Anti‑Abuse Working Group

29th November 2023

At 11 a.m.:

BRIAN NISBET: Hello, good morning to you all. And welcome to the RIPE 87 session of the Anti‑Abuse Working Group. Together with my co‑chairs, Tobia Knecht and Markus Du Brun online we would like to welcome you all to this session.

So first off, I would like to thank all of the support people without whom we would be standing at a room shouting at you and desperately hoping the people on the Internet heard us, to the NCC support staff, ops team Meetecho and our wonderful stenographers so thank you all very much for making all of this work and keeping it as a record for future times.

I'd just like to remind everybody that RIPE community now has a Code of Conduct and that is covered in this Working Group, the mailing lists, the meetings etc are all covered by that.

What other administrivia, yes you can rate what we are talking about in the meeting system, you don't have to, this isn't the same as the plenary but we do welcome your feedback whether via the survey or just coming up and telling us later because we want to, on the mailing list we want to make the session and the Working Group better for all of ye.

The minutes from RIPE 86 were circulated some time ago, they have been on the website for some time, I am not aware of any issues with them, unless somebody stands up and tells me about some issues with them now, we will consider them approved.

Seeing nothing, we shall consider them approved, thank you all very much.

The agenda has been published again for about a month or so. Are there any items that anyone wishes to add to the agenda at this point in time? Keenly aware of what happened last time I asked this question in Rome but we are in a very different world now.

No, okay, then we will proceed with the agenda as published.

So recent list discussion, the standing item, the co‑chairs feel that the item a little bit further down in B around discussion and work item creation kind of covers I think the recent list discussion, because that touches on the Abuse‑c piece validation, ASNs, all of that jazz so unless there's something somebody would like to raise then we will leave that kind of discussion to the section a little bit further down.

And again, hearing nothing, we shall move on with an update from Gerardo, who is hopefully online somewhere. So there he is.


BRIAN NISBET: Good morning. So, yes, would you like to tell us awesome things about the ‑‑ all of the work and the progress that has been happening, so I will hand over to your good self from awareness to action indeed.

GERARDO VIVIERS: Well, thank you, good morning, Rome. This presentation is going to be a little bit different than what you are accustomed to in the past, I was here to tell you about where we were in the development of the abuse training so ‑‑ anti‑abuse training, so my presentation is going to take a bit of different direction. I want you guys to know about something but I want to know something from you so this is going to be a two‑way exchange, hopefully.

What has been going on in the past, this is a recap for all the people who might not know, in 2021 the Working Group requested the RIPE NCC to help in creating some anti‑abuse training material and the idea was to help new LIRs who might not be aware to handle abuse reports to be able to do their duty as good ‑‑ in 2022 we developed a webinar and at the beginning of this year, 2023, we started delivering it. So far, we have only been able to deliver it twice, it's two interactive webinars and we reached about 70 people signed up and followed the webinar. The feedback from the attendees shows that the webinars are helping raise awareness of different abuse threats and in helping them to learn how to take action in handling abuse reports.

So, let's talk about the current solution, why did we choose for a webinar? Well, it's more simple format so it's faster to develop for us basically it's developing webinar structure with learning goals and then training the trainers so they can deliver it and collaborate in delivering the sides.

The thing about the webinar is that it also has a realtime Q&A format which allows for discussion and getting feedback or actually giving us feedback, it also has the opportunity to do some direct networking between the participants and of course the trainer will facilitate discussions so the webinar allows to foster discussion amongst participants as well.

Now, the problem with webinars, as much as I like the format is does have a little down side, not everybody has time for these live webinar sessions because of time zone differences, our service region is quite large and not everybody has the time to sit an hour, an hour‑and‑a‑half to listen to us talk. The consent will be delivered once at that webinar and so people who might want to do it at a different time cannot and reaching a wider audience would require more live sessions and resources from the RIPE NCC.

So, what I'd like to talk about is maybe a suggestion for the future and that is of course the e‑learning format. And this is not to replace the webinar but to complement it. It has some characteristics that solves some of the shortcomings of the webinar format. Self paced learning which allows people to take the training at their own time, geographic barriers are removed because it's online and anybody can access it, as long as they have access to the Internet, training experience is consistent as the content will always remain the same and it's self paced so people can do it at their own time and analytics will allow us to track completion rates so to know who completed what in the e‑learning and it's also makes it scaleable for training more people because there's more cost‑effective, it doesn't take as much resources to make.

