Re: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an
Hello Leo,
The benefit is clear:
- it will give RIPE NCC the chance to separate good from "spam-friendly" members, prepare impressive statistics for further discussions (e.g. with Governments) and much more
- it will simplify the process of reporting spam and reacting to spam reports for everybody, querying whois is still too complicated and unknown to the normal end user and hard to automate for blacklists or other services, because there are about 20 different whois output formats worldwide (inserting an abuse-address into an IRT object will even make it more complicated)
- having an easy and unique address to report to, is another step in standardizing the report format, which would make it much more easy for members that are willing to deal with abuse reports
You didn't answer the question, though. Why would your proposal make ISPs want to deal with abuse reports when they are not doing so already?
I did answer this a couple of times now, but ok, again. The first version will not work against members, that are not willing to do something against abuse that is coming from their networks. Working against them will need some kind of "punishment", and sure there is more to talk about first with this. But at least there will be some kind of identification, which one needs to be educated or even "punished" with this kind of system. The consequences are still for further discussion.
As to the claim that whois is too complicated to normal end users, I would contend that normal end users should not have to try and work out where abuse actually originates from. That is something that service providers should be doing. As someone who receives abuse reports for most of the special use IPv4 addresses reserved in various RFCs I can assure you that end users have a very hard time reading mail headers or understanding the warning messages provided by their firewall software.
whois is even too complicated for normal people even for ISPs or blacklist owners like we are. Or even for super-professionals.
- abuse-records are mostly hidden in remark-field because the abuse-field isn't used very often, because it's non-mandatory (yet).
- whois is showing IP ranges and ranges are often quite small, which means that you have to look up each range, better each IP separately
- whois has only a connection to the owner of the range and not to the member, unless you do even more queries
- queries to personal objects are limited, which makes automated systems impossible, if they are not starting to cache queries or read old database dumps or have the special right to receive as many infos as they need
- caching query results are causing delays, which means that the abuse contacts can't be correct all the time, because they could have changed already
- if the IRT object is introduced including abuse records, you will have to look up the normal whois AND the IRT object, and what result will you prefer, if both are available ?
and if you see it world-wide:
- the formatting of the world wide whois systems is not equal and sometimes even hard to parse, even if they nearly have the same fields
- IPv4 ranges are widely spread between all RIRs, you will need to look up ARIN's whois first, to find out, where the range actually belongs to, and then ask that RIR
- don't forget the early registration blocks spread all over the world
- ARIN's whois requires up to three queries to finally get the abuse contact hidden in several possible objects, multi-range listings with more than one correct answer. What field will you really look for in ARIN's whois ? OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
- APNIC's whois is now spread along several other referral whois in different countries and there is not clear and often changing relocation or change in the size of the assigned blocks for those sub-RIRs
- LACNIC also spreads, Brazil has its own whois
- LACNIC always includes the main RIR's abuse contacts, relevant ? yes, no, both ?
- the object's changed-date is not visible on all whois worldwide
- tools that should make this more easy (like jwhois for domainname) are always developed with big delays and are never accurate
And many more problems, that's not what I understand as standardized ....
And if there is an RFC nearly for everything, it's pretty weird, that whois is not equal all over the world.
(well, but the same with domain whois, at least the output format could be the same, even if every country will hide fields or not like it's needed by local law or commitment)
A system like the one proposed would add an extra layer between the complainant and the relevant network and could well become a target for abuse itself. I am not sure how it would make network managers want to deal with abuse complaints that they are currently ignoring, though. Can you expand on that?
That's right, the possible amount of reports arriving could be a real problem and could use more resources than expected. The problem is, that the amount is not really predictable until maybe even a testbed is implemented.
Members that are ignoring spam reports could be at least identified, whatever "punishment" (starting from public blame reaching up to real sanctions) will appear after identification, is for further discussions.
It could start with a blacklist filled from RIPE's data, let's call it the "spam report ignoring RIPE member blacklist", or SRIRMB ;o)
So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
Yes, because the development and maintenance cost are spread on all members, instead on only those, that are willing to do something, this would be one way to "punish" the others :o)
And the system only has to be developed once.
And it will get even cheaper for everybody, if you add more functionality in the next steps ...
And no member that already receives and reads and works on abuse reports has to fear this system, that's how it should be constructed.
It should help members with working abuse departments to simplify their work. It should also be a starting point to get report formats standardized, to simplify the lookup of abuse contacts (or even make lookups unnecessary). It should be a start to talk about consequences if a member ignores abuse reports.
Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank@powerweb.de
Regards,
Leo
Hello,
On 09/04/2010 21:43, Frank Gadegast wrote:
to do something against abuse that is coming from their networks.
What is abuse, and why do you think you are a better judge than the government?
Working against them will need some kind of "punishment", and sure there is more to talk about first with this. But at least there will be some kind of identification, which one needs to be educated or even "punished" with this kind of system. The consequences are still for further discussion.
But this already exists (the law). Anyone else dealing with punishment, like some blacklists do, is by me considered having a very poor credibility. If you want things to be done better against abusive activity on the internet, why don't you become a politician? RIPE is a registry. That's it. If you think it is difficult to find contact information in the registry, perhaps RIPE should make improvements to http://www.db.ripe.net/whois ? Cheers,
Legal systems are ineffective in dealing with this type of issue for well understood structural reasons. See <http://www.camblab.com/misc/univ_std.txt> based on <http://www.camblab.com/nugget/spam_03.pdf>
On Sat, 10 Apr 2010 14:17:40 +0200, Jørgen Hovland wrote:
>Hello,
On 09/04/2010 21:43, Frank Gadegast wrote:
to do something against abuse that is coming from their networks.
What is abuse, and why do you think you are a better judge than the government?
> Working against them will need some kind of "punishment", and sure there is more to talk about first with this. But at least there will be some kind of identification, which one needs to be educated or even "punished" with this kind of system. The consequences are still for further discussion.
But this already exists (the law).
On 9 Apr 2010, at 20:43, Frank Gadegast, Dipl-Inform. Frank Gadegast wrote:
- whois is showing IP ranges and ranges are often quite small, which means that you have to look up each range, better each IP separately
Huh?
- whois has only a connection to the owner of the range and not to the member, unless you do even more queries
What are you talking about? If you do a lookup on an IP you can clearly see which AS number they belong to. You might need to do a second lookup on the AS number to get a bit more verbose information, but it's clearly there
- queries to personal objects are limited, which makes automated systems impossible, if they are not starting to cache queries or read old database dumps or have the special right to receive as many infos as they need
Why do you need to query personal objects?
- caching query results are causing delays, which means that the abuse contacts can't be correct all the time, because they could have changed already
Abuse contacts are unlikely to change that often. Sure, they may change, but they're not going to be changing on a regular basis.
- if the IRT object is introduced including abuse records, you will have to look up the normal whois AND the IRT object, and what result will you prefer, if both are available ?
and if you see it world-wide:
- the formatting of the world wide whois systems is not equal and sometimes even hard to parse, even if they nearly have the same fields
- IPv4 ranges are widely spread between all RIRs, you will need to look up ARIN's whois first, to find out, where the range actually belongs to, and then ask that RIR
No you don't. You just do a whois lookup using a proper whois client and it will automatically handle the RIR side of things for you. If you're having issues with this then your whois client is out of date.
- don't forget the early registration blocks spread all over the world
- ARIN's whois requires up to three queries to finally get the abuse contact hidden in several possible objects, multi-range listings with more than one correct answer. What field will you really look for in ARIN's whois ?
You're talking about a proposal for RIPE. Broadening it to other regions and any possible issues they may have isn't going to help RIPE much ..
OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
- APNIC's whois is now spread along several other referral whois in different countries and there is not clear and often changing relocation or change in the size of the assigned blocks for those sub-RIRs
- LACNIC also spreads, Brazil has its own whois
- LACNIC always includes the main RIR's abuse contacts, relevant ? yes, no, both ?
- the object's changed-date is not visible on all whois worldwide
- tools that should make this more easy (like jwhois for domainname) are always developed with big delays and are never accurate
And many more problems, that's not what I understand as standardized ....
And if there is an RFC nearly for everything, it's pretty weird, that whois is not equal all over the world.
(well, but the same with domain whois, at least the output format could be the same, even if every country will hide fields or not like it's needed by local law or commitment)
What has domain whois got to do with anything?
So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
Yes, because the development and maintenance cost are spread on all members, instead on only those, that are willing to do something, this would be one way to "punish" the others :o)
Which doesn't answer Leo's question at all.
And the system only has to be developed once.
And it will get even cheaper for everybody, if you add more functionality in the next steps ...
And no member that already receives and reads and works on abuse reports has to fear this system, that's how it should be constructed.
If we're already handling our own abuse reports and paying our normal RIPE fees why on earth would we want our RIPE fees to increase?
Sorry, but you've completely lost me on this one.
Regards
Michele
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Hi again,
On 9 Apr 2010, at 20:43, Frank Gadegast, Dipl-Inform. Frank Gadegast wrote:
- whois is showing IP ranges and ranges are often quite small, which means that you have to look up each range, better each IP separately
Huh?
Who cares about a range, when I want the responsible person for a fixed IP ?
- whois has only a connection to the owner of the range and not to the member, unless you do even more queries
What are you talking about?
If you do a lookup on an IP you can clearly see which AS number they belong to. You might need to do a second lookup on the AS number to get a bit more verbose information, but it's clearly there
That's it, you need a second query, that's weird these days. whois is that old and has nothing to do with up-to-date database design.
If I design a database, I design it to serve the questions I like to ask the database about, e.g. I like to ask RIPE's database the following things:
- give me the abuse address of the responsible RIPE member for this IP
- give me the abuse address of the responsible IP user/owner
- give me the abuse address of the upstream provider for this IP
- give me the telephone number of the RIPE member for this IP
- aso ...
You can't do that with whois without programming a lot of special cases, understand what type of objects to query and to parse the first result, do a second query, parse that result. whois has really nothing to do with current databases.
If I could run RIPE's databases I would love to do a simple:
SELECT abuseemail FROM owner where ip='1.2.3.4'
and send this to port whatever via telnet and get a clean answer in one line just containing what I asked for and nothing else.
Easier ? Yes. Is whois kind of blocking the development of several tools because of a non-up-to-date design ? Yes sure.
- queries to personal objects are limited, which makes automated systems impossible, if they are not starting to cache queries or read old database dumps or have the special right to receive as many infos as they need
Why do you need to query personal objects?
For the abuse email address or the owners email address or the tech-c email address. A lot of netobjects do neither have a remark section including an abuse address, they do not have a valid abuse-email field, the only thing they have is a "link" to the admin-c or tech-c object, that you have to query then again ...
- caching query results are causing delays, which means that the abuse contacts can't be correct all the time, because they could have changed already
Abuse contacts are unlikely to change that often.
Wrong. They change really quick. Especially for those netrange objects that do only have personal objects and no abuse-email field or remark.
Sure, they may change, but they're not going to be changing on a regular basis.
admin-c and tech-c do change quite often, at least this is our experience with our own blacklist. We decided to look up any object as quick again as RIPE whois allows us with their limits, otherwise we will send report to the wrong person, and that still happens too often.
and if you see it world-wide:
- the formatting of the world wide whois systems is not equal and sometimes even hard to parse, even if they nearly have the same fields
- IPv4 ranges are widely spread between all RIRs, you will need to look up ARIN's whois first, to find out, where the range actually belongs to, and then ask that RIR
No you don't. You just do a whois lookup using a proper whois client and it will automatically handle the RIR side of things for you.
Love to have a whois tool, that can somehow sniff the right RIR out of the air without having to do a query first, look it up in whatever file on a ftp server or some other remote thing. How do you think that a proper whois client is doing that decision ? Come on ... he has to look it up first, to which RIR it belongs.
If you're having issues with this then your whois client is out of date.
Sure, and it will be out of date every week, if it's not doing that "magic" lookup.
109.x.x.x was assigned to RIPE not that long ago.
APNIC got a few blocks lately.
KRNIC got a few blocks from APNIC
All not long ago ...
- don't forget the early registration blocks spread all over the world
- ARIN's whois requires up to three queries to finally get the abuse contact hidden in several possible objects, multi-range listings with more than one correct answer. What field will you really look for in ARIN's whois ?
You're talking about a proposal for RIPE. Broadening it to other regions and any possible issues they may have isn't going to help RIPE much ..
It's written in the draft, that other RIRs might pick up on the same idea. In the end I would love if all RIRs have the same tools, protocols one day.
OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
- APNIC's whois is now spread along several other referral whois in different countries and there is not clear and often changing relocation or change in the size of the assigned blocks for those sub-RIRs
- LACNIC also spreads, Brazil has its own whois
- LACNIC always includes the main RIR's abuse contacts, relevant ? yes, no, both ?
- the object's changed-date is not visible on all whois worldwide
- tools that should make this more easy (like jwhois for domainname) are always developed with big delays and are never accurate
No comment here ?
And many more problems, that's not what I understand as standardized ....
And if there is an RFC nearly for everything, it's pretty weird, that whois is not equal all over the world.
Hm, no answer on that too ? Why is whois output different all over the world ? It's like having a different internet everywhere.
(well, but the same with domain whois, at least the output format could be the same, even if every country will hide fields or not like it's needed by local law or commitment)
What has domain whois got to do with anything?
That was only a note. Domains are also hard to parse. At least the last new domain registries (like .org, .biz, .name) finally picked up, that whois should look the same, should be easy to parse and should at least try to have the same fields all over the world. But, look at ARIN's whois, this one is a disaster according to a parsing function. Sometimes you get even two answers when asking for ONE IP, then you have to parse the least significant object from the NET-name and query that object again. Really weird ...
So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
Yes, because the development and maintenance cost are spread on all members, instead on only those, that are willing to do something, this would be one way to "punish" the others :o)
Which doesn't answer Leo's question at all.
Different mail.
And the system only has to be developed once.
And it will get even cheaper for everybody, if you add more functionality in the next steps ...
And no member that already receives and reads and works on abuse reports has to fear this system, that's how it should be constructed.
If we're already handling our own abuse reports and paying our normal RIPE fees why on earth would we want our RIPE fees to increase?
Sorry, but you've completely lost me on this one.
Answer in the reply to Leo's mail ...
Kind regards, Frank
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
Public PGP Key available for frank@powerweb.de
Regards
Michele
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
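The field ambiguity argued over in this thread (an abuse address in a dedicated field, hidden in a remarks line, or only reachable through admin-c/tech-c with a second query), shown as an added example that is not part of any poster's mail: a parser that classifies one whois answer by where its abuse contact is found. The sample answers are constructed, and the function names and the preference order among fields are assumptions.

```python
import re

# Fields that carry an abuse address directly, in preference order:
# RIPE-style "abuse-mailbox", then ARIN-style names discussed in the thread.
DIRECT_FIELDS = ["abuse-mailbox", "OrgAbuseEmail", "RAbuseEmail",
                 "OrgNOCEmail", "OrgTechEmail"]
# Fields that only name another object, so they cost a second query.
REFERRAL_FIELDS = ["OrgAbuseHandle", "admin-c", "tech-c"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_fields(text):
    """Return lower-cased (key, value) pairs, skipping comment lines."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def find_abuse_contact(text):
    """Return (kind, field, value); kind: direct, remarks, referral, none."""
    pairs = parse_fields(text)
    for field in DIRECT_FIELDS:
        for key, value in pairs:
            if key == field.lower() and EMAIL_RE.fullmatch(value):
                return ("direct", field, value)
    # Free-text fallback: an address in a remarks line that mentions abuse.
    for key, value in pairs:
        if key == "remarks" and "abuse" in value.lower():
            match = EMAIL_RE.search(value)
            if match:
                return ("remarks", "remarks", match.group(0))
    for field in REFERRAL_FIELDS:
        for key, value in pairs:
            if key == field.lower() and value:
                return ("referral", field, value)
    return ("none", None, None)


# Constructed sample answers (documentation prefixes, example domains).
RIPE_REMARKS = """% constructed sample
inetnum:  192.0.2.0 - 192.0.2.255
remarks:  Send abuse reports to abuse@example.net
admin-c:  EX1-TEST
tech-c:   EX2-TEST
"""
RIPE_REFERRAL_ONLY = """inetnum:  198.51.100.0 - 198.51.100.255
admin-c:  EX1-TEST
tech-c:   EX2-TEST
"""
ARIN_STYLE = """# constructed sample
NetRange:       203.0.113.0 - 203.0.113.255
OrgTechEmail:   noc@example.org
OrgAbuseHandle: ABUSE0-EXAMPLE
OrgAbuseEmail:  abuse@example.org
"""

if __name__ == "__main__":
    for sample in (RIPE_REMARKS, RIPE_REFERRAL_ONLY, ARIN_STYLE):
        print(find_abuse_contact(sample))
```

A "referral" result is the case that forces the extra, rate-limited lookup of a personal object described above.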
participants (4)
- Frank Gadegast
- Jeffrey Race
- Jørgen Hovland
- Michele Neylon :: Blacknight