Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread Alistair Mackenzie via anti-abuse-wg
Hi {Firstname},

Discussion usually happens before we get to a policy proposal.

If you have a policy ready to propose then please feel free to send it
and we can base a discussion around that.

Thanks,
Alistair


On 25/06/2020 10:56, PP wrote:
> I see a lot of discussion, but no formal policy proposal.
> 
> 
> 
> On 25/06/2020 7:23 pm, Serge Droz via anti-abuse-wg wrote:
>>
>> On 25.06.20 10:22, PP wrote:
>>> Perhaps a code of conduct, with de-registration of resources if the
>>> entity does not comply, and enforcement costs to be levied against the
>>> annual fee imposed for the registering of IP resources.
>>>
>> I'm all in favour, but I'm afraid we've had this discussion in here in
>> the past.
>>
>> We can't even agree on the principles, let alone the details.
>>
>> This seems to be harder than world peace.
>>
>> Best
>> Serge
>>> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>>>> Hi whoever you are,
>>>> (typically it's not a good sign, if you need to hide behind an anonymous
>>>> alias).
>>>>
>>>>
>>>> I think the comparison to phone numbers is bad, that area is plagued by
>>>> very similar issues. But I get your point.
>>>>
>>>> I think it's not feasible that you need to somehow prove you are
>>>> legitimate, the same way you should not need to prove you're an honest
>>>> citizen before you get, e.g. an apartment.
>>>>
>>>> What we need however is a standard of what is acceptable behavior and
>>>> use of the resources you get, together with a process to remediate
>>>> failure to comply and possibly sanctions. I.e. if you use your apartment
>>>> for illicit things, whatever they may be (annoying your neighbors
>>>> through excessive noise, running a drug empire, )
>>>>
>>>> That's what this group seems to consistently fail to come up with for
>>>> various reasons.
>>>>
>>>> As a reputable VPN Provider you can be log-less and yet still follow up
>>>> on abuse. I would argue that actually doing so will make your service
>>>> better for the people that legitimately need it.
>>>>
>>>> The VPN business is, not unlike the Domain business: A lot of greedy
>>>> people with big egos.
>>>>
>>>> This is not a technical issue.
>>>>
>>>> Best
>>>> Serge
>>>>
>>>>
>>>>
>>>> On 25.06.20 09:26, PP wrote:
>>>>> Firstly, reporting it to the LEO does not cause the resources to be
>>>>> de-registered.
>>>>>
>>>>> Secondly, your example regarding IPv6 is another reason why this
>>>>> approach is not sufficient: there are
>>>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>>>> addresses.
>>>>>
>>>>>
>>>>> It should be that the resources are only allocated to legitimate
>>>>> established corporations.
>>>>>
>>>>>
>>>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>>>> controlled by a reputable phone company. Why should IP addresses be
>>>>> different?
>>>>>
>>>>>
>>>>>
>>>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>>>> Dear Phish Phucker,
>>>>>>
>>>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>>>> in the Netherlands. They are responsible for allocating Internet
>>>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>>>> mailing lists and participates in the policy discussions.
>>>>>>
>>>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>>>> participants have been reluctant to make any value judgements about
>>>>>> what IP resources can and cannot be used for. Currently as long as you
>>>>>> are truthful about your organization's registration information you
>>>>>> have fulfilled the requirements.
>>>>>>
>>>>>> In a sense this should be enough. The information is available for
>>>>>> anyone who cares about protecting their users from spam originating
>>>>>> there. Spamhaus lists the organization, and I am pretty sure that most
>>>>>> e-mail providers either block their IP addresses because of that - or
>>>>>> have their own abuse tracking which identifies them. It's not
>>>>>> perfect... I had to change VPS provider because my previous VPS
>>>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>>>> neither my provider nor Spamhaus would explain why (my provider
>>>>>> claimed to have never received any complaints, and Spamhaus never
>>>>>> explains anything). But it seems to be good enough for most people.
>>>>>>
>>>>>> If an organization is breaking a law, then the correct action is to
>>>>>> report them to the law-enforcement organization (LEO) that feels like
>>>>>> it is in their jurisdiction. Again, since the member is required by
>>>>>> the RIPE NCC to have correct information about the person or
>>>>>> organization that has been allocated resources, the LEO can follow-up.
>>>>>>
>>>>>> It's hardly an ideal situation, but difficult to see how to improve it
>>>>>> given the general anti-regulation philosophy of most Internet
>>>>>> providers.
>>>>>>

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread PP

I see a lot of discussion, but no formal policy proposal.



