*
Connect with RIPE 58 : Facebook Twitter dopplr del.icio.us RSS linkedin iCal agenda
 The session commenced at 2 p.m. (RIPE NCC is RIPE NCC)

CHAIR: Good afternoon. And welcome to the RIPE 58 Anti‑Abuse Working Group session. I do hope you all enjoyed your lunch and you are all now awake and so suffering from any kind of afternoon slump. So, we have a few things on the agenda today and hopefully some interesting discussion. Update on a few different /THAEUPBGS that are ongoing and a cry for help somewhere in there as well.

The two chairs, just to let you know, myself, /PWRAOEUZ Nisbet and co‑chair Richard Cox. We have wonderful people from the NCC who will be doing or scribing and jab erring and our technical support and also our wonder stenographer. I do not actually have any idea how we used to live without them.

Thanks.

Just a if I can note on microphone etiquette. Please say who you are and where you are from before asking your question or making your point on anything this afternoon. So, I slightly late and with a slight mistake in the middle sent out the minutes for RIPE 57 during the week which there was a couple of questions about. So, unless there are any points anyone wants to raise now about those minutes? Then I will consider them moving from draft to approved in one glorious magical moment.

There haven't been any sudden additions to the agenda. What we are going to do is flip its slightly and we are going to have Bob Bruen's presentation before we go into the botnet and bad guys community response action and indeed everything else. Everything else on the agenda is going to be mixed together in a selection of kind of updates and comments after we have the opening presentation. So I am going to stand down from here and invite Bob to come up and we shall have that presentation.

SPEAKER: Bob BR U E N): I am Bob Bruen and again I disclaimer /TP* I talk too quickly or say the same things please wave your hands and make me repeat it or explain it differently. This is ago continuation of the talk I gave earlier in the week, but we are trying to show how we use or policy enforcement to do it. I will repeat a few slides because I think /THRER important. One of them is a fact that again, you must keep in mind it's all about the money. If you don't put the money in the air, nobody cares. And that includes all the honest regular people like the /RAPBLG /STRARS, the resellers but the criminals, if you take away their sources of money, they will probably go away. That's probably.

I will repeat the policy: I have discovered that RIPE has a lot of policy people here so I'll expect you understand how important good policy is because it does make a difference.

What we have done is we have looked at the policies which is the registrar accreditation agreement and this is US sent risk, because we have more registrars as opposed to ccTLDs as Europe seems to have, most of the world has actually. And what we did is we looked through the RA A and looked for loopholes and some that we found were interesting, the most important is the process data /ABG /SAOEFPLT if you complain to a registrar in the US in dotcom whatever, and you say this is inaccurate, they have to look at it and verify that you are correct, that's ICANN, then they send it off to the registrar that verifies it as well, then they send a note off to the owner of that domain and say please fix T you have 15 days to fix it, if you don't, your domain name gets suspended. We have used that in loophole that I don't know any criminal that tells the truth when they register. It's going to be inaccurate no /PHOUR how you look at T we send mail to them it bounces, we know it's inaccurate. We take away the domain name then. This has worked very well over the yours.

In the beginning, when my son started doing this my himself, he had ten people where he worked who were getting a lot of spam and we shut down all the registrars, they got no more spam at all. No, it's not true any more because they have now bought and parked millions of domain names F you take one down, they will use the next one. So we need to make sure that we have enough people doing this and the complaint systems balance out with a 50,000 complaints we used to be able to put in and crashed your system and the 50 million new domains you can register in one year. They should be sort of in sync. And now they are with ICANN's new complaints system.

And again, to point out. We have focused, because there are just two of /OUS on the RAA there from ICANN to registrars. We have pushed ICANN a lot to make modifications in the registrar accreditation agreement. We are pushing them for a few more. Right now the bun that I want to get changed which is meeting with resistance is that a registrar has a choice. When you register for a domain name, they can verify who you are, your address and all the other stuff that goes on. Or, once a year or so, periodically is what it says, they can send mail to you and say check your registration, if inaccurate, please fix it. And all the criminals go oh yeah, it's fine and they don't fix it.

So, if we had enough resources we could go after everything. Part of the problem we have with criminals is they are infecting the resellers of registrars, everyone of these places got criminals working inside to take advantage of how the rules work. So the world looks the same to us as it does to them except they are not good guys. An example of use for 15 years of more is that you have a surgeon and a scalpel or you have got a murderer and a knife, it's the same, it depends on how they use T and they will sneak in as resellers, they will use privacy protection, not because they are afraid of some fascist domineering Government but because they don't want you to find out who they are. Some of these privacy protect services they cycle through the mail generating you know hundreds of digits of names, random digit names of e‑mail. So if you try to use it, you know, ten minutes later it's something else. And you can't ever send them e‑mail and complain. We find that wholly in fact receipt in not going along with the accreditation agreement.

As I mentioned before, I'll talk a little more about T the whois data accuracy problem has been going on forever. It was a problem in 19826789 it's still a problem today. There are a couple of different kinds of problems. One is that many people, especially in the EU I suppose, don't want anybody's name available because they want it kept private. And the original thought about this was you don't want spamers scraping off all the name and sending spam out just because you own the domain. But we don't care about individuals. You can have all the privacy we want. We care about people who make money. If you are a criminal, you send spam, you take money to do it, you are a business, you know, it's a transaction, a contract, the service is for money. We do know want to know who you are. In the real world businesses are public. They don't behind behind secrecy things most of the time. Occasionally they do, but generally speaking they don't.

If you sell stock, you are a public company, you file /ROPS to the S EC in the United States. Big 10 K reports, all kinds of information. You have to put up salaries and all kinds of stuff. You have to file with the IRS. He have not secret. On the Internet on the other hand, they try to be secret and they think it's okay and we don't think that's okay.

The controversy still goes on, there are plenty of people who want to sabotage any kinds of correction to this. In ICANN and in some of the committees, you know, it's a constant battle. We have had hearings, the general service administration issued a report in 2005 saying we have going to fix it, you should do this, or that, and of course nothing has been changed. And so we said this is a great loophole. We can make them take down the domain names, we have closed down about half a million sites who are break the flaw many ways, but mostly the problem was is that inaccurate information. And /K‑BG can automated and we have done that, you send them mail. The mail bounces. The whois record is inaccurate. We file the complaint. Again automated. To the 2 to 3 thousand to 10,000 a day and then it /TKP‑S to the /SRAEUPL process and they will take dawn the domain names, which why the spamers ‑‑ when I say spamers I am talking about the Malware guys /‑RBS the phishing guys, anyone who trying to steal money, the fake mortgage companies, all the criminal activity. They will have a parked name and reuse it. You can't do that very often without the registrar helping out. That's what we published our top ten list to point out who the worst ones are.

This is a standard procedure. It works pretty well. We will be expanding it this year. I think you'll see a lot of ICANN changes this year, they made a lot last year, there will be more coming. There will be more activity, I can't tell you exactly what it is, but I am guessing there will be lots of it. The one thing we found that's the most important is no matter how much we do of this stuff, putting it in the public eye makes a difference. We have been accused of the name and shame game because we will tell you who the bad guys are and what that means is if you are a business and you have your domain name or hosting service or whatever with one of those bad guys, you run the risk of losing it because they will be shut down.

So you might want to make a business decision to move it to somewhere to a better registrar.

