[anti-abuse-wg] ORG-NL14-RIPE - Netcetera Limited (Isle of Man)
Please be advised that Netcetera Limited (Isle of Man) aka ORG-NL14-RIPE does not currently accept spam reports if a complete copy of the spam message being reported is included:

: host mx.spamexperts.com[38.89.254.156] said: 550 A URL in this email (subrigneten . co . in) is listed on https://spamrl.com/. Please resolve and retry (in reply to end of DATA command)

[ part 2 - message/delivery-status - Delivery report 474B (suppressed) ]
[ part 3 - message/rfc822 - Undelivered Message 16KB ]

Number is required after -h

Relevant IP blocks for this network are as follows:

81.27.96.0/20
146.247.48.0/20
146.247.53.0/24
146.247.54.0/24
146.247.55.0/24
146.247.56.0/24

Regards,
rfg

-
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/anti-abuse-wg.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Re: [anti-abuse-wg] Yet another BGP hijacking towards AS16509
In message , Siyuan Miao wrote:

>Hijacking didn't last too long. AWS started announcing a more specific
>announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
>security team :-)

Sorry. I'm missing something here.

If the hijack was of 44.235.216.0/24, then how did AWS propagate a "more specific" than that?

Regards,
rfg

--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] So many idiots. So little time.
In message , you wrote:

>On 13.08.22 at 14:13, jer...@hackersbescherming.nl wrote:
>> I would say perfect for that anti abuse training!
>
>Training is useful if you want to learn and achieve the training subject
>matter. Serverius (like many other
>hosting/colocation providers) is in the business of deflecting trouble from
>their customers. In an old antispam forum
>post I found this quote without exact source, which could be used verbatim by
>most of them:
>
>> Serverius IT infrastructure is providing underlying infrastructure services
>> without any hosting activities. Serverius
>> is not a hosting provider as it has no data carrier hardware like servers or
>> disk storage services under management
>> (only our clients do). Serverius is only providing the parent data center
>> colocation of client hardware and/or IP
>> connectivity services that are used by clients to build their own
>> infrastructure. Their services are used by millions
>> of companies in the world. Therefore Serverius does not know what Serverius
>> network users are hosting (it's
>> technically impossible for us to see and forbidden by law) and Serverius is
>> therefore not liable for what our customer
>> hosts behind its own network and/or on his own infrastructure.
>
>Legally, they may be right (of course they are not allowed to peek into their
>customer's servers). However, there's
>something more to it - you could have contract and AUP clauses which prohibit
>spamming/abuse and give the provider
>leverage to enforce that prohibition. But some providers apparently prefer to
>keep such clauses out of their contracts
>and don't want to waste money on abuse desk training because a well-paying
>customer is a well-paying customer after all.
>"Pecunia non olet", as Vespasian is reported to have said.

Digital Ocean apparently has the exact same sort of "Not our problem man!" attitude. I've reported spams to them, and they say "OK, thanks. We have forwarded this to our customer."

(Nice of them to do this so that their customer can then DDoS me.)

Regards,
rfg
Re: [anti-abuse-wg] So many idiots. So little time.
In message , Hans-Martin Mosner wrote:

>Idiots is the wrong choice of word here. Hanlon's Razor does not apply to
>Serverius.

Thank you for this information. I shall be adjusting my local blacklists accordingly.

ORG-SHB2-RIPE:

5.178.64.0/21
5.188.12.0/22
5.255.64.0/19
46.249.32.0/19
89.47.1.0/24
91.221.69.0/24
93.158.200.0/21
93.158.208.0/20
160.20.152.0/22
178.21.16.0/21
185.1.222.0/23
185.8.176.0/22
185.12.12.0/22
185.53.160.0/22
185.79.112.0/22
194.107.76.0/22
[anti-abuse-wg] So many idiots. So little time.
[ part 1 - text/plain - Notification 574B ]

This is the mail system at host segfault.tristatelogic.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

: host mail.serverius.net[91.221.69.174] said: 554 5.7.1 This message has been blocked because ASE reports it as spam. (in reply to end of DATA command)

[ part 2 - message/delivery-status - Delivery report 435B (suppressed) ]
[ part 3 - message/rfc822 - Undelivered Message 23.2KB ]

Number is required after -h

Return-Path:
Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id 754EF4E7D0; Fri, 12 Aug 2022 14:59:24 -0700 (PDT)
From: "Ronald F. Guilmette"
To: ab...@serverius.net
Cc: spamrepo...@tristatelogic.com
Subject: Spam from your network (AS50673): [194.104.236.160]
Date: 12 Aug 2022 14:59:24 -0700
X-Rfg-Spam-Report: (AS50673): [194.104.236.160]
Message-Id: <20220812215924.754ef4e...@segfault.tristatelogic.com>
...
[anti-abuse-wg] Reclamation of Number Resources
Greetings all,

As many of you no doubt know, there has been quite an extraordinarily large brouhaha of late within the AFRINIC region relating to AFRINIC's efforts to reclaim certain large blocks of IPv4 addresses from one particular member organization. This effort has resulted in considerable litigation within Mauritius, the home country of AFRINIC.

Partially as a result of this ongoing controversy, but also just for my own edification, I would like to ask a number of questions about any and all prior instances in which RIPE has reclaimed number resources from member organizations, based on policy.

It seems safe to assume that there have historically been some instances in which RIPE memberships have been terminated, and any associated assigned number resources reclaimed, if and when a given member has simply failed to pay fees due to RIPE. My questions however have to do with situations where policy violations other than the non-payment of fees are involved.

Specifically, I would like to know if any of you can recall past instances where number resources have been reclaimed, by RIPE, for any of the following reasons:

*) Usage of the assigned number resources was no longer consistent with the original justification submitted to RIPE.

*) Violation(s) of out-of-region usage policy.

*) Any other policy violations.

Thanks in advance for any and all responses.

Regards,
rfg
Re: [anti-abuse-wg] Proposal 2022-01
In message , Carlos Friaças wrote:

>> https://www.ripe.net/participate/policies/proposals/2022-01
>>
>> I suspect that many of you are going to want to read those sections before
>> you have your memberships revoked for non-compliance.
>
>I can't read any details about membership revocation. Also I don't see it
>as implicit.

Well, I have been asking for various policies that would place some restrictions on member conduct (in other contexts) for quite some years now, and every time I have asked about such things, either in this region (RIPE) or in other regions, I have always been told "Sorry, no, we can't do that because we have no enforcement mechanism and we have no way to discipline members."

And yet here we have a proposal that clearly intends to -force- members to put accurate information into their WHOIS records.

This raises the obvious question: How?

How will members be forced into this, when it has previously been asserted (in other contexts) that there never has been (and never will be) any way to force members to do anything OTHER THAN to pay their RIPE dues?

>The three sections make perfect sense to me. In section 6.0, if I
>understood correctly this won't apply to legacy resources which are still
>out of any contractual relationship -- which also seems fine.

That's not the way that *I* read it.

Regards,
rfg
[anti-abuse-wg] Proposal 2022-01
Just curious...

How many of you folks have actually read sections 4.0, 5.0, and 6.0 of this pending proposal from the Database Working Group?

https://www.ripe.net/participate/policies/proposals/2022-01

I suspect that many of you are going to want to read those sections before you have your memberships revoked for non-compliance.

Regards,
rfg
Re: [anti-abuse-wg] Unanimity
In message , Carlos Friaças wrote:

>The RIPE NCC Service Region spans over 70+ economies.
>
>In fact it spans over the whole planet when someone from outside the
>service region details some plans to use IP addresses mostly within the
>service region -- is this verified some time after the resources are
>allocated?

I'm sorry Carlos, but I am not understanding either your question or its relevance to what I recently posted (which you quoted). Can you elaborate please?

Regards,
rfg
[anti-abuse-wg] Unanimity
Just a brief point.

I previously noted here that RIPE's rules requiring unanimity or near unanimity in order to declare "consensus" with respect to any given proposal have recently been recognized, by some EU politicians at least, as being a material impediment to forward movement on various issues.

I only just noted that this growing sentiment has now apparently extended even to the Chancellor of Germany:

https://twitter.com/EuromaidanPress/status/1538637496124317704

My hope, of course, is that RIPE and its various WGs are taking notes.

Regards,
rfg
[anti-abuse-wg] Busted!
https://krebsonsecurity.com/2022/06/adconion-execs-plead-guilty-in-federal-anti-spam-case/
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , Cynthia Revström wrote:

>AFAIK the "org-name" attribute on the organisation object does get
>verified if the organisation is a LIR or an end user that has received
>resources directly from the RIPE NCC (through a sponsoring LIR). (and
>possibly a few other cases like legacy resource holders with service
>agreements)

>I believe there are also many policies that say that information
>should be accurate, and while this might not be actively verified for
>the most part, it is still policy in many cases.

Policy in the total absence of -any- validation or enforcement is vacuous. It is a NO-OP. It is a joke.

>Part of the issue is that the RIPE NCC has some responsibility for
>this under the GDPR...

Or to be more accurate, RIPE NCC is -alleged- to have some responsibility for this, e.g. by yourself and by other privacy extremists. In point of fact however this opinion, on your part, has never been adjudicated in any court of law. And more to the point, GDPR has explicit carve outs for the sharing and/or publication of data as may be necessary for an entity to carry out its mission.

Some of us, at least (who may, coincidentally, have been on the Internet since well before you were born), still maintain the "old school" view that it was, is, and remains an integral part of the mission of both domain name registrars and also Regional Internet Registries to promote, foster, and enable the smooth functioning of the Internet. We also believe that that continued smooth functioning can be either (a) enabled by openness and transparency or else (b) hobbled by pointlessly and unnecessarily fetishizing secrecy, specifically within WHOIS records.

If our interpretation of GDPR is the correct one, i.e. that RIPE and other such organizations have both a current and a longstanding/historical duty to *not* "hide the ball", then your claim that the GDPR obliges RIPE NCC to do anything in particular now which is different from what it has been doing for the past 20+ years is both meaningless and not at all supported by *any* legal findings. In short, this contention that GDPR is (suddenly?) forcing RIPE to do something today that it was not forced to do at any time last week, or indeed, at any time over the past 20 years is simply fallacious - an imaginary imperative that doesn't actually exist.

>and it can be really difficult to do this
>correctly, but I think the legal team could explain those details
>better.

And I think that the legal team has also been sucked into the vortex of privacy paranoia and extremism, and that they will say whatever they want to say, regardless of whether their position has been endorsed or verified in a court of law or not. In short, they are part of the problem.

As I have previously noted, RIPE is a *private* organization mostly composed of *private* member organizations, virtually all of which are loath to disclose anything to anybody ever. Thus, I would not be in the least surprised if you told me tomorrow that the RIPE legal team had come out in favor of making the entire WHOIS data base private and accessible to "law enforcement only, eyes only". The legal team doesn't have any incentive whatsoever pulling them in the direction of transparency. All of their incentives run in the opposite direction... i.e. *against* any and all openness & transparency, even if that means degrading the ongoing smooth functioning of the Internet.

>I run a hobby network and have an ASN and a /48 of PI assigned to me
>from RIPE NCC (through a sponsoring LIR) and also know many other
>people who are in a similar situation.

>Many people who do this are uncomfortable with having to publish their
>home address in the RIPE database...

I have two responses:

1) Why don't you get a P.O. box if you are really that worried about it?

2) So if I understand what you're saying, you are saying that because there exists some small, but finite and non-zero set of people who, like you, are "uncomfortable", then everybody else in the universe should bend over backwards, throw out 20+ years of precedent, and should hobble the public WHOIS data base, all just so that -you- won't be made to feel "uncomfortable". Is that what you are saying?

If so, then I'd like to suggest that you consider moving to sunny Florida. I think that you might fit in nicely there. Although you may not have heard about it, the Governor of that state recently signed into law a new state statute which makes it now illegal for teachers in that state to say the word "gay". The justification for this new law was that that word makes some small minority of the parents in the State of Florida "uncomfortable".

My point, of course, is that this is how the dictatorship of the minority begins. You are "uncomfortable" so everyone else must change what they are doing. And how shall we resolve the matter if, hypothetically, the discomfort of you and your friends someday makes me and my friends "uncomfortable"?

>Sure, I could
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , denis walker wrote:

>The bottom line is that there are honest, law abiding people who are,
>or would like to be, resource holders but are exposed to considerable
>personal danger by making their name and address public. We must take
>the personal privacy issue seriously...

These are exactly the central fallacies that have driven and that are driving so much of the GDPR-inspired "privacy" fanaticism that's coming out of Europe these days.

Who exactly are these unspecified "law abiding people" and what is it, exactly, that is preventing them from taking measures on their own (such as renting a P.O. box) to protect themselves and their privacy?

I do not dispute for a moment that there are many people, most notably journalists, many of whom I have had the pleasure to work with (and even some inside of Russia) whose freedom & lives could be endangered by publication of their exact whereabouts. And yet this current proposal was not, as far as I know, generated by any of *them*. *They* already know all about the many readily available ways at their disposal to avoid having their exact whereabouts published. (And God help us all if they ever have to rely on the good graces of RIPE to protect their locations!)

Perhaps even more to the point, I'd like to see any actual Venn Diagram which would show us the -actual- (as opposed to postulated, by the privacy fear-mongers) overlap between the set of people who need any kind of anonymity and/or protection of their location info and the set of people who ALSO provably *need* to have RIPE number resources.

Oh! Never mind! Conveniently, some kind soul on the Internet has already generated & published this exact Venn Diagram:

https://www.amcharts.com/docs/v4/wp-content/uploads/sites/2/2020/02/image-768x377.png

So this is really the first-order fallacy: The assertion, without a single shred of supporting proof offered, that there exists some tiny minority of people who both (a) need either anonymity or else secrecy as regards to their actual physical address, and who also (b) need to have RIR number resources.

If we are to believe this alarmist point of view, even, as it is, backed up by zero actual evidence, then we must accept on blind faith that there are some journalists or other "activists" who need to get their stories out to the public but who cannot use *any* form of existing social media to do that, and who cannot even do it via some shared or dedicated web hosting arrangement. No no! We must believe that there are, somewhere out there, activists and/or journalists who both (a) have reason to fear for their physical safety and who also (b) really need at least an ASN or a /24 or else they will be as good as gagged, for all practical purposes.

This is clearly nonsense on the face of it. We are blessed to live in an era where communication... even mass communication... has never been easier OR more widely available. And yet the contention is that edgy activism and/or journalism will be entirely wiped from the map if the person who wants to distribute a controversial newsletter cannot get hold of an entire /24. Rubbish.

It is this exact sort of illogical thinking that has led to a situation, in Europe, where you now can't even know if the new neighbor who just moved in next door to you is a previously convicted serial pedophile. You aren't allowed to know because your newspapers are no longer allowed to print even just the names of convicted serial sexual predators, much less their photographs. Why any of you folks in Europe ever thought that this would be a good idea is, I confess, beyond me. You have placed this newfound fetish for "privacy" above the competing societal values of free speech, freedom of the press, transparency in public affairs, and the individual citizen's right to know. So now you have to live with the downsides of those value choices.

But those obviously dubious value choices DO NOT have to spill over into the public RIPE WHOIS data base. And they will only do so if the same inability to judge fairly the cost/benefit ratio is sold to the membership at large by the privacy extremists.

And now, at last, we come to the second absurd fallacy driving this debate. I quote:

"We must take the personal privacy issue seriously..."

Simple question: Why? Who says we do?

Did the EU Council pass a resolution while I was sleeping which has rendered RIPE legally responsible for the privacy of its members or their physical addresses? If so, I didn't get the memo.

Seriously, who exactly is "we" and when did "we" become legally, ethically, or morally responsible for hiding the physical addresses of members who could, as I have noted above, quite easily take care of this on their own? Was RIPE actually responsible for hiding physical addresses for all of the past 20 odd years of its existence, but for some strange reason we are only finding out about it now? Again, I think not. Nothing has changed, morally, ethically, or
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , denis walker wrote:

>We are talking about restricting access to one piece of data, the
>address of natural persons. I accept that a lot of abuse may come from
>address space held by natural people. I understand that a lot of
>investigation work is done by companies and individuals. How much of
>an impact would it be on your activities to not know the private
>address of these natural people?

Just a second. Let's pause here for a moment and look at this question of the "physical address" information as it relates to WHOIS records.

One of the many things that have, over the past several years, rendered almost all of the information that is now available in *domain name* WHOIS records virtually entirely worthless was the decision, some considerable time ago, by ICANN, to permit the use of essentially anonymous P.O. box addresses in the WHOIS records for domains registered within the gTLDs. Additional commonly used methods of obfuscation in these domain name WHOIS records include but are not limited to (a) the use of "proxy" registrants and (b) the use of addresses of incorporation agents and (c) use of the addresses of attorneys.

(I have not surveyed the policies of the various ccTLDs with regards to their level of acceptance of such shenanigans but I have no reason to doubt that even the .US TLD allows for all of these clever methods of "hiding the ball" with respect to the actual physical location of the domain name registrant. Hell! The policies governing the .US domain are crystal clear in prohibiting non-US legal entities from registering .US domains, but the operators of the .US registry demonstrably make no attempt whatsoever to check for conformance with even this minimal requirement.)

So, as I have listed above, there are many different frequently-used ways that any natural person may use to obfuscate their actual physical location when registering a domain name. This prompts a rather obvious question: Do there exist any policies, rules, or regulations which would prevent a natural person from using any one of the several techniques I have listed above to obfuscate their actual physical location when they generate their RIPE organization WHOIS record?

And more to the point, is it true or false that, as I have previously asserted, any member can put literally any inaccurate garbage they want into their public-facing RIPE WHOIS records with no consequence whatsoever?

If the answer to *either* question is "yes", then it seems to me that enlisting RIPE NCC to embark upon a deliberate program to hide personal information in public-facing WHOIS records EVEN WHEN THE CORRESPONDING REGISTRANTS HAVE NOT THEMSELVES REQUESTED THAT is not only clearly unnecessary, but actually and demonstrably counterproductive. Should a natural person who actually WANTS to be directly contacted for any and all issues relating to their RIPE number resources have that opportunity closed out, perhaps without even their knowledge or consent, by some small over-aggressive cabal of GDPR fanatics acting unilaterally? I think not.

As noted above, if any RIPE registrant wants to have their physical address info obfuscated then there appears to be any number of simple alternatives available to the registrant themselves to achieve exactly that. Thus, this new push to get RIPE NCC to hide information in public-facing WHOIS records seems to be a solution in search of a problem, and just another misguided top-down enforcement of an extremist view of "privacy", pushed onto the community whether the people actually affected, i.e. the registrants themselves, like it or not.

(Note: I am not intending to pick specifically on RIPE here. To the best of my current knowledge there are -no- policies or rules in -any- RIR globally that explicitly prohibit the use of P.O. boxes, proxy registrants, or the addresses of associated corporate registration agents or lawyers within public-facing number resource WHOIS records. Nor do any RIRs have any clear policies which would have the effect of requiring there to be -any- clear correlation between what appears in a registrant's public-facing WHOIS records and anything corresponding to objective reality.)

>I can only think of three reasons why
>you would need the full address. You intend to visit them (unlikely),
>you want to serve legal papers on them or you attempt some kind of
>heuristics with the free text search in the database to match up
>resources with the same address.

I agree with this list of possibilities, 1, 2, 3. So which of these three are you attempting to hobble?

Are you in favor of making it harder to serve people with legal papers? If so, why would you do that and who would be the beneficiaries of that?

Are you in favor of making it harder for open-source researchers to search the data base for textual correlations that might provide clues to untoward activities? If so, why would you do that and who would be the beneficiaries of that?

Regards,
rfg
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , Suresh Ramasubramanian wrote:

>The person you should invite for this is Ron Guilmette
>
>Ask him about Romanian LIRs from eight or nine years back and you will
>probably get chapter and verse.
>
>For example https://seclists.org/nanog/2013/Jan/328

Indeed. I could write a book about the voracious Romanian gang. And a whole additional one about some similarly voracious folks in Moldova.

The only question is: Who would read them? Nobody seems to care.

Regards,
rfg
Re: [anti-abuse-wg] personal data in the RIPE Database
In message <5f2f5fec-15cd-a307-dac4-366dd76b6...@heeg.de>, Hans-Martin Mosner wrote:

>> If you say yes to both, then I am compelled to point out that there is,
>> as far as I understand it, *no* requirement, within the RIPE region, at
>> present for there to be *any* correlation between what appears in any
>> public RIPE WHOIS record and the actual bona fides of the corresponding
>> member, the -actual- identity of which remain secret & hidden behind an
>> opaque wall of stony silence, backed up by RIPE's legal counsel.
>
>I can't really judge this, but I see why that is your point of view.

It isn't a point of view. It's a simple fact and easy enough to verify.

Members are allowed to put any garbage they like into their WHOIS records. Nobody will stop them, nobody will police them if they do this, and there exists no policy, rule, procedure, or mechanism to correct the WHOIS records if they contain absolute horse manure.

And if you or I suspect that someone has in fact put inaccurate garbage into their WHOIS records, you can ask the ever helpful folks at RIPE NCC to let you see the actual bona fides documents that the corporate entity in question gave to RIPE NCC when it first became a RIPE member. You can ask, and you will be told to get lost, because that is considered to be "secret" and "confidential" info.

Again, I'm talking about non-person CORPORATE entities here. And again, I'm talking about corporate legal registration documents... documents which SHOULD BE PUBLIC anyway due to EU Anti-Money Laundering rules.

Yes, even the EU got tired of its own opacity when it came to shell companies and other corporate entities years ago, and they developed sets of "Anti Money Laundering Directives" that all of the EU member states were *supposed* to enact as local national laws years ago, starting, I guess, with 1AMLD, then 2AMLD, then 3AMLD, 4AMLD, and finally, in 2018, 5AMLD. But just like with RIPE, the EU member states, having approved these new transparency measures at the EU level, were apparently loath to actually implement them, as required, as national laws in a majority of the EU countries. The result was that as of the year 2020, 22 out of 27 EU member states were still playing "hide the ball" with corporate registration and ownership information. This should be a scandalous embarrassment, but both the lethargic EU member countries and also RIPE have never been accused of having anything approximating shame.

You can read the whole shameful story here:

https://www.globalwitness.org/en/campaigns/corruption-and-money-laundering/anonymous-company-owners/5amld-patchy-progress/

Of course this is just the EU/AML part. For now I won't even go into the story of the time law enforcement officers showed up at RIPE headquarters in 2009 and started asking questions in connection with a money laundering investigation they were working on... which apparently involved RIPE itself.

Regards,
rfg
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , Hans-Martin Mosner wrote:

>For resources allocated to legal entities (companies, organizations, etc.)
>an identification of the organization should be mandatory.

Would you agree also that such identification of non-person legal entities that are the registrants of number resources should be:

a) public, and

b) accurate and consistent with the bona fides that were submitted to RIPE NCC at the time the member was made a member, and at any & all times thereafter when the non-person member requested or was granted number resources?

If you say yes to both, then I am compelled to point out that there is, as far as I understand it, *no* requirement, within the RIPE region, at present for there to be *any* correlation between what appears in any public RIPE WHOIS record and the actual bona fides of the corresponding member, the -actual- identity of which remain secret & hidden behind an opaque wall of stony silence, backed up by RIPE's legal counsel.

In short, everything you see in any and all public RIPE WHOIS records is subject to the whims of the corresponding member, whose true identity may be well and truly hidden, and thus, the WHOIS data often is nothing more than totally made-up bovine excrement.

I hasten to add that this is due not to any single mistake or specific deliberate policy choice on the part of RIPE or its members or its legal counsel. Rather it is due entirely to the fundamental nature of RIPE, which is a -private- member-based corporation, the membership of which is composed almost entirely of -private- corporate entities whose most sincere and fervent wish is to be accountable to, answerable to, and transparent to absolutely no one, and often times not even to their own shareholders[1] and/or Boards of Directors[2].

In short, I have some time ago given up entirely on the idea that RIPE could be gradually "reformed" to be more accountable, e.g. to the billion+ ordinary people who now rely on the number resources that it distributes. Reform isn't possible for an organization that has stealthy secrecy and deliberate opacity baked in, as a guiding principle, from its very inception.

Regards,
rfg

[1] The mere existence of "activist" investors like Carl Icahn illustrates the point that corporate entities many times do not even feel any special obligations to be honest, open, and transparent with their own shareholders, let alone the "unwashed masses" of the public at large.

[2] The now well-known story of the rise and fall of the U.S. corporation known as "Theranos" and its all-too-clever former CEO, Elizabeth Holmes, vividly demonstrates that management sometimes (often?) has incentives to keep even a company's own Board of Directors in the dark. And if management isn't telling the truth to its own Board, then they quite certainly are not likely to be truthful, open, honest or transparent with the public at large.
Re: [anti-abuse-wg] personal data in the RIPE Database
In message <009401d8768b$4286eca0$c794c5e0$@hackersbescherming.nl>, jer...@hackersbescherming.nl wrote:

>But again, i get the feeling this group hardly has any people in it from the
>public interest and is basically filled with internet cowboys who don't care
>about all the crap that is being pushed over the internet.
>
>I have gotten the feeling that Ripe is just a waste of my time when u give
>answers like u have done so far!
>
>And with that being said, this will be my last reply in Ripe mailing lists
>since i get the feeling that the whole Ripe organisation is just looking the
>other way when something obviously wrong is going on

For whatever little it's worth, everything you just said is 100% accurate, and it explains why I myself have largely stopped wasting any more of my time trying to create change within the RIPE structures of power. They don't care, and they are not obliged to care, under law. So they can do whatever they want, and do.

They hide information that should be public, using GDPR as a pretense, and allow members to put any gibberish they want into WHOIS records. If you ever have the audacity to ask anybody connected with RIPE for the REAL identification of the REAL owners of any given IP block, RIPE's corporate legal counsel will tell you to come back with a warrant or else go pound sand, because no law obliges them to give this to you, and neither ethical considerations nor public policy considerations carry any weight with RIPE whatsoever. It's all just about preserving the status quo and protecting the guilty.

(As regards the former, all you have to do is to just look at the remarkable absence of ANY progress or notable achievement whatsoever by this, the so-called Anti-Abuse Working Group, over the past 10+ years. The group managers, together with a small group of reliable naysayers, have been rather spectacularly successful at suppressing any meaningful action or decisions whatsoever for at least that long and, I believe, longer.)

And it's even getting worse, day by day. Now they are considering hiding EVEN MORE of the WHOIS data. The excuse, once again, is GDPR. They don't really care to get any input from either law enforcement or legitimate security researchers. God NO! That might force them to at least have to acknowledge the existence of some other point of view that doesn't conform to their already planned agenda of recalcitrance, obstructionism, consistent inaction, and protecting the guilty.

And yes, over the years this do-nothing agenda has been quite successful in driving out of these groups and these mailing lists anybody and everybody who had ever hoped for some positive change but who valued their time and came to realize that they were just pounding their head against an impenetrable wall... a wall created deliberately, and in no small measure by the "consensus" rule that requires EVERYONE to agree before anything at all can happen... a moronic rule that applies also in the structures of the European Union (EU) and that at least some of the elected members of that body have now gone on television to say is (now) glaringly and rather obviously unworkable, in practice.

Welcome to the institutionalized dysfunction that is Europe and RIPE -- the only place on earth where you may be assured of perfect, continued, and uninterrupted Internet connectivity for your country's hacking and crypto-scam communities, even as you threaten to touch off World War III.

Regards,
rfg
Re: [anti-abuse-wg] personal data in the RIPE Database
In message , Matthias Merkel wrote:

>... If you think someone is
>intentionally sending you malicious traffic, the police is the point of
>contact for you.

Yes, because in practice THAT works oh so well! Worldwide, and even in Russia, the police just LOVE cleaning up the messes that we in the networking community have managed to manufacture for ourselves. Sigh. If only we didn't first have to educate them all on the meaning of the word "packet".

Regards,
rfg
Re: [anti-abuse-wg] Another incompetent ISP - Signet, B.V. - transip.net / signet.nl
In message , denis walker wrote:

>Why is this not possible?

Because of you. Because you basically told me to just go away when I previously requested on the db-wg mailing list to have -all- of the WHOIS records for -all- IP block allocations include an org: field. (I have just posted my more complete & detailed description of this issue / problem to the db-wg mailing list so you can find that there.)

>Your list below seems to be a full list of their IPv4.

Well, I know it -seems- that way, but it isn't, for reasons I've explained on the db-wg list.

Regards,
rfg
[anti-abuse-wg] Another incompetent ISP - Signet, B.V. - transip.net / signet.nl
I recently attempted to report spam that was sent to me from [136.144.219.231]. This address is being routed by AS20857 (ORG-SI6-RIPE / Signet B.V.) and the containing IP block (136.144.128.0/17) is registered to TransIP B.V. (NOTE: no associated ORG record) which appears to be just a different face of the same Dutch company (Signet).

My spam report was sent to the abuse reporting address contained in the RIPE WHOIS record for the relevant ASN (AS20857) i.e. . Of course, I included in the report a complete copy of the spam message I received so that the people on the other end could have a clear picture of the nature of this incident and those responsible for it.

Unfortunately, Signet/transIP appears to be yet another in a succession of ISPs that have failed to grasp the seemingly obvious fact that enabling spam filtering on your own inbound spam reporting email address is counterproductive. Thus, for my trouble I received back:

(expanded from ): host mx.transip.email[86.105.244.9] said: 550 5.7.1 Our system has detected that this message is likely unsolicited mail (SPAM). To reduce the amount of spam, this message has been blocked. (4Kpghy5Bcvz1J9nY) (in reply to end of DATA command)

Based on this rejection it is now my intention to locally blacklist all IPv4 blocks assigned to this ISP. A partial list of these is included below. Unfortunately, due to ongoing and longstanding issues with the RIPE database (which I will be mentioning yet again on the RIPE db-wg mailing list, for all the good it will do) it is not easily possible to derive a full list of all of the IP address blocks assigned to this company, at least not in a simple automated fashion.
Blocks assigned to ORG-SI6-RIPE (fully aggregated):
Re: [anti-abuse-wg] ORG-OG2-RIPE -- plusserver.com / plusserver.de
In message <746a4ef3-204f-4f3f-913f-22544eeaf...@plusserver.com>, Christian Adler wrote:

>you are completely right. This is not acceptable and I escalate this to my
>colleagues who are in charge of this problem.

Thank you Christian for proactively addressing this issue. It will certainly be helpful if it becomes possible to email a proper sort of spam report to Plusserver.

Separately and additionally however, I hope that you and your colleagues will invest some brain cycles also to consider the other part of the critique that I posted here the other day. It is apparent that Plusserver does have the technical ability in place to detect and block spam, at least when it is incoming to your network and to your company mail server. Thus it seems apparent that if that same technology were applied equally and also to all email flowing -out- from the Plusserver network, this would have an undeniably salutary effect.

It may be technically difficult to set that all up, but as you may be aware, many larger networks across the globe do already block direct outbound port 25 TCP connects from their network customers, asking them all instead to utilize the company's own outbound "smart host" mail server for all outbound email. The technology to do this is relatively easy to put in place, and is quite mature.

If Plusserver were to do this, possibly with the exception of its large and well-trusted customers, then EVEN IF Plusserver did not also implement any sort of filtering or spam detection on that one outbound "smart host" mail server, the company would at least still have some very helpful realtime logs that would clearly show when some individual customer had been sending a large and atypical amount of outbound emails. And that alone might be just enough to dissuade spammers from trying to use the Plusserver network for their disruptive and abusive activities.

Regards,
rfg
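The "helpful realtime logs" from a mandatory outbound smart host only pay off if someone actually looks for the customer whose volume is atypical. The following is an added example of that check, not code from the post or from Plusserver; the log line format, customer ids, addresses and thresholds are all constructed assumptions.

```python
"""Flag customers whose outbound volume through a relay looks atypical.

Added example; it is not from the original mailing-list post and not any
provider's code. It assumes a constructed, simplified relay log in which each
accepted outbound message is one line of the form:

    <timestamp> customer=<id> from=<envelope-sender> rcpts=<recipient-count>

All thresholds are illustrative assumptions, not recommended values.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<customer>\S+) from=(?P<sender>\S+) rcpts=(?P<rcpts>\d+)$"
)


@dataclass
class CustomerStats:
    messages: int = 0
    recipients: int = 0
    senders: set = field(default_factory=set)  # distinct envelope senders seen


def parse_lines(lines):
    """Aggregate per-customer counters from log lines; malformed lines are skipped."""
    stats = defaultdict(CustomerStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["customer"]]
        s.messages += 1
        s.recipients += int(m["rcpts"])
        s.senders.add(m["sender"])
    return dict(stats)


def flag_outliers(stats, abs_rcpts=500, ratio=10.0, min_senders=5):
    """Return {customer: [reasons]} for customers whose volume is atypical.

    Three independent signals (thresholds are assumptions for this example):
      - more than abs_rcpts recipients in the window (absolute cap)
      - more than `ratio` times the median customer's recipient count
      - at least min_senders distinct envelope senders (rotating From addresses)
    """
    if not stats:
        return {}
    med = median(s.recipients for s in stats.values())
    flagged = {}
    for cust, s in stats.items():
        reasons = []
        if s.recipients > abs_rcpts:
            reasons.append(f"{s.recipients} recipients > {abs_rcpts}")
        if med > 0 and s.recipients > ratio * med:
            reasons.append(f"{s.recipients} recipients > {ratio}x median ({med})")
        if len(s.senders) >= min_senders:
            reasons.append(f"{len(s.senders)} distinct envelope senders")
        if reasons:
            flagged[cust] = reasons
    return flagged


def _line(minute, cust, sender, rcpts):
    return f"2021-02-20T19:{minute:02d}:00Z customer={cust} from={sender} rcpts={rcpts}"


# Constructed sample: four ordinary customers and one behaving like a bulk run
# (40 messages, 25 recipients each, a different envelope sender every time).
SAMPLE_LOG = [
    _line(1, "cust-a", "alice@example-a.test", 1),
    _line(2, "cust-a", "alice@example-a.test", 3),
    _line(3, "cust-b", "bob@example-b.test", 2),
    _line(4, "cust-c", "carol@example-c.test", 1),
    _line(5, "cust-d", "dave@example-d.test", 4),
    "this line is deliberately malformed and must be skipped",
] + [_line(10 + i, "cust-e", f"promo{i}@example-e.test", 25) for i in range(40)]


if __name__ == "__main__":
    for cust, reasons in flag_outliers(parse_lines(SAMPLE_LOG)).items():
        print(cust, "->", "; ".join(reasons))
```

Run over the constructed sample, only cust-e is flagged, on all three signals; the median-based signal is what keeps a large legitimate sender from being flagged merely for being large, as long as its peers are comparable.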
[anti-abuse-wg] ORG-SOVF2-RIPE -- "Oleksandr Siedinkin" -- thehost.ua
Sending a spam report to this network results in the following ignorebot reply:

--
Mailbox confirmation

Hello.

You sent an email to our support team, but unfortunately you are not registered in our customer support system. In order for the message to be accepted, you need to follow the link https://my.thehost.com.ua/manager/billmgr?func=confirmemail&code=REDACTED and confirm the registration.

TheHost Team
Official website - TheHost.ua
TheHost - Hosting-provider
Customer support - supp...@thehost.ua
--

My feeling is that one should not have to register in order to simply report spam received from any given network. Thus I've decided to locally blacklist all RIPE blocks currently assigned to this network. The fully aggregated set of these is as follows:

45.154.116.0/22 88.218.188.0/22 91.223.180.0/24 91.234.32.0/22 176.114.0.0/20 185.166.216.0/22 185.230.88.0/22 185.252.24.0/22
[anti-abuse-wg] ORG-OG2-RIPE -- plusserver.com / plusserver.de
I just wanted to make you all aware that whereas most networks require any spam report to include the entire spam message, attempting to include an actual spam sample in an abuse report sent to ORG-OG2-RIPE aka plusserver.com results in an undeliverable (5xx) bounce message containing text like the following:

: host mx01.hornetsecurity.com[94.100.132.8] said: 554 5.6.3 Your mail contains SPAM. To unblock visit http://cloud-security.net/unblock?REDACTED (in reply to end of DATA command)

It is of course admirable that this network is able to accurately recognize -inbound- spam messages so accurately. It is rather a shame however that this network is apparently incapable of doing likewise when it comes to spam flowing outwards from their network.

For reference, the fully aggregated set of IPv4 CIDRs currently assigned to this network within the RIPE region is as follows:
Re: [anti-abuse-wg] Fwd: [dns-wg] EU: DNS abuse study
In message , Markus de Brün wrote:

>f) The top five most abused registrars account for 48% of all
>maliciously registered domain names (Appendix 1 - Technical Report,
>Section 11.2, pp. 43-44).

Hey! I have an idea! What if we created one global organization to accredit and monitor literally all domain name registrar companies, and what if we allowed that organization to actually *discipline* domain name registrars which have proven by their actions that they are purely profit-oriented anti-social assholes?

Now I know what you are thinking. "Impossible!", right? But I can dream, can't I?

Regards,
rfg

P.S. Namecheap, Inc., whose name comes up repeatedly in this study, has at various times claimed to have its headquarters in California and then, subsequently, in Arizona. As far as I have been able to determine it has never been properly registered in either state. It is, I believe, logical to infer from that fact that it has never filed a state-level tax return in either California or Arizona, quite possibly violating the law in either or both states. Not that ICANN would give a shit. As long as no officers of any accredited registrar have murdered anybody lately, or been convicted of robbing any banks lately, I think that ICANN is OK with pretty much anything else, as long as they keep on getting their checks regularly.

I am reminded of that old saying... "Fish rots from the head down."

https://opencorporates.com/companies?q=Namecheap&utf8=%E2%9C%93
Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG
In message <26f1df33-b958-bed4-f748-f82324d0b...@tana.it>, Alessandro Vesely wrote:

>Shouldn't there be a standard for automatically forwarding messages destined
>to abuse-c following a path similar to that of RFC 2317 delegations? I'd love
>if AA training encouraged such behavior.

Although delegation of abuse report handling may sound like a good idea in theory, in practice it is a tragically bad idea. What happens when the customer is a spammer and abuse handling is delegated to that customer? Google for the term "list washing".

This isn't merely a theoretical possibility. Digital Ocean has previously sent me multiple response emails saying quite explicitly that they had forwarded my spam reports to their spammer customer(s). Those customers will then surely cease to spam *me* but will continue to spam everyone else on the planet. This does not create any meaningful reduction in the global spam load. It simply rewards those "responsible" spammers who remove from their target lists the email addresses of the few "complainers" who nowadays take the time to report spam.

Regards,
rfg
Re: [anti-abuse-wg] New on RIPE Labs: RIPE NCC Anti-Abuse Support - What to Do if It Happens to You
In message <366ab1dc-8e7e-4ca9-b68d-0cfddad96...@blacknight.com>, Michele Neylon - Blacknight wrote:

>Please explain.

I'm not sure there's anything really to explain. I said what I meant and meant what I said. When it comes to cybercrime generally, law enforcement generally hasn't had what I would call a sterling history of unbridled and/or consistent success. Rather the opposite, in fact.

Regards,
rfg
Re: [anti-abuse-wg] New on RIPE Labs: RIPE NCC Anti-Abuse Support - What to Do if It Happens to You
In message <7ed28c86-0c0d-4e0f-95d0-3f7374b1f...@ripe.net>, Alun Davies wrote:

>At the RIPE NCC, we get lots of requests for assistance from people
>dealing with online abuse. In this new article on RIPE Labs, Angela
>Dall'Ara talks about how you can use RIPE NCC tools to help resolve
>abuse issues, but also takes a look at what you can do when further
>steps need to be taken.
>
>https://labs.ripe.net/author/angela_dallara/ripe-ncc-anti-abuse-support-what-to-do-if-it-happens-to-you/

This is an interesting tutorial, however I would like to just suggest that the subsections titled "When to Contact a Law Enforcement Agency" and "Contacting LEAs in Other Countries" be removed in order to prevent naive readers of this tutorial from incorrectly inferring that law enforcement agencies might be at all likely to be of any assistance when dealing with online abuse issues.

Regards,
rfg
Re: [anti-abuse-wg] AS8003 and U.S. Department of Defense routing
In message , Randy Bush wrote:

>interesting wg to do routing security analysis.

To be 100% clear, it was not my intention that anyone here should attempt to engage in any sort of "security analysis" with respect to the current rather inexplicable routing for much DoD IPv4 address space. I just posted here because, as I said, I felt some folks here might find the information interesting.

>as i do really not know the dod's or their proxy's motive(s), i can not
>say much about their tactics let alone strategy.

Neither do I. Nor do I even much care. It's their space. They can do whatever the hell they want with it. The only reason that any of this is even interesting is because it all is really rather bizarre. Why did they even need to bother with a goofy shell company? It's silly, really, and it didn't actually hide anything.

>is some random (small, i hope) isp using my address space internally as
>1918 equivalent abusive, beyond their customers maybe not be able to
>reach my network? if so, maybe the vigilantes are looking in the wrong
>direction.

Which "vigilantes" would those be, exactly?

Regards,
rfg
[anti-abuse-wg] AS8003 and U.S. Department of Defense routing
Greetings friends,

I thought that you all might like to be aware of this:

https://apnews.com/article/technology-business-government-and-politics-b26ab809d1e9fdb53314f56299399949

Regards,
rfg
[anti-abuse-wg] AFRINIC -- The Saga Continues
Just published. https://mybroadband.co.za/news/internet/390378-afrinic-hired-a-convicted-criminal-to-look-after-valuable-it-assets.html
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message , Randy Bush wrote:

>we are in a 'maturing' industry...

That excuse might almost be a reasonable justification for bad behavior and even worse operating policies if it hadn't already been in continuous use for the past 20+ years. The spam problem has existed on the Internet since the late 1990s. May we optimistically hold out some hope that this industry might be able to get its shit together by, say, 2045?

>so margins are low and people are overworked and underpaid.

Maybe margins are low *structurally*, because just like in the spam trade, everybody and his brother got enticed by the low barriers to entry in the commercial hosting business, resulting in tens of thousands of "me too" operators that, in point of fact, have no commercial advantage, and thus no reason to even exist. And they are all now competing with tens of thousands just like them, as well as trying, vainly, to compete with a few other outfits you may have heard of, e.g. Amazon, Google, Microsoft.

"Margins are low" is the same excuse that polluters used back in the day for dumping toxic waste into rivers in the dead of night. Now it is being trotted out as an excuse for an inability... or rather an unwillingness... to do the simple things (like blocking outbound port 25) needed to stop the effluent of spam from leaking out into and onto the global Internet.

Profits may be in short supply in the commercial hosting business, but fortunately there is never any shortage of lame excuses to justify the status quo.

Regards,
rfg

P.S. I am at pains to stress that essentially 100% of *all* network abuse of ALL KINDS these days originates from commercial hosting providers. I do not, in general, get spam, or break-in attempts, or port scans, or any other such abuse from government networks, from academic networks, from non-profit associations, or from legitimate businesses that have their own netblocks and that are not fundamentally in the Internet services business. Nor do I have to endure such crap from any of the thousands of so-called "eyeball networks", e.g. Comcast, etc. Rather, the sum total of essentially all network abuse these days is consistently emanating from commercial hosting providers, and specifically from the ones that have elected to entice miscreants and criminals to their services by having deliberately loose contractual policies or else deliberately loose enforcement of their stated policies. It's a fairly moronic way to try to make a living, or to turn a profit, but I guess that when you have nothing else to offer in the way of competitive advantage...
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message , Randy Bush wrote:

>there is a fair bit of spectrum between the internet of cooperating
>competitors running their networks as prudently as they can afford
>and an internet desired by some where everything is done uniformly
>by rigid written rules.

You are using the word "afford" in this context as a blanket excuse for incompetence and/or willful anti-social negligence.

What is the cost of adding a "cleanup fee" clause to your standard service contracts, and why are you so abysmally bad at business that you cannot afford to do that?

What is the cost of filtering outbound port 25 by default, and why are you so abysmally bad at business that you cannot afford to do that?

The data is in, and applying one or both of these simple measures to any given network has been demonstrated to reduce the need to pay humans to staff an "abuse desk" dramatically.

Are you also unable to "afford" to implement BCP 38?

Regards,
rfg
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message , Cynthia Revström wrote:

>Can you please stop attacking ideas (such as web forms) implying that they
>only have malicious use cases.

You have missed my point entirely. Web-based abuse reporting forms are not merely "an idea" any more than discrimination is merely an "idea". Rather it is an attitude and a way of life. It is the Internet equivalent of refusing to wear a face mask, for the good of all, in a crowded elevator in the middle of a global pandemic. It is demonstrably and provably a selfish and self-serving anti-social behavior pattern. I don't know where you live, but where I live we have already had more than enough of this kind of attitude, and this kind of childish anti-social behavior.

>> I hold them responsible because they obviously
>> fail to have in place contractual clauses that would persuasively
>> deter this behavior on the part of their customers.
>
>In many cases it is practically impossible to know if your customers are
>sending legit emails or spam without having people reporting it.

Again, you have missed my point quite entirely. Some providers have clauses in their service contracts that say explicitly that customers who are caught spamming will face a mandatory (and heavy) "cleanup fee". Many other providers do not have such clauses in their standard service contracts. Can you guess which providers are the sources of most spams?

>> The provider in question is a perfectly lousy coder and is thus
>> unable and/or unwilling to write code to parse emailed abuse
>> reports.
>
>Hi, I am actually primarily a software dev and not a network engineer, it
>is not even close to as easy as you make it out to be.

Fine. Have it your way. The point can be argued either way, but I see no point in us doing so at this moment, since I made a different and *overriding* point that renders this question of parsing abuse reports sent via email moot. I say again, any professional treatment of an abuse report will necessarily require a human being to actually LOOK at the bloody thing. When viewed with that context, the manner in which the report arrives is utterly irrelevant. If a human being is, in the end, going to end up looking at the bloody thing anyway, then what difference does it make if the report arrives via email or via a web form? None. None at all.

>My point here is that parsing free form text in this way without having a
>clearly defined structure is far from trivial.

>Also please stop assuming bad faith by saying that providers are
>"unwilling" to do this.

I do not assume. I observe. And I've been doing this a LONG time. With the highly probable exception of my friend Michele Neylon, it has been my experience that those providers that set up web-based abuse reporting forms ignore most or all of what they receive via those forms. Either that or they just forward the reports on to their pet spammers, which is provably even WORSE than if they had just dropped the reports into /dev/null.

>> And anyway, don't actual human beings need to look at these things,
>> in the end, in order to be able to react to each of them properly
>> and in a professional fashion?
>
>Web forms can have pros and cons, I am just going to take the case of a
>VPS/Dedicated server hosting company.
>
>If the hosting company provides a web form, they can have a field where
>they explicitly ask for the offending IP address.

Oh! So you want and indeed *demand* that the spam *victim* should be obliged to fish this tidbit of information out of the headers, so that the actual offending network doesn't have to do that part of the analysis work, yes? Where I come from, that's called cost shifting... onto the victim... and it is no more morally or ethically defensible than trying to justify sexual abuse by saying that the victim wore a short skirt.

>This report could then automatically also be sent to the customer in
>question

Do you really not understand why this is an extraordinarily BAD IDEA?

>(I believe Hetzner as an example does this or something similar.)

Yes, Hetzner has more than once ratted me out to their spammer customers. Are you seriously holding that company up as a shining example of ethical behavior for others to follow or be guided by??

>> A provider that is routinely receiving so many abuse reports that
>> it can barely keep up with them all has bigger problems than just
>> the manner in which abuse reports are received.
>
>Due to the automated procedure by some providers for abuse reports, if I
>have one bad host sending spam, I might get an abuse report for every
>single email they receive, so even if it is just one customer I might wake
>up to 200 emails.

So you're saying that you work as an outsourced abuse department for various providers? And you're OK with spammers being allowed to send out 200 spams, but you really don't want to then have to deal with 200 reports of same? I just want to make sure that I understand what you're sayi
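The exchange above turns on who should "fish the offending IP out of the headers". Below is an added example of how an abuse desk could do that itself from the spam sample attached to an emailed report; it is not code from either participant or from any provider, and the message, hostnames, addresses and trusted-relay range in it are constructed. The point it demonstrates is the caveat a careless parser misses: only the first hop from outside the reporting side's own relays is trustworthy, because every Received line below it was written by the sender and may be forged.

```python
"""Extract the originating IP from an emailed spam sample (abuse-desk side).

Added example; it is not from the original thread and not any provider's
code. The message, hostnames and addresses below are constructed. It assumes
the abuse desk knows which relays belong to the *reporting* side (here the
assumed range 192.0.2.0/24); Received headers written by those relays are
believed, and the first hop from outside that set is taken as the origin.
Every Received line below that hop was supplied by the sender and may be
forged, so it is deliberately never consulted.
"""
import ipaddress
import re
from email import message_from_string

# "[203.0.113.45]" or "[IPv6:2001:db8::1]" inside a Received 'from' clause
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
FROM_CLAUSE = re.compile(r"\bfrom\s+(.*?)\s+by\s", re.IGNORECASE)

# RFC 1918 and loopback: internal handoffs inside the trusted chain, never an origin.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def received_hops(raw_message):
    """Return the 'from' IP of each Received header, newest (topmost) first.

    Headers without a parsable 'from ... [ip] ... by' clause are skipped.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        m = FROM_CLAUSE.search(text)
        if not m:
            continue
        ipm = IP_IN_BRACKETS.search(m.group(1))
        if not ipm:
            continue
        try:
            hops.append(ipaddress.ip_address(ipm.group(1)))
        except ValueError:  # bracketed text that is not an address
            continue
    return hops


def originating_ip(raw_message, trusted_relays):
    """First Received-from IP that is neither a trusted relay nor internal, or None.

    Walking top-down and stopping at the first outside hop is what keeps forged
    headers further down from influencing the answer.
    """
    skip = [ipaddress.ip_network(n) for n in trusted_relays] + INTERNAL_NETS
    for ip in received_hops(raw_message):
        if any(ip in net for net in skip):
            continue
        return str(ip)
    return None


# Constructed sample. The bottom Received header is a forgery inserted by the
# sender so that a naive bottom-up parser would blame 198.51.100.9 instead.
SAMPLE_SPAM = """\
Received: from mx2.victim.test (mx2.victim.test [192.0.2.20])
\tby mailbox.victim.test (Postfix) with ESMTP id A1B2C3
\tfor <victim@victim.test>; Sat, 20 Feb 2021 19:40:01 -0500
Received: from promo-host.example (unknown [203.0.113.45])
\tby mx2.victim.test (Postfix) with ESMTPS id D4E5F6
\tfor <victim@victim.test>; Sat, 20 Feb 2021 19:40:00 -0500
Received: from mail.bank.test (mail.bank.test [198.51.100.9])
\tby promo-host.example with SMTP; Sat, 20 Feb 2021 19:39:00 -0500
From: "Promotions" <promo@example-spam.test>
To: victim@victim.test
Subject: constructed spam sample

This body text is part of the constructed example only.
"""

TRUSTED_RELAYS = ["192.0.2.0/24"]  # assumed: the reporting side's own MX range

if __name__ == "__main__":
    print("all hops, newest first:", [str(ip) for ip in received_hops(SAMPLE_SPAM)])
    print("origin to report:", originating_ip(SAMPLE_SPAM, TRUSTED_RELAYS))
```

The trusted-relay list is the one piece of knowledge the reporting side has and the receiving provider does not, which is why a report that includes the full original message (headers intact) is more useful to the provider than a form field holding whatever IP the victim picked out by hand.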
[anti-abuse-wg] Anti-social assholes
I get an email spam so I report it... via email. I *do not* don snorkel gear. I do not contort my body into odd shapes. I do not make my report out-of-band, via smoke signals, or Morse code, or via modulated infrared wavelengths.

Call me old fashioned, but as I have already made plain, I do not think that I should be required to do any of these things. It is easier for me just to block all of Hostdime, which I had plenty of reasons to do already anyway.

Regards,
rfg

P.S. Seriously, how much arrogance does it take for them to say to me that it is OK for me to have taken up *my* time to have read the crap that was originated by *their* customer, but *they* cannot be bothered to read *my* mail to them?

--- Forwarded Message

Date: Sat, 20 Feb 2021 19:47:33 -0500
From: ab...@hostdime.com
To: r...@tristatelogic.com
Subject: [AUTOREPLY] - Please submit complaint to https://www.hostdime.com/abuse-report/

Hello,

Thank you for contacting HostDime. Please resubmit your original message at the following link for action to be considered:

---
HostDime Abuse Report Form
https://www.hostdime.com/abuse-report/
---

Thank you,
HostDime.com, Inc

NOTE: This is an automated message. Please do not reply to this email. This mailbox is not monitored.

--- End of Forwarded Message
Re: [anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)
In message , furio ercolessi wrote:

>remarks: trouble: | ab...@manitu.net |
>remarks: trouble: | |
>remarks: trouble: | IMPORTANT: Your message will probably sent to |
>remarks: trouble: | the customer concerned by an automatic system. |
>...
>This is so absurd, I had to read it twice to make sure that I was not
>misreading it.
>They state that they automatically pass all my personal data to abusers if I
>send a report to them...

A representative of Digital Ocean told me point blank that they have the exact same policy. They just don't put it into their WHOIS records.

Until there is some serious downside, companies will continue to get away with this shit without paying any price for this asshole-ness.

Regards,
rfg
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message <20210218200036.066496e36...@ary.qy>, "John Levine" wrote:

>Report web forms are out of the question because they do not scale. I
>send about a hundred abuse reports a day about spam received from all
>over the Internet, and I have no interest in using your form or anyone
>else's to make a manual special case for under 1% of my reports.

I'm real glad that John posted the above comment, as he has saved me from having to do so myself. (But I will take this opportunity to elaborate on what John said anyway.)

I am in 1000% agreement with John on this. Abuse reporting forms do not scale... at least not for the *victims* of the abuse.

I report email spams... by far the most common form of network abuse... to dozens of different providers every week. At the moment in time when I send each of these reports, I have already been abused by each of these providers. (I hold them responsible because they obviously fail to have in place contractual clauses that would persuasively deter this behavior on the part of their customers.) To make me "jump through the hoops" of first even just *finding* each provider's unique abuse reporting web form, and then navigating it sufficiently well to insure that I have dotted all of the i's and crossed all of the t's, as required, uniquely, for each different provider, just *adds* injury to the insult that I have already suffered at the hands of these same providers, and these same networks.

The demand to use a web-based reporting form is itself a form of cost shifting. It shifts more of the costs of dealing with network abuse onto the victims of abuse and away from the providers that are actually originating the abuse in the first place. In that sense it is arguably the same as spam itself. Email spam only exists because it is a way of shifting the costs of advertising onto the recipient and away from the senders.
Likewise, demanding that I must find my way to, and then properly complete *your* unique web reporting form is yet another way of shifting the costs of dealing with *your* abuse of *my* inbox away from yourself and onto me. Sure, it is maximally convenient FOR YOU, but how about a little more consideration for the victim?

As John and others have noted, if I take up *my* time and effort to report to you abuse that is coming from *your* network, then I am NOT doing that for *my* benefit. Rather all of the benefits of abuse reports flow to the network operator of the network where the abuse originated. I am not an imbecile, and I can easily enough block any arbitrary sender in my own local configuration, either by full email address, or by domain name, or by IP address range. Thus, nothing obligates me to report any spam, and I can easily enough prevent myself from getting spammed twice or more from the same source. So how does it benefit *me* as a spam recipient, to send in a spam report? The answer is that it doesn't. Period, full stop. I only do it out of a sense of community responsibility, i.e. to do my part to help pick up trash that other people leave lying around on the Internet.

In an ideal world the networks/providers who are the recipients of my spam reports would be grateful for my help in trying to keep their networks clean, EVEN TO THE POINT WHERE THEY SHOULD PAY ME OUT OF GRATITUDE upon receiving any professionally prepared report from me. But they don't. (Sigh.) At the very least they should have the minimal courtesy and respect to not make the task of sending them a report more cumbersome and more tedious than it needs to be. Web reporting forms do the exact opposite, and they are thus every bit as anti-social as spam itself.

Regards,
rfg

P.S.
Some providers try to justify or excuse their clearly anti-social demand that everyone reporting abuse to them must use a web form by claiming that they get too many abuse reports, on a regular basis, to allow them to do anything sane or useful with such reports UNLESS they come to them via a web form. This is 1000% bullshit, and it indicates two things:

1) The provider in question is a perfectly lousy coder and is thus unable and/or unwilling to write code to parse emailed abuse reports. And anyway, don't actual human beings need to look at these things, in the end, in order to be able to react to each of them properly and in a professional fashion? If so, then how does the additional automation of a web form even provide any real or useful service to *either* the originator of an abuse report *or* to the sender of such a report? It doesn't, clearly. It is just a way of maximally inconveniencing the originators of abuse reports, and thus to quite apparently deter them from reporting AT ALL.

In fact, for me, any time a provider says to me "Oh, you need to use our web form to report that" I take any such statement as a nearly 100% reliable indicator that the provider/networ
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message <0a339f88-8746-458d-a868-7bd3058b8...@consulintel.es>, JORDI PALET MARTINEZ wrote:

>I see it in the other way around. Forms are not useful at all. You need to
>manually fill in the form, unless you modify the automated reporting tools for
>"each" "form-holder". Many of them also ask you to create an account in their
>ticketing system, but because you're not their customer, you actually can't do
>it, or can't use it, etc. … When I tried to follow the steps, with major
>datacenters, such as OVH (one very common hoster of "bad" customers, not to say
>criminals), they never solve the issues, or you can't see the "results" of the
>investigation (I tend to think that never investigated in fact …).

It's really too bad that this WG could never even agree to define the term "abuse". If there was a definition of "abuse", then perhaps some further forward movement would be possible, specifically, as should be obvious from what Jordi posted (which reflects the common and shared experience of most of us) if we had a definition of "abuse" to start from, then we might be able to move on to developing a Best Practices document for -responding- to various kinds of abuse reports.

It's crystal clear, and has been already for many many years, that many networks are so far away from what might be called "optimal" abuse report handling that many are actually doing things that not only do not prevent or deter abuse, but rather, the actions of some networks are actually and actively encouraging, fostering, and supporting abuse.

Unlike the present situation here on earth, on any sane planet there would at least be some generally agreed upon yardstick that would allow the community to say definitively, and based on evidence, that "Provider X is doing a perfectly abysmal job of handling abuse reports" or conversely that "Provider Y is doing a fine job of professionally handling abuse reports."
Unfortunately, as of now, here on planet earth we can only share unscientific anecdotes and (possibly biased) personal opinions.

Regards,
rfg
Re: [anti-abuse-wg] Question about spam to abuse inbox
In message , Cynthia Revström wrote:

>For some context, today and yesterday I have been receiving spam in the
>form of fake abuse notices to my abuse contact email address.

Example please? In what sense are these "fake"?

Regards,
rfg
[anti-abuse-wg] REPORT: DDoS-Guard - AS57724, AS262254, AS49612
I hope that you all will read this report:

English version:
https://meduza.io/en/feature/2021/01/29/remove-this-infection-from-your-network

Russian version:
https://meduza.io/feature/2021/01/28/uberite-etu-zarazu-iz-svoey-seti

Regards,
rfg
[anti-abuse-wg] AFRINIC Audit report
The following has recently been posted to the RIPE web site:

https://labs.ripe.net/Members/alun_davies/outcome-of-the-afrinic-audit

I have attempted to lodge the following comment, but apparently my comment is being held for review, presumably to insure that it does not contain any four letter words, nor any material that might violate GDPR, another four letter word.

When I and my journalistic colleague, Jan Vermeulen of MyBroadband.co.za began our investigations into this colossal and truly epic malfeasance and theft of valuable IPv4 resources in mid 2019, the notion of either of us becoming famous or of receiving any credit for unraveling and publicly documenting this gigantic scandal was not what motivated us, nor has it been, since the beginning. Rather, we merely wished to right some wrongs and return to the people of Africa some valuable IP resources critically needed for the ongoing development of the Internet in Africa.

Nonetheless, it would have been, I think, at least minimally respectful if either AFRINIC or (now) RIPE had taken a moment to at least mention our names and our very evident, abundant, and key contributions towards exposing this whole huge mess. Neither organization, it seems, has thus far elected to do so publicly.

Such is the reward, or lack thereof, of a job well done.

Regards,
rfg
[anti-abuse-wg] BREAKING: AFRINIC IPv4 address skulduggery FINAL REPORT - Just released
Holy Hell! I didn't know until this moment that the U.S. FBI was looking into this colossal mess, starting apparently from even before March of 2019.

Nonetheless, I still claim credit for having planted the flag first. I was publicly bitching about all of the apparent AFRINIC funny business starting from November 17, 2016.

https://afrinic.net/20210121-afrinic-whois-database-accuracy-report

Regards,
rfg
Re: [anti-abuse-wg] 196.52.0.0/14 revoked, cleanup efforts needed
In message , Ostap Efremov wrote:

>196.52.0.0/14 was recently revoked.

Confirmed. It appears that AFRINIC returned that /14 to its free pool.

>Before it was revoked, the whois for this /14 was:
>
>> inetnum: 196.52.0.0 - 196.55.255.255
>> netname: LogicWeb-Inc
>> descr: LogicWeb Inc.
>> descr: 3003 Woodbridge Ave
>> descr: Edison, NJ 08837
>> country: ZA

Confirmed. Please note however that contrary to all rumors, Edison, New Jersey is -not- actually located in "ZA" (South Africa).

>I believe this /14 was under control from our big friend from Israel...

No. This block -somehow- made its way... for some several years anyway... directly into the hands of a certain Mr. Chad Abizeid, proprietor of LogicWeb, in New Jersey, most specifically the one that's located in the U.S. There's no involvement of any Israeli personages with this specific block as far as I can determine.

>This is a BOGON, unallocated space.

Yes. *Now* it is.

>I would appreciate if any network that is on that list and on this mailing
>list, would stop announcing parts of this hijacked /14.

That would be Good, yes.

>I reached out to RADB to remove all the radb entries concerning this /14,
>however after 72 hours they still haven't.

In my experience, neither accuracy nor security are among RADB's strong suits.

>How is it possible that they can't just delete all entries?

Other things just take priority sometimes, you know. Have you never heard of Tetris?

>It is UNALLOCATED SPACE, it shouldn't be routed, it shouldn't have radb.

Well, yea. But also, we in these United States should not have had to live with four full years of totally unprecedented social lunacy, the likes of which none of us have ever before known in our entire lives. But we have fixed that now. Sometimes you just have to be patient. These things take time.

Regards,
rfg
Re: [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas
In message , Siyuan Miao wrote:

>hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?

I bitched about this to Sucuri. They ignored me for a few days but then kicked the site from their reverse proxy service and now it is back on a Russian network again:

# ORG: (RU) ORG-FG2-RIPE "OOO FREEnet Group"
# 193.233.15.207 hamas.ps

The entire 193.233.0.0/16 block is registered to this "FREEnet Group" thing, whose contact info includes this:

address: FREEnet NOC
address: Institute of Organic Chemistry RAS
address: 47, Leninsky prospect
address: 119991 GSP-1, Moscow
address: Russia

(I can only speculate that the Institute of Organic Chemistry is probably as good a source as any for DIY homemade rocket fuel formulas.)

Meanwhile the 193.233.15.0/24 sub-block is being routed by AS42745 aka "Safe Value Limited"... allegedly of the Seychelles Islands. I'm a bit slow on the uptake, so if someone would be so kind as to explain to me again why RIPE is in the habit of giving out AS numbers to companies located in tax & corporate secrecy havens which are themselves located in the Indian Ocean, I'd appreciate it.

Well, anyway. This outfit does have a very impressive web site. :-)

http://safevalue.pro/

Regards,
rfg
Re: [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas
In message , you wrote:

>hamas.ps seems to be hosted on Sucuri ... a doggy US based firm?

According to data provided by Farsight Security, Inc. the site was formerly located at 190.115.18.139, which is indeed DDoS-Guard, up until 2020-11-12, and it was then moved to its current location, 192.124.249.13, which is indeed Sucuri.

--
;; bailiwick: hamas.ps.
;; count: 70144
;; first seen: 2019-05-14 23:18:11 -0000
;; last seen: 2020-11-12 13:40:58 -0000
hamas.ps. IN A 190.115.18.139

;; bailiwick: hamas.ps.
;; count: 11017
;; first seen: 2020-11-12 13:45:02 -0000
;; last seen: 2021-01-12 14:21:11 -0000
hamas.ps. IN A 192.124.249.13
Re: [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
In message , steve payne wrote:

>There is a huge amount of some type of fraud happening with .it, .pl, .xyz
>and other domains being registered (see links below).
>
>https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>
>https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>
>These links contain a list of over 5,000 domains that are currently
>spamming search engines with spun text and then cloaking users to malware
>that have the search engine referrer.

I'm confused. How exactly does one "spam" a search engine? And what is "spun text", exactly?

Regards,
rfg

P.S. Please send me via private email the full list of suspicious URLs. I may not be able to actually do anything with those, but I can at least have a look. (For some reason my browser is not allowing me to just cut and paste from your google docs.)
[anti-abuse-wg] Second Notice: Squatting / Fraud / Identity theft by AS13259 - Delta Telesystems Ltd. (RU)
Greetings all and Happy New Year.

It is my sad duty to report to you all that since my posting of 2020-12-21 noting the several squats onto various IPv4 address blocks and multiple ASNs, little if anything has changed. Here is a link to that prior posting:

https://www.ripe.net/ripe/mail/archives/routing-wg/2020-December/004212.html

(Note that there was one minor typo in that posting -- I wrote "AS1065" in one place where I should have written "AS10650".)

As noted in that prior posting, all of this illicit activity quite clearly traces back to AS13259 - Delta Telesystems Ltd. (RU). Several abandoned AS numbers were and are being used in an attempt to disguise that fact, but the evidence is clear that 100% of these squats are traceable back to AS13259.

The only thing that appears to have changed since my original report of 2020-12-21 is that now, instead of using fraudulent RADB route objects to try to frame up an apparently innocent party (Leaseweb Deutschland GmbH) the perpetrator of these squats has removed those prior fraudulent RADB route objects and has simply replaced them with a new set of fraudulent RADB route objects which now attempt to shift blame instead onto a different German company, specifically the owners of AS8208, Teamware GmbH. It is easy to see past this new deception however, since all of the same old squatted blocks are still being squatted.

A full listing of the affected squatted blocks is given below, along with annotations that show, for each block, the identity of the legitimate registrant organization and also the identity of the organization that is routing each squatted block.
As noted in my prior report, many of these ASNs are themselves being squatted on, specifically:

AS39325 - Viptelecom LLC
AS41762 - PE Logvinov Vladimir Vladimirovich
AS56968 - TemirLan Net Ltd
AS34498 - Jilcomservice
AS10650 - Extreme Internet

The non-squatted ASNs that are still active & willing participants in these ongoing frauds are as follows:

AS13259 - Delta Telesystems Ltd. (RU)
AS9009 - M247 Ltd (UK)
AS397373 - H4Y Technologies LLC (US)

Given that this entire mess quite evidently originates from within the RIPE region, it would be Nice if more could be done, by RIPE and/or the RIPE community to put a stop to these ongoing squats.

Regards,
rfg

P.S. Most of you will no doubt have heard by now about the large and ongoing SolarWinds[tm] hack/scandal, and probably also the belief, expressed by some, that this gigantic hack originated in Russia. Nobody has had the courtesy to show me the hard evidence which supports that attribution, so I personally remain entirely ambivalent about it. That hack, wherever it originated, does however provide me with the opportunity to remind all of you here of the age-old differentiation between abuse "on the Internet" versus abuse "of the Internet". Regardless of origin, the SolarWinds[tm] hack did not and does not in any way threaten the stability of the Internet. It thus must be properly categorized as being a kind of abuse "on the Internet"... and shame on all those whose security missteps, on the receiving end, allowed it to happen. In contrast, what I have described with respect to these squats is, I think, quite clearly abuse "of the Internet", and as such I hope that this sort of skulduggery will earn truly international and non-partisan condemnation, and suitably immediate attention from all quarters. It is not in the interests of any faction or any nation to see the Internet descend into lawless routing chaos.
#
# ORG: (KZ) ORG-TNL11-RIPE "TemirLan Net Ltd"
#
91.229.148.0/22 - routed by AS56968 - TemirLan Net Ltd (KZ)
#
# ORG: (RU) ORG-CC3-RIPE "Gorodskaya elektronnaya svyaz Ltd"
#
85.28.48.0/20 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#
# ORG: (RU) ORG-OA780-RIPE "OOO \"IT-Region\""
#
79.173.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#
# ORG: (RU) ORG-PL249-RIPE "Prime-Service LLC"
#
128.0.80.0/20 - routed by AS34498 - Jilcomservice (RU)
#
# ORG: (RU) ORG-TCUL3-RIPE "Telecommunications center UMOS, LLC"
#
85.89.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#
# ORG: (UA) ORG-FA278-RIPE "Filite Ltd"
#-
Re: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
In message <73c593e8-88b4-0c47-bda3-b1a053b9f...@storey.ovh>, PP wrote:

>and more importantly, how much of this crap is occurring that even he
>himself has not yet noticed?

Thank you for your kind comments. More coming. You ain't seen nuttin' yet!

NOTE: Yes, there's more... way more. The main constraint that slows me down in posting and presenting this kind of stuff is *not* my ability to find such things. Rather, the main constraint is the time it takes to write up my findings, carefully, in a way so that everyone can see the real issue/problem, and in ways that won't get me sued (because all of the relevant, undeniable, and independently verifiable facts are presented).

For example, I really can't say for sure whether or not AS28753 - Leaseweb Deutschland GmbH actually has any involvement with this set of apparent squats or not, and it is really entirely possible that they don't. (Note that whoever did this used a disposable @yahoo.com email address.)

If Leaseweb actually doesn't have anything to do with this, then maybe they will do the planet a favor and register their unhappiness about being framed for this crime with the people who run the fundamentally flawed RADB data base, who are effectively allowing such bogus frame-ups to take place.

Regards,
rfg
[anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
In the period from 2020-12-04 until 2020-12-10 someone representing AS28753 - Leaseweb Deutschland GmbH, or someone purporting to represent that ASN/company created a set of thirteen (13) new route: entries in the security-free RADB data base:

https://pastebin.com/raw/qs9yywFe

It appears somewhat more than coincidental that many of these new RADB route entries refer to either (a) legacy IPv4 address blocks in the ARIN region or else (b) unassigned (bogon) IPv4 address space in the ARIN region. A listing of the relevant IPv4 cidrs along with the top-level allocation holders for each CIDR is given in the following table:

https://pastebin.com/raw/rnqMXHW0

Although there is some ambiguity regarding the status of the non-US/non-ARIN blocks listed in the above table, my inspection of the relevant WHOIS records for the US/ARIN blocks indicates to me that these are all either (a) abandoned IPv4 legacy blocks or else (b) unassigned ARIN bogons. This strongly suggests that all of the IPv4 address blocks named in all of the relevant RADB route entries may be, and likely are being squatted on at the present time.

Please note however that AS28753 - Leaseweb Deutschland GmbH - is not itself doing any of the squatting. Rather, the squatting is being undertaken by the various ASNs mentioned in the following active routing summary:

62.182.160.0/21   AS39325   RU   Viptelecom LLC
79.173.104.0/21   AS13259   RU   Delta Telesystems Ltd.
85.28.48.0/20     AS13259   RU   Delta Telesystems Ltd.
85.89.104.0/21    AS13259   RU   Delta Telesystems Ltd.
89.187.8.0/21     AS41762   UA   PE Logvinov Vladimir Vladimirovich
91.229.148.0/22   AS56968   KZ   TemirLan Net Ltd
128.0.80.0/20     AS34498   RU   Jilcomservice
199.61.32.0/19    AS9009    GB   M247 Ltd
204.229.64.0/19   AS10650   US   Extreme Internet
205.134.96.0/19   AS10650   US   Extreme Internet
205.148.96.0/19   AS397373  US   H4Y Technologies LLC
209.151.96.0/19   AS9009    GB   M247 Ltd
216.93.0.0/19     AS9009    GB   M247 Ltd

Note that AS10650 (Extreme Internet) is itself a legacy abandoned ARIN ASN. It is likely also squatted.
Its one and only current upstream, according to bgp.he.net, is AS13259 - Delta Telesystems Ltd. (Russia).

In fact, all of the following ASNs from the above table also have AS13259, Delta Telesystems Ltd. (Russia) as their one and only upstream at the present time:

AS39325 - Viptelecom LLC
AS41762 - PE Logvinov Vladimir Vladimirovich
AS56968 - TemirLan Net Ltd
AS34498 - Jilcomservice
AS1065 - Extreme Internet

On this basis it would appear that the root of the problem in this case lies at AS13259, Delta Telesystems Ltd. (Russia).

As a mitigation for these squats, I recommend dropping/blocking all of the IPv4 CIDRs listed above. Additionally, since AS13259 appears to be highly untrustworthy at the present time, I would advise blocking all traffic to/from these blocks also:

https://bgp.he.net/AS13259#_prefixes

79.173.104.0/21
82.147.68.0/24
82.147.70.0/24
82.147.71.0/24
82.147.75.0/24
85.28.48.0/20
85.89.104.0/21
91.206.16.0/23
193.107.92.0/22
2001:678:68c::/48

Regards,
rfg
Re: [anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
In message , Töma Gavrichenkov wrote:

>On Sat, Dec 5, 2020, 1:57 AM Ronald F. Guilmette
>wrote:
>
>> It appears that AS47510 is itself an unallocated bogon at the present
>> time:
>>
>> https://bgp.he.net/AS47510#_asinfo
>>
>> As can be readily seen at the above link, AS47510 is peering with only
>> two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS3 -
>> Crex Fex Pex Internet System Solutions" LLC.
>>
>
>Both peering links are now down.
>
>The matters with AS3 may be harder to resolve, though.

If possible please elaborate.

It appears that AS3, which is a bogon ASN, is being kept alive at this point only by AS213254 -- Rait Telecom, which is just a seven-month old Russian company/ASN with -zero- IP allocations and apparently NO WEB SITE.

And yet despite being only 7 months old and having absolutely no IP space of its own (and also no web site), Rait Telecom has somehow managed to work itself into the fabric of no fewer than seven European IXes:

https://bgp.he.net/AS213254#_ix

And it also has managed to acquire all these IPv4 peers:

AS25091 IP-Max SA
AS50340 OOO "Network of data-centers "Selectel"
AS35297 Dataline LLC
AS199524 G-Core Labs S.A.
AS3 "Crex Fex Pex Internet System Solutions" LLC
AS49673 Truenetwork LLC
AS8492 "OBIT" Ltd.
AS42861 Foton Telecom CJSC
AS35598 INETCOM LLC
AS47441 TRUNK MOBILE, INC

How exactly does that even happen? And who the hell are these people anyway?

Regards,
rfg
Re: [anti-abuse-wg] AS16019, vodafone.cz == idiots
In message <83900d1f-3eb8-4d72-8a8e-2086bcd0d...@devnull.ru>, Sergey Myasoedov wrote:

>my two cents on this:
>http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz
>
>There are many SMTP relays in the world checking SPF record for the
>incoming mail and providing a diagnostics with openspf.net web.

That would be fine, BUT... there isn't a goddamn single thing wrong with my domain's SPF record. The brain damage is on THEIR END. Apparently they don't even know how to check SPF TXT properly.

>But unfortunately this website is down for almost two years and this
>diagnostics leads to nowhere.

Yea, there's that also. Basically, it is stupid layered on top of stupid. It's a stupid sandwich.

Regards,
rfg
[anti-abuse-wg] AS16019, vodafone.cz == idiots
Some days I am inclined to wonder how or why anything at all actually works on this planet. I suspect that I am not alone, given that Covid-19 has now exposed for all the world to see just how inept and dysfunctional even so-called "first world" systems are at dealing with anything that is even just a little bit out of the ordinary.

Another case in point: AS16019 aka vodafone.cz, whose formally declared abuse reporting address, as given in the WHOIS record for the ASN, is ab...@vodafone.cz. Unfortunately, if you send a copy of a spam that you have received from their network to that address, you will get back something that may look vaguely like this:

: host mail2.dkm.cz[62.24.64.36] said: 550 5.7.1 : Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz

So, the rhetorical question for the day is: Just how completely idiotic does any given group of network operators have to be in order to be unable to just simply operate a functioning email address for inbound messages?

I guess Vodafone is either too broke or too cheap to hire merely competent people. It would be one thing if this was an impoverished third-world country involved here, but it isn't. It's the Czech Republic. So what is their excuse for this level of sheer incompetence?

Does someone need to send a formal memo to Vodafone, explaining to them about this thing called spam? And why are they even leaving port 25 outbound open on end-luser lines?

Regards,
rfg
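The rejection quoted above is the receiving relay's SPF verdict on the sender's domain. As an added example (not code from this post, from Vodafone, or from any SPF library), here is a minimal RFC 7208 evaluator for the ip4, ip6, include and all mechanisms over a constructed in-memory TXT table; the domain names and addresses are documentation values, not real records. It shows what a correct check returns for a sending IP, including "none" (no record, which is not a reject reason) and "permerror" (a broken or looping record).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; no real DNS is queried.
# Names and addresses are example values (RFC 2606 / RFC 5737 / RFC 3849), not real records.
TXT_RECORDS = {
    "example.org": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all"],
    "_spf.mail.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing record
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if there is not exactly one."""
    recs = [r for r in TXT_RECORDS.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for sender IP `ip` against `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are modelled; other mechanisms yield permerror here.
    """
    if _lookups is None:
        _lookups = [0]            # shared DNS-lookup counter across include recursion
    record = spf_record(domain)
    if record is None:
        return "none"             # RFC 7208 section 4.6: no record, no policy; do not reject
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]

        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2: include of a domain with no record
            # fail/softfail/neutral from the included record simply do not match; continue

        else:
            return "permerror"      # a/mx/ptr/exists/redirect are out of scope for this example

    return "neutral"                # fell off the end of the record with no match


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.org"), ("192.0.2.1", "example.org"),
                       ("192.0.2.1", "nospf.example"), ("192.0.2.1", "loop.example")]:
        print(ip, domain, check_host(ip, domain))
```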
[anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
I have just received a spam which has a so-called "payload" URL which the spammer wants me to visit, apparently so that I can be sold some male performance drugs of dubious origin. The domain part of the URL resolves to the IPv4 address 217.8.117.98. That address lies within a pair of bogon (unallocated) IPv4 address blocks, 217.8.116.0/24 and 217.8.117.0/24, that are both being routed by a common ASN, i.e. AS47510.

https://bgp.he.net/AS47510#_prefixes

It appears that AS47510 is itself an unallocated bogon at the present time:

https://bgp.he.net/AS47510#_asinfo

As can be readily seen at the above link, AS47510 is peering with only two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS3 - Crex Fex Pex Internet System Solutions" LLC. The latter ASN, AS3 also appears to be an unallocated bogon ASN at the present time. Nonetheless, that does not appear to be preventing it from peering with yet another Russian network, AS213254 - OOO Rait Telecom:

https://bgp.he.net/AS3

It would be Nice, in my opinion, if someone who speaks Russian could make contact with the operators of AS29226 and AS213254 and respectfully suggest to them that they should cease peering with bogon ASNs, such as AS47510 and AS3, including but not limited to bogon ASNs that are at present routing bogon IPv4 address space.

Regards,
rfg

P.S. It appears that the company "Crex Fex Pex Internet System Solutions, LLC" which was the former owner of AS47510 and AS3 and also AS60031 was a Russian entity, and one that most likely no longer qualifies as what one would call a "going concern":

https://crex-fex-pex.ru/
[anti-abuse-wg] ORG-TKDS1-RIPE - VECTRA S.A. - Spam filters & abuse reporting addresses
Based on my experience, if one is reporting spam to most typical networks, the network operators generally like to actually -see- the spam being reported. Thus, I always include a copy.

It is Good that RIPE resource holders now all have abuse reporting addresses in their WHOIS records. It is also Good that RIPE NCC is now checking these abuse reporting contact email addresses to insure that they actually function, at least minimally.

What is un-good, in my opinion, is for any network to have an abuse reporting address set up with *content based* anti-spam filters.

To illustrate this point, I have recently received a spam from an IP address that is currently being routed by AS29314 - Vectra S.A., located in Poland. I duly forwarded a full copy of that spam to the abuse reporting address provided in the RIPE WHOIS for AS29314, i.e. ab...@vectra.pl. That message was rejected with the following SMTP reject message:

: host smtp.vectra.pl[88.156.64.22] said: 554 Spam. Email Session ID: 86748699 (in reply to end of DATA command)

Given that outcome, I now feel compelled to locally blacklist all IP space associated with ORG-TKDS1-RIPE (VECTRA S.A.) until such time as some kind soul provides the operators of this network with some education on the topic of how to operate an abuse reporting address. The space in question is as follows:
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , IP Abuse Research wrote:

>What the
>continued findings indicate is a need for IANA and the RIRs to adapt to a
>new stage in the resource issuance and governance lifecycle. Since this is
>by definition a working group, would it make sense to establish some
>metrics to quantify the perceived impact of this phenomenon on abuse?
>
>If we establish a process to collect these observations of either
>"abandoned" resources, prefixes or ASNs, which then re-appear mysteriously
>or in the case of an ASN start routing space that is unexpectedly,
>"hijack", we can take a step as a community to quantify the phenomenon?

This kind of stuff certainly could be done, but this would be a serious research project, requiring some serious manpower expenditure. That's not to say that it would not be worth the investment. I think it would be. But someone or something would have to step up to make the investment.

In the meantime, there is other work, and other steps that would obviously be worthwhile. The first is doing everything possible to try to get RPKI adopted more widely. The second is persuading everyone, certainly including Petersburg Internet, to stop even trying to use any data from RADB. That thing has -zero- security. Any fool can use that at any time to create any route object he/she/it wants.

And speaking of which, I for one would love to know if Petersburg Internet was performing -any- checking on those route announcements it was passing on behalf of its customer in this case. If not, then that right there constitutes some "low hanging fruit" in terms of moving things forward so as to prevent repeats of this kind of situation.

Regards,
rfg
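The post above recommends RPKI over unverified RADB route objects, and the squatting report earlier on this page (the routing summary of prefixes originated by unexpected ASNs, all with one common upstream) is exactly the situation origin validation is meant to catch. As an added example, not the post's own code or any RPKI validator's, here is RFC 6811 route origin validation over a constructed set of ROAs and announcements (documentation prefixes and private ASNs), plus a tally of non-valid announcements per origin ASN; it goes one step past the post by including an AS0 ROA, the RFC 7607 mechanism by which an RIR can mark unallocated space as never-to-be-originated.

```python
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")
Route = namedtuple("Route", "prefix origin_asn")

# Constructed ROAs: RFC 5737/3849 documentation prefixes and RFC 5398 private ASNs,
# not real RPKI data. An AS0 ROA (RFC 7607) says nobody may originate the covered space.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 0),
]

# Constructed announcements, in the shape of the routing summary earlier on this page.
ROUTES = [
    Route("192.0.2.0/24", 64496),     # legitimate holder               -> valid
    Route("192.0.2.0/25", 64496),     # more specific than maxLength    -> invalid
    Route("192.0.2.0/24", 64511),     # wrong origin ASN                -> invalid
    Route("203.0.113.0/24", 64511),   # AS0-covered space               -> invalid for any origin
    Route("198.51.100.0/24", 64511),  # no ROA at all (abandoned block) -> notfound
    Route("2001:db8:1::/48", 64496),  # within maxLength 48             -> valid
]


def validate(route, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    A route is valid if at least one covering ROA names its origin ASN and its
    prefix length does not exceed that ROA's maxLength. If ROAs cover the prefix
    but none matches (including an AS0 ROA), it is invalid. No covering ROA: notfound.
    """
    prefix = ipaddress.ip_network(route.prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn != 0 and roa.asn == route.origin_asn and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def suspicious_origins(routes, roas=ROAS):
    """Tally non-valid announcements per origin ASN, most invalid first.

    An ASN originating many invalid or unregistered prefixes is where a
    squatting investigation (or an upstream's filter policy) should start.
    """
    counts = {}
    for route in routes:
        state = validate(route, roas)
        if state != "valid":
            counts.setdefault(route.origin_asn, {"invalid": 0, "notfound": 0})[state] += 1
    return sorted(counts.items(),
                  key=lambda kv: (-kv[1]["invalid"], -kv[1]["notfound"], kv[0]))


if __name__ == "__main__":
    for route in ROUTES:
        print(f"{route.prefix:18} AS{route.origin_asn:<6} {validate(route)}")
    for asn, tally in suspicious_origins(ROUTES):
        print(f"AS{asn}: {tally['invalid']} invalid, {tally['notfound']} notfound")
```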
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Töma Gavrichenkov wrote:

>On Wed, Dec 2, 2020 at 12:42 PM Töma Gavrichenkov
>wrote:
>> AS44050 is basically the SOHO provider for the St. Petersburg Internet
>> Exchange. St. Petersburg's population is slightly below 5 million
>> people, not counting satellite cities and suburbs (which, if counted,
>> would contribute another 2 millions I think), and the city has quite
>> got a reputation for hidden criminal activity. It's Chicago-style if
>> you will. Surely there are also quite a few criminals in one of the
>> largest ISP networks of the city.
>
>To avoid blatant misunderstanding and inappropriate jokes: that's a
>few criminals AS CUSTOMERS of the largest SOHO ISP network of the city.

I, for one, am not offended. We do indeed have plenty of our own criminals right here in the U.S. of A., including in Chicago, and that includes cyber-criminals.

>There's no reason at this point to suspect intentional harm from the
>employees.

OK, who then? Someone is responsible, even if no one wishes to take responsibility. Those several bogus route announcements did not create themselves. And this shouldn't be a hard question to get an answer to. The fact that it is, for some unexplained reason, is indicative of just how far trust & cooperation in the "Internet community" have deteriorated, to the point where they are nothing more than the butts of jokes.

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Töma Gavrichenkov wrote:

>> Neither AS44050 nor AS58552 was ever announcing any of the squatted
>> prefixes themselves directly.
>> Rather AS44050 was... for reasons which have yet to be explained... peering
>> with the set of four apparently squatted ASNs
>
>Yes, this is understood. There's no peering anymore. See e.g.:

Very good. I have confirmed.

>> If you are in a position to have one more short conversation with the
>> owners and/or operators of AS44050, Petersburg Internet Network Ltd.,
>> then please be so kind as to ask them on my behalf why they were
>> peering with those four different apparently squatted & abandoned ASNs.
>
>I don't think I'm anywhere close to a position where I can ask them
>questions like that.

OK. Just give me the contact information that was used to have this previous "brief conversation" with them, and I will ask them myself.

See, I'm not like most folks who just shrug and move on after an incident like this. I sort of like to find out what really happened, why, and who is actually responsible. Either Petersburg Internet Network did this themselves, or else *somebody* was paying them a *lot* of money to get them to provide peering & transit to all of these bogus squatted ASNs.

>> The name "Petersburg Internet" has come up, time and time again,
>> in relation to online skulduggery and malfeasance. [..]
>> https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
>
>This search yields all the results containing "petersburg" OR
>"internet". There's no doubt there would be many in this case.

That's actually not correct, but it turns out that we were both half right and both half wrong about Brian Krebs' web site search function. I looked into this, and it now appears that if you search for "Petersburg Internet" on Brian's site, you *do not* get the results for "Petersburg OR Internet" and you also *do not* get results for "Petersburg AND Internet". In fact, it looks like the search function just ignores the second word entirely, so the search is effectively for just "Petersburg".

In any case, you may wish to have a look at the following article in which the company *is* mentioned, and not in any good way:

https://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

I would also recommend perusing page 28 of the following expert witness statement, which relates to botnet command & control servers:

http://cdn.cnn.com/cnn/2019/images/03/15/xbt.doc.248.2.pdf

See also page 5 of this academic paper about automated Internet attacks:

https://grehack.fr/data/2017/slides/GreHack17_Automation_Attacks_at_Scale_paper.pdf

>AS44050 is basically the SOHO provider for the St. Petersburg Internet
>Exchange. St. Petersburg's population is slightly below 5 million
>people, not counting satellite cities and suburbs (which, if counted,
>would contribute another 2 millions I think), and the city has quite
>got a reputation for hidden criminal activity. It's Chicago-style if
>you will. Surely there are also quite a few criminals in one of the
>largest ISP networks of the city.

Yes, but if any of -our- criminals attack people or businesses located in other countries, we will allow them to be extradited to those other countries to face trial. Your country, I am sad to say, instead protects online miscreants, and ensures that they never have to face justice. You know that, I know that, everybody who knows even the first thing about online cybercrime knows that. It's not exactly a secret.

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Brian Nisbet wrote:

>My comments about the apnic-talk address was that I wasn't sure if that list
>was used to the kind of content, and I was worried that it might not get
>Ronald's message where it would it best for it to go...

I've looked around and frankly, the pickings, when it comes to APNIC mailing lists, are rather on the lean/sparse side. That region doesn't have an "abuse" working group or mailing list. It does have a "Routing Security" Special Interest Group (SIG) and an associated mailing list for that, and you're right, Brian, that I might have been better off to send my notice there, rather than sending it to apnic-talk, as I did do, but then again it could be argued, albeit a bit tongue-in-cheek, that what I posted had more to do with routing IN-security than it did with routing security, per se.

Not that any of this matters much anyway. As I have been informed several thousand times, none of the RIRs are "the Internet Police" and thus all are utterly powerless to even so much as officially -care- about such matters. But given the general difficulty of finding anybody anywhere who cares about such events/schemes, I confess that I do have a tendency to just shout into the wind and hope that someone somewhere who has the authority to act will see what I have written, will care, and will act.

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Töma Gavrichenkov wrote:

>On Mon, Nov 30, 2020 at 10:09 AM Ronald F. Guilmette
> wrote:
>> Please be advised that the set of IPv4 blocks listed below appear to be
>> squatted on at the present time, with the apparent aid and assistance of
>> AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552
>> "PT Multidata Rancana Prima" (Indonesia).
>
>Please be informed that after a (pretty short) conversation AS44050 is
>not announcing those prefixes anymore.

Neither AS44050 nor AS58552 was ever announcing any of the squatted prefixes themselves directly. Rather AS44050 was... for reasons which have yet to be explained... peering with the set of four apparently squatted ASNs which were in turn announcing the various squatted prefixes.

If you are in a position to have one more short conversation with the owners and/or operators of AS44050, Petersburg Internet Network Ltd., then please be so kind as to ask them on my behalf why they were peering with those four different apparently squatted & abandoned ASNs. If, as I suspect, they wish to blame some other party for all of this apparent skulduggery, and if they wish such an excuse to be believable, then at the very least they should be willing to identify whatever other party they would like to shift the blame to.

Not that any of their lame excuses will be too awfully believable in any event. The name "Petersburg Internet" has come up, time and time again, in relation to online skulduggery and malfeasance. And not just among the anti-abuse people that I hang out with. I just now did a search on the web site of journalist Brian Krebs for the name "Petersburg Internet" and found no fewer than 19 different stories, written by Krebs, that featured this network, in some supporting role or another... and not in any good way.

https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0

(Full disclosure: I have direct personal knowledge of, and had direct participation in the development of some, but certainly not all of those Krebs stories.)

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Brian Nisbet wrote:

>However I suspect that X-posting to a list like apnic-talk may not be the
>wisest idea, given the different populations etc...

It is among my fondest hopes that cybercriminals of all stripes, and particularly the ones who squat on IPv4 space that doesn't belong to them, will, in future, show more respect for regional boundaries, such that their devious activities will only oblige me to notify the members of a single one of the five RIR regions regarding any single one of these elaborate criminal schemes.

Alas, in this instance however, the perpetrators, in a very unsportsmanlike manner, elected to make messes whose roots were found in both the RIPE region and also in the APNIC region. (And that's not even to mention that most of the squatted IPv4 real estate was and is under the administration of the ARIN region.)

Clearly, authorities in all five regions should be devoting somewhat more effort towards the cultivation of a better and more respectful class of cybercriminals who will confine their convoluted schemes to their own home regions.

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Randy Bush wrote:

>> Amongst the greatest mysteries of the shady underbelly of the
>> internet: how to pronounce "Guilmette"
>
>speaking of anti-abuse; back in the '80s we agreed that making fun of
>others' typos, misspellings, personal names, etc. was impolite.

I do not believe the original poster was making fun of my name, and I likely would not take exception even if the OP had done so. There have certainly been far more scurrilous and disturbing things said about me personally, on various mailing lists, so I am somewhat inoculated against taking too much offense nowadays about virtually anything personal. If one is fortunate enough to live long enough, one develops a thick skin.

Regards,
rfg
[anti-abuse-wg] AS55330 -- Routing oddities
Some people seem to think that I'm sort of a master Internet sleuth. The truth is that I'm just as dumb as anybody else, and maybe even more so. But if one spends enough time looking at stuff on the Internet, it really takes both very little time and also very little in the way of brains to notice many many inexplicable oddities.

AS55330 is a case in point. This ASN was allocated/assigned to the Afghan government by APNIC, circa 2009-12-08. Given the nature of the registrant in this case, one might thus reasonably assume that this ASN, belonging as it does to a national government, would be one of the last ones that one would ever see as being involved in any kind of untoward hanky panky or funny business on the Internet.

But despite that, I feel compelled to ask if anyone would like to take a stab at explaining to me why the Afghan national government's ASN would be announcing routes to IP blocks belonging to (a) a Chinese commercial enterprise (180.94.99.0/24) and also (b) several RIPE-issued IPv4 blocks that appear to be the property of some Airbus facility located in Norway (182.50.176.0/24, 182.50.177.0/24, 182.50.178.0/23, 182.50.180.0/22):

https://bgp.he.net/AS55330#_prefixes

I am not persuaded that Airbus/Norway's apparent reliance on the Afghan government to route their IPv4 space for them is an entirely sustainable business model, over the longer term.

If I have misunderstood any of the data I'm looking at, then I do apologize to all parties concerned.

Regards,
rfg
Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In message , Alessandro Vesely wrote: >Only a few of them are listed on https://www.spamhaus.org/drop/ I have some hope and faith that that state of affairs will be rectified in due course, and likely before too long, now that I have shared this info widely. Regards, rfg
[anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Please be advised that the set of IPv4 blocks listed below appear to be squatted on at the present time, with the apparent aid and assistance of AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 -- "PT Multidata Rancana Prima" (Indonesia).

These blocks appear to be mostly or entirely very old "legacy" blocks, primarily from the ARIN region.

It should additionally be noted that downstream from AS44050 and AS58552 there appear to be a number of other ASNs which themselves appear to be squatted on, without the consent or permission of the rightful owners, at the present time, and that these are the ASNs that are actually routing most or all of the squatted-on IPv4 space listed in the table below, specifically:

AS6603   US CottonWood CyberVentures (NOTE: legacy ASN)
AS7309   US The Virtual Marketing Corporation (NOTE: legacy ASN)
AS24199  ID Dini Nusa Kusuma, P.T. (allocated: 2011-03-01)
AS62927  US Moose-Tec (allocated: 2015-02-20)
AS198448 -- unknown/unallocated

All parties are advised to take action as seems appropriate, under the circumstances.

Looking at the RIPE Routing History, specifically for AS7309, strongly suggests that this extensive squatting campaign has been ongoing since at least 2019-09-29. The table below only lists currently active squats however.

Most or all of these are represented in the (unsecured) RADB data base in association with the somewhat mysterious email addresses and/or . The uswo.network domain name was registered on 2020-07-24. It has no associated web site, nor indeed does it or any subdomain associated with it have any IP address. (MX is set to send email to the mail servers of registrar namecheap.com.)

#
# COUNT: 1 ORG: (CA) ARENAC "Arena Communications"
#
199.84.16.0/20
#
# COUNT: 1 ORG: (CA) HUSKY-1 "Husky Energy Inc."
#
199.185.144.0/20
#
# COUNT: 1 ORG: (CA) NINS-1 "AllCore Communications Inc."
#
68.66.48.0/20
#
# COUNT: 16 ORG: (ID) IRT-DNK-ID "PT Dini Nusa Kusuma"
#
202.89.208.0/24
202.89.209.0/24
202.89.210.0/24
202.89.211.0/24
202.89.212.0/24
202.89.213.0/24
202.89.214.0/24
202.89.215.0/24
202.89.216.0/24
202.89.217.0/24
202.89.218.0/24
202.89.219.0/24
202.89.220.0/24
202.89.221.0/24
202.89.222.0/24
202.89.223.0/24
#
# COUNT: 1 ORG: (PT) HS2098-RIPE "Rumos, SA"
#
192.199.16.0/20
#
# COUNT: 1 ORG: (US) CORP "Corporate Communications, Inc."
#
207.70.224.0/20
#
# COUNT: 1 ORG: (US) DHIN "Dean Health Information Network"
#
199.217.16.0/20
#
# COUNT: 1 ORG: (US) DTEK "Friends of Synergytics"
#
207.228.192.0/20
#
# COUNT: 1 ORG: (US) EVANS-25 "Evanston Data & Colocation, Inc."
#
96.45.144.0/20
#
# COUNT: 1 ORG: (US) FLEXFA "Flexfab Division"
#
204.44.208.0/20
#
# COUNT: 1 ORG: (US) HASTIN-6 "Hastings Entertainment Inc."
#
204.156.192.0/20
#
# COUNT: 2 ORG: (US) HAWK "Hawk Communications"
#
69.8.64.0/20
69.8.96.0/20
#
# COUNT: 1 ORG: (US) IE "Enternet Express"
#
206.125.16.0/20
#
# COUNT: 1 ORG: (US) MACROV-1 "Rovi Corporation"
#
64.92.224.0/20
#---
[anti-abuse-wg] Phishing for your RIPE credentials
If any of you happen to get a phishing spam that looks anything like this one:

https://pastebin.com/raw/1MJGMbUK

then please do report it to ab...@orange-business.com since the source IP (212.234.232.249) belongs to Orange, as does the domain name gmessaging.net (which someone @ Orange foolishly didn't even bother to create a web site for).

Regards,
rfg
Re: [anti-abuse-wg] RIPE NCC Executive Board election
In message , Brian Nisbet wrote:

>While obviously I can only make comments for AA-WG (I note there are many
>WGs in x-post) I need to point out that this is not a suitable email for
>this working group.

Others may disagree. I most certainly do.

The Anti-Abuse Working Group has been repeatedly given ample opportunities to provide a formal definition for the term "abuse" with respect to the Internet, and Internet resources. It has declined all of these opportunities. It logically and inescapably follows from that fact that as far as the entire RIPE community goes, "abuse" remains in the eye of the beholder.

I know more than a few people, both on this list and elsewhere, who, like me, are of the opinion that active participation in the fraudulent theft of IP address blocks, regardless of which portion of the world's Internet they are stolen from, constitutes "abuse" of a kind that quite properly is and should be a concern of this working group.

Also and likewise, I know more than a few people, both in this Working Group, and elsewhere, who, like me, are of the opinion that the act of attempting to fraudulently extort IP address assets from the rightful owner of said assets, e.g. the City of Cape Town, South Africa, is "abuse" of a type that is and rightly should be of concern to this Working Group, and further, that these acts are also a repugnant abuse against simple honesty, decency, and humanity generally, and ones that cannot be either excused or dismissed, let alone rewarded with a RIPE NCC executive board seat.

You, Brian, along with every other member of this Working Group had your opportunity to codify a definition of "abuse" that would explicitly exclude theft, fraud, and extortion, thus rendering exactly such gross misdeeds explicitly irrelevant to this Working Group. You declined to do so, as did others. It follows that you cannot now say that such acts have no relevance to the Anti-Abuse Working Group.

You are the Chairman of the Working Group. You are not the King... an entirely salient point which our own Mr. Trump has of late needed to be reminded of also.

Theft, fraud, and extortion, especially as they relate to IP address allocations, as in this case, may be something that you personally prefer to turn a blind eye to, but your personal preferences in this regard cannot and will not override the conscience of those who prefer to see things as they are, based on abundant evidence, even if those members of this WG who still place some value on simple decency and honesty are in the minority.

Regards,
rfg
[anti-abuse-wg] RIPE NCC Executive Board election
Greetings all,

I know that all is not right with the world right now, and that most of you, like me, have much more pressing things on your minds right now, but someone just sent me the following link and I cannot exactly ignore it:

https://www.ripe.net/participate/meetings/gm/meetings/may-2020/confirmed-candidates

I would like to call everyone's attention to the last of the three candidates who have, it seems, "qualified" as candidates for open seats of the RIPE NCC Executive Board.

As I have already said, I know that things are bad in the world right now, but I must ask this question: Is there really no one other than these three candidates who is willing and/or able to stand for the three open seats on the RIPE NCC Executive board... three open seats that will be voted on at the next general meeting, 13-15 May 2020 ?

If not, then it seems that RIPE NCC will soon be following in the new tradition, established first by AFRINIC only last year, of placing well and widely known crooks on its board.

I desperately hope it won't come to that, but that is not for me to decide. The decision is in your hands dear friends.

Regards,
rfg
[anti-abuse-wg] Reporting abuse to OVH -- don't bother
The RIPE WHOIS data base says that the abuse contact for AS16276 is ab...@ovh.net. It would appear that the folks at OVH haven't yet quite figured out how this whole email thing works. Give them time. Another decade or two and they should have it down pat.

--- Forwarded Message

Date: 12 Feb 2020 10:26:23 +0200
From: mailer-dae...@mx1.ovh.net
To: r...@tristatelogic.com
Subject: failure notice

Hi. This is the qmail-send program at mx1.ovh.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: user does not exist, but will deliver to /homez.12/vpopmail/domains/ovh.net/abuse/
can not open new email file errno=2 file=/homez.12/vpopmail/domains/ovh.net/abuse/Maildir/tmp/1581495983.28582.mail141.ha.ovh.net,S=10651
system error

--- Below this line is a copy of the message.

Return-Path:
Received: from localhost (HELO queue) (127.0.0.1) by localhost with SMTP; 12 Feb 2020 10:26:23 +0200
Received: from unknown (HELO output55.mail.ovh.net) (10.108.98.118) by mail141.ha.ovh.net with AES256-GCM-SHA384 encrypted SMTP; 12 Feb 2020 10:26:23 +0200
Received: from vr15.mail.ovh.net (unknown [10.101.8.15]) by out55.mail.ovh.net (Postfix) with ESMTP id 48HXmH0nz4z7SwqFq for ; Wed, 12 Feb 2020 08:26:23 +0000 (UTC)
Received: from in32.mail.ovh.net (unknown [10.101.4.32]) by vr15.mail.ovh.net (Postfix) with ESMTP id 48HXm96hlfz1DGZD for ; Wed, 12 Feb 2020 08:26:17 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=69.62.255.118; helo=outgoing.tristatelogic.com; envelope-from=r...@tristatelogic.com; receiver=abuse@ovh.net
Authentication-Results: in32.mail.ovh.net; dkim=none; dkim-atps=neutral
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by in32.mail.ovh.net (Postfix) with ESMTP id 48HXm91ZjszZ0l2m for ; Wed, 12 Feb 2020 08:26:16 +0000 (UTC)
Received: by segfault.tristatelogic.com (Postfix, from userid 1237) id 5A1884E69A; Wed, 12 Feb 2020 00:26:10 -0800 (PST)
From: "Ronald F. Guilmette"
To: ab...@ovh.net
Cc: spamrepo...@tristatelogic.com
Subject: Spam from your network (AS16276): [54.39.173.134]
Date: 12 Feb 2020 00:26:10 -0800
X-Rfg-Spam-Report: (AS16276): [54.39.173.134]
Message-Id: <20200212082610.5a1884e...@segfault.tristatelogic.com>
X-Ovh-Remote: 69.62.255.118 (segfault.tristatelogic.com)
X-Ovh-Tracer-Id: 13162051389114427986
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrieeggdduudehucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefhvffusedttddttddttddtnecuhfhrohhmpedftfhonhgrlhguucfhrdcuifhuihhlmhgvthhtvgdfuceorhhfghesthhrihhsthgrthgvlhhoghhitgdrtghomheqnecuffhomhgrihhnpeguihhgihhtrghlvggsohhokhifrhhithhinhhgrdgtohhmpdhiphdqheegqdefledqudejfedrnhgvthdpthhrihhsthgrthgvlhhoghhitgdrtghomhdpghhoohhglhgvuhhsvghrtghonhhtvghnthdrtghomhdpohhvhhdrtggrpdhvihguvghorghnihhmrghtihhonhhnvghtfihorhhkrdgtohhmnecukfhppeeiledriedvrddvheehrdduudeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghlohepihhnfedvrdhmrghilhdrohhvhhdrnhgvthdpihhnvghtpeeiledriedvrddvheehrdduudekpdhmrghilhhfrhhomheprhhfghesthhrihhsthgrthgvlhhoghhitgdrtghomhdprhgtphhtthhopegrsghushgvsehovhhhrdhnvght
X-Ovh-Spam-Status: OK
X-Ovh-Spam-Reason: vr: OK; dkim: disabled; spf: disabled
X-Ovh-Message-Type: OK

I have received the email spam message which is appended below from your network, AS16276. I did not request this spam, and I have had no prior contact with the sender. Indeed, I do not even know the sender, and I do not know how the sender even acquired my email address.

Please terminate this spamming from your network immediately.

Thank you for your assistance in this matter.

=
Return-Path:
X-Original-To: rfg-dyna...@tristatelogic.com
Delivered-To: rfg-dyna...@tristatelogic.com
Received: from craig.digitalebookwriting.com (ip134.ip-54-39-173.net [54.39.173.134]) by segfault.tristatelogic.com (Postfix) with ESMTP id 391A44E68A for ; Thu, 30 Jan 2020 09:25:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=craig.digitalebookwriting.com; s=default; h=Message-ID:Date:Content-Type:Subject:To:Reply-To:From:MIME-Version:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=G73Y84vFDgG+jBeFAVpzuuyKr+8smk3J4l/NIzyP9C4=; b=tCn5obRIaLbJNpqABwpFNHbHROXQwDJeK7/0PlQ+mSB2UL6WPrfiATe7chmWgIBAn44xXMWeo77fOIn8Eu1FQ5hC37rugcpOB0I9Ja/FJynsra3Z2/5oW49syyroNwHTbWWuMj1Hex7
[anti-abuse-wg] The Great AFRINIC Heist -- The Enablers
As the primary investigator pursuing this case, I have invested more than a little effort into continuing to track what has been going on as AFRINIC attempts to remediate the effects of these thefts. I would like now to provide you all with some insight into the current situation and status relating to the affected stolen AFRINIC blocks and the multiple parties in your own region who are continuing, at present, to provide routing to the various bits and pieces of the stolen AFRINIC IPv4 space. My hope, of course, is that you will all join with me in trying to persuade these networks to cease all routing to all of the stolen AFRINIC address space.

A full list of all of the stolen AFRINIC blocks that are still of ongoing concern at the present moment is available here:

https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already been "reclaimed" as far as the AFRINIC WHOIS records are concerned. But because routing remains almost entirely decoupled from RIR WHOIS data bases, much of this "reclaimed" space is still being routed as I write this. The only difference is that now the space is being routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC IPv4 address space that is still of concern (including routing for recently reclaimed address space that AFRINIC will eventually be returning to its free pool) is provided below. This list is sorted by the number of constituent stolen /24 blocks being routed by each listed network, thus showing the most major offenders at the top. A few footnotes concerning specific ASNs in this list follow below the listing.

I urge everyone on this mailing list to share this data as widely as possible in and among the global networking community.

In all cases noted below, the networks in question are unambiguously routing IP blocks that were obtained, in the first instance, via thefts perpetrated by one or more AFRINIC insiders and then resold on the black market in secretive deals. In many and perhaps most cases listed below, the relevant networks appear to have been more than happy to accept some cash in exchange for their services, while not looking all that carefully at the purported (but fraudulent) "LOA" documents that they were given in order to persuade them to announce routes to stolen IP space. (Repeated use of blatantly fraudulent documents has been one of the consistent features of this entire ongoing criminal enterprise.)

I would also like to request the assistance of every person on this mailing list in the task of informing all of the networks that are mentioned in the list below, and that are within your own geographic region, that they are each currently announcing routes to stolen IP space. Of course, it is my hope that you will also encourage them, in no uncertain terms, to stop doing this immediately, if not sooner.

As you can see below, this Internet crime spree is a globe-spanning and ongoing disaster. There is no way that I can get all of this mess cleaned up on my own. I am therefore relying on all people of honesty and good will, in all regions, to assist me in getting the word to the networks mentioned below, and telling them, very directly, that they are each facilitating a colossal fraud that affects the whole of the global Internet community. (I know for a fact that there is ongoing criminal activity which is being perpetrated from at least some of this provably stolen IP address space, so it is in the self interest of every honest netizen to get this all turned off and shut down.)

All routing data is derived from current data published by RIPEstat.

==
 3719       0 ?? UNROUTED IP SPACE
  629  132165 PK Connect Communication
  512   18013 HK Asline Limited
  504   19969 US Joe's Datacenter, LLC
  500   62355 CO Network Dedicated SAS
  423  202425 SC IP Volume inc
  286   58895 PK Ebone Network (PVT.) Limited
  250  136525 PK Wancom (Pvt) Ltd.
  192   18530 US Isomedia, Inc.
  186    9009 GB M247 Ltd
  134  262287 BR Maxihost LTDA
  132  204655 NL Novogara LTD
   79  132116 IN Ani Network Pvt Ltd
   75  136384 PK Optix Pakistan (Pvt.) Limited
   68  132422 HK Hong Kong Business Telecom Limited
   60  137443 HK Anchnet Asia Limited
   48   63956 AU Colocation Australia Pty Ltd
   26  132335 IN LeapSwitch Networks Pvt Ltd
   21  131284 AF Etisalat Afghan
   20  139043 PK WellNetworks (Private) Limited
   19   43092 JP OSOA Corporation., LTD
   17   36351 US SoftLayer Technologies Inc.
   16   56611 NL REBA Communications BV
   16  199267 IL Netstyle A. Ltd
   16   23679 ID Media Antar Nusa PT.
   14  137085 IN Nixi
   10   63018 US Dedicated.com
    9  136782 JP Pingtan Hotline Co., Limited
    8   45671 AU Servers Australia Pty. Ltd
    8   57717 NL FiberXpress
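An added example, not the poster's tooling and not anything RIPEstat ships, showing how a table like the one above is built: take the blocks of concern, split them into their constituent /24s, and credit each /24 to every origin ASN whose current announcement overlaps it, with an UNROUTED row for /24s no announcement covers. The blocks, announcements, country codes and holder names below are constructed from documentation and benchmark ranges and private-use ASNs; they are not the AFRINIC data or the networks in the post. A real run would pull the announcement list from a route collector or the RIPEstat routing-status data the post cites.

```python
import ipaddress
from collections import defaultdict

# Constructed "blocks of concern": three /24s and one /22 (four /24s).
STOLEN_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24",
                 "203.0.113.0/24", "198.18.0.0/22"]

# Constructed current announcements: (prefix, origin ASN, country, holder).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496, "XX", "Example Transit One"),
    ("198.18.0.0/23", 64497, "YY", "Example Hosting Two"),    # covers two /24s
    ("198.18.2.0/24", 64496, "XX", "Example Transit One"),
    ("203.0.113.128/25", 64498, "ZZ", "Example Colo Three"),  # longer than /24
]


def constituent_24s(block):
    """Split a block into the /24s it contains. A prefix longer than /24
    is attributed to the single /24 that contains it."""
    net = ipaddress.ip_network(block, strict=False)
    if net.prefixlen > 24:
        return [net.supernet(new_prefix=24)]
    return list(net.subnets(new_prefix=24))


def route_summary(blocks, announcements):
    """Return rows (count, asn, cc, name): one per origin ASN plus one
    UNROUTED row (asn 0), sorted by count descending, ties by ASN.

    A /24 is credited to every ASN whose announcement overlaps it, so a
    /24 originated by two ASNs counts once for each. A /24 that no
    announcement overlaps is unrouted."""
    routes = [(ipaddress.ip_network(p, strict=False), asn, cc, name)
              for p, asn, cc, name in announcements]
    per_asn = defaultdict(set)
    holder = {}
    unrouted = set()
    for block in blocks:
        for s24 in constituent_24s(block):
            hit = False
            for net, asn, cc, name in routes:
                if net.version == s24.version and net.overlaps(s24):
                    per_asn[asn].add(s24)
                    holder[asn] = (cc, name)
                    hit = True
            if not hit:
                unrouted.add(s24)
    rows = [(len(nets), asn, holder[asn][0], holder[asn][1])
            for asn, nets in per_asn.items()]
    rows.append((len(unrouted), 0, "??", "UNROUTED IP SPACE"))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


def format_summary(rows):
    """Render rows in the count / ASN / CC / name layout of the post."""
    return "\n".join("%5d %7d %s %s" % row for row in rows)


if __name__ == "__main__":
    print(format_summary(route_summary(STOLEN_BLOCKS, ANNOUNCEMENTS)))
```

Counting overlaps rather than exact matches is what catches the more-specific announcements (a /25 carved out of a stolen /24) that an exact-prefix comparison would miss.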
[anti-abuse-wg] ORG-DTL20-RIPE
46.3.0.0/16
46.232.0.0/17
80.243.128.0/20
149.126.192.0/18

https://bgp.he.net/AS55933#_prefixes
https://bgp.he.net/AS207636#_prefixes
Re: [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
In message <20200129091215.gk3...@vurt.meerval.net>, Job Snijders wrote:

>It appears changes have been made to the record, perhaps by ARIN staff.
>
>$ whois -h whois.arin.net 206.195.224.0
>
>NetRange:       206.195.224.0 - 206.195.255.255
>CIDR:           206.195.224.0/19
>NetName:        THRIFTD
>NetHandle:      NET-206-195-224-0-1
>Parent:         NET206 (NET-206-0-0-0-0)
>NetType:        Direct Assignment
>OriginAS:
>Organization:   Thrift Drug, Inc. (THRIFT)
>RegDate:        1995-08-03
>Updated:        2020-01-28
>Ref:            https://rdap.arin.net/registry/ip/206.195.224.0
>
>The 'OriginAS:' attribute is now empty, also the 'Updated:' date
>changed.

Great! One down. Many more to go.

Regards,
rfg
[anti-abuse-wg] The curious case of 159.174.0.0/16
Just posted: https://mailman.nanog.org/pipermail/nanog/2020-January/105672.html
Re: [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
In message , Job Snijders wrote:

>All snide aside, did you report this prefix's current state to ARIN
>through their fraud form? If not, I'm happy to do so.

Negative. I did not do so and I shall not do so.

Like all of the RIRs, ARIN's forms and their procedures for dealing with these kinds of issues are, by intent, black holes. I give them the product of my hard work and my diligent effort and research and what do I get back? Do I get a bug bounty? No. Do I get a 10% finders fee for finding the facts that allow some block to be returned to its rightful (legacy) owner or to the RIR free pool? No. Do I get any kind of reward whatsoever? No. Do I at least get a courtesy follow-up after a certain period of time has elapsed, telling me whether they think I am right or wrong? NO! I don't get squat! I don't get either a confirmation, or a rebuttal. In fact I don't get anything at all. I don't even get a polite thank you.

But let's just forget about that. Do you really think that me filling out some bloody stupid form is really going to change the process -or- the outcomes? Do you seriously think that YOU filling out the form will have any better effect? If so, I'm going to have to ask you to defend that belief in light of the known facts.

Do you really think that ARIN is utterly ignorant about this, even though I got an on-the-record ``no comment'' comment directly from John Curran about it before I even posted it?

https://mailman.nanog.org/pipermail/nanog/2019-August/102791.html

If not, then how do you explain the fact that after 5 months ARIN hasn't lifted a finger to do a damn thing about it?

Looking forward to you explaining this to me Job. I'm all ears.

Regards,
rfg

P.S. I don't need to seek out any web forms or any RIR if I want to experience first-hand this level of lethargic and studied inaction. As I like to tell people, if I ever want to experience this kind of utter lack of productive activity... well... I have relatives for that!
Re: [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
In message <20200127071712.gn36...@vurt.meerval.net>, Job Snijders wrote:

>Hold on a second, are you sure there ever *was* a request to change who
>controls this legacy block? I am not so sure.
>
>I suspect what happened is that the 'thriftdrug.org' domain name
>registration expired, and the alleged thief registered thriftdrug.org...

Nope. I have already looked at the ARIN WhoWas report. Here are the relevant records, with date stamps:

https://pastebin.com/raw/M3fDR7nh

>> But from where I am sitting it does appear that there was exactly and
>> only -zero- review of this take-over request.
>
>There was no take-over request, I'd call this impersonation or a
>compromised account.

I agree that "impersonation" occurred. I *do not* agree that this was enabled by any kind of account compromise. Furthermore, I have no reason to believe that suddenly, after a couple of decades of utter dormancy, someone just guessed the account password needed to take control over this ARIN WHOIS record. (And in this instance I apply Occam's razor.)

>> I mean that it appears that absolutely *nothing* was done in the way
>> of vetting in this case. The age of the new contact domain... which
>> would have been a BIG red flag... quite apparently wasn't checked.
>
>Have you considered asking ARIN to take the 'domain name creation' date
>into consideration when usernames are retrieved or passwords are reset?
>Perhaps there are some simple heuristics that can be applied to improve
>the password reset process.

Thank you for a nice laugh Job! No, I have not suggested to ARIN how to do their jobs in this kind of a context. And no, I *do not* think that I should even have to suggest that such factors should be considered when giving someone control over a nice juicy legacy block that has sat dormant for a couple of decades. Nor do I think that -I- should have to suggest such a step to the ARIN folks for the simple reason that it is JUST TOO EFFING OBVIOUS... a fact which this present case renders even more bloody obvious than it already was.

>ARIN has a fine working process to publicly log enhancement requests
>called the 'ACSP' https://www.arin.net/participate/community/acsp/

Gee. Thanks Job. I just love to spend time jumping through mindless bureaucratic hoops, just so that I can claim the privilege of informing some folks of what should have been bloody obvious to those same folks from the get-go anyway.

>ARIN would not be unique in having trouble preventing account
>compromises when the control over the domain name falls in the wrong
>hands.

See above. That's not what happened in this case.

Regards,
rfg
Re: [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
In message <2020012700.gk36...@vurt.meerval.net>, Job Snijders wrote:

>I think it is very counter-productive to frame things as 'incompetence @
>ARIN', we rather should assume positive intent. If this indeed is a case
>of theft, the attacker was sophisticated enough to understand the rules
>of the game and how to cheat them. The various registries may be tricked
>at times, that's part of life, the real failure would be if they don't
>act after the registration problem is reported to them. I have no reason
>to believe this will be the case. Please be nice ronald! :-)

Ok, just a couple of points:

#1) I *was* being nice! I *am* being nice. I am taking it as an a priori given that this is NOT another AFRINIC situation. That is only sheer generosity and kindness and deep regard on my part. I am applying Hanlon's razor.

#2) No, this is *not* just "part of life". The people at the RIRs are being paid to do a job. The job is to make allocations and keep track of who has them. Everything else they do, including all of the time and effort they all spend, e.g. arranging lavish conferences and explaining to everyone why they are not the routing police... all that stuff is secondary. Maybe this simple graphic will underscore my point:

https://i.kym-cdn.com/entries/icons/original/000/012/300/you-had-one-job34-580x425.jpg

I'll tell you what Job, I'll make you a deal. You tell me what ARIN did to properly review and vet this request (i.e. for a change to who controls this legacy block) and then, if I am persuaded that they did that *and* that what they did was both reasonable and sufficient, then I'll grovel and beg forgiveness from all, including ARIN.

But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request. I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked. The web site associated with that domain name wasn't checked. And clearly nobody ever even tried dialing the new contact phone number, as I did, which took me all of ten seconds.

So what did the vetting consist of in this case, exactly? Whatever it was, please persuade me that I could not have hired a well-educated and well-qualified chimpanzee with a top-notch resume and paid him less money to perform the same job, thereby saving the ARIN membership thousands or tens of thousands per year.

Given that ARIN walks around, all day every day, with a huge "Kick me! I won't sue you if you do!" sign on its back, I think they need to take this vetting stuff a wee bit more seriously. It would be a different story if they had a reputation for coming down hard, in a legal sense, on anybody who tries to screw with them by pulling these kinds of fraud games on them. But in point of fact, and in the dark Internet underground where all of us decent people never go, they, ARIN, and indeed all of the RIRs have the exact opposite reputation, i.e. a reputation for their standing policy of always wanting to "catch and release" when it comes to fraudsters.

And what is the predictable outcome of this longstanding policy, when combined with inadequate due diligence in the vetting process? I'll tell you what it is. Right now, as we speak, the U.S. Department of Justice is spending my tax dollars to prosecute not one but -two- active criminal fraud prosecutions against two separate groups of fraudsters who ARIN allowed to snooker it. Is shifting this burden onto the taxpayers fair? Is it made fair just because the respective memberships of each of the five RIRs do not wish to get their hands dirty by legally going after the fraudsters who mess with the RIRs, and because they do not wish to absorb the time, expense, and risk of handling these kinds of problems themselves, like most other businesses have to do?

Sorry, Job, but you hit a raw nerve as you can see. As far as I am concerned, the RIRs, and their ultimate parent, ICANN, seem to want to have their cake and eat it too. They don't want to spend the time or effort to do proper vetting, and yet when things like this happen, and when they are then, predictably, defrauded, they want someone else to fight their legal battles for them... using taxpayer money instead of member money. This creates a situation that is often referred to as "moral hazard", i.e. where one party doesn't have to absorb the actual costs if they recklessly gamble and then lose.

Thanks to the late great Jack Valenti, the MPAA and the RIAA already managed to successfully lobby to get the government to treat content piracy as a criminal offense, thus allowing the FBI to become the unpaid police force of the content producers while relieving said content producers of any obligation to solve their own damn problems. So now, I ask you, how is the situation with the five RIRs any different?

Nobody wants the RIRs to be the r
Re: [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
In message <20200127052621.gj36...@vurt.meerval.net>, Job Snijders wrote:

>The dates, the website at https://www.thriftdrug.org/, the non-US origin
>of the announcement all seem to suggest that someone discovered the
>block was dangling, the domain unregistered, and some quick registration
>& forgery could lead to treasure.

Yes. My apologies to all. I made a bit of a mistake here.

Note that I no longer use the term "hijacked" because it is too imprecise. These days I only use the terms "squatted" or "stolen" where the latter is a term that I reserve for cases where the relevant WHOIS record has actually been fiddled.

Upon further review, this block (206.195.224.0/19) now appears to have been stolen, i.e. with the (assumed unwitting) participation of ARIN. As Job has noted, multiple aspects of the WHOIS record are most certainly non-conformant with common sense. I highlight these below. (I have attempted to call the new contact phone number and it is dead/disconnected.)

It is my hope, of course, that the apparent illicit take-over of this block was a product of garden variety incompetence @ ARIN, rather than, you know, the alternative.

It appears from ARIN WhoWas data that this takeover began on 2019-08-12 with additional fraudulent changes to the WHOIS also on 2019-08-14, 2019-08-15, and lastly 2019-09-24, when the OriginAS was fiddled to its present state.

== [Source: whois://whois.arin.net 2020-01-27 04:18:39 UTC]

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS12679                  <= Russia
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

OrgName:        Thrift Drug, Inc.
OrgId:          THRIFT
Address:        100 Delta Drive
City:           Pittsburgh
StateProv:      PA
PostalCode:     15238
Country:        US
RegDate:        1994-03-15
Updated:        2019-08-14
Ref:            https://rdap.arin.net/registry/entity/THRIFT

OrgAbuseHandle: WEBBK16-ARIN
OrgAbuseName:   Webb, Kristi
OrgAbusePhone:  +1-885-923-1290          <= dead/bogus
OrgAbuseEmail:  kw...@thriftdrug.org     <= bogus/parked
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

OrgTechHandle:  WEBBK16-ARIN
OrgTechName:    Webb, Kristi
OrgTechPhone:   +1-885-923-1290          <= dead/bogus
OrgTechEmail:   kw...@thriftdrug.org     <= bogus/parked
OrgTechRef:     https://rdap.arin.net/registry/entity/WEBBK16-ARIN
[anti-abuse-wg] AS12679 -- 206.195.224.0/19
Thrift Drug, Inc. of Pennsylvania was bought out in October, 1996 by the Rite Aid pharmacy chain (US):

https://www.riteaid.com/corporate/news/-/pressreleases/news-room/1996/rite-aid-to-acquire-thrifty-payless-inc-
https://en.wikipedia.org/wiki/Thrift_Drug
https://opencorporates.com/companies/us_pa/2002644

Unfortunately, the parent company, Rite Aid, never got the memo to tell them that Thrift Drug, Inc. owned the legacy IPv4 block 206.195.224.0/19. The results were predictable. This /19 has been repeatedly squatted on in recent years, as shown by RIPEstat:

https://stat.ripe.net/widget/routing-history#w.resource=206.195.224.1

2016-08-15  AS42861  RU  Foton Telecom, CJSC Network Operation Centre
2017-12-08  AS65075  --  {{reserved ASN}}
2018-03-26  AS28191  BR  Jupiter Telecomunicacoes e Informatica Ltda
2019-08-24  AS20473  US  Choopa, LLC
2019-10-11  AS12679  RU  Iceberg Telecom Ltd.

The 206.195.224.0/19 block is currently being squatted on by AS12679, Iceberg Telecom (Moscow). It appears that this ASN is also and likewise squatting on a great number of other blocks as well:

https://bgp.he.net/AS12679#_prefixes

AS12679 (Iceberg) appears to be a "leaf" ASN, connected to the public Internet only via AS25227 (Avantel, Close Joint Stock Company, Moscow) which in turn appears to be getting more than 3/4ths of its own IPv4 connectivity from AS9002 (RETN):

https://bgp.he.net/AS25227

Suggest filtering all route announcements from both AS12679 -and- also AS25227 until they each decide if they would like to be part of the civilized internet.

== [Source: whois://whois.arin.net 2020-01-27 04:18:39 UTC]

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS12679
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

OrgName:        Thrift Drug, Inc.
OrgId:          THRIFT
Address:        100 Delta Drive
City:           Pittsburgh
StateProv:      PA
PostalCode:     15238
Country:        US
RegDate:        1994-03-15
Updated:        2019-08-14
Ref:            https://rdap.arin.net/registry/entity/THRIFT

OrgAbuseHandle: WEBBK16-ARIN
OrgAbuseName:   Webb, Kristi
OrgAbusePhone:  +1-885-923-1290
OrgAbuseEmail:  kw...@thriftdrug.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

OrgTechHandle:  WEBBK16-ARIN
OrgTechName:    Webb, Kristi
OrgTechPhone:   +1-885-923-1290
OrgTechEmail:   kw...@thriftdrug.org
OrgTechRef:     https://rdap.arin.net/registry/entity/WEBBK16-ARIN
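The red flags this post and the follow-up above say a registry should have caught (a legacy record untouched for decades and then edited in a burst, contact e-mail on a freshly registered domain, an origin AS in a different country than the registrant) can be written down as checks over the ARIN record text. This is an added example, not the poster's or ARIN's tooling; the WhoWas change dates and the AS country come from the thread, while the contact domain's registration date is a constructed placeholder because the thread gives no exact date.

```python
"""Red-flag checks for a legacy IPv4 WHOIS record, modelled on the
206.195.224.0/19 case in the thread. Example code added here; it is not
ARIN's, RIPE's or the poster's tooling."""
from datetime import date, timedelta

# Constructed sample: the ARIN record quoted in the thread, trimmed to the
# fields the checks need (ARIN key/value text format, values as posted).
SAMPLE_WHOIS = """\
NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetType:        Direct Assignment
OriginAS:       AS12679
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
OrgName:        Thrift Drug, Inc.
Country:        US
OrgAbuseEmail:  kw...@thriftdrug.org
OrgTechEmail:   kw...@thriftdrug.org
"""

# Dates at which the record changed, as the thread reports them from ARIN
# WhoWas (the 1995 date is the RegDate, the rest are the 2019 edits).
SAMPLE_HISTORY = ["1995-08-03", "2019-08-12", "2019-08-14", "2019-08-15",
                  "2019-09-24"]

# ASSUMED: the thread says the contact domain was freshly registered but
# gives no date, so this value is a placeholder. The AS country is taken
# from the RIPEstat routing history quoted in the post.
ASSUMED_DOMAIN_CREATED = {"thriftdrug.org": "2019-08-01"}
ASN_COUNTRY = {"AS12679": "RU"}


def parse_whois(text):
    """Parse ARIN-style 'Key: value' lines; repeated keys become lists."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in rec:
            if not isinstance(rec[key], list):
                rec[key] = [rec[key]]
            rec[key].append(value)
        else:
            rec[key] = value
    return rec


def _d(s):
    return date.fromisoformat(s)


def find_red_flags(rec, history, domain_created, asn_country,
                   dormant_years=10, fresh_domain_days=365):
    """Return (code, detail) tuples for the vetting checks the thread says
    should precede any change of control over a legacy block."""
    flags = []
    # 1. Long dormancy followed by a burst of edits: a gap of at least
    #    dormant_years, then more than one change within 90 days.
    dates = sorted(_d(s) for s in history)
    for prev, cur in zip(dates, dates[1:]):
        if (cur - prev).days >= dormant_years * 365:
            burst = [x for x in dates if cur <= x <= cur + timedelta(days=90)]
            if len(burst) > 1:
                flags.append(("DORMANT_THEN_BURST",
                              f"no change for {(cur - prev).days // 365} years, "
                              f"then {len(burst)} changes starting {cur}"))
            break
    # 2. Contact e-mail domain registered shortly before the record was
    #    edited (the "age of the new contact domain" check).
    updated = _d(rec["Updated"])
    emails = []
    for key in ("OrgAbuseEmail", "OrgTechEmail"):
        v = rec.get(key, [])
        emails += v if isinstance(v, list) else [v]
    for domain in sorted({e.rsplit("@", 1)[-1].lower() for e in emails}):
        created = domain_created.get(domain)
        if created and (updated - _d(created)).days <= fresh_domain_days:
            flags.append(("FRESH_CONTACT_DOMAIN",
                          f"{domain} registered {created}, "
                          f"record updated {updated}"))
    # 3. Origin AS sits in a different country than the registrant.
    asn = rec.get("OriginAS")
    if asn and asn_country.get(asn) and asn_country[asn] != rec.get("Country"):
        flags.append(("ORIGIN_COUNTRY_MISMATCH",
                      f"{asn} is {asn_country[asn]}, "
                      f"registrant is {rec.get('Country')}"))
    return flags


def check_sample():
    """Run the checks over the constructed sample record."""
    rec = parse_whois(SAMPLE_WHOIS)
    return find_red_flags(rec, SAMPLE_HISTORY, ASSUMED_DOMAIN_CREATED,
                          ASN_COUNTRY)


if __name__ == "__main__":
    for code, detail in check_sample():
        print(code, "-", detail)
```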
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <2ff201d5cccf$f6ffe640$e4ffb2c0$@makeitsimple.pt>, "Sérgio Rocha" wrote:

>Someone said: You must be new here, yes it's true, I'm on the list for a
>few months. Maybe that's why you're still optimistic.

You completely mis-read my comment. What I meant was that you must be new here, because YOU are still optimistic that anything said or done here will ever have any effect. Some of us have already been here for years and know that it won't.

Regards,
rfg
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , Volker Greimann wrote:

>As the abuse using domains registered through us usually does not happen
>on our networks, we have zero ability to detect it in advance, all we
>can do is take care of them after the fact, which we do diligently. We
>have a team tasked exclusively with reviewing abuse complaints and
>taking appropriate action.

You already clarified what your idea of "appropriate action" is, i.e. ratting out the "troublemaker/complainer" to your spammer customer's reseller, so that that company can in turn rat out the "complainer" to the spammer, so that the spammer can then launch a DDoS or other type of attack. (And for the record, I have myself been DDoS'd *twice* in the past 20 years, since I have been working on network abuse issues.)

I'm sorry, sir, but this is *not* my idea of "appropriate action". Far from it in fact.

>Clearly you have never looked at what normal end users put in the Org
>fields.

I have *actually* looked at more domain name WHOIS records, and carefully studied them, than you will likely even glance at in your entire lifetime.

>In our experience, they put anything in there, not just org names.

That is not my problem and it is also not your problem. The fact that some tiny percentage of the world's population are perfect imbeciles who are unable to grasp the simple and obvious concept of an "organization" as something other than a natural person is not a fact which either can or should drive global policy as it relates to the overall health and safety of the entire Internet.

More to the point, how many natural persons have names that end with ", LLC" or ", Inc." or ", Ltd." or ", S.A.R.L." ? Could your company and your entire industry at least display in public WHOIS records the Organization fields that contain these suffixes? Of course you could! Will you do so? Of course not, because as I have said, you folks who are in the domain registration business are not interested at all in either transparency *or* in the health of the Internet. Your only goals are to helpfully hide the details of your crooked and wicked primary revenue-generating customers, i.e. spammers and phishers, and maximizing your own revenue at the expense of everyone else.

Ladies and gentlemen, for those of you who may think that I have just gone off the deep end, and that I am just ranting against the domain name registration industry without any basis, I ask you to just consider this: There exists a domain name registrar company, NameSilo, here in the U.S. and on its web site it proudly displays the details of its bulk discount policies for domain name buyers:

https://www.namesilo.com/Support/Discount-Program

As you can all see, the discount schedule for bulk purchases maxes out and yields the highest level of discounts for buyers at the level where a single buyer is purchasing FIVE THOUSAND DOMAIN NAMES IN A SINGLE SITTING.

So now, everyone, ask yourselves: Who needs to buy FIVE THOUSAND domain names in a single transaction? Who even WANTS to buy FIVE THOUSAND unique domain names in a single transaction? And whoever wants that, would you trust them to hold your wallet?

The entire scam that is the modern domain name business is an open secret. The domain name registrars don't even hide what they are up to anymore. They display it right out in the open and on their web sites, almost as if it were something to be proud of, rather than something that they should be ashamed to tell their mothers about.

I have talked to a senior official at ICANN about this practice of ICANN's accredited registrars offering discounts for bulk purchases... which are clearly and unambiguously intended to draw in the Internet criminal element... and this ICANN official said to me point blank "Yea, we know. There is nothing we can do about it."

Why can't ICANN control this outrageous behavior on the part of its own contractually bound accredited registrars? The answer is as simple as it is obvious: The problem isn't that ICANN actually "can't" do anything about this explicit catering to the criminal element. The real problem is that ICANN has no incentive to put a stop to this, and in fact makes lots of money itself by the perpetuation of this sordid trade, which they and everyone else who has been paying attention all know about.

>If you have the perfect method of
>differentiating between personal data and non-personal data, you could
>do a lot of good by sharing that instead of mouthing off.

See above. This isn't rocket science. But you are now displaying, on behalf of your entire crooked industry, your willful and self-serving blindness to the obvious. If the value in the Organization: field ends in "Inc." or "LLC" or "Ltd." or "Limited" or "Co.", or "Company" or "OOO" or "SRL" or "S.R.L." or "SARL" or "S.A.R.L." then guess what? That is NOT the name of a natural person, and therefore the information in that field is clearly NOT covered under or by GDPR.

If I thought t
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , Volker Greimann wrote:

>Hi Robert,

The name is Ron, actually.

>in 99,9% of the cases, the customer we forward the complaint to is not
>the spammer, but the service provider used by the spammer for their
>domain registration services, e.g. the party who has the closer
>relationship and can actually do something about the issue, such as
>disabling their customers access to the service.

OK, two points:

1) *YOU* can do something about the issue if you are the registrar of record. All of this crap designed to evade any and all -responsibility- on your part is just that, crap. You hide behind multiple layers of "resellers" and try to tell the world that because you elect to do business this way, your company can dodge all responsibility. These lame excuses and attempts to evade personal or corporate responsibility don't work in war crimes trials and if there were any justice in the world they wouldn't work any better on the Internet.

2) You have "resellers". OK. Fine. So you forward *my* spam complaint on to your reseller. Then your reseller forwards it on to his pet spammer... you know... the one that is providing 93% of that reseller's domain registration revenue. Now, please explain to me, slowly and carefully, what it is that either compels or even motivates your reseller to take action against the party that is putting bread on his table? More to the point, please tell me what prevents that reseller from ratting me out to his pet spammer, so that his pet spammer can then DDoS "the troublemaker"?

Your entire industry, with all of its sellers and re-sellers and re-re-sellers is all just one colossal layered ponzi scheme which is funded and fueled more than 90% these days by snowshoe spammers. You know it and I know it. The only people who don't know it are the people who haven't taken the time to study what is really going on. There are, at last count, something like eighty seven thousand ICANN Accredited domain name registrars, and 98% of them would be out of business tomorrow if it were not for the snowshoe spammer trade, because there is NO real money to be made just selling domain names, one or two at a time, to butcher shops and dentist's offices. You are just porcine animals, feeding at the trough of a corrupt trade made possible by what amounts to your over-arching industry lobbying organization, ICANN.

>Also, our treatment of WHOIS is not in violation of ICANN contracts, but
>in compliance with it. Check out the Temporary Specification to the
>agreements that ICANN put out.

I really don't give a rat's ass what self-serving fraudulent justifications ICANN has put out to try to excuse their own inaction *or* your non-compliance with your contractual commitments. The fact remains that GDPR *does not* restrict domain registrars from displaying the Organization: fields in WHOIS records, specifically when the named organizations represent things other than natural persons... which is almost always the case... and yet I can name right now any number of ICANN Accredited domain name registrars that are, and that have been, for quite some time now, very deliberately suppressing literally *all* WHOIS data fields, period. How do you justify that? How does your corrupt industry justify that?

>We are working hard to bring back some model to provide access to
>registration data to parties with a legitimate interests, but...

Screw that! This is just a clever smoke-screen, invented by your corrupt industry to try to fool naive and stupid people into believing that there is really some complex issue here when there isn't. The Organization: field of each and every domain name WHOIS record is quite clearly SUPPOSED to contain the name of the non-natural-person to which the domain name is registered. So why do most domain name registrars suppress this data? What is your excuse for that, when GDPR clearly does not apply?

I am *not* talking about your industry's lame attempts to limit access to the data to only *your* hand-picked non-troublemaker "parties with a legitimate interest". These are just industry code words for "law enforcement only" access. This is what your industry wants, because you all know good and goddamn well that law enforcement doesn't have the time, the interest, the training, or the manpower to chase down mere small-time hackers and spammers, so your industry-wide plan is to proceed according to these two phases:

1) Suppress *all* WHOIS information, even for entities not covered by GDPR, and then...

2) When people complain that you are violating your clear contractual commitments to ICANN (which ICANN, which also profits handsomely from the snowshoe spammer trade, is conveniently doing nothing about) then your industry offers to "compromise" by allowing WHOIS access *only* to untrained, ineffective, and mostly uninterested law enforcement.

Actually, I must compliment your whole ind
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <23ad49c8-8fc4-41fa-a8fc-cae3479ad...@key-systems.net>, Volker Greimann wrote:

>In the domain industry, we were required to provide an abuse contact,
>however the reports we get to that address usually deal with issues we
>cannot do much about other than pulling or deactivating the domain name,
>which is usually the nuclear option. So we spend our time forwarding
>abuse mails to our customers that the complainant should have sent to
>the customer directly.

Digital Ocean does the same thing. If you send them a spam complaint, they will thoughtlessly and immediately forward it on directly to their spammer customers, as you do, so that that spammer customer will then know exactly who ratted him out, and thus, who he should put out a contract on, to have that party immediately DDoS'd.

You sir, and your company, are part of the problem. In fact your entire industry is also. Working together you have all succeeded in serving your own financial ends while shamelessly twisting and exploiting the true meaning of GDPR, using it as a blunt instrument to demolish and bludgeon to death the perfectly usable system that used to be called "WHOIS"... in clear violation of your contractual commitments to ICANN I might add... a system (WHOIS) which is now little more than a useless joke for all practical purposes.

Congratulations on maximizing your own revenue at the expense of everyone else, and at the expense of civilization and a civilized Internet. I can only hope that the facts of what you and your company have done, and what the entire domain registrar industry has done, will ultimately become a part of your permanent epitaph, following you to wherever you go from here, which I have some hopes will not be upwards.

Please let me know if I have failed to be adequately clear.

Regards,
rfg
[anti-abuse-wg] Proposal
My apologies. I see that I must make a slight but important correction to my proposal... Be it resolved that: Henceforth, and until this policy is retracted, it shall be the policy and practice of RIPE NCC to place electronic copies of all documents used to establish the bona fides of each and every RIPE member WHICH IS NOT A NATURAL PERSON on the RIPE web site, and in a manner which will allow free and unfettered public access to all such documents. Discuss. Regards, rfg
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , JORDI PALET MARTINEZ via anti-abuse-wg wrote: >I'm sure that this is the same in every EU country. Can we agree on that? Quite certainly not! Doing so would break ALL established precedent! When was the last time this working group agreed on *anything*? Regards, rfg P.S. And anyway, as I myself have just been reminded, RIPE != EU.
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , JORDI PALET MARTINEZ wrote:

>{... quoting Sara...}
>"Complete, accurate information goes hand in hand with a duty of care..."

A simple proposal:

Be it resolved that: Henceforth, and until this policy is retracted, it shall be the policy and practice of RIPE NCC to place electronic copies of all documents used to establish the bona fides of each and every RIPE member on the RIPE web site, and in a manner which will allow free and unfettered public access to all such documents.

Discuss.

Regards,
rfg

P.S. For those new members who are only just joining us, please reserve your judgements regarding the ineffectiveness of this group for anything other than blocking any and all forward progress until you see the reactions to the above simple proposal. Those reactions should be educational, and will tell you everything you need to know.
Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <33b2e10eb9694eadb4bdaba30eb25...@elvas.europol.eu.int>, "Marcolla, Sara Veronica" wrote: >If the community does not agree that everyone has the right to a safe, spam >free, crime free Internet, maybe we have some issue to solve here first. Welcome to the Working Group. You must be new here. Regards, rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <077501d5cc69$d9427020$8bc75060$@makeitsimple.pt>, "Sérgio Rocha" wrote:

>Agree, This anti-abuse list seems the blocking group to any anti-abuse
>response measure.
>
>It's amazing that nobody can't propose anything without receiving a
>shower of all sorts of arguments against

Welcome to the Working Group. You must be new here.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <4be52277-cecb-603f-6840-4ee76245b...@first.org>, Serge Droz wrote:

>I think we already spent way more executive time on this thread than it
>would cost us to verify e-mail addresses.

I think that I may cut that out, print it in a 48-point type face, have it framed, and hang it on my office wall. :-)

This is true even though I expressed some similar view on some similar situation here already some years ago.

>And honestly: taking a step back and reading this entire thread, I'm not
>surprised that the bad guys are winning. You know: They don't care about
>the purity and beauty of a solution. They just do it and profit, and
>probably have a fabulous time seeing us argue and go at each other's
>throats.

I myself have certainly expressed this view previously, in private if not also in public.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , Richard Clayton wrote:

>bottom line is that if you want to run a reputation site and not be
>under an obligation to remove libellous material (not fair comment) you
>would be unwise to do it outside the USA

As much as I would like to claim, on behalf of my countrymen, an absolutely unique status in this regard, I do believe that there are any number of other locales from whence a similar feat could be accomplished. Iceland seems like a possibility, but also Belize, perhaps Gibraltar, The Dominican Republic, and quite certainly Nevis & St. Kitts. Oh! And the sovereign Republic of Sealand, of course.

Regards,
rfg

P.S. I cannot help but offer the entirely gratuitous observation that in many parts of the world it may indeed be more legally tenable to be either a spammer or a spam-friendly provider than it is to be a person or other form of legal entity which publishes anything not qualifying as glowing positive commentary about any such.
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ email19.asia.godaddy.com>, "Fi Shing" wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for a while longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from yours truly. Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <68c5238d-b796-45b9-8735-5849140dc...@consulintel.es>, JORDI PALET MARTINEZ wrote:

>When some operators aren't responding to abuse cases, or when they are
>bouncing emails, or you get a response from someone telling "sorry I'm not
>the right contact for this, the email is mistaken", and many other similar
>situations ... the operator is telling you "we don't care about abuse from
>our customer to other networks".

Just a quick follow-up note on this.

These days, about half of the time when I report a spam that came to me from one of Microsoft's ASNs, I get a reply back telling me that the spam in question came from an Outlook user, and giving me some other reporting email address, and vaguely encouraging me to re-report the spam to that different address. I never do. (This happens EVEN IF I had, in the first instance, reported the spam to the exact email address that is given as the abuse reporting address for the relevant ASN in the official ARIN WHOIS records.)

If the people at Microsoft who handle abuse cannot be bothered to just simply forward a spam report from one of their own departments to another, internally, then I am not persuaded that any part of their organization is adequately motivated to do anything at all about it, no matter who I sent it to.

Regards,
rfg
[anti-abuse-wg] Fresh News from the Dark Continent
This was to be expected, but it is good to know that it really did happen.

https://mybroadband.co.za/news/security/335226-here-are-the-police-charges-filed-in-the-great-african-ip-address-heist.html

I have high hopes for the new AFRINIC CEO. Quite obviously, he is not at all tainted by the sins of the past, which have been, rather unfortunately, replete.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <58ece9f6-4d64-4315-8ee5-88574f6b4...@consulintel.es>, JORDI PALET MARTINEZ wrote:

>Right, and that was a part of my point about eBay-like feedback ratings
>for resource holders, i.e. "Let's not even try."
>Instead, let the people decide. Let anyone register a feedback point,
>positive or negative, against any resource holder, with the proviso
>that if they are registering a negative feedback point, they should assert
>exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
>undeliverable", "no response for eight days" etc.) and if possible,
>provide some context also, e.g. a copy of the spam, a copy of some
>logs showing hack attempts, etc.
>
>This may have legal consequences for RIPE NCC, as somebody could use the
>system to publish untrue information for competitors ... not a good idea.

OK, two points:

1) I cannot and will not dispute that rating systems which allow votes from the public at large can be gamed, e.g. by unscrupulous competitors, and indeed, it is my belief that there have already been some well-documented cases of this. That's not to say that I think that adequate counter-measures could not be developed. I think they could be.

2) As regards the "legal" issue, I can only express my deepest sympathies for all you folks on your side of the pond and beyond, especially as you all seem to be at least somewhat constrained in your freedom to speak truth to power.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message Leo Vegoda wrote:

>E-mail does not scale well. It was great in the 1990s, when the
>Internet was smaller and people knew each other. About half the
>world's population now has some sort of Internet connectivity.
>Expecting organizations to be able to understand reports from such a
>diverse group of people is unreasonable.

You're right. Email is shit.

However as long as network operators allow their errant end-lusers to spam me via email, I expect them to also accept reports about that via email. If they don't want to, then fine. They can just block outbound port 25 for their entire networks at and in the routers. Problem solved and everybody's happy.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <9ew8xocpiyhef...@highwayman.com>, Richard Clayton wrote:

>these (which are the most interesting parts of the Communications
>Decency Act that did not get invalidated by the application of the First
>Amendment which swept away much of it) provide a safe harbour for the
>people operating platforms regarding what the users of those platforms
>say ... so yes this is very much on point
>
>within the EU (and the RIPE region is far bigger than that) there is NOT
>an equivalent regime -- there is a safe harbour (under the ECommerce
>Directive) for hosting companies but ONLY up to the point at which they
>have "actual knowledge" that material is problematic (eg that it is
>defamatory) after that they are on the hook if they fail to act
>appropriately
>
>companies such as EBay and TripAdvisor are well aware of this and
>operate their platforms accordingly -- so this means that problematic
>material will not be visible within the EU (and doubtless in other RIPE
>region countries) ... whether they remove it entirely (so that US
>residents miss out) I could not say, you'd need to ask each company
>individually as to how they configure their systems

I reiterate and slightly rephrase my question: Do you people within the RIPE region see, or not see, critical reviews on, for example, eBay, TripAdvisor, etc?

It is being seriously suggested that eBay erases or makes magically and selectively invisible just those bad seller (or buyer) reviews which implicate some draconian defamation laws that exist in some one of the fiefdoms of Europe, perhaps even one small enough to be entirely covered in shag carpeting? It is being seriously suggested that TripAdvisor likewise selectively erases complaints about lousy coffee at each and every litigious brothel in Amsterdam?

If this is what is being suggested, then color me skeptical.

>note that companies that operate solely in the USA can take some solace
>from the USA SPEECH Act...

The notion of "operating solely in the USA" is not one which lacks ambiguity, at least when it comes to Internet-based services, as I am sure you are all too aware.

Still, pragmatics and commerce, like time and tide, wait for no man. And the services I have named and used as examples *do* exist, *do* survive, and *do* provide, collect, organize, and disseminate reviews entered by globe-spanning armies of individual end users.

I would argue that if they can do it, we can do it.

As regards jurisdiction and legal responsibility, I would be more than happy to host the thing here in the United States, and take full, personal, and sole legal responsibility for it. I am not afraid, because 47 USC 230(c) is both abundantly clear and already very much tested, in real courts of law, and it has consistently prevailed. The operator of a platform is *not* legally liable for the speech of others. Not in these United States anyway.

I would do these things, but I cannot -build- such a review platform, because frankly, I just don't have the time. That small fact doesn't make it a fundamentally Bad or Unworkable idea.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, "Sérgio Rocha" wrote:

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse reports, that sends the email to
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.
>
>This way anyone that reports an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with these evaluations it would be easy to realize who manages the reports
>and even who does not respond at all.

This is essentially similar to what I had proposed. As such please put me down as a:

+1
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <20200115080615.gq72...@space.net>, Gert Doering wrote:

>So why is it preferable to send mails which are not acted on, as
>opposed to "not send mail because you know beforehand that the other
>network is not interested"?

Not sure that I understand fully the context of the question here, but in relation to what I suggested, which would be an "eBay-like" public review collection & publication service, it would be, and is, always helpful to know which networks just don't give a damn about being responsible in responding to abuse arising from their networks. Because there are these things called blacklists.

>I can see that it is frustrating - but I still cannot support a policy
>change which will not help dealing with irresponsible networks in any
>way, but at the same time increases costs and workload for those that
>do the right thing already.

As I have said, "You can lead a horse to water, but you can't make him drink."

No matter how much any of us here might wish it, we should at long last resign ourselves to the unambiguous and ever-present reality that no significant portion of the RIPE community is ever going to be persuaded to do -anything- in the way of forcing, or even just strongly encouraging good behavior and/or social responsibility on the part of independent individual network operators. It just isn't going to happen, ever.

We should thus move on and should take heed of the ancient wisdom of 1 Corinthians 13:11:

When I was a child, I spake as a child, I understood as a child, I thought as a child: but when I became a man, I put away childish things.

It is a childish thing to still hope or believe that any part of RIPE or its community will ever take any meaningful action to *directly* influence the behavior of networks that simply wish to minimize their costs and maximize their revenue through a corporate strategy of ignoring all acts of customer network abuse.

This is why I have suggested that, at the very least, RIPE NCC could set up and maintain just a basic review "platform" where the public at large can at least make it known to all observers which networks are the assholes and which ones aren't.

>> To an extreme, there should always be a known contact responsible for
>> any network infrastructure.

Yes, but the operative word there is "should". Who will *mandate* and *enforce* this rule? Not RIPE NCC and not the RIPE community.

I and others have been on this list for years and years and the result is as recurrent as it is entirely predictable by now. There are those, here and elsewhere, who religiously cling to their God-given "right" to refuse, stubbornly, adamantly, and absolutely, to be told what to do or how to responsibly run their networks by any other party, including even the RIPE community. (Hell! Some of them are apparently not even entirely convinced that they have any clear obligations to stay within the bounds proscribed by criminal law!)

Thus, in short, it is well past time to move on and to put away childish things, specifically the eternal and ever-unfulfilled forlorn hope that either RIPE or its community will someday, at long last, come to its senses and start demanding even some minimal level of responsibility and/or accountability from its members.

The only small thing that RIPE -might- actually be able to do to improve the present situation... without all of the usual vetos from all of the usual quarters... would be for it to set up a public review platform so that members of the public at large could at least document, in full public view, which networks are the shitheads and which are the good guys. That way RIPE is not expressing *any* viewpoint itself... not about any network and not even about what does or does not constitute "abuse" or "responsible network behavior"... and thus just this one small thing might actually be achievable, where all of the years of ranting and raving, of tearing of hair and gnashing of teeth about the wanton abuse of the Internet by networks within the RIPE community has achieved -zero-, zip, nada, nothing of any substance in the way of prudently setting even just a minimum floor on behavior, let alone actually enforcing that minimal floor.

Time to put away childish things and childish hopes that RIPE will be someday persuaded to be a part of the solution. For the moment it remains, as it has remained for quite some years now, a part of the problem.

RIPE will never itself enforce -any- code of network behavior. Period. Full stop. There are too many people making too much money based on the present utter absence of any behavioral rules, much less enforcement, to allow that to change any time soon.

Get over it and move on.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , Hans-Martin Mosner wrote:

>While this would probably paint a pretty solid picture of which network operators can be trusted and which can't,
>there's another point besides your valid concern about abusers gaming the system: Whoever publishes the results of such
>user ratings would most likely expose themselves to litigious lawsuits, which neither you nor me nor RIPE NCC really
>wants to do.

That comment, and that concern, certainly does not seem to apply in any country in which either eBay or TripAdvisor operate. Do you folks on your side of the pond not receive eBay? Are you not able to view Tripadvisor.Com?

Here in this country (U.S.) there are actually -three- separate and clearly discernible legal protections that would cover and that do cover circumstances like this. In no particular order, they are:

(*) The First Amendment.
(*) 47 USC 230(c)(1)
(*) 47 USC 230(c)(2)(B)

Ref: https://www.law.cornell.edu/uscode/text/47/230

The middle one is actually the first-order go-to provision for situations like this, and provides for quick dismissal for any silly cases brought against *me* for something that *you* have said on some discussion or review web site that I just happen to provide electricity, connectivity, and CPU cycles for.

One would hope that European law might have some counterpart for that, but I confess that I really have no idea about that, one way or the other.

So, um, is the European continent utterly devoid of any and all web sites where reviews can or do appear? Does Europe have its own GDPR mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out? Or were you, Hans-Martin, just saying that in Europe, free speech is reserved only for those who can afford it, and who conveniently have hordes of corporate lawyers covering their backsides?

Asking seriously, because I don't know the answer. I'm just puzzled by this whole thing, and this concern about lawsuits.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <30174d32-225f-467e-937a-5bc42650f...@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

>I think if we try to agree on those ratings, we will never reach consensus

Right, and that was a part of my point about eBay-like feedback ratings for resource holders, i.e. "Let's not even try."

Instead, let the people decide. Let anyone register a feedback point, positive or negative, against any resource holder, with the proviso that if they are registering a negative feedback point, they should assert exactly *why* they are unhappy (e.g. "mail to abuse address bounced as undeliverable", "no response for eight days" etc.) and if possible, provide some context also, e.g. a copy of the spam, a copy of some logs showing hack attempts, etc.

>So it is not just easier to ask the abuse-c mailboxes that don't want to
>process to setup an autoresponder with an specific (standard) text about that, for example:...

In the "eBay feedback" model I am proposing there is no need for *RIPE NCC* to ask anybody about anything. People will register negative points against any resource holder with an undeliverable abuse address. (I know I will!)

I'm sorry Jordi, if this idea sounds like it is undermining everything you have been trying to do, which is all very very admirable. But I have only just realized what you said above, i.e. if we really start to try to design a system where RIPE NCC will do 100% of the work of "reviewing" all one zillion RIPE resource holders, the size of the task will almost be the least of the worries. The first order problem, as you already know since you have been doing yeoman's work on this for a while now, is just getting people in the various RIRs to agree on the numerous fine details. (Hell! You can't even get *me* to agree that a 15 day turn-around is in any sense "reasonable", and apparently I'm not alone in that regard.)

So, my solution is just don't.

Let the whole planet vote on whether they think this provider or that provider are ***heads, and let the chips fall where they may.

I'm not saying that even this idea would necessarily be piece-of-cake easy. The first problem would be working out a way to prevent the system from being gamed by bad actors for malicious purposes, or for positive "PR" purposes. (Don't get me started about the fake positive reviews over on TripAdvisor.) But I am not persuaded that these are in any sense insoluble problems.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message <671286eb-7fad-4d70-addd-efa0a680b...@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

>>Section 3.0 part 3. Why on earth should it take 15 days for
>>anyone to respond to an email?? Things on the Internet happen
>>in milliseconds. If a provider is unable to respond to an issue
>>within 72 hours then they might as well be dead, because they
>>have abandoned all social responsibility.
>>
>>I fully agree! My original proposal was only 3 working days, but the
>>community told me "no way". This was the same input I got in APNIC
>>and LACNIC (in both regions it reached consensus with 15 days).
>>
>>So, I will keep 15 days ...
>
>I think this is provable, and also transparently obvious and colossal
>bullshit, but that's just my opinion.
>
>And mine!, but as a proposal author, I need to try to match as much as possible
>the wishes of the community.

You are hereby officially absolved from all guilt in the matter.

In nomine patri et fili spiritu sancte.

Go in peace my son, and do what you have to do.

Regards,
rfg
Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
In message , Ángel González Berdasco wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow us to easily block
>those networks from accessing ours!

These are pretty much my sentiments exactly. The only questions remaining are:

1) Should there just be a simple yes/no one-bit flag published for each resource holder, or would a scale and a range of possible "rating" values be more useful?

2) How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my prior posting.

Regards,
rfg