Re: [anti-abuse-wg] So many idiots. So little time.

2022-08-14 Thread Hans-Martin Mosner via anti-abuse-wg

Jeroen,
it's hard to distinguish between straight statements and serious questions on one hand and sarcasm, rhetorical 
questions and strawman arguments on the other hand in written communication, especially when there sometimes seems to be 
a "mode switch". I'm trying to respond seriously and to be explicit about how I understood your statements.


Am 14.08.22 um 10:26 schrieb jer...@hackersbescherming.nl:

My bad! I assumed that when u create or follow a training course that u want
to learn or teach a way that ALWAYS works.


I'm unsure whether you meant that seriously or sarcastically.

Of course the assumption is wrong. Training is a way of improving your ability to do something, not of learning 
something that always works. A football team will train to learn to play better and win more games, not to learn a way 
that will let them win ALWAYS. Similarly, an abuse desk team will train to learn ways of detecting abuse earlier, to 
distinguish between true and false abuse accusations, to use tools and automation to focus their human attention on the 
tricky problems instead of doing rote work, etc. None of that will guarantee that there will be no abuse from their 
network, but it will likely reduce the amount by catching it quicker and making it unattractive for spammers. Of course, 
that's the theory, but my experience from the other side of the fence is that quick and swift action is the primary 
thing that reduces the amount of spam, and it should work equally well and on a larger volume on the provider side.




With my assumption of the below.
To solve the abuse problem u either need a system that can hold the abuser
responsible or and that would be even better u need a system where nobody
would grow an interest to even try to abuse


Did you forget a period here? As such, this sentence sort of makes sense, although I would not strive to "solve" the 
abuse problem but to reduce the volume and impact on recipients. Holding abusers responsible may be one way (although it 
would be necessary to define what that means).


A system where nobody would grow an interest to even try to abuse is impossible, we know from the non-effectiveness of 
capital punishment against murder etc. that there is no effective deterrent that keeps people from wanting to do and 
actually doing horrible things. The only "effective" way would be to lock up everybody as a safety measure. That's like 
blocking access to port 25, surely it keeps out the spam, but would have some undesirable side effects.


So, this is not what I want.


  and when u start thinking into
this direction all the other "BIG" problems in the world will become easy to
solve. (Yes u read this right they are easy to solve, we currently just use
the wrong systems (all over the world) to guide and lead us)
Is this a strawman argument of the form "we should not try to solve problem X because we can't solve problem Y and 
that's even bigger"? That's faulty logic, I assume written tongue-in-cheek.


When u would have a good system then a large portion or maybe even all of
the current training material would be irrelevant since it is based on the
current system that doesn't provide a solution for the problem.


That's an assumption about the training material (which I haven't seen and know nothing about) and the current system 
that I don't share. It seems to imply that there is no way of reducing the amount of spam in the current system, which 
is IMO not true.


I do think that the current system is lacking in some areas but is overall usable, and that it is possible to reduce 
abuse within the framework of the current system. Usable training material would teach what can be done at one point 
(one provider) to achieve this without requiring undue cooperation from other players or changing the system. That is, 
actually doable changes to one's operation to reduce the amount of abuse.




What u are saying is that when I create a training that teaches 1+1=11 and
someone out there wants to learn this that this would be a useful training
 (maybe for someone to do on his own but not for a global/regional
solution).
Looks like a strawman argument again. I'm not proposing that training should teach nonsense and that someone out there 
could want to learn nonsense, so this would be useful training. What I was saying is that a training course (which I 
presumed teaches something actually useful in reducing the spam load) can only be useful for organizations that want to 
get closer to that goal. If an organization does not share that goal (or has different main goals), they most likely 
would not want or need the training.


It doesn't matter to which group u belong to, in the end we all belong to
the same group called Humans
We need a fair worldwide system where power is removed from all
individuals (Since power always creates a form of abuse)


Looks like a hyperbole/strawman argument again: "If we can't solve the worldwide power abuse issues, we 

Re: [anti-abuse-wg] So many idiots. So little time.

2022-08-13 Thread Hans-Martin Mosner via anti-abuse-wg

Am 13.08.22 um 14:13 schrieb jer...@hackersbescherming.nl:

I would say perfect for that anti abuse training!


Training is useful if you want to learn and achieve the training subject matter. Serverius (like many other 
hosting/colocation providers) is in the business of deflecting trouble from their customers. In an old antispam forum 
post I found this quote without exact source, which could be used verbatim by most of them:


Serverius IT infrastructure is providing underlying infrastructure services without any hosting activities. Serverius 
is not a hosting provider as it has no data carrier hardware like servers or disk storage services under management 
(only our clients do). Serverius is only providing the parent data center colocation of client hardware and/or IP 
connectivity services that are used by clients to build their own infrastructure. Their services are used by millions 
of companies in the world. Therefore Serverius does not know what Serverius network users are hosting (it's 
technically impossible for us to see and forbidden by law) and Serverius is therefore not liable for what our customer 
hosts behind its own network and/or on his own infrastructure. 
Legally, they may be right (of course they are not allowed to peek into their customer's servers). However, there's 
something more to it - you could have contract and AUP clauses which prohibit spamming/abuse and give the provider 
leverage to enforce that prohibition. But some providers apparently prefer to keep such clauses out of their contracts 
and don't want to waste money on abuse desk training because a well-paying customer is a well-paying customer after all. 
"Pecunia non olet", as Vespasian is reported to have said.


Those are not the target group for anti abuse training. They would probably need it, but first they would need the will 
to stop network abuse emanating from their infrastructure.


Cheers,
Hans-Martin


--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


Re: [anti-abuse-wg] So many idiots. So little time.

2022-08-12 Thread Hans-Martin Mosner via anti-abuse-wg

Idiots is the wrong choice of word here. Hanlon's Razor does not apply to 
Serverius.

Cheers,
Hans-Martin





Re: [anti-abuse-wg] What todo when a registrar doe snot respond to babuse form an IP

2022-06-23 Thread Hans-Martin Mosner via anti-abuse-wg

Am 22.06.22 um 22:39 schrieb Angel P:

Hello there,

I have reported to a registrar an IP that has been doing a bunch of wordpress attacks on one of my sites and also 
using a fake referrer by impersonating itself as www.bing.com 

What can be done?


Basically nothing (but read on).

Registrars happily hide the identity of registrants but disclaim any responsibility for their actions ("it's not us but 
our customer, but we won't give you the customer's name").


Hosting companies, which would normally be the correct abuse contact for those IPs, happily hide the identity of their 
customers but disclaim any responsibility for their actions ("it's not us but our customer, but we won't give you the 
customer's name").


They may provide you with a way to contact their customer through some forwarding mechanism, but when the customer is 
itself the abuser, that would mean they expose your identity to the abuser without exposing the abuser's identity to 
you. In real-life abuse situations it has long been established that this is an absolute no-no, but registry and hosting 
service providers get away with it.


The attacks are probably too easy to defend against, so there's no incentive for law enforcement to follow through with 
your issue, which would otherwise be a way to subpoena the contact information. However, even if they did that, the 
information would likely be worthless, as abusers can register with fake ID easily.


What you *can* do is protect yourself and don't rely on others' assistance. Block IP space if you experience abuse from 
there. Install wordpress plugins to detect and reject attacks.


There are some ways to report abusive IPs to the public (https://abuseipdb.com comes to mind, but there are others) but 
these probably have little effect beyond documenting that a problem is seen by more than one reporter.


Cheers,
Hans-Martin

(I've responded to the mailing list although this isn't really an abuse reporting help forum but to reinforce the POV 
that the refusal to require accurate identity and contact information about internet resource owners is a major reason 
that internet abuse is so hard to fight).


Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-04 Thread Hans-Martin Mosner via anti-abuse-wg

Am 04.06.22 um 02:05 schrieb Ronald F. Guilmette:

Hans-Martin Mosner wrote:


For resources allocated to legal entities (companies, organizations, etc.)
an identification of the organization should be mandatory.

Would you agree also that such identification of non-person legal entities
that are the registrants of number resources should be:

 a)  public, and

 b)  accurate and consistent with the bona fides that were submitted to
 RIPE NCC at the time the member was made a member, and at any & all
 times thereafter when the non-person member requested or was granted
 number resources?
Yes, with the addition that whenever the identification of a legal entity changes, it needs to be updated. "Accurate" 
and "consistent" may be in conflict when initial information was inaccurate, I'd prefer accurate over consistent.

If you say yes to both, then I am compelled to point out that there is,
as far as I understand it, *no* requirement, within the RIPE region, at
present for there to be *any* correlation between what appears in any
public RIPE WHOIS record and the actual bona fides of the corresponding
member, the -actual- identity of which remains secret & hidden behind an
opaque wall of stony silence, backed up by RIPE's legal counsel.


I can't really judge this, but I see why that is your point of view.

To be clear, I am just a participant in this mailing list, have never taken part in WG meetings, don't have the 
slightest insight into why certain information is withheld from public view, and as such I can only guess. Organizations 
with numerous stakeholders having different interests tend to be blocked by unanimous consensus and veto rules, so it's 
no surprise that RIPE seems to be afflicted by this, too.


What such organizations need to come up with is a mechanism that allows them to deal with problem members without being 
blocked by them and their allies, while not succumbing to a dictatorship of the majority (majority decisions aren't 
always the best) or some central authority. As you point out, this is an issue with other organizations, too, but it's 
by far not limited to the ones you listed.


I still believe in reason to a certain extent, although it takes a big leap of 
faith in light of reality.

Cheers,
Hans-Martin




Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-03 Thread Hans-Martin Mosner via anti-abuse-wg

Am 31.05.22 um 15:12 schrieb denis walker:

Colleagues

I have raised an issue on the DB WG mailing list about publishing in
the database the identity of natural persons holding resources.


Hi, this mail triggered the expected avalanche of controversial responses, which quickly devolved into name-calling, so 
I prefer to respond to the original instead of any of the later responses.


There are conflicting interests at work here. In your proposal, you mention the need to contact resource owners, which 
is probably accepted by most.


However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with 
whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with 
them, just as I don't want to discuss with burglars about their actions!


So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider", 
like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for 
identifying who can be held accountable for abuse emitted from a network range.


For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should 
be mandatory. This does not need to include personal data on employees that happen to be responsible for network or 
abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminating personal data (which often 
becomes stale anyway after some years).


However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24 
network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible 
enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information. 
For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for 
the content if you address the general public, and if you do business of any kind and you're not a corporation, you must 
do so under your name.


I suppose that RIPE operates mostly on the level of legal entities that can be identified without naming individual 
persons. As such, it would be proper to clearly state that every database entry pertaining to a resource allocated 
through RIPE must contain truthful and usable identifying information of the resource holder. In German, that's 
"Ladungsfähige Anschrift" which was basically required to be an actual place of presence, but it appears that "virtual 
office" providers have succeeded in letting their addresses count as "Ladungsfähige Anschrift". I'm not a legal expert, 
I think this is wrong, but jurisprudence isn't always compatible with reason.


Since RIPE isn't bound by German law, they may choose contractual wording that provides reasonable value for all parties 
involved. If all identifying information is lost, the abusers have won, as they have with domain whois already.


Cheers,
Hans-Martin




[anti-abuse-wg] Someone on this list has been hacked

2022-04-13 Thread Hans-Martin Mosner via anti-abuse-wg

Hi folks,

looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me 
open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through 
someone who's active in anti-abuse and presumably not a noob :-)


This is what I got (since the link does not include a URL scheme, I consider 
it fairly safe to post here)


HI THERE,

The data file you wanted is available down below.


1)eddieserotica.com/eu/uocfqimediifa


Please tell me in case you have any questions.


Cheers,
Hans-Martin




Re: [anti-abuse-wg] RIPE NCC Anti-Abuse Training: Next Steps & WG Input!

2022-02-10 Thread Hans-Martin Mosner

Am 10.02.22 um 10:25 schrieb Brian Nisbet:

Colleagues,

Since we last spoke about the proposed training the NCC have been working with various community members to put a 
draft syllabus in place for further discussion.


This is a link to the feedback document for this draft:

https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBVR2w/edit?usp=sharing


Nice!
What the NCC and the Co-Chairs would love is if everybody could just comment what they think they understand from the 
learning goals as they’re written and suggest any changes or additions and obviously ask any questions. We’d also like 
the feedback on the webinar flow design.


It’s important for everybody to understand that the learning objectives are the basis for the training. These are the 
skills that the learner must acquire. With these skills we also expect a change of attitude towards abuse handling 
(which is we think the purpose of this training).


While discussion on the list is welcomed and encouraged, we've also planned a Zoom session for any interested parties 
to discuss this further.


I'll most likely not be able to join the Zoom session, so here are some thoughts. The document draft shows the structure 
(which is good and as far as I can see covers the important areas) but not much detail. My suggestions (from the POV of 
an abuse reporter) go straight into the details, please forgive me if that is out of scope.


 * Abuse handling is not the same as support handling. Abuse reporters don't want help, they expect that it is in your
   own interest as a network operator to curb abuse originating from your network, and their reports are intended to
   help you reach that goal. This results in some Don'ts (I'm seeing all of these in response to abuse reports):
     o don't reject their messages because they are not your customers,
     o don't require them to register with some support system,
     o don't send meaningless auto-replies,
     o don't try to teach them (unless they are really doing something wrong).
 * Although there may be conflicts with protecting your users' privacy, reporters really appreciate knowing whether
   their reports have a meaningful effect as they sometimes spend considerable amounts of time. Positive feedback
   ("we've terminated that customer", or "we've worked with the customer to fix their exploitable software/account") is
   a huge encouragement to continue reporting abuse. If there is no detectable reaction (either in form of an answer or
   an observable stop of abuse) then an abuse reporter might determine that blocking your network is a more effective
   use of their time.
 * Many types of abuse originating from your network are signs of substandard security and warnings of possibly more
   damaging future exploits. Work proactively with your customers when you find systemic problems. For example, on one
   of the services that I look after, we had one or two mail account password compromises which led to spam bursts. We
   established a strict password policy, checking the password database for easily breakable passwords, and contacting
   all users with weak passwords so they changed them to secure passwords. Similarly, we proactively check customers'
   websites for exploitable plugins. What kinds of proactive abuse prevention work in your case might be vastly
   different, but not doing anything is gross negligence.
 * Abuse desk workers need authority to contact customers and to restrict their use of your resources. One basic
   prerequisite for contacting customers is that you know them. If your operation does not establish appropriate KYC
   rules you're bound to be an attractive provider for abusers. Of course, the amount of info you need for an e-mail
   account and for renting out a server are different, and you may be limited by privacy laws, but if you simply refuse
   to take responsibility while not disclosing information on who *is* actually responsible you're in for blocking.

Cheers,
Hans-Martin

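The weak-password check described in the third bullet above, as an added example that is not part of the original mail or the author's tooling: it runs a small dictionary pass, with the capitalisation and suffix mangling rules a cracker tries first, against a hashed account store and reports which accounts fall. The store format (username, per-account salt, PBKDF2-HMAC-SHA256 digest), the iteration count, the sample accounts and the wordlist are all constructed for the example; a real run would use the operator's actual store and a proper wordlist.

```python
"""Audit a hashed-password store for easily guessable passwords.

Added example, not the author's tooling. Everything here is constructed:
the account store format (username, per-account salt, PBKDF2-HMAC-SHA256
digest), the iteration count, the sample accounts and the tiny wordlist,
which stands in for a real list such as those shipped with John the Ripper.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Iterator, List

ITERATIONS = 10_000  # assumption for the sample store; production stores should use far more


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash a candidate exactly the way the store does, so digests are comparable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(user: str, password: str) -> Dict[str, object]:
    """Build a sample store entry; the salt is derived from the username only so the example is reproducible."""
    salt = hashlib.sha256(user.encode("utf-8")).digest()[:16]
    return {"user": user, "salt": salt, "hash": derive(password, salt)}


# Constructed sample accounts: two weak, one strong.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    make_account("alice@example.org", "Welcome123"),
    make_account("bob@example.org", "bob2022"),
    make_account("carol@example.org", "7xK!p9#vQw2mLz"),
]

# Constructed stand-in for a real wordlist, plus the mangling suffixes tried per word.
COMMON_WORDS = ["123456", "password", "welcome", "letmein", "qwerty", "summer"]
SUFFIXES = ["1", "123", "!", "2021", "2022"]


def candidates(user: str, wordlist: Iterable[str]) -> Iterator[str]:
    """Yield guesses: each wordlist entry and the local part of the address,
    in lower-case and capitalised form, bare and with the usual suffixes."""
    local_part = user.split("@", 1)[0]
    for word in list(wordlist) + [local_part]:
        for base in (word, word.capitalize()):
            yield base
            for suffix in SUFFIXES:
                yield base + suffix


def audit(accounts: Iterable[Dict[str, object]], wordlist: Iterable[str] = COMMON_WORDS) -> Dict[str, str]:
    """Return {username: recovered_password} for every account the dictionary pass cracks."""
    wordlist = list(wordlist)
    weak: Dict[str, str] = {}
    for acct in accounts:
        for guess in candidates(acct["user"], wordlist):
            # Constant-time comparison is not strictly needed offline, but costs nothing.
            if hmac.compare_digest(derive(guess, acct["salt"]), acct["hash"]):
                weak[acct["user"]] = guess
                break
    return weak


if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ACCOUNTS).items():
        print(f"WEAK  {user}: recovered '{guess}', ask the user to change it")
```

The point of the exercise is that the operator runs the same cheap attack the spammer runs, but first: anything this recovers in seconds would fall to a brute-force run against the login service just as quickly. With a slow hash the audit is deliberately expensive per guess, which is why the wordlist and rule set are kept small and targeted rather than exhaustive.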


Re: [anti-abuse-wg] Proposal: Publish effective users' abuse-c

2022-01-21 Thread Hans-Martin Mosner

Am 20.01.22 um 13:37 schrieb Alessandro Vesely:


However, it is the ISPs' customers who are the effective users of those IPs. Any complaint, whether reporting spam or 
botnet activity, can probably be handled more effectively by the people who run the systems connected to a given IP 
than the actual owner. 


In a considerable number of cases, the ISP's customer is also the spammer. I would prefer not to talk to them when 
complaining about their behavior - in the best case, they will ignore me, in the worst case, they might do something in 
revenge.


The IP owner is the one who can pull the plug on misbehaving customers. As it is much easier to identify IP owners, I 
can collect reputation data about who I can trust to handle my abuse complaint responsibly, who will just ignore it, who 
will forward it unedited to their customer. Depending on this assessment of their trustworthiness, I will or won't report.


There are very few cases where reporting to end users makes much sense. Either they operate their system responsibly 
including monitoring the mail rejects and bounces, then they already know there's something that needs to be fixed, or 
they don't, and most often don't care, and my complaint will probably not change that.


Cheers,
Hans-Martin




[anti-abuse-wg] Is there any analysis on root causes of mail account break-ins?

2021-11-17 Thread Hans-Martin Mosner

Hi folks,

I'm trying to understand the root causes and vulnerabilities that lead to hacked mailboxes. Currently, we can handle 
dynamic IP ranges pretty well, and we have an extensive list of network ranges whose owners are spammers or knowingly 
accept spammers as customers.


So what mainly remains as spam sources are hacked servers/websites, hacked mail accounts, and freemail accounts 
registered with the purpose of spamming (I'm looking at you, Google).


Here I want to focus on hacked mail accounts. I can think of two major root causes but I have no idea about their 
relative significance:


 * Easily guessable passwords, with two subcauses for exploits:
     o Brute force authentication attempts - I'm seeing them regularly, and the most egregious networks (e.g.
       5.188.206.0/24) are fully blocked at our mailserver, but some mailops are less strict about blocking such abusers.
     o Exfiltration of hashed password data and cracking of these lists (for example using JtR) - this would work better
       with weaker password hashing, but with weak passwords and some CPU power it is probably possible even for strong
       hash algorithms.
 * Malware on client machines where passwords are either stored in a password vault, or entered manually.

My gut feeling is that some organizations are especially prone to hacked mail accounts. We're seeing lots of South 
American government agency users, and many accounts at educational institutions. The latter are often hosted using 
Microsoft O365 services, and I highly suspect that weak passwords for all the freshly created student accounts may be a 
major cause, although exfiltrated password data may be a possibility, too.


So does anyone have pointers to studies analyzing these (and probably more) 
causes of exploited mail accounts?

Cheers,
Hans-Martin
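The brute-force detection mentioned under the first subcause above, as an added example that is not part of the original mail or the author's setup: it parses IMAP/POP login failures, aggregates attempts and distinct target users per source address and per /24, and proposes block entries. The log lines are constructed to resemble Dovecot's "auth failed" disconnect messages (the user=<...> and rip=... fields follow that format); the thresholds are assumptions, and the escalation to a whole /24 is there because a distributed slow attack from many addresses in one network stays under any per-address limit.

```python
"""Find mail-account brute-force sources in login logs and propose blocks.

Added example, not the author's setup. The log lines are constructed to
resemble Dovecot's "auth failed" disconnect messages; thresholds are
assumptions. Escalating to a /24 catches distributed attacks where every
single address stays below the per-address limit.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+): Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log: a distributed slow brute force from 198.51.100.0/24
# (each source stays below the per-address threshold), one loud single source
# (192.0.2.77), and one legitimate user who mistyped a password (192.0.2.10).
SAMPLE_LOG = """\
Nov 17 09:12:01 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Nov 17 09:12:09 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 11 secs): user=<bob@example.org>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Nov 17 09:13:30 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<carol@example.org>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5, TLS
Nov 17 09:13:41 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<dave@example.org>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5, TLS
Nov 17 09:15:02 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<erin@example.org>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, TLS
Nov 17 09:15:13 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<frank@example.org>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, TLS
Nov 17 09:16:44 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<grace@example.org>, method=PLAIN, rip=198.51.100.10, lip=203.0.113.5, TLS
Nov 17 09:16:58 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<heidi@example.org>, method=PLAIN, rip=198.51.100.10, lip=203.0.113.5, TLS
Nov 17 09:20:00 mx dovecot: imap-login: Disconnected (auth failed, 6 attempts in 20 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov 17 09:20:25 mx dovecot: imap-login: Disconnected (auth failed, 6 attempts in 19 secs): user=<bob@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov 17 09:20:51 mx dovecot: imap-login: Disconnected (auth failed, 6 attempts in 21 secs): user=<carol@example.org>, method=PLAIN, rip=192.0.2.77, lip=203.0.113.5, TLS
Nov 17 09:31:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS
"""


def parse(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract (remote ip, target user, attempt count) from matching log lines; others are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append({"rip": m["rip"], "user": m["user"], "attempts": int(m["n"])})
    return events


def analyse(lines: Iterable[str], ip_attempts: int = 15, ip_users: int = 3,
            net_attempts: int = 20, net_sources: int = 3) -> Dict[str, object]:
    """Return proposed block entries plus per-address (attempts, distinct users) statistics."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in parse(lines):
        per_ip[ev["rip"]]["attempts"] += ev["attempts"]
        per_ip[ev["rip"]]["users"].add(ev["user"])

    # Aggregate per containing network (/24 for IPv4, /64 for IPv6 as an assumption).
    per_net = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for ip, st in per_ip.items():
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 64}", strict=False)
        per_net[net]["attempts"] += st["attempts"]
        per_net[net]["sources"].add(ip)

    blocks: List[str] = []
    for net, st in per_net.items():
        if st["attempts"] >= net_attempts and len(st["sources"]) >= net_sources:
            blocks.append(str(net))
    covered = [ipaddress.ip_network(b) for b in blocks]
    for ip, st in per_ip.items():
        if st["attempts"] >= ip_attempts and len(st["users"]) >= ip_users:
            if not any(ipaddress.ip_address(ip) in n for n in covered):
                blocks.append(f"{ip}/{32 if ipaddress.ip_address(ip).version == 4 else 128}")
    return {
        "blocks": sorted(blocks),
        "per_ip": {ip: (st["attempts"], len(st["users"])) for ip, st in per_ip.items()},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for entry in result["blocks"]:
        print("block", entry)
```

Requiring several distinct target users per source is what separates a guessing attack from one user who keeps mistyping a password; the single failure from 192.0.2.10 never produces a block, and its /24 is not escalated because only one other source in it misbehaves.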


Re: [anti-abuse-wg] Input request for system on how to approach abuse filtering on Route Servers - bad hosters

2021-05-19 Thread Hans-Martin Mosner
Am 18.05.21 um 21:52 schrieb Erik Bais:
> Hi,
>
> As I asked during the Connect WG today, there are discussions currently going on in the Dutch network community to see
> if there is a way to get a cleaner feed from routeservers on internet exchanges. ( by default )
>
> As you may know there is a Dutch Anti Abuse Network initiative ( AAN ) – abuse.nl
>
> The companies associated with AAN setup and all signed a manifest ( in Dutch - https://www.abuse.nl/manifest/ ) that
> states that we will all do our best to provide a better and cleaner internet.
>
Nice initiative!
> ...
>
> Topics that should be included on the rating for the list :
>
>   * Phishing (hosting sites / domain registrations )
>   * Malware hosting ( binaries and C’s )
>   * DDOS traffic  ( number of amplification devices in the network compared to the number of IP address ratio )
>   * Login attacks / excessive port scanning
>   * Hosting of Child exploitation content
>   * Infected websites / Zeus Botnets
>   * Etc
>
One problem with the approach is that there isn't a single measure of badness, as the topic list already shows. It's a
multi-dimensional vector, and its dimensions are not easily defined in a non-controversial way. The criteria for
including a network in a top N list will therefore be unavoidably subjective.

In the process of thinking about ways to tackle e-mail abuse (which doesn't even show in your list, probably because
it's not really a problem for network operators but only for mail operators) I came up with some ideas about a
distributed reputation network that might have some desirable properties:

  * Separation of network and resource owner observations and policy decisions:
    It would be very helpful to have multiple independent and reliable sources listing type and severity of network
    abuse in real time, but I'd like to define my own policy rules and use those abuse metrics as input for policy
    decisions. As a mail operator, I might be personally very concerned about malware hosting, but the things that would
    affect my blocking policy are spam volume and mail account bruteforce attacks (and to some extent, DDOS traffic).
    Network operators may have different policies to protect the integrity of their networks and implement legally
    required rules.
  * Distributed P2P database:
    I'm thinking about something like a cryptocurrency blockchain or the PGP web of trust, which avoids having a single
    point of failure and also avoids a single hierarchy of trust. Cryptography provides some excellent tools, but apart
    from the ubiquitous TLS (and the mentioned blockchain systems) it's used much too sparingly in securing information
    integrity.
  * Reputation metrics:
    It should be possible to assert not only observations of network behavior, but also reputation statements about the
    publishers of such observations. This makes evaluating the trustworthiness of a reporter possible, and with enough
    participants could provide a relatively unbiased view.

Hope this provides some food for thought/discussion. I'm well aware that my viewpoint is necessarily limited, as I don't
have any network operating experience, but some aspects may be transferable to that area.

Cheers,
Hans-Martin
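The observation/policy split and the reputation statements from the three bullets above, as an added example that is not the author's code or any existing system: shared observations about prefixes are weighted by how much the consumer transitively trusts the reporter, and a mail operator and a network operator then apply their own thresholds to the same data. The observations, endorsements, trust weights, thresholds and the "product along the best path, depth-limited" trust rule are all constructed assumptions; signing and distributing the records (the P2P/blockchain part) is left out.

```python
"""Sketch of observation/policy separation with reporter reputation.

Added example, not the author's code or any existing system. Observations,
endorsements, weights and thresholds are constructed; the transitive-trust
rule is an assumption chosen to make the separation visible. Signing and
distribution of the records are out of scope here.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed observations: (reporter, prefix, kind, severity in 0..1)
OBSERVATIONS: List[Tuple[str, str, str, float]] = [
    ("mailop-a", "192.0.2.0/24", "spam", 0.9),
    ("mailop-a", "192.0.2.0/24", "bruteforce", 0.6),
    ("netop-b", "198.51.100.0/22", "ddos", 0.8),
    ("unknown-x", "203.0.113.0/24", "spam", 1.0),  # nobody in my trust graph vouches for this reporter
    ("netop-b", "203.0.113.0/24", "malware", 0.7),
]

# Constructed reputation statements: (who, about whom, trust in 0..1)
ENDORSEMENTS: List[Tuple[str, str, float]] = [
    ("me", "mailop-a", 1.0),
    ("mailop-a", "netop-b", 0.8),
    ("netop-b", "mailop-c", 0.9),
]

# Two consumers of the same observations, each with its own thresholds.
MAIL_POLICY = {"spam": 0.7, "bruteforce": 0.5}
NET_POLICY = {"ddos": 0.6, "malware": 0.6}


def trust_from(root: str, endorsements: Iterable[Tuple[str, str, float]], max_depth: int = 3) -> Dict[str, float]:
    """Transitive trust seen from `root`: product of weights along a path, best path
    wins, depth-limited so distant reporters count for little."""
    graph: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for who, about, weight in endorsements:
        graph[who].append((about, weight))
    trust = {root: 1.0}
    frontier = [(root, 1.0, 0)]
    while frontier:
        node, level, depth = frontier.pop()
        if depth >= max_depth:
            continue
        for nxt, weight in graph[node]:
            candidate = level * weight
            if candidate > trust.get(nxt, 0.0):
                trust[nxt] = candidate
                frontier.append((nxt, candidate, depth + 1))
    return trust


def scores_for(ip: str, observations, trust: Dict[str, float]) -> Dict[str, float]:
    """Per-kind score for one address: trust-weighted severity, max over covering prefixes.
    Reporters outside the trust graph weigh zero, so their observations are ignored."""
    addr = ipaddress.ip_address(ip)
    scores: Dict[str, float] = defaultdict(float)
    for reporter, prefix, kind, severity in observations:
        if addr in ipaddress.ip_network(prefix):
            scores[kind] = max(scores[kind], trust.get(reporter, 0.0) * severity)
    return dict(scores)


def decide(ip: str, policy: Dict[str, float], observations=OBSERVATIONS,
           endorsements=ENDORSEMENTS, root: str = "me") -> Tuple[str, List[str]]:
    """Apply one consumer's own thresholds to the shared observations."""
    scores = scores_for(ip, observations, trust_from(root, endorsements))
    reasons = sorted(kind for kind, threshold in policy.items() if scores.get(kind, 0.0) >= threshold)
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.200", "203.0.113.9"):
        print(ip, "mail:", decide(ip, MAIL_POLICY), "net:", decide(ip, NET_POLICY))
```

With this data the mail policy blocks 192.0.2.5 for spam and brute force while the network policy lets it through, the network policy blocks 198.51.100.200 for DDoS traffic, and 203.0.113.9 is allowed by both: the loud spam report comes from a reporter nobody vouches for, and the malware report, discounted by two hops of trust, stays under the threshold.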




Re: [anti-abuse-wg] Call For Agenda Items - RIPE82

2021-03-29 Thread Hans-Martin Mosner
Am 23.03.21 um 17:53 schrieb Brian Nisbet:
> Colleagues,
>
> RIPE 82 will be taking place somewhere on the Internet from the 17th - 21st 
> May 2021.
>
> https://ripe82.ripe.net
> 
>
Don't know if anyone noticed, but this is a nice example of how tricksters get 
you to click on misleading URLs :-)

After an indirection via a Microsoft "safelinks" service, the URL does not lead 
to ripe82.ripe.net, as the readable text
would imply, but to ripe81.ripe.net :-)


Cheers,
Hans-Martin
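The mismatch described above, as an added example that is not part of the original mail: it extracts every link from an HTML body, unwraps one layer of Microsoft Safe Links rewriting, and flags anchors whose visible text names a different host than the real target. The sample HTML is constructed to resemble the case in question; the Safe Links wrapper is modelled as the common https://<tenant>.safelinks.protection.outlook.com/?url=<encoded target>&... form, which is an assumption about that service's URL shape.

```python
"""Flag links whose visible text names a different host than the real target.

Added example, not from the original mail. The HTML is constructed; the Safe
Links wrapper is modelled as the ?url=<encoded target> form.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Text that looks like a URL or a bare host name (no spaces, a dotted name with a TLD).
URLISH = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?#]\S*)?$")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def unwrap_safelinks(url: str) -> str:
    """Return the original target of a Safe Links rewrite; other URLs pass through unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return url


def host_of(text: str) -> Optional[str]:
    """Host named by a URL or bare domain, lower-cased; None if the text is not URL-like."""
    if not URLISH.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower() or None


def check_links(html_doc: str) -> List[Dict[str, object]]:
    """For each anchor: visible text, unwrapped target, and whether the shown host differs from the real one."""
    parser = _Anchors()
    parser.feed(html_doc)
    report = []
    for href, text in parser.links:
        target = unwrap_safelinks(href)
        shown, real = host_of(text), host_of(target)
        report.append({"text": text, "target": target, "mismatch": shown is not None and shown != real})
    return report


# Constructed sample resembling the mail in question.
SAMPLE_HTML = """
<p>RIPE 82 will be taking place online.</p>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fripe81.ripe.net%2F&amp;data=04%7C01%7C&amp;sdata=abc&amp;reserved=0">https://ripe82.ripe.net</a>
<a href="https://lists.ripe.net/mailman/listinfo/anti-abuse-wg">lists.ripe.net</a>
<a href="https://www.ripe.net/">the RIPE NCC site</a>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_HTML):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f"{flag:8} {entry['text']!r} -> {entry['target']}")
```

Only anchors whose visible text itself looks like a URL or host name are compared; descriptive link text such as "the RIPE NCC site" carries no claim about the destination and is left alone. The same check is the first thing to run over a suspected phishing mail, where the Safe Links layer otherwise hides the real host from a casual reader of the source.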



[anti-abuse-wg] Sorry for derailing

2021-02-21 Thread Hans-Martin Mosner
Folks, I need to apologize for derailing Cynthia's topic. I had a feeling that 
this might happen, I should have listened
to that feeling and just stopped it.

I know that we will continue to have different opinions on some matters, such 
as how to handle abuse reports. As long as
we exchange arguments about which approach is preferential in which situation, 
all is well. Once we get into name
calling and questioning each other's competence, things deteriorate quickly. 
Let's not do that.

It is sadly very hard to reach agreement on even very basic issues, and the 
more one is convinced that one's point of
view is correct the more one is likely to belittle different opinions. We 
should be able to present our views and
discuss them rationally without resorting to ad hominem attacks. It's ok to say 
"I stand by my opinion and will do it
that way" but it's not ok to say "you're an idiot if you do it differently".

Opinions on who should bear the main burden in resolving abuse issues naturally 
differ a lot depending what role in the
process you take. It might be helpful to state one's own role when arguing for 
one's view, and to recognize the role of
others defending different viewpoints.

Cheers,
Hans-Martin




Re: [anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)

2021-02-20 Thread Hans-Martin Mosner
Am 20.02.21 um 01:39 schrieb Volker Greimann:
> It sounds GDPR legal. After all, they are telling you exactly what will 
> happen with anything that you send there, so
> by sending it there in full knowledge, you are essentially consenting to that 
> processing of your data.

That may or may not be true, I'm not a legal expert. It sounds essentially like 
a protective clause that indemnifies
them in case they've given your data to a criminal who then begins to harass 
you.

Note that the reasonability of such protective clauses may be dubious, and 
their legality tends to be undefined until
they are tested in courts. Protective clauses often don't fully consider the 
rights of one side, for example I would be
fairly sure that giving my private data to a spamming customer who stays 
anonymous to me would be a blatant violation of
*my* rights.

> Also, German courts have ruled that in-between service providers are only 
> liable for taking action after the
> complainant has raised the issue with the party that is directly violating 
> the rights of the complainant, or their
> hosting provider and those efforts have proven futile or can be objectively 
> deemed to be futile from the outset.
> And finally, who says their customers are the abusers? In many cases, their 
> customers may be the victims as well,
> without their knowledge, for example due to compromised CMS and would indeed 
> be the best person to address the issue
> you may want to see resolved.

I have been working as a part-time postmaster for quite a bit over 30 years, 
and I am pretty capable of distinguishing
between compromised resources (web sites or mail accounts) and spammer-owned 
resources in most cases, thank you very
much :-)

As an abuse reporter, I need to decide which parties I can or cannot trust in 
which respects.

If a hosting company hosts customers for prolonged times that are to the best 
of my knowledge blatant abusers, I simply
cannot trust that company to handle my abuse reports properly. Whether they 
claim to keep my personal data safe or give
it to their customer doesn't really matter, I must assume that they are acting 
in the interests of their abusive
customers and therefore not in my interest. The only sensible action is to 
block their network completely to protect my
users. I'm not trying to talk to such a provider anymore.

In the case of Manitu, I'd probably give them the benefit of the doubt as they 
are actively sponsoring a useful DNSBL
and a spamfighting forum, and I'm not aware of any spammers hosted by them.

When I see that abuse is most likely caused by compromised resources, I tend to 
send abuse reports through spamcop which
should be delivered with enough technical info to analyze the problem but still 
somewhat shield my identity. Of course,
dynamic IPs are a special case, they are blocked without discussion, and 
providers who don't respond to and act on abuse
reports will be blocked, too.

I just don't have enough time to play games with providers. We are doing them a 
favor by notifying them of problems in
their network, we don't request a service. If they don't want to be notified, 
so be it.

Cheers,
Hans-Martin




Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Hans-Martin Mosner
Am 18.02.21 um 15:02 schrieb Michele Neylon - Blacknight via anti-abuse-wg:
> I know quite a few companies now use specific forms for handling reports of 
> different types of reports and have moved
> away from email almost entirely, which makes a lot of sense.
At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In
the cases I've seen, those forms are hard to find, are a burden to fill out, 
require me to add information that is
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail
header). Not getting a response only adds to the feeling that I've wasted my 
time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to
informative and verifiable abuse reports with timely and appropriate replies 
and, above all, actions.

Cheers,
Hans-Martin



Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

2020-11-30 Thread Hans-Martin Mosner

Am 30.11.2020 09:15, schrieb Eileen Morris-Ross via anti-abuse-wg:

> What the hell is all that crap about

As far as I understand (I'm not a routing expert at all) it's about 
network abuse by hijacking ip ranges without having actual ownership for 
the given network blocks.
An AS registered with RIPE is involved, as such the mail is on topic for 
the anti-abuse working group at RIPE, IMHO.

> If you don't know why you're receiving this mail you should probably ask 
> yourself why you've subscribed to this mailing list.

If the majority of list members disagree with MHO I should ask myself 
why I am subscribed to this list :-)


Cheers,
Hans-Martin



Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-04-30 Thread Hans-Martin Mosner
Am 30.04.20 um 02:58 schrieb Suresh Ramasubramanian:
>
> However, being in a fiduciary role - with IPv4 being traded like currency 
> these days the description fits - RIPE NCC
> can’t not get involved.
>
...
> NCC owes it to the rest of its membership and the internet community at large 
> to take a more active role in this matter.
>
This.

And as long as RIPE and/or NCC explicitly does not want to take action when 
RIPE members don't handle abuse from their
networks properly, the whole issue of validating abuse mailbox addresses is 
moot. After all discussion, the toothless
compromise will be that there should be an abuse mailbox, and FWIW it can be 
handled by Dave Null because nobody will
exert pressure on the resource holder to do anything else.

Our problem on the receiving side of network abuse is not with the few 
good-willing but technically challenged providers
whose abuse mailbox isn't working properly but with those large operators who 
don't give a flying f about their
customer's network abuse.

Personally, I consider the anti-abuse WG a failure at this point. When I joined 
I had hoped to see and possibly support
constructive work towards a reduction in network abuse, but apparently there 
are big players in this game who are not
interested in such a reduction as it would undermine their "business".

Cheers,
Hans-Martin



Re: [anti-abuse-wg] Invitation to participate in a survey on internet standards deployment

2020-03-20 Thread Hans-Martin Mosner
Am 09.03.20 um 11:56 schrieb Wout de Natris:
>
> Dear colleagues,
>
> Following my request to participate in a survey last year, please find 
> attached to this email the report Setting the
> Standard. It finalises an Internet Governance Forum pilot project concerning 
> the slow deployment of internet
> standards, standards that, if deployed, would make the internet and all its 
> users a safer place immediately.
>
>
That's a long and really interesting read, thanks for sharing!

As a private user / SME part-time admin I'm probably not really part of the 
primary target group, but especially the
conclusion and recommendation sections give a lot of thought for improving our 
own setup.


Reaching out to the managers instead of only the technical folks to improve 
general security awareness is certainly the
right direction, but my hopes for measurable improvements are low. Influencing 
in these areas mostly works top-down,
with the possible exception of publications read and respected by the decision 
makers. Perhaps these magazines could be
utilized to heighten awareness by publishing manager-level articles that don't 
just boil down to product recommendations
but action plans for their IT departments?


Cheers,

Hans-Martin



[anti-abuse-wg] AS24961 myLoc managed IT AG, uadns.com, ledl.net, and non-disclosing registries

2020-02-18 Thread Hans-Martin Mosner
AS24961 (RIPE NCC member myLoc managed IT AG) continues to host one persistent 
spam sender year after year. I have
complained to them a number of times, with no noticeable effect.

The sender is recognizable by characteristics of their domain names and local 
parts, and most importantly by their DNS
service, which is always uadns.com. Would be easy to deny them service if myLoc 
wanted to.

Domain registrations are most often done via Ledl.net GmbH (RIPE NCC member).

Registries DENIC eG (RIPE NCC member), EURid vzw (RIPE NCC member), nic.at GmbH 
(RIPE NCC member) willingly accept
registrations that have most likely fake data (which I can't check because 
these data are conveniently not disclosed,
although they very likely describe a commercial entity and not existing private 
persons and are therefore not subject to
GDPR protections.)

Excuse me while I vomit a little.

I know that this working group is not responsible for handling individual cases 
of abuse, so my intention is not to get
a solution (which I already did via nullrouting that AS) but to understand how 
persistent abuse-enabling entities can
act unhindered without any clear escalation path. Effectively extracting the 
last rotten tooth "ICANN Whois Inaccuracy
Complaint" by hiding all registration data so that an inaccuracy check is made 
impossible didn't help much...

Cheers,
Hans-Martin





Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread Hans-Martin Mosner
Am 14.01.20 um 13:10 schrieb Ronald F. Guilmette:
> [...]
> So, my solution is just don't.  Let the whole planet vote on whether
> they think this provider or that provider are ***heads, and let the
> chips fall where they may.
>
> I'm not saying that even this idea would necessarily be piece-of-cake easy.
> The first problem would be working out a way to prevent the system from
> being gamed by bad actors for malicious purposes, or for positive "PR"
> purposes.  (Don't get me started about the fake positive reviews over on
> TripAdvisor.)  But I am not persuaded that these are in any sense
> insoluble problems.
>
>
> Regards,
> rfg
>
While this would probably paint a pretty solid picture of which network 
operators can be trusted and which can't,
there's another point besides your valid concern about abusers gaming the 
system: Whoever publishes the results of such
user ratings would most likely expose themselves to litigious lawsuits, which 
neither you nor I nor RIPE NCC really
wants to do.

Remember that some DNSBLs had a hard time due to this, some preferred to stay 
anonymous for that very reason. An
"abuser-friendliness" rating system targeting network operators who may be 
"RIPE NCC members in good standing" would
probably not live long, even if it published just clear facts ("this network 
operator does not want to receive and
handle abuse reports") because these facts might be used to block access from 
these networks and hurt their business.

I've been running mail systems since when "postmas...@domain.tld" was still the 
first point of contact you would go to
when something bad emanated from a mailserver. Then spammers operated their own 
domains, and you would need to address
abuse@ for the IP range. Then network operators decided to look the other way 
when their well-paying customers spammed,
and reporting to abuse mailbox addresses became hopeless. I just don't do that 
anymore. IP-level blocking of whole
network address ranges works for me. If network operators don't want to get 
blocked, they need to clean up their act,
with or without abuse mailbox.

Cheers,
Hans-Martin