And this is the top ten from last year. Shin net is still the top one for this year. All the other ones under Beijing networks have all had breach notices from ICANN and they have either been shut down or have begun to be behave themselves except for direct eye, which is in Mumbai India, they have cooperated significantly when S domains were shut down they got S domain stuff transferred over because the he is could he system was already set up. But we in other places vetted the names going over and if we knew they were bad guys, we said don't let them do it. So that worked well.

This is this year's also. Again, the first time a Russian registrar has made it up here. Thigh guys are now mad at us because they don't want to be associated with the really bad guys at the top . Enum we find to be a bad registrar. Network solution it is cooperating with us significantly. They will go off our list next year for sure. Planet Online is really not a good place and I'll show you why in a minute.

WildWest domain is actually owned by GoDaddy. And they are not happy about this either. (Wild west)

Now, to be fair, we have criteria. We just didn't decide that you are a bad guy and we don't like you. We thought about things like how big are you? It's not fair in our mind to say that GoDaddy has an absolute number of bad domain names to thank send out spam compared to another smaller registrar whose numbers are small. And they are bound to get more problems if they are bigger but they are actually trying to do something about it. We know registrars that have got 90 percent of their domain name holders to bad guys, there is no question about it. So we try to balance that out.

We also try to say, well, you got some spamers, but you are not spamming a lot. Maybe there is like spamming 20 people, they just an announce whereas others are sending auld billions a day and they make a difference. So that's another criteria: So we try to look at the whole rate of things they are doing, including the subjective one, are they cooperating with us and trying to help?

Now, I do have charts on this. I assume these will all be available to people, but you can see here Enum has more spam domains than anybody. And Planet Online is second. The rest aren't so much. One of the problems you have is like any good criminal, they will fit into a crowd to keep from being noticed. A few don't care and they get caught more easily but by and large if you have got 10 million domains that are paid for and you got a couple of hundred thousand criminals, you are making good money off of it and you kind of keep them under the radar. But they don't always do that (radar)

Now this one shows up a little bit better where one sort of stands out, this Planet Online, okay, they are really bad by spam messages by the registrar itself. Because we can add up the numbers, the individual domains or by the registrar. And a percent of the main spammed. This one here again, Planet Online shows up way worst than the rest. There is a side called domain NameWire, which claims to be the most read by registrars website and they decided to redo our categorisation of the bad registrars and they have picked this as the only criteria that mattered. And we don't care. You want to change out we do it, fine. We gave them the numbers, they published an article about it and they said this is the worst registrars, Planet Online, not KnujOn. Okay. That was the way they wanted to look at it. That's fine.

And again, this is another one just shows up the same thing. Per domain. So per registrar, per toe main, you can tell by the most messages. Again, what we are done. All we have done here is we have collected e‑mail from all over the world. We have 37 countries represented and just added them up. We didn't really magical numbers on them. Didn't manipulate them at all just added them up so at the end of the year we could say this is how many came, this is what the numbers looked like. So there is no real subjective part to that except for the criteria.

I do have to respond you being criticised before /TK‑G ‑‑ in the Whois record, I am all for local languages and I think it's a big difference between a common language that everybody uses so you can communicate, you use English here, mostly it's a second language, just so you can talk to each other. It's not the same as me forcing to use English just because I am in charge. Because I am not. It's been true Latin once was, French and English, maybe it will be Chinese. We have got a billion and a half people there, who knows. That's all that is. When I talked about the Whois record, that has been in engine rich since the beginning because the Internet was pretty much started in the US and as it spread it kept the same kind of language and I don't care that a person's name is spelt differently in their cultural language because there are different characters in other languages or addresses or something but I do care that the name of the registrar should be something I can find in a common language that everybody can find and know who they are. And when I complained about that was the Chinese, the bad registrars, not all of them, are starting to use Chinese characters in there because they no no one can read them. I can still match the characters, I can figure out who they are as well, but they are doing it to hide and that's not the same thing as trying to push their culture. Because the rest of the record is still in English. And you can look up any of the stuff yourself in the Whois record. It's the same. So what I am trying to point out here is that replacing the name of the registrar is kind of a problem. The addition of a Chinese character registered name with the English name is perfectly fine. You know, I am not trying to push English, I just happened to be born in a country that speaks English first I am lucky in that way and unlucky in other ways. It's not about making it being English. It's about having something that's common that we can all use to talk about. I just couldn't let advantage comment go.

This is what I talk about is that the Chinese characters, the registrar name and the registrar, but not the addresses. The rest of the Whois record looks the same as everything else. And I know they are doing this just to make it more difficult for us. We get new little things everyday by the spamers to make things difficult for us. You know they hide ‑‑ they know we are going after the transaction sites. They put a whole bunch of websites in there starting with underscores and all kinds of characters they have got to strip out just to make it more difficult, because they are trying to slow us down.

But what I am worried about is that other places like the Russians, for example, will start using Russian characters for the domain ‑‑ for the registrar name and other characters like the Middle East and that will make it harder to find out who the bad registrars are. It won't be impossible. It's just another slow down point. If they want to have the English and their own, that will work fine.



AUDIENCE SPEAKER: How about learning two languages?

AUDIENCE SPEAKER: This is Richard Barnes. I am wondering why language is really such an issue here? It seems like actually what ‑‑

SPEAKER: Because Randy Bush called me junkieist the other /TKAEUFPLT add

AUDIENCE SPEAKER: You what she had /HAO identifier.

SPEAKER: I am looking Whois record is set up now and I am nowhere near against change that go. So that could be done better. I thank you.

CHAIR: Please do remember there will be plenty of time for questions and discussions after the talk.

SPEAKER: Now the other thing I was looking at too is that the policies exist but we find them broken. And we want policy reform and we have done a lot of that, the last round of ICANN, you will see a lot of changes coming up in the next ICANN meeting which is in Sydney in June I think it is and one in Korea in October where the RAA has had a dozen changes added to it and a lot of people are interested. Some of the policy reforms that we want is transparency. One of the things my son found is that, and we got this fixed last year, is that of all the registrars listed, ICANN's list of registrars, a huge number of them did not have their honest address. And I don't care if you live in Mumbai. But I don't want to you tell me you live /PH beef tonne, organ New York and that's where your business is housed, because it's not. I mean that was actually Direct‑I. They had a mail draft box in beef tonne organ, but didn't know the difference between the different states and it just looked silly because in the background, all the registrars know where everybody lives (direct I) and they exchanged that amongst themselves in case there was some reason they got to talk to each other. We just wanted the same thing. We had to fight with them for months just to have that transparency, okay. And that's what we are looking for in awful this stuff, is more and more transparency and the more we get, the more stable things become. I'd like to see policies that do that. You don't have to do anything special, just don't hide. Because for the most part, it's perfectly fine, it's a worldwide operation. Lots of different parties worksing on it, it it's great.

