Anti-Abuse Training: Questions for the WG
Colleagues,

As you may remember the WG Co-Chairs have been talking to the NCC about some possible Anti-Abuse training in March of this year. This proposal got very little reaction from the community, so we are going to try again to see if there is interest, or if people who are already on this mailing list believe that there would be interest from other LIRs that they know.

I have re-attached the proposal that Alireza sent to the mailing list in March.

Between now and RIPE 83 (when this matter will be on the WG session agenda) I would ask the following questions:

1) Would training, as described, be of interest to you?
2) Would training, as described, be of interest to other LIRs you know of/work with?
3) If not, would there be other areas of Anti-Abuse training that would be of interest?
4) Would you be willing to help write training materials for this course?

After the list discussion and discussion at RIPE 83 the Co-Chairs will work with the NCC Learning & Development Team to decide if there is enough interest to develop the course and, if there is, how to proceed from there.

We really do believe this is something that would be of interest to a large number of small LIRs in the region, but that's not something we can really determine without the help of the WG.

Thank you,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
Brian

I missed earlier emails about this.

I think it would be beneficial for a lot of LIRs to get some basic training.

Anything that improves the landscape should be encouraged and welcomed!

1. Would training, as described, be of interest to you?

Potentially for new staff if the materials were available, i.e. as a resource

2. Would training, as described, be of interest to other LIRs you know of/work with?

I don’t know of any specifically, but that’s down to my role.

3) If not, would there be other areas of Anti-Abuse training that would be of interest?

A lot of hosting providers aren’t LIRs, but are getting IP space from LIRs. Maybe providing materials that LIRs could share with their clients would help? There seems to be a lot of ignorance out there.

4) Would you be willing to help write training materials for this course?

I don’t have time to produce materials but I’d be happy to review same.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.: 370845
Hi, On Mon, Oct 18, 2021 at 04:40:06PM +0000, Michele Neylon - Blacknight via anti-abuse-wg wrote:
1. Would training, as described, be of interest to you? Potentially for new staff if the materials were available ie. As a resource
Indeed, that would be helpful. (And I'm not volunteering to write something - sorry, already too many competing voluntary projects) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi All

Michele, I think this is a great idea.

It would probably make sense to liaise with https://www.m3aawg.org/ and FIRST (the latter would be me ;-) and I can broker an intro to the M3AAWG peoples.

Note also, that FIRST has a "DNS Abuse SIG", that focuses on domain related abuse, but in a wide sense. I'm sure that work could be extended to cover IP abuse.

And before we start our usual skirmishes: The first step the group did was to come up with a taxonomy, so that we all speak of the same. A second step will then be suggestions on how to mitigate this.

If we feel something like this would be of value for "IP abuse" I'm happy to help set up a FIRST SIG, so we cover the world, and not just RIPE.

But irrespective of this, I think some training courses would be awesome. I'd be super happy to help.

Best
Serge
-- Dr. Serge Droz Director, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org
Hi all, On Mon 18/Oct/2021 18:40:06 +0200 Michele Neylon - Blacknight via anti-abuse-wg wrote:
3) If not, would there be other areas of Anti-Abuse training that would be of interest?
A lot of hosting providers aren’t LIRs, but are getting IP space from LIRs. Maybe providing materials that LIRs could share with their clients would help? There seems to be a lot of ignorance out there.
There are also people who are not hosting providers, but host their own server(s) using a handful of IP addresses. I know mailbox self-providers are an endangered species, but they may still happen to have an IP delegation w/o abuse-c. And complainants may prefer to send reports to the top level delegate. However, top level delegate may happen to have non-responding abuse teams. At best, ISPs forward complaints to their clients. Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior. Best Ale --
Hello all
Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior.
I don't think the standard should be for automatically forwarding messages. You would need a standard for *exchanging* the information. Fields you would need should include IP address being reported, port (optionally), timestamp, whether this may be shared with the customer (default yes), RSIT taxonomy of the incident being reported, etc.

And then, among the actions that can be taken, automatically forwarding could be one of them (and probably the less expensive for the abuse-c owner), but they could choose to process them differently. But the first step is to match the report with the machine/customer.

Many abuse teams already do that automatically, although I don't know the amount of guessing needed by the tools on their normal flows.

The first idea that comes to mind when talking about communicating this would be to create a solution based on X-ARF, but it's not without its shortcomings, either, so maybe a different way is felt to be preferable.

This is an interesting discussion, although I feel it's a bigger design issue, significantly more ambitious than the proposal of providing some abuse training which opened this thread.
Best regards

--
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
On Fri 22/Oct/2021 23:26:23 +0200 Ángel González Berdasco wrote:
Hello all
Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior.
I don't think the standard should be for automatically forwarding messages. You would need a standard for *exchanging* the information. Fields you would need should include IP address being reported, port (optionally), timestamp, whether this may be shared with the customer (default yes), RSIT taxonomy of the incident being reported, etc.
Yeah, I didn't mean a capital 'S' Standard. Rather some common practice.
And then, among the actions that can be taken, automatically forwarding could be one of them (and probably the less expensive for the abuse-c owner), but they could choose to process them differently. But the first step is to match the report with the machine/customer.
If I were LIR.example, I'd set my abuse-c entries to something like:

abuse-customer1@LIR.example
abuse-customer2@LIR.example
...

That way messages can be forwarded without parsing them; but there's still a chance to look at them, if the budget allows it.
Many abuse teams already do that automatically, although I don't know the amount of guessing needed by the tools on their normal flows.
The first idea that comes to mind when talking about communicating this would be to create a solution based on X-ARF, but it's not without its shortcomings, either, so maybe a different way is felt to be preferable.
plain text, X-ARF, ARF, IODEF, https://xkcd.com/927/ Another way is to send an autoresponse which asks to fill the provider's web form, whereby the number of different formats grows unconstrained. However, it'd be possible for a forwarding LIR.example to ask its clients to fill a web form, in order to summarize the complaint and its followup. Most providers only have one or two ISPs, so the number of formats would stay low. And that could ease LIR's monitoring.
This is an interesting discussion, although I feel it's a bigger design issue, significantly more ambitious than the proposal of providing some abuse training which opened this thread.
Since the training is addressed to LIRs, a schema like the above could at least be aired. Best Ale
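The routing discussed in the two messages above, as an added example that is not part of the thread: it matches a report carrying the fields Ángel lists to the most specific customer delegation and forwards it to a per-customer alias of the kind Alessandro suggests. The prefixes, the fallback mailbox, the policy of always keeping a copy at the LIR and the sample taxonomy string are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed delegation table (RFC 5737 documentation prefixes).
# Aliases follow the abuse-customerN@LIR.example pattern from the thread.
DELEGATIONS = {
    "192.0.2.0/24": "abuse-customer1@LIR.example",
    "192.0.2.128/26": "abuse-customer2@LIR.example",   # more specific sub-delegation
    "198.51.100.0/25": "abuse-customer3@LIR.example",
}
LIR_ABUSE_TEAM = "abuse@LIR.example"  # hypothetical mailbox of the LIR's own team


@dataclass
class AbuseReport:
    ip: str                            # IP address being reported
    timestamp: datetime                # when the incident was observed
    taxonomy: str                      # RSIT classification (sample value below)
    port: Optional[int] = None         # optional
    share_with_customer: bool = True   # "default yes", as proposed in the thread


def match_customer(ip: str) -> Optional[str]:
    """Longest-prefix match of the reported IP against the delegation table."""
    addr = ipaddress.ip_address(ip)    # raises ValueError on garbage input
    best = None
    for prefix, alias in DELEGATIONS.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, alias)
    return best[1] if best else None


def route(report: AbuseReport) -> list[str]:
    """Return the mailboxes that should receive this report."""
    recipients = [LIR_ABUSE_TEAM]      # assumption: the LIR always keeps a copy
    try:
        alias = match_customer(report.ip)
    except ValueError:
        return recipients              # unparseable IP: needs a human at the LIR
    # Forward only if a delegation matched and the reporter allows sharing.
    if alias and report.share_with_customer:
        recipients.append(alias)
    return recipients


if __name__ == "__main__":
    ts = datetime(2021, 10, 22, 21, 26, tzinfo=timezone.utc)  # constructed sample
    for r in (
        AbuseReport("192.0.2.130", ts, "abusive-content/spam", port=25),
        AbuseReport("192.0.2.130", ts, "abusive-content/spam",
                    share_with_customer=False),
        AbuseReport("203.0.113.9", ts, "abusive-content/spam"),
    ):
        print(r.ip, r.share_with_customer, "->", route(r))
```

A report whose reporter cleared the share flag stays with the LIR's own team, which is the case the list-washing objection later in the thread is about.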
In message <26f1df33-b958-bed4-f748-f82324d0bea8@tana.it>, Alessandro Vesely <vesely@tana.it> wrote:
Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior.
Although delegation of abuse report handling may sound like a good idea in theory, in practice it is a tragically bad idea.

What happens when the customer is a spammer and abuse handling is delegated to that customer? Google for the term "list washing".

This isn't merely a theoretical possibility. Digital Ocean has previously sent me multiple response emails saying quite explicitly that they had forwarded my spam reports to their spammer customer(s). Those customers will then surely cease to spam *me* but will continue to spam everyone else on the planet.

This does not create any meaningful reduction in the global spam load. It simply rewards those "responsible" spammers who remove from their target lists the email addresses of the few "complainers" who nowadays take the time to report spam.

Regards,
rfg
On Sat 23/Oct/2021 01:38:56 +0200 Ronald F. Guilmette wrote:
In message <26f1df33-b958-bed4-f748-f82324d0bea8@tana.it>, Alessandro Vesely <vesely@tana.it> wrote:
Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior.
Although delegation of abuse report handling may sound like a good idea in theory, in practice it is a tragically bad idea.
What happens when the customer is a spammer and abuse handling is delegated to that customer? Google for the term "list washing".
This isn't merely a theoretical possibility. Digital Ocean has previously sent me multiple response emails saying quite explicitly that they had forwarded my spam reports to their spammer customer(s). Those customers will then surely cease to spam *me* but will continue to spam everyone else on the planet.
That'd be an incentive to send spam reports, wouldn't it?
This does not create any meaningful reduction in the global spam load. It simply rewards those "responsible" spammers who remove from their target lists the email addresses of the few "complainers" who nowadays take the time to report spam.
On the other hand, there are honest mailbox providers who have not realized that their system has been hacked, or that their clients' credentials have been stolen. And if you send a complaint to my abuse-c address, I won't get it. For an easy guess, LIRs who offer services at regular prices —not thousand domain discounts— have more of the latter cases. Still, their budget might not be enough for an abuse team capable of looking at each complaint. Best Ale
Hi, On 15-10-2021 11:14, Brian Nisbet wrote:
1) Would training, as described, be of interest to you?
Yes, we (AS12859) would be interested. I hope it will help new colleagues in getting a good understanding of the issues.
2) Would training, as described, be of interest to other LIRs you know of/work with?
I expect so, yes. Before covid I spoke regularly with LIR's who expressed some tips and tricks on the subject would be helpful.
3) If not, would there be other areas of Anti-Abuse training that would be of interest?
I think most people would benefit from practical tips and sharing of experiences from other LIR's/providers.
4) Would you be willing to help write training materials for this course?
Yes, I am co-author of an anti-abuse code of conduct and roadmap for Dutch providers and registrars. These are both creative commons licensed. Last year I helped developing an anti-abuse course by the .NL registry for .NL registrars, I have asked whether this content can be shared. Kind regards, -- Wido Potters