On 25/06/2020 7:23 pm, Serge Droz via anti-abuse-wg wrote:


On 25.06.20 10:22, PP wrote:

Perhaps a code of conduct, with de-registration of resources if the
entity does not comply, and enforcement costs to be levied against the
annual fee imposed for the registering of IP resources.


I'm all in favour, but I'm afraid we've had this discussion in here in
the past.

We can't even agree on the principles, let alone the details.

This seems to be harder than world peace.

Best
Serge

On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:

Hi whoever you are,
(typically it's not a good sign, if you need to hide behind an anonymous
alias).


I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get your point.

I think it's not feasible that you need to somehow prove you are
legitimate, the same way you should not need to prove you're an honest
citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
for illicit things, whatever they may be (annoying your neighbors
through excessive noise, running a drug empire, )

That's what this group seems to consistently fail to come up with for
various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.

The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.

This is not a technical issue.

Best
Serge



On 25.06.20 09:26, PP wrote:

Firstly, reporting it to the LEO does not cause the resources to be
de-registered.

Secondly, your example regarding IPv6 is another reason why this
approach is not sufficient: there are
340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
addresses.


It should be that the resources are only allocated to legitimate
established corporations.


Phone numbers aren't wholly allocated to anyone who asks, they remain
controlled by a reputable phone company. Why should IP addresses be
different?



On 25/06/2020 4:50 pm, Shane Kerr wrote:

Dear Phish Phucker,

The RIPE NCC is a not-for-profit, membership-based organization based
in the Netherlands. They are responsible for allocating Internet
number resources (IP addresses and AS numbers) in their region. Their
policies are set by RIPE, which is just anyone who joins the RIPE
mailing lists and participates in the policy discussions.

I'm not sure what policy can be introduced. Historically RIPE
participants have been reluctant to make any value judgements about
what IP resources can and cannot be used for. Currently as long as you
are truthful about your organization's registration information you
have fulfilled the requirements.

In a sense this should be enough. The information is available for
anyone who cares about protecting their users from spam originating
there. Spamhaus lists the organization, and I am pretty sure that most
e-mail providers either block their IP addresses because of that - or
have their own abuse tracking which identifies them. It's not
perfect... I had to change VPS provider because my previous VPS
provider kept having its IPv6 addresses blocked by Spamhaus and
neither my provider nor Spamhaus would explain why (my provider
claimed to have never received any complaints, and Spamhaus never
explains anything). But it seems to be good enough for most people.

If an organization is breaking a law, then the correct action is to
report them to the law-enforcement organization (LEO) that feels like
it is in their jurisdiction. Again, since the member is required by
the RIPE NCC to have correct information about the person or
organization that has been allocated resources, the LEO can follow-up.

It's hardly an ideal situation, but difficult to see how to improve it
given the general anti-regulation philosophy of most Internet
providers.

Cheers,

--
Shane

On 25/06/2020 08.03, PP wrote:

So who at RIPE is responsible for allocating this resource, and what
policy can be introduced to prevent the allocation of IP address
resources to irresponsible organizations like this one?

SpamHaus have it listed as the world's number one source of spam:

https://www.spamhaus.org/statistics/networks/



On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:

We've had similar experience with this VPN provider.

He claims not being able to track malicious actor is for the benefit
of free speech but when malware is used to attack people who express
free speech he did not understand that his service is not
contributing towards free speech but hinders it.

Tonu
CERT-EE

On 25.06.2020 04:15, PP wrote:

Botnet controllers on VPN provider that refuses to act:


  organisation:    

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread Serge Droz via anti-abuse-wg



On 25.06.20 10:22, PP wrote:
> Perhaps a code of conduct, with de-registration of resources if the
> entity does not comply, and enforcement costs to be levied against the
> annual fee imposed for the registering of IP resources.
> 

I'm all in favour, but I'm afraid we've had this discussion in here in
the past.

