On the abuse handling policy of manitu.net (AS34240)
Manitu.net is a German hosting provider operating AS34240, currently announcing 2.59.84.0/22, 85.116.192.0/19, 89.238.64.0/18, 217.11.48.0/20 and 2a00:1828::/32. I was quite disconcerted to read this notice in their whois record in the RIPE NCC db (within the nic handle MANI-RIPE):

remarks: trouble:+------------------------------------------------+
remarks: trouble:| In case of abuse, e.g. spam, scans, probes,    |
remarks: trouble:| hack attacks, violation or any other illegal   |
remarks: trouble:| activity, please contact                       |
remarks: trouble:|                                                |
remarks: trouble:| abuse@manitu.net                               |
remarks: trouble:|                                                |
remarks: trouble:| IMPORTANT:Your message will probably sent to   |
remarks: trouble:| the customer concerned by an automatic system. |
remarks: trouble:| All of your data, esp. your name, your e-mail  |
remarks: trouble:| address and the content of your message, will  |
remarks: trouble:| be visible to the customer. If you do not      |
remarks: trouble:| agree with this do not use the e-mail address  |
remarks: trouble:| shown above.                                   |
remarks: trouble:|                                                |
remarks: trouble:| Complaints sent to any other contacts cannot   |
remarks: trouble:| be handled in realtime and are therefore not   |
remarks: trouble:| preferred.                                     |
remarks: trouble:|                                                |
remarks: trouble:| Please note that this contact is not           |
remarks: trouble:| responsible for the actions themselves.        |
remarks: trouble:| So please do not blame us for actions of       |
remarks: trouble:| third parties.                                 |
remarks: trouble:+------------------------------------------------+

This is so absurd, I had to read it twice to make sure that I was not misreading it.

They state that they automatically pass all my personal data to abusers if I send a report to them, so that:

* Abusers can listwash me and avoid getting further reports from me
* Abusers can sell my data to other abusers
* Abusers can start harassing me electronically (for instance using list bombing, DDoS etc.) as a retaliation for disturbing their activity
* Abusers could also harass me or my family in real life for the same reason

In this process:

* My personal data are released automatically to third parties without my explicit consent
* Those third parties will presumably remain unknown to me, and the whole process is completely opaque: I will never know where my personal data went.

So this is what a reporter would get back in exchange for doing volunteer work to report incidents to them so that they could run a cleaner network!

This behaviour appears to blatantly violate RIPE-409, section 5 [ https://www.ripe.net/publications/docs/ripe-409#5 ]:

    The ISP MUST ensure that the alleged abuser is NOT informed of the identity of those who are reporting the abuse, except with their explicit permission

and I thought that this was taken for granted by the whole Internet industry.

This brings a lot of suspicion around Manitu GmbH. Who are they? Why are they violating the BCP, probably many privacy laws, putting reporters at danger, and doing such a huge favour to cybercriminals? What benefit are they getting from acting in this way?

In the meanwhile, I would suggest that no one sends anything to Manitu abuse. They have two upstreams, AS9063 (VSE NET) and AS42652 (Inexio): probably their abuse desks should receive all the AS34240 reports, at least until this situation has been clarified.

furio ercolessi
Even worse ...

You've read that, but automated systems will not do, just use the abuse mailbox.

Anyway, I think in general the information they will get if an automated abuse report is sent will not be personal, but from an organization.

In fact, if they send personal data to the "abuser", I think they will be breaking the GDPR, because you need an explicit consent to transfer personal data to third parties, right?

And of course, in front of the law, all this text is "wet paper". If there is a claim because of an abuse case, and their customer doesn't respond, they may be liable.

Regards,
Jordi
@jordipalet

On 19/2/21 21:56, "anti-abuse-wg on behalf of furio ercolessi" <anti-abuse-wg-bounces@ripe.net on behalf of furio+as@spin.it> wrote:

Manitu.net is a German hosting provider operating AS34240 currently announcing 2.59.84.0/22, 85.116.192.0/19, 89.238.64.0/18, 217.11.48.0/20 and 2a00:1828::/32. [...]
JORDI PALET MARTINEZ writes:
Even worse ...
You've read that, but automated systems will not do, just use the abuse mailbox.
It can make sense. When there's an abusive resource, that usually falls in one of these two cases:

a) The customer was compromised by the bad guy
b) The customer itself is the evil guy

For case a) it absolutely makes sense to notify the customer. Moreover, they *should* notify them (independently of other measures they may take). If they aren't aware of the issue, they will hardly fix the vulnerabilities on their site.

For case b) the customer SHALL NOT be notified. The provider itself must handle the complaint, not the evil guy.

Now, every company has its own procedures. A few will directly delete the customer account, even in case a). Some will suspend the website and let the customer clean it themselves. Others will roll the site back to a previous backup, or otherwise delete the extraneous files themselves.

Some companies pass along the complaints to the customer. Especially when the server is fully administered by the customer, as seems to be offered by this company ("dedizierte Root-Server"). Some companies will oversee that the customer does handle such complaints in a satisfactory way. I'm afraid others won't.

But I see no problem in that they forward _certain_ reports to the customer. Ideally, the company itself would have someone handling the queue and classifying if the report is spam and must be discarded, if it should be passed to the customer to take action (albeit not necessarily providing the details of the sender!), or investigated by the provider. Using an automated mechanism does result in faster processing, at the cost of lower quality.

I appreciate that they openly reveal their policy. We reported some case explicitly stating not to send it to the customer, just to receive a "We have passed this to the customer" response.

I sorely miss that they included a slow way to contact them in that banner (the hostmaster account, I guess?) for the case you don't want it forwarded but, if properly managed (which we don't know if they do), an automated system which automatically handles most reports could be acceptable. Not ideal, but still somewhat acceptable.

Note we don't know if it's a dumb system that forwards everything, or if it's smart enough to identify the typology of most mails and decide based on a number of factors if it should be forwarded or not. Nor how this compares with the humans that would otherwise be handling such a queue manually.

Best regards

-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
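Ángel's message above describes the ideal handling: classify each report and, where it is passed to the customer, strip the sender's details, which is also the RIPE-409 section 5 requirement furio quotes. The following Python sketch is an added example (not code from any participant or from manitu.net) of that sanitising step for an automated forwarder; the hoster, customer and ticket values are assumed placeholders and the report is a constructed sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SIG_SEPARATOR = re.compile(r"^-- ?$", re.MULTILINE)  # RFC 3676 signature marker


def anonymise_report(raw: bytes, abuse_mailbox: str, customer: str, ticket: str) -> EmailMessage:
    """Build a fresh message to the customer carrying only the technical evidence."""
    original = email.message_from_bytes(raw, policy=policy.default)
    reporter_name, reporter_addr = parseaddr(original.get("From", ""))
    part = original.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # 1. Cut the reporter's signature block (everything from "-- " onward).
    match = SIG_SEPARATOR.search(body)
    if match:
        body = body[: match.start()]
    # 2. Redact the reporter's address and name where the quoted spam sample
    #    repeats them (To:, Delivered-To:, "Received: ... for <...>").
    for ident in (reporter_addr, reporter_name):
        if ident:
            body = body.replace(ident, "[reporter redacted]")
    # 3. Start from an empty message: only the subject is copied, so From,
    #    Reply-To, Message-ID and the Received chain of the report never leak.
    out = EmailMessage()
    out["From"] = abuse_mailbox
    out["Reply-To"] = abuse_mailbox  # answers go to the abuse desk, not the reporter
    out["To"] = customer
    out["Subject"] = f"[{ticket}] {original.get('Subject', 'abuse report')}"
    out.set_content(
        "An abuse report concerning a resource in your account was received.\n"
        "The reporter's identity is withheld (RIPE-409 section 5); reply to\n"
        f"{abuse_mailbox} quoting ticket {ticket}.\n\n"
        "--- report, evidence only ---\n" + body
    )
    return out


def leaked_identifiers(msg: EmailMessage, *identifiers: str) -> list[str]:
    """Check helper: return each identifier still present in headers or decoded body."""
    text = "\n".join(f"{k}: {v}" for k, v in msg.items()) + "\n" + msg.get_content()
    return [ident for ident in identifiers if ident and ident in text]


# Constructed sample (not a real message): a complaint that carries the
# reporter's identity in From, Reply-To, the quoted headers and a signature.
RAW_REPORT = b"""\
From: Jane Reporter <jane@example.net>
Reply-To: jane@example.net
To: abuse@hoster.example
Subject: Spam from 203.0.113.7

Please deal with the following spam sent from your network.

Received: from [203.0.113.7] for <jane@example.net>
From: "Great Offers" <offers@customer-site.example>
To: jane@example.net
Subject: Cheap pills

buy now

--
Jane Reporter, postmaster
"""
```

The forwarded copy keeps the evidence (source IP, the sending account, the sample) while the reporter's name and address appear nowhere in it; `leaked_identifiers` is the check a desk would run before each automated forward.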
furio ercolessi wrote on 19/02/2021 20:55:
This is so absurd, I had to read it twice to make sure that I was not misreading it. They state that they automatically pass all my personal data to abusers if I send a report to them, so that:
It's difficult to see how this is fully compatible with the GDPR. Have you opened up a case with the Data Protection Office in Italy? Germany has strong data privacy laws, so there may be a legal way of handling this.

Nick
It sounds GDPR legal. After all, they are telling you exactly what will happen with anything that you send there, so by sending it there in full knowledge, you are essentially consenting to that processing of your data.

Also, German courts have ruled that in-between service providers are only liable for taking action after the complainant has raised the issue with the party that is directly violating the rights of the complainant, or their hosting provider, and those efforts have proven futile or can be objectively deemed to be futile from the outset.

And finally, who says their customers are the abusers? In many cases, their customers may be the victims as well, without their knowledge, for example due to a compromised CMS, and would indeed be the best person to address the issue you may want to see resolved.

-- 
Volker A. Greimann

On Fri, Feb 19, 2021 at 10:07 PM Nick Hilliard <nick@foobar.org> wrote:
it's difficult to see how this is fully compatible with the GDPR. Have you opened up a case with the Data Protection Office in Italy? Germany has strong data privacy laws, so there may be a legal way of handling this.
Nick
Am 20.02.21 um 01:39 schrieb Volker Greimann:
It sounds GDPR legal. After all, they are telling you exactly what will happen with anything that you send there, so by sending it there in full knowledge, you are essentially consenting to that processing of your data.
That may or may not be true, I'm not a legal expert. It sounds essentially like a protective clause that indemnifies them in case they've given your data to a criminal who then begins to harass you. Note that the reasonability of such protective clauses may be dubious, and their legality tends to be undefined until they are tested in courts. Protective clauses often don't fully consider the rights of one side, for example I would be fairly sure that giving my private data to a spamming customer who stays anonymous to me would be a blatant violation of *my* rights.
Also, German courts have ruled that in-between service providers are only liable for taking action after the complainant has raised the issue with the party that is directly violating the rights of the complainant, or their hosting provider and those efforts have proven futile or can be objectively deemed to be futile from the outset. And finally, who says their customers are the abusers? In many cases, their customers may be the victims as well, without their knowledge, for example due to compromised CMS and would indeed be the best person to address the issue you may want to see resolved.
I have been working as a part-time postmaster for quite a bit over 30 years, and I am pretty capable of distinguishing between compromised resources (web sites or mail accounts) and spammer-owned resources in most cases, thank you very much :-)

As an abuse reporter, I need to decide which parties I can or cannot trust in which respects. If a hosting company hosts customers for prolonged times that are to the best of my knowledge blatant abusers, I simply cannot trust that company to handle my abuse reports properly. Whether they claim to keep my personal data safe or give it to their customer doesn't really matter, I must assume that they are acting in the interests of their abusive customers and therefore not in my interest. The only sensible action is to block their network completely to protect my users. I'm not trying to talk to such a provider anymore.

In the case of Manitu, I'd probably give them the benefit of the doubt as they are actively sponsoring a useful DNSBL and a spamfighting forum, and I'm not aware of any spammers hosted by them. When I see that abuse is most likely caused by compromised resources, I tend to send abuse reports through spamcop, which should be delivered with enough technical info to analyze the problem but still somewhat shield my identity.

Of course, dynamic IPs are a special case, they are blocked without discussion, and providers who don't respond to and act on abuse reports will be blocked, too. I just don't have enough time to play games with providers. We are doing them a favor by notifying them of problems in their network, we don't request a service. If they don't want to be notified, so be it.

Cheers,
Hans-Martin
Volker Greimann wrote on 20/02/2021 00:39:
It sounds GDPR legal. After all, they are telling you exactly what will happen with anything that you send there, so by sending it there in full knowledge, you are essentially consenting to that processing of your data.
The best that could be said in this situation is that it's not clear. If you're reporting an abuse complaint to a responsible provider with clearly documented abuse processes which are carefully followed, and who has a good relationship with a responsible client who has clearly documented abuse processes which are carefully followed, then maybe this might be ok. OTOH if it's a bulletproof hoster with poor processes / process compliance and the client abuses abuse reports (e.g. uses them to confirm that emails are still active), then that's less likely to be in any way legal. But a priori, you don't know.

Also GDPR consent compliance isn't achieved by "telling you exactly what will happen with anything that you send there". The European Data Protection Board has extensive documentation on GDPR interpretation:
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recom...
of which the document regarding Consent is well worth reading:
https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-05...
Specifically it notes: "As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid".

tl;dr: ianal + the OP's case would benefit from analysis by an actual lawyer with competence in this complex area. The above is purely speculation.

Nick
In message <YDAlwVe1ee9CSh9L@largheg.giato>, furio ercolessi <furio+as@spin.it> wrote:
remarks: trouble:| abuse@manitu.net | remarks: trouble:| | remarks: trouble:| IMPORTANT:Your message will probably sent to | remarks: trouble:| the customer concerned by an automatic system. | ...
This is so absurd, I had to read it twice to make sure that I was not misreading it. They state that they automatically pass all my personal data to abusers if I send a report to them...
A representative of Digital Ocean told me point blank that they have the exact same policy. They just don't put it into their WHOIS records. Until there is some serious downside, companies will continue to get away with this shit without paying any price for this asshole-ness.

Regards,
rfg