Hijacked netblocks - any SOP for these?
Freshly added to spamhaus - SBL114471 83.223.224.0/19 RIPE 28-Jul 02:24 GMT zombies : hijkacked ip block / spam ip block SBL114472 94.250.128.0/18 RIPE 28-Jul 02:24 GMT zombies : hijacked IP block / spammer IP block SBL114473 46.96.0.0/16 RIPE 28-Jul 02:22 GMT zombies : hijacked IP block / spammer IP block SBL114470 188.164.0.0/16 RIPE 28-Jul 02:21 GMT zombies : hijacked ip block / spammer ip block -- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
Freshly added to spamhaus -
SBL114471 83.223.224.0/19 RIPE 28-Jul 02:24 GMT zombies : hijkacked ip block / spam ip block
SBL114472 94.250.128.0/18 RIPE 28-Jul 02:24 GMT zombies : hijacked IP block / spammer IP block
SBL114473 46.96.0.0/16 RIPE 28-Jul 02:22 GMT zombies : hijacked IP block / spammer IP block
SBL114470 188.164.0.0/16 RIPE 28-Jul 02:21 GMT zombies : hijacked ip block / spammer ip block
Looks like to me, that RIPE NCC should defny compare RIPEs netblocks to several blacklists. This will indicate highjacked or misused netblocks quite easily. Also looks like to me, that we could keep IPv4 much longer, if all those blocks could be reallocated. Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
Not a bad idea which is why I suggested something like the WDPRS to deal with this sort of case. It is not like hijacking netblocks is anything new .. is there already some RIPE policy document on dealing with these? On Thu, Jul 28, 2011 at 1:42 PM, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
Looks like to me, that RIPE NCC should defny compare RIPEs netblocks to several blacklists. This will indicate highjacked or misused netblocks quite easily.
Also looks like to me, that we could keep IPv4 much longer, if all those blocks could be reallocated.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
Looks like to me, that RIPE NCC should defny compare RIPEs netblocks to several blacklists. This will indicate highjacked or misused netblocks quite easily.
That's out of scope for RIPE Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Let us put it this way - RIPE should check those lists for hijacked netblocks. And evidence of other fraudulent behavior exhibited during the RIPE registration process (eg : the numerous fake LIRs, assigned PI / PA netblocks allocated to botmasters with fake whois etc) On Thu, Jul 28, 2011 at 2:07 PM, Michele Neylon :: Blacknight <michele@blacknight.ie> wrote:
On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
Looks like to me, that RIPE NCC should defny compare RIPEs netblocks to several blacklists. This will indicate highjacked or misused netblocks quite easily.
That's out of scope for RIPE
Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Michele Neylon :: Blacknight wrote:
On 28 Jul 2011, at 09:12, Frank Gadegast wrote:
Looks like to me, that RIPE NCC should defny compare RIPEs netblocks to several blacklists. This will indicate highjacked or misused netblocks quite easily.
That's out of scope for RIPE
Not at all out of scope. You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above). RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else. RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right). It cannot be that assigned netblocks are used by non-members or members the netblock wasnt assigned to ... Kind regards, Frank
Just because a netblock is blacklisted by a list doesn't actually mean much and as a RIPE member I would be very annoyed if they started getting into this kind of thing
Mr Michele Neylon Blacknight Solutions Hosting& Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
-- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
Not at all out of scope.
I think it is out of scope It is a slippery slope Next you'll have people demanding that RIPE check what content is published on IP blocks ..
You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above).
Not necessarily. There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.
RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right).
No - the "usage" is related to the assignment rules
It cannot be that assigned netblocks are used by non-members or members the netblock wasnt assigned to …
Sorry, but I don't understand what you mean here regards Michele Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Slippery slope is a rather poor logical fallacy to bring up Nobody is obligating RIPE to treat anything as conclusive evidence Simply that they do some proactive monitoring instead of waiting for complaints And that they have some published SOP for dealing with and recovering hijacked ranges, or those obtained under false pretences [SOP != policy, goes a bit beyond that] On Thu, Jul 28, 2011 at 3:16 PM, Michele Neylon :: Blacknight <michele@blacknight.ie> wrote:
On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
Not at all out of scope.
