From fw at deneb.enyo.de Fri Mar 1 22:29:34 2013
From: fw at deneb.enyo.de (Florian Weimer)
Date: Fri, 01 Mar 2013 22:29:34 +0100
Subject: [anti-abuse-wg] Allocation of number resources
In-Reply-To: (Fredrik Widell's message of "Fri, 8 Feb 2013 21:43:50 +0100 (CET)")
References: <17279.1360271745@tristatelogic.com> <87pq0a7dqc.fsf@mid.deneb.enyo.de>
Message-ID: <87bob2ajwh.fsf@mid.deneb.enyo.de>

* Fredrik Widell:

> You will probably get most of the resources by querying the objects
> the lir maintains as well by this query:
>
> whois -h whois.ripe.net -- "-B -r -i mnt-by,mnt-routes,mnt-domains,mnt-lower,mnt-irt THE-LIR-MAINTAINER"

As far as I understand it, MNT handles are issued to non-LIRs as well,
so this doesn't necessarily show the whole story.

From ops.lists at gmail.com Mon Mar 4 18:02:28 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Mon, 4 Mar 2013 22:32:28 +0530
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
Message-ID:

inetnum: 37.114.49.0 - 37.114.49.255
netname: DE-NETWORK-ABUSE-3706
descr: Network-Abuse.info
country: DE
admin-c: HA2568-RIPE
tech-c: HA2568-RIPE
status: ASSIGNED PA
mnt-by: MNT-INTERCOLO
mnt-by: MNT-WEESLY
source: RIPE # Filtered

% Information related to 'HA2568-RIPE'

person: Holger Anonymous
address: Please contact us by E-Mail
phone: +49.180.4100100
abuse-mailbox: abuse at network-abuse.info
remarks: *******************************************
remarks: * SPAM / ABUSE / SECURITY / OTHERS *
remarks: *******************************************
remarks: * For spam/abuse/security issues please *
remarks: * contact : abuse at network-abuse.info *
remarks: *******************************************
remarks: * For other information or issues please *
remarks: * sent to abuse at network-abuse.info *
remarks: *******************************************
nic-hdl: HA2568-RIPE
mnt-by: MNT-ANONYMOUS
source: RIPE # Filtered

and network-abuse.info is domain clocked on godaddy -

Domain Name:NETWORK-ABUSE.INFO
Created On:19-Sep-2011 12:28:46 UTC
Last Updated On:21-Jun-2012 09:56:51 UTC
Expiration Date:19-Sep-2013 12:28:46 UTC

Now for what I wanted to ask. A RIPE query from the command line doesn't
show anything.

suresh at oc2751464200 22:27:52 <~> $ whois -h whois.ripe.net -i mnt-by MNT-ANONYMOUS
[Querying whois.ripe.net]
[whois.ripe.net]

%ERROR:101: no entries found
%
% No entries found in source RIPE.

But he has at least two other interesting (to a postmaster for a large
email service, hint, hint) netblocks this guy has -

37.114.43.0/24
37.114.45.0/24

Doing a RIPE full text search does get me these and other netblocks

inetnum: 89.144.17.0 - 89.144.18.255
mnt-by=MNT-WEESLY ISP4P-MNT MNT-ANONYMOUS

inetnum: 185.10.68.0 - 185.10.69.255
mnt-by=MNT-ANONYMOUS

inetnum: 185.10.70.0 - 185.10.70.255
mnt-by=MNT-ANONYMOUS

inetnum: 185.10.71.128 - 185.10.71.159
mnt-by=MNT-ANONYMOUS

inetnum: 185.10.71.160 - 185.10.71.167
mnt-by=MNT-ANONYMOUS

inetnum: 185.10.71.192 - 185.10.71.255
mnt-by=MNT-ANONYMOUS

mntner: MNT-ANONYMOUS
mnt-by=MNT-ANONYMOUS, referral-by=MNT-ANONYMOUS, mntner=MNT-ANONYMOUS

route: 185.10.68.0/22AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.43.0/24AS5577
mnt-by=MNT-ANONYMOUS ROOT-MNT

route: 37.114.45.0/24AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.46.0/24AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.47.0/24AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.48.0/24AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.49.0/24AS198599
mnt-by=MNT-ANONYMOUS

route: 37.114.51.0/24AS198599
mnt-by=MNT-ANONYMOUS

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From denis at ripe.net Mon Mar 4 18:18:54 2013
From: denis at ripe.net (Denis Walker)
Date: Mon, 04 Mar 2013 18:18:54 +0100
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To:
References:
Message-ID: <5134D77E.9070202@ripe.net>

Dear Suresh

I think this may be a problem with your command line client. From my
command line I get a long list of results returned for the query:
$ whois -rG -i mnt-by MNT-ANONYMOUS

I also see the same results from our web query page:
http://apps.db.ripe.net/search/query.html?searchtext=MNT-ANONYMOUS&flags=r&sources=RIPE_NCC&grssources=&inverse=MNT_BY&types=#resultsAnchor

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 04/03/2013 18:02, Suresh Ramasubramanian wrote:
> inetnum: 37.114.49.0 - 37.114.49.255
> netname: DE-NETWORK-ABUSE-3706
> descr: Network-Abuse.info
> country: DE
> admin-c: HA2568-RIPE
> tech-c: HA2568-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-INTERCOLO
> mnt-by: MNT-WEESLY
> source: RIPE # Filtered
>
> % Information related to 'HA2568-RIPE'
>
> person: Holger Anonymous
> address: Please contact us by E-Mail
> phone: +49.180.4100100
> abuse-mailbox: abuse at network-abuse.info
> remarks: *******************************************
> remarks: * SPAM / ABUSE / SECURITY / OTHERS *
> remarks: *******************************************
> remarks: * For spam/abuse/security issues please *
> remarks: * contact : abuse at network-abuse.info
> *
> remarks: *******************************************
> remarks: * For other information or issues please *
> remarks: * sent to abuse at network-abuse.info
> *
> remarks: *******************************************
> nic-hdl: HA2568-RIPE
> mnt-by: MNT-ANONYMOUS
> source: RIPE # Filtered
>
> and network-abuse.info is domain clocked on
> godaddy -
>
> Domain Name:NETWORK-ABUSE.INFO
> Created On:19-Sep-2011 12:28:46 UTC
> Last Updated On:21-Jun-2012 09:56:51 UTC
> Expiration Date:19-Sep-2013 12:28:46 UTC
>
> Now for what I wanted to ask. A RIPE query from the command line doesn't
> show anything.
>
> suresh at oc2751464200 22:27:52 <~> $ whois -h whois.ripe.net
> -i mnt-by MNT-ANONYMOUS
> [Querying whois.ripe.net ]
> [whois.ripe.net ]
>
> %ERROR:101: no entries found
> %
> % No entries found in source RIPE.
>
> But he has at least two other interesting (to a postmaster for a large
> email service, hint, hint) netblocks this guy has -
>
> 37.114.43.0/24
> 37.114.45.0/24
>
> Doing a RIPE full text search does get me these and other netblocks
>
> inetnum: 89.144.17.0 - 89.144.18.255
> mnt-by=MNT-WEESLY ISP4P-MNT MNT-ANONYMOUS
>
> inetnum: 185.10.68.0 - 185.10.69.255
> mnt-by=MNT-ANONYMOUS
>
> inetnum: 185.10.70.0 - 185.10.70.255
> mnt-by=MNT-ANONYMOUS
>
> inetnum: 185.10.71.128 - 185.10.71.159
> mnt-by=MNT-ANONYMOUS
>
> inetnum: 185.10.71.160 - 185.10.71.167
> mnt-by=MNT-ANONYMOUS
>
> inetnum: 185.10.71.192 - 185.10.71.255
> mnt-by=MNT-ANONYMOUS
>
> mntner: MNT-ANONYMOUS
> mnt-by=MNT-ANONYMOUS, referral-by=MNT-ANONYMOUS, mntner=MNT-ANONYMOUS
>
> route: 185.10.68.0/22AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.43.0/24AS5577
> mnt-by=MNT-ANONYMOUS ROOT-MNT
>
> route: 37.114.45.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.46.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.47.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.48.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.49.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> route: 37.114.51.0/24AS198599
> mnt-by=MNT-ANONYMOUS
>
> --
> Suresh Ramasubramanian (ops.lists at gmail.com )

From leo.vegoda at icann.org Mon Mar 4 18:23:32 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Mon, 4 Mar 2013 09:23:32 -0800
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: <5134D77E.9070202@ripe.net>
References: <5134D77E.9070202@ripe.net>
Message-ID: <9E1C1F38-DAA3-466D-AEE3-0AFEF5F1B3C4@icann.org>

Hi all,

On Mar 4, 2013, at 9:19 AM, "Denis Walker" wrote:

> Dear Suresh
>
> I think this may be a problem with your command line client. From my
> command line I get a long list of results returned for the query:
> $ whois -rG -i mnt-by MNT-ANONYMOUS

I don't know if it counts as a top tip but I telnet to whois.ripe.net
on port 43 and enter the search query that way instead of trying to get
a client to do what I want.

HTH,

Leo

From ops.lists at gmail.com Mon Mar 4 23:19:35 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 5 Mar 2013 03:49:35 +0530
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: <9E1C1F38-DAA3-466D-AEE3-0AFEF5F1B3C4@icann.org>
References: <5134D77E.9070202@ripe.net> <9E1C1F38-DAA3-466D-AEE3-0AFEF5F1B3C4@icann.org>
Message-ID:

I tried the two. My whois client is rather elderly but is pretty bog
standard, being the one bundled with a stable Linux distro

On Monday, March 4, 2013, Leo Vegoda wrote:

> Hi all,
>
> On Mar 4, 2013, at 9:19 AM, "Denis Walker"
> wrote:
>
> > Dear Suresh
> >
> > I think this may be a problem with your command line client. From my
> > command line I get a long list of results returned for the query:
> > $ whois -rG -i mnt-by MNT-ANONYMOUS
>
> I don't know if it counts as a top tip but I telnet to whois.ripe.net on
> port 43 and enter the search query that way instead of trying to get a
> client to do what I want.
>
> HTH,
>
> Leo

--
--srs (iPad)
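The port-43 approach Leo describes above, written out as an added example that is not code from any list member: the query goes to the server as one line, so the flags arrive exactly as typed, and the reply is split into objects so resources can be told apart from contact objects by their `mnt-by`. The sample responses, `EXAMPLE-MNT`/`OTHER-MNT` and all function names are constructed for illustration; only the `%ERROR:101` text and the `-r -i mnt-by` flags are taken from the thread.

```python
"""Talk to a whois server on TCP port 43 directly and group results by maintainer."""
import re
import socket

RIPE_HOST = "whois.ripe.net"  # server named in the thread
WHOIS_PORT = 43


def build_query(flags, key):
    """Return the single CRLF-terminated line the whois server reads."""
    line = " ".join([*flags, key])
    if "\r" in line or "\n" in line:
        raise ValueError("a whois query is exactly one line")
    return line.encode("ascii") + b"\r\n"


def whois_raw(query, host=RIPE_HOST, port=WHOIS_PORT, timeout=10.0):
    """Send the query bytes and read until the server closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_response(text):
    """Split a reply into objects (lists of (attribute, value)) and %ERROR lines."""
    objects, errors, current = [], [], []
    for line in text.splitlines():
        if line.startswith("%"):  # server comment or error
            if line.startswith("%ERROR:"):
                errors.append(line[1:].strip())
            continue
        if not line.strip():  # a blank line ends the current object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:  # continuation of the previous value
            name, value = current[-1]
            current[-1] = (name, f"{value} {line[1:].strip()}".strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.append((name.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects, errors


def resources_maintained_by(objects, mntner):
    """Return (type, primary key) of every object that lists mntner in mnt-by."""
    wanted = mntner.upper()
    hits = []
    for obj in objects:
        obj_type, primary_key = obj[0]  # first attribute names the object
        maintainers = set()
        for name, value in obj:
            if name == "mnt-by":  # may repeat, or hold a comma-separated list
                maintainers.update(m.upper() for m in re.split(r"[,\s]+", value) if m)
        if wanted in maintainers:
            hits.append((obj_type, primary_key))
    return hits


# Constructed sample: the inetnum is held by another maintainer while its
# contact object is held by EXAMPLE-MNT, the situation the first post shows.
SAMPLE_OK = """\
% Constructed response, not registry data.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX1-RIPE
mnt-by:         OTHER-MNT
source:         RIPE # Filtered

person:         Example Person
remarks:        first line of a remark
+               continued on a second line
nic-hdl:        EX1-RIPE
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered

route:          198.51.100.0/24
origin:         AS64500
mnt-by:         EXAMPLE-MNT, ROOT-EXAMPLE-MNT
source:         RIPE # Filtered
"""

# The empty reply quoted in the thread.
SAMPLE_EMPTY = "%ERROR:101: no entries found\n%\n% No entries found in source RIPE.\n"

if __name__ == "__main__":
    # Live lookup (needs network access) with flags used in the thread.
    reply = whois_raw(build_query(["-r", "-i", "mnt-by"], "MNT-ANONYMOUS"))
    found, problems = parse_response(reply)
    for problem in problems:
        print("server said:", problem)
    for obj_type, key in resources_maintained_by(found, "MNT-ANONYMOUS"):
        print(obj_type, key)
```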
From rv at x37.NIC.DTAG.DE Tue Mar 5 11:13:26 2013
From: rv at x37.NIC.DTAG.DE (Ruediger Volk)
Date: Tue, 05 Mar 2013 11:13:26 +0100
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: Your message of "Tue, 05 Mar 2013 03:49:35 +0530."
Message-ID: <23834.1362478406@x37.NIC.DTAG.DE>

Hi Suresh,

> I tried the two. My whois client is rather elderly but is pretty
> bog standard, being the one bundled with a stable Linux distro

if you are using a whois client that is not clearly tuned to take care
of the specific RIPE DB options you are better off to enclose the
query with all its options in a single quoted command line parameter
such as

whois -h whois.ripe.net "-i mnt-by MNT-ANONYMOUS"

Ruediger

From denis at ripe.net Tue Mar 5 11:52:02 2013
From: denis at ripe.net (Denis Walker)
Date: Tue, 05 Mar 2013 11:52:02 +0100
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: <23834.1362478406@x37.NIC.DTAG.DE>
References: <23834.1362478406@x37.NIC.DTAG.DE>
Message-ID: <5135CE52.2000304@ripe.net>

Hi All

There are many different options and some work (or not) on different
systems. One that does seem to work, at least on both linux and OSX is
this:

$ whois -h whois.ripe.net -- "-B dw-ripe"

Hope this helps.

regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 05/03/2013 11:13, Ruediger Volk wrote:
> Hi Suresh,
> > I tried the two. My whois client is rather elderly but is pretty
> > bog standard, being the one bundled with a stable Linux distro
>
> if you are using a whois client that is not clearly tuned to take care
> of the specific RIPE DB options you are better off to enclose the
> query with all its options in a single quoted command line parameter
> such as
>
> whois -h whois.ripe.net "-i mnt-by MNT-ANONYMOUS"
>
>
> Ruediger
>

From brian.nisbet at heanet.ie Tue Mar 5 11:52:35 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 05 Mar 2013 10:52:35 +0000
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
Message-ID: <5135CE73.9030500@heanet.ie>

Colleagues,

This is the draft agenda for the RIPE 66 meeting. The WG session will
take place on Thursday 16th May at 14:00 BST. RIPE 66 will be taking
place in the Burlington Hotel, Dublin.

There is still possibly some room on the agenda for the session for
something small, so if you have any matters you'd like to discuss,
please let Tobias & I know.

A. Administrative Matters
* Welcome
* Scribe, Jabber, Stenography
* Microphone Etiquette
* Approve Minutes from RIPE 65
* Finalise agenda

B. Update
* B1. Recent List Discussion
* B2. CleanIT Project Close-Off
* B3. AA-WG Charter

C. Policies
* RIPE Policy 2011-06
* RIPE Policy Proposal 2013-01

D. Interactions
* D1. Working Groups
* D3. RIPE NCC Gov/LEA Interactions Update

E. Presentation
* E1. "Save money online without killing yourself" - Michele Neylon & ASOP
* E2. x-arf - Tobias Knecht

X. A.O.B.

Z. Agenda for RIPE 67

From ops.lists at gmail.com Tue Mar 5 12:06:19 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 5 Mar 2013 16:36:19 +0530
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: <23834.1362478406@x37.NIC.DTAG.DE>
References: <23834.1362478406@x37.NIC.DTAG.DE>
Message-ID:

On 05-Mar-2013 3:43 PM, "Ruediger Volk" wrote:

> whois -h whois.ripe.net "-i mnt-by MNT-ANONYMOUS"

Exact same syntax I used except for the double quotes

--srs (htc one x)

From niall.oreilly at ucd.ie Tue Mar 5 12:11:56 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Tue, 5 Mar 2013 11:11:56 +0000
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To:
References: <23834.1362478406@x37.NIC.DTAG.DE>
Message-ID: <60077EA1-6DCB-4600-92FD-3967A74F3815@ucd.ie>

On 5 Mar 2013, at 11:06, Suresh Ramasubramanian wrote:

> Exact same syntax I used except for the double quotes

I expect you need the '--' token shown in Denis's example.

/Niall

From kjz at gmx.net Tue Mar 5 12:59:57 2013
From: kjz at gmx.net (Karl-Josef Ziegler)
Date: Tue, 5 Mar 2013 12:59:57 +0100 (CET)
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
Message-ID:

An HTML attachment was scrubbed...

From rfg at tristatelogic.com Tue Mar 5 21:36:30 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 05 Mar 2013 12:36:30 -0800
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
In-Reply-To: <5135CE73.9030500@heanet.ie>
Message-ID: <19138.1362515790@server1.tristatelogic.com>

In message <5135CE73.9030500 at heanet.ie>,
Brian Nisbet wrote:

>This is the draft agenda for the RIPE 66 meeting...

No agenda item about defining (or refining the definition of) "abuse"?

I'd like to just reiterate my view that all other activities of this WG
will be utterly fruitless until such time as a reasonable, rational, and
generally accepted definition of "abuse" is in hand.

Regards,
rfg

P.S. I am still not sure if any other things that drew me to this mailing
list, or to this WG, or that I have reported here, over time, are or are
not considered abuse. (And by that I mean "formally" considered.)

From fw at deneb.enyo.de Wed Mar 6 07:55:26 2013
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 06 Mar 2013 07:55:26 +0100
Subject: [anti-abuse-wg] What am I missing in this mnt-by query for MNT-ANONYMOUS?
In-Reply-To: (Suresh Ramasubramanian's message of "Tue, 5 Mar 2013 16:36:19 +0530")
References: <23834.1362478406@x37.NIC.DTAG.DE>
Message-ID: <87wqtluie9.fsf@mid.deneb.enyo.de>

* Suresh Ramasubramanian:

> On 05-Mar-2013 3:43 PM, "Ruediger Volk" wrote:
>
>> whois -h whois.ripe.net "-i mnt-by MNT-ANONYMOUS"
>
> Exact same syntax I used except for the double quotes

The double quotes are important, and the query argument shouldn't
start with a dash, so use this:

whois -h whois.ripe.net " -i mnt-by MNT-ANONYMOUS"

From brian.nisbet at heanet.ie Wed Mar 6 11:48:26 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 06 Mar 2013 10:48:26 +0000
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
In-Reply-To: <19138.1362515790@server1.tristatelogic.com>
References: <19138.1362515790@server1.tristatelogic.com>
Message-ID: <51371EFA.3030502@heanet.ie>

Ronald,
Ronald F. Guilmette wrote the following on 05/03/2013 20:36:
> In message <5135CE73.9030500 at heanet.ie>,
> Brian Nisbet wrote:
>
>> This is the draft agenda for the RIPE 66 meeting...
>
> No agenda item about defining (or refining the definition of) "abuse"?

Nope.

> I'd like to just reiterate my view that all other activities of this WG
> will be utterly fruitless until such time as a reasonable, rational, and
> generally accepted definition of "abuse" is in hand.

I genuinely don't think it will be useful to spend time on this.
I think an attempt to get a consensual definition of abuse would take
the whole of the session in Dublin and every session thereafter and
after all that time, I still don't think we would have got anywhere.
If the rest of the WG disagrees with me, then we can raise it, but if
n = the number of people in the WG, I fear we would have n + 1
definitions.

> P.S. I am still not sure if any other things that drew me to this mailing
> list, or to this WG, or that I have reported here, over time, are or are
> not considered abuse. (And by that I mean "formally" considered.)

I certainly believe they are, everyone else seems largely to agree, so
we're good. See above regarding my opinions on formal definitions.

Brian

From jorgen at hovland.cx Wed Mar 6 12:15:04 2013
From: jorgen at hovland.cx (Jørgen Hovland)
Date: Wed, 06 Mar 2013 12:15:04 +0100
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
In-Reply-To: <51371EFA.3030502@heanet.ie>
References: <19138.1362515790@server1.tristatelogic.com> <51371EFA.3030502@heanet.ie>
Message-ID: <51372538.60604@hovland.cx>

On 03/06/13 11:48, Brian Nisbet wrote:
> Ronald,
> Ronald F. Guilmette wrote the following on 05/03/2013 20:36:
>> In message <5135CE73.9030500 at heanet.ie>,
>> Brian Nisbet wrote:
>>
>>> This is the draft agenda for the RIPE 66 meeting...
>>
>> No agenda item about defining (or refining the definition of) "abuse"?
>
> Nope.
>
>> I'd like to just reiterate my view that all other activities of this WG
>> will be utterly fruitless until such time as a reasonable, rational, and
>> generally accepted definition of "abuse" is in hand.
>
> I genuinely don't think it will be useful to spend time on this. I
> think an attempt to get a consensual definition of abuse would take
> the whole of the session in Dublin and every session thereafter and
> after all that time, I still don't think we would have got anywhere.
> If the rest of the WG disagrees with me, then we can raise it, but if
> n = the number of people in the WG, I fear we would have n + 1
> definitions.
>
I am pretty sure it will take until the end of the world to agree on a
definition. Perhaps even longer.

From rfg at tristatelogic.com Thu Mar 7 07:41:53 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 06 Mar 2013 22:41:53 -0800
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
In-Reply-To: <51371EFA.3030502@heanet.ie>
Message-ID: <55478.1362638513@server1.tristatelogic.com>

In message <51371EFA.3030502 at heanet.ie>,
Brian Nisbet wrote:

>> P.S. I am still not sure if any other things that drew me to this mailing
>> list, or to this WG, or that I have reported here, over time, are or are
>> not considered abuse. (And by that I mean "formally" considered.)
>
>I certainly believe they are, everyone else seems largely to agree

Then why hasn't anything been done?

I reported a set of blatantly, provably, outrageously fraudulent networks
here over six weeks ago now. As far as I can tell, they are all still
on the books (in the RIPE data base) and all still operating with total
and utter impunity... still announcing routes to innumerable IPv4 blocks
registered to innumerable utterly fraudulent and fictitious entities, all
of which were transparently and deliberately created, out of whole cloth,
by a single party or entity, entirely and only as a ruse to trick RIPE NCC
out of huge quantities of IPv4 addresses so that those could then be
sub-leased to several different snowshoe spammers. (None of this is
speculation. I have the evidence that clearly supports every charge I've
just made, and would have provided it to anyone who asked, but apparently
nobody, either here or elsewhere, gives or gave enough of a damn to even
ask to see any of it.)

RIPE NCC knows all about this stuff, and they haven't lifted a finger
in over six weeks to do squat about any of it.
And I daresay that it now seems abundantly likely that we will see
action out of the College of Cardinals in Rome long before we see any
out of RIPE NCC on this issue.

Personally, I think this indefensible and abject inaction makes a mockery
of you, me, this working group, the Internet as a whole, and every person
who, like me, has invested even a moment of their time, effort, or intellectual
abilities to try to ferret out and then report these kinds of outrageously
crooked operations to ``responsible authorities''... and I use the term
loosely. I mean what's the point? I could have more profitably invested
my time and energy in rearranging the contents of my sock drawer. (And I
doubt that this point will be lost on any others who might likewise be
tempted to work to make the Internet a better place for all. Why bother?
It won't be appreciated and more to the point, it won't have any effect.)

I see only two possibilities. Either what I reported is not actually and
formally considered to be ``abuse'', or else _rectifying_ ``abuse'', even
of the most blatant, fraudulent, wasteful, and destructive kind, is now
provably not on anybody's official TO-DO list. You claim that it is
not the former. If it is the latter, then all activities of this working
group, past, present, and future, may, in my opinion, rightfully be derided
as being nothing more than exercises in mental masturbation and bureaucratic
mumbo jumbo yielding absolutely nothing of value.

If the point of this WG is merely to _talk_ about network abuse, then I'm
confident that it will go down in the history books as having been a great
success.

>so we're good.

Speak for yourself please.

To quote the Lone Ranger's trusty (American-)Indian sidekick Tonto ``What
do you mean WE kimo sabe?''

From rfg at tristatelogic.com Thu Mar 7 07:51:08 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 06 Mar 2013 22:51:08 -0800
Subject: [anti-abuse-wg] Draft Anti-Abuse WG Agenda - RIPE 66
In-Reply-To: <51372538.60604@hovland.cx>
Message-ID: <55540.1362639068@server1.tristatelogic.com>

In message <51372538.60604 at hovland.cx>,
Jørgen Hovland wrote:

> On 03/06/13 11:48, Brian Nisbet wrote:
>> Ronald,
>> Ronald F. Guilmette wrote the following on 05/03/2013 20:36:
>>> I'd like to just reiterate my view that all other activities of this WG
>>> will be utterly fruitless until such time as a reasonable, rational, and
>>> generally accepted definition of "abuse" is in hand.
>>
>> I genuinely don't think it will be useful to spend time on this. I
>> think an attempt to get a consensual definition of abuse would take
>> the whole of the session in Dublin and every session thereafter and
>> after all that time, I still don't think we would have got anywhere.
>> If the rest of the WG disagrees with me, then we can raise it, but if
>> n = the number of people in the WG, I fear we would have n + 1
>> definitions.
>
>I am pretty sure it will take until the end of the world to agree on a
>definition. Perhaps even longer.

"And when the broken hearted people, living in the world agree,
there will be an answer, let it be."
-- Paul McCartney

From denatrisconsult at hotmail.nl Thu Mar 7 12:56:17 2013
From: denatrisconsult at hotmail.nl (Wout de Natris)
Date: Thu, 7 Mar 2013 12:56:17 +0100
Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 19, Issue 5
In-Reply-To:
References:
Message-ID:

Ronald,

Have you considered working with the Dutch National Cyber Security
Center? The people there may be very much interested in your data.
Best wishes,

Wout

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
De Natris Consult
Raaphorst 33                  Tel: +31 648388813
2352 KJ Leiderdorp            Skype: wout.de.natris
denatrisconsult at hotmail.nl
http://www.denatrisconsult.nl
Blog http://woutdenatris.wordpress.com

From ops.lists at gmail.com Thu Mar 7 13:55:18 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Thu, 7 Mar 2013 18:25:18 +0530
Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 19, Issue 5
In-Reply-To:
References:
Message-ID:

That is probably going to be the only way RIPE NCC acts on these. And
possibly inevitable sooner or later.

However, internet governance wise, it is a can of worms I would much
rather wish not get opened.

On Thursday, March 7, 2013, Wout de Natris wrote:

> Ronald,
>
> Have you considered working with the Dutch National Cyber Security Center?
> The people there may be very much interested in your data.
>
> Best wishes,
>

--
--srs (iPad)

From rezaf at mindspring.com Fri Mar 8 14:04:34 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Fri, 8 Mar 2013 08:04:34 -0500
Subject: [anti-abuse-wg] How do you report Abuse/Spam to Cable and Wireless?
Message-ID: <054A2D6501174C94AAD46668ED22FE1F@admin36565265a>

Hello All,

The other day, I tried to report a Spam that had originated from IP
address 195.59.76.89 which belongs to Cable & Wireless. I sent my report
to their abuse-mailbox: abuse at cw.com that is listed on their Whois
listing.
Instead of a proper response, I received the following error message:

-------------------
abuse at cw.com
SMTP error from remote mail server after end of data:
host service97.mimecast.com [91.220.42.49]: 554 Email rejected due to security policies - MCSpamSignature.sa.39.3 - http://www.mimecast.com/knowledgebase/KBID10473.htm#554
-------------------

And when I tried to report this error message [not the Spam report] to
their network, I received a similar error message from CW:

-----------
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

ipadmin at cw.net
SMTP error from remote mail server after end of data:
host service98.mimecast.com [195.130.217.59]: 554 Email rejected due to security policies - MCSpamSignature.sa.39.1 - http://www.mimecast.com/knowledgebase/KBID10473.htm#554

postmaster at cw.com
SMTP error from remote mail server after end of data:
host service98.mimecast.com [195.130.217.59]: 554 Email rejected due to security policies - MCSpamSignature.sa.39.1 - http://www.mimecast.com/knowledgebase/KBID10473.htm#554

ncipsupport at cw.com
SMTP error from remote mail server after end of data:
host service98.mimecast.com [195.130.217.59]: 554 Email rejected due to security policies - MCSpamSignature.sa.39.1 - http://www.mimecast.com/knowledgebase/KBID10473.htm#554
---------

Therefore, I like to know why Cable & Wireless does not allow incoming
abuse reports come to their Abuse e-mail listed on their Whois contact.

I hope to receive more information from members of this group, and
possibly from Cable & Wireless as well.

Thank you,

Reza Farzan
rezaf at mindspring.com

From tk at abusix.com Mon Mar 11 18:38:29 2013
From: tk at abusix.com (Tobias Knecht)
Date: Mon, 11 Mar 2013 18:38:29 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
Message-ID: <513E1695.7010204@abusix.com>

Hello everybody,

there was some discussion about abuse reporting in general on the list.

To make it easier, we have to differentiate 2 ways of reporting.

1.) Reporting to RIPE members about abuse originating their network.
2.) Reporting of issues to RIPE NCC directly.

Brian and I have seen the demand for action in this area. We know that
RIPE NCC already has some plans in both areas and we are planning a
meeting with RIPE NCC folks in Dublin to discuss further steps.

Since the 2011-06 abuse-c will be implemented soon we will see some
improvements for 1.) But what happens if data is incorrect or
addresses do not work properly? This part of the data accuracy and is
already on our agenda as well.

There is a possibility that we can give some more feedback and
insights into these issues at the AA-WG Session in Dublin already.

Thanks,

Tobias

From wiegert at telus.net Mon Mar 11 19:30:23 2013
From: wiegert at telus.net (Arnold)
Date: Mon, 11 Mar 2013 10:30:23 -0800
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513E1695.7010204@abusix.com>
References: <513E1695.7010204@abusix.com>
Message-ID: <513E22BF.2080400@telus.net>

On 11/03/2013 9:38 AM, Tobias Knecht wrote:
> Hello everybody,
>
> there was some discussion about abuse reporting in general on the list.
>
> To make it easier, we have to differentiate 2 ways of reporting.
>
> 1.) Reporting to RIPE members about abuse originating their network.
> 2.) Reporting of issues to RIPE NCC directly.
>
> Brian and I have seen the demand for action in this area. We know that
> RIPE NCC already has some plans in both areas and we are planning a
> meeting with RIPE NCC folks in Dublin to discuss further steps.
>
> Since the 2011-06 abuse-c will be implemented soon we will see some
> improvements for 1.) But what happens if data is incorrect or
> addresses do not work properly? This part of the data accuracy and is
> already on our agenda as well.
>
> There is a possibility that we can give some more feedback and
> insights into these issues at the AA-WG Session in Dublin already.

Since I have been reporting SPAM for some time, missing, out-of-date or
inaccurate contact information has always been a problem.

A number of contact addresses are listed as some public general mail
server such as gmail, hotmail etc.
All of those are pretty much useless.
Since RIPE registers the actual user, it should insist on a usable
contact address at the registering organization.

In addition, if this issue is taken seriously, then RIPE ought to provide
a means of reporting 'abuse' by the registering organization of this
feature.

Arnold

--
Fight Spam - report it with wxSR 0.5
Vista & Win7 ready
http://www.columbinehoney.net/wxSR.shtml

From tk at abusix.com Tue Mar 12 00:50:42 2013
From: tk at abusix.com (Tobias Knecht)
Date: Tue, 12 Mar 2013 00:50:42 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513E22BF.2080400@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net>
Message-ID: <513E6DD2.80409@abusix.com>

Hi Arnold,

> Since I have been reporting SPAM for some time, missing, out-of-date
> or inaccurate contact information has always been a problem.

Absolutely agree. That is one part of the data accuracy part we want
to face now.

> A number of contact addresses are listed as some public general mail
> server such as gmail, hotmail etc. All of those are pretty much
> useless. Since RIPE registers the actual user, it should insist on a
> usable contact address at the registering organization.

Same here. Topic on the agenda as well.

> In addition, if this issue is taken seriously, then RIPE ought to
> provide a means of reporting 'abuse' by the registering organization
> of this feature.

There are several things that can be done easily to increase data
accuracy and others that are more complex. I think abuse-c will
already increase data accuracy significantly, but yes, we need to
figure out ways to increase and keep up data quality.

Let's go step by step and make things happen. All this is definitively
on our agenda in the near future.

Thanks for your feedback.

Tobias

From wiegert at telus.net Tue Mar 12 03:03:20 2013
From: wiegert at telus.net (Arnold)
Date: Mon, 11 Mar 2013 18:03:20 -0800
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513E6DD2.80409@abusix.com>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com>
Message-ID: <513E8CE8.6090204@telus.net>

On 11/03/2013 3:50 PM, Tobias Knecht wrote:
> Hi Arnold,
>
>> Since I have been reporting SPAM for some time, missing, out-of-date
>> or inaccurate contact information has always been a problem.
>
> Absolutely agree. That is one part of the data accuracy part we want
> to face now.

Thank you for your comments, Tobias,

I have just now run into a database entry where the users seem to be
confused as to what to enter into the fields and we end up with circular
definition as in this case
http://apps.db.ripe.net/whois/lookup/ripe/person/MM29699-RIPE.html
I was looking for MM29699-RIPE
its entry pointed to NIC-Handle

nic-hdl:MM29699-RIPE
where it is defined as: MM29699-RIPE
which brought me full circle :-)

This sort of thing happens on a regular basis

Arnold

--
Fight Spam - report it with wxSR 0.5
Vista & Win7 ready
http://www.columbinehoney.net/wxSR.shtml

From leo.vegoda at icann.org Tue Mar 12 03:25:15 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Mon, 11 Mar 2013 19:25:15 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513E22BF.2080400@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net>
Message-ID:

Hi,

On Mar 11, 2013, at 11:30 am, Arnold wrote:

[...]

> Since I have been reporting SPAM for some time, missing, out-of-date or
> inaccurate contact information has always been a problem.

It always will be. There were 43,809 maintainers in the database on 11 March
according to ftp://ftp.ripe.net/ripe/dbase/split/ripe.db.mntner.gz. It
doesn't take a particularly large churn in the staff or organisational
structures at network operators for an appreciable fraction of the social
data to become unreliable each year.

> A number of contact addresses are listed as some public general mail
> server such as gmail, hotmail etc.
> All of those are pretty much useless.
> Since RIPE registers the actual user, it should insist on a usable
> contact address at the registering organization.

I think you are equating the requirement to list an address with a
commitment to actually handle abuse reports. While there's nothing wrong
with improving contact information publication tools, it's the will to
handle the reports that's really important. If people want to receive
reports and use the information to improve their network operations they
will make sure they are easy to contact. The reason people do not publish
useful contact information is because they have no interest in handling the
reports and not because of a deficiency in the tools provided by the RIPE
NCC or any other RIR.

Regards,

Leo

From rezaf at mindspring.com Tue Mar 12 04:16:07 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Mon, 11 Mar 2013 23:16:07 -0400
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To:
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net>
Message-ID:

Hello Leo,

You are right in stating that many networks "have no interest in handling
the abuse reports."

A good example is DetectNetwork.US that manages Net Range:
173.245.64.0 - 173.245.64.255. They have listed "abuse at detectnetworks.us"
as their abuse contact, but this address is invalid and any report sent to
this address comes back with an error message.

Apparently, www.egihosting.com is the parent company of DetectNetwork.US,
and they might be aware of this problem, but the above incorrect address
remains on the Whois listing.

Thank you,

Reza Farzan

***********

-----Original Message-----
From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net]
On Behalf Of Leo Vegoda
Sent: Monday, March 11, 2013 10:25 PM
To: Arnold
Cc: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Abuse Reporting Issues

Hi,

On Mar 11, 2013, at 11:30 am, Arnold wrote:

[...]

> Since I have been reporting SPAM for some time, missing, out-of-date or
> inaccurate contact information has always been a problem.

It always will be. There were 43,809 maintainers in the database on 11 March
according to ftp://ftp.ripe.net/ripe/dbase/split/ripe.db.mntner.gz. It
doesn't take a particularly large churn in the staff or organisational
structures at network operators for an appreciable fraction of the social
data to become unreliable each year.

> A number of contact addresses are listed as some public general mail
> server such as gmail, hotmail etc.
> All of those are pretty much useless.
> Since RIPE registers the actual user, it should insist on a usable
> contact address at the registering organization.

I think you are equating the requirement to list an address with a
commitment to actually handle abuse reports. While there's nothing wrong
with improving contact information publication tools, it's the will to
handle the reports that's really important. If people want to receive
reports and use the information to improve their network operations they
will make sure they are easy to contact. The reason people do not publish
useful contact information is because they have no interest in handling the
reports and not because of a deficiency in the tools provided by the RIPE
NCC or any other RIR.

Regards,

Leo

From ops.lists at gmail.com Tue Mar 12 04:22:23 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 12 Mar 2013 08:52:23 +0530
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To:
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net>
Message-ID:

Examples of shady networks aside (and there seem to be rather more in the
RIPE region than the average RIR has .. but that's another can of worms),
this is not a tools deficiency in RIPE NCC, I fully agree with Leo there.

These tools are great. I only wish I could say as much for the processes
behind all this.

--srs

On Tuesday, March 12, 2013, Reza Farzan wrote:

> Hello Leo,
>
> You are right in stating that many networks "have no interest in handling
> the abuse reports."
>
> A good example is DetectNetwork.US that manages Net Range:
> 173.245.64.0 - 173.245.64.255. They have listed "abuse at detectnetworks.us"
> as
> their abuse contact, but this address is invalid and any report sent to
> this
> address comes back with an error message.
>
> Apparently, www.egihosting.com is the parent company of DetectNetwork.US,
> and they might be aware of this problem, but the above incorrect address
> remains on the Whois listing.
>
> Thank you,
>
> Reza Farzan
>
>
> ***********
>
> -----Original Message-----
> From: anti-abuse-wg-bounces at ripe.net [mailto:
> anti-abuse-wg-bounces at ripe.net ]
> On Behalf Of Leo Vegoda
> Sent: Monday, March 11, 2013 10:25 PM
> To: Arnold
> Cc: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>
> Hi,
>
> On Mar 11, 2013, at 11:30 am, Arnold
> wrote:
>
> [...]
>
> > Since I have been reporting SPAM for some time, missing, out-of-date or
> > inaccurate contact information has always been a problem.
>
> It always will be. There were 43,809 maintainers in the database on 11
> March
> according to ftp://ftp.ripe.net/ripe/dbase/split/ripe.db.mntner.gz. It
> doesn't take a particularly large churn in the staff or organisational
> structures at network operators for an appreciable fraction of the social
> data to become unreliable each year.
>
> > A number of contact addresses are listed as some public general mail
> > server such as gmail, hotmail etc.
> > All of those are pretty much useless.
> > Since RIPE registers the actual user, it should insist on a usable
> > contact address at the registering organization.
>
> I think you are equating the requirement to list an address with a
> commitment to actually handle abuse reports. While there's nothing wrong
> with improving contact information publication tools, it's the will to
> handle the reports that's really important. If people want to receive
> reports and use the information to improve their network operations they
> will make sure they are easy to contact. The reason people do not publish
> useful contact information is because they have no interest in handling the
> reports and not because of a deficiency in the tools provided by the RIPE
> NCC or any other RIR.
>
> Regards,
>
> Leo
>

--
--srs (iPad)

From denis at ripe.net Tue Mar 12 11:35:36 2013
From: denis at ripe.net (Denis Walker)
Date: Tue, 12 Mar 2013 11:35:36 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513E8CE8.6090204@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net>
Message-ID: <513F04F8.5040002@ripe.net>

Dear Arnold

I am afraid I am a little confused as to what you were trying to find
in the database.

You looked up a PERSON object by the Nic Hdl. The Nic Hdl is the
primary key of a PERSON object in the database. So you found what you
were looking for, the person.

Now I see that this Nic Hdl is referenced in an INETNUM object. If you
were looking for the abuse contact for that resource, it is possible
to find one by doing many queries manually yourself, but it is not the
recommended way. This PERSON object, has a MNTNER, which has an
admin-c, which references another PERSON that has an abuse-mailbox.

If you used the Abuse Finder tool to look up the resource, it would
return you the same abuse-mailbox without the need for you to do all
the individual queries.
http://apps.db.ripe.net/search/abuse-finder.html

I noticed that this resource is an allocation object. Within the next
6 months this resource WILL have an abuse-c reference. So it will be
even easier to find the abuse contact details without needing to
lookup any personal data.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

On 12/03/2013 03:03, Arnold wrote:
> On 11/03/2013 3:50 PM, Tobias Knecht wrote:
>> Hi Arnold,
>>
>>> Since I have been reporting SPAM for some time, missing, out-of-date
>>> or inaccurate contact information has always been a problem.
>>
>> Absolutely agree. That is one part of the data accuracy part we want
>> to face now.
> Thank you for your comments, Tobias,
>
> I have just now run into a database entry where the users seem to be
> confused
> as to what to enter into the fields and we end up with circular
> definition as in this case
> http://apps.db.ripe.net/whois/lookup/ripe/person/MM29699-RIPE.html
> I was looking for MM29699-RIPE
> its entry pointed to NIC-Handle
>
> nic-hdl:MM29699-RIPE
> where it is defined as: MM29699-RIPE
> which brought me full circle :-)
>
> This sort of thing happens on a regular basis
>
> Arnold
>
>
> --
> Fight Spam - report it with wxSR 0.5
> Vista & Win7 ready
> http://www.columbinehoney.net/wxSR.shtml
>

From wiegert at telus.net Wed Mar 13 00:31:39 2013
From: wiegert at telus.net (Arnold)
Date: Tue, 12 Mar 2013 15:31:39 -0800
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513F04F8.5040002@ripe.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>
Message-ID: <513FBADB.2040101@telus.net>

On 12/03/2013 2:35 AM, Denis Walker wrote:
> Dear Arnold
>
> I am afraid I am a little confused as to what you were trying to find
> in the database.

Hello Denis,
What I am typically looking for is an e-mail address to which I can send
a SPAM report.
First I look up the originating IP address in the source code of the
SPAM message,
plug it into a WhoIs look up via the IANA ipv4-address-space.xml files.
Often enough this gives me the abuse handler address.
For RIPE, when no abuse address is given, I try to find one using
the admin-c: ?????-RIPE and plugging it into
http://apps.db.ripe.net/search/query.html
to find the NIC handle, which sometimes has an e-mail address, sometimes it
has a circular reference to itself and other times it may have a gmail
or hotmail address which often enough bounce because the mail box is full.

>
> You looked up a PERSON object by the Nic Hdl. The Nic Hdl is the
> primary key of a PERSON object in the database. So you found what you
> were looking for, the person.
>
> Now I see that this Nic Hdl is referenced in an INETNUM object. If you
> were looking for the abuse contact for that resource, it is possible
> to find one by doing many queries manually yourself, but it is not the
> recommended way. This PERSON object, has a MNTNER, which has an
> admin-c, which references another PERSON that has an abuse-mailbox.
>
> If you used the Abuse Finder tool to look up the resource, it would
> return you the same abuse-mailbox without the need for you to do all
> the individual queries.
> http://apps.db.ripe.net/search/abuse-finder.html

I have tried to use the abuse finder tool a few times, but have never
really had enough luck with it to keep using it.
Just now I tried both with
217.75.223.120 -
abuse-finder.html gave me nothing at all,
The query tool gave me - in this case a whole slew of
contacts as admin-c, tech-c & NIC-hdl.
At least one of these got me a usable e-mail address to which I will
send my report.

>
> I noticed that this resource is an allocation object. Within the next
> 6 months this resource WILL have an abuse-c reference. So it will be
> even easier to find the abuse contact details without needing to
> lookup any personal data.

When I first learned of the abuse finder, I tried it - with much the
same success as this time.
Perhaps I am feeding it the wrong questions and data.
In that case I need more information about what sort of things I can
feed it - but it would have to be things I can glean from the SPAM e-mail.
Clicking on the '?' for the Resource field in the abuse finder did not
give me enough to make it work as I would expect it to work - i.e. give
me a useful contact e-mail address.

Hoping that helps explain how I look for data.

Please let me know if there are better or quicker ways to come by the
needed data.

That being said, I do find that these days I do run into a lot more
WhoIS records with usable e-mail addresses compared to even a year ago.

Regards,
Arnold

--
Fight Spam - report it with wxSR 0.5
Vista & Win7 ready
http://www.columbinehoney.net/wxSR.shtml

From leo.vegoda at icann.org Wed Mar 13 02:03:36 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Tue, 12 Mar 2013 18:03:36 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513FBADB.2040101@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>,<513FBADB.2040101@telus.net>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org>

Hi,

Arnold wrote:

[...]

> First I look up the originating IP address in the source code of the
> SPAM message,
> plug it into a WhoIs look up via the IANA ipv4-address-space.xml files.

Why would you do this instead of using the whois service at whois.iana.org
or http://www.iana.org/whois? The whois service will always return the most
specific answer in an IANA registry.

Regards,

Leo

From wiegert at telus.net Thu Mar 14 10:20:35 2013
From: wiegert at telus.net (Arnold)
Date: Thu, 14 Mar 2013 02:20:35 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>, <513FBADB.2040101@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org>
Message-ID: <51419663.70801@telus.net>

On 3/12/2013 6:03 PM, Leo Vegoda wrote:
> Hi,
>
> Arnold wrote:
>
> [...]
>
>> First I look up the originating IP address in the source code of the
>> SPAM message,
>> plug it into a WhoIs look up via the IANA ipv4-address-space.xml files.
> Why would you do this instead of using the whois service at whois.iana.org or http://www.iana.org/whois? The whois service will always return the most specific answer in an IANA registry.
>
> Regards,
>
> Leo

Because that way it is all contained within my SPAM reporter program.
Assuming that IANA updated their DB files at reasonable intervals - my
program checks to see if it has the latest file and if not it downloads
the latest one - so it should end up being much easier - no cut-n-paste.

Only if I can't find it within the latest IANA data do I consult other
sources and in several years worth of using this, most of the time IANA
does the job for me.

Arnold

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From denis at ripe.net Thu Mar 14 11:28:47 2013
From: denis at ripe.net (Denis Walker)
Date: Thu, 14 Mar 2013 11:28:47 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <513FBADB.2040101@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net>
Message-ID: <5141A65F.8080402@ripe.net>

Dear Arnold

On 13/03/2013 00:31, Arnold wrote:
> On 12/03/2013 2:35 AM, Denis Walker wrote:
>> Dear Arnold
>>
>> I am afraid I am a little confused as to what you were trying to find
>> in the database.
> Hello Denis,
> What I am typically looking for is an e-mail address to which I can send
> a SPAM
> report.
> First I look up the originating IP address in the source code of the
> SPAM message,
> plug it into a WhoIs look up via the IANA ipv4-address-space.xml files.
> Often enough this gives me the abuse handler address.
> For RIPE, when no abuse address is given, I try to find one using
> the admin-c: ?????-RIPE and plugging it into
> http://apps.db.ripe.net/search/query.html
> to find the NIC handle, which sometimes has an e-mail address,
> sometimes it
> has a circular reference to itself and other times it may have a gmail
> or hotmail
> address which often enough bounce because the mail box is full.

The RIPE Database contains many email addresses. These addresses are
there for different reasons. Many attributes may point you to an email
address, for example:
admin-c:
tech-c:
zone-c:
ping-hdl:
notify:
ref-nfy:
mnt-ref:
changed:

and abuse-mailbox:

Only this last one is specifically intended for abuse complaints. The
problem we had in the past is that this attribute was always optional
and if used could be put in many different places. With the new
abuse-c:, to be deployed very soon, it will be mandatory and fixed in
one place. Within the next 6 months all PA address space allocated by
the RIPE NCC and all the more specific assignments WILL be covered by
this mandatory abuse-mailbox: using the abuse-c: reference.

>>
>> You looked up a PERSON object by the Nic Hdl. The Nic Hdl is the
>> primary key of a PERSON object in the database. So you found what you
>> were looking for, the person.
>>
>> Now I see that this Nic Hdl is referenced in an INETNUM object. If you
>> were looking for the abuse contact for that resource, it is possible
>> to find one by doing many queries manually yourself, but it is not the
>> recommended way. This PERSON object, has a MNTNER, which has an
>> admin-c, which references another PERSON that has an abuse-mailbox.
>>
>> If you used the Abuse Finder tool to look up the resource, it would
>> return you the same abuse-mailbox without the need for you to do all
>> the individual queries.
>> http://apps.db.ripe.net/search/abuse-finder.html
> I have tried to use the abuse finder tool a few times, but have never
> really had enough luck with it
> to keep using it.
> Just now I tried both with
> 217.75.223.120 -
> abuse-finder.html gave me nothing at all,
> The query tool gave me - in this case a whole slew of
> contacts as admin-c, tech-c & NIC-hdl.
> At least one of these got me a usable e-mail address to which I will
> send my report.

I think in this context 'usable' may have different interpretations.
One of the functions of the RIPE Database is for engineers to be able
to contact each other to resolve network and routing problems. Sending
an abuse report to a network engineer because he has a 'usable' email
address in the database may not achieve the result you were expecting.

The Abuse Finder tool returns the email addresses that have been
provided for receiving abuse reports. If no such address has been
provided the tool will return nothing, even if there are other email
addresses in the database that are intended for other purposes.

Over the next few months, as the abuse-c: data is entered into the
database, the Abuse Finder tool will return more positive results.
This will be the quickest and most reliable way to find abuse contacts
for any resource.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

>>
>> I noticed that this resource is an allocation object. Within the next
>> 6 months this resource WILL have an abuse-c reference. So it will be
>> even easier to find the abuse contact details without needing to
>> lookup any personal data.
> When I first learned of the abuse finder, I tried it - with much the
> same success as this time.
> Perhaps I am feeding it the wrong questions and data.
> In that case I need more information about what sort of things I can
> feed it - but it would have to be things I can glean from the SPAM e-mail.
> Clicking on the '?' for the Resource field in the abuse finder did not
> give me enough to make it work as I would expect it to work - i.e. give
> me a useful contact e-mail address.
>
> Hoping that helps explain how I look for data.
>
> Please let me know if there are better or quicker ways to come by the
> needed data.
>
> That being said, I do find that these days I do run into a lot more
> WhoIS records with
> usable e-mail addresses compared to even a year ago.
>
> Regards,
> Arnold
>

From wiegert at telus.net Fri Mar 15 09:29:17 2013
From: wiegert at telus.net (Arnold)
Date: Fri, 15 Mar 2013 01:29:17 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <5141A65F.8080402@ripe.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net>
Message-ID: <5142DBDD.2040007@telus.net>

On 3/14/2013 3:28 AM, Denis Walker wrote:
>
> The RIPE Database contains many email addresses. These addresses are
> there for different reasons. Many attributes may point you to an email
> address, for example:
> admin-c:
> tech-c:
> zone-c:
> ping-hdl:
> notify:
> ref-nfy:
> mnt-ref:
> changed:
>
> and abuse-mailbox:
>
> Only this last one is specifically intended for abuse complaints. The
> problem we had in the past is that this attribute was always optional
> and if used could be put in many different places.

I applaud the motion to make the attribute mandatory; whether it will
have much effect in reality I'll wait and see.
I realize there are many addresses in the RIPE database and if at all
possible - for records without an abuse e-mail address - I tend to address
my report to the admin-c, as I see those people as the most likely to have
any influence on getting the 'problem' fixed.

> I think in this context 'usable' may have different interpretations.
> One of the functions of the RIPE Database is for engineers to be able
> to contact each other to resolve network and routing problems. Sending
> an abuse report to a network engineer because he has a 'usable' email
> address in the database may not achieve the result you were expecting.
>

No disagreement on this from me.
I merely pointed out that for _my_ purposes, the Abuse Finder is less
useful than the IANA files or the RIPE query page.

> The Abuse Finder tool returns the email addresses that have been
> provided for receiving abuse reports. If no such address has been
> provided the tool will return nothing, even if there are other email
> addresses in the database that are intended for other purposes.

Understood and accepted, but I have to and have had to work with what
there was available.
If the available resources change, with time my approach will change as
well.

>
> Over the next few months, as the abuse-c: data is entered into the
> database, the Abuse Finder tool will return more positive results.
> This will be the quickest and most reliable way to find abuse contacts
> for any resource.

Hope your expectations will become reality.

Regards
Arnold

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From leo.vegoda at icann.org Thu Mar 14 20:45:55 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Thu, 14 Mar 2013 12:45:55 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <51419663.70801@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>, <513FBADB.2040101@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org> <51419663.70801@telus.net>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B15EFE7B1A04@EXVPMBX100-1.exc.icann.org>

Hi Arnold,

Arnold wrote:

[...]

> Assuming that IANA updated their DB files at reasonable intervals - my
> program
> checks to see if it has the latest file and if not it downloads the
> latest one -
> so it should end up being much easier - no cut-n-paste.

New registry files are published within seconds of the registry being
updated.

Kind regards,

Leo
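The reference chain Denis Walker describes in this thread (a PERSON object, its MNTNER, that maintainer's admin-c, and finally a PERSON carrying abuse-mailbox), walked in code. This is an added Python example, not part of any message on the list and not the RIPE NCC Abuse Finder's code; the objects are constructed sample data on documentation address ranges, and the set of reference attributes followed is an assumption based on the attribute names mentioned in the thread.

```python
from collections import deque

# Attributes treated as references to other objects (assumption for this example).
REFERENCE_ATTRS = ("abuse-c", "admin-c", "tech-c", "zone-c", "mnt-by")

# Constructed sample objects, not real registry data.
SAMPLE_DB = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        AA1-EXAMPLE
tech-c:         AA1-EXAMPLE
mnt-by:         UPSTREAM-MNT

person:         Alice Admin
e-mail:         alice@example.net
nic-hdl:        AA1-EXAMPLE
mnt-by:         EXAMPLE-MNT

mntner:         EXAMPLE-MNT
admin-c:        BB2-EXAMPLE
mnt-by:         EXAMPLE-MNT

person:         Bob Boss
nic-hdl:        BB2-EXAMPLE
abuse-mailbox:  abuse@example.net
mnt-by:         EXAMPLE-MNT

inetnum:        198.51.100.0 - 198.51.100.255
netname:        NO-ABUSE-NET
admin-c:        CC3-EXAMPLE

person:         Carol Contact
e-mail:         carol@example.org
nic-hdl:        CC3-EXAMPLE
"""


def parse_objects(text):
    """Split whois-style text into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):          # server comment lines
            continue
        if not raw.strip():                     # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+" and current:        # continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + raw[1:].strip()).strip())
            continue
        attr, _, value = raw.partition(":")
        # Drop end-of-line comments such as "# Filtered".
        current.append((attr.strip().lower(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def primary_key(obj):
    """person/role objects are keyed by nic-hdl, other classes by their first attribute."""
    if obj[0][0] in ("person", "role"):
        return dict(obj).get("nic-hdl", "").upper()
    return obj[0][1].upper()


def build_index(text):
    return {primary_key(obj): obj for obj in parse_objects(text)}


def find_abuse_mailboxes(index, start_key):
    """Breadth-first walk over references; returns [(mailbox, path_of_keys)], nearest first.

    Only abuse-mailbox counts. An e-mail attribute on a contact is there for
    other purposes and is deliberately not returned.
    """
    start = start_key.upper()
    queue = deque([(start, [start])])
    seen = {start}                              # stops self-maintained objects looping
    found = []
    while queue:
        key, path = queue.popleft()
        obj = index.get(key)
        if obj is None:                         # dangling reference, object not in our data
            continue
        for attr, value in obj:
            if attr == "abuse-mailbox":
                found.append((value, path))
            elif attr in REFERENCE_ATTRS:
                ref = value.upper()
                if ref not in seen:
                    seen.add(ref)
                    queue.append((ref, path + [ref]))
    return found


if __name__ == "__main__":
    idx = build_index(SAMPLE_DB)
    for resource in ("192.0.2.0 - 192.0.2.255", "198.51.100.0 - 198.51.100.255"):
        print(resource, "->", find_abuse_mailboxes(idx, resource))
```

The second range returns nothing even though its admin-c has an e-mail address, which is the behaviour Denis attributes to the Abuse Finder when no abuse address has been provided.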
Name: smime.p7s Type: application/pkcs7-signature Size: 5499 bytes Desc: not available URL: From wiegert at telus.net Fri Mar 15 10:32:55 2013 From: wiegert at telus.net (Arnold) Date: Fri, 15 Mar 2013 02:32:55 -0700 Subject: [anti-abuse-wg] Abuse Reporting Issues In-Reply-To: <5648A8908CCB564EBF46E2BC904A75B15EFE7B1A04@EXVPMBX100-1.exc.icann.org> References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>, <513FBADB.2040101@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org> <51419663.70801@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE7B1A04@EXVPMBX100-1.exc.icann.org> Message-ID: <5142EAC7.1030300@telus.net> On 3/14/2013 12:45 PM, Leo Vegoda wrote: > Hi Arnold, > > Arnold wrote: > > [...] > >> Assuming that IANA updated their DB files at reasonable intervals - my >> program >> checks to see if it has the latest file and if not it downloads the >> latest one - >> so it should end up being much easier - no cut-n-paste. > New registry files are published within seconds of the registry being > updated. Good - though from my experience this updating does not happen very frequently. Having just barely recovered from a hardware crash, I unfortunately have not gotten all my records fully restored, but if I had to guess, in the past year there have not been any more then a handful of updates, if that. 

Regards,
Arnold

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From david at mailplus.nl Fri Mar 15 09:19:13 2013
From: david at mailplus.nl (MailPlus| David Hofstee)
Date: Fri, 15 Mar 2013 09:19:13 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <5142DBDD.2040007@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net>
Message-ID: <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local>

I have never seen an email asking me to confirm that I still do the stuff that is listed in my local RIR...

David

-----Original message-----
From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
Sent: Friday 15 March 2013 09:29
To: Denis Walker
CC: Tobias Knecht; anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Abuse Reporting Issues

On 3/14/2013 3:28 AM, Denis Walker wrote:
>
> The RIPE Database contains many email addresses. These addresses are
> there for different reasons. Many attributes may point you to an email
> address, for example:
> admin-c:
> tech-c:
> zone-c:
> ping-hdl:
> notify:
> ref-nfy:
> mnt-ref:
> changed:
>
> and abuse-mailbox:
>
> Only this last one is specifically intended for abuse complaints. The
> problem we had in the past is that this attribute was always optional
> and if used could be put in many different places.
I applaud the motion to make the attribute mandatory; whether it will have much effect in reality I'll wait and see.

I realize there are many addresses in the RIPE database and if at all possible - for records without an abuse-email address - I tend to address my report to the admin-c, as I see those people as the most likely to have any influence on getting the 'problem' fixed.

> I think in this context 'usable' may have different interpretations.
> One of the functions of the RIPE Database is for engineers to be able
> to contact each other to resolve network and routing problems. Sending
> an abuse report to a network engineer because he has a 'usable' email
> address in the database may not achieve the result you were expecting.
>
No disagreement on this from me. I merely pointed out that for _my_ purposes, the Abuse Finder is less useful than the IANA files or the RIPE query page.
> The Abuse Finder tool returns the email addresses that have been
> provided for receiving abuse reports. If no such address has been
> provided the tool will return nothing, even if there are other email
> addresses in the database that are intended for other purposes.
Understood and accepted, but I have to and have had to work with what there was available.
If the available resources change, with time my approach will change as well.
>
> Over the next few months, as the abuse-c: data is entered into the
> database, the Abuse Finder tool will return more positive results.
> This will be the quickest and most reliable way to find abuse contacts
> for any resource.
Hope your expectations will become reality.

Regards
Arnold

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From fredrik at resilans.se Fri Mar 15 09:30:00 2013
From: fredrik at resilans.se (Fredrik Widell)
Date: Fri, 15 Mar 2013 09:30:00 +0100 (CET)
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local>
Message-ID:

On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:

There is a way of always reaching the correct recipients when it comes to reporting abuse, which it seems every single abuse-department is neglecting to use.

Why not take a look at the source, see which Autonomous System is actually announcing the prefix the address belongs to, it is quite hard to hide that information.

(there are a lot of free looking-glasses on the Internet for those of you who do not have access to a router, or, why not use RIPE's riswhois :)

When you know the AS, return to the whois-databases and look for the contact information for that Autonomous System, and contact them instead, they will always know which the offending customer is, they can always do something about the problem.

And the best part, it actually works :)

> I have never seen an email asking me to confirm that I still do the stuff that is listed in my local RIR...
>
> David
>
> -----Original message-----
> From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
> Sent: Friday 15 March 2013 09:29
> To: Denis Walker
> CC: Tobias Knecht; anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>
> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>
>> The RIPE Database contains many email addresses. These addresses are
>> there for different reasons. Many attributes may point you to an email
>> address, for example:
>> admin-c:
>> tech-c:
>> zone-c:
>> ping-hdl:
>> notify:
>> ref-nfy:
>> mnt-ref:
>> changed:
>>
>> and abuse-mailbox:
>>
>> Only this last one is specifically intended for abuse complaints. The
>> problem we had in the past is that this attribute was always optional
>> and if used could be put in many different places.
> I applaud the motion to make the attribute mandatory; whether it will have much effect in reality I'll wait and see.
>
> I realize there are many addresses in the RIPE database and if at all possible - for records without an abuse-email address - I tend to address my report to the admin-c, as I see those people as the most likely to have any influence on getting the 'problem' fixed.
>
>> I think in this context 'usable' may have different interpretations.
>> One of the functions of the RIPE Database is for engineers to be able
>> to contact each other to resolve network and routing problems. Sending
>> an abuse report to a network engineer because he has a 'usable' email
>> address in the database may not achieve the result you were expecting.
>>
> No disagreement on this from me. I merely pointed out that for _my_ purposes, the Abuse Finder is less useful than the IANA files or the RIPE query page.
>> The Abuse Finder tool returns the email addresses that have been
>> provided for receiving abuse reports.
>> If no such address has been
>> provided the tool will return nothing, even if there are other email
>> addresses in the database that are intended for other purposes.
> Understood and accepted, but I have to and have had to work with what there was available.
> If the available resources change, with time my approach will change as well.
>>
>> Over the next few months, as the abuse-c: data is entered into the
>> database, the Abuse Finder tool will return more positive results.
>> This will be the quickest and most reliable way to find abuse contacts
>> for any resource.
> Hope your expectations will become reality.
>
>
> Regards
> Arnold
>
>

--
Kind regards
Fredrik Widell
Resilans AB
http://www.resilans.se/
mail: info at resilans.se , fredrik at resilans.se
phone: +46 8 688 11 82

From david at mailplus.nl Fri Mar 15 10:03:08 2013
From: david at mailplus.nl (MailPlus| David Hofstee)
Date: Fri, 15 Mar 2013 10:03:08 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To:
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local>
Message-ID: <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>

Hi Frederik,

I am such a person (DH3195-RIPE). I entered my email a long time ago. Unlike passwords that expire and accounts that get locked when not used, this vital contact info is never re-validated. We never get mail that says: "Ripe wants to confirm that you are still having Role X in your organisation. Click here to confirm.". A full-inbox bounce could trigger a phone call. Etc. Ripe should charge money for not keeping records up to date.

In my (ESP) world, an email address that has not been used by the list-owner for over a year is a risk for a spam trap ;-).

Bye,

David

-----Original message-----
From: Fredrik Widell [mailto:fredrik at resilans.se]
Sent: Friday 15 March 2013 09:30
To: MailPlus| David Hofstee
CC: Arnold; Denis Walker; Tobias Knecht; anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Abuse Reporting Issues

On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:

There is a way of always reaching the correct recipients when it comes to reporting abuse, which it seems every single abuse-department is neglecting to use.

Why not take a look at the source, see which Autonomous System is actually announcing the prefix the address belongs to, it is quite hard to hide that information.

(there are a lot of free looking-glasses on the Internet for those of you who do not have access to a router, or, why not use RIPE's riswhois :)

When you know the AS, return to the whois-databases and look for the contact information for that Autonomous System, and contact them instead, they will always know which the offending customer is, they can always do something about the problem.

And the best part, it actually works :)

> I have never seen an email asking me to confirm that I still do the stuff that is listed in my local RIR...
>
> David
>
> -----Original message-----
> From: anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
> Sent: Friday 15 March 2013 09:29
> To: Denis Walker
> CC: Tobias Knecht; anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>
> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>
>> The RIPE Database contains many email addresses. These addresses are
>> there for different reasons. Many attributes may point you to an
>> email address, for example:
>> admin-c:
>> tech-c:
>> zone-c:
>> ping-hdl:
>> notify:
>> ref-nfy:
>> mnt-ref:
>> changed:
>>
>> and abuse-mailbox:
>>
>> Only this last one is specifically intended for abuse complaints.
>> The problem we had in the past is that this attribute was always optional
>> and if used could be put in many different places.
> I applaud the motion to make the attribute mandatory; whether it will have much effect in reality I'll wait and see.
>
> I realize there are many addresses in the RIPE database and if at all possible - for records without an abuse-email address - I tend to address my report to the admin-c, as I see those people as the most likely to have any influence on getting the 'problem' fixed.
>
>> I think in this context 'usable' may have different interpretations.
>> One of the functions of the RIPE Database is for engineers to be able
>> to contact each other to resolve network and routing problems.
>> Sending an abuse report to a network engineer because he has a
>> 'usable' email address in the database may not achieve the result you were expecting.
>>
> No disagreement on this from me. I merely pointed out that for _my_ purposes, the Abuse Finder is less useful than the IANA files or the RIPE query page.
>> The Abuse Finder tool returns the email addresses that have been
>> provided for receiving abuse reports. If no such address has been
>> provided the tool will return nothing, even if there are other email
>> addresses in the database that are intended for other purposes.
> Understood and accepted, but I have to and have had to work with what there was available.
> If the available resources change, with time my approach will change as well.
>>
>> Over the next few months, as the abuse-c: data is entered into the
>> database, the Abuse Finder tool will return more positive results.
>> This will be the quickest and most reliable way to find abuse
>> contacts for any resource.
> Hope your expectations will become reality.
>
>
> Regards
> Arnold
>
>

--
Kind regards
Fredrik Widell
Resilans AB
http://www.resilans.se/
mail: info at resilans.se , fredrik at resilans.se
phone: +46 8 688 11 82

From fredrik at resilans.se Fri Mar 15 10:37:16 2013
From: fredrik at resilans.se (Fredrik Widell)
Date: Fri, 15 Mar 2013 10:37:16 +0100 (CET)
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>
Message-ID:

On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:

Well, that is probably more a sign of a sloppy organisation, it is up to the LIR to keep the ripedb up to date, this is not the role of RIPE. You probably don't expect RIPE to keep track of your old DNS-entries and give you a phone-call if it seems that a customer-name is wrong do you?

> Hi Frederik,
>
> I am such a person (DH3195-RIPE). I entered my email a long time ago. Unlike passwords that expire and accounts that get locked when not used, this vital contact info is never re-validated. We never get mail that says: "Ripe wants to confirm that you are still having Role X in your organisation. Click here to confirm.". A full-inbox bounce could trigger a phone call. Etc. Ripe should charge money for not keeping records up to date.
>
> In my (ESP) world, an email address that has not been used by the list-owner for over a year is a risk for a spam trap ;-).
>
> Bye,
>
> David
>
> -----Original message-----
> From: Fredrik Widell [mailto:fredrik at resilans.se]
> Sent: Friday 15 March 2013 09:30
> To: MailPlus| David Hofstee
> CC: Arnold; Denis Walker; Tobias Knecht; anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>
> On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:
>
> There is a way of always reaching the correct recipients when it comes to reporting abuse, which it seems every single abuse-department is neglecting to use.
>
> Why not take a look at the source, see which Autonomous System is actually announcing the prefix the address belongs to, it is quite hard to hide that information.
>
> (there are a lot of free looking-glasses on the Internet for those of you who do not have access to a router, or, why not use RIPE's riswhois :)
>
> When you know the AS, return to the whois-databases and look for the contact information for that Autonomous System, and contact them instead, they will always know which the offending customer is, they can always do something about the problem.
>
> And the best part, it actually works :)
>
>> I have never seen an email asking me to confirm that I still do the stuff that is listed in my local RIR...
>>
>> David
>>
>> -----Original message-----
>> From: anti-abuse-wg-bounces at ripe.net
>> [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
>> Sent: Friday 15 March 2013 09:29
>> To: Denis Walker
>> CC: Tobias Knecht; anti-abuse-wg at ripe.net
>> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>>
>> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>>
>>> The RIPE Database contains many email addresses. These addresses are
>>> there for different reasons.
>>> Many attributes may point you to an
>>> email address, for example:
>>> admin-c:
>>> tech-c:
>>> zone-c:
>>> ping-hdl:
>>> notify:
>>> ref-nfy:
>>> mnt-ref:
>>> changed:
>>>
>>> and abuse-mailbox:
>>>
>>> Only this last one is specifically intended for abuse complaints. The
>>> problem we had in the past is that this attribute was always optional
>>> and if used could be put in many different places.
>> I applaud the motion to make the attribute mandatory; whether it will have much effect in reality I'll wait and see.
>>
>> I realize there are many addresses in the RIPE database and if at all possible - for records without an abuse-email address - I tend to address my report to the admin-c, as I see those people as the most likely to have any influence on getting the 'problem' fixed.
>>
>>> I think in this context 'usable' may have different interpretations.
>>> One of the functions of the RIPE Database is for engineers to be able
>>> to contact each other to resolve network and routing problems.
>>> Sending an abuse report to a network engineer because he has a
>>> 'usable' email address in the database may not achieve the result you were expecting.
>>>
>> No disagreement on this from me. I merely pointed out that for _my_ purposes, the Abuse Finder is less useful than the IANA files or the RIPE query page.
>>> The Abuse Finder tool returns the email addresses that have been
>>> provided for receiving abuse reports. If no such address has been
>>> provided the tool will return nothing, even if there are other email
>>> addresses in the database that are intended for other purposes.
>> Understood and accepted, but I have to and have had to work with what there was available.
>> If the available resources change, with time my approach will change as well.
>>>
>>> Over the next few months, as the abuse-c: data is entered into the
>>> database, the Abuse Finder tool will return more positive results.
>>> This will be the quickest and most reliable way to find abuse
>>> contacts for any resource.
>> Hope your expectations will become reality.
>>
>>
>> Regards
>> Arnold
>>
>>
>
>

--
Kind regards
Fredrik Widell
Resilans AB
http://www.resilans.se/
mail: info at resilans.se , fredrik at resilans.se
phone: +46 8 688 11 82

From david at mailplus.nl Fri Mar 15 10:53:11 2013
From: david at mailplus.nl (MailPlus| David Hofstee)
Date: Fri, 15 Mar 2013 10:53:11 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To:
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>
Message-ID: <78C35D6C1A82D243B830523B4193CF5F5E94339081@SBS1.blinker.local>

Hi Frederik,

Who has an interest in a clean database? The sloppy Org or Ripe? The answer is Ripe, therefore it should also spend energy [via Ripe Ncc] in (making sure that Orgs are) keeping it clean.

Kids do not grow up themselves, it requires an active process. Organisations are not much different.

David

-----Original message-----
From: Fredrik Widell [mailto:fredrik at resilans.se]
Sent: Friday 15 March 2013 10:37
To: MailPlus| David Hofstee
CC: anti-abuse-wg at ripe.net
Subject: RE: [anti-abuse-wg] Abuse Reporting Issues

On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:

Well, that is probably more a sign of a sloppy organisation, it is up to the LIR to keep the ripedb up to date, this is not the role of RIPE. You probably don't expect RIPE to keep track of your old DNS-entries and give you a phone-call if it seems that a customer-name is wrong do you?

> Hi Frederik,
>
> I am such a person (DH3195-RIPE). I entered my email a long time ago.
> Unlike passwords that expire and accounts that get locked when not used, this vital contact info is never re-validated. We never get mail that says: "Ripe wants to confirm that you are still having Role X in your organisation. Click here to confirm.". A full-inbox bounce could trigger a phone call. Etc. Ripe should charge money for not keeping records up to date.
>
> In my (ESP) world, an email address that has not been used by the list-owner for over a year is a risk for a spam trap ;-).
>
> Bye,
>
> David

From denis at ripe.net Fri Mar 15 11:17:52 2013
From: denis at ripe.net (Denis Walker)
Date: Fri, 15 Mar 2013 11:17:52 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To:
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local>
Message-ID: <5142F550.3060209@ripe.net>

Dear Fredrik

The RIPE NCC's Abuse Finder tool also works with AS number resources. For RIPE NCC members their AS numbers also reference the same ORGANISATION object as do their IP resource allocations. So over the next 6 months as they add the abuse-c contact details for their allocations it also covers their AS number resources. This will make it a lot easier to find abuse contact details from a routing perspective.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 15/03/2013 09:30, Fredrik Widell wrote:
> On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:
>
> There is a way of always reaching the correct recipients when it
> comes to reporting abuse, which it seems every single abuse-department
> is neglecting to use.
>
> Why not take a look at the source, see which Autonomous System is
> actually announcing the prefix the address belongs to, it is quite hard
> to hide that information.
>
> (there are a lot of free looking-glasses on the Internet for those of
> you who do not have access to a router, or, why not use RIPE's riswhois :)
>
> When you know the AS, return to the whois-databases and look for the
> contact information for that Autonomous System, and contact them instead,
> they will always know which the offending customer is, they can always do
> something about the problem.
>
> And the best part, it actually works :)
>
>> I have never seen an email asking me to confirm that I still do the
>> stuff that is listed in my local RIR...
>>
>> David
>>
>> -----Original message-----
>> From: anti-abuse-wg-bounces at ripe.net
>> [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
>> Sent: Friday 15 March 2013 09:29
>> To: Denis Walker
>> CC: Tobias Knecht; anti-abuse-wg at ripe.net
>> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>>
>> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>>
>>> The RIPE Database contains many email addresses. These addresses are
>>> there for different reasons. Many attributes may point you to an email
>>> address, for example:
>>> admin-c:
>>> tech-c:
>>> zone-c:
>>> ping-hdl:
>>> notify:
>>> ref-nfy:
>>> mnt-ref:
>>> changed:
>>>
>>> and abuse-mailbox:
>>>
>>> Only this last one is specifically intended for abuse complaints. The
>>> problem we had in the past is that this attribute was always optional
>>> and if used could be put in many different places.
>> I applaud the motion to make the attribute mandatory; whether it will
>> have much effect in reality I'll wait and see.
>>
>> I realize there are many addresses in the RIPE database and if at all
>> possible - for records without an abuse-email address - I tend to
>> address my report to the admin-c, as I see those people as the most
>> likely to have any influence on getting the 'problem' fixed.
>>
>>> I think in this context 'usable' may have different interpretations.
>>> One of the functions of the RIPE Database is for engineers to be able
>>> to contact each other to resolve network and routing problems. Sending
>>> an abuse report to a network engineer because he has a 'usable' email
>>> address in the database may not achieve the result you were expecting.
>>>
>> No disagreement on this from me. I merely pointed out that for _my_
>> purposes, the Abuse Finder is less useful than the IANA files or the
>> RIPE query page.
>>> The Abuse Finder tool returns the email addresses that have been
>>> provided for receiving abuse reports. If no such address has been
>>> provided the tool will return nothing, even if there are other email
>>> addresses in the database that are intended for other purposes.
>> Understood and accepted, but I have to and have had to work with what
>> there was available.
>> If the available resources change, with time my approach will change
>> as well.
>>>
>>> Over the next few months, as the abuse-c: data is entered into the
>>> database, the Abuse Finder tool will return more positive results.
>>> This will be the quickest and most reliable way to find abuse contacts
>>> for any resource.
>> Hope your expectations will become reality.
>>
>>
>> Regards
>> Arnold
>>
>>
>

From fredrik at resilans.se Fri Mar 15 11:27:32 2013
From: fredrik at resilans.se (Fredrik Widell)
Date: Fri, 15 Mar 2013 11:27:32 +0100 (CET)
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F5E94339081@SBS1.blinker.local>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339081@SBS1.blinker.local>
Message-ID:

On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:

> Hi Frederik,
>
> Who has an interest in a clean database? The sloppy Org or Ripe? The answer is Ripe, therefore it should also spend energy [via Ripe Ncc] in (making sure that Orgs are) keeping it clean.

Maybe there should be a new category for LIRs, Large, Medium, Small, and Sloppy, extra fees on the Sloppy so RIPE can keep their records up to date.

>
> Kids do not grow up themselves, it requires an active process. Organisations are not much different.
>
> David
>
> -----Original message-----
> From: Fredrik Widell [mailto:fredrik at resilans.se]
> Sent: Friday 15 March 2013 10:37
> To: MailPlus| David Hofstee
> CC: anti-abuse-wg at ripe.net
> Subject: RE: [anti-abuse-wg] Abuse Reporting Issues
>
> On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:
>
> Well, that is probably more a sign of a sloppy organisation, it is up to the LIR to keep the ripedb up to date, this is not the role of RIPE. You probably don't expect RIPE to keep track of your old DNS-entries and give you a phone-call if it seems that a customer-name is wrong do you?
>
>> Hi Frederik,
>>
>> I am such a person (DH3195-RIPE). I entered my email a long time ago.
>> Unlike passwords that expire and accounts that get locked when not used, this vital contact info is never re-validated. We never get mail that says: "Ripe wants to confirm that you are still having Role X in your organisation. Click here to confirm.". A full-inbox bounce could trigger a phone call. Etc. Ripe should charge money for not keeping records up to date.
>>
>> In my (ESP) world, an email address that has not been used by the list-owner for over a year is a risk for a spam trap ;-).
>>
>> Bye,
>>
>> David
>
>

--
Kind regards
Fredrik Widell
Resilans AB
http://www.resilans.se/
mail: info at resilans.se , fredrik at resilans.se
phone: +46 8 688 11 82

From wiegert at telus.net Sat Mar 16 07:08:51 2013
From: wiegert at telus.net (Arnold)
Date: Fri, 15 Mar 2013 23:08:51 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local>
Message-ID: <51440C73.2030606@telus.net>

On 3/15/2013 2:03 AM, MailPlus| David Hofstee wrote:
> Hi Frederik,
>
> I am such a person (DH3195-RIPE). I entered my email a long time ago. Unlike passwords that expire and accounts that get locked when not used, this vital contact info is never re-validated. We never get mail that says: "Ripe wants to confirm that you are still having Role X in your organisation. Click here to confirm.". A full-inbox bounce could trigger a phone call. Etc. Ripe should charge money for not keeping records up to date.

My sentiments exactly.
Without ongoing efforts to verify and costs to the client for failing to respond, all of this possibly keeps some people busy, but does nothing to help stem SPAM.

Arnold

>
> In my (ESP) world, an email address that has not been used by the list-owner for over a year is a risk for a spam trap ;-).
>
> Bye,
>
> David
>
> -----Original message-----
> From: Fredrik Widell [mailto:fredrik at resilans.se]
> Sent: Friday 15 March 2013 09:30
> To: MailPlus| David Hofstee
> CC: Arnold; Denis Walker; Tobias Knecht; anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>
> On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:
>
> There is a way of always reaching the correct recipients when it comes to reporting abuse, which it seems every single abuse-department is neglecting to use.
>
> Why not take a look at the source, see which Autonomous System is actually announcing the prefix the address belongs to, it is quite hard to hide that information.
>
> (there are a lot of free looking-glasses on the Internet for those of you who do not have access to a router, or, why not use RIPE's riswhois :)
>
> When you know the AS, return to the whois-databases and look for the contact information for that Autonomous System, and contact them instead, they will always know which the offending customer is, they can always do something about the problem.
>
> And the best part, it actually works :)
>
>> I have never seen an email asking me to confirm that I still do the stuff that is listed in my local RIR...
>>
>> David
>>
>> -----Original message-----
>> From: anti-abuse-wg-bounces at ripe.net
>> [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
>> Sent: Friday 15 March 2013 09:29
>> To: Denis Walker
>> CC: Tobias Knecht; anti-abuse-wg at ripe.net
>> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>>
>> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>> The RIPE Database contains many email addresses.
>>> These addresses are
>>> there for different reasons. Many attributes may point you to an
>>> email address, for example:
>>> admin-c:
>>> tech-c:
>>> zone-c:
>>> ping-hdl:
>>> notify:
>>> ref-nfy:
>>> mnt-ref:
>>> changed:
>>>
>>> and abuse-mailbox:
>>>
>>> Only this last one is specifically intended for abuse complaints. The
>>> problem we had in the past is that this attribute was always optional
>>> and if used could be put in many different places.
>> I applaud the motion to make the attribute mandatory; whether it will have much effect in reality I'll wait and see.
>>
>> I realize there are many addresses in the RIPE database and if at all possible - for records without an abuse-email address - I tend to address my report to the admin-c, as I see those people as the most likely to have any influence on getting the 'problem' fixed.
>>
>>> I think in this context 'usable' may have different interpretations.
>>> One of the functions of the RIPE Database is for engineers to be able
>>> to contact each other to resolve network and routing problems.
>>> Sending an abuse report to a network engineer because he has a
>>> 'usable' email address in the database may not achieve the result you were expecting.
>>>
>> No disagreement on this from me. I merely pointed out that for _my_ purposes, the Abuse Finder is less useful than the IANA files or the RIPE query page.
>>> The Abuse Finder tool returns the email addresses that have been
>>> provided for receiving abuse reports. If no such address has been
>>> provided the tool will return nothing, even if there are other email
>>> addresses in the database that are intended for other purposes.
>> Understood and accepted, but I have to and have had to work with what there was available.
>> If the available resources change, with time my approach will change as well.
>>> Over the next few months, as the abuse-c: data is entered into the
>>> database, the Abuse Finder tool will return more positive results.
>>> This will be the quickest and most reliable way to find abuse
>>> contacts for any resource.
>> Hope your expectations will become reality.
>>
>>
>> Regards
>> Arnold
>>
>>

--
Fight Spam - report it with wxSR 0.5 - ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml

From niall.oreilly at ucd.ie Fri Mar 15 18:35:51 2013
From: niall.oreilly at ucd.ie (Niall O'Reilly)
Date: Fri, 15 Mar 2013 17:35:51 +0000
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <51440C73.2030606@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local> <51440C73.2030606@telus.net>
Message-ID: <13478B20-0BBB-4D8C-8404-C67576E9E32F@ucd.ie>

On 16 Mar 2013, at 06:08, Arnold wrote:

> Without ongoing efforts to verify and costs to the client for failing to respond, all of this possibly keeps some people busy, but does nothing to help stem SPAM.

Brownie points à la SixXs to qualify for a more attractive charging band, or?

Just wondering ...

/Niall

From leo.vegoda at icann.org Fri Mar 15 23:51:34 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Fri, 15 Mar 2013 15:51:34 -0700
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <5142EAC7.1030300@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net>, <513FBADB.2040101@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE451440@EXVPMBX100-1.exc.icann.org> <51419663.70801@telus.net> <5648A8908CCB564EBF46E2BC904A75B15EFE7B1A04@EXVPMBX100-1.exc.icann.org> <5142EAC7.1030300@telus.net>
Message-ID:

Hi Arnold,

On Mar 15, 2013, at 2:32 am, Arnold wrote:

> On 3/14/2013 12:45 PM, Leo Vegoda wrote:

[...]

>> New registry files are published within seconds of the registry being
>> updated.
> Good - though from my experience this updating does not happen very
> frequently.

Yes, now that the unicast IPv4 address space is pretty much fully allocated the changes are infrequent.

Regards,

Leo

From Woeber at CC.UniVie.ac.at Sat Mar 16 14:59:39 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Sat, 16 Mar 2013 14:59:39 +0100
Subject: [anti-abuse-wg] Abuse Reporting Issues
In-Reply-To: <51440C73.2030606@telus.net>
References: <513E1695.7010204@abusix.com> <513E22BF.2080400@telus.net> <513E6DD2.80409@abusix.com> <513E8CE8.6090204@telus.net> <513F04F8.5040002@ripe.net> <513FBADB.2040101@telus.net> <5141A65F.8080402@ripe.net> <5142DBDD.2040007@telus.net> <78C35D6C1A82D243B830523B4193CF5F5E9433905B@SBS1.blinker.local> <78C35D6C1A82D243B830523B4193CF5F5E94339069@SBS1.blinker.local> <51440C73.2030606@telus.net>
Message-ID: <51447ACB.8010007@CC.UniVie.ac.at>

Arnold wrote:

> On 3/15/2013 2:03 AM, MailPlus| David Hofstee wrote:
>
>> Hi Frederik,
>>
>> I am such a person (DH3195-RIPE).
>> I entered my email a long time ago.
>> Unlike passwords that expire and accounts that get locked when not
>> used, this vital contact info is never re-validated. We never get mail
>> that says: "Ripe wants to confirm that you are still having Role X in
>> your organisation. Click here to confirm.". A full-inbox bounce could
>> trigger a phone call. Etc. Ripe should charge money for not keeping
>> records up to date.
>
> My sentiments exactly.
> Without ongoing efforts to verify and costs to the client for failing to
> respond, all of this possibly keeps some people busy, but does nothing
> to help stem SPAM.

And even if there would be money involved, some way or another, SPAM would not go away or become less.

It simply is a fact, that sending unsolicited messages simply is not illegal in some places. In some corners of the world it is even a business model.

So whether the contact info is "correct" (for any definition of), working (for any definition of) or not, is mostly a non-issue in this case.

Bothering the RIPE NCC again and again is also not going to have a too big impact. There are quite a few other well-established mechanisms to fight unwanted (again, for any definition of) activities. Like Regulators, Trade Commissions, national and sector-specific or ISP-related CERTs and so on.

And - hopping on my soap-box - the real problem to solve is to educate the users to *not* react to SPAM. No business gained by spamming, costing money (even if it is cheap), would make it go away pretty quickly.

End soap-box :-)

Wilfried

> Arnold
>
>>
>> In my (ESP) world, an email address that has not been used by the
>> list-owner for over a year is a risk for a spam trap ;-).
>>
>> Bye,
>>
>> David
>>
>> -----Original message-----
>> From: Fredrik Widell [mailto:fredrik at resilans.se]
>> Sent: Friday 15 March 2013 09:30
>> To: MailPlus| David Hofstee
>> CC: Arnold; Denis Walker; Tobias Knecht; anti-abuse-wg at ripe.net
>> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>>
>> On Fri, 15 Mar 2013, MailPlus| David Hofstee wrote:
>>
>>
>>
>> There is a way of always reaching the correct recipients when it comes
>> to reporting abuse, which it seems every single abuse-department is
>> neglecting to use.
>>
>> Why not take a look at the source, see which Autonomous System is
>> actually announcing the prefix the address belongs to, it is quite
>> hard to hide that information.
>>
>> (there are a lot of free looking-glasses on the Internet for those of
>> you who do not have access to a router, or, why not use RIPE's
>> riswhois :)
>>
>> When you know the AS, return to the whois-databases and look for the
>> contact information for that Autonomous System, and contact them
>> instead, they will always know which the offending customer is, they
>> can always do something about the problem.
>>
>> And the best part, it actually works :)
>>
>>
>>
>>> I have never seen an email asking me to confirm that I still do the
>>> stuff that is listed in my local RIR...
>>>
>>> David
>>>
>>> -----Original message-----
>>> From: anti-abuse-wg-bounces at ripe.net
>>> [mailto:anti-abuse-wg-bounces at ripe.net] On behalf of Arnold
>>> Sent: Friday 15 March 2013 09:29
>>> To: Denis Walker
>>> CC: Tobias Knecht; anti-abuse-wg at ripe.net
>>> Subject: Re: [anti-abuse-wg] Abuse Reporting Issues
>>>
>>> On 3/14/2013 3:28 AM, Denis Walker wrote:
>>>
>>>> The RIPE Database contains many email addresses. These addresses are
>>>> there for different reasons.
>>>> Many attributes may point you to an
>>>> email address, for example:
>>>> admin-c:
>>>> tech-c:
>>>> zone-c:
>>>> ping-hdl:
>>>> notify:
>>>> ref-nfy:
>>>> mnt-ref:
>>>> changed:
>>>>
>>>> and abuse-mailbox:
>>>>
>>>> Only this last one is specifically intended for abuse complaints. The
>>>> problem we had in the past is that this attribute was always optional
>>>> and if used could be put in many different places.
>>>
>>> I applaud the motion to make the attribute mandatory; whether it will
>>> have much effect in reality I'll wait and see.
>>>
>>> I realize there are many addresses in the RIPE database and if at all
>>> possible - for records without an abuse -email address - I tend to
>>> address my report to the admin-c, as I see those people as the most
>>> likely to have any influence on getting the 'problem' fixed.
>>>
>>>> I think in this context 'usable' may have different interpretations.
>>>> One of the functions of the RIPE Database is for engineers to be able
>>>> to contact each other to resolve network and routing problems.
>>>> Sending an abuse report to a network engineer because he has a
>>>> 'usable' email address in the database may not achieve the result
>>>> you were expecting.
>>>>
>>> No disagreement on this from me. I merely pointed out that for _my_
>>> purposes, the Abuse Finder is less useful than the IANA files or the
>>> RIPE query page.
>>>
>>>> The Abuse Finder tool returns the email addresses that have been
>>>> provided for receiving abuse reports. If no such address has been
>>>> provided the tool will return nothing, even if there are other email
>>>> addresses in the database that are intended for other purposes.
>>>
>>> Understood and accepted, but I have to and have had to work with what
>>> there was available.
>>> If the available resources change, with time my approach will change
>>> as well.
>>>
>>>> Over the next few months, as the abuse-c: data is entered into the
>>>> database, the Abuse Finder tool will return more positive results.
>>>> This will be the quickest and most reliable way to find abuse
>>>> contacts for any resource.
>>>
>>> Hope your expectations will become reality.
>>>
>>>
>>> Regards
>>> Arnold
>>>
>>>
>
>

From lp at shlink.de Mon Mar 18 23:46:56 2013
From: lp at shlink.de (Lutz Petersen)
Date: Mon, 18 Mar 2013 23:46:56 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
Message-ID: <20130318224656.GA10805@work-lp.shlink.de>

I just realized a new spam active network. When doing some deeper checks I was really astonished. There is a huge netrange (Romania) prepared for spamming. The netrange is

176.121.24.0/21
176.121.32.0/19

Only half an hour after mails arrived I took a look at a border gateway - but it says this network has no route. There are different AS numbers within the RipeDB for these networks.

The AS whois looks strange. Anyone out there who can give some hints what happens here ?

From rfg at tristatelogic.com Tue Mar 19 00:48:25 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Mon, 18 Mar 2013 16:48:25 -0700
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <20130318224656.GA10805@work-lp.shlink.de>
Message-ID: <3323.1363650505@server1.tristatelogic.com>

In message <20130318224656.GA10805 at work-lp.shlink.de>,
Lutz Petersen wrote:

>The AS whois looks strange. Anyone out there who can give some hints what
>happens here ?

Yes.

But what does it matter?

From ops.lists at gmail.com Tue Mar 19 02:57:18 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 19 Mar 2013 07:27:18 +0530
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <3323.1363650505@server1.tristatelogic.com>
References: <20130318224656.GA10805@work-lp.shlink.de>
 <3323.1363650505@server1.tristatelogic.com>
Message-ID:

Not much you can do here.
The LIRs involved need to be stopped from operating a cash and carry ip allocation service for spammers and botmasters but that doesn't seem likely to happen

--srs (htc one x)

On 19-Mar-2013 5:18 AM, "Ronald F. Guilmette" wrote:

>
> In message <20130318224656.GA10805 at work-lp.shlink.de>,
> Lutz Petersen wrote:
>
> >The AS whois looks strange. Anyone out there who can give some hints what
> >happens here ?
>
> Yes.
>
> But what does it matter?
>
>

From lp at shlink.de Tue Mar 19 06:21:34 2013
From: lp at shlink.de (Lutz Petersen)
Date: Tue, 19 Mar 2013 06:21:34 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <3323.1363650505@server1.tristatelogic.com>
References: <20130318224656.GA10805@work-lp.shlink.de>
 <3323.1363650505@server1.tristatelogic.com>
Message-ID: <20130319052134.GA3908@laptl.shlink.de>

Ronald,

it's a mysterious for me, sorry. Maybe I did not make it clearly enough what irritates me.. Viewing BGP tables one don't see a single announcement for this netblock. Traces all ends obvious at default null route in core routers. Seems to be one of the cases where nets are only announced when spinning out short time spam waves - one can see this comparing older logs.

But: Reverse delegation from RIPE for this nets has been done to two nameservers - 176.121.32.2 + 176.121.32.3. But even if there does not exist an BGP entry, these nameservers can be asked and give an answer:

# sh ip bgp 176.121.32.2
% Network not in table

# host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
# Using domain server:
# Name: ns2.alvinemove.info.
# Address: 176.121.32.3#53
# 2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.

What may be the trick with that ?

From zsako at iszt.hu Tue Mar 19 08:49:29 2013
From: zsako at iszt.hu (Janos Zsako)
Date: Tue, 19 Mar 2013 08:49:29 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <20130319052134.GA3908@laptl.shlink.de>
References: <20130318224656.GA10805@work-lp.shlink.de>
 <3323.1363650505@server1.tristatelogic.com>
 <20130319052134.GA3908@laptl.shlink.de>
Message-ID: <51481889.4050708@iszt.hu>

Dear Lutz,

I may misunderstand you, but see below.

> it's a mysterious for me, sorry. Maybe I did not make it clearly enough what
> irritates me.. Viewing BGP tables one don't see a single announcement for this
> netblock. Traces all ends obvious at default null route in core routers.
> Seems to be one of the cases where nets are only announced when spinning out
> short time spam waves - one can see this comparing older logs.
>
> But: Reverse delegation from RIPE for this nets has been done to two
> nameservers - 176.121.32.2 + 176.121.32.3. But even if there does not exist an
> BGP entry, these nameservers can be asked and give an answer:
>
> # sh ip bgp 176.121.32.2
> % Network not in table

This only says _your_ router does not have it in the BGP. I suspect though that you do have a default route. So

sh ip route 176.121.32.2

would give you some answer.

Please note that the network _is_ advertised (as 176.121.32.0/24 at present), see
http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&query=1&arg=176.121.32.2
for example.

I hope this helps.

Best regards,
Janos

> # host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
> # Using domain server:
> # Name: ns2.alvinemove.info.
> # Address: 176.121.32.3#53
> # 2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.
>
> What may be the trick with that ?
>
>

From ops.lists at gmail.com Tue Mar 19 09:03:27 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Tue, 19 Mar 2013 13:33:27 +0530
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <20130319052134.GA3908@laptl.shlink.de>
References: <20130318224656.GA10805@work-lp.shlink.de>
 <3323.1363650505@server1.tristatelogic.com>
 <20130319052134.GA3908@laptl.shlink.de>
Message-ID:

On Tue, Mar 19, 2013 at 10:51 AM, Lutz Petersen wrote:

>
> # sh ip bgp 176.121.32.2
> % Network not in table
>
> # host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
> # Using domain server:
> # Name: ns2.alvinemove.info.
> # Address: 176.121.32.3#53
> # 2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.

suresh at frodo 01:01:32 <~> $ whois -h whois.ripe.net DSCNET|perl ./iprange2cidr.pl
31.133.24.0/21
46.151.32.0/21
91.226.52.0/22
91.240.154.0/24
91.240.156.0/22
91.246.172.0/22
91.246.176.0/20
91.246.192.0/21
91.246.200.0/23
94.232.96.0/21
176.102.120.0/21
176.111.0.0/21
176.115.224.0/20
176.121.32.0/20

--
Suresh Ramasubramanian (ops.lists at gmail.com)

From robert at ripe.net Tue Mar 19 09:44:07 2013
From: robert at ripe.net (Robert Kisteleki)
Date: Tue, 19 Mar 2013 09:44:07 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <51481889.4050708@iszt.hu>
References: <20130318224656.GA10805@work-lp.shlink.de>
 <3323.1363650505@server1.tristatelogic.com>
 <20130319052134.GA3908@laptl.shlink.de> <51481889.4050708@iszt.hu>
Message-ID: <51482557.10005@ripe.net>

Dear All,

In order to get more information about this block, you can also take a look at RIPEstat, which shows the routing status and history very nicely:

https://stat.ripe.net/176.121.32.2#tabId=routing

Regards,
Robert Kisteleki
RIPE NCC R&D

On 2013.03.19. 8:49, Janos Zsako wrote:
> Dear Lutz,
>
> I may misunderstand you, but see below.
>
>> it's a mysterious for me, sorry. Maybe I did not make it clearly enough what
>> irritates me.. Viewing BGP tables one don't see a single announcement for
>> this
>> netblock. Traces all ends obvious at default null route in core routers.
>> Seems to be one of the cases where nets are only announced when spinning out
>> short time spam waves - one can see this comparing older logs.
>>
>> But: Reverse delegation from RIPE for this nets has been done to two
>> nameservers - 176.121.32.2 + 176.121.32.3. But even if there does not exist an
>> BGP entry, these nameservers can be asked and give an answer:
>>
>> # sh ip bgp 176.121.32.2
>> % Network not in table
>
> This only says _your_ router does not have it in the BGP. I suspect though that
> you do have a default route. So
> sh ip route 176.121.32.2
> would give you some answer.
>
> Please note that the network _is_ advertised (as 176.121.32.0/24 at
> present), see
> http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&query=1&arg=176.121.32.2
>
> for example.
>
> I hope this helps.
>
> Best regards,
> Janos
>
>> # host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
>> # Using domain server:
>> # Name: ns2.alvinemove.info.
>> # Address: 176.121.32.3#53
>> # 2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.
>>
>> What may be the trick with that ?
>>
>>
>
>

From brian.nisbet at heanet.ie Tue Mar 19 10:19:50 2013
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 19 Mar 2013 09:19:50 +0000
Subject: [anti-abuse-wg] Internet Bad Neighbourhood Research
Message-ID: <51482DB6.9020504@heanet.ie>

Morning,

For those who haven't seen it elsewhere, some interesting research from the University of Twente.

The BBC story is here: http://www.bbc.co.uk/news/technology-21798829

The actual research paper is here: http://doc.utwente.nl/84507/

Brian

From rfg at tristatelogic.com Tue Mar 19 11:59:20 2013
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 19 Mar 2013 03:59:20 -0700
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
Message-ID: <9041.1363690760@server1.tristatelogic.com>

Lutz Petersen wrote:

>it's a mysterious for me, sorry. Maybe I did not make it clearly enough what
>irritates me.. Viewing BGP tables one don't see a single announcement for this
>netblock. Traces all ends obvious at default null route in core routers.
>Seems to be one of the cases where nets are only announced when spinning out
>short time spam waves - one can see this comparing older logs.
>
>But: Reverse delegation from RIPE for this nets has been done to two
>nameservers - 176.121.32.2 + 176.121.32.3. But even if there does not exist an
>BGP entry, these nameservers can be asked and give an answer:
>...
>What may be the trick with that ?

Just because a traceroute ends at a certain point, that most definitely DOES NOT mean that other (non-traceroute) types of packets will have any trouble at all getting through to the final destination and/or back again.

There are quite a lot of networks on the Internet that are blocking traceroute packets, due to either incompetence or malevolence. Networks that know that they are harboring criminals and criminal activity will almost always be found to be blocking ordinary traceroute packets.

tinet.net, in particular, does not have the best reputation when it comes to who they are willing to connect with. They and their dodgy customer probably don't want you to know even what little you can learn from the following...

% traceroute 176.121.32.2
traceroute to 176.121.32.2 (176.121.32.2), 64 hops max, 52 byte packets
 1  3.255-62-69.res.dyn.surewest.net (69.62.255.3)  44.516 ms  44.805 ms  43.774 ms
 2  172.21.2.57 (172.21.2.57)  45.517 ms  46.255 ms  46.922 ms
 3  172.21.0.250 (172.21.0.250)  45.977 ms  45.436 ms  45.825 ms
 4  sjo-bb1-link.telia.net (213.248.88.73)  49.417 ms  49.347 ms  49.497 ms
 5  xe-1-3-0.sjc10.ip4.tinet.net (173.241.128.109)  49.521 ms  50.778 ms  49.954 ms
 6  xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253)  214.637 ms
    xe-5-1-0.fra60.ip4.tinet.net (141.136.108.41)  253.992 ms
    xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253)  210.634 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  *^C

Regards,
rfg

From lp at shlink.de Tue Mar 19 13:05:10 2013
From: lp at shlink.de (Lutz Petersen)
Date: Tue, 19 Mar 2013 13:05:10 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <9041.1363690760@server1.tristatelogic.com>
References: <9041.1363690760@server1.tristatelogic.com>
Message-ID: <20130319120510.GA3824@laptl.shlink.de>

> tinet.net, in particular, does not have the best reputation when it
> comes to who they are willing to connect with. They and their dodgy
> customer probably don't want you to know even what little you can learn
> from the following...

Yes - coming from different ways here it always seems to end in Frankfurt at one of Tinet Border Router interfaces. In fact we could realize that the router directly connected with Tinets has the full bgp table (a personal known admin just checked) but even he could not trace more than one hop. Seems indeed they filter at border gateways..
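
Janos Zsako's point earlier in this thread (a lookup in one router's BGP table says nothing about how that router forwards packets, nor about what other networks see announced) can be modelled with longest-prefix matching. This is an added example, not part of any list member's message; both routing tables are constructed samples, and only 176.121.32.2, 176.121.32.0/24, 176.121.32.0/19 and the PTR name are taken from the thread.

```python
import ipaddress

# Constructed tables (assumptions for illustration, not taken from any real router).
# Router A: partial BGP feed plus a static default route towards its upstream.
ROUTER_A_BGP = ["192.0.2.0/24", "198.51.100.0/24"]
ROUTER_A_STATIC = ["0.0.0.0/0"]
# Route collector: full feed, including the /24 reported in the thread as advertised.
COLLECTOR_BGP = ["192.0.2.0/24", "198.51.100.0/24", "176.121.32.0/24"]
# One of the ranges named in the thread's first message.
REGISTERED_RANGE = "176.121.32.0/19"


def longest_match(prefixes, address):
    """Return the most specific prefix (as a string) covering address, else None."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def bgp_lookup(bgp_table, address):
    """Model of a BGP-table lookup: only BGP-learned prefixes are consulted."""
    return longest_match(bgp_table, address)


def forwarding_lookup(bgp_table, static_routes, address):
    """Model of the forwarding decision: every route source, default included."""
    return longest_match(list(bgp_table) + list(static_routes), address)


def ptr_name_to_address(name):
    """Turn an in-addr.arpa name back into the IPv4 address it stands for."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 reverse name: %r" % name)
    return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))


def announced_within(announced, registered):
    """True if the announced prefix lies inside the registered range."""
    return ipaddress.ip_network(announced).subnet_of(ipaddress.ip_network(registered))


if __name__ == "__main__":
    target = "176.121.32.2"
    # No BGP entry on router A, yet the default route still forwards the packet.
    print("router A, BGP table  :", bgp_lookup(ROUTER_A_BGP, target) or "not in table")
    print("router A, forwarding :",
          forwarding_lookup(ROUTER_A_BGP, ROUTER_A_STATIC, target))
    # A vantage point with a full table sees the more specific announcement.
    print("collector, BGP table :", bgp_lookup(COLLECTOR_BGP, target))
    print("/24 inside the /19   :", announced_within("176.121.32.0/24", REGISTERED_RANGE))
    # When comparing a routing lookup with a PTR lookup, confirm both name the same host.
    print("PTR name queried     :", ptr_name_to_address("2.34.121.176.in-addr.arpa."))
    print("PTR name for target  :", ipaddress.ip_address(target).reverse_pointer)
```
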

From Woeber at CC.UniVie.ac.at Tue Mar 19 13:15:19 2013
From: Woeber at CC.UniVie.ac.at (Wilfried Woeber)
Date: Tue, 19 Mar 2013 13:15:19 +0100
Subject: [anti-abuse-wg] Romanian Spam Network with curious effetcs
In-Reply-To: <9041.1363690760@server1.tristatelogic.com>
References: <9041.1363690760@server1.tristatelogic.com>
Message-ID: <514856D7.6080502@CC.UniVie.ac.at>

Ronald F. Guilmette wrote:

> Lutz Petersen wrote:

[...]

> There are quite a lot of networks on the Internet that are blocking
> traceroute packets, due to either incompetence or malevolence.

Assuming that a TCP-based service is available on the subnet of interest, then `tcptraceroute' is helpful in many cases :-)

> Networks
> that know that they are harboring criminals and criminal activity will
> almost always be found to be blocking ordinary traceroute packets.

[...]

> Regards,
> rfg

hth,
-wilfried

From kranjbar at ripe.net Tue Mar 19 17:26:20 2013
From: kranjbar at ripe.net (Kaveh Ranjbar)
Date: Tue, 19 Mar 2013 17:26:20 +0100
Subject: [anti-abuse-wg] Soft launch of "abuse-c:", ripe-563: Improving Abuse Contact Information
Message-ID: <463D8C2D-ECEC-43BA-BD36-EE03DA45E827@ripe.net>

Dear colleagues

The RIPE NCC is pleased to announce that we now have the software changes for "abuse-c:" in place. Although it won't be enforced before April 2013, RIPE NCC members can immediately start to add the "abuse-c:" attribute to their ORGANISATION objects.

On 15 November 2012 the RIPE NCC published a proposed implementation plan for RIPE policy 563 titled "Abuse Contact Management in the RIPE Database" on the RIPE Database Working Group and RIPE Anti-Abuse Working Group mailing lists.

http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2012-November/001974.html

This plan was accepted by the working groups' co-chairs on 5 December 2012 and the RIPE NCC was asked to move forward with the implementation.

http://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2012-December/001993.html

According to the timeline in this proposal the software changes to the RIPE Database and LIR Portal are to be completed by the end of Q1 2013.

Throughout Q2 and Q3 members SHOULD add an "abuse-c:" attribute to their main ORGANISATION object. (The one with "org-type: LIR") This will cover all resources allocated to the LIR. Additional ORGANISATION objects with an "abuse-c:" attribute can be added to fine tune delegated responsibility for abuse handling to customers. For further details please see:

https://labs.ripe.net/Members/denis/creating-and-finding-abuse-contacts-in-the-ripe-database

Enforcement by the RIPE NCC of the requirement for PI assignments and AS Numbers held by non-members to reference an "abuse-c:", will not start until Q4 2013. But there is no restriction on any resource holder setting up their details now.

Additional tools to assist with the creation of necessary objects and addition of appropriate references are being developed and tested at the moment and will be announced shortly.

Kind regards,

Kaveh Ranjbar
Database Group Manager
RIPE NCC

From rezaf at mindspring.com Fri Mar 29 13:19:01 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Fri, 29 Mar 2013 08:19:01 -0400
Subject: [anti-abuse-wg] A Network without contact!
Message-ID: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>

Hello All,

Here is a network that I came across which does not have any contact information:

inetnum:        148.148.0.0 - 148.148.255.255
netname:        SCANIF
descr:          Scania Nederland B.V.
descr:          P.O. Box 618
descr:          8000 AP Zwolle
country:        NL
admin-c:        RS3212-RIPE
tech-c:         RS3212-RIPE
status:         EARLY-REGISTRATION
mnt-by:         ERX-NET-148-148-MNT
mnt-lower:      ERX-NET-148-148-MNT
mnt-routes:     ERX-NET-148-148-MNT
changed:        hostmaster at arin.net 19910418
changed:        hostmaster at arin.net 19910418
changed:        er-transfer at ripe.net 20031003
source:         RIPE

person:         Roelof Sondaar
address:        Scania Nederland B.V. Potbus 61S
address:        8000 AP Zwolle
address:        NL
phone:          +31 30977966
nic-hdl:        RS3212-RIPE
mnt-by:         RIPE-ERX-MNT
changed:        hostmaster at arin.net 19910628
changed:        er-transfer at ripe.net 20031003
source:         RIPE

How can someone contact this network? Does anyone know?

Thank you,

Reza Farzan

From gert at space.net Fri Mar 29 14:00:11 2013
From: gert at space.net (Gert Doering)
Date: Fri, 29 Mar 2013 14:00:11 +0100
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
Message-ID: <20130329130011.GL51699@Space.Net>

Hi,

On Fri, Mar 29, 2013 at 08:19:01AM -0400, Reza Farzan wrote:
> Here is a network that I came across which does not have any contact
> information:
[..]
> person: Roelof Sondaar
>
> address: Scania Nederland B.V. Potbus 61S
> address: 8000 AP Zwolle
> address: NL
>
> phone: +31 30977966

These two look very much contactish to me. A postal address and a phone number.

> How can someone contact this network? Does anyone know?

The phone thingie is something fairly recent, and a bit complicated. You have to pick up the phone, then type these numbers into the numbered keys. "+" will have to be entered as 00 or 000, or maybe as "+", depending on the local setup, so you need to ask your local phone expert how to work that. But then it's magic, you can hear the person on the other end just as if he were standing beside you.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Executive Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            VAT ID: DE813185279

From esa at laitinen.org Fri Mar 29 13:57:23 2013
From: esa at laitinen.org (Esa Laitinen)
Date: Fri, 29 Mar 2013 13:57:23 +0100
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
Message-ID: <294ee2d3b5d01729c3b42f1090db8696@mail.gmail.com>

Reza Farzan wrote:

> How can someone contact this network? Does anyone know?

No contact info, huh? I can see at least snail mail address and a telephone number. Granted, e-mail address is more convenient, but the contact info is there. Whether it is valid, that is another question.

--
esa

From wiegert at telus.net Fri Mar 29 18:22:53 2013
From: wiegert at telus.net (Arnold)
Date: Fri, 29 Mar 2013 09:22:53 -0800
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
Message-ID: <5155CDED.2080100@telus.net>

On 3/29/2013 4:19 AM, Reza Farzan wrote:
>
> Hello All,
>
> Here is a network that I came across which does not have any contact
> information:
>

Entries like it are the bane of SPAM reporters. But if you go to:
http://apps.db.ripe.net/search/query.html
and enter RS3212-RIPE from the data you posted,
you will get something like

person:         Roelof Sondaar
address:        Scania Nederland B.V. Potbus 61S
address:        8000 AP Zwolle
address:        NL
phone:          +31 30977966
nic-hdl:        RS3212-RIPE
mnt-by:         RIPE-ERX-MNT
source:         RIPE #Filtered

If you then follow nic-handle
you'll find:

person:         Roelof Sondaar
address:        Scania Nederland B.V. Potbus 61S
address:        8000 AP Zwolle
address:        NL
phone:          +31 30977966
nic-hdl:        RS3212-RIPE
mnt-by:         RIPE-ERX-MNT
changed:        hostmaster at arin.net 19910628
changed:        er-transfer at ripe.net 20031003
source:         RIPE

The contacts in red above, ought to be able to pass on information
and that is as close as you can get by e-mail - at least for now :-(

Arnold

> inetnum: 148.148.0.0 - 148.148.255.255
>
> netname: SCANIF
>
> descr: Scania Nederland B.V.
>
> descr: P.O. Box 618
>
> descr: 8000 AP Zwolle
>
> country: NL
>
> admin-c: RS3212-RIPE
>
> tech-c: RS3212-RIPE
>
> status: EARLY-REGISTRATION
>
> mnt-by: ERX-NET-148-148-MNT
>
> mnt-lower: ERX-NET-148-148-MNT
>
> mnt-routes: ERX-NET-148-148-MNT
>
> changed: hostmaster at arin.net 19910418
>
> changed: hostmaster at arin.net 19910418
>
> changed: er-transfer at ripe.net 20031003
>
> source: RIPE
>
> person: Roelof Sondaar
>
> address: Scania Nederland B.V. Potbus 61S
>
> address: 8000 AP Zwolle
>
> address: NL
>
> phone: +31 30977966
>
> nic-hdl: RS3212-RIPE
>
> mnt-by: RIPE-ERX-MNT
>
> changed: hostmaster at arin.net 19910628
>
> changed: er-transfer at ripe.net 20031003
>
> source: RIPE
>
> How can someone contact this network? Does anyone know?
>
> Thank you,
>
> Reza Farzan
>

--
Fight Spam - report it with wxSR 0.5
ready for Vista & Win7 - latest build: 196+
http://www.columbinehoney.net/wxSR.shtml

From ops.lists at gmail.com Fri Mar 29 18:27:12 2013
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Fri, 29 Mar 2013 22:57:12 +0530
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <5155CDED.2080100@telus.net>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
 <5155CDED.2080100@telus.net>
Message-ID:

The scania bv website shows the provide alternate contact information

--srs (htc one x)

On 29-Mar-2013 10:53 PM, "Arnold" wrote:

> On 3/29/2013 4:19 AM, Reza Farzan wrote:
>
> Hello All,
>
> Here is a network that I came across which does not have any contact
> information:
>
>
> Entries like it are the bane of SPAM reporters. But if you go to:
> http://apps.db.ripe.net/search/query.html
> and enter RS3212-RIPE from the data you posted,
> you will get something like
>
> person: Roelof Sondaar
> address: Scania Nederland B.V. Potbus 61S
> address: 8000 AP Zwolle
> address: NL
> phone: +31 30977966
> nic-hdl: RS3212-RIPE
> mnt-by: RIPE-ERX-MNT
> source: RIPE #Filtered
>
> If you then follow nic-handle
> you'll find:
> person: Roelof Sondaar
> address: Scania Nederland B.V. Potbus 61S
> address: 8000 AP Zwolle
> address: NL
> phone: +31 30977966
> nic-hdl: RS3212-RIPE
> mnt-by: RIPE-ERX-MNT
>
> changed: hostmaster at arin.net 19910628
> changed: er-transfer at ripe.net 20031003
> source: RIPE
>
> The contacts in red above, ought to be able to pass on information
> and that is as close as you can get by e-mail - at least for now :-(
>
> Arnold
>
> inetnum: 148.148.0.0 - 148.148.255.255
>
> netname: SCANIF
>
> descr: Scania Nederland B.V.
>
> descr: P.O. Box 618
>
> descr: 8000 AP Zwolle
>
> country: NL
>
> admin-c: RS3212-RIPE
>
> tech-c: RS3212-RIPE
>
> status: EARLY-REGISTRATION
>
> mnt-by: ERX-NET-148-148-MNT
>
> mnt-lower: ERX-NET-148-148-MNT
>
> mnt-routes: ERX-NET-148-148-MNT
>
> changed: hostmaster at arin.net 19910418
>
> changed: hostmaster at arin.net 19910418
>
> changed: er-transfer at ripe.net 20031003
>
> source: RIPE
>
> person: Roelof Sondaar
>
> address: Scania Nederland B.V. Potbus 61S
>
> address: 8000 AP Zwolle
>
> address: NL
>
> phone: +31 30977966
>
> nic-hdl: RS3212-RIPE
>
> mnt-by: RIPE-ERX-MNT
>
> changed: hostmaster at arin.net 19910628
>
> changed: er-transfer at ripe.net 20031003
>
> source: RIPE
>
> How can someone contact this network?
> Does anyone know?
>
> Thank you,
>
> Reza Farzan
>
>
> --
> Fight Spam - report it with wxSR 0.5
> ready for Vista & Win7 - latest build: 196+
> http://www.columbinehoney.net/wxSR.shtml
>
>

From andre at ox.co.za Sat Mar 30 09:54:33 2013
From: andre at ox.co.za (andre)
Date: Sat, 30 Mar 2013 10:54:33 +0200
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <20130329130011.GL51699@Space.Net>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a>
 <20130329130011.GL51699@Space.Net>
Message-ID: <20130330105433.6b27efaf@cow.cow.co.za>

On Fri, 29 Mar 2013 14:00:11 +0100
Gert Doering wrote:

> > phone: +31 30977966
> These two look very much contactish to me. A postal address and a
> phone number.
> > How can someone contact this network? Does anyone know?
> The phone thingie is something fairly recent, and a bit complicated.
> You have to pick up the phone, then type these numbers into the
> numbered keys. "+" will have to be entered as 00 or 000, or maybe as
> "+", depending on the local setup, so you need to ask your local
> phone expert how to work that. But then it's magic, you can hear the
> person on the other end just as if he were standing beside you.
> Gert Doering

roflmao, the phone thingy is also increasing in complexity as it also takes pics, videos, pays for stuff purchased and in fact is becoming so sophisticated that it is easy to forget that you can also just talk into it...

Hardcore old style / old school :)

> -- NetMaster
>--
>have you enabled IPv6 on something today...?

IPV6? --> yip, my toaster!

My toaster now successfully resolves to a domain name and it is even thinking of starting its own blog...

"All about toast and sliced bread in the twenty first century"

From denatrisconsult at hotmail.nl Sat Mar 30 12:55:58 2013
From: denatrisconsult at hotmail.nl (Wout de Natris)
Date: Sat, 30 Mar 2013 12:55:58 +0100
Subject: [anti-abuse-wg] anti-abuse-wg Digest, Vol 19, Issue 20
In-Reply-To:
References:
Message-ID:

Scania is a Swedish truck company, with a subsidiary company in NL. For those more observant, the phone number given is incorrect for two reasons:

1) it has 9 digits and Holland has 10 as a standard (for years).
2) If the office is in Zwolle (netnumber 038), the phone number given is in Utrecht (030). This is possible of course, but confusing.

A question that could be asked is, does Scania NL really have its own IP range? Maybe, why not?

Taking it one step further. Looking at the Scania NL website I see that the main office of Scania Nederland B.V. is in Breda (076), but a Scania production unit is in Zwolle with these contact details:

Scania Production Zwolle B.V.
Russenweg 5
Postbus 618
8000 AP Zwolle
Tel: +31 (0)38-4977 611

(See here from the contact details in the database +31 30977966 It's close, probably an extension number and two typos somewhere. Scania's? RIPE NCC's? A villain?)

A small check should suffice to correct the database I think.

Best,

Wout de Natris

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
De Natris Consult
Raaphorst 33            Tel: +31 648388813
2352 KJ Leiderdorp      Skype: wout.de.natris
denatrisconsult at hotmail.nl
http://www.denatrisconsult.nl
Blog http://woutdenatris.wordpress.com

From leo.vegoda at icann.org Sat Mar 30 16:35:01 2013
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Sat, 30 Mar 2013 08:35:01 -0700
Subject: [anti-abuse-wg] A Network without contact!
In-Reply-To: <20130330105433.6b27efaf@cow.cow.co.za>
References: <2480FBC8AD1D40CF94B6669F3D92234B@admin36565265a> <20130329130011.GL51699@Space.Net> <20130330105433.6b27efaf@cow.cow.co.za>
Message-ID: <6CD9BE46-8B48-4EB2-8DB5-818DA40CAD25@icann.org>

On Mar 30, 2013, at 1:54 am, andre wrote:

[...]

> roflmao, the phone thingy is also increasing in complexity as it
> also takes pics, videos, pays for stuff purchased and in fact is
> becoming so sophisticated that it is easy to forget that you can also
> just talk into it... Hardcore old style / old school :)

Putting humour to one side, when I visited the Scania NL website I didn't find an e-mail address. So, I ask whether there ought to be a requirement for anyone running an IP network to commit to accepting e-mail?

My initial thoughts are that it is unreasonable to require an organisation to turn up and maintain an e-mail service solely to be contacted by people it doesn't have a business relationship with.
Frankly, I don't like the idea of people turning up mail servers and then forgetting to maintain them just so they can have an abuse@ address. It strikes me as a recipe for increasing the volume of spam and compromised systems.

That being said, it does mean that the set of communication protocols the reporter prefers and the set of communication protocols the network manager implements might not overlap.

As I understand it, the RIPE database currently supports the publication of postal addresses, telephone numbers and e-mail addresses. It's possible that there is value in expanding the number of supported systems to include things like instant messaging identifiers and social network IDs in a structured way that allows them to be parsed by abuse reporting systems.

The death of e-mail seems to be a favourite of newspaper features editors and is often reported in a Mark Twain fashion. Nonetheless, if e-mail is on a death spiral, it would seem sensible for the RIPE database to provide support for whatever takes its place so that abuse reporters and network owners can easily communicate.

Regards,

Leo
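
Added example, not part of any message in this thread: Python that parses whois objects like the ones quoted in the thread, follows the admin-c/tech-c handles to the contact object and lists the published contact channels, so a reporting tool can tell when no e-mail channel exists. The function names are this example's own, and the sample is abridged from the inetnum and person objects quoted in the thread.

```python
import re

# Abridged from the objects quoted in this thread ("Potbus 61S" is as published).
# "changed:" names who edited an object, so it is not collected as a contact.
SAMPLE = """\
inetnum:  148.148.0.0 - 148.148.255.255
admin-c:  RS3212-RIPE
tech-c:   RS3212-RIPE
changed:  hostmaster at arin.net 19910418

person:   Roelof Sondaar
address:  Scania Nederland B.V. Potbus 61S
address:  8000 AP Zwolle
phone:    +31 30977966
nic-hdl:  RS3212-RIPE
"""

CONTACT_ATTRS = ("abuse-mailbox", "e-mail", "phone", "fax-no", "address")
REF_ATTRS = ("admin-c", "tech-c", "abuse-c")   # attributes that point at contact objects

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = []
        for line in block.splitlines():
            if line[:1] in (" ", "\t", "+") and pairs:        # RPSL continuation line
                pairs[-1] = (pairs[-1][0], pairs[-1][1] + " " + line[1:].strip())
            elif ":" in line and not line.startswith("%"):    # skip server comments
                key, _, value = line.partition(":")
                pairs.append((key.strip().lower(), value.strip()))
        if pairs:
            objects.append(pairs)
    return objects

def contact_channels(text, resource_type="inetnum"):
    """Follow contact handles from the resource object; collect contact attributes."""
    objects = parse_objects(text)
    by_handle = {v: o for o in objects for k, v in o if k == "nic-hdl"}
    resource = next(o for o in objects if o[0][0] == resource_type)
    channels = {}
    for handle in sorted({v for k, v in resource if k in REF_ATTRS}):
        for key, value in by_handle.get(handle, []):          # unresolved handle: skipped
            if key in CONTACT_ATTRS:
                channels.setdefault(key, []).append(value)
    return channels

def missing_email(channels):
    """True when neither abuse-mailbox nor e-mail is published for the resource."""
    return not (channels.get("abuse-mailbox") or channels.get("e-mail"))
```

For the sample above, contact_channels(SAMPLE) yields only address and phone entries, and missing_email() on that result is True.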