Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Maybe I’m not using the right wording.

What I’m suggesting is and “intermediation” but automated. NCC staff doesn’t 
“see” anything, just goes thru a system that logs everything and forwards to 
each other party.

 

El 17/1/20 13:04, "Volker Greimann"  escribió:

 

Hmm, if you include RIPE NCC in all responses, you will greatly increase the 
overhead and noise to signal ratio it has to deal with. It may be better to 
maintain the ability to audit the responses. instead of receiving them all.
-- 
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, 
Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England 
and Wales with company number 8576358.

 

 

On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

I will be fine with this (having RIPE NCC as an intermediator just to send the 
abuse report), if instead of a web form (or in addition to it), it is possible 
to automate it, for example RIPE NCC also accepts x-arf via email.

RIPE NCC has the obligation to keep the information without disclosing it, so 
why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, 
this should be an automated process. The staff is not going to handle every 
report manually. And moreover, in case of a bigger dispute, even if going to 
the courts, RIPE NCC can provide in a neutral way all the info of what happened.

However, I’ve the feeling that in order to get this working, the policy must 
mandate that all the responser from the operator which customer is producing 
the abuse, also follow the same path, so:

Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC 
-> abuse reporter

Otherwise, there will not be a way for RIPE to have stats of who is responding 
to abuse cases and who is not, or even simpler than that, what abuse mailboxes 
get bounced (which will be a policy violation if happens all the time with the 
same operator). Never mind we decide or not that not-responding is an abuse-c 
violation. Stats are good, even if not published with operator names.

 

El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" 
 escribió:

 

Hi Sergio

 

As I read through this thread similar ideas came to my mind. The question I 
would ask is "Is it too late to take a completely different approach to abuse 
contacts and reporting via the RIPE Database?"

 

Suppose we had a standard form available via the ripe.net website for providing 
details of abuse. If you are able to find the "abuse-c:" details in the 
database now then you must know the IP address involved. The RIPE NCC could 
send the report to the abuse contact taken from the database via the specified 
IP address. This does not have to be an email interface either. We could look 
at other options. The RIPE NCC would then at least know if the report was 
successfully delivered. Using a standard form would make it much easier for the 
resource holder to interpret the information.

 

Someone said:

"Making such a scheme compulsory would be unacceptable to people who wish to 
interact with network owners without disclosing that in public ..."

I have no understanding of the technology involved here, but when I send you a 
message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they 
say) of the content of the message. Would it be possible to submit a form on 
ripe.net in a way that the content of that form is encrypted and sent to the 
resource holder so the RIPE NCC have no idea of the content of the form? That 
would satisfy this concern.

 

Regardless of the outcome of the RIPE Database Requirements Task Force, 
something like this could still be implemented as it is external to the RIPE 
Database.

 

Food for thought...

 

cheers

 

denis

 

co-chair DB-WG

 

 

On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha 
 wrote: 

 

 

Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 


-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Briaut René]

STOP SPAM

Envoyé de mon iPhone par René Briaut 

Le 17 janv. 2020 à 13:04, Volker Greimann  a écrit :

Hmm, if you include RIPE NCC in all responses, you will greatly increase the 
overhead and noise to signal ratio it has to deal with. It may be better to 
maintain the ability to audit the responses. instead of receiving them all.
-- 
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, 
Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England 
and Wales with company number 8576358.


