[anti-abuse-wg] Fwd: Re: botnet controllers
Alistair Mackenzie
ripe at v2.pw
Thu Jun 25 12:52:44 CEST 2020
Hi {Firstname},

Discussion usually happens before we get to a policy proposal.

If you have a policy ready to propose then please feel free to send it
and we can base a discussion around that.

Thanks,
Alistair

On 25/06/2020 10:56, PP wrote:
> I see a lot of discussion, but no formal policy proposal.
>
> On 25/06/2020 7:23 pm, Serge Droz via anti-abuse-wg wrote:
>>
>> On 25.06.20 10:22, PP wrote:
>>> Perhaps a code of conduct, with de-registration of resources if the
>>> entity does not comply, and enforcement costs to be levied against the
>>> annual fee imposed for the registering of IP resources.
>>>
>> I'm all in favour, but I'm afraid we've had this discussion in here in
>> the past.
>>
>> We can't even agree on the principles, let alone the details.
>>
>> This seems to be harder than world peace.
>>
>> Best
>> Serge
>>> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>>>> Hi whoever you are,
>>>> (typically it's not a good sign, if you need to hide behind an
>>>> anonymous alias).
>>>>
>>>> I think the comparison to phone numbers is bad, that area is plagued by
>>>> very similar issues. But I get your point.
>>>>
>>>> I think it's not feasible that you need to somehow prove you are
>>>> legitimate, the same way you should not need to prove you're an honest
>>>> citizen before you get, e.g. an apartment.
>>>>
>>>> What we need however is a standard of what is acceptable behavior and
>>>> use of the resources you get, together with a process to remediate
>>>> failure to comply and possibly sanctions. I.e. if you use your
>>>> apartment for illicit things, whatever they may be (annoying your
>>>> neighbors through excessive noise, running a drug empire, ....)
>>>>
>>>> That's what this group seems to consistently fail to come up with for
>>>> various reasons.
>>>>
>>>> As a reputable VPN Provider you can be log-less and yet still follow up
>>>> on abuse. I would argue that actually doing so will make your service
>>>> better for the people that legitimately need it.
>>>>
>>>> The VPN business is, not unlike the Domain business: A lot of greedy
>>>> people with big egos.
>>>>
>>>> This is not a technical issue.
>>>>
>>>> Best
>>>> Serge
>>>>
>>>> On 25.06.20 09:26, PP wrote:
>>>>> Firstly, reporting it to the LEO does not cause the resources to be
>>>>> de-registered.
>>>>>
>>>>> Secondly, your example regarding IPv6 is another reason why this
>>>>> approach is not sufficient: there are
>>>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>>>> addresses.
>>>>>
>>>>> It should be that the resources are only allocated to legitimate
>>>>> established corporations.
>>>>>
>>>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>>>> controlled by a reputable phone company. Why should IP addresses be
>>>>> different?
>>>>>
>>>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>>>> Dear Phish Phucker,
>>>>>>
>>>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>>>> in the Netherlands. They are responsible for allocating Internet
>>>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>>>> mailing lists and participates in the policy discussions.
>>>>>>
>>>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>>>> participants have been reluctant to make any value judgements about
>>>>>> what IP resources can and cannot be used for. Currently as long as
>>>>>> you are truthful about your organization's registration information
>>>>>> you have fulfilled the requirements.
>>>>>>
>>>>>> In a sense this should be enough. The information is available for
>>>>>> anyone who cares about protecting their users from spam originating
>>>>>> there. Spamhaus lists the organization, and I am pretty sure that
>>>>>> most e-mail providers either block their IP addresses because of
>>>>>> that - or have their own abuse tracking which identifies them. It's
>>>>>> not perfect... I had to change VPS provider because my previous VPS
>>>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>>>> neither my provider nor Spamhaus would explain why (my provider
>>>>>> claimed to have never received any complaints, and Spamhaus never
>>>>>> explains anything). But it seems to be good enough for most people.
>>>>>>
