From lou@lougogan.com Fri Nov 4 19:44:39 2011
From: Lou Gogan
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 18:37:48 +0000
Message-ID: <201111041837.48349.lou@lougogan.com>

Hi

I hope I am not out of place here, but this is my experience today and the
problem I find I have because of the broken contacts information via the whois.

This morning I received a fraudulent spam claiming to be from the Bank of
Ireland with an attached form to be filled in. I was going to delete it as
usual but decided that these types of email fraud need to be reported in order
to protect others.

I checked out the form and found the form contact link:
MBNA Online

$ host masserialojazzo.it
masserialojazzo.it has address 46.252.206.1
;; connection timed out; no servers could be reached
masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.

And then I whoised

$ whois 46.252.206.1
inetnum:        46.252.200.0 - 46.252.207.255
netname:        GDNL-46-252-200-0-TO-207-255
descr:          Customer
country:        NL
admin-c:        WR1096-RIPE
tech-c:         WR1096-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-GDG-NL
source:         RIPE # Filtered

person:         Will Regg
address:        H.J.E. Wenckebachweg 127
                1096 AM Amsterdam
phone:          +14805058877
nic-hdl:        WR1096-RIPE
source:         RIPE # Filtered

As you may notice, there is no suitable email contact at all. (Writing a letter
and posting it off didn't seem a useful option!)

This was an email fraud. I, as a reasonable individual trying to do my civic duty
and possibly prevent someone with less 'cop on' from being scammed, was utterly
wasting my time trying to do anything. There was no abuse contact.

If RIPE and ICANN and others want to do anything at all regarding spam, and
scams and net abuse etc one of the first actions should be to ensure there are
correct contacts for every ISP so at least scams and illegal activity can be
reported.

I would also suggest that a default abuse address be insisted upon eg
abuse@wherever.doh as I have found many a frustrating experience emailing a
named administrator who has left the company and whose email is dead.

Perhaps someone was scammed by this same email today. A quick report and
possibly a quick shutdown of that link may have achieved something positive.

I also have a web site which is attacked on a regular basis and I try and make a
point of reporting them all. In some cases with very positive results eg a
compromised server found etc. I consider that trying to close these people down
is the only way to prevent things getting totally out of hand. The problem is
that approximately 1 in 4 abuse email addresses are incorrect and the email is
returned undelivered.

These are my frustrating experiences.

As I said, I hope I am not out of place here, pointing this out.

Regards

Lou Gogan

Saula, Achill, Co Mayo, Ireland.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LINUX - bringing joy and creativity to computing.
Registered Linux user number 478188

www.lougogan.com

From michele@blacknight.ie Fri Nov 4 20:04:20 2011
From: "Michele Neylon :: Blacknight"
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 19:04:17 +0000
In-Reply-To: <201111041837.48349.lou@lougogan.com>

On 4 Nov 2011, at 19:37, Lou Gogan wrote:

> Hi
>
> I hope I am not out of place here, but this is my experience today and the
> problem I find I have because of the broken contacts information via the whois.
>
> This morning I received a fraudulent spam claiming to be from the Bank of
> Ireland with an attached form to be filled in. I was going to delete it as
> usual but decided that these types of email fraud need to be reported in order
> to protect others.

In the case of a phish you should report it to the bank.

>
> I checked out the form and found the form contact link:
> MBNA Online
>
> $ host masserialojazzo.it
> masserialojazzo.it has address 46.252.206.1
> ;; connection timed out; no servers could be reached
> masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
> masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.
>
> And then I whoised
>
> $ whois 46.252.206.1
> inetnum:        46.252.200.0 - 46.252.207.255
> netname:        GDNL-46-252-200-0-TO-207-255
> descr:          Customer
> country:        NL
> admin-c:        WR1096-RIPE
> tech-c:         WR1096-RIPE
> status:         ASSIGNED PA
> mnt-by:         MNT-GDG-NL
> source:         RIPE # Filtered
>
> person:         Will Regg
> address:        H.J.E. Wenckebachweg 127
>                 1096 AM Amsterdam
> phone:          +14805058877
> nic-hdl:        WR1096-RIPE
> source:         RIPE # Filtered
>
> As you may notice, there is no suitable email contact at all.
> (Writing a letter
> and posting it off didn't seem a useful option!)
>
> This was an email fraud. I, as a reasonable individual trying to do my civic duty
> and possibly prevent someone with less 'cop on' from being scammed, was utterly
> wasting my time trying to do anything. There was no abuse contact.

Did the email actually come from that IP or from another one?

>
> If RIPE and ICANN and others want to do anything at all regarding spam, and
> scams and net abuse etc one of the first actions should be to ensure there are
> correct contacts for every ISP so at least scams and illegal activity can be
> reported.

There has been lengthy discussion on this subject on this mailing list and elsewhere

>
> I would also suggest that a default abuse address be insisted upon eg
> abuse@wherever.doh as I have found many a frustrating experience emailing a
> named administrator who has left the company and whose email is dead.
>
> Perhaps someone was scammed by this same email today. A quick report and
> possibly a quick shutdown of that link may have achieved something positive.
>
> I also have a web site which is attacked on a regular basis and I try and make a
> point of reporting them all. In some cases with very positive results eg a
> compromised server found etc. I consider that trying to close these people down
> is the only way to prevent things getting totally out of hand. The problem is
> that approximately 1 in 4 abuse email addresses are incorrect and the email is
> returned undelivered.
>
> These are my frustrating experiences.
>
> As I said, I hope I am not out of place here, pointing this out.
>
> Regards
>
> Lou Gogan
>
> Saula, Achill, Co Mayo, Ireland.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LINUX - bringing joy and creativity to computing.
> Registered Linux user number 478188
>
> www.lougogan.com
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From tk@abusix.com Fri Nov 4 20:36:27 2011
From: Tobias Knecht
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 20:29:14 +0100
Message-ID: <4EB43D0A.9020500@abusix.com>
In-Reply-To: <201111041837.48349.lou@lougogan.com>

Hi Lou,

there is already a Task Force in place trying to solve the fact of
missing abuse contact information.

http://www.ripe.net/ripe/groups/tf/abuse-contact

We will publish a policy proposal soon. Feel free to support the
proposal here on the list as soon as we will post it.

Thanks,

Tobias

On 04.11.11 19:37, Lou Gogan wrote:
> Hi
>
> I hope I am not out of place here, but this is my experience today and the
> problem I find I have because of the broken contacts information via the whois.
>
> This morning I received a fraudulent spam claiming to be from the Bank of
> Ireland with an attached form to be filled in. I was going to delete it as
> usual but decided that these types of email fraud need to be reported in order
> to protect others.
>
> I checked out the form and found the form contact link:
> MBNA Online
>
> $ host masserialojazzo.it
> masserialojazzo.it has address 46.252.206.1
> ;; connection timed out; no servers could be reached
> masserialojazzo.it mail is handled by 10 mailstore1.europe.secureserver.net.
> masserialojazzo.it mail is handled by 0 smtp.europe.secureserver.net.
>
> And then I whoised
>
> $ whois 46.252.206.1
> inetnum:        46.252.200.0 - 46.252.207.255
> netname:        GDNL-46-252-200-0-TO-207-255
> descr:          Customer
> country:        NL
> admin-c:        WR1096-RIPE
> tech-c:         WR1096-RIPE
> status:         ASSIGNED PA
> mnt-by:         MNT-GDG-NL
> source:         RIPE # Filtered
>
> person:         Will Regg
> address:        H.J.E. Wenckebachweg 127
>                 1096 AM Amsterdam
> phone:          +14805058877
> nic-hdl:        WR1096-RIPE
> source:         RIPE # Filtered
>
> As you may notice, there is no suitable email contact at all. (Writing a letter
> and posting it off didn't seem a useful option!)
>
> This was an email fraud. I, as a reasonable individual trying to do my civic duty
> and possibly prevent someone with less 'cop on' from being scammed, was utterly
> wasting my time trying to do anything. There was no abuse contact.
>
> If RIPE and ICANN and others want to do anything at all regarding spam, and
> scams and net abuse etc one of the first actions should be to ensure there are
> correct contacts for every ISP so at least scams and illegal activity can be
> reported.
>
> I would also suggest that a default abuse address be insisted upon eg
> abuse@wherever.doh as I have found many a frustrating experience emailing a
> named administrator who has left the company and whose email is dead.
>
> Perhaps someone was scammed by this same email today. A quick report and
> possibly a quick shutdown of that link may have achieved something positive.
>
> I also have a web site which is attacked on a regular basis and I try and make a
> point of reporting them all.
> In some cases with very positive results eg a
> compromised server found etc. I consider that trying to close these people down
> is the only way to prevent things getting totally out of hand. The problem is
> that approximately 1 in 4 abuse email addresses are incorrect and the email is
> returned undelivered.
>
> These are my frustrating experiences.
>
> As I said, I hope I am not out of place here, pointing this out.
>
> Regards
>
> Lou Gogan
>
> Saula, Achill, Co Mayo, Ireland.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LINUX - bringing joy and creativity to computing.
> Registered Linux user number 478188
>
> www.lougogan.com
>

From lou@lougogan.com Fri Nov 4 22:02:55 2011
From: Lou Gogan
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 21:02:45 +0000
Message-ID: <201111042102.45448.lou@lougogan.com>
In-Reply-To: <4EB43D0A.9020500@abusix.com>

On Friday 04 November 2011 19:29:14 Tobias Knecht wrote:
> Hi Lou,
>
> there is already a Task Force in place trying to solve the fact of
> missing abuse contact
> information.
>
> http://www.ripe.net/ripe/groups/tf/abuse-contact
>
> We will publish a policy proposal soon. Feel free to support the
> proposal here on the list as soon as we will post it.
>
> Thanks,
>
> Tobias
>

Hi Tobias

I'll watch out for it.

Danke

Lou

> >
> > Regards
> >
> > Lou Gogan
> >
> > Saula, Achill, Co Mayo, Ireland.
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > LINUX - bringing joy and creativity to computing.
> > Registered Linux user number 478188
> >
> > www.lougogan.com
> >

From lou@lougogan.com Fri Nov 4 22:08:14 2011
From: Lou Gogan
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 21:07:57 +0000
Message-ID: <201111042107.57549.lou@lougogan.com>

Hi Michele

On Friday 04 November 2011 19:04:17 you wrote:
>
> On 4 Nov 2011, at 19:37, Lou Gogan wrote:
>
> > Hi
> > I hope I am not out of place here, but this is my experience today and the
> > problem I find I have because of the broken contacts information via the whois.
> >
> > This morning I received a fraudulent spam claiming to be from the Bank of
> > Ireland with an attached form to be filled in. I was going to delete it as
> > usual but decided that these types of email fraud need to be reported in order
> > to protect others.
>
> In the case of a phish you should report it to the bank.

Didn't think of that. Doh!
Though I still think a direct contact with the IP would close down that
fraudulent link immediately.

> >
> > I checked out the form and found the form contact link:
> > MBNA Online
> >
> > $ host masserialojazzo.it
> > masserialojazzo.it has address 46.252.206.1
> >
> > And then I whoised
> >
> > $ whois 46.252.206.1

~~~ snip ~~~

> > As you may notice, there is no suitable email contact at all. (Writing a
> > letter and posting it off didn't seem a useful option!)
> >
> > This was an email fraud. I, as a reasonable individual trying to do my civic duty
> > and possibly prevent someone with less 'cop on' from being scammed, was utterly
> > wasting my time trying to do anything. There was no abuse contact.
>
> Did the email actually come from that IP or from another one?

According to spamcop: virginmedia.com - I sent virginmedia.com an email report

> > If RIPE and ICANN and others want to do anything at all regarding spam, and
> > scams and net abuse etc one of the first actions should be to ensure there are
> > correct contacts for every ISP so at least scams and illegal activity can be
> > reported.
>
> There has been lengthy discussion on this subject on this mailing list and elsewhere
>
> > I would also suggest that a default abuse address be insisted upon eg
> > abuse@wherever.doh as I have found many a frustrating experience emailing a
> > named administrator who has left the company and whose email is dead.
> >
> > Perhaps someone was scammed by this same email today. A quick report and
> > possibly a quick shutdown of that link may have achieved something positive.
> >

~~~ snip ~~~

Regards

Lou Gogan

Saula, Achill, Co Mayo, Ireland.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LINUX - bringing joy and creativity to computing.
Registered Linux user number 478188

www.lougogan.com

> Mr Michele Neylon

~~~snip ~~~

> http://www.blacknight.com/
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845
>
>

From leo.vegoda@icann.org Fri Nov 4 23:38:26 2011
From: Leo Vegoda
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Fri, 04 Nov 2011 15:28:10 -0700
Message-ID: <41F6C547EA49EC46B4EE1EB2BC2F341849F82D47C4@EXVPMBX100-1.exc.icann.org>
In-Reply-To: <201111042107.57549.lou@lougogan.com>

Hi,

> Though I still think a direct contact with the IP would close down that
> fraudulent link immediately.

There's no reason you can't do both. If you report it to the bank they have an
interest in stopping the criminals while the network operators just have an
interest in them moving on.

Regards,

Leo Vegoda

From mm@elabnet.de Sat Nov 5 04:20:31 2011
From: Michael Markstaller
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Sat, 05 Nov 2011 04:11:52 +0100
Message-ID: <1320462712.19837.25.camel@v1520-mm>
In-Reply-To: <41F6C547EA49EC46B4EE1EB2BC2F341849F82D47C4@EXVPMBX100-1.exc.icann.org>

On Friday, 04.11.2011, 15:28 -0700, Leo Vegoda wrote:
> Hi,
>
> > Though I still think a direct contact with the IP would close down that
> > fraudulent link immediately.
>
> There's no reason you can't do both.
> If you report it to the bank they have an interest in stopping the criminals
> while the network operators just have an interest in them moving on.

Might be true but if such things would happen in my scope of responsibility,
I'd have no reason to *not* take this offline immediately. If I know (and
there is the problem!)
If you report such a thing at abuse@MYDOMAIN, promised, someone will
wake me up at 4 o'clock and we'll turn it off.... That's how things should
be, isn't it? ;)
I guess there are far enough responsible people out there, to solve such
issues right away - but only if they have the tools to verify! and the
"rights" to react..
Currently we haven't..(as the thread-starter noticed)
This is IMHO not a matter of privacy (in terms of ISP - which we all
are?) but more bureaucracy burdens, legal stuff..

So I also wait what comes up there, I'll support it.
Long discussions, ok, but at some point in time there also has to be a
decision: do we want anonymous IPs in the RIPE region or not?
Should it be possible to have an anonymous Scam/Spam-IP?
I'd say no.
(sure that banks also badly failed to have secure methodologies, but that's
not my scope, I have to take care about secure networks & IP ;))

Michael

From lou@lougogan.com Sat Nov 5 10:15:08 2011
From: Lou Gogan
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Sat, 05 Nov 2011 09:14:43 +0000
Message-ID: <201111050914.44068.lou@lougogan.com>
In-Reply-To: <41F6C547EA49EC46B4EE1EB2BC2F341849F82D47C4@EXVPMBX100-1.exc.icann.org>

On Friday 04 November 2011 22:28:10 Leo Vegoda wrote:
> Hi,
>
> > Though I still think a direct contact with the IP would close down that
> > fraudulent link immediately.
>
> There's no reason you can't do both. If you report it to the bank they have an
> interest in stopping the criminals while the network operators just have an
> interest in them moving on.
>
> Regards,
>
> Leo Vegoda
>

Hi Leo

You are missing the point entirely.

Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all
around the world merely because they are pretending to be the BOI.

This is an attempt to steal money from people. It is a crime. The only main
contact with the criminals is the ISP.
They will know the actual contact details
of the criminals, hopefully, and can act on that, or at the very least shut that
link down pronto.

Secondly, there are many scams out there trying to con people into giving
details of their credit cards etc with no direct connection to any bank - thus
the abuse contact details still should be easy to obtain so a report can be
sent from anyone aware of a fraud attempt, even a Lou Blogs.

Thought experiment:
If you saw a bank robbery and the thieves were using a HONDA as the getaway car,
would you contact HONDA or would you contact the police? To a certain degree
you are saying I should contact Honda, whereas I would consider contacting the
police, or someone who can contact the police - in this case the ISP.

Slán

Lou

Achill, Ireland - where the sun shines from morning till night
. . . . . . . . . . above the rain clouds 8=(

From michele@blacknight.ie Sat Nov 5 12:39:57 2011
From: "Michele Neylon :: Blacknight"
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Sat, 05 Nov 2011 11:39:52 +0000
Message-ID: <4578B2F4-F0DE-418C-8AB4-B5DDDD31CACD@blacknight.ie>
In-Reply-To: <201111050914.44068.lou@lougogan.com>

On 5 Nov 2011, at 09:14, Lou Gogan wrote:

> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all
> around the world merely because they are pretending to be the BOI.

Actually it is ..

>
> This is an attempt to steal money from people. It is a crime. The only main
> contact with the criminals is the ISP.

That's based on an assumption that the ISP / hosting provider actually has
contact with the phisher.
In most cases they wouldn't, as the bulk of phishing attacks go via
compromised hosting accounts and / or accounts that lead to chargebacks

> They will know the actual contact details
> of the criminals,

Doubtful - see above

> hopefully, and can act on that, or at the very least shut that
> link down pronto.
>
> Secondly, there are many scams out there trying to con people into giving
> details of their credit cards etc with no direct connection to any bank - thus
> the abuse contact details still should be easy to obtain so a report can be
> sent from anyone aware of a fraud attempt, even a Lou Blogs.
>
> Thought experiment:
> If you saw a bank robbery and the thieves were using a HONDA as the getaway car,
> would you contact HONDA or would you contact the police? To a certain degree
> you are saying I should contact Honda, whereas I would consider contacting the
> police, or someone who can contact the police - in this case the ISP.

I'm really finding it hard to follow that analogy.

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From leo.vegoda@icann.org Sat Nov 5 13:31:29 2011
From: Leo Vegoda
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Sat, 05 Nov 2011 05:31:24 -0700
In-Reply-To: <201111050914.44068.lou@lougogan.com>

On Nov 5, 2011, at 2:14 am, Lou Gogan wrote:

[…]

> You are missing the point entirely.
>
> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all
> around the world merely because they are pretending to be the BOI.

I don't know how you came up with that one. At the very least, a responsible
bank should work with the relevant law enforcement agencies.

> This is an attempt to steal money from people. It is a crime. The only main
> contact with the criminals is the ISP. They will know the actual contact details
> of the criminals, hopefully, and can act on that, or at the very least shut that
> link down pronto.

You're assuming the baddies bought accounts instead of just hacking someone
else's server.

> Secondly, there are many scams out there trying to con people into giving
> details of their credit cards etc with no direct connection to any bank - thus
> the abuse contact details still should be easy to obtain so a report can be
> sent from anyone aware of a fraud attempt, even a Lou Blogs.

Abuse contact details are only useful when there is a properly resourced set
of people behind them.
Without that they are at best worthless and at worst dangerously misleading.
I'm all in favour of ISPs doing the right thing but ISPs are only part of the
story and they each only see a small slice of the picture. The kind of abuse
described in this thread needs to be addressed by the brand owner as well as
the ISP because the brand owner will want to minimise its association with
fraudsters.

Regards,

Leo

From ripe-wg-antiabuse@kyubu.de Mon Nov 7 09:22:25 2011
From: ripe-wg-antiabuse@kyubu.de
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Mon, 07 Nov 2011 08:58:09 +0100
Message-ID: <20111107075809.GA32247@core.kyubu.de>
In-Reply-To: <201111041837.48349.lou@lougogan.com>

On Fri, Nov 04, 2011 at 06:37:48PM +0000, Lou Gogan wrote:

Hey Lou,

> $ whois 46.252.206.1
> inetnum:        46.252.200.0 - 46.252.207.255

> As you may notice, there is no suitable email contact at all. (Writing a letter

Besides all mentioned solutions, you could go upstream with your complaints.
At least, they should have a valid contact.
Cheers,
Adrian

From shane@time-travellers.org Mon Nov 7 14:01:18 2011
From: Shane Kerr
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Mon, 07 Nov 2011 13:52:12 +0100
Message-ID: <1320670332.5722.9.camel@shane-desktop>
In-Reply-To: <201111050914.44068.lou@lougogan.com>

Lou,

On Sat, 2011-11-05 at 09:14 +0000, Lou Gogan wrote:
>
> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all
> around the world merely because they are pretending to be the BOI.

I mostly agree with you, but would like to point out that banks call
this sort of thing "identity theft". They make it the problem of the
people being impersonated, even though that person has nothing to do
with what is going on. ;)

--
Shane

From ops.lists@gmail.com Mon Nov 7 14:39:08 2011
From: Suresh Ramasubramanian
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] broken contacts
Date: Mon, 07 Nov 2011 19:02:02 +0530
In-Reply-To: <1320670332.5722.9.camel@shane-desktop>

Shane -

1. It depends, you will find enough banks actively engaged in pursuing
phish sites [if you are in the right forums for that, and the right
forum for that is not anywhere IP allocation, routing and dns are
about the only content you'll find]

2. The "we are not the X police" meme needs to be taken out and shot.
On Mon, Nov 7, 2011 at 6:22 PM, Shane Kerr wrote:
>
> On Sat, 2011-11-05 at 09:14 +0000, Lou Gogan wrote:
>>
>> Firstly, it is not the job of the Bank of Ireland to pursue fraudsters all
>> around the world merely because they are pretending to be the BOI.
>
> I mostly agree with you, but would like to point out that banks call
> this sort of thing "identity theft". They make it the problem of the
> people being impersonated, even though that person has nothing to do
> with what is going on. ;)

--
Suresh Ramasubramanian (ops.lists@gmail.com)
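
Added example, not part of any message in this thread: a small Python parser for the RPSL-style whois reply quoted in the first message. It follows the admin-c/tech-c handles from the inetnum object to the contact objects in the same reply and lists any abuse-mailbox or e-mail attributes it finds. The function names are this example's own, and the second record is constructed for contrast.

```python
import re

# Reply to `whois 46.252.206.1` as quoted in the first message of the thread.
THREAD_REPLY = """\
inetnum:        46.252.200.0 - 46.252.207.255
netname:        GDNL-46-252-200-0-TO-207-255
descr:          Customer
country:        NL
admin-c:        WR1096-RIPE
tech-c:         WR1096-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-GDG-NL
source:         RIPE # Filtered

person:         Will Regg
address:        H.J.E. Wenckebachweg 127
                1096 AM Amsterdam
phone:          +14805058877
nic-hdl:        WR1096-RIPE
source:         RIPE # Filtered
"""

# Constructed record for contrast (documentation address space, example.net).
CONSTRUCTED_REPLY = """\
% constructed sample, not real registry data
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX1-TEST
tech-c:         EX2-TEST
source:         TEST

role:           Example Abuse Desk
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
nic-hdl:        EX1-TEST
source:         TEST
"""

ATTR = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")
CONTACT_REFS = ("admin-c", "tech-c", "abuse-c")   # attributes that point at contact objects
MAIL_ATTRS = ("abuse-mailbox", "e-mail")          # attributes that carry a mailbox


def parse_objects(text):
    """Split a whois reply into objects; each is a list of [attr, value, comment]."""
    objects, current = [], []
    for raw in text.splitlines():
        # Mail clients often turn the padding into non-breaking spaces.
        line = raw.replace("\u00a0", " ").rstrip()
        if not line.strip():              # a blank line ends the current object
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith("%"):          # server remark, not part of an object
            continue
        m = ATTR.match(line)
        if m:
            value, _, comment = m.group(2).partition("#")
            current.append([m.group(1).lower(), value.strip(), comment.strip()])
        elif current and line[0] in " \t+":   # continuation of the previous value
            current[-1][1] += " " + line.lstrip("+ \t")
    if current:
        objects.append(current)
    return objects


def contact_report(text):
    """Resolve the contact handles of the first object and collect mailboxes."""
    objects = parse_objects(text)
    if not objects:
        raise ValueError("no RPSL objects found")
    resource = objects[0]
    by_handle = {v: obj for obj in objects for a, v, _ in obj if a == "nic-hdl"}
    handles = []
    for a, v, _ in resource:
        if a in CONTACT_REFS and v not in handles:
            handles.append(v)
    mailboxes = []
    for obj in [resource] + [by_handle[h] for h in handles if h in by_handle]:
        for a, v, _ in obj:
            if a in MAIL_ATTRS and (a, v) not in mailboxes:
                mailboxes.append((a, v))
    return {
        "resource": resource[0][1],
        "handles": handles,
        "unresolved": [h for h in handles if h not in by_handle],
        "mailboxes": mailboxes,
        # "# Filtered" on source: means the server withheld some attributes,
        # so an empty mailbox list on a filtered reply is not conclusive.
        "filtered": any("filtered" in c.lower()
                        for obj in objects for a, _, c in obj if a == "source"),
    }


def best_contact(report):
    """Prefer an abuse-mailbox, fall back to any e-mail, else None."""
    ranked = sorted(report["mailboxes"], key=lambda m: MAIL_ATTRS.index(m[0]))
    return ranked[0][1] if ranked else None


if __name__ == "__main__":
    for name, reply in (("thread", THREAD_REPLY), ("constructed", CONSTRUCTED_REPLY)):
        report = contact_report(reply)
        print(name, report, "->", best_contact(report))
```

On the reply from the thread the report has one resolved handle, no mailbox at all, and the filtered flag set; on the constructed record it returns the abuse-mailbox and flags the tech-c handle that the reply did not include.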