We do want to have the Whois data verified at registration. And this is really hard because they really don't want to do it. They will check the credit card you have got in there to make sure you pay them but they won't check to see if the Whois data you stick in there is a known bad set of data. I mean, they have 60 that we know about where they have mixed certain things like a phone number in Holland and an address in Brazil but the state doesn't exist. It's all very sick because they automate it had so they have just kept rerepeating the same mistakes over and over again so we'd like to see that stopped. We're trying to put together a database so they can look it up more quickly. By and large they don't know what to do. The e‑mail thing is easy because you can send e‑mail, it bounces, you know it's broken. But if you want to start looking at other things, it involves a human being which takes time and they have to investigate and it stretches things out and by that time the bad guys have disappeared. I worry about the resellers, because they have been pushed out of this country and some have gone back to eastern Europe, but they are sneaking in but resellers range from somewhere like the size of Yahoo who some guy living in the Ukraine. There is no way pour the registrar to tell that that reseller is thest a bad guy until something bad happens and there are so e‑mail guys who will promise that the e‑mail they send is not spam (Yahoo) and the spamers are attacking them as well and sneaking into their systems. So it will ruin their reputation and business because it's hard for them to know. So, if anyone has got some free time on their hands, there is a serious problem of tying to figure out quickly that a reseller is a bad guy before the damage is done. And it would be nice to have that some ideas, but nothing ‑‑

What we are pushing on here again, I mention this had is the fake on line pharmacies. We work with ledgity script. Pharmacies around the world have to have a licence from their Government, state Government, /PHED relevant Government, whatever it is. They have to be licensed to sell drugs that are controlled. If it's over the counter stuff, nobody cares. But in the United States, it doesn't matter. If you have a server in the US and it's selling some controlled substance, you don't have a licence, you don't have a prescription, it's against the law. I don't need to be a cop or a lawyer to figure that out. And that's something can be done automatically because these numbers are available publicly. And we have been talking about pharmaceutical industry representatives, the national pharmacy boards in Europe and the equivalent in the United States and you will see over the next year a lot of work done in this area.

I point out again this /TUFRPed up on the Internet was just a report, it was just on steroids and we picked that because it was easy. In the US cannot sell steroids without a licence. And it's also caused all kinds of problems because a lot of professional sports guys have done it and got caught. In India I understand you are allowed to sell it over the counter without a prescription. But not on US soil. So, different countries have different rules about this. If the server is there, they are going to be in trouble.

The first time, about a month or so ago, the FBI and some others actually arrested people because they are trying to take advantage of the financial crisis and sell fake mortgages to people and shut down websites and they arrested about 50 people. And that's the first of mean to come of that nature. Because it's slowly catching up to what it means to be on a website somewhere on a server in the US and even though spam generally has the majority coming from the US, it's not all US individuals doing it, it's other countries having servers on US soil using the great networks we have and the better service and the cheap cost to send their stuff out. And that's going to change next year.

We'll look into any that's in the an I Hisity pharmacy site. The steroids report was pretty good. We shut down hundreds of thousands of sites using data and you'll see more of that.

I didn't go over this closely enough but I do want to mention that mostly the law enforcement they worry about bureaucracy. There was a nice presentation the other day by the CO IT people on what they have to go through to get information. And from my perspective, Whois data is pretty safe, everybody is worried about their own privacy. You don't have to get into the privacy aspect of this. They want to get details, they need warrants, evidence, they need to take a long time to do things. And they want to put people in handcuffs. I don't really care, because I look at this and I say, look, you have got a problem with your Whois data. We are going to shut you down because I know you are probably a liar. If you make a mistake, fix it. Straightforward. Not a big deal. I don't have to take much I am to do that. And the difference in time is also a difference in cost. And if you look at the number of arrests that have happened because of some Malware site or phishing site versus how many we have taken down by using Whois data, it's, you know, one of these versus one of these.

And part of the problem we have is that you know, there are so many things here, these are the guys selling credit cards, stealing identities, selling Malware, doing botnets, there is just an infinite amount of stuff. There is nothing wrong with companies Akamai use to keep their web service going. A botnet itself which is controlling other computers, I got a bunch in my house. I use a botnet to control them and do perfectly fine. It's the difference between what people do with what they have. And its much harder to find them if they look like they are okay and they are really not until they have done something wrong.

So, all we want to see happen is people should make the laws, whoever they are, shouldn't run the red lights and run over people in the streets you know. There is no reason to disrupt privacy because we are not talking about individuals. You know, and one thing I think is happening is that especially with the registrars, there is a change from the /*EPBT /KWREL spirit into an institutionisation of something. If every country has done this where we have battles and struggles to become a country where they institutionalise the parts that keep the country together. You know, legislators and bureaucracies and things like that to make it work and there in that transition period and they are going to fight it r and nail and they are going to lose in the end. In the it will be one way or the other. There will be certain kinds of rules. And last story here, I am not a smoker. I never was, and I always didn't like it when people smoked in elevators and cars it, a long time ago my kid was five years old and eventually the US Government decided smoking is bad, we did studies on it and what's happened is because of the resistance, it's gone so far past, now I think it's wrong. There are people that can get arrested for smokeing in a car with a child under 12. There are places in column /TPARPB ayou can't smoke in your own apartment. There are certain parks out in the air you can't smoke. It's gone ‑‑ there is a big swing. I think the harder they resist the worse the regulations are going to be. Instead of cooperating where they can control how the regulations come about and make it easier for themselves, they are not going to do it. No one ever does, put your feet on the ground and say this is it.

And I am here. And you want to hold questions now or later?

CHAIR: Now. Thank you very much Bob for that. Are there any questions?

AUDIENCE SPEAKER: Hi, I have got lots, but... I am going to keep it down to four, because ‑‑ Bob Bob I can't remember more than one at a time.

AUDIENCE SPEAKER: I am Malcolm Hussey and I am going to keep this down to four because we really can't do a complete if I say king of that presentation. But I really want ‑‑ I kind of need to make four points the last one of really is going to be a question.

You said that earlier on in your presentation that on privacy you didn't really care about the privacy of individual registrants, these companies, you don't care about that, and you are not looking into that, it's not an issue for you. Well under European law at least it is an issue and you are going to have to deal with that.

SPEAKER: What I meant was I am not look to go get into the privacy. I think Europe has done it better than the US.

AUDIENCE SPEAKER: On the Chinese characters issue, a billion Chinese people don't right their name in mandarin just to piss you off. If you want to read their addresses, you better learn their script.

SPEAKER: I disagree with you, what I am saying is if they want to add a line that says registrar in mandarin.

AUDIENCE SPEAKER: You are still saying they have to use a Latin script as well. They have to learn the Latin script so as to have access the ability to be able to register a domain name. A normative rule in the registration system should be that they must be able to provide their address in a Latin script in an ASCII style script. I am sorry but tough, that is no reason why they should agree with you that that is an acceptable norm.

SPEAKER: They don't but the thing is the rules say they have to. If they want to change the rules they have got to change it a different way. They can't arbitrarily to it.

AUDIENCE SPEAKER: I spent a lot of my time in the regulatory space dealing with these issues and I very rarely a.m. on the same sides it have as the governments on the PRC. On this one you have to deal with it. You have got to see where they are coming from.

SPEAKER: I do. They are hiding who they are.

AUDIENCE SPEAKER: Only the spamers are. This is point 3 so I am making progress. Your assuming that anything that's inconvenient to you or that gets in your way or that is unexpected is evidence of evil doing. That's not true. The spamers might be doing that, although to be honest I am not sure the spamers are putting it in in Chinese just to hide from you, because I am not sure ‑‑

SPEAKER: Spamers are not doing it. The registrars are doing it.

AUDIENCE SPEAKER: But the ordinary Chinese people that wish to have their addresses represented in their own script that they are capable of read /TK‑G

SPEAKER: It's not their addresses. You are not paying attention. It's only the registrar name. Not the name of the person. All the rest it have is still in Latin characters.

