Re: [anti-abuse-wg] Spam FAQs need revision, was 2011-06 New Policy
Hi Laura, You mentioned: #We have published new FAQs on spam/hacking. You can find them online at: # http://www.ripe.net/data-tools/db/faq/faq-hacking-spamming Tremendous improvement, thank you! One suggestion for the last item ("Where can I find out more about spam/hacking?"), which currently only has two items, would be to add additional resources, perhaps: -- Messaging Anti-Abuse Working Group (http://www.maawg.org/) -- Spamhaus (http://www.spamhaus.org/) -- Spamwiki (http://spamtrackers.eu/wiki/index.php/Main_Page) Thanks for all the work on this, Merry Christmas/Happy New Year! Regards, Joe
-- Spamhaus (http://www.spamhaus.org/)
With all the discussion about European privacy laws I often wondered about blacklists like SpamHaus that operate in Europe. Don't they collect information that is considered "personal information" under European Privacy laws? Do they have to follow the requirements of collection and dissemination of the information like other European businesses? I had noticed in some cases they publish names of suspected spammers along with discussions of their activities (in addition to the distribution of the blacklists). The Spamhuas privacy policy doesn't address any of this stuff. Thank You
On 16 Dec 2011, at 16:33, russ@consumer.net wrote:
-- Spamhaus (http://www.spamhaus.org/)
With all the discussion about European privacy laws I often wondered about blacklists like SpamHaus that operate in Europe. Don't they collect information that is considered "personal information" under European Privacy laws?
Like what exactly??
Do they have to follow the requirements of collection and dissemination of the information like other European businesses? I had noticed in some cases they publish names of suspected spammers along with discussions of their activities (in addition to the distribution of the blacklists).
They normally list companies ..
The Spamhuas privacy policy doesn't address any of this stuff.
Thank You
Why don't you ask them directly?
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.biz http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Like what exactly??
They distribute IP addresses and identify individual spammers. As I understand the definition of personal information that if you can track someone down from an IP then it is "personal information. In some cases you can and other cases you cannot. I wondered how this is handled under these European privacy Laws.
They normally list companies ..
They list IP's, companies, and individuals in some cases. They compile data from complaints, honeypots, etc. Then they report their findings via blacklists and reputations and sometimes they discuss activities of individual spammers (companies or individuals).
Why don't you ask them directly?
I did and the head guy answered under his pseudonym and gave some vague discussion about how they are a volunteer organization without resources, etc. etc. and then never answered any followups. I asked them to update their privacy policy but they never did. Back when they were being sued in the US I noticed several people in Europe had filed complaints against Spamhaus with some data protection office in the UK citing these European Privacy Laws. I was wondering what ever became of that and if any ruling was ever made. Thank You
I received a few private e-mails from people on this list claiming i am all wrong about IP addresses being classified as personal information. I did not make this ruling, it was a 2008 proclamation by the EU Data Commission. One link is at http://pcin.net/update/2008/01/22/ip-addresses-are-private-eu/. Obviously people are tracked down all the time by their IP address (just ask the copyright enforcers) so it fits the EU definition. One guy is writing to me telling me not to post on this list because I am all wrong and off topic. The e-mail he sent borders on harassment. The fact is security and abuse has to be balanced with privacy. It is funny how the so-called anti-spam privacy activists go berserk by the mere mention that anti-spam blacklists also have to abide by privacy regulations. If you want to argue the point don't complain to me, I am just reporting the EU's findings. Contact the EU privacy commissioners and argue your point. Security and privacy are things that need to be balanced so it is not off-topic to discuss privacy requirements for abuse systems. Thank You
On 16/Dec/11 22:32, russ@consumer.net wrote:
Security and privacy are things that need to be balanced so it is not off-topic to discuss privacy requirements for abuse systems.
The subject is on topic indeed. It has various facets, including unlimited access to abuse-mailboxes, anonymity of IP delegations, and possibly even redaction of spam complaints. For IP numbers, a privacy requirement is necessary to avoid tracking users. However, there has to be an exception for mail delivery (not submission). IIRC there is an exception for e-commerce, that limits a merchant's right to anonymity. Likewise, mail servers shouldn't be allowed to be anonymous. Most EU concerns are discussed within the coordination-wg, though. So I'm not clear on the worthiness of having this discussion here. jm2c
The subject is on topic indeed. It has various facets,
All my posts in the last couple threads are related to abuse and RIPE but I am making my points in a roundabout way. My main point is that some of the people involved in abuse issues get so wrapped up in one aspect of the problem that they fail to see the overall picture. When we talk about enforcement of the EU privacy laws for the RIPE database many are arguing for a very strict application of EU privacy laws. No consideration was given for pass-through sites like mine or that fact that access to the whois lookups is not a regional issue. This is what happens when we talk about something people don't like (namely getting spam from having a contact address in the RIPE database). Yet when I bring up applying these laws to an anti-spam group suddenly their position changes and they argue for not applying the EU privacy laws strictly. In this case we have an anti-spam mechanism that everybody likes. Some people are applying the laws based on whether they like something or not, not on the actual facts. As for IP addresses and whether they identity a person is a complicated issues. The US courts have been split over whether IP addresses are "Personally Identifiable Information" (PII). There are long complicated discussions of the context in which the information is collected. The EU definition of "personal information" appears to be broader that the PII definition. In the case of spam blacklists or reputation scores the information is generally collected to accuse someone of spamming and blacklist their IP address. If you get put on one these lists by mistake and want to dispute the findings you suddenly see the importance of the privacy aspect. If you blacklist someone you may have to give them the information you collected about them and allow them to dispute it. In my case my web site IP is on RIPE's blacklist. That IP leads directly to my company and identifies me. By bringing up these issue I am now being accused of all sorts of things. My web site was set up in 1998 as a tool to track down and complain about spam, not a harvesting system. Not only that, I used to sue companies for breaking US privacy laws and I even testified at the first "so-called" spam summit at the US Federal Trade Commission. The US telemarketing and junk fax laws you can take companies into small claims court. I took many large corporations to court even sued several companies who harvested by whois info and used it send illegal junk faxes. To claim I am a "harvester" or that I am promoting violating privacy laws is ridiculous. What RIPE did when they implemented this IP address blocking was they reduced security for the sake of privacy. It is now more difficult to get abuse contacts. Sure people can go directly to the database but it makes things more difficult and time comsuming. Several users of my web site took the time to write to me to complain about the block. These were mostly system administrators and abuse staff, not people looking to harvest RIPE e-mail addresses. I get contacted all the time from security companies and law enforcement entities who use the site. No consideration is given to them and the fact that they are users of RIPE services when this block system was implemented. The other issue is the fact that the data is being collected under a government contract with IANA. A contractor is not permitted, on its own, to place restrictions on the data because it doesn't belong to them. Forgetting about EU privacy laws for the moment I noticed ARIN has placed a restriction on their whois data that reads: "You may not use, allow to use, or otherwise facilitate the use of ARIN WHOIS data for advertising, direct marketing, marketing research, or similar purposes." There is no legal basis for this restriction since things like "marketing research" are perfectly legal. The marketing research companies paid their taxes like everyone else and they have right to the public data and they can legally use it any way they want (as long as they don't break a law like sending an illegal junk fax). I believe the whois access issues needs to handled at the level of the Address Council because it is a universal service and any access restrictions need to be coordinated with IANA who, in turn, should coordinate with the US Government as they are required to do under their contract. Certainly I should not have to join a European mailing list to discuss the services I use from North America. Thank You Thank You.
