This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Reporting Fraud
Richard Cox
richard.cox at btuser.net
Thu Sep 30 02:07:26 CEST 2010
Peter Koch <pk at DENIC.DE> asked:

> are you suggesting that the "mnt-by:" attribute should be made
> mandatory for person: objects?

No. I am suggesting that where an LIR represents to RIPE NCC that their customer is the party named on a request form, and that party meets the hardware etc. requirement for allocation of RIPE resources, then the name of the LIR that made the representation should be included in the WHOIS output (for INETNUM and ASN objects). This would hopefully deter (the very small number of) LIRs that currently seem to be submitting resource requests that ultimately turn out to have been somewhat exaggerated.

To give some background to this, there are two problem areas - Romania and Russia/Ukraine.

Certain Romanian LIRs have for some time now been processing IP block requests from "customers" that turn out to not even be in the RIPE service region, and whose sole reason for requesting a block anywhere from a /22 to a /19 turns out to be one or two servers that want to be able to rapidly rotate their IP address(es) through such a large block in order that their activities (mostly spam) should go undetected. While RIPE does not have any policies that preclude the allocation of our scarce IPv4 resources for spammers, RIPE does have firm policies about the amount of hardware needed to justify allocation of IP blocks - policies which are being repeatedly ignored by said LIRs.

In Russia/Ukraine we have a different problem: LIRs are requesting ASNs and IP space on behalf of criminal customers, whose sole objective in being allocated a /22 or similar is to mount one or two servers to be used as botnet Command and Controls, and as malware download sources - particularly by the gang currently running the Zeus trojans.

Their method seems to be that by interposing one (but more commonly two) uncontactable ISPs between the server causing harm, and the rest of the internet, complaints will be sent first to the actual ISP, and later when those fail (because the ISPs don't really exist), to the upstream. It will take quite some time for complaints to be escalated as far as the third level. And in the case we documented earlier this morning, where the BGP Path points to ISPs that are _not_ carrying the criminal traffic, there will be even more confusion.

--
Richard Cox