Abuse of service

CARNET's Abuse Service (eng. abuse = misuse) receives and processes reports related to computer security incidents and misuse of CARNET resources.

Users of the CARNET Abuse service are all persons who report an incident or violation of acceptable online behavior committed by a user of the CARNET network. The reporter themselves does not have to be a user of the CARNET network.

The facts stated in the received incident report are the primary starting point for every action. The Abuse department responsibly and accurately examines the available data to take further steps. Each report is classified according to the specified incident division. If the Department receives a report indicating multiple potential violations, the one deemed most severe is processed first. The Department respects user privacy and uses data in the manner described in the department's operating rules. The Department provides data to third parties exclusively based on a court order or at the request of the police during an investigation. All correspondence is archived.

You can contact CARNET's Abuse service by email at abuse@carnet.hr or by phone at +385 1 6661 655.

Computer incident reports are sent exclusively by email to abuse@carnet.hr.

CARNET's Abuse service operating hours are from 9 AM to 4 PM.

In accordance with the Electronic Communications Act, CARNET, as an internet service provider, is obligated to retain data related to user internet connections. Consequently, CARNET maintains a database of its users' connections. Furthermore, the same law obligates public communication network operators and publicly available electronic communication service providers to retain data on electronic communications necessary for determining the origin, destination, time, duration, and type of communication. It is prohibited to retain data that reveals the content of communication. CARNET's Abuse service responds exclusively to user reports via email. Retained data is disclosed exclusively to employees of the Ministry of the Interior and the Ministry of Justice upon presentation of a court order.

CARNET's Abuse service warns and sanctions users of the CARNET network who have violated any of the provisions „Decisions on Acceptable Use of the CARNET Network” these generally accepted norms of user behavior in communication between individuals or users in group communication.

In short, they are:

• spam – unwanted, usually advertising messages that are distributed to a disproportionately large number of users
• copyright infringement – distribution of content such as pirated software, music, movies, which is protected by the Copyright Act
• unauthorized access – (successful or unsuccessful) attempt to access someone else's computer without permission
• injury netiquette 
• Rules for opening, administering, and using user accounts on CARNET's public server
• Malware: (viruses, worms, trojans).

In more detail

• Viruses – malicious codes with self-replication capabilities; they add their code to an existing executable file, waiting for the „infected” file to be used to reactivate themselves.
• Worms – malicious code with the ability to self-replicate, which spread by copying their entire content through a communication medium, e.g., email
• Trojans – malicious codes that pose as harmless applications and require some user action to install
• Denial of ServiceDenial of Service) – a type of denial of service attack that typically overloads a specific service or network
• DDoS (Distributed Denial of Service) – a type of denial-of-service attack in which the sources of overwhelming network traffic are distributed across multiple locations on the internet
• Phishing - a set of activities in which unauthorized users, using fake emails and fake websites, e.g., of financial organizations, try to trick users into revealing confidential personal information.
  

Incidents are typically reported to Abuse departments responsible for the networks from which the attack originates. Therefore, in case of an attack on your computer, it is necessary to determine the network from which the attack is coming and report the incident to the Abuse department responsible for that network. Computers on the internet are identified by IP addresses, so it is necessary to determine the IP address of the attacker or the source of the e-mail and establish which Internet Service Provider it belongs to. Jurisdiction over IP space is divided among Regional Internet Registries.

Jurisdiction over a specific IP address can be checked on the following pages:

• Europe – RIPE
• North America – ARIN
• Latin America – LACNIC
• Asia and Pacific – APNIC
• Africa – AFRINIC.

Since it is not always easy to determine the source of an attack, if the network cannot be easily identified, send the report to your ISP's Abuse department. If the incident occurred within your organization, contact your system administrator. Report the incident to the National CERT (to the email address incident@cert.hr) if your report to the competent Abuse department has not stopped illegal network activity and therefore there is a need for intervention in resolving the incident.

For the application to be correct, it must contain the following information:

• Brief and clear description of the incident (what the user is complaining about)
• log file snippet or message header where it is clearly visible:
  • Attacker's IP address
  • date, time, and time zone of the attack.

