This is better than stand-up comic! From: anti-abuse-wg-request@ripe.net Sent: Wednesday, August 10, 2016 5:08 AM To: anti-abuse-wg@ripe.net Subject: anti-abuse-wg Digest, Vol 58, Issue 10 Send anti-abuse-wg mailing list submissions to anti-abuse-wg@ripe.net To subscribe or unsubscribe via the World Wide Web, visit https://lists.ripe.net/mailman/listinfo/anti-abuse-wg or, via email, send a message with subject or body 'help' to anti-abuse-wg-request@ripe.net You can reach the person managing the list at anti-abuse-wg-owner@ripe.net When replying, please edit your Subject line so it is more specific than "Re: Contents of anti-abuse-wg digest..." Today's Topics: 1. Re: VERIFIED[.]IS was - Russian carding... no, Islandic carding... no Belizian carding! (andre@ox.co.za) 2. Abuse: dnsbl - trust and other factors (andre@ox.co.za) 3. Re: VERIFIED[.]IS (Ronald F. Guilmette) 4. Re: Abuse: dnsbl - trust and other factors (Antonio Prado) 5. Re: Abuse: dnsbl - trust and other factors (andre@ox.co.za) ---------------------------------------------------------------------- Message: 1 Date: Wed, 10 Aug 2016 07:33:02 +0200 From: <andre@ox.co.za> To: Suresh Ramasubramanian <ops.lists@gmail.com>, <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] VERIFIED[.]IS was - Russian carding... no, Islandic carding... no Belizian carding! Message-ID: <mailman.1096.1470816511.19326.anti-abuse-wg@ripe.net> Content-Type: text/plain; charset=UTF-8 On Wed, 10 Aug 2016 10:41:00 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

?We?? Unless you actually work for ripe ncc that?s a rather large amount of overstatement.

deflecting from the actual issues much? "We" as in us reading this... I honestly also appreciate contributions by Ronald F. Guilmette, but if we are going to start reporting crime to this abuse list, we are headed down a slippery slope... Better: We stick to abuse, abuse policy discussions and report crimes to proper authorities. Or are we saying that the various law enforcement agencies Russian, Icelandic, Belizian are incompetent? Actually, what are we talking about? I can stumble onto hate speech, slavery, child porn, identity thieves, "carders" in the RIPE ip space in the hundreds... Should we invite and dedicate resources to report all Internet crimes to this abuse list? And then? Will these criminals be prosecuted? Or are we thinking about forming a sub committee to be in charge of public hangings? Do we have some sort of hearing first or can we just hack some ISP's range, upload any old site and then hang the company or 'nul-route' their traffic? How about us rather being constructive and actually doing something? Should their be an abuse policy relating to potential criminal activity, that places a protocol in place for dealing with intel? or not? That may actually be a productive abuse discussion... Instead of filing individual crime reports on this list... - which, imho, should be first reported to law enforcement (actually - should only be reported to law enforcement - we have no power, right or no fair way of evaluating content - only abuse - as in the website attacks your infrastructure and/or the website sends you something - and/or does something abusive. - If someone publishes hate speech, or porn or whatever - it is NOT abuse... it is potentially - crime - Andre Andre

On 10/08/16, 10:29 AM, "anti-abuse-wg-bounces@ripe.net on behalf of andre@ox.co.za" <anti-abuse-wg-bounces@ripe.net on behalf of andre@ox.co.za> wrote:

So, you stumbled across some potential criminal activity, then you notified law enforcement and/or Interpol?

Or you think that it is a better solution for RIPE to investigate criminal activity and simply to 'nul-route' child pornographers, identity thieves and criminal syndicates?

You are saying that you would rather discuss criminal syndicates on an anti abuse discussion list?

So, we should investigate crimes now and then disable their routing or email or what?

On Tue, 09 Aug 2016 12:53:34 -0700 "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:

> > I see that there is an interesting and active discussion on > this now. Everyone may be sure that I will be posting further > comments shortly which clarify my personal position on all the > matters discussed so far. > > In the meantime however, I just realized that I neglected to > clarify how I came to find that VERIFIED[.]IS web site in the > first place. > > It may not be at all important, but just so everyone knows, I > found that VERIFIED[.]IS indirectly. First, I stumbled onto > the following web site, which is clearly selling credit cards > *and* also (U.S.) social security numbers (SSNs) and > dates-of-birth (DOBs). (You can even pick out which U.S. state > you prefer!) These bits of information are often helpful to > people intent on committing identity theft: > > http://www.wellsfargo.lequeshop[.]ru/ > > As you can see, there is an email address on the above page. > It is <mixx@exploit.im>. I simply googled that email address > and then started to visit the web sites found. > > One of them was verified[.]is > > But this criminal carder ... who seems to be Russian... is also > active on many other web sites, presumably selling what he has > to offer in many different forums. > > > Regards, > rfg >