Of course every time there's an update we have to update it centrally in the e‑learning platform and we don't to have live sessions scheduled.

So, the benefits of the e‑learning format, it can allow us to sustain the momentum by allowing synchronous option and this would further further the goal of empowering change on a larger scale. So ‑‑ and here comes my question to you, guys: As a Working Group ‑‑ this is where I pass the ball over to you, we don't need to know this now but we would really like to see the Working Group getting more involved and maybe starting a discussion about the direction the anti‑abuse training should be taking. So thank you for your time and attention and I am open for questions.

BRIAN NISBET: Cool, hang on! It takes me a moment or two to get up from my seat, sorry. So first off, thank you so much, and I mean it's great to help that obviously there's been a good response. Thoughts? From anybody? Do you know, we were talking about trying to improve the ability to handle abuse, again, there is more time for feedback but just having heard Gerardo's thoughts there, any feedback? Do we think we in fact need a six‑week intensive course in person in everybody's house? Or you know ‑‑ I suppose one question from me, Gerardo, is this: Is it an instead of or along with?

GERARDO VIVIERS: Along with business business okay. So the webinars would still be taking place on occasion?

GERARDO VIVIERS: Yes. The idea of the webinars is to have live interaction with the trainers and to be able to ask questions and also be able to chat with each other during the webinar. Maybe express different opinions or share techniques. The e‑learning would help people who want to learn about the topic to be able to access this knowledge or at least these skills, techniques, whatever it is, at their own time, because that's ‑‑ yeah, that's why I said the difference between the webinar and the e‑learning is mostly the time that people can access this training.


GERARDO VIVIERS: But also on the e‑learning side you can make material that's not only for the network operators but maybe for people who are users of the Internet and they want to learn about how they can handle maybe some abuse situation, hint hint mailing list discussion.

BRIAN NISBET: Indeed, and I mean that sounds like a very interesting thing.

SPEAKER: Hello, I'm Moin. With all my hats off I would like to speak for myself. I actually have had some experience previously working as a trader in various parts of the different world and I also have done it during the time of Covid where it actually went from webinars and on‑line‑based ones but I think like there is one thing that actually misses what we are doing online, that is we can't actually replace it, so that's the point I want to mention actually here.

BRIAN NISBET: Okay. Okay, cool.


BRIAN NISBET: Anything else, folks? Does the room feel generally this is a good direction to go in or does anybody violently object. I am going to take a certain amount of silence indicates consent at this point in time. So, as nobody is objecting, I mean, it would be nice if we had a bit more active participation, in the next section, get your standing up at the mic boots ready for the next section. Thank you, Gerardo, let's go in this direction, I think that's a useful thing and I think there's absolutely conversation to be had about extending that, the e‑learning towards users as well as operators.

GERARDO VIVIERS: Like I said we don't right now, I would see people discussing the topic so we will see what happens on the mailing list after the meeting.

BRIAN NISBET: Okay. Cool. Thank you very much.


So, I am going to hand over to Tobias now, sit down, slack, something.

TOBIAS KNECHT: Hello everybody from my side, we as the Chairs of the Working Group had a little bit of discussion over the last few months about how we were going to continue with the Working Group if we want to do something else, if we want to do something else and if we just want to check different ways out and to get engagement and get work done at the end of the day it's called a Working Group. So one of the ideas came then when we saw the recent list discussion as Brian already said, this is a big part of the recent list discussion, there was a discussion about people not responding to e‑mails that go to the abuse mailbox. And within that discussion, there was a lot of other discussions opening up like the verification of Abuse‑c or validation of Abuse‑c but also the ASN clean‑up and so on and so forth and so our idea is, or our idea is and this is what we want to do from now, and more, is, we want to ask you, as the community, more for input about what do you think of abusive behaviour that we should tackle as a Working Group. Because so far every once in a while something comes up in a mailing list but we feel there's a lot of discussions not in the mailing list but RIPE meetings or is there something we could do or somebody thinks there is something that should be done about so we would like to hear from you guys in the community, then we are going to try to pull all the information together, be this is what we did this time as well which you will see in a few minutes, pull all the information and what's the status quo, where are we at the moment and then start having a conversation and find people that want to push certain topics into the right direction, whatever these topics are, if this is going to go into a policy proposal or to conversations between you and RIPE NCC and the community, that RIPE NCC might not necessarily need a policy or whatever it is, we just want to get more conversations and more discussions together in here.

