- anti-abuse-wg - mailman.ripe.net

RIPE Mailing List Code of Conduct
by Brian Nisbet 06 Jul '17

06 Jul '17

Colleagues, I wanted to make you all aware of the formal implementation of a code of conduct for RIPE mailing lists. As you're aware the AA-WG mailing list has been, loosely, operating under similar guidelines for some time, but I certainly appreciate a much broader community approach. The code of conduct is here: https://www.ripe.net/participate/mail/ripe-mailing-list-ripe-forum-code-of-… It is based on the RIPE Community code of conduct and codes in place for technical communities across the world. If you have any questions in regards to this, please let Tobias or myself know. We can, as always, be contacted at aa-wg-chair(a)ripe.net Thanks, Brian Co-Chair, RIPE AA-WG -- Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet(a)heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270

1 0

Re: [anti-abuse-wg] .gov .ru or .ch ?
by Bengt Gördén 30 Jun '17

30 Jun '17

Den 2017-06-30 kl. 07:53, skrev ox: > Hi All, > > Frequently I see new exploits, old exploits, plain old brute force and > all scans from the same weird shell corporations. > (of course I collect exploits, specially 0day, as they are very useful) > > Usually when I report hacking/security abuse (like a main bot, etc) > most ISP's actually take a look and clean up, as it is bad for their > network to have this there anyway.... > > But there are 'bullet proof' hackers as complaints never do anything, > no matter how much logs and evidence is submitted. > > These are your government hackers, USA, China, Russia, etc. > > But, one of these bullet proof hackers is so k1dD13 that I have no > clue what it could be (as the stuff they run, will never work, even on > non patched servers/devices) - Yet complaints also have no result and > the modus operandi is always the same... They have distributed small > delegations, like /29 /28 /27 and on rare occasions a /26 and always > registered to Kansas, USA > > For example IP number 69.30.255.107 We've had our fare share of spam from them. The announcement spree seems to have started more or less in 2017 although the earlier announcements in 2005-2006 seems to have same pattern. Smaller prefixes also seems to be way back. Check the json-file for that. https://stat.ripe.net/widget/routing-history#w.resource=69.30.192.0/18 https://stat.ripe.net/data/routing-history/data.json?min_peers=0&resource=6… > > Has anyone experienced anything similar and does anyone know what type > of silly operation this is or what their goals could possibly be? > > Is it some AI learning thing? or a bit eater? or what? Due to the price model https://www.wholesaleinternet.net/ has I see it as just a heaven for spammers and black hats. Buy a virtual server for $10/month no question asked. Cheers, -- Bengt Gördén Resilans AB

1 0

.gov .ru or .ch ?
by ox 30 Jun '17

30 Jun '17

Hi All, Frequently I see new exploits, old exploits, plain old brute force and all scans from the same weird shell corporations. (of course I collect exploits, specially 0day, as they are very useful) Usually when I report hacking/security abuse (like a main bot, etc) most ISP's actually take a look and clean up, as it is bad for their network to have this there anyway.... But there are 'bullet proof' hackers as complaints never do anything, no matter how much logs and evidence is submitted. These are your government hackers, USA, China, Russia, etc. But, one of these bullet proof hackers is so k1dD13 that I have no clue what it could be (as the stuff they run, will never work, even on non patched servers/devices) - Yet complaints also have no result and the modus operandi is always the same... They have distributed small delegations, like /29 /28 /27 and on rare occasions a /26 and always registered to Kansas, USA For example IP number 69.30.255.107 Has anyone experienced anything similar and does anyone know what type of silly operation this is or what their goals could possibly be? Is it some AI learning thing? or a bit eater? or what? Andre

1 0

article
by ox 23 Jun '17

23 Jun '17

Hi, Thought I should share the link with the group: https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberwe… Andre

1 0

Re: [anti-abuse-wg] Abuse: Too big to fail
by abos34＠wanadoo.fr 21 Jun '17

21 Jun '17

1 0

Re: [anti-abuse-wg] Abuse: Too big to fail
by Volker Greimann 20 Jun '17

20 Jun '17

It seems there is a definition issue here. I am sure Twitter does not intentionally spam its users, but many users that receive messages from Twitter think of these as spam. What is probably true: - Real spammers may be abusing the infrastructure offered by Twitter to spam and Twitter is unable/unwilling to take action to stop this - Twitter account holders have their settings set up that they receive too many notifications that they do not really want. Solving the second is easy: Just change your notification settings. Volker PS: It may be helpful to say exactly which messages you consider spam instead of opening up with the big guns right away but without sufficient detail to verify your claims. Am 19.06.2017 um 17:08 schrieb ox: > If I do actually look at the abuse lists that list the spammer, Twitter > - they are sorbs, etc and have a reputation for ethical behavior.. > > What is interesting is how you & michele defend the spammer > > One has to wonder whether it is because the fact that Twitter is an > evil spammer hurts you guys personally? > > Or if you are products (have twitter etc) accounts and the truth hurts? > > If you love the Twitter spammer that much, why do you not try to get the > spammer to change their evil ways? Instead of trying to make it about a > quarter of all the rbl's being useless, etc. > > or just plain stupid and obviously false claims that Twitter never sends spam. > > Andre > > On Mon, 19 Jun 2017 14:53:07 +0000 > Suresh Ramasubramanian <ops.lists(a)gmail.com> wrote: > >> On 19/06/17, 8:20 PM, "anti-abuse-wg on behalf of ox" >> <anti-abuse-wg-bounces(a)ripe.net on behalf of andre(a)ox.co.za> wrote: >> >> And, apart from the fact that 25% of all spam lists does in fact >> list Twitter as a spammer >> >> Sturgeon’s law manifests itself all the time. eg: the number of weird >> and wonderful blocklists used by maybe two men and their dog, the >> population of cranks on the Internet… >> >> --srs >> > -- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann(a)key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann(a)key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