I think it is out of scope
It is a slippery slope
Next you'll have people demanding that RIPE check what content is published on IP blocks ..
You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above).
Not necessarily.
There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.
RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right).
No - the "usage" is related to the assignment rules
It cannot be that assigned netblocks are used by non-members or members the netblock wasnt assigned to …
Sorry, but I don't understand what you mean here
regards
Michele
Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Michele Neylon :: Blacknight wrote:
On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
Not at all out of scope.
I think it is out of scope
It is a slippery slope
Next you'll have people demanding that RIPE check what content is published on IP blocks ..
Good idea. Other organisations are monitoring content too to prevent abuse, like search engines that do not even want results from hacked sites in their index. RIPE is defny responsible for any abuse, whatever it is. Lets have an example: A highjacker is using some netblocks to attack a big bank. They are flodded from this IP block and the attacker also sets up a lot of pishing servers using these IPs. Will RIPE ask the LIR about whats going on with his assignment ? Will RIPE deroute this netblock at all ? Just after the bank complaints ? After somebody complains to RIPE that there are pishing servers on this netblock ? What will happen ? Cant be, that RIPE is doing nothing (to my opinion). And it would be very interesting what RIPE would do right now in this scenario. Who knows more ? Kind regards, Frank
You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above).
Not necessarily.
There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.
RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right).
No - the "usage" is related to the assignment rules
It cannot be that assigned netblocks are used by non-members or members the netblock wasnt assigned to …
Sorry, but I don't understand what you mean here
regards
Michele
Mr Michele Neylon Blacknight Solutions Hosting& Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
-- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
Hi, On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
RIPE is defny responsible for any abuse, whatever it is.
So if you are hosting porn on your web site, and making it accessible to minors, why exactly would the RIPE NCC be responsible for that? Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
"Gert Doering" wrote the following on 28/07/2011 11:53:
Hi,
On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
RIPE is defny responsible for any abuse, whatever it is.
So if you are hosting porn on your web site, and making it accessible to minors, why exactly would the RIPE NCC be responsible for that?
Before this particular thread of the discussion goes any further can I please remind people that neither the RIPE NCC nor the charter of this WG deals with content. If content breaks laws, then there are systems in place to deal with that on a per country basis and the NCC assists law enforcement when requested, however this mailing list is not the right place to debate matters of content. Brian.
Hi Gert This discussion started off about netblocks allocated based on fake documentation, and hijacked netblocks Can we please not stray out of this scope? thanks suresh On Thu, Jul 28, 2011 at 4:23 PM, Gert Doering <gert@space.net> wrote:
On Thu, Jul 28, 2011 at 12:33:59PM +0200, Frank Gadegast wrote:
RIPE is defny responsible for any abuse, whatever it is.
So if you are hosting porn on your web site, and making it accessible to minors, why exactly would the RIPE NCC be responsible for that?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Hi, On Thu, Jul 28, 2011 at 04:38:40PM +0530, Suresh Ramasubramanian wrote:
This discussion started off about netblocks allocated based on fake documentation, and hijacked netblocks
Can we please not stray out of this scope?
I wasn't the one that said "RIPE is ... responsible for any abuse". I just tried to point out how ridiculous that is. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
Thanks for making that clear - but maybe fighting fire with fire isnt going to work here. Can we turn back to the question that was actually riased in the thread? 1. A complaint mechanism 2. Sources for RIPE NCC to do proactive research on misallocations / hijacks On Thu, Jul 28, 2011 at 4:43 PM, Gert Doering <gert@space.net> wrote:
I wasn't the one that said "RIPE is ... responsible for any abuse".
I just tried to point out how ridiculous that is.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
[Catching up after being out of office for a while...] Suresh Ramasubramanian wrote: [...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-) As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse? TIA, Wilfried.
