Re: [anti-abuse-wg] Fwd: Re: botnet controllers
Hello @Moderators

Can you please suspend this participant? I take offense at this.

We may disagree on issues and opinions. However I feel there is no space for name calling.

Best regards
Serge

On 09.07.20 15:16, Elad Cohen wrote:
Michele how more bigger asshole you can be to be the puppet of spamhaus so you will be able monetize your connections with them to more $$$
You are a loser and you are a disgraceful businessman and you are a disgrace to the whole internet community

------------------------------------------------------------------------
*From:* anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Michele Neylon - Blacknight <michele@blacknight.com>
*Sent:* Thursday, July 9, 2020 4:02 PM
*To:* Serge Droz <serge.droz@first.org>; anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
*Subject:* Re: [anti-abuse-wg] Fwd: Re: botnet controllers

+1 on all points
That someone who won't even disclose who they are has the gall to demand that Spamhaus or anyone else should is hilarious and disturbing.
-- Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com https://blacknight.blog /
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845
On 09/07/2020, 07:30, "anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net on behalf of anti-abuse-wg@ripe.net> wrote:
Hi Info
Maybe one of the reasons some Non-logging VPNs end up on blacklists is that the Non-Logging phrase is just an excuse to not go after misuse. The rights to privacy and free speech do not mean anything goes.
You can fight abuse without violating privacy. But of course that's not for free, you need abuse people that investigate and they cost money. Sadly, many of these VPNs frankly just don't care, using the lame excuse that they are protecting fundamental rights, when in fact they just don't care or take responsibility.
I don't agree with everything Spamhaus does, but I find them responsible and always found a way to talk to them.
I was reluctant writing this, because I'm not sure this discussion will lead anywhere. It's one of these where opinions seem to already have been formed.
But you start accusing people of posting anonymously. I totally agree this is bad, but then, who are you, info@fos-vpn.org?
You don't seem to offer a name yourself. I find this a bit hypocritical.
Best Serge
On 08.07.20 20:46, info@fos-vpn.org wrote:
> All I would like from Spamhaus is to stop publishing fake SBL records in
> order to discredit us and to use that to put pressure both upon us and
> our upstreams.
> Non-logging VPN services are as legal within the EU as Exit Nodes of the
> Tor Network (which have massive abuse entries in various data bases,
> especially the larger ones) and public WiFi Hotspots, which can be used
> for abusive activities, too.
>
> I don't know who "PP" is (probably the same person which posts under the
> nickname "Petras Simeon" on Twitter and on various boards), but he
> contacted us and our upstream providers without telling his name, just
> using this email address: phishphucker@storey.ovh and sending us the
> list of SBL entries which he also posted here.
> Don't know if he's working for Spamhaus or not, but before attacking
> others publicly, people should reveal their true identity, anything else
> would be sneaky in my opinion.
>
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Serge, all,

Elad Cohen is still under moderation on this WG and every mail is being reviewed on a case-by-case basis. Right now, his emails only reach the list if someone replies to them, copying the list, so I will repeat our request that people not do that, please.

If you wish to report any communication to the list, please contact the Co-Chairs at aa-wg-chair@ripe.net

The Co-Chairs have noted this email. We agree it contravenes the Community guidelines and Code of Conduct and will be taking further action.

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net>
Sent: Thursday 9 July 2020 14:32
To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] Fwd: Re: botnet controllers

> Hello @Moderators
>
> Can you please suspend this participant? I take offense at this.
>
> We may disagree on issues and opinions. However I feel there is no space for name calling.
>
> Best regards
> Serge
Please don't argue with each other. I always seek for diplomatic solutions.

I never said that everything what Spamhaus did in the past was wrong. They might have done a good job in fighting SPAM, but what we experienced in recent years was that Spamhaus attacked various hosting and upstream providers by blacklisting their clean prefixes even when we used our own ASN and our own prefixes there. Just after one of our upstream providers took legal actions against Spamhaus in the UK because of that, they moved to Andorra to avoid a trial.

Those "Escalation Listings" cause big problems and there is no independent board of arbitration which could bring a solution in such cases.

Spamhaus should cease to attack upstream and hosting providers if a VPN service provider like ours brings its own prefixes to be used under its own ASN. Blacklisting clean IPs of the companies which offer nothing more than just IP Transit does not primarily fulfill an informational purpose for other Spamhaus users, it's simply a form of illegal coercion to force those companies to get rid of us.
On Thu, 9 Jul 2020, 18:36, <info@fos-vpn.org> wrote:

> Those "Escalation Listings" cause big problems and there is no independent board of arbitration which could bring a solution in such cases.

You already admitted you're providing services to users that don't obey your ToS, and who are involved in abuse of internet resources. Additionally you refuse to act on the abuse.

Those escalation listings target your service providers, as you're involved in providing service to facilitate internet abuse. They are in turn enabling you to provide the said service, i.e. they profit from the internet abuse. IMHO this is perfectly valid reason for expanding the listing.

