Peter,
You are the victim of a swindler. He is passing himself off as a well-known lawyer, Mark J. Silberman, to take your money.
 
If you make contact - munged (at) gmail.com - you will know how he acts.
 
Report to
antispam_gdnoc@189.cn.
 
Marilson
Sent: Sunday, November 20, 2016 9:00 AM
Subject: anti-abuse-wg Digest, Vol 61, Issue 6
 

Today's Topics:

   1. Re: New on RIPE Labs: Reasons Dynamic Addresses Change
      (Ramakrishna)
   2. What's the point in this type of spam ? (peter h)
   3. Re: What's the point in this type of spam ? (ox)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Nov 2016 06:41:43 -0800
From: Ramakrishna <ramapad@cs.umd.edu>
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] New on RIPE Labs: Reasons Dynamic
Addresses Change
Message-ID:
<CAAYmKkJ3DjUf7bd9pUktFwr8QjV3QtNAWMF41VzTeFbqskE4kQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

> ok... so first of all the address changes within DTAG and most other
> german SOHO DSL providers, from what i heard back then, goes back to the
> days of dialup... a couple of years ago they apparently still were
> forced by law (or something) to also offer DSL on a 'charge per time
> use' basis, and also disconnect virtual channels every once in a while,
> something to do with anti-competition to the telephone dialup network..
> which apparently is why most german dsl providers still do that.

Ah, thanks for providing the historical context for why German DSL
providers change addresses so frequently. I am skeptical, however, that
there is a law requiring German DSL providers to disconnect virtual
channels 'every once in a while' because I asked several German colleagues
about such a law and they were unable to find one (I would be delighted if
you can point me to one!).

> secondly... if your authentication and telling users apart has anything
> to do with layer 3, your authentication method is just crap, not well
> thought of, etc.

There are other use-cases for IP addresses as end-host identifiers that I
outlined in my post (such as counting the number of users in a system by
counting the number of distinct IP addresses). I am personally interested
in measuring outages by pinging IP addresses belonging to residential CPEs.
My premise for detecting outages is that an address that sends responses to
active probes is alive and well, and that a previously responsive address
that has stopped responding to probes could be experiencing an outage. This
premise is incorrect when I am pinging a dynamic address that has been
withdrawn from the CPE; thus, I would love to analyze dynamic reassignment
behavior across ISPs.

I agree that using IP addresses for identifying users for authentication
purposes isn't ideal but sometimes, IP addresses are the easiest way to
identify users. Other times, they are the only ways to identify users. For
example, if one is defending against a DoS attack, the most straightforward
and efficient approach is to blacklist that IP address temporarily. How
long that address can continue to remain in the blacklist is the question
that we aim to answer.

> as for wikipedia, it also leaks ips all over the place. (basically
> inciting users to ddos each other, although probably a less common result
> than with IRC.)

Well, wikipedia is only one example of a well-known company that employs IP
address based blacklists. In private conversation with Google and several
content-delivery networks (including one where I interned earlier this
year), I learned that IP addresses are very much a part of host-reputation
systems. So although IP addresses as end-hosts isn't ideal, it's a common
assumption and our work shows that the assumption can actually even be
valid for weeks at a time in North American ISPs.

Cheers,
Rama
http://www.cs.umd.edu/~ramapad/

------------------------------

Message: 2
Date: Sat, 19 Nov 2016 19:01:43 +0100
From: peter h <peter@hk.ipsec.se>
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] What's the point in this type of spam ?
Message-ID: <201611191901.44498.peter@hk.ipsec.se>
Content-Type: text/plain;  charset="iso-8859-1"

The last days I have been sent a number of these threats, they come from
different addresses ( stolen computers ) but contain no links or attachments.

Is the goal to harass the gmail user ( it's munged by me to protect an innocent person )?


Received: from 14.145.207.224 ([113.68.244.108])
by ipsec.se (8.13.6/8.13.6) with SMTP id uAILTOwC091474
for <peter@ipsec.nu>; Fri, 18 Nov 2016 22:29:32 +0100 (CET)
Message-Id: <201611182129.uAILTOwC091474@ipsec.se>
Received: from unknown (HELO localhost) (mark.silberman78@gmail.com@177.205.66.120)
by 113.68.244.108 with ESMTPA; Sat, 19 Nov 2016 05:29:22 +0800
From: m-**-.-munged-78@gmail.com
To: peter@ipsec.nu
Subject: You are hacked!
Date: Sat, 19 Nov 2016 05:21:56 +0800
Content-Type:
X-UID: 5404
X-Length: 910

Your email peter@ipsec.nu has been hacked and spam is sent to all your contacts!
If you don't have a lawyer, you may contact me at
<munged>@gmail.com

Best Regards,
M**-
m**-.-munged-78@gmail.com

--
        Peter Håkanson

        There's never money to do it right, but always money to do it
        again ... and again ... and again ... and again.
        ( It is cheaper to do it right. It is expensive to fix mistakes. )



------------------------------

Message: 3
Date: Sun, 20 Nov 2016 07:53:34 +0200
From: ox <andre@ox.co.za>
To: peter h <peter@hk.ipsec.se>
Cc: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] What's the point in this type of spam ?
Message-ID: <mailman.2.1479639602.27612.anti-abuse-wg@ripe.net>
Content-Type: text/plain; charset=US-ASCII

On Sat, 19 Nov 2016 19:01:43 +0100
peter h <peter@hk.ipsec.se> wrote:
> The last days I have been sent a number of these threats, they come
> from different addresses ( stolen computers ) but contain no links or
> attachments.
> Is the goal to harass the gmail user ( it's munged by me to protect
> an innocent person )?
>

There is not a single one of the trillions of spams that are senseless.

All spam has a reason to exist and no spam is ever senseless - not even
a single one...

There are a few goals with your spam as it is rich with possibilities.
The vast majority of spam only has a singular goal and your spam is
rich in possibilities :)

The most obvious is to confuse/poison (some/basic) anti spam systems:
> Received: from 14.145.207.224 ([113.68.244.108])
> Received: from unknown (HELO localhost)
> (mark.silberman78@gmail.com@177.205.66.120) by 113.68.244.108

My software handles any headers that deviate from the expected with extreme care
as there are only a limited number of reasons why headers are different than expected

Other goals (and there are many with your example of Shotgun spam
(named after shotgun weddings))

Goals may be to solicit a relationship with victims, cyber criminals are finding
it more challenging to open dialog and engage with shotgun victims

It may be to target the @gmail account holder, to receive spam that
Google will allow as it will be from other victims (think denial of
service or just to attack/assault a gmail account holder)

and of course many other reasons

hth

andre

 

>
> Received: from 14.145.207.224 ([113.68.244.108])
> by ipsec.se (8.13.6/8.13.6) with SMTP id uAILTOwC091474
> for <peter@ipsec.nu>; Fri, 18 Nov 2016 22:29:32 +0100 (CET)
> Message-Id: <201611182129.uAILTOwC091474@ipsec.se>
> Received: from unknown (HELO localhost)
> (mark.silberman78@gmail.com@177.205.66.120) by 113.68.244.108 with
> ESMTPA; Sat, 19 Nov 2016 05:29:22 +0800 From:
> m-**-.-munged-78@gmail.com To: peter@ipsec.nu
> Subject: You are hacked!
> Date: Sat, 19 Nov 2016 05:21:56 +0800
> Content-Type:
> X-UID: 5404
> X-Length: 910
>
> Your email peter@ipsec.nu has been hacked and spam is sent to all
> your contacts! If you don't have a lawyer, you may contact me at
> <munged>@gmail.com
>
> Best Regards,
> M**-
> m**-.-munged-78@gmail.com
>
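
The header deviations pointed out in the reply above can be checked mechanically. The following is an added example, not code from this thread or from any poster's software: a small Python filter run over the headers quoted in the message. The heuristics and the flag names are assumptions chosen for illustration.

```python
import re
from email import message_from_string

# Headers of the spam quoted in this thread, re-folded so that
# continuation lines are indented; the body is omitted.
SAMPLE = """\
Received: from 14.145.207.224 ([113.68.244.108])
\tby ipsec.se (8.13.6/8.13.6) with SMTP id uAILTOwC091474
\tfor <peter@ipsec.nu>; Fri, 18 Nov 2016 22:29:32 +0100 (CET)
Message-Id: <201611182129.uAILTOwC091474@ipsec.se>
Received: from unknown (HELO localhost) (mark.silberman78@gmail.com@177.205.66.120)
\tby 113.68.244.108 with ESMTPA; Sat, 19 Nov 2016 05:29:22 +0800
From: m-**-.-munged-78@gmail.com
To: peter@ipsec.nu
Subject: You are hacked!
Date: Sat, 19 Nov 2016 05:21:56 +0800
Content-Type:

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def header_anomalies(raw):
    """Return (location, flag) pairs for header deviations worth scoring."""
    msg = message_from_string(raw)
    findings = []
    for i, value in enumerate(msg.get_all("Received", [])):
        hop = " ".join(value.split())              # unfold continuation lines
        where = f"Received[{i}]"                   # 0 = added by our own MTA
        helo = re.search(r"\(HELO (\S+?)\)", hop) or re.match(r"from (\S+)", hop)
        peer = re.search(rf"[\[@]({IPV4})[\])]", hop)   # [ip] or user@ip)
        by = re.search(r"\bby (\S+)", hop)
        claimed = helo.group(1) if helo else ""
        # Sender announced an IP literal that is not the address it connected from.
        if re.fullmatch(IPV4, claimed) and peer and claimed != peer.group(1):
            findings.append((where, "helo-ip-mismatch"))
        # A remote peer announcing itself as "localhost".
        if claimed.lower() == "localhost":
            findings.append((where, "helo-localhost"))
        # Receiving host recorded as a bare address instead of a host name.
        if by and re.fullmatch(IPV4, by.group(1)):
            findings.append((where, "by-bare-ip"))
    ctype = msg.get("Content-Type")
    if ctype is not None and not ctype.strip():    # header present but empty
        findings.append(("Content-Type", "empty-content-type"))
    return findings

if __name__ == "__main__":
    for where, flag in header_anomalies(SAMPLE):
        print(where, flag)
```

Only `Received[0]` was written by the recipient's own server; lower hops are supplied by the sender and should add to a score rather than be trusted as routing facts.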




End of anti-abuse-wg Digest, Vol 61, Issue 6
********************************************