On 17 Dec 2011, at 16:37, russ@consumer.net wrote:
The other issue is the fact that the data is being collected under a government contract with IANA. A contractor is not permitted, on its own, to place restrictions on the data because it doesn't belong to them. Forgetting about EU privacy laws for the moment I noticed ARIN has placed a restriction on their whois data that reads: "You may not use, allow to use, or otherwise facilitate the use of ARIN WHOIS data for advertising, direct marketing, marketing research, or similar purposes." There is no legal basis for this restriction since things like "marketing research" are perfectly legal. The marketing research companies paid their taxes like everyone else and they have right to the public data and they can legally use it any way they want (as long as they don't break a law like sending an illegal junk fax).
I believe the whois access issues needs to handled at the level of the Address Council because it is a universal service and any access restrictions need to be coordinated with IANA who, in turn, should coordinate with the US Government as they are required to do under their contract. Certainly I should not have to join a European mailing list to discuss the services I use from North America.
If you feel so strongly about all this then go to the next ICANN meeting in Costa Rica in March and raise it with the ASO. And if you want to access a European database then you are going to have to deal with us nasty Europeans. Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.mobi/ http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Fax. +353 (0) 1 4811 763 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
On 17/Dec/11 17:49, Michele Neylon :: Blacknight wrote:
And if you want to access a European database then you are going to have to deal with us nasty Europeans.
Even that may not be enough. IANAL, but when I read RIPE Database Terms and Conditions[1], its "Article 3 - Purpose of the RIPE Database" doesn't seem to be designed to provide abuse contacts info to anyone. The nearest point is its fifth bullet, which says: * Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities, to parties who are authorised under the law to receive such information. Do users have to take special actions in order to become "authorized under the law"? [1] http://www.ripe.net/db/support/db-terms-conditions.pdf
when I read RIPE Database Terms and Conditions ...
I suspect the requirements for operating a publicly accessible whois are found in the list of requirements for opertaing an RIR. This document is referenced in the RIR MOU but I don't have copy yet. If an RIR develops something outside of these RIR requirements then I think they can set any kind of restriction they want. If the requirement is somehow superseded by EU laws then they obviously have to follow those laws. However, nobody has pointed to a specific law that would restrict access to abuse contacts to 1000 queries per day. Thank You
On 17/12/11 16:37, russ@consumer.net wrote:
What RIPE did when they implemented this IP address blocking was they reduced security for the sake of privacy. It is now more difficult to get abuse contacts. Sure people can go directly to the database but it makes things more difficult and time comsuming. Several users of my web site took the time to write to me to complain about the block. These were mostly system administrators and abuse staff, not people looking to harvest RIPE e-mail addresses. I get contacted all the time from security companies and law enforcement entities who use the site. No consideration is given to them and the fact that they are users of RIPE services when this block system was implemented.
What you're forgetting it that RIPE NCC have finite resources. They have documented the block system at http://www.ripe.net/ripe/docs/ripe-358#211 These restrictions were put in place in order to make sure that everyone has fair access to the system. You are clearly hitting limits, and they have provisions for your case in order to allow Bulk Access. Have a look at http://www.ripe.net/data-tools/support/documentation/bulk-access-agreement Yes, there is a fee, but again, that's because you're using more resources than average. There's also services like http://www.radb.net who mirror the data from all the IRRs who you might like to deal with!
I believe the whois access issues needs to handled at the level of the Address Council because it is a universal service and any access restrictions need to be coordinated with IANA who, in turn, should coordinate with the US Government as they are required to do under their contract. Certainly I should not have to join a European mailing list to discuss the services I use from North America.
You're trying to use a service that's based in Europe and hence operates under EU law. Where does American law come into this? This is purely an implementation matter for Ripe NCC. Niall -- Niall Donegan ---------------- http://www.blacknight.com Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845
What you're forgetting it that RIPE NCC have finite resources.
I agree that RIPE has to limit access to prevent DOS attacks or slowdowns to the system. However, I am nowhere near that limit and they have told me the reason is that I cannot have unrestricted access is because EU privacy laws restrict "unlimited access." They told me I could continue making requests at my current level if I used a "-r" switch but I would not get the abuse contact info. I would run my own mirror except I would not get the abuse contact info. Thank You
Russ, On Mon, 2011-12-19 at 15:54 -0500, russ@consumer.net wrote:
What you're forgetting it that RIPE NCC have finite resources.