On Mon, Aug 08, 2011 at 03:42:35PM +0000, Wilfried Woeber, UniVie/ACOnet wrote:
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
They define "hijacked netblocks" in http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#258 furio
The problem is : Does any network operator wants to examine how does a "Spamming Trojan that works on its own" works? Live, while in contact with the remote intruder with whom the infected trojan is in contact with? Please, let me give a specific example... I have this "Other" given mailbox for which maybe its exact email address was given to what is know as a "SPAM List". I decide to keep to keep that address instead of getting rid of it. Of course, if there was a SPAM to get on the Internet, rest assure that I'll get that SPAM at that email address! Anyhow, at one time (Rather many, many times), I get a SPAM that bares an HTLM link in its email body but the domain name is an absolutle gibberish word inintellible in any language that anyone could dream of. So, I sent the complaint to both the abuse@ department from which the SPAM originated and to the other network website (IP#) where the gibberish domain name was located... If I remember well, the origin of the SPAM was from "Spain-Bada-Telecome", a very respectable & serious network and the other network hosting the "Gibberish" domain name (IP#...) was also a quite respectable network... I have kept their reply as some other "Same type" reply in which a given network operator thank me to advise him about this or that trojan using his own network for spamming purpose (Sort of an intrusion)... If you want I can send or post these thanfull dudes? Ok??? Let's go on... Some 2 days later, I get another SPAM baring the same gibberish HTML domain name but now located on a IP# located within the APNIC authority... Done complaint as usual and watched it for the whole day thereafter... For about 10 hours, the gibberish domain name disapeared from the APNIC network and re-appeared on a network located in Romania and for which close to none of the "RIPE registration datas" appeared to be valid. All email addies and civic addies appeared wrong, bounced back, etc... Now, about the question what does the term "hijacked Netwok or IP#" means to RiPE or to any Internet concerned individual? Within all the cases I seen up to now, all network operators of good faith and good will resolved the given problem in less than 6 hours. Aside from blacklisting the "Supposed" source of trojan intruders. In do time, if the infectuous network runs into problems because he's refused connection with this network elsewhere, he could always use another email address to reach the network that blacklisted him? No problem there! Got it?
-----Original Message----- From: woeber@cc.univie.ac.at Sent: Mon, 08 Aug 2011 15:42:35 +0000 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
TIA, Wilfried.
____________________________________________________________ Send any screenshot to your friends in seconds... Works in all emails, instant messengers, blogs, forums and social networks. TRY IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if2 for FREE
Mr World Antispam Report, Please stop complaining about your spamproblems. Get a (better) spamfilter or stop reading your mail :) If you would like to send a comlaint regarding a resource assigned by RIPE with inaccurate contactinformation I suggest you send it to the provider (as in LIR or RIR) instead. As always, anyone can decide not to read or reply to your complaint. The type of people you are talking about in your mail will most likely do just that. Good luck, On Aug 8, 2011, at 6:56 PM, abuse@localhost.com wrote:
The problem is : Does any network operator wants to examine how does a "Spamming Trojan that works on its own" works? Live, while in contact with the remote intruder with whom the infected trojan is in contact with?
Please, let me give a specific example... I have this "Other" given mailbox for which maybe its exact email address was given to what is know as a "SPAM List". I decide to keep to keep that address instead of getting rid of it. Of course, if there was a SPAM to get on the Internet, rest assure that I'll get that SPAM at that email address!
Anyhow, at one time (Rather many, many times), I get a SPAM that bares an HTLM link in its email body but the domain name is an absolutle gibberish word inintellible in any language that anyone could dream of. So, I sent the complaint to both the abuse@ department from which the SPAM originated and to the other network website (IP#) where the gibberish domain name was located... If I remember well, the origin of the SPAM was from "Spain-Bada-Telecome", a very respectable & serious network and the other network hosting the "Gibberish" domain name (IP#...) was also a quite respectable network... I have kept their reply as some other "Same type" reply in which a given network operator thank me to advise him about this or that trojan using his own network for spamming purpose (Sort of an intrusion)... If you want I can send or post these thanfull dudes?
Ok??? Let's go on...
Some 2 days later, I get another SPAM baring the same gibberish HTML domain name but now located on a IP# located within the APNIC authority... Done complaint as usual and watched it for the whole day thereafter... For about 10 hours, the gibberish domain name disapeared from the APNIC network and re-appeared on a network located in Romania and for which close to none of the "RIPE registration datas" appeared to be valid. All email addies and civic addies appeared wrong, bounced back, etc...
