From aftab.siddiqui at gmail.com Thu May 2 07:24:32 2013
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Thu, 2 May 2013 10:24:32 +0500
Subject: [anti-abuse-wg] Citizen Lab Report on FinFisher
Message-ID:

Dear All,

As this may land slightly off the charter of this group, off-list replies are welcome.

I just want to know the credibility of the report by Citizen-Lab on FinFisher C&C servers. Some of the C&C servers are hosted in RIPE region. While checking the flow records of 2 weeks, I've seen a good number of connections to prefixes mentioned in this report out of my ISP.

https://citizenlab.org/storage/finfisher/final/fortheireyesonly.pdf

Regards,

Aftab A. Siddiqui

From rezaf at mindspring.com Fri May 10 12:48:01 2013
From: rezaf at mindspring.com (Reza Farzan)
Date: Fri, 10 May 2013 06:48:01 -0400
Subject: [anti-abuse-wg] Max-Planck-Institute Stuttgart - inetnum: 134.105.0.0 - 134.105.255.255
Message-ID:

Hello All,

Just received a Spam from (sebastien.ronteau at pbcards.dp.ua@134.105.185.144) and as I found out this IP belongs to Max-Planck-Institute Stuttgart.

The only contact listed for this IP range listed in the Whois listing is netz at mpis.mpg.de which happens to be an invalid address:

    netz at mpis.mpg.de
    SMTP error from remote mail server after RCPT TO::
    host mail.is.mpg.de [134.105.242.5]: 550 address netz at mpis.mpg.de is unknown or disabled

Does anyone here have or know a better network contact for Max-Planck-Institute Stuttgart?

This case reminds me of my previous inquiry about a Network without contact, even an important institution such as Max-Planck-Institute Stuttgart.

I certainly appreciate your assistance in this matter.

Thank you,

Reza Farzan
rezaf at mindspring.com
From james.davis at ja.net Fri May 10 13:03:35 2013
From: james.davis at ja.net (James Davis)
Date: Fri, 10 May 2013 12:03:35 +0100
Subject: [anti-abuse-wg] Max-Planck-Institute Stuttgart - inetnum: 134.105.0.0 - 134.105.255.255
In-Reply-To:
References:
Message-ID: <518CD407.1080000@ja.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/05/2013 11:48, Reza Farzan wrote:

> Does anyone here have or know a better network contact for
> Max-Planck-Institute Stuttgart?

They appear to be connected via DFN. Try contacting DFN CERT for assistance:

http://www.dfn-cert.de/

Regards,

James

- --
James Davis 0300 999 2340 (+44 1235 822340)
Senior CSIRT Member
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlGM1AcACgkQjsS2Y6D6yLxWGQEA0RE4qPPYRx3BuIeo8/VR3akd
nQsuBn3eXcMbBC7LsZgA/RVXIWkpSmaMS3zCTI/gtK6MgPJBmUKVB0ZQ70NYzwoZ
=c9iO
-----END PGP SIGNATURE-----

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

From fw at deneb.enyo.de Fri May 10 21:28:35 2013
From: fw at deneb.enyo.de (Florian Weimer)
Date: Fri, 10 May 2013 21:28:35 +0200
Subject: [anti-abuse-wg] Max-Planck-Institute Stuttgart - inetnum: 134.105.0.0 - 134.105.255.255
In-Reply-To: (Reza Farzan's message of "Fri, 10 May 2013 06:48:01 -0400")
References:
Message-ID: <87a9o2bpng.fsf@mid.deneb.enyo.de>

* Reza Farzan:

> This case reminds me of my previous inquiry about a Network without contact,
> even an important institution such as Max-Planck-Institute Stuttgart.

"Max-Planck-Institute Stuttgart" is not a real organization. The organization is actually called "Max-Planck-Gesellschaft zur Förderung der Wissenschaften e.V.".
This document even states that its subdivisions and sub-organizations usually aren't legal persons in their own right: should be able to fix things pretty quickly. DFN-NOC probably as well.

(If DFN-CERT actually felt responsible, surely there'd be an IRT object pointing to them.)

From wiegert at telus.net Fri May 10 23:57:52 2013
From: wiegert at telus.net (Arnold)
Date: Fri, 10 May 2013 13:57:52 -0800
Subject: [anti-abuse-wg] Max-Planck-Institute Stuttgart - inetnum: 134.105.0.0 - 134.105.255.255
In-Reply-To:
References:
Message-ID: <518D6D60.7040501@telus.net>

On 5/10/2013 2:48 AM, Reza Farzan wrote:
>
> Hello All,
>
> Just received a Spam from
> (sebastien.ronteau at pbcards.dp.ua@134.105.185.144) and as I found out
> this IP belongs to Max-Planck-Institute Stuttgart.
>

My IANA based look up gives me the following results for 134.105.185.144:

---------------------
Waiting for Whois server Default - IANA ...
WhoIs Session started: 10/05/13 13:53:22.
+++++++++++++++
Contacting Whois proxy: whois.arin.net at 199.71.0.47
Connected: 10/05/13 13:53:22.
+++++++++++++++
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# Query terms are ambiguous. The query is assumed to be:
# "n 134.105.185.144"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=134.105.185.144?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 134.91.0.0 - 134.110.255.255
CIDR: 134.110.0.0/16, 134.108.0.0/15, 134.96.0.0/13, 134.104.0.0/14, 134.92.0.0/14, 134.91.0.0/16
OriginAS:
NetName: RIPE-ERX-134-91-0-0
NetHandle: NET-134-91-0-0-1
Parent: NET-134-0-0-0-0
NetType: Early Registrations, Transferred to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2003-11-26
Updated: 2003-11-26
Ref: http://whois.arin.net/rest/net/NET-134-91-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster at ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster at ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Closing connection
WhoIs Session Closed: 10/05/13 13:53:22.
+++++++++++++++
---------------------

Arnold

>
> The only contact listed for this IP range listed in the Whois listing is netz at mpis.mpg.de which happens to be an invalid address:
>
> > netz at mpis.mpg.de
> > SMTP error from remote mail server after RCPT TO::
> > host mail.is.mpg.de [134.105.242.5]: 550 address netz at mpis.mpg.de is unknown or disabled
>
> Does anyone here have or know a better network contact for
> Max-Planck-Institute Stuttgart?
>
> This case reminds me of my previous inquiry about a Network without
> contact, even an important institution such as Max-Planck-Institute
> Stuttgart.
>
> I certainly appreciate your assistance in this matter.
>
> Thank you,
>
> Reza Farzan
> _rezaf at mindspring.com _
>

--
Fight Spam - report it with wxSR 0.6 ready for Vista & Win7
http://www.columbinehoney.net/wxSR.shtml
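
Added example, not part of the thread or of any tool named in it: the ARIN response quoted above describes the registry (NetType "Early Registrations, Transferred to RIPE NCC") and carries a ReferralServer line, so its OrgAbuseEmail is ARIN's record for RIPE NCC and not a contact for the network. This sketch follows such referrals before any contact is read; the function names are illustrative and the sample is a constructed subset of the quoted output.

```python
import socket
from urllib.parse import urlsplit

# Added example: illustrative helper names; sample is a constructed subset of the quoted ARIN output.
ARIN_SAMPLE = """\
NetRange:       134.91.0.0 - 134.110.255.255
NetName:        RIPE-ERX-134-91-0-0
NetType:        Early Registrations, Transferred to RIPE NCC
ReferralServer: whois://whois.ripe.net:43
OrgAbuseEmail:  hostmaster at ripe.net
"""

def parse_fields(response):
    """Collect 'Key: value' lines, skipping comments; repeated keys accumulate."""
    fields = {}
    for line in response.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def referral(response):
    """Return (host, port) of the whois server the response refers to, or None."""
    for target in parse_fields(response).get("ReferralServer", []):
        url = urlsplit(target)
        if url.scheme == "whois" and url.hostname:
            return url.hostname, url.port or 43
    return None

def whois(query, host, port=43, timeout=10):
    """Plain whois (RFC 3912): send one query line, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def lookup(query, first_response, fetch=whois, max_hops=3):
    """Follow referrals so contacts are read from the registry holding the record."""
    response, path = first_response, []
    for _ in range(max_hops):
        hop = referral(response)
        if hop is None or hop in path:  # no referral, or a referral loop
            break
        path.append(hop)
        response = fetch(query, *hop)
    return path, response
```

Contacts should be taken only from the last response `lookup` returns; `fetch` can be replaced with a stub to run the logic offline.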
From tim at haitabu.net Sat May 11 11:48:51 2013
From: tim at haitabu.net (Tim Kleefass)
Date: Sat, 11 May 2013 11:48:51 +0200
Subject: [anti-abuse-wg] Max-Planck-Institute Stuttgart - inetnum: 134.105.0.0 - 134.105.255.255
In-Reply-To:
References:
Message-ID: <518E1403.7020206@haitabu.net>

On 10.05.2013 12:48 PM, Reza Farzan wrote:
> The only contact listed for this IP range listed in the Whois listing is
> netz at mpis.mpg.de which happens to be an invalid address:
>
> > netz at mpis.mpg.de
> > SMTP error from remote mail server after RCPT TO::
> > host mail.is.mpg.de [134.105.242.5]: 550 address netz at mpis.mpg.de is
> unknown or disabled
>
> Does anyone here have or know a better network contact for
> Max-Planck-Institute Stuttgart?

I called them yesterday, the e-mail address (netz at mpis.mpg.de) was for some reason offline and should work now, again and they got your e-mail over some other channels.

And they will have a look at the RIPE-DB entries in the near future.

Cheers,
Tim

From emadaio at ripe.net Wed May 29 15:15:47 2013
From: emadaio at ripe.net (Emilio Madaio)
Date: Wed, 29 May 2013 15:15:47 +0200
Subject: [anti-abuse-wg] 2013-01 Discussion Period extended until 26 June 2013 (Openness about Policy Violations)
Message-ID:

Dear Colleagues,

The text of the policy proposal 2013-01, "Openness about Policy Violations", has been revised based on the community feedback received on the mailing list. We have published the new version (version 2.0) today. As a result a new Discussion Phase is set for the proposal.

The main changes in the new version are:

- rewording of the second part of the Abstract
- rewording of the section 1.0
- new section 2.0 and consequent renumbering of the other sections
- rewording of the "Arguments opposing the proposal" in the Rationale

You can find the full proposal at:

https://www.ripe.net/ripe/policies/proposals/2013-01

We encourage you to review this policy proposal and send your comments to .

Regards,

Emilio Madaio
Policy Development Officer
RIPE NCC