Notice: Fraudulent RIPE ASNs
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
Evidence I have in hand strongly links this scheme and these ASNs and their associated IPv4 route announcements to Jump Network Services, aka JUMP.RO. Furthermore, all of these ASNs are apparently peering with exactly and only the same two other ASNs in all cases, i.e. GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These peers and the fraudulent ASNs listed below are all apparently originated out of Romania.
AS16011 (fiberwelders.ro) AS28822 (creativitaterpm.ro) AS48118 (telecomhosting.ro) AS49210 (rom-access.ro) AS50659 (grandnethost.com) AS57131 (speedconnecting.ro) AS57133 (nordhost.ro) AS57135 (fastcable.ro) AS57176 (bucovinanetwork.ro) AS57184 (kaboomhost.ro) AS57415 (highwayinternet.ro) AS57695 (effidata.ro) AS57724 (id-trafic.ro) AS57738 (mclick.ro) AS57786 (hosting-www.ro) AS57837 (romtechinnovation.ro) AS57906 (momy.ro) AS57917 (nature-design.ro)
At present, the above 18 ASNs are currently announcing routes for a total amount of IP space equal to 1,022 /24s, which is the rough equivalent of an entire /14 block. These IPv4 route announcements are listed below, sorted by IPv4 (32-bit) start address.
Additional potentially relevant background information:
http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...
http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...
http://www.spamhaus.org/sbl/listings/jump.ro
Current route announcements:
The last time a Romanian I know checked, most of these appear to be set up with business registration that was valid at the time the netblocks were registered but mostly lapsed a year or so later.
Almost as if someone in Bucharest walks into a bar, pays people there a few euro in drinking money if they will let their ID get used to register a shell company that can then register for a /16 or larger netblock.
--srs (htc one x)
On 15-Jan-2013 4:30 AM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
Evidence I have in hand strongly links this scheme and these ASNs and their associated IPv4 route announcements to Jump Network Services, aka JUMP.RO. Furthermore, all of these ASNs are apparently peering with exactly and only the same two other ASNs in all cases, i.e. GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These peers and the fraudulent ASNs listed below are all apparently originated out of Romania.
AS16011 (fiberwelders.ro) AS28822 (creativitaterpm.ro) AS48118 (telecomhosting.ro) AS49210 (rom-access.ro) AS50659 (grandnethost.com) AS57131 (speedconnecting.ro) AS57133 (nordhost.ro) AS57135 (fastcable.ro) AS57176 (bucovinanetwork.ro) AS57184 (kaboomhost.ro) AS57415 (highwayinternet.ro) AS57695 (effidata.ro) AS57724 (id-trafic.ro) AS57738 (mclick.ro) AS57786 (hosting-www.ro) AS57837 (romtechinnovation.ro) AS57906 (momy.ro) AS57917 (nature-design.ro)
At present, the above 18 ASNs are currently announcing routes for a total amount of IP space equal to 1,022 /24s, which is the rough equivalent of an entire /14 block. These IPv4 route announcements are listed below, sorted by IPv4 (32-bit) start address.
Additional potentially relevant background information:
http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...
http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...
http://www.spamhaus.org/sbl/listings/jump.ro
Current route announcements:
Hi,
The last time a Romanian I know checked, most of these appear to be set up with business registration that was valid at the time the netblocks were registered but mostly lapsed a year or so later.
Almost as if someone in Bucharest walks into a bar, pays people there a few euro in drinking money if they will let their ID get used to register a shell company that can then register for a /16 or larger netblock.
Well, the allocations/assignments are only valid as long as the original criteria are still met. In this case it seems obvious that this is no longer the case as the entity for which they were requested no longer exists. But to be certain there has to be work done by the RIPE NCC. They can't just revoke resources because someone posted a message on a mailing list :-)
Submitting this information to http://www.ripe.net/report-form seems appropriate.
Cheers, Sander
Problems with excessively large allocations by Romanian LIRs to spam operations have been a problem over the last few years at least, so that RIPE NCC might want to take cognizance of all this information and do a proactive audit of all allocations over a period of time done through a particular LIR, rather than play whack-a-mole with manually reported netblocks.
--srs (htc one x)
On 15-Jan-2013 6:20 AM, "Sander Steffann" <sander@steffann.nl> wrote:
Hi,
The last time a Romanian I know checked, most of these appear to be set up with business registration that was valid at the time the netblocks were registered but mostly lapsed a year or so later.
Almost as if someone in Bucharest walks into a bar, pays people there a few euro in drinking money if they will let their ID get used to register a shell company that can then register for a /16 or larger netblock.
Well, the allocations/assignments are only valid as long as the original criteria are still met. In this case it seems obvious that this is no longer the case as the entity for which they were requested no longer exists. But to be certain there has to be work done by the RIPE NCC. They can't just revoke resources because someone posted a message on a mailing list :-)
Submitting this information to http://www.ripe.net/report-form seems appropriate.
Cheers, Sander
On Tue, Jan 15, 2013 at 6:27 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Problems with excessively large allocations by Romanian LIRs to spam operations have been a problem over the last few years at least, so that RIPE NCC might want to take cognizance of all this information and do a proactive audit of all allocations over a period of time done through a particular LIR, rather than play whack-a-mole with manually reported netblocks.
This is a list of RIPE assigned PI / PA netblocks that are in Spamhaus .. quite a few in the past few days, large ones too. Mostly Romania / Eastern Europe, for one reason or the other..
http://www.spamhaus.org/sbl/listings/ripe
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Hi,
This is a list of RIPE assigned PI / PA netblocks that are in Spamhaus .. quite a few in the past few days, large ones too. Mostly Romania / Eastern Europe, for one reason or the other..
Being listed by Spamhaus is not a reason to revoke address space. There is no such policy in the RIPE region, and I think it is very unlikely that the whole RIPE community will agree to let one organisation veto anybody's right to address space. There have been incidents in the past where Spamhaus listings were very controversial.
Now if anyone sees that there has been fraud, people lying to the RIPE NCC, people lying about their need for address space, etc. then that is in violation of the RIPE policies and the RIPE NCC Service Contract. In those cases the RIPE NCC can act and has the mandate of the members to act. With 8800+ members it is not possible to audit all of them all the time, so helpful information about fraud is very helpful for the RIPE NCC to target their audits.
Cheers, Sander
On Saturday 19 January 2013 17.24, Sander Steffann wrote:
Hi,
This is a list of RIPE assigned PI / PA netblocks that are in Spamhaus .. quite a few in the past few days, large ones too. Mostly Romania / Eastern Europe, for one reason or the other..
Being listed by Spamhaus is not a reason to revoke address space. There is no such policy in the RIPE region, and I think it is very unlikely that the whole RIPE community will agree to let one organisation veto anybody's right to address space. There have been incidents in the past where Spamhaus listings were very controversial.
Now if anyone sees that there has been fraud, people lying to the RIPE NCC, people lying about their need for address space, etc. then that is in violation of the RIPE policies and the RIPE NCC Service Contract. In those cases the RIPE NCC can act and has the mandate of the members to act. With 8800+ members it is not possible to audit all of them all the time, so helpful information about fraud is very helpful for the RIPE NCC to target their audits.
To be listed as spammer may in itself not be a reason to revoke addresses. But it should be enough to start an investigation, for instance mail the address "owners" and ask for a comment. If they cannot be reached then revocation comes closer ....
Cheers, Sander
-- Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. )
Call it yet another data point for RIPE NCC to use, proactively.. Spamhaus listings and controversy - well, there have been earlier cases where they have escalated to cover an ISP (say), where several ranges in that ISP's IP space were infested. Several of those assigned PI / PA netblocks appear to be cybercrime controlled though. With 8800 customers, well - it simply means RIPE NCC needs to learn from, say, a bank manager, on what'd happen to him if he sanctioned a bank loan on the strength of the same weird and wonderful paperwork with which RIPE NCC occasionally sanctions a /16 or larger. "We are not the X police" doesn't quite gel with the fiduciary responsibility they have as trustees of a globally shared, finitely available resource.
On Saturday, January 19, 2013, peter h wrote:
On Saturday 19 January 2013 17.24, Sander Steffann wrote:
Hi,
This is a list of RIPE assigned PI / PA netblocks that are in Spamhaus .. quite a few in the past few days, large ones too. Mostly Romania / Eastern Europe, for one reason or the other..
Being listed by Spamhaus is not a reason to revoke address space. There is no such policy in the RIPE region, and I think it is very unlikely that the whole RIPE community will agree to let one organisation veto anybody's right to address space. There have been incidents in the past where Spamhaus listings were very controversial.
Now if anyone sees that there has been fraud, people lying to the RIPE NCC, people lying about their need for address space, etc. then that is in violation of the RIPE policies and the RIPE NCC Service Contract. In those cases the RIPE NCC can act and has the mandate of the members to act. With 8800+ members it is not possible to audit all of them all the time, so helpful information about fraud is very helpful for the RIPE NCC to target their audits.
To be listed as spammer may in itself not be a reason to revoke addresses. But it should be enough to start an investigation, for instance mail the address "owners" and ask for a comment. If they cannot be reached then revocation comes closer ....
Cheers, Sander
-- Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. )
-- --srs (iPad)
In message <201301191728.56389.peter@hk.ipsec.se>, peter h <peter@hk.ipsec.se> wrote:
To be listed as spammer may in itself not be a reason to revoke addresses. But it should be enough to start an investigation, for instance mail the address "owners" and ask for a comment. If they cannot be reached then revocation comes closer ....
Having investigated a number of these kinds of things over a period of time I'd just like to say that responses obtained via either e-mail or via snail-mail are entirely less than definitive when one is trying to determine the truth. A reply e-mail can say anything, can contain any sort of a made up story that the sender wishes to fabricate, and can easily be made to appear to come from pretty much any domain that the responding party has control over. Likewise, snail-mails may spin any desired legend, and can (and have) included utterly made-up letterheads and envelopes and such other things as may seem to support the overall deception.