Now, about the question what does the term "hijacked Netwok or IP#" means to RiPE or to any Internet concerned individual?
Within all the cases I seen up to now, all network operators of good faith and good will resolved the given problem in less than 6 hours. Aside from blacklisting the "Supposed" source of trojan intruders.
In do time, if the infectuous network runs into problems because he's refused connection with this network elsewhere, he could always use another email address to reach the network that blacklisted him? No problem there!
Got it?
-----Original Message----- From: woeber@cc.univie.ac.at Sent: Mon, 08 Aug 2011 15:42:35 +0000 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
TIA, Wilfried.
____________________________________________________________ Send any screenshot to your friends in seconds... Works in all emails, instant messengers, blogs, forums and social networks. TRY IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if2 for FREE
Thak you for the informations you provided here below as well as for the network you use for your post. It makes thing much clearer as to what type of individual you are. Good luck as well for you!
-----Original Message----- From: jorgen@hovland.cx Sent: Mon, 8 Aug 2011 22:04:32 +0200 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Mr World Antispam Report,
Please stop complaining about your spamproblems. Get a (better) spamfilter or stop reading your mail :)
If you would like to send a comlaint regarding a resource assigned by RIPE with inaccurate contactinformation I suggest you send it to the provider (as in LIR or RIR) instead. As always, anyone can decide not to read or reply to your complaint. The type of people you are talking about in your mail will most likely do just that.
Good luck,
On Aug 8, 2011, at 6:56 PM, abuse@localhost.com wrote:
The problem is : Does any network operator wants to examine how does a "Spamming Trojan that works on its own" works? Live, while in contact with the remote intruder with whom the infected trojan is in contact with?
Please, let me give a specific example... I have this "Other" given mailbox for which maybe its exact email address was given to what is know as a "SPAM List". I decide to keep to keep that address instead of getting rid of it. Of course, if there was a SPAM to get on the Internet, rest assure that I'll get that SPAM at that email address!
Anyhow, at one time (Rather many, many times), I get a SPAM that bares an HTLM link in its email body but the domain name is an absolutle gibberish word inintellible in any language that anyone could dream of. So, I sent the complaint to both the abuse@ department from which the SPAM originated and to the other network website (IP#) where the gibberish domain name was located... If I remember well, the origin of the SPAM was from "Spain-Bada-Telecome", a very respectable & serious network and the other network hosting the "Gibberish" domain name (IP#...) was also a quite respectable network... I have kept their reply as some other "Same type" reply in which a given network operator thank me to advise him about this or that trojan using his own network for spamming purpose (Sort of an intrusion)... If you want I can send or post these thanfull dudes?
Ok??? Let's go on...
Some 2 days later, I get another SPAM baring the same gibberish HTML domain name but now located on a IP# located within the APNIC authority... Done complaint as usual and watched it for the whole day thereafter... For about 10 hours, the gibberish domain name disapeared from the APNIC network and re-appeared on a network located in Romania and for which close to none of the "RIPE registration datas" appeared to be valid. All email addies and civic addies appeared wrong, bounced back, etc...
Now, about the question what does the term "hijacked Netwok or IP#" means to RiPE or to any Internet concerned individual?
Within all the cases I seen up to now, all network operators of good faith and good will resolved the given problem in less than 6 hours. Aside from blacklisting the "Supposed" source of trojan intruders.
In do time, if the infectuous network runs into problems because he's refused connection with this network elsewhere, he could always use another email address to reach the network that blacklisted him? No problem there!
Got it?
-----Original Message----- From: woeber@cc.univie.ac.at Sent: Mon, 08 Aug 2011 15:42:35 +0000 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
TIA, Wilfried.
____________________________________________________________ Send any screenshot to your friends in seconds... Works in all emails, instant messengers, blogs, forums and social networks. TRY IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if2 for FREE
____________________________________________________________ Share photos & screenshots in seconds... TRY FREE IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if1 Works in all emails, instant messengers, blogs, forums and social networks.