I agree that RIPE has to limit access to prevent DOS attacks or slowdowns to the system. However, I am nowhere near that limit and they have told me the reason is that I cannot have unrestricted access is because EU privacy laws restrict "unlimited access." They told me I could continue making requests at my current level if I used a "-r" switch but I would not get the abuse contact info. I would run my own mirror except I would not get the abuse contact info.
See, this is what's great about the way things work in the RIPE region! If you were dealing with, say, a bank or an airline or even a governmental department and did not like one of their bureaucratic rules, you would have little or no recourse. Luckily, the RIPE NCC takes their policies from the RIPE community. So all you need to do is make a rational policy proposal directing the RIPE NCC to set their contact information publication policy as you prefer (although this must of course bow to Dutch law), and get consensus from the community on it. Unfortunately, you seem to be the only one in favor of lifting the Whois restrictions so you may have a tough time getting consensus on a policy proposal. But who knows? A carefully worded policy proposal may gain widespread support! Brian has already offered to help you create one, so I eagerly await the results. I'd be happy to read a draft if you're nervous about going forward without discussing it with someone privately first. -- Shane
Shane Kerr wrote: Hi,
Luckily, the RIPE NCC takes their policies from the RIPE community. So all you need to do is make a rational policy proposal directing the RIPE NCC to set their contact information publication policy as you prefer (although this must of course bow to Dutch law), and get consensus from the community on it.
Unfortunately, you seem to be the only one in favor of lifting the Whois restrictions so you may have a tough time getting consensus on a policy proposal.
But who knows?
Raising the restrictions on personal objects isnt a bad idea at all, but it should wait until personal data and abuse contacts are seperated, like outlined by Tobias' last proposal and after most objects in the database confirm to this new model. I would love to hide all personal email addresses behind a randomly changing address <randomcode>@abuse.ripe.net And names, postal, fon and fax address of personal objects could be hidden behind a webpage with captcha code or thelike, maybe the abuse finder tool could be enhanced here. But again: most important is the seperation of personal and abuse data, a database cleanup and the general unrestricted access to abuse contacts. Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
On 20/Dec/11 15:44, Frank Gadegast wrote:
Raising the restrictions on personal objects isnt a bad idea at all, but it should wait until personal data and abuse contacts are seperated, like outlined by Tobias' last proposal and after most objects in the database confirm to this new model.
Agreed. What synchronization is exactly needed depends on the software details, so I'd leave that in RIPE NCC's hands. However, proposal 2011-06 doesn't mention relaxing access restrictions. Do we need to add such goal explicitly?
I would love to hide all personal email addresses behind a randomly changing address <randomcode>@abuse.ripe.net
Uh, that sounds like programming the "search" button to step aside from the cursor whenever users try to click on it :-) Abuse directed to an abuse-mailbox is like bugs caught during regression testing: still annoying, but much better than uncontrolled occurrences.
And names, postal, fon and fax address of personal objects could be hidden behind a webpage with captcha code or thelike, maybe the abuse finder tool could be enhanced here.
Yes, personal data has to be protected. Perhaps not names. Perhaps login is easier than captcha for some users.
Alessandro Vesely wrote:
On 20/Dec/11 15:44, Frank Gadegast wrote:
Raising the restrictions on personal objects isnt a bad idea at all, but it should wait until personal data and abuse contacts are seperated, like outlined by Tobias' last proposal and after most objects in the database confirm to this new model.
Agreed. What synchronization is exactly needed depends on the software details, so I'd leave that in RIPE NCC's hands. However, proposal 2011-06 doesn't mention relaxing access restrictions. Do we need to add such goal explicitly?
No, thats really a different issue and should be looked at later.
I would love to hide all personal email addresses behind a randomly changing address<randomcode>@abuse.ripe.net
Uh, that sounds like programming the "search" button to step aside from the cursor whenever users try to click on it :-)
Yes, sounds like security by obscurity, but why not ? I like to make sure, that this should not apply to abuse contacts, wich are to my opinion the only contacts that really need to be available for automated system. Or does anybody see a reason, that a non-abuse but personal contact should be visible by whois or in whatever else automated way ? I cant think of an example here. whois could show the netrange, netname, routing and all other technical objects, surely the new abuse-c with all its data, could name the other contacts, but then simply point to a webpage for the details of the other contacts.
And names, postal, fon and fax address of personal objects could be hidden behind a webpage with captcha code or thelike, maybe the abuse finder tool could be enhanced here.
Yes, personal data has to be protected. Perhaps not names. Perhaps login is easier than captcha for some users.
A login for everybody that simply wants to know to whom a network belongs ? Thats maybe too much security and it should better not be possible to track, wich user is requesting wich information. That would again be personal data, thats needs to be protected inside the systems of RIPE NCC, better leave that one out. Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== -- Mit freundlichen Gruessen, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ======================================================================
I realise this is a week old, but it's a holiday so perhaps that excuses my delayed contribution? On Wed, Dec 21, 2011 at 7:32 AM, Frank Gadegast < ripe-anti-spam-wg@powerweb.de> wrote:
I would love to hide all personal email addresses behind
a randomly changing address<randomcode>@abuse.ripe.net
Uh, that sounds like programming the "search" button to step aside from the cursor whenever users try to click on it :-)
Yes, sounds like security by obscurity, but why not ?
I like to make sure, that this should not apply to abuse contacts, wich are to my opinion the only contacts that really need to be available for automated system.
Or does anybody see a reason, that a non-abuse but personal contact should be visible by whois or in whatever else automated way ? I cant think of an example here.
whois could show the netrange, netname, routing and all other technical objects, surely the new abuse-c with all its data, could name the other contacts, but then simply point to a webpage for the details of the other contacts.
