From apak at ripe.net Tue Aug 9 11:49:27 2022
From: apak at ripe.net (Anastasiya Pak)
Date: Tue, 9 Aug 2022 11:49:27 +0200 (CEST)
Subject: [anti-abuse-wg] New on RIPE Labs: Threat Integration Lessons of Indicator and Incident Exchange
Message-ID: <1116366874.8367.1660038567797.JavaMail.app-admin@ba-apps-3.ripe.net>

Dear colleagues,

Integration of shared indicators of compromise is very difficult when the responsibility is distributed to organisations which are then left with the task of turning those indicators into defensive actions or blocking rules.

In the new article on RIPE Labs, Kathleen Moriarty, Chief Technology Officer for the Center of Internet Security, shares lessons learned for indicator and incident exchange.

Read now: https://labs.ripe.net/author/kathleen_moriarty/threat-integration-lessons-of-indicator-and-incident-exchange/

Kind regards,

Anastasiya Pak
Marketing & Communications Officer
RIPE NCC


From brian.nisbet at heanet.ie Thu Aug 11 18:17:01 2022
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Thu, 11 Aug 2022 16:17:01 +0000
Subject: [anti-abuse-wg] Anti-Abuse Training - Final? Draft Slides & Zoom Call
Message-ID:

Colleagues,

As you know the RIPE NCC L&D team has been working on a one hour anti-abuse training session. We've received substantial input from the WG and we're hoping that will continue as Gerardo and the team work to get everything into the final state.

First off, this is the current slide deck. If you have the opportunity we would ask if you could take a look and either reply with your feedback to the list or directly to Gerardo - gviviers at ripe.net

https://docs.google.com/presentation/d/1FylfGQoMrgg0xJjNnE3wLvcW9KV1KmwcE4ceuir-Msk/edit?usp=sharing

We're also arranging for another online round table to discuss the material as needed, because sometimes voice is better than text.

This will be taking place on Tuesday 27th September from 10:00 - 12:00 CEST on Zoom.
The plan is to run down through the full slide deck and allow for comments and discussion as needed.

The link to this call will be:

https://ripe.zoom.us/j/91448568019?pwd=VDFKWEJqT2lkbFdGbVpaL0FmL1R1Zz09

This call, as with any AA-WG activity, will be subject to the RIPE Community Code of Conduct.

Thanks for all your work so far and I look forward to more productive discussion!

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270


From michele at blacknight.com Fri Aug 12 12:19:23 2022
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Fri, 12 Aug 2022 10:19:23 +0000
Subject: [anti-abuse-wg] Anti-Abuse Training - Final? Draft Slides & Zoom Call
In-Reply-To:
References:
Message-ID:

Brian et al

I like the content, but I don't see how this could be delivered in one hour. There are 55 slides. That's roughly 1 slide per minute.

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: anti-abuse-wg on behalf of Brian Nisbet
Date: Friday, 12 August 2022 at 09:30
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Anti-Abuse Training - Final? Draft Slides & Zoom Call

Colleagues,

As you know the RIPE NCC L&D team has been working on a one hour anti-abuse training session.
We've received substantial input from the WG and we're hoping that will continue as Gerardo and the team work to get everything into the final state.

First off, this is the current slide deck. If you have the opportunity we would ask if you could take a look and either reply with your feedback to the list or directly to Gerardo - gviviers at ripe.net

https://docs.google.com/presentation/d/1FylfGQoMrgg0xJjNnE3wLvcW9KV1KmwcE4ceuir-Msk/edit?usp=sharing

We're also arranging for another online round table to discuss the material as needed, because sometimes voice is better than text.

This will be taking place on Tuesday 27th September from 10:00 - 12:00 CEST on Zoom. The plan is to run down through the full slide deck and allow for comments and discussion as needed.

The link to this call will be:

https://ripe.zoom.us/j/91448568019?pwd=VDFKWEJqT2lkbFdGbVpaL0FmL1R1Zz09

This call, as with any AA-WG activity, will be subject to the RIPE Community Code of Conduct.

Thanks for all your work so far and I look forward to more productive discussion!

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270


From rfg at tristatelogic.com Sat Aug 13 01:01:13 2022
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Fri, 12 Aug 2022 16:01:13 -0700
Subject: [anti-abuse-wg] So many idiots. So little time.
Message-ID: <78667.1660345273@segfault.tristatelogic.com>

[ part 1 - text/plain - Notification 574B ]

This is the mail system at host segfault.tristatelogic.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

: host mail.serverius.net[91.221.69.174] said: 554 5.7.1 This message has been blocked because ASE reports it as spam. (in reply to end of DATA command)

[ part 2 - message/delivery-status - Delivery report 435B (suppressed) ]

[ part 3 - message/rfc822 - Undelivered Message 23.2KB ]

Number is required after -h
Return-Path:
Received: by segfault.tristatelogic.com (Postfix, from userid 1237)
	id 754EF4E7D0; Fri, 12 Aug 2022 14:59:24 -0700 (PDT)
From: "Ronald F. Guilmette"
To: abuse at serverius.net
Cc: spamreports at tristatelogic.com
Subject: Spam from your network (AS50673): [194.104.236.160]
Date: 12 Aug 2022 14:59:24 -0700
X-Rfg-Spam-Report: (AS50673): [194.104.236.160]
Message-Id: <20220812215924.754EF4E7D0 at segfault.tristatelogic.com>

...


From hmm at heeg.de Sat Aug 13 07:33:02 2022
From: hmm at heeg.de (Hans-Martin Mosner)
Date: Sat, 13 Aug 2022 07:33:02 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To: <78667.1660345273@segfault.tristatelogic.com>
References: <78667.1660345273@segfault.tristatelogic.com>
Message-ID:

Idiots is the wrong choice of word here. Hanlon's Razor does not apply to Serverius.

Cheers,
Hans-Martin


From rfg at tristatelogic.com Sat Aug 13 08:05:37 2022
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Fri, 12 Aug 2022 23:05:37 -0700
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To:
Message-ID: <80918.1660370737@segfault.tristatelogic.com>

In message , Hans-Martin Mosner wrote:

> Idiots is the wrong choice of word here. Hanlon's Razor does not apply to Serverius.

Thank you for this information. I shall be adjusting my local blacklists accordingly.
ORG-SHB2-RIPE:


From jeroen at hackersbescherming.nl Sat Aug 13 14:13:10 2022
From: jeroen at hackersbescherming.nl (jeroen at hackersbescherming.nl)
Date: Sat, 13 Aug 2022 14:13:10 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To: <78667.1660345273@segfault.tristatelogic.com>
References: <78667.1660345273@segfault.tristatelogic.com>
Message-ID: <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl>

I would say perfect for that anti abuse training! Because if u can't solve the below and some other important issues that exist (for at least one or more decades) with the current system, that whole training is useless.

Even when it's made with good intentions and all, in my opinion it's useless and will not solve the real problem. Just like all the big problems in this world, why not try to create patches that create even more problems instead of solving the real issue....

I couldn't resist reacting to this one (sorry)

-----Original Message-----
From: anti-abuse-wg On Behalf Of Ronald F. Guilmette
Sent: Saturday 13 August 2022 01:01
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] So many idiots. So little time.

[ part 1 - text/plain - Notification 574B ]

This is the mail system at host segfault.tristatelogic.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

: host mail.serverius.net[91.221.69.174] said: 554 5.7.1 This message has been blocked because ASE reports it as spam.
(in reply to end of DATA command)

[ part 2 - message/delivery-status - Delivery report 435B (suppressed) ]

[ part 3 - message/rfc822 - Undelivered Message 23.2KB ]

Number is required after -h
Return-Path:
Received: by segfault.tristatelogic.com (Postfix, from userid 1237)
	id 754EF4E7D0; Fri, 12 Aug 2022 14:59:24 -0700 (PDT)
From: "Ronald F. Guilmette"
To: abuse at serverius.net
Cc: spamreports at tristatelogic.com
Subject: Spam from your network (AS50673): [194.104.236.160]
Date: 12 Aug 2022 14:59:24 -0700
X-Rfg-Spam-Report: (AS50673): [194.104.236.160]
Message-Id: <20220812215924.754EF4E7D0 at segfault.tristatelogic.com>

...

--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


From hmm at heeg.de Sat Aug 13 16:47:29 2022
From: hmm at heeg.de (Hans-Martin Mosner)
Date: Sat, 13 Aug 2022 16:47:29 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To: <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl>
References: <78667.1660345273@segfault.tristatelogic.com> <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl>
Message-ID:

On 13.08.22 at 14:13, jeroen at hackersbescherming.nl wrote:
> I would say perfect for that anti abuse training!

Training is useful if you want to learn and achieve the training subject matter. Serverius (like many other hosting/colocation providers) is in the business of deflecting trouble from their customers. In an old antispam forum post I found this quote without exact source, which could be used verbatim by most of them:

> Serverius IT infrastructure is providing underlying infrastructure services without any hosting activities. Serverius is not a hosting provider as it has no data carrier hardware like servers or disk storage services under management (only our clients do).
> Serverius is only providing the parent data center colocation of client hardware and/or IP connectivity services that are used by clients to build their own infrastructure. Their services are used by millions of companies in the world. Therefore Serverius does not know what Serverius network users are hosting (it's technically impossible for us to see and forbidden by law) and Serverius is therefore not liable for what our customer hosts behind its own network and/or on his own infrastructure.

Legally, they may be right (of course they are not allowed to peek into their customer's servers). However, there's something more to it - you could have contract and AUP clauses which prohibit spamming/abuse and give the provider leverage to enforce that prohibition. But some providers apparently prefer to keep such clauses out of their contracts and don't want to waste money on abuse desk training because a well-paying customer is a well-paying customer after all. "Pecunia non olet", as Vespasian is reported to have said.

Those are not the target group for anti abuse training. They would probably need it, but first they would need the will to stop network abuse emanating from their infrastructure.

Cheers,
Hans-Martin


From rfg at tristatelogic.com Sat Aug 13 23:31:43 2022
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sat, 13 Aug 2022 14:31:43 -0700
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To:
Message-ID: <86606.1660426303@segfault.tristatelogic.com>

In message , you wrote:

> On 13.08.22 at 14:13, jeroen at hackersbescherming.nl wrote:
> > I would say perfect for that anti abuse training!
>
> Training is useful if you want to learn and achieve the training subject matter. Serverius (like many other hosting/colocation providers) is in the business of deflecting trouble from their customers.
> In an old antispam forum post I found this quote without exact source, which could be used verbatim by most of them:
>
> > Serverius IT infrastructure is providing underlying infrastructure services without any hosting activities. Serverius is not a hosting provider as it has no data carrier hardware like servers or disk storage services under management (only our clients do). Serverius is only providing the parent data center colocation of client hardware and/or IP connectivity services that are used by clients to build their own infrastructure. Their services are used by millions of companies in the world. Therefore Serverius does not know what Serverius network users are hosting (it's technically impossible for us to see and forbidden by law) and Serverius is therefore not liable for what our customer hosts behind its own network and/or on his own infrastructure.
>
> Legally, they may be right (of course they are not allowed to peek into their customer's servers). However, there's something more to it - you could have contract and AUP clauses which prohibit spamming/abuse and give the provider leverage to enforce that prohibition. But some providers apparently prefer to keep such clauses out of their contracts and don't want to waste money on abuse desk training because a well-paying customer is a well-paying customer after all. "Pecunia non olet", as Vespasian is reported to have said.

Digital Ocean apparently has the exact same sort of "Not our problem man!" attitude. I've reported spams to them, and they say "OK, thanks. We have forwarded this to our customer." (Nice of them to do this so that their customer can then DDoS me.)

Regards,
rfg


From jeroen at hackersbescherming.nl Sun Aug 14 10:26:51 2022
From: jeroen at hackersbescherming.nl (jeroen at hackersbescherming.nl)
Date: Sun, 14 Aug 2022 10:26:51 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To:
References: <78667.1660345273@segfault.tristatelogic.com> <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl>
Message-ID: <003001d8afb7$9b001720$d1004560$@hackersbescherming.nl>

My bad! I assumed that when u create or follow a training course that u want to learn or teach a way that ALWAYS works.

With my assumption of the below.
To solve the abuse problem u either need a system that can hold the abuser responsible or, and that would be even better, u need a system where nobody would grow an interest to even try to abuse, and when u start thinking into this direction all the other "BIG" problems in the world will become easy to solve. (Yes u read this right, they are easy to solve, we currently just use the wrong systems (all over the world) to guide and lead us)

When u would have a good system then a large portion or maybe even all of the current training material would be irrelevant since it is based on the current system that doesn't provide a solution for the problem.

What u are saying is that when I create a training that teaches 1+1=11 and someone out there wants to learn this that this would be a useful training .... (maybe for someone to do on his own but not for a global/regional solution).

It doesn't matter to which group u belong to, in the end we all belong to the same group called Humans....
We need a fair worldwide system where power is removed from all individuals!!!! (Since power always creates a form of abuse)

Kind regards,

Jeroen

-----Original Message-----
From: anti-abuse-wg On Behalf Of Hans-Martin Mosner via anti-abuse-wg
Sent: Saturday 13 August 2022 16:47
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] So many idiots. So little time.

On 13.08.22 at 14:13, jeroen at hackersbescherming.nl wrote:
> I would say perfect for that anti abuse training!

Training is useful if you want to learn and achieve the training subject matter.
Serverius (like many other hosting/colocation providers) is in the business of deflecting trouble from their customers. In an old antispam forum post I found this quote without exact source, which could be used verbatim by most of them:

> Serverius IT infrastructure is providing underlying infrastructure services without any hosting activities. Serverius is not a hosting provider as it has no data carrier hardware like servers or disk storage services under management (only our clients do). Serverius is only providing the parent data center colocation of client hardware and/or IP connectivity services that are used by clients to build their own infrastructure. Their services are used by millions of companies in the world. Therefore Serverius does not know what Serverius network users are hosting (it's technically impossible for us to see and forbidden by law) and Serverius is therefore not liable for what our customer hosts behind its own network and/or on his own infrastructure.

Legally, they may be right (of course they are not allowed to peek into their customer's servers). However, there's something more to it - you could have contract and AUP clauses which prohibit spamming/abuse and give the provider leverage to enforce that prohibition. But some providers apparently prefer to keep such clauses out of their contracts and don't want to waste money on abuse desk training because a well-paying customer is a well-paying customer after all. "Pecunia non olet", as Vespasian is reported to have said.

Those are not the target group for anti abuse training. They would probably need it, but first they would need the will to stop network abuse emanating from their infrastructure.
Cheers,
Hans-Martin


From hmm at heeg.de Sun Aug 14 15:47:19 2022
From: hmm at heeg.de (Hans-Martin Mosner)
Date: Sun, 14 Aug 2022 15:47:19 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To: <003001d8afb7$9b001720$d1004560$@hackersbescherming.nl>
References: <78667.1660345273@segfault.tristatelogic.com> <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl> <003001d8afb7$9b001720$d1004560$@hackersbescherming.nl>
Message-ID: <2901471d-b9e0-cf23-5b4f-318ea5f1efa6@heeg.de>

Jeroen,

it's hard to distinguish between straight statements and serious questions on one hand and sarcasm, rhetorical questions and strawman arguments on the other hand in written communication, especially when there sometimes seems to be a "mode switch". I'm trying to respond seriously and to be explicit about how I understood your statements.

On 14.08.22 at 10:26, jeroen at hackersbescherming.nl wrote:
> My bad! I assumed that when u create or follow a training course that u want to learn or teach a way that ALWAYS works.

I'm unsure whether you meant that seriously or sarcastically.

Of course the assumption is wrong. Training is a way of improving your ability to do something, not of learning something that always works. A football team will train to learn to play better and win more games, not to learn a way that will let them win ALWAYS. Similarly, an abuse desk team will train to learn ways of detecting abuse earlier, to distinguish between true and false abuse accusations, to use tools and automation to focus their human attention on the tricky problems instead of doing rote work, etc. None of that will guarantee that there will be no abuse from their network, but it will likely reduce the amount by catching it quicker and making it unattractive for spammers.
Of course, that's the theory, but my experience from the other side of the fence is that quick and swift action is the primary thing that reduces the amount of spam, and it should work equally well and on a larger volume on the provider side.

> With my assumption of the below.
> To solve the abuse problem u either need a system that can hold the abuser responsible or and that would be even better u need a system where nobody would grow an interest to even try to abuse

Did you forget a period here? As such, this sentence sort of makes sense, although I would not strive to "solve" the abuse problem but to reduce the volume and impact on recipients. Holding abusers responsible may be one way (although it would be necessary to define what that means).

A system where nobody would grow an interest to even try abuse is impossible; we know from the non-effectiveness of capital punishment against murder etc. that there is no effective deterrent that keeps people from wanting to do and actually doing horrible things. The only "effective" way would be to lock up everybody as a safety measure. That's like blocking access to port 25: surely it keeps out the spam, but would have some undesirable side effects.

So, this is not what I want.

> and when u start thinking into this direction all the other "BIG" problems in the world will become easy to solve. (Yes u read this right they are easy to solve, we currently just use the wrong systems (all over the world) to guide and lead us)

Is this a strawman argument of the form "we should not try to solve problem X because we can't solve problem Y and that's even bigger"? That's faulty logic, I assume written tongue-in-cheek.

> When u would have a good system then a large portion or maybe even all of the current training material would be irrelevant since it is based on the current system that doesn't provide a solution for the problem.
That's an assumption about the training material (which I haven't seen and know nothing about) and the current system that I don't share. It seems to imply that there is no way of reducing the amount of spam in the current system, which is IMO not true.

I do think that the current system is lacking in some areas but is overall usable, and that it is possible to reduce abuse within the framework of the current system. Usable training material would teach what can be done at one point (one provider) to achieve this without requiring undue cooperation from other players or changing the system. That is, actually doable changes to one's operation to reduce the amount of abuse.

> What u are saying is that when I create a training that teaches 1+1=11 and someone out there wants to learn this that this would be a useful training .... (maybe for someone to do on his own but not for a global/regional solution).

Looks like a strawman argument again. I'm not proposing that training should teach nonsense and that someone out there could want to learn nonsense, so this would be useful training. What I was saying is that a training course (which I presumed teaches something actually useful in reducing the spam load) can only be useful for organizations that want to get closer to that goal. If an organization does not share that goal (or has different main goals), they most likely would not want or need the training.

> It doesn't matter to which group u belong to, in the end we all belong to the same group called Humans....
> We need a fair worldwide system where power is removed from all individuals!!!! (Since power always creates a form of abuse)

Looks like a hyperbole/strawman argument again: "If we can't solve the worldwide power abuse issues, we should not even try to fight local abuse". Faulty logic.
> Kind regards,
>
> Jeroen

Cheers,
Hans-Martin


From gviviers at ripe.net Mon Aug 15 09:03:35 2022
From: gviviers at ripe.net (Gerardo Viviers)
Date: Mon, 15 Aug 2022 09:03:35 +0200
Subject: [anti-abuse-wg] Anti-Abuse Training - Final? Draft Slides & Zoom Call
In-Reply-To:
References:
Message-ID:

Hi Michele,

Thank you for the feedback. We have the option open to extend the duration of the webinar to one and a half hours if the content so requires it.

I hope this answers your concern.

Best regards,

Gerardo Viviers
RIPE NCC Learning & Development

> On 12 Aug 2022, at 12:19, Michele Neylon - Blacknight via anti-abuse-wg wrote:
>
> Brian et al
>
> I like the content, but I don't see how this could be delivered in one hour. There are 55 slides. That's roughly 1 slide per minute.
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
> Company No.: 370845
>
> From: anti-abuse-wg on behalf of Brian Nisbet
> Date: Friday, 12 August 2022 at 09:30
> To: anti-abuse-wg at ripe.net
> Subject: [anti-abuse-wg] Anti-Abuse Training - Final? Draft Slides & Zoom Call
>
> Colleagues,
>
> As you know the RIPE NCC L&D team has been working on a one hour anti-abuse training session. We've received substantial input from the WG and we're hoping that will continue as Gerardo and the team work to get everything into the final state.
>
> First off, this is the current slide deck.
> If you have the opportunity we would ask if you could take a look and either reply with your feedback to the list or directly to Gerardo - gviviers at ripe.net
>
> https://docs.google.com/presentation/d/1FylfGQoMrgg0xJjNnE3wLvcW9KV1KmwcE4ceuir-Msk/edit?usp=sharing
>
> We're also arranging for another online round table to discuss the material as needed, because sometimes voice is better than text.
>
> This will be taking place on Tuesday 27th September from 10:00 - 12:00 CEST on Zoom. The plan is to run down through the full slide deck and allow for comments and discussion as needed.
>
> The link to this call will be:
>
> https://ripe.zoom.us/j/91448568019?pwd=VDFKWEJqT2lkbFdGbVpaL0FmL1R1Zz09
>
> This call, as with any AA-WG activity, will be subject to the RIPE Community Code of Conduct.
>
> Thanks for all your work so far and I look forward to more productive discussion!
>
> Brian
> Co-Chair, RIPE AA-WG
>
> Brian Nisbet (he/him)
> Service Operations Manager
> HEAnet CLG, Ireland's National Education and Research Network
> 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
> +35316609040 brian.nisbet at heanet.ie www.heanet.ie
> Registered in Ireland, No. 275301. CRA No. 20036270


From alan at vanilla.co.za Mon Aug 22 11:40:05 2022
From: alan at vanilla.co.za (Alan Levin)
Date: Mon, 22 Aug 2022 11:40:05 +0200
Subject: [anti-abuse-wg] So many idiots. So little time.
In-Reply-To: <4C5881A5-0624-4CF3-85C5-EA31991586E6@ripe.net>
References: <78667.1660345273@segfault.tristatelogic.com> <007701d8af0e$0deda270$29c8e750$@hackersbescherming.nl> <003001d8afb7$9b001720$d1004560$@hackersbescherming.nl> <2901471d-b9e0-cf23-5b4f-318ea5f1efa6@heeg.de> <4C5881A5-0624-4CF3-85C5-EA31991586E6@ripe.net>
Message-ID:

On Mon, 22 Aug 2022 at 07:50, Alun Davies wrote:

> I'm out of office till 22 August. Any RIPE Labs related queries can be sent to labs at ripe.net and one of my colleagues will get back to you.

irony - three unsolicited messages on the same subject - appropriate too

> Jeroen,
>
> it's hard to distinguish between straight statements and serious questions on one hand and sarcasm, rhetorical questions and strawman arguments on the other hand in written communication, especially when there sometimes seems to be a "mode switch". I'm trying to respond seriously and to be explicit about how I understood your statements.
>
> On 14.08.22 at 10:26, jeroen at hackersbescherming.nl wrote:
> > My bad! I assumed that when u create or follow a training course that u want to learn or teach a way that ALWAYS works.
>
> I'm unsure whether you meant that seriously or sarcastically.
>
> Of course the assumption is wrong. Training is a way of improving your ability to do something, not of learning something that always works. A football team will train to learn to play better and win more games, not to learn a way that will let them win ALWAYS. Similarly, an abuse desk team will train to learn ways of detecting abuse earlier, to distinguish between true and false abuse accusations, to use tools and automation to focus their human attention on the tricky problems instead of doing rote work, etc. None of that will guarantee that there will be no abuse from their network, but it will likely reduce the amount by catching it quicker and making it unattractive for spammers.
> Of course, that's the theory, but my experience from the other side of the fence is that quick and swift action is the primary thing that reduces the amount of spam, and it should work equally well and on a larger volume on the provider side.
>
> > With my assumption of the below.
> > To solve the abuse problem u either need a system that can hold the abuser responsible or and that would be even better u need a system where nobody would grow an interest to even try to abuse
>
> Did you forget a period here? As such, this sentence sort of makes sense, although I would not strive to "solve" the abuse problem but to reduce the volume and impact on recipients. Holding abusers responsible may be one way (although it would be necessary to define what that means).
>
> A system where nobody would grow an interest to even try abuse is impossible; we know from the non-effectiveness of capital punishment against murder etc. that there is no effective deterrent that keeps people from wanting to do and actually doing horrible things. The only "effective" way would be to lock up everybody as a safety measure. That's like blocking access to port 25: surely it keeps out the spam, but would have some undesirable side effects.
>
> So, this is not what I want.
>
> > and when u start thinking into this direction all the other "BIG" problems in the world will become easy to solve. (Yes u read this right they are easy to solve, we currently just use the wrong systems (all over the world) to guide and lead us)
>
> Is this a strawman argument of the form "we should not try to solve problem X because we can't solve problem Y and that's even bigger"? That's faulty logic, I assume written tongue-in-cheek.
> > > > When u would have a good system then a large portion or maybe even all of > > the current training material would be irrelevant since it is based on > the > > current system that doesn't provide a solution for the problem. > > > > That's an assumption about the training material (which I haven't seen > and know nothing about) and the current system that I don't share. It seems > to imply that there is no way of reducing the amount of spam in the current > system, which is IMO not true. > > > > I do think that the current system is lacking in some areas but is > overall usable, and that it is possible to reduce abuse within the > framework of the current system. Usable training material would teach what > can be done at one point (one provider) to achive this without requiring > undue cooperation from other players or changing the system. That is, > actually doable changes to one's operation to reduce the amount of abuse. > > > > > > What u are saying is that when I create a training that teaches 1+1=11 > and > > someone out there wants to learn this that this would be a usefull > training > > .... (maybe for someone to do on his own but not for a global/regional > > solution). > > Looks like a strawman argument again. I'm not proposing that training > should teach nonsense and that someone out there could want to learn > nonsense, so this would be useful training. What I was saying is that a > training course (which I presumed teaches something actually useful in > reducing the spam load) can only be useful for organizations that want to > get closer to that goal. If an organization does not share that goal (or > has different main goals), they most likely would not want or need the > training. > > > > It doesn't matter to which group u belong to, in the end we all belong to > > the same group called Humans.... > > We need a fair worldwide system where power is removed from all > > individuals!!!! 
(Since power allways creates a form of abuse) > > > > Looks like a hyperbole/strawman argument again: "If we can't solve the > worldwide power abuse issues, we should not even try to fight local abuse". > Faulty logic. > > > > Kind regards, > > > > Jeroen > > Cheers, > > Hans-Martin > > > > -- > > > > To unsubscribe from this mailing list, get a password reminder, or > change your subscription options, please visit: > https://lists.ripe.net/mailman/listinfo/anti-abuse-wg > -- > > To unsubscribe from this mailing list, get a password reminder, or change > your subscription options, please visit: > https://lists.ripe.net/mailman/listinfo/anti-abuse-wg > -- Alan Levin ---------------------------------- +27 21 4882820 (ddi) -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.nisbet at heanet.ie Mon Aug 22 12:18:58 2022 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Mon, 22 Aug 2022 10:18:58 +0000 Subject: [anti-abuse-wg] Call For Agenda Items - RIPE 85 Message-ID: Colleagues, We hope you're all having a good summer! As you have hopefully seen, registration has now opened for RIPE 85 in Belgrade - https://ripe85.ripe.net/ The meeting, running from the 24th - 28th October, will be hybrid and we're hoping to continue to evolve and make it as useful as possible for those in person and remote. The Anti-Abuse WG will be meeting and Markus, Tobias and I would invite people to submit topics for discussion, presentations for general enlightenment and, of course, work items for the working group. Speakers & presenters can either be present in Belgrade or reaching us live via the Internet! The session is currently scheduled for Thursday 27th October, but the date and time may both change as the various agendas fill up, we'll keep you posted. 
As always you can reach us at aa-wg-chair at ripe.net

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

From adavies at ripe.net Mon Aug 22 15:50:26 2022
From: adavies at ripe.net (Alun Davies)
Date: Mon, 22 Aug 2022 15:50:26 +0200
Subject: [anti-abuse-wg] Apologies for spam
Message-ID: <377F9F6D-1D5D-4B5C-A063-76A5F6920C4A@ripe.net>

Hello all,

My apologies to everyone who received my out of office response this morning. Just wanted to note that the relevant messages have now been removed from the archives.

Again, sorry for the spam!

Best regards,
Alun Davies
RIPE NCC

From angel.gonzalez at incibe.es Mon Aug 22 15:55:23 2022
From: angel.gonzalez at incibe.es (Ángel González Berdasco)
Date: Mon, 22 Aug 2022 13:55:23 +0000
Subject: [anti-abuse-wg] Autoresponders
Message-ID:

On 2022-08-22 at 11:40 +0200, Alan Levin wrote:
> On Mon, 22 Aug 2022 at 07:50, someone wrote:
> > I'm out of office till 22 August. Any RIPE Labs related queries can be sent to labs at ripe.net and one of my colleagues will get back to you.
>
> irony - three unsolicited messages on the same subject - appropriate too

This list was lucky. db-wg received 477 copies of this Out of Office message.

It actually serves as a great example of what an autoresponder shall *not* be doing:

* It only ran when the user returned to the office
* It replied to every message, with no waiting period
* It replied to mailing lists [1]
* It replied *to its own vacation message* distributed by the mailing list, creating a loop

And it happened from inside the same organization, so the delivery delay would have been minimal.
It must have been a tiny Bedlam3 for RIPE.

RFC 3834 recommendations were not pointless musings.

Kind regards

[1] The list properly contained a Precedence: list header, so no fault of the mailing list software here.

--
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
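The four failures listed above map onto checks RFC 3834 asks of an autoresponder. The following Python is an added example (not from the thread or from INCIBE): a small vacation-responder policy evaluated against constructed sample messages; the addresses, dates and the seven-day interval are assumptions.

```python
import email
from datetime import datetime, timedelta
from email.utils import parseaddr

# Constructed sample messages (headers only; not taken from the list archive).
LIST_MAIL = """From: someone@example.net
To: anti-abuse-wg@ripe.net
Precedence: list
Subject: [anti-abuse-wg] Anti-Abuse Training
"""
OWN_NOTICE_VIA_LIST = """From: alun@example.net
To: anti-abuse-wg@ripe.net
Precedence: list
Auto-Submitted: auto-replied
Subject: Out of office
"""
DIRECT_MAIL = """From: colleague@example.org
To: alun@example.net
Subject: RIPE Labs query
"""

class VacationResponder:
    """Auto-reply policy along the lines of RFC 3834; each check blocks one of
    the behaviours listed above (late start, no waiting period, replying to
    lists, answering its own notice) and so prevents the loop."""

    def __init__(self, own_addresses, away_until, min_interval=timedelta(days=7)):
        self.own = {a.lower() for a in own_addresses}
        self.away_until = away_until          # stop as soon as the user is back
        self.min_interval = min_interval      # one notice per sender per interval
        self.last_reply = {}                  # envelope sender -> time of last notice

    def should_reply(self, raw, now):
        """Return (decision, reason); only True leads to an outgoing notice."""
        msg = email.message_from_string(raw)
        if now >= self.away_until:
            return False, "not away any more"
        if msg.get("Auto-Submitted", "no").lower() != "no":
            return False, "automatic message (e.g. our own notice echoed by a list)"
        if msg.get("Precedence", "").lower() in ("list", "bulk", "junk") or msg.get("List-Id"):
            return False, "mailing-list traffic"
        # Decide on the envelope sender (Return-Path); "<>" marks a bounce and
        # parses to an empty address, which is refused as well.
        sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
        if not sender or sender in self.own:
            return False, "bounce or ourselves"
        if not any(a in msg.get("To", "").lower() for a in self.own):
            return False, "we are not a direct recipient"
        last = self.last_reply.get(sender)
        if last is not None and now - last < self.min_interval:
            return False, "this sender was notified recently"
        self.last_reply[sender] = now
        return True, "send notice (with Auto-Submitted: auto-replied set on it)"

def run_scenarios():
    """Evaluate the samples; returns {scenario: decision}."""
    r = VacationResponder(["alun@example.net"], away_until=datetime(2022, 8, 22))
    t = datetime(2022, 8, 15, 9, 0)
    return {"list_mail": r.should_reply(LIST_MAIL, t)[0],
            "own_notice": r.should_reply(OWN_NOTICE_VIA_LIST, t)[0],
            "direct_first": r.should_reply(DIRECT_MAIL, t)[0],
            "direct_again": r.should_reply(DIRECT_MAIL, t + timedelta(days=1))[0],
            "after_return": r.should_reply(DIRECT_MAIL, datetime(2022, 8, 22, 8))[0]}
```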
From siyuan at misaka.io Tue Aug 23 01:51:14 2022
From: siyuan at misaka.io (Siyuan Miao)
Date: Tue, 23 Aug 2022 01:51:14 +0200
Subject: [anti-abuse-wg] Yet another BGP hijacking towards AS16509
Message-ID:

Hi folks,

Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509.

The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB:
(Below is our IRRd4 server NRTM logging, UTC timezone)

irrd.log-20220817.gz:31106270-ADD 96126
irrd.log-20220817.gz:31106280-
irrd.log-20220817.gz:31106281-as-set: AS-SET209243
irrd.log-20220817.gz:31106306-descr: quickhost set
irrd.log-20220817.gz:31106332-members: AS209243, AS16509
irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31106392-changed: crussell at quickhostuk.net 20220816
irrd.log-20220817.gz:31106438-source: ALTDB

irrd.log-20220817.gz:31147549-ADD 96127
irrd.log-20220817.gz:31147559-
irrd.log-20220817.gz:31147560-route: 44.235.216.0/24
irrd.log-20220817.gz:31147588-descr: route
irrd.log-20220817.gz:31147606-origin: AS16509
irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31147656-changed: crussell at quickhostuk.net 20220816
irrd.log-20220817.gz:31147702-source: ALTDB

Then they started announcing the prefix ... under another AWS ASN (AS14618)
I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable.
https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp

Type: A > announce
Involving: 44.235.216.0/24
Short description: The new route 34854 1299 209243 14618 has been announced
Path: 34854, 1299, 209243, 14618,
Community: 1299:35000,34854:3001
Date and time: 2022-08-17 19:39:50
Collected by: 00-2.56.11.1

Hijacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. Kudos to Amazon's security team :-)

Type: A > announce
Involving: 44.235.216.0/24
Short description: The new route 58057 34549 5511 1299 16509 has been announced
Path: 58057, 34549, 5511, 1299, 16509,
Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511
Date and time: 2022-08-17 23:08:47
Collected by: 00-194.50.92.251

The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to notice them ...

irrd.log-20220819.gz:26517714-ADD 96196
irrd.log-20220819.gz:26517724-
irrd.log-20220819.gz:26517725:as-set: AS-SET209243
irrd.log-20220819.gz:26517750-descr: quickhost set
irrd.log-20220819.gz:26517776-members: AS209243, AS35437, AS37497
irrd.log-20220819.gz:26517815-mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26517845-changed: crussell at quickhostuk.net 20220817
irrd.log-20220819.gz:26517891-source: ALTDB

irrd.log-20220819.gz:26517910-DEL 96197
irrd.log-20220819.gz:26517920-
irrd.log-20220819.gz:26517921-route: 44.235.216.0/24
irrd.log-20220819.gz:26517949-descr: route
irrd.log-20220819.gz:26517967-origin: AS16509
irrd.log-20220819.gz:26517987-mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26518017-changed: crussell at quickhostuk.net 20220816
irrd.log-20220819.gz:26518063-source: ALTDB

Nowadays hijacking a service by forging AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-(

Regards,
Siyuan
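The check the message says AS1299 did not apply can be run over the NRTM log excerpt itself. The following Python is an added example (not part of the message or of IRRd): it replays the quoted ADD records into an as-set view and tests the observed AS path against the customer's registered as-set; the transit-side filter mapping for AS1299 is an assumption.

```python
import re

# Constructed NRTM/grep excerpt reusing the object values quoted above.
NRTM_LOG = """\
irrd.log-20220817.gz:31106270-ADD 96126
irrd.log-20220817.gz:31106281-as-set: AS-SET209243
irrd.log-20220817.gz:31106332-members: AS209243, AS16509
irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31147549-ADD 96127
irrd.log-20220817.gz:31147560-route: 44.235.216.0/24
irrd.log-20220817.gz:31147606-origin: AS16509
irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK
"""
GREP_PREFIX = re.compile(r"^irrd\.log-\d+\.gz:\d+[-:]")  # "file:lineno-" added by grep

def parse_nrtm(text):
    """[(op, serial, {attr: value})] for each ADD/DEL record in the log."""
    records = []
    for raw in text.splitlines():
        line = GREP_PREFIX.sub("", raw)
        if line.startswith(("ADD ", "DEL ")):
            op, serial = line.split()
            records.append((op, int(serial), {}))
        elif ":" in line and records:
            key, _, val = line.partition(":")
            records[-1][2][key.strip()] = val.strip()
    return records

def as_set_members(records):
    """{as-set name: direct members} after replaying ADD/DEL records in order."""
    sets = {}
    for op, _, obj in records:
        if "as-set" not in obj:
            continue                       # route objects etc. are not needed here
        if op == "ADD":
            sets[obj["as-set"]] = {m.strip() for m in obj.get("members", "").split(",") if m.strip()}
        else:
            sets.pop(obj["as-set"], None)
    return sets

def expand(sets, name, seen=()):
    """Plain ASNs covered by an as-set, following nested sets without looping."""
    asns = set()
    for m in sets.get(name, ()):
        if not m.upper().startswith("AS-"):
            asns.add(m)
        elif m not in seen:
            asns |= expand(sets, m, seen + (name,))
    return asns

def rejected_links(sets, path, customer_filters):
    """The check the message says AS1299 did not apply: a route learned from a
    customer must originate inside that customer's registered as-set.
    customer_filters = {(transit, customer): as-set name}; returns failing links."""
    origin = path[-1]
    return [(t, c) for t, c in zip(path, path[1:]) if (t, c) in customer_filters
            and origin not in expand(sets, customer_filters[(t, c)])]

def demo():
    sets = as_set_members(parse_nrtm(NRTM_LOG))
    filters = {("AS1299", "AS209243"): "AS-SET209243"}  # assumed transit-side filter
    seen_path = ["AS34854", "AS1299", "AS209243", "AS14618"]  # BGPlay, 2022-08-17 19:39:50
    return {"members": sorted(expand(sets, "AS-SET209243")),
            "rejected": rejected_links(sets, seen_path, filters)}
```

An announcement with origin AS16509 would have passed this filter, because the forged as-set listed AS16509; the check only catches the origin mismatch the message points out.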
From siyuan at misaka.io Tue Aug 23 02:15:47 2022
From: siyuan at misaka.io (Siyuan Miao)
Date: Tue, 23 Aug 2022 02:15:47 +0200
Subject: [anti-abuse-wg] Yet another BGP hijacking towards AS16509
In-Reply-To:
References:
Message-ID:

Just noticed another thing:

$ whois -h whois.ripe.net -- "--list-versions AS1299" | tail -n10
2862 2022-07-11T14:44:49Z ADD/UPD
2863 2022-07-27T11:17:25Z ADD/UPD
2864 2022-08-02T08:43:02Z ADD/UPD
2865 2022-08-10T12:11:29Z ADD/UPD
2866 2022-08-17T10:47:43Z ADD/UPD
2867 2022-08-18T12:53:37Z ADD/UPD

% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)

$ whois -h whois.ripe.net -- "--show-version 2865 AS1299" | grep 209243

$ whois -h whois.ripe.net -- "--show-version 2866 AS1299" | grep 209243
import: from AS209243 accept AS209243
mp-import: afi ipv6 from AS209243 accept AS209243

$ whois -h whois.ripe.net -- "--show-version 2867 AS1299" | grep 209243
import: from AS209243 accept AS-SET209243
mp-import: afi ipv6 from AS209243 accept AS-SET209243

Looks like the first thing that AS209243 had done after they got AS1299 transit is ... hijacking an Amazon prefix ..?

On Tue, Aug 23, 2022 at 1:51 AM Siyuan Miao wrote:
> Hi folks,
>
> Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509.
>
> [...]

From rfg at tristatelogic.com Tue Aug 23 04:03:19 2022
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Mon, 22 Aug 2022 19:03:19 -0700
Subject: [anti-abuse-wg] Yet another BGP hijacking towards AS16509
In-Reply-To:
Message-ID: <81042.1661220199@segfault.tristatelogic.com>

In message , Siyuan Miao wrote:

>Hijacking didn't last too long. AWS started announcing a more specific
>announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
>security team :-)

Sorry. I'm missing something here. If the hijack was of 44.235.216.0/24, then how did AWS propagate a "more specific" than that?

Regards,
rfg

From siyuan at misaka.io Tue Aug 23 04:05:16 2022
From: siyuan at misaka.io (Siyuan Miao)
Date: Tue, 23 Aug 2022 04:05:16 +0200
Subject: [anti-abuse-wg] Yet another BGP hijacking towards AS16509
In-Reply-To: <81042.1661220199@segfault.tristatelogic.com>
References: <81042.1661220199@segfault.tristatelogic.com>
Message-ID:

Amazon was only announcing 44.224.0.0/11 at first.

https://bgp.tools/prefix/44.235.216.0/24

On Tue, Aug 23, 2022 at 4:03 AM Ronald F. Guilmette wrote:
> In message <CAO3CAMoT9gC_Evd-CcZg06A-o_MajmLtxLHbXFnauDoMyqoSYg at mail.gmail.com>, Siyuan Miao wrote:
>
> >Hijacking didn't last too long. AWS started announcing a more specific
> >announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
> >security team :-)
>
> Sorry. I'm missing something here. If the hijack was of 44.235.216.0/24, then how did AWS propagate a "more specific" than that?
>
> Regards,
> rfg
>
> --
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit:
> https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
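The manual comparison of aut-num versions done earlier in this thread with --list-versions and --show-version can be automated. This Python is an added example (not from the thread or from the RIPE Database tooling): it takes the version list and constructed per-version excerpts holding only the quoted import lines, and reports when a peer first appears in AS1299's import policy and when its accept filter widens from a single ASN to an as-set.

```python
import re

# Constructed inputs (not captured output): the version list as printed by
# "--list-versions", and per-version aut-num excerpts holding only the import
# lines quoted above. Real aut-num objects carry many more attributes.
LIST_VERSIONS = """\
2865 2022-08-10T12:11:29Z ADD/UPD
2866 2022-08-17T10:47:43Z ADD/UPD
2867 2022-08-18T12:53:37Z ADD/UPD
"""
OBJECTS = {
    2865: "aut-num: AS1299\n",
    2866: ("aut-num: AS1299\n"
           "import: from AS209243 accept AS209243\n"
           "mp-import: afi ipv6 from AS209243 accept AS209243\n"),
    2867: ("aut-num: AS1299\n"
           "import: from AS209243 accept AS-SET209243\n"
           "mp-import: afi ipv6 from AS209243 accept AS-SET209243\n"),
}
VERSION_LINE = re.compile(r"^\s*(\d+)\s+(\S+Z)\s+ADD/UPD")
IMPORT_LINE = re.compile(
    r"^(?:mp-)?import:\s*(?:afi\s+(\S+)\s+)?from\s+(AS\d+)\s+accept\s+(.+?)\s*$", re.I)

def parse_versions(text):
    """[(version, timestamp)] from --list-versions output, oldest first."""
    return [(int(m.group(1)), m.group(2))
            for m in map(VERSION_LINE.match, text.splitlines()) if m]

def import_policy(text):
    """{(afi, peer): accept-expression} for each import/mp-import line."""
    policy = {}
    for m in filter(None, map(IMPORT_LINE.match, text.splitlines())):
        policy[((m.group(1) or "ipv4").lower(), m.group(2).upper())] = m.group(3)
    return policy

def policy_changes(old_text, new_text):
    """{(afi, peer): (old accept, new accept)} where the two versions differ."""
    old, new = import_policy(old_text), import_policy(new_text)
    return {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys()
            if old.get(k) != new.get(k)}

def classify(before, after):
    """Label a change; a filter going from one ASN to an as-set lets the peer
    originate whatever its as-set members register, so it deserves a look."""
    if before is None:
        return "new-peer"
    if after.upper().startswith("AS-") and not before.upper().startswith("AS-"):
        return "widened-to-as-set"
    return "changed"

def review(list_versions, objects):
    """Walk consecutive versions; (version, time, afi, peer, label) per change."""
    versions = parse_versions(list_versions)
    events = []
    for (v_old, _), (v_new, when) in zip(versions, versions[1:]):
        changes = policy_changes(objects[v_old], objects[v_new])
        for (afi, peer), (before, after) in sorted(changes.items()):
            if after is not None:          # removed import lines are skipped here
                events.append((v_new, when, afi, peer, classify(before, after)))
    return events
```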