We can't even agree on the principles, let alone the details.

This seems to be harder than world peace.

Best
Serge
> 
> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>> Hi whoever you are,
>> (typically it's not a good sign, if you need to hide behind an anonymous
>> alias).
>>
>>
>> I think the comparison to phone numbers is bad, that area is plagued by
>> very similar issues. But I get your point.
>>
>> I think it's not feasible that you need to somehow prove you are
>> legitimate, the same way you should not need to prove you're an honest
>> citizen before you get, e.g. an apartment.
>>
>> What we need however is a standard of what is acceptable behavior and
>> use of the resources you get, together with a process to remediate
>> failure to comply and possibly sanctions. I.e. if you use your apartment
>> for illicit things, whatever they may be (annoying your neighbors
>> through excessive noise, running a drug empire, )
>>
>> That's what this group seems to consistently fail to come up with for
>> various reasons.
>>
>> As a reputable VPN Provider you can be log-less and yet still follow up
>> on abuse. I would argue that actually doing so will make your service
>> better for the people that legitimately need it.
>>
>> The VPN business is, not unlike the Domain business: A lot of greedy
>> people with big egos.
>>
>> This is not a technical issue.
>>
>> Best
>> Serge
>>
>>
>>
>> On 25.06.20 09:26, PP wrote:
>>> Firstly, reporting it to the LEO does not cause the resources to be
>>> de-registered.
>>>
>>> Secondly, your example regarding IPv6 is another reason why this
>>> approach is not sufficient: there are
>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>> addresses.
>>>
>>>
>>> It should be that the resources are only allocated to legitimate
>>> established corporations.
>>>
>>>
>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>> controlled by a reputable phone company. Why should IP addresses be
>>> different?
>>>
>>>
>>>
>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>> Dear Phish Phucker,
>>>>
>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>> in the Netherlands. They are responsible for allocating Internet
>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>> mailing lists and participates in the policy discussions.
>>>>
>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>> participants have been reluctant to make any value judgements about
>>>> what IP resources can and cannot be used for. Currently as long as you
>>>> are truthful about your organization's registration information you
>>>> have fulfilled the requirements.
>>>>
>>>> In a sense this should be enough. The information is available for
>>>> anyone who cares about protecting their users from spam originating
>>>> there. Spamhaus lists the organization, and I am pretty sure that most
>>>> e-mail providers either block their IP addresses because of that - or
>>>> have their own abuse tracking which identifies them. It's not
>>>> perfect... I had to change VPS provider because my previous VPS
>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>> neither my provider nor Spamhaus would explain why (my provider
>>>> claimed to have never received any complaints, and Spamhaus never
>>>> explains anything). But it seems to be good enough for most people.
>>>>
>>>> If an organization is breaking a law, then the correct action is to
>>>> report them to the law-enforcement organization (LEO) that feels like
>>>> it is in their jurisdiction. Again, since the member is required by
>>>> the RIPE NCC to have correct information about the person or
>>>> organization that has been allocated resources, the LEO can follow-up.
>>>>
>>>> It's hardly an ideal situation, but difficult to see how to improve it
>>>> given the general anti-regulation philosophy of most Internet
>>>> providers.
>>>>
>>>> Cheers,
>>>>
>>>> --
>>>> Shane
>>>>
>>>> On 25/06/2020 08.03, PP wrote:
>>>>> So who at RIPE is responsible for allocating this resource, and what
>>>>> policy can be introduced to prevent the allocation of IP address
>>>>> resources to irresponsible organizations like this one?
>>>>>
>>>>> SpamHaus have it listed as the world's number one source of spam:
>>>>>
>>>>> https://www.spamhaus.org/statistics/networks/
>>>>>
>>>>>
>>>>>
>>>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>>> We've had similar experience with this VPN provider.
>>>>>>
>>>>>> He claims not being able to track malicious actor is

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread PP
Perhaps a code of conduct, with de-registration of resources if the 
entity does not comply, and enforcement costs to be levied against the 
annual fee imposed for the registering of IP resources.




On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:

Hi whoever you are,
(typically it's not a good sign, if you need to hide behind an anonymous
alias).


