[anti-abuse-wg] Fwd: Re: botnet controllers
PP
phishphucker at storey.ovh
Thu Jun 25 10:22:22 CEST 2020
Perhaps a code of conduct, with de-registration of resources if the entity does not comply, and enforcement costs to be levied against the annual fee imposed for the registering of IP resources.

On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
> Hi whoever you are,
> (typically it's not a good sign, if you need to hide behind an anonymous
> alias).
>
>
> I think the comparison to phone numbers is bad, that area is plagued by
> very similar issues. But I get your point.
>
> I think it's not feasible that you need to somehow prove you are
> legitimate, the same way you should not need to prove you're an honest
> citizen before you get, e.g. an apartment.
>
> What we need however is a standard of what is acceptable behavior and
> use of the resources you get, together with a process to remediate
> failure to comply and possibly sanctions. I.e. if you use your apartment
> for illicit things, whatever they may be (annoying your neighbors
> through excessive noise, running a drug empire, ....)
>
> That's what this group seems to consistently fail to come up with for
> various reasons.
>
> As a reputable VPN Provider you can be log-less and yet still follow up
> on abuse. I would argue that actually doing so will make your service
> better for the people that legitimately need it.
>
> The VPN business is, not unlike the Domain business: A lot of greedy
> people with big egos.
>
> This is not a technical issue.
>
> Best
> Serge
>
>
>
> On 25.06.20 09:26, PP wrote:
>> Firstly, reporting it to the LEO does not cause the resources to be
>> de-registered.
>>
>> Secondly, your example regarding IPv6 is another reason why this
>> approach is not sufficient: there are
>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>> addresses.
>>
>>
>> It should be that the resources are only allocated to legitimate
>> established corporations.
>>
>>
>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>> controlled by a reputable phone company. Why should IP addresses be
>> different?
>>
>>
>>
>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>> Dear Phish Phucker,
>>>
>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>> in the Netherlands. They are responsible for allocating Internet
>>> number resources (IP addresses and AS numbers) in their region. Their
>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>> mailing lists and participates in the policy discussions.
>>>
>>> I'm not sure what policy can be introduced. Historically RIPE
>>> participants have been reluctant to make any value judgements about
>>> what IP resources can and cannot be used for. Currently as long as you
>>> are truthful about your organization's registration information you
>>> have fulfilled the requirements.
>>>
>>> In a sense this should be enough. The information is available for
>>> anyone who cares about protecting their users from spam originating
>>> there. Spamhaus lists the organization, and I am pretty sure that most
>>> e-mail providers either block their IP addresses because of that - or
>>> have their own abuse tracking which identifies them. It's not
>>> perfect... I had to change VPS provider because my previous VPS
>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>> neither my provider nor Spamhaus would explain why (my provider
>>> claimed to have never received any complaints, and Spamhaus never
>>> explains anything). But it seems to be good enough for most people.
>>>
>>> If an organization is breaking a law, then the correct action is to
>>> report them to the law-enforcement organization (LEO) that feels like
>>> it is in their jurisdiction. Again, since the member is required by
>>> the RIPE NCC to have correct information about the person or
>>> organization that has been allocated resources, the LEO can follow-up.
>>>
>>> It's hardly an ideal situation, but difficult to see how to improve it
>>> given the general anti-regulation philosophy of most Internet providers.
>>>
>>> Cheers,
>>>
>>> --
>>> Shane
>>>
>>> On 25/06/2020 08.03, PP wrote:
>>>> So who at RIPE is responsible for allocating this resource, and what
>>>> policy can be introduced to prevent the allocation of IP address
>>>> resources to irresponsible organizations like this one?
>>>>
>>>> SpamHaus have it listed as the world's number one source of spam:
>>>>
>>>> https://www.spamhaus.org/statistics/networks/
>>>>
>>>>
>>>>
>>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>> We've had similar experience with this VPN provider.
>>>>>
>>>>> He claims not being able to track malicious actor is for the benefit
>>>>> of free speech but when malware is used to attack people who express
>>>>> free speech he did not understand that his service is not
>>>>> contributing towards free speech but hinders it.
>>>>>
>>>>> Tonu
>>>>> CERT-EE
>>>>>
>>>>> On 25.06.2020 04:15, PP wrote:
>>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>>
>>>>>>
>>>>>> organisation:   ORG-SL751-RIPE
>>>>>> org-name:       Freedom Of Speech VPN
>>>>>> org-type:       OTHER
>>>>>> address:        P.O. Box 9173
>>>>>> address:        Victoria
>>>>>> address:        Mahe Island
>>>>>> address:        Seychelles
>>>>>> e-mail:         info at FOS-VPN.org
>>>>>> abuse-c:        SL12644-RIPE
>>>>>> mnt-ref:        FOS-VPN-MNT
>>>>>> mnt-by:         FOS-VPN-MNT
>>>>>> created:        2018-07-13T05:33:45Z
>>>>>> last-modified:  2020-02-28T12:37:39Z
>>>>>> source:         RIPE
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: Re: botnet controllers
>>>>>> Date: Wed, 24 Jun 2020 21:49:21 +0200
>>>>>> From: info at ghlc.biz
>>>>>> To: PP <phishphucker at storey.ovh>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2020-06-24 13:03, PP wrote:
>>>>>> Hello!
>>>>>>
>>>>>>
>>>>>> Please note that all mentioned IPs belong to non-logging VPN services.
>>>>>>
>>>>>> No user logs are kept.
>>>>>>
>>>>>>
>>>>>> Sincerely yours
>>>>>>
>>>>>> David Craig
>>>>>>
>>>>>>
>>>>>>> SBL488704
>>>>>>> 185.140.53.75/32
>>>>>>> ghlc.biz
>>>>>>> 23-Jun-2020 05:26 GMT
>>>>>>> Malware botnet controller @185.140.53.75
>>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>>
>>>>>>>
>>>>>>> SBL488686
>>>>>>> 91.193.75.58/32
>>>>>>> ghlc.biz
>>>>>>> 22-Jun-2020 18:39 GMT
>>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>>
>>>>>>>
>>>>>>> SBL488548
>>>>>>> 185.244.30.201/32
>>>>>>> ghlc.biz
>>>>>>> 19-Jun-2020 13:21 GMT
>>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>>
>>>>>>>
>>>>>>> SBL488006
>>>>>>> 185.140.53.162/32
>>>>>>> ghlc.biz
>>>>>>> 18-Jun-2020 10:11 GMT
>>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>>
>>>>>>>
>>>>>>> SBL487900
>>>>>>> 185.140.53.229/32
>>>>>>> ghlc.biz
>>>>>>> 16-Jun-2020 13:28 GMT
>>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>>
>>>>>>>
>>>>>>> SBL487899
>>>>>>> 185.244.30.113/32
>>>>>>> ghlc.biz
>>>>>>> 16-Jun-2020 12:59 GMT
>>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>>
>>>>>>>
>>>>>>> SBL487893
>>>>>>> 185.140.53.236/32
>>>>>>> ghlc.biz
>>>>>>> 16-Jun-2020 12:07 GMT
>>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>>
>>>>>>>
>>>>>>> SBL487886
>>>>>>> 185.165.153.45/32
>>>>>>> ghlc.biz
>>>>>>> 16-Jun-2020 10:26 GMT
>>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>>
>>>>>>> https://www.spamhaus.org/sbl/query/SBL487886