Usually however, there is a finite and small number of individuals behind this sort of thing, so that requiring contact, at some mutually convenient time, via telephone can most likely flush out the fraud most efficiently. If it is always the exact same voice on the other end of the line... even when one is speaking to a number of allegedly separate and independent companies, then, to paraphrase William Shakespeare, it should be altogether apparent that something is rotten in Romania.
Regards, rfg
On Sun, Jan 20, 2013 at 12:03 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Usually however, there is a finite and small number of individuals behind this sort of thing, so that requiring contact, at some mutually convenient time, via telephone can most likely flush out the fraud most efficiently. If it is always the exact same voice on the other end of the line... even when one is speaking to a number of allegedly separate and independent companies, then, to paraphrase William Shakespeare, it should be altogether apparent that something is rotten in Romania.
I have done the complete paperwork and RIPE interfacing for several of our customers who we are sponsoring PI space and AS numbers for. Matter of fact, this is the default mode of operation for us. This is _precisely_ what tech-c is for and quite common. The same applies to any customer wanting to become a LIR themselves and buying consultation from us.
Assuming a phone-in system was introduced and ignoring the obvious issues with recognizing voices that any hostmaster may or may not have heard at some time before, I would introduce myself as tech-c, tell the hostmaster that I would hand over to admin-c who is not very deep into understanding the matter at hand, and they would basically confirm everything I said.
Exactly the same process and outward appearance for valid and fraudulent requests.
Even though I may disagree with your proposed solution, talking about specific concerns and/or suggestions as per above is vastly preferable over what amounts to grandstanding and refusing to fill out a simple form, and quite vocally so.
This is especially puzzling since you already did the detective work and provided apparently useful information. It's a pity to get side-tracked, really.
I suggest focusing on actual WG discourse on this list.
Thank you for said detective work,
Richard
In message <CAD77+gTo_ZQW2oJmCmQLPiRiqguTMgSLp9LrYut=GN5w+zCzkQ@mail.gmail.com> Richard Hartmann <richih.mailinglist@gmail.com> wrote:
Assuming a phone-in system was introduced and ignoring the obvious issues with recognizing voices that any hostmaster may or may not have heard at some time before, I would introduce myself as tech-c, tell the hostmaster that I would hand over to admin-c who is not very deep into understanding the matter at hand, and they would basically confirm everything I said.
Exactly the same process and outward appearance for valid and fraudulent requests.
First, allow me to be clear that I was not suggesting any long-term or generally applicable "system" for verifying/validating RIPE resource registrants. My simple "phone contact" suggestion was only put forward with reference to this one rather entirely unusual situation where the true ownership of numerous resources is now in doubt.
Leaving that point aside however, I gather you are trying to say that my simple phone validation idea/suggestion would not work, however I'm not at all sure that I see your reasoning. I guess that the admin-c person is supposed to represent the true registrant of the resource. If so, and if all of the admin-c persons reached by phone had exactly the same voice (e.g. baritone), exactly the same manner of speech, and exactly the same accent, wouldn't that tend to strongly confirm that something is amiss?
Even though I may disagree with your proposed solution, talking about specific concerns and/or suggestions as per above is vastly preferable over what amounts to grandstanding and refusing to fill out a simple form, and quite vocally so.
I hereby apologize for any grandstanding that I may have engaged in. Please put it down to my fervent desire that the matter I reported on should be investigated, thoroughly and promptly.
As regards my reluctance to engage with RIPE NCC on any kind of a formal basis, although that too may be unforgivable, allow me to point out what I feel is a relevant point, specifically that the free flow of information is, as we here in the states would say, a two-way street... or should be anyway.
Since my original post on this matter, a RIPE NCC staff member has reached out to me, and in an informal manner I have apprised her thoroughly of the various lines of evidence that formed the basis of my suspicions about these specific 18 ASNs. In a follow-up to this, I inquired as to how much I might be told, and when, with regards to RIPE NCC's investigation of this matter, stating up-front that I understood that RIPE NCC staff might possibly labor under some of the same constraints as ARIN staff do with regards to this kind of investigation, and their ability to be forthcoming, either publicly or privately, about either investigation results, or actions taken. I was then politely informed that yes indeed, RIPE secrecy rules are not materially different from those of ARIN with respect to these kinds of investigations.
In short, it appears that none of us will ever know anything, either about how this happened, why it happened, who was responsible (within Romania) for causing it to happen, or what actions, if any, RIPE NCC will take in response to this matter. (I sort of feel like I want to use the term "this incident" rather than "this matter", but it appears that this has not been so much an "event" as it has been a process. The data seem to indicate that the fraudulent scheme I reported on has been ongoing for over two years now.)
Anyway, it may come as no surprise when I say that this information flow "one way street" is less than satisfying. In fact that would be an understatement. And if one thinks about it, this cloak of secrecy that hides all... all noble actions and all skullduggery, without discrimination... may be a part of the reason that other people of generosity and good intent, unlike me, do not waste their time on looking too deeply into funny stuff on this Internet, let alone reporting any such. Why bother when it is a foregone conclusion that the whole thing will be hushed up in the end anyway, and, as far as anyone on the outside knows, neither any drop of justice nor any dollop of discipline is ever dispensed.
Thinking about it, just in the last day or two I've realized that RIPE, ARIN, IANA, ICANN, and all such authorities are in many ways quite analogous to our Federal Reserve here in the United States. In both cases, the entities have much authority and are widely perceived as having charters that somehow commit them to pursuit of the public good. But in both cases, the reality is rather different... these entities are in fact merely commercial associations of business interests that are pledged, if not by law then by contract, to never reveal even a smidgeon of their commercial members' dirty laundry to any "outsider", and their iron-clad commitment to this goal always takes precedence over any other consideration.
In the United States, and because of our Freedom of Information Act, Bloomberg News was ultimately able to extract from the Federal Reserve the various dirty secrets of the largess that the Fed had doled out to its members during the financial crisis. The airing of this dirty laundry shocked the nation, and led to many aspects of the final Dodd-Frank financial reform act aimed at disallowing any future screwings of the American public for the benefit of the various large Federal Reserve member banks (and in particular the ones that were most directly responsible for having created the crisis in the first place).
All I can say is that I wish that I had as much money as Bloomberg News. If I did, I would most definitely seek the judicious application of our federal FOIA, both to the Commerce Department generated entity known as ICANN, and thence also to the lower level entities that it has spawned or sponsored, namely IANA, ARIN, RIPE, APNIC, LACNIC, and AFRINIC. (Although I'm sure that even the mere suggestion will likely outrage all of you Europeans, it is my contention that ultimately, and for anyone with enough money to pursue it, all of these entities would ultimately be found to be subject to U.S. law generally, and to FOIA, specifically.)
I think this is the only way the counterproductive shroud of secrecy will ever be lifted, and by extension, I think that this is the only way that any of these entities might ever actually be called upon to serve the public good, in preference to the private commercial good of their respective memberships, unlike the present situation where the private commercial interests trump the public's need to know at every turn.
My apologies for the length of this posting.
Regards, rfg
Hi Ronald,
As regards my reluctance to engage with RIPE NCC on any kind of a formal basis, although that too may be unforgivable, allow me to point out what I feel is a relevant point, specifically that the free flow of information is, as we here in the states would say, a two-way street... or should be anyway.
Since my original post on this matter, a RIPE NCC staff member has reached out to me, and in an informal manner I have apprised her thoroughly of the various lines of evidence that formed the basis of my suspicions about these specific 18 ASNs. In a follow-up to this, I inquired as to how much I might be told, and when, with regards to RIPE NCC's investigation of this matter, stating up-front that I understood that RIPE NCC staff might possibly labor under some of the same constraints as ARIN staff do with regards to this kind of investigation, and their ability to be forthcoming, either publicly or privately, about either investigation results, or actions taken. I was then politely informed that yes indeed, RIPE secrecy rules are not materially different from those of ARIN with respect to these kinds of investigations.
In short, it appears that none of us will ever know anything, either about how this happened, why it happened, who was responsible (within Romania) for causing it to happen, or what actions, if any, RIPE NCC will take in response to this matter. (I sort of feel like I want to use the term "this incident" rather than "this matter", but it appears that this has not been so much an "event" as it has been a process. The data seem to indicate that the fraudulent scheme I reported on has been ongoing for over two years now.)
Anyway, it may come as no surprise when I say that this information flow "one way street" is less than satisfying. In fact that would be an understatement. And if one thinks about it, this cloak of secrecy that hides all... all noble actions and all skullduggery, without discrimination... may be a part of the reason that other people of generosity and good intent, unlike me, do not waste their time on looking too deeply into funny stuff on this Internet, let alone reporting any such. Why bother when it is a foregone conclusion that the whole thing will be hushed up in the end anyway, and, as far as anyone on the outside knows, neither any drop of justice nor any dollop of discipline is ever dispensed.
Now *this* is something that might be solved by a policy proposal. How about a policy that states that a list of all resources reclaimed by/returned to/delegated to the RIPE NCC must be published? I don't know about the legal implications of also publishing the company name etc of the last holder, but how about a list containing:

- Resource
- Reclaimed date
- Reason (received from IANA, returned by holder, violation of policy, bankruptcy, court order, non-payment, fraud/untruthful information, etc)
- Returned to pool date

I am trying to find the balance between avoiding legal trouble for the RIPE NCC (IANAL etc, so I don't know what is acceptable under Dutch law) and giving feedback and showing the community what is being done. The NCC already publishes the resources it allocates/assigns (output list). What I propose is that they also publish what they receive (input list). Showing both sides of the story would be part of good stewardship etc.

/me looks at the worms crawling out of the can...

What do you (=AAWG) think?

Sander
Sander, On Sunday, 2013-01-20 22:37:44 +0100, Sander Steffann <sander@steffann.nl> wrote:
Anyway, it may come as no surprise when I say that this information flow "one way street" is less than satisfying. In fact that would be an understatement. And if one thinks about it, this cloak of secrecy that hides all... all noble actions and all skullduggery, without discrimination... may be a part of the reason that other people of generosity and good intent, unlike me, do not waste their time on looking too deeply into funny stuff on this Internet, let alone reporting any such. Why bother when it is a foregone conclusion that the whole thing will be hushed up in the end anyway, and, as far as anyone on the outside knows, neither any drop of justice nor any dollop of discipline is ever dispensed.
Now *this* is something that might be solved by a policy proposal.
I agree.
How about a policy that states that a list of all resources reclaimed by/returned to/delegated to the RIPE NCC must be published? I don't know about the legal implications of also publishing the company name etc of the last holder, but how about a list containing:

- Resource
- Reclaimed date
- Reason (received from IANA, returned by holder, violation of policy, bankruptcy, court order, non-payment, fraud/untruthful information, etc)
- Returned to pool date
It does not seem to me that merely recording reclaimed resources is really going to get to the heart of the transparency problem. Perhaps something more like a couple of checkboxes on the complaint form which say:

[ ] I wish this complaint to be public.
[ ] I wish my name to be included in the public report.

