Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Fi Shing
I agree, perhaps these internet companies would be happy if it took 15 days for 
each credit card payment to take place between that company and the customer 
when a new customer uses their services?
 
 
 
 
- Original Message -
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" 
Date: 1/14/20 8:34 am
To: "JORDI PALET MARTINEZ" 
Cc: "anti-abuse-wg" 

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:
 
 >I'm happy to hear other inputs, stats, data, etc.
 
 Having only just read the proposal, my comments are few:
 
 I do not understand parts of this, specifically:
 
 Section 2.0 bullet point #2. What's wrong with web forms?
 
 Section 3.0 part 3. Why on earth should it take 15 days for
 anyone to respond to an email?? Things on the Internet happen
 in milliseconds. If a provider is unable to respond to an issue
 within 72 hours then they might as well be dead, because they
 have abandoned all social responsibility.
 
 
 Regards,
 rfg


Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Ronald F. Guilmette
In message 
, 
Ángel González Berdasco
wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow to easily block
>those networks from accessing ours!

These are pretty much my sentiments exactly.

The only questions remaining are:

   1)   Should there just be a simple yes/no one-bit flag published for
each resource holder, or would a scale and a range of possible
"rating" values be more useful?

   2)   How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my
prior posting.


Regards,
rfg




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Ronald F. Guilmette
In message 
, 
Leo Vegoda  wrote:

>> I will love to have in the policy that they must be investigated and acted
>upon, but what I heard from the inputs in previous versions is that having
>that in policy is too much and no way to reach consensus
>
>I don't understand the value of requiring organizations who do not
>intend to investigate abuse reports to spend resources publishing an
>address from which they can acknowledge the reports - only to then
>delete those reports without doing anything.
>
>It creates hope for reporters and wastes the RIPE NCC's and the
>reporters' resources by forcing unwilling organizations to spend
>cycles on unproductive activity.
>
>Why not give networks two options?
>
>1. Publish a reliable method for people to submit abuse reports - and act
>on it
>2. Publish a statement to the effect that the network operator does
>not act on abuse reports
>
>This would save lots of wasted effort and give everyone more reliable
>information about the proportion of networks/operators who will and
>won't act on abuse reports.
>
>There might be some value in having the RIPE NCC cooperate with
>networks who want help checking that their abuse-c is working. But
>this proposal seems to move the RIPE NCC from the role of a helpful
>coordinator towards that of an investigator and judge.

Leo Vegoda has made a lot of very good points, and there is a lot
to unpack on this whole topic.  Unfortunately, I don't think that
I personally have enough time to unpack it all myself today.  But
I cannot avoid offering a few observations.

It certainly appears to me to be the case that few want RIPE NCC to
enter into the role of investigator, let alone judge, except when it
comes to the allocation of resources.  As I have been informed, time
and time again, matters of network abuse are out of scope for the
organization, and this is not at all likely to change.

Nonetheless, and regardless, ever since the day that RIPE NCC first
published an abuse reporting address in the data base, it has, in
effect, injected itself, even if only to a minimal degree, into
the relationship between a network abuse victim and the relevant
resource holders that have clear connections to the abuse source,
i.e. the IP block registrant and the relevant AS registrant.  It
is a bit late in the day now to undo this.  Abuse reporting addresses
have been published, and abuse victims now have a reasonable
expectation that using any one of them will have some finite and
non-zero effect.  Whenever that is not the case, the relevant abuse
victim may reasonably ask "Why did you, RIPE NCC, publish this abuse
reporting email address when sending to it was clearly an utter
waste of my time?"  This is false advertising on the face of it.
You cannot stand in the town square with a large sign that says
"Free money!" and then not deliver.  Even if it is not illegal
per se, it is exceptionally rude and anti-social, and responsible
adults should not go into the town square with such signs if they
cannot or will not deliver.