I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get your point.

I think it's not feasible that you need to somehow prove you are
legitimate, the same way you should not need to prove you're an honest
citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
for illicit things, whatever they may be (annoying your neighbors
through excessive noise, running a drug empire, )

That's what this group seems to consistently fail to come up with for
various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.

The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.

This is not a technical issue.

Best
Serge



On 25.06.20 09:26, PP wrote:

Firstly, reporting it to the LEO does not cause the resources to be
de-registered.

Secondly, your example regarding IPv6 is another reason why this
approach is not sufficient: there are
340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
addresses.


It should be that the resources are only allocated to legitimate
established corporations.


Phone numbers aren't wholly allocated to anyone who asks, they remain
controlled by a reputable phone company. Why should IP addresses be
different?



On 25/06/2020 4:50 pm, Shane Kerr wrote:

Dear Phish Phucker,

The RIPE NCC is a not-for-profit, membership-based organization based
in the Netherlands. They are responsible for allocating Internet
number resources (IP addresses and AS numbers) in their region. Their
policies are set by RIPE, which is just anyone who joins the RIPE
mailing lists and participates in the policy discussions.

I'm not sure what policy can be introduced. Historically RIPE
participants have been reluctant to make any value judgements about
what IP resources can and cannot be used for. Currently as long as you
are truthful about your organization's registration information you
have fulfilled the requirements.

In a sense this should be enough. The information is available for
anyone who cares about protecting their users from spam originating
there. Spamhaus lists the organization, and I am pretty sure that most
e-mail providers either block their IP addresses because of that - or
have their own abuse tracking which identifies them. It's not
perfect... I had to change VPS provider because my previous VPS
provider kept having its IPv6 addresses blocked by Spamhaus and
neither my provider nor Spamhaus would explain why (my provider
claimed to have never received any complaints, and Spamhaus never
explains anything). But it seems to be good enough for most people.

If an organization is breaking a law, then the correct action is to
report them to the law-enforcement organization (LEO) that feels like
it is in their jurisdiction. Again, since the member is required by
the RIPE NCC to have correct information about the person or
organization that has been allocated resources, the LEO can follow-up.

It's hardly an ideal situation, but difficult to see how to improve it
given the general anti-regulation philosophy of most Internet providers.

Cheers,

--
Shane

On 25/06/2020 08.03, PP wrote:

So who at RIPE is responsible for allocating this resource, and what
policy can be introduced to prevent the allocation of IP address
resources to irresponsible organizations like this one?

SpamHaus have it listed as the world's number one source of spam:

https://www.spamhaus.org/statistics/networks/



On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:

We've had similar experience with this VPN provider.

He claims not being able to track malicious actor is for the benefit
of free speech but when malware is used to attack people who express
free speech he did not understand that his service is not
contributing towards free speech but hinders it.

Tonu
CERT-EE

On 25.06.2020 04:15, PP wrote:

Botnet controllers on VPN provider that refuses to act:


     organisation:    ORG-SL751-RIPE
     org-name:    Freedom Of Speech VPN
     org-type:    OTHER
     address: P.O. Box 9173
     address: Victoria
     address: Mahe Island
     address: Seychelles
     e-mail: i...@fos-vpn.org
     abuse-c: SL12644-RIPE
     mnt-ref: FOS-VPN-MNT
     mnt-by:  FOS-VPN-MNT
     

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread Serge Droz via anti-abuse-wg
Hi whoever you are,
(typically it's not a good sign, if you need to hide behind an anonymous
alias).


I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get your point.

I think it's not feasible that you need to somehow prove you are
legitimate, the same way you should not need to prove you're an honest
citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
for illicit things, whatever they may be (annoying your neighbors
through excessive noise, running a drug empire, )

That's what this group seems to consistently fail to come up with for
various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.

The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.

This is not a technical issue.

