<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><br><br><div id="AppleMailSignature" dir="ltr">Envoyé de mon iPhone par René Briaut </div><div dir="ltr"><br>Le 17 janv. 2020 à 07:48, Fi Shing <<a href="mailto:phishing@storey.xxx">phishing@storey.xxx</a>> a écrit :<br><br></div><div dir="ltr"><div> </div>
<div>Your email presumes that an "ombudsman" model would resolve an issue.</div>
<div> </div>
<div>If a person has dedicated themselves to controlling a 200,000 strong botnet and sending spam emails through unauthorised access etc. what is sending them a fancy piece of paper or an email "asking them to be nice" going to do?</div>
<div> </div>
<div>For example, there are 3 types of phishing websites:</div>
<div> </div>
<div>1) Outright false domain name,</div>
<div>2) hacked server, using legitimate domain name,</div>
<div>3) free website sign-up</div>
<div> </div>
<div>Which of these would it be appropriate to ask the criminal to behave through a letter or email?</div>
<div> </div>
<div>In reality, none of them, because the phisher has hacked the server, dumped the phishing website template and left, never to return.</div>
<div> </div>
<div>The service needs to be suspended, as the server owner cannot expect:</div>
<div> </div>
<div>1) a customer to know how to fix the security vulnerability,</div>
<div>2) the customer to log in to their email within the next day, week or even month, it might take them years to log in.</div>
<div>3) the criminal not to control the customers email also etc.</div>
<div> </div>
<div> </div>
<div>Often when reporting phishing websites, the response from ISP is "I have notified the customer to investigate."</div>
<div> </div>
<div>The question then is, in which instance would it be appropriate to ask nicely of a customer? I can't think of any examples.</div>
<div> </div>
<div>You are like the United Nations... "North Korea, you are killing 2 million people in concentration camps, so we are asking nicely and going to send you a piece of paper expressing how bad it is."</div>
<div> </div>
<div>I'm sure North Korea really cares!</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<blockquote class="threadBlockQuote" style="border-left: 2px solid #C2C2C2; padding-left: 3px; margin-left: 4px;">--------- Original Message ---------
<div>Subject: Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")<br>From: "Volker Greimann" <<a href="mailto:vgreimann@key-systems.net">vgreimann@key-systems.net</a>><br>Date: 1/17/20 2:03 am<br>To: "<a href="mailto:anti-abuse-wg@ripe.net">anti-abuse-wg@ripe.net</a>" <<a href="mailto:anti-abuse-wg@ripe.net">anti-abuse-wg@ripe.net</a>><br><br>
<p>Hi Jordi, </p>
<p>your example seems a bit off though. If your contract is with your ISP and you need to complain to them, why would you complain to another ISP you have no contract with?</p>
<p>I agree that current GDPR implementations may impact the contactibility of the customer, but that can be improved in GDPR-compliant manners that do not require playing chinese whispers down the chain. </p>
<p>Not objecting to your 3. but you need to consider it may not be the contractual partner acting against the contract. They may be a victim as well, and therefore enforcing any actions against them may be unproductive. Would you shut down <a href="http://Google.com">Google.com</a> because of one link to a site violating third party rights?</p>
<p>Best,</p>
<p>Volker</p>
<div class="moz-cite-prefix">Am 16.01.2020 um 15:52 schrieb JORDI PALET MARTINEZ via anti-abuse-wg:</div>
<blockquote cite="mid:195C1081-2709-432D-993F-A95159C9BEA7@consulintel.es">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US">Hi Volker,</span></p>
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US">I don’t agree with that, because:</span></p>
<ol style="margin-top: 0cm;" type="1" start="1">
<li class="MsoListParagraph" style="margin-left: 0cm; mso-list: l0 level1 lfo1;"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US">I believe the electricity sample I provided proves otherwise. My contract is with the electricity provider (the Internet provider), so I need to complain to them and they need to follow the chain.</span></li>
<li class="MsoListParagraph" style="margin-left: 0cm; mso-list: l0 level1 lfo1;"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US">For a victim, to complain directly to the customer (not the operator), will need to know the data of the “abuser” which may be protected by GDPR.</span></li>
<li class="MsoListParagraph" style="margin-left: 0cm; mso-list: l0 level1 lfo1;"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US">Customers sign a contract with the operator. The contract must have clear conditions (AUP) about the appropriate use of the network. If you act against that contract, the problem is with the operator, not victims.</span></li>
</ol>
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US"> </span></p>
<div>
<p class="MsoNormal"><span style="font-size: 12.0pt; color: black;" lang="EN-US">By the way, if an operator has a badly designed AUP, either they are doing a bad job, or they have *<strong>no interest</strong>* in acting against abuses.</span></p>
<p class="MsoNormal"><span style="font-size: 12.0pt; color: black;" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size: 12.0pt; color: black;" lang="EN-US">Regards,</span></p>
<p class="MsoNormal" style="margin-bottom: 12.0pt;"><span style="font-size: 12.0pt; color: black; mso-fareast-language: EN-US;" lang="EN-US">Jordi</span></p>
<p class="MsoNormal" style="margin-bottom: 12.0pt;"><span style="font-size: 12.0pt; color: black; mso-fareast-language: EN-US;" lang="EN-US">@jordipalet</span></p>
<p class="MsoNormal" style="margin-bottom: 12.0pt;"><span style="font-size: 12.0pt; color: black; mso-fareast-language: EN-US;" lang="EN-US"> </span></p>
