[anti-abuse-wg] Fwd: Re: botnet controllers

Hi whoever you are,
(typically it's not a good sign, if you need hide behind an anonymous
alias).


I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get you point.

I think it's not feasible that you need to somehow proof you are
legitimate, the same way you should not need to proof you're a honest
citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
 for illicit things, what ever they may be (annoying your neighbors
through excessive noise, running a drug empire, ....)

That's what this group seems to consistently fail to come up with for
various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.

The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.

This is not a technical issue.

Best
Serge



On 25.06.20 09:26, PP wrote:
> Firstly, reporting it to the LEO does not cause the resources to be
> de-registered.
> 
> Secondly, your example regarding IPv6 is another reason why this
> approach is not sufficient: there are
> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
> addresses.
> 
> 
> It should be that the resources are only allocated to legitimate
> established corporations.
> 
> 
> Phone numbers aren't wholly allocated to anyone who asks, they remain
> controlled by a reputable phone company. Why should IP addresses be
> different?
> 
> 
> 
> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>> Dear Phish Phucker,
>>
>> The RIPE NCC is a not-for-profit, membership-based organization based
>> in the Netherlands. They are responsible for allocating Internet
>> number resources (IP addresses and AS numbers) in their region. Their
>> policies are set by RIPE, which is just anyone who joins the RIPE
>> mailing lists and participates in the policy discussions.
>>
>> I'm not sure what policy can be introduced. Historically RIPE
>> participants have been reluctant to make any value judgements about
>> what IP resources can and cannot be used for. Currently as long as you
>> are truthful about your organization's registration information you
>> have fulfilled the requirements.
>>
>> In a sense this should be enough. The information is available for
>> anyone who cares about protecting their users from spam originating
>> there. Spamhaus lists the organization, and I am pretty sure that most
>> e-mail providers either block their IP addresses because of that - or
>> have their own abuse tracking which identifies them. It's not
>> perfect... I had to change VPS provider because my previous VPS
>> provider kept having its IPv6 addresses blocked by Spamhaus and
>> neither my provider nor Spamhaus would explain why (my provider
>> claimed to have never received any complains, and Spamhaus never
>> explains anything). But it seems to be good enough for most people.
>>
>> If an organization is breaking a law, then the correct action is to
>> report them to the law-enforcement organization (LEO) that feels like
>> it is in their jurisdiction. Again, since the member is required by
>> the RIPE NCC to have correct information about the person or
>> organization that has been allocated resources, the LEO can follow-up.
>>
>> It's hardly an ideal situation, but difficult to see how to improve it
>> given the general anti-regulation philosophy of most Internet providers.
>>
>> Cheers,
>>
>> -- 
>> Shane
>>
>> On 25/06/2020 08.03, PP wrote:
>>> So who at RIPE is responsible for allocating this resource, and what
>>> policy can be introduced to prevent the allocation of IP address
>>> resources to irresponsible organizations like this one?
>>>
>>> SpamHaus have it listed as the worlds number one source of spam:
>>>
>>> https://www.spamhaus.org/statistics/networks/
>>>
>>>
>>>
>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:
>>>>
>>>> We've had similar experience with this VPN provider.
>>>>
>>>> He claims not being able to track malicious actor is for the benefit
>>>> of free speech but when malware is used to attack people who express
>>>> free speech he did not understand that his service is not
>>>> contributing towards free speech but hinders it.
>>>>
>>>> Tonu
>>>> CERT-EE
>>>>
>>>> On 25.06.2020 04:15, PP wrote:
>>>>>
>>>>> Botnet controllers on VPN provider that refuses to act:
>>>>>
>>>>>
>>>>>     organisation:    ORG-SL751-RIPE
>>>>>     org-name:        Freedom Of Speech VPN
>>>>>     org-type:        OTHER
>>>>>     address:         P.O. Box 9173
>>>>>     address:         Victoria
>>>>>     address:         Mahe Island
>>>>>     address:         Seychelles
>>>>>     e-mail: info at FOS-VPN.org
>>>>>     abuse-c:         SL12644-RIPE
>>>>>     mnt-ref:         FOS-VPN-MNT
>>>>>     mnt-by:          FOS-VPN-MNT
>>>>>     created:         2018-07-13T05:33:45Z
>>>>>     last-modified:   2020-02-28T12:37:39Z
>>>>>     source:          RIPE
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -------- Forwarded Message --------
>>>>> Subject:     Re: botnet controllers
>>>>> Date:     Wed, 24 Jun 2020 21:49:21 +0200
>>>>> From:     info at ghlc.biz
>>>>> To:     PP <phishphucker at storey.ovh>
>>>>>
>>>>>
>>>>>
>>>>> On 2020-06-24 13:03, PP wrote:
>>>>> Hello!
>>>>>
>>>>>
>>>>> Please note that all mentioned IPs belong to non-logging VPN services.
>>>>>
>>>>> No user logs are kept.
>>>>>
>>>>>
>>>>> Sincerely yours
>>>>>
>>>>> David Craig
>>>>>
>>>>>
>>>>>> SBL488704
>>>>>> 185.140.53.75/32
>>>>>> ghlc.biz
>>>>>> 23-Jun-2020 05:26 GMT
>>>>>> Malware botnet controller @185.140.53.75
>>>>>> https://www.spamhaus.org/sbl/query/SBL488704
>>>>>>
>>>>>>
>>>>>> SBL488686
>>>>>> 91.193.75.58/32
>>>>>> ghlc.biz
>>>>>> 22-Jun-2020 18:39 GMT
>>>>>> NanoCore botnet controller @91.193.75.58
>>>>>> https://www.spamhaus.org/sbl/query/SBL488686
>>>>>>
>>>>>>
>>>>>> SBL488548
>>>>>> 185.244.30.201/32
>>>>>> ghlc.biz
>>>>>> 19-Jun-2020 13:21 GMT
>>>>>> QuasarRAT botnet controller @185.244.30.201
>>>>>> https://www.spamhaus.org/sbl/query/SBL488548
>>>>>>
>>>>>>
>>>>>> SBL488006
>>>>>> 185.140.53.162/32
>>>>>> ghlc.biz
>>>>>> 18-Jun-2020 10:11 GMT
>>>>>> NanoCore botnet controller @185.140.53.162
>>>>>> https://www.spamhaus.org/sbl/query/SBL488006
>>>>>>
>>>>>>
>>>>>> SBL487900
>>>>>> 185.140.53.229/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 13:28 GMT
>>>>>> NanoCore botnet controller @185.140.53.229
>>>>>> https://www.spamhaus.org/sbl/query/SBL487900
>>>>>>
>>>>>>
>>>>>> SBL487899
>>>>>> 185.244.30.113/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 12:59 GMT
>>>>>> RemcosRAT botnet controller @185.244.30.113
>>>>>> https://www.spamhaus.org/sbl/query/SBL487899
>>>>>>
>>>>>>
>>>>>> SBL487893
>>>>>> 185.140.53.236/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 12:07 GMT
>>>>>> NanoCore botnet controller @185.140.53.236
>>>>>> https://www.spamhaus.org/sbl/query/SBL487893
>>>>>>
>>>>>>
>>>>>> SBL487886
>>>>>> 185.165.153.45/32
>>>>>> ghlc.biz
>>>>>> 16-Jun-2020 10:26 GMT
>>>>>> NanoCore botnet controller @185.165.153.45
>>>>>>
>>>>>> https://www.spamhaus.org/sbl/query/SBL487886
>>
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org