On the other hand, resource holders in the RIPE region, and also,
quite certainly, elsewhere continue to cling with almost religious
fervor to what they claim to be their God-given rights to be
irresponsible.  They are not by any means alone, and are simply
the Internet versions of gun manufacturers and coal companies.
The planet is awash in both corporate entities and individuals
that will defend to the death their "rights" to be irresponsible.
This will not change anytime soon, and the attitude among many
network operators, both in the RIPE region and elsewhere, can
perhaps best be summed up by paraphrasing a famous pronouncement
made years ago by the former head of the National Rifle Association
(NRA) here in the U.S. "You can have my social irresponsibility
when you pry it from my cold dead hands!"

It has been shown, repeatedly, that it is utterly futile to try to
engage any of the folks holding this general point of view, or to
try to reason with them and explain that in the long run, their
enterprises and the public reputations of those enterprises will
be materially harmed by their unwillingness to give a damn.  An
old adage is appropriate here -- "You can lead a horse to water,
but you can't make him drink."  It is empirically demonstrable
that a nearly religious fervor, borne, I'm sure, of the demented
ideology of Ayn Rand, when coupled with a determined and short-
sighted self interest, cannot be undone by words alone.

Thus we have an arguably untenable situation.  RIPE NCC has
irreversibly injected itself into the expectations of millions of
network abuse victims worldwide, even as it has less than zero
authority to actually do anything truly meaningful with respect
to their issues.  And this impasse is made even more blatantly
intractable by the adamant insistence of some network operators
that they have a divine right to be irresponsible if they so choose.

Where then lies a solution for this thorny dilemma?

Despit

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Ángel González Berdasco
Well, I do see the value of an option (a magic email value?) meaning "this 
entity supports the use of its network for abusive purposes and will take no 
action on any abuse report".

That would save time for everyone involved, and would allow to easily block 
those networks from accessing ours!




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Ronald F. Guilmette
In message <55d65bf8-a430-4bdc-ae58-63ff3dca4...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>Section 2.0 bullet point #2.  What's wrong with web forms?
>
>If I need to use a web form, which is not standard, for every abuse report...

OHHH!  Your proposal did not make it at all clear that the
web forms you were making reference to were ones that the resource
holder might put in place in order to provide a way for abuse 
victims to file a report.

I agree completely that those things are intolerable, and I will go
further and say that any resource holder who puts such a form online
should properly be consigned to the fifth ring of hell.

Sorry!  I had misconstrued.  When your proposal mentioned web forms
I had assumed that you were making reference to some form that the
RIPE NCC might put online and that the resources holders would need
to type something into (e.g. a unique magic cookie) in order to
fully confirm that they are in fact receiving emails to their
documented abuse reporting email addresses.

I think that the verification email messages that RIPE NCC sends out
to resource holders should indeed contain a link to a web form, on the RIPE
web site, where the recipient resource holder should be required to
make at least some minimal demonstration that it has at least one
actual conscious and sentient human being looking at the inbound
emails that are sent to its abuse address.

Please clarify in your proposal what exactly your use of the term
"web form" was intended to convey.  Thank you.

>Section 3.0 part 3.  Why on earth should it take 15 days for
>anyone to respond to an email??  Things on the Internet happen
>in milliseconds.  If a provider is unable to respond to an issue
>within 72 hours then they might as well be dead, because they
>have abandoned all social responsibility.
>
>I fully agree! My original proposal was only 3 working days, but the
>community told me "no way". This was the same input I got in APNIC
>and LACNIC (in both regions it reached consensus with 15 days).
>
>So, I will keep 15 days ...

I think this is provable, and also transparently obvious and colossal
bullshit, but that's just my opinion.

I say again.  Things happen on the Internet in milliseconds.  Any
service provider that can't react to an email within 72 hours should
be removed from the Internet of Responsible Adults and relegated to
the agricultural industry, or to the study of geology, or at any rate
to some profession where things are calm and leisurely, perhaps
including the delivery of regular postal mail.

If anyone wants to make his fortune by being an absentee landlord,
just gathering in revenue and not taking any day to day responsibility
for anything, let them get into the vacation rentals business and get
the  off the Internet.


Regards,
rfg



Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Leo Vegoda
On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg
 wrote:

[...]