Best
Serge



On 25.06.20 09:26, PP wrote:
> Firstly, reporting it to the LEO does not cause the resources to be
> de-registered.
> 
> Secondly, your example regarding IPv6 is another reason why this
> approach is not sufficient: there are
> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
> addresses.
> 
> 
> It should be that the resources are only allocated to legitimate
> established corporations.
> 
> 
> Phone numbers aren't wholly allocated to anyone who asks, they remain
> controlled by a reputable phone company. Why should IP addresses be
> different?
> 
> 
> 
> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>> Dear Phish Phucker,
>>
>> The RIPE NCC is a not-for-profit, membership-based organization based
>> in the Netherlands. They are responsible for allocating Internet
>> number resources (IP addresses and AS numbers) in their region. Their
>> policies are set by RIPE, which is just anyone who joins the RIPE
>> mailing lists and participates in the policy discussions.
>>
>> I'm not sure what policy can be introduced. Historically RIPE
>> participants have been reluctant to make any value judgements about
>> what IP resources can and cannot be used for. Currently as long as you
>> are truthful about your organization's registration information you
>> have fulfilled the requirements.
>>
>> In a sense this should be enough. The information is available for
>> anyone who cares about protecting their users from spam originating
>> there. Spamhaus lists the organization, and I am pretty sure that most
>> e-mail providers either block their IP addresses because of that - or
>> have their own abuse tracking which identifies them. It's not
>> perfect... I had to change VPS provider because my previous VPS
>> provider kept having its IPv6 addresses blocked by Spamhaus and
>> neither my provider nor Spamhaus would explain why (my provider
>> claimed to have never received any complaints, and Spamhaus never
>> explains anything). But it seems to be good enough for most people.
>>
>> If an organization is breaking a law, then the correct action is to
>> report them to the law-enforcement organization (LEO) that feels like
>> it is in their jurisdiction. Again, since the member is required by
>> the RIPE NCC to have correct information about the person or
>> organization that has been allocated resources, the LEO can follow-up.
>>
>> It's hardly an ideal situation, but difficult to see how to improve it
>> given the general anti-regulation philosophy of most Internet providers.
>>
>> Cheers,
>>
>> -- 
>> Shane
>>
>> On 25/06/2020 08.03, PP wrote:
>>> So who at RIPE is responsible for allocating this resource, and what
>>> policy can be introduced to prevent the allocation of IP address
>>> resources to irresponsible organizations like this one?
>>>
>>> SpamHaus have it listed as the world's number one source of spam:
>>>
>>> https://www.spamhaus.org/statistics/networks/
>>>
>>>
>>>
>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:

>>>> We've had similar experience with this VPN provider.
>>>>
>>>> He claims not being able to track malicious actor is for the benefit
>>>> of free speech but when malware is used to attack people who express
>>>> free speech he did not understand that his service is not
>>>> contributing towards free speech but hinders it.
>>>>
>>>> Tonu
>>>> CERT-EE
>>>>
>>>> On 25.06.2020 04:15, PP wrote:
>>>>>
>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>
>>>>>
>>>>>     organisation:    ORG-SL751-RIPE
>>>>>     org-name:    Freedom Of Speech VPN
>>>>>     org-type:    OTHER
>>>>>     address: P.O. Box 9173
>>>>>     address: Victoria
>>>>>     address: Mahe Island
>>>>>     address: Seychelles
>>>>>     e-mail: i...@fos-vpn.org
>>>>>     abuse-c: SL12644-RIPE
>>>>>     mnt-ref:

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread PP
Firstly, reporting it to the LEO does not cause the resources to be 
de-registered.


Secondly, your example regarding IPv6 is another reason why this 
approach is not sufficient: there are 
340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6 addresses.



It should be that the resources are only allocated to legitimate 
established corporations.



Phone numbers aren't wholly allocated to anyone who asks, they remain 
controlled by a reputable phone company. Why should IP addresses be 
different?




On 25/06/2020 4:50 pm, Shane Kerr wrote:

Dear Phish Phucker,

The RIPE NCC is a not-for-profit, membership-based organization based 
in the Netherlands. They are responsible for allocating Internet 
number resources (IP addresses and AS numbers) in their region. Their 
policies are set by RIPE, which is just anyone who joins the RIPE 
mailing lists and participates in the policy discussions.


I'm not sure what policy can be introduced. Historically RIPE 
participants have been reluctant to make any value judgements about 
what IP resources can and cannot be used for. Currently as long as you 
are truthful about your organization's registration information you 
have fulfilled the requirements.