Ensuring that abuse-c details are the ones that're available unobscured highlights the very reason the issue is problematic... abuse@ needs to be the service which is _not_ filtered, and to be effective, needs real people to pay prompt attention. Half the reason organisations of a certain age or size are often seen to turn a blind eye to feedback received via that alias, is due to the sheer volume of crud directed at it. Surely leaving abuse-c details as the ones that aren't obscured is just going to magnify the affect? I like the idea of @abuse.ripe.net aliases but frankly, that'll just submit the MX records to an insane amount of abuse. Better that organisations be required to manage their own contact details appropriately enough for public listing; role based, write-off aliases which can be superceded over time if necessary, perhaps. Fact is, if you're eligible to get an IP Range direct from an RIR (as opposed to getting an ISP CIDR range, and thus being proxied through them in terms of any complaints about your conduct) you're morally (if not by policy) obliged to provide legitimate contact information. Cost of doing business, and it's not that onerous IMHO.
And names, postal, fon and fax address of personal objects
could be hidden behind a webpage with captcha code or thelike, maybe the abuse finder tool could be enhanced here.
Yes, personal data has to be protected. Perhaps not names. Perhaps login is easier than captcha for some users.
A login for everybody that simply wants to know to whom a network belongs ? Thats maybe too much security and it should better not be possible to track, wich user is requesting wich information. That would again be personal data, thats needs to be protected inside the systems of RIPE NCC, better leave that one out.
If I only had to maintain a small number of Logins and I was using them regularly, i wouldn't have a problem with this.... however this will only discourage Joe-Public from actually tracking down abuse and reporting it - as the opportunity cost of taking the time to register in order to report an offense will be that much higher. Just look at how successful the mail service providers who've reverted to requiring web-form-submission complaints are finding it.... The drop in noise is no doubt coincidental to a drop in legitimate complaints from victims who now find it's easier to simply trash spam coming from Yahoo, than it is to submit complaints (that are, from the users perspective, largely ineffective, people see the abuse@dept's of most large organisations as a black hole manned by something vaguely better than trained monkeys...) Oh, is that my cynical nature coming through? whoops... My $0.02: - Compulsary abuse-c information in whois, supported. - Validation and reverification of contact information, supported. - Revoking (?) peoples IP ranges if they can't keep their contact information accurate? supported. - This is only going to get worse with IPv6. It's so big there will be large swathes of 'throw away' space and an even larger tendency for people to judge an entire netblock by the behavior of a small subset. I firmly believe that the RIRs and ISP's and Network Operators at all levels need to keep the lines of communication open, we should be able to recognise our need to mutually support eachother and to be able to deal with abuse (not just spam, either) originating from within our midst. Networks who can't take some responsibility for their customers, shouldn't expect anywhere near the same degree of professional courtesy. Mark. PS: In New Zealand where I am, It's been widely discussed that identifying an IP address holder only identifies the 'Account Holder', not the individual who's carried out an offense. So the Account Holder gets to have the responsibility associated with this. (Awareness of this point came as a by product of anti-piracy legislation introduced in the last year or two.) If the ISP won't disclose Account Holder information (under the terms of the law) they lose their 'safe harbour' provisions and essentially take that responsibility on themselves. Just throwing that out there as a possibly useful data point.
* Mark Foster:
Half the reason organisations of a certain age or size are often seen to turn a blind eye to feedback received via that alias, is due to the sheer volume of crud directed at it. Surely leaving abuse-c details as the ones that aren't obscured is just going to magnify the affect?
Maybe, who knows. Just make it opt-in, so that people can decide whether they want to publish their abuse contact point or not. Some of us are actually interested in receiving reports, despite the high false positive rate. Acceptance among RIPE members would probably increase if this contact point information could be a URL and not just a mailbox (but this would certainly draw ire from some potential reporters). -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Just make it opt-in, so that people can decide whether they want to publish their abuse contact point or not.
I thought is already is "opt-in" as the contact enters the information with the knowledge it will be published. If it is opt-in the EU data protection laws do not come into play since there is an exemption for those that opt-in to their info being published. Thank You
Just make it opt-in, so that people can decide whether they want to publish their abuse contact point or not.
I thought is already is "opt-in" as the contact enters the information with the knowledge it will be published.
If it is opt-in the EU data protection laws do not come into play since there is an exemption for those that opt-in to their info being published.
The RIPE NCC has decided that publication in the RIPE database does not give consent to publication (sic), at least not in bulk form as generally needed for some forms of abuse processing. I was surprised when this was announced and I believe RIPE NCC's legal counsel was and is wrong. It would have been better to advise its members that they need to make sure that they have consent from the folks whose data they've submitted to the RIPE NCC for publication. This is what DENIC did when it was discovered that the WHOIS for 9.4.e164.arpa, despite being nominally opt-in, was populated by default with personally identifiable information by several DENIC members. Anyway, I don't think RIPE NCC will give us reassurances that they won't make another u-turn on the abuse-c: attribute, particularly if it is mandatory. That's why I think the whole endeavor is rather pointless. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Florian, On Wednesday, 2011-12-28 14:40:02 +0000, Florian Weimer <fweimer@bfk.de> wrote:
Just make it opt-in, so that people can decide whether they want to publish their abuse contact point or not.
I thought is already is "opt-in" as the contact enters the information with the knowledge it will be published.
If it is opt-in the EU data protection laws do not come into play since there is an exemption for those that opt-in to their info being published.
I was surprised when this was announced and I believe RIPE NCC's legal counsel was and is wrong. It would have been better to advise its members that they need to make sure that they have consent from the folks whose data they've submitted to the RIPE NCC for publication. This is what DENIC did when it was discovered that the WHOIS for 9.4.e164.arpa, despite being nominally opt-in, was populated by default with personally identifiable information by several DENIC members.
Perhaps it makes sense to create an explicitly privacy-free form of contact information in the database? While we could re-use the ROLE object type for this, maybe we should be explicit, and make a NON-PERSON-CONTACT-INFORMATION-THAT-THE-WHOLE-INTERNET-CAN-READ object type? ;) -- Shane
* Shane Kerr:
Perhaps it makes sense to create an explicitly privacy-free form of contact information in the database?
