Re: [anti-abuse-wg] Adding a "Security Information" contact?

2022-06-09 Thread Cynthia Revström via anti-abuse-wg
Yes, this was exactly my point :)

If the aa-wg wants this feature it should be proposed to the db-wg for
deciding how it should be implemented. (such as if it's another type
contact or just another abuse mailbox attribute)


-Cynthia

On Tue, Jun 7, 2022, 20:12 Ángel González Berdasco via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Cynthia Revström writes:
> > I think this sounds like a good idea as someone who is also very much
> > interested in security.
> >
> >
> > However I think the implementation details should be discussed in the
> > db-wg as opposed to the aa-wg.
> >
> >
> > -Cynthia
>
> It affects both anti-abuse and db-wg. If anti-abuse sees no merit in
> that, there's no point in going further with it, but if this wg considers
> it worth pursuing, I guess it should then be proposed to the db-wg.
>
> I am open to input on the steps that should be followed, as I'm not
> familiar with what would be the proper process.
>
> Best regards
>
>
> --
> INCIBE-CERT - Spanish National CSIRT
> https://www.incibe-cert.es/
>
> PGP keys:
> https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
>
> 
>
> INCIBE-CERT is the Spanish National CSIRT designated for citizens,
> private law entities, other entities not included in the subjective
> scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
> Jurídico del Sector Público", as well as digital service providers,
> operators of essential services and critical operators under the terms
> of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
> las redes y sistemas de información" that transposes the Directive (EU)
> 2016/1148 of the European Parliament and of the Council of 6 July 2016
> concerning measures for a high common level of security of network and
> information systems across the Union.
>
> 
>
> In compliance with the General Data Protection Regulation of the EU
> (Regulation EU 2016/679, of 27 April 2016) we inform you that your
> personal and corporate data (as well as those included in attached
> documents); and e-mail address, may be included in our records
> for the purpose derived from legal, contractual or pre-contractual
> obligations or in order to respond to your queries. You may exercise
> your rights of access, correction, cancellation, portability,
> limitation of processing and opposition under the terms established by
> current legislation and free of charge by sending an e-mail to
> d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de
> Ciberseguridad de España, M.P., S.A. More information is available
> on our website: https://www.incibe.es/proteccion-datos-personales
> and https://www.incibe.es/registro-actividad.
>
> 
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change
> your subscription options, please visit:
> https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
>
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


Re: [anti-abuse-wg] Adding a "Security Information" contact?

2022-06-07 Thread Cynthia Revström via anti-abuse-wg
I think this sounds like a good idea as someone who is also very much
interested in security.

However I think the implementation details should be discussed in the db-wg
as opposed to the aa-wg.

-Cynthia

On Tue, Jun 7, 2022, 13:46 Gert Doering  wrote:

> Hi,
>
> On Tue, Jun 07, 2022 at 12:36:10PM +, Ángel González Berdasco via
> anti-abuse-wg wrote:
> > abuse-c: GROBECKER-ABUSE
> >
> > and the GROBECKER-ABUSE object:
> > abuse-mailbox: gene...@abuse.grobecker.info
> > abuse-mailbox-vulnerable: vulnerability-repo...@abuse.grobecker.info
> > abuse-mailbox-fraud: fraudabu...@abuse.grobecker.info
> >
> > where 'vulnerable', 'fraud', etc. are the machine readable tags defined
> > in the RSIT for the values in the classification column.
> [..]
> > Does something like this seem sensible to others?
>
> From a LIR perspective, this sounds like an interesting and quite
> workable idea (... it would need some easily-findable help texts that
> explains what these terms stand for, and which one to use for what :-) ).
>
> I think teaching this to CERTs would also be doable... ;-)
>
> "whois" would need some help (as it today only returns one abuse e-mail),
> but that's implementation
>
> $ whois 195.30.0.1
> % Abuse contact for '195.30.0.0 - 195.30.0.255' is 'ab...@space.net'
>
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                  Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen             HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444     USt-IdNr.: DE813185279
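
Added example, not part of the thread and not RIPE NCC code: a sketch of how a reporting tool could resolve the per-category contact quoted above, falling back to the generic abuse-mailbox when no tagged attribute exists. The `abuse-mailbox-<tag>` attributes are the proposal under discussion, not attributes the RIPE Database defines today; the objects, handles and addresses below are constructed.

```python
import ipaddress

# Constructed sample objects (documentation address space, example.net mail).
SAMPLE_DB = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-c:        EXAMPLE-ABUSE

role:           Example Abuse Desk
nic-hdl:        EXAMPLE-ABUSE
abuse-mailbox:  general@abuse.example.net
abuse-mailbox-vulnerable: vuln-reports@abuse.example.net
abuse-mailbox-fraud:      fraud@abuse.example.net

inetnum:        198.51.100.0 - 198.51.100.255
netname:        LEGACY-NET
abuse-c:        LEGACY-ABUSE

role:           Legacy Abuse Desk
nic-hdl:        LEGACY-ABUSE
abuse-mailbox:  abuse@legacy.example.net
"""


def parse_objects(text):
    """Split RPSL-style text into objects, each a list of (key, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):      # server remarks / comments
            continue
        if line[0] in " \t+" and current:    # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].strip()).strip())
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """Return the first value of attribute `key` in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def find_inetnum(objects, ip):
    """Return the most specific inetnum object covering `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for obj in objects:
        rng = first(obj, "inetnum")
        if rng is None:
            continue
        lo_s, _, hi_s = rng.partition("-")
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != addr.version or not (lo <= addr <= hi):
            continue
        size = int(hi) - int(lo)
        if best is None or size < best[0]:
            best = (size, obj)
    return best[1] if best else None


def abuse_contact(objects, ip, tag=None):
    """Pick the mailbox for a report about `ip`.

    `tag` is a machine-readable classification such as 'vulnerable' or
    'fraud'. A tagged mailbox wins; otherwise the generic abuse-mailbox is
    used, which is what a tag-unaware client would see anyway.
    """
    net = find_inetnum(objects, ip)
    if net is None:
        return None
    handle = first(net, "abuse-c")
    if handle is None:
        return None
    role = next((o for o in objects if first(o, "nic-hdl") == handle), None)
    if role is None:
        return None
    if tag:
        specific = first(role, "abuse-mailbox-" + tag.lower())
        if specific:
            return specific
    return first(role, "abuse-mailbox")


if __name__ == "__main__":
    db = parse_objects(SAMPLE_DB)
    for ip, tag in [("192.0.2.10", "vulnerable"), ("192.0.2.10", "spam"),
                    ("198.51.100.7", "fraud"), ("203.0.113.1", "fraud")]:
        print(ip, tag, "->", abuse_contact(db, ip, tag))
```
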


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-06 Thread Cynthia Revström via anti-abuse-wg
Hi,

I just want to start out by saying that I have been quite busy lately
so I can't reply to all points in this thread but I mostly agree with
denis and what I have previously said in the db-wg.

I have replied to rfg below.

On Tue, Jun 7, 2022 at 12:36 AM Ronald F. Guilmette
 wrote:
>
> In message 
> 
> denis walker  wrote:
>
> >We are talking about restricting access to one piece of data, the
> >address of natural persons. I accept that a lot of abuse may come from
> >address space held by natural people. I understand that a lot of
> >investigation work is done by companies and individuals. How much of
> >an impact would it be on your activities to not know the private
> >address of these natural people?
>
> Just a second.  Let's pause here for a moment and look at this question
> of the "physical address" information as it relates to WHOIS records.
>
> One of the many things that have, over the past several years, rendered
> almost all of the information that is now available in *domain name*
> WHOIS records virtually entirely worthless was the decision, some
> considerable time ago, by ICANN, to permit the use of essentially
> anonymous P.O. box addresses in the WHOIS records for domains registered
> within the gTLDs.  Additional commonly used methods of obfuscation in
> these domain name WHOIS records include but are not limited to (a) the
> use of "proxy" registrants and (b) the use of addresses of incorporation
> agents and (c) use of the addresses of attorneys.  (I have not surveyed the
> policies of the various ccTLDs with regards to their level of acceptance
> of such shenanigans but I have no reason to doubt that even the .US TLD
> allows for all of these clever methods of "hiding the ball" with respect
> to the actual physical location of the domain name registrant.  Hell!
> The policies governing the .US domain are crystal clear in prohibiting
> non-US legal entities from registering .US domains, but the operators of
> the .US registry demonstrably make no attempt whatsoever to check for
> conformance with even this minimal requirement.)

While not that important for this point, I would argue that the policy
is in no way "crystal clear" in prohibiting non-US legal entities from
registering .US domains as the following category exists in the
policy:
> A foreign entity or organization that has a bona fide presence in the United 
> States of America or any of its possessions or territories [Nexus Category 3].
https://www.about.us/cdn/resources/ebooks/policies/usTLD_Nexus_Requirements_Policy.pdf

> So, as I have listed above, there are many different frequently-used ways
> that any natural person may use to obfuscate their actual physical location
> when registering a domain name.
>
> This prompts a rather obvious question:  Do there exist any policies,
> rules, or regulations which would prevent a natural person from using any
> one of the several techniques I have listed above to obfuscate their
> actual physical location when they generate their RIPE organization
> WHOIS record?  And more to the point, is it true or false that, as I have
> previously asserted, any member can put literally any inaccurate garbage
> they want into their public-facing RIPE WHOIS records with no consequence
> whatsoever?

AFAIK the "org-name" attribute on the organisation object does get
verified if the organisation is a LIR or an end user that has received
resources directly from the RIPE NCC (through a sponsoring LIR). (and
possibly a few other cases like legacy resource holders with service
agreements)
I believe there are also many policies that say that information
should be accurate, and while this might not be actively verified for
the most part, it is still policy in many cases.

> If the answer to *either* question is "yes", then it seems to me that
> enlisting RIPE NCC to embark upon a deliberate program to hide personal
> information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING
> REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly
> unnecessary, but actually and demonstrably counterproductive.  Should
> a natural-person who actually WANTS to be directly contacted for any and
> all issues relating to their RIPE number resources have that opportunity
> closed out, perhaps without even their knowledge or consent, by some
> small over-aggressive cabal of GDPR fanatics acting unilaterally?  I think
> not.

Part of the issue is that the RIPE NCC has some responsibility for
this under the GDPR and it can be really difficult to do this
correctly, but I think the legal team could explain those details
better.

> As noted above, if any RIPE registrant wants to have their physical address
> info obfuscated then there appears to be any number of simple alternatives
> available to the registrant themself to achieve exactly that.  Thus, this
> new push to get RIPE NCC to hide information in public-facing WHOIS records
> seems to be a solution in search of a problem, and just another 

Re: [anti-abuse-wg] Potential New Co-Chair

2022-01-20 Thread Cynthia Revström via anti-abuse-wg
Hi Brian,

While not intensely familiar with the AA-WG specifically, this seems
like a good idea to me to help reduce load on the current co-chairs.
(I have no objections)

-Cynthia

On Thu, Jan 20, 2022 at 11:04 AM Brian Nisbet  wrote:
>
> Colleagues,
>
> As you're all aware Alireza stepped down as Co-Chair at the end of his term 
> at RIPE 83. As nobody put themselves forward for the third position at that 
> time it was not filled, which is fine.
>
> Since then a community member contacted Tobias and I, expressing an interest 
> in helping to Chair the WG. They were rather engaged with important life 
> matters last autumn and did not have the chance to put themselves forward at 
> that point.
>
> What we are now proposing is that this person is introduced to the WG as a 
> potential Co-Chair (likely with a term technically starting at RIPE 83) and 
> the WG can either accept them or not. This is your choice, of course.
>
> So, as a first stage, does anyone object to this happening "out of cycle"? I'm 
> very happy to say that silence indicates consent here, but if you have any 
> objections then please state them here or to aa-wg-cha...@ripe.net before 
> 17:00 CET on Wednesday 26th January.
>
> If that is all good, we'll proceed with the next phase.
>
> Thank you all,
>
> Brian
> Co-Chair, RIPE AA-WG
>
> Brian Nisbet (he/him)
>
> Service Operations Manager
>
> HEAnet CLG, Ireland's National Education and Research Network
>
> 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
>
> +35316609040 brian.nis...@heanet.ie www.heanet.ie
>
> Registered in Ireland, No. 275301. CRA No. 20036270
>


Re: [anti-abuse-wg] About whitelisting (was: UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget)

2021-03-05 Thread Cynthia Revström via anti-abuse-wg
I personally feel like it's impossible to have a neutral list if you charge
for delisting.

Regardless of what might be the best solution, I feel like there is no way*
to do this that isn't subject to abuse.

Like if your business model is getting fees for delist requests, it's going
to be close to impossible to keep it neutral.

* Within reason, like you come up with ideas as proof of donation to a
charity if you want to have a filter against people spamming. But that will
always have some issues too.

-Cynthia


On Fri, Mar 5, 2021, 11:59 Esa Laitinen  wrote:

> Hi!
>
> Let me start saying that it seems to me that UCEPROTECT doesn't follow
> their own stated policies. If it is so, it is a bad list. But I'd like
> to discuss a principle here which I think I'd like to know opinions of.
>
> On 05.03.21 11:38, Cynthia Revström via anti-abuse-wg wrote:
> > As others have pointed out, even purely on a technical level, they are
> > not any kind of trustworthy source as paying to be delisted creates a
> > very bad incentive for them.
>
> We have a situation where your IP address has landed in a DNSBL as
> collateral damage. You're hosted in the same subnet with a spammer, for
> example, so it is an escalation listing.
>
> Which one is preferable?
>
> 1. no chance of whitelisting your IP (as is the case with SORBS, and I
> think many other DNSBL operators), so you either need to move out, or
> convince the hosting provider to fix the issue
>
> 2. you can get a whitelisting done (possibly for a (relatively small) fee).
>
> Personally I'd prefer to have an option of 2. Having a small fee would
> motivate me to talk with the hosting provider first, to get their act
> together.
>
>
> Let's forget how UCEPROTECT is messing up, let's discuss this as a
> principle.
>
>
> Yours,
>
>
> esa
>
>
> --
> Mr Esa Laitinen
> IM: https://threema.id/2JP4Y33R or https://signal.org/install
> Skype: reunaesa
> Mobile: +4178 838 57 77


Re: [anti-abuse-wg] UCEPROTECT DNSBL possibly abusive practice and RIPEStat Blacklist entries widget

2021-03-05 Thread Cynthia Revström via anti-abuse-wg
Hi Christian,

As others have pointed out, even purely on a technical level, they are not
any kind of trustworthy source as paying to be delisted creates a very bad
incentive for them.

I agree that in general more lists should be added, but uceprotect should
be removed, because just listing it does (whether intended or not) give it
some legitimacy in the eyes of many (I assume).

I can understand that the sexist comments could be overlooked from the
point of view of RIPEstat if you had a list far larger including pretty
much every list that is semi-common.
However, the fact that it is basically based on extortion inherently
results in a very low quality blocklist.

I know I have repeated myself a bit here, but I feel it is important to
point out that disregarding their awful business practices, it is just very
bad on a technical level too.

-Cynthia


On Thu, Mar 4, 2021 at 5:16 PM Christian Teuschel  wrote:

> Hi Elvis and Suresh, dear colleagues,
>
> Putting exact numbers on how many operators are using UCEProtect is
> difficult, but through feedback from users, network operators and
> members we understand that it is in use and that the provisioning of
> this RBL on RIPEstat has value.
>
> If I am reading the feedback in this discussion correctly, the sentiment
> is leaning towards adding more RBLs instead of less and if that is the
> case we are going to look into how and when we can achieve this. Please
> let me know if that is aligned with your requirements/expectations.
>
> Best regards,
> Christian
>
> On 04/03/2021 09:54, Elvis Daniel Velea wrote:
> > Hi Christian,
> >
> > while it may be useful to have their data source, it only shows the RIPE
> > NCC favors one or two operators and I think that is damaging to the
> > whole idea of being impartial.
> >
> > You either include a good list of blacklist operators and their data or
> > none. Including only a couple will lead to the impression that only
> > those are important enough to be considered by the RIPE NCC.
> >
> > my 2 cents,
> > Elvis
> >
> > On 3/3/21 8:27 AM, Christian Teuschel wrote:
> >> Dear colleagues,
> >>
> >> RIPEstat is a neutral source of information and we aim to provide users
> >> with access to as many data sources as possible to provide insights.
> >>
> >> UCEProtect was added as a data source prior to 2010 and is still used by
> >> several network operators to filter traffic into their networks.
> >> Including it as a data source in RIPEstat allows users to see whether
> >> resources are included in their lists.
> >>
> >> RIPE NCC does not pay for, support or endorse their practices, although
> >> we understand that continuing to include UCEProtect as a data source
> >> could be misunderstood as such. We also do not use their lists to filter
> >> traffic on our services.
> >>
> >> Our goal remains to provide the best visibility and tools for network
> >> operators to diagnose their networks. We have also heard your feedback
> >> regarding including more RBLs. It is something that we have considered
> >> in the past, and we are open to revisiting this.
> >>
> >> RIPEstat is driven by the community. We would like to hear from you
> >> about whether including UCEProtect as a data source is useful.
> >>
> >> Regards,
> >> Christian
> >>
> >> On 02/03/2021 00:08, Kristijonas Lukas Bukauskas via anti-abuse-wg wrote:
> >>> Hello,
> >>>
> >>> I noticed that RIPE NCC uses uceprotect-level1, uceprotect-level2 and
> >>> uceprotect-level3 in RIPEStat Anti Abuse Blacklist Entries widget.
> >>>
> >>> There have been controversial positions about this blacklist recently:
> >>>
> >>> 1) https://success.trendmicro.com/solution/000236583-Emails-being-rejected-by-RBL-UCEPROTECL-in-Hosted-Email-Security-and-Email-Security
> >>>
> >>> 2) https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
> >>>
> >>> UCEPROTECT blacklists the whole range of IP addresses, including the
> >>> full IP range of some autonomous systems:
> >>>   UCEPROTECT states, 'Who is responsible for this listing? YOU ARE NOT!
> >>> Your IP was NOT directly involved in abuse but has a bad neighborhood.
> >>> Other customers within this range did not care about their security and
> >>> got hacked, started spamming, or were even attacking others, while your
> >>> provider has possibly not even noticed that there is a serious problem.
> >>> We are sorry for you, but you have chosen a provider not acting fast
> >>> enough on abusers' [http://www.uceprotect.net/en/rblcheck.php].
> >>>   It asks for a fee if some individual IP address wants to be
> >>> whitelisted (http://www.whitelisted.org/),
> >>>   It abuses people who decide to challenge their 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Cynthia Revström via anti-abuse-wg
> It seems to me that if your abuse@ email is being overloaded and you are
> unable to keep your network spam free, then you shouldn't be taking on any
> more customers until you figure things out.

As has been noted before in this thread, just because you are getting 200
abuse emails in a day doesn't necessarily mean you have a huge issue but it
is a lot of emails to deal with.
It might just be one customer who port scanned a /24 somewhere on the
internet.

> Why do you think that because you tell yourself you are "too big" that
> you don't need to monitor your network?

I don't think anyone is saying that, but if you want a human to read your
emails, you shouldn't automate the sending so you end up with potential
situations like that.

> The first thing that comes to mind is having your abuse@ email checked
> via a script to eliminate any actual spam to your server and parse out
> legitimate emails and requests.

As was mentioned in the second email in this thread (from Jordi), just
using spam filters on content is not necessarily a good idea for the abuse
inbox.

> If you need help with something so basic or are asking these types of
> questions, you shouldn't be running a network in the first place. My
> ::slams keyboard::
> Yes, if you can't figure newbie stuff out then what the heck are you
> doing trying to host people on the internet?

Don't assume people are lacking in basic knowledge, rather consider that
some people might have requirements other than yours, and that it might not
be as simple as you suggest.

This also applies in most cases in this thread, just because something
works for you or might seem easy for you doesn't mean it works for everyone
in all situations. (I feel like this needs to be said)

-Cynthia


On Fri, Feb 26, 2021 at 10:02 PM steve payne  wrote:

> I don't agree with the "All these responses from people who don't actually
> run a network ::slams keyboard::" remarks.
>
> It seems to me that if your abuse@ email is being overloaded and you are
> unable to keep your network spam free, then you shouldn't be taking on any
> more customers until you figure things out.
>
> Why do you think that because you tell yourself you are "too big" that you
> don't need to monitor your network?
>
> If your abuse @ email is being slammed to death, it would seem you need to
> optimize this solution.
>
> The first thing that comes to mind is having your abuse@ email checked
> via a script to eliminate any actual spam to your server and parse out
> legitimate emails and requests.
>
> If you need help with something so basic or are asking these types of
> questions, you shouldn't be running a network in the first place. My
> ::slams keyboard::
>
> Yes, if you can't figure newbie stuff out then what the heck are you doing
> trying to host people on the internet?
>
> On Fri, Feb 26, 2021 at 1:19 PM Jacob Slater  wrote:
>
>> If you predicate sending reports via web form, then report forwarding
>>> from the ISP to its customer should also be done via web form.
>>>
>>
>> The relationship between an arbitrary internet user and an ISP is
>> different from the relationship between an ISP and a customer who is on a
>> contract.
>> I can (and do) require end users of my infrastructure respond to abuse
>> e-mails sent to them in specific ways. If they don't like the terms I've
>> set, they are welcome to take their business elsewhere.
>> The same relationship does not currently exist with abuse reports.
>>
>> At times I also try and
>>> send fake complaints about my IP, to see if they would forward them to
>>> me.  All of those messages fall into a black black hole where time is
>>> frozen expectations fade.  Lazy.
>>>
>>
>> It is also possible your ISP believes the report is fake and does not
>> forward it on. Alternatively, perhaps their policy is to not forward
>> reports on. They might investigate, deem it incorrect, and delete it.
>>
>>
>> I personally am opposed to banning or discouraging web forms unless we
>> standardize some system. If there is an expectation for human review on the
>> ISP side, there should be an expectation that the sender is human. If we
>> set an expectation for automated sending of abuse reports, limited machine
>> review prior to acceptance should be expected.
>>
>> Solving this is a difficult problem. From my (admittedly limited)
>> experience, I'm in agreement with Alex de Joode - a solution cannot impact
>> certain operational realities of ISPs. Limited machine review - along with
>> automation of abuse reports on the receiving side - is an operational
>> reality. False, inaccurate, incomplete, or just plain malicious abuse
>> reports are just as real as actual abuse reports.
>>
>> I would note a further operational reality: any standard we come up with
>> outside of the current method of communication (email) is likely to never
>> reach large-scale deployment. Even if we make a standard within e-mail (ex.
>> ARF), some ISPs will want (or need) details beyond what would be outlined
>> 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-25 Thread Cynthia Revström via anti-abuse-wg
I think you have misunderstood my point.

> Would they send such report using their customer's own web form?

No? I don't know what implied that?

> Yes, doing so requires some work too, but heck aren't we paying for that
> already?

The person sending the abuse report is rarely a paying customer.

> The right thing to do would be to arrange for the abuse mailbox address
> to point (in)directly to the actual user of the IP address.

I am assuming you are referring to having a separate abuse contact for each
customer, so like abuse.cust123@domain and registering it in the RIPE
Registry/DB?
In some cases with large customers maybe but if you are a hosting provider
where each customer might only have one or two IPv4 addresses, that can get
to an insane amount of handles and make the database really messy.
Also the customer in question is not the only info that is relevant, like
is it DoS, spam, or port scanning, etc?

But in general I think there are pros and cons to web forms and email
templates just as there are pros and cons to arbitrarily structured emails.

-Cynthia


On Thu, Feb 25, 2021 at 10:05 AM Alessandro Vesely  wrote:

> Sorry for being late to the party...
>
> On Sun 21/Feb/2021 03:44:07 +0100 Cynthia Revström via anti-abuse-wg wrote:
> > If the hosting company provides a web form, they can have a field where they
> > explicitly ask for the offending IP address.
> > This report could then automatically also be sent to the customer in question,
> > because we shouldn't assume the customer is malicious, they might just have a
> > bad config that made them a relay for example.
>
>
> Would they send such report using their customer's own web form?
>
> The right thing to do would be to arrange for the abuse mailbox address to
> point (in)directly to the actual user of the IP address.  Yes, doing so
> requires some work too, but heck aren't we paying for that already?
>
>
> Best
> Ale


Re: [anti-abuse-wg] [ripe-list] RIPE AA-WG discussion

2021-02-23 Thread Cynthia Revström via anti-abuse-wg
Hi Carsten,

I made a mistake in judgement with regards to what the email was about, so
I think this topic is sort of redundant at this point.
And to not end up spamming people too much, I think we should at least
restrict it to aa-wg only if it should be discussed further (which I don't
personally think it should).
I got an email mentioning how this is maybe not too much in scope for RIPE
list.

-Cynthia


On Tue, Feb 23, 2021 at 2:46 PM Carsten Schiefner wrote:

> Hi Cynthia,
>
> I share Volker's PoV to some larger extent: yes, Tobias' email might be
> a bit edgy wrt. marketing - but one could also read his first mentioning
> of him being Co-Chair as just proper introduction. And the second one as
> a reasoning why his email just went to you instead of the AA WG list as
> a whole.
>
> Also, it would be interesting - at least for me - which of your postings
> triggered Tobias' private response. I am unsure which one of yours at:
>
>
> https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2021-February/date.html
>
> to pick...
>
> ATB,
>
> -C.
>
> On 22.02.2021 18:23, Cynthia Revström via ripe-list wrote:
> > It is possible but I highly doubt it.
> >
> >> We at Abusix run Abuse Desk for dozens of Service Providers of any
> >> size and any type of product. From Cloud to DC-Services, Cable, and so
> >> on.
> >
> > That sounds so much like marketing and irrelevant if it wasn't.
> > Also if it wasn't marketing, why would he ask for me to schedule a video
> > call?
> >
> > Once again I could be wrong, and if I am, I am sorry, but I can't see
> > how this isn't marketing.
> >
> > -Cynthia
> >
> >
> > On Mon, Feb 22, 2021 at 6:18 PM Volker Greimann
> > <vgreim...@key-systems.net> wrote:
> >
> > I think you totally misread his mail. It reads to me as a proposal
> > to help you understand the processes used by many providers, not as
> > a sales pitch.
> >
> > Best,
> > --
> > Volker A. Greimann
> > General Counsel and Policy Manager
> > *KEY-SYSTEMS GMBH*
> >
> > T: +49 6894 9396901
> > M: +49 6894 9396851
> > F: +49 6894 9396851
> > W: www.key-systems.net <http://www.key-systems.net/>
> >
> > Key-Systems GmbH is a company registered at the local court of
> > Saarbruecken, Germany with the registration no. HR B 18835
> > CEO: Oliver Fries and Robert Birkner
> >
> > Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> > England and Wales with company number 8576358.
> >
> > This email and any files transmitted are confidential and intended
> > only for the person(s) directly addressed. If you are not the
> > intended recipient, any use, copying, transmission, distribution, or
> > other forms of dissemination is strictly prohibited. If you have
> > received this email in error, please notify the sender immediately
> > and permanently delete this email with any files that may be
> > attached.
> >
> >
> > On Mon, Feb 22, 2021 at 6:12 PM Cynthia Revström via anti-abuse-wg
> > <anti-abuse-wg@ripe.net> wrote:
> >
> > Hi,
> >
> > (intro)
> > Tobias Knecht sent me an email (which this is a reply to)
> > abusing his position as co-chair in order to try to sell me
> > services based on what I said on a mailing list.
> >
> > (mainly towards Tobias)
> > Replying to me based on a mailing list post in order to try to
> > sell me services is bad enough.
> > To do it as a co-chair and then to use the fact that you are
> > co-chair as a selling point is much worse.
> >
> > I find this utterly appalling behaviour from a co-chair of a
> > working group, I didn't reach out to you, you weren't even in
> > the thread at all.
> >
> > also this:
> > > As a Co-Chair I didn't want to jump into the mix on the
> > > mailing list, that's why I'm reaching out to you directly.
> >
> > I mean that is sort of the point of co-chairs generally speaking
> > but yeah it is going to look bad if you are trying to sell
> > something, because it is bad.
> >
> > (mainly towards chair team and aa-wg chairs)
> > A co-chair of a working group should absolutely be warned or
> > removed if they abuse their position to sell their services.
> >
> > I also somehow doubt that this is t

Re: [anti-abuse-wg] RIPE AA-WG discussion

2021-02-23 Thread Cynthia Revström via anti-abuse-wg
Hi Tobias,

I am very sorry, I messed up and I really shouldn't have come to the
conclusion of it for sure being marketing that quickly.
I will remember this for any potential future similar scenarios to not
repeat it.

-Cynthia


On Mon, Feb 22, 2021 at 7:19 PM Tobias Knecht  wrote:

> Cynthia,
>
> If you got the impression of me trying to sell you something, I apologize.
>
> My intention was to help you answer your genuine question and give you my
> experience on how dozens of Abuse Desk Operators handle this day in, day
> out.
> Those real-world best practices differ fundamentally from what some
> Security Researchers and some Anti Abuse Advocates would love to see
> implemented real-world best practices.
>
> Once again, if this was hitting the wrong buttons I apologize, this was
> not my intention.
>
> Thanks,
>
> Tobias
>
> --
> Tobias Knecht
> Founder & CEO
> T. +49 170 455 98 45
> abusix.com
>
> On Mon, Feb 22, 2021 at 6:10 PM Cynthia Revström wrote:
>
>> Hi,
>>
>> (intro)
>> Tobias Knecht sent me an email (which this is a reply to) abusing his
>> position as co-chair in order to try to sell me services based on what I
>> said on a mailing list.
>>
>> (mainly towards Tobias)
>> Replying to me based on a mailing list post in order to try to sell me
>> services is bad enough.
>> To do it as a co-chair and then to use the fact that you are co-chair as
>> a selling point is much worse.
>>
>> I find this utterly appalling behaviour from a co-chair of a working
>> group, I didn't reach out to you, you weren't even in the thread at all.
>>
>> also this:
>> > As a Co-Chair I didn't want to jump into the mix on the mailing list,
>> > that's why I'm reaching out to you directly.
>>
>> I mean that is sort of the point of co-chairs generally speaking but yeah
>> it is going to look bad if you are trying to sell something, because it is
>> bad.
>>
>> (mainly towards chair team and aa-wg chairs)
>> A co-chair of a working group should absolutely be warned or removed if
>> they abuse their position to sell their services.
>>
>> I also somehow doubt that this is the first time, I could be wrong, but
>> idk why this would be the first time.
>>
>> I hate it when for example Cogent sends me emails trying to sell me
>> services despite me never having contacted them (outside of replying saying
>> I am not interested).
>> But this is more like if the Cogent sales people were co-chairs of the
>> db-wg.
>>
>> Also with a subject like "RIPE AA-WG discussion" I initially thought it
>> was actually about something I said or whatever, in his role as co-chair,
>> it didn't appear like it was a sales email.
>>
>> I have also CC'd the aa-wg and ripe list as this is too appalling to be
>> held private.
>>
>> -Cynthia
>>
>>
>> On Mon, Feb 22, 2021 at 5:50 PM Tobias Knecht wrote:
>>
>>> Hello Cynthia,
>>>
>>> my name is Tobias. I'm a Co-Chair of the Anti-Abuse Working Group and
>>> also Founder and CEO of Abusix.
>>>
>>>
>>> As a Co-Chair I didn't want to jump into the mix on the mailing list,
>>> that's why I'm reaching out to you directly.
>>>
>>> We at Abusix run Abuse Desk for dozens of Service Providers of any size
>>> and any type of product. From Cloud to DC-Services, Cable, and so on.
>>>
>>> Happy to jump on a call and answer the questions you have and tell you
>>> about how our clients handle those things.
>>>
>>> Feel free to reach out via email or just pick a time in my calendar:
>>> 

Re: [anti-abuse-wg] RIPE AA-WG discussion

2021-02-22 Thread Cynthia Revström via anti-abuse-wg
Tobias,

Could you please clarify what the intent was of this email? I should
probably have started by asking this but to me it seems so much like
marketing.

-Cynthia


On Mon, Feb 22, 2021 at 6:23 PM Cynthia Revström wrote:

> It is possible but I highly doubt it.
>
> > We at Abusix run Abuse Desk for dozens of Service Providers of any size
> > and any type of product. From Cloud to DC-Services, Cable, and so on.
>
> That sounds so much like marketing and irrelevant if it wasn't.
> Also if it wasn't marketing, why would he ask for me to schedule a video
> call?
>
> Once again I could be wrong, and if I am, I am sorry, but I can't see how
> this isn't marketing.
>
> -Cynthia
>
>
> On Mon, Feb 22, 2021 at 6:18 PM Volker Greimann wrote:
>
>> I think you totally misread his mail. It reads to me as a proposal to
>> help you understand the processes used by many providers, not as a sales
>> pitch.
>>
>> Best,
>> --
>> Volker A. Greimann
>> General Counsel and Policy Manager
>> *KEY-SYSTEMS GMBH*
>>
>> T: +49 6894 9396901
>> M: +49 6894 9396851
>> F: +49 6894 9396851
>> W: www.key-systems.net
>>
>>
>>
>> On Mon, Feb 22, 2021 at 6:12 PM Cynthia Revström via anti-abuse-wg <
>> anti-abuse-wg@ripe.net> wrote:
>>
>>> Hi,
>>>
>>> (intro)
>>> Tobias Knecht sent me an email (which this is a reply to) abusing his
>>> position as co-chair in order to try to sell me services based on what I
>>> said on a mailing list.
>>>
>>> (mainly towards Tobias)
>>> Replying to me based on a mailing list post in order to try to sell me
>>> services is bad enough.
>>> To do it as a co-chair and then to use the fact that you are co-chair as
>>> a selling point is much worse.
>>>
>>> I find this utterly appalling behaviour from a co-chair of a working
>>> group, I didn't reach out to you, you weren't even in the thread at all.
>>>
>>> also this:
>>> > As a Co-Chair I didn't want to jump into the mix on the mailing list,
>>> > that's why I'm reaching out to you directly.
>>>
>>> I mean that is sort of the point of co-chairs generally speaking but
>>> yeah it is going to look bad if you are trying to sell something, because
>>> it is bad.
>>>
>>> (mainly towards chair team and aa-wg chairs)
>>> A co-chair of a working group should absolutely be warned or removed if
>>> they abuse their position to sell their services.
>>>
>>> I also somehow doubt that this is the first time, I could be wrong, but
>>> idk why this would be the first time.
>>>
>>> I hate it when for example Cogent sends me emails trying to sell me
>>> services despite me never having contacted them (outside of replying saying
>>> I am not interested).
>>> But this is more like if the Cogent sales people were co-chairs of the
>>> db-wg.
>>>
>>> Also with a subject like "RIPE AA-WG discussion" I initially thought it
>>> was actually about something I said or whatever, in his role as co-chair,
>>> it didn't appear like it was a sales email.
>>>
>>> I have also CC'd the aa-wg and ripe list as this is too appalling to be
>>> held private.
>>>
>>> -Cynthia
>>>
>>>
>>> On Mon, Feb 22, 2021 at 5:50 PM Tobias Knecht wrote:
>>>
>>>> Hello Cynthia,
>>>>
>>>> my name is Tobias. I'm a Co-Chair of the Anti-Abuse Working Group and
>>>> also Founder and CEO of Abusix.
>>>>
>>>>
>>>> As a Co-Chair I didn't want to jump into the mix on the mailing list,
>>>> that's why I'm reaching out to you directly.
>>>>
>>>> We at Abusix run Abuse Desk for dozens of Service Provi

Re: [anti-abuse-wg] RIPE AA-WG discussion

2021-02-22 Thread Cynthia Revström via anti-abuse-wg
It is possible but I highly doubt it.

> We at Abusix run Abuse Desk for dozens of Service Providers of any size
> and any type of product. From Cloud to DC-Services, Cable, and so on.

That sounds so much like marketing and irrelevant if it wasn't.
Also if it wasn't marketing, why would he ask for me to schedule a video
call?

Once again I could be wrong, and if I am, I am sorry, but I can't see how
this isn't marketing.

-Cynthia


On Mon, Feb 22, 2021 at 6:18 PM Volker Greimann wrote:

> I think you totally misread his mail. It reads to me as a proposal to help
> you understand the processes used by many providers, not as a sales pitch.
>
> Best,
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
>
>
>
> On Mon, Feb 22, 2021 at 6:12 PM Cynthia Revström via anti-abuse-wg <
> anti-abuse-wg@ripe.net> wrote:
>
>> Hi,
>>
>> (intro)
>> Tobias Knecht sent me an email (which this is a reply to) abusing his
>> position as co-chair in order to try to sell me services based on what I
>> said on a mailing list.
>>
>> (mainly towards Tobias)
>> Replying to me based on a mailing list post in order to try to sell me
>> services is bad enough.
>> To do it as a co-chair and then to use the fact that you are co-chair as
>> a selling point is much worse.
>>
>> I find this utterly appalling behaviour from a co-chair of a working
>> group, I didn't reach out to you, you weren't even in the thread at all.
>>
>> also this:
>> > As a Co-Chair I didn't want to jump into the mix on the mailing list,
>> > that's why I'm reaching out to you directly.
>>
>> I mean that is sort of the point of co-chairs generally speaking but yeah
>> it is going to look bad if you are trying to sell something, because it is
>> bad.
>>
>> (mainly towards chair team and aa-wg chairs)
>> A co-chair of a working group should absolutely be warned or removed if
>> they abuse their position to sell their services.
>>
>> I also somehow doubt that this is the first time, I could be wrong, but
>> idk why this would be the first time.
>>
>> I hate it when for example Cogent sends me emails trying to sell me
>> services despite me never having contacted them (outside of replying saying
>> I am not interested).
>> But this is more like if the Cogent sales people were co-chairs of the
>> db-wg.
>>
>> Also with a subject like "RIPE AA-WG discussion" I initially thought it
>> was actually about something I said or whatever, in his role as co-chair,
>> it didn't appear like it was a sales email.
>>
>> I have also CC'd the aa-wg and ripe list as this is too appalling to be
>> held private.
>>
>> -Cynthia
>>
>>
>> On Mon, Feb 22, 2021 at 5:50 PM Tobias Knecht wrote:
>>
>>> Hello Cynthia,
>>>
>>> my name is Tobias. I'm a Co-Chair of the Anti-Abuse Working Group and
>>> also Founder and CEO of Abusix.
>>>
>>>
>>> As a Co-Chair I didn't want to jump into the mix on the mailing list,
>>> that's why I'm reaching out to you directly.
>>>
>>> We at Abusix run Abuse Desk for dozens of Service Providers of any size
>>> and any type of product. From Cloud to DC-Services, Cable, and so on.
>>>
>>> Happy to jump on a call and answer the questions you have and tell you
>>> about how our clients handle those things.
>>>
>>> Feel free to reach out via email or just pick a time in my calendar:
>>> https://calendly.com/tobias-knecht/30min
>>>
>>> Thanks and stay safe.
>>>
>>> Tobias
>>>
>>> --
>>>
>>>
>>> Tobias Knecht
>>>
>>> Founder & CEO
>>>
>>>

Re: [anti-abuse-wg] RIPE AA-WG discussion

2021-02-22 Thread Cynthia Revström via anti-abuse-wg
Hi,

(intro)
Tobias Knecht sent me an email (which this is a reply to) abusing his
position as co-chair in order to try to sell me services based on what I
said on a mailing list.

(mainly towards Tobias)
Replying to me based on a mailing list post in order to try to sell me
services is bad enough.
To do it as a co-chair and then to use the fact that you are co-chair as a
selling point is much worse.

I find this utterly appalling behaviour from a co-chair of a working group,
I didn't reach out to you, you weren't even in the thread at all.

also this:
> As a Co-Chair I didn't want to jump into the mix on the mailing list,
> that's why I'm reaching out to you directly.

I mean that is sort of the point of co-chairs generally speaking but yeah
it is going to look bad if you are trying to sell something, because it is
bad.

(mainly towards chair team and aa-wg chairs)
A co-chair of a working group should absolutely be warned or removed if
they abuse their position to sell their services.

I also somehow doubt that this is the first time, I could be wrong, but idk
why this would be the first time.

I hate it when for example Cogent sends me emails trying to sell me
services despite me never having contacted them (outside of replying saying
I am not interested).
But this is more like if the Cogent sales people were co-chairs of the
db-wg.

Also with a subject like "RIPE AA-WG discussion" I initially thought it was
actually about something I said or whatever, in his role as co-chair, it
didn't appear like it was a sales email.

I have also CC'd the aa-wg and ripe list as this is too appalling to be
held private.

-Cynthia


On Mon, Feb 22, 2021 at 5:50 PM Tobias Knecht wrote:

> Hello Cynthia,
>
> my name is Tobias. I'm a Co-Chair of the Anti-Abuse Working Group and also
> Founder and CEO of Abusix.
>
>
> As a Co-Chair I didn't want to jump into the mix on the mailing list,
> that's why I'm reaching out to you directly.
>
> We at Abusix run Abuse Desk for dozens of Service Providers of any size
> and any type of product. From Cloud to DC-Services, Cable, and so on.
>
> Happy to jump on a call and answer the questions you have and tell you
> about how our clients handle those things.
>
> Feel free to reach out via email or just pick a time in my calendar:
> https://calendly.com/tobias-knecht/30min
>
> Thanks and stay safe.
>
> Tobias
>
> --
> Tobias Knecht
> Founder & CEO
> T. +49 170 455 98 45
> abusix.com
>


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Cynthia Revström via anti-abuse-wg
I give up, I am just wasting my time trying to argue, I want to make it
clear I still disagree with you but arguing is a waste of time.

-Cynthia

On Sun, Feb 21, 2021, 05:30 Ronald F. Guilmette wrote:

> In message  u1e9un9ccc8uy-f7...@mail.gmail.com>,
> Cynthia Revström wrote:
>
> >Can you please stop attacking ideas (such as web forms) implying that they
> >only have malicious use cases.
>
> You have missed my point entirely.
>
> Web-based abuse reporting forms are not merely "an idea" any more than
> discrimination is merely an "idea".  Rather it is an attitude and a
> way of life.  It is the Internet equivalent of refusing to wear a
> face mask, for the good of all, in a crowded elevator in the middle of
> a global pandemic.  It is demonstrably and provably a selfish and
> self-serving anti-social behavior pattern.  I don't know where you
> live, but where I live we have already had more than enough of this
> kind of attitude, and this kind of childish anti-social behavior.
>
> >> I hold them responsible because they obviously
> >> fail to have in place contractual clauses that would persuasively
> >> deter this behavior on the part of their customers.
> >
> >In many cases it is practically impossible to know if your customers are
> >sending legit emails or spam without having people reporting it.
>
> Again, you have missed my point quite entirely.
>
> Some providers have clauses in their service contracts that say explicitly
> that customers who are caught spamming will face a mandatory (and heavy)
> "cleanup fee".  Many other providers do not have such clauses in their
> standard service contracts.  Can you guess which providers are the sources
> of most spams?
>
> >> The provider in question is a perfectly lousy coder and is thus
> >> unable and/or unwilling to write code to parse emailed abuse
> >> reports.
> >
> >Hi, I am actually primarily a software dev and not a network engineer, it
> >is not even close to as easy as you make it out to be.
>
> Fine.  Have it your way.  The point can be argued either way, but I see no
> point in us doing so at this moment, since I made a different and
> *overriding* point that renders this question of parsing abuse reports
> sent via email moot.
>
> I say again, any professional treatment of an abuse report will necessarily
> require a human being to actually LOOK at the bloody thing.  When viewed
> with that context, the manner in which the report arrives is utterly
> irrelevant.
>
> If a human being is, in the end, going to end up looking at the bloody
> thing anyway, then what difference does it make if the report arrives
> via email or via a web form?  None.  None at all.
>
> >My point here is that parsing free form text in this way without having a
> >clearly defined structure is far from trivial.
> >Also please stop assuming bad faith by saying that providers are
> >"unwilling" to do this.
>
> I do not assume.  I observe.  And I've been doing this a LONG time.
>
> With the highly probable exception of my friend Michele Neylon, it has
> been my experience that those providers that set up web-based abuse
> reporting forms ignore most or all of what they receive via those
> forms.  Either that or they just forward the reports on to their pet
> spammers, which is provably even WORSE than if they had just dropped
> the reports into /dev/null.
>
> >> And anyway, don't actual human beings need to look at these things,
> >> in the end, in order to be able to react to each of them properly
> >> and in a professional fashion?
> >
> >Web forms can have pros and cons, I am just going to take the case of a
> >VPS/Dedicated server hosting company.
> >
> >If the hosting company provides a web form, they can have a field where
> >they explicitly ask for the offending IP address.
>
> Oh!  So you want and indeed *demand* that the spam *victim* should be
> obliged to fish this tidbit of information out of the headers, so that
> the actual offending network doesn't have to do that part of the analysis
> work, yes?
>
> Where I come from, that's called cost shifting... onto the victim...
> and it is no more morally or ethically defensible than trying to
> justify sexual abuse by saying that the victim wore a short skirt.
>
> >This report could then automatically also be sent to the customer in
> >question
>
> Do you really not understand why this is an extraordinarily BAD IDEA?
>
> >(I believe Hetzner as an example does this or something similar.)
>
> Yes, Hetzner has more than once ratted me out to their spammer customers.
>
> Are you seriously holding that company up as a shining example of ethical
> behavior for others to follow or be guided by??
>
> >> A provider that is routinely receiving so many abuse reports that
> >> it can barely keep up with them all has bigger problems than just
> >> the manner in which abuse reports are received.
> >
> >Due to the automated procedure by some providers for abuse reports, if I
> >have one bad host 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Cynthia Revström via anti-abuse-wg
Ronald,

Can you please stop attacking ideas (such as web forms) implying that they
only have malicious use cases.

> I hold them responsible because they obviously
> fail to have in place contractual clauses that would persuasively
> deter this behavior on the part of their customers.

In many cases it is practically impossible to know if your customers are
sending legit emails or spam without having people reporting it.
As TLS is used in many cases now, the provider can't look at the network
data to see what the customer is sending even on a technical level,
disregarding any trust/potential legal issues.

> The provider in question is a perfectly lousy coder and is thus
> unable and/or unwilling to write code to parse emailed abuse
> reports.

Hi, I am actually primarily a software dev and not a network engineer, it
is not even close to as easy as you make it out to be.
Sure you can have a regex to extract IP addresses and other messy things
like that, but you can't be sure what that address is, it might be your
customer, it might be the address they say you attacked, etc.
My point here is that parsing free form text in this way without having a
clearly defined structure is far from trivial.
Also please stop assuming bad faith by saying that providers are
"unwilling" to do this.
If they could drastically lower the amount of manual work needed here with
a bit of code, they absolutely would in almost all cases.

> And anyway, don't actual human beings need to look at these things,
> in the end, in order to be able to react to each of them properly
> and in a professional fashion?

Web forms can have pros and cons, I am just going to take the case of a
VPS/Dedicated server hosting company.

If the hosting company provides a web form, they can have a field where
they explicitly ask for the offending IP address.
This report could then automatically also be sent to the customer in
question, because we shouldn't assume the customer is malicious, they might
just have a bad config that made them a relay for example.
This could make it so the report is acted upon sooner potentially as the
hosting company might take a few days to reply but maybe the customer can
act sooner.
(I believe Hetzner as an example does this or something similar.)


> A provider that is routinely receiving so many abuse reports that
> it can barely keep up with them all has bigger problems than just
> the manner in which abuse reports are received.

Due to the automated procedure by some providers for abuse reports, if I
have one bad host sending spam, I might get an abuse report for every
single email they receive, so even if it is just one customer I might wake
up to 200 emails.
But if I had a way to group it by sender IP address, that would be a lot
more manageable.
(this was just a hypothetical example)

Now I absolutely agree that having an abuse email address that is acted
upon in a reasonable amount of time (maybe a week or so) is still essential
as the web forms aren't standardised or might rely on technology like
captchas.
But if you send me 200 emails about the same host in one day, I am probably
still going to be mildly annoyed and I could see how this is actually
unmanageable for larger providers.

I think the true solution here is just to have a standard email template or
similar so providers could easily and reliably parse it automatically (at
least partially).
just a very quick example that I didn't consider for more than a minute:
the standard could be as easy as just beginning every report email with
"abuse-host=192.0.2.20,192.0.2.21\n\n" and whatever other fields are needed.

-Cynthia


On Sun, Feb 21, 2021 at 2:51 AM Ronald F. Guilmette wrote:

> In message <20210218200036.066496e36...@ary.qy>,
> "John Levine"  wrote:
>
> >Report web forms are out of the question because they do not scale. I
> >send about a hundred abuse reports a day about spam received from all
> >over the Internet, and I have no interest in using your form or anyone
> >else's to make a manual special case for under 1% of my reports.
>
> I'm real glad that John posted the above comment, as he has saved me
> from having to do so myself.  (But I will take this opportunity to
> elaborate on what John said anyway.)
>
> I am in 1000% agreement with John on this.  Abuse reporting forms do
> not scale... at least not for the *victims* of the abuse.
>
> I report email spams... by far the most common form of network abuse...
> to dozens of different providers every week.  At the moment in time
> when I send each of these reports, I have already been abused by each
> of these providers.  (I hold them responsible because they obviously
> fail to have in place contractual clauses that would persuasively
> deter this behavior on the part of their customers.)
>
> To make me "jump through the hoops" of first even just *finding* each
> provider's unique abuse reporting web form, and then navigating it
> sufficiently well to insure that I have dotted all of the i's 
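
The first-line `abuse-host=` header suggested in the message above, as an added example that is not part of the original post: it groups incoming reports by offending host and sends anything it cannot attribute (free-form text, addresses outside the provider's space) to manual review. `OUR_PREFIXES`, the function names and the sample reports are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the provider's own address space (documentation prefix, constructed).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# First line "abuse-host=<addr>[,<addr>...]" followed by an empty line.
HEADER_RE = re.compile(r"\Aabuse-host=([^\r\n]*)\r?\n\r?\n")
# Loose IPv4 pattern, used only to list candidates in unstructured reports.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_ours(addr):
    """True if the address belongs to one of the provider's prefixes."""
    return any(addr in net for net in OUR_PREFIXES)


def parse_report(body):
    """Return (hosts, review_note); review_note is None when no triage is needed."""
    match = HEADER_RE.match(body)
    if match is None:
        # Free-form text: a regex finds addresses but cannot tell the offending
        # host from the victim, so nothing is attributed automatically.
        candidates = []
        for text in IPV4_RE.findall(body):
            try:
                candidates.append(str(ipaddress.ip_address(text)))
            except ValueError:
                pass  # e.g. "999.1.1.1" matches the pattern but is not an address
        listed = ", ".join(candidates) or "none"
        return [], "no abuse-host header; candidate addresses: " + listed

    hosts, rejected = [], []
    for token in (t.strip() for t in match.group(1).split(",")):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rejected.append(token)  # not an IP address at all
            continue
        if not is_ours(addr):
            rejected.append(token)  # valid address, but not our customer
        elif str(addr) not in hosts:
            hosts.append(str(addr))
    if rejected:
        return hosts, "rejected header values: " + ", ".join(repr(r) for r in rejected)
    return hosts, None


def group_reports(reports):
    """Group (report_id, body) pairs by offending host; collect review items."""
    by_host = defaultdict(list)
    review = []
    for report_id, body in reports:
        hosts, note = parse_report(body)
        for host in hosts:
            by_host[host].append(report_id)
        if note is not None:
            review.append((report_id, note))
    return dict(by_host), review


# Constructed sample reports (not real abuse mail).
SAMPLE_REPORTS = [
    ("r1", "abuse-host=192.0.2.20,192.0.2.21\n\nSpam received, headers attached."),
    ("r2", "abuse-host=192.0.2.20\n\nAnother message from the same sender."),
    ("r3", "Your customer 192.0.2.20 attacked my server 198.51.100.7, please help"),
    ("r4", "abuse-host=203.0.113.9\n\nThis address is not in our space."),
    ("r5", "abuse-host=192.0.2.20, not-an-ip\n\nPartly malformed header."),
]

if __name__ == "__main__":
    grouped, needs_review = group_reports(SAMPLE_REPORTS)
    for host, ids in grouped.items():
        print(host, len(ids), "report(s):", ", ".join(ids))
    for report_id, note in needs_review:
        print("review", report_id, "-", note)
```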

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Cynthia Revström via anti-abuse-wg
Hi Ronald,

You would find one example if you looked at my second email in the thread,
but I am re-sending for your convenience.
> Also to clarify these emails in particular were complete nonsense such as
> "I am under ddos from you, please help" with no other details.
> They were also sent with invalid SPF, and I don't think the from
> addresses were actually the senders.

The others were similar, just one sentence, like "Please check the attached
abuse report pdf" with no attachments.
And due to me being almost entirely certain the addresses in the "from"
headers not being the actual sender, I did not reply asking for more
information.

For the next time, especially for such a short thread, please look
beyond the first message before questioning my determination in this way.

-Cynthia


On Sun, Feb 21, 2021 at 1:13 AM Ronald F. Guilmette wrote:

> In message <
> cakw1m3nkecdjlwzopmfwgd+vs50pkgieoz1rgbauvpd1d9k...@mail.gmail.com>
> Cynthia Revström wrote:
>
> >For some context, today and yesterday I have been receiving spam in the
> >form of fake abuse notices to my abuse contact email address.
>
>
> Example please?
>
> In what sense are these "fake"?
>
>
> Regards,
> rfg
>
>


[anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Cynthia Revström via anti-abuse-wg
Hi aa-wg,

For some context, today and yesterday I have been receiving spam in the
form of fake abuse notices to my abuse contact email address.

Is there a generally accepted standard for when it's okay to block an
address or a prefix from emailing your abuse contact?

I consider being able to contact the abuse email address of a network a
rather important function, so I prefer not to block it.
But also as I have more relaxed spam filters for the abuse contact to make
sure nothing gets lost, it feels like blocking the address/prefix is my
only option other than manually filtering through these emails (10 so far
in total, today and yesterday).

So back to the question, is there a generally accepted point at which
blocking an address/prefix is fine?

Thanks,
-Cynthia


Re: [anti-abuse-wg] 196.52.0.0/14 revoked, cleanup efforts needed

2021-01-20 Thread Cynthia Revström via anti-abuse-wg
Hi Ostap,

First of all this mailing list is not intended to discuss individual cases
of abuse (especially ones not related to the RIPE NCC), but rather to
discuss and develop new methods for dealing with it in general.
(Brian, please correct me if I am wrong here)

Nonetheless, while I certainly don't represent them, I believe RADb does
delete objects if you email them and can show proof that you are the holder
of that IP space.

-Cynthia


On Wed, Jan 20, 2021 at 11:58 AM Brian Nisbet wrote:

> Ostap,
>
> Just to clarify, this list is moderated where necessary, in line with
> https://www.ripe.net/participate/mail/ripe-mailing-list-ripe-forum-code-of-conduct
>  and
> certainly we would generally ask users to be very careful in what they post
> about named individuals.
>
> Thanks,
>
> Brian
> Co-Chair, RIPE AA-WG
>
> Brian Nisbet
>
> Service Operations Manager
>
> HEAnet CLG, Ireland's National Education and Research Network
>
> 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
>
> +35316609040 brian.nis...@heanet.ie www.heanet.ie
>
> Registered in Ireland, No. 275301. CRA No. 20036270
> --
> *From:* anti-abuse-wg on behalf of Ostap Efremov
> *Sent:* Wednesday 20 January 2021 01:00
> *To:* anti-abuse-wg@ripe.net
> *Subject:* [anti-abuse-wg] 196.52.0.0/14 revoked, cleanup efforts needed
>
>
> Hi,
>
> 196.52.0.0/14 was recently revoked.
> Before it was revoked, the whois for this /14 was:
>
> inetnum:196.52.0.0 - 196.55.255.255
> netname:LogicWeb-Inc
> descr:  LogicWeb Inc.
> descr:  3003 Woodbridge Ave
> descr:  Edison, NJ 08837
> country:ZA
> remarks:REMARK
> remarks:The custodianship of this IP prefix is presently
> remarks:in dispute. A police investigation is on-going
> remarks:and AFRINIC reserves the right to
> remarks:reclaim this IP prefix at anytime.
> remarks:REMARK===
>
> However, now, this /14 has been revoked by AFRINIC. Do a whois on it and
> you will see, it's unallocated.
> I believe this /14 was under control from our big friend from Israel, but
> I don't remember.
> This does not matter however.
> But, sadly there are about 367 ip ranges being announced from this /14
> https://pastebin.com/raw/MHaW3nPe
> From about 71 unique ASNs
> This is a BOGON, unallocated space.
> I would appreciate if any network that is on that list and on this mailing
> list, would stop announcing parts of this hijacked /14.
> I reached out to RADB to remove all the radb entries concerning this /14,
> however after 72 hours they still haven't.
>
> This is not an ignored ticket, we have escalated internally with our RADb
> admins and they are looking into it. I will let them know that you are
> looking for a update and we will provide it as soon as possible.
>
> How is it possible that they can't just delete all entries? It is
> UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb.
>
> https://www.radb.net/query?advanced_query=1=-M+196.52.0.0%2F14&-T+option=_option=&-i+option==RADB
> 
> I have also tried to post about this massive source of BOGONS on the nanog
> mailing list, however, they rejected my posts.
> Most likely because it possibly concerns "that one guy from Israel",
> however the nanog moderators refused to comment while continuing to reject
> my posts.
> Their self-censorship is very destructive and harmful. I hope that if this
> list is moderated, I will not have any trouble posting about this issue.
>
> Greetings,
> Ostap.
>
>