Perhaps a code of conduct, with de-registration of resources if the
entity does not comply, and enforcement costs to be levied against the
annual fee imposed for the registering of IP resources.
On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
Hi whoever you are,
(typically it's not a good sign, if you need hide behind an anonymous
alias).
I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get you point.
I think it's not feasible that you need to somehow proof you are
legitimate, the same way you should not need to proof you're a honest
citizen before you get, e.g. an apartment.
What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
for illicit things, what ever they may be (annoying your neighbors
through excessive noise, running a drug empire, ....)
That's what this group seems to consistently fail to come up with for
various reasons.
As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.
The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.
This is not a technical issue.
Best
Serge
On 25.06.20 09:26, PP wrote:
Firstly, reporting it to the LEO does not cause the resources to be
de-registered.
Secondly, your example regarding IPv6 is another reason why this
approach is not sufficient: there are
340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
addresses.
It should be that the resources are only allocated to legitimate
established corporations.
Phone numbers aren't wholly allocated to anyone who asks, they remain
controlled by a reputable phone company. Why should IP addresses be
different?
On 25/06/2020 4:50 pm, Shane Kerr wrote:
Dear Phish Phucker,
The RIPE NCC is a not-for-profit, membership-based organization based
in the Netherlands. They are responsible for allocating Internet
number resources (IP addresses and AS numbers) in their region. Their
policies are set by RIPE, which is just anyone who joins the RIPE
mailing lists and participates in the policy discussions.
I'm not sure what policy can be introduced. Historically RIPE
participants have been reluctant to make any value judgements about
what IP resources can and cannot be used for. Currently as long as you
are truthful about your organization's registration information you
have fulfilled the requirements.
In a sense this should be enough. The information is available for
anyone who cares about protecting their users from spam originating
there. Spamhaus lists the organization, and I am pretty sure that most
e-mail providers either block their IP addresses because of that - or
have their own abuse tracking which identifies them. It's not
perfect... I had to change VPS provider because my previous VPS
provider kept having its IPv6 addresses blocked by Spamhaus and
neither my provider nor Spamhaus would explain why (my provider
claimed to have never received any complains, and Spamhaus never
explains anything). But it seems to be good enough for most people.
If an organization is breaking a law, then the correct action is to
report them to the law-enforcement organization (LEO) that feels like
it is in their jurisdiction. Again, since the member is required by
the RIPE NCC to have correct information about the person or
organization that has been allocated resources, the LEO can follow-up.
It's hardly an ideal situation, but difficult to see how to improve it
given the general anti-regulation philosophy of most Internet providers.
Cheers,
--
Shane
On 25/06/2020 08.03, PP wrote:
So who at RIPE is responsible for allocating this resource, and what
policy can be introduced to prevent the allocation of IP address
resources to irresponsible organizations like this one?
SpamHaus have it listed as the worlds number one source of spam:
https://www.spamhaus.org/statistics/networks/
On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
We've had similar experience with this VPN provider.
He claims not being able to track malicious actor is for the benefit
of free speech but when malware is used to attack people who express
free speech he did not understand that his service is not
contributing towards free speech but hinders it.
Tonu
CERT-EE
On 25.06.2020 04:15, PP wrote:
Botnet controllers on VPN provider that refuses to act:
organisation: ORG-SL751-RIPE
org-name: Freedom Of Speech VPN
org-type: OTHER
address: P.O. Box 9173
address: Victoria
address: Mahe Island
address: Seychelles
e-mail: i...@fos-vpn.org
abuse-c: SL12644-RIPE
mnt-ref: FOS-VPN-MNT
mnt-by: FOS-VPN-MNT
created: 2018-07-13T05:33:45Z
last-modified: 2020-02-28T12:37:39Z
source: RIPE
-------- Forwarded Message --------
Subject: Re: botnet controllers
Date: Wed, 24 Jun 2020 21:49:21 +0200
From: i...@ghlc.biz
To: PP <phishphuc...@storey.ovh>
On 2020-06-24 13:03, PP wrote:
Hello!
Please note that all mentioned IPs belong to non-logging VPN services.
No user logs are kept.
Sincerely yours
David Craig
SBL488704
185.140.53.75/32
ghlc.biz
23-Jun-2020 05:26 GMT
Malware botnet controller @185.140.53.75
https://www.spamhaus.org/sbl/query/SBL488704
SBL488686
91.193.75.58/32
ghlc.biz
22-Jun-2020 18:39 GMT
NanoCore botnet controller @91.193.75.58
https://www.spamhaus.org/sbl/query/SBL488686
SBL488548
185.244.30.201/32
ghlc.biz
19-Jun-2020 13:21 GMT
QuasarRAT botnet controller @185.244.30.201
https://www.spamhaus.org/sbl/query/SBL488548
SBL488006
185.140.53.162/32
ghlc.biz
18-Jun-2020 10:11 GMT
NanoCore botnet controller @185.140.53.162
https://www.spamhaus.org/sbl/query/SBL488006
SBL487900
185.140.53.229/32
ghlc.biz
16-Jun-2020 13:28 GMT
NanoCore botnet controller @185.140.53.229
https://www.spamhaus.org/sbl/query/SBL487900
SBL487899
185.244.30.113/32
ghlc.biz
16-Jun-2020 12:59 GMT
RemcosRAT botnet controller @185.244.30.113
https://www.spamhaus.org/sbl/query/SBL487899
SBL487893
185.140.53.236/32
ghlc.biz
16-Jun-2020 12:07 GMT
NanoCore botnet controller @185.140.53.236
https://www.spamhaus.org/sbl/query/SBL487893
SBL487886
185.165.153.45/32
ghlc.biz
16-Jun-2020 10:26 GMT
NanoCore botnet controller @185.165.153.45
https://www.spamhaus.org/sbl/query/SBL487886
