From brian.nisbet at heanet.ie Mon Apr 13 17:29:48 2015
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Mon, 13 Apr 2015 16:29:48 +0100
Subject: [anti-abuse-wg] Draft Agenda, AA-WG Meeting At RIPE 70
Message-ID: <552BE0EC.70305@heanet.ie>

Colleagues,

Please find below the current draft agenda for the Anti-Abuse WG meeting
at RIPE 70. The meeting will take place on Wednesday 13th May at 14:00 CEST.

A. Administrative Matters
* Welcome
* Scribe, Jabber, Stenography
* Microphone Etiquette
* Approve Minutes from RIPE 69
* Finalise agenda

B. Update
* B1. Recent List Discussion
* B2. AA-WG Chair Matters

C. Policies

D. Interactions
* D1. Working Groups
* D2. RIPE NCC Gov/LEA Interactions Update

E. Presentation
* E1. Mapping out Cyber Crime Infrastructure - A Law Enforcement Approach - Jon Flaherty UK National Crime Agency National Cyber Crime Unit

X. A.O.B.

Z. Agenda for RIPE 71

From tk at abusix.com Tue Apr 14 18:44:40 2015
From: tk at abusix.com (Tobias Knecht)
Date: Tue, 14 Apr 2015 09:44:40 -0700
Subject: [anti-abuse-wg] Working Group Chair Selection Procedure
Message-ID:

Colleagues,

As per the draft agenda for our meeting at RIPE70 and the previously
circulated procedures for Working Group Chair selection etc. I would
like to let you all know what will happen in Amsterdam.

At RIPE70 Brian will be standing down as per the agreed procedures. The
meeting will then have the opportunity to choose a second chair for the
working group.

This mail should be taken as a call for candidates. If you are
interested, please mail the mailing list to let us all know. You do not
need to be physically present at RIPE70 in order to put yourself forward.

Any expressions of interest should be sent to the list before Wednesday
6th May.

Brian has stated that he is interested in continuing as a co-chair of
the working group.

If there are any questions, please do not hesitate to contact me.

Thanks,
Tobias

--
| Tobias Knecht | CEO
| abusix GmbH | tk at abusix.com | http://abusix.com
| Haid-und-Neu-Strasse 18-20 | 76131 Karlsruhe | Germany
| mobile_eu: +49 170 455 98 45
| mobile_us: +1 408 960 3785
| ---
| Register of Companies(Handelsregister): HRB 707959
| District of Court(Amtsgericht) Mannheim/Germany
| Registered Office: Karlsruhe/Germany
| CEO: Tobias Knecht

Follow abusix on Twitter! http://twitter.com/abusix

From brian.nisbet at heanet.ie Tue Apr 14 20:49:53 2015
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 14 Apr 2015 19:49:53 +0100
Subject: [anti-abuse-wg] Working Group Chair Selection Procedure
In-Reply-To:
References:
Message-ID: <4EE4E314-5104-4EFC-AC4F-4FE8E710D0B6@heanet.ie>

>Brian has stated that he is interested in continuing as a co-chair of
>the working group.

Thanks, yes, I definitely would. It would be a pleasure to continue as
chair of the working group. It has been great working with you all over
the years and either way I look forward to many productive years of the
AA-WG into the future.

Brian

From drew at thesecuredomain.org Thu Apr 16 15:32:27 2015
From: drew at thesecuredomain.org (Drew Bagley)
Date: Thu, 16 Apr 2015 09:32:27 -0400
Subject: [anti-abuse-wg] Secure Domain Foundation anti-abuse cost research
Message-ID:

Greetings,

I help lead the Secure Domain Foundation in its efforts to curb domain
abuse through information sharing. We are currently trying to learn more
about the cost of abuse and abuse mitigation for registrars, registries,
and hosting companies. This will help us determine new ways to make
proactive anti-abuse good for business.

To assist us in this effort, we have created a brief survey:
http://goo.gl/forms/UMckkncSTX

If you are willing to participate then it would be terrific if you could
complete the survey by April 30th.

Thank you so much in advance for your help. Please let me know if you
have any questions or feedback.