Could it be that most of the users of "anti-abuse-wg@ripe.net" mailing list are wrong? To begin with, why the name "ANTI-ABUSE"??? As explained by the absolutely brillant Jørgen Hovland (See here below) all the RIPE Internet community should simply "Get a (better)
spamfilter or stop reading your mail :)", quote.
And the case is thus closed. All problems classified! Howerver, it would be a sure good thing to publish RIPE's decison regarding this topic since RIPE is for now, part of a world commonly known as humankind on planet earth. Meaning that if Wilfried from "cc.univie.ac.at" want & have time to care about the issues & last trends about trojans coded to send spam after intruding infecting a RIPE network, isn't its freedom to do so? And this, against the will of those who appeared and support the fact that this or that RIPE network gives RIPE erroneous datas so that this or that specific RIPE IP# allocated network is factually unreachable? If your IP# allocation isn't much more than a list of "Kinglon" outerspace residents, what's the reason to offer what the world's Internet authority once decided to provide? Take a lifetime vacation than? But as of now, does mail.netclient.no AKA www.mote.no do respect RIPE regulations from "A" to "Z"? In short, I'm asking you if the mailing list named anti-abuse-wg bare the right name or not? Thank you in advance. =================>>>>>>>>>>>>>>>>>>>>>>
-----Original Message----- From: jorgen@hovland.cx Sent: Mon, 8 Aug 2011 22:04:32 +0200 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Mr World Antispam Report,
Please stop complaining about your spam problems. Get a (better) spam filter or stop reading your mail :)
If you would like to send a comlaint regarding a resource assigned by RIPE with inaccurate contactinformation I suggest you send it to the provider (as in LIR or RIR) instead. As always, anyone can decide not to read or reply to your complaint. > The type of people you are talking about in your mail will most likely do just that.
Good luck,
=======================================
On Aug 8, 2011, at 6:56 PM, abuse@localhost.com wrote:
The problem is : Does any network operator wants to examine how does a Spamming Trojan that works on its own" works? Live, while in contact with the remote intruder with whom the infected trojan is in contact with?
Please, let me give a specific example... I have this "Other" given mailbox for which maybe its exact email address was given to what is know as a "SPAM List". I decide to keep to keep that address instead of getting rid of it. Of course, if there was a SPAM to get on the Internet, rest assure that I'll get that SPAM at that email address!
Anyhow, at one time (Rather many, many times), I get a SPAM that bares an HTLM link in its email body but the domain name is an absolute gibberish word inintellible in any language that anyone could dream of. So, I sent the complaint to both the abuse@ department from which the SPAM originated and to the other network website (IP#) where the gibberish domain name was located... If I remember well, the origin of the SPAM was from "Spain-Bada-Telecome", a very respectable & serious network and the other network hosting the "Gibberish" domain name (IP#...) was also a quite respectable network... I have kept their reply as some other "Same type" reply in which a given network operator thank me to advise him about this or that trojan using his own network for spamming purpose (Sort of an intrusion)... If you want I can send or post these thanfull dudes?
Ok??? Let's go on...
Some 2 days later, I get another SPAM baring the same gibberish HTML domain name but now located on a IP# located within the APNIC authority... Done complaint as usual and watched it for the whole day thereafter... For about 10 hours, the gibberish domain name disapeared from the APNIC network and re-appeared on a network located in Romania and for which close to none of the "RIPE registration datas" appeared to be valid. All email addies and civic addies appeared wrong, bounced back, etc...
Now, about the question what does the term "hijacked Netwok or IP#" means to RiPE or to any Internet concerned individual?
Within all the cases I seen up to now, all network operators of good faith and good will resolved the given problem in less than 6 hours. Aside from blacklisting the "Supposed" source of trojan intruders.
In do time, if the infectuous network runs into problems because he's refused connection with this network elsewhere, he could always use another email address to reach the network that blacklisted him? No problem there!
Got it?
-----Original Message----- From: woeber@cc.univie.ac.at Sent: Mon, 08 Aug 2011 15:42:35 +0000 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...]
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
TIA, Wilfried.