This way we could have an opt-in public archive of all abuse reports that the RIPE NCC has received. Consider it a sort of RIPE NCC version of the Google Transparency Report. :)

http://www.google.com/transparencyreport/

Cheers,
-- Shane
Hi,
It does not seem to me that merely recording reclaimed resources is really going to get to the heart of the transparency problem.
Well, the person who filed the complaint/report gets some feedback on whether action has been taken. And the rest of the world can see that the RIPE NCC does act on fraudulent behaviour, which hopefully encourages others to file reports as well.
Perhaps something more like a couple of checkboxes on the complaint form which say:
[ ] I wish this complaint to be public.
[ ] I wish my name to be included in the public report.
This way we could have an opt-in public archive of all abuse reports that the RIPE NCC has received.
Even better! Then we also have an input/output view on the RIPE NCC fraud/complaint handling procedure. Thanks, Sander
In message <40A6A1EE-5F5B-46A3-ACFE-17F69F24EDB1@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
Perhaps something more like a couple of checkboxes on the complaint form which say:
[ ] I wish this complaint to be public.
[ ] I wish my name to be included in the public report.
This way we could have an opt-in public archive of all abuse reports that the RIPE NCC has received.
Even better! Then we also have an input/output view on the RIPE NCC fraud/complaint handling procedure.
Ummmm... no. Apparently there is some confusion here. Let me try to clear that up. As I understand it, RIPE has contractual confidentiality commitments that are of such a nature that RIPE will _never_ say _anything_ about _any_ aspect of its handling of _any_ abuse report. Period full stop. For that reason, you will *not* ``get an input/output view'' on the process. No person outside of RIPE staff will _ever_ see _any_ ``output''. That's the problem. Putting an extra check box on a report form isn't going to change that. I hope that we are clear on this now. Regards, rfg
Hi,
Even better! Then we also have an input/output view on the RIPE NCC fraud/complaint handling procedure.
Ummmm... no.
I meant 'even better when this is added to what I already suggested'. Publishing which resources have been revoked/reclaimed/etc (when possible including the name of the last holder) would be the most important part. Publishing both sides would make it possible for everyone to see which resources got complaints and which resources got revoked. Cheers, Sander
Ronald, On Monday, 2013-01-21 03:53:02 -0800, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
In message <40A6A1EE-5F5B-46A3-ACFE-17F69F24EDB1@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
Perhaps something more like a couple of checkboxes on the complaint form which say:
[ ] I wish this complaint to be public.
[ ] I wish my name to be included in the public report.
This way we could have an opt-in public archive of all abuse reports that the RIPE NCC has received.
Even better! Then we also have an input/output view on the RIPE NCC fraud/complaint handling procedure.
Ummmm... no.
Apparently there is some confusion here. Let me try to clear that up.
As I understand it, RIPE has contractual confidentiality commitments that are of such a nature that RIPE will _never_ say _anything_ about _any_ aspect of its handling of _any_ abuse report. Period full stop.
For that reason, you will *not* ``get an input/output view'' on the process. No person outside of RIPE staff will _ever_ see _any_ ``output''.
That's the problem.
Putting an extra check box on a report form isn't going to change that.
I hope that we are clear on this now.
Actually we are not.

The RIPE NCC does have confidentiality clauses. This makes sense, as they ask companies to provide proprietary information like their business plans, which could be harmful to their operations if made public. However, I don't believe that this means that *all* interactions between the RIPE NCC and the outside world are necessarily confidential. In fact, we know that some things are not, because we can see dates when addresses were allocated to specific LIR.

An even more important point is that the proposed check box on abuse reports is NOT FOR THE LIRs. It is for the ABUSE REPORTER, and allows them to declare their desire to have their complaints made public.

The idea is to create a system which allows continued confidentiality, but makes public possible abuses. It prevents the RIPE NCC from getting 50 reports about an abusive LIR and ignoring them... which is what you are concerned about, right?

If you think that improving transparency is a reasonable goal, but that the check box idea is silly... excellent! Please propose an alternate way to improve things!

If you think that the goal is unreasonable, because the RIPE NCC will never, ever provide any transparency to its operations... then your objection is of the sort, "it won't help". In that case, perhaps you should at least let us try?

Cheers,
-- Shane
Sorry for the late reply. I have been off working on other things. In message <20130122100335.443507cf@shane-desktop>, Shane Kerr <shane@time-travellers.org> wrote:
The idea is to create a system which allows continued confidentiality, but makes public possible abuses. It prevents the RIPE NCC from getting 50 reports about an abusive LIR and ignoring them... which is what you are concerned about, right?
No, not actually. I am concerned about RIPE NCC getting _one_ highly _accurate_ report, like the one I posted here recently, and then sweeping it under the rug (aka "hushing it up"), in one way or another. That could be by just ignoring it, and letting the thief keep what he stole, or it could be by taking back what was stolen, and possibly imposing some sort of penalty/sanction against the thief, but all done quietly, behind the scenes, without any public notice which would take the general form "So-and-so was determined by RIPE NCC staff to have committed a fraud, thereby obtaining thus-and-such number resource in a manner inconsistent with current RIPE policy."

The number of reports shouldn't matter. As far as I know, I am the only one who either found or reported that big mess/fraud in Romania, so RIPE NCC now has in hand exactly and only _one_ report about that. That's not the issue.

The issue is, what happens when RIPE NCC verifies what I've said, i.e. that all those ASNs.... and, not coincidentally, all of the IPv4 space they have been allocated and/or that they are routing... was all obtained via fraud, deceit, or artifice? Will the perpetrators *and* those who aided and abetted them be publicly outed? Or will the results of RIPE NCC's investigation all just be hushed up, you know, so that the exact same crooks can just come back and do it all over again in a month or two?
If you think that improving transparency is a reasonable goal...
I do.
but that the check box idea is silly... excellent! Please propose an alternate way to improve things!
Well, in the first place, the specific "transparency" that I would like to see improved... or rather that I would like to see come into existence (because right now, it seems, there isn't _any_ of it) is RIPE NCC's transparency... not _my_ transparency. I'm not the one keeping secrets. Secondarily however, let me say that I _am_ mulling over an idea that I have had which may perhaps be useful in getting more eyes focused on at least the externally provided _reports_ of these kinds of issues, if not also RIPE NCC's (secretive) response(s) to same.
If you think that the goal is unreasonable, because the RIPE NCC will never, ever provide any transparency to its operations...
If?? I have been informed that RIPE NCC works under the same sorts of confidentiality arrangement as ARIN. I have some experience with ARIN's handling of these sorts of things, and I can assure you that they behave entirely like the proverbial "black box", "brick wall", name your metaphor. So, um, yes. I believe that "RIPE NCC will never, ever provide any transparency to its operations" with respect to these sorts of incidents. In fact I have been point blank told as much by a RIPE NCC staff member.
then your objection is of the sort, "it won't help". In that case, perhaps you should at least let us try?
Try what, exactly? I'm sorry. I'm not following. Could you please elaborate? Regards, rfg
In message <20130121105243.04109468@shane-desktop>, Shane Kerr <shane@time-travellers.org> wrote:
It does not seem to me that merely recording reclaimed resources is really going to get to the heart of the transparency problem.
Well, it would be a good start. Better than nothing.

