<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Peter,</DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>You
are being the victim of a swindler. He is passing himself off as a well-known
lawyer, Mark J. Silberman, to take your money.</DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'> </DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>If
you make contact - munged (at) gmail.com - you will know how he
acts.</DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'> </DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Report
to </DIV><A href="mailto:antispam_gdnoc@189.cn">antispam_gdnoc@189.cn</A>.</DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'> </DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Marilson</DIV></DIV>
<DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'></DIV>
<DIV style="FONT: 10pt tahoma">
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
title=anti-abuse-wg-request@ripe.net
href="mailto:anti-abuse-wg-request@ripe.net">anti-abuse-wg-request@ripe.net</A>
</DIV>
<DIV><B>Sent:</B> Sunday, November 20, 2016 9:00 AM</DIV>
<DIV><B>To:</B> <A title=anti-abuse-wg@ripe.net
href="mailto:anti-abuse-wg@ripe.net">anti-abuse-wg@ripe.net</A> </DIV>
<DIV><B>Subject:</B> anti-abuse-wg Digest, Vol 61, Issue 6</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Send
anti-abuse-wg mailing list submissions to<BR>anti-abuse-wg@ripe.net<BR><BR>To
subscribe or unsubscribe via the World Wide Web,
visit<BR>https://lists.ripe.net/mailman/listinfo/anti-abuse-wg<BR>or, via email,
send a message with subject or body 'help'
to<BR>anti-abuse-wg-request@ripe.net<BR><BR>You can reach the person managing
the list at<BR>anti-abuse-wg-owner@ripe.net<BR><BR>When replying, please edit
your Subject line so it is more specific<BR>than "Re: Contents of anti-abuse-wg
digest..."<BR><BR><BR>Today's Topics:<BR><BR> 1. Re: New on RIPE
Labs: Reasons Dynamic Addresses Change<BR>
(Ramakrishna)<BR> 2. What's the point in this type of spam ? (peter
h)<BR> 3. Re: What's the point in this type of spam ?
(ox)<BR><BR><BR>----------------------------------------------------------------------<BR><BR>Message:
1<BR>Date: Sat, 19 Nov 2016 06:41:43 -0800<BR>From: Ramakrishna
<ramapad@cs.umd.edu><BR>To: anti-abuse-wg@ripe.net<BR>Subject: Re:
[anti-abuse-wg] New on RIPE Labs: Reasons Dynamic<BR>Addresses
Change<BR>Message-ID:<BR><CAAYmKkJ3DjUf7bd9pUktFwr8QjV3QtNAWMF41VzTeFbqskE4kQ@mail.gmail.com><BR>Content-Type:
text/plain; charset="utf-8"<BR><BR>> ok... so first of all the address
changes within DTAG and most other<BR>german SOHO DSL providers, from what i
heard back then, goes back to the<BR>days of dialup... a couple of years ago
they apparently still were<BR>forced by law (or something) to also offer DSL on
a 'charge per time<BR>use' basis, and also disconnect virtual channels every
once in a while,<BR>something to do with anti-competition to the telephone
dialup network..<BR>which apparently is why most german dsl providers still do
that.<BR><BR>Ah, thanks for providing the historical context for why German
DSL<BR>providers change addresses so frequently. I am skeptical, however,
that<BR>there is a law requiring German DSL providers to disconnect
virtual<BR>channels 'every once in a while' because I asked several German
colleagues<BR>about such a law and they were unable to find one (I would be
delighted if<BR>you can point me to one!).<BR><BR>> secondly... if your
authentication and telling users apart has anything<BR>to do with layer 3, your
authentication method is just crap, not well<BR>thought of, etc.<BR><BR>There
are other use-cases for IP addresses as end-host identifiers that I<BR>outlined
in my post (such as counting the number of users in a system by<BR>counting the
number of distinct IP addresses). I am personally interested<BR>in measuring
outages by pinging IP addresses belonging to residential CPEs.<BR>My premise for
detecting outages is that an address that sends responses to<BR>active probes is
alive and well, and that a previously responsive address<BR>that has stopped
responding to probes could be experiencing an outage. This<BR>premise is
incorrect when I am pinging a dynamic address that has been<BR>withdrawn from
the CPE; thus, I would love to analyze dynamic reassignment<BR>behavior across
ISPs.<BR><BR>I agree that using IP addresses for identifying users for
authentication<BR>purposes isn't ideal but sometimes, IP addresses are the
easiest way to<BR>identify users. Other times, they are the only ways to
identify users. For<BR>example, if one is defending against a DoS attack, the
most straightforward<BR>and efficient approach is to blacklist that IP address
temporarily. How<BR>long that address can continue to remain in the blacklist is
the question<BR>that we aim to answer.<BR><BR>> as for wikipedia, it also
leaks ips all over the place. (basically<BR>inciting users to ddos each
other,although probably a less common result<BR>than with IRC.)<BR><BR>Well,
wikipedia is only one example of a well-known company that employs IP<BR>address
based blacklists. In private conversation with Google and
several<BR>content-delivery networks (including one where I interned earlier