Sincerely,
Drew

--
Drew Bagley
Director of Operations
Secure Domain Foundation
drew at securedomain.org

From michele at blacknight.com Thu Apr 16 17:23:56 2015
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Thu, 16 Apr 2015 15:23:56 +0000
Subject: [anti-abuse-wg] Secure Domain Foundation anti-abuse cost research
Message-ID: <6E1978FF-5553-4E8F-87E7-D7B4202AA459@blacknight.com>

Drew

Thanks for sharing this

I think it's a really good idea to try and get some metrics of what it's
costing us all to deal with abuse so this kind of research could be very
valuable

Regards

Michele

(Disclosure - I'm involved with the SDF )

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blog.blacknight.com/
http://www.blacknight.press - get our latest news & media coverage
http://www.technology.ie
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Social: http://mneylon.social
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland
Company No.: 370845

From: Drew Bagley
Date: Thursday 16 April 2015 14:32
To: "anti-abuse-wg at ripe.net"
Subject: [anti-abuse-wg] Secure Domain Foundation anti-abuse cost research

Greetings,

I help lead the Secure Domain Foundation in its efforts to curb domain
abuse through information sharing. We are currently trying to learn more
about the cost of abuse and abuse mitigation for registrars, registries,
and hosting companies. This will help us determine new ways to make
proactive anti-abuse good for business.

To assist us in this effort, we have created a brief survey:
http://goo.gl/forms/UMckkncSTX

If you are willing to participate then it would be terrific if you could
complete the survey by April 30th.

Thank you so much in advance for your help. Please let me know if you
have any questions or feedback.

Sincerely,
Drew

--
Drew Bagley
Director of Operations
Secure Domain Foundation
drew at securedomain.org

From brian.nisbet at heanet.ie Fri Apr 17 10:58:36 2015
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Fri, 17 Apr 2015 09:58:36 +0100
Subject: [anti-abuse-wg] Second Draft Agenda, AA-WG Meeting at RIPE 70
Message-ID: <5530CB3C.5080303@heanet.ie>

Colleagues,

Please find below the current draft agenda for the Anti-Abuse WG meeting
at RIPE 70. The meeting will take place on Wednesday 13th May at 14:00 CEST.

A. Administrative Matters - 5'
* Welcome
* Scribe, Jabber, Stenography
* Microphone Etiquette
* Approve Minutes from RIPE 69
* Finalise agenda

B. Update - 15'
* B1. Recent List Discussion
* B2. AA-WG Chair Matters

C. Policies - 15'
* C1. "User-experience of abuse-c & possible extensions" - Elliott Ingram, Entura International

D. Interactions - 5'
* D1. Working Groups
* D2. RIPE NCC Gov/LEA Interactions Update

E. Presentation - 50'
* E1. Mapping out Cyber Crime Infrastructure - A Law Enforcement Approach - Jon Flaherty UK National Crime Agency National Cyber Crime Unit
* E2. "DNS-Based DDoS: Fast Changing Threat" - Bruce Van Nice, Nominum

X. A.O.B.

Z. Agenda for RIPE 71

From nibbler at nibbler.de Mon Apr 20 10:41:21 2015
From: nibbler at nibbler.de (Michael Horn)
Date: Mon, 20 Apr 2015 10:41:21 +0200
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
Message-ID: <20150420104121.73b47036@hashi>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cheerio AA-WG,

while we all are familiar with the joys of receiving spam on our
whois-db contact mail addresses, this one below sets a new low.
Unsolicited mail from another LIR to one of my whois-db contacts
advertising IPv4 address space sale, underlining their legitimacy by
bragging with their LIR status.

afaik there are currently no effective sanctions provided for such
behaviour.
I am a bit dumbfounded by the chutzpah they display and
don't really know how to approach this. I'm sure that I am not the only
one who has received one of these. How do we - as a community - want to
handle cases like these?

- - Michael

Begin forwarded message:

Date: Sun, 19 Apr 2015 02:02:21 +0300
From: "Aleksey Bulgakov"
To: "ripe"
Subject: IPv4 allocation offer

ePochta Mailer Email Template

Hello.

As you know, the RIPE NCC can only provide one final /22 to your LIR because it is currently allocating address space from the last /8 of IPv4 addresses. However the RIPE NCC allows to get IPv4 addresses from other LIR.

Our company has LIR status and ready to transfer such addresses to your LIR. This operation is approved by the RIPE NCC and absolutely legal. The blocks are absolutely clean, haven't been in usage, are absent in any blacklist.

If you have any questions, don't hesitate to ask me. Simply answer to this letter and you will get the answer shortly.

