Re: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
Dipl-Inform. Frank Gadegast wrote:
You don't need to know the real one until you have one for every IP.
As I mentioned, you might simply want to contact the abuse team regarding a more general issue. Quite often, if I can't find a published abuse contact for foo.com, I'll dig www.foo.com and then look up the returned address in the RIPE DB - I'm not at all interested in an address specific to that IP address though.
Metric?
Metric as in a standard of measurement. Sorry that probably wasn't very clear language on my part.
And that proves what?
I have 17 million+ users, and a remit to provide very open network access to them. It's inevitable that somewhere on the network someone is sending large volumes of spam; what's important is how quickly and effectively we react to that incident. Someone from RIPE calling us, to offer us a training course we don't need, because last year we had a few hosts sending 100,000+ spam e-mails isn't a useful use of anyone's resources. This, and my comment about NAT, are just illustrations of how you need to be careful over deciding what you consider to be a large volume of reports.
Well, at least you will hear about incidents with the new system, and that's more than is currently happening.
We already hear about incidents. Almost all the address space used on our network has an irt object published and reports reach us at the correct address. I'm not convinced that any abuse team who really wants to make themselves contactable has problems doing so (whether they are aware of the irt object or not is another matter). The difficulty is in convincing network owners that they need abuse teams that take the issue seriously :)
Yes, that's why I stated that. A solution could be that the RIPE system returns a link to the report sender that has to be clicked before the report is forwarded to the member.
Will that help?
Sorry I missed that in my original reading.
A member abuse address could be reset automatically to the member's main email address (which is very likely to be read by the member). The member would not want that many emails arriving at that main address and would fix the abuse address asap.
This process could be automated at the RIPE system.
I don't know anything about RIPE's existing processes for making sure that member information is correct but I suspect that it still requires human effort as a last resort.
Another idea to stop spam coming in could be to open the whole system only to RIPE members first!
The ISPs could work together and all others stay out.
Will that be a solution?
No, I suspect most of our reports come from non-RIPE members. The link confirmation would be enough, although you'd need some way to deal with automated reports.
No, it'll just ensure that the reports end up being delivered to an
That's far more than we have now ...
Shuffling bits from one mailbox to another doesn't constitute actual progress. You need to give a reason for the recipient to care enough about the reports to do something - and if they have that reason they'll take care of making themselves contactable for you :)
James
--
James Davis +44 1235 822 229 PGP: 0xD1622876
JANET CSIRT 0870 850 2340 (+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
You don't need to know the real one until you have one for every IP.
As I mentioned, you might simply want to contact the abuse team regarding a more general issue. Quite often, if I can't find a published abuse contact for foo.com, I'll dig www.foo.com and then look up the returned address in the RIPE DB - I'm not at all interested in an address specific to that IP address though.
Well, you can still look it up. But see it this way:
- most providers use anti-spam tools like SpamAssassin to protect their customers
- SA surely lists the IP that was connecting and causing the spam
- you can then automatically forward the spam plus an initial text, describing that you do not want this, to the general "IP-like" address
- and the monitoring system will then forward it to the right RIPE member (and to EVERY member)
Metric as in a standard of measurement. Sorry that probably wasn't very clear language on my part.
And that proves what?
I have 17 million+ users, and a remit to provide very open network access to them. It's inevitable that somewhere on the network someone is sending large volumes of spam; what's important is how quickly and effectively we react to that incident.
Clear. Think about how easy it would be for you when you receive a report ASAP via the new system. It is likely that you get a problem report just a few minutes after one of your users started to send spam, because his PC is infected. You can then look up the report (or even automate it), reset his RADIUS password and kick him out, waiting for him to phone your support :o) Or you could redirect him to a webpage describing that there are too many reports coming in for his IP in whatever time. It's all up to you.
My dream system looks like this:
- abuse reports will get standardized
- monitoring systems will be developed at all RIRs
- spam detection will be automated at the providers' side and send standardized reports to the RIRs' monitoring system
- and the RIR's member automates and scans the incoming reports like he wants (maybe by defining minimum values and limits) and automates the blockage and information of his users
Sounds great? Well, that's actually what we are doing already with our own users. If we detect incoming spam with high scores a couple of times in a short time we kick the user offline automatically and redirect him next time he logs in to an information page, where he finds our support numbers :o) Works simply great, and I would love to get closer to such a system together with ALL ISPs.
Someone from RIPE calling us, to offer us a training course we don't need, because last year we had a few hosts sending 100,000+ spam e-mails isn't a useful use of anyone's resources.
That was just an idea to inform newer members. For you it might be more important to automate as much as you can, and to be informed as quickly as possible, and the monitoring system in my draft simply achieves that.
This, and my comment about NAT, are just illustrations of how you need to be careful over deciding what you consider to be a large volume of reports.
Well, limits, counts and how you act on them are fully up to you. We had to test limits as well for our users. Let's say you receive 100 reports in about 10 minutes for one IP, where this IP had no report ever. What is likely to happen? What would you do? It's up to you, but surely you would read about 5 reports more closely (to check that you are not being spammed) and then do whatever you are doing normally (like looking up your own logs, checking other blacklists to prove that there is a problem, dialling into the supposedly hacked server and so on) when you detect a dial-in user or a hacked server.
Well, at least you will hear about incidents with the new system, and that's more than is currently happening.
We already hear about incidents. Almost all the address space used on
But very slowly. We see from our own blacklist that ISPs most often realize the problem far later than our blacklist detected it, or even get informed about the problem via our blacklist for the first time.
our network has an irt object published and reports reach us at the correct address. I'm not convinced that any abuse team who really wants to make themselves contactable has problems doing so (whether they are
Yes they have; they really have a problem receiving breakout info quickly enough ... believe me, we have had experience with them for more than 3 years now.
aware of the irt object or not is another matter).
The difficulty is in convincing network owners that they need abuse teams that take the issue seriously :)
Definitely agree. But an implemented system will make them even more aware, especially when they have to have a working abuse address and this one is getting flooded with reports. The only thing they can do is empty it with cp -f /dev/null /var/spool/mail/abuse every minute. But this will then result in some attention at RIPE NCC, because they do not answer incoming reports to set their state via the backlink. "Bad providers" could even be published by RIPE :o) The incoming reports will maybe even stress their mail servers :o)
The member would not want that many emails arrive at that main address and fix the abuse address asap.
This process could be automated at the RIPE system.
I don't know anything about RIPE's existing processes for making sure that member information is correct but I suspect that it still requires human effort as a last resort.
Well, that's only work at RIPE NCC; it's not that complicated to automate bounces ...
Another idea to stop spam coming in could be to open the whole system only to RIPE members first!
The ISPs could work together and all others stay out.
Will that be a solution?
No, I suspect most of our reports come from non RIPE members. The link
Hm, we still receive more than 20% of all spam from RIPE members. TTNET, TPNET and most Russian (and new) eastern ISPs are a big problem. Sure, most is currently coming out of China, Brazil and Korea. But that has nothing to do with getting the RIPE zone more advanced and cleaned. Think about the headline: "Europe is clear of spam senders now!" (ok, ok, news reporters are never correct and a bit too enthusiastic, but it could come close).
confirmation would be enough, although you'd need some way to deal with automated reports.
Well, the monitoring system could always send the same backlink for the same IP, so that the ISP could still count the amount of incoming reports for one IP automatically and then "answer" it as being closed with just clicking ONE link. Good idea?
Shuffling bits from one mailbox to another doesn't constitute actual progress. You need to give a reason for the recipient to care enough about the reports to do something - and if they have that reason they'll take care of making themselves contactable for you :)
Definitely right, but let's start with something ...
Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
Public PGP Key available for frank@powerweb.de
On 8 Apr 2010, at 19:27, Dipl-Inform. Frank Gadegast wrote:
You don't need to know the real one until you have one for every IP.
As I mentioned, you might simply want to contact the abuse team regarding a more general issue. Quite often, if I can't find a published abuse contact for foo.com, I'll dig www.foo.com and then look up the returned address in the RIPE DB - I'm not at all interested in an address specific to that IP address though.
Well, you can still look it up.
But see it this way:
- most providers use anti-spam tools like SpamAssassin to protect their customers
- SA surely lists the IP that was connecting and causing the spam
- you can then automatically forward the spam plus an initial text, describing that you do not want this, to the general "IP-like" address
- and the monitoring system will then forward it to the right RIPE member (and to EVERY member)
So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact??
You can then look up the report (or even automate it), reset his radius password and kick him out, waiting for him to phone your support :o)
Not everyone has the same business model
Or you could redirect him to a webpage describing that there are too many reports coming in for his IP in whatever time. It's all up to you.
My dream system looks like this:
- abuse reports will get standardized
that would be helpful
- monitoring systems will be developed at all RIRs
Monitoring for what exactly???
- spam detection will be automated at the providers' side and send standardized reports to the RIRs' monitoring system
- and the RIR's member automates and scans the incoming reports like he wants (maybe by defining minimum values and limits) and automates the blockage and information of his users
Sounds great?
Well, that's actually what we are doing already with our own users. If we detect incoming spam with high scores a couple of times in a short time we kick the user offline automatically and redirect him next time he logs in to an information page, where he finds our support numbers :o)
Works simply great, and I would love to get closer to such a system together with ALL ISPs.
And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way.
"Bad providers" could be even published by RIPE :o)
Are you insane? RIPE cannot open itself up for that kind of liability
Well, that's only work at RIPE NCC; it's not that complicated to automate bounces ...
So you say ..
You cannot speak for all providers / RIPE members.
You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who?
confirmation would be enough, although you'd need some way to deal with automated reports.
Well, the monitoring system could always send the same backlink for the same IP, so that the ISP could still count the amount of incoming reports for one IP automatically and then "answer" it as being closed with just clicking ONE link.
Good idea?
So you expect RIPE members to completely rework their abuse desks to fit into your view of the world? I can't see that happening, because not all RIPE members are the same or work in the same way.
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/ http://blog.blacknight.com/ http://mneylon.tel
Intl. +353 (0) 59 9183072 US: 213-233-1612 UK: 0844 484 9361 Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845
On Friday 09 April 2010 10.38, Michele Neylon :: Blacknight wrote:
On 8 Apr 2010, at 19:27, Dipl-Inform. Frank Gadegast wrote:
You don't need to know the real one until you have one for every IP.
As I mentioned, you might simply want to contact the abuse team regarding a more general issue. Quite often, if I can't find a published abuse contact for foo.com, I'll dig www.foo.com and then look up the returned address in the RIPE DB - I'm not at all interested in an address specific to that IP address though.
Well, you can still look it up.
But see it this way:
- most providers use anti-spam tools like SpamAssassin to protect their customers
- SA surely lists the IP that was connecting and causing the spam
- you can then automatically forward the spam plus an initial text, describing that you do not want this, to the general "IP-like" address
- and the monitoring system will then forward it to the right RIPE member (and to EVERY member)
So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact??
Proportional to the number of spam. Are you surprised that lots of spam generates lots of complaints?
You can then look up the report (or even automate it), reset his radius password and kick him out, waiting for him to phone your support :o)
Not everyone has the same business model
Some do better than others. Those that have no means of blocking a badly behaving customer would need to rethink their model.
Or you could redirect him to a webpage describing that there are too many reports coming in for his IP in whatever time. It's all up to you.
My dream system looks like this:
- abuse reports will get standardized
that would be helpful
- monitoring systems will be developed at all RIRs
Monitoring for what exactly???
Analysing incoming abuse reports (and acting accordingly)
- spam detection will be automated at the providers' side and send standardized reports to the RIRs' monitoring system
- and the RIR's member automates and scans the incoming reports like he wants (maybe by defining minimum values and limits) and automates the blockage and information of his users
Sounds great?
Well, that's actually what we are doing already with our own users. If we detect incoming spam with high scores a couple of times in a short time we kick the user offline automatically and redirect him next time he logs in to an information page, where he finds our support numbers :o)
Works simply great, and I would love to get closer to such a system together with ALL ISPs.
And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way.
Nope, some lazy ISPs will have to adjust their procedures. Being allowed to use an IP range is both a benefit and an obligation. Society at large does not work when rogue individuals misbehave and ignore "common rules of conduct".
"Bad providers" could be even published by RIPE :o)
Are you insane? RIPE cannot open itself up for that kind of liability
Why? If ranges are supplied with explicit rules of use, then if the provider does not follow the agreed rules it's not RIPE's problem. The key here is to couple assignment of ranges to specific rules for use.
Well, that's only work at RIPE NCC; it's not that complicated to automate bounces ...
So you say ..
You cannot speak for all providers / RIPE members.
You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who?
Why not take a fee per IP address per year? This is something I suggested to the IETF ages ago, and it would have made allocations much fairer. No one would like to pay for resources they don't need, and everyone would have a decent chance of getting addresses when they need them.
confirmation would be enough, although you'd need some way to deal with automated reports.
Well, the monitoring system could always send the same backlink for the same IP, so that the ISP could still count the amount of incoming reports for one IP automatically and then "answer" it as being closed with just clicking ONE link.
Good idea?
So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?
Why not? The world changes, and if some refuse to follow they will find themselves outside the loop.
I can't see that happening, because not all RIPE members are the same or work in the same way.
Unfortunately.
--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)
peter h wrote: (please also read below)
Hello,
So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact?? Proportional to the number of spam. Are you surprised that lots of spam generates lots of complaints?
That's a point, so there should be methods implemented to detect outbreaks, let's say something like: if more than 50 reports are coming in for one IP during 10 minutes, store the reports and do not notify the member about it anymore.
You can then look up the report (or even automate it), reset his radius password and kick him out, waiting for him to phone your support :o)
Not everyone has the same business model. Some do better than others. Those that have no means of blocking a badly behaving customer would need to rethink their model.
Definitely right. But at least the system would make it easier for everybody willing to do something.
Or you could redirect him to a webpage describing that there are too many reports coming in for his IP in whatever time. It's all up to you.
My dream system looks like this: - abuse reports will get standardized. That would be helpful.
A big yes. That's why I outlined it as a final goal in the draft.
Well, that's actually what we are doing already with our own users. If we detect incoming spam with high scores a couple of times in a short time we kick the user offline automatically and redirect him next time he logs in to an information page, where he finds our support numbers :o)
Works simply great, and I would love to get closer to such a system together with ALL ISPs.
And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way. Nope, some lazy ISPs will have to adjust their procedures. Being allowed to use an IP range is both a benefit and an obligation. Society at large does not work when rogue individuals misbehave and ignore "common rules of conduct".
Good comment.
"Bad providers" could be even published by RIPE :o)
Are you insane? RIPE cannot open itself up for that kind of liability. Why? If ranges are supplied with explicit rules of use, then if the provider does not follow the agreed rules it's not RIPE's problem. The key here is to couple assignment of ranges to specific rules for use.
Another big YES!!!!! That's really the point we should discuss here instead of technical solutions (which would help at least a bit, but do not solve the problem altogether). So here the final question:
------------------------------------------------------------
Is the community willing to combine the assignment of ranges with specific rules on how to use them and how not to use them, and should the misuse of the applied resources have consequences?
------------------------------------------------------------
If we get consensus about that, the problem will be solved altogether, because then it's only detail work. But: if we do not get consensus about that, we could stop talking about abuse on this group and the spammers will have won, also on this list ...
Well, that's only work at RIPE NCC; it's not that complicated to automate bounces ... So you say ..
You cannot speak for all providers / RIPE members.
You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who? Why not take a fee per IP address per year? This is something I suggested to the IETF ages ago, and it would have made allocations much fairer. No one would like to pay for resources they don't need, and everyone would have a decent chance of getting addresses when they need them.
Or the cost will simply be added to the normal member fee. I like the idea that smaller members have to pay less. Peter: many thanks for putting the problem of the abuse member back into the foreground and for submitting ideas to solve potential problems!
Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
Public PGP Key available for frank@powerweb.de
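An added illustration, not code from the draft or from any RIR or member system: the outbreak rule in the message above (more than 50 reports for one IP within 10 minutes are stored but no longer forwarded) together with the stable per-IP backlink proposed earlier in the thread, so that a member can close every report for one IP with a single click. The allocation table, member handles, backlink secret, base URL and report samples are all constructed.

```python
"""Toy model of the abuse-report "monitoring system" discussed in the thread.

Constructed data only: the prefixes, member handles, secret and reports below
are made up for this example and are not RIPE data.
"""
import hashlib
import hmac
import ipaddress
from collections import deque
from dataclasses import dataclass, field

# Constructed allocation table: prefix -> member handle responsible for it.
ALLOCATIONS = {
    ipaddress.ip_network("192.0.2.0/24"): "MEMBER-A",
    ipaddress.ip_network("198.51.100.0/24"): "MEMBER-B",
}

# Hypothetical per-deployment secret; the backlink must be stable per IP but
# not guessable by a reporter, so it is an HMAC over the IP rather than the IP.
BACKLINK_SECRET = b"constructed-secret"
BACKLINK_BASE = "https://monitor.example/close/"  # placeholder URL


def member_for(ip: str):
    """Map a reported IP to the member holding its allocation (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, member in ALLOCATIONS.items():
        if addr in net:
            return member
    return None


def backlink_for(ip: str) -> str:
    """Same IP -> same close link, so the member can count and close per IP."""
    token = hmac.new(BACKLINK_SECRET, ip.encode(), hashlib.sha256).hexdigest()[:16]
    return BACKLINK_BASE + token


@dataclass
class Monitor:
    threshold: int = 50   # reports per IP ...
    window: int = 600     # ... inside this many seconds count as an outbreak
    recent: dict = field(default_factory=dict)    # ip -> deque of timestamps
    stored: dict = field(default_factory=dict)    # ip -> every report kept
    notified: list = field(default_factory=list)  # (member, ip, backlink) sent

    def ingest(self, ts: int, ip: str, report: str) -> str:
        """Store the report; notify the member unless the IP is in an outbreak."""
        member = member_for(ip)
        if member is None:
            return "unknown"        # not one of our allocations; nothing to forward
        self.stored.setdefault(ip, []).append((ts, report))
        q = self.recent.setdefault(ip, deque())
        q.append(ts)
        while q and q[0] < ts - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            return "suppressed"     # outbreak: kept on file, member not re-notified
        self.notified.append((member, ip, backlink_for(ip)))
        return "notified"

    def close(self, backlink: str) -> int:
        """One click on the per-IP link closes every stored report for that IP."""
        for ip in list(self.stored):
            if hmac.compare_digest(backlink_for(ip), backlink):
                closed = len(self.stored.pop(ip))
                self.recent.pop(ip, None)
                return closed
        return 0


def simulate():
    """Constructed scenario: one quiet IP, one IP bursting 60 reports in 5 minutes,
    and one report for an address outside our allocations."""
    m = Monitor(threshold=50, window=600)
    counts = {"notified": 0, "suppressed": 0, "unknown": 0}
    counts[m.ingest(0, "198.51.100.7", "one-off complaint")] += 1
    for i in range(60):
        counts[m.ingest(i * 5, "192.0.2.10", f"spam sample {i}")] += 1
    counts[m.ingest(100, "203.0.113.1", "outside our allocations")] += 1
    return m, counts
```

Running `simulate()` shows the burst IP producing 50 notifications and 10 suppressed reports, all carrying one identical backlink, and `close()` on that link clears all 60 stored reports at once.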
Frank, "Frank Gadegast" wrote the following on 09/04/2010 11:23:
So here the final question:
------------------------------------------------------------
Is the community willing to combine the assignment of ranges with specific rules on how to use them and how not to use them, and should the misuse of the applied resources have consequences?
------------------------------------------------------------
If we get consensus about that, the problem will be solved altogether, because then it's only detail work.
But: if we do not get consensus about that, we could stop talking about abuse on this group and the spammers will have won, also on this list ...
The community will never reach consensus on this, but this does not mean that those who wish to abuse the network will win. The point here is that what you believe is abuse is not what others believe is abuse. For a start, you are still focusing almost entirely on spam (from everything you've indicated, but I'm happy to be told I'm wrong), whereas others consider UBE to be a symptom and annoyance now, rather than the real problem. There are members in the RIPE service region who have incredibly different concepts of what constitutes network abuse; there are likely to be some intersections in most cases, but I think that the binary proposal of reach consensus or declare defeat is a very blinkered one.
I am, it should be pointed out, not averse to attempting to build at least rough consensus on this, but I do not believe that it is an either/or situation. Nor do I believe that, if consensus is reached, everything else will just work. There is work ongoing to look more closely at what the RIPE NCC can do in reaction to a properly judged case of network abuse, in compliance with proper legal requirements and procedures, and hopefully we'll hear more about that soon, but the bald statement you have above is dangerous in a variety of ways and far too light on detail to be any sort of real question.
Brian.
On Fri, 9 Apr 2010 08:38:36 +0000, Michele Neylon :: Blacknight wrote:
"Bad providers" could be even published by RIPE :o)
Are you insane? RIPE cannot open itself up for that kind of liability
One can publish the truthfully measured metrics without liability
Dipl-Inform. Frank Gadegast wrote:
My dream system looks like this: - abuse reports will get standardized
There is already an effort under way to implement a standard abuse report format: http://www.ietf.org/id/draft-ietf-marf-base-02.txt
--
Niall Donegan
http://www.blacknight.com
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845