Yes, that's one way to achieve opt-in, provided that use of these objects is not required. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
I was surprised when this was announced and I believe RIPE NCC's legal counsel was and is wrong. It would have been better to advise its members that they need to make sure that they have consent from the folks whose data they've submitted to the RIPE NCC for publication.
I wasn't involved in the development and this is speculation on my part ... but I suspect the policy development came about because some anti-abuse people believe it is wrong for companies to harvest public information for marketing purposes. Therefore, they came up with the blocking idea. Since there was no legitimate reason for blocking access to public information they came up with this privacy law idea. Even though it doesn't apply it sounds good so they just keep repeating over and over that privacy laws are forcing their hand. The report that is supposed to describe the situation is so vague and incomplete that it is impossible to determine how they made their decisions and it does not even identify the legal council that provided the advice: http://www.ripe.net/ripe/groups/tf/dp This stuff happens when abuse issues are treated as a "religion." Thank You
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 16/12/2011 21:32, russ@consumer.net wrote:
I received a few private e-mails from people on this list claiming i am all wrong about IP addresses being classified as personal information. I did not make this ruling, it was a 2008 proclamation by the EU Data Commission.
The law is meant to be interpreted with a degree of subtlety. ISPs and mail providers are generally allowed to process IP addresses if it's in their legitimate interest (we'd not get very far otherwise). Dealing with spam or running an incident response function is thought to lie within this realm. The risk of being able to identify an individual starting with an IP address listed in a black list is very small, and the impact very small, but the benefits from publishing them should be very clear. If you'd like to learn more, our legal and regulatory officer wrote a paper on these issues at http://www.terena.org/activities/tf-csirt/publications/data-protection-v2.pd... Regards, James - -- James Davis 0300 999 2340 (+44 1235 822340) Senior CSIRT Member Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk7u8ycACgkQjsS2Y6D6yLxbawD+OAUlE2LW/AWUSz3ivT69AJ7H AsNLcxv+T/ZM2L7MkssA/ibp1oqn3+QhyEM/zn3h29ZGpHTF/Zpj/8APaidMoNQN =Xok5 -----END PGP SIGNATURE----- JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
The risk of being able to identify an individual starting with an IP address listed in a black list is very small, and the impact very small, but the benefits from publishing them should be very clear.
Your discussion and the associated paper implies that the list operator/security personnel are always right because they are protecting the Internet. It implies their mission is more important than any other issue that someone may have. "It should be very clear" implies that if you have another opinion then there must be something wrong with you. This is the attitude many of those involved in abuse have and I am trying to point out that there are problems with such a position. It gives people involved in abuse the idea that they don't have to answer to anyone or abide by the same rules as everyone else. If the list is run poorly the impact can be tremendous. Both Cisco and Microsoft both currently run blacklists that generate all sorts of complaints. They often won't tell people why they were put on the lists. Even when they remove someone people report the staff is arrogant and accusatory. They assume anyone on the list is guilty and it up to them to prove otherwise. the complaints say sometimes they don't remove false alarms for months. Another guy in Australia running a blacklist used to demand "donations" to get removed and if he got into an argument with someone he would add them to the list. (On top of that he used to register for free DNS services and crash them by uploading his blacklist). Many in abuse do not think twice about advising ISP's to do deep packet inspection to find abuse and malware without ever considering the ISP's marketing department will use the system for other purposes. The people involved in privacy are the same way. They often don't consider the security implications of keeping everything private. No, I do not agree that ignoring or minimizing the privacy issues is justified because of the benefits. The blacklists of today are much like the early days of credit reporting when there were no clear rules and people could not get mistakes fixes. The blacklist operators should promote these protections to improve their products rather than looking for excuses to avoid them. Thank You
I will be the last to deny that 1. There's poor quality spam filtering out there 2. There's poor quality customer service types out there [especially in abuse - being a great bofh doesnt make you a great abuse desker] But that isn't any reason to tar all spam filtering with the same brush. On Mon, Dec 19, 2011 at 2:30 PM, russ@consumer.net <russ@consumer.net> wrote:
If the list is run poorly the impact can be tremendous. Both Cisco and Microsoft both currently run blacklists that generate all sorts of complaints. They often won't tell people why they were put on the lists. Even when they remove someone people report the staff is arrogant and accusatory. They assume anyone on the list is guilty and it up to them to prove otherwise. the complaints say sometimes they don't remove false alarms for months. Another guy in Australia running a blacklist used to demand "donations" to get removed and if he got into an argument with someone he would add them to the list. (On top of that he used to register for free DNS services and crash them by uploading his blacklist). Many in abuse do not think twice about advising ISP's to do deep packet inspection to find abuse and malware without ever considering the ISP's marketing department will use the system for other purposes. The people involved in privacy are the same way. They often don't consider the security implications of keeping everything private.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
But that isn't any reason to tar all spam filtering with the same brush.
I never said all abuse lists are bad or are run poorly, some of them are run very well and provide tremendous benefits and I use them. I am just saying they need to live by the same standards as everyone else. I have dealt with the abuse desk you ran before if you remember me. I tried to respond to an e-mail from the network you ran and it was blocked. Your abuse desk told me other people on my netblock were spammers and I was supposed to go to my hosting provider and somehow make it stop. I had no idea (or power) to do anything about it and I had no idea what anyone else on the netblock was doing. When I ask for proof of the claims you never sent anything or explained further (although you did unblock me). These are some of the crazy stunts pulled by abuse departments that has no basis in law or common sense. Thank You
On 19 Dec 2011, at 14:16, russ@consumer.net wrote:
But that isn't any reason to tar all spam filtering with the same brush.
I never said all abuse lists are bad or are run poorly, some of them are run very well and provide tremendous benefits and I use them. I am just saying they need to live by the same standards as everyone else.
And what standard would that be? DNSBLs provide a free service Nobody is obliged to use them And if a DNSBL is badly run then mail admins shouldn't use them ..
