[anti-abuse-wg] Fwd: Re: botnet controllers
Serge Droz
serge.droz at first.org
Thu Jun 25 09:45:23 CEST 2020
Hi whoever you are,

(typically it's not a good sign, if you need to hide behind an anonymous alias).

I think the comparison to phone numbers is bad, that area is plagued by very similar issues. But I get your point.

I think it's not feasible that you need to somehow prove you are legitimate, the same way you should not need to prove you're an honest citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and use of the resources you get, together with a process to remediate failure to comply and possibly sanctions. I.e. if you use your apartment for illicit things, whatever they may be (annoying your neighbors through excessive noise, running a drug empire, ...)

That's what this group seems to consistently fail to come up with for various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up on abuse. I would argue that actually doing so will make your service better for the people that legitimately need it.

The VPN business is not unlike the Domain business: a lot of greedy people with big egos. This is not a technical issue.

Best
Serge

On 25.06.20 09:26, PP wrote:
> Firstly, reporting it to the LEO does not cause the resources to be
> de-registered.
>
> Secondly, your example regarding IPv6 is another reason why this
> approach is not sufficient: there are
> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
> addresses.
>
> It should be that the resources are only allocated to legitimate
> established corporations.
>
> Phone numbers aren't wholly allocated to anyone who asks, they remain
> controlled by a reputable phone company. Why should IP addresses be
> different?
>
> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>> Dear Phish Phucker,
>>
>> The RIPE NCC is a not-for-profit, membership-based organization based
>> in the Netherlands. They are responsible for allocating Internet
>> number resources (IP addresses and AS numbers) in their region.
>> Their policies are set by RIPE, which is just anyone who joins the RIPE
>> mailing lists and participates in the policy discussions.
>>
>> I'm not sure what policy can be introduced. Historically RIPE
>> participants have been reluctant to make any value judgements about
>> what IP resources can and cannot be used for. Currently as long as you
>> are truthful about your organization's registration information you
>> have fulfilled the requirements.
>>
>> In a sense this should be enough. The information is available for
>> anyone who cares about protecting their users from spam originating
>> there. Spamhaus lists the organization, and I am pretty sure that most
>> e-mail providers either block their IP addresses because of that - or
>> have their own abuse tracking which identifies them. It's not
>> perfect... I had to change VPS provider because my previous VPS
>> provider kept having its IPv6 addresses blocked by Spamhaus and
>> neither my provider nor Spamhaus would explain why (my provider
>> claimed to have never received any complaints, and Spamhaus never
>> explains anything). But it seems to be good enough for most people.
>>
>> If an organization is breaking a law, then the correct action is to
>> report them to the law-enforcement organization (LEO) that feels like
>> it is in their jurisdiction. Again, since the member is required by
>> the RIPE NCC to have correct information about the person or
>> organization that has been allocated resources, the LEO can follow up.
>>
>> It's hardly an ideal situation, but difficult to see how to improve it
>> given the general anti-regulation philosophy of most Internet providers.
>>
>> Cheers,
>>
>> --
>> Shane
>>
>> On 25/06/2020 08.03, PP wrote:
>>> So who at RIPE is responsible for allocating this resource, and what
>>> policy can be introduced to prevent the allocation of IP address
>>> resources to irresponsible organizations like this one?
>>>
>>> SpamHaus have it listed as the world's number one source of spam:
>>>
>>> https://www.spamhaus.org/statistics/networks/
>>>
>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>
>>>> We've had similar experience with this VPN provider.
>>>>
>>>> He claims not being able to track malicious actor is for the benefit
>>>> of free speech but when malware is used to attack people who express
>>>> free speech he did not understand that his service is not
>>>> contributing towards free speech but hinders it.
>>>>
>>>> Tonu
>>>> CERT-EE
>>>>
>>>> On 25.06.2020 04:15, PP wrote:
>>>>>
>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>
>>>>> organisation: ORG-SL751-RIPE
>>>>> org-name: Freedom Of Speech VPN
>>>>> org-type: OTHER
>>>>> address: P.O. Box 9173
>>>>> address: Victoria
>>>>> address: Mahe Island
>>>>> address: Seychelles
>>>>> e-mail: info at FOS-VPN.org
>>>>> abuse-c: SL12644-RIPE
>>>>> mnt-ref: FOS-VPN-MNT
>>>>> mnt-by: FOS-VPN-MNT
>>>>> created: 2018-07-13T05:33:45Z
>>>>> last-modified: 2020-02-28T12:37:39Z
>>>>> source: RIPE
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject: Re: botnet controllers
>>>>> Date: Wed, 24 Jun 2020 21:49:21 +0200
>>>>> From: info at ghlc.biz
>>>>> To: PP <phishphucker at storey.ovh>
>>>>>
>>>>> On 2020-06-24 13:03, PP wrote:
>>>>> Hello!
>>>>>
>>>>> Please note that all mentioned IPs belong to non-logging VPN services.
>>>>>
>>>>> No user logs are kept.
>>>>>
>>>>> Sincerely yours
>>>>>
>>>>> David Craig
>>>>>
>>>>>> SBL488704
>>>>>> 185.140.53.75/32
>>>>>> ghlc.biz
>>>>>> 23-Jun-2020 05:26 GMT
>>>>>> Malware botnet controller @185.140.53.75
>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>
>>>>>> SBL488686
>>>>>> 91.193.75.58/32
>>>>>> ghlc.biz
>>>>>> 22-Jun-2020 18:39 GMT
>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>
>>>>>> SBL488548
>>>>>> 185.244.30.201/32
>>>>>> ghlc.biz
>>>>>> 19-Jun-2020 13:21 GMT
>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>
>>>>>> SBL488006
>>>>>> 185.140.53.162/32
>>>>>> ghlc.biz
>>>>>> 18-Jun-2020 10:11 GMT
>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>
>>>>>> SBL487900
>>>>>> 185.140.53.229/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 13:28 GMT
>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>
>>>>>> SBL487899
>>>>>> 185.244.30.113/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 12:59 GMT
>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>
>>>>>> SBL487893
>>>>>> 185.140.53.236/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 12:07 GMT
>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>
>>>>>> SBL487886
>>>>>> 185.165.153.45/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 10:26 GMT
>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>
>>>>>> https://www.spamhaus.org/sbl/query/SBL487886
>>
>

--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org