As should be apparent, now, to anyone who seriously investigates the report I made here recently, there are fraudsters on the Internet. (DUH!) And some of them have found, and clearly do find (present tense) that RiRs are enormously easy marks.

Some might be inclined to rage against the various RiR staffs for this, but not me. I understand why hyper-vigilance against this sort of thing is probably not the best way for RiRs to spend their limited resources. (Nor is it particularly likely that they will.) Still, there ought to be some way to make this particular sort of crime either less easy or else less attractive. Assuming that the former is not really in the cards, I would suggest that more thought be put into the latter.

I can't remember where anymore, but somewhere, a long time ago, I read something about crime & punishment that basically said that for crimes that are particularly easy to pull off, it can be easily seen that those specific types of crimes will run rampant _unless_ the punishment for those few who get caught is made extremely harsh... you know, so that anyone in their right mind would really have to think twice before trying it, even if the odds are only one in a hundred of ever actually getting caught.

Based on various situations, past and present, that I have brought to light, in the ARIN region, and now in the RIPE region, although I mean no offense to any RiR staff member(s), I have to say that from where I am sitting it appears to me that defrauding an RiR sure looks like it is as easy as pie, _and_ that the probability of ever even getting caught is extremely small. The implications of those facts for any policy that seeks to deter such abuses is, in my mind at least, self evident. The punishment for this sort of hanky panky should be severe, and a head or two on pikes would go a long way towards reducing the likelihood of these events in the future.

Public naming and shaming of any and all parties involved should be a part of that, in my opinion, and furthermore I think that a provision which explicitly allows this should be written into all RIPE contracts from now on.... as in "If we catch you doing this, then no, you DON'T get to hide behind any confidentiality provisions within this contract that might otherwise apply." (This would be a good thing to add, going forward, but actually, depending on the wording of existing contracts, that might not even be necessary, i.e. in order for RIPE to be able to name and shame anybody who has an existing contract with RIPE NCC _today_, because any fraud on their part, or any failure... e.g. on the part of an LIR, to properly vet the lower level entities they dole out resources to... is, I would guess, a material breach of contract. And a breach of contract by the other party means, I think, that RIPE NCC is no longer legally obliged to hold up its end of the contract... specifically with respect to confidentiality of the other party.)

With respect to this fraudulent scheme I outed the other day, it is possible that one or more LIRs were either behind it or at the very least were happy to collude with the real perps in order to make it possible... as long as they also got a cut of the profits to be made out of this scheme. (And make no mistake about it... spamming is _highly_ profitable.)

Me personally? I would like to see the perps named and shamed, _and_ I'd also like to see any LIR that didn't do its job... to properly vet applications for resources according to established guidelines... or that actively colluded with the real perps... named and shamed, publicly, also. To me, this is the absolute least that both prudence and an ordinary sense of justice and fair play would demand. But if it were up to me, I would certainly go further... making criminal referrals, wherever possible and filing civil suits for breach of contract (and the concomitant damage to RIPE NCC's reputation).

Of course, in my ideal universe, one could achieve much the same ends, but much more efficiently, economically, and expediently simply by revoking an up-front performance bond that all parties contracting with RIPE NCC would be required to post before being allocated resources. (Having said that however, let me assure all that I _do_ understand that most probably a majority of all current RIPE members would howl at even the suggestion of what I just said, and that thus, it would never fly, politically, in practice. Nonetheless, that doesn't mean it is a bad idea. RIPE has resources which it loans out to other parties to use for a time, and those resources can be damaged, or can be made off with fraudulently. Don't they demand a credit card number from you before you drive off in a rental car?)
Perhaps something more like a couple of checkboxes on the complaint form which say:
[ ] I wish this complaint to be public.
[ ] I wish my name to be included in the public report.
Color me flummoxed. I _thought_ that we were talking about the (unfortunate) confidentiality now being routinely and contractually provided to RIPE members... even, apparently, utterly fictitious and fraudulent ones... who make off with resources, counter to current allocation policies, via fraud, deceit, or artifice. All of a sudden you seem to be worried about _my_ confidentiality, or lack thereof, or forfeiture thereof.

Allow me to be clear. I never asked for, nor ever expected that anything about my report... including but not limited to my name... would be held in any sort of confidence. Indeed quite the opposite. Ever since I found that big fat Romanian spam empire/cesspit I have been staying awake at nights, trying to figure out how to get news of it publicised and circulated even more widely than what I have so far been able to accomplish on my own. (And I _do_ hope that any reporting on this will mention my name somewhere, in a favorable light, as the guy who discovered this mess.)

I suspect that most folks making reports to RIPE about abusive/deceptive violations of RIPE allocation policies, like me, will be only too happy to have the information they report... and their names... trumpeted on every streetcorner. In short, your suggested checkboxes are, I think, utterly superfluous and unnecessary.
This way we could have an opt-in public archive of all abuse reports that the RIPE NCC has received.
See above. You have a solution in search of a problem. Has _any_ person who has _ever_ reported any kind of fraud or "abuse" to RIPE NCC _ever_ seriously desired _any_ anonymity and/or confidentiality in connection with any such report? I rather doubt it. The people who need to hide in the shadows are the abusers... not the public spirited samaritans who merely report their skulduggery. Speaking for myself, I can assure you that _I_ don't feel any need to hide. Regards, rfg
Hi Ronald,
Has _any_ person who has _ever_ reported any kind of fraud or "abuse" to RIPE NCC _ever_ seriously desired _any_ anonymity and/or confidentiality in connection with any such report?
I rather doubt it.
The people who need to hide in the shadows are the abusers... not the public spirited samaritans who merely report their skulduggery. Speaking for myself, I can assure you that _I_ don't feel any need to hide.
There could be very good reasons not to put a target on themselves. Especially with certain crime, like running Botnets for hire or selling online pharmacy pills in huge quantities, those involve a lot of cash and mafia type practices are very likely, it is far better to be able to report information without your name being published publicly. Some of the people in this community are also running their own network/business and just because you find a huge issue or you were part of a large botnet takedown, doesn't mean you want to risk your network/business to be a target of repercussions. Regards, Erik Bais
In message <862A73D42343AE49B2FC3C32FDDFE91C0940BB25@e2010-mbx-c1n2.exchange2010.nl>, Erik Bais <erik@bais.name> wrote:
Hi Ronald,
Has _any_ person who has _ever_ reported any kind of fraud or "abuse" to RIPE NCC _ever_ seriously desired _any_ anonymity and/or confidentiality in connection with any such report?
I rather doubt it.
The people who need to hide in the shadows are the abusers... not the public spirited samaritans who merely report their skulduggery. Speaking for myself, I can assure you that _I_ don't feel any need to hide.
There could be very good reasons not to put a target on themselves.
Especially with certain crime, like running Botnets for hire or selling online pharmacy pills in huge quantities, those involve a lot of cash and mafia type practices are very likely, it is far better to be able to report information without your name being published publicly.
Yes, I probably should have realized that someone would raise that argument. I reluctantly must grant that you are correct, and that it is theoretically possible that someone desires to make a report but desires to remain anonymous. The solution could be a checkbox on the form, or to simply make those fields of the reporting form in which one could enter personal identity information optional.