The target is to motivate you to stop the abuse. If you're willing to do it, and would actually do it, the problem goes away. Have you even considered ways of doing just that?

You're expecting the others to pay for the problems your clients are causing. Not very nice.

> Blacklisting clean IPs of the companies which offer nothing more than just IP Transit does not primarily fulfill an informational purpose for other Spamhaus users, it's simply a form of illegal coercion to force those companies to get rid of us

The other companies enable you to provide services that are being abused. Nobody wants you to stop providing the VPN service. They want you to stop the abuse coming from your systems.

The rest of the internet is not obligated to accept your traffic. They are also not obligated to accept the traffic from your upstreams (unless there are contracts mandating it).

So, I think you should stop whining about the listings, and fix the problem that caused them in the first place.

esa
Sorry, but only legal entities have the right to impose penalties, not privately owned companies. Spamhaus behaves as if they would be executive, legislative and judiciary at once. They immunize themselves against legal actions by moving their headquarters outside the EU.

Furthermore, they violate EU laws by publishing the names and even photos of spammers in their ROKSO list without their consent. They never show any proof how they gather their information. Their SBL listings don't prove anything. We even received SBL listings at a time when a certain prefix was unannounced and we have strong evidence that a lot of their listings are incorrect.

Yes, VPN services can be used for unlawful activities such as Tor Exit Nodes or public WiFi Hotspots; that lies in the nature of things. However we believe that most of our customers behave in a responsible fashion and respect the laws as well as we do. Over the years they have built their trust in us, because when we say we don't take any user logs we don't do it.
I've trouble to understand why you see "sharing info or files with information of abuse records", is a legal penalty.

The only "penalty" (filtering) is imposed by other folks using those files and taking their own decision.

If they are doing anything wrong against the law, Andorra is not a safe place. They used to have no transparency as a fiscal paradise, but is no longer the case since several years ago (around 6 maybe). We know it in Spain, because we caught several corrupt politicians hiding the money there.

You may be right only on the part of publishing names and pics of people, unless that information is already public ...

And last, but not least, law may be on your side (and if that's the case it needs to change), but I don't see why logs are requested to other providers and not to VPN providers. This is a clear discrimination.

I'm probably missing lot of information here to judge properly.

Regards,
Jordi
@jordipalet
On 9 Jul 2020, at 20:15, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

> If they are doing anything wrong against the law, Andorra is not a safe place.

Indeed Andorra is a very small place and there's not only no possibility of dodging laws there, but since I've lived in Andorra for the last 15 years I'd certainly not want legal issues there.

(btw, I generally never respond to claims of imaginary lawsuits filed against us in miscellaneous countries but it's safe to say whatever 'UK lawsuit' the anonymous non-logging-vpn actor claims we are somehow avoiding is imaginary at best.)

Regards,

Steve Linford
Chief Executive
The Spamhaus Project
https://www.spamhaus.org
Hi,

On Thu, Jul 09, 2020 at 07:52:44PM +0200, info@fos-vpn.org wrote:

> Yes, VPN services can be used for unlawful activities such as Tor Exit Nodes or public WiFi Hotspots; that lies in the nature of things. However we believe that most of our customers behave in a responsible fashion and respect the laws as well as we do. Over the years they have built their trust in us, because when we say we don't take any user logs we don't do it.

In that case you'll have to live with "parts of the Internet are not willing to accept your packets".

Could you please let me know your IP ranges so I can block them at our borders? We are not interested in communicating with networks that knowingly permit abuse coming from their customers.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
On 09.07.20 19:52, info@fos-vpn.org wrote:

> Yes, VPN services can be used for unlawful activities such as Tor Exit Nodes or public WiFi Hotspots; that lies in the nature of things. However we believe that most of our customers behave in a responsible fashion and respect the laws as well as we do.

This is the equivalent of saying, you shouldn't do anything against drunk driving, after all most people don't do it.

This flawed argument works for almost all abuse. It is an excuse you use to not take responsibility. You are already now paying a price for it, people will block you.

So in the end it's up to you. Set up an abuse process and act. I would argue that within very little time your networks become cleaner and Spamhaus will unlist you.

Best
Serge

-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Getting back to your street example. We -just like the police- are unable to watch the streets 24/7/365 for a potential bank robber traversing the street. Assuming that we lease the street and let others use it openly, we can only do our best to keep miscreants off it. It is however not a reason for anyone to declare the actual owner of the specific street, which owns hundreds of streets, as criminal! This would equal declaring every state criminal for supporting criminals in moving between places by providing streets. It is indeed unreasonable not to act at all, this is however nothing we ever stated. It is equally unreasonable never to remove SBL Listings which are not valid, can not be reproduced and merely serve the purpose of discrediting us and putting pressure on our upstream providers.
> Getting back to your street example. We -just like the police- are unable to watch the streets 24/7/365 for a potential bank robber traversing the street
or more like the police here in the states seem unable to police themselves internally for fascist racist murderers.
Do you have a clear anti-abuse policy?
Do you have clear terms of service?
Are you enforcing both of them?

-- Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845
Yes we have:

Prohibited Activities

We prohibit the use of any of our services in any of the following ways:

* Spamming (e-mail, Usenet, message boards, etc.)
* Copyright, trademark, and patent infringement.
* Defamatory or abusive language
* IP Spoofing
* Illegal or unauthorized access to other computers or networks
* Distribution of Internet viruses, worms or other destructive activities
* Export control violations
* All other illegal activities
To answer your last question: If we receive a valid abuse report i.e. from a CERT we temporarily close the regarding Port on the particular IP. If the customer then starts to complain we send him a copy of the report and point out that another violation of our ToS will result in a termination of the account without a prior warning and without the option of a refund.
In message <20b290b5003cafb91745b7db6d31cd57@fos-vpn.org>, info@fos-vpn.org writes

> To answer your last question: If we receive a valid abuse report i.e. from a CERT we temporarily close the regarding Port on the particular IP.

For clarity (and I appreciate that English is probably not your first language...) do you mean "i.e." (the only abuse reports you consider to be valid are from CERTs) or did you actually mean "e.g." (an example of the sort of entity that sends valid abuse reports).

Also .. by "close the regarding Port" do I take it that you mean that you block outgoing traffic (of a particular type) to a particular IP or do you mean you block all outgoing traffic (for example, all tcp/25) ?

> If the customer then starts to complain we send him a copy of the report and point out that another violation of our ToS will result in a termination of the account without a prior warning and without the option of a refund.

Since, as I understand it, you keep no record of what customers do, you are effectively describing a system for preventing complaints from customers (viz: a customer who reports to you on two occasions that their activity has been the subject of a valid abuse complaint will be terminated).

I can understand the attractions to you of that business model.

-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <20b290b5003cafb91745b7db6d31cd57@fos-vpn.org>, info@fos-vpn.org writes

[various message about abuse issues around VPNs without logging]

In message <oTPJCACb0FCfFAyl@highwayman.com>, Richard Clayton <richard@highwayman.com> writes

> I can understand the attractions to you of that business model.

List readers may be interested in what I found when I decided to have a look at the "fos-vpn" website (I find that it is invariably interesting to see what people actually publish in T&Cs etc)

http://www.fos-vpn.org redirects to torservers.net (where there is lots to read, so anyone interested can have a look).

However https://www.fos-vpn.org does not redirect to the same website! (easy mistake to make) instead it serves up the website codevest.sh (which appears also to be known as codevest.to).

There's not a whole lot on the codevest website to explain what it is about, however some Googling will reveal that it is a licensing system widely advertised on HackForums (a well-known gathering place for all sorts of hackers, both good and bad ... you may have heard of it as the place where the Mirai source code was first published).

I leave it to the reader to explore HackForums, but to save you a bit of time the PaloAltoNetworks Unit42 people had this to say about codevest in October 2019, in their review (if that's the right word) of "Blackremote" an expensive RAT (remote access trojan) being sold by a Swedish actor:

  Blackremote utilizes the third-party "CodeVEST" licensing system, also peddled on underground forums. The licensing system validates by connecting to codevest[.]sh. "CodeVEST" seems to take the place of "Netseal" as a registration service used by commodity malware. The author of "Netseal", Taylor Huddleston, was charged in 2017 for that operation together with the sale of his own commodity malware, "Nanocore RAT." The same person who offers the "Codevest" licensing service, also profits from a crypting service "Cyber Seal". This highlights the role in the commodity malware ecosystem of not only the malware sellers, but also service providers such as the licensing services they use, and the crypting services they purchase to avoid detection of the malware that they build.

I found that fascinating, but cannot vouch for its accuracy except to say that I have a high regard for Unit42.

-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
So you're ignoring abuse reports from other network operators?
Or do you mean that you view reports from a CERT as being the only type of report you'll take seriously?

-- Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845
This statement is simply not correct to put it mildly!

When we contacted you regarding C2 of Netwire malware you replied and I quote: "To make long things short: Because we have no logs, there isn't much we can do in order to solve this case."

Tonu
CERT-EE

On 10.07.2020 13:07, info@fos-vpn.org wrote:

> To answer your last question: If we receive a valid abuse report i.e. from a CERT we temporarily close the regarding Port on the particular IP. If the customer then starts to complain we send him a copy of the report and point out that another violation of our ToS will result in a termination of the account without a prior warning and without the option of a refund.
We have removed that customer as you have seen, therefore we actually solved this case.

Regarding the CodeVest thing: The fact that both sites are hosted on the same server does not mean that there is a direct link between these projects.
participants (11)
- Brian Nisbet
- Esa Laitinen
- Gert Doering
- info@fos-vpn.org
- JORDI PALET MARTINEZ
- Michele Neylon - Blacknight
- Randy Bush
- Richard Clayton
- Serge Droz
- Steve Linford
- Tõnu Tammer