> On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg 
>  wrote:
> I will be fine with this (having RIPE NCC as an intermediator just to send 
> the abuse report), if instead of a web form (or in addition to it), it is 
> possible to automate it, for example RIPE NCC also accepts x-arf via email.
> 
> RIPE NCC has the obligation to keep the information without disclosing it, so 
> why we need to have a way to encypt it so RIPE NCC can’t read it? 
> Furthermore, this should be an automated process. The staff is not going to 
> handle every report manually. And moreover, in case of a bigger dispute, even 
> if going to the courts, RIPE NCC can provide in a neutral way all the info of 
> what happened.
> 
> However, I’ve the feeling that in order to get this working, the policy must 
> mandate that all the responser from the operator which customer is producing 
> the abuse, also follow the same path, so:
> 
> Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC 
> -> abuse reporter
> 
> Otherwise, there will not be a way for RIPE to have stats of who is 
> responding to abuse cases and who is not, or even simpler than that, what 
> abuse mailboxes get bounced (which will be a policy violation if happens all 
> the time with the same operator). Never mind we decide or not that 
> not-responding is an abuse-c violation. Stats are good, even if not published 
> with operator names.
> 
>  
> 
> El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" 
>  escribió:
> 
>  
> 
> Hi Sergio
> 
>  
> 
> As I read through this thread similar ideas came to my mind. The question I 
> would ask is "Is it too late to take a completely different approach to abuse 
> contacts and reporting via the RIPE Database?"
> 
>  
> 
> Suppose we had a standard form available via the ripe.net website for 
> providing details of abuse. If you are able to find the "abuse-c:" details in 
> the database now then you must know the IP address involved. The RIPE NCC 
> could send the report to the abuse contact taken from the database via the 
> specified IP address. This does not have to be an email interface either. We 
> could look at other options. The RIPE NCC would then at least know if the 
> report was successfully delivered. Using a standard form would make it much 
> easier for the resource holder to interpret the information.
> 
>  
> 
> Someone said:
> 
> "Making such a scheme compulsory would be unacceptable to people who wish to 
> interact with network owners without disclosing that in public ..."
> 
> I have no understanding of the technology involved here, but when I send you 
> a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they 
> say) of the content of the message. Would it be possible to submit a form on 
> ripe.net in a way that the content of that form is encrypted and sent to the 
> resource holder so the RIPE NCC have no idea of the content of the form? That 
> would satisfy this concern.
> 
>  
> 
> Regardless of the outcome of the RIPE Database Requirements Task Force, 
> something like this could still be implemented as it is external to the RIPE 
> Database.
> 
>  
> 
> Food for thought...
> 
>  
> 
> cheers
> 
>  
> 
> denis
> 
>  
> 
> co-chair DB-WG
> 
>  
> 
>  
> 
> On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha 
>  wrote:
> 
>  
> 
>  
> 
> Hi,
> 
> Maybe we can change the approach.
> If RIPE website had a platform to post abuse report, that send the email for
> the abuse contact, it will be possible to evaluate the responsiveness of the
> abuse contact.
> 
> This way anyone that report an abuse could assess not only the response but
> also the effectiveness of the actions taken by the network owner. After some
> time with this evaluations we would easy to realize who manages the reports
> and even who does not respond at all.
> 
> Sérgio
> 
> 
> -Original Message-
> From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
> Gert Doering
> Sent: 15 de janeiro de 2020 08:06
> To: Carlos Friaças 
> Cc: Gert Doering ; anti-abuse-wg 
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
> of "abuse-mailbox")
> 
> Hi,
> 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Volker Greimann]

Hmm, if you include RIPE NCC in all responses, you will greatly increase
the overhead and noise to signal ratio it has to deal with. It may be
better to maintain the ability to audit the responses. instead of receiving
them all.
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.