So, that's why I also sent an e‑mail the other week, three weeks ago, even longer, about be prepared for this meeting, if you have inputs about the topics that were on the mailing list, please let's have that conversation and discussion right after and if we are not ‑‑ if you are not going to want to participate or have nothing, that means Brian and I need to make it a little bit more controversial so we are getting conversations and maybe that's a path to go.

But the three topics that we were talking about on the mailing list again was the abuse e‑mail ignored, as the opener for that whole conversation, abuse e‑mail verification was one and the ASN clean‑up was second one.

So what we thought as mentioned we want to get the status quo, what's already happening in RIPE NCC so thank you to Marco who will give us a presentation about what in these topics has already been done by RIPE NCC so we have the right starting point to figure out if this is enough or if we want to have more or whatever the outcome is of that and what you as a community think in that regard. Thank you for that, and Marco, please.

MARCHO SCHMIDT: Marco Schmidt, manager of registration services, I am here to present you a couple of data points that hopefully will be useful for you for the ongoing discussions and as actually Tobias just mentioned, a plan to present here the status quo, then I will actually leave the stage because the idea is to have an open discussion but I am here together with my colleague Jeremy Walder there, he is mentioned there as one of the authors and I will be happy to participate in this actual discussion, for now to allow me to show you how we currently do things and I hope you find it useful.

First off about Abuse‑c validation, there were some questions. Currently how we do it, we are using an external verification tool. This tool does a couple of checks, it checks if the formatting is correct, if the DNS is well‑configured, if it responds to a ping and so on. And this is completely non‑intrusive, there's no e‑mails sent and the holder of this Abuse‑c contact is not impacted by it if everything works well.

If this test fails, we go to next phase, we send out an e‑mail verification link to that e‑mail to exclude some false positives and also a ticket is created by the RIPE NCC to then follow up, it's first an automated process and if this doesn't help it becomes a manual process.

Some numbers here, we have currently around 90,000 different Abuse‑c contacts in the RIPE database and they are split in around 20,000 in LIR organisations of our members, they have different accounts and there must be Abuse‑c contact link to it. We have another 58,000 abuse contacts in resource objects which can be an allocation object, sub‑allocation and assignment and so on. And then we have another 15,000 abuse contacts in independent resource objects, AS numbers and also PI assignments, IPv4 and IPv6.

So if you divide this 90,000 e‑mails, that we have to verify annually, it's roughly 2000 per week, and a lot of automated and around 6 to 8% of those e‑mails fail. It doesn't necessarily mean that they are not working, sometimes it was just a time out and next automated test works or the verification link is clicked and all is fine but still, a couple of them really seems to be not working and what we do in those cases we contact them to verify it and if, for abuse contacts in resource objects or in independent resources, if we cannot get hold of the responsible person we basically replace that e‑mail with a comment, with the working abuse contact of the LIR or the sponsoring LIR because they sold some responsibility for these resources as well.

It's getting more workload impacting if it's an invalid abuse contact of an organisation, an LIR organisation because then we have to do an investigation, it can be quite extensive, we look into it, okay, did something happen to this company, did it change names and domain, it maybe went into liquidation was there something else going on?

We e‑mail and try to call all contacts that we can find that we have in our records and do some online research and also if the resources are announced we get even contact with the upstream provider to help them to get in contact with.

If this all doesn't work and this member remains unresponsive, then the membership can be terminated and I think it's important to point out of it's of unresponsiveness, it's not really a policy validation, they are not responding to us for a long time, several months and many different contact attempts.

Now, a few facts about current AS number clean‑up, that's a project that started in 2017, and it's the idea to verify AS numbers that doesn't seem to be in use any more. Our parameters for this is that we don't see any registration change in the last 13 months, there was no transfer, no issuing, no sponsorship change and also it doesn't appear visible for at least 13 months and then we do send an e‑mail to the LIR and if it's an independent resource of an end user to the sponsoring LIR. And once that LIR confirms okay, we don't need it any more, we don't need it any time soon, we return this AS number and so far we have contacted over 4,000 of these ASN holders and as you see the return rate is rather high so it is more than the half.

And that's it from my side. Thank you so much.


TOBIAS KNECHT: Thank you, Marco, for preparing this. So, this is the status quo about Abuse‑c verification, or validation and it's the status quo on what's happening with the AS number or with unused AS numbers at the moment. I am not sure if anybody that was in the mailing list and had this conversation or this discussion is now, today, in the room, but are there any questions and Marco is happy to answer questions but are there any questions about that or any ideas or any things that need to be discussed from the community right now? Now the question is did you prepare and do your homework?