</div>
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size: 12.0pt; mso-fareast-language: EN-US;" lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal" style="margin-left: 35.4pt;">El 16/1/20 15:44, "anti-abuse-wg en nombre de Volker Greimann" <<a href="mailto:anti-abuse-wg-bounces@ripe.net">anti-abuse-wg-bounces@ripe.net</a> en nombre de <a href="mailto:vgreimann@key-systems.net">vgreimann@key-systems.net</a>> escribió:</p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left: 35.4pt;"> </p>
</div>
<p style="margin-left: 35.4pt;">Obviously every user should lock their doors / protect themselves against fraud. I am just saying that the ability of many service providers to curtail abuse of their system (without impacting legitimate uses) is very limited as it may not their customers doing the abusing and any targeted action against those customers themselvesd would be inappropriate and affect many legitimate users of their services.</p>
<p style="margin-left: 35.4pt;">At what point should a network service provider remove privileges from a customer that is himself being abused but is technically unable to deal with it properly? Would the complaint not be better directed at that customer, not the provider, since they are the ones that can resolve this issue in a more targetted and appropriate manner? How does the service provider differentiate between a customer that is abusing vs one that is being abused? Deputising the service providers will not necessarily solve the problems, and possibly create many new ones.</p>
<p style="margin-left: 35.4pt;">In the domain industry, we were required to provide an abuse contact, however the reports we get to that address usually deal with issues we cannot do much about other than pulling or deactivating the domain name, which is usually the nuclear option. So we spend our time forwarding abuse mails to our customers that the complainant should have sent to the customer directly.</p>
<p style="margin-left: 35.4pt;">Best,</p>
<p style="margin-left: 35.4pt;">volker</p>
<p style="margin-left: 35.4pt;"> </p>
<div>
<p class="MsoNormal" style="margin-left: 35.4pt;">Am 16.01.2020 um 15:16 schrieb Serge Droz via anti-abuse-wg:</p>
</div>
<blockquote style="margin-top: 5.0pt; margin-bottom: 5.0pt;">
<pre style="margin-left: 35.4pt;">Hi Volker</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">On 16/01/2020 15:03, Volker Greimann wrote:</pre>
<blockquote style="margin-top: 5.0pt; margin-bottom: 5.0pt;">
<pre style="margin-left: 35.4pt;">isn't making the world (and the internet) first and foremost a job of</pre>
<pre style="margin-left: 35.4pt;">law enforcement agencies like the police and Europol?</pre>
</blockquote>
<pre style="margin-left: 35.4pt;">Law enforcement's job primarily is arresting criminals. And yes they do</pre>
<pre style="margin-left: 35.4pt;">prevention. But you can't stop locking your door or walk by fight just</pre>
<pre style="margin-left: 35.4pt;">ignoring it, because it's LEA's job.</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">This is even more true on the internet, where CERT's have long been</pre>
<pre style="margin-left: 35.4pt;">working together fighting cybercrime etc.</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">While there obviously is an appeal to the notion of "The best problems</pre>
<pre style="margin-left: 35.4pt;">are some one else's problem" my believe is we don't want to have an</pre>
<pre style="margin-left: 35.4pt;">internet or a world, for that matter, where this is how things run. The</pre>
<pre style="margin-left: 35.4pt;">internet is a bottom up thing, it is so cool because people follow</pre>
<pre style="margin-left: 35.4pt;">protocols, that are not law.</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">There was a time whn this wasn't a given: During the "Browser wars"</pre>
<pre style="margin-left: 35.4pt;">different producer leveraged ambiguities in the HTML standard, and the</pre>
<pre style="margin-left: 35.4pt;">end result was horrible.</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">We don't want this. If we delegate the problem, we've already lost.</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;">Best</pre>
<pre style="margin-left: 35.4pt;">Serge</pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;"> </pre>
<pre style="margin-left: 35.4pt;"> </pre>
</blockquote>
<div>
<p class="MsoNormal" style="margin-left: 35.4pt;">-- <br> Volker A. Greimann<br> General Counsel and Policy Manager<br> <strong><span style="font-family: 'Calibri',sans-serif;">KEY-SYSTEMS GMBH</span></strong><br> <br> T: +49 6894 9396901<br> M: +49 6894 9396851<br> F: +49 6894 9396851<br> W: <a href="http://www.key-systems.net">www.key-systems.net</a><br> <br> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835<br> CEO: Alexander Siffrin<br> <br> Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.</p>
</div>
</div>
<br> **********************************************<br> IPv4 is over<br> Are you ready for the new Internet ?<br> <a class="moz-txt-link-freetext" href="http://www.theipv6company.com">http://www.theipv6company.com</a><br> The IPv6 Company<br> <br> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br> </blockquote>
<div class="moz-signature">-- <br> Volker A. Greimann<br> General Counsel and Policy Manager<br> <strong style="border-bottom: 3px solid #5C46B5;">KEY-SYSTEMS GMBH</strong><br> <br> T: +49 6894 9396901<br> M: +49 6894 9396851<br> F: +49 6894 9396851<br> W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br> <br> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835<br> CEO: Alexander Siffrin<br> <br> Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.</div>
</div>
</blockquote>
</div></body></html>