On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> I will be fine with this (having RIPE NCC as an intermediator just to send
> the abuse report), if instead of a web form (or in addition to it), it is
> possible to automate it, for example RIPE NCC also accepts x-arf via email.
>
> RIPE NCC has the obligation to keep the information without disclosing it,
> so why we need to have a way to encypt it so RIPE NCC can’t read it?
> Furthermore, this should be an automated process. The staff is not going to
> handle every report manually. And moreover, in case of a bigger dispute,
> even if going to the courts, RIPE NCC can provide in a neutral way all the
> info of what happened.
>
> However, I’ve the feeling that in order to get this working, the policy
> must mandate that all the responser from the operator which customer is
> producing the abuse, also follow the same path, so:
>
> Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE
> NCC -> abuse reporter
>
> Otherwise, there will not be a way for RIPE to have stats of who is
> responding to abuse cases and who is not, or even simpler than that, what
> abuse mailboxes get bounced (which will be a policy violation if happens
> all the time with the same operator). Never mind we decide or not that
> not-responding is an abuse-c violation. Stats are good, even if not
> published with operator names.
>
>
>
> El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via
> anti-abuse-wg"  anti-abuse-wg@ripe.net> escribió:
>
>
>
> Hi Sergio
>
>
>
> As I read through this thread similar ideas came to my mind. The question
> I would ask is "Is it too late to take a completely different approach to
> abuse contacts and reporting via the RIPE Database?"
>
>
>
> Suppose we had a standard form available via the ripe.net website for
> providing details of abuse. If you are able to find the "abuse-c:" details
> in the database now then you must know the IP address involved. The RIPE
> NCC could send the report to the abuse contact taken from the database via
> the specified IP address. This does not have to be an email interface
> either. We could look at other options. The RIPE NCC would then at least
> know if the report was successfully delivered. Using a standard form would
> make it much easier for the resource holder to interpret the information.
>
>
>
> Someone said:
>
> "Making such a scheme compulsory would be unacceptable to people who wish
> to interact with network owners without disclosing that in public ..."
>
> I have no understanding of the technology involved here, but when I send
> you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea
> (they say) of the content of the message. Would it be possible to submit a
> form on ripe.net in a way that the content of that form is encrypted and
> sent to the resource holder so the RIPE NCC have no idea of the content of
> the form? That would satisfy this concern.
>
>
>
> Regardless of the outcome of the RIPE Database Requirements Task Force,
> something like this could still be implemented as it is external to the
> RIPE Database.
>
>
>
> Food for thought...
>
>
>
> cheers
>
>
>
> denis
>
>
>
> co-chair DB-WG
>
>
>
>
>
> On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <
> sergio.ro...@makeitsimple.pt> wrote:
>
>
>
>
>
> Hi,
>
> Maybe we can change the approach.
> If RIPE website had a platform to post abuse report, that send the email
> for
> the abuse contact, it will be possible to evaluate the responsiveness of
> the
> abuse contact.
>
> This way anyone that report an abuse could assess not only the response but
> also the effectiveness of the actions taken by the network owner. After
> some
> time with this evaluations we would easy to realize who manages the reports
> and even who does not respond at all.
>
> Sérgio
>
>
> -Original Message-
> From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
> Gert Doering
> Sent: 15 de janeiro de 2020 08:06
> To: Carlos Friaças 
> Cc: Gert Doering ; anti-abuse-wg 
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
> of "abuse-mailbox")
>
> Hi,
>
> On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg
> wrote:
> > I obviously don't speak for the 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Alessandro,

 

El 17/1/20 10:24, "anti-abuse-wg en nombre de Alessandro Vesely" 
 escribió:

Hi,

a few points:

The “abuse-mailbox:” attribute must be available in an unrestricted way
via whois, APIs and future techniques.

I'd explicitly mention RDAP here.  It's not a future technique any more

You're right, we can explicitly mention RDAP.


Confirm that the resource holder understands the procedure and the 
policy,
that they regularly monitor the abuse-mailbox, that measures are taken,
and that abuse reports receive a response.

I'd skip the last line.  In my automated abuse reports a add a header field
like "X-Auto-Response-Suppress: DR, OOF, AutoReply".  Yet, many abuse team 
send
automatic notifications that I have to skim, possibly hiding real replies 
that
need attention.  Responses are due only if needed.


Furthermore, couldn't the RIPE NCC have a web form, possibly advertised in 
RDAP
output, where receivers of NDNs from abuse-c contacts can notify that a 
given
mailbox bounces?  The effect of filling such form would be to advance the
mailbox position in the validation queue.


Finally, IMHO:

On Tue 14/Jan/2020 10:24:42 +0100 JORDI PALET MARTINEZ via anti-abuse-wg 
wrote:
> El 14/1/20 0:11, "Leo Vegoda"  escribió:
>   
>> It creates hope for reporters and wastes the RIPE NCC's and the
>> reporters' resources by forcing unwilling organizations to spend
>> cycles on unproductive activity.
>> 
>> Why not give networks two options?
>> 
>> 1. Publish a reliable method for people to submit abuse reports - 
and act on it
>> 2. Publish a statement to the effect that the network operator does
>> not act on abuse reports
>> 
>> This would save lots of wasted effort and give everyone more reliable
>> information about the proportion of networks/operators who will and
>> won't act on abuse reports.
>  
> Even if I think that the operators MUST process abuse cases, if the
> community thinks otherwise, I'm happy to support those two options in the
> proposal. For example, an autoresponder in the abuse-c mailbox for those
> that don't intend to process the abuse cases to option 2 above?

No, autoresponders waste even more resources.  In case, let's use a
conventional address like, say, noone@localhost to decline to receive abuse
reports.  There would be no attempt to validate such address.

