I'd like to second Serge's sentiment, RFG catches a good deal of abuse for his contributions, which we have all seen on this and other lists. What the continued findings indicate is a need for IANA and the RIRs to adapt to a new stage in the resource issuance and governance lifecycle. Since this is by definition a working group, would it make sense to establish some metrics to quantify the perceived impact of this phenomenon on abuse?

If we establish a process to collect these observations of either "abandoned" resources, prefixes or ASNs, which then re-appear mysteriously or in the case of an ASN start routing space that is unexpectedly, "hijack", we can take a step as a community to quantify the phenomenon? 

Note: This is specifically not an internet policing function as much as a neighborhood watch effort to help inform the governing bodies / policy ... etc. Right now from responses it seems like defacto this weight has been put onto the shoulder of Spamhaus vs. having a working group work on a solution.

If this is of interest I'm happy to write up a proposal and or work with the chairs to see if this is something that is seen as constructive. Also if this doesn't fit into the anti-abuse working group ... where does it fit?


On Wed, Dec 2, 2020 at 3:12 AM Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
First of: Congrats and thank you Ronald for this work.

What makes me a bit sad is, that posting this here immediately starts a
discussion about what is expected behavior on these lists, rather than
how we could combat abuse more efficiently.

It seems a seeminglu, to me at least, humorous remark, sparks more
discussion than the troubling fact that criminals have the time of their
lives during this period of time.

I'm all in favor of staying civil on public fora. But noting in the
original post was not civil. I am wondering what the we want to achieve
here on the anti-abuse list? Call me stupid, but I just don't get it.

Best
Serge


On 01.12.20 22:48, Ronald F. Guilmette wrote:
> In message <DB7PR06MB501791137C12E71EA525C7DD94F40@DB7PR06MB5017.eurprd06.prod.
> outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
>
>> However I suspect that X-posting to a list like apnic-talk may not be the
>> wisest idea, given the different populations etc...
>
> It is among my fondest hopes that cybercriminals of all stripes, and
> particularly the ones who squat on IPv4 space that doesn't belong to
> them, will, in future, show more respect for regional boundaries, such
> that their devious activities will only oblige me to notify the
> members of a single one of the five RIR regions regarding any single
> one of these elaborate criminal schemes.  Alas, in this instance
> however, the perpetrators, in a very unsportsmanlike manner, elected
> to make messes whose roots were found in both the RIPE region and also
> in the APNIC region.  (And that's not even to mention that most of the
> squatted IPv4 real estate was and is under the administration of the
> ARIN region.)
>
> Clearly, authorities in all five regions should be devoting somewhat
> more effort towards the cultivation of a better and more respectful
> class of cybercriminals who will confine their convoluted schemes to
> their own home regions.
>
>
> Regards,
> rfg
>

--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org