I have dealt with the abuse desk you ran before if you remember me. I tried to respond to an e-mail from the network you ran and it was blocked. Your abuse desk told me other people on my netblock were spammers and I was supposed to go to my hosting provider and somehow make it stop. I had no idea (or power) to do anything about it and I had no idea what anyone else on the netblock was doing. When I ask for proof of the claims you never sent anything or explained further (although you did unblock me). These are some of the crazy stunts pulled by abuse departments that has no basis in law or common sense.
Because of course we all make massive amounts of money from our abuse desks and running a network and protecting it from scumbags is free .. Mr Michele Neylon Blacknight Solutions ♞ Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.biz http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
I don't remember that incident - but yes, you don't own the larger netblock that was filtered. I, my filters or my team don't make a habit of filtering covering CIDRs unless there's massive amounts of spam spread across multiple subnets in there. And when that happens, I do like to talk to the ISP and ensure that they address those issues before I relax any filters. --srs On Mon, Dec 19, 2011 at 7:46 PM, russ@consumer.net <russ@consumer.net> wrote:
I have dealt with the abuse desk you ran before if you remember me. I tried to respond to an e-mail from the network you ran and it was blocked. Your abuse desk told me other people on my netblock were spammers and I was supposed to go to my hosting provider and somehow make it stop. I had no idea (or power) to do anything about it and I had no idea what anyone else on the netblock was doing. When I ask for proof of the claims you never sent anything or explained further (although you did unblock me). These are some of the crazy stunts pulled by abuse departments that has no basis in law or common sense.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
-----Original Message----- From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg- bounces@ripe.net] On Behalf Of russ@consumer.net Sent: Monday, December 19, 2011 4:17 PM To: anti-abuse-wg@ripe.net
I tried to respond to an e-mail from the network you ran and it was blocked. Your abuse desk told me other people on my netblock were spammers and I was supposed to go to my hosting provider and somehow make it stop. I had no idea (or power) to do anything about it and I had no idea what anyone else on the netblock was doing. When I ask for proof of the claims you never sent anything or explained further (although you did unblock me). These are some of the crazy stunts pulled by abuse departments that has no basis in law or common sense.
A network accepting mail from another network is extending the latter a privilege. It is extremely common sense to block networks from which spam or other abuse is detected. If you really would like to argue that such blocking is illegal, the burden of proof is on you. -- Thor Kottelin http://www.anta.net/
+1 On 19 Dec 2011, at 14:32, Thor Kottelin wrote:
-----Original Message----- From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg- bounces@ripe.net] On Behalf Of russ@consumer.net Sent: Monday, December 19, 2011 4:17 PM To: anti-abuse-wg@ripe.net
I tried to respond to an e-mail from the network you ran and it was blocked. Your abuse desk told me other people on my netblock were spammers and I was supposed to go to my hosting provider and somehow make it stop. I had no idea (or power) to do anything about it and I had no idea what anyone else on the netblock was doing. When I ask for proof of the claims you never sent anything or explained further (although you did unblock me). These are some of the crazy stunts pulled by abuse departments that has no basis in law or common sense.
A network accepting mail from another network is extending the latter a privilege. It is extremely common sense to block networks from which spam or other abuse is detected. If you really would like to argue that such blocking is illegal, the burden of proof is on you.
-- Thor Kottelin http://www.anta.net/
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.biz http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
A network accepting mail from another network is extending the latter a privilege. It is extremely common sense to block networks from which spam or other abuse is detected. If you really would like to argue that such blocking is illegal, the burden of proof is on you.
That is a simplistic argument from the early days the Internet and is often not true anymore. In many cases IPS's have contracts with users to provide certain services. In other countries Internet service is a public utility. Under US law if you block someone and tell them to make their ISP do something to get unblocked that is technically extortion. In many cases it is certainly proper and allowed to block another network but simplistic arguments will get you into trouble. The specific case I was describing where I tried to reply to someone and was probably not illegal until they told me to make my host do something. It is interesting that the network allowed e-mail to go from their network to mine yet was blocked when I responded. Does anyone check blacklists for outbound mail?
I do like to talk to the ISP and ensure that they address those issues before I relax any filters.
Right, you advocate a "I know abuse when I see it" standard where you have the final say and there is no recourse. If anyone complains they must be a spammer or support spamming? I am now on a Comcast Business IP. At what point or at what level is too much abuse via the Comcast network to get all Comcast customers blocked?
And what standard would that be?
The first standard would be privacy laws (In this case EU laws). Next would be compliance with the posted privacy policy. Microsoft and Cisco play all sorts of tricks here. Microsoft tells the US Government they have corporate privacy program monitored by the TRUSTe program. They tell customers that each of their services has different privacy policies and that some are covered by TRUSTe and some are not. They claim their blacklist services is a service not covered by their main privacy policy and not monitored by TRUSTe. Cisco does exactly the same thing with senderbase.org. The next standard is defamation laws that vary from country to country.
On 19 Dec 2011, at 15:29, russ@consumer.net wrote:
A network accepting mail from another network is extending the latter a privilege. It is extremely common sense to block networks from which spam or other abuse is detected. If you really would like to argue that such blocking is illegal, the burden of proof is on you.
That is a simplistic argument from the early days the Internet and is often not true anymore.
Ok, so how big is the network that you are running?
In many cases IPS's have contracts with users to provide certain services. In other countries Internet service is a public utility. Under US law if you block someone and tell them to make their ISP do something to get unblocked that is technically extortion. In many cases it is certainly proper and allowed to block another network but simplistic arguments will get you into trouble. The specific case I was describing where I tried to reply to someone and was probably not illegal until they told me to make my host do something. It is interesting that the network allowed e-mail to go from their network to mine yet was blocked when I responded. Does anyone check blacklists for outbound mail?
I do like to talk to the ISP and ensure that they address those issues before I relax any filters.
Right, you advocate a "I know abuse when I see it" standard where you have the final say and there is no recourse. If anyone complains they must be a spammer or support spamming? I am now on a Comcast Business IP. At what point or at what level is too much abuse via the Comcast network to get all Comcast customers blocked?
