[AfriNIC-rpd] abuse contact information in whois database (AFPUB-2010-GEN-002)

Tobias Knecht tk at abusix.com
Wed Jun 16 18:32:21 UTC 2010


>>     1.363 unique AS Numbers
>>   340.583 unique IP Addresses
>> 2.564.952 all over hits on our reference system
>>
>> I can not exactly tell you how many whois requests that would have been,
>> because we are caching and at the moment just using the direct allocated
>> ranges for exactly these query issues.
> 
> If you are caching, it shouldn't be a problem.  The numbers would still
> be on the low side in terms of query rate.

That's what we are doing.
What about a mandatory abuse contact object and a DNS based list?

>> If there will be consensus on the object part there would even be a
>> possibility of setting up some kind of RBLDNSD Service where you put in
>> ip and get back abuse@ contact. Something like this
>> http://abusix.org/service/abuse-contact-db-beta
> 
> As an end-user, I would probably re-purpose rbldnsd to do the job if the
> data was available through bulk whois.  The data could also be "mined"
> on the fly but that requires more work.

If the RIR is offering this service, why should it be mined? It would be
much easier to generate a daily rbldnsd file and offer it that way, than
offering bulk data and/or an abuse finder API like RIPE is doing at the
moment.

>> I fully agree on that. It really depends on how this would work.
>>
>> Think about it this way:
>> Mandatory IRT Object for inet(6)num and asnum.
>> Mandatory abuse-mailbox attribute in that IRT Object.
>>
>> whois -B 193.174.0.0/15 (all data - restricted queries)
>> whois  193.174.0.0/15 (less data - restricted queries)
>> whois  -b 193.174.0.0/15 (only abuse mailbox attribute - unrestricted)
> 
> If you put unrestricted, people will read that literally.  By the way,
> FBLs are more effective as abuse mailboxes can be flooded by messages
> from individual users reporting ping "attacks". :-)  If I recall
> correctly, there is an end-user application that can automatically
> generate such reports.

To be honest, FBLs are not. FBLs are nice to tell a marketing company
they should unsubscribe the users, but the false positives rate is way too
high. Reports from honeypots, real spamtrap hits, SSH attacks, SQL
injection tries, phishing websites are much more reliable than an FBL
could ever be. Our customers do not even order FBLs for exactly the
false positives problem.

By the way, last week at a huge anti-spam summit in Barcelona, the biggest
issue was to find a solution against outgoing spam, and almost every
ISP agreed that automatic abuse handling and direct escalation
would be the best way to get things done.

The more complaints you are receiving, the easier it is to handle things
automatically. And the only thing you have to do at the end is decide
how trustworthy each reporter is, rather than clicking through a ticket
system all day long.

Thanks,

Tobias
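
Added example, not part of the original message and not the code of any RIR or abusix service: a sketch of the DNS-based lookup discussed above, where an IP goes in and an abuse contact comes back. The zone name, the ranges and the mailboxes are constructed, and choosing the most specific matching range is an assumption.

```python
import ipaddress

ZONE = "abuse-contacts.example"  # hypothetical zone name (assumption)

# Constructed sample data, not real registry records: range -> abuse-mailbox
ALLOCATIONS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
    "198.51.100.128/25": "abuse@customer.example",  # more specific assignment
}

def build_table(allocations):
    """Parse ranges; most specific first so the first hit is the longest match."""
    table = [(ipaddress.ip_network(c), m) for c, m in allocations.items()]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def query_name(ip, zone=ZONE):
    """Client side: DNSBL-style name, IPv4 octets reversed under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def answer(qname, table, zone=ZONE):
    """Server side: return the TXT payload for qname, or None (NXDOMAIN)."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None  # query is for some other zone
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None  # labels were not a valid IPv4 address
    for net, mailbox in table:
        if addr in net:
            return mailbox
    return None  # no range covers this address

if __name__ == "__main__":
    table = build_table(ALLOCATIONS)
    for ip in ("192.0.2.77", "198.51.100.200", "203.0.113.9"):
        name = query_name(ip)
        print(name, "->", answer(name, table))
```
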
