Not here for a flame war on the topic...

Just trying to feed the conversation.. examples that can be used or talked about at M3AAWG or amongst the community..

However, a couple of small 'opinion' pieces..

* I refuse to believe that there is nothing to do on this issue, and that the boat has sailed.. And even more, I think that M3AAWG has a role to play here..

* I think we will see that those companies that are diligent in transparency will get better treatment from those in the infosec and security space, than those that don't.

* If you are an ESP, you should make it easy to reach you, you have a responsibility to show that you are professional, and it is NOT THAT HARD. If you are overwhelmed with complaints, you are doing something wrong.

Another example:

http://unifiedlayer.com/

Now, those of us in the industry might recognize the name, but a junior sysadmin or infosec person would not.. The URL looks like any manner of 'placeholders' the spammers would put up.

BlueHost (the new brand) still hasn't updated the 'rwhois' information so we get..

Found a referral to rwhois.unifiedlayer.com:4321.

%rwhois V-1.5:000080:00 rwhois.unifiedlayer.com (by Unified Layer, V-1.0.0)
network:Class-Name:network
network:ID: NETBLK-UL.74.220.192.0/19
network:Auth-Area: 74.220.192.0/19
network:Network-Name: UL-74.220.192.0/19
network:IP-Network: 74.220.192.0/19
network:Organization: Unified Layer
network:Tech-Contact: net...@unifiedlayer.com
network:Admin-Contact: net...@unifiedlayer.com
network:Abuse-Contact: ab...@unifiedlayer.com
network:Created: 20121119
network:Updated: 20121119
network:Updated-By: net...@unifiedlayer.com


At least they have an abuse address, but so do many spammers.

The 'whois' for unifiedlayer.com is redacted.. Why would they NOT want to indicate that this belongs to BlueHost? If there is a REAL reason to report something..

.. for example 'child abuse', I KNOW BlueHost would want to know about it, and this was a topic the last two meetings at M3AAWG, how can we better share that kind of information..

Today, just caught it... a Junior might think it was a fake company, so rather than wasting cycles reporting that they have a bad compromise

In this case, a cPanel Phishing, from Romanian IP .. (Might want to look at RATS-AUTH ;)....

But of course, if a company doesn't WANT those reports, or make it easy for John Q Public to report it to them, (not even discussing those that ignore reports) .. then yeah, they will have to reap the fallout..

Wouldn't it be easier to simply redirect 'http://unifiedlayer.com' to http://bluehost.com?

Oh.. wait.. bluehost.com says you have to fill out a captcha before even seeing the site.. *grumble* That doesn't stop the bad guys, only causes the good guys to maybe give up..

On 2023-05-31 08:53, Laura Atkins via mailop wrote:


On 31 May 2023, at 14:21, Mike Hillyer via mailop <mailop@mailop.org> wrote:

I know that whois is a lost cause, and I still believe that methods for identifying the real controlling entities of domains would help quite a bit in reducing unwanted e-mail spam.

I agree, but the reality of the matter is that even if mailgun.co and mailgun.net had matching org information in the whois for mailgun.com, that would still not prove a connection, only that whoever registered those domains put in the same information that was found in the mailgun.com whois record.

Validating the identity of the ownership of domains would go a long way to helping the situation, but the current whois implementation will never get us there.

And I’ll remind folks that GoDaddy implemented privacy on by default prior to GDPR coming into effect. I went to a talk they gave on why fully intending to explain to them why this was a bad thing to do. But they had good reasons, primarily protecting their customers from scams and spam, for doing it. As much as I hate it, we’re never getting back to having whois being a useful database.

There are also registrars that don’t even offer customers a choice on publishing information.

I don’t like it. I don’t want it to be that way. But that ship sailed almost a decade ago.

laura


Mike

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Hans-Martin Mosner via mailop
Sent: Wednesday, May 31, 2023 1:50 AM
To: mailop@mailop.org
Subject: Re: [mailop] Transparency is key... Here is a perfect example.. M3AAWG is coming.. time to take a st

On 31.05.23 at 01:18, Sebastian Nielsen via mailop wrote:
> I don't agree with your stance.
>
> Hiding whois details doesn't mean you're hiding your identity. Normally, this type of privacy is also used when you want to hide the actual person that is responsible for, let's say, paying the domains.

Still, in this example the domain information for mailgun.co and mailgun.net is so thoroughly hidden that it isn't possible to tell which legal entity owns them. I don't care about the private phone number of some poor fellow who is tasked with paying for the domains, but for a commercial enterprise one can reasonably expect truthful and working contact information as well as an identification of the legal entity. A role e-mail address and a phone number where someone can be reached in emergencies should not be too hard to implement for a sizable business.

> Because, you don't want people calling these phones, about spam, about support cases, about things that SHOULD be taken through their ticket system.

Do mailgun.co and mailgun.net have working ticket systems?

> But you still want a private phone there, that could be ringing in the middle of the night if something went amiss with their payment for their domain, so the domain doesn't get snapped by a squatter.

Who said that they wanted a private phone contact? Not Michael if I read his words correctly. Not me (I hate phone conversations). I don't think that any reasonable person expects private phone numbers in whois contacts. Companies must have company contact channels which should be public info, and for truly private domains I'm fine with not seeing their private contact data in whois. However, they should also be fine if my mail system does not accept mail from essentially anonymous sources and requires them to ask for whitelisting.

> So I would say, this practice is legitimate for larger companies like mailgun.

Well, is this mailgun even? These are just domain names which use that sequence of characters, registered with registries and registrars who don't give a flying f for the actual identity of their customers. There is no way for me to find out whether these are fake or real. From my experience with NameCheap, "fake" is a pretty safe bet, I'm seeing those kind by the hundreds daily, and very rarely do I see a legitimate domain using them as registrar.

> Just because details are hidden at location A or for automated tools doesn't mean they are dubious. Same if they hide their details on their website, but require filling out a captcha to get their office address. Doesn't mean they are shady.
>
> You can still find their details on their official website
> https://www.mailgun.com/contact/ with an address to their office even.

To repeat myself: That contact info is for mailgun.com, not for mailgun.co nor mailgun.net. It is conceivable that somewhere hidden on mailgun.com's web site there is a mention of those two domains and that they are indeed operated by the same company, but the domain info itself does not say that.

I know that whois is a lost cause, and I still believe that methods for identifying the real controlling entities of domains would help quite a bit in reducing unwanted e-mail spam.

Cheers,
Hans-Martin

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

--
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

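The rwhois record quoted above is exactly the kind of thing a junior sysadmin has to make sense of before deciding whether a complaint is worth sending. The following is an added example, not code from the mailop thread or from any of the companies or people named in it: it parses an rwhois response of the form shown (`class:Attribute: value` lines after a `%` protocol header), finds the network record covering a given IP, returns its Abuse-Contact, and reports how stale the record's Updated field is. The sample response is the one quoted in the thread, with the e-mail addresses masked exactly as the list archive masked them; the IP addresses used for lookup are constructed test values inside the quoted /19, and the reference date is the date of the thread.

```python
"""Parse an rwhois referral response and pull out the abuse contact for an IP.

Added example for the mailop thread above; not code from the thread or from
any party named in it. The sample is the record quoted in the thread, with
e-mail addresses masked as the list archive masked them.
"""
import ipaddress
import re
from datetime import date, datetime

# Constructed sample: the rwhois record quoted in the thread (addresses masked).
SAMPLE_RWHOIS = """\
%rwhois V-1.5:000080:00 rwhois.unifiedlayer.com (by Unified Layer, V-1.0.0)
network:Class-Name:network
network:ID: NETBLK-UL.74.220.192.0/19
network:Auth-Area: 74.220.192.0/19
network:Network-Name: UL-74.220.192.0/19
network:IP-Network: 74.220.192.0/19
network:Organization: Unified Layer
network:Tech-Contact: net...@unifiedlayer.com
network:Admin-Contact: net...@unifiedlayer.com
network:Abuse-Contact: ab...@unifiedlayer.com
network:Created: 20121119
network:Updated: 20121119
network:Updated-By: net...@unifiedlayer.com
"""

# Date of the thread, used as the reference point for record staleness.
THREAD_DATE = date(2023, 5, 31)

# rwhois data lines are "class:Attribute: value"; protocol lines start with '%'.
_LINE = re.compile(r"^([^:\s]+):([^:]+):\s*(.*)$")


def parse_rwhois(text):
    """Return a list of records, each a dict of attribute -> value.

    Records are separated by blank lines or '%' protocol lines. The object
    class (e.g. 'network') is stored under the '_class' key.
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                records.append(current)
                current = {}
            continue
        m = _LINE.match(line)
        if not m:
            continue  # tolerate junk lines rather than failing the whole lookup
        cls, attr, value = m.groups()
        current.setdefault("_class", cls)
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def network_for_ip(records, ip):
    """Return the network record whose IP-Network (or Auth-Area) covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        if rec.get("_class") != "network":
            continue
        cidr = rec.get("IP-Network") or rec.get("Auth-Area")
        if cidr and addr in ipaddress.ip_network(cidr, strict=False):
            return rec
    return None


def abuse_contact(records, ip):
    """Abuse-Contact for the network covering ip, or None when there is no such record."""
    rec = network_for_ip(records, ip)
    return rec.get("Abuse-Contact") if rec else None


def record_age_days(rec, today):
    """Days since the record's Updated field (YYYYMMDD); None when absent or unparseable."""
    stamp = rec.get("Updated")
    if not stamp:
        return None
    try:
        updated = datetime.strptime(stamp, "%Y%m%d").date()
    except ValueError:
        return None
    return (today - updated).days


if __name__ == "__main__":
    recs = parse_rwhois(SAMPLE_RWHOIS)
    rec = network_for_ip(recs, "74.220.200.5")  # constructed IP inside the /19
    print("abuse contact:", abuse_contact(recs, "74.220.200.5"))
    print("record last updated %d days before the thread" % record_age_days(rec, THREAD_DATE))
```

The parser deliberately tolerates lines it does not understand and falls back from IP-Network to Auth-Area, because real rwhois servers differ in which attributes they populate; the staleness figure is what turns "they haven't updated the rwhois" from an impression into a number a reporter can cite.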