There are a number of cases, especially in large organizations, where a 
mailbox
fails to work because email refurbishing resulted in mail loops, erroneous
forwarding, dead relays, and the like.  Having an alternative contact can 
bring
attention to the fact and reestablish the functionality.

There are cases where there is no abuse team and holders don't care.  
Sooner or
later the community will find out how to set up some kind of Don't Route Or
Peer list of those.  However, forcing them to have a "working" abuse-c is
nonsensical.



Best
Ale




> 
>
> There might be some value in having the RIPE NCC cooperate with
> networks who want help checking that their abuse-c is working. But
> this proposal seems to move the RIPE NCC from the role of a helpful
> coordinator towards that of an investigator and judge.
> 
> No, I don't think so, but I'm happy to modify the text if it looks like 
that.
> 
> 
> 
> 
> 
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
> 
> This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.
> 
> 
> 
> 
> 





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

I will be fine with this (having RIPE NCC as an intermediator just to send the 
abuse report), if instead of a web form (or in addition to it), it is possible 
to automate it, for example RIPE NCC also accepts x-arf via email.

RIPE NCC has the obligation to keep the information without disclosing it, so 
why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, 
this should be an automated process. The staff is not going to handle every 
report manually. And moreover, in case of a bigger dispute, even if going to 
the courts, RIPE NCC can provide in a neutral way all the info of what happened.

However, I’ve the feeling that in order to get this working, the policy must 
mandate that all the responser from the operator which customer is producing 
the abuse, also follow the same path, so:

Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC 
-> abuse reporter

Otherwise, there will not be a way for RIPE to have stats of who is responding 
to abuse cases and who is not, or even simpler than that, what abuse mailboxes 
get bounced (which will be a policy violation if happens all the time with the 
same operator). Never mind we decide or not that not-responding is an abuse-c 
violation. Stats are good, even if not published with operator names.

 

El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" 
 escribió:

 

Hi Sergio

 

As I read through this thread similar ideas came to my mind. The question I 
would ask is "Is it too late to take a completely different approach to abuse 
contacts and reporting via the RIPE Database?"

 

Suppose we had a standard form available via the ripe.net website for providing 
details of abuse. If you are able to find the "abuse-c:" details in the 
database now then you must know the IP address involved. The RIPE NCC could 
send the report to the abuse contact taken from the database via the specified 
IP address. This does not have to be an email interface either. We could look 
at other options. The RIPE NCC would then at least know if the report was 
successfully delivered. Using a standard form would make it much easier for the 
resource holder to interpret the information.

 

Someone said:

"Making such a scheme compulsory would be unacceptable to people who wish to 
interact with network owners without disclosing that in public ..."

I have no understanding of the technology involved here, but when I send you a 
message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they 
say) of the content of the message. Would it be possible to submit a form on 
ripe.net in a way that the content of that form is encrypted and sent to the 
resource holder so the RIPE NCC have no idea of the content of the form? That 
would satisfy this concern.

 

Regardless of the outcome of the RIPE Database Requirements Task Force, 
something like this could still be implemented as it is external to the RIPE 
Database.

 

Food for thought...

 

cheers

 

denis

 

co-chair DB-WG

 

 

On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha 
 wrote: 

 

 

Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 


-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Alessandro Vesely]

Hi,

a few points:

The “abuse-mailbox:” attribute must be available in an unrestricted way
via whois, APIs and future techniques.

I'd explicitly mention RDAP here.  It's not a future technique any more


Confirm that the resource holder understands the procedure and the policy,
that they regularly monitor the abuse-mailbox, that measures are taken,
and that abuse reports receive a response.

I'd skip the last line.  In my automated abuse reports a add a header field
like "X-Auto-Response-Suppress: DR, OOF, AutoReply".  Yet, many abuse team send
automatic notifications that I have to skim, possibly hiding real replies that
need attention.  Responses are due only if needed.


Furthermore, couldn't the RIPE NCC have a web form, possibly advertised in RDAP
output, where receivers of NDNs from abuse-c contacts can notify that a given
mailbox bounces?  The effect of filling such form would be to advance the
mailbox position in the validation queue.