BRIAN NISBET: Allow me, I am just going to kind of add from my own point of view that AP I suppose this is the thing, this is a Working Group, this is not Brian, Tobias and Markus come up with all these things. These things all came out, these policies, came out of work from the Working Group and we would like ‑ I mean, people are talking about issues and it's not up to us and it's not up to the NCC, outside of us all being members of the community, to fix this or lead all of this. And I think it's really important that if people have issues and I am sure, I mean I know Jordi is in Address Policy and that clash isn't great this morning, he has ideas. Are there others? I am not even saying if you stand up to the mic you have to write a policy, it would be great if you wanted to, as I pointed out to somebody on the unofficial telegram chat, anybody can write a policy. Just input, is this a problem, is this something would you like to see more done on? Do you have ideas in this regard because if not, ain't nothing going to change, and we will kind of sit here and in six months' time that will happen or indeed somebody will come along are a policy suggestion that you don't like, and maybe you will react then or maybe you won't. I know, this is a small group of people, it's not about any of you as individuals, please do not take it that way but also, this is the opportunity for you to give input as is the mailing list. So, or you are going to have a really long coffee break.

TOBIAS KNECHT: Not also about the two topics that Marco talked about, I think the abuse e‑mail ignored, I think that's a topic that has been coming up over again and maybe somebody has experience on how somebody handled it here, whatever you want to share, share, otherwise it's going to be a long coffee break.

BRIAN NISBET: We are not just people in the room, you can interact and ask questions on Meetecho.

ALEJANDRO FERNANDEZ‑CERNUDA: I come from a different world so if it's not prepared just let me know. Alejandro Fernandez‑Cernuda, Global Cyber Alliance ‑‑ I was at a meeting in Brussels with European TLD I SAC which is a new project and for that community NIS 2 is incentive for action and for ‑‑ I don't know what's the feeling in this community or this Working Group about NIS 2 and what is coming after that? That's it.

TOBIAS KNECHT: I think if I understood correctly, I think it's a good question what the community feels about it, that's exactly what we want to see and what we want to gather as information. I think my personal perspective, and this is not me speaking as a Chair but as myself, is, in the past, what happened if the community hasn't changed things and hasn't improved things then usually somebody else came and forced, I don't want to call it improvement but forced things on the community that were supposed to improve things but didn't, and then stuff started coming from the community because the stuff that came from outside the community was painful enough to get people moving. That's maybe also a little bit controversial part I mentioned earlier. So I think it's soup community is part of it. It's totally fine if everybody in the room is I haven't thought about it, it's totally fine. If you all think what RIPE NCC is doing is perfect and good, let's keep doing what they are doing and I think the numbers are looking really, really good. The general point is we need to figure out where do we want to move things, we can't have conversations on the mailing list and saying oh, yeah, AS numbers are the issue or abuse validation is the issue but then not come and say okay, we agree we need to do something in that area. So, that's what I am saying, maybe people that have been in the mailing list are not in the room or Meetecho today but to be very blunt we can't just complain and not do anything because stuff won't change and we are not going to get better at stuff, if that answers the question ‑‑

SPEAKER: Kind of.

BRIAN NISBET: I think as Tobias said and this is it, this, too, is ‑‑ I mean, well amongst many other things going to be a lot of work over next 12 months but primarily it's a reaction from the EU on we don't think you are doing enough in a bunch of areas and that's what we know, we know that's ‑‑ especially an entity like the EU which is very fond of regulation, does. And to be fair, I am a fan of regulation as well but and it's ‑‑ it's a failure, some of it, is a failure to act on behalf of the industry, on behalf of people in this building, people not in this building, is there, you know, is there something as we see clarity on national legislation, which is of course is still across 27 countries, which is only a third of the NCC service region, which is a very important part and a much smaller proportion of the RIPE community but you know, is that something that we should be discussing as a Working Group? Is that ‑‑ is there ways this Working Group can help in that, help organisations to do some of that or to try and demystify some of the mist or, you know, is the answer just everyone just get ISOC 2701 and let a little of your soul die every day?

But these are these questions and if we are not ‑‑ if we are not doing anything, then, well, there's nothing for us to say as a community what we are trying to act to do this.