>>>>>> If an organization is breaking a law, then the correct action is to
>>>>>> report them to the law-enforcement organization (LEO) that feels like
>>>>>> it is in their jurisdiction. Again, since the member is required by
>>>>>> the RIPE NCC to have correct information about the person or
>>>>>> organization that has been allocated resources, the LEO can
>>>>>> follow-up.
>>>>>>
>>>>>> It's hardly an ideal situation, but difficult to see how to
>>>>>> improve it given the general anti-regulation philosophy of most
>>>>>> Internet providers.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> --
>>>>>> Shane
>>>>>>
>>>>>> On 25/06/2020 08.03, PP wrote:
>>>>>>> So who at RIPE is responsible for allocating this resource, and what
>>>>>>> policy can be introduced to prevent the allocation of IP address
>>>>>>> resources to irresponsible organizations like this one?
>>>>>>>
>>>>>>> SpamHaus have it listed as the world's number one source of spam:
>>>>>>>
>>>>>>> https://www.spamhaus.org/statistics/networks/
>>>>>>>
>>>>>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>>>>> We've had similar experience with this VPN provider.
>>>>>>>>
>>>>>>>> He claims not being able to track malicious actor is for the
>>>>>>>> benefit of free speech but when malware is used to attack people
>>>>>>>> who express free speech he did not understand that his service is
>>>>>>>> not contributing towards free speech but hinders it.
>>>>>>>>
>>>>>>>> Tonu
>>>>>>>> CERT-EE
>>>>>>>>
>>>>>>>> On 25.06.2020 04:15, PP wrote:
>>>>>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>>>>>
>>>>>>>>>       organisation:    ORG-SL751-RIPE
>>>>>>>>>       org-name:        Freedom Of Speech VPN
>>>>>>>>>       org-type:        OTHER
>>>>>>>>>       address:         P.O. Box 9173
>>>>>>>>>       address:         Victoria
>>>>>>>>>       address:         Mahe Island
>>>>>>>>>       address:         Seychelles
>>>>>>>>>       e-mail:          info at FOS-VPN.org
>>>>>>>>>       abuse-c:         SL12644-RIPE
>>>>>>>>>       mnt-ref:         FOS-VPN-MNT
>>>>>>>>>       mnt-by:          FOS-VPN-MNT
>>>>>>>>>       created:         2018-07-13T05:33:45Z
>>>>>>>>>       last-modified:   2020-02-28T12:37:39Z
>>>>>>>>>       source:          RIPE
>>>>>>>>>
>>>>>>>>> -------- Forwarded Message --------
>>>>>>>>> Subject: Re: botnet controllers
>>>>>>>>> Date:    Wed, 24 Jun 2020 21:49:21 +0200
>>>>>>>>> From:    info at ghlc.biz
>>>>>>>>> To:      PP <phishphucker at storey.ovh>
>>>>>>>>>
>>>>>>>>> On 2020-06-24 13:03, PP wrote:
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> Please note that all mentioned IPs belong to non-logging VPN
>>>>>>>>> services.
>>>>>>>>>
>>>>>>>>> No user logs are kept.
>>>>>>>>>
>>>>>>>>> Sincerely yours
>>>>>>>>>
>>>>>>>>> David Craig
>>>>>>>>>
>>>>>>>>>> SBL488704
>>>>>>>>>> 185.140.53.75/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 23-Jun-2020 05:26 GMT
>>>>>>>>>> Malware botnet controller @185.140.53.75
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>>>>>
>>>>>>>>>> SBL488686
>>>>>>>>>> 91.193.75.58/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 22-Jun-2020 18:39 GMT
>>>>>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>>>>>
>>>>>>>>>> SBL488548
>>>>>>>>>> 185.244.30.201/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 19-Jun-2020 13:21 GMT
>>>>>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>>>>>
>>>>>>>>>> SBL488006
>>>>>>>>>> 185.140.53.162/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 18-Jun-2020 10:11 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>>>>>
>>>>>>>>>> SBL487900
>>>>>>>>>> 185.140.53.229/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 13:28 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>>>>>
>>>>>>>>>> SBL487899
>>>>>>>>>> 185.244.30.113/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 12:59 GMT
>>>>>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>>>>>
>>>>>>>>>> SBL487893
>>>>>>>>>> 185.140.53.236/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 12:07 GMT
>>>>>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>>>>>
>>>>>>>>>> SBL487886
>>>>>>>>>> 185.165.153.45/32
>>>>>>>>>> ghlc.biz
>>>>>>>>>> 16-Jun-2020 10:26 GMT
>>>>>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>>>>>
>>>>>>>>>> https://www.spamhaus.org/sbl/query/SBL487886