this<BR>year), I learned that IP addresses are very much a part of
host-reputation<BR>systems. So although IP addresses as end-hosts isn't ideal,
it's a common<BR>assumption and our work shows that the assumption can actually
even be<BR>valid for weeks at a time in North American
ISPs.<BR><BR>Cheers,<BR>Rama<BR>http://www.cs.umd.edu/~ramapad/<BR>--------------
next part --------------<BR>An HTML attachment was scrubbed...<BR>URL:
<https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20161119/0ffe4c0a/attachment-0001.html><BR><BR>------------------------------<BR><BR>Message:
2<BR>Date: Sat, 19 Nov 2016 19:01:43 +0100<BR>From: peter h
<peter@hk.ipsec.se><BR>To: anti-abuse-wg@ripe.net<BR>Subject:
[anti-abuse-wg] What's the point in this type of spam ?<BR>Message-ID:
<201611191901.44498.peter@hk.ipsec.se><BR>Content-Type: text/plain;
charset="iso-8859-1"<BR><BR>The last days i have been sent a number of these
threats, they come from <BR>different addresses ( stolen computers ) but contain
no links or attatchements.<BR><BR>Is the goal to harass the gmail user ( it's
munged by me to protect an innocent person )<BR><BR><BR>Received: from
14.145.207.224 ([113.68.244.108])<BR>by ipsec.se (8.13.6/8.13.6) with SMTP id
uAILTOwC091474<BR>for <peter@ipsec.nu>; Fri, 18 Nov 2016 22:29:32 +0100
(CET)<BR>Message-Id: <201611182129.uAILTOwC091474@ipsec.se><BR>Received:
from unknown (HELO localhost) (mark.silberman78@gmail.com@177.205.66.120)<BR>by
113.68.244.108 with ESMTPA; Sat, 19 Nov 2016 05:29:22 +0800<BR>From:
m-**-.-munged-78@gmail.com<BR>To: peter@ipsec.nu<BR>Subject: You are
hacked!<BR>Date: Sat, 19 Nov 2016 05:21:56 +0800<BR>Content-Type: <BR>X-UID:
5404<BR>X-Length: 910<BR><BR>Your email peter@ipsec.nu has been hacked and spam
is sent to all your contacts!<BR>If you don't have a lawyer, you may contact me
at <BR><munged>@gmail.com<BR><BR>Best
Regards,<BR>M**-<BR>m**-.-munged-78@gmail.com<BR><BR>--
<BR> Peter H?kanson
<BR><BR> There's never money to do it
right, but always money to do it<BR>
again ... and again ... and again ... and
again.<BR> ( Det ?r billigare att g?ra
r?tt. Det ?r dyrt att laga fel.
)<BR><BR><BR><BR>------------------------------<BR><BR>Message: 3<BR>Date: Sun,
20 Nov 2016 07:53:34 +0200<BR>From: ox <andre@ox.co.za><BR>To: peter h
<peter@hk.ipsec.se><BR>Cc: anti-abuse-wg@ripe.net<BR>Subject: Re:
[anti-abuse-wg] What's the point in this type of spam ?<BR>Message-ID:
<mailman.2.1479639602.27612.anti-abuse-wg@ripe.net><BR>Content-Type:
text/plain; charset=US-ASCII<BR><BR>On Sat, 19 Nov 2016 19:01:43 +0100<BR>peter
h <peter@hk.ipsec.se> wrote:<BR>> The last days i have been sent a
number of these threats, they come<BR>> from different addresses ( stolen
computers ) but contain no links or<BR>> attatchements.<BR>> Is the goal
to harass the gmail user ( it's munged by me to protect<BR>> an innocent
person )<BR>><BR><BR>There is not a single one of the trillions of spams that
are senseless.<BR><BR>All spam has a reason to exist and no spam is ever
senseless - not even<BR>a single one...<BR><BR>There are a few goals with your
spam as it is rich with possibilities.<BR>The vast majority of spam only has a
singular goal and your spam is<BR>rich in possibilities :)<BR><BR>The most
obvious is to confuse/poison (some/basic) anti spam systems:<BR>> Received:
from 14.145.207.224 ([113.68.244.108])<BR>> Received: from unknown (HELO
localhost)<BR>> (mark.silberman78@gmail.com@177.205.66.120) by
113.68.244.108<BR><BR>My software handles any headers that deviate from the
expected with extreme care<BR>as there are only a limited number of reasons why
headers are different than expected <BR><BR>Other goals (and their are many with
your example of Shotgun spam<BR>(named after shotgun weddings) <BR><BR>Goals may
be to solicit a relationship with victims, cyber criminals are finding <BR>it
more challenging to open dialog and engage with shotgun victims<BR><BR>It may be
to target the @gmail account holder, to receive spam that<BR>Google will allow
as it will be from other victims (think denial of<BR>service or just to
attack/assault a gmail account holder)<BR><BR>and of course many other
reasons<BR><BR>hth<BR><BR>andre<BR><BR> <BR><BR>> <BR>> Received:
from 14.145.207.224 ([113.68.244.108])<BR>> by ipsec.se (8.13.6/8.13.6) with
SMTP id uAILTOwC091474<BR>> for <peter@ipsec.nu>; Fri, 18 Nov 2016
22:29:32 +0100 (CET)<BR>> Message-Id:
<201611182129.uAILTOwC091474@ipsec.se><BR>> Received: from unknown
(HELO localhost)<BR>> (mark.silberman78@gmail.com@177.205.66.120) by
113.68.244.108 with<BR>> ESMTPA; Sat, 19 Nov 2016 05:29:22 +0800
From:<BR>> m-**-.-munged-78@gmail.com To: peter@ipsec.nu<BR>> Subject: You
are hacked!<BR>> Date: Sat, 19 Nov 2016 05:21:56 +0800<BR>> Content-Type:
<BR>> X-UID: 5404<BR>> X-Length: 910<BR>> <BR>> Your email
peter@ipsec.nu has been hacked and spam is sent to all<BR>> your contacts! If
you don't have a lawyer, you may contact me at <BR>>
<munged>@gmail.com<BR>> <BR>> Best Regards,<BR>> M**-<BR>>
m**-.-munged-78@gmail.com<BR>> <BR><BR><BR><BR><BR>End of anti-abuse-wg
Digest, Vol 61, Issue
6<BR>********************************************<BR></DIV></DIV></DIV></BODY></HTML>