The harder problem is the one that I was trying to raise, and that I think cries out far more for a solution, i.e. the fact that once some resource allocation funny business is reported to RIPE (or to ARIN for that matter) that's the last that anybody ever hears of it. As I've tried to point out, I think that this is distinctly counterproductive, both because it discourages everybody from making any such reports in the future and also because it absolutely minimizes the disincentive for both the current perp and future perps to try again to defraud RIPE.

Regards, rfg
Hi,
The harder problem is the one that I was trying to raise, and that I think cries out far more for a solution, i.e. the fact that once some resource allocation funny business is reported to RIPE (or to ARIN for that matter) that's the last that anybody ever hears of it. As I've tried to point out, I think that this is distinctly counterproductive, both because it discourages everybody from making any such reports in the future and also because it absolutely minimizes the disincentive for both the current perp and future perps to try again to defraud RIPE.
I agree. Showing which resources the NCC has received complaints about would be good for transparency. They would have to show the outcome after investigation as well though. An example: you complain about my IP space, this gets published on the RIPE website. Of course I'm innocent so the RIPE NCC will investigate the case and conclude that there is nothing wrong. I wouldn't want the complaint to disappear from the website because that would not be very transparent. But I would really object to the complaint being visible on the website without a note saying: "investigated, found nothing wrong"... I don't mind people complaining, but I do want my name cleared if I'm innocent! ;-) Cheers, Sander
I think we are missing the main point rfg raised and going around in circles about transparency. How do we give enough teeth to ripe ncc's audit processes, and its ip allocation processes, especially through LIRs, so that the issue we are concerned about is mitigated? --srs (htc one x) On 22-Jan-2013 4:47 AM, "Sander Steffann" <sander@steffann.nl> wrote:
Hi,
The harder problem is the one that I was trying to raise, and that I think cries out far more for a solution, i.e. the fact that once some resource allocation funny business is reported to RIPE (or to ARIN for that matter) that's the last that anybody ever hears of it. As I've tried to point out, I think that this is distinctly counterproductive, both because it discourages everybody from making any such reports in the future and also because it absolutely minimizes the disincentive for both the current perp and future perps to try again to defraud RIPE.
I agree. Showing which resources the NCC has received complaints about would be good for transparency. They would have to show the outcome after investigation as well though. An example: you complain about my IP space, this gets published on the RIPE website. Of course I'm innocent so the RIPE NCC will investigate the case and conclude that there is nothing wrong. I wouldn't want the complaint to disappear from the website because that would not be very transparent. But I would really object to the complaint being visible on the website without a note saying: "investigated, found nothing wrong"... I don't mind people complaining, but I do want my name cleared if I'm innocent! ;-)
Cheers, Sander
Suresh, [ using your top-posting style in this reply, to avoid "crossing the streams" ] We can have transparent processes, that have no "teeth" as you say. We can also have strict policies that are enforced in secret. Both transparency and effectiveness are important. I do think ISPs are more likely to support a fair and transparent policy that will punish abusers than they will to support a fair and secretive policy that will punish abusers, because they will have no guarantees that they will be safe under such a system. Cheers, -- Shane On Tuesday, 2013-01-22 07:20:26 +0530, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
I think we are missing the main point rfg raised and going around in circles about transparency.
How do we give enough teeth to ripe ncc's audit processes, and its ip allocation processes, especially through LIRs, so that the issue we are concerned about is mitigated?
Shane - please. Have you actually done any abuse desk work as opposed to DNS, routing, IP allocation etc? Any process, transparent or not - has to have teeth. And any transparency need exist only between RIPE NCC and the LIR or other party with whom they have a contract (and an AUP, and various other policies). Nobody expects RIPE NCC to immediately revoke any IP allocation without its own due diligence. And whether or not a complainer opts in, I would not expect RIPE NCC to publish any complaint data (unless specifically anonymized, and aggregated). The issue here is not whether RIPE NCC reports the largely redundant proposed statistics back to the community - reclaimed IP space is already reported out. The issue is whether RIPE NCC's policies, especially in LIR allocated IP space, are effective to prevent fraudulent registrations, and to weed them out when detected. And whether RIPE NCC staff has the will to enforce these policies, regardless of the size of the customer involved. The only transparency that is actually required (given that data on available and reclaimed v4 space is already reported) is that any new receiver of this reclaimed space would have to be told upfront that the space is poisoned for any further use thanks to its previous ownership. SMTP blocks only, if all there was, was bulk mail .. but IP space reclaimed from a botnet operation would very probably be nullrouted all over the place. --srs On Tuesday, January 22, 2013, Shane Kerr wrote:
Suresh,
[ using your top-posting style in this reply, to avoid "crossing the streams" ]
We can have transparent processes, that have no "teeth" as you say.
We can also have strict policies that are enforced in secret.
Both transparency and effectiveness are important.
I do think ISPs are more likely to support a fair and transparent policy that will punish abusers than they will to support a fair and secretive policy that will punish abusers, because they will have no guarantees that they will be safe under such a system.
Cheers,
-- Shane
On Tuesday, 2013-01-22 07:20:26 +0530, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
I think we are missing the main point rfg raised and going around in circles about transparency.
How do we give enough teeth to ripe ncc's audit processes, and its ip allocation processes, especially through LIRs, so that the issue we are concerned about is mitigated?
-- --srs (iPad)
Sander, On Tuesday, 2013-01-22 00:16:38 +0100, Sander Steffann <sander@steffann.nl> wrote:
Hi,
The harder problem is the one that I was trying to raise, and that I think cries out far more for a solution, i.e. the fact that once some resource allocation funny business is reported to RIPE (or to ARIN for that matter) that's the last that anybody ever hears of it. As I've tried to point out, I think that this is distinctly counterproductive, both because it discourages everybody from making any such reports in the future and also because it absolutely minimizes the disincentive for both the current perp and future perps to try again to defraud RIPE.
I agree. Showing which resources the NCC has received complaints about would be good for transparency. They would have to show the outcome after investigation as well though. An example: you complain about my IP space, this gets published on the RIPE website.
I agree. That was what I tried to suggest. :)
Of course I'm innocent so the RIPE NCC will investigate the case and conclude that there is nothing wrong. I wouldn't want the complaint to disappear from the website because that would not be very transparent. But I would really object to the complaint being visible on the website without a note saying: "investigated, found nothing wrong"... I don't mind people complaining, but I do want my name cleared if I'm innocent! ;-)
Also nice to have. It would also help give some indication of how long investigation takes. Cheers, -- Shane
Ronald, On Monday, 2013-01-21 03:44:57 -0800, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
I can't remember where anymore, but somewhere, a long time ago, I read something about crime & punishment that basically said that for crimes that are particularly easy to pull off, it can be easily seen that those specific types of crimes will run rampant _unless_ the punishment for those few who get caught is made extremely harsh... you know, so that anyone in their right mind would really have to think twice before trying it, even if the odds are only one in a hundred of ever actually getting caught.
Contemporary research tends to suggest that increasing harshness won't help: While the criminal justice system as a whole provides some deterrent effect, a key question for policy development regards whether enhanced sanctions or an enhanced possibility of being apprehended provide any additional deterrent benefits. Research to date generally indicates that increases in the *certainty* of punishment, as opposed to the *severity* of punishment, are more likely to produce deterrent benefits. http://www.sentencingproject.org/doc/deterrence%20briefing%20.pdf Cheers, -- Shane p.s. There is a _Star Trek_ episode which posits that we only need the death penalty to achieve utopia though: http://en.wikipedia.org/wiki/Justice_%28Star_Trek:_The_Next_Generation%29
In message <20130122102802.72514639@shane-desktop>, Shane Kerr <shane@time-travellers.org> wrote:
Ronald,
On Monday, 2013-01-21 03:44:57 -0800, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
I can't remember where anymore, but somewhere, a long time ago, I read something about crime & punishment that basically said that for crimes that are particularly easy to pull off, it can be easily seen that those specific types of crimes will run rampant _unless_ the punishment for those few who get caught is made extremely harsh... you know, so that anyone in their right mind would really have to think twice before trying it, even if the odds are only one in a hundred of ever actually getting caught.