Finally, IMHO:

On Tue 14/Jan/2020 10:24:42 +0100 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> El 14/1/20 0:11, "Leo Vegoda"  escribió:
>   
>> It creates hope for reporters and wastes the RIPE NCC's and the
>> reporters' resources by forcing unwilling organizations to spend
>> cycles on unproductive activity.
>> 
>> Why not give networks two options?
>> 
>> 1. Publish a reliable method for people to submit abuse reports - and 
>> act on it
>> 2. Publish a statement to the effect that the network operator does
>> not act on abuse reports
>> 
>> This would save lots of wasted effort and give everyone more reliable
>> information about the proportion of networks/operators who will and
>> won't act on abuse reports.
>  
> Even if I think that the operators MUST process abuse cases, if the
> community thinks otherwise, I'm happy to support those two options in the
> proposal. For example, an autoresponder in the abuse-c mailbox for those
> that don't intend to process the abuse cases to option 2 above?

No, autoresponders waste even more resources.  In case, let's use a
conventional address like, say, noone@localhost to decline to receive abuse
reports.  There would be no attempt to validate such address.

There are a number of cases, especially in large organizations, where a mailbox
fails to work because email refurbishing resulted in mail loops, erroneous
forwarding, dead relays, and the like.  Having an alternative contact can bring
attention to the fact and reestablish the functionality.

There are cases where there is no abuse team and holders don't care.  Sooner or
later the community will find out how to set up some kind of Don't Route Or
Peer list of those.  However, forcing them to have a "working" abuse-c is
nonsensical.



Best
Ale




> 
>
> There might be some value in having the RIPE NCC cooperate with
> networks who want help checking that their abuse-c is working. But
> this proposal seems to move the RIPE NCC from the role of a helpful
> coordinator towards that of an investigator and judge.
> 
> No, I don't think so, but I'm happy to modify the text if it looks like that.
> 
> 
> 
> 
> 
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
> 
> This electronic message contains information which may be privileged or 
> confidential. The information is intended to be for the exclusive use of the 
> individual(s) named above and further non-explicilty authorized disclosure, 
> copying, distribution or use of the contents of this information, even if 
> partially, including attached files, is strictly prohibited and will be 
> considered a criminal offense. If you are not the intended recipient be aware 
> that any disclosure, copying, distribution or use of the contents of this 
> information, even if partially, including attached files, is strictly 
> prohibited, will be considered a criminal offense, so you must reply to the 
> original sender to inform about this communication and delete it.
> 
> 
> 
> 
> 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[ripedenis--- via anti-abuse-wg]

 Hi Sergio
As I read through this thread similar ideas came to my mind. The question I 
would ask is "Is it too late to take a completely different approach to abuse 
contacts and reporting via the RIPE Database?"
Suppose we had a standard form available via the ripe.net website for providing 
details of abuse. If you are able to find the "abuse-c:" details in the 
database now then you must know the IP address involved. The RIPE NCC could 
send the report to the abuse contact taken from the database via the specified 
IP address. This does not have to be an email interface either. We could look 
at other options. The RIPE NCC would then at least know if the report was 
successfully delivered. Using a standard form would make it much easier for the 
resource holder to interpret the information.
Someone said:"Making such a scheme compulsory would be unacceptable to people 
who wish to interact with network owners without disclosing that in public 
..."I have no understanding of the technology involved here, but when I send 
you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea 
(they say) of the content of the message. Would it be possible to submit a form 
on ripe.net in a way that the content of that form is encrypted and sent to the 
resource holder so the RIPE NCC have no idea of the content of the form? That 
would satisfy this concern.
Regardless of the outcome of the RIPE Database Requirements Task Force, 
something like this could still be implemented as it is external to the RIPE 
Database.
Food for thought...
cheers
denis
co-chair DB-WG

On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha 
 wrote:  
 
 Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 

-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444        USt-IdNr.: DE813185279


  

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Suresh Ramasubramanian]

I’m afraid you’ve misunderstood me. I haven’t been talking about people going 
out to clean networks not their own. All I would like to see is people 
accepting responsibility for the networks that they do control

As for other concerns eg Volker raised about the difference between a heavily 
abused customer and a malicious actor, that is a judgement call that every 
large provider abuse team has had to face so far

--srs


From: anti-abuse-wg  on behalf of Randy Bush 

Sent: Thursday, January 16, 2020 9:38 PM
To: Suresh Ramasubramanian
Cc: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

> It would be interesting if a large number of people who actually work
> for the security / infosec / abuse teams of various ripe members were
> to attend the aawg meetings instead of a clutch of mostly IP / dns /
> network people.

did. a couple of interesting presos, but the plural of anecdote is not
data. and a bun fight over becomig the net police. rinse repeat. i
can try pushing water uphill at home.

randy

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

How about we just try this for a year and then take stock?