And what standard would that be?
The first standard would be privacy laws (In this case EU laws).
How is that even relevant?
Next would be compliance with the posted privacy policy. Microsoft and Cisco play all sorts of tricks here. Microsoft tells the US Government they have corporate privacy program monitored by the TRUSTe program. They tell customers that each of their services has different privacy policies and that some are covered by TRUSTe and some are not. They claim their blacklist services is a service not covered by their main privacy policy and not monitored by TRUSTe. Cisco does exactly the same thing with senderbase.org.
The next standard is defamation laws that vary from country to country.
Huh? How is listing an IP or netblock as a source of network abuse defamatory? That's the kind of defence used by spammers
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.biz http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
In many cases it is certainly proper and allowed to block another network
Should be allowed in all cases. I guess there is no law wherever in the world that disallows me to protect my own services from abuse. And no law whatsoever that pushes me, that I have to communicate with everybody in the world, even if I dont want to. That will make every antivirus- or firewall-software illegal. Dont simply think of abuse as spam, abuse is more (e.g. every day, we have idiots, that are trying to guess mailbox passwords or that try to log into network appliances, wich only have an IP and no domain pointing to them, surely until their IPs get captured and blocked, our IDS and firewall logs are full of this crap). And how could it be defamation, if we try to reach the responsible network abuse contact, to inform them, that they have a security breach and that one of their servers or dialin clients got hi-jacked ? Blacklist do not accuse anybody, they are simply informative and tell people that there might be a problem ...
Huh?
How is listing an IP or netblock as a source of network abuse defamatory?
That's the kind of defence used by spammers
... and harvesters :o) Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ======================================================================
Frank Most of us run private networks. I can't see why or how we could be "obliged" to grant anyone free access. It makes no sense to me. None Regards Michele On 19 Dec 2011, at 16:30, Frank Gadegast wrote:
In many cases it is certainly proper and allowed to block another network
Should be allowed in all cases.
I guess there is no law wherever in the world that disallows me to protect my own services from abuse. And no law whatsoever that pushes me, that I have to communicate with everybody in the world, even if I dont want to. That will make every antivirus- or firewall-software illegal.
Dont simply think of abuse as spam, abuse is more (e.g. every day, we have idiots, that are trying to guess mailbox passwords or that try to log into network appliances, wich only have an IP and no domain pointing to them, surely until their IPs get captured and blocked, our IDS and firewall logs are full of this crap).
And how could it be defamation, if we try to reach the responsible network abuse contact, to inform them, that they have a security breach and that one of their servers or dialin clients got hi-jacked ?
Blacklist do not accuse anybody, they are simply informative and tell people that there might be a problem ...
Huh?
How is listing an IP or netblock as a source of network abuse defamatory?
That's the kind of defence used by spammers
... and harvesters :o)
Kind regards, Frank
-- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ======================================================================
Mr Michele Neylon Blacknight Solutions ♞ Hosting & Colocation, Brand Protection ICANN Accredited Registrar http://www.blacknight.com/ http://blog.blacknight.com/ http://blacknight.biz http://mneylon.tel Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Facebook: http://fb.me/blacknight Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
I guess there is no law wherever in the world that disallows me to protect my own services from abuse. ... And how could it be defamation, if we try to reach the responsible network abuse contact, to inform them, that they have a security breach and that one of their servers or dialin clients got hi-jacked ?
Blacklist do not accuse anybody, they are simply informative and tell people that there might be a problem ... ... Perhaps you are underestimating some people's requirement for absolute perfection in the world? (Their version of perfection, not yours or mine, of course...) ...
As an online discussion about network abuse grows longer, the probability of someone comparing blacklisting to extortion approaches 1.
... All of the above comments are pretty much worthless. They are meant to twist what I said and try to ridicule me while avoiding the issues I raised. These types of response make abuse groups look like a small group of arrogant individuals who could not care less about other issues or other people's rights. This is exactly what Spamhaus did when they got sued and they posted all those child-like messages on their web site. In the end the court found they lied and they paid all kinds of legal fees because of it. I don't completely disagree with the points made above but the treatment is way too simplistic. Just like the worst criminals, spammers have rights too and sometimes abuse people accuse the wrong people, make mistakes, or are too busy to fix flaws in their system. Nobody requires "perfection" but to completely ignore issues and ridicule people when they raise the issues is negligence. The operation of a blacklist on its own is not extortion until you start telling people to do certain things (like pay money or demand action from your ISP) does it fall into the area of extortion. You also run into iisues of running ancillary paid services. I wonder if you have a much easier time getting off a Microsoft or Cisco blacklist if you subscribe to their services?
That's the kind of defence used by spammers ... and harvesters :o)
Every time someone says abuse staff should adhere to standards this is the response. It shows how clueless some people can be. People get so hyped up when someone mentions this type of stuff they fail to realized these standards will greatly improve things like blacklists. Thank You
On 19 Dec 2011, at 18:41, russ@consumer.net wrote:
This is exactly what Spamhaus did when they got sued and they posted all those child-like messages on their web site. In the end the court found they lied and they paid all kinds of legal fees because of it.
OK people, I know I've been cryogenically frozen for the last 10 years but you really need to tell me these things... We were found to have lied by a court? When? And we paid "all kinds of legal fees" because of it? Why doesn't anybody tell me these things! Steve Linford The Spamhaus Project http://www.spamhaus.org
Michele Neylon :: Blacknight wrote: Hi Michele,
On 19 Dec 2011, at 15:29, russ@consumer.net wrote:
That is a simplistic argument from the early days the Internet and is often not true anymore.
Ok, so how big is the network that you are running?
