[anti-abuse-wg] Fwd: Re: botnet controllers
- Previous message (by thread): [anti-abuse-wg] Fwd: Re: botnet controllers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alistair Mackenzie
ripe at v2.pw
Thu Jun 25 12:52:44 CEST 2020
Hi {Firstname},
Discussion usually happens before we get to a policy proposal.
If you have a policy ready to propose then please feel free to send it
and we can base a discussion around that.
Thanks,
Alistair
On 25/06/2020 10:56, PP wrote:
> I see a lot of discussion, but no formal policy proposal.
>
>
>
> On 25/06/2020 7:23 pm, Serge Droz via anti-abuse-wg wrote:
>>
>> On 25.06.20 10:22, PP wrote:
>>> Perhaps a code of conduct, with de-registration of resources if the
>>> entity does not comply, and enforcement costs to be levied against the
>>> annual fee imposed for the registering of IP resources.
>>>
>> I'm all in favour, but I'm afraid we've had this discussion in here in
>> the past.
>>
>> We can't even agree on the principles, let alone the details.
>>
>> This seems to be harder than world peace.
>>
>> Best
>> Serge
>>> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>>>> Hi whoever you are,
>>>> (typically it's not a good sign, if you need hide behind an anonymous
>>>> alias).
>>>>
>>>>
>>>> I think the comparison to phone numbers is bad, that area is plagued by
>>>> very similar issues. But I get you point.
>>>>
>>>> I think it's not feasible that you need to somehow proof you are
>>>> legitimate, the same way you should not need to proof you're a honest
>>>> citizen before you get, e.g. an apartment.
>>>>
>>>> What we need however is a standard of what is acceptable behavior and
>>>> use of the resources you get, together with a process to remediate
>>>> failure to comply and possibly sanctions. I.e. if you use your
>>>> apartment
>>>> �� for illicit things, what ever they may be (annoying your neighbors
>>>> through excessive noise, running a drug empire, ....)
>>>>
>>>> That's what this group seems to consistently fail to come up with for
>>>> various reasons.
>>>>
>>>> As a reputable VPN Provider you can be log-less and yet still follow up
>>>> on abuse. I would argue that actually doing so will make your service
>>>> better for the people that legitimately need it.
>>>>
>>>> The VPN business is, not unlike the Domain business: A lot of greedy
>>>> people with big egos.
>>>>
>>>> This is not a technical issue.
>>>>
>>>> Best
>>>> Serge
>>>>
>>>>
>>>>
>>>> On 25.06.20 09:26, PP wrote:
>>>>> Firstly, reporting it to the LEO does not cause the resources to be
>>>>> de-registered.
>>>>>
>>>>> Secondly, your example regarding IPv6 is another reason why this
>>>>> approach is not sufficient: there are
>>>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>>>> addresses.
>>>>>
>>>>>
>>>>> It should be that the resources are only allocated to legitimate
>>>>> established corporations.
>>>>>
>>>>>
>>>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>>>> controlled by a reputable phone company. Why should IP addresses be
>>>>> different?
>>>>>
>>>>>
>>>>>
>>>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>>>> Dear Phish Phucker,
>>>>>>
>>>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>>>> in the Netherlands. They are responsible for allocating Internet
>>>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>>>> mailing lists and participates in the policy discussions.
>>>>>>
>>>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>>>> participants have been reluctant to make any value judgements about
>>>>>> what IP resources can and cannot be used for. Currently as long as
>>>>>> you
>>>>>> are truthful about your organization's registration information you
>>>>>> have fulfilled the requirements.
>>>>>>
>>>>>> In a sense this should be enough. The information is available for
>>>>>> anyone who cares about protecting their users from spam originating
>>>>>> there. Spamhaus lists the organization, and I am pretty sure that
>>>>>> most
>>>>>> e-mail providers either block their IP addresses because of that - or
>>>>>> have their own abuse tracking which identifies them. It's not
>>>>>> perfect... I had to change VPS provider because my previous VPS
>>>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>>>> neither my provider nor Spamhaus would explain why (my provider
>>>>>> claimed to have never received any complains, and Spamhaus never
>>>>>> explains anything). But it seems to be good enough for most people.