- --
Kind regards,
Aleksey Bulgakov
Chief Director
FastTelecom
Tel. +7 926 690-87-29

From ripe.anti-abuse-wg at ml.karotte.org Mon Apr 20 11:45:39 2015
From: ripe.anti-abuse-wg at ml.karotte.org (Sebastian Wiesinger)
Date: Mon, 20 Apr 2015 11:45:39 +0200
Subject: [anti-abuse-wg] Abuse-C attributes - required e-mail address contact method.
In-Reply-To: <20150313160325.GJ54385@Space.Net>
References: <7A20203ABF99B841B3EB003ECF217784449696C6@WB2-MBX-P0002.systems.private> <20150313160325.GJ54385@Space.Net>
Message-ID: <20150420094538.GA7762@danton.fire-world.de>

* Gert Doering [2015-03-13 17:12]:
> > Virgin Media would like to specify virginmedia.com/netreport (a
> > web-form that feeds an abuse case management system)
>
> I would not support such a change, at least not without a *well
> defined* format for such web forms.
>
> On the reporting side of abuse, it is just way too much work to
> figure out how particular ISPs expect to receive abuse reports,
> offloading half the work of abuse handling to the reporter.
>
> (I report quite a lot of abuse, but I refuse to do anything but
> e-mail, because it is just too much work for me - it's your
> customers, they are giving *you* money, their abuse should not cost
> *me* extra time).

I completely agree. Before such a change could be implemented you would
need a well defined format for *automated* abuse reports via web form
(or rather web API).

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 616 bytes
Desc: Digital signature
URL:

From sebastian at karotte.org Mon Apr 27 08:36:21 2015
From: sebastian at karotte.org (Sebastian Wiesinger)
Date: Mon, 27 Apr 2015 08:36:21 +0200
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
In-Reply-To: <20150420104121.73b47036@hashi>
References: <20150420104121.73b47036@hashi>
Message-ID: <20150427063621.GA28378@danton.fire-world.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* Michael Horn [2015-04-20 10:54]:
> Cheerio AA-WG,
>
> while we all are familiar with the joys of receiving spam on our
> whois-db contact mail addresses, this one below sets a new low.
> Unsolicited mail from another LIR to one of my whois-db contacts
> advertising IPv4 address space sale, underlining their legitimacy by
> bragging with their LIR status.
>
> afaik there are currently no effective sanctions provided for such
> behaviour. I am a bit dumbfounded by the chutzpah they display and
> don't really know how to approach this. I'm sure that I am not the only
> one who has received one of these. How do we - as a community - want to
> handle cases like these?
>
> - Michael
>
> Begin forwarded message:
>
> Date: Sun, 19 Apr 2015 02:02:21 +0300
> From: "Aleksey Bulgakov"
> To: "ripe"
> Subject: IPv4 allocation offer
>

Hello,

I received the same SPAM today, from the same person. Ironically this
person is currently arguing to stop a proposal over in the
address-policy WG that is trying to impede exactly this behaviour.

As that person is a LIR/RIPE NCC member I think that this could be a
breach of the RIPE NCC LIR terms and I would like the RIPE NCC to
investigate this.

Regards

Sebastian

- --
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From elvis at velea.eu Mon Apr 27 09:43:00 2015
From: elvis at velea.eu (Elvis Daniel Velea)
Date: Mon, 27 Apr 2015 00:43:00 -0700
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
In-Reply-To: <20150427063621.GA28378@danton.fire-world.de>
References: <20150420104121.73b47036@hashi> <20150427063621.GA28378@danton.fire-world.de>
Message-ID: <553DE884.7060808@velea.eu>

Hi,

On 26/04/15 23:36, Sebastian Wiesinger wrote:
[snip]
> Hello,
>
> I received the same SPAM today, from the same person.

I got it as well :)

> Ironically this
> person is currently arguing to stop a proposal over in the
> address-policy WG that is trying to impede exactly this behaviour.

I actually made him an offer :)) A very low one, but still, an offer.

> As that person is a LIR/RIPE NCC member I think that this could be a
> breach of the RIPE NCC LIR terms and I would like the RIPE NCC to
> investigate this.

