In message <CAN2rHV-3zebUg4p9wRAwXS_hxCWnOsysTeqFxErWFx=ejwo...@mail.gmail.com> Amy Potter <[email protected]> wrote:
>*Problem Statement:* > >The current abuse contact fields are not sufficient for the abuse reporting >mechanisms most frequently used today. For many network providers, the >process for dealing with network abuse usually starts with a web page. The >web page provides instructions and may offer forms for describing the abuse >and uploading supporting material of the nature that the service provider >needs in order to take action. It would be helpful for these organizations >if the abuse contact had a specific field for a machine-readable abuse URI. 99% of all online abuse has been and is still email spam. Responsible providers long ago recognized this and implemented blocks on outbound port 25 TCP connections other than to that subset of their customers for whom they have a high level of trust. Such blocks have essentially eliminated the outbound spam problem even for the largest of providers (e.g. Comcast, etc.) Sadly, many providers, for whatever (cockamamie?) resons have decided not to go that route and thus, nowadays essentially all email spam that all of us receive comes from those providers, i.e. the ones that are either too lazy or too inept to do the Right Thing. These providers shift the burden of dealing wth their own spam outflows onto the recipients. They do so every bit as much as the spammers themselves shift the costs of their advertising onto the recipients. So our mailboxes fill up with spam. This is part of the price we pay to be open to accepting inbound email from almost anyplace on earth. The providers who are either too lazy or too inept to implement any sorts of preventative measures... i.e. to stop spam from even leaving their networks in the first place... are also, it seems, too lazy and/or inept to even read or deal with the emailed reports sent to them by the 0.01% of spam recipients who take the time to report spams to the relevant providers. These lazy providers complain incessantly that they "don't have the manpower" or don't have the resources to even read "all of those damn spam complaints", at least if the complaints in question come to them via the exact same medium that was the medium used to commit the abuse in the first place., i.e. email. Apparently, what's good for the goose is not also good for the gander. Many providers think nothing of -my- time or -my- overflowing email inbox, but when it comes to -their- inboxes, they just can't be bothered to read even just the tiny fraction of the email complaints that are generated as a result of their own spammer customers. So instead they propose this "solution" i.e. to force all spam recipients to jump through the hoops of each provider's own unique (and often Rube Goldberg inspired) convoluted web maze, just to tell them that they have a spamming customer. This "solution" begs many obvious questions. First, how is it in any way less labor intensive to read and understand the nature of an abuse complaint if the complaint in question is sent in via a web form as opposed to via email? Either way, some living person who is prsumably made out of flesh and bone must read and try to make sense of the report. So this "solution" quite obviously doesn't provide any help AT ALL with regards to reducing the manpower required to properly analyze and then properly act on abuse complaints. Second, if a given provider is so overwhelmed by its incoming flood of abuse complaints that it starts searching for some "solution" to lighten the load, then shouldn't that incoming flood of abuse complaints itself be treated as a huge red flag, indicating that the provider in question is doing a perfectly abysmal job at either vetting its own clients or at disiplining them when and if they become abusive? (Universities, government departments, and private firms, despite often having a lot users and a lot of IP real estate, never seem to complain that *they* are being overwhelmed by floods of incoming abuse complaints. Maybe it is because *they* act responsibly to disipline their wayward users whle -commercial- ISPs often shrik their responsibilities for doing so.) Once again, the "solution" for an overwehlming flood of incoming abuse complaints is -not- to simply add some additional layer of complexity and automation. The solution is to fix the actual problem, which is the massive spam outflow, and the reasons for it. (But that would require some amount of thinking and self-conscious introspection, which I gather is too high a bar of expectations to place upon many commericial ISPs.) Lastly, the question arises of how exactly it is in any way ethically defensible for any provider to first (a) shift the burden of spam onto recipients elsewhere (i.e. by failing to control it at the source) and yet also (b) demand from spam recipients uncompensated free labor, i.e. figuring out each different provider's unique abuse reporting web form. This is, I think, quite clearly just adding insult to injury. Provider XYZ fails to control its own customer base, so I get spammed by one of XYZ's customers, but then XYZ refuses to even allow me to tell them about that unless I first pass a CAPTCHA�and then also take and pass an even further Turing Test as I attempt to navigate my way past their unique and typically convoluted and confusing web reporting form, all just for the unparalled pleasure of having them send my well crafted report to /dev/null, because after all, the customer is paying them and I'm not. The "solution" to abuse reporting isn't automation and it isn't web forms. It's persuading commercial ISPs to give a damn. (Universities, government departments, and private firms such as Lockheed Martin, Hewlett Packard, U.S. Steel, and the flower shop down the street from me always have and always will give a damn. The commercial ISPs... not so much.) In case I have been in the least bit ambiguous, I oppose the proposal for all of the foregoing reasons. If adopted, its main effect will be to further perpetuate the problem of network abuse. Regards, rfg
_______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact [email protected] if you experience any issues.