AUDIENCE SPEAKER: I am going to move past this money to now a question.

On the pharmacies issue. This was put /OU if /TPH* a Plenary before but I think you didn't quite understand what was questioner meant so I am going to try to put it to you again.

Tylenol is prohibited in Dubai. You can buy it over the counter in the United States. The last RIPE meeting was in Dubai. If you had brought tie Len not into the country awe would you have had conif I /SKAEUSed. So what you are you saying? Are you saying that A) an American on line business that is selling Tylenol without a prescription as it doesn't require in America should have its domain name resolved as a way of shutting down that business if they post that Tylenol to Dubai, is that what you are saying?

SPEAKER: What I said was, this is US centric. On US soil, these are the rules. The other countries, I can't do anything about that. That's why we are talking to the national boards of pharmacy in Europe (centric) to see how they would approach that and we'll make those changes. I used steroids in India as an example because you can get them over the counter as far as I know. The thing is you can't sell them to Americans specially if your server is in America. I am trying to distinguish between the jurisdiction of the United States versus other places.

AUDIENCE SPEAKER: But doesn't the principal in the reciprocity apply? If you are going to ask other countries not to sell drugs to Americans, then should not you not by the same token at their request stop selling drugs to them?

SPEAKER: In my opinion, they should do what I am suggesting to the US. They should in their country say you can't sell Tylenol to Dubai citizens on the net. I can't tell Dubai what to do.

AUDIENCE SPEAKER: /SUPBT that apply to pornography or the newspapers. Much of the stuff in the New York Times is illegal in many countries, are you going to have the New York Times domain name removed at the behest of mine an yeah regime

SPEAKER: If they are baking the law in that country, they have the right to do that. There is a certain amount of censorship involved in this stuff. I prefer no censorship whatever for a whole lot of reasons, but at the same time, if I believe in my country you should follow the rules, that should apply elsewhere.

AUDIENCE SPEAKER: You have just aplead that the New York Times stands to lose its owe domain name under the proposals at the ‑‑

SPEAKER: If they had a New York Times dot Dubai given out by Dubai they could take it away, but if it's given /OUPT in the United States as a dotcom through a registrar and through Verisign, then they don't have the right to take it abecause because it's not in their country.

AUDIENCE SPEAKER: That makes me nuts a bit. Have you just said that the dotcom top level domain is a US national top level domain? Have you just said that the dotcom top level domain is a US national top level domain subject to US legislation only?

SPEAKER: What I said was the New York Times dotcom is in US. They did get it through a registrar in the US and through Verisign. What happened in the rest of the world, I don't know.

AUDIENCE SPEAKER: Hang on. Verisign is a registry for dotcom, right? This is why you say they got it through Verisign. So what you are saying is, so that would apply to all dotcom domains because you can't get past Verisign for any dotcom registration in the first place. So what you are saying is that all dotcom registrations are subject to US local laws only?

SPEAKER: If they are selling something in the US.

AUDIENCE SPEAKER: How can that a domain sell anything. A domain is a named registrar. So? So, what rules should apply there? I am not understanding what you are after here? We are talking about the Internet and the /EUPBT err is the same prefix that applies to international. You are trying to advocate national boundaries and I am not sure I am in the right movies here

SPEAKER: There are boundaries because there are jurisdictions. The US has to rights in Europe F even if he saw a criminal act, there are jurisdiction issues and I am saying that if you are selling something in the US that's illegal, especially if it's a server in the US and it is a dotcom server, then yes, you are subject to US laws.

AUDIENCE SPEAKER: Okay, first of all, the web /SR‑FRS location and the domain name and the registries and the registrars positioning on the planet are completely distinct issues so what if the web server is actually located in what do you say, my an mar, and the domain name is still a dotcom domain name.

SPEAKER: Are they selling something in the United States that's illegal?

AUDIENCE SPEAKER: Okay.

SPEAKER: Is that part of your question?

AUDIENCE SPEAKER: Then they should have taken the dotcom name taken away?

SPEAKER: If the Whois record is wrong and they are selling illegal drugs, yes, take it away.

AUDIENCE SPEAKER: Someone make me sit down.

CHAIR: I think that's the point. Richard?

AUDIENCE SPEAKER: Richard Cox from spam house, a couple of questions which I found the presentation quite challenging and interesting. I think we all found it quite challenging and interesting probably in different ways.

More practically, you gave us some very interesting lists of registrars and the ones you thought were good and the ones you thought were bad.

SPEAKER: Based on spam levels.

Richard Cox: That list didn't come as any surprise whatever to us. But I was interested that you didn't split the difference between domains that are registered for illegal activities and domains that are registered for activities which, while perfectly legal, are antisocial. I am talking about marketing of surveys and /TPRE gifts by unsolicited e‑mail. That's perfectly legal in the country you come from certainly. To a certain extent it is in the UK /‑PB fortunately. But yet that's unacceptable to us as net citizens. Have you done any analysis on that list of registrars and their spam load based on the split between that type of material and the pharmacy material which is spammed out using botnets, for example, which I mean, that's illegal, whatever jurisdiction you are in pretty well. That's a clear indication of bad intent.

SPEAKER: The answer is no. And basically the problem is just my son and myself, we do this on the side. We don't have the resources to go there.



AUDIENCE SPEAKER: I am suggesting it's something you might want to look at. Secondly you spoke about the registrar ICANN accreditation agreement, which is good to look at, we found it very practical too. You didn't mention 377.2, which does provide you with a take down in 14 days for bad Whois, but it also ‑‑

SPEAKER: It must have registrared, notified by the the registrar.

Richard Cox: But it does also provide for instant take down where the bad Whois is will. .

SPEAKER: There are rules that say for example you can't have a fell on running it. And cannot knowingly engage in illegal behaviour or allow the domain to engage in illegal behaviour.



AUDIENCE SPEAKER: We are looking at specific Whois accuracy and you have made the point you can get the domain shut down after 14 days. Most /SPHAPLers don't expect their owe deign to last 14 days anyway.

SPEAKER: They will usually last five days. There is a paper, they found five days but at the same time, that was a domain tasting period as well.

AUDIENCE SPEAKER: That's been fixed. What I am trying to communicate here is there is another clause that's already in the agreement that's not being enforced. And as you seem to have an ICANN it may be well worth looking at if it can be enforced. That is the requirement for instant take down where there is obvious intent to put a willful false Whois.

SPEAKER: We found that more difficult because for some people this is pornography, for other people this is not. And that's where /KWR* I prefaced the pharmacy stuff, which is not quite the same as the Whois data /ABG /SAOEFPLT we are stepping out a little bit.

AUDIENCE SPEAKER: Leaving most of the feels in a Whois record empty or putting meaningless words in there, that is willful data inaccuracy and opposed to accidental or possibly intentional. And under those circumstances, you can get an instant shut down. Another thing that you might want to think with.

Under /# 773 of course the registrar is liable for anything done (3773) somebody in the Whois privacy service, which bring me onto the last point I wanted to make to you and give you some thought about how you do things.

If you get into a situation where you can shut a domain down quickly with bad Whois, then you can be sure the Whois was going to become very, very credible, spot on rights code every time and usually it will belong to the exact same guy whose credit card details they stole to buy the domain in the first place. This isn't progress unfortunately. I wish it was. We are looking for progress. So, I would say when pursuing Whois data accuracy, be aware there is an own goal sitting out there. A very good example is this: We chase add spamer the other day for bad Whois data on a particular registrar and his registrar said to him, we have got this complaint about your /KHO*S data, you'll need to fix it. Oh and by the way, if you don't want people to see it, we have got this privacy service as well. Again, progress? I think not.