------------------------------ Message: 2 Date: Wed, 10 Aug 2016 08:28:53 +0200 From: andre@ox.co.za To: anti-abuse-wg@ripe.net Subject: [anti-abuse-wg] Abuse: dnsbl - trust and other factors Message-ID: <mailman.1097.1470816511.19326.anti-abuse-wg@ripe.net> Content-Type: text/plain; charset=UTF-8 Recently, in another thread, Suresh Ramasubramanian said that: "I trust spamhaus, especially related to their DROP list, which is extremely specific in its listing critieria" Then, I thought about how many abuse lists and dns blocklists there are and why this is the case, as even I trust (use & report to Spamhaus) but I also run a public / free dnsbl myself So why is this? - It is all about trust. It is also about policies - but what else is it? The listing and delisting criteria has to be clear, fair, transparent, etc maybe in terms of http://spamid.net/rfc5782.txt and http://spamid.net/rfc6471.txt But what else? Why did I feel the need to devops my own anti spam system after 25 years of dealing with abuse? For one: I trust myself And as I have not yet found anything that stops spam, phish, abuse dead in its tracks, and there is, on ALL of the dnsbl's - much politics... How many ESP's & ISP's operate their mass or bulk spam is to send the spam from an IP where 50% of the email is legit and valuable emails and 50% is spam... Also, they do not respond to abuse complaints from small organisations or small isp's or "little ants" - They are similar to cockroaches, only on the move when there is a bright light shined on them... Here is an example, of an IP number/operator - who is blocked nowhere and whom has received spam/abuse reports - and have done absolutely nothing about that... - and who hides legit emails - between the spam they relay... Not saying Mimecast is an evil cockroach, just that the example headers came in a few minutes ago - and matches the description of an supposedly "ethical" operator that hides spam in among relaying emails from .gov etc. - this operator is blocked nowhere - as their abuse behavior is to limit the percentage spam transmitted to a ratio (for example maybe 10% spam and 90% legit - or whatever) - to a ratio that would not get them blocked on spamhaus or any of the other dnsbl... Even my own blocklists cannot block Mimecast - even though they transmit spam/phish/crime/virus/spam Otherwise I lose clients... - AND Suresh Ramasubramanian and other similar people think that my block lists cannot be trusted... And this, the fact that : **** senders of abuse are not punished **** is why we have spam abuse in 2016. Society does not want to stop spam - if they did - there will be no spam in 2016. - comments? Andre *************************************** Spam/Abuse example: Return-Path: <bounces@thompsons.co.za> Delivered-To: spamtrap Received: from web.hostacc.com by web.hostacc.com (Dovecot) with LMTP id WfMLDSLBqlfIaQAAzD9rAQ for <spamtrap>; Wed, 10 Aug 2016 07:52:34 +0200 Received: from za-smtp-delivery-158.mimecast.co.za ([41.74.201.158]:20262) by web.hostacc.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256) (Exim 4.87) (envelope-from <bounces@thompsons.co.za>) id 1bXMRN-00072M-Ly for spamtrap; Wed, 10 Aug 2016 07:52:34 +0200 Received: from ENGAGE01.cullinanholdings.co.za (105.255.128.165 [105.255.128.165]) by za-smtp-1.mimecast.co.za with ESMTP id za-mta-3-amlQSfYROryRH3Zamhv7uw-1; Wed, 10 Aug 2016 07:51:50 +0200 Received: from engage.cullinanholdings.co.za ([172.17.49.40]) by ENGAGE01.cullinanholdings.co.za with Microsoft SMTPSVC(7.5.7601.17514); Wed, 10 Aug 2016 07:51:50 +0200 Message-ID: <87f5d9e3c1226a1227d83bf22427355e@engage.cullinanholdings.co.za> Date: Wed, 10 Aug 2016 07:51:50 +0200 Subject: Launching Spain at Irresistible prices From: Thompsons For Travel <travel@thompsons.co.za> Reply-To: Thompsons For Travel <travel@thompsons.co.za> To: SpamTrap MIME-Version: 1.0 X-Campaign: 11507 X-Subscriber: 204641 X-OriginalArrivalTime: 10 Aug 2016 05:51:50.0330 (UTC) FILETIME=[49F179A0:01D1F2CB] X-MC-Unique: amlQSfYROryRH3Zamhv7uw-1 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Launching Spain at Irresistible prices View this mailer online | Add Thompsons to your safe senders list You are receiving this mail as you have subscribed to Thompsons Travel newsletters. We NEVER send out any unsolicited e-mail. Should you wish to leave our mailing list unsubscribe here Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and automatically archived by Mimecast SA (Pty) Ltd, an innovator in Software as a Service (SaaS) for business. Mimecast Unified Email Management ? (UEM) offers email continuity, security, archiving and compliance with all current legislation. To find out more, contact Mimecast. ------------------------------ Message: 3 Date: Tue, 09 Aug 2016 23:34:20 -0700 From: "Ronald F. Guilmette" <rfg@tristatelogic.com> To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] VERIFIED[.]IS Message-ID: <32737.1470810860@server1.tristatelogic.com> I have a lot of very visible character flaws, but I like to think that at least I'm not reticent when it comes to admitting my own abundant ignorance, or about asking for help to correct that, when appropriate. I've been asked if, rather than just howling at the moon (which I admit is my usual modus operandi :-) I might not, on this occasion, also or instead like to draft some sort of concrete policy proposal. That is an eminently reasonable suggestion/request under the circumstances. I would like to try to do that, but obviously, I am wading into deep waters here... deep in the sense of there being quite a lot of personal feelings and personal principals... sometimes in agreement... sometimes in conflict... that might relate rather directly to the issues at hand. Agreement on any proposal in this area would likely be elusive, even if the drafter had a deep understanding of RIPE, as an organization, which I admit that I don't. Not yet anyway. What's I'm trying to get at is just this: I think that it would be a waste of everybody's time... not just mine but everybody's... if I was to draft a policy suggestion that is somehow at odds with one or more of the fundamental and/or long-held principals of RIPE, the organization. (As an illustration, here in America it would be kind-of entirely silly for any legislator to propose a bill to lock up anybody who says the word "Nee!" because that would quite obviously be in direct conflict with our founding document, The U.S. Constitution, and more specifically, in conflict with the First Amendment thereto.) So here is where I must publically admit my abundant ignorance. Today I tried for awhile to seek out the overall "Charter of RIPE"... its "constitution" if you will. I felt that before I draft anything, it would be wise of me to go back to first principals, basic common beliefs, and already-agreed-to fundamentals. I should read, study, and think about these before I draft anything. What are the high level goals and highest aspirations of the organization? I should familiarize myself with these things -- *before* attempting to draft anything. But for the life of me, google as I might, I was unable to find any document online that purported to be the overall Charter of RIPE. If someone could point me to that, I would much appreciate it. (I have found many documents that describe in great detail various individual policies and procedures, but nothing that, at the highest level, enumerates the intent and purpose of the organization. I cannot bring myself to believe that no such fundamental document exists, so I just have to hope now that some kind soul will point me at it. That would be most helpful.) Regards, rfg ------------------------------ Message: 4 Date: Wed, 10 Aug 2016 09:19:21 +0200 From: Antonio Prado <thinkofit@gmail.com> To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors Message-ID: <60622fea-65d2-3f7a-7d03-25259c602437@gmail.com> Content-Type: text/plain; charset=utf-8 On 8/10/16 8:28 AM, andre@ox.co.za wrote:

So why is this? - It is all about trust.

well, trust has to be earned. just two recent examples: Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist please email del@ascams.com; from=<notification+zj4ooysyaz0y@facebookmail.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<mx-out.facebook.com> Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist please email del@ascams.com; from=<alegitaddress@email.wetransfer.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<o4.email.wetransfer.com> therefore I'm forced to delete superblock.ascams.com -- antonio ------------------------------ Message: 5 Date: Wed, 10 Aug 2016 10:08:24 +0200 From: andre@ox.co.za To: Antonio Prado <thinkofit@gmail.com> Cc: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors Message-ID: <mailman.1098.1470816511.19326.anti-abuse-wg@ripe.net> Content-Type: text/plain; charset=US-ASCII On Wed, 10 Aug 2016 09:19:21 +0200 Antonio Prado <thinkofit@gmail.com> wrote:

On 8/10/16 8:28 AM, andre@ox.co.za wrote:

...

So why is this? - It is all about trust.

well, trust has to be earned.

agreed, trust is reputation. In the case of a blacklist, it is quite simple though - if it is transparent, like mine superblock.ascams.com each and every listing has been abusive and either is not responding to abuse complaints or is simply ongoing in the abuse...

just two recent examples:

thank you so much! lets deal with that - please see below each of your examples

Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist please email del@ascams.com; from=<notification+zj4ooysyaz0y@facebookmail.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<mx-out.facebook.com>

Yes! because 66.220.144.147 is BLOCKED for abuse 66.220.144.147 sends email spam, on an ongoing basis, to FAKE people and, even after receiving three or more abuse reports, is still sending the same SPAM to the same fake people. So, what I am saying: facebook.com sends spam to example@example.com Facebook then receives 3+ spam reports/complaints And then After that Facebook.com STILL sends spam to the same example@example.com So, Facebook.com (66.220.144.147) is blacklisted for spam abuse. Thank you, Antonio - for pointing this example out - This is why we cannot stop spam! - the SENDERS or transmitters of spam - are never punished - but we have to field complaints from our USERS when the senders MIX legit email with spam email. next example below the example

Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist please email del@ascams.com; from=<alegitaddress@email.wetransfer.com> to=<mylegitaddress@mylegitdomain.tld> proto=ESMTP helo=<o4.email.wetransfer.com>

192.254.123.89 - EXACLTY the same as Facebook.com - transmits spam to fake people/spam traps - and does not do anything about spam abuse complaints!

therefore I'm forced to delete superblock.ascams.com

indeed... - this is why the spam problem persists... yet, if you were to continue using superblock.ascams.com - you may actually force the senders of spam to CHANGE their abusive and crappy behavior But we, society, we do not have the BALLS to do that. Can we at least have the decency to be honest with ourselves? Why lie to ourselves? We do not want to solve the spam abuse problem. Andre

-- antonio

End of anti-abuse-wg Digest, Vol 58, Issue 10 *********************************************