If you are reporting spam or an off-topic Usenet message, you must also include the message content (examples of a correct spam report and a correct off-topic post report can be found in the FAQs on this page).

You can see how to get to the email header in one of the answers on this page, as well as how to get to a Usenet message header.

It is important to note that IP addresses for broadband internet access services change with each connection, so the IP address alone is not sufficient for definitively identifying users. Therefore, it is important to state the exact time of the incident with the time zone for each IP address, to the second.

All time zones are defined in relation to Coordinated Universal Time (Coordinated Universal Time – UTC). The reference point for time zones is the prime meridian that passes through the Royal Observatory in Greenwich, London. That is why the term „Greenwich Mean Time” is still often used today.Greenwich Mean Time - GMT). For example, Croatia is in the CET time zone, which corresponds to UTC+1. If it's 2 PM in Croatia, it's 1 PM UTC. During daylight saving time, CEST time, which corresponds to the UTC+2 time zone, is used instead of CET time.

Unacceptable behavior on the CARNET network is defined by the document „Decision on Acceptable Use of the CARNET Network” to generally accepted norms of user behavior in communication between individuals or users in group communication. Any prohibited action described in the rulebook or code of conduct is subject to sanctions by CARNET's Abuse Service in the form of a warning, and in case of repeated behavior or more serious incidents, temporary or permanent denial of internet access service.

Some unacceptable behaviors include:

• distribution of copyrighted material
• Sale or lending of one's own and use of another's electronic identity
• disseminating offensive, demeaning, or discriminatory material
• sending unsolicited emails
• disabling or disrupting the operation of an individual service
• malware distribution
• seeking security vulnerabilities without the permission of the owner of the system being tested
• data destruction
• invasion of privacy.

Also, in case of serious offenses, CARNET's Abuse service will report actions prohibited by the laws of the Republic of Croatia to the competent state authorities.

For example, the Criminal Code prohibits:

• spread of racial and other discrimination
• distribution, procurement, and possession of child pornography on a computer system, violation of the secrecy, integrity, and availability of computer data, programs, or systems
• Computer forgery
• computer fraud.
  

It can be assumed that the computer is infected with a virus if problems such as the following occur:

• significantly slowed computer performance
• Unknown programs launch themselves (usually in multiple instances)
• unexplained computer shutdowns or restarts
• loss of functionality of computer protection programs (antivirus, antispyware)
• some other explicitly non-standard behaviors
• Some websites cannot be opened (typically antivirus software manufacturer websites).
• The requested web pages are not opening, but some other pages are.
• There are also some symptoms that are a bit harder to check, such as unknown processes running in the background.
  

To report an unwanted email correctly, it must contain the following information:

• The subject line or message body must clearly state that it is an unsolicited email.
• the header of the disputed message is mandatory where this is clearly visible
• Attacker's IP address
• date, exact time, and time zone of the attack
• copy of the part of the message that proves it's spam.

It is important to note that IP addresses for broadband internet access services change with each connection, so the IP address alone is not sufficient for definitively identifying users. Therefore, it is important to state the exact time of the incident with the time zone for each IP address, to the second.

I received the following spam message:

From xxx@yahoo.com Sun Nov 6 21:40:21 2005

Received: from localhost (xxx.xxx.carnet.hr [999.999.999.999]) by mars.aros.net (8.13.3/8.13.1) with SMTP id jA74eJUr088160 for ; Sun, 1 Nov 2005 21:40:21 -0700 (MST) (envelope-from geoffrey@yahoo.com)

Mon, 01 Nov 2005 05:40:16 +0100

From: “Fried”

To:

Subject: Best quality drags

Message-ID: <000601c5e0b8$c128d490$f95bcf52@pc>

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary=”----=_NextPart_000_0003_01C5E0C9.82D73F40"

X-Priority: 3 X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced by Microsoft MimeOLE V6.00.2900.2180

X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on mars.aros.net

X-Virus-Status: Clean

If you are reporting an email-related incident, such as receiving a message with a virus or spam, you will need the full message header for proper incident reporting. The content of the “From:” field alone is not sufficient for correctly identifying the sender of the disputed message, as it is most often forged.