SPEAKER: They are fighting back. It's a war of the escalation. It's a question of when you can get to a tipping point.

CHAIR: Are there any more questions?

AUDIENCE SPEAKER: Hi, I work for Microsoft and I fully support what Richard Cox just said. It's really a very difficult way to fight against spam, even if you get to the domain shut down, they will only use the domain for spam for 24 hours. After that it is already been triggered by all spam filters and it's being blocked by any good spam filters. So what may be a better way, it's just a suggestion, but we have found it better to try and have the accounts closed down of those spamers, because they may have registered a thousand domain names ‑‑

SPEAKER: Or a million.

AUDIENCE SPEAKER: Or millions and they are using one at a time. And exhausting them that way, but if you can shut down his entire account because it has been used not as bad Whois but it has been used against the terms of use of the registrar, then you will create more damage to him also and it will be more difficult for him to register one domain per account.

SPEAKER: We are trying to escalate as well and I will say one thing, about four years ago Microsoft worked with the Attorney General of Massachusetts and spent nine months gathering evidence against a Russian gang, they arrested them, plenty of evidence, they spent I don't know how many tens of thousands of millions of dollars. They were bailed out and went back to rich athe next /TKAEUFPLT all that time and energy wasted. What we did was by shutting the domain names down, was faster. In 2007 there were 50 million domain names registered. 30 million came from three registrars and that's an ICANN report, not ours, so you know, I understand the problem. And looking for ways to get better at it. We'll take any help we can get. Spare change...

AUDIENCE SPEAKER: The Whois information, it is very sensitive. As you can see from the gentleman back there, it is a very sensitive topic. People at registrar domain, it's not that they want to be known /PHRUBLly like somebody that registers a trademark. You want it to be known to the world. Whereas for domain names, people sometimes register a domain name they want to use it with hundreds of their closest friends but not with the 6 billion people of the world and another difficulty is, although the EU privacy directive does not go beyond identifiable persons, many European legislations have also data protection for businesses. So you are not allowed to just publicly divulge that information without the consent of the business. This makes the Whois public information or accuracy of the Whois information privacy protection services a very difficult debate still.

SPEAKER: I agree with you in general. But you have to understand, we have looked at the privacy protection stuff for a couple of years, I have yet to find a single legitimate use of it.

AUDIENCE SPEAKER: It's the privacy protection. It's not because they don't, you know, they want to be a system critic, it's just because they don't want information out there, and ‑‑

SPEAKER: We haven't found that. What we have found for real is covering up criminal behaviour. We have looked at this carefully.

CHAIR: I'd like to move on.

AUDIENCE SPEAKER: Core Ron Kaplan. You mention that had it's an escalation and you are waiting for that tipping point. I might just add that as far as I can see, with all the financial, the money flow of spam etc., all the Malware that we are seeing on the Internet, I think the tipping point is not in your favour in this, for this particular solution.

SPEAKER: We are very persistent.

AUDIENCE SPEAKER: Well, no. It's I think ‑‑ different solutions to the problem would actually be more efficient, like following the money stream for example.

SPEAKER: Except for one thing. Nobody has shut down and stopped spam as much as we have. And we can document that. Nobody. Not a single place.

AUDIENCE SPEAKER: Still my spam levels are increasing and increasing.

SPEAKER: If the spam filters work /THR*Ted less spam today there been that was five or 2 years ago. All they do is filter it out. They don't stop its production.

CHAIR: And on that note. ‑‑

SPEAKER: But I welcome any help I can get from anybody.

CHAIR: I think this is a conversation we could continue well through the rest of the session, the coffee break, have it during the 20 years celebration, but seriously I think /AO*ED like to leave it there so thanks very much Bob.

SPEAKER: Thank you very much for listening.

(Applause)

CHAIR: Right, so, the next talk is, Richard is now going to give us a talk about some current trends in Malware, botnets and abuse that are ongoing and very prevalent right now. So it's very much of an up to the moment tour through what's going on.

SPEAKER: Richard Cox: Good afternoon ladies and gentlemen. Before I start on the main talk I want to give you this afternoon, which I shall give on behalf of spam house, I want to separate roles slightly and say something in my role as co‑chair. You very kindly elected me to this post a couple of years back and since then I have been remarkably absent. Some of you might have wondered why, had I had a row with Brian? I can assure you I haven't, it's almost impossible anyway, he is a good guy to work with, but in fact I had surgery just over a year ago and we hoped it would improve a problem. It actually made the problem worse. I have had to take considerable rest over the last year. The meeting immediately after the surgery was out anyway, but Dubai, because of the temperatures, would have been a major problem. So, while Brian and I have been in regular contact, I have been very low profile otherwise and if any of you feel I have let you down, I would like to make an apology at this stage, so at least everyone knows what's happened.

Changing hats. Botnets and bad guys. And bad guys to us are not just the ones we call criminals, but they are also the ones that flood in boxes with junk e‑mail, even where it's legal. And of course the problem is that in the US, where a lot of it is generated. It's legal as long as you do certain things. I am not saying they do all those certain things but the enforcement of that part of the law is somewhat lacks. The can spam provision /R‑S rarely invoked unless something else has upset somebody. Not an ideal basis for enforcement in any jurisdiction. But that I think is where we are today.

So, whereas we could previously block by filter sources that we knew to be sending spam, and we could block automatically anything sending us a lot of mail unless we knew what it was. It was a technique use bid people like AOL, Yahoo, etc., if you were going to send them a lot of mail, you had to get white‑listed and there is a process for that. Well, the latest technique from these guys is what we call Snowshoe. Snowshoe, because if you are walking a cross snow, you don't want to put too much weight on any single part it have so you spread the weight across a very large flat area. That's exactly what these spamers are doing at the moment. They started by just having blocks of perhaps /23 full of random host names with one domain name or random domain names. Things that were totally meaningless and they would change these from time to time. That worked moderately well except that the domain names were caught up on. And then once the block had been caught sending a volume of spam, it got blocked. And the block stayed there until the spam stopped for a period of time.

Well, they got wise to that. As I was saying just now, whatever you do to these guys, they will get wise to it. They will find a solution to it. You have got to be a step ahead in the dynamic in working out what they are going to do next and try and cover that.

So, the latest technique is not just to re/TAEUT around individual IPs and say a /23 but to rotate those /23s or 24s or whatever with each other at numerous different hosting providers all over the US and of more recent date one or two in your Europe, this is relevant to the RIPE community because of course those of you who are doing hosting may get one of these on your blocks, and you may see your customers says oh yes, sorry, we had a bad customer who was spamming from there. We have termed /TPHAEUD him. You will see the block go quiet. Nothing coming from there for a month or two. Well nothing has actually happened. This is the problem. The guy who terminated their customer, he was the spamer, and all he did was shut that block down until the reputation for that block on the various reputation services like sender base has aged off. And then they go back and use it it again. One particular guy in the states who is very fond of this technique is darn roll, he is a Florida spamer, tends to have perhaps at little as 6 IPs on any one particular hosting provider, but he has got about between 10 and 15 hosting providers across the states and he rotates his domains and IPs between those hosting providers. You can always tells /WOLS traffic, he always uses dot org. Domains because of the limitation in looking up dot org. domains, some of the cheaper registrars of course don't really care how many domains you do a Whois on, dot org. gets fussy about that. So if you have to look up a few hundred domains you are going to find it's going to be a low process on dot org.. And he tends to use mail dot in almost every case, so mail dot garbage org.. Mail dot garbage 2 dot org.. Very distinctive these patterns and you get to recognise them. We are now having to do analysis on these and identify ISPs yes they have a spamer, even though there is no mail from there you have still got a spamer. Believe me that is a difficult argument to deliver until such time as the hosting community understands this new threat to their reputation. Because at the end of the day, it's their ISPs IPs, not the spamers IPs. If you got a black mark against it anywhere it's the ISP that ultimately suffers.

