[anti-abuse-wg] Fwd: Re: botnet controllers
PP
phishphucker at storey.ovh
Thu Jun 25 11:56:42 CEST 2020
I see a lot of discussion, but no formal policy proposal.

On 25/06/2020 7:23 pm, Serge Droz via anti-abuse-wg wrote:
>
> On 25.06.20 10:22, PP wrote:
>> Perhaps a code of conduct, with de-registration of resources if the
>> entity does not comply, and enforcement costs to be levied against the
>> annual fee imposed for the registering of IP resources.
>>
> I'm all in favour, but I'm afraid we've had this discussion in here in
> the past.
>
> We can't even agree on the principles, let alone the details.
>
> This seems to be harder than world peace.
>
> Best
> Serge
>> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>>> Hi whoever you are,
>>> (typically it's not a good sign, if you need to hide behind an anonymous
>>> alias).
>>>
>>> I think the comparison to phone numbers is bad, that area is plagued by
>>> very similar issues. But I get your point.
>>>
>>> I think it's not feasible that you need to somehow prove you are
>>> legitimate, the same way you should not need to prove you're an honest
>>> citizen before you get, e.g. an apartment.
>>>
>>> What we need however is a standard of what is acceptable behavior and
>>> use of the resources you get, together with a process to remediate
>>> failure to comply and possibly sanctions. I.e. if you use your apartment
>>> for illicit things, whatever they may be (annoying your neighbors
>>> through excessive noise, running a drug empire, ....)
>>>
>>> That's what this group seems to consistently fail to come up with for
>>> various reasons.
>>>
>>> As a reputable VPN Provider you can be log-less and yet still follow up
>>> on abuse. I would argue that actually doing so will make your service
>>> better for the people that legitimately need it.
>>>
>>> The VPN business is, not unlike the Domain business: A lot of greedy
>>> people with big egos.
>>>
>>> This is not a technical issue.
>>>
>>> Best
>>> Serge
>>>
>>> On 25.06.20 09:26, PP wrote:
>>>> Firstly, reporting it to the LEO does not cause the resources to be
>>>> de-registered.
>>>>
>>>> Secondly, your example regarding IPv6 is another reason why this
>>>> approach is not sufficient: there are
>>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>>> addresses.
>>>>
>>>> It should be that the resources are only allocated to legitimate
>>>> established corporations.
>>>>
>>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>>> controlled by a reputable phone company. Why should IP addresses be
>>>> different?
>>>>
>>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>>> Dear Phish Phucker,
>>>>>
>>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>>> in the Netherlands. They are responsible for allocating Internet
>>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>>> mailing lists and participates in the policy discussions.
>>>>>
>>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>>> participants have been reluctant to make any value judgements about
>>>>> what IP resources can and cannot be used for. Currently as long as you
>>>>> are truthful about your organization's registration information you
>>>>> have fulfilled the requirements.
>>>>>
>>>>> In a sense this should be enough. The information is available for
>>>>> anyone who cares about protecting their users from spam originating
>>>>> there. Spamhaus lists the organization, and I am pretty sure that most
>>>>> e-mail providers either block their IP addresses because of that - or
>>>>> have their own abuse tracking which identifies them. It's not
>>>>> perfect...
>>>>> I had to change VPS provider because my previous VPS
>>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>>> neither my provider nor Spamhaus would explain why (my provider
>>>>> claimed to have never received any complaints, and Spamhaus never
>>>>> explains anything). But it seems to be good enough for most people.
>>>>>
>>>>> If an organization is breaking a law, then the correct action is to
>>>>> report them to the law-enforcement organization (LEO) that feels like
>>>>> it is in their jurisdiction. Again, since the member is required by
>>>>> the RIPE NCC to have correct information about the person or
>>>>> organization that has been allocated resources, the LEO can follow up.
