Hi

I hope I am not out of place here, but this is my experience today and the problem I find I have because of the broken contacts information via the whois.

This morning I received a fraudulent spam claiming to be from the Bank of Ireland with an attached form to be filled in. I was going to delete it as usual but decided that these types of email fraud need to be reported in order to protect others.

I checked out the form and found the form contact link: <a href="http://masserialojazzo.it/wp-admin/user/login.html">MBNA Online</a>

$ host masserialojazzo.it
masserialojazzo.it has address 46.252.206.1
;; connection timed out; no servers could be reached
masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.

And then I whoised

$ whois 46.252.206.1
inetnum: 46.252.200.0 - 46.252.207.255
netname: GDNL-46-252-200-0-TO-207-255
descr: Customer
country: NL
admin-c: WR1096-RIPE
tech-c: WR1096-RIPE
status: ASSIGNED PA
mnt-by: MNT-GDG-NL
source: RIPE # Filtered

person: Will Regg
address: H.J.E. Wenckebachweg 127 1096 AM Amsterdam
phone: +14805058877
nic-hdl: WR1096-RIPE
source: RIPE # Filtered

As you may notice, there is no suitable email contact at all. (Writing a letter and posting it off didn't seem a useful option!)

This was an email fraud. I, as a reasonable individual trying to do my civic duty and possibly prevent someone with less 'cop on' from being scammed, was utterly wasting my time trying to do anything. There was no abuse contact.

If RIPE and ICANN and others want to do anything at all regarding spam, and scams and net abuse etc one of the first actions should be to ensure there are correct contacts for every ISP so at least scams and illegal activity can be reported.

I would also suggest that a default abuse address be insisted upon eg abuse@wherever.doh as I have found many a frustrating experience emailing a named administrator who has left the company and whose email is dead.

Perhaps someone was scammed by this same email today. A quick report and possibly a quick shutdown of that link may have achieved something positive.

I also have a web site which is attacked on a regular basis and I try and make a point of reporting them all. In some cases with very positive results eg a compromised server found etc. I consider that trying to close these people down is the only way to prevent things getting totally out of hand. The problem is that approximately 1 in 4 abuse email addresses are incorrect and the email is returned undelivered.

These are my frustrating experiences.

As I said, I hope I am not out of place here, pointing this out.

Regards
Lou Gogan
Saula, Achill, Co Mayo, Ireland.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LINUX - bringing joy and creativity to computing.
Registered Linux user number 478188
www.lougogan.com
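The following Python parser is an added example, not part of the original message and not RIPE NCC code. It reads a whois reply such as the one quoted above, lists the "abuse-mailbox:" and "e-mail:" attributes of each object, and separates "no address in the database" from "no address shown": the "# Filtered" remark on the "source:" lines means the server withheld "e-mail:" attributes from this reply, which the RIPE whois "-B" query flag turns off. Function names and the three verdict strings are illustrative.

```python
CONTACT_ATTRS = ("abuse-mailbox", "e-mail")  # attributes that can hold a reporting address

# whois reply quoted in the message above, one attribute per line.
SAMPLE = """\
inetnum: 46.252.200.0 - 46.252.207.255
netname: GDNL-46-252-200-0-TO-207-255
descr: Customer
country: NL
admin-c: WR1096-RIPE
tech-c: WR1096-RIPE
status: ASSIGNED PA
mnt-by: MNT-GDG-NL
source: RIPE # Filtered

person: Will Regg
address: H.J.E. Wenckebachweg 127 1096 AM Amsterdam
phone: +14805058877
nic-hdl: WR1096-RIPE
source: RIPE # Filtered
"""

def parse_objects(text):
    """Split a whois reply into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines() + [""]:     # trailing "" flushes the last object
        if line.startswith("%"):              # server comment, not part of any object
            continue
        if not line.strip():                  # a blank line closes the current object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:   # continuation line of the previous value
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {line[1:].strip()}".strip())
        elif ":" in line:
            attr, value = line.split(":", 1)
            current.append((attr.strip().lower(), value.strip()))
    return objects

def contact_report(text):
    """One entry per object: addresses shown, and whether the reply was filtered."""
    report = []
    for obj in parse_objects(text):
        def values(name):
            return [v for a, v in obj if a == name]
        report.append({
            "type": obj[0][0],
            "key": (values("nic-hdl") or [obj[0][1]])[0],
            "emails": [v.split("#")[0].strip() for a in CONTACT_ATTRS for v in values(a)],
            "filtered": any("filtered" in v.lower() for v in values("source")),
            "refs": sorted(set(values("admin-c") + values("tech-c"))),
        })
    return report

def verdict(text):
    """'found', 'inconclusive' (filtered reply, nothing shown) or 'none'."""
    report = contact_report(text)
    if any(o["emails"] for o in report):
        return "found"
    return "inconclusive" if any(o["filtered"] for o in report) else "none"

if __name__ == "__main__":
    print(contact_report(SAMPLE))
    print("verdict:", verdict(SAMPLE))
```

For the reply quoted in this thread the verdict is "inconclusive": neither object shows an address, but both are marked as filtered.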
On 4 Nov 2011, at 19:37, Lou Gogan wrote:
> Hi
>
> I hope I am not out of place here, but this is my experience today and the problem I find I have because of the broken contacts information via the whois.
>
> This morning I received a fraudulent spam claiming to be from the Bank of Ireland with an attached form to be filled in. I was going to delete it as usual but decided that these types of email fraud need to be reported in order to protect others.

In the case of a phish you should report it to the bank.

> I checked out the form and found the form contact link: <a href="http://masserialojazzo.it/wp-admin/user/login.html">MBNA Online</a>
>
> $ host masserialojazzo.it
> masserialojazzo.it has address 46.252.206.1
> ;; connection timed out; no servers could be reached
> masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
> masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.
>
> And then I whoised
>
> $ whois 46.252.206.1
> inetnum: 46.252.200.0 - 46.252.207.255
> netname: GDNL-46-252-200-0-TO-207-255
> descr: Customer
> country: NL
> admin-c: WR1096-RIPE
> tech-c: WR1096-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-GDG-NL
> source: RIPE # Filtered
>
> person: Will Regg
> address: H.J.E. Wenckebachweg 127 1096 AM Amsterdam
> phone: +14805058877
> nic-hdl: WR1096-RIPE
> source: RIPE # Filtered
>
> As you may notice, there is no suitable email contact at all. (Writing a letter and posting it off didn't seem a useful option!)
>
> This was an email fraud. I, as a reasonable individual trying to do my civic duty and possibly prevent someone with less 'cop on' from being scammed, was utterly wasting my time trying to do anything. There was no abuse contact.

Did the email actually come from that IP or from another one?

> If RIPE and ICANN and others want to do anything at all regarding spam, and scams and net abuse etc one of the first actions should be to ensure there are correct contacts for every ISP so at least scams and illegal activity can be reported.

There has been lengthy discussion on this subject on this mailing list and elsewhere

> I would also suggest that a default abuse address be insisted upon eg abuse@wherever.doh as I have found many a frustrating experience emailing a named administrator who has left the company and whose email is dead.
>
> Perhaps someone was scammed by this same email today. A quick report and possibly a quick shutdown of that link may have achieved something positive.
>
> I also have a web site which is attacked on a regular basis and I try and make a point of reporting them all. In some cases with very positive results eg a compromised server found etc. I consider that trying to close these people down is the only way to prevent things getting totally out of hand. The problem is that approximately 1 in 4 abuse email addresses are incorrect and the email is returned undelivered.
>
> These are my frustrating experiences.
>
> As I said, I hope I am not out of place here, pointing this out.
>
> Regards
> Lou Gogan
> Saula, Achill, Co Mayo, Ireland.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LINUX - bringing joy and creativity to computing.
> Registered Linux user number 478188
> www.lougogan.com

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Hi Michele

On Friday 04 November 2011 19:04:17 you wrote:
> On 4 Nov 2011, at 19:37, Lou Gogan wrote:
> > Hi
> >
> > I hope I am not out of place here, but this is my experience today and the problem I find I have because of the broken contacts information via the whois.
> >
> > This morning I received a fraudulent spam claiming to be from the Bank of Ireland with an attached form to be filled in. I was going to delete it as usual but decided that these types of email fraud need to be reported in order to protect others.
>
> In the case of a phish you should report it to the bank.

Didn't think of that. Doh! Though I still think a direct contact with the IP would close down that fraudulent link immediately.

> > I checked out the form and found the form contact link: <a href="http://masserialojazzo.it/wp-admin/user/login.html">MBNA Online</a>
> >
> > $ host masserialojazzo.it
> > masserialojazzo.it has address 46.252.206.1
> >
> > And then I whoised
> >
> > $ whois 46.252.206.1

~~~ snip ~~~

> > As you may notice, there is no suitable email contact at all. (Writing a letter and posting it off didn't seem a useful option!)
> >
> > This was an email fraud. I, as a reasonable individual trying to do my civic duty and possibly prevent someone with less 'cop on' from being scammed, was utterly wasting my time trying to do anything. There was no abuse contact.
>
> Did the email actually come from that IP or from another one?

According to spamcop: virginmedia.com - I sent virginmedia.com an email report

> > If RIPE and ICANN and others want to do anything at all regarding spam, and scams and net abuse etc one of the first actions should be to ensure there are correct contacts for every ISP so at least scams and illegal activity can be reported.
>
> There has been lengthy discussion on this subject on this mailing list and elsewhere
>
> > I would also suggest that a default abuse address be insisted upon eg abuse@wherever.doh as I have found many a frustrating experience emailing a named administrator who has left the company and whose email is dead.
> >
> > Perhaps someone was scammed by this same email today. A quick report and possibly a quick shutdown of that link may have achieved something positive.
> >
> > Regards
> > Lou Gogan
> > Saula, Achill, Co Mayo, Ireland.
> > LINUX - bringing joy and creativity to computing.
> > Registered Linux user number 478188
> > www.lougogan.com
>
> Mr Michele Neylon
> http://www.blacknight.com/
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Hi,

> Though I still think a direct contact with the IP would close down that fraudulent link immediately.

There's no reason you can't do both. If you report it to the bank they have an interest in stopping the criminals while the network operators just have an interest in them moving on.

Regards,
Leo Vegoda
On Friday, 04.11.2011, 15:28 -0700, Leo Vegoda wrote:
> Hi,
>
> > Though I still think a direct contact with the IP would close down that fraudulent link immediately.
>
> There's no reason you can't do both. If you report it to the bank they have an interest in stopping the criminals while the network operators just have an interest in them moving on.

Might be true but if such things would happen in my scope of responsibility, I'd have no reason to *not* take this offline immediately. If I know (and there is the problem!)

If you report such a thing at abuse@MYDOMAIN, promised, someone will wake me up at 4 o'clock and we'll turn it off.... That's how things should be, isn't it ? ;)

I guess there are far enough responsible people out there, to solve such issues right away - but only if they have the tools to verify! and the "rights" to react.. Currently we haven't..(as the thread-starter noticed)

This is IMHO not a matter of privacy (in terms of ISP - which we all are?) but more bureaucracy burdens, legal stuff.. So I also wait what comes up there, I'll support it.

Long discussions, ok, but at some point in time there also has to be a decision: do we want anonymous IP's in the RIPE region or not ? Should it be possible to have an anonymous Scam/Spam-IP? I'd say no.

(sure that banks also badly failed to have secure methodologies, but that's not my scope, I have to take care about secure networks & IP ;))

Michael
On Friday 04 November 2011 22:28:10 Leo Vegoda wrote:
> Hi,
>
> > Though I still think a direct contact with the IP would close down that fraudulent link immediately.
>
> There's no reason you can't do both. If you report it to the bank they have an interest in stopping the criminals while the network operators just have an interest in them moving on.
>
> Regards,
> Leo Vegoda

Hi Leo

You are missing the point entirely.

Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all around the world merely because they are pretending to be the BOI.

This is an attempt to steal money from people. It is a crime. The only main contact with the criminals is the ISP. They will know the actual contact details of the criminals, hopefully, and can act on that, or at the very least shut that link down pronto.

Secondly, there are many scams out there trying to con people into giving details of their credit cards etc with no direct connection to any bank - thus the abuse contact details still should be easy to obtain so a report can be sent from anyone aware of a fraud attempt, even a Lou Blogs.

Thought experiment: If you saw a bank robbery and the thieves were using a HONDA as the getaway car, would you contact HONDA or would you contact the police? To a certain degree you are saying I should contact Honda, whereas I would consider contacting the police, or someone who can contact the police - in this case the ISP.

Slán
Lou
Achill, Ireland - where the sun shines from morning till night . . . . . . . . . . above the rain clouds 8=(
On 5 Nov 2011, at 09:14, Lou Gogan wrote:
> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all around the world merely because they are pretending to be the BOI.

Actually it is ..

> This is an attempt to steal money from people. It is a crime. The only main contact with the criminals is the ISP.

That's based on an assumption that the ISP / hosting provider actually has contact with the phisher. In most cases they wouldn't, as the bulk of phishing attacks go via compromised hosting accounts and / or accounts that lead to chargebacks

> They will know the actual contact details of the criminals,

Doubtful - see above

> hopefully, and can act on that, or at the very least shut that link down pronto.
>
> Secondly, there are many scams out there trying to con people into giving details of their credit cards etc with no direct connection to any bank - thus the abuse contact details still should be easy to obtain so a report can be sent from anyone aware of a fraud attempt, even a Lou Blogs.
>
> Thought experiment: If you saw a bank robbery and the thieves were using a HONDA as the getaway car, would you contact HONDA or would you contact the police? To a certain degree you are saying I should contact Honda, whereas I would consider contacting the police, or someone who can contact the police - in this case the ISP.

I'm really finding it hard to follow that analogy.

Regards
Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
On Nov 5, 2011, at 2:14 am, Lou Gogan wrote: […]
> You are missing the point entirely.
>
> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all around the world merely because they are pretending to be the BOI.

I don't know how you came up with that one. At the very least, a responsible bank should work with the relevant law enforcement agencies.

> This is an attempt to steal money from people. It is a crime. The only main contact with the criminals is the ISP. They will know the actual contact details of the criminals, hopefully, and can act on that, or at the very least shut that link down pronto.

You're assuming the baddies bought accounts instead of just hacking someone else's server.

> Secondly, there are many scams out there trying to con people into giving details of their credit cards etc with no direct connection to any bank - thus the abuse contact details still should be easy to obtain so a report can be sent from anyone aware of a fraud attempt, even a Lou Blogs.

Abuse contact details are only useful when there is a properly resourced set of people behind them. Without that they are at best worthless and at worst dangerously misleading.

I'm all in favour of ISPs doing the right thing but ISPs are only part of the story and they each only see a small slice of the picture. The kind of abuse described in this thread needs to be addressed by the brand owner as well as the ISP because the brand owner will want to minimise its association with fraudsters.

Regards,
Leo
Lou,

On Sat, 2011-11-05 at 09:14 +0000, Lou Gogan wrote:
> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all around the world merely because they are pretending to be the BOI.

I mostly agree with you, but would like to point out that banks call this sort of thing "identity theft". They make it the problem of the people being impersonated, even though that person has nothing to do with what is going on. ;)

--
Shane
Shane -

1. It depends, you will find enough banks actively engaged in pursuing phish sites [if you are in the right forums for that, and the right forum for that is not anywhere IP allocation, routing and dns are about the only content you'll find]

2. The "we are not the X police" meme needs to be taken out and shot.

On Mon, Nov 7, 2011 at 6:22 PM, Shane Kerr <shane@time-travellers.org> wrote:
> On Sat, 2011-11-05 at 09:14 +0000, Lou Gogan wrote:
> > Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all around the world merely because they are pretending to be the BOI.
>
> I mostly agree with you, but would like to point out that banks call this sort of thing "identity theft". They make it the problem of the people being impersonated, even though that person has nothing to do with what is going on. ;)

--
Suresh Ramasubramanian (ops.lists@gmail.com)
Hi Lou,

there is already a Task Force in place trying to solve the fact of missing abuse contact information.

http://www.ripe.net/ripe/groups/tf/abuse-contact

We will publish a policy proposal soon. Feel free to support the proposal here on the list as soon as we will post it.

Thanks,
Tobias

On 04.11.11 19:37, Lou Gogan wrote:
> Hi
>
> I hope I am not out of place here, but this is my experience today and the problem I find I have because of the broken contacts information via the whois.
>
> This morning I received a fraudulent spam claiming to be from the Bank of Ireland with an attached form to be filled in. I was going to delete it as usual but decided that these types of email fraud need to be reported in order to protect others.
>
> I checked out the form and found the form contact link: <a href="http://masserialojazzo.it/wp-admin/user/login.html">MBNA Online</a>
>
> $ host masserialojazzo.it
> masserialojazzo.it has address 46.252.206.1
> ;; connection timed out; no servers could be reached
> masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
> masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.
>
> And then I whoised
>
> $ whois 46.252.206.1
> inetnum: 46.252.200.0 - 46.252.207.255
> netname: GDNL-46-252-200-0-TO-207-255
> descr: Customer
> country: NL
> admin-c: WR1096-RIPE
> tech-c: WR1096-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-GDG-NL
> source: RIPE # Filtered
>
> person: Will Regg
> address: H.J.E. Wenckebachweg 127 1096 AM Amsterdam
> phone: +14805058877
> nic-hdl: WR1096-RIPE
> source: RIPE # Filtered
>
> As you may notice, there is no suitable email contact at all. (Writing a letter and posting it off didn't seem a useful option!)
>
> This was an email fraud. I, as a reasonable individual trying to do my civic duty and possibly prevent someone with less 'cop on' from being scammed, was utterly wasting my time trying to do anything. There was no abuse contact.
>
> If RIPE and ICANN and others want to do anything at all regarding spam, and scams and net abuse etc one of the first actions should be to ensure there are correct contacts for every ISP so at least scams and illegal activity can be reported.
>
> I would also suggest that a default abuse address be insisted upon eg abuse@wherever.doh as I have found many a frustrating experience emailing a named administrator who has left the company and whose email is dead.
>
> Perhaps someone was scammed by this same email today. A quick report and possibly a quick shutdown of that link may have achieved something positive.
>
> I also have a web site which is attacked on a regular basis and I try and make a point of reporting them all. In some cases with very positive results eg a compromised server found etc. I consider that trying to close these people down is the only way to prevent things getting totally out of hand. The problem is that approximately 1 in 4 abuse email addresses are incorrect and the email is returned undelivered.
>
> These are my frustrating experiences.
>
> As I said, I hope I am not out of place here, pointing this out.
>
> Regards
> Lou Gogan
> Saula, Achill, Co Mayo, Ireland.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LINUX - bringing joy and creativity to computing.
> Registered Linux user number 478188
> www.lougogan.com
On Friday 04 November 2011 19:29:14 Tobias Knecht wrote:
> Hi Lou,
>
> there is already a Task Force in place trying to solve the fact of missing abuse contact information.
>
> http://www.ripe.net/ripe/groups/tf/abuse-contact
>
> We will publish a policy proposal soon. Feel free to support the proposal here on the list as soon as we will post it.
>
> Thanks,
> Tobias

Hi Tobias

I'll watch out for it.

Danke
Lou

Regards
Lou Gogan
Saula, Achill, Co Mayo, Ireland.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LINUX - bringing joy and creativity to computing.
Registered Linux user number 478188
www.lougogan.com
On Fri, Nov 04, 2011 at 06:37:48PM +0000, Lou Gogan wrote:

Hey Lou,

> $ whois 46.252.206.1
> inetnum: 46.252.200.0 - 46.252.207.255
> As you may notice, there is no suitable email contact at all. (Writing a letter

Besides all mentioned solutions, you could go upstream with your complaints. At least, they should have a valid contact.

Cheers,
Adrian
participants (8)
- Leo Vegoda
- Lou Gogan
- Michael Markstaller
- Michele Neylon :: Blacknight
- ripe-wg-antiabuse@kyubu.de
- Shane Kerr
- Suresh Ramasubramanian
- Tobias Knecht