Hm. Lets use Russ' own tools at network-tools.com to estimate that: TraceRoute to 67.222.132.203 [consumer.net] Hop (ms) (ms) (ms) IP Address Host name 1 0 0 0 67.222.132.203 67.222.132.203.tailormadeservers.com Trace complete badly enough this whois service does not show any networks, well lets look those up myself: Comcast Business Communications, LLC CBC-PHILADELPHIA-29 (NET-70-90-0-0-1) 70.90.0.0 - 70.90.31.255 and THEKEYWORDFACTORYLLC THEKEYWORDFACTORYLLCNET (NET-67-222-132-192-1) 67.222.132.192 - 67.222.132.254 and a whois for one of those domains Whois query for nwtools.com... Results returned from whois.internic.net: ... (the usual internic stuff) ... Domain Name: NWTOOLS.COM Registrar: TUCOWS.COM CO. Whois Server: whois.tucows.com Referral URL: http://domainhelp.opensrs.net Name Server: DNS.CONSUMER.NET Name Server: DNS2.CONSUMER.NET Status: ok Updated Date: 12-dec-2011 Creation Date: 23-feb-2005 Expiration Date: 23-feb-2015 ... (the usual disclaimer) ... Results returned from whois.tucows.com: IP Address: 67.222.132.193 Maximum Daily connection limit reached. Lookup refused. **** Daily limit reached, looks like Tucows is trying to protect their own service, those bad, bad boys :o ) **** Hm, so I have to use our own whois at Tucows (we are reseller of Tucows :o) Registrant: Consumer.net, LLC PO Box 1860 Ocean City, NJ 08226 US Domain name: CONSUMER.NET Administrative Contact: Domain Administrator, Consumer.net whois222@consumer.net PO Box 1860 Ocean City, NJ 08226 US +1.6093983301 consumer.net is an LCC. It calls itself "web development company", but does not seem to have any customers. consumer.net seems to simply bake a few network tools and copyright and privacy website (wich mostly consist of a handfull "tweets" from twitter without even an own "design" or own software installed on the own servers (so it looks like, if those sites are giving all http-logs completly over to twitter !) and places adverts all over them (even on the own homepage !) to make money from it. consumer.net is no IANA or ARIN (or other RIR) member (as far as I could search the net), does not own a own network and seems to simply rent a few housing server at two different provider. Furthermore, all "web design customers" share the same few IPs and the same "design". Finally directly from www.consumer.net: " The types of advertisements displayed are based on a number of factors such as this site's content and your Internet browsing and search history. See the Privacy Policy for more information. This information is collected if a purchases are made, advertising services are purchased, or an inquiry is made. No third party marketers are used. " So: consumer.net should not have any data about me visiting his site :o) But this "service" is giving my data already to third parties, e.g google and twitter Great ... BTW: there are 27 links pointing to www.consumer.net in google and they are mostly from its other own sites. So my estimation is: - one person - two servers - 5 IPs - no customers at all - makes profit from collecting services from third parties (what is probably not allowed from those parties at all, otherwise consumer.net would have no access limits :o) - gives all visitors data to third parties I can only hope that this silly discussion will stop now. Brian: please do something, that we are coming back to mails regarding abuse AND ripe ... Kind regards, Frank -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ======================================================================
-----Original Message----- From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg- bounces@ripe.net] On Behalf Of russ@consumer.net Sent: Monday, December 19, 2011 5:29 PM To: <anti-abuse-wg@ripe.net>
Under US law if you block someone and tell them to make their ISP do something to get unblocked that is technically extortion.
As an online discussion about network abuse grows longer, the probability of someone comparing blacklisting to extortion approaches 1. (With apologies to Mike Godwin.) Under the law over here, extortion involves a threat as well as a benefit to which the recipient has no legal right. -- Thor Kottelin http://www.anta.net/
Er - there's a huge difference between "cheap colo range with a /18 that's spread with snowshoe bulk mailers" and "comcast business ranges with mostly individual static IP cablemodems allotted to different businesses, with an ISP that practices what seems to be the gold standard in outbound filtering of abuse from their IP space". Our filters at least tend not to block Comcast. On Mon, Dec 19, 2011 at 8:59 PM, russ@consumer.net <russ@consumer.net> wrote:
I do like to talk to the ISP and ensure that they address those issues before I relax any filters.
Right, you advocate a "I know abuse when I see it" standard where you have the final say and there is no recourse. If anyone complains they must be a spammer or support spamming? I am now on a Comcast Business IP. At what point or at what level is too much abuse via the Comcast network to get all Comcast customers blocked?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Er - there's a huge difference between "cheap colo range with a /18 that's spread with snowshoe bulk mailers" and "comcast business ranges ...
Right, those are the extremes but where do you draw the line? In my case I rented a server with an ISP operating legally. I actually checked for abuse complaints of several companies that rented servers and I found complaints about all of them. As for Comcast being the "gold standard" for filtering the only way they can do this is to violate their network policy. After the p2p throttling they claimed they have a "protocol agnostic" network policy. But you can't do that and also block specific ports. Further, if Comcast does block you they often won't tell people why. The exact quote to me was: "it doesn't matter what our privacy policy says, you are not getting the info." They also told me if I registered for a higher level of service somehow the security issues would disappear and there would no longer be blocking. Plus, last year they moved most of their privacy policies from Comcast.NET (covered by TRUSTe) to Comcast.COM (not covered by TRUSTe). If you want to be the "gold standard" for filtering then you will need to violate the privacy of your customers, keep it secret from them so they don't get pissed off, and then the system will be hijacked by the marketing department and used to increase the bottom line. This is getting off the issue of RIPE and abuse but the point is there are tradeoffs for all these actions and abuse is not the only issue in the world. Thank You
On 12/19/2011 5:30 AM, Suresh Ramasubramanian wrote:
But that isn't any reason to tar all spam filtering with the same brush.
Perhaps you are underestimating some people's requirement for absolute perfection in the world? (Their version of perfection, not yours or mine, of course...) d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
participants (14)
-
Alessandro Vesely -
Dave CROCKER -
Florian Weimer -
Frank Gadegast -
James Davis -
Joe St Sauver -
Mark Foster -
Michele Neylon :: Blacknight -
Niall Donegan -
russ@consumer.net -
Shane Kerr -
Steve Linford -
Suresh Ramasubramanian -
Thor Kottelin