Contemporary research tends to suggest that increasing harshness won't help:
While the criminal justice system as a whole provides some deterrent effect, a key question for policy development regards whether enhanced sanctions or an enhanced possibility of being apprehended provide any additional deterrent benefits. Research to date generally indicates that increases in the *certainty* of punishment, as opposed to the *severity* of punishment, are more likely to produce deterrent benefits.
http://www.sentencingproject.org/doc/deterrence%20briefing%20.pdf
We can agree to disagree about the deterrent value of "harshness", however one part of the overall point I've been making is actually supported by what you have quoted above. Right now, if anything, the only iron-clad 100% certainty that a party who effectively defrauds either ARIN or RIPE out of number resources can have is the 100% certainty that they will NOT be punished in any way.... that they will not pay any sort of a penalty whatsoever and that they will not even be publicly named and shamed... unless that is accomplished independently, by someone entirely outside of RIPE and/or ARIN, i.e. by an independent researcher or journalist such as myself. As I have suggested, it is my belief that it is precisely this widespread certainty regarding the utter lack of punishment for such crimes and misdemeanors that effectively ensures their continued proliferation. Regards, rfg
Ronald, On Monday, 2013-01-21 03:44:57 -0800, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
Public naming and shaming of any and all parties involved should be a part of that, in my opinion, and furthermore I think that a provision which explicitly allows this should be written into all RIPE contracts from now on.... as in "If we catch you doing this, then no, you DON'T get to hide behind any confidentiality provisions within this contract that might otherwise apply."
I agree. I even don't think we should wait until the end of the process! :) There are reasons that trials are matters of the public record, and basically I think they all apply here.
Perhaps something more like a couple of checkboxes on the complaint form which say:
[ ] I wish this complaint to be public. [ ] I wish my name to be included in the public report.
Color me flummoxed.
I can't find "flummoxed" in my crayon box, but maybe I need to get one with more colors. ;)
I _thought_ that we were talking about the (unfortunate) confidentiality now being routinely and contractually provided to RIPE members... even, apparently, utterly fictitious and fraudulent ones... who make off with resources, counter to current allocation policies, via fraud, deceit, or artifice. All of a sudden you seem to be worried about _my_ confidentiality, or lack thereof, or forfeiture thereof.
No, I'm not worried about your confidentiality, however I was trying to think of potential misuse of the system. For example, I might falsely report abuse by a competitor, in order to tarnish their name, and cost them time & money dealing with the report. Because of this, it is in people's interest to have the identity of the abuse reporter public to avoid this issue. HOWEVER, there is also a place for anonymous abuse reporting. People may notice something "funny", but not really be interested in spending a lot of their own effort resolving it. Consider it like an anonymous tip-line that some police departments set up. So when evaluating reports of an LIR's abuse, one could see anonymous reports but view with an additional level of skepticism.
You have a solution in search of a problem.
Well, the main point of the proposal is to have a public archive of abuse reports to the RIPE NCC, not anonymity. The problem that I was attempting to solve is the utter lack of transparency in abuse handling. I readily admit it is probably not the best! Please suggest something else! Cheers, -- Shane
In message <20130122104548.4406e7d9@shane-desktop>, Shane Kerr <shane@time-travellers.org> wrote:
No, I'm not worried about your confidentiality, however I was trying to think of potential misuse of the system.
For example, I might falsely report abuse by a competitor, in order to tarnish their name, and cost them time & money dealing with the report. Because of this, it is in people's interest to have the identity of the abuse reporter public to avoid this issue.
We agree, and you make an excellent point. Here in this country we have (at least) two entirely notorious sagas, both part of our national collective consciousness, that eternally remind us of how accusations by unnamed accusers (or little children) can lead to tragic consequences. One is the Salem Witch Trials. The other is the political era of Senator Joseph McCarthy. Personally, I've been on the Internet for roughly 29 years now, and unlike many others, I've always held the belief that if I want to say anything that might be in the least controversial, that I should have the guts to do so using my own name and my own e-mail address, and that I should _not_ hide behind an alias, a handle, a pseudonym, or a throw-away e-mail address. And I have always stuck to that rule. I just believe that men should take responsibility for their words, as well as for their actions. Call me old-fashioned, anachronistic, or antiquated. I don't care. This is one of my own personal bedrock principles.
HOWEVER, there is also a place for anonymous abuse reporting. People may notice something "funny", but not really be interested in spending a lot of their own effort resolving it. Consider it like an anonymous tip-line that some police departments set up.
See above, re The Salem Witch Trials and/or Sen. Joe McCarthy. In this country we have also experienced more recent but similar traumas revolving around therapist-induced "recovered memories" of children being used to indict many totally innocent caregivers on charges of child abuse (including sexual abuse). http://www.pbs.org/wgbh/pages/frontline/shows/innocence/ All things considered, I personally am not in favor of the whole notion of anonymously lodged complaints. But that's just my personal opinion, and I understand that others do not share this view.
You have a solution in search of a problem.
Well, the main point of the proposal is to have a public archive of abuse reports to the RIPE NCC
That would be good. However that issue is unrelated to, and orthogonal to the question of whether issue reporters should or should not be encouraged or allowed to remain anonymous.
The problem that I was attempting to solve is the utter lack of transparency in abuse handling.
Please proceed. You have my complete support. Getting all the reports online would certainly be a Good Thing. Regards, rfg
Ronald F. Guilmette wrote: [...]
Of course, in my ideal universe, one could achieve much the same ends, but much more efficiently, economically, and expediently simply by revoking a up-front performance bond that all parties contracting with RIPE NCC would be required to post before being allocated resources.
Assuming that everybody has read Shane's description regarding the 2 types of non-profit :-) While it is certainly true that a considerable number of RIPE NCC Members and beneficiaries of its services are (big) commercial companies, we have to keep in mind that the NCC also distributes resources (directly or by way of a sponsoring LIR), to Non-Profits of Type#1, NGOs, very small or start-up companies, even small associations and individuals. What you are suggesting would certainly harm primarily (or even exclusively?) the wrong parties, as the bad guys would certainly have the deep pockets to just pay and forget. :-( [...]
Regards, rfg
Wilfried.
In message <879A3743-07E6-411C-AE53-E3BC06C3585E@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
Now if anyone sees that there has been fraud, people lying to the RIPE NCC, people lying about their need for address space, etc. then that is in violation of the RIPE policies and the RIPE NCC Service Contract. In those cases the RIPE NCC can act and has the mandate of the members to act.
For the benefit of someone... me, in particular... who is not only not a RIPE member, but who is also even physically located outside of the RIPE region, could you elaborate a bit on this "mandate" you speak of? I'm really just curious about one thing. For its region, ARIN actually has an explicit policy that in the event of any person or entity being caught deliberately defrauding ARIN, ARIN will (allegedly[1]) make contact with law enforcement authorities, inform them of the fraud, and (I believe) ask those authorities to take action against the perpetrator(s). It is certainly pleasing to know that RIPE NCC already has in its hand an explicit mandate from the membership to take action to undo the effects of any fraud or frauds that have been perpetrated against it, however I cannot help but be curious as to whether or not that is the outer limit of RIPE NCC's mandate with regards to such incidents. Regards, rfg =-=-=-=-=-=-=-=-=-=-= [1] I am forced to insert the qualifier "allegedly" here because... much to my dismay... I personally am not aware of any actual instance where any fraud artist who has cleverly managed to defraud ARIN out of number resources has ever faced any sort of arrest, let alone any sort of actual prosecution. (Not that there have not been numerous worthy candidates.)
Hi,
For the benefit of someone... me, in particular... who is not only not a RIPE member, but who is also even physically located outside of the RIPE region, could you elaborate a bit on this "mandate" you speak of?
Well, all resource holders must sign a contract these days, and there is an official procedure called 'Closure of Member and Deregistration of Internet Number Resources': https://www.ripe.net/ripe/docs/ripe-578. All members signed the Standard Service Agreement, of which ripe-578 is an integral part. RIPE-578 contains the following text about fraudulent LIRs:

---8<---
Untruthful information
======================

The RIPE NCC concludes the SSA and provides services to Members in good faith. The Member is in breach of good faith in the following cases:

- Falsified/incorrect information
  If the Member repeatedly provides falsified data or information, or purposefully and/or repeatedly provides incorrect data or information (for example, falsified registration documents or IDs, incorrect/inaccurate contact details, etc.)

- Fraudulent requests
  If the Member submits repeatedly fraudulent requests for Internet number resources (for example, providing incorrect purpose/need or falsified information about the network, etc.)

Procedure
=========

The RIPE NCC will:

- Send an email to the registered contact(s) indicating:
  - The reason for termination of the SSA
  - The immediate termination of the SSA
- Terminate the progress of any open requests for RIPE NCC services

The RIPE NCC Managing Director will send an official notification of termination of the SSA (i.e., closure of the Member’s account) to all registered postal and email addresses of the Member.
---8<---

And terminating the SSA (Standard Service Agreement) means: "Upon termination of the SSA, Members lose all rights to RIPE NCC services and their RIPE NCC member status." That section contains the text "The RIPE NCC will deregister the relevant Internet number resource records. The procedure for deregistration is described in section B.2. The RIPE NCC will also revoke any certificates generated by the RIPE NCC Certification Service."
And that also includes independent (PI) resources they hold: "The RIPE NCC will send an official notification to all registered contacts stating that the Independent Internet number resources will be deregistered, explaining the reasons for this deregistration and the procedure for the deregistration. The Member must immediately inform the End User about the imminent deregistration." So yes: the NCC can act on fraud and deregister the resources.
I'm really just curious about one thing. For its region, ARIN actually has an explicit policy that in the event of any person or entity being caught deliberately defrauding ARIN, ARIN will (allegedly[1]) make contact with law enforcement authorities, inform them of the fraud, and (I believe) ask those authorities to take action against the perpetrator(s).
The RIPE documents don't say anything about the RIPE NCC contacting law enforcement AFAIK. With all the different countries and all their different laws that might be harder to do for the RIPE NCC than in the ARIN region. But if it's possible: good idea.
It is certainly pleasing to know that RIPE NCC already has in its hand an explicit mandate from the membership to take action to undo the effects of any fraud or frauds that have been perpetrated against it, however I cannot help but be curious as to whether or not that is the outer limit of RIPE NCC's mandate with regards to such incidents.
I think it's all in RIPE-578. Cheers, Sander
In message <2C4F5FA7-C670-4253-AE43-0C4BF5DE1A21@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
The RIPE documents don't say anything about the RIPE NCC contacting law enforcement AFAIK. With all the different countries and all their different laws that might be harder to do for the RIPE NCC than in the ARIN region. But if it's possible: good idea.
It is not only possible... as the ARIN example would seem to indicate it is even _advisable_. What is the disincentive for these same crooks coming back and doing the same thing all over again next month, using a brand new set of fraudulent documents, signatures, company charters, etc. ? Regards, rfg
Receiving suspected stock fraud solicitation from 83.149.41.69, I query on the RIPE handle AD4211-RIPE and receive no useful data. Why and what to do?

Jeffrey Race
Cambridge Electronics Laboratories

Checking server [whois.ripe.net]
Results:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to 'AD4211-RIPE'

person: Alexander Deulin
address: Russian Federation
address: N.Novgorod, 603000
address: Nartova 6
phone: +7 831 4130000
nic-hdl: AD4211-RIPE
mnt-by: MF-CENTER-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.51.1 (WHOIS4)
In message <CAArzuousy4=M3ZyEbTD13zNJNgt4CTP3-rUzoQ7CHTbmF7Sotg@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
I frankly am inclined to wonder when/if Spamhaus will get around to listing all of the Romanian ASNs and IPv4 ranges that I listed here a couple of days ago. As far as I can see, it is all 100% fraudulent and all 100% being used for snowshoe support. Furthermore, I do not believe that this fact is really all that hard to discern/verify, once the ASNs have been identified. Regards, rfg
On Monday 14 January 2013 23.52, Ronald F. Guilmette wrote:
After a careful investigation, I am of the opinion that each of the following 18 ASNs was registered (via RIPE) with fraudulent information purporting to represent the identity of the true registrant, and that in fact, all 18 of these ASNs were registered by a single party, apparently as part of a larger scheme to provide IP space to various snowshoe spammers.
Thank you very much. Some of them are confirmed spammers, all of them now added to my blocklist. <snipped to save space> 217.19.4.0/24
-- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det är billigare att göra rätt. Det är dyrt att laga fel. )
participants (9)
- Erik Bais
- Jeffrey Race
- peter h
- Richard Hartmann
- Ronald F. Guilmette
- Sander Steffann
- Shane Kerr
- Suresh Ramasubramanian
- Wilfried Woeber