> I will love to have in the policy that they must be investigated and acted 
> upon, but what I heard from the inputs in previous versions is that having 
> that in policy is too much and no way to reach consensus …

I don't understand the value of requiring organizations who do not
intend to investigate abuse reports to spend resources publishing an
address from which they can acknowledge the reports - only to then
delete those reports without doing anything.

It creates hope for reporters and wastes the RIPE NCC's and the
reporters' resources by forcing unwilling organizations to spend
cycles on unproductive activity.

Why not give networks two options?

1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does
not act on abuse reports

This would save lots of wasted effort and give everyone more reliable
information about the proportion of networks/operators who will and
won't act on abuse reports.

There might be some value in having the RIPE NCC cooperate with
networks who want help checking that their abuse-c is working. But
this proposal seems to move the RIPE NCC from the role of a helpful
coordinator towards that of an investigator and judge.



Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Randy,

As I just said, ideally we should ask for abuse-c reports to be processed, but I 
know many folks don't like it.

But at least, we need to make sure that if you have an abuse-c, it is a "real" 
and "working" one so you're able to actually send the reports there. If 
ignored, that's another problem.

I don't know if in Spain the law says that you must have a post box, or if you are 
violating the law if it is full and the extra post that you get is going to make 
the street dirty (in this case you're violating a different law). I'm not 
asking to go there. I'm asking to have a functional mailbox, not how you 
operate your abuse cases.

On 13/1/20 18:53, "anti-abuse-wg on behalf of Randy Bush" 
 wrote:

well, not exactly as i see it.  abuse-c: is the op's way of saying
"please send any abuse related information here."  it is not a legal or
social contract to act on it (and i suspect that next year the wannabe
net police will want to enumerate exactly *how* they must act in 93
different circumstances), read it, reply to it, ...

dunno about spain, but most jurisdictions i know say post is delivered
to my post box, but not what i must do with it.

randy





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.







Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Ronald,

 

On 13/1/20 22:34, "Ronald F. Guilmette"  wrote:

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:

>I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parts of this, specifically:

Section 2.0 bullet point #2.  What's wrong with web forms?

If I need to use a web form, which is not standard, for every abuse report that 
I need to submit, there is not sufficient time in the world to fill them all. 
Every ISP has their own URL, forms with different fields, etc. You want to 
develop tools for each ISP in the world that decides to use a form to automate 
the abuse submission process?

Instead, ensuring that you are able to use, for example fail2ban, means that 
any abuse case is automatically reported via email (including the logs to prove 
the abuse).

Section 3.0 part 3.  Why on earth should it take 15 days for
anyone to respond to an email??  Things on the Internet happen
in milliseconds.  If a provider is unable to respond to an issue
within 72 hours then they might as well be dead, because they
have abandoned all social responsibility.
 
I fully agree! My original proposal was only 3 working days, but the community 
told me "no way". This was the same input I got in APNIC and LACNIC (in both 
regions it reached consensus with 15 days).

So, I will keep 15 days ...


Regards,
rfg












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Leo,

 

 

On 13/1/20 18:16, "Leo Vegoda"  wrote:

 

Hi Jordi, all,

 

On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi all,

I'm working in a new version of the proposal 2019-04 (Validation of 
"abuse-mailbox").

In the last discussion phase, the only detailed response to this proposal that 
I got was from Carlos Friacas (which I will respond in detail later-on, as this 
may also help to revive the discussion).

The main question/issue here is still that the actual policy is just a 
"technical validation". It confirms that there is a mailbox but it doesn't 
confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the 
abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the 
abuse reports, or even worse, not full

Anything not fulfilling that is useless (as will not fulfil the mission for 
that mailbox), and then we don't need an abuse-c at all.

 

Can you please clarify what you mean by "fulfil the mission for that mailbox" 
and the "intended 

 

I was referring to the goal of the abuse-c (even without this policy 
proposal). Why do we want it if it is not a real one, able to get abuse reports, and 
so on?