TOBIAS KNECHT: You mentioned 2701. I have heard there is discussions about people wanting to put abuse management and abuse work into the certification process as well for ISPs, for hosting providers or Telcos so there is also some movement and I am not sure, my last experience with that certification is 20 years old, if that's going to come it's going to be painful for a lot of companies right away.

BRIAN NISBET: How many people in this room reckon the organisation they work for is going to be considered important or essential under NIS 2? How many people know what NIS 2 is? That's a little better. NIS 2 is the set of regulations the EU is coming up with, having realised NIS 1 was vague at best, around important and essential institutions, around reporting, around good security compliance and practice, really aimed at crucial industries like you know energy and power and things like that but also DNS operators, also research institutions, also a whole big grey area but I don't want to get too much into a NIS 2 question but it's an excellent question and thank you for raising it but it does bring up all of this. If we are saying as a community we are happy with this stuff, okay, we hope other people are happy, too. If we are saying as a community we are not and there seems to be a persistent kind of grist in the mill with people going it's not good enough how do we improve it to a level that we as a community are happy with because I don't want to have to hire someone who is job it is to respond to a ping from the NCC or a ping to say we are still alive but there's got to be some middle ground there. I am talking too much.

TOBIAS KNECHT: We don't want to push you now today, it's really about putting the seed in and saying okay, guys, if you have ideas or if you have stumble upon things on your day‑to‑day work where you think this is not good, it needs to be fixed and addressed, now matter how small it might be, for you there might be a tonne of other people that run into the same issues, bring it up, put it on the mailing list and send it to us as chairs so we can facilitate and put it on the list and agenda and say look, this is the points that we want to discuss, this is the things that we want to move forward and then find people that want to champion those things, together with the community with NCC or even together with third parties, I think looking at NIS 2 and other processing that outside this community it's always good and keep up to date and give feedback to those communities and those organisations as well and I think that's one of the things we would like to see more ‑‑ not enforce but we would like to encourage more because only then we have a way to participate in the stuff that's happening out there. Because otherwise ‑‑ otherwise there's stuff coming that is not ‑‑ that's not going to be making you all happy. It's going to be painful again and we have seen this several times before.

BRIAN NISBET: I think it's easy sometimes to forget that this Working Group, all Working Groups, have the ability to directly influence this; I mean Abuse‑c didn't spring fully formed from the head of Zeus nor was it Address Policy, it was this Working Group who put that policy through and created it and worked on and reached consensus on it and I think it's easy to forget, sometimes, at a meeting, that this community has the ability to produce policies which affect how the Internet works. You know, and it's ‑‑ I think it's easy to forget, sometimes, but again, it doesn't have to be, as Tobias says, about these things, it can be something else entirely about abuse, we can talk about it this, it doesn't have to be a policy, it could be the training we created, that was that thing, it could be a variety of things. We have talked a lot about guides on abuse and that has fallen by the wayside and there are other bodies doing better or more things, but anyway we don't want to belabour the point.

TOBIAS KNECHT: Think about it and let us know, we are looking forward to feedback and then we are going to keep working from there, next RIPE meeting is happening definitely

BRIAN NISBET: Indeed by the next RIPE meeting we will actually have legislation, the legislation will be published, national bodies will have described NIS 2 into their own laws, and we will all be trying to figure out what the hell it means for October 2024 and whether there are important points there that we can work on as a community and I think groups like the co‑op Working Group will be looking at that as well, but yeah. One last moment in case anybody suddenly ‑‑ has a bolt of inspiration? Okay.

Please look at this, the slides from the NCC are up there, the numbers are there and it's not to say those numbers are a shield of steel against improvement but the work is happening and I think it's ‑‑ it's a useful discussion and useful awareness, because it gives us a basis for things to improve.

So, speaking of all of that kind of thing, yes, Tobias, it is you again. So, yes, so ‑‑ we are going to talk about some global abuse reporting and I think some statistics and all that.

TOBIAS KNECHT: Sorry, I thought there was another point in between but that's fine.

Yeah, let me talk about global reporting and now, I am speaking not as a Chair, I am speaking as a founder of company called abuse X what we call global reporting base and where you can come in as supporters for the whole good of the Internet.

So, first of all, what is global reporting and why is it important?

As we know, we are running ‑‑ we are here in the Anti‑Abuse Working Group. The Anti‑Abuse Working Group is supposed to help companies that run abuse teams and abuse desks, that's why we do the training, how to handle abuse complaints and how to build an abuse desk, as telco, mobile operator, you name it, whoever has a customer network or customers in a specific subscriber network, usually receives abuse reports and they need to be handled.