>>>>>
>>>>> It's hardly an ideal situation, but difficult to see how to improve it
>>>>> given the general anti-regulation philosophy of most Internet
>>>>> providers.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> --
>>>>> Shane
>>>>>
>>>>> On 25/06/2020 08.03, PP wrote:
>>>>>> So who at RIPE is responsible for allocating this resource, and what
>>>>>> policy can be introduced to prevent the allocation of IP address
>>>>>> resources to irresponsible organizations like this one?
>>>>>>
>>>>>> SpamHaus have it listed as the world's number one source of spam:
>>>>>>
>>>>>> https://www.spamhaus.org/statistics/networks/
>>>>>>
>>>>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>>>> We've had similar experience with this VPN provider.
>>>>>>>
>>>>>>> He claims not being able to track malicious actor is for the benefit
>>>>>>> of free speech but when malware is used to attack people who express
>>>>>>> free speech he did not understand that his service is not
>>>>>>> contributing towards free speech but hinders it.
>>>>>>>
>>>>>>> Tonu
>>>>>>> CERT-EE
>>>>>>>
>>>>>>> On 25.06.2020 04:15, PP wrote:
>>>>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>>>>
>>>>>>>> organisation:  ORG-SL751-RIPE
>>>>>>>> org-name:      Freedom Of Speech VPN
>>>>>>>> org-type:      OTHER
>>>>>>>> address:       P.O. Box 9173
>>>>>>>> address:       Victoria
>>>>>>>> address:       Mahe Island
>>>>>>>> address:       Seychelles
>>>>>>>> e-mail:        info at FOS-VPN.org
>>>>>>>> abuse-c:       SL12644-RIPE
>>>>>>>> mnt-ref:       FOS-VPN-MNT
>>>>>>>> mnt-by:        FOS-VPN-MNT
>>>>>>>> created:       2018-07-13T05:33:45Z
>>>>>>>> last-modified: 2020-02-28T12:37:39Z
>>>>>>>> source:        RIPE
>>>>>>>>
>>>>>>>> -------- Forwarded Message --------
>>>>>>>> Subject: Re: botnet controllers
>>>>>>>> Date: Wed, 24 Jun 2020 21:49:21 +0200
>>>>>>>> From: info at ghlc.biz
>>>>>>>> To: PP <phishphucker at storey.ovh>
>>>>>>>>
>>>>>>>> On 2020-06-24 13:03, PP wrote:
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> Please note that all mentioned IPs belong to non-logging VPN
>>>>>>>> services.
>>>>>>>>
>>>>>>>> No user logs are kept.
>>>>>>>>
>>>>>>>> Sincerely yours
>>>>>>>>
>>>>>>>> David Craig
>>>>>>>>
>>>>>>>>> SBL488704
>>>>>>>>> 185.140.53.75/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 23-Jun-2020 05:26 GMT
>>>>>>>>> Malware botnet controller @185.140.53.75
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>>>>
>>>>>>>>> SBL488686
>>>>>>>>> 91.193.75.58/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 22-Jun-2020 18:39 GMT
>>>>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>>>>
>>>>>>>>> SBL488548
>>>>>>>>> 185.244.30.201/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 19-Jun-2020 13:21 GMT
>>>>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>>>>
>>>>>>>>> SBL488006
>>>>>>>>> 185.140.53.162/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 18-Jun-2020 10:11 GMT
>>>>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>>>>
>>>>>>>>> SBL487900
>>>>>>>>> 185.140.53.229/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 16-Jun-2020 13:28 GMT
>>>>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>>>>
>>>>>>>>> SBL487899
>>>>>>>>> 185.244.30.113/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 16-Jun-2020 12:59 GMT
>>>>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>>>>
>>>>>>>>> SBL487893
>>>>>>>>> 185.140.53.236/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 16-Jun-2020 12:07 GMT
>>>>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>>>>
>>>>>>>>> SBL487886
>>>>>>>>> 185.165.153.45/32
>>>>>>>>> ghlc.biz
>>>>>>>>> 16-Jun-2020 10:26 GMT
>>>>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>>>>
>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487886