[anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)

Manitu.net is a german hosting provider operating AS34240 currently announcing
2.59.84.0/22, 85.116.192.0/19, 89.238.64.0/18, 217.11.48.0/20 and 2a00:1828::/32.

I was quite disconcerted to read this notice in their whois record in the RIPE NCC db
(within the nic handle MANI-RIPE ):

remarks:        trouble:+------------------------------------------------+
remarks:        trouble:| In case of abuse, e.g. spam, scans, probes,    |
remarks:        trouble:| hack attacks, violation or any other illegal   |
remarks:        trouble:| activity, please contact                       |
remarks:        trouble:|                                                |
remarks:        trouble:|              abuse at manitu.net                  |
remarks:        trouble:|                                                |
remarks:        trouble:| IMPORTANT:Your message will probably sent to   |
remarks:        trouble:| the customer concerned by an automatic system. |
remarks:        trouble:| All of your data, esp. your name, your e-mail  |
remarks:        trouble:| address and the content of your message, will  |
remarks:        trouble:| be visible to the customer. If you do not      |
remarks:        trouble:| agree with this do not use the e-mail address  |
remarks:        trouble:| shown above.                                   |
remarks:        trouble:|                                                |
remarks:        trouble:| Complaints sent to any other contacts cannot   |
remarks:        trouble:| be handled in realtime and are therefore not   |
remarks:        trouble:| preferred.                                     |
remarks:        trouble:|                                                |
remarks:        trouble:| Please note that this contact is not           |
remarks:        trouble:| responsible for the actions themselves.        |
remarks:        trouble:| So please do not blame us for actions of       |
remarks:        trouble:| third parties.                                 |
remarks:        trouble:+------------------------------------------------+

This is so absurd, I had to read it twice to make sure that I was not misreading it.
They state that they automatically pass all my personal data to abusers if I
send a report to them, so that:

* Abusers can listwash me and avoid getting further reports from me

* Abusers can sell my data to other abusers

* Abusers can start harass me electronically (for instance using
  list bombing, DDOS etc) as a retaliation for disturbing their activity

* Abusers could also harass me or my family in real life for the same reason

In this process:

* My personal data are released automatically to third parties without my
  explicit consent

* Those third parties will presumably remain unknown to me, and the whole
  process is completely opaque: I will never know where my personal data went.

So this is what a reporter would get back in exchange of doing volunteering work to
report incidents to them so that they could run a cleaner network!

This behaviour appears to blatantly violate RIPE-409, section 5
[ https://www.ripe.net/publications/docs/ripe-409#5 ]:

	The ISP MUST ensure that the alleged abuser is NOT informed of the identity
	of those who are reporting the abuse, except with their explicit permission

and I thought that this was given for granted by the whole Internet industry.

This brings a lot of suspicion around Manitu GmbH. Who are they? Why are they
violating the BCP, probably many privacy laws, putting reporters at danger, and
doing such a huge favour to cybercriminals ? What benefit are they getting from
acting in this way?
 
In the meanwhile, I would suggest that no one sends anything to Manitu abuse.
They have two upstreams, AS9063 (VSE NET) and AS42652 (Inexio): probably their
abuse desks should receive all the AS34240 reports, at least until this situation
has been clarified.

furio ercolessi