____________________________________________________________
____________________________________________________________ FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop! Check it out at http://www.inbox.com/earth
Here below are the few factual examples I can provide. May you please note that I don't think that the trojans (What the N-Americans qualify as "Exploited") don't take over all IP# of an infected network through the infection? -Though, that is only an opinion. Otherwise, the poor operator would be climbing on the walls! He'd pull the plug out! HiHiHi! Nope! The trojan simply implant itself on a given infected network (An email server for instance) to take over (1-2) IP# and sends forged headers spam from the intruded network. In most cases I seen up to now if not all, the "Exploiting" individual (Trojan encoder) do not implant both the HTML website advertised by the spamming trojan and the spamming trojan on the same sole network for obvious reasons. Therefore, once the infected network operator discovers the "Exploit", the HTML website to which the spam bares the link remains live. Even thought the intruded network gets rid of the automated spamming trojan. The website to which the spams refer (Hyperlink) is not yet destroyed! Being elsewhere on another infected network... On the contrary, when the "Other" network baring an intruded trojan that take over a given IP# within the network to give life to an HLML simple abusive webpage is destroyed by the infected network operator as Glen J., did (Here below) a little while back, and did clean that trojan up, does the abusive website should go down? NOPE! Rarely, very rarely goes down... Because the guy controlling the trojan which intruded the network to begin with, sure has sort of a motoring device that warns him when the infected network operator cleans his network and brings down the website. When GlenJ, destroyed the trojan-exploiting website, the abuser seen his website goes down and brought back on an IP# based his own network abroad from where he or she operates. This, until he finds that his intruder trojan succeeded to infect a new network. Never take so long... Only during that time, it is feasable to know exactly "Whois" the one who dissiminated those 2 types of exploit-trojans! The whole goal is free hosting and under the responsability of "Who Knows Who"! But who care really? If you'd want further details on all the methods as to how coders and "Pirates" can do such tricks, you'd be better to address yourself to peoples who want to protect these types of abusers. There just ought to be a few watching and taking good notes. I done what I could do, Ok? Thank you very much for reading me. ======================================== Note that one email here below is from an ARIN jurisdiction, another one from a huge network in SPAIN, very formal but also very friendly and the other one? .....I don't remember, forgotten... ========================================
Hello -
Mail Delivery System <XXXXX@XXXXX.com> wrote:
http://annevaleriejasmin.com/edit/yahoolink.php
Thank you for writing. The exploited site content has been taken offline. --
- Glen J., Abuse Coordinator
===================================
Hello.
Thank you for your report.
We have contacted our direct client regarding your report and expect a prompt response, including action against the abuser.
If you have any questions, please let us know.
---- Best Wishes, Sreejith S Systems Administration Support
Dear Sir:
We thank you for your message and we inform you that we are taking measures to prevent the problem from happening again.
We remember you our email.
Faithfully.
Nemesys Abuse Team Telefonica de España S.A.U.
-----Original Message----- From: woeber@cc.univie.ac.at Sent: Mon, 08 Aug 2011 15:42:35 +0000 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
[Catching up after being out of office for a while...]
Suresh Ramasubramanian wrote:
[...] ============================================
Can we turn back to the question that was actually riased in the thread?
Yes, please. :-)
As Spamhouse was mentioned, and the term "hijacked" pointed at, can anyone please provide me/us with (a pointer to) the definition of "hijacked", in particular as used by Spamhouse?
TIA, Wilfried.
____________________________________________________________ Publish your photos in seconds for FREE TRY IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if4
Hi Gert,
So if you are hosting porn on your web site, and making it accessible to minors, why exactly would the RIPE NCC be responsible for that?
I don't think that the RIPE NCC has anything to do with it in that case, local authorities would suffice imho. However if you share that sort of info on this mailing list, you might attract some extra visitors ;-) Regards, Erik Bais
If you check the weekly CIDR-Report than you will find certain prefixes in bogus adv head for many many months. NO RIR cares about it. we've been attacked/spammed/phished by such bogus prefix adv in past. Regards, Aftab A. Siddiqui On Thu, Jul 28, 2011 at 3:33 PM, Frank Gadegast < ripe-anti-spam-wg@powerweb.de> wrote:
Michele Neylon :: Blacknight wrote:
On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
Not at all out of scope.