Below are brief instructions to help you find the message header in several popular email clients.

• Outlook Express – In the list of received messages, right-click on the message in question to activate the drop-down menu, and select “Properties” from it. A tab will appear; select “Details” on it. The email header is located in the text box. Right-click anywhere within the box. In the drop-down menu, select “Select all”. The header text will darken. Right-click anywhere in the text again, and this time select “Copy” from the drop-down menu.
• Mozilla Thunderbird – In the list of received messages, click to highlight the message in question. Press “Ctrl” and “U” simultaneously on your keyboard. A new window will open, which will contain the message and its entire header.
• Eudora – In the list of received messages, double-clicking on the problematic email will open it in a separate window. The displayed message does not contain the full header. To see it, click on the icon that says “Blah blah,” which will add the full header to the beginning of the message.
• Gmail webmail service – After opening the disputed message on the line where the sender's name is located, click the arrow next to the button. After the menu opens, select “Show original,” which will open a new window with the email headers.
• Netscape Mail 6 – select message, from menu View select an option Headers -> All. The message header will appear in the message window, then click the icon Forward or from the menu Message select an option Forward.
  

There are several ways attackers can get your email address.

The most common ways are:

• a person whose computer is infected with a virus has your email address in their address book
• You entered your email address on a website you can't be sure will keep your data safe.
• You posted your email address in a publicly accessible place (website, news group, forum
• you subscribed to mailing lists (even if they don't provide a subscriber list, an attacker might have managed to illegally obtain the list).
  

It's important to note the purpose of reporting off-topic posts to CARNET's Abuse service. For the work to be carried out with quality, it is essential to receive quality and well-founded reports from users, especially since the Abuse service cannot actively monitor all active news groups, primarily due to their numbers. Users should report instances of targeted and repeated crossposting, intentional disruption of discussion participants, severe and targeted insults, intentional posting of off-topic messages, and so on. Reporting every misspoken word, borderline off-topic posts, accidental off-topic posts, and so on, is counterproductive and does not contribute to establishing order. Usenet.

After you conclude that you can submit an application, first describe in one or two sentences what you are complaining about, and then attach a detailed header of the contested document. mail content mail.

I am reporting your user for sending an off-topic message because it to news the group that deals with hardware offers sent a message requesting hardware, despite the existence of the hr.potraznja.hardver group.

Path: Iskon!fu-berlin.de!news.glorb.com!nntp-server.pubsub.com!CARNet.hr!not-for-mail From: “roginator” ” ) >

Newsgroups: hr.classifieds.hardware

Subject: Buying Hardware

Date: Wed, 2 Nov 2005 19:56:25 +0100

Organization: CARNET, Croatia

5 lines

Message-ID:

NNTP-Posting-Host: xxx.xxx.carnet.hr

X-Trace: xxx.srce.hr 1130957786 9184 999.999.999.999 (1 Nov 2005 18:56:26 GMT)

X-Complaints-To: abuse@carnet.hr

NNTP-Posting-Date: Wed, 1 Nov 2005 18:56:26 +0000 (UTC)

X-Priority: 3

X-MSMail-Priority: Normal

X-Newsreader: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-RFC2646: Format=Flowed; Original

X-Antivirus: avast! (VPS 0543-2, 10/27/2005), Outbound message

X-Antivirus-Status: Clean

Xref: Iskon hr.offer.hardware:33531

Are you reporting an incident related to Usenet, for example, a nethema-less post, you will need the full message header for proper incident reporting. The content of the “From:” field alone is not sufficient for correct identification of the sender of the disputed message.

Below are brief instructions to help you access the message header for several of the more popular news clients.

• Outlook Express – select the message and press the CTRL and F3 keys simultaneously. In the window Message source A message will appear with the entire header, so select all the content in the window and copy it,.
• Mozilla Thunderbird – In the list of received messages, click to highlight the message in question. Press “Ctrl” and “U” simultaneously on your keyboard. A new window will open, which will contain the message and its entire header.
• Google Groups – select message, click Show Options and then on Show Original. Copy the complete header and message and send it to the relevant Abuse department.
  

