While I agree, there are some others guilty of that, viz. the repeated accusation that ISPs (and the RIPE NCC) are criminals (or at least in league with such etc. Seemingly, they have yet to be banned from this list.

KKKKKKKKKKKKKKKKKKKK

If nobody is to be allowed to ridicule or criticise the "other" side - and the contributor has a valid point, however annoyingly presented, it is not a "community" but a "cult".

K K K

Agreed. So, if censorship be it, please remove all the other trolls, including their sockpuppets, from this list. I suspect it will be a very quiet one after that and perhaps deservedly so.

Either we learn to live with the contradictory or we will burn crosses and wear hoods. Marilson From: anti-abuse-wg-request@ripe.net Sent: Thursday, February 16, 2017 2:45 PM To: anti-abuse-wg@ripe.net Subject: anti-abuse-wg Digest, Vol 63, Issue 19 Send anti-abuse-wg mailing list submissions to anti-abuse-wg@ripe.net To subscribe or unsubscribe via the World Wide Web, visit https://lists.ripe.net/mailman/listinfo/anti-abuse-wg or, via email, send a message with subject or body 'help' to anti-abuse-wg-request@ripe.net You can reach the person managing the list at anti-abuse-wg-owner@ripe.net When replying, please edit your Subject line so it is more specific than "Re: Contents of anti-abuse-wg digest..." Today's Topics: 1. WG Chair Mailing List Decision (Brian Nisbet) 2. Re: The well-behaved ISP's role in spamfight (Max Grobecker) 3. Re: WG Chair Mailing List Decision (Sascha Luck [ml]) 4. Re: WG Chair Mailing List Decision (Suresh Ramasubramanian) 5. Re: WG Chair Mailing List Decision (ox) 6. Re: WG Chair Mailing List Decision (Brian Nisbet) ---------------------------------------------------------------------- Message: 1 Date: Thu, 16 Feb 2017 13:05:19 +0000 From: Brian Nisbet <brian.nisbet@heanet.ie> To: "'anti-abuse-wg@ripe.net'" <anti-abuse-wg@ripe.net> Cc: "aa-wg-chair@ripe.net" <aa-wg-chair@ripe.net> Subject: [anti-abuse-wg] WG Chair Mailing List Decision Message-ID: <e3b44f81-c9d7-5680-c70e-526aba509889@heanet.ie> Content-Type: text/plain; charset=utf-8 Colleagues, This morning Tobias and I asked the NCC to take the very unusual step, effectively immediately, of removing the person behind svenk@xs4all.nl from the Anti-Abuse WG mailing list. This was not done lightly, rather it was done to safeguard this community. We would ask the members not to forward any of their mails to the list, nor to include them in list discussions. This mailing list is a place to discuss network abuse (of all sorts, not just spam) amongst ISPs, LEAs, Governments, Enterprise Networks and any concerned Internet Citizens. It is not a place to insult, to decry, to repeatedly state the same point over and over or to discriminate against other members of the community based on their race, creed, gender or sexual preferences. If we cannot maintain a list upon which reasonable discussion can take place, then it leaves our community in a weakened state. Tobias and I discussed this matter with Hans Petter Holen, the RIPE Chair, and we have arrived at this course of action. The Co-Chairs are happy to answer reasonable questions off-list. Of course this is a community mailing list, so we are also happy for discussion to take place here. However, as with all discussions, we would ask that if people do wish for this, that it remain respectful and on topic. If required we can devote some time to discussion of this at RIPE74. Brian & Tobias Co-Chairs, RIPE AA-WG ------------------------------ Message: 2 Date: Thu, 16 Feb 2017 14:42:19 +0100 From: Max Grobecker <max.grobecker@ml.grobecker.info> To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] The well-behaved ISP's role in spamfight Message-ID: <79675681-d0cd-9b0f-4f00-75b1f6bbb234@ml.grobecker.info> Content-Type: text/plain; charset="utf-8" Hi, Am 13.02.2017 um 22:18 schrieb peter h:

There is not any req that all customers always should be forced to use ISP relays, the default behaviour might be to use ISP relays, and to have DHCP given address. But for an extra service one could obtain a fixed address, and as extra service, use port 25. The main point is to have those "unaware" users, whos computers might be stolen, prevented. They won't notice, and they don't get harmed.

The best practice should be to (automatically?) block port 25 as soon as there are complaints about SPAM being sent from the according account. Maybe some good reputated blacklist providers could work together with ISPs to provide them real-time notifications for their IP allocations based on a kind of "push service". Then (as a provider) you have: A) Customers that can use any port unfiltered and are not complaining about blocked ports in your support department. B) If you receive notifications about SPAM being sent you have a good reason to block specific ports for this user (and, of course, send a notification to the customer). C) The customer is made aware that something inside his network is infected with malware which should get cleaned. The provider could offer help, fees apply. If I block port 25 outgoing by default, the user can sit there for ages in his home network while the malware is trying to send SPAM - but the customer won't notice. "Yes, of course, the computer is very slow, but..." As soon as the user moves his infected laptop to another network which don't have this blocking policy for whatever reason, the malware fires out its offers for medication to improve specific parts of the male body. And, besides of SPAM, there are also other services that are getting targeted by malware - for example SIP. You can set up a SIP server, reachable to the whole world on port 5060/UDP and you get a feeling that specific parts of the internet are trying to place phone calls to countries you wouldn't even find on a map ;-) THAT is more than a bit inconvenient - it's really harmful and costs real money (much money). But: Would you block port 5060 by default? And which other ports, too? And what about bruteforce attacks against websites? And why aren't ISPs blocking incoming packets to port 1900/UDP or port 5454/UDP by default, which are misused for DDoS attacks? I think blocking ports by default isn't the cure. It's just raising support volumes. IMHO the better way is to let customers learn from it (when they get instant notifications as soon as malware starts attacking others). Max