"An autoresponder asking people to fill out a webform should not be accepted as a valid solution"
Autoresponders/webforms should actually be encouraged, because a stand alone email address means that all a spammer/attacker has to do to is flood that email account with bogus data and the valid reports will either get lost amongst the genuine ones, or the inbox will become full. A CAPTCHA can increase the reliability of reports.
A ticket/web-form solution also removes the possibility of what i spoke about before, where administrators install spam filters on their email system and don't exclude the abuse email box from the spam filter, resulting in spam complaints being rejected.
-------- Original Message --------
Subject: Re: [anti-abuse-wg] [policy-announce] 2017-02 Review Phase
(Regular abuse-c Validation)
From: Thomas Hungenberg <t...@cert-bund.de>
Date: Tue, January 23, 2018 10:51 pm
To: anti-abuse-wg@ripe.net
On 22.01.2018 14:19, Gert Doering wrote:
> I do see the need for a working abuse contact, and I do see the need of
> sanctions in case a policy is violated, but "deregister all resources,
> because your mail server was broken when we tested" is too extreme
> (exaggeration for emphasis).
I fully agree a resource should not be withdrawn just because the
abuse-mailbox is (temporarily) invalid or the holder once misses
to complete the verification process in time - if he otherwise takes
care of malicious activity emerging from his resources.
However, I think RIPE-563 (and related policies) should state that
resource holders have to provide a valid abuse-mailbox which is
monitored on a regular basis and have to take care of complaints
regarding malicious activity reported to this mailbox.
An autoresponder asking people to fill out a webform should not be
accepted as a valid solution as this does not work for CERTs and
other security teams reporting hundreds of abuse cases per day to
the responsible resource owners (in an automated fashion).
Also, irrespective of how the abuse-c verification process will be
implemented, IMHO there is a need for a defined process on how resources
can be withdrawn (as a last resort) if the holder is constantly ignoring
abuse complaints or even wittingly accepts malicious activity emerging
from his resources (e.g. bullet proof hosting).
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
