This is better than stand-up comic!

Sent: Wednesday, August 10, 2016 5:08 AM
Subject: anti-abuse-wg Digest, Vol 58, Issue 10

Send anti-abuse-wg mailing list submissions to
    anti-abuse-wg@ripe.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
or, via email, send a message with subject or body 'help' to
    anti-abuse-wg-request@ripe.net

You can reach the person managing the list at
    anti-abuse-wg-owner@ripe.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of anti-abuse-wg digest..."

Today's Topics:

   1. Re: VERIFIED[.]IS was - Russian carding... no, Icelandic
      carding... no Belizean carding! (andre@ox.co.za)
   2. Abuse: dnsbl - trust and other factors (andre@ox.co.za)
   3. Re: VERIFIED[.]IS (Ronald F. Guilmette)
   4. Re: Abuse: dnsbl - trust and other factors (Antonio Prado)
   5. Re: Abuse: dnsbl - trust and other factors (andre@ox.co.za)

----------------------------------------------------------------------
Message: 1
Date: Wed, 10 Aug 2016 07:33:02 +0200
From: <andre@ox.co.za>
To: Suresh Ramasubramanian <ops.lists@gmail.com>, <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] VERIFIED[.]IS was - Russian carding... no, Icelandic carding... no Belizean carding!
Message-ID: <mailman.1096.1470816511.19326.anti-abuse-wg@ripe.net>
Content-Type: text/plain; charset=UTF-8

On Wed, 10 Aug 2016 10:41:00 +0530
Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

> "We"? Unless you actually work for RIPE NCC that's a rather large
> amount of overstatement.
>

deflecting from the actual issues much?

"We" as in us reading this...

I honestly also appreciate contributions by Ronald F. Guilmette, but if
we are going to start reporting crime to this abuse list, we are headed
down a slippery slope...

Better: We stick to abuse, abuse policy discussions and report crimes
to proper authorities. Or are we saying that the various law
enforcement agencies Russian, Icelandic, Belizean are incompetent?

Actually, what are we talking about?

I can stumble onto hate speech, slavery, child porn, identity thieves,
"carders" in the RIPE ip space in the hundreds...

Should we invite and dedicate resources to report all Internet crimes
to this abuse list?

And then?

Will these criminals be prosecuted?

Or are we thinking about forming a sub committee to be in charge of
public hangings?

Do we have some sort of hearing first or can we just hack some ISP's
range, upload any old site and then hang the company or 'nul-route'
their traffic?

How about us rather being constructive and actually doing something?

Should there be an abuse policy relating to potential criminal
activity, that places a protocol in place for dealing with intel?
or not?

That may actually be a productive abuse discussion...

Instead of filing individual crime reports on this list...

- which, imho, should be first reported to law enforcement (actually -
should only be reported to law enforcement - we have no power, right or
no fair way of evaluating content - only abuse - as in the website
attacks your infrastructure and/or the website sends you something -
and/or does something abusive. - If someone publishes hate speech, or porn
or whatever - it is NOT abuse... it is potentially - crime -

Andre

>
> On 10/08/16, 10:29 AM, "anti-abuse-wg-bounces@ripe.net on behalf of
> andre@ox.co.za" <anti-abuse-wg-bounces@ripe.net on behalf of
> andre@ox.co.za> wrote:
>
> So, you stumbled across some potential criminal activity, then
> you notified law enforcement and/or Interpol?
>
> Or you think that it is a better solution for RIPE to investigate
> criminal activity and simply to 'nul-route' child pornographers,
> identity thieves and criminal syndicates?
>
> You are saying that you would rather discuss criminal syndicates
> on an anti abuse discussion list?
>
> So, we should investigate crimes now and then disable their
> routing or email or what?
>
> On Tue, 09 Aug 2016 12:53:34 -0700
> "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
>
> >
> > I see that there is an interesting and active discussion on
> > this now. Everyone may be sure that I will be posting further
> > comments shortly which clarify my personal position on all the
> > matters discussed so far.
> >
> > In the meantime however, I just realized that I neglected to
> > clarify how I came to find that VERIFIED[.]IS web site in the
> > first place.
> >
> > It may not be at all important, but just so everyone knows, I
> > found that VERIFIED[.]IS indirectly. First, I stumbled onto
> > the following web site, which is clearly selling credit cards
> > *and* also (U.S.) social security numbers (SSNs) and
> > dates-of-birth (DOBs). (You can even pick out which U.S. state
> > you prefer!) These bits of information are often helpful to
> > people intent on committing identity theft:
> >
> > http://www.wellsfargo.lequeshop[.]ru/
> >
> > As you can see, there is an email address on the above page.
> > It is <mixx@exploit.im>. I simply googled that email address
> > and then started to visit the web sites found.
> >
> > One of them was verified[.]is
> >
> > But this criminal carder ... who seems to be Russian... is also
> > active on many other web sites, presumably selling what he has
> > to offer in many different forums.
> >
> >
> > Regards,
> > rfg
> >
>
------------------------------
Message: 2
Date: Wed, 10 Aug 2016 08:28:53 +0200
From: andre@ox.co.za
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <mailman.1097.1470816511.19326.anti-abuse-wg@ripe.net>
Content-Type: text/plain; charset=UTF-8

Recently, in another thread, Suresh Ramasubramanian said that:

"I trust spamhaus, especially related to their DROP list, which is
extremely specific in its listing criteria"

Then, I thought about how many abuse lists and dns blocklists there are
and why this is the case, as even I trust (use & report to Spamhaus)
but I also run a public / free dnsbl myself

So why is this? - It is all about trust.

It is also about policies - but what else is it?

The listing and delisting criteria have to be clear, fair, transparent,
etc maybe in terms of http://spamid.net/rfc5782.txt and
http://spamid.net/rfc6471.txt

But what else? Why did I feel the need to devops my own anti spam
system after 25 years of dealing with abuse?

For one: I trust myself

And as I have not yet found anything that stops spam, phish, abuse dead
in its tracks, and there is, on ALL of the dnsbl's - much politics...

How many ESP's & ISP's operate their mass or bulk spam is to send the
spam from an IP where 50% of the email is legit and valuable emails and
50% is spam...

Also, they do not respond to abuse complaints from small organisations
or small isp's or "little ants" - They are similar to cockroaches, only
on the move when there is a bright light shined on them...

Here is an example, of an IP number/operator - who is blocked nowhere
and who has received spam/abuse reports - and have done absolutely
nothing about that... - and who hides legit emails - between the spam
they relay...

Not saying Mimecast is an evil cockroach, just that the example headers
came in a few minutes ago - and matches the description of a
supposedly "ethical" operator that hides spam in among relaying emails
from .gov etc. - this operator is blocked nowhere - as their abuse
behavior is to limit the percentage spam transmitted to a ratio (for
example maybe 10% spam and 90% legit - or whatever) - to a ratio that
would not get them blocked on spamhaus or any of the other dnsbl...

Even my own blocklists cannot block Mimecast - even though they
transmit spam/phish/crime/virus/spam

Otherwise I lose clients...

- AND Suresh Ramasubramanian and other similar people think that my block
lists cannot be trusted...

And this, the fact that : **** senders of abuse are not punished ****
is why we have spam abuse in 2016.

Society does not want to stop spam - if they did - there would be no
spam in 2016. - comments?

Andre

***************************************

Spam/Abuse example:

Return-Path: <bounces@thompsons.co.za>
Delivered-To: spamtrap
Received: from web.hostacc.com
    by web.hostacc.com (Dovecot) with LMTP id WfMLDSLBqlfIaQAAzD9rAQ
    for <spamtrap>; Wed, 10 Aug 2016 07:52:34 +0200
Received: from za-smtp-delivery-158.mimecast.co.za ([41.74.201.158]:20262)
    by web.hostacc.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256) (Exim 4.87)
    (envelope-from <bounces@thompsons.co.za>)
    id 1bXMRN-00072M-Ly
    for spamtrap; Wed, 10 Aug 2016 07:52:34 +0200
Received: from ENGAGE01.cullinanholdings.co.za (105.255.128.165 [105.255.128.165])
    by za-smtp-1.mimecast.co.za with ESMTP id za-mta-3-amlQSfYROryRH3Zamhv7uw-1;
    Wed, 10 Aug 2016 07:51:50 +0200
Received: from engage.cullinanholdings.co.za ([172.17.49.40])
    by ENGAGE01.cullinanholdings.co.za with Microsoft SMTPSVC(7.5.7601.17514);
    Wed, 10 Aug 2016 07:51:50 +0200
Message-ID: <87f5d9e3c1226a1227d83bf22427355e@engage.cullinanholdings.co.za>
Date: Wed, 10 Aug 2016 07:51:50 +0200
Subject: Launching Spain at Irresistible prices
From: Thompsons For Travel <travel@thompsons.co.za>
Reply-To: Thompsons For Travel <travel@thompsons.co.za>
To: SpamTrap
MIME-Version: 1.0
X-Campaign: 11507
X-Subscriber: 204641
X-OriginalArrivalTime: 10 Aug 2016 05:51:50.0330 (UTC) FILETIME=[49F179A0:01D1F2CB]
X-MC-Unique: amlQSfYROryRH3Zamhv7uw-1
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Launching Spain at Irresistible prices

View this mailer online | Add Thompsons to your safe senders list

You are receiving this mail as you have subscribed to Thompsons Travel
newsletters. We NEVER send out any unsolicited e-mail. Should you wish
to leave our mailing list unsubscribe here

Disclaimer

The information contained in this communication from the sender is
confidential. It is intended solely for use by the recipient and others
authorized to receive it. If you are not the recipient, you are hereby
notified that any disclosure, copying, distribution or taking action in
relation of the contents of this information is strictly prohibited and
may be unlawful.

This email has been scanned for viruses and malware, and automatically
archived by Mimecast SA (Pty) Ltd, an innovator in Software as a
Service (SaaS) for business. Mimecast Unified Email Management (UEM)
offers email continuity, security, archiving and compliance with all
current legislation. To find out more, contact Mimecast.
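The headers quoted in that message expose the problem Andre describes from the blocklist operator's side: the IP that a DNSBL lookup sees at SMTP time is the Mimecast relay (41.74.201.158), while the system that injected the message is the customer's own server (105.255.128.165). Listing the relay blocks everything it carries; listing the origin blocks only that customer. The Python below is an added illustration, not code from the list or from any of its posters. It parses the Received chain of that sample (unwrapped onto single lines, body replaced by a placeholder) and tells the two addresses apart; the only assumptions are that `web.hostacc.com` is "our" receiving host and that a private address marks an internal hop.

```python
import ipaddress
import re
from email import message_from_string

# The routing headers of the message quoted above, unwrapped onto single
# lines; the body is a constructed placeholder.
SAMPLE = """\
Return-Path: <bounces@thompsons.co.za>
Delivered-To: spamtrap
Received: from web.hostacc.com by web.hostacc.com (Dovecot) with LMTP id WfMLDSLBqlfIaQAAzD9rAQ for <spamtrap>; Wed, 10 Aug 2016 07:52:34 +0200
Received: from za-smtp-delivery-158.mimecast.co.za ([41.74.201.158]:20262) by web.hostacc.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256) (Exim 4.87) (envelope-from <bounces@thompsons.co.za>) id 1bXMRN-00072M-Ly for spamtrap; Wed, 10 Aug 2016 07:52:34 +0200
Received: from ENGAGE01.cullinanholdings.co.za (105.255.128.165 [105.255.128.165]) by za-smtp-1.mimecast.co.za with ESMTP id za-mta-3-amlQSfYROryRH3Zamhv7uw-1; Wed, 10 Aug 2016 07:51:50 +0200
Received: from engage.cullinanholdings.co.za ([172.17.49.40]) by ENGAGE01.cullinanholdings.co.za with Microsoft SMTPSVC(7.5.7601.17514); Wed, 10 Aug 2016 07:51:50 +0200
From: Thompsons For Travel <travel@thompsons.co.za>
Subject: Launching Spain at Irresistible prices

(body omitted)
"""

# "from <helo> (<reverse DNS / address literal>) ... by <receiving host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return the Received chain, newest hop first, as dicts with the
    HELO name, the connecting IP (if the receiving MTA recorded one)
    and the receiving host."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def handover_ip(hops, my_hosts):
    """The IP that connected to our own MTA: the only address a DNSBL
    lookup at SMTP time can see. `my_hosts` is our receiving hostnames
    (an assumption for this example)."""
    for hop in hops:
        if hop["by"] in my_hosts and hop["ip"]:
            return hop["ip"]
    return None


def origin_ip(hops):
    """The earliest public IP in the chain: the sender-side system that
    injected the message, as far as the older (forgeable) headers can be
    trusted. Private addresses are treated as internal hops."""
    for hop in reversed(hops):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print(f"{h['by']:32} <- {h['ip'] or '-':16} ({h['helo']})")
    print("handover:", handover_ip(hops, {"web.hostacc.com"}))
    print("origin:  ", origin_ip(hops))
```

Only the handover hop is recorded by a machine you control; everything older was written by the relay and the sender and can be forged, which is why a DNSBL can only ever act on the relay address and why a relay that mixes spam with legitimate traffic is so hard to list.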
------------------------------
Message: 3
Date: Tue, 09 Aug 2016 23:34:20 -0700
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] VERIFIED[.]IS
Message-ID: <32737.1470810860@server1.tristatelogic.com>

I have a lot of very visible character flaws, but I like to think
that at least I'm not reticent when it comes to admitting my own
abundant ignorance, or about asking for help to correct that, when
appropriate.

I've been asked if, rather than just howling at the moon (which I
admit is my usual modus operandi :-) I might not, on this occasion,
also or instead like to draft some sort of concrete policy proposal.
That is an eminently reasonable suggestion/request under the circumstances.

I would like to try to do that, but obviously, I am wading into
deep waters here... deep in the sense of there being quite a lot of
personal feelings and personal principles... sometimes in agreement...
sometimes in conflict... that might relate rather directly to the
issues at hand. Agreement on any proposal in this area would likely be
elusive, even if the drafter had a deep understanding of RIPE, as an
organization, which I admit that I don't. Not yet anyway.

What I'm trying to get at is just this:

I think that it would be a waste of everybody's time... not just mine
but everybody's... if I was to draft a policy suggestion that is
somehow at odds with one or more of the fundamental and/or long-held
principles of RIPE, the organization. (As an illustration, here in
America it would be kind-of entirely silly for any legislator to
propose a bill to lock up anybody who says the word "Nee!" because
that would quite obviously be in direct conflict with our founding
document, The U.S. Constitution, and more specifically, in conflict
with the First Amendment thereto.)

So here is where I must publicly admit my abundant ignorance.

Today I tried for a while to seek out the overall "Charter of RIPE"...
its "constitution" if you will. I felt that before I draft anything,
it would be wise of me to go back to first principles, basic common
beliefs, and already-agreed-to fundamentals. I should read, study,
and think about these before I draft anything. What are the high level
goals and highest aspirations of the organization? I should familiarize
myself with these things -- *before* attempting to draft anything.

But for the life of me, google as I might, I was unable to find any
document online that purported to be the overall Charter of RIPE. If
someone could point me to that, I would much appreciate it. (I have
found many documents that describe in great detail various individual
policies and procedures, but nothing that, at the highest level,
enumerates the intent and purpose of the organization. I cannot bring
myself to believe that no such fundamental document exists, so I just
have to hope now that some kind soul will point me at it. That would be
most helpful.)

Regards,
rfg
------------------------------
Message: 4
Date: Wed, 10 Aug 2016 09:19:21 +0200
From: Antonio Prado <thinkofit@gmail.com>
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <60622fea-65d2-3f7a-7d03-25259c602437@gmail.com>
Content-Type: text/plain; charset=utf-8

On 8/10/16 8:28 AM, andre@ox.co.za wrote:
> So why is this? - It is all about trust.

well, trust has to be earned.

just two recent examples:

Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist please email del@ascams.com; from=<notification+zj4ooysyaz0y@facebookmail.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<mx-out.facebook.com>

Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist please email del@ascams.com; from=<alegitaddress@email.wetransfer.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<o4.email.wetransfer.com>

therefore I'm forced to delete superblock.ascams.com

--
antonio
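Andre's message 2 points at RFC 5782 for how a DNSBL should be run, and Antonio's two postfix lines above show what an operator has to work with when deciding whether to keep a zone in the MTA's reject list. The Python below is an added example, not code from the list, from ascams.com or from any poster. It does three things a mail operator would want here: it builds the DNSBL query name for an address under a zone the way RFC 5782 describes (IPv4 octets reversed, IPv6 as reversed nibbles); it applies the RFC 5782 section 5 test entries (a working IPv4 zone lists 127.0.0.2 and must not list 127.0.0.1) to tell a dead or wildcarded zone from a live one; and it parses postfix `NOQUEUE: reject` lines so that rejections can be counted per zone and traced back to the sender and recipient. The resolver is a stub passed in as a callable (in production you would wrap a real DNS lookup), the zone names ending in `.invalid` are placeholders, and the third log line is constructed to show a non-reject line being ignored.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the two postfix rejections quoted in the message above,
# joined back onto single lines, plus one constructed non-reject line.
LOG_LINES = [
    "Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from "
    "66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; "
    "Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 "
    "Listed For Abuse. To delist please email del@ascams.com; "
    "from=<notification+zj4ooysyaz0y@facebookmail.com> to=<mylegitaddress@mylegitdomain.tld> "
    "proto=ESMTP helo=<mx-out.facebook.com>",
    "Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from "
    "o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; "
    "Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 "
    "Listed For Abuse. To delist please email del@ascams.com; "
    "from=<alegitaddress@email.wetransfer.com> to=<mylegitaddress@mylegitdomain.tld> "
    "proto=ESMTP helo=<o4.email.wetransfer.com>",
    # constructed: an ordinary connect line that the parser must ignore
    "Aug 10 09:00:01 zimbra-1 postfix/smtpd[27030]: connect from unknown[203.0.113.7]",
]

# Shape of a postfix reject_rbl_client rejection, as in the lines above.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<status>\d{3} \d\.\d\.\d) .*?blocked using (?P<dnsbl>[^;]+);"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(lines):
    """Return one dict per DNSBL rejection found in the log lines."""
    return [m.groupdict() for m in map(REJECT_RE.search, lines) if m]


def rejects_per_dnsbl(lines):
    """How many rejections each zone produced: the list to question when
    users complain about missing mail from a sender they know."""
    return Counter(r["dnsbl"] for r in parse_rejects(lines))


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name as RFC 5782 describes it: IPv4 octets in
    reverse order (section 2.1), IPv6 as 32 reversed nibbles (section 2.4),
    followed by the zone name."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", "")[::-1])
    return ".".join(labels + [zone])


def evaluate_zone(zone, resolve):
    """RFC 5782 section 5 sanity test for an IPv4 zone. `resolve(name)`
    returns the A records for a name, or [] when it does not exist (a stub
    here; in production wrap a real resolver). A working zone lists
    127.0.0.2 and does not list 127.0.0.1; anything else must not stay in
    an MTA's reject list."""
    if resolve(dnsbl_query_name("127.0.0.1", zone)):
        return "wildcard"   # everything is "listed": all mail would be rejected
    if not resolve(dnsbl_query_name("127.0.0.2", zone)):
        return "dead"       # test entry missing: zone no longer operating
    return "ok"


if __name__ == "__main__":
    for r in parse_rejects(LOG_LINES):
        print(f"{r['ip']:16} {r['dnsbl']:24} {r['sender']} -> {r['rcpt']}")
    print(dict(rejects_per_dnsbl(LOG_LINES)))
    print(dnsbl_query_name("66.220.144.147", "superblock.ascams.com"))
    # constructed stub resolver standing in for real DNS answers
    working = lambda name: ["127.0.0.2"] if name.startswith("2.0.0.127.") else []
    print(evaluate_zone("example.dnsbl.invalid", working))
```

The per-zone count is the practical check behind Antonio's decision: if one zone accounts for the rejections of senders you consider legitimate, that zone is the one to drop, and the section 5 test separates "this list is too aggressive" from "this list is no longer served at all".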
------------------------------
Message: 5
Date: Wed, 10 Aug 2016 10:08:24 +0200
From: andre@ox.co.za
To: Antonio Prado <thinkofit@gmail.com>
Cc: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <mailman.1098.1470816511.19326.anti-abuse-wg@ripe.net>
Content-Type: text/plain; charset=US-ASCII

On Wed, 10 Aug 2016 09:19:21 +0200
Antonio Prado <thinkofit@gmail.com> wrote:

> On 8/10/16 8:28 AM, andre@ox.co.za wrote:
> > So why is this? - It is all about trust.
>
> well, trust has to be earned.
>

agreed, trust is reputation. In the case of a blacklist, it is quite
simple though - if it is transparent, like mine superblock.ascams.com
each and every listing has been abusive and either is not responding to
abuse complaints or is simply ongoing in the abuse...

> just two recent examples:
>

thank you so much! let's deal with that - please see below each of your
examples

> Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist please email del@ascams.com; from=<notification+zj4ooysyaz0y@facebookmail.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<mx-out.facebook.com>
>

Yes! because 66.220.144.147 is BLOCKED for abuse

66.220.144.147 sends email spam, on an ongoing basis, to FAKE people
and, even after receiving three or more abuse reports, is still sending
the same SPAM to the same fake people.

So, what I am saying:

facebook.com sends spam to example@example.com

Facebook then receives 3+ spam reports/complaints

And then

After that

Facebook.com STILL sends spam to the same example@example.com

So, Facebook.com (66.220.144.147) is blacklisted for spam abuse.

Thank you, Antonio - for pointing this example out - This is why we
cannot stop spam! - the SENDERS or transmitters of spam - are never
punished - but we have to field complaints from our USERS when the
senders MIX legit email with spam email.

next example below

the example

> Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist please email del@ascams.com; from=<alegitaddress@email.wetransfer.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<o4.email.wetransfer.com>
>

192.254.123.89 - EXACTLY the same as Facebook.com - transmits spam to
fake people/spam traps - and does not do anything about spam abuse
complaints!

> therefore I'm forced to delete superblock.ascams.com

indeed... - this is why the spam problem persists... yet, if you were
to continue using superblock.ascams.com - you may actually force the
senders of spam to CHANGE their abusive and crappy behavior

But we, society, we do not have the BALLS to do that.

Can we at least have the decency to be honest with ourselves?

Why lie to ourselves?

We do not want to solve the spam abuse problem.

Andre

> --
> antonio
>

End of anti-abuse-wg Digest, Vol 58, Issue 10
*********************************************