[anti-abuse-wg] What todo when a registrar doe snot respond to babuse form an IP

> On 23 Jun 2022, at 08:00, Hans-Martin Mosner via anti-abuse-wg <anti-abuse-wg at ripe.net> wrote:

[..]
> What you *can* do is protect yourself and don't rely on other's assistance. Block IP space if you experience abuse from there.

This.

Use block lists like https://www.spamhaus.org/xbl/ to make your life a bit easier; but, do not outright block, use them ala Spamassassin as one of many inputs to rank if an IP is likely to be good or bad.

For Tor, there is https://check.torproject.org/api/bulk ; though in the end Tor is just noise; compromised hosts are a bigger issue.
For Internet, there is a very harsh: https://www.spamhaus.org/drop/ (you might also accidentally possibly block good people using those ISPs)


Whatever list you use, be it those from Spamhaus or other providers, do verify what you block and maybe whitelist what you never want to block.
Making a baseline of "normal clients" can also be useful: eg, no sense in processing packets from a IP in Antartica when you normally do not get traffic from there. Your Network, Your Policy... but also your pain when a user gets accidentally blocked...




Whois info is mostly useless, as fake data is there.

Hence, having "this is anonymous user" info in Whois is futile, just let those orgs opt out of providing data altogether.

As then, we have mostly left information from entities that do want to be contacted and likely want to re-act to problems.

Which means that whois becomes a bit more useful, as there is a much higher chance that one can reach somebody who will act.


And also, one could then easily build a nice list of ISPs that do not provide contactable & re-active abuse departments, and rank those as 'likely useless, maybe hostile, possibly criminal' and when shit hits the fan (DDoS, or other abuse) through those in the bit bucket.

A multi-class Internet will exist (currently already with ASNs that are being blacklisted due to abuse or heck darknets), but will also exist in the long run.

A "Clean We-know the other party" Internet is coming... sooner or later (and will likely be very very commercial). And that will involve that people properly deal with abuse. But to get there we need automation and contactability and accountability.... and from a freedom perspective and that one sometimes want to be anonymous, that is not going to happen easily; neither getting rid of junk data in Whois... (too many parties who have an interest of doing abuse unfortunately, some because it supports their business case of providing the protection services that are now needed...)

Internet... a fun beast -- I would love the Internet to be a bit more open, but unfortunately bad parties and commercialisation does not allow that.

Fortunately there are movements like Tor, Freifunk and https://DN42.dev that provide alternative Internet methods. All of them run into similar scaling problems and... who pays for it though. (Internet should just have been a commodity provided freely by states, but alas... too late)

Greets,
 Jeroen