Let's go on to botnets. Quite a few of them around you may have noticed and a lot of them are sending spam, a lot of them are doing things a lot worse than spam. That is one of the reasons that why we are now the Anti‑Abuse Working Group and not the Anti‑Spam Working Group. So conif I /KA is a very high profile botnet at the moment. It's a project end obviously running on PCs talking to a command and control, that's quite normal, multi‑layer and encryption to protect the communications, that's also becoming the norm. We were certainly able to intercept communications before but they found that sending them in the clear wasn't quite such a good idea so they adapted. Now, they are encrypted.

Conficker however has got a very interesting feature, which I felt it worth sharing with you today. For three versions of it so far and for some reason they have called them A, B and C. Now, up to now, there were a few domains that conif I can a/AOUGSed to find its host, find out where to get its command and control if ever it lost contact with its base. Once you find out where botnet is being controlled of, first thing you do is get that server shut down and as long as it's not in certain jurisdictions, that's actually quite straightforward.

So, the bot has now got to find where its command and control is gone when it's not where they thought it was. And the original idea was to register a few domains and put those into the an actual code and it would go and look up host names on those domains. Well, that's quite easy, we got them taken down. And then we got an early version of the next one, which had about 500 domains coded in it. That was a little more difficult. It cost some money, but what was actually done, someone went out and registered all the domains that were being used or could be used by that bot. As a result. It conget much command or control that worked.

The latest version now can generate up to 50,000 domains per day. And needless to say they are aren't going to register 50,000 domains today and neither are we. The cost, the administration etc., is somewhat difficult. Conif I can aC has domains in quite a large number of TLDs, certainly in the UK, Austria, New Zealand, Australia and all the top level domains, all the well known top level domains anyway. And the approach has been taken at the moment is to ask registrars to take down domains that are in use as command and control and also to not allow the registration of domains that the bot has put into its code. It's an algorithm now. It's not an individual list and the idea is that the bad guys will go out and register a domain when they want to. They know what pattern of names the bot will try on a particular day, and they go out just before that and register the domain name. Well obviously, the only solution there is to get the registrar to refuse registration of those domains. Now in top level domains, moderately good success, in country code domains, things are different. Country code domains, they tend to be very independent and insistent on their right to do things their way. And in some cases, this means doing things which conflict with the best interest of the Internet as a whole.

Conficker D is the one that's actually going to carry I think the main pay loads. I think that's the only significance we have seen on Conficker C. Wing that Conficker C is a proof of concept and that Conficker D is the one that takes the heavyweight pay loads. But if their plan is as we understand it, which is to examine Conficker C and see which registrars and which top level domains will block registration of their chosen codes and then they are going to stick to all the others. This /‑PB means that as a community, we have got to share with each other the need to protect ourselves against this type of activity. Conficker is a major threat to the usability of the Internet. Obviously it does all the things that a botnet will do that are bad, liking put in a key logger and stealing all your passwords and credit card details. You know, there is nothing more chilling than have to go and help somebody, it happened to me, whose home computer flagged up from a firewall that they have got a /TROEPBLG end on it and then the next week explain to them why their credit card has just been used the other end of the country to top up an anonymous mobile phone. It wasn't that person's fault. They didn't do anything wrong, they didn't do go to any bad websites. I assume that nobody here would say that installing Windows was a bad thing but that was the only thing they did that had actually allowed that Trojan to get on their machine. So we are dealing with a very high threat.

And when you find a command and control centre, sometimes it is on what you might call bullet proof hosting. Sometimes this is in China, although there are ways to deal with that. The latest we are finding in, particularly in the RIPE region, is the hosting by means of a fake entity setting up an ASN, asking for IP ranges, using completely bogus information. The entity that checks the information is of of course the LIR. The LIR may well be in the same country as the entity doing the crime, and the LIR, of course may well be subjected to what we might call local pressures. You know, bribes.

This doesn't help us. So, it came as no surprise to us to find last week one of those entities operating with ostensibly an address in Scotland that looked perfectly like a reasonable company. Yes, there were alarm signals to say this is not a Scottish company, this is eastern Europe, and when somebody went to check the address, they found it was empty. The same address that RIPE had exchanged contracts and in all circumstances, that's the process with that entity a few weeks before, because that entity was the LIR.

So, we have got to sit back and think, and I know Brian wants to talk about policy development and we need to do some policy development and give some policy advice here, but RIPE is exposing itself as a friend to the bad guys by not having central validation of the holders of ASNs and ISP space. APNIC and ARIN both have central validation. They make sure they know exactly who that space is going to. We don't do that. And obviously, we are seeing the bad guys coming to us fairly consistently and we are seeing a lot of blocks being registered by entities that almost certainly do not exist in the form that they tell us they are. And some of them will be the Russian business network under a new name, a lot of you will remember the Russian business network which set up base in the UK a couple of years back and then mysteriously disappeared one November when suddenly it appeared to go to Taiwan. But what hadn't been spotted at first was that the trace route to Taiwan of generated by a trace route similar later and did not match will BGP announcement status. Quite a lot of you have will recognise how important BGP is. If you don't recognise this you have got a trace route similar later in there. If that doesn't tell you you have got a bad guy. Nothing will. So there we are.

That's a very brief run down on the situation today. I am happy obviously to take any questions.

CHAIR: Are there any any questions for Richard?

AUDIENCE SPEAKER: I am Richard Barnes of BB in So I think that you are on a good track suggesting that the RIPE and the other RIRs indeed have contact with these organisations that are doing bad things, but I wonder if you think that there is a scalable approach to doing this sort of verification and validation that you are proposing, or are we going to have to form the investigations unit of RIPE?

SPEAKER: Scaleability is always important. Whatever we do, they will find counter measures for. Rule one in my book, would be to make sure we are alert to the problem and not look the other way and say we are all good guys, we wouldn't do that, would we? Because the bottom line is we are not all good guys and some of us would and it only takes one.

As far as checking is concerned, it seems to me reasonable that there should be a physical mail flow between RIPE or an RIR and an entity that uses its services. Limiting yourself to e‑mail leaves you wide open to misrepresentation of facts. That's known as fraud in some circles. So, I think that doing something is better than doing nothing. If you do something and you have still got a problem, then you have got to go and think about it, but what you don't need to do is ignore it. Because it ain't going to go away.