And so, to go back a little bit in the history of that, when I started in that area this was 1999, a long time ago, running an abuse team for big German telco, we didn't have a lot of data because we couldn't look into the traffic that ‑‑ that our customers did because of privacy and thank God we were not able and we are still not able to do this today. But to find comprised accounts, comprised machines, comprised resources, e‑mail mailboxes, servers, whatever, you need to get information, you need to get data. Usually that data comes mostly in most cases from the third parties, from the outside. There is plenty of companies that you might, or organisations you might have stumbled upon, shadow server, there's spam cops, abuse X is sending these reports as well so this information and this data that is being sent to abuse mailboxes all over the world is more or less how an abuse desk is capable to find out what's going wrong within their network and to find out which customers causing problem to everybody else on the Internet and then targeting those customers and fixing the problem together with them so they can clean up their network and keep up their reputation and get out of legal trouble, when we are talking about copyright, so at the end of the day an abuse team or desk is more or less a data processor, very, very similar in enterprises to security operation centres. They receive a tonne of threat intelligence as well and do their works and work this pragmatically down and do exactly the procedures they need to do. The same is true for an abuse desk, we are not talking about enterprise and corporate networks, we are talking about ISP and hosting provider telco subscriber networks.

And this is a very, very important piece and it becomes more and more important, again 20 years, 24 years ago, there was maybe a handful abuse teams all over Europe, meanwhile all the big companies have their own teams, I would say there's at least 25 companies nowadays that have more people and staff in their abuse team than the whole abuse community was 20 years ago. So this is a growing, I don't want to say it's a growing market, we are a growing ‑‑ it's a growing thing because it becomes necessary and unfortunately we haven't seen a lot of improvement in a lot of cases so the abuse on the Internet is still there, it's still happening, it's not going to go anywhere, it's not going to go away.

So why it is important, exactly for that reason: We need to inform those ISPs and Telcos that something in their network is going wrong and they should take care about that. So global reporting was set up at the very beginning as an Open Source and it's still very, very free, we are doing it for free so I am not going to sell you anything, we are doing this for free, we build tools for free over the last two decades, stuff like X ARF, the extended abuse format that has been mentioned in this Working Group several times, we have built at the very beginning something called the abuse contact database which is kind of a clone of the Whois databases of the world to find the Abuse‑c because parsing Whois sometimes in the past at least was a very, very tricky thing, still is in some cases so we maintain a database where you put an IP address and get an abuse address out, so very simple and high performing so for people to be able to report.

So, as mentioned, the abuse desks need support because everybody here in the room, I guess, who runs networks and works in companies that run the biggest networks on the planet, you guys have a tonne of data about abusive behaviour that you are facing on a database. I think everybody here in the room can ‑‑ has some examples about when somebody ‑‑ some IP addresses if it's a DDoS attack or port scans or whatever stuff it is in your companies you see that every day, we see it every day, RIPE NCC sees it every day so that stuff is just out there. And this is exactly where it becomes important. The data that might not be really interesting for you that you might just throw away or not even look at or think whatever, I don't care and this is, this is nothing that I really ‑‑ that I really should care, abuse desks really, really care about that type of data. It's the mundane, the mundane port scans, it's the mundane spam e‑mails, it's the mundane dictionary attacks or whatever else that is happening out there, that lets ISPs and their abuseness identify comprised machines on their network and if you are an ISP or hosting provider, the same is true for your organisation and your abuse desk internally as well. And we are talking about also, when we are talking about hosting, work press accounts, phishing websites, drive‑by downloads, all the stuff that is happening out there that is building up the BOTs over and over again, the FBI and governments can't even turn off BOTs fast enough, they are spreading faster than ever and it's becoming a bigger problem. It's not being talked about any more that much as it has been talked about 10 or 12 years ago but the situation on comprised accounts within a lot of networks is getting bigger, especially if abuse desks do not exist or if an abuse desk does not get visibility into what's really happening in their network. That's the call from action from our side, I will tell you how to do it if you are interested in that and what we can offer to make that very, very simple for you but the offer or the call to action for you guys is if you have data that you think this is really, really important or this is really stuff that can help an abuse desk whatever it is, make it available for these abuse desks, tell them it is happening, tell it to your own, it's really, really important.