Scammers often copy the visual appearance of real emails from banks and other companies. Recently, fake messages have been completely identical to the originals, however, there are certain details that reveal the scam:

• The message is asking for personal information
• Message authenticity
• links
• email bodybody) is a picture
• unrealistic promises.

In any case, no one has the right, not even a system engineer maintaining the email server, to ask for your user password. Your user password is secret and known only to you, and you should use it responsibly. Phishing Websites are difficult to recognize because attackers copy the visual identity of legitimate sites very well.

Such fake pages often have the following characteristics:

• The website domain is similar to a legitimate site's domain, but not exactly the same
• The login page where you enter your password is not https, but http.
• even if protected https access exists, the site's certificate is invalid.
  

Some firewalls, especially if configured to be more sensitive, report certain actions (which other applications consider normal and use them to function) as intrusion attempts. If you notice this happening frequently, under different conditions, it's very likely a mass computer scan. This phenomenon is an indicator of an intrusion attempt, but if your operating system is updated, the danger is minimal. You do not need to report such attacks because there are services that report such attacks with all necessary data to the competent abuse services.

CARNET's Abuse service uses the AAI@EduHr authentication and authorization infrastructure of science and higher education and the HUSO system infrastructureHosting (service for secondary and primary schools). Accordingly, CARNET's Abuse service uses the email address obtained from each institution's LDAP directory, the HUSO system, and the internal database of member institutions.

For academic institution users, the login is sent to the email address defined in the institution's LDAP directory. Depending on the institution, users can contact their institution's system administrator to change the address. CARNET's Abuse service cannot change email addresses.

For students and teachers, the application is sent to the email address defined in the HUSO system. These addresses are in the format name.surname@skole.hr and cannot be changed.

Incident reports originating from IP ranges of institutions or schools should be sent to the e-mail addresses of CARNET system engineers, i.e., resource administrators listed in the CARNET Service for Members database. For a specific institution, and upon request from a CARNET coordinator or directory administrator, reports can be sent to an arbitrary address.

CARNET's Abuse service does not provide support for configuring antivirus or other programs. For assistance with program configuration, please contact the appropriate service of the program's manufacturer that you are using.

CARNET's Abuse department does not provide support for cleaning computers of malware, reinstalling operating systems, installing antivirus and other tools, etc. The Abuse department may offer advice on recommended practices for computer system protection.

Unless it was intentionally caused by direct user action, the computer has been infected with a virus that is sending out unwanted emails (spam).

The first thing that needs to be done is to scan computers connected to the internet with antivirus and Antispyware There are free scanning tools as well as commercial versions. 

Since no security system is 100 percent effective, it's possible for an antivirus tool to report that a computer has been cleaned when it actually hasn't. There are situations where malware goes undetected and continues to cause problems. As a final and safest solution to the problem, it's necessary to reinstall the operating system, install all patches, and install an antivirus program and firewall. firewall).

It is also important to note that all that malware needs to send unwanted messages is an internet connection port 25 (SMTP port). Removal mail software (like MS Outlook, Mozilla Thunderbird my computer has no effect because the malware has built-in mail client used to send spam. As a temporary measure, until the problem is resolved otherwise, it is possible to set up a firewall to block network traffic to port 25 This way, it prevents any email from being sent, even through email clients.

As a final and most secure solution to the problem, the operating system needs to be reinstalled, all patches installed, and an antivirus program and firewall installed.

Once the problem is resolved and the computer is cleaned, it would definitely be advisable to take preventive steps so that the problem does not recur. It is good practice to disable the use of the computer with administrative privileges and create user accounts with the minimal privileges necessary to perform the tasks for which the computer is intended. We also recommend using one of the tools that can restore the computer to its original, previously saved state. After saving the state of a computer that is known to be working correctly and “virus-free” (for example, after a fresh operating system installation), it is possible, in case of problems, to restore the computer to its original uncompromised state in a relatively simple and quick way. There is a free Microsoft tool for this purpose. Steady State or commercial solutions like tools Deep Freeze. More information can be found on the page sys.portal.