For the RIPE NCC to even start anything, a proper report must be filled in:

https://www.ripe.net/report-form

I'd say you could report a violation of the RIPE DB Terms and
Conditions. Although.. it is very difficult to prove it.

regards,
Elvis

>
> Regards
>
> Sebastian
>
> - --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT?
> PEOPLE ALWAYS NOTICE THE SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
>

From sebastian at karotte.org Mon Apr 27 09:58:02 2015
From: sebastian at karotte.org (Sebastian Wiesinger)
Date: Mon, 27 Apr 2015 09:58:02 +0200
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
In-Reply-To: <553DE884.7060808@velea.eu>
References: <20150420104121.73b47036@hashi> <20150427063621.GA28378@danton.fire-world.de> <553DE884.7060808@velea.eu>
Message-ID: <20150427075802.GB28378@danton.fire-world.de>

* Elvis Daniel Velea [2015-04-27 09:54]:
> For the RIPE NCC to even start anything, a proper report must be filled in:
>
> https://www.ripe.net/report-form
>
> I'd say you could report a violation of the RIPE DB Terms and
> Conditions. Although.. it is very difficult to prove it.

Hello,

I already contacted the NCC about this. In our case it's not so
difficult to prove, the address is only used in the database, it is
not used in outgoing communication. If it is not from the database it
would be quite interesting to hear where he got it. :)

My guess is he harvested the last /8 for all members who got their
/22.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From stolpe at resilans.se Mon Apr 27 10:06:42 2015
From: stolpe at resilans.se (Daniel Stolpe)
Date: Mon, 27 Apr 2015 10:06:42 +0200 (CEST)
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
In-Reply-To: <20150427075802.GB28378@danton.fire-world.de>
References: <20150420104121.73b47036@hashi> <20150427063621.GA28378@danton.fire-world.de> <553DE884.7060808@velea.eu> <20150427075802.GB28378@danton.fire-world.de>
Message-ID:

On Mon, 27 Apr 2015, Sebastian Wiesinger wrote:

> * Elvis Daniel Velea [2015-04-27 09:54]:
>> For the RIPE NCC to even start anything, a proper report must be filled in:
>>
>> https://www.ripe.net/report-form
>>
>> I'd say you could report a violation of the RIPE DB Terms and
>> Conditions. Although.. it is very difficult to prove it.
>
> Hello,
>
> I already contacted the NCC about this. In our case it's not so
> difficult to prove, the address is only used in the database, it is
> not used in outgoing communication. If it is not from the database it
> would be quite interesting to hear where he got it. :)
>
> My guess is he harvested the last /8 for all members who got their
> /22.

You are not the only one to receive them, I can assure you.

Cheers,

Daniel

_________________________________________________________________________________
Daniel Stolpe Tel: 08 - 688 11 81 stolpe at resilans.se
Resilans AB Fax: 08 - 55 00 21 63 http://www.resilans.se/
Box 45 094 556741-1193
104 30 Stockholm

From h.lu at anytimechinese.com Mon Apr 27 10:14:21 2015
From: h.lu at anytimechinese.com (Lu Heng)
Date: Mon, 27 Apr 2015 09:14:21 +0100
Subject: [anti-abuse-wg] SPAM from other LIRs to db-contacts regarding resource sale
In-Reply-To:
References: <20150420104121.73b47036@hashi> <20150427063621.GA28378@danton.fire-world.de> <553DE884.7060808@velea.eu> <20150427075802.GB28378@danton.fire-world.de>
Message-ID:

I guess he just sent to everybody...

On Apr 27, 2015 10:12 AM, "Daniel Stolpe" wrote:

>
>
> On Mon, 27 Apr 2015, Sebastian Wiesinger wrote:
>
> * Elvis Daniel Velea [2015-04-27 09:54]:
>>
>>> For the RIPE NCC to even start anything, a proper report must be filled
>>> in:
>>>
>>> https://www.ripe.net/report-form
>>>
>>> I'd say you could report a violation of the RIPE DB Terms and
>>> Conditions. Although.. it is very difficult to prove it.
>>>
>>
>> Hello,
>>
>> I already contacted the NCC about this. In our case it's not so
>> difficult to prove, the address is only used in the database, it is
>> not used in outgoing communication. If it is not from the database it
>> would be quite interesting to hear where he got it. :)
>>
>> My guess is he harvested the last /8 for all members who got their
>> /22.
>>
>
> You are not the only one to receive them, I can assure you.
>
> Cheers,
>
> Daniel
>
>
> _________________________________________________________________________________
> Daniel Stolpe Tel: 08 - 688 11 81
> stolpe at resilans.se
> Resilans AB Fax: 08 - 55 00 21 63
> http://www.resilans.se/
> Box 45 094
> 556741-1193
> 104 30 Stockholm
>