3 3

Re: [anti-abuse-wg] Abuse: Too big to fail
by Suresh Ramasubramanian 19 Jun '17

19 Jun '17

On 19/06/17, 8:20 PM, "anti-abuse-wg on behalf of ox" <anti-abuse-wg-bounces(a)ripe.net on behalf of andre(a)ox.co.za> wrote: And, apart from the fact that 25% of all spam lists does in fact list Twitter as a spammer Sturgeon’s law manifests itself all the time. eg: the number of weird and wonderful blocklists used by maybe two men and their dog, the population of cranks on the Internet… --srs

3 2

Re: [anti-abuse-wg] Abuse: Too big to fail
by Michele Neylon - Blacknight 19 Jun '17

19 Jun '17

Andre You’re claiming that Twitter is a spammer, yet you haven’t provided any evidence that they are. What makes them a spammer? Any emails I’ve seen from them have been 100% legit and if there’s any I personally get that I don’t want I simply unsubscribe. In common with any other company that provides email services we get a LOT of email from social networks such as Facebook and Twitter. It’s not spam. So I really fail to understand what it is you’re actually complaining about. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

2 1

Re: [anti-abuse-wg] Abuse: Too big to fail
by Ronald F. Guilmette 19 Jun '17

19 Jun '17

ox <andre(a)ox.co.za> wrote: >But the simple truth is that Twitter is arguably the largest 'legal' >spammer on the planet and they are unstoppable... Again, at the risk of repeating myself, they are by no means "unstoppable". In fact, it would take me personally all of about 9 seconds to run vi on my own local mail server domain blacklist file to add the domain name "twitter.com" to that list. And if I did so, then I would never get any email from them whatsoever, ever again, forever, guarranteed. And I personally would not hesitate at all to do exactly that if they were to spam me. Hummm... gee. I have a *lot* of domains that I've added to my local domains blacklist over the years.... hundreds in fact. There being so many of them, there's no way that I can remember them all. So I just now went and did a grep. And do you know what? I swear, I didn't even remember putting this there, so I must have put it in there a long time ago... perhaps years and years ago... but yes, actually, now that you mention it, I *do* have an entry in my own local HELO/EHLO blacklist of "twitter.com". There are two implications of that statment: 1) Yes, actually, once upon a time, they must have spammed me too. I would not have added that domain to that list unless they had done so. 2) The list entry in question effectively blocks any and all incoming email messages where the HELO/EHLO string offered by the SMTP client is either "twitter.com" (case insensitive) or else some subdomain thereof. So there you have it. Proof positive that... contrary to your assertion... even the mighty twitter.com is in fact -very- "stoppable". (Locally, I have completely stopped them cold.) I feel quite confident in asserting to you, and to everyone, that since the day that domain was inducted into my local blacklist, they have not successfully spammed me a single time. Furthermore, if more mail system adminitrators would do as I do, and take a hard line and adopt a zero tolerance policy, even against the "big names" then eventually the bad practices of these companies would start to cost them money, and at that point they would be forced to discontinue employing them. So, really, the only question left is: Why don't both mail system administrators *and* millions of end users everywhere do as I do and vote "no" on spam? Why don't they all blacklist the bad senders? And the answer is what it always has been: "It's complicated." The admins of big mail *receivers* (e.g. comcast, aol, etc.) fear that if they did so, many of their less educated users would take this as a "defect" rather than as a "feature" and would bolt to other providers. But individual end users can each also take their own unilateral action against the bad actors, and if enough of them do so, then eventually it will make an impact. So why don't they? Well, unfortunately, an awful lot of them are just plain ignorant, and many fo them don't even know that they have even the -capability- in theeir own hands and in their own mail clients to block specific domains and to this "vote no" on spam. In short, it is an education problem. There was a similar problem some years ago when a major effort was launched to finally and fully eradicate smallpox. There were some backwards villagers in the wilds of rural Pakistan who just couldn't be convinced that smallpox wasn't "the will of god". As you may have noticed, in the American political system also, bad outcomes accrue in the presence of a poorly educated populace. It is incumbant upon us, the class of netizens who understand the problem, to educate our less well educated brethern and fellow Internet users on the importance of not just putting up with it when this big company or that big company takes a dump in your inbox. Speaking only for myself, I certainly attempt to provide such education at every opportunity, and only wish that others would do likewise. covfefe

2 1

Re: [anti-abuse-wg] Abuse: Too big to fail
by Esa Laitinen 19 Jun '17

19 Jun '17

On Mon, Jun 19, 2017 at 10:49 AM ox <andre(a)ox.co.za> wrote: > > As I said: All ethical, honest and functional blocklists lists Twitter > as a Spammer. - It seems that at least 25% do actually list Twitter as a > spammer, and that is quite a lot. So maybe there is hope after all? > While I can certainly believe Twitter is a spam enabler, I did a small test. I created a new twitter account, but didn't confirm the account. I cannot send messages to this account from my other twitter account. So, I couldn't make twitter to facilitate email spam in this case. I do get email from Twitter when somebody sends me a direct message to my real twitter account. I chose to receive these notifications, thus the emails are not spam, and it would be wrong of me to report those emails as spam, even if the direct message is spam. Question raises: does the user you were using as an example have a twitter account connected with that email address? And has he selected to receive emails for direct messages (or something else) in twitter? Yours, esa

2 1