address in an automated > way? > > I assume scripts exist, but I haven't found any. Does everyone roll > their own? > > > -- > Olaf > From tk at abusix.com Thu Jun 20 11:23:05 2013 From: tk at abusix.com (Tobias Knecht) Date: Thu, 20 Jun 2013 11:23:05 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: References: Message-ID: <51C2C9F9.9020502@abusix.com> Hi, http://abusix.com/contactdb.html We are at the moment working on getting the new abuse-c in place as well. Thanks, Tobias Olaf van der Spek schrieb: > Hi, > > I hope this is the right list for such a question. > How does one map an IP address to an abuse email address in an automated > way? > I assume scripts exist, but I haven't found any. Does everyone roll > their own? 
> > > -- > Olaf From niall.oreilly at ucd.ie Thu Jun 20 13:13:52 2013 From: niall.oreilly at ucd.ie (Niall O'Reilly) Date: Thu, 20 Jun 2013 12:13:52 +0100 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <51C2C88D.9090704@powerweb.de> References: <51C2C88D.9090704@powerweb.de> Message-ID: <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> On 20 Jun 2013, at 10:17, Frank Gadegast wrote: > And the final step could be a centralized whois, anybody > could ask for the abuse contact covering the data > of all RIRs. Distributed, or actually centralized? Perhaps it would be useful to consider generalizing the referral mechanism described in 2.11 of the RIPE Database Query Reference Manual? /Niall From ripe-anti-spam-wg at powerweb.de Thu Jun 20 13:24:16 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 20 Jun 2013 13:24:16 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> Message-ID: <51C2E660.1000505@powerweb.de> > Distributed, or actually centralized? One souce, but could be distributed and mirror anyway ... > Perhaps it would be useful to consider generalizing the > referral mechanism described in 2.11 of the RIPE Database > Query Reference Manual? The main problem is, that IANA should be responsible for that, but they will not create a technical service for the public. A local RIR should not be responsible for abuse contacts for the worlds networks, but we do need a single starting point for all who like to report abuse. One whois covering all RIRs whois services at one place would be great, distributed per DNS even better ... 
Kind regards, Frank /Niall From denis at ripe.net Thu Jun 20 13:30:48 2013 From: denis at ripe.net (Denis Walker) Date: Thu, 20 Jun 2013 13:30:48 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <51C2C88D.9090704@powerweb.de> References: <51C2C88D.9090704@powerweb.de> Message-ID: <51C2E7E8.9080304@ripe.net> Dear Frank, The RIPE NCC has a Global Resource Service (GRS) where you can perform unlimited queries on operational data from all the 5 RIRs and all responses are returned in RIPE RPSL format. You can script your queries against the RIPE GRS using our API. I am, at this very moment, writing a new RIPE Labs article with all the latest details and improvements we have made recently to this service. We expect to publish this article next week. Regards Denis Walker Business Analyst RIPE NCC Database Team On 20/06/2013 11:17, Frank Gadegast wrote: > Olaf van der Spek wrote: >> Hi, >> >> I hope this is the right list for such a question. >> How does one map an IP address to an abuse email address in an automated >> way? >> I assume scripts exist, but I haven't found any. Does everyone roll >> their own? > > There are no public script to my knowledge > > This kind of automatic mapping is quite complicated and > mostly internal know-how of f.e. blacklists, that do > automatic reporting. > > The steps to do it are something like this: > > - first you need to identify, wich RIR is responsible for the > IP/netblock, this is tricky, because there more RIRs like > only RIPE, ARIN, LACNIC, AFRNINIC and APNIC, that actually > hold the information you need (f.e. 
KRNIC and BRNIC aso) and because > there are early registration networks, that usally do not > belong to the RIR you would expect > - all whois interfaces at the RIRs are different, parsing is > difficult, different options too and all have different regulations > and fields with even dubled content > - then there are limits, how many whois queries you can do > > We have a pearl-script doing all this with over > 3000 lines of code, and this code has to be adjusted > nearly every month ... > > It would be a dream, if this group could discuss > a standard whois output format for all RIRs. > And the final step could be a centralized whois, anybody > could ask for the abuse contact covering the data > of all RIRs. > > > Kind regards, Frank > Network Operation Center - PowerWeb > -- > MOTD: "have you enabled SSL on a website or mailbox today ?" > -- > PHADE Software - PowerWeb http://www.powerweb.de > Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de > Schinkelstrasse 17 fon: +49 33200 52920 > 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 > ====================================================================== > > > > > >> >> >> -- >> Olaf > > > From ripe-anti-spam-wg at powerweb.de Thu Jun 20 13:53:14 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 20 Jun 2013 13:53:14 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <51C2E7E8.9080304@ripe.net> References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> Message-ID: <51C2ED2A.60403@powerweb.de> Denis Walker wrote: > Dear Frank, Hi Denis, Im not sure, if this coveres what I would like to have, simply because you have to know to wich RIR the network belongs first. 
It's quite complicated to
- look the RIR up at whois.iana.org first, definitely needed for ERX networks
- make the whois at the RIR (and usually find that it sub-delegated the whois to another RIR like BRNIC or KRNIC)
- and end up with 10 different output formats

You can't explain that procedure to an end user ...

But maybe I understood your interface wrong, and I can really enter an IP at the GRS service and get the abuse contact email addresses ...

And I know through the experiences with our normal customer users that they simply do not report spam, because they have no single place to look it up, and then do not know where they should send an abuse complaint to.
Normal users are always quite puzzled when you tell them about whois services, RIRs aso; they have no idea about it, simply because they never heard anything about RIPE, IANA aso ...
Most don't even know what an IP address is ...
It's hard enough to tell them how to find the abusive IP in a mail header ...

And that's why people use services like SpamCop: they simply put the spam in a web form, and they do the rest (ok, not perfect, but handy anyway).

IANA should have such a central service ...

Kind regards, Frank

>
> The RIPE NCC has a Global Resource Service (GRS) where you can perform
> unlimited queries on operational data from all the 5 RIRs and all
> responses are returned in RIPE RPSL format. You can script your queries
> against the RIPE GRS using our API.
>
> I am, at this very moment, writing a new RIPE Labs article with all the
> latest details and improvements we have made recently to this service.
> We expect to publish this article next week.
>
> Regards
> Denis Walker
> Business Analyst
> RIPE NCC Database Team
>
> On 20/06/2013 11:17, Frank Gadegast wrote:
>> Olaf van der Spek wrote:
>>> Hi,
>>>
>>> I hope this is the right list for such a question.
>>> How does one map an IP address to an abuse email address in an automated
>>> way?
>>> I assume scripts exist, but I haven't found any.
Does everyone roll >>> their own? >> >> There are no public script to my knowledge >> >> This kind of automatic mapping is quite complicated and >> mostly internal know-how of f.e. blacklists, that do >> automatic reporting. >> >> The steps to do it are something like this: >> >> - first you need to identify, wich RIR is responsible for the >> IP/netblock, this is tricky, because there more RIRs like >> only RIPE, ARIN, LACNIC, AFRNINIC and APNIC, that actually >> hold the information you need (f.e. KRNIC and BRNIC aso) and because >> there are early registration networks, that usally do not >> belong to the RIR you would expect >> - all whois interfaces at the RIRs are different, parsing is >> difficult, different options too and all have different regulations >> and fields with even dubled content >> - then there are limits, how many whois queries you can do >> >> We have a pearl-script doing all this with over >> 3000 lines of code, and this code has to be adjusted >> nearly every month ... >> >> It would be a dream, if this group could discuss >> a standard whois output format for all RIRs. >> And the final step could be a centralized whois, anybody >> could ask for the abuse contact covering the data >> of all RIRs. >> >> >> Kind regards, Frank >> Network Operation Center - PowerWeb >> -- >> MOTD: "have you enabled SSL on a website or mailbox today ?" >> -- >> PHADE Software - PowerWeb http://www.powerweb.de >> Inh. Dipl.-Inform. 
Frank Gadegast mailto:frank at powerweb.de >> Schinkelstrasse 17 fon: +49 33200 52920 >> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 >> ====================================================================== >> >> >> >> >> >>> >>> >>> -- >>> Olaf >> >> >> > > From brian.nisbet at heanet.ie Thu Jun 20 13:59:43 2013 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Thu, 20 Jun 2013 12:59:43 +0100 Subject: [anti-abuse-wg] Authorities, or lack thereof In-Reply-To: <17142.1371678451@server1.tristatelogic.com> References: <17142.1371678451@server1.tristatelogic.com> Message-ID: <51C2EEAF.9010907@heanet.ie> Ronald, I suspect you won't like my answer, but I think there's also a fundamental misunderstanding of the role of Working Groups in the RIPE Community at the heart of your question. Ronald F. Guilmette wrote the following on 19/06/2013 22:47: > Suresh Ramasubramanian wrote: > >> What remains is policy proposals that are effective in getting such >> allocation requests denied and/or revoked. Which seems to be more of a can >> of worms here than in any other RIR. > > I thank my friend Suresh for bringing to my attention a really more > important issue, and one that I should have really considered before > I made any of my recent posts imploring all within the Working Group > to work on solidifying a firmer and more complete defintion of "abuse". > > As the Chair has courteously pointed out to me, the charter of this > Working Group, such as it is, already is fairly clear that "spam" and > "spamming" are most definitely issues within the remit of this Working > Group. 
But that begs the larger question: Assuming for the moment > that there existed a case in which all or a majority of this Working > Group were convinced that a given particular allocation of number > resources was registered for, and was being used exclusively and com- > pletely for the production and distribution of spam, then at that > point would either the Working Group, or its Chair, have either the > authority or the responsibility to (a) direct or (b) request or (c) > suggest that RIPE NCC withdraw/cancel/retract said allocation? This WG has no greater authority to direct or request anything from the NCC than any other member of the community. The WG is not, explicitly, a group within the community that directly deals with abuse. It is a group of people who are interested in the subject, who may well work together to create policies or documents or form a better understanding of the issue, but it is not a created group to deal with abuse. Now, to go a bit further here. The members of the WG can ask the NCC to do a particular thing. Depending on the thing that might be an action item that arises out of the mailing list or a meeting (eg Could the NCC please clarify under exactly what circumstances an LIR could be closed or deregistered). The alternative is a policy (eg Could the NCC please implement the abuse-c). The WG cannot say "we do not like this operator, please shut them down" in the same way the Routing WG cannot say "we require all members of the NCC to abandon BGP". That is not what WGs in the RIPE community are for. The WG can of course make the NCC aware of a bad operator and the WG can certainly give advice on how best to bring such issues to the NCC's attention (or to the attention of LEAs etc), but neither Tobias nor I sit down with the NCC and go through lists of LIRs, pointing out who is naughty or nice. > If neither (a) nor (b) nor even (c) applies, then regardless of the > formal or working definition of "abuse", it would seem to me... 
in- > tending no offense to any person here present... that the Working > Group could not reasonably be viewed as anything other than a paper > tiger, utterly devoid of teeth and/or authority, and thus of no > particular value or use or significance to anyone or any thing... > but I am more than willing to be convinced otherwise. First off, no offence is taken. :) However, I think your comments here stem from a fundamental misunderstanding of how the community (of which you are a part, regardless of your earlier comments on the list) works. The WG was not set up to up to do those things. It has been a handy by-product of sharing information and expertise that reports have been passed on to the NCC, but it's not why we're here. There are 9000+ members of the RIPE NCC and countless others in the community. All of those operators will tell you "my network, my rules" albeit they are forced by law or contract to take other views into consideration. They are not beholden to this or any other WG unless a policy is made or a motion passed by the membership. At no point in the Charter for the AA-WG does it suggest we're here to take back resources, so I'm genuinely very interested to know where this all came from? 
Brian Co-Chair, AA-WG From ripe-anti-spam-wg at powerweb.de Thu Jun 20 14:00:32 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 20 Jun 2013 14:00:32 +0200 Subject: [anti-abuse-wg] central whois In-Reply-To: <51C2E7E8.9080304@ripe.net> References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> Message-ID: <51C2EEE0.4040604@powerweb.de> Denis Walker wrote: > Dear Frank, BTW: there is still no simple form under www.ripe.net (maybe upper right corner, directly under the search field), that says: enter an abusive IP address here, and we tell you, where to send an abuse report to ___ ___ ___ ___ (get abuse contact email address) This should be technical pretty easy, because whois -b is in place, but an end user would never us a whois service and play with options ... So: we cannot even send end customers to www.ripe.net ... Kind regards, Frank > > The RIPE NCC has a Global Resource Service (GRS) where you can perform > unlimited queries on operational data from all the 5 RIRs and all > responses are returned in RIPE RPSL format. You can script your queries > against the RIPE GRS using our API. > > I am, at this very moment, writing a new RIPE Labs article with all the > latest details and improvements we have made recently to this service. > We expect to publish this article next week. > > Regards > Denis Walker > Business Analyst > RIPE NCC Database Team > > On 20/06/2013 11:17, Frank Gadegast wrote: >> Olaf van der Spek wrote: >>> Hi, >>> >>> I hope this is the right list for such a question. >>> How does one map an IP address to an abuse email address in an automated >>> way? >>> I assume scripts exist, but I haven't found any. Does everyone roll >>> their own? >> >> There are no public script to my knowledge >> >> This kind of automatic mapping is quite complicated and >> mostly internal know-how of f.e. blacklists, that do >> automatic reporting. 
>> >> The steps to do it are something like this: >> >> - first you need to identify, wich RIR is responsible for the >> IP/netblock, this is tricky, because there more RIRs like >> only RIPE, ARIN, LACNIC, AFRNINIC and APNIC, that actually >> hold the information you need (f.e. KRNIC and BRNIC aso) and because >> there are early registration networks, that usally do not >> belong to the RIR you would expect >> - all whois interfaces at the RIRs are different, parsing is >> difficult, different options too and all have different regulations >> and fields with even dubled content >> - then there are limits, how many whois queries you can do >> >> We have a pearl-script doing all this with over >> 3000 lines of code, and this code has to be adjusted >> nearly every month ... >> >> It would be a dream, if this group could discuss >> a standard whois output format for all RIRs. >> And the final step could be a centralized whois, anybody >> could ask for the abuse contact covering the data >> of all RIRs. >> >> >> Kind regards, Frank >> Network Operation Center - PowerWeb >> -- >> MOTD: "have you enabled SSL on a website or mailbox today ?" >> -- >> PHADE Software - PowerWeb http://www.powerweb.de >> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de >> Schinkelstrasse 17 fon: +49 33200 52920 >> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 >> ====================================================================== >> >> >> >> >> >>> >>> >>> -- >>> Olaf >> >> >> > > From leo.vegoda at icann.org Thu Jun 20 14:05:17 2013 From: leo.vegoda at icann.org (Leo Vegoda) Date: Thu, 20 Jun 2013 05:05:17 -0700 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <51C2E660.1000505@powerweb.de> References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> Message-ID: <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> Hi Frank, Frank Gadegast wrote: [...] 
> > Perhaps it would be useful to consider generalizing the > > referral mechanism described in 2.11 of the RIPE Database > > Query Reference Manual? > > The main problem is, that IANA should be responsible > for that, but they will not create a technical service > for the public. Can you please expand upon that? ICANN currently provide a whois service (whois.iana.org) which provides the same information as is found in the registries we publish. If there is a strong demand for improvements to the service then please let us know. Kind regards, Leo Vegoda -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5475 bytes Desc: not available URL: From brian.nisbet at heanet.ie Thu Jun 20 14:08:03 2013 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Thu, 20 Jun 2013 13:08:03 +0100 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <69263.1371610548@server1.tristatelogic.com> References: <69263.1371610548@server1.tristatelogic.com> Message-ID: <51C2F0A3.8040302@heanet.ie> Ronald, I'm going to snip a lot of this mail, but there's a core issue I'd like to address. > Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has > just passed a law _requiring_ all of its citizens to spam. What is RIPE > going to do? Issue each citizen of Grand Fenwick his or her own /24? > In short, at what point does respect for the individuality and authority > of the constituent nations and municipalities of the entire RIPE region > cross over into unambiguous lunacy? It's an interesting hypothetical, certainly. There are a number of possible options. The first is that the EU, or just the Netherlands, became aware of this and said "These people are bad, EU companies may not trade with them". The RIPE NCC operates under Dutch law, so they would be forced to stop doing business with those people. 
This has happened recently in relation to companies who are under sanctions. The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid." The third option may be that the law is passed, the resources are handed out and the RIPE community, so incensed by this, writes a policy that allows for far more invasive deregistration and closure steps and the membership of the NCC signs off on this. It would be... fun (fcvo fun) to watch and I suspect Nigel may cry. Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :) Brian From ripe-anti-spam-wg at powerweb.de Thu Jun 20 14:27:49 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 20 Jun 2013 14:27:49 +0200 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> Message-ID: <51C2F545.6020303@powerweb.de> Leo Vegoda wrote: > Hi Frank, Hi Leo, >> > Perhaps it would be useful to consider generalizing the > > > referral mechanism described in 2.11 of the RIPE Database > > > Query Reference Manual? >> >> The main problem is, that IANA should be responsible >> for that, but they will not create a technical service >> for the public. > > Can you please expand upon that? 
Well, I might be uninformed, but when asking IANA's whois I simply get:

# whois.ripe -h whois.iana.org 85.237.64.1
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      85.0.0.0 - 85.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

whois:        whois.ripe.net

changed:      2004-04
source:       IANA

So, it only tells me the responsible RIR.
Now I know it's RIPE, then I have to ask RIPE (and when IANA tells me APNIC, I might have to ask APNIC first, which tells me it's KRNIC ...)

There might be more when using options, but I would like a command like the following, which would return one single line:

# whois -h abuse.iana.org 85.237.64.1
abuse at powerweb.de

So, there should be an interface between IANA and all RIRs to query abuse contacts; IANA knows at least which RIR to ask.
If IANA sees an IP from RIPE, it's pretty easy: the whois could connect to whois.ripe.net, make the -b and return a standardised line.
If it's that simple with other RIRs, I don't really know; f.e. ARIN holds its abuse contacts still in about 4 different places.
APNIC could be pretty easy, because of the IRT object; others are really hard, because even IANA probably does not know which RIR delegated which network to which sub-RIR (like BRNIC).

And the final interface should be presented under https://abuse.iana.org doing exactly the same: one sentence explaining what it's for, one field to enter an IP, one button, and following, one line as result.
Simple, clean and easy to use for everyone.

Then we would have ONE single place where to look up published abuse contact email addresses.
We could direct our end users to it when they like to report abuse, and we would have one single source for automatic reporting ...

> ICANN currently provide a whois service (whois.iana.org) which provides
> the same information as is found in the registries we publish.
"Your" information, not the abuse contacts from all RIRs whois service, I guess (or does IANA mirrors all of them ?) ... > If there > is a strong demand for improvements to the service then please let us > know. Yes, please (strong demand, really strong demand, the most important demand ;o) Kind regards, Frank > > Kind regards, > > Leo Vegoda > From leo.vegoda at icann.org Thu Jun 20 14:50:04 2013 From: leo.vegoda at icann.org (Leo Vegoda) Date: Thu, 20 Jun 2013 05:50:04 -0700 Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping In-Reply-To: <51C2F545.6020303@powerweb.de> References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> Message-ID: <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org> Hi Frank, Frank Gadegast wrote: [...] > >> The main problem is, that IANA should be responsible > >> for that, but they will not create a technical service > >> for the public. > > > > Can you please expand upon that? [...] > So, it only tells me the reponsible RIR. > Now I know its RIPE, then I have to ask RIPE > (and when IANA tells me APNIC, I might have to > ask APNIC first, wich tells me, its KRNIC ...) > > There might be more, when using options, but I would > like a command like the following wich would > return one single line > > # whois -h abuse.iana.org 85.237.64.1 > abuse at powerweb.de > > So, there should be an interface between IANA > and all RIRs to query abuse contacts, > IANA knows at least, which RIR to ask. We could implement an active referral service if there was strong demand for it. However, I wonder whether taping lots of whois servers together with web interfaces and scripting is the right way to go. 
As I understand it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be able to deliver a reply that is effectively a referral or redirect to another server" as well as supporting internationalised addresses and so forth. That might be a better way to go.

Regards,

Leo

From gert at space.net Thu Jun 20 15:03:46 2013
From: gert at space.net (Gert Doering)
Date: Thu, 20 Jun 2013 15:03:46 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <51C2EEE0.4040604@powerweb.de>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de>
Message-ID: <20130620130346.GM2504@Space.Net>

Hi,

On Thu, Jun 20, 2013 at 02:00:32PM +0200, Frank Gadegast wrote:
> enter an abusive IP address here, and we tell you,
> where to send an abuse report to
> ___ ___ ___ ___ (get abuse contact email address)

What sort of input field would that be? IP addresses are no longer fitting into 4 groups of 3 digits.

Just because *you* do not see abuse coming from IPv6 addresses...

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 15:08:07 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 15:08:07 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <20130620130346.GM2504@Space.Net>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <20130620130346.GM2504@Space.Net>
Message-ID: <51C2FEB7.7020002@powerweb.de>

Gert Doering wrote:
> Hi,
>
> On Thu, Jun 20, 2013 at 02:00:32PM +0200, Frank Gadegast wrote:
>> enter an abusive IP address here, and we tell you,
>> where to send an abuse report to
>> ___ ___ ___ ___ (get abuse contact email address)
>
> What sort of input field would that be? IP addresses are no longer
> fitting into 4 groups of 3 digits.
>
> Just because *you* do not see abuse coming from IPv6 addresses...

Hm ... maybe because this is only a fuzzy idea floating in my head, not a final draft ?

>
> Gert Doering
> -- NetMaster
>

Kind regards, Frank

From lists-ripe at c4inet.net Thu Jun 20 15:10:15 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Thu, 20 Jun 2013 14:10:15 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C2F0A3.8040302@heanet.ie>
References: <69263.1371610548@server1.tristatelogic.com> <51C2F0A3.8040302@heanet.ie>
Message-ID: <20130620131014.GA58774@cilantro.c4inet.net>

Hi Brian,

On Thu, Jun 20, 2013 at 01:08:03PM +0100, Brian Nisbet wrote:
>The second may be that while these companies may be legitimate
>businesses the NCC is aware of the local law and says, "Ah, no, we
>know, for a fact, that you are mandated to use these resources for
>network abuse, therefore your application is invalid."

Hmmm. That raises an interesting question: What *does* the NCC consider "network abuse" and grounds to deny an, otherwise legitimate, request? I was not aware that the RAs even have this option...
rgds,
Sascha Luck

From brian.nisbet at heanet.ie Thu Jun 20 15:16:51 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 20 Jun 2013 14:16:51 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130620131014.GA58774@cilantro.c4inet.net>
References: <69263.1371610548@server1.tristatelogic.com> <51C2F0A3.8040302@heanet.ie> <20130620131014.GA58774@cilantro.c4inet.net>
Message-ID: <51C300C3.6020507@heanet.ie>

Sascha Luck wrote the following on 20/06/2013 14:10:
> Hi Brian,
>
> On Thu, Jun 20, 2013 at 01:08:03PM +0100, Brian Nisbet wrote:
>> The second may be that while these companies may be legitimate
>> businesses the NCC is aware of the local law and says, "Ah, no, we
>> know, for a fact, that you are mandated to use these resources for
>> network abuse, therefore your application is invalid."
>
> Hmmm. That raises an interesting question: What *does* the NCC
> consider "network abuse" and grounds to deny an, otherwise legitimate,
> request? I was not aware that the RAs even have this option...

Please note the word "may". We're still talking hypotheticals and I doubt this would be the decision of just one IPRA. I would also not presume to speak for the NCC.

Brian

From BECHA at ripe.net Thu Jun 20 15:18:04 2013
From: BECHA at ripe.net (Vesna Manojlovic)
Date: Thu, 20 Jun 2013 15:18:04 +0200
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To:
References:
Message-ID: <51C3010C.8070901@ripe.net>

Hi Olaf, all,

On 6/20/13 10:08 AM, Olaf van der Spek wrote:
> Hi,
>
> I hope this is the right list for such a question.
> How does one map an IP address to an abuse email address in an automated
> way?
> I assume scripts exist, but I haven't found any. Does everyone roll
> their own?
For the IP addresses and AS numbers in the RIPE Database, you can use the "ripestat" text service / abuse finder widget/functionality (*)

puppy:becha:~ $ whois -h stat.ripe.net " -d abuse-contact-finder -s anti_abuse_contacts.abuse_c.0.email 5.2.25.1"

the answer should be: csm-dpto.comunicaciones at ibermatica.com

I hope this helps,
Vesna

(*) More details in this RIPE Labs article:
https://labs.ripe.net/Members/cteusche/finding-anti-abuse-contact-information-with-ripestat

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 15:21:23 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 15:21:23 +0200
Subject: [anti-abuse-wg] centralized abuse whois
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org>
Message-ID: <51C301D3.6010305@powerweb.de>

Leo Vegoda wrote:
> Hi Frank,
>
> Frank Gadegast wrote:
>
> [...]
>
>>>> The main problem is, that IANA should be responsible
>>>> for that, but they will not create a technical service
>>>> for the public.
>>>
>>> Can you please expand upon that?
>
> [...]
>
>> So, it only tells me the responsible RIR.
>> Now I know it's RIPE, then I have to ask RIPE
>> (and when IANA tells me APNIC, I might have to
>> ask APNIC first, which tells me it's KRNIC ...)
>>
>> There might be more, when using options, but I would
>> like a command like the following which would
>> return one single line
>>
>> # whois -h abuse.iana.org 85.237.64.1
>> abuse at powerweb.de
>>
>> So, there should be an interface between IANA
>> and all RIRs to query abuse contacts,
>> IANA knows at least which RIR to ask.
>
> We could implement an active referral service if there was strong demand
> for it.
The problem is how to estimate a demand for people that are no "pros" and have no idea that they would probably like this central service.

I believe that there are no members on this list that do not know how to find an abuse contact with current tools, so this list would not be representative ... even the RIRs' members themselves would not be representative ...

> However, I wonder whether taping lots of whois servers together
> with web interfaces and scripting is the right way to go. As I understand
> it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be able
> to deliver a reply that is effectively a referral or redirect to another
> server" as well as supporting internationalised addresses and so forth.

URL?

> That might be a better way to go.

But why do things always need to be complicated? Using this way, it would not work during the next 5 years ... Remember how long it took to have the abuse-c and the -b option at RIPE ...

And involving groups and standards and all the like would end up in an interface so complicated that it isn't useful for normal people anymore, it will be full of options, explanations, dos and don'ts, funny APIs based on pretty seldom standards and the like ...

The more easy way would probably be:
- IANA tells the RIRs to implement a whois like the "whois -b" from RIPE only reachable from IANA's servers (let's say until August ;o)
- IANA creates the new whois under abuse.iana.org, and refers the queries and standardizes the output

I would estimate about 1/2 hour work on IANA's side ...

Done, bingo.
> Regards,
>
> Leo

Kind regards, Frank

From leo.vegoda at icann.org Thu Jun 20 15:33:59 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Thu, 20 Jun 2013 06:33:59 -0700
Subject: [anti-abuse-wg] centralized abuse whois
In-Reply-To: <51C301D3.6010305@powerweb.de>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org> <51C301D3.6010305@powerweb.de>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org>

Hi Frank,

Frank Gadegast wrote:

[...]

> > We could implement an active referral service if there was strong
> > demand
> > for it.
>
> The problem is how to estimate a demand for people that are no "pros"
> and have no idea that they would probably like this central service.

I wonder whether asking end users to report abuse is the right way to go. Would it not be more effective for the user to inform their service provider that a message or event is abuse and rely on the service provider to do the right thing? After all, most people ask a mechanic to service their car rather than learn how to do that.

[...]

> > However, I wonder whether taping lots of whois servers together
> > with web interfaces and scripting is the right way to go. As I
> > understand
> > it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be
> > able
> > to deliver a reply that is effectively a referral or redirect to
> > another
> > server" as well as supporting internationalised addresses and so
> > forth.
>
> URL?

The requirements are here:
http://tools.ietf.org/id/draft-kucherawy-weirds-requirements-04.txt

and the charter is here:
http://tools.ietf.org/wg/weirds/charters

[...]
> And involving groups and standards and all the like would end up
> in an interface so complicated that it isn't useful for normal
> people anymore, it will be full of options, explanations, dos
> and don'ts, funny APIs based on pretty seldom standards and the like ...

I believe that one of the requirements is that the protocol is simple and lightweight.

> The more easy way would probably be:
> - IANA tells the RIRs to implement a whois like the "whois -b" from RIPE
> only reachable from IANA's servers (let's say until August ;o)
> - IANA creates the new whois under abuse.iana.org, and refers the
> queries and standardizes the output

In this bottom-up world the policies and requirements are given to ICANN as the IANA functions operator. ICANN doesn't command the RIRs to perform specific tasks. If you want to place a requirement on ICANN and the RIRs along the lines above, you could go down the Global Policy route and ask the ASO AC to start a global policy process. Details here:
http://archive.icann.org/en/aso/aso-mou-attachmentA-29oct04.htm

Regards,

Leo Vegoda

From lists-ripe at c4inet.net Thu Jun 20 15:43:03 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Thu, 20 Jun 2013 14:43:03 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C300C3.6020507@heanet.ie>
References: <69263.1371610548@server1.tristatelogic.com> <51C2F0A3.8040302@heanet.ie> <20130620131014.GA58774@cilantro.c4inet.net> <51C300C3.6020507@heanet.ie>
Message-ID: <20130620134303.GB58774@cilantro.c4inet.net>

On Thu, Jun 20, 2013 at 02:16:51PM +0100, Brian Nisbet wrote:
> Please note the word "may". We're still talking hypotheticals and I
> doubt this would be the decision of just one IPRA. I would also not
> presume to speak for the NCC.

Oh, OK.
Too subtle for me to pick up on ;)

cheers,
Sascha Luck

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 16:06:39 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 16:06:39 +0200
Subject: [anti-abuse-wg] centralized abuse whois
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org> <51C301D3.6010305@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org>
Message-ID: <51C30C6F.2000807@powerweb.de>

Leo Vegoda wrote:
> Hi Frank,

Hi,

>> The problem is how to estimate a demand for people that are no "pros"
>> and have no idea that they would probably like this central service.
>
> I wonder whether asking end users to report abuse is the right way to go.
> Would it not be more effective for the user to inform their service
> provider that a message or event is abuse and rely on the service provider
> to do the right thing. After all, most people ask a mechanic to service
> their car rather than learn how to do that.

Quite right, our users simply want that no spam arrives at all.

Reporting reduces spam a lot, simply because it makes the originator aware of a problem (he might fix it or not). Even our normal customers and end users are aware of this, but they have no tools to do it right and easily.

SpamCop is pretty often used by our end users, simply because they paste the email or forward the spam to SpamCop and they do the rest, and it's simple to use.
Other ISPs would probably like to have such a reporting service for their customers, but struggle because of the quite complicated structure of how abuse contacts are stored all over the world (if you remember, the "automatic mapping" was the start of this discussion this morning).

abusix is a good example, they don't do some "magic". They are gluing the whois services together and it works brilliantly, I think it's the most up-to-date abuse address source currently available.

But: why should everybody depend on a service someone implemented to cover the inability of the ones that ARE responsible for the resources? Hm? Why do big organizations not think like companies and simply present the best solution themselves?

So, a unique interface to "find" the abuse contact's email address, world-wide, would be a good start for ISPs and blacklists to start a reporting service as well as for slightly-advanced end-users ... even think of admins in local (business) networks responsible for the spam their co-workers receive ...

And again: this whois or web interface isn't something new nor is it something you need to ask the community for. The data is public, simply wrap it up under a unique place. You don't have to force the RIRs to implement their bit, IANA could ask them for an unrestricted whois channel and implement the parsing themselves ...

> I believe that one of the requirements is that the protocol is simple and
> lightweight.

Sure, but it would be something new again, and would take ages ...

What's wrong with something you can build today? Using whois? Anything wrong with whois? Or a web interface?
>> The more easy way would probably be:
>> - IANA tells the RIRs to implement a whois like the "whois -b" from RIPE
>> only reachable from IANA's servers (let's say until August ;o)
>> - IANA creates the new whois under abuse.iana.org, and refers the
>> queries and standardizes the output
>
> In this bottom-up world the policies and requirements are given to ICANN
> as the IANA functions operator. ICANN doesn't command the RIRs to perform
> specific tasks.

Sure not, but sometimes policies are just "in-the-way". All RIRs do meet regularly, so get their admins at a little table in a bar and simply do it ...

A centralized whois isn't something "new". It's just a unique way to present information that is already available, but difficult to find.

> If you want to place a requirement on ICANN and the RIRs
> along the lines above, you could go down the Global Policy route and ask
> the ASO AC to start a global policy process. Details here:
> http://archive.icann.org/en/aso/aso-mou-attachmentA-29oct04.htm

I knew this answer would come, that's why I said in my first mail today that IANA would not implement a service for the public ... Specially because I asked IANA about 2 years ago for it and guess what the answer was ...

> Regards,
>
> Leo Vegoda

Kind regards, Frank

P.S.: So, forget my query. I'm happy that I know how to find abuse contacts and can do the reporting automatically, why did I even think of asking IANA? We have automatic reporting for our customers and that gives me some kind of advantage over my competitors. Sorry, I'm so stupid ...
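The "glue the whois services together" lookup this thread keeps circling (ask IANA which registry holds the block, then parse that registry's own output format), as an added offline example that is not code from the list, from abusix or from any registry. It runs against trimmed copies of the IANA, LACNIC, APNIC and JPNIC responses quoted elsewhere in this thread, with a canned `fetch` standing in for a whois connection; the e-mail regex and the order in which contact sources are preferred are assumptions of this example, and a real tool would also have to respect each registry's query limits.

```python
import re

# Constructed fixtures: trimmed copies of the responses quoted in this thread.
IANA_201 = """\
% IANA WHOIS server
refer:        whois.lacnic.net

organisation: LACNIC
whois:        whois.lacnic.net
"""
LACNIC_201 = """\
inetnum:     201.237.64/23
owner:       NOSARA
abuse-c:     REJ

nic-hdl:     REJ
person:      Desarrollo de la Red - DDIBA
e-mail:      gspam@ICE.GO.CR
"""
APNIC_134 = """\
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
remarks:        Email address for spam or abuse complaints : abuse@sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
"""
JPNIC_134 = """\
Network Information:
[Network Number]                134.180.0.0/16
[Abuse]                         abuse@sannet.ne.jp
"""
# (server, query) -> response; stands in for a real whois connection.
CANNED = {
    ("whois.iana.org", "201.237.64.1"): IANA_201,
    ("whois.lacnic.net", "201.237.64.1"): LACNIC_201,
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # assumed, deliberately loose


def canned_fetch(server, query):
    """Offline stand-in for whois(1): look the response up in CANNED."""
    return CANNED.get((server, query), "")


def parse_rpsl(text):
    """Split RPSL-style output into objects, each a list of (key, value).
    Blank lines separate objects; lines starting with '%' are server chatter."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                objects.append(current)
                current = []
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def iana_referral(text):
    """Server IANA points at: 'refer:' first, 'whois:' as fallback."""
    attrs = dict(pair for obj in parse_rpsl(text) for pair in obj)
    return attrs.get("refer") or attrs.get("whois")


def abuse_from_rpsl(text):
    """Abuse mailbox from RPSL output, in order of preference: an
    abuse-mailbox attribute, an abuse-c handle resolved to its e-mail
    (the LACNIC answer in the thread), or an address inside a 'remarks:'
    mentioning abuse (the APNIC / RIPE GRS answers in the thread)."""
    objs = parse_rpsl(text)
    handles = {}                       # nic-hdl -> mailbox
    for obj in objs:
        attrs = dict(obj)
        mail = attrs.get("abuse-mailbox") or attrs.get("e-mail")
        if "nic-hdl" in attrs and mail:
            handles[attrs["nic-hdl"]] = mail
    for obj in objs:
        attrs = dict(obj)
        if attrs.get("abuse-mailbox"):
            return attrs["abuse-mailbox"]
        if attrs.get("abuse-c") in handles:
            return handles[attrs["abuse-c"]]
        for key, value in obj:         # duplicates of remarks: are kept here
            if key == "remarks" and "abuse" in value.lower():
                found = EMAIL_RE.search(value)
                if found:
                    return found.group(0)
    return None


def abuse_from_jpnic(text):
    """JPNIC is not RPSL: the contact sits on a '[Abuse]' line."""
    for line in text.splitlines():
        if line.startswith("[Abuse]"):
            found = EMAIL_RE.search(line)
            if found:
                return found.group(0)
    return None


def lookup_abuse(ip, fetch=canned_fetch):
    """Ask IANA which registry holds the block, then parse that registry's
    own format.  Returns None when no contact can be extracted."""
    server = iana_referral(fetch("whois.iana.org", ip))
    if not server:
        return None
    text = fetch(server, ip)
    if server == "whois.nic.ad.jp":
        return abuse_from_jpnic(text)
    return abuse_from_rpsl(text)
```

Note that early-registration blocks (the ERX case mentioned in the thread) can involve a second referral from the RIR IANA names, which this sketch does not follow.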
From bs at stepladder-it.com Thu Jun 20 16:00:57 2013
From: bs at stepladder-it.com (Benedikt Stockebrand)
Date: Thu, 20 Jun 2013 14:00:57 +0000
Subject: [anti-abuse-wg] central whois
In-Reply-To: <51C2EEE0.4040604@powerweb.de> (Frank Gadegast's message of "Thu, 20 Jun 2013 14:00:32 +0200")
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de>
Message-ID: <87bo70c25i.fsf@stepladder-it.com>

Hi Frank and list,

Frank Gadegast writes:

> but an end user would never use a whois service and play with options
> ...

I won't bother you with the entirety of a rather scary story, but I've had a colleague listed as admin-c for a large dial-in address pool. One day he received a death threat by some end user who assumed him to be responsible for something someone has done using one of these addresses (details over a beer at the next RIPE meeting if you press me).

If you make looking up the admin-c for an address as easy as some people here like, this will lead to a significant-to-unbearable extra burden on the people listed as admin-c; the result is rather likely that admin-c's will have no option but to resort to rather heavy automated filtering. I have significant doubt that this is in any way helpful.

So please, try to find some sort of balance here. Evacuating an office until the police arrive isn't something you---or your management---want to happen more often than can be helped.

Cheers,

Benedikt

--
Business Grade IPv6
Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.
http://www.stepladder-it.com/

From denis at ripe.net Thu Jun 20 16:11:32 2013
From: denis at ripe.net (Denis Walker)
Date: Thu, 20 Jun 2013 16:11:32 +0200
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To: <51C2ED2A.60403@powerweb.de>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2ED2A.60403@powerweb.de>
Message-ID: <51C30D94.7020208@ripe.net>

Dear Frank,

The RIPE NCC already mirrors the other RIRs' whois databases as well as some routing registries like JPIRR and RADB. All this data is already available with a single query and all in RIPE RPSL format. You do not need to know which registry is the authoritative source for the resource. That information is part of the response we return.

For RIPE data the abuse-c is being implemented so we will be able to give answers to abuse contact requests for this data. The data we return for the other RIRs contains pointers to their abuse contact details. This data also includes information from some of the NICs who may hold the authoritative data. For example, querying a JPNIC address in the APNIC database includes information from the JPNIC registry.

For example (I have shortened some of the output here):

$ whois -h whois.nic.ad.jp 134.180.0.0/16/e

Network Information:
[Network Number]                134.180.0.0/16
[Network Name]
[Organization]                  SANYO Information Technology Solutions Co., Ltd.
[Administrative Contact]        JP00018865
[Technical Contact]             JP00018865
[Abuse]                         abuse at sannet.ne.jp
[Allocated Date]                2011/09/20
[Last Update]                   2011/09/20 14:50:42(JST)

This shows the abuse contact from JPNIC as an attribute.

$ whois -h whois.apnic.net 134.180.0.0/16

inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : abuse at sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        hostmaster at arin.net 19990719
changed:        hm-changed at apnic.net 20031111
changed:        hm-changed at apnic.net 20040926
changed:        hm-changed at apnic.net 20041214
changed:        ip-apnic at nic.ad.jp 20050406
changed:        hm-changed at apnic.net 20050407
changed:        ip-apnic at nic.ad.jp 20110920
source:         APNIC

This shows the same abuse contact as a remarks: attribute

$ whois -h whois.ripe.net --resource 134.180.0.0/16

inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        DUMY-RIPE
tech-c:         DUMY-RIPE
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : abuse at sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        unread at ripe.net 20000101
source:         APNIC-GRS

So using the RIPE GRS also gives you the abuse contact from JPNIC for this resource.

For more details see the new RIPE Labs article next week.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Team

On 20/06/2013 13:53, Frank Gadegast wrote:
> Denis Walker wrote:
>> Dear Frank,
>
> Hi Denis,
>
> I'm not sure if this covers what I would like to have,
> simply because you have to know to which RIR the network
> belongs first.
>
> It's quite complicated to
> - look the RIR up at whois.iana.org first,
> definitely needed for ERX networks
> - make the whois at the RIR (and usually find that
> it sub-delegated the whois to another RIR like
> BRNIC or KRNIC)
> - and end up with 10 different output formats
>
> You can't explain that procedure to an end user ...
>
> But maybe I understood your interface wrong, and
> I can really enter an IP at the GRS service
> and get the abuse contact email addresses ...
>
> And I know through the experiences with our normal
> customer users that they simply do not report spam,
> because they have no single place to look it up, and
> then do not know where they should send an abuse complaint
> to.
>
> Normal users are always quite puzzled when you tell
> them about whois services, RIRs aso, they have
> no idea about it, simply because they never heard
> anything about RIPE, IANA aso ...
> Most don't even know what an IP address is ...
> It's hard enough to tell them how to find the
> abusive IP in a mail header ...
>
> And that's why people use services like SpamCop,
> they simply put the spam in a web form, and
> they do the rest (ok, not perfect, but handy
> anyway).
>
> IANA should have such a central service ...
>
>
> Kind regards, Frank
>
>>
>> The RIPE NCC has a Global Resource Service (GRS) where you can perform
>> unlimited queries on operational data from all the 5 RIRs and all
>> responses are returned in RIPE RPSL format. You can script your queries
>> against the RIPE GRS using our API.
>>
>> I am, at this very moment, writing a new RIPE Labs article with all the
>> latest details and improvements we have made recently to this service.
>> We expect to publish this article next week.
>>
>> Regards
>> Denis Walker
>> Business Analyst
>> RIPE NCC Database Team
>>
>> On 20/06/2013 11:17, Frank Gadegast wrote:
>>> Olaf van der Spek wrote:
>>>> Hi,
>>>>
>>>> I hope this is the right list for such a question.
>>>> How does one map an IP address to an abuse email address in an
>>>> automated
>>>> way?
>>>> I assume scripts exist, but I haven't found any. Does everyone roll
>>>> their own?
>>>
>>> There are no public scripts to my knowledge
>>>
>>> This kind of automatic mapping is quite complicated and
>>> mostly internal know-how of f.e. blacklists that do
>>> automatic reporting.
>>>
>>> The steps to do it are something like this:
>>>
>>> - first you need to identify which RIR is responsible for the
>>> IP/netblock, this is tricky, because there are more RIRs than
>>> only RIPE, ARIN, LACNIC, AFRINIC and APNIC that actually
>>> hold the information you need (f.e. KRNIC and BRNIC aso) and because
>>> there are early registration networks that usually do not
>>> belong to the RIR you would expect
>>> - all whois interfaces at the RIRs are different, parsing is
>>> difficult, different options too and all have different regulations
>>> and fields with even doubled content
>>> - then there are limits on how many whois queries you can do
>>>
>>> We have a perl script doing all this with over
>>> 3000 lines of code, and this code has to be adjusted
>>> nearly every month ...
>>>
>>> It would be a dream if this group could discuss
>>> a standard whois output format for all RIRs.
>>> And the final step could be a centralized whois, anybody
>>> could ask for the abuse contact covering the data
>>> of all RIRs.
>>>
>>>
>>> Kind regards, Frank
>>> Network Operation Center - PowerWeb
>>> --
>>> MOTD: "have you enabled SSL on a website or mailbox today ?"
>>> --
>>> PHADE Software - PowerWeb                  http://www.powerweb.de
>>> Inh. Dipl.-Inform.
>>> Frank Gadegast                             mailto:frank at powerweb.de
>>> Schinkelstrasse 17                         fon: +49 33200 52920
>>> 14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
>>> ======================================================================
>>>
>>>>
>>>> --
>>>> Olaf

From ops.lists at gmail.com Thu Jun 20 16:14:30 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 20 Jun 2013 19:44:30 +0530
Subject: [anti-abuse-wg] central whois
In-Reply-To: <87bo70c25i.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com>
Message-ID:

This is one of those one in a million type occurrences .. and given that your company is a listed one - so that contact information is available in a multitude of other places, that same death threat would probably have been phoned in to your office receptionist instead of your colleague, from whoever was crazy enough to make it.

That does not sound like any kind of argument to do what you ask for .. and making it hard will simply add to the already extremely high quantum of abuse issues in the RIPE area.

On Thursday, June 20, 2013, Benedikt Stockebrand wrote:
> Hi Frank and list,
>
> Frank Gadegast writes:
>
> > but an end user would never use a whois service and play with options
> > ...
>
> I won't bother you with the entirety of a rather scary story, but I've
> had a colleague listed as admin-c for a large dial-in address pool. One
> day he received a death threat by some end user who assumed him to be
> responsible for something someone has done using one of these addresses
> (details over a beer at the next RIPE meeting if you press me).
>
> If you make looking up the admin-c for an address as easy as some people
> here like, this will lead to a significant-to-unbearable extra burden on
> the people listed as admin-c; the result is rather likely that admin-c's
> will have no option but to resort to rather heavy automated filtering.
> I have significant doubt that this is in any way helpful.
>
> So please, try to find some sort of balance here. Evacuating an office
> until the police arrive isn't something you---or your management---want
> to happen more often than can be helped.
>
>
> Cheers,
>
> Benedikt
>
> --
> Business Grade IPv6
> Consulting, Training, Projects
>
> Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
>

--
--srs (iPad)

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 16:15:29 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 16:15:29 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <87bo70c25i.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com>
Message-ID: <51C30E81.2040404@powerweb.de>

Benedikt Stockebrand wrote:
> Hi Frank and list,
>
> Frank Gadegast writes:
>
>> but an end user would never use a whois service and play with options
>> ...
>
> I won't bother you with the entirety of a rather scary story, but I've
> had a colleague listed as admin-c for a large dial-in address pool. One
> day he received a death threat by some end user who assumed him to be
> responsible for something someone has done using one of these addresses
> (details over a beer at the next RIPE meeting if you press me).

Sad, but how can you submit a death threat to a role person (object)?

> If you make looking up the admin-c for an address as easy as some people

No, not the admin-c, the abuse contact email addresses that are already published ...
> here like, this will lead to a significant-to-unbearable extra burden on
> the people listed as admin-c; the result is rather likely that admin-c's
> will have no option but to resort to rather heavy automated filtering.
> I have significant doubt that this is in any way helpful.

Only the abuse email address published by the ISPs or resource holder will be available. It's up to every resource holder to publish what he thinks is accurate. Usually a role address like abuse at sitename.de or so ...

Kind regards, Frank

> So please, try to find some sort of balance here. Evacuating an office
> until the police arrive isn't something you---or your management---want
> to happen more often than can be helped.
>
>
> Cheers,
>
> Benedikt
>

From ripe-anti-spam-wg at powerweb.de Thu Jun 20 16:24:01 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 20 Jun 2013 16:24:01 +0200
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To: <51C30D94.7020208@ripe.net>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2ED2A.60403@powerweb.de> <51C30D94.7020208@ripe.net>
Message-ID: <51C31081.9030502@powerweb.de>

Denis Walker wrote:
> Dear Frank,

Hi,

>
> The RIPE NCC already mirrors the other RIRs' whois databases as well as
> some routing registries like JPIRR and RADB. All this data is already
> available with a single query and all in RIPE RPSL format. You do not
> need to know which registry is the authoritative source for the
> resource. That information is part of the response we return.

But these queries are restricted, because they contain personal data. And it's too MUCH information.

> For RIPE data the abuse-c is being implemented so we will be able to
> give answers to abuse contact requests for this data. The data we return
> for the other RIRs contains pointers to their abuse contact details.

Sure, but what do you return when asked for other registries?
They don't have simply ONE place for the abuse contact's email address. So, you return "everything", which is not useful for end users ...

> This data also includes information from some of the NICs who may hold
> the authoritative data. For example, querying a JPNIC address in the
> APNIC database includes information from the JPNIC registry.
>
> For example (I have shortened some of the output here):

You see? Too much information ...

A normal lookup looks like this:

# whois.ripe 201.237.64.1
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

inetnum:        0.0.0.0 - 255.255.255.255
netname:        IANA-BLK
descr:          The whole IPv4 address space
country:        EU # Country field is actually all countries in the world and not just EU countries
org:            ORG-IANA1-RIPE
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
remarks:        This object represents all IPv4 addresses.
remarks:        If you see this object as a result of a single IP query, it
remarks:        means that the IP address you are querying is not managed by
remarks:        the RIPE NCC but by one of the other five RIRs. It might
remarks:        also be an address that has been reserved by the IETF as part
remarks:        of a protocol or test range.
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks:        http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
source:         RIPE # Filtered

organisation:   ORG-IANA1-RIPE
org-name:       Internet Assigned Numbers Authority
org-type:       IANA
address:        see http://www.iana.org
remarks:        The IANA allocates IP addresses and AS number blocks to RIRs
remarks:        see http://www.iana.org/ipaddress/ip-addresses.htm
remarks:        and http://www.iana.org/assignments/as-numbers
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.66.3 (WHOIS1)

You see? No information about the RIR. It's pointing to IANA!

Ok, let's ask IANA:

# whois.ripe -h whois.iana.org 201.237.64.1
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.lacnic.net

inetnum:      201.0.0.0 - 201.255.255.255
organisation: LACNIC
status:       ALLOCATED

whois:        whois.lacnic.net

changed:      2003-04
source:       IANA

Ah, LACNIC .... Let's ask LACNIC:

# whois.ripe -h whois.lacnic.net 201.237.64.1
% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
% 2013-06-20 11:22:08 (BRT -03:00)

inetnum:     201.237.64/23
status:      reallocated
owner:       NOSARA
ownerid:     CR-NOSA-LACNIC
responsible: Desarrollo de la Red - ICE
address:     10032, 1, 1
address:     1 - Liberia -
country:     CR
phone:       +506 1 22207465 []
owner-c:     REJ
tech-c:      REJ
abuse-c:     REJ
created:     20080828
changed:     20080828
inetnum-up:  201.237/16

nic-hdl:     REJ
person:      Desarrollo de la Red - DDIBA
e-mail:      gspam at ICE.GO.CR
address:     10032-1000 San José Costa Rica, 10032, San José
address:     10032-100 - San José cr
country:     CR
phone:       +506 20001123 []
created:     20041004
changed:     20120529

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Great, no abuse contact. It's just a handle with an email address. You can't explain this to an end user ...

> $ whois -h whois.nic.ad.jp 134.180.0.0/16/e
>
> Network Information:
> [Network Number]                134.180.0.0/16
> [Network Name]
> [Organization]                  SANYO Information Technology Solutions
> Co., Ltd.
> [Administrative Contact]        JP00018865
> [Technical Contact]             JP00018865
> [Abuse]                         abuse at sannet.ne.jp
> [Allocated Date]                2011/09/20
> [Last Update]                   2011/09/20 14:50:42(JST)
>
> This shows the abuse contact from JPNIC as an attribute.
>
> $ whois -h whois.apnic.net 134.180.0.0/16
>
> inetnum:        134.180.0.0 - 134.180.255.255
> netname:        SANNET
> descr:          SANYO Information Technology Solutions Co., Ltd.
> descr: 2-5-5, Keihan-Hondori, > descr: Moriguchi-shi,Osaka 570-8686, Japan > country: JP > admin-c: JNIC1-AP > tech-c: JNIC1-AP > status: ALLOCATED PORTABLE > remarks: Email address for spam or abuse complaints : > abuse at sannet.ne.jp > mnt-irt: IRT-JPNIC-JP > mnt-by: MAINT-JPNIC > mnt-lower: MAINT-JPNIC > changed: hostmaster at arin.net 19990719 > changed: hm-changed at apnic.net 20031111 > changed: hm-changed at apnic.net 20040926 > changed: hm-changed at apnic.net 20041214 > changed: ip-apnic at nic.ad.jp 20050406 > changed: hm-changed at apnic.net 20050407 > changed: ip-apnic at nic.ad.jp 20110920 > source: APNIC > > This shows the same abuse contact as a remarks: attribute > > $ whois -h whois.ripe.net --resource 134.180.0.0/16 > > inetnum: 134.180.0.0 - 134.180.255.255 > netname: SANNET > descr: SANYO Information Technology Solutions Co., Ltd. > descr: 2-5-5, Keihan-Hondori, > descr: Moriguchi-shi,Osaka 570-8686, Japan > country: JP > admin-c: DUMY-RIPE > tech-c: DUMY-RIPE > status: ALLOCATED PORTABLE > remarks: Email address for spam or abuse complaints : > abuse at sannet.ne.jp > mnt-irt: IRT-JPNIC-JP > mnt-by: MAINT-JPNIC > mnt-lower: MAINT-JPNIC > changed: unread at ripe.net 20000101 > source: APNIC-GRS > > So using the RIPE GRS also gives you the abuse contact from JPNIC for > this resource. > > For more details see the new RIPE Labs article next week. Again, too complicated, too much information. Not usefull for end users or admin, that are not familiar with all this. Kind regards, Frank > > Regards > Denis Walker > Business Analyst > RIPE NCC Database Team > > > On 20/06/2013 13:53, Frank Gadegast wrote: >> Denis Walker wrote: >>> Dear Frank, >> >> Hi Denis, >> >> Im not sure, if this coveres what I would like to have, >> simply because you have to know to wich RIR the network >> belongs first. 
>> >> Its quite complicated to >> - look the RIR up at whois.iana.org first, >> defny needed for ERX networks >> - make the whois at the RIR (and usally find, that >> it sub-deligated the whois to a another RIR like >> BRNIC or KRNIC >> - and end up wich 10 different output formats >> >> You cant explain that procedure to an end user ... >> >> But maybe I understood your interface wrong, and >> I can really enter an IP at the GRS service >> and get the abuse contact email addresses ... >> >> And I know through the expiriences with our normal >> customer users, that they simply do not report spam, >> because they have no single place to look it up, and >> then do not know, where they should send an abuse complaint >> to. >> >> Normal users are always quite puzzled, when you tell >> them about whois services, RIRs aso, they have >> no idea about it, simply because they never heard >> anything about RIPE, IANA aso ... >> Most dont even know, what an IP address is ... >> Its hard enough to tell them how to find the >> abusive IP in an mail header ... >> >> And thats why eople use services like SpamCop, >> they simply put the spam in a web form, and >> they do the rest (ok, not perfect, but handy >> anyway). >> >> iana should have such a central service ... >> >> >> Kind regards, Frank >> >>> >>> The RIPE NCC has a Global Resource Service (GRS) where you can perform >>> unlimited queries on operational data from all the 5 RIRs and all >>> responses are returned in RIPE RPSL format. You can script your queries >>> against the RIPE GRS using our API. >>> >>> I am, at this very moment, writing a new RIPE Labs article with all the >>> latest details and improvements we have made recently to this service. >>> We expect to publish this article next week. 
>>> >>> Regards >>> Denis Walker >>> Business Analyst >>> RIPE NCC Database Team >>> >>> On 20/06/2013 11:17, Frank Gadegast wrote: >>>> Olaf van der Spek wrote: >>>>> Hi, >>>>> >>>>> I hope this is the right list for such a question. >>>>> How does one map an IP address to an abuse email address in an >>>>> automated >>>>> way? >>>>> I assume scripts exist, but I haven't found any. Does everyone roll >>>>> their own? >>>> >>>> There are no public script to my knowledge >>>> >>>> This kind of automatic mapping is quite complicated and >>>> mostly internal know-how of f.e. blacklists, that do >>>> automatic reporting. >>>> >>>> The steps to do it are something like this: >>>> >>>> - first you need to identify, wich RIR is responsible for the >>>> IP/netblock, this is tricky, because there more RIRs like >>>> only RIPE, ARIN, LACNIC, AFRNINIC and APNIC, that actually >>>> hold the information you need (f.e. KRNIC and BRNIC aso) and because >>>> there are early registration networks, that usally do not >>>> belong to the RIR you would expect >>>> - all whois interfaces at the RIRs are different, parsing is >>>> difficult, different options too and all have different regulations >>>> and fields with even dubled content >>>> - then there are limits, how many whois queries you can do >>>> >>>> We have a pearl-script doing all this with over >>>> 3000 lines of code, and this code has to be adjusted >>>> nearly every month ... >>>> >>>> It would be a dream, if this group could discuss >>>> a standard whois output format for all RIRs. >>>> And the final step could be a centralized whois, anybody >>>> could ask for the abuse contact covering the data >>>> of all RIRs. >>>> >>>> >>>> Kind regards, Frank >>>> Network Operation Center - PowerWeb >>>> -- >>>> MOTD: "have you enabled SSL on a website or mailbox today ?" >>>> -- >>>> PHADE Software - PowerWeb http://www.powerweb.de >>>> Inh. Dipl.-Inform. 
Frank Gadegast mailto:frank at powerweb.de >>>> Schinkelstrasse 17 fon: +49 33200 52920 >>>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 >>>> ====================================================================== >>>> >>>> >>>> >>>> >>>> >>>>> >>>>> >>>>> -- >>>>> Olaf >>>> >>>> >>>> >>> >>> >> >> >> > > From denis at ripe.net Thu Jun 20 16:27:11 2013 From: denis at ripe.net (Denis Walker) Date: Thu, 20 Jun 2013 16:27:11 +0200 Subject: [anti-abuse-wg] central whois In-Reply-To: <51C30E81.2040404@powerweb.de> References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <51C30E81.2040404@powerweb.de> Message-ID: <51C3113F.2070201@ripe.net> Dear Colleagues, One of the changes that was made with the introduction of the "abuse-c:" attribute was to make "admin-c:" and "tech-c:" optional attributes on the ROLE object. The specific purpose of this was to allow abuse contact information to be strictly a 'role' and not force references to real people with personal details. The intention of "abuse-c:" is to clearly and simply document business contact information for a department where abuse can be reported. Even if that department is an individual, it does not need to be personal data. Regards Denis Walker Business Analyst RIPE NCC Database Team On 20/06/2013 16:15, Frank Gadegast wrote: > Benedikt Stockebrand wrote: >> Hi Frank and list, >> >> Frank Gadegast writes: >> >>> but an end user would never us a whois service and play with options >>> ... >> >> I won't bother you with the entirety of a rather scary story, but I've >> had a colleague listed as admin-c for a large dial-in address pool. One >> day he received a death threat by some end user who assumed him to be >> responsible for something someone has done using one of these addresses >> (details over a beer at the next RIPE meeting if you press me). > > Sad, but how can you submit a death threat to a role persons (object) ? 
>
>> If you make looking up the admin-c for an address as easy as some people
>
> No, not the admin-c, the abuse contact email addresses, that are
> already published ...
>
>> here like, this will lead to a significant-to-unbearable extra burden on
>> the people listed as admin-c; the result is rather likely that admin-c's
>> will have no option but to resort to rather heavy automated filtering.
>> I have significant doubt that this is in any way helpful.
>
> Only the abuse email address published by the ISPs or resource holder
> will be available.
> It's up to every resource holder to publish what he thinks is accurate.
> Usually a role address like abuse at sitename.de or so ...
>
>
> Kind regards, Frank
>
>> So please, try to find some sort of balance here. Evacuating an office
>> until the police arrive isn't something you---or your management---want
>> to happen more often than can be helped.
>>
>>
>> Cheers,
>>
>> Benedikt


From brian.nisbet at heanet.ie  Thu Jun 20 18:53:07 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 20 Jun 2013 17:53:07 +0100
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To:
References:
Message-ID: <51C33373.5000501@heanet.ie>

Colleagues,

There has been very little discussion on the below and there is just under
a week remaining in the discussion phase. So, now is your time to talk
about it!

Brian
Co-Chair, AA-WG

Emilio Madaio wrote, On 29/05/2013 14:15:
> Dear Colleagues,
>
>
> The text of the policy proposal 2013-01, "Openness about Policy
> Violations", has been revised based on the community feedback received
> on the mailing list. We have published the new version (version 2.0)
> today. As a result a new Discussion Phase is set for the proposal.
>
> The main changes in the new version are:
>
> -rewording of the second part of the Abstract
>
> -rewording of the section 1.0
>
> -new section 2.0 and consequent renumbering of the other sections
>
> -rewording of the "Arguments opposing the proposal" in the Rationale
>
>
> You can find the full proposal at:
>
> https://www.ripe.net/ripe/policies/proposals/2013-01
>
>
> We encourage you to review this policy proposal and send your comments
> to .
>
> Regards,
>
> Emilio Madaio
> Policy Development Officer
> RIPE NCC


From nigel.titley at easynet.com  Thu Jun 20 18:25:56 2013
From: nigel.titley at easynet.com (Nigel Titley)
Date: Thu, 20 Jun 2013 16:25:56 +0000
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C2F0A3.8040302@heanet.ie>
References: <69263.1371610548@server1.tristatelogic.com> <51C2F0A3.8040302@heanet.ie>
Message-ID:

> The third option may be that the law is passed, the resources are handed
> out and the RIPE community, so incensed by this, writes a policy that
> allows for far more invasive deregistration and closure steps and the
> membership of the NCC signs off on this. It would be... fun (fcvo fun)
> to watch and I suspect Nigel may cry.

I'm crying already, just thinking about it

Nigel


From wiegert at telus.net  Thu Jun 20 19:58:08 2013
From: wiegert at telus.net (Arnold)
Date: Thu, 20 Jun 2013 09:58:08 -0800
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org>
Message-ID: <51C342B0.4070700@telus.net>

On 6/20/2013 4:05 AM, Leo Vegoda wrote:
> Hi Frank,
>
> Frank Gadegast wrote:
>
> [...]
>
>>> Perhaps it would be useful to consider generalizing the
>>> referral mechanism described in 2.11 of the RIPE Database
>>> Query Reference Manual?
>> The main problem is that IANA should be responsible
>> for that, but they will not create a technical service
>> for the public.

FWIW, my spam reporter utility - see my signature - does use the IANA
database to identify, where possible, the e-mail address to which any
abuse report should be made.

Arnold

> Can you please expand upon that?
>
> ICANN currently provide a whois service (whois.iana.org) which provides
> the same information as is found in the registries we publish. If there
> is a strong demand for improvements to the service then please let us
> know.
>
> Kind regards,
>
> Leo Vegoda

--
Fight Spam - report it with wxSR 0.6
ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml


From rfg at tristatelogic.com  Thu Jun 20 22:11:10 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 20 Jun 2013 13:11:10 -0700
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <51C2EEAF.9010907@heanet.ie>
Message-ID: <83052.1371759070@server1.tristatelogic.com>

In message <51C2EEAF.9010907 at heanet.ie>,
Brian Nisbet wrote:

>This WG has no greater authority to direct or request anything from the
>NCC than any other member of the community. The WG is not, explicitly, a
>group within the community that directly deals with abuse. It is a group
>of people who are interested in the subject, who may well work together
>to create policies or documents or form a better understanding of the
>issue, but it is not a created group to deal with abuse.
>
>Now, to go a bit further here. The members of the WG can ask the NCC to
>do a particular thing. Depending on the thing that might be an action
>item that arises out of the mailing list or a meeting (eg Could the NCC
>please clarify under exactly what circumstances an LIR could be closed
>or deregistered).

So, the WG may, explicitly, send requests to the NCC, yes?

>The WG cannot say "we do not like this operator,
>please shut them down"...

Cannot or will not?

I am not just playing with words here. I earnestly would like to know if
there is anything... anything at all... codified into any of the written
rules or bylaws of either RIPE or this WG, in particular, that explicitly
prohibits this or any other WG, as a whole, and as a WG, from _saying_ any
bloody thing it likes.

I could well and truly understand if you were to tell me that if the WG
said `X' or the WG said `Y' then it would only garner a laugh all around
and/or general condemnation from a solid majority of the remainder of the
RIPE membership. But that would be quite different from the statement that
you just made, which, the way I read it, sounds like this WG is _obligated_
to utterly refrain from making certain kinds of public comments and/or
certain kinds of requests to NCC.

I probably should not try to anticipate your response to the above, but I
will anyway... I suspect that you will say that I am correct that there is
nothing _explicit_ that prohibits the WG from saying any bloody thing it
likes, but that it would simply be extraordinarily impolitic for this WG to
go about making such requests or comments on specific operators or
allocations, and that doing so might only be likely to result in the WG
meeting its own untimely demise, at the request of the general RIPE
membership.

Assuming so, I for one might be willing to run that risk, even if others...
perhaps many others... might not be so inclined.

>in the same way the Routing WG cannot say "we
>require all members of the NCC to abandon BGP". That is not what WGs in
>the RIPE community are for.

See above. Even I can well and truly see that it would be extraordinarily
impolitic if the Routing WG were to make that specific declaration. They
would be laughed and ignored into oblivion. But my question remains...
Other than the fact that those consequences would predictably ensue for
that WG, I mean if it were to make such a (clearly unworkable) declaration,
is there anything specific that prohibits that WG from speaking its
collective mind in any way it chooses?

>The WG can of course make the NCC aware of a bad operator

With what effect, exactly? To what end?

Do you see what I mean? If such information transmission (to NCC) occurs,
and if no allocations ever change as a result, then what was the point?

Also, when you say that 'the Anti-Abuse WG" may do so, do you mean only the
individual members thereof, acting only as individual members? That seems
to me to be what you were implying or intending to say, i.e. that any
individual WG member can send over a note to NCC telling them about a "bad
operator". Obviously, any individual member may elect to do that, however
_individuals_ obviously carry a lot less weight than an entire WG.

Has there ever been any instance in the history of the Anti-Abuse WG in
which the WG _as a whole_ provided a package of information to NCC
regarding, as you put it, a "bad operator"?

>First off, no offence is taken. :)

OK, good. Thank you. You are a gentleman.

>However, I think your comments here stem from a fundamental
>misunderstanding of how the community (of which you are a part,
>regardless of your earlier comments on the list) works. The WG was not
>set up to do those things.

I was arguably not born to do software, but I do anyway. People and
organizations and institutions do change and evolve, including even in
their goals and missions.

>It has been a handy by-product of
>sharing information and expertise that reports have been passed on to
>the NCC, but it's not why we're here. There are 9000+ members of the
>RIPE NCC and countless others in the community. All of those operators
>will tell you "my network, my rules" albeit they are forced by law or
>contract to take other views into consideration. They are not beholden
>to this or any other WG unless a policy is made or a motion passed by
>the membership.

Right. And that is all as it should be.

I am not asking about any hypothetical new policies that might be enacted.
What about policies that exist that are simply not being enforced? And what
about open questions like the one that I think Furio put, i.e. if a new or
existing RIPE member came to RIPE NCC with a request for, say, a /19 with
their explicitly stated intended use being "snowshoe spamming", then what
would happen?

>At no point in the Charter for the AA-WG does it suggest we're here to
>take back resources, so I'm genuinely very interested to know where this
>all came from?

It came from the fact that there _do_ exist problems, and with respect to
the specific problems that exist (both within the RIPE region and most
certainly elsewhere as well) _everyone_ seems to constantly be running as
far and as fast away from actually dealing with those problems as it is
humanly possible to do. In short, to paraphrase an old saying that we have
here on this side of the pond, "It's a tough job, but _somebody_ ought to
be doing it."

The problems are problems of network abuse, and of instances where,
arguably, fraud had been perpetrated against RIPE in order to obtain
resources.

RIPE NCC clearly does not want to actually have to deal with any of this,
and I understand that. For them, it is all just a potential political
hornet's nest, so the absolutely politically safest thing for them to do is
to turn a blind eye and do nothing. This is to be expected, and I think
that there exists a vast UNDER-appreciation, here and elsewhere, of the
really substantial DE-motivating factors that are in play with respect to
RIPE NCC and the problem of dealing with abuse issues. NCC has real and
clear incentives to try to bury all of these issues and questions and
problems, as deeply as possible.

So, um, let me see... we have instances of network abuse... instances that
arguably go against policies that already exist and that have already been
ratified by the RIPE membership as a whole. But there is little or no
enforcement of said rules on the part of RIPE NCC, which, quite naturally,
finds it politically safest not to rock the boat in any way, ever. But then
we have this thing called the "Anti-Abuse Working Group" which, as you have
been kind enough to clarify for me, has no authority to do anything in
particular about any actual instances of actual abuse, and which rather
must content itself with occasionally making recommendations for specific
_new_ policies to the RIPE membership as a whole, an activity which, I
gather, it does with a relatively high degree of infrequency. Meanwhile the
problems continue, even as everyone and his brother seems to be out buying
ten foot poles with which they may avoid touching any of the real, current,
and pressing problems.

So anyway, yes, if you wish to assert that I might in some ways be
encouraging a more expansive view of the charter, mission, and goals of
this WG, then I plead guilty as charged, however I throw myself upon the
mercy of the court and ask for clemency on the basis of the fact that it is
perhaps a natural mistake for an outsider to make to assume... apparently
improperly... that a working group going by the name "Anti-Abuse" might
actually wish to get its hands dirty from time to time, you know, by
actually taking actual actions with respect to actual and ongoing instances
of abuse, including instances which are already well and truly defined as
such.

Regards,
rfg


From rfg at tristatelogic.com  Thu Jun 20 22:26:46 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 20 Jun 2013 13:26:46 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C2F0A3.8040302@heanet.ie>
Message-ID: <83157.1371760006@server1.tristatelogic.com>

In message <51C2F0A3.8040302 at heanet.ie>,
Brian Nisbet wrote:

>I'm going to snip a lot of this mail, but there's a core issue I'd like
>to address.
>
>> Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has
>> just passed a law _requiring_ all of its citizens to spam. What is RIPE
>> going to do? Issue each citizen of Grand Fenwick his or her own /24?
>> In short, at what point does respect for the individuality and authority
>> of the constituent nations and municipalities of the entire RIPE region
>> cross over into unambiguous lunacy?
>
>It's an interesting hypothetical, certainly. There are a number of
>possible options. The first is that the EU, or just the Netherlands,
>became aware of this and said "These people are bad, EU companies may
>not trade with them". The RIPE NCC operates under Dutch law, so they
>would be forced to stop doing business with those people.

A highly unlikely scenario, I think you will agree.

>The second may be that while these companies may be legitimate
>businesses the NCC is aware of the local law and says, "Ah, no, we know,
>for a fact, that you are mandated to use these resources for network
>abuse, therefore your application is invalid."

Again, based upon the current available evidence, also a highly unlikely
scenario.

>The third option may be that the law is passed, the resources are handed
>out and the RIPE community, so incensed by this, writes a policy that
>allows for far more invasive deregistration and closure steps and the
>membership of the NCC signs off on this. It would be... fun (fcvo fun)
>to watch and I suspect Nigel may cry.

I'm not even sure which specific Nigel you are referring to, but I for one
could live with that.

>Of course in amongst all of this I would suspect if the resources were
>handed out, there would be a lot of depeering and null routing going on
>in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)

Once again, based upon the available evidence, I would claim that it would
in fact be improbable that any substantial amount of depeering and/or null
routing would occur, in practice. It is a classic "tragedy of the commons"
problem, and no operator would wish to have to explain to its user base why
they, the end lusers, can no longer send e-mail to their cousins in Grand
Fenwick.

Regards,
rfg


From tk at abusix.com  Fri Jun 21 12:07:43 2013
From: tk at abusix.com (Tobias Knecht)
Date: Fri, 21 Jun 2013 12:07:43 +0200
Subject: [anti-abuse-wg] centralized abuse whois
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org> <51C301D3.6010305@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org>
Message-ID: <51C425EF.3080207@abusix.com>

Hi there,

> I wonder whether asking end users to report abuse is the right way to go.
> Would it not be more effective for the user to inform their service
> provider that a message or event is abuse and rely on the service provider
> to do the right thing. After all, most people ask a mechanic to service
> their car rather than learn how to do that.

I fully agree. There are several services out there that offer this kind of
reporting. Big ISPs do this in an automatic way via feedback loops. Other
services with plugins for mail clients, or copy&paste website solutions.
There is imho no need to make this process understandable and workable for
everybody. At least not until it is working and understandable for
technical people.

Thanks,

Tobias


From leo.vegoda at icann.org  Fri Jun 21 13:02:51 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Fri, 21 Jun 2013 04:02:51 -0700
Subject: [anti-abuse-wg] centralized abuse whois
In-Reply-To: <51C30C6F.2000807@powerweb.de>
References: <51C2C88D.9090704@powerweb.de> <1AB6D761-D453-4F2B-AA25-19A934B29F1C@ucd.ie> <51C2E660.1000505@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA226@EXVPMBX100-1.exc.icann.org> <51C2F545.6020303@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA229@EXVPMBX100-1.exc.icann.org> <51C301D3.6010305@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA22A@EXVPMBX100-1.exc.icann.org> <51C30C6F.2000807@powerweb.de>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B184E0DEA2FE@EXVPMBX100-1.exc.icann.org>

Hi Frank,

Frank Gadegast wrote:

[...]

> Sure not, but sometimes policies are just "in-the-way".
> All RIRs do meet regularly, so get their admins at a little table in a
> bar and simply do it ...
> A centralized whois isn't something "new".
> It's just a unique way to present information that is already available,
> but difficult to find.

There are more than just six organisations involved. Discussions in bars
are good ways to start things off but probably not the right way to come up
with full plans for an integrated service that is intended to last for a
decade or more. The discussion on how best to implement the kind of service
you've described is already happening in the IETF's WEIRDS WG. I doubt
people would go to the effort to draft, review and redraft documents if
reaching agreement and implementing the service was something that could be
done in an evening.

Regards,

Leo
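The parsing step in Frank's list earlier in the thread (a different output format from every registry, after an IANA lookup that only tells you which RIR to ask next) is the part a small extractor can show. The Python below is an added example, not code from the thread or from any RIR; its sample replies are constructed after the formats quoted above, using example.* domains, so that it runs offline.

```python
"""Extract abuse-reporting contacts from differently formatted whois replies.
Added example, not code from the thread or any RIR; sample replies are
constructed after the formats quoted in the thread, using example.* domains."""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# IANA: no contact at all, only the referral that says which RIR to ask next.
IANA_REPLY = """\
% IANA WHOIS server
refer:        whois.lacnic.net
"""
# RIPE/APNIC RPSL: mailbox in an abuse-mailbox: attribute or just in remarks:.
RPSL_REPLY = """\
inetnum:        192.0.2.0 - 192.0.2.255
remarks:        Email address for spam or abuse complaints :
remarks:        abuse@example.jp
mnt-irt:        IRT-EXAMPLE

irt:            IRT-EXAMPLE
abuse-mailbox:  irt-abuse@example.jp
"""
# LACNIC: abuse-c: names a handle; the address lives in that handle's object.
LACNIC_REPLY = """\
inetnum:     198.51.100/24
abuse-c:     REJ

nic-hdl:     REJ
e-mail:      noc@example.cr
"""
# JPNIC: bracketed field names instead of RPSL keys.
JPNIC_REPLY = """\
Network Information:
[Network Number]        203.0.113.0/24
[Abuse]                 abuse@example.jp
"""


def parse_records(text):
    """Split a reply into blank-line separated records of (key, value) pairs.
    Accepts RPSL 'key: value' and JPNIC '[Key] value' lines, lower-cases keys,
    skips %/# comment lines and folds continuation lines into the previous value."""
    records, current = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            if current:
                records.append(current)
                current = []
            continue
        if stripped.startswith(("%", "#")):
            continue
        m = (re.match(r"\[([^\]]+)\]\s*(.*)", stripped)
             or re.match(r"([A-Za-z][\w-]*):\s*(.*)", stripped))
        if m:
            current.append((m.group(1).strip().lower(), m.group(2).strip()))
        elif current:  # continuation of the previous attribute's value
            key, value = current[-1]
            current[-1] = (key, value + " " + stripped)
    if current:
        records.append(current)
    return records


def referral_server(text):
    """Return the whois server an IANA-style reply refers to, or None."""
    for record in parse_records(text):
        for key, value in record:
            if key in ("refer", "whois"):
                return value
    return None


def abuse_contacts(text):
    """Return de-duplicated (where_found, address) pairs: explicit abuse fields
    first, then the object an abuse-c: handle references, then remarks: lines
    that mention abuse (the address is often on the following remarks line)."""
    records = parse_records(text)
    by_handle = {v.upper(): rec for rec in records for k, v in rec if k == "nic-hdl"}
    found = []

    def add(where, value):
        for address in EMAIL_RE.findall(value):
            if (where, address.lower()) not in found:
                found.append((where, address.lower()))

    for record in records:
        for key, value in record:
            if key in ("abuse-mailbox", "abuse"):
                add(key, value)
            elif key == "abuse-c" and value.upper() in by_handle:
                for hkey, hvalue in by_handle[value.upper()]:
                    if hkey in ("abuse-mailbox", "e-mail"):
                        add("abuse-c -> " + hkey, hvalue)
    for record in records:
        remarks = [v for k, v in record if k == "remarks"]
        for i, value in enumerate(remarks):
            if "abuse" in value.lower():
                add("remarks", value)
                if i + 1 < len(remarks):
                    add("remarks", remarks[i + 1])
    return found
```

On live data the text would be fetched from the server that referral_server() returns and then handed to abuse_contacts(); the example itself makes no network calls.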
Name: smime.p7s Type: application/pkcs7-signature Size: 5475 bytes Desc: not available URL: From brian.nisbet at heanet.ie Fri Jun 21 13:23:27 2013 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 21 Jun 2013 12:23:27 +0100 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <83157.1371760006@server1.tristatelogic.com> References: <83157.1371760006@server1.tristatelogic.com> Message-ID: <51C437AF.1080300@heanet.ie> Ronald F. Guilmette wrote, On 20/06/2013 21:26: > In message <51C2F0A3.8040302 at heanet.ie>, > Brian Nisbet wrote: > >> I'm going to snip a lot of this mail, but there's a core issue I'd like >> to address. >> >>> Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has >>> just passed a law _requiring_ all of its citizens to spam. What is RIPE >>> going to do? Issue each citizen of Grand Fenwick his or her own /24? >>> In short, at what point does respect for the individuality and authority >>> of the constituent nations and municipalities of the entire RIPE region >>> cross over into unambiguous lunacy? >> >> It's an interesting hypothetical, certainly. There are a number of >> possible options. The first is that the EU, or just the Netherlands, >> became aware of this and said "These people are bad, EU companies may >> not trade with them". The RIPE NCC operates under Dutch law, so they >> would be forced to stop doing business with those people. > > A highly unlikely scenario, I think you will agree. Not unlikely at all. As the last sentence of that paragraph says, it happened recently in real life. >> The second may be that while these companies may be legitimate >> businesses the NCC is aware of the local law and says, "Ah, no, we know, >> for a fact, that you are mandated to use these resources for network >> abuse, therefore your application is invalid." > > Again, based upon the current available evidence, also a highly unlikely > scenario. 
Less likely, certainly, but we're talking in deep hypotheticals here. >> The third option may be that the law is passed, the resources are handed >> out and the RIPE community, so incensed by this, writes a policy that >> allows for far more invasive deregistration and closure steps and the >> membership of the NCC signs off on this. It would be... fun (fcvo fun) >> to watch and I suspect Nigel may cry. > > I'm not even sure which specific Nigel you are referring to, but I for one > could live with that. Ah, sorry, Nigel Titley, the Chairman of the Executive Board of the NCC. Also, and I know I've said this several times before, there is nothing stopping a member (or members) of the community from writing such a proposal right now. >> Of course in amongst all of this I would suspect if the resources were >> handed out, there would be a lot of depeering and null routing going on >> in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :) > > Once again, based upon the available evidence, I would claim that it > would in fact be improbable that any substantial amount of deppeering > and/or null routing would occur, in practice. It is a classic "trajedy > of the commons" problem, and no operator would wish to have to explain > to its user base why they, end end lusers, can no longer send e-mail to > their cousins in Grand Fenwick. I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting. 
Brian From shane at time-travellers.org Fri Jun 21 13:13:55 2013 From: shane at time-travellers.org (Shane Kerr) Date: Fri, 21 Jun 2013 13:13:55 +0200 Subject: [anti-abuse-wg] Not entirely Off-Topic In-Reply-To: <20574.1371694677@server1.tristatelogic.com> References: <20574.1371694677@server1.tristatelogic.com> Message-ID: <20130621131355.53cad373@earth.home.time-travellers.org> Ronald, On Wed, 19 Jun 2013 19:17:57 -0700 "Ronald F. Guilmette" wrote: > By the way, would any of you happen to know where I might be able to > purchase one of these t-shirts? > > http://www.flickr.com/photos/philwolff/96987427/ ISC (my employer) sells these: http://store.isc.org/ProductDetails.asp?ProductCode=tshirt-layer Cheers, -- Shane From erik at bais.name Fri Jun 21 13:49:36 2013 From: erik at bais.name (Erik Bais) Date: Fri, 21 Jun 2013 11:49:36 +0000 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51C437AF.1080300@heanet.ie> References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> Message-ID: <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> >>> Of course in amongst all of this I would suspect if the resources were >>> handed out, there would be a lot of depeering and null routing going on >>> in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :) >> >> Once again, based upon the available evidence, I would claim that it >> would in fact be improbable that any substantial amount of deppeering >> and/or null routing would occur, in practice. It is a classic "trajedy >> of the commons" problem, and no operator would wish to have to explain >> to its user base why they, end end lusers, can no longer send e-mail to >> their cousins in Grand Fenwick. > I'm not sure, Spamhaus were quite happy to block Latvia for a far > smaller reason. I think if it was a mandated activity for all citizens > the reaction of the international community might be interesting. 
> Brian For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv https://cert.lv/uploads/uploads/OpenLetter.pdf Erik Bais From ops.lists at gmail.com Fri Jun 21 14:07:13 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 21 Jun 2013 17:37:13 +0530 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> Message-ID: On Friday, June 21, 2013, Erik Bais wrote: > > For those that want to read up on what actually happened on that specific > incident in Latvia (July/August 2010), have a read on the following open > letter from CERT.lv > > https://cert.lv/uploads/uploads/OpenLetter.pdf > > Erik Bais > To maintain some balance on an issue that involved blocking one ISP (not "all of latvia") that was hosting bot spammers for a very long time indeed .. a couple of other articles. http://www.theregister.co.uk/2010/08/13/spamhaus_latvia/ And an assessment of this situation from another organization- Trend Micro, which can, in some cases, be seen as competing with spamhaus (they after all acquired the original MAPS RBL lists) http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-rightfully-lists-latvian-hoster/ Quite frankly my sympathies are not with nic.lv in this matter. --srs -- --srs (iPad) -------------- next part -------------- An HTML attachment was scrubbed... 
From brian.nisbet at heanet.ie Fri Jun 21 14:16:46 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Jun 2013 13:16:46 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
Message-ID: <51C4442E.4060602@heanet.ie>

Suresh Ramasubramanian wrote the following on 21/06/2013 13:07:
> On Friday, June 21, 2013, Erik Bais wrote:
>
>
>     For those that want to read up on what actually happened on that
>     specific incident in Latvia (July/August 2010), have a read on the
>     following open letter from CERT.lv
>
>     https://cert.lv/uploads/uploads/OpenLetter.pdf
>
>     Erik Bais
>
>
> To maintain some balance on an issue that involved blocking one ISP (not
> "all of latvia") that was hosting bot spammers for a very long time
> indeed .. a couple of other articles.
>
> http://www.theregister.co.uk/2010/08/13/spamhaus_latvia/
>
> And an assessment of this situation from another organization - Trend
> Micro, which can, in some cases, be seen as competing with spamhaus
> (they after all acquired the original MAPS RBL lists)
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-rightfully-lists-latvian-hoster/
>
> Quite frankly my sympathies are not with nic.lv in this
> matter.

It is a complicated situation and while I'm not necessarily a fan of the action taken or how it played out, my initial comment was overly glib. My intent was to point out that wide reaching actions have been taken in the past and I apologise for the remark. I have no particular wish to reignite nor insert myself into that argument.
Brian

From ops.lists at gmail.com Fri Jun 21 14:42:52 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 21 Jun 2013 18:12:52 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C4442E.4060602@heanet.ie>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51C4442E.4060602@heanet.ie>
Message-ID:

not my intention to rake it up either but do believe me, it is dangerous if an us versus them mentality were to take root in the rir / netops community against groups that are on your side against a common enemy

On Friday, June 21, 2013, Brian Nisbet wrote:

> Suresh Ramasubramanian wrote the following on 21/06/2013 13:07:
>
>> On Friday, June 21, 2013, Erik Bais wrote:
>>
>>
>>     For those that want to read up on what actually happened on that
>>     specific incident in Latvia (July/August 2010), have a read on the
>>     following open letter from CERT.lv
>>
>>     https://cert.lv/uploads/uploads/OpenLetter.pdf
>>
>>     Erik Bais
>>
>> To maintain some balance on an issue that involved blocking one ISP (not
>> "all of latvia") that was hosting bot spammers for a very long time
>> indeed .. a couple of other articles.
>>
>> http://www.theregister.co.uk/2010/08/13/spamhaus_latvia/
>>
>> And an assessment of this situation from another organization - Trend
>> Micro, which can, in some cases, be seen as competing with spamhaus
>> (they after all acquired the original MAPS RBL lists)
>>
>> http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-rightfully-lists-latvian-hoster/
>>
>> Quite frankly my sympathies are not with nic.lv in this
>> matter.
>>
>
> It is a complicated situation and while I'm not necessarily a fan of the
> action taken or how it played out, my initial comment was overly glib. My
> intent was to point out that wide reaching actions have been taken in the
> past and I apologise for the remark. I have no particular wish to reignite
> nor insert myself into that argument.
>
> Brian
>
>

--
--srs (iPad)

From lists-ripe at c4inet.net Fri Jun 21 14:47:47 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Fri, 21 Jun 2013 13:47:47 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51C4442E.4060602@heanet.ie>
Message-ID: <20130621124747.GC58774@cilantro.c4inet.net>

On Fri, Jun 21, 2013 at 06:12:52PM +0530, Suresh Ramasubramanian wrote:
>not my intention to rake it up either but do believe me, it is dangerous if
>an us versus them mentality were to take root in the rir / netops community
>against groups that are on your side against a common enemy

So, anyone who disagrees with your modus operandi (and perhaps even the fact that you would gleefully destroy the village to save the inhabitants) should just shut up?

I pick my own enemies, thank you very much.
rgds,
Sascha Luck

From brian.nisbet at heanet.ie Fri Jun 21 14:50:34 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Jun 2013 13:50:34 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51C4442E.4060602@heanet.ie>
Message-ID: <51C44C1A.5000906@heanet.ie>

Suresh,

Suresh Ramasubramanian wrote the following on 21/06/2013 13:42:
> not my intention to rake it up either but do believe me, it is dangerous
> if an us versus them mentality were to take root in the rir / netops
> community against groups that are on your side against a common enemy

Well, this is why I wanted to clarify my remarks. Like I said, I'm not a fan of some things that a variety of people do, but I absolutely agree on avoiding that mentality. As with all of these things, the aim is to enhance collaboration and work to improve things, while neither side is afraid to be honest etc.

Brian

From peter at hk.ipsec.se Fri Jun 21 14:50:35 2013
From: peter at hk.ipsec.se (peter h)
Date: Fri, 21 Jun 2013 14:50:35 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
Message-ID: <201306211450.36538.peter@hk.ipsec.se>

On Friday 21 June 2013 13.49, Erik Bais wrote:
>
> >>> Of course in amongst all of this I would suspect if the resources were
> >>> handed out, there would be a lot of depeering and null routing going on
> >>> in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
> >>
> >> Once again, based upon the available evidence, I would claim that it
> >> would in fact be improbable that any substantial amount of depeering
> >> and/or null routing would occur, in practice. It is a classic "tragedy
> >> of the commons" problem, and no operator would wish to have to explain
> >> to its user base why they, end lusers, can no longer send e-mail to
> >> their cousins in Grand Fenwick.
>
> > I'm not sure, Spamhaus were quite happy to block Latvia for a far
> > smaller reason. I think if it was a mandated activity for all citizens
> > the reaction of the international community might be interesting.
>
> > Brian
>
> For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
>
> https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> Erik Bais

cert.lv is wrong on one point: There is no "right" to send spam, and there is no right to send mail to anyone. It's a service that each and every mailserver owner has to deny mail on for any reason. Spamhaus (and other) is only a list of known abusers, anyone using any of these lists has the right to do so.

Agreed that some listings are in error. That should be resolved asap, but as long as a provider does not stop spam they will sooner or later be listed.

A few providers actually prevent spam. Those won't show up in listings. To stay out of listings one has to be more than whining, one has to actually prevent spam originating!

>
>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to repair mistakes. )

From lists-ripe at c4inet.net Fri Jun 21 15:20:07 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Fri, 21 Jun 2013 14:20:07 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <201306211450.36538.peter@hk.ipsec.se>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <201306211450.36538.peter@hk.ipsec.se>
Message-ID: <20130621132007.GA64131@cilantro.c4inet.net>

On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
>A few providers actually prevent spam. Those won't show up in listings.
>To stay out of listings one has to be more than whining, one has to
>actually prevent spam originating!

Just for the avoidance of doubt, are you arguing for the scanning of the content of outgoing third-party email (aka Censorship) in order to avoid landing on some blocklist?

rgds,
Sascha Luck

From ops.lists at gmail.com Fri Jun 21 15:33:06 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 21 Jun 2013 19:03:06 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130621132007.GA64131@cilantro.c4inet.net>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <201306211450.36538.peter@hk.ipsec.se> <20130621132007.GA64131@cilantro.c4inet.net>
Message-ID:

since when does commercial speech qualify for free speech protection?

and yes, outbound mail scanning is a widely recognized best practice

no, it would not have helped in the Latvia case because the ISP in question was hosting botnet command and control sites, which don't tend to control bots or run telemetry over smtp.

On Friday, June 21, 2013, Sascha Luck wrote:

> On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
>
>> A few providers actually prevent spam. Those won't show up in listings.
>> To stay out of listings one has to be more than whining, one has to
>> actually prevent spam originating!
>>
>
> Just for the avoidance of doubt, are you arguing for the scanning of the
> content of outgoing third-party email (aka Censorship) in order to avoid
> landing on some blocklist?
>
> rgds,
> Sascha Luck
>
>

--
--srs (iPad)

From ripe-anti-spam-wg at powerweb.de Fri Jun 21 16:00:29 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 21 Jun 2013 16:00:29 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <201306211450.36538.peter@hk.ipsec.se> <20130621132007.GA64131@cilantro.c4inet.net>
Message-ID: <51C45C7D.70901@powerweb.de>

Suresh Ramasubramanian wrote:
>
> and yes, outbound mail scanning is a widely recognized best practice

But this is in some countries or under some other regulations no option.

>
> no, it would not have helped in the Latvia case because the ISP in
> question was hosting botnet command and control sites, which don't tend
> to control bots or run telemetry over smtp.
>
> On Friday, June 21, 2013, Sascha Luck wrote:
>
>     On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
>
>         A few providers actually prevent spam. Those won't show up in
>         listings.
>         To stay out of listings one has to be more than whining, one has to
>         actually prevent spam originating!
>
>
>     Just for the avoidance of doubt, are you arguing for the scanning of the
>     content of outgoing third-party email (aka Censorship) in order to avoid
>     landing on some blocklist?

There is a much easier way of finding botted PCs dialing into your own network without having to scan outgoing mail.
Let's say your dialin users are also having email services with you and they already have an anti-spam system running along with those services.

Simply check incoming spam if they originate from your own dialin networks ;o)

If you're big enough, it's likely (it's proven that it's working) that your own customers receive spam from botted PCs that are also your customers. If detected, call them and explain the problem, they will love this service ...

This simply works because most botted PCs used to send out mail also scan the address books of those users and the friends or family or colleagues tend to use the same provider.

Or: simply count the amount of mails coming out from dialin IPs and look for irregular peaks ... that should be allowed in most countries ...

Kind regards, Frank

>
>     rgds,
>     Sascha Luck
>
>
>
>
> --
> --srs (iPad)

From ops.lists at gmail.com Fri Jun 21 16:24:17 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 21 Jun 2013 19:54:17 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C45C7D.70901@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <201306211450.36538.peter@hk.ipsec.se> <20130621132007.GA64131@cilantro.c4inet.net> <51C45C7D.70901@powerweb.de>
Message-ID:

On Friday, June 21, 2013, Frank Gadegast wrote:

> Suresh Ramasubramanian wrote:
>
>
>> and yes, outbound mail scanning is a widely recognized best practice
>>
>
> But this is in some countries or under some other regulations no option.

Which is a pity of course. However it remains a best practice and even in Germany there are ISPs who do filter outbound mail.

> There is a much easier way of finding botted PCs dialing into your own
> network without having to scan outgoing mail.

This wasn't anything about botted PCs ON that network. It was about C2 for various bots running on colocated IP space leased by botmasters.
As for the rest of it - there's RFC 6561 besides a ton of best practice documents on how to detect botted PCs on a network.

--srs

--
--srs (iPad)

From brian.nisbet at heanet.ie Fri Jun 21 16:56:35 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Jun 2013 15:56:35 +0100
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <83052.1371759070@server1.tristatelogic.com>
References: <83052.1371759070@server1.tristatelogic.com>
Message-ID: <51C469A3.5020404@heanet.ie>

Ronald F. Guilmette wrote, On 20/06/2013 21:11:
> In message <51C2EEAF.9010907 at heanet.ie>,
> Brian Nisbet wrote:
>
>> This WG has no greater authority to direct or request anything from the
>> NCC than any other member of the community. The WG is not, explicitly, a
>> group within the community that directly deals with abuse. It is a group
>> of people who are interested in the subject, who may well work together
>> to create policies or documents or form a better understanding of the
>> issue, but it is not a created group to deal with abuse.
>>
>> Now, to go a bit further here. The members of the WG can ask the NCC to
>> do a particular thing. Depending on the thing that might be an action
>> item that arises out of the mailing list or a meeting (eg Could the NCC
>> please clarify under exactly what circumstances an LIR could be closed
>> or deregistered).
>
> So, the WG may, explicitly, send requests to the NCC, yes?

For certain things, yes.

>> The WG cannot say "we do not like this operator,
>> please shut them down"...
>
> Cannot or will not?

Ah, yes, ok...

> I am not just playing with words here. I earnestly would like to know if
> there is anything... anything at all... codified into any of the written
> rules or bylaws of either RIPE or this WG, in particular, that explicitly
> prohibits this or any other WG, as a whole, and as a WG, from _saying_
> any bloody thing it likes.
> I could well and truly understand if you
> were to tell me that if the WG said `X' or the WG said `Y' then it would
> only garner a laugh all around and/or general condemnation from a solid
> majority of the remainder of the RIPE membership. But that would be
> quite different from the statement that you just made, which, the way
> I read it, sounds like this WG is _obligated_ to utterly refrain from
> making certain kinds of public comments and/or certain kinds of requests
> to NCC.

You are right, there is nothing prohibiting anyone saying it, but saying it would have no effect as there is no policy or document there to enforce it or for the NCC to react. I think the interpretations here are in use of language. There is no such obligation.

> I probably should not try to anticipate your response to the above, but
> I will anyway...

Well, it saves me having to type so much. :)

> I suspect that you will say that I am correct that there is nothing
> _explicit_ that prohibits the WG from saying any bloody thing it likes,
> but that it would simply be extraordinarily impolitic for this WG to
> go about making such requests or comments on specific operators or
> allocations, and that doing so might only be likely to result in the
> WG meeting its own untimely demise, at the request of the general RIPE
> membership. Assuming so, I for one might be willing to run that risk,
> even if others... perhaps many others... might not be so inclined.

I'm not sure about an untimely demise, per se. Neither the NCC nor the members of the NCC have any power over the WGs, but it would certainly change the nature of the relationship between the WG and the NCC. It is conceivable that the community might think we've gone off the rails, certainly, so yeah, there would be a danger. But if those who are involved in the WG mandated the WG to actually take this action, even knowing the above, well I suppose the WG would have to do it.
>> in the same way the Routing WG cannot say "we
>> require all members of the NCC to abandon BGP". That is not what WGs in
>> the RIPE community are for.
>
> See above. Even I can well and truly see that it would be extraordinarily
> impolitic if the Routing WG were to make that specific declaration. They
> would be laughed and ignored into oblivion. But my question remains...
> Other than the fact that those consequences would predictably ensue for
> that WG, I mean if it were to make such a (clearly unworkable) declaration,
> is there anything specific that prohibits that WG from speaking its
> collective mind in any way it chooses?

Again, not of which I am aware.

>> The WG can of course make the NCC aware of a bad operator
>
> With what effect, exactly? To what end? Do you see what I mean? If such
> information transmission (to NCC) occurs, and if no allocations ever change
> as a result, then what was the point?

I do see what you mean, but I was answering the questions you asked. Without a policy change, likely agreed to by the NCC membership (which opens up a whole different can of stakeholder interaction worms) there would be no automatic action. However such a notification may trigger an audit and the NCC's own processes, which may in turn lead to action under the procedures as currently documented.

> Also, when you say that 'the Anti-Abuse WG" may do so, do you mean only
> the individual members thereof, acting only as individual members? That
> seems to me to be what you were implying or intending to say, i.e. that
> any individual WG member can send over a note to NCC telling them about
> a "bad operator".
>
> Obviously, any individual member may elect to do that, however _individuals_
> obviously carry a lot less weight than an entire WG. Has there ever been
> any instance in the history of the Anti-Abuse WG in which the WG _as a
> whole_ provided a package of information to NCC regarding, as you put it,
> a "bad operator"?
An individual could always do this. The WG could, but the members would have to direct it to do so. This can be done on the mailing list or in a meeting. Whether that would carry more weight is honestly debatable, if they came with evidence, but no, I mean that the WG could, if so directed by its members. The specific action here would likely be Tobias and I speaking to the NCC about it, but I wouldn't like to speculate on what would happen or if that would be actually any more effective than you or any other member of this WG doing it.

>> First off, no offence is taken. :)
>
> OK, good. Thank you. You are a gentleman.

And you are too kind. Debate on these topics can often descend very quickly into badness (and has on this list in the past), I'm very glad this isn't. Indeed, it is proving very useful, to me at least.

>> However, I think your comments here stem from a fundamental
>> misunderstanding of how the community (of which you are a part,
>> regardless of your earlier comments on the list) works. The WG was not
>> set up to do those things.
>
> I was arguably not born to do software, but I do anyway. People and
> organizations and institutions do change and evolve, including even in
> their goals and missions.

Absolutely and the WG may well (and indeed did very obviously but a few years ago), but I can only answer on the current circumstances.

>> It has been a handy by-product of
>> sharing information and expertise that reports have been passed on to
>> the NCC, but it's not why we're here. There are 9000+ members of the
>> RIPE NCC and countless others in the community. All of those operators
>> will tell you "my network, my rules" albeit they are forced by law or
>> contract to take other views into consideration. They are not beholden
>> to this or any other WG unless a policy is made or a motion passed by
>> the membership.
>
> Right. And that is all as it should be. I am not asking about any
> hypothetical new policies that might be enacted.
> What about policies
> that exist that are simply not being enforced? And what about open
> questions like the one that I think Furio put, i.e. if a new or existing
> RIPE member came to RIPE NCC with a request for, say, a /19 with their
> explicitly stated intended use being "snowshoe spamming", then what
> would happen?

This is something that I will specifically bring to the attention of the NCC (although I know a number of the staff read this list) and ask for someone to address these points.

>> At no point in the Charter for the AA-WG does it suggest we're here to
>> take back resources, so I'm genuinely very interested to know where this
>> all came from?
>
> It came from the fact that there _do_ exist problems, and with respect to
> the specific problems that exist (both within the RIPE region and most
> certainly elsewhere as well) _everyone_ seems to constantly be running as
> far and as fast away from actually dealing with those problems as it is
> humanly possible to do. In short, to paraphrase an old saying that we
> have here on this side of the pond, "It's a tough job, but _somebody_
> ought to be doing it."

Arguably yes, it's easier to do nothing, but I don't think people are doing nothing, at all. I'm still worried you are asking the wrong people to do this job.

> So, um, let me see... we have instances of network abuse... instances
> that arguably go against policies that already exist and that have
> already been ratified by the RIPE membership as a whole. But there
> is little or no enforcement of said rules on the part of RIPE NCC,
> which, quite naturally, finds it politically safest not to rock the
> boat in any way, ever.
> But then we have this thing called the "Anti-
> Abuse Working Group" which, as you have been kind enough to clarify
> for me, has no authority to do anything in particular about any actual
> instances of actual abuse, and which rather must content itself with
> occasionally making recommendations for specific _new_ policies to the
> RIPE membership as a whole, an activity which, I gather it does with
> a relatively high degree of infrequency. Meanwhile the problems continue,
> even as everyone and his brother seems to be out buying ten foot poles
> with which they may avoid touching any of the real, current, and
> pressing problems.

It has no authority, nor was there ever any notion that it would, as an entity, have authority. It really is that straightforward. Also, the WG has been increasingly active in recent years. The situation is far from perfect, in regards to abuse in general, again, it's about the right people/groups for the right jobs.

> So anyway, yes, if you wish to assert that I might in some ways be
> encouraging a more expansive view of the charter, mission, and goals of this
> WG, then I plead guilty as charged, however I throw myself upon the mercy
> of the court and ask for clemency on the basis of that fact that it is
> perhaps a natural mistake for an outsider to make to assume... apparently
> improperly... that a working group going by the name "Anti-Abuse" might
> actually wish to get its hands dirty from time to time, you know, by
> actually taking actual actions with respect to actual and ongoing instances
> of abuse, including instances which are already well and truly defined as
> such.

I think we might get quite circular at some point, but I do now certainly have a greater understanding of what you're talking about, which is most useful. I also don't think I'm going to have any answer in the short term that's going to please you.
Tobias and I will be working to produce an updated Charter for the WG's consideration soon, although I honestly doubt it will include the kind of activity you are specifically looking for.

Brian
Co-Chair, AA-WG

From lists-ripe at c4inet.net Fri Jun 21 17:14:33 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Fri, 21 Jun 2013 16:14:33 +0100
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <51C469A3.5020404@heanet.ie>
References: <83052.1371759070@server1.tristatelogic.com> <51C469A3.5020404@heanet.ie>
Message-ID: <20130621151433.GB64131@cilantro.c4inet.net>

Hi Brian,

On Fri, Jun 21, 2013 at 03:56:35PM +0100, Brian Nisbet wrote:
>I'm not sure about an untimely demise, per se. Neither the NCC nor the
>members of the NCC have any power over the WGs, but it would

Strictly speaking, the membership can, in Plenary, disband the WG. Also, ISTR a WG chair being "fired" in Plenary a few years ago...

rgds,
Sascha Luck

From brian.nisbet at heanet.ie Fri Jun 21 18:14:26 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 21 Jun 2013 17:14:26 +0100
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To:
References: <83052.1371759070@server1.tristatelogic.com> <51C469A3.5020404@heanet.ie> <20130621151433.GB64131@cilantro.c4inet.net>
Message-ID: <51C47BE2.3040100@heanet.ie>

Sascha/Nigel,

Nigel Titley wrote the following on 21/06/2013 17:03:
> Sascha
>
>>> I'm not sure about an untimely demise, per se. Neither the NCC nor the members
>>> of the NCC have any power over the WGs, but it would
>
>> Strictly speaking, the membership can, in Plenary, disband the WG.
>> Also, ISTR a WG chair being "fired" in Plenary a few years ago...
>
> Sorry to be pedantic, but the "membership" (usually understood to be the members of the RIPE NCC) have no power over a WG. I think you may mean the "community", which does.

Yes, this is why I explicitly stated the members of the NCC. The community is a whole different matter.
> And the WG chair who was fired (in Rome if I recall correctly) was actually fired by his own WG, not the plenary.

I believe that is a fair retelling of the incident.

Brian

From lists-ripe at c4inet.net Fri Jun 21 18:18:40 2013
From: lists-ripe at c4inet.net (Sascha Luck)
Date: Fri, 21 Jun 2013 17:18:40 +0100
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To:
References: <83052.1371759070@server1.tristatelogic.com> <51C469A3.5020404@heanet.ie> <20130621151433.GB64131@cilantro.c4inet.net>
Message-ID: <20130621161840.GC64131@cilantro.c4inet.net>

Hi Nigel,

On Fri, Jun 21, 2013 at 04:03:58PM +0000, Nigel Titley wrote:
>Sorry to be pedantic, but the "membership" (usually understood to be
>the members of the RIPE NCC) have no power over a WG. I think you may
>mean the "community", which does.

You're right of course, it's the community in Plenary.

>And the WG chair who was fired (in Rome if I recall correctly) was
>actually fired by his own WG, not the plenary.

I wasn't at the meeting, just watching the stream. I thought it was taken to the Plenary, but ICBW.

rgds,
Sascha Luck

From nigel.titley at easynet.com Fri Jun 21 18:03:58 2013
From: nigel.titley at easynet.com (Nigel Titley)
Date: Fri, 21 Jun 2013 16:03:58 +0000
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <20130621151433.GB64131@cilantro.c4inet.net>
References: <83052.1371759070@server1.tristatelogic.com> <51C469A3.5020404@heanet.ie> <20130621151433.GB64131@cilantro.c4inet.net>
Message-ID:

Sascha

>>I'm not sure about an untimely demise, per se. Neither the NCC nor the members
>>of the NCC have any power over the WGs, but it would

>Strictly speaking, the membership can, in Plenary, disband the WG.
>Also, ISTR a WG chair being "fired" in Plenary a few years ago...

Sorry to be pedantic, but the "membership" (usually understood to be the members of the RIPE NCC) have no power over a WG. I think you may mean the "community", which does.
And the WG chair who was fired (in Rome if I recall correctly) was actually fired by his own WG, not the plenary.

As always, I stand ready to be corrected

Nigel

From peter at hk.ipsec.se Fri Jun 21 18:56:18 2013
From: peter at hk.ipsec.se (peter h)
Date: Fri, 21 Jun 2013 18:56:18 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130621132007.GA64131@cilantro.c4inet.net>
References: <83157.1371760006@server1.tristatelogic.com> <201306211450.36538.peter@hk.ipsec.se> <20130621132007.GA64131@cilantro.c4inet.net>
Message-ID: <201306211856.18980.peter@hk.ipsec.se>

On Friday 21 June 2013 15.20, Sascha Luck wrote:
> On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
>
> >A few providers actually prevent spam. Those won't show up in listings.
> >To stay out of listings one has to be more than whining, one has to
> >actually prevent spam originating!
>
> Just for the avoidance of doubt, are you arguing for the scanning of the
> content of outgoing third-party email (aka Censorship) in order to avoid
> landing on some blocklist?
>
> rgds,
> Sascha Luck

I'm just saying that any provider that allows spam to flow out there is a large risk of getting on blocklists. There is a number of ways to prevent this happening, a good customer contract is a good start, surveillance of outbound mail another, blocking port 25 from customers' PCs a third. As I understand they did nothing of the sort - thus spam will happen.

( spammers are seeking unprotected PCs on sloppy ISP networks. When they find them they plant a trojan and start spewing spam. Preventing this in the first place is a good start. When spam is detected, isolation of affected PCs is another step)

Sending mail to my servers is not an inherent right, it's something that is granted on MY conditions. Same goes for my customers.

>
>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to repair mistakes. )

From ops.lists at gmail.com Sat Jun 22 01:23:02 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sat, 22 Jun 2013 04:53:02 +0530
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <20130621161840.GC64131@cilantro.c4inet.net>
References: <83052.1371759070@server1.tristatelogic.com> <51C469A3.5020404@heanet.ie> <20130621151433.GB64131@cilantro.c4inet.net> <20130621161840.GC64131@cilantro.c4inet.net>
Message-ID:

If that is the same case I am thinking of, it was quite strange that

1. The chair himself was not present at the meeting

2. The discussion to remove the co chair was raised during AOB, in overtime

3. Several prominent members normally active in various other wgs just happened (by pure chance, i take it) to be present, to quickly reach consensus that the chair be removed. Seeing all of them in the same room .. Well, I am not surprised that Sascha thought it was a plenary session.

Hopefully the wg has moved on from that, but I see the discussion has come full circle right back to that painful episode.

--srs

On Friday, June 21, 2013, Sascha Luck wrote:

> Hi Nigel,
> On Fri, Jun 21, 2013 at 04:03:58PM +0000, Nigel Titley wrote:
>
>> Sorry to be pedantic, but the "membership" (usually understood to be
>> the members of the RIPE NCC) have no power over a WG. I think you may
>> mean the "community", which does.
>>
>
> You're right of course, it's the community in Plenary.
>
>> And the WG chair who was fired (in Rome if I recall correctly) was
>> actually fired by his own WG, not the plenary.
>>
>
> I wasn't at the meeting, just watching the stream. I thought it was taken
> to the Plenary, but ICBW.
>
> rgds,
> Sascha Luck
>
>

--
--srs (iPad)
From bs at stepladder-it.com Mon Jun 24 13:03:38 2013
From: bs at stepladder-it.com (Benedikt Stockebrand)
Date: Mon, 24 Jun 2013 11:03:38 +0000
Subject: [anti-abuse-wg] central whois
In-Reply-To: (Suresh Ramasubramanian's message of "Thu, 20 Jun 2013 19:44:30 +0530")
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com>
Message-ID: <87zjuflqid.fsf@stepladder-it.com>

Hi Suresh and list,

Suresh Ramasubramanian writes:

> This is one of those one in a million type occurrences ..

so when Frank reasons that he doesn't want *any* spam to reach his customers, that's ok, but when I reason that making certain information too readily available to end users may increase the likelihood of some way more serious incidents it's a "one in a million type occurrence"? Sorry, I can't follow that reasoning.

> and given that your company is a listed one - so that contact
> information is available in a multitude of other places, that same
> death threat would probably have been phoned in to your office
> receptionist instead of your colleague, from whoever was crazy enough
> to make it.

What do you mean "would probably have"? It *has* been sent by e-mail. And as far as "crazy" goes: Being "crazy" doesn't make someone harmless.

> That does not sound like any kind of argument to do what you ask for
> .. and making it hard will simply add to the already extremely high
> quantum of abuse issues in the RIPE area.

Have you actually read beyond the first paragraph of my posting?

A few weeks ago a (kind of) colleague -- more of a developer -- who had detected rather persistent attacks against a customer's SIP server had his mails to abuse-c systematically ignored. When he resorted to legal means he was told "nobody here bothers to read those mails anyway" by the attacker's ISP.
Please explain to me why providing an excessively easy-to-use abuse interface won't cause such an increase in workload for the recipients of that list that it becomes impossible to handle.

Cheers,

Benedikt

--
Business Grade IPv6
Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/

From ripe-anti-spam-wg at powerweb.de Mon Jun 24 13:44:45 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Mon, 24 Jun 2013 13:44:45 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <87zjuflqid.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com>
Message-ID: <51C8312D.6070208@powerweb.de>

Benedikt Stockebrand wrote:
> Hi Suresh and list,
>
> Please explain to me why providing an excessively easy-to-use abuse
> interface won't cause such an increase in workload for the recipients of
> that list that it becomes impossible to handle.

That's the wrong starting point.

If some resource holder is not willing to reduce abuse coming from his networks, there's nothing we can do. And it will not harm him to publish his abuse contact in a central space, he's not reading the abuse reports anyway ...

If they ARE willing, but have a heavy workload with these abuse reports, what about the resource holder securing his networks to reduce the abuse? This will reduce his workload and the mails he receives ASAP. And if there's no more abuse originating from his networks, he will not care if his abuse address is being published at a central space.

Once he maybe reaches a point where he has no leaks in his networks anymore and is very happy to receive reports as quickly as possible to close new security leaks ...
Kind regards, Frank

>
> Cheers,
>
> Benedikt
>

From ops.lists at gmail.com Mon Jun 24 18:18:09 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 24 Jun 2013 21:48:09 +0530
Subject: [anti-abuse-wg] central whois
In-Reply-To: <87zjuflqid.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com>
Message-ID:

On Jun 24, 2013 4:34 PM, "Benedikt Stockebrand" wrote:
> customers, that's ok, but when I reason that making certain information
> too readily available to end users may increase the likelihood of some way

That same information, that is, contact information about your company, is absolutely not available elsewhere? Any maniac out to issue a death threat may well use any other way to deliver that threat, rather than a ripe whois contact address

> more serious incidents it's a "one in a million type occurrence"?
> Sorry, I can't follow that reasoning

After having worked on and managed large isp abuse desks for millions of users for about fifteen + years, I regret to report that I have yet to receive any death threats. OK, maybe that one Nigerian in 2004 who wanted to practice voodoo on me after I killed some extremely high value accounts of his (the sort used higher up the food chain of a scam).

> his mails to abuse-c systematically ignored. When he resorted to legal
> means he was told "nobody here bothers to read those mails anyway" by
> the attacker's ISP.

One incompetent or complicit isp.. Rather more common than death threats or voodoo curses, but still no reason to suppress this information

--srs

From ml at vdspek.org Tue Jun 25 09:18:10 2013
From: ml at vdspek.org (Olaf van der Spek)
Date: Tue, 25 Jun 2013 09:18:10 +0200
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
Message-ID:

Hi,

Whois seems to say it's Charter Communications, abuse at charter.net.
But if I mail them, they say:

This email address is for reporting incidents of abuse coming from IP addresses registered to Charter Communications. Abuse from IP addresses not registered to Charter Communications should be directed to the registered owners of the IP address in question.

The following link should be of assistance in locating the organization responsible for the IP address:

http://www.arin.net/whois

Thank you,

Charter High-Speed Internet Security Team

# # #

From: Olaf van der Spek
To: abuse at charter.net
Date: Tue, 25 Jun 2013 09:11:38 +0200
Subject: DDoS Attack from 24.205.98.101

--
Olaf

From corebug at corebug.net Tue Jun 25 09:38:15 2013
From: corebug at corebug.net (Виталий Туровец)
Date: Tue, 25 Jun 2013 10:38:15 +0300
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
References:
Message-ID:

Charter Communications CHARWR (NET-24-205-0-0-1) 24.205.0.0 - 24.205.255.255
Charter Communications CHAR-PAS-205-76-99 (NET-24-205-76-0-1) 24.205.76.0 - 24.205.99.255

2013/6/25 Olaf van der Spek
> Hi,
>
> Whois seems to say it's Charter Communications, abuse at charter.net.
> But if I mail them, they say:
>
> This email address is for reporting incidents of abuse coming from IP
> addresses registered to Charter Communications. Abuse from IP addresses
> not registered to Charter Communications should be directed to the
> registered owners of the IP address in question.
>
> The following link should be of assistance in locating the organization
> responsible for the IP address:
>
> http://www.arin.net/whois
>
> Thank you,
>
> Charter High-Speed Internet Security Team
>
> # # #
>
> From: Olaf van der Spek
> To: abuse at charter.net
> Date: Tue, 25 Jun 2013 09:11:38 +0200
> Subject: DDoS Attack from 24.205.98.101
>
> --
> Olaf
>

--
~~~
WBR,
Vitaliy Turovets
NOC Lead @TV-Net ISP
+38(093)265-70-55
VITU-RIPE
X-NCC-RegID: ua.tv

From gnitzsche at netcologne.de Tue Jun 25 09:46:06 2013
From: gnitzsche at netcologne.de (Gunther Nitzsche)
Date: Tue, 25 Jun 2013 09:46:06 +0200
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
References:
Message-ID: <51C94ABE.6040806@netcologne.de>

On 25.06.2013 09:18, Olaf van der Spek wrote:
> Hi,
>
> Whois seems to say it's Charter Communications, abuse at charter.net.
> But if I mail them, they say:
>
> This email address is for reporting incidents of abuse coming from IP
> addresses registered to Charter Communications. Abuse from IP addresses
> not registered to Charter Communications should be directed to the
> registered owners of the IP address in question.
>
> The following link should be of assistance in locating the organization
> responsible for the IP address:
>
> http://www.arin.net/whois
>
> Thank you,
>
> Charter High-Speed Internet Security Team
>
> # # #
>
> From: Olaf van der Spek
> To: abuse at charter.net
> Date: Tue, 25 Jun 2013 09:11:38 +0200
> Subject: DDoS Attack from 24.205.98.101
>

They respond this to every complaint I send - no matter which ip-range is involved. It's just a broken abuse-desk ..

Gunther
NetCologne Systemadministration

--
NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9 ; 50829 Köln
Geschäftsführer: Dr. Hans Konle (Sprecher), Dipl.-Kfm. Mario Wilhelm, Dipl.-Ing. Karl-Heinz Zankel
Vorsitzender des Aufsichtsrates: Dr. Andreas Cerbe
HRB 25580, AG Köln

From Woeber at CC.UniVie.ac.at Tue Jun 25 10:00:43 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Tue, 25 Jun 2013 10:00:43 +0200
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
References:
Message-ID: <51C94E2B.8010901@CC.UniVie.ac.at>

Excerpt from RFC3330 (Special-Use IPv4 Addresses, page 2):

24.0.0.0/8 - This block was allocated in early 1996 for use in provisioning IP service over cable television systems. Although the IANA initially was involved in making assignments to cable operators, this responsibility was transferred to American Registry for Internet Numbers (ARIN) in May 2001. Addresses within this block are assigned in the normal manner and should be treated as such.

Just feed the following into the web-whois at https://apps.db.ripe.net/search/

-rBTinetnum -m 24.0.0.0/8

into the search field and tick the "all" box in the *Global resource Service beta*

Hth,
Wilfried.

PS: for the Internet Archeologists - iirc, back then this was the interesting case of the cable "NET24" allocation, made outside the RIR system :-)

From Woeber at CC.UniVie.ac.at Tue Jun 25 10:08:38 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Tue, 25 Jun 2013 10:08:38 +0200
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
References:
Message-ID: <51C95006.4090506@CC.UniVie.ac.at>

Olaf van der Spek wrote:
> Hi,
>
> Whois seems to say it's Charter Communications,

revDNS seems to agree:

...
15 225 ms 225 ms 226 ms 24-205-98-101.static.reno.nv.charter.com [24.205.98.101]

-ww

From rfg at tristatelogic.com Tue Jun 25 12:04:01 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 03:04:01 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51C437AF.1080300@heanet.ie>
Message-ID: <46543.1372154641@server1.tristatelogic.com>

My apologies to everyone.
I had intended to respond to the last few messages in this thread several days ago, but I've been preoccupied with other matters until now.

I want to respond only very briefly to one thing that Brian said, and then I want to put forward three very simple proposals. I know that I have already been far too verbose, so I shall try now to be brief.

In message <51C437AF.1080300 at heanet.ie>, Brian Nisbet wrote:

>>> Of course in amongst all of this I would suspect if the resources were
>>> handed out, there would be a lot of depeering and null routing going on
>>> in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
>>
>> Once again, based upon the available evidence, I would claim that it
>> would in fact be improbable that any substantial amount of depeering
>> and/or null routing would occur, in practice. It is a classic "tragedy
>> of the commons" problem, and no operator would wish to have to explain
>> to its user base why they, end end lusers, can no longer send e-mail to
>> their cousins in Grand Fenwick.
>
>I'm not sure, Spamhaus were quite happy to block Latvia for a far
>smaller reason. I think if it was a mandated activity for all citizens
>the reaction of the international community might be interesting.

For once I am at a loss for words.

Let me just say that I really feel that it would be... and perhaps even is currently... utterly wrong for the Internet and all actual and at least somewhat transparent and/or democratic authorities thereof, to completely defer, for the ongoing maintenance of order and sanity on the Internet, to Spamhaus. To say that that organization is imperfect would be an understatement. They miss much. And more to the point, Spamhaus is, in my estimation anyway, about as non-transparent in their policies, their operations, and their records as it is possible to be. Furthermore, deferring to them entirely for the enforcement of accepted norms is, and would be, in my opinion, just another kind of abdication.
I believe that we can do better.

To that end, I have three small proposals:

1) That the charter of the RIPE Anti-Abuse working group be amended so as to make abundantly clear that whenever any two or more members of the WG bring to the attention of the chair that there may exist some specific allocation of number resources which either is no longer valid, or which may never have been actually valid to begin with, (based upon currently accepted criteria for number resource allocation within the RIPE region) then the WG chair will be obliged to undertake a preliminary informal inquiry, including public discussion on the mailing list, as and when that may be useful, and that following this initial informal inquiry, if, in the opinion of that chair, there exists some reasonable basis for believing that the number resource allocation(s) in question may indeed no longer be valid, then the chair is further obligated to formally report this fact to RIPE NCC, along with a formal request from the WG to RIPE NCC, that RIPE NCC immediately undertake a usual and customary audit of the allocation(s) in question, and the justification thereof.

2) That the charter of RIPE itself be amended to stipulate, explicitly, that in any case in which the Anti-Abuse Working Group chair has made a formal request, to RIPE NCC, on behalf of the WG, for an audit to determine whether or not a given number resource allocation is or is not currently valid, that RIPE NCC is obliged by such a request to actually conduct the requested audit, and to do so in a timely fashion.

3) That the precise criteria used by RIPE NCC to justify each possible different kind of number resource allocation, either initially or during any post-allocation audit, be made public in its entirety if it is not so already.
I make the above three proposals with an understanding that what is politically possible at the present time with respect to most forms of what I suspect we would all agree constitutes "network abuse" is at best minimal. There is clearly little appetite to turn either this WG or RIPE NCC into a functioning police force in any sense, and certainly not with respect to matters that are not even universally accepted as "abuse".

Nonetheless, there does exist a massive problem with so-called "snowshoe" spammers getting ahold of really big chunks of IPv4 address space... which they then waste in a truly massive and almost obscene way... and also there is a problem with crooks who either want to lay their hands on vast tracts of IPv4 address space for so-called "black-hat SEO" purposes, or who have already done so. As I understand it, RIPE allocation policies _already_ place most or all of this activity outside of the established RIPE rules and framework for allocations. So to combat at least these few limited forms of "network abuse" it now seems that all we need is an accepted process by which the pre-existing process known as a "RIPE NCC audit" can be triggered, in deserving cases, many of which are already known to, or are likely in future to come to the attention of members of this working group and participants on this mailing list.

Regards,
rfg

From rfg at tristatelogic.com Tue Jun 25 12:15:34 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 03:15:34 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
Message-ID: <46601.1372155334@server1.tristatelogic.com>

In message <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD at E2010-MBX04.exchange2010.nl>, Erik Bais wrote:

>For those that want to read up on what actually happened on that specific
>incident in Latvia (July/August 2010), have a read on the following open
>letter from CERT.lv
>
>https://cert.lv/uploads/uploads/OpenLetter.pdf

Although generally speaking I virtually never take issue with Spamhaus' rationale on those rare occasions when they actually work up the gumption to actually list somebody, let alone on those even rarer occasions when they elect to escalate a listing to relevant providers, I will say that regardless of whether I personally might agree or disagree with what Spamhaus did in this case, I am not persuaded that many would, after reading the published reports of this event, characterize this as Spamhaus' finest hour.

It would be better, I think, if RIPE would be more pro-active in dealing with its own dirty laundry, rather than waiting around and relying on Spamhaus, who, as spammers are always eager to point out, nobody elected, to take out the garbage. But as I said in my prior posting, that just does not seem to be in the cards, politically, at the present time.

Regards,
rfg

From rfg at tristatelogic.com Tue Jun 25 12:30:16 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 03:30:16 -0700
Subject: [anti-abuse-wg] Authorities, or lack thereof
In-Reply-To: <51C469A3.5020404@heanet.ie>
Message-ID: <46695.1372156216@server1.tristatelogic.com>

In message <51C469A3.5020404 at heanet.ie>, Brian Nisbet wrote:

>>> The WG can of course make the NCC aware of a bad operator
>>
>> With what effect, exactly? To what end? Do you see what I mean?
>> If such information transmission (to NCC) occurs, and if no allocations ever change
>> as a result, then what was the point?
>
>I do see what you mean, but I was answering the questions you asked.
>Without a policy change, likely agreed to by the NCC membership (which
>opens up a whole different can of stakeholder interaction worms) there
>would be no automatic action. However such a notification may trigger an
>audit and the NCC's only processes, which may in turn lead to action
>under the procedures as currently documented.

In case anyone missed it, it was exactly the above snippet from the discussion that Brian and I have been having here on the list that prompted my set of three proposals.

I am forced to agree that it appears, even to me, that it is rather unlikely that the RIPE membership would vote _anybody_ the authority to simply kick a given person or company out of RIPE altogether, EVEN IF all available evidence points to said party being the absolute scum of the earth (and guilty of hacking, cracking, spamming, running botnets and generally being a menace to all of mankind). I wish this were not true, but at present it appears that it is. So consider _that_ idea tabled (please).

But just as Brian said, there is the established NCC audit process. Presumably, within that process any party undergoing an audit receives a full and fair review, and an opportunity to be heard... or what we here in the states call "due process". It does not seem unreasonable to begin such a process in cases where there exists probable cause to believe that some party has broken the already established rules relating to allocations and their justifications.

Regards,
rfg

From rfg at tristatelogic.com Tue Jun 25 12:35:56 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 03:35:56 -0700
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
Message-ID: <46763.1372156556@server1.tristatelogic.com>

In message Olaf van der Spek wrote:

>From: Olaf van der Spek
>To: abuse at charter.net
>Date: Tue, 25 Jun 2013 09:11:38 +0200
>Subject: DDoS Attack from 24.205.98.101

I can't help but be curious... How exactly does a DISTRIBUTED Denial Of Service attack manage to originate from one single IP address?

Regards,
rfg

P.S. Having myself been a victim of a reflection mailbomb attack in the distant past, let me just say that I _do_ know how _that_ sort of thing works, so please don't anybody waste a lot of electrons trying to explain _that_ to me. Thanks

From rfg at tristatelogic.com Tue Jun 25 12:39:37 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 03:39:37 -0700
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To: <51C94ABE.6040806@netcologne.de>
Message-ID: <46795.1372156777@server1.tristatelogic.com>

In message <51C94ABE.6040806 at netcologne.de>, Gunther Nitzsche wrote:

>They respond this to every complaint I send - no matter
>which ip-range is involved. It's just a broken abuse-desk ..

Don't take it personally. Large cable companies treat even their own customers like shit also. And you probably aren't even sending them checks every month.

Regards,
rfg

From brian.nisbet at heanet.ie Tue Jun 25 12:56:25 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 25 Jun 2013 11:56:25 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <46543.1372154641@server1.tristatelogic.com>
References: <46543.1372154641@server1.tristatelogic.com>
Message-ID: <51C97759.7040506@heanet.ie>

Ronald F. Guilmette wrote the following on 25/06/2013 11:04:
> My apologies to everyone. I had intended to respond to the last few
> messages in this thread several days ago, but I've been preoccupied
> with other matters until now.
>
> I want to respond only very briefly to one thing that Brian said, and
> then I want to put forward three very simple proposals. I know that I
> have already been far too verbose, so I shall try now to be brief.

And I, in turn, am just going to respond to one comment below which I think stems from a misunderstanding of something I may have badly phrased. The three proposals I will, of course, comment on, but I just want to clear up the misunderstanding first.

>
> In message <51C437AF.1080300 at heanet.ie>,
> Brian Nisbet wrote:
>
>>>> Of course in amongst all of this I would suspect if the resources were
>>>> handed out, there would be a lot of depeering and null routing going on
>>>> in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
>>>
>>> Once again, based upon the available evidence, I would claim that it
>>> would in fact be improbable that any substantial amount of depeering
>>> and/or null routing would occur, in practice. It is a classic "tragedy
>>> of the commons" problem, and no operator would wish to have to explain
>>> to its user base why they, end end lusers, can no longer send e-mail to
>>> their cousins in Grand Fenwick.
>>
>> I'm not sure, Spamhaus were quite happy to block Latvia for a far
>> smaller reason. I think if it was a mandated activity for all citizens
>> the reaction of the international community might be interesting.
>
> For once I am at a loss for words.
>
> Let me just say that I really feel that it would be... and perhaps even
> is currently... utterly wrong for the Internet and all actual and at
> least somewhat transparent and/or democratic authorities thereof, to
> completely defer, for the ongoing maintenance of order and sanity on
> the Internet, to Spamhaus. To say that that organization is imperfect
> would be an understatement. They miss much.
> And more to the point,
> Spamhaus is, in my estimation anyway, about as non-transparent in their
> policies, their operations, and their records as it is possible to be.
> Furthermore, deferring to them entirely for the enforcement of accepted
> norms is, and would be, in my opinion, just another kind of abdication.
> I believe that we can do better.

I was not suggesting that Spamhaus were necessarily the appropriate people to do this. As I mentioned in another mail this was an overly glib comment meant to suggest that people had reacted in the past. My point was rather that I'd be interested to see what the international reaction to such a situation would be, not that I think the international reaction would be to hand over full "policing" powers to Spamhaus.

I am *very* much a fan of transparency, the more of it the better.

Brian

From ripe-anti-spam-wg at powerweb.de Tue Jun 25 12:58:07 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Tue, 25 Jun 2013 12:58:07 +0200
Subject: [anti-abuse-wg] audit proposals
In-Reply-To: <46543.1372154641@server1.tristatelogic.com>
References: <46543.1372154641@server1.tristatelogic.com>
Message-ID: <51C977BF.1090908@powerweb.de>

Ronald F. Guilmette wrote:

Sounds like a good start ... but I doubt if this should be the job of the anti-abuse-wg or its chair.

I would rather prefer if there were somebody at the RIPE NCC having this job, and setting up another wg mailing list (like abuse-audit at ripe.net) ...

I personally do not like to be flooded with discussions about specific networks that might or might not be audited again ...
If this gets changed, I'm +1

Kind regards, Frank

> To that end, I have three small proposals:
>
> 1) That the charter of the RIPE Anti-Abuse working group be amended
> so as to make abundantly clear that whenever any two or more members
> of the WG bring to the attention of the chair that there may exist
> some specific allocation of number resources which either is no longer
> valid, or which may never have been actually valid to begin with,
> (based upon currently accepted criteria for number resource allocation
> within the RIPE region) then the WG chair will be obliged to undertake
> a preliminary informal inquiry, including public discussion on the
> mailing list, as and when that may be useful, and that following this
> initial informal inquiry, if, in the opinion of that chair, there
> exists some reasonable basis for believing that the number resource
> allocation(s) in question may indeed no longer be valid, then the
> chair is further obligated to formally report this fact to RIPE NCC,
> along with a formal request from the WG to RIPE NCC, that RIPE NCC
> immediately undertake a usual and customary audit of the allocation(s)
> in question, and the justification thereof.
>
> 2) That the charter of RIPE itself be amended to stipulate, explicitly,
> that in any case in which the Anti-Abuse Working Group chair has made
> a formal request, to RIPE NCC, on behalf of the WG, for an audit to
> determine whether or not a given number resource allocation is or is
> not currently valid, that RIPE NCC is obliged by such a request to
> actually conduct the requested audit, and to do so in a timely fashion.
>
> 3) That the precise criteria used by RIPE NCC to justify each possible
> different kind of number resource allocation, either initially or
> during any post-allocation audit, be made public in its entirety if
> it is not so already.
>
> I make the above three proposals with an understanding that what is
> politically possible at the present time with respect to most forms of
> what I suspect we would all agree constitutes "network abuse" is at best
> minimal. There is clearly little appetite to turn either this WG or
> RIPE NCC into a functioning police force in any sense, and certainly
> not with respect to matters that are not even universally accepted as
> "abuse".
>
> Nonetheless, there does exist a massive problem with so-called "snowshoe"
> spammers getting ahold of really big chunks of IPv4 address space... which
> they then waste in a truly massive and almost obscene way... and also
> there is a problem with crooks who either want to lay their hands on vast
> tracts of IPv4 address space for so-called "black-hat SEO" purposes, or
> who have already done so. As I understand it, RIPE allocation policies
> _already_ place most or all of this activity outside of the established
> RIPE rules and framework for allocations. So to combat at least these
> few limited forms of "network abuse" it now seems that all we need is
> an accepted process by which the pre-existing process known as a "RIPE
> NCC audit" can be triggered, in deserving cases, many of which are already
> known to, or are likely in future to come to the attention of members of
> this working group and participants on this mailing list.
>
>
> Regards,
> rfg
>

From ops.lists at gmail.com Tue Jun 25 13:18:44 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 25 Jun 2013 16:48:44 +0530
Subject: [anti-abuse-wg] audit proposals
In-Reply-To: <51C977BF.1090908@powerweb.de>
References: <46543.1372154641@server1.tristatelogic.com> <51C977BF.1090908@powerweb.de>
Message-ID:

Entirely depends on the audit's conclusions.

1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.

2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting".
stop" :)

On Tuesday, June 25, 2013, Frank Gadegast wrote:
> Ronald F. Guilmette wrote:
>
> Sounds like a good start ... but I doubt if this should
> be the job of the anti-abuse-wg or its chair.
>
> I would rather prefer if there were somebody
> at the RIPE NCC having this job, and setting up
> another wg mailing list (like abuse-audit at ripe.net) ...
>
> I personally do not like to be flooded with
> discussions about specific networks that
> might or might not be audited again ...
>
> If this gets changed, I'm +1
>

--
--srs (iPad)

From peter at hk.ipsec.se Tue Jun 25 15:37:57 2013
From: peter at hk.ipsec.se (peter h)
Date: Tue, 25 Jun 2013 15:37:57 +0200
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
In-Reply-To:
References:
Message-ID: <201306251537.57757.peter@hk.ipsec.se>

On Tuesday 25 June 2013 09.18, Olaf van der Spek wrote:
> Hi,
>
> Whois seems to say it's Charter Communications, abuse at charter.net.
> But if I mail them, they say:
>
> This email address is for reporting incidents of abuse coming from IP
> addresses registered to Charter Communications. Abuse from IP addresses
> not registered to Charter Communications should be directed to the
> registered owners of the IP address in question.

If the abuse "function" doesn't work, I suggest that blocking this range will work.

If and when Charter decides that their customers should have full access they should start with a working abuse staff (and some more). Until then, we can manage without them.

> # # #
>
> From: Olaf van der Spek
> To: abuse at charter.net
> Date: Tue, 25 Jun 2013 09:11:38 +0200
> Subject: DDoS Attack from 24.205.98.101
>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From rezaf at mindspring.com Tue Jun 25 16:07:37 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Tue, 25 Jun 2013 10:07:37 -0400 (GMT-04:00)
Subject: [anti-abuse-wg] Who owns 24.205.98.101?
Message-ID: <19821080.1372169258167.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

Hello Peter,

The Whois information clearly shows this IP to be part of Charter Communications network:

NetRange: 24.205.76.0 - 24.205.99.255
CIDR: 24.205.96.0/22, 24.205.80.0/20, 24.205.76.0/22
OriginAS:
NetName: CHAR-PAS-205-76-99
NetHandle: NET-24-205-76-0-1
Parent: NET-24-205-0-0-1
NetType: Reallocated
RegDate: 2001-09-30
Updated: 2003-08-27
Ref: http://whois.arin.net/rest/net/NET-24-205-76-0-1

OrgName: Charter Communications
OrgId: CC04
Address: 12405 Powerscourt Dr.
City: St. Louis
StateProv: MO
PostalCode: 63131
Country: US
RegDate:
Updated: 2012-07-03
Ref: http://whois.arin.net/rest/org/CC04

OrgTechHandle: IPADD1-ARIN
OrgTechName: IPAddressing
OrgTechPhone: +1-314-288-3889
OrgTechEmail: ipaddressing at chartercom.com
OrgTechRef: http://whois.arin.net/rest/poc/IPADD1-ARIN

OrgAbuseHandle: ABUSE19-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-314-288-3111
OrgAbuseEmail: abuse at charter.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE19-ARIN

OrgNOCHandle: NNOC16-ARIN
OrgNOCName: National Network Operations Center
OrgNOCPhone: +1-314-288-3111
OrgNOCEmail: dlnocip at chartercom.com
OrgNOCRef: http://whois.arin.net/rest/poc/NNOC16-ARIN

++++

So, I do not understand why they are telling you otherwise.

I have copied the responsible parties at Charter Communication so that they could investigate this matter further.

Thank you,

Reza Farzan

******************

-----Original Message-----
>From: peter h
>Sent: Jun 25, 2013 9:37 AM
>To: anti-abuse-wg at ripe.net
>Subject: Re: [anti-abuse-wg] Who owns 24.205.98.101?
>
>On Tuesday 25 June 2013 09.18, Olaf van der Spek wrote:
>> Hi,
>>
>> Whois seems to say it's Charter Communications, abuse at charter.net.
>> But if I mail them, they say:
>>
>> This email address is for reporting incidents of abuse coming from IP addresses registered to Charter Communications. Abuse from IP addresses not registered to Charter Communications should be directed to the registered owners of the IP address in question.
>
>If the abuse "function" doesn't work, I suggest that blocking this range will work.
>
>If and when Charter decides that their customers should have full access they should start with a working abuse staff ( and some more ). Until then, we can manage without them.
>
> # # #
>>
>> From: Olaf van der Spek
>> To: abuse at charter.net
>> Date: Tue, 25 Jun 2013 09:11:38 +0200
>> Subject: DDoS Attack from 24.205.98.101
>>
>
>--
> Peter Håkanson
>
> There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
> ( It is cheaper to do it right. It is expensive to fix mistakes. )
>

From pk at DENIC.DE Tue Jun 25 17:01:36 2013
From: pk at DENIC.DE (Peter Koch)
Date: Tue, 25 Jun 2013 17:01:36 +0200
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <51C33373.5000501@heanet.ie>
References: <51C33373.5000501@heanet.ie>
Message-ID: <20130625150136.GK25143@x28.adm.denic.de>

On Thu, Jun 20, 2013 at 05:53:07PM +0100, Brian Nisbet wrote:
> There has been very little discussion on the below and there is just under a week remaining in the discussion phase. So, now is your time to talk about it!

you asked for it. The policy text needs a copy edit - "publicly published" is confusingly confusing.

> >-rewording of the section 1.0

I believe this part makes sense, except that it doesn't clearly state that the resolution time ought to be part of the statistics, as well. I'm not convinced that we need a policy for this, though.

> >-new section 2.0 and consequent renumbering of the other sections

This part is worrying.
First because it defers details to the implementation and second because it suggests to give the reporting party unconditional access to an unspecified level of detail. What's the legitimate interest of the reporting party in monitoring the progress? What level of detail is envisioned? Without that being specified (and available for review) I do not support the progress of this proposal.

-Peter

From sander at steffann.nl Tue Jun 25 20:44:45 2013
From: sander at steffann.nl (Sander Steffann)
Date: Tue, 25 Jun 2013 20:44:45 +0200
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <20130625150136.GK25143@x28.adm.denic.de>
References: <51C33373.5000501@heanet.ie> <20130625150136.GK25143@x28.adm.denic.de>
Message-ID: <451DA72E-5ABD-43D5-9F42-724CEF296B36@steffann.nl>

Hi Peter,

>> There has been very little discussion on the below and there is just under a week remaining in the discussion phase. So, now is your time to talk about it!
>
> you asked for it. The policy text needs a copy edit - "publicly published" is confusingly confusing.

:-)

>>> -rewording of the section 1.0
>
> I believe this part makes sense, except that it doesn't clearly state that the resolution time ought to be part of the statistics, as well.

+1

> I'm not convinced that we need a policy for this, though.

Usually I would agree with you and keep operational stuff out of policy-land, but in this case I think having a community-defined policy on openness / stats about how the NCC is handling violations of the policies *we* defined is better.

>>> -new section 2.0 and consequent renumbering of the other sections
>
> This part is worrying. First because it defers details to the implementation and second because it suggests to give the reporting party unconditional access to an unspecified level of detail.

Can you suggest text for where the limits should be?
I would personally agree to a very limited level of detail, but I agree that this is not clear in the current proposal text.

> What's the legitimate interest of the reporting party in monitoring the progress?

In the current situation reporting parties don't see anything, which gives the feeling that all such reports disappear into a black hole. If we want to keep (or restore) community involvement in the care-taking of our shared resources then showing those that care enough to report problems that we (community+NCC) take their input seriously is important. We need to provide some feedback for this. I certainly don't mean to show all the (potentially confidential) detail of how the report is handled. Maybe an appropriate list of progress states can be defined?

> What level of detail is envisioned? Without that being specified (and available for review) I do not support the progress of this proposal.

Please provide text.

Thanks,
Sander

From rfg at tristatelogic.com Tue Jun 25 21:33:58 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 12:33:58 -0700
Subject: [anti-abuse-wg] audit proposals
In-Reply-To: <51C977BF.1090908@powerweb.de>
Message-ID: <49896.1372188838@server1.tristatelogic.com>

In message <51C977BF.1090908 at powerweb.de>, Frank Gadegast wrote:

>Ronald F. Guilmette wrote:
>
>Sounds like a good start ... but I doubt if this should be the job of the anti-abuse-wg or its chair.
>
>I would rather prefer, if there would be somebody at the RIPE NCC having this job, and setting up another wg mailing list (like abuse-audit at ripe.net) ...
>
>I personally do not like to be flooded with discussions about specific networks, that might or might not be audited again ...
>
>If this gets changed, I'm +1

I can understand the concern, so yes, I personally wouldn't have any objection to there being a separate mailing list for discussions of issues with specific networks or, as I put it, specific allocations.
(I can easily imagine that there might exist some cases in which there are noticeable problems with some specific allocation that are not really problems for the relevant AS as a whole.)

Regards,
rfg

From rfg at tristatelogic.com Tue Jun 25 21:38:10 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 25 Jun 2013 12:38:10 -0700
Subject: [anti-abuse-wg] audit proposals
Message-ID: <49939.1372189090@server1.tristatelogic.com>

In message Suresh Ramasubramanian wrote:

>Entirely depends on the audit's conclusions.
>
>1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.
>
>2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting". stop"
>
>:)

I'm not grasping whatever point you were making Suresh. Can I ask you to please take another whack at it?

Were you saying that the current audit NCC policies would in fact "stop" an audit (and declare everything acceptable?) upon learning that the target of the audit is merely a properly registered company?

Regards,
rfg

From ops.lists at gmail.com Wed Jun 26 00:32:15 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 04:02:15 +0530
Subject: [anti-abuse-wg] audit proposals
In-Reply-To: <49939.1372189090@server1.tristatelogic.com>
References: <49939.1372189090@server1.tristatelogic.com>
Message-ID:

Just a scenario. Which may be totally off the wall, to be sure.

--srs (htc one x)

On 26-Jun-2013 1:08 AM, "Ronald F. Guilmette" wrote:
>
> In message <CAArzuosEHQ6RYqnGwXWuCbGzuvqwEk9iH-tis948AcU00iL+fA at mail.gmail.com> Suresh Ramasubramanian wrote:
>
> >Entirely depends on the audit's conclusions.
> >
> >1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.
> >
> >2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting". stop"
> >
> >:)
>
> I'm not grasping whatever point you were making Suresh.
> Can I ask you to please take another whack at it?
>
> Were you saying that the current audit NCC policies would in fact "stop" an audit (and declare everything acceptable?) upon learning that the target of the audit is merely a properly registered company?
>
>
> Regards,
> rfg
>
>

From Woeber at CC.UniVie.ac.at Wed Jun 26 14:44:08 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Wed, 26 Jun 2013 14:44:08 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>
Message-ID: <51CAE218.8000607@CC.UniVie.ac.at>

Erik Bais wrote:
[...]
> For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
>
> https://cert.lv/uploads/uploads/OpenLetter.pdf

And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.

Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...

> Erik Bais

Wilfried.

From ops.lists at gmail.com Wed Jun 26 15:06:01 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 18:36:01 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAE218.8000607@CC.UniVie.ac.at>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID:

There are of course multiple sides to that story as well.
Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.

http://www.spamhaus.org/organization/statement/7/

--srs

On Wednesday, June 26, 2013, Wilfried Woeber wrote:
> Erik Bais wrote:
> [...]
> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
> >
> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
>
> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>
> > Erik Bais
>
> Wilfried.
>
>

--
--srs (iPad)

From peter at hk.ipsec.se Wed Jun 26 15:20:13 2013
From: peter at hk.ipsec.se (peter h)
Date: Wed, 26 Jun 2013 15:20:13 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAE218.8000607@CC.UniVie.ac.at>
References: <83157.1371760006@server1.tristatelogic.com> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID: <201306261520.13689.peter@hk.ipsec.se>

On Wednesday 26 June 2013 14.44, Wilfried Woeber wrote:
> Erik Bais wrote:
> [...]
> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
> >
> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> And this actually wasn't the only or the first "incident" with Spamhaus.
> They also tried similar *piep*^Wbullying against NIC.at before.
>
> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>
> > Erik Bais
>
> Wilfried.
>

This has nothing to do with any local laws. Spamhaus runs a list of "bad senders"; other people use this list ON THEIR OWN MAILSERVERS. If one wants to stay out of the Spamhaus list then don't send spam or allow abuse; if you do like to allow spam flowing, you will get on a number of lists.

>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )

From simon-lists at ldml.com Wed Jun 26 15:37:35 2013
From: simon-lists at ldml.com (Simon Forster)
Date: Wed, 26 Jun 2013 14:37:35 +0100
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAE218.8000607@CC.UniVie.ac.at>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID:

As I'm about to shout "disclosure" at someone, I had better mention that I'm affiliated with Spamhaus. I have no input / control / influence whatsoever on the listings side of things but I do work for a Spamhaus entity.

On 26 Jun 2013, at 13:44, Wilfried Woeber wrote:
> Erik Bais wrote:
> [...]
>> For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
>>
>> https://cert.lv/uploads/uploads/OpenLetter.pdf

This snippet brought to us by Erik Bais.

Is this the same Erik Bais who filed a complaint with the Dutch police against Spamhaus in October 2011 <http://www.theregister.co.uk/2011/10/13/dutch_isp_accuses_spamhaus/>?

The MD of A2B who was providing connectivity to "German ISP Cyberbunker, aka CB3ROB"?

With CyberBunker being heavily implicated in the recent DDoS attack against Spamhaus.
Heavily in as much as "Sven Olaf Kamphuis, a vocal spokesman for CyberBunker, was arrested at the request of Dutch authorities near Barcelona by Spanish Police after collaboration through Eurojust" <http://en.wikipedia.org/wiki/CyberBunker>.

Sir, I question your motives for bringing this up.

> And this actually wasn't the only or the first "incident" with Spamhaus.
> They also tried similar *piep*^Wbullying against NIC.at before.
>
> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...

Spamhaus is an organisation which publishes reputation datasets for users to do with as they wish. Many users wish to block inbound email based on Spamhaus' datasets. That's Spamhaus' users' prerogative. No pressure is exerted to use the lists.

There are no fees charged for the removal of an entity from a Spamhaus blocklist - the problem which initiated the listing simply needs to have been resolved.

The Spamhaus datasets consist of reputation lists - which is to say an entity's (Spamhaus') opinion as to the reputation of certain properties (IPs and domains). Third party, independent reports are used in any number of different industries to help organisations arrive at best possible decisions. In what way is this significantly different?

Extortion or bullying is not being applied. Laws are not being broken - whatever spin people may try to put on this.

Spamhaus' reputation lists have been published for over a decade now. Over that time some traction has built up to the point that slightly shy of two billion email accounts are protected (directly, indirectly or via derivative products) by the Spamhaus datasets. Such longevity and market acceptance has not been forced on anyone. Spamhaus simply does a damn good job and has done so for many years.
Simon

From ops.lists at gmail.com Wed Jun 26 16:04:04 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 19:34:04 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID:

Ok. So, I don't work for Spamhaus and only use them to filter mail at work. Obviously, I don't speak for my employer either, just for myself.

The three cases in this thread aren't related except that there are two problems : criminals as customers, and a disinclination to, possibly based on their interpretation of their country's laws, get these customers removed.

A more recent case, the Virut botnet, is interesting as other ccTLDs operating in the EU (Poland) did suspend several, as did Russia. Last I checked there were some still left .. in .at.

www.spamhaus.org/news/article/690/

On Jun 26, 2013 7:13 PM, "Simon Forster" wrote:
>
> As I'm about to shout "disclosure" at someone, I had better mention that I'm affiliated with Spamhaus. I have no input / control / influence whatsoever on the listings side of things but I do work for a Spamhaus entity.
>
> On 26 Jun 2013, at 13:44, Wilfried Woeber wrote:
>
> > Erik Bais wrote:
> > [...]
> >> For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
> >>
> >> https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> This snippet brought to us by Erik Bais.
>
> Is this the same Erik Bais who filed a complaint with the Dutch police against Spamhaus in October 2011 <http://www.theregister.co.uk/2011/10/13/dutch_isp_accuses_spamhaus/>?
>
> The MD of A2B who was providing connectivity to "German ISP Cyberbunker, aka CB3ROB"?
>
> With CyberBunker being heavily implicated in the recent DDoS attack against Spamhaus. Heavily in as much as "Sven Olaf Kamphuis, a vocal spokesman for CyberBunker, was arrested at the request of Dutch authorities near Barcelona by Spanish Police after collaboration through Eurojust" <http://en.wikipedia.org/wiki/CyberBunker>.
>
> Sir, I question your motives for bringing this up.
>
> > And this actually wasn't the only or the first "incident" with Spamhaus.
> > They also tried similar *piep*^Wbullying against NIC.at before.
> >
> > Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>
> Spamhaus is an organisation which publishes reputation datasets for users to do with as they wish. Many users wish to block inbound email based on Spamhaus' datasets. That's Spamhaus' users' prerogative. No pressure is exerted to use the lists.
>
> There are no fees charged for the removal of an entity from a Spamhaus blocklist - the problem which initiated the listing simply needs to have been resolved.
>
> The Spamhaus datasets consist of reputation lists - which is to say an entity's (Spamhaus') opinion as to the reputation of certain properties (IPs and domains). Third party, independent reports are used in any number of different industries to help organisations arrive at best possible decisions. In what way is this significantly different?
>
> Extortion or bullying is not being applied. Laws are not being broken - whatever spin people may try to put on this.
>
> Spamhaus' reputation lists have been published for over a decade now. Over that time some traction has built up to the point that slightly shy of two billion email accounts are protected (directly, indirectly or via derivative products) by the Spamhaus datasets. Such longevity and market acceptance has not been forced on anyone.
> Spamhaus simply does a damn good job and has done so for many years.
>
> Simon
>

From ripe-anti-spam-wg at powerweb.de Wed Jun 26 16:22:20 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 26 Jun 2013 16:22:20 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID: <51CAF91C.3020307@powerweb.de>

Suresh Ramasubramanian wrote:

Just want to note, that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).

It's only the content that's dangerous, email or webpage. So it's more a problem of the people running the services and these are either hacked sites or ISPs tolerating or deliberately hosting this content.

Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...

BTW:
just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under
http://www.google.com/safebrowsing/alerts/
to receive notification about doubtful content Google might find, when spidering your network.

This could be pretty useful to remove phishing and hacked sites pretty quickly.

Kind regards, Frank

> There are of course multiple sides to that story as well.
>
> Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
>
> http://www.spamhaus.org/organization/statement/7/
>
> --srs
>
> On Wednesday, June 26, 2013, Wilfried Woeber wrote:
>
> Erik Bais wrote:
> [...]
> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
> >
> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> And this actually wasn't the only or the first "incident" with Spamhaus.
> They also tried similar *piep*^Wbullying against NIC.at before.
>
> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>
> > Erik Bais
>
> Wilfried.
>
>
> --
> --srs (iPad)

From ml at vdspek.org Wed Jun 26 16:26:28 2013
From: ml at vdspek.org (Olaf van der Spek)
Date: Wed, 26 Jun 2013 16:26:28 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAF91C.3020307@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de>
Message-ID:

On Wed, Jun 26, 2013 at 4:22 PM, Frank Gadegast wrote:
> Suresh Ramasubramanian wrote:
>
> Just want to note, that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).

What about domain names used to control botnets? Killing the name will ensure the botnet can't reach its controller, while just killing the service would allow the service to be put back up on another host.
Olaf

From ops.lists at gmail.com Wed Jun 26 16:31:26 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 20:01:26 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAF91C.3020307@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de>
Message-ID:

Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.

On Jun 26, 2013 7:52 PM, "Frank Gadegast" wrote:
> Suresh Ramasubramanian wrote:
>
> Just want to note, that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
>
> It's only the content that's dangerous, email or webpage. So it's more a problem of the people running the services and these are either hacked sites or ISPs tolerating or deliberately hosting this content.
>
> Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...
>
>
> BTW:
> just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under
> http://www.google.com/safebrowsing/alerts/
> to receive notification about doubtful content Google might find, when spidering your network.
>
> This could be pretty useful to remove phishing and hacked sites pretty quickly.
>
>
>
> Kind regards, Frank
>
> There are of course multiple sides to that story as well.
>>
>> Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
>>
>> http://www.spamhaus.org/organization/statement/7/
>>
>> --srs
>>
>> On Wednesday, June 26, 2013, Wilfried Woeber wrote:
>>
>> Erik Bais wrote:
>> [...]
>> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
>> >
>> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>>
>> And this actually wasn't the only or the first "incident" with Spamhaus.
>> They also tried similar *piep*^Wbullying against NIC.at before.
>>
>> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>>
>> > Erik Bais
>>
>> Wilfried.
>>
>>
>>
>> --
>> --srs (iPad)
>>
>
>

From ripe-anti-spam-wg at powerweb.de Wed Jun 26 17:19:11 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Wed, 26 Jun 2013 17:19:11 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de>
Message-ID: <51CB066F.2080501@powerweb.de>

Suresh Ramasubramanian wrote:
> Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.

Same thing. The controllers must run on a server with an IP address; destroy these servers.
The domain name is just a name; it's the hostnames in the domain's nameserver pointing to an IP and a server with whatever service running under that IP. It's likely that the botnet owner uses another domain name, if you remove it.

Botnet owners aren't stupid.

Kind regards, Frank

>
> On Jun 26, 2013 7:52 PM, "Frank Gadegast" wrote:
>
> Suresh Ramasubramanian wrote:
>
> Just want to note, that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
>
> It's only the content that's dangerous, email or webpage. So it's more a problem of the people running the services and these are either hacked sites or ISPs tolerating or deliberately hosting this content.
>
> Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...
>
>
> BTW:
> just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under
> http://www.google.com/safebrowsing/alerts/
> to receive notification about doubtful content Google might find, when spidering your network.
>
> This could be pretty useful to remove phishing and hacked sites pretty quickly.
>
>
>
> Kind regards, Frank
>
> There are of course multiple sides to that story as well.
>
> Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
>
> http://www.spamhaus.org/organization/statement/7/
>
> --srs
>
> On Wednesday, June 26, 2013, Wilfried Woeber wrote:
>
> Erik Bais wrote:
> [...]
> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
> >
> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>
> And this actually wasn't the only or the first "incident" with Spamhaus.
> They also tried similar *piep*^Wbullying against NIC.at before.
>
> Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
>
> > Erik Bais
>
> Wilfried.
>
>
> --
> --srs (iPad)
>
>

From ops.lists at gmail.com Wed Jun 26 17:23:28 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 20:53:28 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CB066F.2080501@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de>
Message-ID:

I did say fast flux. Take down one compromised VM in a cheap datacenter somewhere and it pops up on some random company's exposed file and print server somewhere else.

On Jun 26, 2013 8:49 PM, "Frank Gadegast" wrote:
> Suresh Ramasubramanian wrote:
>
>> Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
>>
>
> Same thing.
> The controllers must run on a server with an IP address; destroy these servers.
>
> The domain name is just a name; it's the hostnames in the domain's nameserver pointing to an IP and a server with whatever service running under that IP.
> It's likely that the botnet owner uses another domain name, if you remove it.
>
> Botnet owners aren't stupid.
>
>
> Kind regards, Frank
>
>
>> On Jun 26, 2013 7:52 PM, "Frank Gadegast" wrote:
>>
>> Suresh Ramasubramanian wrote:
>>
>> Just want to note, that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
>>
>> It's only the content that's dangerous, email or webpage. So it's more a problem of the people running the services and these are either hacked sites or ISPs tolerating or deliberately hosting this content.
>>
>> Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...
>>
>>
>> BTW:
>> just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under
>> http://www.google.com/safebrowsing/alerts/
>> to receive notification about doubtful content Google might find, when spidering your network.
>>
>> This could be pretty useful to remove phishing and hacked sites pretty quickly.
>>
>>
>>
>> Kind regards, Frank
>>
>> There are of course multiple sides to that story as well.
>>
>> Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
>>
>> http://www.spamhaus.org/organization/statement/7/
>>
>> --srs
>>
>> On Wednesday, June 26, 2013, Wilfried Woeber wrote:
>>
>> Erik Bais wrote:
>> [...]
>> > For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
>> >
>> > https://cert.lv/uploads/uploads/OpenLetter.pdf
>>
>> And this actually wasn't the only or the first "incident" with Spamhaus.
>> They also tried similar *piep*^Wbullying against NIC.at before.
>>
>> Which actually has discredited Spamhaus in my personal opinion for sure,
>> for knowingly disregarding local law, but that's slightly OT here - but
>> maybe not...
>>
>> > Erik Bais
>>
>> Wilfried.
>>
>> --
>> --srs (iPad)
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andre at ox.co.za Wed Jun 26 16:37:22 2013
From: andre at ox.co.za (andre)
Date: Wed, 26 Jun 2013 16:37:22 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de>
Message-ID: <20130626163722.22898b41@cow.cow.co.za>

On Wed, 26 Jun 2013 20:01:26 +0530
Suresh Ramasubramanian wrote:

> Consider, if you will, a domain that has absolutely no "content", but
> is the command and control for a fast flux botnet. Which has been
> the case with both the latvian as well as austrian cctld cases.

We have many domains that are ONLY used for email, some for DNS, etc. etc. (one client uses his domain just for MUD) -- So "content" should not even be mentioned / discussed...

but there are so many valid points and if you are open/unbiased it is very hard to decide a firm opinion.
For myself: we all become desperate as the fight against spam/abuse is sometimes a very difficult one as things are not always white and black but more than 50 shades of grey :)

From ops.lists at gmail.com Wed Jun 26 17:55:22 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 26 Jun 2013 21:25:22 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130626163722.22898b41@cow.cow.co.za>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <20130626163722.22898b41@cow.cow.co.za>
Message-ID:

I deal with gray all the time, but I am afraid that we are dealing with positions on both sides of this argument that could use a lot more nuance to find common ground.

Denouncing spamhaus as clumsy and evil vigilantes isn't quite the true picture - and equally ccTLDs operate within a specific legal framework, but so do other ccTLDs in countries with similar legal systems.

Definitely something to discuss and use to drive process change internally, though doubtless that's already being done.

--srs (htc one x)

On 26-Jun-2013 9:14 PM, "andre" wrote:

> On Wed, 26 Jun 2013 20:01:26 +0530
> Suresh Ramasubramanian wrote:
> > Consider, if you will, a domain that has absolutely no "content", but
> > is the command and control for a fast flux botnet. Which has been
> > the case with both the latvian as well as austrian cctld cases.
>
> We have many domains that are ONLY used for email, some for DNS,
> etc. etc. (one client uses his domain just for MUD) -- So "content"
> should not even be mentioned / discussed...
>
> but there are so many valid points and if you are open/unbiased it
> is very hard to decide a firm opinion.
>
> For myself: we all become desperate as the fight against spam/abuse
> is sometimes a very difficult one as things are not always white and
> black but more than 50 shades of grey :)
>

From pk at DENIC.DE Wed Jun 26 19:03:34 2013
From: pk at DENIC.DE (Peter Koch)
Date: Wed, 26 Jun 2013 19:03:34 +0200
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <451DA72E-5ABD-43D5-9F42-724CEF296B36@steffann.nl>
References: <51C33373.5000501@heanet.ie> <20130625150136.GK25143@x28.adm.denic.de> <451DA72E-5ABD-43D5-9F42-724CEF296B36@steffann.nl>
Message-ID: <20130626170334.GA2642@x28.adm.denic.de>

Hi Sander,

> Usually I would agree with you and keep operational stuff out of policy-land, but in this case I think having a community-defined policy on openness / stats about how the NCC is handling violations of the policies *we* defined is better.

just to be clear: piggybacking this on a broader proposal seems sensible to me, for a standalone it's too much process IMHO.

> >>> -new section 2.0 and consequent renumbering of the other sections
> >
> > This part is worrying. First because it defers details to the implementation
> > and second because it suggests to give the reporting party unconditional
> > access to an unspecified level of detail.
>
> Can you suggest text for where the limits should be? I would personally agree to a very limited level of detail, but I agree that this is not clear in the current proposal text.

I have a hard time proposing text because despite my own potential curiosity or potential role as a stakeholder (probably in the legal sense of the word), I do not believe that there's a good case to treat the reporter special. A ticket number that is mapped to 'in progress' or 'closed' would likely be sufficient.

> > What's the legitimate interest
> > of the reporting party in monitoring the progress?
>
> In the current situation reporting parties don't see anything, which gives
> the feeling that all such reports disappear into a black hole. If we want

We've heard it being seen this way. And while (see above), I personally might have some sympathy for that frustration, I do not see the disclosure of investigation details as a cure.

> to keep (or restore) community involvement in the care-taking of our shared
> resources then showing those that care enough to report problems that we
> (community+NCC) take their input seriously is important. We need to provide

So, we delegated the day to day care taking to the NCC and that's where the details belong. If anybody cares enough they will check the status of a particular object and either see a change or not. If there's no change (yet), the ticket status will show it's ongoing. The oversight would start looking at the numbers: total time until ticket closed and maybe amount of reports resulting in no action.

-Peter

From rfg at tristatelogic.com Wed Jun 26 22:29:08 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 26 Jun 2013 13:29:08 -0700
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CAE218.8000607@CC.UniVie.ac.at>
Message-ID: <59563.1372278548@server1.tristatelogic.com>

In message <51CAE218.8000607 at CC.UniVie.ac.at>, Woeber at CC.UniVie.ac.at wrote:

>Erik Bais wrote:
>[...]
>> For those that want to read up on what actually happened on that specific
>> incident in Latvia (July/August 2010), have a read on the following open
>> letter from CERT.lv
>>
>> https://cert.lv/uploads/uploads/OpenLetter.pdf
>
>And this actually wasn't the only or the first "incident" with Spamhaus.
>They also tried similar *piep*^Wbullying against NIC.at before.
>
>Which actually has discredited Spamhaus in my personal opinion for sure,
>for knowingly disregarding local law, but that's slightly OT here - but
>maybe not...

I don't think that it is, because _that_ (ignoring local law...
to a certain extent[1]) is pretty much exactly what I, at least, have been advocating here.

When it comes to physical territory -- the kind that politicians draw lines around on maps -- sovereign nations should be just that, sovereign. But as we all know, the Internet pretty much ignores all such borders. It is a realm unto itself, with its own needs for security and the common good.

None of this is to say that I am in any way defending what Spamhaus either did or did not do in either of these cases (Latvia or Austria). Indeed, in the case of the latter I cannot, because I don't even have any idea about what happened, what they (Spamhaus) did about it, or why. For all I know, in that case they actually may have been either perfectly justified or else perfectly indefensible.

Regards,
rfg

=-=-=-=-=-=-=-=-
Footnote:

[1] I cannot envision any cases in which local laws should be *weakened* by their counterparts in ``cyberspace'' (to coin a phrase :-). I can however easily imagine many many scenarios where local laws allow action `X' but where action `X' is quite clearly and obviously detrimental to the ongoing stability, security, or operability of the Internet. In such cases, and _only_ within the realm of the Internet, yes, local laws should be ``ignored'' if you will.

Then again, now that we know that China is hacking the USA... and most probably everybody else... and now that we know that the USA is hacking China... and probably everybody else... maybe it is already too late to do anything about anything that even a large percentage of us here might classify as "abusive". Maybe the cat is already out of the barn door.

From rfg at tristatelogic.com Thu Jun 27 02:14:23 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 26 Jun 2013 17:14:23 -0700
Subject: [anti-abuse-wg] The Rules
Message-ID: <61964.1372292063@server1.tristatelogic.com>

I am going to try to work with Brian, off-list, to try to wordsmith and do whatever else is necessary in order to convert the informal proposals that I posted here recently into formal ones.

While I am working on that however, I would very much like to ask a very simple question...

What exactly are The Rules with respect to IPv4 address block allocations? What does one need to show, exactly, in order to either get or, more importantly, to keep, say, a /21 ?

Assume for the sake of argument that I received a /21 from some RIPE LiR one year ago. Assume that I never put _anything_ in it. Assume that RIPE NCC "audits" me. What happens, exactly?

Regards,
rfg

From doi at bva.bund.de Tue Jun 25 12:43:07 2013
From: doi at bva.bund.de (DOI (BIT A 5))
Date: Tue, 25 Jun 2013 10:43:07 +0000
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To: <20130604192859.GA78676@cilantro.c4inet.net>
References: <20130604192859.GA78676@cilantro.c4inet.net>
Message-ID:

To prevent abuse and to give the holder a fair chance to resolve any policy violation before the report is published there has to be a time for a reply of four weeks. If the holder has resolved all problems before expiration of the deadline, the report is not published.

Best regards
Carsten Br?ckner

From rfg at tristatelogic.com Thu Jun 27 10:58:11 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 27 Jun 2013 01:58:11 -0700
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
In-Reply-To:
Message-ID: <95977.1372323491@server1.tristatelogic.com>

In message , "DOI (BIT A 5)" wrote:

>To prevent abuse and to give the holder a fair chance to resolve any policy
>violation before the report is published there has to be a time for a reply
>of four weeks. If the holder has resolved all problems before expiration
>of the deadline, the report is not published.

Four weeks? Yea. Sure. That seems fair. After all, we all know how much more slowly electrons travel in Europe. Not to mention the two months they get off in the summertime. And then there is paternity leave, you know, after they have just had a baby electron.

Maybe we should make it 12 weeks, you know, to give people a chance to settle in if they have just come back from summer holiday.

From gert at space.net Thu Jun 27 13:14:02 2013
From: gert at space.net (Gert Doering)
Date: Thu, 27 Jun 2013 13:14:02 +0200
Subject: [anti-abuse-wg] The Rules
In-Reply-To: <61964.1372292063@server1.tristatelogic.com>
References: <61964.1372292063@server1.tristatelogic.com>
Message-ID: <20130627111402.GZ2706@Space.Net>

Hi,

On Wed, Jun 26, 2013 at 05:14:23PM -0700, Ronald F. Guilmette wrote:
> What exactly are The Rules with respect to IPv4 address block allocations?
> What does one need to show, exactly, in order to either get or, more
> importantly, to keep, say, a /21 ?

"nothing you can present to the RIPE NCC will give you a /21 of IPv4 space".

IPv4 has run out, and we're in the last /8 policy - which means "if you are a member (LIR) and present the need for a single IPv4 address, you will get a /22, no more, no less", and this /22 is only given out *once* per LIR.

To keep it, you have to pay your LIR fees, be truthful about the stuff in your contract (company details etc), and don't let a judge convict you for a crime.
> Assume for the sake of argument that I received a /21 from some RIPE
> LiR one year ago. Assume that I never put _anything_ in it. Assume
> that RIPE NCC "audits" me. What happens, exactly?

If you got the /21 *from a LIR*, you will not be audited, because you're not dealing with the NCC.

If you *are* a LIR, and as that LIR have received a /21, the NCC will try to ensure that whatever you registered is OK - if you have never registered anything, nothing will happen, unless they find lies in your contractual information (company doesn't exist, etc.) - in *that* case they will close down the LIR and take back the space.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
URL:

From furio+as at spin.it Thu Jun 27 15:13:15 2013
From: furio+as at spin.it (furio ercolessi)
Date: Thu, 27 Jun 2013 15:13:15 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CB066F.2080501@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de>
Message-ID: <20130627131315.GA7007@spin.it>

On Wed, Jun 26, 2013 at 05:19:11PM +0200, Frank Gadegast wrote:
> Suresh Ramasubramanian wrote:
> >Consider, if you will, a domain that has absolutely no "content", but is
> >the command and control for a fast flux botnet. Which has been the case
> >with both the latvian as well as austrian cctld cases.
>
> Same thing.
> The controllers must run on a server with an IP address,
> destroy these servers.
>
> The domain name is just a name, it's the hostnames in the domain's
> nameserver pointing to an IP and a server with whatever service
> running under that IP.
> It's likely that the botnet owner uses another domain name,
> if you remove it.

A domain is just a domain, an IP address is just an IP address, a botted PC is just a botted PC. Abuse comes from a combination of resources, some of them are just a sequence of bytes that gets associated with some actual hardware at some point.

Some of these resources are more important than others. For instance, a botted PC is arguably more important than the dynamic IP on which it is observed in a particular day.

A C&C domain is an extremely important resource, as it is hardwired in the bot code and indicates how to reach the master to get instructions. It is a "pure" criminal-owned resource, and taking it down often has a very large positive impact on spam flows as it makes inoperative a large number of botted PCs all at once. It is one level up in the hierarchy with respect to the botted PCs level.

The NS or the A DNS records for the C&C domain are of secondary importance, because the criminal can easily walk around terminations, usually in a fully automated way. Not to mention the fastflux setups where these records are also rotated among machines running malware (for instance DNS proxies redirecting traffic to a hidden location), or setups where criminals host their domains on hijacked nameservers that can not really be "destroyed".

Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).

The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'. Similar problems have then occurred in .PL and .RU as well.
Luckily, the times have changed and country CERTs are nowadays much more aware of the C&C problem and of the need to take down those domains swiftly. As it often happens with large organizations, 'learning' may be very slow and may need to be stimulated by external forces - not because of lack of capacity of the individuals working in the organizations to understand the issue, but because of the fear of those individuals to break a complex set of rules, and the possible need to have those rules changed to avoid breaking them.

I believe that all the external forces working on this problem - Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and others - have played and are playing a very important role in interacting with registries and CERTs regarding cybercrime domains, even more so when those interactions have to be a little 'rough' to get some traction. Nobody likes friction I think, but sometimes it is needed to shake things and see some action.

furio ercolessi

> >On Jun 26, 2013 7:52 PM, "Frank Gadegast" wrote:
> >
> > Suresh Ramasubramanian wrote:
> >
> > Just want to note, that domain names themselves can't be
> > dangerous (of course using a similar name could cause
> > problems with trademarks and the like).
> >
> > It's only the content that's dangerous, email or webpage.
> > So it's more a problem of the people running the services
> > and these are either hacked sites or ISPs tolerating
> > or deliberately hosting this content.
> >
> > Asking a TLD registry to remove domain names because
> > of phishing is then somehow the wrong place to start,
> > especially for Spamhaus, they should know better and
> > simply place all those IPs on their lists ...
> >
> >
> > BTW:
> > just found the service "Google Safe Browsing Alerts
> > for Network Administrators" where every AS owner can
> > register under
> > http://www.google.com/safebrowsing/alerts/
> >
> > to receive notification about doubtful content
> > Google might find, when spidering your network.
> >
> > This could be pretty useful to remove phishing
> > and hacked sites pretty quickly.
> >
> >
> >
> > Kind regards, Frank
> >
> > There are of course multiple sides to that story as well.
> >
> > Like a massive infestation of rock phish domains which, too, were
> > knowingly disregarding local law, and were present in rather
> > massive quantities on the .at ccTLD at that time.
> >
> > http://www.spamhaus.org/organization/statement/7/
> >
> >
> > --srs
> >
> > On Wednesday, June 26, 2013, Wilfried Woeber wrote:
> >
> > Erik Bais wrote:
> > [...]
> > > For those that want to read up on what actually happened on that specific
> > > incident in Latvia (July/August 2010), have a read on the following open
> > > letter from CERT.lv
> > >
> > > https://cert.lv/uploads/uploads/OpenLetter.pdf
> >
> > And this actually wasn't the only or the first "incident" with Spamhaus.
> > They also tried similar *piep*^Wbullying against NIC.at before.
> >
> > Which actually has discredited Spamhaus in my personal opinion for sure,
> > for knowingly disregarding local law, but that's slightly OT here - but
> > maybe not...
> >
> > > Erik Bais
> >
> > Wilfried.
> >
> >
> > --
> > --srs (iPad)
> >
> >

From michele at blacknight.com Thu Jun 27 15:38:48 2013
From: michele at blacknight.com (Michele Neylon :: Blacknight)
Date: Thu, 27 Jun 2013 13:38:48 +0000
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130627131208.C70B15A4010@merlin.blacknight.ie>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie>
Message-ID:

Furio

If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.

On 27 Jun 2013, at 14:13, furio ercolessi wrote:

>
> Therefore the responsibility for terminating C&C domains lies on the
> registries, not on the DNS providers (that may not even exist).

Not necessarily.

If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant

While this may be different with ccTLDs you haven't specified that you're only referring to cctlds ..

And I don't see how a domain can resolve without a DNS provider - that makes zero sense.

>
> The .AT and .LV cases have been two rather dramatic cases where the
> registries were sitting there doing nothing for a very long time, while
> the word spread among criminals that they were a 'safe haven'.

That's highly defamatory. I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.

> Similar problems have then occurred in .PL and .RU as well.

Again - broad sweeping statements.
I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed

>
> Luckily, the times have changed and country CERTs are nowadays
> much more aware of the C&C problem and of the need to take down those
> domains swiftly.

Irrelevant statement

CERTs have little impact on registry operations when they're run by private entities

> As it often happens with large organizations,
> 'learning' may be very slow and may need to be stimulated by external
> forces - not because of lack of capacity of the individuals working
> in the organizations to understand the issue, but because of the fear
> of those individuals to break a complex set of rules, and the possible
> need to have those rules changed to avoid breaking them.
>
> I believe that all the external forces working on this problem -
> Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and
> others - have played and are playing a very important role in
> interacting with registries and CERTs regarding cybercrime domains,
> even more so when those interactions have to be a little 'rough'
> to get some traction. Nobody likes friction I think, but sometimes
> it is needed to shake things and see some action.
>
> furio ercolessi

Mr Michele Neylon
Blacknight Solutions ?
Hosting & Domains
ICANN Accredited Registrar
http://www.blacknight.co
http://blog.blacknight.com/
Intl. +353 (0) 59 9183072
US: 213-233-1612
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Facebook: http://fb.me/blacknight
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From ops.lists at gmail.com Thu Jun 27 15:57:07 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 27 Jun 2013 19:27:07 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie>
Message-ID:

Michele, there's this thing called fastflux NS as well

Host the NS on compromised nodes with a low TTL and you just don't need to find an ISP or dns provider to host NS for you.

As for the defamatory / sweeping statements thing - I will only say that an analysis of the number of .at / .lv etc domains turning up in traps, honeypots, bls etc tends to bear out an impression that once criminals find a gTLD or ccTLD where terminations are slow to non existent, they will crowd on to it, in increasingly larger numbers.

.hk found that out the hard way some years back and it took a lot of data passed to hkdnr, and a lot of convincing and/or pressure on them from a variety of sources (including, presumably, some official ones) made them take several steps to lock their ccTLD down. There should be a presentation somewhere from HKDNR's Bonnie Chun talking about their experiences and the steps they took to ensure this doesn't recur.
I can tell you for sure that soon after the large-scale termination of like thousands of .hk domains in a matter of days, the domains started to crop up on a provider in another (very small) asian nation, where a simple email to a trusted contact there was enough to get them turfed off, very quickly indeed. They didn't ever come back there as far as my statistics show - and this is from nearly a decade back.

This is absolutely not behavior restricted to registrars or TLDs. If you find a colo host that is lackadaisical about abuse issues for whatever reason, that provider will pretty soon find his service overrun with spammers, bot c&c, irc kiddiez and whatever else, compared to providers that run a tighter ship wrt abuse mitigation.

So, I am sorry to say but furio's statements are fairly accurate, though they may be a trifle more blunt than some can take.

thanks
-srs

On Thursday, June 27, 2013, Michele Neylon :: Blacknight wrote:

> Furio
>
> If you're going to make statements about 3rd parties you should try to
> restrict yourself to facts and not make broad sweeping statements.
>
> On 27 Jun 2013, at 14:13, furio ercolessi wrote:
>
> >
> > Therefore the responsibility for terminating C&C domains lies on the
> > registries, not on the DNS providers (that may not even exist).
>
> Not necessarily.
>
> If registries are going round the place pulling domains it causes
> headaches for registrars - and the registries don't have a contract /
> agreement with the registrant
>
> While this may be different with ccTLDs you haven't specified that you're
> only referring to cctlds ..
>
> And I don't see how a domain can resolve without a DNS provider - that
> makes zero sense.
>
> >
> > The .AT and .LV cases have been two rather dramatic cases where the
> > registries were sitting there doing nothing for a very long time, while
> > the word spread among criminals that they were a 'safe haven'.
>
> That's highly defamatory.
>
> I don't think the managers of either ccTLD would appreciate anyone
> referring to them using that tone.
>
> > Similar problems have then occurred in .PL and .RU as well.
>
> Again - broad sweeping statements.
>
> I'd take you more seriously if you referred to the current state of play
> and not some past issues that have been addressed
>
> >
> > Luckily, the times have changed and country CERTs are nowadays
> > much more aware of the C&C problem and of the need to take down those
> > domains swiftly.
>
> Irrelevant statement
>
> CERTs have little impact on registry operations when they're run by
> private entities
>
> > As it often happens with large organizations,
> > 'learning' may be very slow and may need to be stimulated by external
> > forces - not because of lack of capacity of the individuals working
> > in the organizations to understand the issue, but because of the fear
> > of those individuals to break a complex set of rules, and the possible
> > need to have those rules changed to avoid breaking them.
> >
> > I believe that all the external forces working on this problem -
> > Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and
> > others - have played and are playing a very important role in
> > interacting with registries and CERTs regarding cybercrime domains,
> > even more so when those interactions have to be a little 'rough'
> > to get some traction. Nobody likes friction I think, but sometimes
> > it is needed to shake things and see some action.
> >
> > furio ercolessi
>
> Mr Michele Neylon
> Blacknight Solutions ?
> Hosting & Domains
> ICANN Accredited Registrar
> http://www.blacknight.co
> http://blog.blacknight.com/
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> Locall: 1850 929 929
> Direct Dial: +353 (0)59 9183090
> Facebook: http://fb.me/blacknight
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>

--
--srs (iPad)

From ripe-anti-spam-wg at powerweb.de Thu Jun 27 16:11:05 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 27 Jun 2013 16:11:05 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie>
Message-ID: <51CC47F9.4060701@powerweb.de>

Suresh Ramasubramanian wrote:
> Michele, there's this thing called fastflux NS as well
>
> Host the NS on compromised nodes with a low TTL and you just don't need
> to find an ISP or dns provider to host NS for you.

Any nameserver has to be registered with the registry of the domain (is there another way DNS works, I don't know ?)

So: you can always find the server running the nameserver for that domain. Take this server down.

Again: a domain name is not something physical, it's just a name

There are some registries offering domains where you do not have to put nameservers in, when you don't want to. There is no service running then under these domains, they are just reserved names, nothing physical.

Let's say somebody's name is "John Doo". The name itself cannot harm anybody, the person "named" John Doo can.
Kind regards, Frank

From ops.lists at gmail.com Thu Jun 27 16:20:17 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 27 Jun 2013 19:50:17 +0530
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <51CC47F9.4060701@powerweb.de>
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de>
Message-ID:

On Thursday, June 27, 2013, Frank Gadegast wrote:

> Any nameserver has to be registered with the registry of the domain
> (is there another way DNS works, I don't know ?)
>
> So: you can always find the server running the nameserver for that domain.
> Take this server down.

for fastflux, take it down and there's a fresh ns real soon. then what?

> Let's say somebody's name is "John Doo". The name itself cannot
> harm anybody, the person "named" John Doo can.

headdesk.

--
--srs (iPad)
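Suresh's point about nameservers hosted on compromised nodes with a low TTL, and Frank's reply that the nameserver for a domain can always be found and taken down, come down to something a defender can measure rather than argue about: a fluxed name keeps answering with different addresses in unrelated networks under a TTL of a few minutes, and its NS set keeps changing too. The script below is an added example, not code from this thread or from any organisation named in it. It runs a simple fast-flux heuristic over a constructed passive-DNS style log (RFC 5737 documentation addresses, RFC 5398 example AS numbers, reserved example names); the address-to-ASN table and the thresholds are assumptions of the example, not a published standard. The legitimate low-TTL CDN case is included because a TTL-only rule would flag it.

```python
"""Fast-flux heuristic over passive-DNS style observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # time the answer was seen (constructed unix seconds)
    name: str      # queried owner name
    rrtype: str    # "A" or "NS"
    rdata: str     # IPv4 address for A, nameserver hostname for NS
    ttl: int       # TTL carried in the answer


# Constructed address -> origin AS lookup. Addresses are RFC 5737 documentation
# space and AS numbers are RFC 5398 example ASNs; none of them are real IoCs.
ASN_OF: Dict[str, int] = {
    "192.0.2.10": 64496, "192.0.2.11": 64496, "192.0.2.12": 64496,
    "198.51.100.20": 64497, "198.51.100.21": 64498,
    "203.0.113.30": 64499, "203.0.113.31": 64500,
    "203.0.113.32": 64501, "203.0.113.33": 64502,
}

# Constructed sample log. "flux.example" behaves like the case in the thread:
# two-minute TTL, a fresh address from an unrelated network on every lookup,
# and NS records replaced as fast as they are removed. "www.example.net" is a
# stable site; "cdn.example.org" is a legitimate low-TTL round robin whose
# addresses all sit in one network.
OBSERVATIONS: List[DnsObservation] = [
    DnsObservation(1000, "flux.example", "A", "198.51.100.20", 120),
    DnsObservation(1130, "flux.example", "A", "203.0.113.30", 120),
    DnsObservation(1260, "flux.example", "A", "203.0.113.31", 120),
    DnsObservation(1390, "flux.example", "A", "198.51.100.21", 120),
    DnsObservation(1520, "flux.example", "A", "203.0.113.32", 120),
    DnsObservation(1650, "flux.example", "A", "203.0.113.33", 120),
    DnsObservation(1000, "flux.example", "NS", "ns1.flux.example", 120),
    DnsObservation(1390, "flux.example", "NS", "ns2.flux.example", 120),
    DnsObservation(1650, "flux.example", "NS", "ns3.flux.example", 120),
    DnsObservation(1000, "www.example.net", "A", "192.0.2.10", 3600),
    DnsObservation(4600, "www.example.net", "A", "192.0.2.10", 3600),
    DnsObservation(1000, "cdn.example.org", "A", "192.0.2.10", 60),
    DnsObservation(1060, "cdn.example.org", "A", "192.0.2.11", 60),
    DnsObservation(1120, "cdn.example.org", "A", "192.0.2.12", 60),
    DnsObservation(1180, "cdn.example.org", "A", "192.0.2.10", 60),
]

# Thresholds are assumptions of this example, not a published standard.
LOW_TTL_SECONDS = 300
MIN_DISTINCT_A = 4
MIN_DISTINCT_ASN = 3
MIN_NS_CHANGES = 2


def flux_features(obs: Iterable[DnsObservation], name: str) -> Dict[str, int]:
    """Summarise what the log says about one name."""
    a_records: Set[str] = set()
    ns_by_ts: Dict[int, Set[str]] = defaultdict(set)
    ttls: List[int] = []
    for o in obs:
        if o.name != name:
            continue
        ttls.append(o.ttl)
        if o.rrtype == "A":
            a_records.add(o.rdata)
        elif o.rrtype == "NS":
            ns_by_ts[o.ts].add(o.rdata)
    # Count how often the observed NS set differs from the previous one;
    # a zone with three static NS records changes zero times.
    ns_sets: List[FrozenSet[str]] = [frozenset(ns_by_ts[t]) for t in sorted(ns_by_ts)]
    ns_changes = sum(1 for prev, cur in zip(ns_sets, ns_sets[1:]) if prev != cur)
    asns = {ASN_OF[ip] for ip in a_records if ip in ASN_OF}
    return {
        "distinct_a": len(a_records),
        "distinct_asn": len(asns),
        "ns_changes": ns_changes,
        "min_ttl": min(ttls) if ttls else -1,
    }


def is_fast_flux(obs: Iterable[DnsObservation], name: str) -> bool:
    """True only for the combination of signals, never for a low TTL alone."""
    f = flux_features(obs, name)
    if f["min_ttl"] < 0 or f["min_ttl"] > LOW_TTL_SECONDS:
        return False  # unknown name, or TTLs too long for rapid rotation
    spread = f["distinct_a"] >= MIN_DISTINCT_A and f["distinct_asn"] >= MIN_DISTINCT_ASN
    rotating_ns = f["ns_changes"] >= MIN_NS_CHANGES
    return spread or rotating_ns


def classify_all(obs: List[DnsObservation]) -> Dict[str, bool]:
    """Verdict per name, ready to feed a blocklist or a ticket queue."""
    return {name: is_fast_flux(obs, name) for name in sorted({o.name for o in obs})}


if __name__ == "__main__":
    for name, verdict in classify_all(OBSERVATIONS).items():
        print(f"{name:18s} fast-flux={verdict} {flux_features(OBSERVATIONS, name)}")
```

The NS-rotation check is what separates the thread's two positions: if the NS set for a name has already changed several times in the window, taking down "the" server behind it is not going to end the flux, and the name itself is the stable thing to act on.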
From ripe-anti-spam-wg at powerweb.de Thu Jun 27 16:50:48 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Thu, 27 Jun 2013 16:50:48 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To:
References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de>
Message-ID: <51CC5148.902@powerweb.de>

Suresh Ramasubramanian wrote:
> On Thursday, June 27, 2013, Frank Gadegast wrote:
>
> Any nameserver has to be registered with the registry of the domain
> (is there another way DNS works, I don't know ?)
>
> So: you can always find the server running the nameserver for that
> domain.
> Take this server down.
>
>
> for fastflux, take it down and there's a fresh ns real soon. then what?

The botnet has usually one domain wired into the bot. This domain "a" is running on a nameserver. The bot is asking the nameserver (which isn't changed by the botnet owner) for a second domain "b" (which might not be registered at all, but configured) running fastflux for the IP of its control servers.

But: you can find the domain "a" by reverse engineering the bot. Find the nameservers for "a" and you're done.

And if the bot is doing only single fastflux, the botnet owner HAS to update the domain at the registry, makes it even easier. Take the first nameservers down, wait for the update at the registry, take the next two nameservers down and so on until there is none left.

Complaining about Registries isn't the right start, even if it would make things easy. Domains could change, even complaining about the nameservers on hacked servers isn't the right start (probably because they are hosted in countries where you have no chance to find a legal argument to take them down).
I would even argue that not only the domain name cannot harm anybody, the nameservers aren't doing that either. A nameservice itself isn't something illegal even if it resolves IPs for a botnet (except if it resides on a hacked and misused server and if that is illegal in the country where it resides). They are both only part of a system. The harmful parts are the bots and the intruded and misused servers; if you delete the domain name, they are all still floating about and will soon be part of the next botnet ... I personally would start at the other end and force Microsoft legally to only have PCs connected to the Internet that have an AntiVirus solution installed and running ... But then you have the antitrust agencies arguing that Microsoft is not allowed to install an antivirus solution because it wouldn't be that nice to their competitors ... And surely have laws in all countries to forbid running servers delivering malware and force the ISPs to remove them after knowledge ... Kind regards, Frank > > Let's say somebody's name is "John Doo". The name itself cannot > harm anybody, the person "named" John Doo can. > > > headdesk. > > > > -- > --srs (iPad) From ops.lists at gmail.com Thu Jun 27 17:21:41 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Thu, 27 Jun 2013 20:51:41 +0530 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51CC5148.902@powerweb.de> References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de> <51CC5148.902@powerweb.de> Message-ID: Usually one domain...? More often than not, a domain generation algorithm with lots more than just one. Beyond that, please do some more research.
On Thursday, June 27, 2013, Frank Gadegast wrote: > [...] -- --srs (iPad) From lem at isc.org Thu Jun 27 17:22:08 2013 From: lem at isc.org (Luis Muñoz) Date: Thu, 27 Jun 2013 11:22:08 -0400 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51CC5148.902@powerweb.de> References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de> <51CC5148.902@powerweb.de> Message-ID: On Jun 27, 2013, at 10:50 AM, Frank Gadegast wrote: > I personally would start at the other end and force Microsoft > legally to only have PCs connected to the Internet that > have an AntiVirus solution installed and running ... Not all computers run Microsoft software. Furthermore, not all computers run *recent* Microsoft software.
There's still a very fair share of, for instance, Windows XP machines out there. Compromise 50% of them and you'll get yourself a very nice botnet to play with. The fact that a machine ships with an anti-virus does not imply that said AV will remain running, maintain effectiveness over time, etc. From past experience, a significant proportion of infected machines in an access ISP network did have an anti-virus installed by the time we had to pull the plug on the customer because they were spewing. Being proactive on this front will only get you that far. You still need to have a reactive mechanism to respond and mitigate. Best regards -lem From ripe-anti-spam-wg at powerweb.de Thu Jun 27 17:37:12 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 27 Jun 2013 17:37:12 +0200 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de> <51CC5148.902@powerweb.de> Message-ID: <51CC5C28.4050702@powerweb.de> Luis Muñoz wrote: > > On Jun 27, 2013, at 10:50 AM, Frank Gadegast wrote: > >> I personally would start at the other end and force Microsoft >> legally to only have PCs connected to the Internet that >> have an AntiVirus solution installed and running ... > > Not all computers run Microsoft software. Oh, sorry, I didn't know that ... > Furthermore not all computers run *recent* Microsoft software. > There's still a very fair share of, for instance, Windows XP machines With an update mechanism in place on most of them ... > out there. Compromise 50% of them and you'll get yourself a very nice botnet to play with.
> > The fact that a machine ships with an anti-virus does not imply that said AV will remain running, Sure, that's why I said that Microsoft should only allow an internet connection WHEN it's running. > maintain effectiveness over time, etc. > > From past experience, a significant proportion of infected machines in an access ISP network did have an anti-virus installed by the time we had to pull the plug on the customer because they were spewing. > > Being proactive on this front will only get you that far. Sure, but it's a good start. Old OSes will die one day, and all others should only be allowed to connect when there is something protecting them. From today on. This would then kill most of the bots ... What I said: a good start. And forcing ISPs step-by-step to stop their intruded servers is another good start (and that's what we are starting here, I always thought). Kind regards, Frank > You still need to have a reactive mechanism to respond and mitigate. > > Best regards > > -lem > > > From ripe-anti-spam-wg at powerweb.de Thu Jun 27 17:38:15 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Thu, 27 Jun 2013 17:38:15 +0200 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> <51CC47F9.4060701@powerweb.de> <51CC5148.902@powerweb.de> Message-ID: <51CC5C67.8020607@powerweb.de> Suresh Ramasubramanian wrote: > Usually one domain...? More often than not, a domain generation > algorithm with lots more than just one True, so why try to argue with the registries? Will not help ... > Beyond that, please do some more research. Pfff ...
Kind regards, Frank > [...] -- Mit freundlichen Gruessen, Frank Gadegast -- MOTD: "have you enabled SSL on a website or mailbox today ?" -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== From furio+as at spin.it Thu Jun 27 18:25:48 2013 From: furio+as at spin.it (furio ercolessi) Date: Thu, 27 Jun 2013 18:25:48 +0200 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: References: <83157.1371760006@server1.tristatelogic.com> <51C437AF.1080300@heanet.ie> <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl> <51CAE218.8000607@CC.UniVie.ac.at> <51CAF91C.3020307@powerweb.de> <51CB066F.2080501@powerweb.de> <20130627131208.C70B15A4010@merlin.blacknight.ie> Message-ID: <20130627162548.GB7007@spin.it> On Thu, Jun 27, 2013 at 01:38:48PM +0000, Michele Neylon :: Blacknight wrote: > Furio > > If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements. Not sure about "broad sweeping". I gave my opinions for what they are worth. The facts are out there, several links have been given already and I do not see the need to go through them in a list post. > On 27 Jun 2013, at 14:13, furio ercolessi wrote: > > > > > > > Therefore the responsibility for terminating C&C domains lies on the > > registries, not on the DNS providers (that may not even exist). > > Not necessarily. > > If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant > > While this may be different with ccTLDs you haven't specified that you're only referring to cctlds .. Sorry, yes, I was referring to cctlds. More generally one could refer to the domain registration system, including registrars and registries but specifically excluding the DNS provider. 
[ Still, for very serious issues involving cybercrime it could be reasonable to have a nucleus of competence coordinating remedies within the registries, since there are wide differences between different registrars (in skills, resources, ethics etc), and registrars tend to not listen to abuse reports from users and security organizations. (There are exceptions for sure!) ] > And I don't see how a domain can resolve without a DNS provider - that makes zero sense. In fastflux there is a DNS server somewhere but you would not be able to locate it from DNS records. All you can find from the NS delegations of the domain and the corresponding A records are machines running malware without their owner knowing it. That malware is basically a DNS proxy that sends the query to the real server and passes the answer back. All the involved NS domains are cybercrime domains. Killing those machines does not accomplish any result as far as the botnet operation is concerned, while killing the domains may result in a major disruption of the botnet. > > The .AT and .LV cases have been two rather dramatic cases where the > > registries were sitting there doing nothing for a very long time, while > > the word spread among criminals that they were a 'safe haven'. > > > That's highly defamatory. > > I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone. I am sorry if they get offended, but I think I described fairly well the net outcome as observable from outside. 'Doing nothing' reflects an absence of observable actions, not a lack of actions. There could have been a large amount of internal discussions and meetings, possibly board meetings too, which did not produce any observable action with respect to abuse mitigation for rather long times. Again, this is the past, and I do not think anyone working in these organizations should be personally blamed. 
It is quite common and normal that structured organizations are unable to address effectively an unexpected issue on a short timescale, and I can see that there could be very good reasons for this. But it is also my belief that, when this happens, applying pressure to have things fixed as quickly as possible is healthy for the system as a whole, particularly when the positive and negative effects are integrated over time. Applying pressure is not a pleasant thing for either party involved, as any parent reprimanding his/her child would know - but it is a healthy thing for everybody when you look at it on a larger timescale and from a larger perspective. > > Similar problems have then occurred in .PL and .RU as well. > > Again - broad sweeping statements. > > I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed Broad sweeping? It is a one-line summary of a rather huge cybercrime problem on these ccTLDs. This is peripheral to the current discussion - it may deserve a separate thread, but I am not sure if this would be the proper forum for this discussion as no RIPE resource would be involved. furio ercolessi From rfg at tristatelogic.com Thu Jun 27 21:58:32 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 27 Jun 2013 12:58:32 -0700 Subject: [anti-abuse-wg] The Rules In-Reply-To: <20130627111402.GZ2706@Space.Net> Message-ID: <4410.1372363112@server1.tristatelogic.com> In message <20130627111402.GZ2706 at Space.Net>, Gert Doering wrote: >> Assume for the sake of argument that I received a /21 from some RIPE >> LIR one year ago. Assume that I never put _anything_ in it. Assume >> that RIPE NCC "audits" me. What happens, exactly? > >If you got the /21 *from a LIR*, you will not be audited, because you're >not dealing with the NCC.
> >If you *are* a LIR, and as that LIR have received a /21, the NCC will try >to ensure that whatever you registered is OK Please define the meaning of "OK" in this context. >if you have never registered >anything, nothing will happen, unless they find lies in your contractual >information (company doesn't exist, etc.) - in *that* case they will >close down the LIR and take back the space. So, if I am understanding you correctly, if, say, a given LIR obtained, say, a /17 two years ago, and then just sat on it, and never put a single thing in it in all that time, there is nothing that can or will be done about that colossal waste of (supposedly) precious IPv4 space. Is that correct? Have I understood you correctly? And likewise, if said hypothetical LIR obtained the same hypothetical /17 two years ago, and since that time has allocated it to a "customer" who then proceeded to fill it only with a single physical machine and on the order of 32,000 utterly phony baloney domain names, either for the purpose of snowshoe spamming or for the purpose of so-called "blackhat SEO", then there is nothing that anybody within RIPE, or within RIPE NCC, or anywhere in all the world either may or will do about that. Is that a correct interpretation of what you have said? (Please understand that I'm not trying to be rude to anybody. I'm just trying to understand the current policy.) Regards, rfg From gert at space.net Thu Jun 27 22:09:18 2013 From: gert at space.net (Gert Doering) Date: Thu, 27 Jun 2013 22:09:18 +0200 Subject: [anti-abuse-wg] The Rules In-Reply-To: <4410.1372363112@server1.tristatelogic.com> References: <20130627111402.GZ2706@Space.Net> <4410.1372363112@server1.tristatelogic.com> Message-ID: <20130627200918.GO2706@Space.Net> Hi, On Thu, Jun 27, 2013 at 12:58:32PM -0700, Ronald F. Guilmette wrote: > In message <20130627111402.GZ2706 at Space.Net>, > Gert Doering wrote: > > >> Assume for the sake of argument that I received a /21 from some RIPE > >> LIR one year ago.
Assume that I never put _anything_ in it. Assume > >> that RIPE NCC "audits" me. What happens, exactly? > > > >If you got the /21 *from a LIR*, you will not be audited, because you're > >not dealing with the NCC. > > > >If you *are* a LIR, and as that LIR have received a /21, the NCC will try > >to ensure that whatever you registered is OK > > Please define the meaning of "OK" in this context. Technically OK, as in "no overlaps in the network objects", policy-wise OK, as in "no assignments bigger than permitted by your assignment window", and sometimes they ask for the justification documents for a given assignment, aka "the form that needs to be filled in". > >if you have never registered > >anything, nothing will happen, unless they find lies in your contractual > >information (company doesn't exist, etc.) - in *that* case they will > >close down the LIR and take back the space. > > So, if I am understanding you correctly, if, say, a given LIR obtained, > say, a /17 two years ago, and then just sat on it, and never put a > single thing in it in all that time, there is nothing that can or will > be done about that colossal waste of (supposedly) precious IPv4 space. > Is that correct? Have I understood you correctly? Yes. (Though I disagree with you on the preciousness of IPv4 space. Reclaiming even a full /8 would have pushed out the IPv4 run-out in the RIPE region by a few months, but not changed the fundamental issue of "there is no way to make IPv4 last") > And likewise, if said hypothetical LIR obtained the same hypothetical /17 > two years ago, and since that time has allocated it to a "customer" who > then proceeded to fill it only with a single physical machine and on > the order of 32,000 utterly phony baloney domain names, either for the > purpose of snowshoe spamming or for the purpose of so-called "blackhat > SEO", then there is nothing that anybody within RIPE, or within RIPE NCC, > or anywhere in all the world either may or will do about that.
Is that > a correct interpretation of what you have said? Yes. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 From rfg at tristatelogic.com Thu Jun 27 22:14:36 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 27 Jun 2013 13:14:36 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: Message-ID: <4555.1372364076@server1.tristatelogic.com> In message , "Michele Neylon :: Blacknight" wrote: >On 27 Jun 2013, at 14:13, furio ercolessi wrote: >> Therefore the responsibility for terminating C&C domains lies on the >> registries, not on the DNS providers (that may not even exist). > >Not necessarily. > >If registries are going round the place pulling domains it causes headaches for registrars Do you know what this is? ->.<- Answer: World's smallest violin. In short, any registrar who cannot cope with a reasonable action taken to defend the Internet from a botnet should get out of the business. The world does not revolve around them. > - and the registries don't have a contract / agreement with the registrant Correct, and in this context, that is a Good Thing, because it means that they can kill a C&C domain and they are not breaking any contract when they do so. So what is the problem? >And I don't see how a domain can resolve without a DNS provider - that makes zero sense. The criminals use hijacked machines of their own choosing (they usually have many to choose from) to supply whatever DNS they need. They have no reliance on traditional third-party suppliers of DNS, such as ISPs or registrars or dedicated DNS providers.
(I suspect that this is what Furio was trying to say.) >> The .AT and .LV cases have been two rather dramatic cases where the >> registries were sitting there doing nothing for a very long time, while >> the word spread among criminals that they were a 'safe haven'. > >That's highly defamatory. > >I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone. On this side of the pond, we have a saying... "If the shoe fits..." >> Similar problems have then occurred in .PL and .RU as well. > >Again - broad sweeping statements. Again, broadly true. I _personally_ have cataloged tens of thousands of crooked fake pharmacy domains, all registered under the .RU ccTLD. >I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed You really think that the problems with .RU have been "addressed"?? On what do you base this belief? Regards, rfg From rfg at tristatelogic.com Thu Jun 27 22:47:24 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 27 Jun 2013 13:47:24 -0700 Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website In-Reply-To: <51CC5148.902@powerweb.de> Message-ID: <4803.1372366044@server1.tristatelogic.com> In message <51CC5148.902 at powerweb.de>, Frank Gadegast wrote: >I personally would start at the other end and force Microsoft >legally to only have PCs connected to the Internet that >have an AntiVirus solution installed and running ... There is a simpler solution that nobody ever talks about because it is not politically viable. (Translation: Too many campaign contributors with too much money are against it.) The simple solution is just to withdraw the existing specific exemptions to product liability laws that allow Microsoft and other software vendors to ship dangerous crap to people and yet never get sued for doing so. (This is a special exemption that applies to essentially no other category of product.)
Regards, rfg From rfg at tristatelogic.com Thu Jun 27 23:50:16 2013 From: rfg at tristatelogic.com (Ronald F. Guilmette) Date: Thu, 27 Jun 2013 14:50:16 -0700 Subject: [anti-abuse-wg] Bye Bye (was: Re: The Rules) In-Reply-To: <20130627200918.GO2706@Space.Net> Message-ID: <5246.1372369816@server1.tristatelogic.com> In message <20130627200918.GO2706 at Space.Net>, Gert Doering wrote: >On Thu, Jun 27, 2013 at 12:58:32PM -0700, Ronald F. Guilmette wrote: >> In message <20130627111402.GZ2706 at Space.Net>, >> Gert Doering wrote: >> >If you *are* a LIR, and as that LIR have received a /21, the NCC will try >> >to ensure that whatever you registered is OK >> >> Please define the meaning of "OK" in this context. > >Technically OK, as in "no overlaps in the network objects", policy-wise >OK, as in "no assignments bigger than permitted by your assignment window", >and sometimes they ask for the justification documents for a given >assignment, aka "the form that needs to be filled in". Sometimes?? Why not all the time? >> So, if I am understanding you correctly, if, say, a given LIR obtained, >> say, a /17 two years ago, and then just sat on it, and never put a >> single thing in it in all that time, there is nothing that can or will >> be done about that colossal waste of (supposedly) precious IPv4 space. >> Is that correct? Have I understood you correctly? > >Yes. Am I really the only person on the planet who thinks this is absurd? >(Though I disagree with you on the preciousness of IPv4 space. Fine. I am an authorized Wikipedia Editor. Please provide me with some new correct verbiage to replace the following utterly inaccurate section of the relevant Wikipedia page: http://en.wikipedia.org/wiki/IPv4_address_exhaustion "On 31 January 2011, IANA announced it had exhausted its free pool of IPv4 addresses (from which IP blocks were allocated to regional RIRs), the exhaustion of the RIRs APNIC on 15 April 2011 and RIPE NCC on 14 September 2012..."
I suppose that the word "exhaustion" has a different meaning depending upon one's own individual situation. Certainly, if you are one of the lucky few who had the foresight to start hoarding and to squirrel away a whole lot of IPv4 space some time ago, then right now I am sure that you are sitting pretty, and saying to yourself "Shortage? What shortage?" Other people (and companies) may perhaps not have had the same level of foresight. >Reclaiming >even a full /8 would have pushed out the IPv4 run-out in the RIPE region >by a few months, but not changed the fundamental issue of "there is no >way to make IPv4 last") Yes, you're right and that is a very good point. So since that is all true, let's do this... Let's resolve to give away any and all remaining IPv4 space to crooks, thieves, and homeless people until it really and truly is all gone. That will force everyone to buy all new IPv6 equipment, which will be good for the economy in Europe, and maybe even bring it out of its current slump. Hey! I own Cisco stock! This idea works for me! Is everyone else on board? (Apparently, I don't even need to ask.) > >> And likewise, if said hypothetical LIR obtained the same hypothetical /17 >> two years ago, and since that time has allocated it to a "customer" who >> then proceeded to fill it only with a single physical machine and on >> the order of 32,000 utterly phony baloney domain names, either for the >> purpose of snowshoe spamming or for the purpose of so-called "blackhat >> SEO", then there is nothing that anybody within RIPE, or within RIPE NCC, >> or anywhere in all the world either may or will do about that. Is that >> a correct interpretation of what you have said? > >Yes. So basically, the idea that I had of having these kinds of crooks "audited" is utterly futile and pointless, yes? OK. That's it. I'm outta here. I had hoped that something positive could be accomplished within this group but now I know that I was just deluding myself. Thanks everybody.
Take care. I wish you all a nice life. Regards, rfg From saso at eth.si Fri Jun 28 06:39:28 2013 From: saso at eth.si (Saso G.) Date: Fri, 28 Jun 2013 06:39:28 +0200 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: <5246.1372369816@server1.tristatelogic.com> References: <5246.1372369816@server1.tristatelogic.com> Message-ID: <51CD1380.1070507@eth.si> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 27/06/13 23:50, Ronald F. Guilmette wrote: >>> >> And likewise, if said hypothetical LIR obtained the same hypothetical /17 >>> >> two years ago, and since that time has allocated it to a "customer" who >>> >> then proceeded to fill it only with a single physical machine and on >>> >> the order of 32,000 utterly phony baloney domain names, either for the >>> >> purpose of snowshoe spamming or for the purpose of so-called "blackhat >>> >> SEO", then there is nothing that anybody within RIPE, or within RIPE NCC, >>> >> or anywhere in all the world either may or will do about that. Is that >>> >> a correct interpretation of what you have said? >> > >> >Yes. > So basically, the idea that I had of having these kinds of crooks "audited" > is utterly futile and pointless, yes? > > OK. That's it. I'm outta here. I had hoped that something positive could > be accomplished within this group but now I know that I was just deluding > myself. > > Thanks everybody. Take care. I wish you all a nice life. Address space is not some commodity that you (or anyone else) should assume to own. Instead of turning your focus towards LEGACY protocols that should have been discarded years ago, try realizing that IP address space is a virtual commodity, limited only by the tech capabilities and foresight of the designers building it. The fact that someone is taking their time to attempt freeing resources from a legacy protocol just proves how much pointless bureaucracy there is in this world. Maybe turn it down a notch?
You forget this is a decentralized network without a central authority, there's only so much a RIR can do... -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRzROAAAoJEKDRRlJA5M0IC7UP/R52f/ddswSWLymPFGo7d9xY qqH+zI94mfYLw8NBGYaqdyCuc/LhjA1rW2ziP4wkaznc2Pz7FdgJhWdL//CJNaLz /WBAdMPMcFMFyvzzFQjcazJCIv6vUN1ePH1Y8WvjGpBMM1uIC5bHpiJ9Jmau94nk hCkdVw8JEfPsCFdOsDX9k1rzQChyCVVNlfXLsHaPkz75Er38hO4KOmAQzE0cp7Xw +gmTZG6Ku8Lzl19Nr7O6WRfzZXi5NbEikpe0+yU4dGr75sE7Xig9CodDrLzVO42D Kkxu676AYKtcXWaC1kaJzozD25ESM0PEvhkoJTOEC7ZOTtieKRs6ToKpe21kyEhH pw56jPUftDTDFdgDXdDwA078fD/dRjYvMFzGNgWi5tFmRymJO9yCv9EYQrPM9TKs vkHhirsMPSq9Yn88EAdTaZmG5Hogjcp3d/OtFfkEvHgARJNRXzrJ+e79nS3UGq9L iGQWv+pi7hiTmeH45e3cRT5TxLsOAq0sHUNjkz96nnrbZDb8QWofzBNhnaYEEZ1l Cp2PvoR3t5uA6nJ8hy7h8pTYKbcgG+66o1c0Tp8C1U8Tb4S/oHJyu3+PA4PnSPh2 YDrKN6cHlhQpipiGhbI68sJCfusSEoo1koYicoaZbaLVsYPRb+thekMoGBRfAQ83 DeOp5X5WSX+vgqf3xVok =5DpD -----END PGP SIGNATURE----- From ops.lists at gmail.com Fri Jun 28 07:04:17 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 28 Jun 2013 10:34:17 +0530 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: <51CD1380.1070507@eth.si> References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> Message-ID: Nope. He is trying to convince the decision makers to keep those resources out of the hands of people who use them to our mutual detriment Do note that the same people who were getting themselves /15s are also getting themselves rather large v6 allocations. As soon as more places adopt v6 they will see much more of the same than they ever experienced on v4 Keep at the we are not the internet police meme though.. You people have far more IP space to squander in this manner so that future generations will surely thank you for the extensively poisoned IP and name space that they will inherit. Oh, v6 is never going to run out? 
I remember people saying exactly that when class A, B and C addresses were to be had for the asking. --srs (htc one x)

On 28-Jun-2013 10:18 AM, "Saso G." wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 27/06/13 23:50, Ronald F. Guilmette wrote: > >>> >> And likewise, if said hypothetical LIR obtained the same > hypothetical /17 > >>> >> two years ago, and since that time has allocated it to a > "customer" who > >>> >> then proceeded to fill it only with a single physical machine and on > >>> >> the order of 32,000 utterly phony baloney domain names, either > for the > >>> >> purpose of snowshoe spamming or for the purpose of so-called > "blackhat > >>> >> SEO", then there is nothing that anybody within RIPE, or within > RIPE NCC, > >>> >> or anywhere in all the world either may or will do about that. > Is that > >>> >> a correct interpretation of what you have said? > >> > > >> >Yes. > > So basically, the idea that I had of having these kinds of crooks > "audited" > > is utterly futile and pointless, yes? > > > > OK. That's it. I'm outta here. I had hoped that something positive > could > > be accomplished within this group but now I know that I was just deluding > > myself. > > > > Thanks everybody. Take care. I wish you all a nice life. > Address space is not some commodity that you (or anyone else) should > assume to own. Instead of turning your focus towards LEGACY protocols, > that should have been discarded years ago try realizing that IP address > space is a virtual commodity, limited only by the tech capabilities and > foresight of the designers building it. > The fact that someone is taking their time to attempt freeing resources > from a legacy protocol just proves how much pointless bureaucracy there > is in this world. > > Maybe turn it down a notch? You forget this is a decentralized network > without a central authority, there's only so much a RIR can do...
From gert at space.net Fri Jun 28 09:44:59 2013 From: gert at space.net (Gert Doering) Date: Fri, 28 Jun 2013 09:44:59 +0200 Subject: [anti-abuse-wg] Bye Bye (was: Re: The Rules) In-Reply-To: <5246.1372369816@server1.tristatelogic.com> References: <20130627200918.GO2706@Space.Net> <5246.1372369816@server1.tristatelogic.com> Message-ID: <20130628074459.GP2706@Space.Net>

Hi, On Thu, Jun 27, 2013 at 02:50:16PM -0700, Ronald F. Guilmette wrote: > >On Thu, Jun 27, 2013 at 12:58:32PM -0700, Ronald F. Guilmette wrote: > >> In message <20130627111402.GZ2706 at Space.Net>, > >> Gert Doering wrote: > >> >If you *are* a LIR, and as that LIR have received a /21, the NCC will try > >> >to ensure that whatever you registered is OK > >> > >> Please define the meaning of "OK" in this context.
> > > >Technically OK, as in "no overlaps in the network objects", policy-wise > >OK, as in "no assignments bigger than permitted by your assignment window", > >and sometimes they ask for the justification documents for a given > >assignment, aka "the form that needs to be filled in". > > Sometimes?? Why not all the time? Well, maybe the wording was not so good. I think they will always pick "some of the assignments" to look at the paperwork, but for reasons of scale, they are not asking for the paperwork for *all* your assignments (because that could be multiple thousand for a medium-sized business ISP). > >> So, if I am understanding you correctly, if, say, a given LIR obtained, > >> say, a /17 two years ago, and then just sat on it, and never put a > >> single thing in it in all that time, there is nothing that can or will > >> be done about that colossal waste of (supposedly) precious IPv4 space. > >> Is that correct? Have I understood you correctly? > > > >Yes. > > Am I really the only person on the planet who thinks this is absurd? There seem to be a few, and we covered that topic in the address policy WG two meetings ago. The outcome was that "well, it's not in the policy documents, so the NCC has no lever to ever ask for return of space on the basis of it not being used" - which is understandable as these documents have been written under the assumption that ISPs grow, fill their space, ask for more, fill that, and ask for more again (and *that* is covered in great detail). This outcome was presented, and the WG didn't see the need to change the policy here - acknowledging, I'd say, the fact that it would cause lots of effort for minimal gain. > >(Though I disagree with you on the preciousness of IPv4 space. > > Fine. I am an authorized Wikipedia Editor.
Please provide me with some > new correct verbiage to replace the following utterly inaccurate section > of the relevant Wikipedia page: > > http://en.wikipedia.org/wiki/IPv4_address_exhaustion > > "On 31 January 2011, IANA announced it had exhausted its free pool > of IPv4 addresses (from which IP blocks were allocated to regional > RIRs), the exhaustion of the RIRs APNIC on 15 April 2011 and > RIPE NCC on 14 September 2012..." > ^^^^^^^^ > > I suppose that the word "exhaustion" has a different meaning depending > upon one's own individual situation. Certainly, if you are one of the > lucky few who had the foresight to start hoarding and to squirrel away > a whole lot of IPv4 space some time ago, then right now I am sure that > you are sitting pretty, and saying to yourself "Shortage? What shortage?" > > Other people (and companies) may perhaps not have had the same level of > foresight. No, you're misunderstanding me. Whatever we do, 4 billion IPv4 addresses will not be sufficient to number Internet access for 6+ billion humans on earth. So it's important to get over the fact that IPv4 is *gone* and move ahead to the only alternative we have: IPv6. Spending lots of resources to stretch IPv4 for a few more months will mainly achieve a larger installed base of IPv4-only gear that will then cause *more* effort converting towards IPv6 - and based on that, the RIPE community decided (the topic came up multiple times, and the outcome was always the same) to not invest lots of NCC time = member money in IPv4 reclaim activities. [..] > So since that is all true, let's do this... Let's resolve to give away any > and all remaining IPv4 space to crooks, thieves, and homeless people until > it really and truly is all gone. That will force everyone to buy all new > IPv6 equipment, which will be good for the economy in Europe, and maybe even > bring it out of its current slump.
Whoever in the RIPE region comes up, unless they are a convicted criminal, will get a single last /22 for their LIR. This is expected to last for a few more years to give new entrants in the market the chance to have a few IPv4 addresses to run their NAT64 gear on. (But I told you that already). > >> And likewise, if said hypothetical LIR obtained the same hypothetical /17 > >> two years ago, and since that time has allocated it to a "customer" who > >> then proceeded to fill it only with a single physical machine and on > >> the order of 32,000 utterly phony baloney domain names, either for the > >> purpose of snowshoe spamming or for the purpose of so-called "blackhat > >> SEO", then there is nothing that anybody within RIPE, or within RIPE NCC, > >> or anywhere in all the world either may or will do about that. Is that > >> a correct interpretation of what you have said? > > > >Yes. > > So basically, the idea that I had of having these kinds of crooks "audited" > is utterly futile and pointless, yes? The audit will ensure that the contact data the NCC has is right (so we know who they are), that the company registration data is right (so we can sue them, if needed), but it does not ensure that the holder will use their IP addresses in a way that doesn't offend anyone, right. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
From gert at space.net Fri Jun 28 09:45:51 2013 From: gert at space.net (Gert Doering) Date: Fri, 28 Jun 2013 09:45:51 +0200 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> Message-ID: <20130628074551.GQ2706@Space.Net>

Hi, On Fri, Jun 28, 2013 at 10:34:17AM +0530, Suresh Ramasubramanian wrote: > Oh, v6 is never going to run out? I remember people saying exactly that > when class A, B and C addresses were to be had for the asking. Learn math, then come back. Thanks. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

From ripe-anti-spam-wg at powerweb.de Fri Jun 28 09:47:35 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 28 Jun 2013 09:47:35 +0200 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <4803.1372366044@server1.tristatelogic.com> References: <4803.1372366044@server1.tristatelogic.com> Message-ID: <51CD3F97.2000400@powerweb.de>

Ronald F. Guilmette wrote: > In message <51CC5148.902 at powerweb.de>, > Frank Gadegast wrote: > >> I personally would start at the other end and force Microsoft >> legally to only have PCs connected to the Internet that >> have an AntiVirus solution installed and running ... > > There is a simpler solution that nobody ever talks about because it is > not politically viable. (Translation: Too many campaign contributors > with too much money are against it.)
> > The simple solution is just to withdraw the existing specific exemptions > to product liability laws that allow Microsoft and other software vendors > to ship dangerous crap to people and yet never get sued for doing so. > (This is a special exemption that applies to essentially no other cate- > gory of product.) What about a RIR regulation to ensure that address space is only used for purposes not harming anybody? That resource holders are responsible for the abuse coming out of their networks? And a framework to withdraw address space, if there is whatever evidence that the resource holder is not doing enough to stop it? I think this is the main question in which direction we all should go after the abuse-c is in place. It's nice that there will be a contact now for every address space, but now we should talk about responsibilities of resource holders and procedures to control them. For a start I'm really interested how the current revoking process at RIPE NCC actually looks like and examples how this process was actually used in the past ... I might have missed that, but maybe that was never communicated to the list in detail. Kind regards, Frank > > > Regards, > rfg > >

From lists-ripe at c4inet.net Fri Jun 28 09:55:41 2013 From: lists-ripe at c4inet.net (Sascha Luck) Date: Fri, 28 Jun 2013 08:55:41 +0100 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <51CD3F97.2000400@powerweb.de> References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> Message-ID: <20130628075541.GA96362@cilantro.c4inet.net>

On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote: >What about a RIR regulation to ensure that address space is only >used for purposes not harming anybody ? >That resource holders are responsible for the abuse coming >out of their networks ? Srsly? Abandon the common-carrier principle for the sake of a minor annoyance like *spam*? Forcing ISPs to censor and surveil all traffic passing their networks?
Apart from the fact that this is undemocratic and unworkable, how well did that work for China? rgds, Sascha Luck

From ops.lists at gmail.com Fri Jun 28 09:57:19 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 28 Jun 2013 13:27:19 +0530 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: <20130628074551.GQ2706@Space.Net> References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> Message-ID:

I know the size of the v6 namespace. Remember that we are currently working with a smaller effective size: the allocated part of v6, with martian filters to block out the rest. And out of that... well, the more space poorly administered allocation policies squander by handing them to abusers without very much due diligence, the more trouble the rest of us face. As for the future, I won't try predicting what the internet will be like and what devices from where will connect over v6. I would just tell you to avoid history repeating itself so we don't look back with regret at this conversation after a decade or two. --srs (htc one x)

On 28-Jun-2013 1:15 PM, "Gert Doering" wrote: > Hi, > > On Fri, Jun 28, 2013 at 10:34:17AM +0530, Suresh Ramasubramanian wrote: > > Oh, v6 is never going to run out? I remember people saying exactly that > > when class A, B and C addresses were to be had for the asking. > > Learn math, then come back. Thanks. > > Gert Doering > -- NetMaster > -- > have you enabled IPv6 on something today...? > > SpaceNet AG Vorstand: Sebastian v. Bomhard > Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann > D-80807 Muenchen HRB: 136055 (AG Muenchen) > Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 >
From gert at space.net Fri Jun 28 10:07:33 2013 From: gert at space.net (Gert Doering) Date: Fri, 28 Jun 2013 10:07:33 +0200 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> Message-ID: <20130628080733.GR2706@Space.Net>

Hi, On Fri, Jun 28, 2013 at 01:27:19PM +0530, Suresh Ramasubramanian wrote: > I know the size of the v6 namespace > Remember that we are currently working with a smaller effective size.. The > allocated part of v6, with martian filters to block out the rest > > And out of that.. Well, the more space poorly administered allocation > policies squander by handing them to abusers without very much due > diligence, the more trouble the rest of us face I'm aware of all that, but I *can* do the math. Inside RIPE's /12, there are *one million* /32s. > As for the future, I won't try predicting what the internet will be like > and what devices from where will connect over v6. I would just tell you to > avoid history repeating itself so we don't look back with regret at this > conversation after a decade or two I've heard that argument so many times over the last 16 years where the much more important goal should have been "get IPv6 deployed!" instead of worrying about "not giving out IPv6 addresses to , as they might run out!". We're inside a /12, which has LOTS of space left. That /12 is inside a /3, which is barely touched (5 /12s out of 512 allocated). And *that* /3 has 6 more to be used, if we really mess up. I'll start to reconsider my position if we manage to fill the RIPE /12 by giving out standard-size allocations (/32) in the next 20 years. I'll start to *worry* if we fill half of 2000::/3 in the next 30 years. I'll publicly admit I was wrong about my IPv6 use predictions if we fill FP001 (2000::/3) in the next 40 years. ...
and *then*, we have people that can learn from what happened in FP001 and get it right in one of the next FPs. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

From ops.lists at gmail.com Fri Jun 28 10:17:03 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 28 Jun 2013 13:47:03 +0530 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: <20130628080733.GR2706@Space.Net> References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> Message-ID:

There has been little or no reason to adopt v6 so far, other than as an alternate means of connectivity to reach what, geek operated mail, ftp and rsync servers for Linux distros and assorted open source software? With some majors like Google starting to adopt it, and with only a few years left for a v4 aftermarket, carrier grade nat etc to have any effect, and with newer generations of devices yet to ship with v6 only stacks but that's a matter of time... That is when you will start to see the true uptake and growth of v6. I rather suspect what I predict may well happen in our lifetimes, or even in the couple of decades before I retire. --srs (htc one x)

On 28-Jun-2013 1:37 PM, "Gert Doering" wrote: > > Hi, > > On Fri, Jun 28, 2013 at 01:27:19PM +0530, Suresh Ramasubramanian wrote: > > I know the size of the v6 namespace > > Remember that we are currently working with a smaller effective size.. The > > allocated part of v6, with martian filters to block out the rest > > > > And out of that..
Well, the more space poorly administered allocation > > policies squander by handing them to abusers without very much due > > diligence, the more trouble the rest of us face > > I'm aware of all that, but I *can* do the math. > > Inside RIPE's /12, there are *one million* /32s. > > > As for the future, I won't try predicting what the internet will be like > > and what devices from where will connect over v6. I would just tell you to > > avoid history repeating itself so we don't look back with regret at this > > conversation after a decade or two > > I've heard that argument so many times over the last 16 years where the > much more important goal should have been "get IPv6 deployed!" instead of > worrying about "not giving out IPv6 addresses to , as > they might run out!". > > We're inside a /12, which has LOTS of space left. > > That /12 is inside a /3, which is barely touched (5 /12s out of 512 allocated). > > And *that* /3 has 6 more to be used, if we really mess up. > > > I'll start to reconsider my position if we manage to fill the RIPE /12 by > giving out standard-size allocations (/32) in the next 20 years. > > I'll start to *worry* if we fill half of 2000::/3 in the next 30 years. > > I'll publicly admit I was wrong about my IPv6 use predictions if we > fill FP001 (2000::/3) in the next 40 years. > > ... and *then*, we have people that can learn from what happened in FP001 > and get it right in one of the next FPs. > > Gert Doering > -- NetMaster > -- > have you enabled IPv6 on something today...? > > SpaceNet AG Vorstand: Sebastian v. Bomhard > Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann > D-80807 Muenchen HRB: 136055 (AG Muenchen) > Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
From brian.nisbet at heanet.ie Fri Jun 28 10:25:33 2013 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 28 Jun 2013 09:25:33 +0100 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <51CD3F97.2000400@powerweb.de> References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> Message-ID: <51CD487D.9070904@heanet.ie>

Frank Gadegast wrote the following on 28/06/2013 08:47: > > For a start Im really interested how the current revoking > process at RIPE NCC actually looks like and examples > how this process was actually used in the past ... > I might have missed that, but maybe that was never > comunicated to the list in detail. I don't have direct references for past use, but the Closure & Deregistration document has been repeatedly communicated to this list. It is here in all its glory: http://www.ripe.net/ripe/docs/ripe-578 Brian

From gert at space.net Fri Jun 28 10:32:18 2013 From: gert at space.net (Gert Doering) Date: Fri, 28 Jun 2013 10:32:18 +0200 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> Message-ID: <20130628083218.GT2706@Space.Net>

Hi, On Fri, Jun 28, 2013 at 01:47:03PM +0530, Suresh Ramasubramanian wrote: > There has been little or no reason to adopt v6 so far, other than as an > alternate means of connectivity to reach what, geek operated mail, ftp and > rsync servers for Linux distros and assorted open source software? Uh. I'd say "providing IP connectivity to end users, without having to go through a carrier-grade NAT at their provider" seems to be compelling enough that quite a number of large-scale providers in Europe have started to assign a /56 to all new customers...
> With some majors like Google starting to adopt it, and with only a few > years left for a v4 aftermarket, carrier grade nat etc to have any effect, > and with newer generations of devices yet to ship with v6 only stacks but > that's a matter of time... That is when you will start to see the true > uptake and growth of v6. I rather suspect what i predict may well happen in > our lifetimes, or even in the couple of decades of years before I retire "True uptake and growth" will happen in terms of traffic ratio, actual usage ratio *inside* the IPv6 prefixes, but not so much in terms of "how many entities are all of a sudden becoming a RIR member to get IPv6 address space". There are currently about 10,000 RIPE members - which is well inside the bounds that can be served by RIPE's /12. Why should entities that are not RIPE members today become one, just because of IPv6 uptake? And, more interesting, why would the number go up by a factor of 50, to actually threaten to fill the /12? Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
From ripe-anti-spam-wg at powerweb.de Fri Jun 28 10:50:41 2013 From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast) Date: Fri, 28 Jun 2013 10:50:41 +0200 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <20130628075541.GA96362@cilantro.c4inet.net> References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> Message-ID: <51CD4E61.30906@powerweb.de>

Sascha Luck wrote: > On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote: >> What about a RIR regulation to ensure that address space is only >> used for purposes not harming anybody ? >> That resource holders are responsible for the abuse coming >> out of their networks ? > > Srsly? Abandon the common-carrier principle for the sake of a minor > annoyance like *spam*? Forcing ISPs to censor and surveil all traffic Sure, it's a matter we should discuss, how far we like to push things. For a start I would like to force resource holders to actually read the mail arriving under their abuse address. This will not force anybody to control all the traffic. E.g. by returning ticket numbers or the like. Or sending automatic CCs to the RIPE NCC ... This could be controlled, weighted and analyzed by the NCC and could give evidence about how the ISP is working with abuse reports. And this could be used in the auditing process somebody (sorry, forgot the name) likes to bring a bit further right now here on this list. Others have probably other ideas, let's hear and discuss them. > passing their networks? Apart from the fact that this is undemocratic > and unworkable, how well did that work for China? We are talking about the RIPE region.
Kind regards, Frank > > rgds, > Sascha Luck > >

From jorgen at hovland.cx Fri Jun 28 11:39:01 2013 From: jorgen at hovland.cx (Jørgen Hovland) Date: Fri, 28 Jun 2013 11:39:01 +0200 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <51CD4E61.30906@powerweb.de> References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> <51CD4E61.30906@powerweb.de> Message-ID: <51CD59B5.2040809@hovland.cx>

On 6/28/13 10:50 AM, Frank Gadegast wrote: > Sascha Luck wrote: >> On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote: >>> What about a RIR regulation to ensure that address space is only >>> used for purposes not harming anybody ? >>> That resource holders are responsible for the abuse coming >>> out of their networks ? >> >> Srsly? Abandon the common-carrier principle for the sake of a minor >> annoyance like *spam*? Forcing ISPs to censor and surveil all traffic > > Sure, its a matter we should discuss, how far we like > to push things. I find it disturbing that anyone would even consider regulating IP allocations based on abuse just because they don't have a good enough spamfilter themselves. I would rather see a regulation that would deny address space allocation to LIRs not having a good spamfilter. > > For a start I would like to force resource holders to actually > read the mail arriving under their abuse address. > This will not force anybody to control all the traffic. Do you believe this is practically possible for any huge email provider (or other services)? > F.e. by returning ticket numbers or the like. > Or sending automatic CCs to the RIPE NCC .. > This could be controlled, weighted and analyzed by the NCC > and could give evidence about how the ISP is working > with abuse reports. Or even better; RIPE NCC could just get a login to PRISM and read all your mail there. > Others have probably other ideas, lets hear and discuss them.
Accepting your abuse mail is not a right, but a service. This may be unfortunate, but it should be up to each LIR to decide if and through what media they accept complaints. Creating a standard and encouraging all LIRs to use it would however be great. > >

From ops.lists at gmail.com Fri Jun 28 12:09:36 2013 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Fri, 28 Jun 2013 15:39:36 +0530 Subject: [anti-abuse-wg] New Abuse Regulations In-Reply-To: <51CD59B5.2040809@hovland.cx> References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> <51CD4E61.30906@powerweb.de> <51CD59B5.2040809@hovland.cx> Message-ID:

The discussion in this thread has also included bot and crimeware netblocks. As for the 'good enough spam filter' versus giving spammers and botmasters an unlimited supply of IP space, it starts to remind me of those high school maths problems where a burette empties out a tank while a firehose fills it up. People with good enough spam filters to run mail for millions of users each will tell you much the same thing. --srs (htc one x)

On 28-Jun-2013 3:09 PM, "Jørgen Hovland" wrote: > Den 6/28/13 10:50 AM, skrev Frank Gadegast: > >> Sascha Luck wrote: >> >>> On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote: >>> >>>> What about a RIR regulation to ensure that address space is only >>>> used for purposes not harming anybody ? >>>> That resource holders are responsible for the abuse coming >>>> out of their networks ? >>>> >>> >>> Srsly? Abandon the common-carrier principle for the sake of a minor >>> annoyance like *spam*? Forcing ISPs to censor and surveil all traffic >>> >> >> Sure, its a matter we should discuss, how far we like >> to push things. >> > > I find it disturbing that anyone would even consider regulating IP > allocations based on abuse just because they don't have a good enough > spamfilter themselves.
I would rather see a regulation that would deny > address space allocation to LIRs not having a good spamfilter. > > > >> For a start I would like to force resource holders to actually >> read the mail arriving under their abuse address. >> This will not force anybody to control all the traffic. >> > > > Do you believe this is practically possible for any huge email provider > (or other services) ? > > > F.e. by returning ticket numbers or the like. >> Or sending automatic CCs to the RIPE NCC .. >> This could be controlled, weighted and analyzed by the NCC >> and could give evidence about how the ISP is working >> with abuse reports. >> > > > Or even better; RIPE NCC could just get a login to PRISM and read all your > mail there. > > > > Others have probably other ideas, lets hear and discuss them. > > > Accepting your abuse mail is not a right, but a service. This may be > unfortunate, but it should be up to each LIR to decide if and through what > media they accept complaints. Creating a standard and encourage all LIRs to > use it would however be great. > > > > >> >> > > > >

From bs at stepladder-it.com Fri Jun 28 12:18:42 2013 From: bs at stepladder-it.com (Benedikt Stockebrand) Date: Fri, 28 Jun 2013 10:18:42 +0000 Subject: [anti-abuse-wg] central whois In-Reply-To: <51C30E81.2040404@powerweb.de> (Frank Gadegast's message of "Thu, 20 Jun 2013 16:15:29 +0200") References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <51C30E81.2040404@powerweb.de> Message-ID: <8761wypmgt.fsf@stepladder-it.com>

Frank Gadegast writes: > Sad, but how can you submit a death threat to a role persons (object) ? As e-mail. >> If you make looking up the admin-c for an address as easy as some people > > No, not the admin-c, the abuse contact email addresses, that are > already published ... Sorry, that was a typo.
Same problem, however. > Only the abuse email address published by the ISPs or resource holder > will be available. > It's up to every resource holder to publish what he thinks is accurate. > Usually a role address like abuse at sitename.de or so ... The reason why I am so wary about this is because at that time you'd have to have a real person, with name and phone number, listed as admin-c. Things have improved since then, partly due to the introduction of abuse-c. Nevertheless, the actual problem with the idea about abuse-c being too easily accessible still remains: People who don't really know what they are doing will find that interface and cause additional work to the people on the receiving end of the abuse-c mail queue. -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/

From bs at stepladder-it.com Fri Jun 28 12:24:37 2013 From: bs at stepladder-it.com (Benedikt Stockebrand) Date: Fri, 28 Jun 2013 10:24:37 +0000 Subject: [anti-abuse-wg] central whois In-Reply-To: <51C8312D.6070208@powerweb.de> (Frank Gadegast's message of "Mon, 24 Jun 2013 13:44:45 +0200") References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com> <51C8312D.6070208@powerweb.de> Message-ID: <871u7mpm6y.fsf@stepladder-it.com>

Frank Gadegast writes: > Benedikt Stockebrand wrote: >> Hi Suresh and list, >> >> >> Please explain to me why providing an excessively easy-to-use abuse >> interface won't cause such an increase in workload for the recipients of >> that list that it becomes impossible to handle. > > That's the wrong starting point. > > If some resource holder is not willing to reduce abuse coming > from his networks, there's nothing we can do. > And it will not harm him to publish his abuse contact in a central space, > he's not reading the abuse reports anyway ... Sorry, this is nonsense.
If somebody has his home PC being part of a
botnet, and someone uses that botnet to flood a victim with ping or TCP
syn or flood attacks using my IP address, then how will the
mails I get as my own abuse-c find their way to the bot PC owner or his
ISP's abuse-c?

Your entire chain of reasoning relies on the fact that whatever IP
address from an attacker your end users find in their logs identifies
the abuse-c to contact.

--
Business Grade IPv6 Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform.
http://www.stepladder-it.com/

From ripe-anti-spam-wg at powerweb.de Fri Jun 28 12:43:58 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 28 Jun 2013 12:43:58 +0200
Subject: [anti-abuse-wg] New Abuse Regulations
In-Reply-To: <51CD59B5.2040809@hovland.cx>
References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> <51CD4E61.30906@powerweb.de> <51CD59B5.2040809@hovland.cx>
Message-ID: <51CD68EE.4090204@powerweb.de>

Jørgen Hovland wrote:
> On 6/28/13 10:50 AM, Frank Gadegast wrote:
>> Sascha Luck wrote:
>>> On Fri, Jun 28, 2013 at 09:47:35AM +0200, Frank Gadegast wrote:
>>>> What about a RIR regulation to ensure that address space is only
>>>> used for purposes not harming anybody?
>>>> That resource holders are responsible for the abuse coming
>>>> out of their networks?
>>>
>>> Srsly? Abandon the common-carrier principle for the sake of a minor
>>> annoyance like *spam*? Forcing ISPs to censor and surveil all traffic
>>
>> Sure, it's a matter we should discuss, how far we like
>> to push things.
>
> I find it disturbing that anyone would even consider regulating IP
> allocations based on abuse just because they don't have a good enough

Well, everybody is free to have his own opinion. I don't see this.
If you get a "lend" of something you should be careful with it.

> spamfilter themselves.

That's a stupid estimation. Abuse has not only something to do with spam ...
> I would rather see a regulation that would deny
> address space allocation to LIRs not having a good spamfilter.

Honest? Well, describe how this could work and we discuss it here.
If a majority likes it ...

>> For a start I would like to force resource holders to actually
>> read the mail arriving under their abuse address.
>> This will not force anybody to control all the traffic.
>
> Do you believe this is practically possible for any huge email provider
> (or other services)?

Sure, how many abuse reports are being sent during a day?
Does anybody have a number or a good estimation?

>> F.e. by returning ticket numbers or the like.
>> Or sending automatic CCs to the RIPE NCC ..
>> This could be controlled, weighted and analyzed by the NCC
>> and could give evidence about how the ISP is working
>> with abuse reports.
>
> Or even better; RIPE NCC could just get a login to PRISM and read all
> your mail there.
>
> Others have probably other ideas, let's hear and discuss them.
>
> Accepting your abuse mail is not a right, but a service.

Good point.

> This may be
> unfortunate, but it should be up to each LIR to decide if and through
> what media they accept complaints. Creating a standard and encouraging all
> LIRs to use it would however be great.

You see? Currently the abuse-c will be the only practical way to get in
contact.
You can send letters, drive by, a fax, whatever, but the addresses are
probably worse than the abuse-c's email address.
So there is no real decision to make which way is best to contact them.

The current regulations at RIPE now say in fact that you can only get
(or keep) your resources when you have an abuse-c.
It's only another step to enhance the regulations so that you need to read
email coming in.
Kind regards, Frank

From ripe-anti-spam-wg at powerweb.de Fri Jun 28 13:01:31 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 28 Jun 2013 13:01:31 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <8761wypmgt.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <51C30E81.2040404@powerweb.de> <8761wypmgt.fsf@stepladder-it.com>
Message-ID: <51CD6D0B.7090501@powerweb.de>

Benedikt Stockebrand wrote:
> Frank Gadegast writes:
>
>> Sad, but how can you submit a death threat to a role person (object)?
>
> As e-mail.

There is no such "person" under a role object.
Sure, you can send an email "I kill you all there at this company", but ...

> The reason why I am so wary about this is because at that time you'd
> have to have a real person, with name and phone number, listed as
> admin-c. Things have improved since then, partly due to the
> introduction of abuse-c.

Exactly. Now you can hide some more personal information.

> Nevertheless, the actual problem with the idea about abuse-c being too
> easily accessible still remains: People who don't really know what they
> are doing will find that interface and cause additional work to the
> people on the receiving end of the abuse-c mail queue.

Understood. What about admins fearing a higher workload simply sending an
email back with a ticket number when the incoming mail isn't in ARF?
Or directing people with this returning mail to a webform where the user
can only enter certain things ..
It's the admin's choice ...

It's my personal opinion that admins should be fixing their security holes
when they complain about the workload. They will get fewer complaints if
they do.
Kind regards, Frank

From ripe-anti-spam-wg at powerweb.de Fri Jun 28 13:14:18 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 28 Jun 2013 13:14:18 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <871u7mpm6y.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com> <51C8312D.6070208@powerweb.de> <871u7mpm6y.fsf@stepladder-it.com>
Message-ID: <51CD700A.9060206@powerweb.de>

Benedikt Stockebrand wrote:
> Frank Gadegast writes:
>
>> Benedikt Stockebrand wrote:
>>> Hi Suresh and list,
>>>
>>> Please explain to me why providing an excessively easy-to-use abuse
>>> interface won't cause such an increase in workload for the recipients of
>>> that list that it becomes impossible to handle.
>>
>> That's the wrong starting point.
>>
>> If some resource holder is not willing to reduce abuse coming
>> from his networks, there's nothing we can do.
>> And it will not harm him to publish his abuse contact in a central space,
>> he's not reading the abuse reports anyway ...
>
> Sorry, this is nonsense. If somebody has his home PC being part of a
> botnet, and someone uses that botnet to flood a victim with ping or TCP
> syn or flood attacks using my IP address, then how will the
> mails I get as my own abuse-c find their way to the bot PC owner or his
> ISP's abuse-c?

Don't get the point here.
If you get attacked with a whatever flood, you see the sender IP.
Enter the sender IP in the central whois and write a mail to the
responsible abuse-c.
He now can check which user used the IP at that time and get in contact
with him to fix the problem, or deny the end user access or ignore it or
whatever policy they run.

> Your entire chain of reasoning relies on the fact that whatever IP
> address from an attacker your end users find in their logs identifies
> the abuse-c to contact.
Sure, end users aren't normally able to find the IP, but there
are already tools and plugins to do this.

And I still think that a central whois makes it easy to find
the right contact, for end users, semi-professionals and pros ...

Kind regards, Frank

From leo.vegoda at icann.org Fri Jun 28 16:18:37 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Fri, 28 Jun 2013 07:18:37 -0700
Subject: [anti-abuse-wg] New Abuse Regulations
In-Reply-To: <51CD4E61.30906@powerweb.de>
References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> <51CD4E61.30906@powerweb.de>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B184E0DEA60F@EXVPMBX100-1.exc.icann.org>

Frank Gadegast wrote:

[...]

> For a start I would like to force resource holders to actually
> read the mail arriving under their abuse address.
> This will not force anybody to control all the traffic.

Can you describe the incentive that would force this?

Regards,

Leo Vegoda

From ripe-anti-spam-wg at powerweb.de Fri Jun 28 17:14:13 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Fri, 28 Jun 2013 17:14:13 +0200
Subject: [anti-abuse-wg] New Abuse Regulations
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B184E0DEA60F@EXVPMBX100-1.exc.icann.org>
References: <4803.1372366044@server1.tristatelogic.com> <51CD3F97.2000400@powerweb.de> <20130628075541.GA96362@cilantro.c4inet.net> <51CD4E61.30906@powerweb.de> <5648A8908CCB564EBF46E2BC904A75B184E0DEA60F@EXVPMBX100-1.exc.icann.org>
Message-ID: <51CDA845.2020402@powerweb.de>

Leo Vegoda wrote:
> Frank Gadegast wrote:
>
> [...]
>
>> For a start I would like to force resource holders to actually
>> read the mail arriving under their abuse address.
>> This will not force anybody to control all the traffic.
>
> Can you describe the incentive that would force this?

Could be a step-by-step educational/regulation process.

First, when the NCC gets a complaint about a netblock, they could check
if the abuse address is working at all.
Or they send an email requesting a return receipt (might indicate
something, but is probably no proof).
The NCC could also check regularly whether they exist.
(I know, it could also be filtered or faked at the receiver's side.)

Or it could be a regulation that such an address has to return something
(email, ticket).

Or abuse reports should always be sent with a CC to a RIPE address, where
the NCC does some counting.
Or the abuse-c has to send a CC to the NCC when replying ... or both
together ...
When a netblock is suspicious, these "sums" could be looked at (going up,
going down, short outbreak or being very high all the time compared to
others with that size of allocation, and so on).

Or trusted blacklists could prepare some kind of counting and forward this
to the NCC (we can tell quite a lot about non-existing, not-working or
non-responsive addresses and also about spam-per-networksize ratios; just
looked into our database: some ISPs in Poland, Ukraine and Spain are still
at the top, then a lot of nothing, but Kazakhstan is moving, aehm, forward).

All this is a kind of "indirect force".
When there are audits, no network admin likes to have a bad reputation,
right?
If I knew how to start an audit process, I would have a few nice
candidates that did nothing during the last years to get their complaint
ratio down.

Another example: we also have some netblock from another LIR not belonging
to our AS. Surely this LIR forwards complaints to us and we are forced to
reply, because it's his abuse-c address visible through whois.
The LIR is always pretty happy when we reply, and audits this again after a
while, whether the complaints stopped or not. If not, they will start to
look closer at us and maybe revoke our netblocks ...
The NCC could do the same; it only depends on what kind of regulations we
want, what kind of framework, rules, values, whatever.

I know that there are lots of holes we could fall into (like faked reports
to kill somebody's reputation, automatic replies that look as if everything
is good, and so on), but we cannot get this going if we do not collect
ideas on how it could work ...

But I guess it would be pretty easy to find and separate the really bad
ones from the ones that only sometimes have a problem and those that never
have a problem.

Kind regards, Frank

>
> Regards,
>
> Leo Vegoda

From md at Linux.IT Fri Jun 28 18:49:57 2013
From: md at Linux.IT (Marco d'Itri)
Date: Fri, 28 Jun 2013 18:49:57 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To:
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net>
Message-ID: <20130628164957.GA16513@bongo.bofh.it>

On Jun 28, Suresh Ramasubramanian wrote:

> There has been little or no reason to adopt v6 so far, other than as an

I have a great reason: I am out of v4 addresses and I want to turn up
new customers.

> With some majors like Google starting to adopt it, and with only a few
> years left for a v4 aftermarket, carrier grade nat etc to have any effect,

There is no noticeable v4 market and NAT is only relevant on the access
side. I don't do access.

--
ciao,
Marco
From ops.lists at gmail.com Fri Jun 28 20:00:52 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 28 Jun 2013 23:30:52 +0530
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <20130628164957.GA16513@bongo.bofh.it>
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> <20130628164957.GA16513@bongo.bofh.it>
Message-ID:

The access side is about the largest adopter of whatever IP connectivity
works for them with a minimum of effort. So decisions will vary across
providers, sure.

On Friday, June 28, 2013, Marco d'Itri wrote:
> On Jun 28, Suresh Ramasubramanian wrote:
>
>> There has been little or no reason to adopt v6 so far, other than as an
>
> I have a great reason: I am out of v4 addresses and I want to turn up
> new customers.
>
>> With some majors like Google starting to adopt it, and with only a few
>> years left for a v4 aftermarket, carrier grade nat etc to have any effect,
>
> There is no noticeable v4 market and NAT is only relevant on the access
> side. I don't do access.
>
> --
> ciao,
> Marco

--
--srs (iPad)

From rfg at tristatelogic.com Sat Jun 29 01:27:26 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Fri, 28 Jun 2013 16:27:26 -0700
Subject: [anti-abuse-wg] Bye Bye (was: Re: The Rules)
In-Reply-To: <20130628074459.GP2706@Space.Net>
Message-ID: <14828.1372462046@server1.tristatelogic.com>

Before responding, I'd just like to say that yesterday, I believed that I
had adjusted my procmail rules so that I would never again get any messages
from or relating to this list or this WG. As far as I am concerned, any
further time of mine spent interacting with this WG is an utter waste of my
precious remaining minutes on this earth.
(I continue to be subscribed to this list only because I automagically,
using procmail, archive many many mailing lists for reasons that I shall
not go into, but which have nothing at all to do with content. And before
anybody asks, no, I am _not_ an NSA contractor or employee.)

In message <20130628074459.GP2706 at Space.Net>, Gert Doering wrote:

>> I suppose that the word "exhaustion" has a different meaning depending
>> upon one's own individual situation. Certainly, if you are one of the
>> lucky few who had the foresight to start hoarding and to squirrel away
>> a whole lot of IPv4 space some time ago, then right now I am sure that
>> you are sitting pretty, and saying to yourself "Shortage? What shortage?"
>>
>> Other people (and companies) may perhaps not have had the same level of
>> foresight.
>
> No, you're misunderstanding me. Whatever we do, 4 billion IPv4 addresses
> will not be sufficient to number Internet access for 6+ billion humans
> on earth. So it's important to get over the fact that IPv4 is *gone*
> and move ahead to the only alternative we have: IPv6.

I see no reason to continue any pretense of courtesy in the presence of
such unmitigated fertilizer.

The above is the standard pro forma argument that is always trotted out by
all those who either own stock in equipment makers that are selling IPv6
gear or who otherwise have some financial interest in persuading everybody
on earth to use something that it has already been proven that virtually
nobody actually wants or is actively using.

To say that 4 billion IPv4 addresses cannot sustain 6+ billion residents
of planet earth is essentially no different from saying that because we
have 6+ billion people we need 6+ billion toilets. In short, the statement
is ludicrous on the face of it. Such statements are deserving of nothing
other than derision and ridicule.
They ignore both readily available technology and also the obscene amounts
of waste, fraud, and abuse that are almost everywhere evident in what can
only jokingly be called the current allocation "master plan" of the IPv4
address space.

Personally, I think that anyone who even remotely identifies himself or
herself with the profession of engineering and who simultaneously denies
humanity's ability... or even willingness... to stretch something less
than 6 billion toilets to cover 6+ billion people ought to (a) hang their
heads in shame and also (b) be immediately laughed out of the business.

But we live in an odd world these days, and unfortunately neither (a) nor
(b) is currently happening. In the meantime, until it does, and for the
foreseeable future, I personally shall continue to look forward to the
day... soon I hope, for all our sakes... when the species homo sapiens
finally grows up and starts understanding how to properly care for, be
good stewards of, and live within the limits of the resources that we
have, including a finite atmosphere into which we _cannot_ actually just
simply pump unlimited amounts of our effluent, a finite land mass, a
finite amount of arable land, a finite amount of fresh clean water, and a
finite IP address space.

All these resources, if managed properly, sensibly, and without profligate
waste and short-term driven exploitation, could be easily rendered
infinitely renewable, could be handed down, by us, largely if not entirely
intact, not merely to the next generation, but also to their descendants,
forever.

But homo sapiens clearly has not reached that understanding yet. He is
still out walking across that frozen land bridge from Asia into the
Americas, and all the way down to Tierra Del Fuego, perpetually in
search of new space to invade, conquer, exploit, lay waste to, and then,
as always, move on. This worked great for dozens of millennia. Alas,
it will not work forever.
Regards,
rfg

From ripe-anti-spam-wg at powerweb.de Sat Jun 29 10:34:25 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sat, 29 Jun 2013 10:34:25 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <14828.1372462046@server1.tristatelogic.com>
References: <14828.1372462046@server1.tristatelogic.com>
Message-ID: <51CE9C11.50107@powerweb.de>

Ronald F. Guilmette wrote:
> am concerned, any further time of mine spent interacting with this

Hm, you would probably have more time when bringing your mails
down to facts instead of writing lines and lines of lyrics ...

Nearly all IPv4 space has been given to people and companies.
There is nearly nothing left you could give away ...

> All these resources, if managed properly, sensibly, and without profligate
> waste and short-term driven exploitation, could be easily rendered

I agree that there are many many IPv4 addresses currently wasted,
unused, like all these big class-A blocks they gave to the
NSA, HP, Apple and so on, which can never prove a need for that many IPs
for servers and equipment.

And there are stupid big block reservations for protocols nobody
actually uses, like internal networks, multicast and so on.
They could be reduced to a single Class-B for example ...

There are also lots of blocks given to people and companies that
do illegal or unwanted things, at least in some countries ...

And there are lots of big blocks wasted with companies (I would
say typically access providers) that are really too stupid
to configure their equipment right and instead ordered
more and more IPs (an example: the German DTAG could only
give access to 80 million people maximum, guess how many
IPs they have for access purposes?)

All those IPs could be used much better and probably last a very
long time ...

But: those netblocks have been given to the resource holders
under the regulations of that time.
Do you really want to change the regulations now, to take
resources "back"?

You would have to be "Robin Hood" to achieve that ...
Good luck, Frank

> infinitely renewable, could be handed down, by us, largely if not entirely
> intact, not merely to the next generation, but also to their descendants,
> forever.
>
> But homo sapiens clearly has not reached that understanding yet. He is
> still out walking across that frozen land bridge from Asia into the
> Americas, and all the way down to Tierra Del Fuego, perpetually in
> search of new space to invade, conquer, exploit, lay waste to, and then,
> as always, move on. This worked great for dozens of millennia. Alas,
> it will not work forever.
>
> Regards,
> rfg

--
Kind regards,
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================

From ops.lists at gmail.com Sat Jun 29 11:22:52 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sat, 29 Jun 2013 14:52:52 +0530
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <51CE9C11.50107@powerweb.de>
References: <14828.1372462046@server1.tristatelogic.com> <51CE9C11.50107@powerweb.de>
Message-ID:

Neither dtag nor the other entities that you mentioned, which are using
the resources that they have been allocated and could possibly do with
less of, are using their IP space for large scale network abuse, so I do
wish you wouldn't make such comparisons.

--srs (htc one x)

On 29-Jun-2013 2:02 PM, "Frank Gadegast" wrote:
> Ronald F. Guilmette wrote:
>> am concerned, any further time of mine spent interacting with this
>
> Hm, you would probably have more time when bringing your mails
> down to facts instead of writing lines and lines of lyrics ...
>
> Nearly all IPv4 space has been given to people and companies.
> There is nearly nothing left you could give away ...
> [...]

From ripe-anti-spam-wg at powerweb.de Sat Jun 29 11:45:34 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sat, 29 Jun 2013 11:45:34 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To:
References: <14828.1372462046@server1.tristatelogic.com> <51CE9C11.50107@powerweb.de>
Message-ID: <51CEACBE.7010507@powerweb.de>

Suresh Ramasubramanian wrote:
> Neither dtag nor the other entities that you mentioned, which are using
> the resources that they have been allocated and could possibly do with
> less of, are using their IP space for large scale network abuse, so I do
> wish you wouldn't make such comparisons.

Who did a comparison here? I didn't.

Those are different facts (abusers, wasters, stupid protocols and far too
big legacy chunks along with stupid ERX blocks spread and wasted all over
the place) all ending up in wasted address space.

The question is whether the community would like to collect these netblocks
back to give them away to people that need some, in much smaller chunks.
Or if we are too lazy (simply because it would be quite difficult) and
then push IPv6 forward (which will be exhausted one day too, simply because
we waste them already). In this case Ronald is quite right ...

I personally wondered why IPv6 was started before the IPv4 space was
cleaned up, somehow typical I would say ...

Kind regards, Frank

> --srs (htc one x)
>
> On 29-Jun-2013 2:02 PM, "Frank Gadegast" wrote:
> [...]

--
Kind regards,
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================

From bs at stepladder-it.com Sat Jun 29 13:27:10 2013
From: bs at stepladder-it.com (Benedikt Stockebrand)
Date: Sat, 29 Jun 2013 11:27:10 +0000
Subject: [anti-abuse-wg] central whois
In-Reply-To: <51CD700A.9060206@powerweb.de> (Frank Gadegast's message of "Fri, 28 Jun 2013 13:14:18 +0200")
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com> <51C8312D.6070208@powerweb.de> <871u7mpm6y.fsf@stepladder-it.com> <51CD700A.9060206@powerweb.de>
Message-ID: <87a9m99my9.fsf@stepladder-it.com>

Frank Gadegast writes:

> Don't get the point here.

Obviously you don't.

> If you get attacked with a whatever flood, you see the sender IP.

You see the IP that the sender has configured.
To spell it out just for you: If someone configures a box to use the
address 62.67.229.200 and then flood pings some poor soul using that
address as source, who will then get all the abuse mails you want to force
people to read? Hint:

$ dig +noall +answer www.powerweb.de any
www.powerweb.de.        500     IN      MX      200 mail.berlin3.powerweb.de.
www.powerweb.de.        500     IN      MX      100 mail.powerweb.de.
www.powerweb.de.        500     IN      A       62.67.229.200

Now do that with an entire botnet and see what happens. Or do you have
any plans you didn't share yet on how to prevent attackers from using
this for a new kind of Joe job?

>> Your entire chain of reasoning relies on the fact that whatever IP
>> address from an attacker your end users find in their logs identifies
>> the abuse-c to contact.
>
> Sure, end users aren't normally able to find the IP, but there
> are already tools and plugins to do this.

So, more mails to abuse at powerweb.de. Which of course, since you want to
force other people to read their abuse-c mail address, you will all read
yourself.

And if that's not enough to keep you busy: Maybe somebody with basic
scripting skills takes your approach even a bit further and links
his/her packet filter to a script that stuffs every such packet in a mail
to the "responsible" abuse-c. Happy reading.

> And I still think that a central whois makes it easy to find
> the right contact, for end users, semi-professionals and pros ...

And the "right contact" is whoever holds the IP address used as source
for some sort of attack or whatever. This is so immensely clever I'm
absolutely speechless.

--
Business Grade IPv6 Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform.
http://www.stepladder-it.com/

From ripe-anti-spam-wg at powerweb.de Sat Jun 29 14:25:32 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sat, 29 Jun 2013 14:25:32 +0200
Subject: [anti-abuse-wg] central whois
In-Reply-To: <87a9m99my9.fsf@stepladder-it.com>
References: <51C2C88D.9090704@powerweb.de> <51C2E7E8.9080304@ripe.net> <51C2EEE0.4040604@powerweb.de> <87bo70c25i.fsf@stepladder-it.com> <87zjuflqid.fsf@stepladder-it.com> <51C8312D.6070208@powerweb.de> <871u7mpm6y.fsf@stepladder-it.com> <51CD700A.9060206@powerweb.de> <87a9m99my9.fsf@stepladder-it.com>
Message-ID: <51CED23C.9030700@powerweb.de>

Benedikt Stockebrand wrote:
> Frank Gadegast writes:
>
>> Don't get the point here.
>
> Obviously you don't.
>
>> If you get attacked with a whatever flood, you see the sender IP.
>
> You see the IP that the sender has configured. To spell it out just for

Did you ever configure Netflow in your backbone? And have backbone
partners that also have Netflow? You can then easily follow where it's
really coming from.

> you: If someone configures a box to use the address 62.67.229.200 and
> then flood pings some poor soul using that address as source, who will
> then get all the abuse mails you want to force people to read? Hint:
>
> $ dig +noall +answer www.powerweb.de any
> www.powerweb.de.        500     IN      MX      200 mail.berlin3.powerweb.de.
> www.powerweb.de.        500     IN      MX      100 mail.powerweb.de.
> www.powerweb.de.        500     IN      A       62.67.229.200
>
> Now do that with an entire botnet and see what happens.

You can with ping or other packets, when you actually do not want any
packet to return to you, but with spam? Hacking? TCP flooding,
password harvesting? No way, this is two-way, they need to expose the
originating IP.
And anti-DDoS protection is then quite easy.

> Or do you have
> any plans you didn't share yet on how to prevent attackers from using
> this for a new kind of Joe job?

Admins allowing ICMP to float into their backbone are, aeh, stupid.
>>> Your entire chain of reasoning relies on the fact that whatever IP
>>> address from an attacker your end users find in their logs identifies
>>> the abuse-c to contact.
>>
>> Sure, end users aren't normally able to find the IP, but there
>> are already tools and plugins to do this.
>
> So, more mails to abuse at powerweb.de.

Not at all. You're getting personal here, so a personal answer.

There is no spam leaving our address space and nearly no other abuse problems (maybe a badly administered webspace gets hacked once or twice a year, but then I'm really happy about every report I do get to find more details, but we usually find and repair these kinds of problems BEFORE any report or complaint reaches us). So: clean network, no work.

Because you got personal, here a little homework: try and find any of our IP addresses on a blacklist ...

BTW: checked (probably one of some) /28 that you're using and found 3 IPs on only one blacklist nobody is really using, you shouldn't get too many mails for that (probably because you aren't the abuse contact for that block yourself, but your ISP is :o). And surprise, surprise, no spam ever reached us from your ISP's networks, impressive. They shouldn't get so many complaints either ...

> Which of course, since you want to
> force other people to read their abuse-c mail address, you will all read
> yourself.

Sure, I like that, and it's not too much for me to read about 10 mails a year, and even reply to those 5 that think the abuse was coming from us, explaining to them that it wasn't and why it wasn't.

> And if that's not enough to keep you busy: Maybe somebody with basic
> scripting skills takes your approach even a bit further and links
> his/her packet filter to a script that stuffs every such packet in a mail
> to the "responsible" abuse-c. Happy reading.

Happy filtering ...

>> And I still think that a central whois makes it easy to find
>> the right contact, for end users, semi-professionals and pros ...
>
> And the "right contact" is whoever holds the IP address used as source
> for some sort of attack or whatever. This is so immensely clever I'm
> absolutely speechless.

How often does that really happen, aeh? Compared to all those bots where precise reports get sent to the right person, but who simply do nothing and then complain about "so many reports".

Again, clean, close and protect your network, educate your customers, clean your hacked homepages, kill the bots together with your customers and you're done. You will not get a lot to read anymore ...

Kind regards, Frank

From furio+as at spin.it Sat Jun 29 15:43:23 2013
From: furio+as at spin.it (furio ercolessi)
Date: Sat, 29 Jun 2013 15:43:23 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130618132923.GA4854@spin.it>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it>
Message-ID: <20130629134323.GA27051@spin.it>

On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
> [...]
> Now, RIPE-582 (February 2013) contains the following text:
>
> "6.6 Validity of an Assignment
> All assignments are valid as long as the original criteria on which the
> assignment was based are still valid and the assignment is properly
> registered in the RIPE Database. If an assignment is made for a specific
> purpose and that purpose no longer exists, the assignment is no longer
> valid."
>
> Therefore, if the above premises are correct, spamming ranges are
> classified "not valid" - simply because snowshoe spam was not the
> motivation given to get the assignment.
>
> Then the RIPE NCC problem, it seems to me, is that "no longer valid"
> ranges remain in use for a long period of time. This seems to
> indicate that there is no effective mechanism to enforce the rules.
> Indeed, what is the semantic meaning of "no longer valid" if people
> continue to use those ranges for extended periods of time?
> "Invalid" with respect to what ? RIPE-582 does not seem to address this > point. If it does, please point me to the relevant section, or to > another document that discuss this point. > > At the end, the problem seems to boil down to these questions: > > "Does the RIPE Community really want to have resources defined as > "invalid", yet live without a real working mechanism to have these > invalid resources claimed back and reassigned ? If not, would the > introduction of such an enforcement mechanism go against the acceptable > operational limits for a RIR ? And if yes, what is the purpose of defining > rules that can not be enforced, and hence resulting in bad guys getting > as much resources as they like by making false statements ?" Sadly, these questions remained mostly unanswered so far. I am starting to think that perhaps no attempts are made to classify IPv4 assignments as "invalid" according to RIPE-582, section 6.6. I will be glad to know about a counterexample. furio From julien at tayon.net Sat Jun 29 17:42:43 2013 From: julien at tayon.net (julien tayon) Date: Sat, 29 Jun 2013 11:42:43 -0400 Subject: [anti-abuse-wg] Bye Bye In-Reply-To: <51CEACBE.7010507@powerweb.de> References: <14828.1372462046@server1.tristatelogic.com> <51CE9C11.50107@powerweb.de> <51CEACBE.7010507@powerweb.de> Message-ID: So I guess this document http://www.ripe.net/ripe/docs/ripe-592 is BS IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region Unless we delete 10.0 (audit) 11.0 (closing LIR that don't comply with policies) 9.0 (record keeping) in 8.0 I suggest to remove the additionnal End User Agreement that should be written in the sub user contract ... In fact everything. ripe-592 could be : do whatever you want, we don't care, but we'll take the money of the LIR + formations, enforce heavy bureaucratic stuff and don't care about people. In fact RIPE does not do what it tells its mission is... 
it's inconsistency, plain disrespect for the people who are complying with the policies.

Tell me honestly: is it plain loss of interest in the mission of having a fair use of the internet where it is not the stronger/bolder that makes the rules, lies, or just incompetence?

2013/6/29 Frank Gadegast
> Suresh Ramasubramanian wrote:
>
>> Neither dtag nor the other entities that you mentioned, are using the
>> resources that they have been allocated, and could possibly do with less
>> of, are using their IP space for large scale network abuse so i do wish
>> you wouldn't make such comparisons
>>
>
> Who did a comparison here?
> I didn't.
>
> Those are different facts (abusers, wasters, stupid protocols
> and far too big legacy chunks along with stupid ERX blocks spread
> and wasted all over the place) all ending up in wasted address space.
>
>
> The question is, if the community likes to collect these netblocks
> back to give them away to people that need some, in much smaller
> chunks.
>
> Or if we are too lazy (simply because it would be quite difficult)
> and then push IPv6 forward (which will exhaust one day too, simply
> because we waste them already).
>
> In this case Ronald is quite right ...
>
> I personally wondered why IPv6 was started before the IPv4
> space was cleaned up, somehow typical I would say ...
>
>
> Kind regards, Frank
>
>
>> --srs (htc one x)
>>
>> On 29-Jun-2013 2:02 PM, "Frank Gadegast" wrote:
>>
>> Ronald F. Guilmette wrote:
>>
>> am concerned, any further time of mine spent interacting with this
>>
>>
>> Hm, you would probably have more time, when bringing your mails
>> down to facts instead of writing lines and lines of lyrics ...
>>
>> Nearly all IPv4 space has been given to people and companies.
>> There is nearly nothing left you could give away ...
>>
>> All these resources, if managed properly, sensibly, and without
>> profligate
>> waste and short-term driven exploitation, could be easily rendered
>>
>>
>> I agree, that there are many many IPv4 addresses currently wasted,
>> unused like all these big class-A blocks they gave to the
>> NSA, HP, Apple aso, which can never prove a need of that many IPs for
>> servers and equipment.
>>
>> And there are stupid big block reservations for protocols nobody
>> actually uses, like internal networks, multicast aso.
>> They could be reduced to a single Class-B for example ...
>>
>> There are also lots of blocks given to people and companies that
>> do illegal or unwanted things, at least in some countries ...
>>
>> And there are lots of big blocks wasted with companies (I would
>> say typically access providers), that are really too stupid
>> to configure their equipment right and instead ordered
>> more and more IPs (an example: the German DTAG could only
>> give access to 80 million people maximum, guess how many
>> IPs they have for access purposes?)
>>
>> All those IPs could be used much better and probably last a very
>> long time ...
>>
>>
>> But: those netblocks have been given to the resource holders
>> under the regulations of that time.
>> Do you really want to change the regulations now, to take
>> resources "back"?
>>
>> You have to be "Robin Hood" to achieve that ...
>>
>>
>> Good luck, Frank
>>
>> infinitely renewable, could be handed down, by us, largely if
>> not entirely
>> intact, not merely to the next generation, but also to their
>> descendants,
>> forever.
>>
>> But homo sapiens clearly has not reached that understanding yet.
>> He is
>> still out walking across that frozen land bridge from Asia into
>> the
>> Americas, and all the way down to Tierra Del Fuego, perpetually
>> in
>> search of new space to invade, conquer, exploit, lay waste to,
>> and then,
>> as always move on. This worked great for dozens of millennia.
>> Alas
>> it will not work forever.
>>
>>
>> Regards,
>> rfg
>>
>>
>> --
>> Mit freundlichen Gruessen,
>> --
>> PHADE Software - PowerWeb http://www.powerweb.de
>> Inh. Dipl.-Inform. Frank Gadegast
>> mailto:frank at powerweb.de
>>
>> Schinkelstrasse 17 fon: +49 33200 52920
>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
>> ======================================================================
>>
>
> --
>
> Mit freundlichen Gruessen,
> --
> PHADE Software - PowerWeb http://www.powerweb.de
> Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
> Schinkelstrasse 17 fon: +49 33200 52920
> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
> ======================================================================

From gert at space.net Sat Jun 29 22:14:57 2013
From: gert at space.net (Gert Doering)
Date: Sat, 29 Jun 2013 22:14:57 +0200
Subject: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
In-Reply-To: <20130629134323.GA27051@spin.it>
References: <39804.1371411773@server1.tristatelogic.com> <51BFEBAB.4010708@CC.UniVie.ac.at> <20130618132923.GA4854@spin.it> <20130629134323.GA27051@spin.it>
Message-ID: <20130629201456.GG2706@Space.Net>

Hi,

On Sat, Jun 29, 2013 at 03:43:23PM +0200, furio ercolessi wrote:
> On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
> > [...]
> > Now, RIPE-582 (February 2013) contains the following text:
> >
> > "6.6 Validity of an Assignment
> > All assignments are valid as long as the original criteria on which the
> > assignment was based are still valid and the assignment is properly
> > registered in the RIPE Database. If an assignment is made for a specific
> > purpose and that purpose no longer exists, the assignment is no longer
> > valid."
> >
> > Therefore, if the above premises are correct, spamming ranges are
> > classified "not valid" - simply because snowshoe spam was not the
> > motivation given to get the assignment.

This paragraph mentions *assignments*, which is (in the context of LIRs) what a LIR gives to its customers. So indeed, if a customer is lying to the LIR, the assignment falls back to the LIR (which makes a difference when the LIR's allocation is full and they can't get more space because their assignments are not valid).

This paragraph does not apply to the *allocation* given to the LIR from the RIPE NCC.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

From rfg at tristatelogic.com Sun Jun 30 00:32:26 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sat, 29 Jun 2013 15:32:26 -0700
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <51CE9C11.50107@powerweb.de>
Message-ID: <27514.1372545146@server1.tristatelogic.com>

In message <51CE9C11.50107 at powerweb.de>, you wrote:

>But: those netblocks have been given to the resource holders
>under the regulations of that time.
>Do you really want to change the regulations now, to take
>resources "back"?

When the space is being demonstrably used for snowshoe spamming and/or for "blackhat SEO" purposes (which are also fundamentally anti-social), yes, I do.
From md at Linux.IT Sun Jun 30 01:14:04 2013
From: md at Linux.IT ('Marco d'Itri')
Date: Sun, 30 Jun 2013 01:14:04 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <007901ce74b7$50007ed0$f0017c70$@a2b-internet.com>
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> <20130628164957.GA16513@bongo.bofh.it> <007901ce74b7$50007ed0$f0017c70$@a2b-internet.com>
Message-ID: <20130629231404.GA29784@bongo.bofh.it>

On Jun 29, Erik Bais wrote:

> I have to disagree with you, there IS a v4 market .. and people are already
> in pain or are looking at how to fix their issue.

I see people trying to buy IPv4 space (even if most of them are spammers).
I do not see many people trying to sell IPv4 space.

Why sell now while the price is still going up?

--
ciao,
Marco

From ripe-anti-spam-wg at powerweb.de Sun Jun 30 09:18:24 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sun, 30 Jun 2013 09:18:24 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <27514.1372545146@server1.tristatelogic.com>
References: <27514.1372545146@server1.tristatelogic.com>
Message-ID: <51CFDBC0.3040608@powerweb.de>

Ronald F. Guilmette wrote:
> In message <51CE9C11.50107 at powerweb.de>, you wrote:
>
>> But: those netblocks have been given to the resource holders
>> under the regulations of that time.
>> Do you really want to change the regulations now, to take
>> resources "back"?
>
> When the space is being demonstrably used for snowshoe spamming
> and/or for "blackhat SEO" purposes (which are also fundamentally
> anti-social), yes, I do.

Good.
Now we know that LIRs should only give resources away when the usage is clearly defined and does not change. I'd like to ask:

- is an LIR forced by any RFC or RIPE regulation to control the usage later on?

RIPE seems to only take care that the address of an LIR is ok, it's still the same company, the company exists and the resources are put into the RIPE db aso:

- but does the RIPE NCC also check the usage of all resources and whether the LIR controls the usage of those resources during an audit process? how can a LIR prove to the RIPE NCC that the initial purpose is still the same?
- can RIPE NCC force an LIR legally to withdraw a specific network not used for its initial purpose?
- and can RIPE NCC withdraw the complete allocation of this LIR if he does not?

Could someone please name the exact phrase of an RFC or other RIPE NCC document or contract.

If there is none, should that not be our next proposal?

Kind regards, Frank

--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================

From ripe-anti-spam-wg at powerweb.de Sun Jun 30 09:31:50 2013
From: ripe-anti-spam-wg at powerweb.de (Frank Gadegast)
Date: Sun, 30 Jun 2013 09:31:50 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <20130629231404.GA29784@bongo.bofh.it>
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> <20130628164957.GA16513@bongo.bofh.it> <007901ce74b7$50007ed0$f0017c70$@a2b-internet.com> <20130629231404.GA29784@bongo.bofh.it>
Message-ID: <51CFDEE6.3050501@powerweb.de>

'Marco d'Itri' wrote:
> On Jun 29, Erik Bais wrote:
>
>> I have to disagree with you, there IS a v4 market .. and people are already
>> in pain or are looking at how to fix their issue.
> I see people trying to buy IPv4 space (even if most of them are
> spammers).
> I do not see many people trying to sell IPv4 space.
>
> Why sell now while the price is still going up?
>

Funny enough we do get a lot of requests to give IP space away during the last few months and we never had these kinds of requests before.

Usually the interest drops when we tell them that we only use our allocation for services in our housing centers :o)

This increased interest could be because IPv4 space is getting rare or it could also be because of the new abuse-c. Usually our customers are quite happy if they don't have to manage an abuse address themselves. But it's funny with these kinds of offers we get now, they always offer to handle abuse reports themselves :o)

That makes me think:

- what about an LIR that does not know what his "customer" is doing? let's say, he sells the IP space, it gets announced somewhere in the world, he does not route it, it's not his AS anymore and surely not his abuse-c

How can he control the initial usage of the "customer's" netblocks? How could he be informed by others that his "customer" is a professional spammer?

Kind regards, Frank

--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform.
Frank Gadegast mailto:frank at powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================

From gert at space.net Sun Jun 30 10:25:24 2013
From: gert at space.net (Gert Doering)
Date: Sun, 30 Jun 2013 10:25:24 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <51CEACBE.7010507@powerweb.de>
References: <14828.1372462046@server1.tristatelogic.com> <51CE9C11.50107@powerweb.de> <51CEACBE.7010507@powerweb.de>
Message-ID: <20130630082524.GI2706@Space.Net>

Hi,

On Sat, Jun 29, 2013 at 11:45:34AM +0200, Frank Gadegast wrote:
> I personally wondered why IPv6 was started before the IPv4
> space was cleaned up, somehow typical I would say ...

This is *very* easy - because some of us had the foresight of "not waiting until the very last moment". This is why we have halfway sane IPv6 allocation policies today, and people who want to deploy IPv6 have been able to do so (and have done so).

Moving to IPv6 some 10 years ago would have been MUCH less work, because the amount of IPv4-only devices that have been rolled out in these 10 years is enormous (10 years ago, there was no UMTS, and no IPv4-only UMTS handsets that now provide a large legacy to care for).

Running headfirst into the wall, and *then* thinking of a backup plan is not a very good approach.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

From erik at bais.name Sun Jun 30 10:26:34 2013
From: erik at bais.name (Erik Bais)
Date: Sun, 30 Jun 2013 08:26:34 +0000
Subject: [anti-abuse-wg] Bye Bye
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> <20130628164957.GA16513@bongo.bofh.it>
Message-ID: <862A73D42343AE49B2FC3C32FDDFE91C605398F1@E2010-MBX04.exchange2010.nl>

Repost as my other email address wasn't subscribed to the list.

-----Original Message-----
From: Erik Bais [mailto:ebais at a2b-internet.com]
Sent: Saturday 29 June 2013 12:57
To: 'Marco d'Itri'; anti-abuse-wg at ripe.net
Subject: RE: [anti-abuse-wg] Bye Bye

Hi Marco,

> > With some majors like Google starting to adopt it, and with only a few
> > years left for a v4 aftermarket, carrier grade nat etc to have any effect,
> There is no noticeable v4 market and NAT is only relevant on the access
> side. I don't do access.

I have to disagree with you, there IS a v4 market .. and people are already in pain or are looking at how to fix their issue.

Going native v6 isn't the fix for most of them, a majority of the LIRs NEED to run dual-stack for a noticeable time ahead. Not because they can't run native v6, but because others don't run v6 at all.

Carrier Grade NAT (CGN) will break stuff in certain scenarios like VoIP, some streaming videos, Xbox Live connectivity and will cost you a lot in storage for (abuse) logging. You will require boxes that aren't cheap either.. and in order to be able to pinpoint that one customer that did a spam-run or portscan (as an example) you will need to know exactly who used IP X, tcp port range Z to Y at timestamp. And with the current EU Data Retention Act, you may be forced to store that information between 6 months to 24 months for legal reasons.
(your mileage may vary depending on the country you work in)

To give you an indication, a 1 million subscriber LIR will generate per subscriber about 5 to 96 Mb of logs per day (just headers from the CGN); that is about 1 Pbyte storage per 1M subscribers .. per month ..

- http://pc.denog.de/system/attachments/5/original/07-Grundemann-Carrier_Grade_NAT.pdf?1353317223

See this very nice presentation from CableLabs about CGN from Denog4 in November 2012.

To give an indication, 1 Pb of storage will cost you about 6 racks filled with disks, setting you back only in colocation cost about 5k US$ and roughly an equal amount in power cost per month. So keeping it online alone will have an operating cost of 10k US$, not including cost of purchase of the storage or management of the information on it.

So if you, for instance in my case, live in the Netherlands, you NEED to store the information 12 months.

Does that give enough background about why people are looking into the IPv4 market?

The reason why people tend to say there is no v4 market is not because it is not here ... it is because the transfer policy is currently too restrictive for a lot of companies. This results in movement of IP ranges not being updated in the actual registry.

Think about PI IPv4 being sold, but not transferred in ownership to the new 'owner'. Why? Because the transfer policy doesn't allow for PI transfers... So sometimes a side letter is made, money is provided and things stay as they are in the registry. Sometimes it is even sold without such a letter, I've seen.

The 24 month cool-down period for a range after a transfer? Come on, if money is to be made, it is foolish to think that people will take the high road and sit on their resources.

The current policies don't state that you can't move an LIR between legal entities ... or just buy the complete legal entity that holds the LIR. (stock transfers)

There IS a market and people DO relocate resources in the above mentioned ways...
Wake up and smell the new reality.

The more restrictive and difficult the policies are, the more creative people will become. Should it be frowned upon? Perhaps, but most of the people doing it don't care if someone would ask them why they would do it. Especially if serious money is to be made (or if they can proceed signing up customers in the years to come).

WE as a community should make the transfer policies as transparent as possible to make sure that the registry is up to date, because it is not possible to restrict transfers.

By maintaining all these transfer limitations, we will not prevent the transfers, the registry will not be up to date AND if people that have a v4 surplus will move their resources to people who want to compensate the current owners for it, so be it. At least the unused IPs get used by those that are willing/able to put money on the table for it.

The RIPE NCC did a great job in the past in fair distribution, but their role isn't in distribution anymore, it is to keep the registry up to date. That is their #1 role for the future.

Sorry for the long reply, but people who still think that there is no v4 market haven't paid much attention to what is happening around them.
See also the growing list of transfers on the RIPE website:
https://www.ripe.net/lir-services/resource-management/ipv4-transfers/table-of-transfers

Regards,
Erik Bais

From ebais at a2b-internet.com Sat Jun 29 12:56:30 2013
From: ebais at a2b-internet.com (Erik Bais)
Date: Sat, 29 Jun 2013 12:56:30 +0200
Subject: [anti-abuse-wg] Bye Bye
In-Reply-To: <20130628164957.GA16513@bongo.bofh.it>
References: <5246.1372369816@server1.tristatelogic.com> <51CD1380.1070507@eth.si> <20130628074551.GQ2706@Space.Net> <20130628080733.GR2706@Space.Net> <20130628164957.GA16513@bongo.bofh.it>
Message-ID: <007901ce74b7$50007ed0$f0017c70$@a2b-internet.com>

Hi Marco,

> > With some majors like Google starting to adopt it, and with only a few
> > years left for a v4 aftermarket, carrier grade nat etc to have any effect,
> There is no noticeable v4 market and NAT is only relevant on the access
> side. I don't do access.

I have to disagree with you, there IS a v4 market .. and people are already in pain or are looking at how to fix their issue.

Going native v6 isn't the fix for most of them, a majority of the LIRs NEED to run dual-stack for a noticeable time ahead. Not because they can't run native v6, but because others don't run v6 at all.

Carrier Grade NAT (CGN) will break stuff in certain scenarios like VoIP, some streaming videos, Xbox Live connectivity and will cost you a lot in storage for (abuse) logging. You will require boxes that aren't cheap either.. and in order to be able to pinpoint that one customer that did a spam-run or portscan (as an example) you will need to know exactly who used IP X, tcp port range Z to Y at timestamp. And with the current EU Data Retention Act, you may be forced to store that information between 6 months to 24 months for legal reasons. (your mileage may vary depending on the country you work in)

To give you an indication, a 1 million
subscriber LIR will generate per subscriber about 5 to 96 Mb of logs per day (just headers from the CGN); that is about 1 Pbyte storage per 1M subscribers .. per month ..

- http://pc.denog.de/system/attachments/5/original/07-Grundemann-Carrier_Grade_NAT.pdf?1353317223

See this very nice presentation from CableLabs about CGN from Denog4 in November 2012.

To give an indication, 1 Pb of storage will cost you about 6 racks filled with disks, setting you back only in colocation cost about 5k US$ and roughly an equal amount in power cost per month. So keeping it online alone will have an operating cost of 10k US$, not including cost of purchase of the storage or management of the information on it.

So if you, for instance in my case, live in the Netherlands, you NEED to store the information 12 months.

Does that give enough background about why people are looking into the IPv4 market?

The reason why people tend to say there is no v4 market is not because it is not here ... it is because the transfer policy is currently too restrictive for a lot of companies. This results in movement of IP ranges not being updated in the actual registry.

Think about PI IPv4 being sold, but not transferred in ownership to the new 'owner'. Why? Because the transfer policy doesn't allow for PI transfers... So sometimes a side letter is made, money is provided and things stay as they are in the registry. Sometimes it is even sold without such a letter, I've seen.

The 24 month cool-down period for a range after a transfer? Come on, if money is to be made, it is foolish to think that people will take the high road and sit on their resources.

The current policies don't state that you can't move an LIR between legal entities ... or just buy the complete legal entity that holds the LIR. (stock transfers)

There IS a market and people DO relocate resources in the above mentioned ways...

Wake up and smell the new reality.
The more restrictive and difficult the policies are, the more creative people will become. Should it be frowned upon? Perhaps, but most of the people doing it don't care if someone would ask them why they would do it. Especially if serious money is to be made (or if they can proceed signing up customers in the years to come).

WE as a community should make the transfer policies as transparent as possible to make sure that the registry is up to date, because it is not possible to restrict transfers.

By maintaining all these transfer limitations, we will not prevent the transfers, the registry will not be up to date AND if people that have a v4 surplus will move their resources to people who want to compensate the current owners for it, so be it. At least the unused IPs get used by those that are willing/able to put money on the table for it.

The RIPE NCC did a great job in the past in fair distribution, but their role isn't in distribution anymore, it is to keep the registry up to date. That is their #1 role for the future.

Sorry for the long reply, but people who still think that there is no v4 market haven't paid much attention to what is happening around them.

See also the growing list of transfers on the RIPE website:
https://www.ripe.net/lir-services/resource-management/ipv4-transfers/table-of-transfers

Regards,
Erik Bais
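Two technical questions run through this thread: whether the source address an end user finds in a log identifies the party whose abuse-c should be mailed (Benedikt Stockebrand's spoofed-ICMP "Joe job" against Frank Gadegast's reply that spam, hacking and TCP flooding are two-way and expose the real origin), and what a CGN operator must log to map an abuse report back to one subscriber (Erik Bais's post on port ranges, timestamps and retention volume). The following Python is an added example written for this archive page; it is not code from any of the posters. The flow records, the CGN port-block lease log and the addresses (RFC 5737 documentation ranges) are constructed for the example and the record formats are invented, not those of any real NetFlow collector or CGN vendor. Erik's "5 to 96 Mb" per subscriber per day is taken here as megabytes; that reading is an assumption.

```python
"""Abuse-report triage on constructed flow and CGN records.

Added example, not code from any poster on this list. Record formats,
addresses (RFC 5737 documentation ranges) and the CGN lease log are
invented for illustration and match no real collector or vendor format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed unidirectional flow records:
#   timestamp proto src sport dst dport tcp_flags packets
# An ICMP or UDP flood needs no reply, so its source address can be anything
# (the "Joe job" case: a victim's MX address stuffed into the source field).
# A TCP flow carrying ACK and PSH from the claimed source only exists if that
# host received the SYN/ACK, so the address is real (modulo on-path attackers,
# and it still identifies a host, typically a bot, not the person behind it).
FLOWS = """\
2013-06-29T12:00:01Z icmp 203.0.113.7 0 198.51.100.10 0 - 120000
2013-06-29T12:00:01Z icmp 203.0.113.7 0 198.51.100.11 0 - 118000
2013-06-29T12:00:02Z tcp 192.0.2.44 51123 198.51.100.25 25 SPA 40
2013-06-29T12:00:03Z tcp 192.0.2.45 40001 198.51.100.25 22 S 300
2013-06-29T12:00:05Z udp 203.0.113.9 53 198.51.100.10 3391 - 9000
"""


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, proto, src, sport, dst, dport, flags, pkts = line.split()
        rows.append({"ts": ts, "proto": proto, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": flags,
                     "packets": int(pkts)})
    return rows


def attributable(flow):
    """True only if the traffic could not have worked with a forged source."""
    if flow["proto"] != "tcp":
        return False                 # ICMP/UDP: no proof the sender saw a reply
    flags = flow["flags"]
    return "A" in flags and "P" in flags   # a bare SYN flood is spoofable too


def triage(text):
    """Sort source addresses into 'report' and 'ignore' buckets."""
    buckets = defaultdict(set)
    for flow in parse_flows(text):
        buckets["report" if attributable(flow) else "ignore"].add(flow["src"])
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed CGN port-block lease log:
#   inside_addr public_addr port_range lease_start lease_end (UTC)
# One public address is shared by many subscribers at once and each port block
# is reused later by someone else, so a report giving only "public IP, roughly
# that time" cannot be resolved to a single subscriber; port and exact
# timestamp are mandatory.
CGN_LOG = """\
10.64.3.17 192.0.2.44 49152-50175 2013-06-29T11:30:00Z 2013-06-29T12:30:00Z
10.64.9.201 192.0.2.44 50176-51199 2013-06-29T11:55:00Z 2013-06-29T12:45:00Z
10.64.9.201 192.0.2.44 40960-41983 2013-06-29T09:00:00Z 2013-06-29T11:00:00Z
10.64.5.5 192.0.2.45 39936-40959 2013-06-29T11:00:00Z 2013-06-29T13:00:00Z
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_cgn(log_text, public_ip, port, ts):
    """Inside address that held public_ip:port at ts, or None if no lease matches."""
    when = _ts(ts)
    for line in log_text.splitlines():
        inside, public, ports, start, end = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        if public == public_ip and lo <= port <= hi and _ts(start) <= when < _ts(end):
            return inside
    return None


def cgn_log_retention_tb(subscribers, mb_per_sub_per_day, retention_days):
    """Decimal terabytes of CGN log that must stay online for a retention period."""
    return subscribers * mb_per_sub_per_day * retention_days / 1e6


if __name__ == "__main__":
    print(triage(FLOWS))
    # The one attributable flow, looked up with the port and time from its record.
    print(resolve_cgn(CGN_LOG, "192.0.2.44", 51123, "2013-06-29T12:00:02Z"))
    # Same address and port, wrong hour: no lease, so nobody to report.
    print(resolve_cgn(CGN_LOG, "192.0.2.44", 51123, "2013-06-29T10:00:00Z"))
    for mb in (5, 96):
        print(mb, "MB/day:", cgn_log_retention_tb(1_000_000, mb, 30), "TB/month,",
              cgn_log_retention_tb(1_000_000, mb, 365), "TB/year")
```

Run stand-alone, the triage puts only 192.0.2.44 in the "report" bucket: the ICMP flood source, the UDP source and the SYN-only source are all unverifiable and mailing their abuse-c would be exactly the backscatter Benedikt describes. For the one attributable flow the lease log resolves 192.0.2.44:51123 at 12:00:02Z to inside address 10.64.9.201, while the same address and port two hours earlier resolve to nobody, which is why an abuse report without a port and an accurate timestamp is useless under CGN. With Erik's figures for a one-million-subscriber LIR, 5 MB per subscriber per day is 150 TB a month and 1,825 TB for a 12-month Dutch retention period; 96 MB per day is 2,880 TB a month and about 35 PB a year. Frank's point that Netflow on your own and your partners' backbones lets you trace a spoofed flood hop by hop is the remaining route to the origin for the "ignore" bucket; that upstream trace is not modelled here.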