I think it is out of scope
It is a slippery slope
Next you'll have people demanding that RIPE check what content is published on IP blocks ..
Good idea.
Other organisations are monitoring content too to prevent abuse, like search engines that do not even want results from hacked sites in their index.
RIPE is defny responsible for any abuse, whatever it is.
Lets have an example: A highjacker is using some netblocks to attack a big bank. They are flodded from this IP block and the attacker also sets up a lot of pishing servers using these IPs.
Will RIPE ask the LIR about whats going on with his assignment ? Will RIPE deroute this netblock at all ? Just after the bank complaints ? After somebody complains to RIPE that there are pishing servers on this netblock ?
What will happen ?
Cant be, that RIPE is doing nothing (to my opinion). And it would be very interesting what RIPE would do right now in this scenario. Who knows more ?
Kind regards, Frank
You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above).
Not necessarily.
There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.
RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right).
No - the "usage" is related to the assignment rules
It cannot be that
assigned netblocks are used by non-members or members the netblock wasnt assigned to …
Sorry, but I don't understand what you mean here
regards
Michele
Mr Michele Neylon Blacknight Solutions Hosting& Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------**- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,**Ireland Company No.: 370845
--
Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ==============================**==============================**========== Public PGP Key available for frank@powerweb.de
On Aug 7, 2011, at 1:57 PM, abuse@localhost.com wrote:
Very useful that list! Where can I have access to it? Where can I download the list?
http://www.cidr-report.org/ It's also published weekly to the routing-wg@ripe.net list, among others. Regards, Leo
Hijacked or not, does everyone (Every network on planet earth) care? RIPE's regulation simply state that the registation needs to be exact and accurate. Does anybody has a problem with this? 'Coze the only logical reason there would be to condemn this is that the individual who wants keep his or her indentification concealed is to perpetrate abuses, frauds and who knows some terrorism. If anyone cannot be recognized as part of the humankind on this planet, there's gotta be a reason to this! Anyhow, in do time, as a network is reconized as an abuser, the best that can be done is to blacklist the whole IP# block numbers. Refuse connection! And don't count on either ARIN, RIPE of the other registry bases. It would be too costly to ask them to do that. There are many, many other means to shut down or bare an IP Block number. As long as RIPE, ARIN and the other registry data bases gives us the right registry for a given IP# allocation, the abusing network can be track down. That's what's the RIPE authority is for? I'll cope with that!
-----Original Message----- From: ripe-anti-spam-wg@powerweb.de Sent: Thu, 28 Jul 2011 12:33:59 +0200 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
Michele Neylon :: Blacknight wrote:
On 28 Jul 2011, at 09:48, Frank Gadegast wrote:
Not at all out of scope.
I think it is out of scope
It is a slippery slope
Next you'll have people demanding that RIPE check what content is published on IP blocks ..
Good idea.
Other organisations are monitoring content too to prevent abuse, like search engines that do not even want results from hacked sites in their index.
RIPE is defny responsible for any abuse, whatever it is.
Lets have an example: A highjacker is using some netblocks to attack a big bank. They are flodded from this IP block and the attacker also sets up a lot of pishing servers using these IPs.
Will RIPE ask the LIR about whats going on with his assignment ? Will RIPE deroute this netblock at all ? Just after the bank complaints ? After somebody complains to RIPE that there are pishing servers on this netblock ?
What will happen ?
Cant be, that RIPE is doing nothing (to my opinion). And it would be very interesting what RIPE would do right now in this scenario. Who knows more ?
Kind regards, Frank
You are right saying, that a listing does not proof anything, but its a good indication (like I sayd above).
Not necessarily.
There are a multitude of reasons why an IP block can get listed - while it *might* be an indicator that you or I can use for our own *private* networks, it is not something that an organization like RIPE should be doing, as there is absolutely no standard or certification of DNS blacklists.
RIPE NCC could ask the member, whats going on with that netblock, if they see a listing. I guess a lot of members do not even realize, that their old netblocks are routed somewhere else.