 

purpose" you mention in section 3.1 of the new text? The reason I ask is that 
the purpose does not seem to be defined in an earlier section. My reading of 
what you have written is that if this became policy it would require that reports 
can be made and that these reports must be acknowledged. But it seems that 
there would be no obligation for reports to be investigated or acted upon.

 

I will love to have in the policy that they must be investigated and acted 
upon, but what I heard from the inputs in previous versions is that having that 
in policy is too much and no way to reach consensus …

 

Have I misunderstood what is intended?

 

Thanks,

 

Leo Vegoda






Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Ronald F. Guilmette
In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:

>I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parts of this, specifically:

Section 2.0 bullet point #2.  What's wrong with web forms?

Section 3.0 part 3.  Why on earth should it take 15 days for
anyone to respond to an email??  Things on the Internet happen
in milliseconds.  If a provider is unable to respond to an issue
within 72 hours then they might as well be dead, because they
have abandoned all social responsibility.


Regards,
rfg




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Randy Bush
well, not exactly as i see it.  abuse-c: is the op's way of saying
"please send any abuse related information here."  it is not a legal or
social contract to act on it (and i suspect that next year the wannabe
net police will want to enumerate exactly *how* they must act in 93
different circumstances), read it, reply to it, ...

dunno about spain, but most jurisdictions i know say post is delivered
to my post box, but not what i must do with it.

randy



Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread Leo Vegoda
Hi Jordi, all,

On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Hi all,
>
> I'm working in a new version of the proposal 2019-04 (Validation of
> "abuse-mailbox").
>
> In the last discussion phase, the only detailed response to this proposal
> that I got was from Carlos Friacas (which I will respond in detail
> later-on, as this may also help to revive the discussion).
>
> The main question/issue here is still that the actual policy is just a
> "technical validation". It confirms that there is a mailbox but it doesn't
> confirm that:
> 1) Accept emails for abuse reporting
> 2) The mailbox is the right one and not from someone else, not related to
> the abuse processing
> 3) The mailbox is attended and not a black-hole, so nobody pays attention
> to the abuse reports, or even worse, not full
>
> Anything not fulfilling that is useless (as will not fulfil the mission
> for that mailbox), and then we don't need an abuse-c at all.


Can you please clarify what you mean by "fulfil the mission for that
mailbox" and the "intended purpose" you mention in section 3.1 of the new
text? The reason I ask is that the purpose does not seem to be defined in
an earlier section. My reading of what you have written is that if this became
policy it would require that reports can be made and that these reports
must be acknowledged. But it seems that there would be no obligation for
reports to be investigated or acted upon.

Have I misunderstood what is intended?

Thanks,

Leo Vegoda


[anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi all,

I'm working in a new version of the proposal 2019-04 (Validation of 
"abuse-mailbox").

In the last discussion phase, the only detailed response to this proposal that 
I got was from Carlos Friacas (which I will respond in detail later-on, as this 
may also help to revive the discussion).

The main question/issue here is still that the actual policy is just a 
"technical validation". It confirms that there is a mailbox but it doesn't 
confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the 
abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the 
abuse reports, or even worse, not full

Anything not fulfilling that is useless (as will not fulfil the mission for 
that mailbox), and then we don't need an abuse-c at all.

Even more, I think we can say that an invalid contact, it is against the role 
of the RIR for having accurate data.

It will be interesting if the staff can provide actual data from the existing 
policy (ripe-705), such as:
1) Has the validation already been performed in all the contacts or only a % of 
the LIRs and end-users?
2) How many have failed in the first run?
3) After that failure (for those that failed), have the contacts been updated, 
or only a % of them? Has this helped to locate "not anymore existing LIRs or 
end-users"? How much time, on average, does it take for the invalid contacts to be 
corrected? Have they been validated again after some months?
4) How many (%) of those that didn't fail we know that are real abuse-c 
contacts and not just an existing mailbox that may be not from the right 
person/team, or even bouncing emails or nobody reading them?

I'm happy to hear other inputs, stats, data, etc.

Regards,
Jordi
@jordipalet
 
 