>>>>>>
>>>>>> If an organization is breaking a law, then the correct action is to
>>>>>> report them to the law-enforcement organization (LEO) that feels like
>>>>>> it is in their jurisdiction. Again, since the member is required by
>>>>>> the RIPE NCC to have correct information about the person or
>>>>>> organization that has been allocated resources, the LEO can
>>>>>> follow-up.
>>>>>>
>>>>>> It's hardly an ideal situation, but difficult to see how to
>>>>>> improve it
>>>>>> given the general anti-regulation philosophy of most Internet
>>>>>> providers.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> --�
>>>>>> Shane
>>>>>>
>>>>>> On 25/06/2020 08.03, PP wrote:
>>>>>>> So who at RIPE is responsible for allocating this resource, and what
>>>>>>> policy can be introduced to prevent the allocation of IP address
>>>>>>> resources to irresponsible organizations like this one?
>>>>>>>
>>>>>>> SpamHaus have it listed as the worlds number one source of spam:
>>>>>>>
>>>>>>> https://www.spamhaus.org/statistics/networks/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 25/06/2020 2:10 pm, T�nu Tammer via anti-abuse-wg wrote:
>>>>>>>> We've had similar experience with this VPN provider.
>>>>>>>>
>>>>>>>> He claims not being able to track malicious actor is for the
>>>>>>>> benefit
>>>>>>>> of free speech but when malware is used to attack people who
>>>>>>>> express
>>>>>>>> free speech he did not understand that his service is not
>>>>>>>> contributing towards free speech but hinders it.
>>>>>>>>
>>>>>>>> Tonu
>>>>>>>> CERT-EE
>>>>>>>>
>>>>>>>> On 25.06.2020 04:15, PP wrote:
>>>>>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ����� organisation:��� ORG-SL751-RIPE
>>>>>>>>> ����� org-name:������� Freedom Of Speech VPN
>>>>>>>>> ����� org-type:������� OTHER
>>>>>>>>> ����� address:�������� P.O. Box 9173
>>>>>>>>> ����� address:�������� Victoria
>>>>>>>>> ����� address:�������� Mahe Island
>>>>>>>>> ����� address:�������� Seychelles
>>>>>>>>> ����� e-mail: info at FOS-VPN.org
>>>>>>>>> ����� abuse-c:�������� SL12644-RIPE
>>>>>>>>> ����� mnt-ref:�������� FOS-VPN-MNT
>>>>>>>>> ����� mnt-by:��������� FOS-VPN-MNT
>>>>>>>>> ����� created:�������� 2018-07-13T05:33:45Z
>>>>>>>>> ����� last-modified:�� 2020-02-28T12:37:39Z
>>>>>>>>> ����� source:��������� RIPE
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------- Forwarded Message --------
>>>>>>>>> Subject:���� Re: botnet controllers
>>>>>>>>> Date:���� Wed, 24 Jun 2020 21:49:21 +0200
>>>>>>>>> From:���� info at ghlc.biz
>>>>>>>>> To:���� PP <phishphucker at storey.ovh>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2020-06-24 13:03, PP wrote:
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please note that all mentioned IPs belong to non-logging VPN
>>>>>>>>> services.
>>>>>>>>>
>>>>>>>>> No user logs are kept.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Sincerely yours
>>>>>>>>>
>>>>>>>>> David Craig
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> SBL488704
>>>>>>>>>> 185.140.53.75/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 23-Jun-2020 05:26 GMT
>>>>>>>>>> Malware botnet controller @185.140.53.75
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL488686
>>>>>>>>>> 91.193.75.58/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 22-Jun-2020 18:39 GMT
>>>>>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL488548
>>>>>>>>>> 185.244.30.201/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 19-Jun-2020 13:21 GMT
>>>>>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL488006
>>>>>>>>>> 185.140.53.162/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 18-Jun-2020 10:11 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL487900
>>>>>>>>>> 185.140.53.229/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 13:28 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL487899
>>>>>>>>>> 185.244.30.113/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 12:59 GMT
>>>>>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL487893
>>>>>>>>>> 185.140.53.236/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 12:07 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> SBL487886
>>>>>>>>>> 185.165.153.45/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 10:26 GMT
>>>>>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>>>>>
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487886
>
- Previous message (by thread): [anti-abuse-wg] Fwd: Re: botnet controllers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]