What's the status quo on our side, Abusix started 25 years with the global reporting project more or less which was very, very simple: We had a huge spam ‑ network which we were still maintaining at that time and we started sending e‑mails back with a shell script at the time because we were lazy and this was the fastest, automatically pulling data from Whois and passaging the message in some weird format and sending it out to the abuse desk, we did this at the beginning with sponsors providers in Europe and we got to a volume of about 7 to 8 million e‑mails per day as a fun weekend project of a few dudes who didn't have anything better to do on a weekend, that's how the whole thing started. Abuse contact database came out of that, and meanwhile, we are running one of the biggest platforms for global reporting and are also reporting for other companies and other ISPs and enterprises that give data to us and hand that data over to abuse desk. Just as an example one of the first was Swisscom which is a name big enough to be recognised in here and this is our usual e‑mail would look like, we are telling hey, this is Abusix, we are doing this, we are doing the addressing, the formatting, we are putting that stuff into XRF which looks like that, but you can find x‑arf as Open Source project under GitHub if you are interested in adding to report things, happy to do so, we are happy to build that into the format and specification but it's a very, very simple JSON format, machine readable but also as mentioned on the slide before, human readable so even a small tiny abuse desk with a few e‑mails a week can take care about the abuse we are reporting.

We are starting to report these things for more and more companies, we are notifying at the moment roughly 1,000 abuse desks per day with multiple reports about stuff happening within their network. We are sending at the moment about 10 different event times like BOT net and in some case we have access to sinkholes where we know what malware computers are comprised with, which is very, very helpful for abuse desk to tell the customer, hey, this is a configurer problem, here is the download link to removal tool and so on and so forth. And we are starting, we are sending on behalf at the moment 10 companies, roughly 25 smaller organisations, that give data to us and we are onboarding ten new companies at the moment and the number is growing.

So more data for abuse desks will make it better for them because they get a better view about what's really happening within their network.

So at the end of the day this is what we call a win‑win win situation, it's a win for the abuse desk, it's a win for you because the chances that if you report that data you see less of the crap and it's win for us because we can facilitate the data and use it for some statistical things we use and we share with the community as we have done in the past.

So, how ‑‑ what's next and how is that working, how can you participate in that?

What we are doing at the moment is we are reporting on our honeypot data and spam, if you are interested in us running in a customer network or anywhere, we have our honey pots, we just need access to machinery, we take the data, it's being reported, if it goes back to your abuse desk you profit from that as well. Global reporting as a general, that's the type if you are interested and you have data available we can share with abuse desks all over the world just let us know, we have happy to have a conversation to see whatever, if you have auth locks or dictionary attacks on web portals, happy to use that data and make use of that data and report that as well. The only thing you need to forward that data somehow, this is what we are a conversation into our system, the rest is completely done by us, we are even taking care about the support as far as we can care about support so we can even report anonymously if you don't want to have your name on the reports, totally fine for us.

The last one just to mention it, something we started just recently, is the typical e‑mail feedback loops, if you receive an e‑mail in your Yahoo and you click on this spam usually sends it back to the sender of this e‑mail and tells the recipient doesn't want to have that e‑mail, there was some weirdness in the community because the company that did these services was starting to charge people for it and we said it's not going to happen after 23 years, they did it for free and in my opinion did a money grab here so we said we can do this as well, this is very easy for us and so we started taking over a tonne of companies that didn't want to pay for the service so we do it for free.

So if you are interested in helping abuse desks and yourself in that regard, let us know, each out to me, I am available today, I have to go back tonight unfortunately or just send an e‑mail to support at Abusix, if there is any questions please let me know


BRIAN NISBET: Indeed. Comments, questions? No. Nothing in Meetecho either. No. Okay. Thank you very much, I mean it's great, you know. So, yeah, thank you for doing it. Okay. Trying not to make bad jokes about giving everyone the half hour back. Any other business, folks? We have reached that time of the session. No. And I think the last point there is to consider, even suggest now, but certainly to consider the agenda for RIPE 88 and we will be a lot further north than here, in Krakow, which I am very much looking forward to. But if there is nothing extra, then I will simply thank the various support people, the NCC, Meetecho, AV folks, stenographers for their support, all of you here and remotely, and on the mailing list, and the Working Group and on behalf of myself and Tobias and Markus, we will hopefully see you on the mailing list as discussed and also in Krakow in May of next year. Thank you all very much.

SPEAKER: There is someone in the Meetecho queue.