AUDIENCE SPEAKER: Aaron company link again. I just want to add to something that you said. I just want to say that the blocking, the registering of the domain names for Conficker C, the big you know frenzy and hype that was going on in the that registries, as far as I know, and I have been discussing this also on the Conficker mailing lists and (Conficker) and basically the result was the updates from B to C happened without the domain names and I just want to say that one more time: I am pretty sure about it. My question was on the mailing list, did somebody disagree, the answer of Paul v6ey was: Well basically, we can still at least monitor the domain names now. That's interesting for sure, but I just want to say that one more time. I think that's a very important point. Because, good botnet like Conficker, really smart one used multiple approaches.

SPEAKER: That is the key, use multiple approaches which means that the domain route is just one of the ways it can communicate, but trying to shut the others down while the domain route still is there as their backstop is not going to work, so we have got to cover all options.

AUDIENCE SPEAKER: I just wanted to mention part of our networks was deaccredited a couple of weeks ago by ICANN. My son had sent them a letter to Texas last year in his return there is no such person at this such address. From there we built‑up the reason why they should be deaccredited and they were, so sending mail through the post actually is helpful.

SPEAKER: It's helpful in a country where you can rely on the postal service to return it if it doesn't get there. There are certain countries which that is not the case. I wouldn't like to apply that test to the Ukraine, for example.

AUDIENCE SPEAKER: Demitri, from .Ukraine. I would agree that if you send mail in the Ukraine you may not just get it back and remember make postal mail is as possible as fake e‑mail. On the Conficker front I have to add that we have decided to block all the Conficker generation B domains on the registry level. It was a decision that was hard to make and unfortunately the switch to Conficker C makes no way to repopulate the registry because the names are no longer known in advance.

And as far as your comments on the RIPE registering ASS for unknown parties. I think that the only way to approach that is to use a system similar to create car processing is when you see an LIR to do too many of these bad registration, find them and if the percentage is say let's higher than 2 or 3 percent, just get rid of them. It's the only way you can deal with that problem unless you want to do all the registrations yourself and that's probably not what you want to do, otherwise you wouldn't have the LIR system. Postal mail is a good thing but it would not save your ‑‑ you couldn't just rely on that as the only source of verification.

AUDIENCE SPEAKER: If somebody ‑‑ Max Tulyex ‑‑ if somebody can receive the real good by postal mail, be it fraud or credit cards, so I think there is no problems to receive the mail and send this mail back to, for example, to the RIPE NCC. So I think if postal mail will be mandatory for registration, it will delay the registration process but give no real opportunity to detect spamers or something like that. So it's ‑‑ it will make some difficult but not stop spamers.

SPEAKER: Yes and no. I take the last two points together because I think it's important.

If you require a round trip physical mail within a certain number of days, it doesn't delay the registration. If you get too many failures for that, then you can trigger and alert and say you have probably got a bad LIR. As I said in my presentation, APNIC and ARIN do not use LIRs and I think they know why they don't use LIRs because they know what the risks are. So if you send a postal mail once a year, and what NOMINET do in the UK, they give you I think about 14 days, you get a postal mail it contains a code in, a bit like ‑‑ you know, the check code that you put in when you do a Whois lookup ‑‑ capture. By the way we found that anti capture domain was on the block I was just talking about which was registered by this fake LIR. But if you put a code similar to a capture code in the postal mail, which then has to get to the recipient, now you might at first sight think to yourself, okay, anybody can open that mail and phone the message through, which is true and that's not a problem. The point is: If somebody at that address gets the code through to its destination, then if a crime has been committed, and I stress the "If" law enforcement can go and ask and find out who received that letter. And who phoned the code through or put forward ‑‑ and where did it go? There is an an audit trail which is better than no audit trail.

AUDIENCE SPEAKER: So, I say that if the law enforcement can't find out where real good likes computers, cars, disappeared after receiving it for certain a postal mail address, I think same will be with postal mail. So, it's ‑‑ it adds some difficulty but makes no advantages in real life. Maybe it's Ukraine yen specific. Maybe in our countries postal mail work in different ways.

And also, our experience about 10 percent of postal mail sent within Ukraine and Russia are lost.

SPEAKER: Yes, but we are not relying on the bounce of a postal mail to flag the problem. We are flagging it on their failure to enter the capture style code that was contained in the postal mail. So we are checking whether it got to the address given and was opened in action at that address, which is I think a worthwhile thing to check. The more we force the bad guys to do specific things that are visible and fraudulent, the more chances we have of getting them to leave a trail that law enforcement can follow. At the end of the day, with the really deliberate bad guys, law enforcement are the only people who can deal with them. Our concern needs to be to protect our networks and our reputation.

AUDIENCE SPEAKER: So you say not about send postal males to all customers, but only if there is something strange happens?

SPEAKER: I am not sure I understood that one.

CHAIR: I think that the issue of sending postal mail around the RIPE region, it was one that was touched on in the general meeting yesterday evening. I think that it's an acknowledged issues in certain countries and in certain areas around the region, so I think that I'd like you know if we could just end that particular part of the discussion there. While that may be something that gets looked at at some point, we are aware of the fact that there are issues getting mail to RIPE members and certainly in a timely fashion, so if we could acknowledge that that there are a few ear people.

AUDIENCE SPEAKER: When we discussed the domain names, we also had the discussion should we try to exercise more control on the people who try to obtain these Internet resource domain name or should we find a way to shut them down more efficiently so that we change the game? Whereas they now can register a domain name at the click of a button in a second, we need to use, at the very least, 24 hours, if not more to shut town the domain name because we need to have, to be able to identify it as being used for spam, we need to find out who is the registry or registrar. So you know the dynamics are not in our favour. I think this is a little bit the same question here. Should we try to exercise more control on the people that obtain ASNs or IP address space or should we try to change the dynamics of it? I think it's very limited, the control that RIPE can exercise on verifying all documents. Mine we all know about forged passports. It's not that easy and especially if you want to do it for something that generates a lot of economic money, they can provide a lot of forged documents that look very real but in the end cannot find the person behind it. Maybe another approach would be to try to change the dynamics and simply be able to close down those IPs obtained by ghosts, ISPs or phantom ISPs or bullet proof ISPs, whatever we call them but find a way where we can close them very quickly so it's not interesting for them to obtain it any more. It will take them a week or a month to obtain the IP addresses but they will be shut down within 24 hours once they use it for illegal activity. It's a suggestion.

SPEAKER: It's a reasonable suggestion, given that there is also a dynamic between the usability of the Internet and the availability of it to individuals on a free and equal basis, which is what it's, in my view at least, there for. There is always going to be this balance of how far can one intrude in order to protect the integrity of the Internet. This is an issue that a lot of people have vexed opinions on. They can't agree. All I would say, and I hope we would agree on this, is that the present situation sun acceptable and we should look to move the dynamic to put more pressure on the bad guys while trying to avoid interfering with the good guys and having worked in the work I am doing at spam house for the last five and a half years, I can tell you that is not an easy task or even a simple one to describe.

AUDIENCE SPEAKER: Matt Ford ISOC. I just came up here base I wanted to say I thought that that was an excellent presentation and I wanted to respond a bit to some of what I was hearing from max., although not specifically on the issue of postal mail. I think it is absolutely imperative that the community addresses these issues rapidly. I think that you know, arguments along the lines of: Well, the solution won't be perfect because you know, I can see, I can envisage ways around this. If anything that will cause the bad guys to have to expose themselves more, anything that will cause them difficulty that is you know relatively easy for the community to implement in terms of policy, in terms of new mechanisms, we need to do this as soon as possible, because the alternatives, both in terms of the degraded utility of the network and the incentives for other people to step in and tell us how to run it are not good.

