This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] anti-abuse-wg Digest, Vol 58, Issue 10
Marilson
marilson.mapa at gmail.com
Wed Aug 10 11:50:31 CEST 2016
This is better than stand-up comic!

From: anti-abuse-wg-request at ripe.net
Sent: Wednesday, August 10, 2016 5:08 AM
To: anti-abuse-wg at ripe.net
Subject: anti-abuse-wg Digest, Vol 58, Issue 10

Send anti-abuse-wg mailing list submissions to
anti-abuse-wg at ripe.net

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.ripe.net/
or, via email, send a message with subject or body 'help' to
anti-abuse-wg-request at ripe.net

You can reach the person managing the list at
anti-abuse-wg-owner at ripe.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of anti-abuse-wg digest..."

Today's Topics:

1. Re: VERIFIED[.]IS was - Russian carding... no, Islandic carding... no Belizian carding! (andre at ox.co.za)
2. Abuse: dnsbl - trust and other factors (andre at ox.co.za)
3. Re: VERIFIED[.]IS (Ronald F. Guilmette)
4. Re: Abuse: dnsbl - trust and other factors (Antonio Prado)
5. Re: Abuse: dnsbl - trust and other factors (andre at ox.co.za)

----------------------------------------------------------------------

Message: 1
Date: Wed, 10 Aug 2016 07:33:02 +0200
From: <andre at ox.co.za>
To: Suresh Ramasubramanian <ops.lists at gmail.com>, <anti-abuse-wg at ripe.net>
Subject: Re: [anti-abuse-wg] VERIFIED[.]IS was - Russian carding... no, Islandic carding... no Belizian carding!
Message-ID: <mailman.1096.1470816511.19326.anti-abuse-wg at ripe.net>
Content-Type: text/plain; charset=UTF-8

On Wed, 10 Aug 2016 10:41:00 +0530
Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> "We"? Unless you actually work for ripe ncc that's a rather large
> amount of overstatement.
> deflecting from the actual issues much?

"We" as in us reading this...

I honestly also appreciate contributions by Ronald F. Guilmette, but if we are going to start reporting crime to this abuse list, we are headed down a slippery slope...

Better: We stick to abuse, abuse policy discussions and report crimes to proper authorities.

Or are we saying that the various law enforcement agencies Russian, Icelandic, Belizian are incompetent?

Actually, what are we talking about?

I can stumble onto hate speech, slavery, child porn, identity thieves, "carders" in the RIPE ip space in the hundreds...

Should we invite and dedicate resources to report all Internet crimes to this abuse list? And then? Will these criminals be prosecuted? Or are we thinking about forming a sub committee to be in charge of public hangings?

Do we have some sort of hearing first or can we just hack some ISP's range, upload any old site and then hang the company or 'nul-route' their traffic?

How about us rather being constructive and actually doing something?

Should there be an abuse policy relating to potential criminal activity, that places a protocol in place for dealing with intel? or not?

That may actually be a productive abuse discussion... Instead of filing individual crime reports on this list...

- which, imho, should be first reported to law enforcement (actually - should only be reported to law enforcement - we have no power, right or no fair way of evaluating content - only abuse - as in the website attacks your infrastructure and/or the website sends you something - and/or does something abusive.

- If someone publishes hate speech, or porn or whatever - it is NOT abuse... it is potentially - crime -

Andre

> On 10/08/16, 10:29 AM, "anti-abuse-wg-bounces at ripe.net on behalf of
> andre at ox.co.za" <anti-abuse-wg-bounces at ripe.net on behalf of
> andre at ox.co.za> wrote:
>
> So, you stumbled across some potential criminal activity, then you
> notified law enforcement and/or Interpol?
>
> Or you think that it is a better solution for RIPE to investigate
> criminal activity and simply to 'nul-route' child pornographers,
> identity thieves and criminal syndicates?
>
> You are saying that you would rather discuss criminal syndicates
> on an anti abuse discussion list?
>
> So, we should investigate crimes now and then disable their
> routing or email or what?
>
> On Tue, 09 Aug 2016 12:53:34 -0700
> "Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:
>
> > I see that there is an interesting and active discussion on
> > this now. Everyone may be sure that I will be posting further
> > comments shortly which clarify my personal position on all the
> > matters discussed so far.
> >
> > In the meantime however, I just realized that I neglected to
> > clarify how I came to find that VERIFIED[.]IS web site in the
> > first place.
> >
> > It may not be at all important, but just so everyone knows, I
> > found that VERIFIED[.]IS indirectly. First, I stumbled onto
> > the following web site, which is clearly selling credit cards
> > *and* also (U.S.) social security numbers (SSNs) and
> > dates-of-birth (DOBs). (You can even pick out which U.S. state
> > you prefer!) These bits of information are often helpful to
> > people intent on committing identity theft:
> >
> > http://www.wellsfargo.lequeshop[.]ru/
> >
> > As you can see, there is an email address on the above page.
> > It is <mixx at exploit.im>. I simply googled that email address
> > and then started to visit the web sites found.
> >
> > One of them was verified[.]is
> >
> > But this criminal carder ... who seems to be Russian... is also
> > active on many other web sites, presumably selling what he has
> > to offer in many different forums.
> >
> >
> > Regards,
> > rfg

------------------------------

Message: 2
Date: Wed, 10 Aug 2016 08:28:53 +0200
From: andre at ox.co.za
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <mailman.1097.1470816511.19326.anti-abuse-wg at ripe.net>
Content-Type: text/plain; charset=UTF-8

Recently, in another thread, Suresh Ramasubramanian said that:

"I trust spamhaus, especially related to their DROP list, which is extremely specific in its listing criteria"

Then, I thought about how many abuse lists and dns blocklists there are and why this is the case, as even I trust (use & report to Spamhaus) but I also run a public / free dnsbl myself

So why is this? - It is all about trust. It is also about policies - but what else is it?

The listing and delisting criteria have to be clear, fair, transparent, etc maybe in terms of http://spamid.net/rfc5782.txt and http://spamid.net/rfc6471.txt

But what else?

Why did I feel the need to devops my own anti spam system after 25 years of dealing with abuse?

For one: I trust myself

And as I have not yet found anything that stops spam, phish, abuse dead in its tracks, and there is, on ALL of the dnsbl's - much politics...

How many ESP's & ISP's operate their mass or bulk spam is to send the spam from an IP where 50% of the email is legit and valuable emails and 50% is spam...

Also, they do not respond to abuse complaints from small organisations or small isp's or "little ants" - They are similar to cockroaches, only on the move when there is a bright light shined on them...

Here is an example, of an IP number/operator - who is blocked nowhere and who has received spam/abuse reports - and has done absolutely nothing about that... - and who hides legit emails - between the spam they relay...

Not saying Mimecast is an evil cockroach, just that the example headers came in a few minutes ago - and match the description of a supposedly "ethical" operator that hides spam in among relaying emails from .gov etc. - this operator is blocked nowhere - as their abuse behavior is to limit the percentage spam transmitted to a ratio (for example maybe 10% spam and 90% legit - or whatever) - to a ratio that would not get them blocked on spamhaus or any of the other dnsbl...

Even my own blocklists cannot block Mimecast - even though they transmit spam/phish/crime/virus/spam. Otherwise I lose clients... - AND Suresh Ramasubramanian and other similar people think that my block lists cannot be trusted...

And this, the fact that : **** senders of abuse are not punished **** is why we have spam abuse in 2016.

Society does not want to stop spam - if they did - there would be no spam in 2016.

- comments?

Andre

***************************************
Spam/Abuse example:

Return-Path: <bounces at thompsons.co.za>
Delivered-To: spamtrap
Received: from web.hostacc.com by web.hostacc.com (Dovecot) with LMTP id WfMLDSLBqlfIaQAAzD9rAQ for <spamtrap>; Wed, 10 Aug 2016 07:52:34 +0200
Received: from za-smtp-delivery-158.mimecast.co.za ([41.74.201.158]:20262) by web.hostacc.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256) (Exim 4.87) (envelope-from <bounces at thompsons.co.za>) id 1bXMRN-00072M-Ly for spamtrap; Wed, 10 Aug 2016 07:52:34 +0200
Received: from ENGAGE01.cullinanholdings.co.za (105.255.128.165 [105.255.128.165]) by za-smtp-1.mimecast.co.za with ESMTP id za-mta-3-amlQSfYROryRH3Zamhv7uw-1; Wed, 10 Aug 2016 07:51:50 +0200
Received: from engage.cullinanholdings.co.za ([172.17.49.40]) by ENGAGE01.cullinanholdings.co.za with Microsoft SMTPSVC(7.5.7601.17514); Wed, 10 Aug 2016 07:51:50 +0200
Message-ID: <87f5d9e3c1226a1227d83bf22427355e at engage.cullinanholdings.co.za>
Date: Wed, 10 Aug 2016 07:51:50 +0200
Subject: Launching Spain at Irresistible prices
From: Thompsons For Travel <travel at thompsons.co.za>
Reply-To: Thompsons For Travel <travel at thompsons.co.za>
To: SpamTrap
MIME-Version: 1.0
X-Campaign: 11507
X-Subscriber: 204641
X-OriginalArrivalTime: 10 Aug 2016 05:51:50.0330 (UTC) FILETIME=[49F179A0:01D1F2CB]
X-MC-Unique: amlQSfYROryRH3Zamhv7uw-1
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Launching Spain at Irresistible prices
View this mailer online | Add Thompsons to your safe senders list
You are receiving this mail as you have subscribed to Thompsons Travel newsletters. We NEVER send out any unsolicited e-mail. Should you wish to leave our mailing list unsubscribe here
Disclaimer
The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
This email has been scanned for viruses and malware, and automatically archived by Mimecast SA (Pty) Ltd, an innovator in Software as a Service (SaaS) for business. Mimecast Unified Email Management™ (UEM) offers email continuity, security, archiving and compliance with all current legislation. To find out more, contact Mimecast.

------------------------------

Message: 3
Date: Tue, 09 Aug 2016 23:34:20 -0700
From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] VERIFIED[.]IS
Message-ID: <32737.1470810860 at server1.tristatelogic.com>

I have a lot of very visible character flaws, but I like to think that at least I'm not reticent when it comes to admitting my own abundant ignorance, or about asking for help to correct that, when appropriate.

I've been asked if, rather than just howling at the moon (which I admit is my usual modus operandi :-) I might not, on this occasion, also or instead like to draft some sort of concrete policy proposal. That is an eminently reasonable suggestion/request under the circumstances. I would like to try to do that, but obviously, I am wading into deep waters here... deep in the sense of there being quite a lot of personal feelings and personal principles... sometimes in agreement... sometimes in conflict... that might relate rather directly to the issues at hand. Agreement on any proposal in this area would likely be elusive, even if the drafter had a deep understanding of RIPE, as an organization, which I admit that I don't. Not yet anyway.

What I'm trying to get at is just this: I think that it would be a waste of everybody's time... not just mine but everybody's... if I was to draft a policy suggestion that is somehow at odds with one or more of the fundamental and/or long-held principles of RIPE, the organization. (As an illustration, here in America it would be kind-of entirely silly for any legislator to propose a bill to lock up anybody who says the word "Nee!" because that would quite obviously be in direct conflict with our founding document, The U.S. Constitution, and more specifically, in conflict with the First Amendment thereto.)

So here is where I must publicly admit my abundant ignorance. Today I tried for a while to seek out the overall "Charter of RIPE"... its "constitution" if you will. I felt that before I draft anything, it would be wise of me to go back to first principles, basic common beliefs, and already-agreed-to fundamentals. I should read, study, and think about these before I draft anything. What are the high level goals and highest aspirations of the organization? I should familiarize myself with these things -- *before* attempting to draft anything.

But for the life of me, google as I might, I was unable to find any document online that purported to be the overall Charter of RIPE. If someone could point me to that, I would much appreciate it. (I have found many documents that describe in great detail various individual policies and procedures, but nothing that, at the highest level, enumerates the intent and purpose of the organization. I cannot bring myself to believe that no such fundamental document exists, so I just have to hope now that some kind soul will point me at it. That would be most helpful.)

Regards,
rfg

------------------------------

Message: 4
Date: Wed, 10 Aug 2016 09:19:21 +0200
From: Antonio Prado <thinkofit at gmail.com>
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <60622fea-65d2-3f7a-7d03-25259c602437 at gmail.com>
Content-Type: text/plain; charset=utf-8

On 8/10/16 8:28 AM, andre at ox.co.za wrote:
> So why is this? - It is all about trust.

well, trust has to be earned.

just two recent examples:

Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1 Service unavailable; Client host [66.220.144.147] blocked using superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist please email del at ascams.com; from=<notification+zj4ooysyaz0y at facebookmail.com> to=<mylegitaddress at mylegitdomain.tld> proto=ESMTP helo=<mx-out.facebook.com>

Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist please email del at ascams.com; from=<alegitaddress at email.wetransfer.com> to=<mylegitaddress at mylegitdomain.tld> proto=ESMTP helo=<o4.email.wetransfer.com>

therefore I'm forced to delete superblock.ascams.com

--
antonio

------------------------------

Message: 5
Date: Wed, 10 Aug 2016 10:08:24 +0200
From: andre at ox.co.za
To: Antonio Prado <thinkofit at gmail.com>
Cc: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] Abuse: dnsbl - trust and other factors
Message-ID: <mailman.1098.1470816511.19326.anti-abuse-wg at ripe.net>
Content-Type: text/plain; charset=US-ASCII

On Wed, 10 Aug 2016 09:19:21 +0200
Antonio Prado <thinkofit at gmail.com> wrote:

> On 8/10/16 8:28 AM, andre at ox.co.za wrote:
> > So why is this? - It is all about trust.
>
> well, trust has to be earned.
>

agreed, trust is reputation.

In the case of a blacklist, it is quite simple though - if it is transparent, like mine superblock.ascams.com each and every listing has been abusive and either is not responding to abuse complaints or is simply ongoing in the abuse...

> just two recent examples:
>

thank you so much! let's deal with that - please see below each of your examples

> Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT
> from 66-220-144-147.outmail.facebook.com[66.220.144.147]: 554 5.7.1
> Service unavailable; Client host [66.220.144.147] blocked using
> superblock.ascams.com; 66.220.144.147 Listed For Abuse. To delist
> please email del at ascams.com;
> from=<notification+zj4ooysyaz0y at facebookmail.com>
> to=<mylegitaddress at mylegitdomain.tld> proto=ESMTP
> helo=<mx-out.facebook.com>
>

Yes! because 66.220.144.147 is BLOCKED for abuse

66.220.144.147 sends email spam, on an ongoing basis, to FAKE people and, even after receiving three or more abuse reports, is still sending the same SPAM to the same fake people.

So, what I am saying:

facebook.com sends spam to example at example.com
Facebook then receives 3+ spam reports/complaints
And then After that Facebook.com STILL sends spam to the same example at example.com

So, Facebook.com (66.220.144.147) is blacklisted for spam abuse.

Thank you, Antonio - for pointing this example out - This is why we cannot stop spam! - the SENDERS or transmitters of spam - are never punished - but we have to field complaints from our USERS when the senders MIX legit email with spam email.

next example below the example

> Aug 9 17:57:23 smtpfe01 postfix/smtpd[15131]: NOQUEUE: reject: RCPT
> from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service
> unavailable; Client host [192.254.123.89] blocked using
> superblock.ascams.com; 192.254.123.89 Listed For Abuse. To delist
> please email del at ascams.com; from=<alegitaddress at email.wetransfer.com>
> to=<mylegitaddress at mylegitdomain.tld> proto=ESMTP
> helo=<o4.email.wetransfer.com>
>

192.254.123.89 - EXACTLY the same as Facebook.com - transmits spam to fake people/spam traps - and does not do anything about spam abuse complaints!

> therefore I'm forced to delete superblock.ascams.com

indeed... - this is why the spam problem persists...

yet, if you were to continue using superblock.ascams.com - you may actually force the senders of spam to CHANGE their abusive and crappy behavior

But we, society, we do not have the BALLS to do that.

Can we at least have the decency to be honest with ourselves? Why lie to ourselves? We do not want to solve the spam abuse problem.

Andre

> --
> antonio
>

End of anti-abuse-wg Digest, Vol 58, Issue 10
*********************************************
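The postfix reject lines Antonio quotes are exactly what an operator has to review before deciding, as he did, to drop a zone: which list is rejecting which senders, and how often. The script below is an added example for this page, not code from the thread or from any DNSBL operator. It parses postfix `reject_rbl_client` style rejects into fields, tallies them per (DNSBL zone, sender domain) so a false-positive pattern like the one above becomes visible in a log, and builds the RFC 5782 lookup name for an address under a zone (reversed octets for IPv4, reversed nibbles for IPv6, which goes beyond the IPv4-only rejects in the thread). The log lines, hostnames, addresses and zone names (`bl.dnsbl-one.test`, `bl.dnsbl-two.test`) are constructed for the example and use documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, patterned on the postfix rejects quoted in
# the thread. Hosts, addresses and DNSBL zones are placeholders, not live data.
SAMPLE_LOG = """\
Aug 10 08:52:16 zimbra-1 postfix/smtpd[27024]: NOQUEUE: reject: RCPT from mail-a.example-social.test[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.dnsbl-one.test; 192.0.2.10 Listed For Abuse. To delist please email delist@dnsbl-one.test; from=<notify+abc@example-social.test> to=<user@receiver.test> proto=ESMTP helo=<mx-out.example-social.test>
Aug 10 09:01:42 zimbra-1 postfix/smtpd[27031]: NOQUEUE: reject: RCPT from o4.email.example-share.test[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.dnsbl-one.test; 198.51.100.7 Listed For Abuse. To delist please email delist@dnsbl-one.test; from=<noreply@email.example-share.test> to=<user@receiver.test> proto=ESMTP helo=<o4.email.example-share.test>
Aug 10 09:05:03 zimbra-1 postfix/smtpd[27031]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 554 5.7.1 Service unavailable; Client host [203.0.113.55] blocked using bl.dnsbl-two.test; https://dnsbl-two.test/query/203.0.113.55; from=<bulk@spammy.test> to=<user@receiver.test> proto=ESMTP helo=<spammy.test>
Aug 10 09:07:19 zimbra-1 postfix/smtpd[27040]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.77]: 550 5.1.1 <nobody@receiver.test>: Recipient address rejected: User unknown in virtual mailbox table; from=<ops@partner.test> to=<nobody@receiver.test> proto=ESMTP helo=<mail.partner.test>
"""

# Shape of a DNSBL reject as postfix logs it: the client host/IP, the fixed
# "554 5.7.1 Service unavailable; Client host [ip] blocked using <zone>;"
# text, the zone's own message, then the envelope fields.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]: 554 5\.7\.1 Service unavailable; "
    r"Client host \[(?:IPv6:)?(?P=ip)\] blocked using (?P<zone>[A-Za-z0-9.-]+);"
    r".*from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def parse_dnsbl_reject(line):
    """Return the fields of a DNSBL-based reject, or None for any other line
    (other reject reasons, accepted mail, unrelated daemons)."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    sender = m.group("sender")
    return {
        "client_host": m.group("host"),
        "client_ip": m.group("ip"),
        "zone": m.group("zone"),
        "sender": sender,
        # Null sender (bounces) has no domain; keep it as an empty string.
        "sender_domain": sender.rsplit("@", 1)[-1].lower() if "@" in sender else "",
        "recipient": m.group("rcpt"),
        "helo": m.group("helo"),
    }


def rejects_by_zone(log_text):
    """Count rejects per (zone, sender domain). Reading this table is how an
    operator sees that one zone is stopping senders their users expect mail
    from, before deciding whether to keep the zone or drop it."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_dnsbl_reject(line)
        if rec:
            counts[(rec["zone"], rec["sender_domain"])] += 1
    return dict(counts)


def dnsbl_query_name(ip, zone):
    """Build the RFC 5782 lookup name for ip under zone: IPv4 octets reversed,
    IPv6 expanded to 32 nibbles and reversed, each as its own label."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


if __name__ == "__main__":
    for (zone, domain), n in sorted(rejects_by_zone(SAMPLE_LOG).items()):
        print(f"{zone:20} {domain:28} {n}")
    # The name a resolver would be asked for when checking the first client.
    print(dnsbl_query_name("192.0.2.10", "bl.dnsbl-one.test"))
```

Feeding a day of `mail.log` through `rejects_by_zone` gives the per-zone, per-sender picture that the two quoted lines only hint at; the query-name helper is what you would use to re-check a listed address directly against the zone (and against its 127.0.0.2 test entry) before writing to the list operator.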