RIPE NCC has to check the use of assigned netblocks anyway (if I understand some rules right).
No - the "usage" is related to the assignment rules
It cannot be that assigned netblocks are used by non-members or members the netblock wasnt assigned to …
Sorry, but I don't understand what you mean here
regards
Michele
Mr Michele Neylon Blacknight Solutions Hosting& Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
--
Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
____________________________________________________________ Share photos & screenshots in seconds... TRY FREE IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if1 Works in all emails, instant messengers, blogs, forums and social networks.
* Suresh Ramasubramanian:
Freshly added to spamhaus -
My personal problem with these reports is that they are totally incomprehensible to me. Why do you think the netblocks have been hijacked? Maybe the documentation in the WHOIS database is outdated, and Link Telecom still enjoys full control over those prefixes.
Spamhaus might be able to explain better But when I see that and want more information I'd ask them rather than doubt them. Just saying. On Fri, Jul 29, 2011 at 12:14 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
Freshly added to spamhaus -
My personal problem with these reports is that they are totally incomprehensible to me. Why do you think the netblocks have been hijacked? Maybe the documentation in the WHOIS database is outdated, and Link Telecom still enjoys full control over those prefixes.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
* Suresh Ramasubramanian:
Spamhaus might be able to explain better
But when I see that and want more information I'd ask them rather than doubt them. Just saying.
Sorry, you can't expect a constructive discussion if you just dump unstructured information and claim that is evidence of some policy violation, when other participants are not able to recognize your data as evidence (and I'm pretty sure I'm not alone in this regard). The Spamhaus report you referenced (rather indirectly) is not very illuminating, either. It says, "This block is to be returned to RIPE". What does this mean? Is it in the process of being returned? Has Spamhaus suggested (to whom?) that it should be returned? Is this some sort of demand?
The usual way this goes is that spamhaus has some further evidence available, which they don't expose publicly. They would make it available to vetted security contacts at RIPE, or LE that are interested, for example. The data point isn't unstructured beyond what you'd expect, and most abuse complaints you'd get are far less structured. Right now, it is simply a statement "CIDRs x, y and z are suspected to be hijacked". On Fri, Jul 29, 2011 at 12:54 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
The Spamhaus report you referenced (rather indirectly) is not very illuminating, either. It says, "This block is to be returned to RIPE". What does this mean? Is it in the process of being returned? Has Spamhaus suggested (to whom?) that it should be returned? Is this some sort of demand?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
In an earlier post, Florian Weimer mentioned the following:
My personal problem with these reports is that they are totally incomprehensible to me. Why do you think the netblocks have been hijacked? Maybe the documentation in the WHOIS database is outdated, and Link Telecom still enjoys full control over those prefixes.
If one carry a lookup on RIPE website, and finds erroneous datas regarding the registration of a given IP# assignation, "Who's" HOIS database is outdated in such case? For instance, a false non-existant or outdated email address. Else, a civic address located in a vacant field? Why would you care so much if a network 800 miles from your civic address in another country got highkacked? You ain't a public employee of all RIPE's registered network? The only thing RIPE have legal and justified reasons to ask any network and LIR to whom RIPE allocates IP# is true and real datas such as valid email addresses and full civic location. Anybody has a problem with this? Go ahead, everybody's listening. Thank to read me.
-----Original Message----- From: fw@deneb.enyo.de Sent: Thu, 28 Jul 2011 20:44:12 +0200 To: ops.lists@gmail.com Subject: Re: [anti-abuse-wg] Hijacked netblocks - any SOP for these?
____________________________________________________________ Share photos & screenshots in seconds... TRY FREE IM TOOLPACK at http://www.imtoolpack.com/default.aspx?rc=if1 Works in all emails, instant messengers, blogs, forums and social networks.
participants (13)
-
abuse@localhost.com -
Aftab Siddiqui -
Brian Nisbet -
Erik Bais -
Florian Weimer -
Frank Gadegast -
furio ercolessi -
Gert Doering -
Jørgen Hovland -
Leo Vegoda -
Michele Neylon :: Blacknight -
Suresh Ramasubramanian -
Wilfried Woeber, UniVie/ACOnet