Re: [anti-abuse-wg] New Abuse Information on RIPE NCC Website
Sascha Luck <lists-ripe@c4inet.net> wrote:
Attempts to establish the RIR as a censorship authority do damage to the RIR and its community.
You have an interestingly pervasive definition of "censorship". By your definition, anyone attempting to even discipline, after the fact, a person who had shouted "fire" in a crowded theater, in particular one that had not in fact been on fire, would be guilty of unwarranted "censorship".
I do not think a RIR can survive any other way than by being a "disinterested party" that engages in registry duties, and none other.
Assuming, for the sake of argument, that I and every other member of RIPE agreed with that exact assertion, then I would be forced to ask the obvious question: What then are the goals, missions, and responsibilities of the RIPE Anti-Abuse working group?
A couple of observations... The first one being: you still seem to *not* get the difference between RIPE (the community, rather fuzzily defined, both geographically as well as structurally) and the NCC (the entity formed and founded by its members to do just *one* thing: run the numbers registry on behalf of the members).

Ronald F. Guilmette wrote: [...]
I do not think a RIR can survive any other way than by being a "disinterested party" that engages in registry duties, and none other.
Assuming, for the sake of argument, that I and every other member of RIPE agreed with that exact assertion, then I would be forced to ask the obvious question: What then are the goals, missions, and responsibilities of the RIPE Anti-Abuse working group?
May I suggest this description: http://www.ripe.net/ripe/groups/wg/anti-abuse

On a more general aspect, please try to relate to the general road traffic: In most countries, I presume, the unique license plates are managed and issued by one or even more entities. Those entities do not accept any responsibility for the behaviour of the person using a uniquely identified vehicle. It is a task for the police or traffic wardens or whatever applies to your jurisdiction, to oversee the use of the vehicle according to *local* law. If a violation is observed or reported, it is the job of the regular legal system to follow up. If "someone" shouts to the maintainer of the unique license plate numbers "stop what I don't like", instead of getting in touch with the police, you will see limited success.

Is this something you can relate to?

To finish off, may I state here (again) that there is infrastructure around to properly and usefully report (perceived) "network abuse"[1]. It is either your local law enforcement agency and/or your (own, local ISP, industry sector or national) CSIRT. Those parties do have the mandate, the means and tools, etc. to follow up and take the appropriate steps.

Hth, regards, Wilfried.

[1] in order to use those services, having a "common" "definition" of "network abuse" is not even necessary :-)
On Tue, 18 Jun 2013 07:10:03 +0200 Wilfried Woeber <Woeber@CC.UniVie.ac.at> wrote:
A couple of observations...
Great! /N
On Tue, Jun 18, 2013 at 07:10:03AM +0200, Wilfried Woeber wrote:
[...] May I suggest this description:
http://www.ripe.net/ripe/groups/wg/anti-abuse
On a more general aspect, please try to relate to the general road traffic: In most countries, I presume, the unique license plates are managed and issued by one or even more entities. Those entities do not accept any responsibility for the behaviour of the person using a uniquely identified vehicle.
It is a task for the police or traffic wardens or whatever applies to your jurisdiction, to oversee the use of the vehicle according to *local* law.
If a violation is observed or reported, it is the job of the regular legal system to follow up. If "someone" shouts to the maintainer of the unique license plate numbers "stop what I don't like", instead of getting in touch with the police, you will have see limited success.
Is this something you can relate to?
I think it is quite safe to assume that most readers here are well aware of what a RIR is, certainly including Ron who has been fighting network abuse for about two decades now - and I take this opportunity to thank him for working tirelessly during all this time.

During this time, we all have learnt that criminals are getting more and more organized, that their creativity and ability should not be underestimated, that we can contribute to defend the Internet from their destructive behavior in many different ways and that, last but not least, 'reporting to the police' does not scale well, due to a chronic lack of resources (time, skills, adequate international cooperation) on the law enforcement side.

I do not believe that anybody is asking RIPE NCC to take actions that pertain to law enforcement. I do believe, however, that the RIPE area has a problem with respect to other RIRs, and that some changes (in policies, enforcement of rules, etc) could be made to mitigate the problem somehow, still remaining within the limits of the RIR mandate.

One could have a fairly good idea of 'The Problem' by looking at the Spamhaus SBL listings attributed to the RIRs (as far as I understood, Spamhaus does that when the resources are directly allocated by the RIR to criminal groups and therefore no ISP can be accounted for them - the resources are freely moved from one ISP to another). Today:

http://www.spamhaus.org/sbl/listings/AFRINIC ...... 4 listings [13]
http://www.spamhaus.org/sbl/listings/APNIC ........ 19 listings [55]
http://www.spamhaus.org/sbl/listings/ARIN ......... 289 listings [84]
http://www.spamhaus.org/sbl/listings/LACNIC ....... 10 listings [20]
http://www.spamhaus.org/sbl/listings/RIPE ......... 307 listings [49]

The number in brackets is the approximate total allocation size of the RIR in units of /8, extracted from http://labs.apnic.net/ipv4/report.html .
ARIN clearly has a serious problem too, but when the number of problems is normalized with the allocation size we obtain (number of problems per /8):

AFRINIC ..... 0.31
APNIC ....... 0.35
ARIN ........ 3.44
LACNIC ...... 0.50
RIPENCC ..... 6.27

Certainly one could argue that this is not the best possible metric as it reflects the point of view of a single actor, and I am sure one could find better metrics. Yet, the normalized result is a factor 2 worse than ARIN, and more than an order of magnitude worse than APNIC. I would doubt that other data could change the RIR order.

It may be that this result is simply due to a higher concentration of criminals in the RIPE area than in other areas. In all cases, as a European and a RIPE community member I feel ashamed of this outcome, knowing that I am also in part responsible for it for not having dedicated enough time and thought to this problem.

If you look at those Spamhaus listings, you will notice that a good fraction of them is due to 'snowshoe' spamming, where thousands of IP addresses are used as cannons to send unsolicited mail. There are networks as large as /14s used for this purpose. Is anyone here really thinking that this is a valid usage of scarce resources, considering that a well-behaved, opt-in based ESP can usually carry on its activity out of a /24?

If snowshoe spamming is not an acceptable motivation to get an assignment when asking for it - and I really hope this to be the case - then people could use a network to do that only if they make a false statement when asking for the assignment. Now, RIPE-582 (February 2013) contains the following text:

"6.6 Validity of an Assignment

All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."
Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment. Then the RIPENCC problem, it seems to me, is that "no longer valid" ranges remain in use for a long period of time. This seems to indicate that there is no effective mechanism to enforce the rules.

Indeed, what is the semantic meaning of "no longer valid" if people continue to use those ranges for extended periods of time? "Invalid" with respect to what? RIPE-582 does not seem to address this point. If it does, please point me to the relevant section, or to another document that discusses this point.

At the end, the problem seems to boil down to these questions: "Does the RIPE Community really want to have resources defined as "invalid", yet live without a real working mechanism to have these invalid resources claimed back and reassigned? If not, would the introduction of such an enforcement mechanism go against the acceptable operational limits for a RIR? And if yes, what is the purpose of defining rules that can not be enforced, and hence resulting in bad guys getting as much resources as they like by making false statements?"

Investigation on what other RIRs are doing in terms of reclaiming invalid resources could perhaps also be of help.

Thanks for the attention
furio ercolessi
Hi, On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
The number in brackets is the approximate total allocation size of the RIR in units of /8, extracted from http://labs.apnic.net/ipv4/report.html .
ARIN clearly has a serious problem too, but when the number of problems is normalized with the allocation size we obtain (number of problems per /8):
AFRINIC ..... 0.31
APNIC ....... 0.35
ARIN ........ 3.44
LACNIC ...... 0.50
RIPENCC ..... 6.27
I'm not sure what good is "normalizing by amount of /8s", as that is easily skewed by a few early and large allocations, of which ARIN has quite a lot. Normalizing by *number of LIRs* seems to be a much more interesting metric to see "what percentage of the LIRs under a given RIR umbrella are problematic". I do not have today's membership numbers at hand - last time I collected the figures (end of 2008), RIPE had 6428 members, ARIN had 3465. As far as I have followed the regions, the ratio of growth has been similar, so roughly, RIPE has about 2 times the amount of LIRs that ARIN has. Now, with about the same entries in the Spamhaus RBL, distributed to *twice* the amount of "customers", I think the evil/good ratio in RIPE land is much better...
Certainly one could argue that this is not the best possible metric as it reflects the point of view of a single actor, and I am sure one could find better metrics. Yet, the normalized result is a factor 2 worse than ARIN, and more than an order of magnitude worse than APNIC. I would doubt that other data could change the RIR order.
It really depends on what you're trying to prove. Of course there are bad actors in the RIPE region - but there are *many* actors here, and the percentage of bad actors is actually *lower* by a factor of 2 than in ARIN land. (That APNIC has so few entries is surprising, but if, for example, all Spam from .cn comes from a single APNIC member, it just shows that just looking at "how many LIRs in a given region are bad?" is not an overly useful metric).
It may be that this result is simply due to a higher concentration of criminals in the RIPE area than in other areas.
No, it's due to "completely useless math". There are just many more actors in the RIPE area, so the same amount of criminals spread over *twice* the amount of RIR members is not "higher concentration" but "lower". The number of "criminals per IP address" is indeed higher, yes. But what exactly is the use of that metric, except to show "ARIN has a larger share from the hoard of /8s"?

Gert Doering
-- NetMaster
-- have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Vorstand: Sebastian v. Bomhard; Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen); Tel: +49 (89) 32356-444; USt-IdNr.: DE813185279
As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular, Romania, from his list below, what would RIPE NCC's figures fall to?

Most of those /14s are swipped and then re-swipped to a succession of shell companies that appear to remain valid for the minimum possible duration - and are typically (as creating a shell company in Romania requires valid ID) set up by the simple expedient of walking into a bar and paying a guy there a few euro to get him to use his ID to set up the shell company.

So even "a much larger number of customers in the RIPE region" is a figure that you would have to allow for substantial inflation in, when you consider these numbers.

--srs

On Tuesday, June 18, 2013, Gert Doering wrote:
ARIN clearly has a serious problem too, but when the number of problems is normalized with the allocation size we obtain (number of problems per /8):
AFRINIC ..... 0.31
APNIC ....... 0.35
ARIN ........ 3.44
LACNIC ...... 0.50
RIPENCC ..... 6.27
I'm not sure what good is "normalizing by amount of /8s", as that is easily skewed by a few early and large allocations, of which ARIN has quite a lot.
Normalizing by *number of LIRs* seems to be a much more interesting metric to see "what percentage of the LIRs under a given RIR umbrella are problematic".
-- --srs (iPad)
Suresh Ramasubramanian wrote the following on 18/06/2013 15:22:
As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular, Romania, from his list below, what would RIPE NCC's figures fall to?
Most of those /14s are swipped and then re-swipped to a succession of shell companies that appear to remain valid for the minimum possible duration - and are typically (as creating a shell company in Romania requires valid ID) set up by the simple expedient of walking into a bar and paying a guy there a few euro to get him to use his ID to set up the shell company.
So even "a much larger number of customers in the RIPE region" is a figure that you would have to allow for substantial inflation in, when you consider these numbers.
There is no question in my mind that there is a massive problem in the RIPE NCC service region, just as there is elsewhere. I'm not convinced that there's any good in comparing them, rather we should admit that there is such a problem.

I remain to be convinced that we will ever reach an agreed definition of network abuse, but I do think there are types of activity that are generally agreed to be abusive. But even with these, do we want the NCC to say "Ah, you have operated a botnet to crack credit card numbers, we will now deregulate!" I do not believe we will ever reach consensus on such a policy.

I *do* believe that there should be more rigour involved in obtaining addresses, but there you also have a problem of national law. If a state says "this company is a legitimate company" does the NCC have any right to argue?

Ronald, I ask this sincerely, and I apologise if I missed it before, but what is your definition of 'network abuse'? I'm not asking this to call you out, I'm genuinely interested. I know why definitions are important, but I also know how hard they can be and given the limitations of what the NCC can do (and what I, as an operator, want it to do) I'm not sure how much use it will actually be to pursue such a thing.

Are there other ways of looking at this, of tackling it, that have more chance of success?

Brian
RIPE is a bookkeeper, not a law enforcer, and I guess we have enough law enforcers around each of us.

On Tue, Jun 18, 2013 at 5:09 PM, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Suresh Ramasubramanian wrote the following on 18/06/2013 15:22:
As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular, Romania, from his list below, what would RIPE NCC's figures fall to?
Most of those /14s are swipped and then re-swipped to a succession of shell companies that appear to remain valid for the minimum possible duration - and are typically (as creating a shell company in Romania requires valid ID) set up by the simple expedient of walking into a bar and paying a guy there a few euro to get him to use his ID to set up the shell company.
So even "a much larger number of customers in the RIPE region" is a figure that you would have to allow for substantial inflation in, when you consider these numbers.
There is no question in my mind that there is a massive problem in the RIPE NCC service region, just as there is elsewhere. I'm not convinced that there's any good in comparing them, rather we should admit that there is such a problem.
I remain to be convinced that we will ever reach an agreed definition of network abuse, but I do think there are types of activity that are generally agreed to be abusive. But even with these, do we want the NCC to say "Ah, you have operated a botnet to crack credit card numbers, we will now deregulate!" I do not believe we will ever reach consensus on such a policy.
I *do* believe that there should be more rigour involved in obtaining addresses, but there you also have a problem of national law. If a state says "this company is a legitimate company" does the NCC have any right to argue?
Ronald, I ask this sincerely, and I apologise if I missed it before, but what is your definition of 'network abuse'? I'm not asking this to call you out, I'm genuinely interested. I know why definitions are important, but I also know how hard they can be and given the limitations of what the NCC can do (and what I, as an operator, want it to do) I'm not sure how much use it will actually be to pursue such a thing.
Are there other ways of looking at this, of tackling it, that have more chance of success?
Brian
--
Kind regards.
Lu
I prefer to use the analogy of a bank manager disbursing loans. He has a fiduciary duty to ensure deadbeats don't get loans .. And any fraud .. He detects it, takes proactive action within his sphere of influence and passes it to law enforcement for actual punishment. But not granting or revoking the loan isn't something he leaves to the police.

On Tuesday, June 18, 2013, Lu Heng wrote:
RIPE is a bookkeeper, not a law enforcer, and I guess we have enough law enforcers around each of us.
On Tue, Jun 18, 2013 at 5:09 PM, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
-- --srs (iPad)
Hi, On Tue, Jun 18, 2013 at 10:16:35PM +0530, Suresh Ramasubramanian wrote:
I prefer to use the analogy of a bank manager disbursing loans. He has a fiduciary duty to ensure deadbeats don't get loans .. And any fraud .. He detects it, takes proactive action within his sphere of influence and passes it to law enforcement for actual punishment. But not granting or revoking the loan isn't something he leaves to the police.
Banks, in the western world of these days, are not exactly a good example for "trusted entities". I'd prefer the NCC to not turn into something that is very difficult to work with if you need their service, annoys you with advertising when you *don't* need their service, and if you give them your money, they spend it on casino activities and then need the taxpayer to bail them out...

Gert Doering
-- NetMaster
-- have you enabled IPv6 on something today...?
Which isn't quite a shining example of fiduciary duty but well, if we are to split hairs over an analogy rather than discuss what sort of fiduciary duty RIPE NCC has towards being a custodian of v4 space ..

On Wednesday, June 19, 2013, Gert Doering wrote:
Banks, in the western world of these days, are not exactly a good example for "trusted entities".
I'd prefer the NCC to not turn into something that is very difficult to work with if you need their service, annoys you with advertising when you *don't* need their service, and if you give them your money, they spend it on casino activities and then need the taxpayer to bail them out...
-- --srs (iPad)
In general, a consensus definition of spam HAS evolved - and more to the point, a consensus on best practices for ISPs and marketers has evolved. Whether or not some of the spam Ronald is concerned about is illegal - most of it tends to skate on the borderline between legal and illegal (and some of the gray areas keep getting plugged by regulatory action, court rulings etc) - a substantial part of it is the sort that leaves the IP space such customers acquired polluted and unusable by other customers, after it is abandoned by the spammers after being blacklisted and nullrouted beyond any viable further use.

The objective Furio has for these numbers is not as much to name and shame as to highlight just where the problem exists, and provide actionable metrics that can be used to zero in on and address the problem.

If you think Furio's math is bad, it might be a way forward to actually share usable metrics and discuss a statistical approach (possibly using as a platform a neutral third party like MAAWG - which the OECD and others have used for metrics data, and which represents a sizeable chunk of the ISP / antispam research and product / legitimate email marketer community).

I wish there was RIPE NCC representation at the recent Vienna MAAWG .. it'd have been good to discuss these and other ways forward.

thanks
srs

On Tuesday, June 18, 2013, Brian Nisbet wrote:
Suresh Ramasubramanian wrote the following on 18/06/2013 15:22:
As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular, Romania, from his list below, what would RIPE NCC's figures fall to?
Most of those /14s are swipped and then re-swipped to a succession of shell companies that appear to remain valid for the minimum possible duration - and are typically (as creating a shell company in Romania requires valid ID) set up by the simple expedient of walking into a bar and paying a guy there a few euro to get him to use his ID to set up the shell company.
So even "a much larger number of customers in the RIPE region" is a figure that you would have to allow for substantial inflation in, when you consider these numbers.
There is no question in my mind that there is a massive problem in the RIPE NCC service region, just as there is elsewhere. I'm not convinced that there's any good in comparing them, rather we should admit that there is such a problem.
I remain to be convinced that we will ever reach an agreed definition of network abuse, but I do think there are types of activity that are generally agreed to be abusive. But even with these, do we want the NCC to say "Ah, you have operated a botnet to crack credit card numbers, we will now deregulate!" I do not believe we will ever reach consensus on such a policy.
I *do* believe that there should be more rigour involved in obtaining addresses, but there you also have a problem of national law. If a state says "this company is a legitimate company" does the NCC have any right to argue?
Ronald, I ask this sincerely, and I apologise if I missed it before, but what is your definition of 'network abuse'? I'm not asking this to call you out, I'm genuinely interested. I know why definitions are important, but I also know how hard they can be and given the limitations of what the NCC can do (and what I, as an operator, want it to do) I'm not sure how much use it will actually be to pursue such a thing.
Are there other ways of looking at this, of tackling it, that have more chance of success?
Brian
-- --srs (iPad)
In message <51C0783C.7010708@heanet.ie>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
There is no question in my mind that there is a massive problem in the RIPE NCC service region, just as there is elsewhere. I'm not convinced that there's any good in comparing them, rather we should admit that there is such a problem.
As noted in my prior post, I agree entirely with Brian on this.
I remain to be convinced that we will ever reach an agreed definition of network abuse...
Please excuse me for stating the obvious, but the most certain way to insure that we will never succeed in such an effort is never to even try.
I *do* believe that there should be more rigour involved in obtaining addresses, but there you also have a problem of national law. If a state says "this company is a legitimate company" does the NCC have any right to argue?
An excellent question if ever there was one. Please allow me two responses.

Firstly, this sort-of reminds me of various classic and generally archetypal discussions/disagreements/confrontations that I had with various adult authority figures when I was growing up, in particular, my mother. I would begin by saying something like "Gee, ma, but all of the other kids are having fun, sniffing the fumes from felt-tip pens and then skateboarding down Lombard Street! So why can't I??" to which she would provide the stock pre-canned standard adult response "So, if Johnny jumped off a cliff would you do the same thing?"

If a given nation, or even a given municipality within the admirably diverse RIPE region decided to make criminality a virtue, would RIPE be in any sense, either legally, morally, or ethically obliged to follow suit? I don't think so. Would it be wise to do so? Again, I don't think so. If Upper Volta decides tomorrow to diversify its flagging economy by making it 100% legal, within that jurisdiction, to offer DDoS-for-hire services, then should (or must) all nations and municipalities within the RIPE region then automatically assent to that lowest common denominator of sanity? (We have a saying that covers exactly such self-destructive outcomes in this country... "The Constitution is NOT a suicide pact.")

Secondly, although not probable, it is certainly possible that at some point the express laws of some nation or municipality within the RIPE region might come into direct conflict with what _already_ seems to be against the rules... or at the very least seriously frowned upon... within RIPE's jurisdiction, i.e. spamming. In such a case, whose rules should give way to whose?

Here in the United States, there are many who advocate for, and take the view that society would be safer if each and every last one of us owned and carried a gun around all of the time. This is certainly a debatable point, but every now and again some small municipality, usually somewhere in Texas, passes or tries to pass a law _requiring_ all citizens to own firearms. Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has just passed a law _requiring_ all of its citizens to spam. What is RIPE going to do? Issue each citizen of Grand Fenwick his or her own /24?

In short, at what point does respect for the individuality and authority of the constituent nations and municipalities of the entire RIPE region cross over into unambiguous lunacy?

At the birth of my own nation, there existed 13 totally independent colonies, none of which could even stand to be in the same room with any of the others for any length of time. They all hated each other and each had their own preferred ways of doing things. In the end, they found a sufficiently motivating external threat that was enough to force them at least into a loose confederation.

I suggest that the kinds of threats to network stability and usefulness that we all know exist on the Internet today, and which we can reasonably anticipate are only likely to worsen in the future, are and should be enough for the RIPE membership to assert, at least to some minimal reasonable extent, its own independent authority, at least within that very limited jurisdiction which is, by all rights, more the property and province of RIPE than it is of any nation state, i.e. that portion of "cyberspace" which hovers like an unseen aether at all times over the RIPE geographic region. This portion of cyberspace is in some ways more important than any of the individual nation states that happen to lie under it, and its continued stability and usefulness is most definitely _not_ the primary responsibility of any of those individual nation states, nor even all of them put together. As it is not their responsibility, what sense would it make (or what sense does it make) to defer exclusively to _their_ authority?

The answer is simple. It makes no sense at all. RIPE must have its own rules for the protection and stability of what is, after all, its own special dominion.

(Notwithstanding all of the above having been said, I want to be clear that I am not fundamentally an "internationalist". Nor would I by any means or on any occasion make any attempt to defend the so-called "Euro Project", let alone its now evident tragic consequences. I am an advocate only of pragmatism, of what makes sense, and of what works. The Euro does not. The Internet must.)
Ronald, I ask this sincerely, and I apologise if I missed it before, but what is your definition of 'network abuse'?
Everything I don't like that goes on every day on the Internet. I could drag out the whole list, but I don't want to bore you. It's as long as your arm, and most definitely includes a LOT more than spamming. But my own views on this are neither here nor there. I think that you and I agree that only that set of things that the community as a whole says are "network abuse" should be construed, for any practical purpose, to be such, and in this crowd I'm only one... or, as I myself would advocate, perhaps only 1/2 or 1/4 vote, as I neither reside in RIPE-land, nor do any substantial business there, nor, most importantly, do I operate an Internet-connected network there.
I'm not asking this to call you out, I'm genuinely interested.
I am not offended and will be happy to give you a more detailed exposé of my personal definition of "network abuse" off list.
I know why definitions are important, but I also know how hard they can be and given the limitations of what the NCC can do (and what I, as an operator, want it to do) I'm not sure how much use it will actually be to pursue such a thing.
See above. What is RIPE going to do when Grand Fenwick starts _encouraging_ its citizens to spam, hack, and DDoS? All things considered, it would be Better if RIPE had an answer to this question well _before_ it comes to this, because I can assure you that eventually it _will_ come to this. It will be an inevitable result of the fact that money is involved, and lots of it.
Are there other ways of looking at this, of tackling it, that have more chance of success?
None whatsoever. It is always politically expedient not to decide anything, but as I said earlier, not to decide is to decide.

Regards,
rfg

P.S. In the early 1970's, somehow and for some reason I cannot even remember now, I acquired a thin little paperback book that described what I dimly remember was probably the instruction set of the early PDP-11's. (This was before I had even touched any actual computer, let alone any PDP.) Anyway, in the first few pages, probably just after the title page of the book, I think, DEC had inserted a small quote from a poem. I have thought about that many times since. I don't know if I can even quote it accurately anymore... I somehow lost the book decades ago... but I'll try.

  He took the wheel in a lashing raging storm.
  "My plan is to have no plan!" he said.
  And six months later, "I have been driven by events."

  -- The People, Yes
     Carl Sandburg
On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote:
What is RIPE going to do when Grand Fenwick starts _encouraging_ its citizens to spam, hack, and DDoS?
Nothing. That is, nothing beyond making sure that the resource holder is registered in the ripedb -which it does- and that there is a contact to report abuse to -which it now also does-. What the resource holder does with these resources is between them and their relevant legal authorities. rgds, Sascha Luck
On Wed, Jun 19, 2013 at 09:42:55PM +0100, Sascha Luck wrote:
On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote:
What is RIPE going to do when Grand Fenwick starts _encouraging_ its citizens to spam, hack, and DDoS?
Nothing. That is, nothing beyond making sure that the resource holder is registered in the ripedb -which it does- and that there is a contact to report abuse to -which it now also does-.
What the resource holder does with these resources is between them and their relevant legal authorities.
http://www.ripe.net/ripe/docs/ripe-584#addressing-plan indicates that RIPENCC _wants_ to know. I would really like to know if an Assignment Request Form for a /19 with 'snowshoe spamming' indicated in the 'Purpose' field would be accepted by RIPENCC. If not, I would really like to know what, for instance, the gentlemen that control 91.90.192.0/19 told RIPENCC about the intended purpose, and whether their statements are compatible with the PTR records defined on that block. furio
In message <20130619204255.GB55051@cilantro.c4inet.net>, Sascha Luck <lists-ripe@c4inet.net> wrote:
On Tue, Jun 18, 2013 at 07:55:48PM -0700, Ronald F. Guilmette wrote:
What is RIPE going to do when Grand Fenwick starts _encouraging_ its citizens to spam, hack, and DDoS?
Nothing. That is, nothing beyond making sure that the resource holder is registered in the ripedb -which it does- and that there is a contact to report abuse to -which it now also does-.
What the resource holder does with these resources is between them and their relevant legal authorities.
Well, I'm sure glad that we got that cleared up. Regards, rfg
Ronald, I'm going to snip a lot of this mail, but there's a core issue I'd like to address.
Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has just passed a law _requiring_ all of its citizens to spam. What is RIPE going to do? Issue each citizen of Grand Fenwick his or her own /24? In short, at what point does respect for the individuality and authority of the constituent nations and municipalities of the entire RIPE region cross over into unambiguous lunacy?
It's an interesting hypothetical, certainly. There are a number of possible options. The first is that the EU, or just the Netherlands, became aware of this and said "These people are bad, EU companies may not trade with them". The RIPE NCC operates under Dutch law, so they would be forced to stop doing business with those people. This has happened recently in relation to companies who are under sanctions. The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid." The third option may be that the law is passed, the resources are handed out and the RIPE community, so incensed by this, writes a policy that allows for far more invasive deregistration and closure steps and the membership of the NCC signs off on this. It would be... fun (fcvo fun) to watch and I suspect Nigel may cry. Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :) Brian
Hi Brian, On Thu, Jun 20, 2013 at 01:08:03PM +0100, Brian Nisbet wrote:
The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid."
Hmmm. That raises an interesting question: What *does* the NCC consider "network abuse" and grounds to deny an, otherwise legitimate, request? I was not aware that the RAs even have this option... rgds, Sascha Luck
Sascha Luck wrote the following on 20/06/2013 14:10:
Hi Brian,
On Thu, Jun 20, 2013 at 01:08:03PM +0100, Brian Nisbet wrote:
The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid."
Hmmm. That raises an interesting question: What *does* the NCC consider "network abuse" and grounds to deny an, otherwise legitimate, request? I was not aware that the RAs even have this option...
Please note the word "may". We're still talking hypotheticals and I doubt this would be the decision of just one IPRA. I would also not presume to speak for the NCC. Brian
On Thu, Jun 20, 2013 at 02:16:51PM +0100, Brian Nisbet wrote:
Please note the word "may". We're still talking hypotheticals and I doubt this would be the decision of just one IPRA. I would also not presume to speak for the NCC.
Oh, OK. Too subtle for me to pick up on ;) cheers, Sascha Luck
The third option may be that the law is passed, the resources are handed out and the RIPE community, so incensed by this, writes a policy that allows for far more invasive deregistration and closure steps and the membership of the NCC signs off on this. It would be... fun (fcvo fun) to watch and I suspect Nigel may cry.
I'm crying already, just thinking about it Nigel
In message <51C2F0A3.8040302@heanet.ie>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
I'm going to snip a lot of this mail, but there's a core issue I'd like to address.
Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has just passed a law _requiring_ all of its citizens to spam. What is RIPE going to do? Issue each citizen of Grand Fenwick his or her own /24? In short, at what point does respect for the individuality and authority of the constituent nations and municipalities of the entire RIPE region cross over into unambiguous lunacy?
It's an interesting hypothetical, certainly. There are a number of possible options. The first is that the EU, or just the Netherlands, became aware of this and said "These people are bad, EU companies may not trade with them". The RIPE NCC operates under Dutch law, so they would be forced to stop doing business with those people.
A highly unlikely scenario, I think you will agree.
The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid."
Again, based upon the current available evidence, also a highly unlikely scenario.
The third option may be that the law is passed, the resources are handed out and the RIPE community, so incensed by this, writes a policy that allows for far more invasive deregistration and closure steps and the membership of the NCC signs off on this. It would be... fun (fcvo fun) to watch and I suspect Nigel may cry.
I'm not even sure which specific Nigel you are referring to, but I for one could live with that.
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick. Regards, rfg
Ronald F. Guilmette wrote, On 20/06/2013 21:26:
In message <51C2F0A3.8040302@heanet.ie>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
I'm going to snip a lot of this mail, but there's a core issue I'd like to address.
Now, imagine for a moment that The Duchy of Grand Fenwick (google it) has just passed a law _requiring_ all of its citizens to spam. What is RIPE going to do? Issue each citizen of Grand Fenwick his or her own /24? In short, at what point does respect for the individuality and authority of the constituent nations and municipalities of the entire RIPE region cross over into unambiguous lunacy?
It's an interesting hypothetical, certainly. There are a number of possible options. The first is that the EU, or just the Netherlands, became aware of this and said "These people are bad, EU companies may not trade with them". The RIPE NCC operates under Dutch law, so they would be forced to stop doing business with those people.
A highly unlikely scenario, I think you will agree.
Not unlikely at all. As the last sentence of that paragraph says, it happened recently in real life.
The second may be that while these companies may be legitimate businesses the NCC is aware of the local law and says, "Ah, no, we know, for a fact, that you are mandated to use these resources for network abuse, therefore your application is invalid."
Again, based upon the current available evidence, also a highly unlikely scenario.
Less likely, certainly, but we're talking in deep hypotheticals here.
The third option may be that the law is passed, the resources are handed out and the RIPE community, so incensed by this, writes a policy that allows for far more invasive deregistration and closure steps and the membership of the NCC signs off on this. It would be... fun (fcvo fun) to watch and I suspect Nigel may cry.
I'm not even sure which specific Nigel you are referring to, but I for one could live with that.
Ah, sorry, Nigel Titley, the Chairman of the Executive Board of the NCC. Also, and I know I've said this several times before, there is nothing stopping a member (or members) of the community from writing such a proposal right now.
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick.
I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting. Brian
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick.
I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting.
Brian
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv https://cert.lv/uploads/uploads/OpenLetter.pdf Erik Bais
On Friday, June 21, 2013, Erik Bais wrote:
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
https://cert.lv/uploads/uploads/OpenLetter.pdf
Erik Bais
To maintain some balance on an issue that involved blocking one ISP (not "all of latvia") that was hosting bot spammers for a very long time indeed .. a couple of other articles. http://www.theregister.co.uk/2010/08/13/spamhaus_latvia/ And an assessment of this situation from another organization- Trend Micro, which can, in some cases, be seen as competing with spamhaus (they after all acquired the original MAPS RBL lists) http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-... Quite frankly my sympathies are not with nic.lv in this matter. --srs -- --srs (iPad)
Suresh Ramasubramanian wrote the following on 21/06/2013 13:07:
On Friday, June 21, 2013, Erik Bais wrote:
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
https://cert.lv/uploads/uploads/OpenLetter.pdf
Erik Bais
To maintain some balance on an issue that involved blocking one ISP (not "all of latvia") that was hosting bot spammers for a very long time indeed .. a couple of other articles.
http://www.theregister.co.uk/2010/08/13/spamhaus_latvia/
And an assessment of this situation from another organization- Trend Micro, which can, in some cases, be seen as competing with spamhaus (they after all acquired the original MAPS RBL lists)
http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-...
Quite frankly my sympathies are not with nic.lv in this matter.
It is a complicated situation and while I'm not necessarily a fan of the action taken or how it played out, my initial comment was overly glib. My intent was to point out that wide reaching actions have been taken in the past and I apologise for the remark. I have no particular wish to reignite nor insert myself into that argument. Brian
not my intention to rake it up either but do believe me, it is dangerous if an us versus them mentality were to take root in the rir / netops community against groups that are on your side against a common enemy On Friday, June 21, 2013, Brian Nisbet wrote:
Suresh Ramasubramanian wrote the following on 21/06/2013 13:07:
On Friday, June 21, 2013, Erik Bais wrote:
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
https://cert.lv/uploads/uploads/OpenLetter.pdf
Erik Bais
To maintain some balance on an issue that involved blocking one ISP (not "all of latvia") that was hosting bot spammers for a very long time indeed .. a couple of other articles.
And an assessment of this situation from another organization- Trend Micro, which can, in some cases, be seen as competing with spamhaus (they after all acquired the original MAPS RBL lists)
http://blog.trendmicro.com/trendlabs-security-intelligence/spamhaus-listing-rightfully-lists-latvian-hoster/
Quite frankly my sympathies are not with nic.lv in this matter.
It is a complicated situation and while I'm not necessarily a fan of the action taken or how it played out, my initial comment was overly glib. My intent was to point out that wide reaching actions have been taken in the past and I apologise for the remark. I have no particular wish to reignite nor insert myself into that argument.
Brian
-- --srs (iPad)
On Fri, Jun 21, 2013 at 06:12:52PM +0530, Suresh Ramasubramanian wrote:
not my intention to rake it up either but do believe me, it is dangerous if an us versus them mentality were to take root in the rir / netops community against groups that are on your side against a common enemy
So, anyone who disagrees with your modus operandi (and perhaps even the fact that you would gleefully destroy the village to save the inhabitants) should just shut up? I pick my own enemies, thank you very much. rgds, Sascha Luck
Suresh, Suresh Ramasubramanian wrote the following on 21/06/2013 13:42:
not my intention to rake it up either but do believe me, it is dangerous if an us versus them mentality were to take root in the rir / netops community against groups that are on your side against a common enemy
Well, this is why I wanted to clarify my remarks. Like I said, I'm not a fan of some things that a variety of people do, but I absolutely agree on avoiding that mentality. As with all of these things, aim is to enhance collaboration and work to improve things, while neither side is afraid to be honest etc. Brian
On Friday 21 June 2013 13.49, Erik Bais wrote:
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick.
I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting.
Brian
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
https://cert.lv/uploads/uploads/OpenLetter.pdf
Erik Bais
cert.lv is wrong on one point: There is no "right" to send spam, and there is no right to send mail to anyone. It's a service that each and every mailserver owner has the right to deny for any reason. Spamhaus (and others) is only a list of known abusers; anyone using any of these lists has the right to do so. Agreed that some listings are in error. That should be resolved asap, but as long as a provider does not stop spam they will sooner or later be listed. A few providers actually prevent spam. Those won't show up in listings. To stay out of listings one has to do more than whining, one has to actually prevent spam originating!
-- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det är billigare att göra rätt. Det är dyrt att laga fel. )
On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
A few providers actually prevent spam. Those won't show up in listings. To stay out of listings one has to do more than whining, one has to actually prevent spam originating!
Just for the avoidance of doubt, are you arguing for the scanning of the content of outgoing third-party email (aka Censorship) in order to avoid landing on some blocklist? rgds, Sascha Luck
Since when does commercial speech qualify for free speech protection? And yes, outbound mail scanning is a widely recognized best practice. No, it would not have helped in the Latvia case because the ISP in question was hosting botnet command and control sites, which don't tend to control bots or run telemetry over SMTP. On Friday, June 21, 2013, Sascha Luck wrote:
On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
A few providers actually prevent spam. Those won't show up in listings.
To stay out of listings one has to do more than whining, one has to actually prevent spam originating!
Just for the avoidance of doubt, are you arguing for the scanning of the content of outgoing third-party email (aka Censorship) in order to avoid landing on some blocklist?
rgds, Sascha Luck
-- --srs (iPad)
Suresh Ramasubramanian wrote:
and yes, outbound mail scanning is a widely recognized best practice
But in some countries or under some other regulations this is not an option.
no, it would not have helped in the Latvia case because the ISP in question was hosting botnet command and control sites, which don't tend to control bots or run telemetry over smtp.
On Friday, June 21, 2013, Sascha Luck wrote:
On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
A few providers actually prevent spam. Those won't show up in listings. To stay out of listings one has to do more than whining, one has to actually prevent spam originating!
Just for the avoidance of doubt, are you arguing for the scanning of the content of outgoing third-party email (aka Censorship) in order to avoid landing on some blocklist?
There is a much easier way of finding botted PCs dialing into your own network without having to scan outgoing mail. Let's say your dial-in users also have email services with you and they already have an anti-spam system running along with those services. Simply check incoming spam to see if it originates from your own dial-in networks ;o) If you're big enough, it's likely (it's proven to work) that your own customers receive spam from botted PCs that are also your customers. If detected, call them and explain the problem, they will love this service ... This simply works because most botted PCs used to send out mail also scan the address books of those users, and the friends or family or colleagues tend to use the same provider. Or: simply count the number of mails coming out from dial-in IPs and look for irregular peaks ... that should be allowed in most countries ... Kind regards, Frank
rgds, Sascha Luck
-- --srs (iPad)
On Friday, June 21, 2013, Frank Gadegast wrote:
Suresh Ramasubramanian wrote:
and yes, outbound mail scanning is a widely recognized best practice
But this is in some countries or under some other regulations no option.
Which is a pity of course. However it remains a best practice and even in Germany there are ISPs who do filter outbound mail.
There is a much easier way of finding botted PCs dialing into your own network without having to scan outgoing mail.
This wasn't anything about botted PCs ON that network. It was about C2 for various bots running on collocated IP space leased by botmasters. As for the rest of it - there's RFC 6561 besides a ton of best practice documents on how to detect botted PCs on a network. --srs -- --srs (iPad)
On Friday 21 June 2013 15.20, Sascha Luck wrote:
On Fri, Jun 21, 2013 at 02:50:35PM +0200, peter h wrote:
A few providers actually prevent spam. Those won't show up in listings. To stay out of listings one has to do more than whining, one has to actually prevent spam originating!
Just for the avoidance of doubt, are you arguing for the scanning of the content of outgoing third-party email (aka Censorship) in order to avoid landing on some blocklist?
rgds, Sascha Luck
I'm just saying that for any provider that allows spam to flow out there is a large risk of getting on blocklists. There is a number of ways to prevent this happening: a good customer contract is a good start, surveillance of outbound mail another, blocking port 25 from customers' PCs a third. As I understand they did nothing of the sort - thus spam will happen. (Spammers are seeking unprotected PCs on sloppy ISP networks. When they find one they plant a trojan and start spewing spam. Preventing this in the first place is a good start. When spam is detected, isolation of affected PCs is another step.) Sending mail to my servers is not an inherent right, it's something that is granted on MY conditions. Same goes for my customers.
-- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det är billigare att göra rätt. Det är dyrt att laga fel. )
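The two cheap detection signals Frank describes above (inbound mail already tagged as spam whose source sits in your own dial-in space, and irregular outbound volume per dial-in IP), which also cover the "surveillance of outbound mail" step in Peter's list, can be run over MTA logs without scanning message content. The following is an added example, not code from the original thread or from any of the posters; the log line formats, the dial-in ranges and the thresholds are all constructed for the example.

```python
"""Flag likely botted customer hosts from two content-free signals:
(1) inbound mail the filter already marked as spam whose source IP is inside
our own dial-in ranges, and (2) per-IP outbound message volume far above
the other dial-in senders.  Everything below is constructed example data."""
import ipaddress
import re
from collections import Counter

# Hypothetical customer (dial-in) ranges of "our" ISP -- an assumption.
DIALIN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.0.0/16")]

# Constructed log formats (not any real MTA's):
#   outbound: "<epoch> OUT client=<ip> rcpt=<n>"   one line per relayed message
#   inbound : "<epoch> IN  src=<ip> verdict=<spam|ham>"
OUT_RE = re.compile(r"^(\d+) OUT client=(\S+) rcpt=(\d+)$")
IN_RE = re.compile(r"^(\d+) IN\s+src=(\S+) verdict=(spam|ham)$")


def in_dialin(ip: str) -> bool:
    """True if the address belongs to one of our own dial-in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DIALIN_RANGES)


def inbound_spam_from_own_customers(lines):
    """Signal 1: spam caught by the inbound filter that came from our own
    customer space.  Returns {ip: number of spam hits}."""
    hits = Counter()
    for line in lines:
        m = IN_RE.match(line)
        if m and m.group(3) == "spam" and in_dialin(m.group(2)):
            hits[m.group(2)] += 1
    return hits


def outbound_volume_peaks(lines, factor=5.0, minimum=20):
    """Signal 2: outbound messages per dial-in IP; flag an IP whose count is
    at least `minimum` and more than `factor` times the (upper) median count
    of all dial-in senders.  Thresholds are constructed example values."""
    counts = Counter()
    for line in lines:
        m = OUT_RE.match(line)
        if m and in_dialin(m.group(2)):
            counts[m.group(2)] += 1
    if not counts:
        return {}
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return {ip: n for ip, n in counts.items() if n >= minimum and n > factor * median}


def suspects(lines):
    """Union of both signals with the evidence for each flagged IP."""
    spam_hits = inbound_spam_from_own_customers(lines)
    peaks = outbound_volume_peaks(lines)
    return {ip: {"inbound_spam": spam_hits.get(ip, 0), "outbound": peaks.get(ip, 0)}
            for ip in set(spam_hits) | set(peaks)}


# Constructed sample log: three normal dial-in senders, one host spewing
# 40 messages (the botted PC), and a busy non-customer IP that must be ignored.
SAMPLE_LOG = (
    [f"{1700000000 + i} OUT client=10.20.1.1 rcpt=1" for i in range(2)]
    + [f"{1700000100 + i} OUT client=10.20.1.2 rcpt=1" for i in range(3)]
    + [f"{1700000200 + i} OUT client=10.30.2.2 rcpt=1" for i in range(2)]
    + [f"{1700000300 + i} OUT client=10.20.5.7 rcpt=25" for i in range(40)]
    + [f"{1700000400 + i} OUT client=192.0.2.9 rcpt=1" for i in range(100)]
    + ["1700000500 IN  src=10.20.5.7 verdict=spam"] * 3
    + ["1700000501 IN  src=10.30.1.1 verdict=spam",
       "1700000502 IN  src=198.51.100.4 verdict=spam",
       "1700000503 IN  src=10.20.9.9 verdict=ham"]
)

if __name__ == "__main__":
    for ip, evidence in sorted(suspects(SAMPLE_LOG).items()):
        print(ip, evidence)
```

On the sample data the host 10.20.5.7 is flagged by both signals and 10.30.1.1 by the inbound signal alone; the non-customer address 192.0.2.9 is ignored although it sent the most mail, which is the point of restricting the check to your own ranges. The median-based threshold is deliberately crude: in practice you would baseline each IP against its own history, but the shape of the check is the same.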
In message <862A73D42343AE49B2FC3C32FDDFE91C5A6CA1CD@E2010-MBX04.exchange2010.nl>, Erik Bais <erik@bais.name> wrote:
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
Although generally speaking I virtually never take issue with Spamhaus' rationale on those rare occasions when they actually work up the gumption to actually list somebody, let alone on those even rarer occasions when they elect to escalate a listing to relevant providers, I will say that regardless of whether I personally might agree or disagree with what Spamhaus did in this case, I am not persuaded that many would, after reading the published reports of this event, characterize this as Spamhaus' finest hour. It would be better, I think, if RIPE would be more pro-active in dealing with its own dirty laundry, rather than waiting around and relying on Spamhaus, who, as spammers are always eager to point out, nobody elected, to take out the garbage. But as I said in my prior posting, that just does not seem to be in the cards, politically, at the present time. Regards, rfg
Erik Bais wrote: [...]
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before. Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Erik Bais
Wilfried.
There are of course multiple sides to that story as well. Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time. http://www.spamhaus.org/organization/statement/7/ --srs On Wednesday, June 26, 2013, Wilfried Woeber wrote:
Erik Bais wrote: [...]
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Erik Bais
Wilfried.
-- --srs (iPad)
Suresh Ramasubramanian wrote: Just want to note that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like). It's only the content that's dangerous, eMail or webpage. So it's more a problem of the people running the services, and these are either hacked sites or ISPs tolerating or deliberately hosting this content. Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ... BTW: just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under http://www.google.com/safebrowsing/alerts/ to receive notification about doubtful content Google might find when spidering your network. This could be pretty useful to remove phishing and hacked sites pretty quickly. Kind regards, Frank
There are of course multiple sides to that story as well.
Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
http://www.spamhaus.org/organization/statement/7/
--srs
On Wednesday, June 26, 2013, Wilfried Woeber wrote:
Erik Bais wrote: [...] For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv https://cert.lv/uploads/uploads/OpenLetter.pdf
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Erik Bais
Wilfried.
-- --srs (iPad)
On Wed, Jun 26, 2013 at 4:22 PM, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
Suresh Ramasubramanian wrote:
Just want to note that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
What about domain names used to control botnets? Killing the name will ensure the botnet can't reach its controller, while just killing the service would allow the service to be put back up on another host. Olaf
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases. On Jun 26, 2013 7:52 PM, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote:
Suresh Ramasubramanian wrote:
Just want to note that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
It's only the content that's dangerous, eMail or webpage. So it's more a problem of the people running the services, and these are either hacked sites or ISPs tolerating or deliberately hosting this content.
Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...
BTW: just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under http://www.google.com/safebrowsing/alerts/ to receive notification about doubtful content Google might find when spidering your network.
This could be pretty useful to remove phishing and hacked sites pretty quickly.
Kind regards, Frank
There are of course multiple sides to that story as well.
Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
--srs
On Wednesday, June 26, 2013, Wilfried Woeber wrote:
Erik Bais wrote: [...] For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv https://cert.lv/uploads/uploads/OpenLetter.pdf
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Erik Bais
Wilfried.
-- --srs (iPad)
On Wed, 26 Jun 2013 20:01:26 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
We have many domains that are ONLY used for email, some for DNS, etc. etc. (one client uses his domain just for MUD) -- So "content" should not even be mentioned / discussed... but there are so many valid points and if you are open/unbiased it is very hard to decide a firm opinion. For myself: we all become desperate as the fight against spam/abuse is sometimes a very difficult one as things are not always white and black but more than 50 shades of grey :)
I deal with gray all the time, but I am afraid that we are dealing with positions on both sides of this argument that could use a lot more nuance to find common ground. Denouncing spamhaus as clumsy and evil vigilantes isn't quite the true picture - and equally ccTLDs operate within a specific legal framework, but so do other ccTLDs in countries with similar legal systems. Definitely something to discuss and use to drive process change internally, though doubtless that's already being done. --srs (htc one x) On 26-Jun-2013 9:14 PM, "andre" <andre@ox.co.za> wrote:
On Wed, 26 Jun 2013 20:01:26 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
We have many domains that are ONLY used for email, some for DNS, etc. etc. (one client uses his domain just for MUD) -- So "content" should not even be mentioned / discussed...
but there are so many valid points and if you are open/unbiased it is very hard to decide a firm opinion.
For myself: we all become desperate as the fight against spam/abuse is sometimes a very difficult one as things are not always white and black but more than 50 shades of grey :)
Suresh Ramasubramanian wrote:
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
Same thing. The controllers must run on a server with an IP address, destroy these servers.
The domain name is just a name; it's the hostnames in the domain's nameserver pointing to an IP and a server with whatever service running under that IP. It's likely that the botnet owner uses another domain name if you remove it.
Botnet owners aren't stupid.
Kind regards, Frank
On Jun 26, 2013 7:52 PM, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote:
Suresh Ramasubramanian wrote:
Just want to note that domain names themselves can't be dangerous (of course using a similar name could cause problems with trademarks and the like).
It's only the content that's dangerous, e-mail or webpage. So it's more a problem of the people running the services, and these are either hacked sites or ISPs tolerating or deliberately hosting this content.
Asking a TLD registry to remove domain names because of phishing is then somehow the wrong place to start, especially for Spamhaus; they should know better and simply place all those IPs on their lists ...
BTW: just found the service "Google Safe Browsing Alerts for Network Administrators" where every AS owner can register under http://www.google.com/safebrowsing/alerts/ to receive notification about doubtful content Google might find when spidering your network.
This could be pretty useful to remove phishing and hacked sites pretty quickly.
Kind regards, Frank
There are of course multiple sides to that story as well.
Like a massive infestation of rock phish domains which, too, were knowingly disregarding local law, and were present in rather massive quantities on the .at ccTLD at that time.
http://www.spamhaus.org/organization/statement/7/
--srs
I did say fast flux. Take down one compromised VM in a cheap datacenter somewhere and it pops up on some random company's exposed file and print server somewhere else. On Jun 26, 2013 8:49 PM, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote:
Suresh Ramasubramanian wrote:
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
Same thing. The controllers must run on a server with an IP address, destroy these servers.
On Wed, Jun 26, 2013 at 05:19:11PM +0200, Frank Gadegast wrote:
Suresh Ramasubramanian wrote:
Consider, if you will, a domain that has absolutely no "content", but is the command and control for a fast flux botnet. Which has been the case with both the Latvian as well as Austrian ccTLD cases.
Same thing. The controllers must run on a server with an IP address, destroy these servers.
The domain name is just a name; it's the hostnames in the domain's nameserver pointing to an IP and a server with whatever service running under that IP. It's likely that the botnet owner uses another domain name if you remove it.
A domain is just a domain, an IP address is just an IP address, a botted PC is just a botted PC. Abuse comes from a combination of resources; some of them are just a sequence of bytes that gets associated with some actual hardware at some point. Some of these resources are more important than others. For instance, a botted PC is arguably more important than the dynamic IP on which it is observed on a particular day.

A C&C domain is an extremely important resource, as it is hardwired in the bot code and indicates how to reach the master to get instructions. It is a "pure" criminal-owned resource, and taking it down often has a very large positive impact on spam flows, as it makes a large number of botted PCs inoperative all at once. It is one level up in the hierarchy with respect to the botted PCs level.

The NS or the A DNS records for the C&C domain are of secondary importance, because the criminal can easily walk around terminations, usually in a fully automated way. Not to mention the fast-flux setups where these records are also rotated among machines running malware (for instance DNS proxies redirecting traffic to a hidden location), or setups where criminals host their domains on hijacked nameservers that cannot really be "destroyed". Therefore the responsibility for terminating C&C domains lies with the registries, not with the DNS providers (which may not even exist).

The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'. Similar problems have then occurred in .PL and .RU as well. Luckily, the times have changed and country CERTs are nowadays much more aware of the C&C problem and of the need to take down those domains swiftly.

As often happens with large organizations, 'learning' may be very slow and may need to be stimulated by external forces - not because of a lack of capacity of the individuals working in the organizations to understand the issue, but because of the fear of those individuals to break a complex set of rules, and the possible need to have those rules changed to avoid breaking them. I believe that all the external forces working on this problem - Spamhaus, Cymru, Shadowserver, SURBL, GTSC, ISC, Trend Micro and others - have played and are playing a very important role in interacting with registries and CERTs regarding cybercrime domains, even more so when those interactions have to be a little 'rough' to get some traction. Nobody likes friction, I think, but sometimes it is needed to shake things and see some action.

furio ercolessi
On Wednesday 26 June 2013 14.44, Wilfried Woeber wrote:
Erik Bais wrote: [...]
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Erik Bais
Wilfried.
This has nothing to do with any local laws. Spamhaus runs a list of "bad senders"; other people use this list ON THEIR OWN MAILSERVERS. If one wants to stay out of the Spamhaus list, then don't send spam or allow abuse; if you do like to allow spam to flow, you will get on a number of lists.
-- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( It is cheaper to do it right. It is expensive to fix mistakes. )
As I'm about to shout "disclosure" at someone, I better mention that I'm affiliated with Spamhaus. I have no input / control / influence whatsoever on the listings side of things but I do work for a Spamhaus entity. On 26 Jun 2013, at 13:44, Wilfried Woeber <Woeber@CC.UniVie.ac.at> wrote:
Erik Bais wrote: [...]
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
This snippet brought to us by Erik Bais. Is this the same Erik Bais who filed a complaint with the Dutch police against Spamhaus in October 2011 <http://www.theregister.co.uk/2011/10/13/dutch_isp_accuses_spamhaus/>? The MD of A2B who was providing connectivity to "German ISP Cyberbunker, aka CB3ROB"? With CyberBunker being heavily implicated in the recent DDoS attack against Spamhaus. Heavily, inasmuch as "Sven Olaf Kamphuis, a vocal spokesman for CyberBunker, was arrested at the request of Dutch authorities near Barcelona by Spanish Police after collaboration through Eurojust" <http://en.wikipedia.org/wiki/CyberBunker>. Sir, I question your motives for bringing this up.
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
Spamhaus is an organisation which publishes reputation datasets for users to do with as they wish. Many users wish to block inbound email based on Spamhaus' datasets. That's Spamhaus' users' prerogative. No pressure is exerted to use the lists.

There are no fees charged for the removal of an entity from a Spamhaus blocklist – the problem which initiated the listing simply needs to have been resolved.

The Spamhaus datasets consist of reputation lists – which is to say an entity's (Spamhaus') opinion as to the reputation of certain properties (IPs and domains). Third party, independent reports are used in any number of different industries to help organisations arrive at best possible decisions. In what way is this significantly different?

Extortion or bullying is not being applied. Laws are not being broken – whatever spin people may try to put on this.

Spamhaus' reputation lists have been published for over a decade now. Over that time some traction has built up to the point that slightly shy of two billion email accounts are protected (directly, indirectly or via derivative products) by the Spamhaus datasets. Such longevity and market acceptance has not been forced on anyone. Spamhaus simply does a damn good job and has done so for many years.

Simon
Ok. So, I don't work for Spamhaus and only use them to filter mail at work. Obviously, I don't speak for my employer either, just for myself. The three cases in this thread aren't related except that there are two problems: criminals as customers, and a disinclination, possibly based on their interpretation of their country's laws, to get these customers removed. A more recent case, the Virut botnet, is interesting as other ccTLDs operating in the EU (Poland) did suspend several, as did Russia. Last I checked there were some still left .. in .at. www.spamhaus.org/news/article/690/ On Jun 26, 2013 7:13 PM, "Simon Forster" <simon-lists@ldml.com> wrote:
As I'm about to shout "disclosure" at someone, I better mention that I'm affiliated with Spamhaus. I have no input / control / influence whatsoever on the listings side of things but I do work for a Spamhaus entity.
In message <51CAE218.8000607@CC.UniVie.ac.at>, Woeber@CC.UniVie.ac.at wrote:
Erik Bais wrote: [...]
For those that want to read up on what actually happened on that specific incident in Latvia (July/August 2010), have a read on the following open letter from CERT.lv
And this actually wasn't the only or the first "incident" with Spamhaus. They also tried similar *piep*^Wbullying against NIC.at before.
Which actually has discredited Spamhaus in my personal opinion for sure, for knowingly disregarding local law, but that's slightly OT here - but maybe not...
I don't think that it is, because _that_ (ignoring local law... to a certain extent[1]) is pretty much exactly what I, at least, have been advocating here.

When it comes to physical territory -- the kind that politicians draw lines around on maps -- sovereign nations should be just that, sovereign. But as we all know, the Internet pretty much ignores all such borders. It is a realm unto itself, with its own needs for security and the common good.

None of this is to say that I am in any way defending what Spamhaus either did or did not do in either of these cases (Latvia or Austria). Indeed, in the case of the latter I cannot, because I don't even have any idea about what happened, what they (Spamhaus) did about it, or why. For all I know, in that case they actually may have been either perfectly justified or else perfectly indefensible.

Regards, rfg

=-=-=-=-=-=-=-=-
Footnote:
[1] I cannot envision any cases in which local laws should be *weakened* by their counterparts in ``cyberspace'' (to coin a phrase :-). I can however easily imagine many many scenarios where local laws allow action `X' but where action `X' is quite clearly and obviously detrimental to the ongoing stability, security, or operability of the Internet. In such cases, and _only_ within the realm of the Internet, yes, local laws should be ``ignored'' if you will. Then again, now that we know that China is hacking the USA... and most probably everybody else... and now that we know that the USA is hacking China... and probably everybody else... maybe it is already too late to do anything about anything that even a large percentage of us here might classify as "abusive". Maybe the cat is already out of the barn door.
My apologies to everyone. I had intended to respond to the last few messages in this thread several days ago, but I've been preoccupied with other matters until now. I want to respond only very briefly to one thing that Brian said, and then I want to put forward three very simple proposals. I know that I have already been far too verbose, so I shall try now to be brief. In message <51C437AF.1080300@heanet.ie>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick.
I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting.
For once I am at a loss for words.

Let me just say that I really feel that it would be... and perhaps even is currently... utterly wrong for the Internet and all actual and at least somewhat transparent and/or democratic authorities thereof, to completely defer, for the ongoing maintenance of order and sanity on the Internet, to Spamhaus. To say that that organization is imperfect would be an understatement. They miss much. And more to the point, Spamhaus is, in my estimation anyway, about as non-transparent in their policies, their operations, and their records as it is possible to be. Furthermore, deferring to them entirely for the enforcement of accepted norms is, and would be, in my opinion, just another kind of abdication. I believe that we can do better.

To that end, I have three small proposals:

1) That the charter of the RIPE Anti-Abuse working group be amended so as to make abundantly clear that whenever any two or more members of the WG bring to the attention of the chair that there may exist some specific allocation of number resources which either is no longer valid, or which may never have been actually valid to begin with (based upon currently accepted criteria for number resource allocation within the RIPE region), then the WG chair will be obliged to undertake a preliminary informal inquiry, including public discussion on the mailing list, as and when that may be useful, and that following this initial informal inquiry, if, in the opinion of that chair, there exists some reasonable basis for believing that the number resource allocation(s) in question may indeed no longer be valid, then the chair is further obligated to formally report this fact to RIPE NCC, along with a formal request from the WG to RIPE NCC, that RIPE NCC immediately undertake a usual and customary audit of the allocation(s) in question, and the justification thereof.

2) That the charter of RIPE itself be amended to stipulate, explicitly, that in any case in which the Anti-Abuse Working Group chair has made a formal request, to RIPE NCC, on behalf of the WG, for an audit to determine whether or not a given number resource allocation is or is not currently valid, that RIPE NCC is obliged by such a request to actually conduct the requested audit, and to do so in a timely fashion.

3) That the precise criteria used by RIPE NCC to justify each possible different kind of number resource allocation, either initially or during any post-allocation audit, be made public in its entirety if it is not so already.

I make the above three proposals with an understanding that what is politically possible at the present time with respect to most forms of what I suspect we would all agree constitutes "network abuse" is at best minimal. There is clearly little appetite to turn either this WG or RIPE NCC into a functioning police force in any sense, and certainly not with respect to matters that are not even universally accepted as "abuse".

Nonetheless, there does exist a massive problem with so-called "snowshoe" spammers getting ahold of really big chunks of IPv4 address space... which they then waste in a truly massive and almost obscene way... and also there is a problem with crooks who either want to lay their hands on vast tracts of IPv4 address space for so-called "black-hat SEO" purposes, or who have already done so. As I understand it, RIPE allocation policies _already_ place most or all of this activity outside of the established RIPE rules and framework for allocations. So to combat at least these few limited forms of "network abuse" it now seems that all we need is an accepted process by which the pre-existing process known as a "RIPE NCC audit" can be triggered, in deserving cases, many of which are already known to, or are likely in future to come to the attention of members of this working group and participants on this mailing list.
Regards, rfg
Ronald F. Guilmette wrote the following on 25/06/2013 11:04:
My apologies to everyone. I had intended to respond to the last few messages in this thread several days ago, but I've been preoccupied with other matters until now.
I want to respond only very briefly to one thing that Brian said, and then I want to put forward three very simple proposals. I know that I have already been far too verbose, so I shall try now to be brief.
And I, in turn, am just going to respond to one comment below which I think stems from a misunderstanding of something I may have badly phrased. The three proposals I will, of course, comment on, but I just want to clear up the misunderstanding first.
In message <51C437AF.1080300@heanet.ie>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Of course in amongst all of this I would suspect if the resources were handed out, there would be a lot of depeering and null routing going on in relation to the poor, forced-to-spam, citizens of the Grand Duchy. :)
Once again, based upon the available evidence, I would claim that it would in fact be improbable that any substantial amount of depeering and/or null routing would occur, in practice. It is a classic "tragedy of the commons" problem, and no operator would wish to have to explain to its user base why they, the end lusers, can no longer send e-mail to their cousins in Grand Fenwick.
I'm not sure, Spamhaus were quite happy to block Latvia for a far smaller reason. I think if it was a mandated activity for all citizens the reaction of the international community might be interesting.
For once I am at a loss for words.
Let me just say that I really feel that it would be... and perhaps even is currently... utterly wrong for the Internet and all actual and at least somewhat transparent and/or democratic authorities thereof, to completely defer, for the ongoing maintenance of order and sanity on the Internet, to Spamhaus. To say that that organization is imperfect would be an understatement. They miss much. And more to the point, Spamhaus is, in my estimation anyway, about as non-transparent in their policies, their operations, and their records as it is possible to be. Furthermore, deferring to them entirely for the enforcement of accepted norms is, and would be, in my opinion, just another kind of abdication. I believe that we can do better.
I was not suggesting that Spamhaus were necessarily the appropriate people to do this. As I mentioned in another mail this was an overly glib comment meant to suggest that people had reacted in the past. My point was rather that I'd be interested to see what the international reaction to such a situation would be, not that I think the international reaction would be to hand over full "policing" powers to Spamhaus. I am *very* much a fan of transparency, the more of it the better. Brian
Ronald F. Guilmette wrote: [...]
Sounds like a good start ... but I doubt if this should be the job of the anti-abuse-wg or its chair.
I would rather prefer it if there were somebody at the RIPE NCC having this job, and setting up another wg mailing list (like abuse-audit@ripe.net) ...
I personally do not like to be flooded with discussions about specific networks that might or might not be audited again ...
If this gets changed, I'm +1
Kind regards, Frank
To that end, I have three small proposals:
1) That the charter of the RIPE Anti-Abuse working group be ammended so as to make abundantly clear that whenever any two or more members of the WG bring to the attention of the chair that there may exist some specific allocation of number resources which either is no longer valid, or which may never have been actually valid to begin with, (based upon currently accepted criteria for number resource allocation within the RIPE region) then the WG chair will be obliged to undertake a preliminary informal inquiry, including public discussion on the mailing list, as and when that may be useful, and that following this initial informal inquiry, if, in the opinion of that chair, there exists some reasonable basis for believing that the number resource allocation(s) in question may indeed no longer be valid, then the chair is further obligated to formally report this fact to RIPE NCC, along with a formal request from the WG to RIPE NCC, that RIPE NCC immediately undertake a usual and customary audit of the allocation(s) in question, and the justification thereof.
2) That the charter of RIPE itself be ammended to stipulate, explicitly, that in any case in which the Anti-Abuse Working Group chair has made a formal request, to RIPE NCC, on behalf of the WG, for an audit to determine whether or not a given number resource allocation is or is not currently valid, that RIPE NCC is obliged by such a request to actually conduct the requested audit, and to do so in a timely fashion.
3) That the precise cirteria used by RIPE NCC to justify each possible different kind of number resource allocation, either initially or during any post-allocation audit, be made public in its entirety if it is not so already.
I make the above three proposals with an understanding that what is politically possible at the present time with respect to most forms of what I suspect we would all agree constitutes "network abuse" is at best minimal. There is clearly little appetite to turn either this WG or RIPE NCC into a functioning police force in any sense, and certainly not with respect to matters that are not even universally accepted as "abuse".
Nonetheless, there does exist a massive problem with so-called "snowshoe" spammers getting ahold of really big chunks of IPv4 address space... which they then waste in a truly massive and almost obscene way... and also there is a problem with crooks who either want to lay their hands on vast tracts of IPv4 address space for so-called "black-hat SEO" purposes, or who have already done so. As I understand it, RIPE allocation policies _already_ place most or all of this activity outside of the established RIPE rules and framework for allocations. So to combat at least these few limited forms of "network abuse" it now seems that all we need is an accepted process by which the pre-existing process known as a "RIPE NCC audit" can be triggered, in deserving cases, many of which are already known to, or are likely in future to come to the attention of, members of this working group and participants on this mailing list.
Regards, rfg
Entirely depends on the audit's conclusions.
1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.
2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting". stop"
:)
On Tuesday, June 25, 2013, Frank Gadegast wrote:
Ronald F. Guilmette wrote:
Sounds like a good start ... but I doubt if this should be the job of the anti-abuse-wg or its chair.
I would rather prefer, if there would be somebody at the RIPE NCC having this job, and setting up another wg mailing list (like abuse-audit@ripe.net) ...
I personally do not like to be flooded with discussions about specific networks, that might or might not be audited again ...
If this gets changed, I'm +1
-- --srs (iPad)
In message <CAArzuosEHQ6RYqnGwXWuCbGzuvqwEk9iH-tis948AcU00iL+fA@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Entirely depends on the audit's conclusions.
1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.
2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting". stop"
:)
I'm not grasping whatever point you were making Suresh. Can I ask you to please take another whack at it? Were you saying that the current audit NCC policies would in fact "stop" an audit (and declare everything acceptable?) upon learning that the target of the audit is merely a properly registered company? Regards, rfg
Just a scenario. Which may be totally off the wall, to be sure. --srs (htc one x) On 26-Jun-2013 1:08 AM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
In message <CAArzuosEHQ6RYqnGwXWuCbGzuvqwEk9iH-tis948AcU00iL+fA@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Entirely depends on the audit's conclusions.
1. Shell company in Romania or the Ukraine - "the documents say it is a registered company". Stop.
2. Hosting snowshoe spam or malware or whatever. "the justification just says "hosting". stop"
:)
I'm not grasping whatever point you were making Suresh. Can I ask you to please take another whack at it?
Were you saying that the current audit NCC policies would in fact "stop" an audit (and declare everything acceptable?) upon learning that the target of the audit is merely a properly registered company?
Regards, rfg
In message <51C977BF.1090908@powerweb.de>, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
Ronald F. Guilmette wrote:
Sounds like a good start ... but I doubt if this should be the job of the anti-abuse-wg or its chair.
I would rather prefer, if there would be somebody at the RIPE NCC having this job, and setting up another wg mailing list (like abuse-audit@ripe.net) ...
I personally do not like to be flooded with discussions about specific networks, that might or might not be audited again ...
If this gets changed, I'm +1
I can understand the concern, so yes, I personally wouldn't have any objection to there being a separate mailing list for discussions of issues with specific networks or, as I put it, specific allocations. (I can easily imagine that there might exist some cases in which there are noticeable problems with some specific allocation that are not really problems for the relevant AS as a whole.) Regards, rfg
In message <CAArzuosJQN7ku3SqnTSRb+hgTBu=E0h1H=yksNfbAW6MNfBJcQ@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
As a thought experiment, if Furio were to remove LIRs from Eastern Europe, in particular, Romania, from his list below, what would RIPE NCC's figures fall to?
Gentlemen, Please excuse me for saying that this discussion seems to be veering rather dramatically away from where it began. Personally, I don't care how many crooks there are in this region or that region. As far as I am concerned a single crook (or spammer) in _any_ region is one too many, and indicates a failure of something. What, I'm not so sure. I understand that my friend Furio Ercolessi was attempting to spur this group, and/or RIPE NCC and/or RIPE generally to action, based upon some comparative numbers, and I applaud him for that effort, even if, as has been noted, both his methodology and the proper interpretation of his numbers can be (and now have been) questioned.
From my perspective, even if Furio had crunched the numbers and found RIPE to come out as having the least issues/problems of any RIR, I, for one, would still be asking for what I have asked for, a mere definition of "network abuse", and one which may be viewed as being binding within the RIPE region.
The charter, such as it is, of this working group, appears to focus fairly exclusively on the issue of spamming. If this was arrived at by explicit intent of the RIPE membership then I will say here and now that I can live with that (and indeed, it isn't as if I would have any other choice). I would like to point out however that within the document alluded to earlier which contains what passes for a charter of this group, the terms "spam" and "spamming" are mentioned, but it isn't even clear whose definition of "spam" is being relied upon in this context, within that document, or within this group. This may seem to some as a petty point, but based upon long personal experience I can assure everyone most solemnly that (a) there are almost as many definitions of "spam" as there are people and (b) spammers themselves invariably define the term self-referentially as "that which I myself do not do". In short, this group could do worse things with its time than to at least develop a clear definition of the one and only particular kind of network abuse which, it seems, this group was formed to focus its attentions on, i.e. "spam". Regards, rfg
On Tue, Jun 18, 2013 at 03:44:46PM +0200, Gert Doering wrote:
No, it's due to "completely useless math". There are just many more actors in the RIPE area, so the same amount of criminals spread over *twice* the amount of RIR members is not "higher concentration" but "lower".
The number of "criminals per IP address" is indeed higher, yes. But what exactly is the use of that metric, except to show "ARIN has a larger share from the hoard of /8s"?
Not going to argue with that. That indicator was just one like many others. I clearly failed to get my main point across: my main purpose was not to state that the RIPE area is "worse" than the ARIN area, and actually I do not think it really matters which one is worse. Let us just say that the situation is bad (and there seems to be consensus on this). My main point was in the second half of the post, and concerned the meaning of "invalid resources", their long lifetime, the fact that the current system is favoring people that lie about resource usage, while in fact the opposite should be the case. furio ercolessi
On Wednesday, June 19, 2013, furio ercolessi wrote:
My main point was in the second half of the post, and concerned the meaning of "invalid resources", their long lifetime, the fact that the current system is favoring people that lie about resource usage, while in fact the opposite should be the case.
This is correct - and actionable metrics should be straightforward to provide. What remains is policy proposals that are effective in getting such allocation requests denied and/or revoked. Which seems to be more of a can of worms here than in any other RIR. --srs (iPad)
On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
[...] Now, RIPE-582 (February 2013) contains the following text:
"6.6 Validity of an Assignment All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."
Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment.
Then the RIPE NCC problem, it seems to me, is that "no longer valid" ranges remain in use for a long period of time. This seems to indicate that there is no effective mechanism to enforce the rules. Indeed, what is the semantic meaning of "no longer valid" if people continue to use those ranges for extended periods of time? "Invalid" with respect to what? RIPE-582 does not seem to address this point. If it does, please point me to the relevant section, or to another document that discusses this point.
At the end, the problem seems to boil down to these questions:
"Does the RIPE Community really want to have resources defined as "invalid", yet live without a real working mechanism to have these invalid resources claimed back and reassigned? If not, would the introduction of such an enforcement mechanism go against the acceptable operational limits for a RIR? And if yes, what is the purpose of defining rules that can not be enforced, and hence resulting in bad guys getting as much resources as they like by making false statements?"
Sadly, these questions remained mostly unanswered so far. I am starting to think that perhaps no attempts are made to classify IPv4 assignments as "invalid" according to RIPE-582, section 6.6. I will be glad to know about a counterexample. furio
HI, On Sat, Jun 29, 2013 at 03:43:23PM +0200, furio ercolessi wrote:
On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
[...] Now, RIPE-582 (February 2013) contains the following text:
"6.6 Validity of an Assignment All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."
Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment.
This paragraph mentions *assignments*, which is (in the context of LIRs) what a LIR gives to its customers. So indeed, if a customer is lying to the LIR, the assignment falls back to the LIR (which makes a difference when the LIR's allocation is full and they can't get more space because their assignments are not valid). This paragraph does not apply to the *allocation* given to the LIR from the RIPE NCC.
Gert Doering -- NetMaster
-- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
On Sat, Jun 29, 2013 at 10:14:57PM +0200, Gert Doering wrote:
HI,
On Sat, Jun 29, 2013 at 03:43:23PM +0200, furio ercolessi wrote:
On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
[...] Now, RIPE-582 (February 2013) contains the following text:
"6.6 Validity of an Assignment All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."
Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment.
This paragraph mentions *assignments*, which is (in the context of LIRs) what a LIR gives to its customers.
So indeed, if a customer is lying to the LIR, the assignment falls back to the LIR (which makes a difference when the LIR's allocation is full and they can't get more space because their assignments are not valid).
This paragraph does not apply to the *allocation* given to the LIR from the RIPE NCC.
Sure, I fully understand that. The question remains. Who is supposed to classify the range as invalid? Are invalid assignments revoked by RIPE NCC? If not, what is the 6.6 wording there for? What happens if an assignment is revoked and the customer continues to use the same allocated and now unassigned space as if nothing happened? furio ercolessi
And what if the LIR is complicit in this activity, to the extent of providing IP space no questions asked? On Jul 1, 2013 12:58 PM, "furio ercolessi" <furio+as@spin.it> wrote:
On Sat, Jun 29, 2013 at 10:14:57PM +0200, Gert Doering wrote:
Hi,
On Sat, Jun 29, 2013 at 03:43:23PM +0200, furio ercolessi wrote:
On Tue, Jun 18, 2013 at 03:29:23PM +0200, furio ercolessi wrote:
[...] Now, RIPE-582 (February 2013) contains the following text:
"6.6 Validity of an Assignment All assignments are valid as long as the original criteria on which the assignment was based are still valid and the assignment is properly registered in the RIPE Database. If an assignment is made for a specific purpose and that purpose no longer exists, the assignment is no longer valid."
Therefore, if the above premises are correct, spamming ranges are classified "not valid" - simply because snowshoe spam was not the motivation given to get the assignment.
This paragraph mentions *assignments*, which is (in the context of LIRs) what a LIR gives to its customers.
So indeed, if a customer is lying to the LIR, the assignment falls back to the LIR (which makes a difference when the LIR's allocation is full and they can't get more space because their assignments are not valid).
This paragraph does not apply to the *allocation* given to the LIR from the RIPE NCC.
Sure, I fully understand that.
The question remains. Who is supposed to classify the range as invalid? Are invalid assignments revoked by RIPE NCC? If not, what is the 6.6 wording there for? What happens if an assignment is revoked and the customer continues to use the same allocated and now unassigned space as if nothing happened?
furio ercolessi
Hi, On Mon, Jul 01, 2013 at 02:38:40PM +0530, Suresh Ramasubramanian wrote:
And what if the LIR is complicit in this activity, to the extent of providing IP space no questions asked?
In that case, the address space can be revoked. This is all covered in the Closures document that Brian already referenced: http://www.ripe.net/ripe/docs/ripe-578
Gert Doering -- NetMaster
In message <51BFEBAB.4010708@CC.UniVie.ac.at>, Woeber@CC.UniVie.ac.at wrote:
May I suggest this description:
So basically JUST spamming. Nothing about hacking, nothing about phishing or spear phishing, nothing about IP space hijacking (e.g. for SEO purposes only and NOT any spamming), nothing about credit card or other financial crimes, nothing about defrauding RIPE and/or entering deliberately bogus information into the RIPE database. Is that about the size of it?
Ronald F. Guilmette wrote the following on 19/06/2013 00:39:
In message <51BFEBAB.4010708@CC.UniVie.ac.at>, Woeber@CC.UniVie.ac.at wrote:
May I suggest this description:
So basically JUST spamming.
Nothing about hacking, nothing about phishing or spear phishing, nothing about IP space hijacking (e.g. for SEO purposes only and NOT any spamming), nothing about credit card or other financial crimes, nothing about defrauding RIPE and/or entering deliberately bogus information into the RIPE database.
Is that about the size of it?
No, not really. I do note your comments about definitions, but I would also point out a couple of things.

First off, the important line in the charter is: "It is considered difficult for this charter to include an exhaustive list of abuse types that would be considered within the scope of this working group, not least because this is expected to change over time. However an initial list can be stated and any necessary additions can be made." The list that follows almost entirely touches on spam, unquestionably, but the WG itself has discussed and dealt with a range of other abuses. Additionally, phishing (spear or otherwise) was certainly intended to be covered by Spam via SMTP. The aim was to start with a non-exhaustive list and not have a charter full of bullet points.

The second point is that in Dublin in May Tobias and I undertook to review the charter and to see if we could usefully expand the list and the charter in general.

Thirdly, the WG has worked with the NCC on the Closure and Deregistration document http://www.ripe.net/ripe/docs/ripe-578 which I think covers some of your points above.

There are definitely things missing, but I think it would be wrong to look at the charter in isolation, especially as that page also links to the minutes of the WG sessions that clearly show what else is going on. Brian
On Tue, Jun 18, 2013 at 04:39:26PM -0700, Ronald F. Guilmette wrote:
nothing about defrauding RIPE and/or entering deliberately bogus information into the RIPE data base.
Both of those *already* result in resource de-registration and closure of the LIR if found to have occurred. https://www.ripe.net/ripe/docs/ripe-578 rgds, Sascha Luck
participants (16)
- andre
- Brian Nisbet
- Erik Bais
- Frank Gadegast
- furio ercolessi
- Gert Doering
- Lu Heng
- Niall O'Reilly
- Nigel Titley
- Olaf van der Spek
- peter h
- Ronald F. Guilmette
- Sascha Luck
- Simon Forster
- Suresh Ramasubramanian
- Wilfried Woeber