[LACNIC/Seguridad] Abuse contact of gvt.com.br not functioning

Arturo Servin aservin at lacnic.net
Mon Oct 15 20:15:29 BRT 2012



On 15/10/2012 20:04, U.Mutlu wrote:
> Dear Sir from LACNIC!
> your suggestions are impractical, you seem never to have been
> an administrator, and you seem not to know your own mandate!

	I don't get it, be explicit. I think I am very clear about my role and
what I can and cannot do.

> 
> There must be a working abuse contact in the WHOIS db,
> and that contact must process the Abuse Reports caused by its clients,
> and cut off those clients who are evidently doing cyber crimes
> like attempting to hack other systems.

	Yes, the abuse contact should do that. But they are under no
obligation to do it unless there is a request from a judge.



> If that contact evidently does not do its duty, then it is
> the job of the RIR to make them obey the rules.

	No, the RIRs are not the Internet police. You are clearly confused.

	I leave you with this URL to clarify for you the role of an RIR:

http://www.ietf.org/rfc/rfc2050.txt


> 
> FYI: here over in Europe (RIPE) "abuse-c" in the WHOIS has become a
> _mandatory_ entry
> --> https://www.ripe.net/ripe/policies/proposals/2011-06
> and it works in about all EU countries.

	We also have that contact, but it is for informational purposes so all
entities can coordinate actions in case of abuse. It depends on the
goodwill of all parties to make it work.

> Problematic countries are CN, IN, ID, BR, RU, UA etc.
> One wonders why...
> I think because of lack of law & rules, education, and moral values.

	Now I think you are crossing the line and being impolite.

	With that kind of attitude you are going nowhere.

Regards,
as

> 
> 
> Arturo Servin wrote, On 10/15/2012 06:32 PM:
>>
>>     So, why not just block the IP(s)?
>>
>>     Any fw can do that, I do not see why you need to block the whole
>> cctld.
>>
>>     Also you can change the ssh port and/or allow just some IP addresses
>> to log in to your server.
>>
>>     Finally, what do you expect the IP address holder to do?
>>
>>     IMHO and IANAL if you want them to do something you need to execute
>> legal action, not just an email to abuse.
>>
>> Regards,
>> as
>>
>> On 15/10/2012 14:11, U.Mutlu wrote:
>>> Arturo Servin wrote, On 10/15/2012 05:48 PM:
>>>>
>>>>      What do you mean it is not possible?
>>>>
>>>>      What is your problem? Do you get SPAM or DDoS from gvt.com.br?
>>>>
>>>>      It would be difficult to give advice without knowing the
>>>> problem.
>>>> But certainly blocking the whole .cc is not a clean/optimal/advisable
>>>> solution to say the least no matter the problem.
>>>
>>> Especially unauthorized login attempts, ie. hacker activities, just one
>>> example:
>>>
>>> "
>>> Subject: [MIT-s5-BR3S083182EHL] Net Abuse: illegal ssh login attempt
>>> (hacker activity) from IP 187.115.202.83
>>> To: abuse en gvt.com.br (Network Abuse Desk)
>>> Date: Sat, 13 Oct 2012 11:27:37 +0200
>>> "
>>>
>>> This was the 3rd Abuse Report that IP had caused on that server of ours.
>>> And we wait 2+ days before sending another AR if the attack/attempt
>>> repeats.
>>> Ie. that company has not reacted to any of the 3 Abuse Reports for
>>> that IP,
>>> and unfortunately there are way too many such cases...
>>>
>>>
>>>> On 15/10/2012 13:42, U.Mutlu wrote:
>>>>> Carlos Martinez wrote, On 10/14/2012 06:05 PM:
>>>>>> I don't really understand your logic. You  blocked a CC of 170M
>>>>>> people
>>>>>> for a single domain.
>>>>>>
>>>>>> A more fine grained acl can be created I'm sure.
>>>>>
>>>>> I admit it's not the best method, I too would prefer blocking
>>>>> on a company/domain basis (or abuse-address basis), but that is
>>>>> IMHO not possible with the standard tools we use (iptables with
>>>>> xtools/geoip).
>>>
>>> _______________________________________________
>>> Seguridad mailing list
>>> Seguridad en lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/seguridad
>>
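
The thread contrasts country-wide geoip blocking with a finer-grained ACL per address or per address holder. The following is an added example, not code from any poster or from LACNIC: it groups failed SSH logins by the allocated prefix they fall in and emits `ipset restore` input for prefixes that reach a threshold. The log lines, the prefix-to-abuse-contact table (standing in for WHOIS lookups), the set name `ssh_abuse` and the threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Oct 13 11:20:01 host sshd[311]: Failed password for root from 198.51.100.23 port 4022 ssh2
Oct 13 11:20:09 host sshd[312]: Failed password for invalid user admin from 198.51.100.77 port 4031 ssh2
Oct 13 11:21:40 host sshd[315]: Failed password for root from 198.51.100.23 port 4040 ssh2
Oct 13 11:25:02 host sshd[320]: Failed password for root from 203.0.113.9 port 5100 ssh2
Oct 13 11:26:13 host sshd[322]: Accepted publickey for ops from 192.0.2.10 port 6000 ssh2
"""

# Constructed prefix -> abuse contact table, standing in for WHOIS results.
ALLOCATIONS = {
    "198.51.100.0/24": "abuse@isp-a.example",
    "203.0.113.0/24": "abuse@isp-b.example",
}

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def failures_by_prefix(log_text, allocations):
    """Count failed SSH logins per allocated prefix; unknown sources count as /32."""
    # Longest prefixes first, so the most specific allocation wins.
    nets = sorted((ipaddress.ip_network(p) for p in allocations), key=lambda n: -n.prefixlen)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal in the source field
        if addr.version != 4:
            continue  # the set below is IPv4 only
        home = next((n for n in nets if addr in n), None)
        counts[str(home) if home else f"{addr}/32"] += 1
    return dict(counts)

def ipset_restore(counts, threshold=3, set_name="ssh_abuse"):
    """Build `ipset restore` input for prefixes at or above the threshold."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {p}" for p in sorted(counts) if counts[p] >= threshold]
    return "\n".join(lines)

if __name__ == "__main__":
    print(ipset_restore(failures_by_prefix(SAMPLE_LOG, ALLOCATIONS)))
```

The set can then be matched for SSH only with `iptables -I INPUT -p tcp --dport 22 -m set --match-set ssh_abuse src -j DROP`, which leaves the rest of the country's address space untouched.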