Please inform us about the resolution of the issue via email, including the relevant incident ID in the subject line.

As with sending an unsolicited email, if not intentionally caused by a direct user action, the computer is infected with a virus that is attempting to gain unauthorized access to another computer system.

The first thing that needs to be done is to scan computers connected to the internet with antivirus and Anti-spywareand tools. There are free scanning tools as well as commercial variants. 

Since no security system is 100 percent effective, it's possible for an antivirus program to report that a computer is clean when it's not. There are situations where malware goes undetected and continues to cause problems. As a final and most secure solution to the problem, it is necessary to reinstall the operating system, install all patches, and install an antivirus program and firewall.

Once the problem is removed and the computer is cleaned, it would certainly be advisable to take preventive steps so that the problem does not recur. It is good practice to disable computer use with administrative privileges and create user accounts with the minimum privileges necessary to perform the tasks for which the computer is intended. We also recommend using one of the tools that have the ability to restore the computer to its original, previously saved state. After saving the state of a computer known to be correct and „virus-free” (for example, after a fresh operating system installation), it is possible, in case of problems, to restore the computer to its original uncompromised state in a relatively simple and fast way. For this purpose, there is a free Microsoft tool Steady State or commercial solutions like tools Deep Freeze. More information can be found on the page sys.portal.

Please inform us about the resolution of the issue via email, including the relevant incident ID in the subject line.

Unfortunately, malware creators have become increasingly ingenious in how they evade detection by antivirus tools. There is no guarantee that any of the tools will clean all malicious software, so it is possible that the computer is still infected even if the antivirus tool reports it as clean.

The only way to be sure your computer is completely clean is to reinstall the operating system.

Today, there is no security system in the world that will protect you 100% from viruses and other malicious software. What can be done is to reduce the chance of computer infection with security tools (like antivirus, Antispyware and firewall), a more secure operating system configuration, and more cautious use of email clients and web browsers.

You can find more about this topic on this website in the section „Online safety”.

According to CARNET's document „Decision on Acceptable Use of the CARNET Network” Distribution and downloading of copyrighted content is prohibited. Reproduction, distribution, storage, or processing of a copyrighted work is also prohibited by the Copyright and Related Rights Act. Copyrighted works also include films, computer games, and computer programs for which the author has not explicitly given permission for download or distribution.

After receiving a notice from CARNET's Abuse Service, you must remove the disputed material and be sure to notify CARNET's Abuse Service by replying to the received email. You must also cease any further copyright infringements.

Reproduction, distribution, storage, or processing of copyrighted material is prohibited by the Copyright and Related Rights Act. This legal provision also applies to the distribution and download of movies, games, computer programs, and other materials via the internet.

So, downloading copyrighted content via the internet is not allowed!

No, peer-to-peer protocols are not forbidden. By the laws of the Republic of Croatia and CARNET's document „Decision on Acceptable Use of the CARNET Network” Distribution and downloading of content protected by the Copyright and Related Rights Act are prohibited.

In other words, the use of peer-to-peer Protocols for exchanging computer games, movies, applications, and other material copyrighted by the author are not permitted.

Complaint of infringement netiquette you received because you violated one of the generally accepted norms of behavior in communication within the group. More about netiquette can you find Here.

This behavior needs to stop in further communication by Usenet service.

A user who has been sanctioned through CARNET's Abuse service has the right to appeal to the Director of CARNET. The appeal must be submitted in writing, and the Director of CARNET will decide on the appeal within 30 days of the appeal being submitted.

You can enable forwarding in the following way:

• Log in to the school webmail system at https://webmail.skole.hr/
• Click on the “Filters” option and then on the “Forward” option”
• Enter one or more email addresses to which you want messages to be forwarded
• If you want copies of messages to remain on the account, select that option by checking the box.
• Click the “Save” button to save the settings.

More information about CARNET's webmail system can be found at CARNET webmail.