SPEAKER: With your permission I'll take a copy of what you just said from the notes and add it to my version of this presentation that I am going at Internet2 in Baltimore next week. Thank you. Very heartfelt words and I appreciate them.

We can't solve the problem immediately. Solving this problem is a bit like writing a computer programme. You write something you think is going to do the job. You try it out and you find where it's going wrong. Then you go fix the bugs and just like writing a computer programme, you will never get it bug free. So, with this, we will never get it perfect. But I think we can do better than we are doing now if we communicate more about it. If we share the understanding about it with each other on hopefully a reasonable way without getting too emotional, we have all go to solve this problem together and it's not going to be easy.

AUDIENCE SPEAKER: Filiz, RIPE NCC development manager:

Just a tiny little clarification together with a comment. You mentioned the effect of having different mechanisms among RIRs, how they operate basically, if they had LIR structures or not. Just a tiny little clarification there, because our region, or our membership may be understanding one term with one semantics while it is use with another term in another region. In our region, in RIPE, there is LIR mechanism and assign domain mechanism. Which gives the LIRs some freedom to make assignments for their customers without the approval of the RIR. This means RIPE NCC doesn't see those requests as approval requests. While in, for example, in APNIC, the same system is, there they have LIRs and we have an assignment in that system too. AfriNIC, for example, has an LIR system but they don't have that assignment window system, so everything goes to the RIR. So, I hope this makes it clear, in terms of the comparison you were making.

SPEAKER: Thank you Filiz. I was aware of the AfriNIC situation, although I make the point that AfriNIC company has assigned the /20 to any tell net, the nigh jeer yen monopoly telecoms operator and there isn't such an entity at all. AfriNIC have been told that and have not fixed the problem and that block has been used by a very well known American spamer, Michael Lyndsey, to set up in the Northern California area and run the Snowshoe spam I was talking about earlier, using that block. AfriNIC have been told and haven't revoked it. My understanding was that APNIC were being quite strict in verifying that entities who got allocations out of their ranges were what they said they were. And although when, again, back in 2003, APNIC were a fairly major scandal in terms of their Whois data accuracy. I can't see any problems there at all now. Does anybody? In fact, the only RIRs that we see problems with are LACNIC and RIPE. And the LACNIC problems are a total different nature.

CHAIR: It's now 25 minutes past. Thank you Richard for all that have vast ah information.

(Applause)

CHAIR: Now, as you will see, there is a few other agenda items but they kind of all roll into the same thing and they are also not going to be a barrier between you and your caffeine.

As has been mentioned by a number of people during that talk, there are potentially problems with how, in the RIPE region, the bad guys, for want of a better phrase, it's been used often enough, are dealt with. And every so often on the list somebody comes on and somebody did reason plea recently and kind of said you know, why, the LIRs don't care, the RIRs don't care, why aren't these people being dealt with? And quite often in that situation we turn around and say, okay, you think something should be done, in order for something to be done, a policy has to be put in place. And then the list suddenly goes quite quiet again. Apparently writing documents is hard which I am sure Filiz would disagree with. They can be knocked out in half an hour. That's fine.

But in all seriousness, we are looking at a few things which kind of all come under the same heading.

We are looking to see in cooperation with other Working Groups whether there is policy it can put in place to improve the situation. These policies have to come from the community. All you guys, all the people that aren't here, all the people on the mailing list, and it does slightly worry me that any time anyone suddenly goes, you want to put any of those thoughts into a policy, there is nothing further. So, I would earn courage any of you and there has been many useful things said here today, to see if you can write those things down and myself and Richard and indeed the RIPE NCC staff are here to help you with formulating your thoughts and wishes into a policy which could be put to the rest of the community for its feedback.

We don't expect you to be, to have Shakespeare yen writing abilities or to knock out an O'Reilly book, but you know, even if you have a starting point, we'll do everything we can to help you formulate that into a policy suitable for dissemination.

Part and parcel of that is what I have got there under updates to RIPE 409 and indeed new documentation. We stated fairly plainly when we set this Working Group, or rather changed the charter of this Working Group, that we wanted to update RIPE 409 which is a BCP document about how to deal with people who might be spamming on your network or at your exchange point or otherwise. And now that we have kind of got a session or two under our belts and a couple of months, we are now looking at very definitely sitting down and writing that new document, which would be stripping out, completely obsoleting RIPE 409 and produce ago document which deals with a much wider amount of network abuse. We have spoke tone a couple of different groups about this who have expressed their interest in helping out, but obviously if there is anyone else who wishes to help out, then please let us know. Sorry, you have a question or a comment or otherwise.

AUDIENCE SPEAKER: I am cost afrom Greek telecommunications organisation. On that subject precisely, I just wanted to mention, I heard in the presentation earlier that the ISPs most of the times are the ones that suffer the most. Well, I can agree totally with that, and I would like to have best current practices document that describes also specific technical measures that the ISPs can enforce, so as to help the situation. I mean, I have read the RIPE 409 document and I believe it's in a bit higher level than I would like it to be. I would like to know and to have in my hands an arse knell of measures, of specific measures that can attack problems. So I believe it's a good idea to enhance this document with something like that.

CHAIR: What I am going to propose, especially as it's half three now ‑‑ and after you are slightly truncated Working Group session in Dubai I didn't think for one moment we'ding going into the coffee break today, but yeah, to a certain extent. What I am going to suggest is that there are ‑‑ there is obviously lots of ideas and lots of potential policies out there. We will publish the mailing list the minutes of this meeting, substantially sooner than we did this time. We will also obviously publish some of the high level points such as the things that have touched on policy, and indeed the updating of RIPE 409 and the changing of that and aan additional call for assistance on that. We will try and work with the community as much as possible to put in place the high level B CB, to put in place a specific document on more technical measures to look and see if there is specific policies we can create for the RIPE region. Obviously as I said, there will be a cry for help, because myself and Richard aren't quite in the position to do all of this ourselves. So... yeah, so we'll endeavour to put that together and we'll endeavour to have obviously as much as possible done before Lisbon, so we can, even if we don't have the full documents done we can see where we are and where the direction is going at that point in time.

Richard Cox: Now, this is put in as my co‑chair hat. There is something else we are going to need from you, and the representative from Greek telecommunications I think, it's O it, net, flagged this as an issue we need to think about. There is no point our writing a document that says an ISP ought to do something if I say country us a laws don't allow it. Now, there is one country in Europe, for example, where an ISP cannot delete a file even if it's Malware on a hosted server. There is one country in the RIPE region which does not allow customers to be disconnected for abuse, and so on. I have just picked out two examples. We need you to tell us, as a team, the Working Group, what limitations there are in particular countries and in those countries where those limitationings are seen to be lethal limitations, then obviously we have got to start thinking about the community talking to those governments and saying, hey, you are causing a problem.

CHAIR: If it's very brief...

AUDIENCE SPEAKER: There will always be legal matters. For all I can say, I am not a lawyer and I think we should start with something and then correct the bugs along the way. Like the...

CHAIR: Absolutely. Like I said, we'll work on putting drafts together, certainly between now and Lisbon in October, and obviously we'll be putting out another call for help on the mailing list.

Right, we are five minutes into the coffee break and that's an inhuman thing to do to you all. So thank you all very much, and we'll see you in Lisbon.

(Applause)

(Coffee break)