In a sense this should be enough. The information is available for 
anyone who cares about protecting their users from spam originating 
there. Spamhaus lists the organization, and I am pretty sure that most 
e-mail providers either block their IP addresses because of that - or 
have their own abuse tracking which identifies them. It's not 
perfect... I had to change VPS provider because my previous VPS 
provider kept having its IPv6 addresses blocked by Spamhaus and 
neither my provider nor Spamhaus would explain why (my provider 
claimed to have never received any complaints, and Spamhaus never
explains anything). But it seems to be good enough for most people.


If an organization is breaking a law, then the correct action is to 
report them to the law-enforcement organization (LEO) that feels like 
it is in their jurisdiction. Again, since the member is required by 
the RIPE NCC to have correct information about the person or 
organization that has been allocated resources, the LEO can follow-up.


It's hardly an ideal situation, but difficult to see how to improve it 
given the general anti-regulation philosophy of most Internet providers.


Cheers,

--
Shane

On 25/06/2020 08.03, PP wrote:
So who at RIPE is responsible for allocating this resource, and what 
policy can be introduced to prevent the allocation of IP address 
resources to irresponsible organizations like this one?


SpamHaus have it listed as the world's number one source of spam:

https://www.spamhaus.org/statistics/networks/



On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:


We've had similar experience with this VPN provider.

He claims not being able to track malicious actor is for the benefit 
of free speech but when malware is used to attack people who express 
free speech he did not understand that his service is not 
contributing towards free speech but hinders it.


Tonu
CERT-EE

On 25.06.2020 04:15, PP wrote:


Botnet controllers on VPN provider that refuses to act:


    organisation:    ORG-SL751-RIPE
    org-name:    Freedom Of Speech VPN
    org-type:    OTHER
    address: P.O. Box 9173
    address: Victoria
    address: Mahe Island
    address: Seychelles
    e-mail: i...@fos-vpn.org
    abuse-c: SL12644-RIPE
    mnt-ref: FOS-VPN-MNT
    mnt-by:  FOS-VPN-MNT
    created: 2018-07-13T05:33:45Z
    last-modified:   2020-02-28T12:37:39Z
    source:  RIPE




-------- Forwarded Message --------
Subject: Re: botnet controllers
Date: Wed, 24 Jun 2020 21:49:21 +0200
From: i...@ghlc.biz
To: PP 



On 2020-06-24 13:03, PP wrote:
Hello!


Please note that all mentioned IPs belong to non-logging VPN services.

No user logs are kept.


Sincerely yours

David Craig




Re: [anti-abuse-wg] Fwd: Re: botnet controllers

2020-06-25 Thread PP
So who at RIPE is responsible for allocating this resource, and what 
policy can be introduced to prevent the allocation of IP address 
resources to irresponsible organizations like this one?


SpamHaus have it listed as the world's number one source of spam:

https://www.spamhaus.org/statistics/networks/



On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:


We've had similar experience with this VPN provider.

He claims not being able to track malicious actor is for the benefit 
of free speech but when malware is used to attack people who express 
free speech he did not understand that his service is not contributing 
towards free speech but hinders it.


Tonu
CERT-EE

On 25.06.2020 04:15, PP wrote:


Botnet controllers on VPN provider that refuses to act:


    organisation:    ORG-SL751-RIPE
    org-name:    Freedom Of Speech VPN
    org-type:    OTHER
    address: P.O. Box 9173
    address: Victoria
    address: Mahe Island
    address: Seychelles
    e-mail: i...@fos-vpn.org
    abuse-c: SL12644-RIPE
    mnt-ref: FOS-VPN-MNT
    mnt-by:  FOS-VPN-MNT
    created: 2018-07-13T05:33:45Z
    last-modified:   2020-02-28T12:37:39Z
    source:  RIPE




-------- Forwarded Message --------
Subject:Re: botnet controllers
Date:   Wed, 24 Jun 2020 21:49:21 +0200
From:   i...@ghlc.biz
To: PP 



On 2020-06-24 13:03, PP wrote:
Hello!


Please note that all mentioned IPs belong to non-logging VPN services.

No user logs are kept.


Sincerely yours

David Craig