BRIAN NISBET: Apologies. Niall, I think you have put your hand up but I don't know if you have actually requested to get mic? Yes. You are muted, Niall.

NIALL O'REILLY: Is that better?

BRIAN NISBET: We can hear you.

NIALL O'REILLY: I thought I was aiming for item X or maybe item ‑‑

BRIAN NISBET: We can back

NIALL O'REILLY: But I didn't get the signals in in time. There's something I am wondering ‑‑ I am Niall O'Reilly, and I am the RIPE vice‑chair but I want to not wear that hat for this question. This is more from a small scale domestic networker than from the RIPE vice‑chair and I am wondering whether the Working Group is interested in taking under its scope the collateral damage that's done to people who are at the wrong end of the power imbalance by the way the abuse management ecosystem has developed?

BRIAN NISBET: That's a big question for a Wednesday afternoon.

NIALL O'REILLY: Maybe I should take it up on the mailing list, I thought since you had an AOB I should put it in earlier rather than later.

BRIAN NISBET: Absolutely, I mean I think it's certainly an interesting question. I suppose the question I will ask you at this point in time, and maybe again a mail will be ‑‑ would be preferred, is if you would like to go into more detail about what you mean by that? I think I know what you mean but I am not sure everybody else does.

NIALL O'REILLY: Yeah. There are a number of things that are ‑‑ people who are doing their own thing in their own homes, because this is where I am coming from, find themselves obstructed in various ways by things that are ‑‑ have become habitual and perhaps are justified on the basis oh, we have that do that for security but there's a lot of badness going out there in the Internet which isn't stopped by the security measures and there's an extent to which some of the things that are ostensibly justified by security are just punishing the innocent and I don't think that's a good thing and I don't know whether this Working Group or this wider community is the place to do something with it but I thought I should ask the question.

BRIAN NISBET: Yeah, I mean, and I am obviously ‑‑ it's not up to me, I don't know if anybody ‑‑ what I am saying is that opening that to the room, but I think a mail to the mailing list would be a good thing certainly, as well, Niall.

NIALL O'REILLY: Then I will try to put something together and thank you for your helpful suggestion.

BRIAN NISBET: Cool. Thank you. Unless there are any reactions in the room. Are there any hyper mega global corporations who want to make any comments or tell us all to be nice to Niall. No, cool, thank you very much. Oh, we have ‑‑ I am missing something about Meetecho here, about if somebody could help me and let Michele Neylon. We have voice so.

MICHELE NEYLON: Can you hear me?

BRIAN NISBET: Yeah, we can hear you.

MICHELE NEYLON: Michele Neylon from Blacknight in Ireland. AS 39122 amongst other things. Niall might be talking about something that I think is of interest to a lot of us but I am not sure why he is being so vague but I think it's the kind of thing if he could articulate more clearly on the list and provide actual specifics even if the specifics are more a case of company X and company Y, rather than saying giving a particular company's name, it would be helpful, because I have an understanding of what he is talking about but it might not be correct; you have an understanding of what he is talking about and again, it might not be correct, it would be helpful to understand exactly what he is talking about, but the problem I suppose is going to be understanding where we can best articulate that, so, you know, it's ‑‑ for example, you are saying okay, company X on their network is using technology Y for some reason or other there's an issue with that technology, whatever that issue might be, getting the company to change that is going to be an uphill struggle, if it's a case of another company outside the network is doing the name of "security" and the impact is that people can't buy tickets for events which is what we are seeing happening, that's something I would love to see a way of resolving sanely, again companies are entitled to protect their networks but I think there are issues with collateral damage at times and really, understanding who to address that to in some cases is hard. Thanks.


NIALL O'REILLY: Same button, just reclicked twice. Thanks to Michele Neylon, I should probably follow up with him on getting some ‑‑ on articulating this. The second question is even if it's articulated how feasible is it to address and what's the best way to do that? And that's a next level ‑‑ that's a next level problem.

BRIAN NISBET: Absolutely. I think let's start the conversation and see if there is something that can be done or discussed.

NIALL O'REILLY: And as Michele says in the chat I know where to find him. Thanks. Thanks, Brian.

BRIAN NISBET: Thank you. Three Irish men talking to each other, two in Ireland and one in Rome, the glories of the internet. Okay folks, seeing nobody else in the queue, again thank you all very much for your time today, so yes, you do have a nice lead‑in to lunch and enjoy the rest of the meeting. Thank you all very much.