Best
Serge


On 16/01/2020 18:07, Andreas Worbs wrote:
> I'm completely with you.
> 
> For our US-AS i verify my contact once a year: open the mail, click the
> link, verify my data and that's it. You don't even need 5 minutes for it.
> 
> If you have an automation fpr your abuse mails? Ok, you have to adjust
> your configuration a little bit but you have to do this only once. Is it
> really a problem?
> 
> RIPE NCC will not deregister your ressources right now just because you
> missed the verification.
> 
> I would be happy if we have a mandatory abuse-c which is validated by
> the RIPE.
> 
> Rather go forward step-by-step than stop here for years. Stagnation
> means regression.
> 
> Have a good night,
> 
> Andi
> 
> Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:
>> Hi All
>>
>> I think we already spent way more executive time on this thread than it
>> would cost us to verify e-mail addresses.
>>
>> I agree e-mail does not solve all the problems. It's hard to
>> automatically process, .
>>
>> But it is simple to use, and from my work as an incident handler it did
>> do me good in the past. I participate in fora that validate
>> abuse/emergency addresses. WHen I ask these people what their issues in
>> daily life are it's never we have to validate or contact e-mail.
>>
>>
>> And honestly: taking a step back and reading this entire thread, I'm not
>> surprised that the bad guys are winning. You know: They don't care about
>> the purty and beauty of a solution. They just do it and profit, and
>> probably have a fabulous time seeing us argue and go at each others
>> throats.
>>
>> I think we could do better.
>>
>> Best
>> Serge
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org



signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Andreas Worbs]

I'm completely with you.

For our US-AS i verify my contact once a year: open the mail, click the
link, verify my data and that's it. You don't even need 5 minutes for it.

If you have an automation fpr your abuse mails? Ok, you have to adjust
your configuration a little bit but you have to do this only once. Is it
really a problem?

RIPE NCC will not deregister your ressources right now just because you
missed the verification.

I would be happy if we have a mandatory abuse-c which is validated by
the RIPE.

Rather go forward step-by-step than stop here for years. Stagnation
means regression.

Have a good night,

Andi

Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:
> Hi All
>
> I think we already spent way more executive time on this thread than it
> would cost us to verify e-mail addresses.
>
> I agree e-mail does not solve all the problems. It's hard to
> automatically process, .
>
> But it is simple to use, and from my work as an incident handler it did
> do me good in the past. I participate in fora that validate
> abuse/emergency addresses. WHen I ask these people what their issues in
> daily life are it's never we have to validate or contact e-mail.
>
>
> And honestly: taking a step back and reading this entire thread, I'm not
> surprised that the bad guys are winning. You know: They don't care about
> the purty and beauty of a solution. They just do it and profit, and
> probably have a fabulous time seeing us argue and go at each others
> throats.
>
> I think we could do better.
>
> Best
> Serge

-- 
Mit freundlichem Gruß

Artfiles New Media GmbH

Andreas Worbs


Artfiles New Media GmbH | Zirkusweg 1 | 20359 Hamburg
Tel: 040 - 32 02 72 90 | Fax: 040 - 32 02 72 95
E-Mail: supp...@artfiles.de | Web: http://www.artfiles.de
Geschäftsführer: Harald Oltmanns | Tim Evers
Eingetragen im Handelsregister Hamburg - HRB 81478




signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Randy Bush]

> It would be interesting if a large number of people who actually work
> for the security / infosec / abuse teams of various ripe members were
> to attend the aawg meetings instead of a clutch of mostly IP / dns /
> network people.

did.  a couple of interesting presos, but the plural of anecdote is not
data.  and a bun fight over becomig the net police.  rinse repeat.  i
can try pushing water uphill at home.

randy

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Sascha Luck [ml]]

On Thu, Jan 16, 2020 at 12:38:26PM -, Srgio Rocha wrote:


It's amazing that nobody cant propose anything without receiving a shower of 
all sorts of arguments against


It's called "democracy". As Chuchill said, it's an awful system
but better than any other that have been tried.

rgds,
Sascha Luck

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <077501d5cc69$d9427020$8bc75060$@makeitsimple.pt>, 
"=?iso-8859-1?Q?S=E9rgio_Rocha?="  wrote:

>Agree, This anti-abuse list seems the blocking group to any anit-abuse
>response measure.
>
>It's amazing that nobody cant propose anything without receiving a
>shower of all sorts of arguments against

Welcome to the Working Group.  You must be new here.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Sérgio Rocha]

Hi,

 

Agree, This anti-abuse list seems the blocking group to any anit-abuse response 
measure.

It's amazing that nobody cant propose anything without receiving a shower of 
all sorts of arguments against

 

There is an idea that everyone has to hold, if as a community we cannot 
organize a policy, one of these days there will be a problem that will make 
governments take the opportunity to legislate and we will no longer have the 
free and open internet.

 

There are a feew ideas that is simple to understand:

 

1 - If you have been assigned a network you have responsibilities, paying 
should not be the only one.

2 - There is no problem with email, since ever are made solutions to integrate 
with emails. There is no need to invent a new protocol. Who has a lot of abuse, 
invests in integrating these emails.

3 - If you have no ability to manage abuse should not have addressing, leave it 
to professionals.

 

The internet is critical for everyone, the ability for actors to communicate 
with each other to respond to abuse must exist and RIPE must ensure that it 
exists.

It’s like the relation with local governments, there is a set of information 
that has to be kept up to date to avoid problems, in RIPE it must be the same.

 

Sergio

 

 

 

From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of Fi 
Shing
Sent: 16 de janeiro de 2020 04:55
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

 

>> Best not to judge the race until it has been fully run.

 

I just do not understand how anyone on this list (other than a criminal or a 
business owner that wants to reduce over heads by abolishing an employee who 
has to sit and monitor an abuse desk) could be talking about making it easier 
for abuse to flourish.

 

It is idiotic and is not ad hominem.

 

This list is filled with people who argue for weeks, perhaps months, about the 
catastrophic world ending dangers of making an admin verify an abuse address 
ONCE a year  and then someone says "let's abolish abuse desk all together" 
and these idiots emerge from the wood work like the termites that they are and 
there's no resistance?

 

The good news is that nothing talked about on this list is ever implemented, so 
.. talk away you criminals.

 

 

 

 

 

- Original Message - 

Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")
From: "Ronald F. Guilmette" mailto:r...@tristatelogic.com> >
Date: 1/16/20 11:47 am
To: "anti-abuse-wg@ripe.net  " 
mailto:anti-abuse-wg@ripe.net> >

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ 

 
email19.asia.godaddy.com>, "Fi Shing" mailto:phish...@storey.xxx> > wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments. If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda. It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <4be52277-cecb-603f-6840-4ee76245b...@first.org>, 
Serge Droz  wrote:

>I think we already spent way more executive time on this thread than it
>would cost us to verify e-mail addresses.

I think that I may cut that out, print it in a 48-point type face, have
it framed, and hang it on my office wall. :-)

This is true even though I expressed some similar view on some similar
situation here already some years ago.

>And honestly: taking a step back and reading this entire thread, I'm not
>surprised that the bad guys are winning. You know: They don't care about
>the purty and beauty of a solution. They just do it and profit, and
>probably have a fabulous time seeing us argue and go at each others
>throats.

I myself have certainly expressed this view previously, in private if not
also in public.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

I think we already spent way more executive time on this thread than it
would cost us to verify e-mail addresses.

I agree e-mail does not solve all the problems. It's hard to
automatically process, .

But it is simple to use, and from my work as an incident handler it did
do me good in the past. I participate in fora that validate
abuse/emergency addresses. WHen I ask these people what their issues in
daily life are it's never we have to validate or contact e-mail.


And honestly: taking a step back and reading this entire thread, I'm not
surprised that the bad guys are winning. You know: They don't care about
the purty and beauty of a solution. They just do it and profit, and
probably have a fabulous time seeing us argue and go at each others
throats.

I think we could do better.

Best
Serge
-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

 
>> Best not to judge the race until it has been fully run.
 
I just do not understand how anyone on this list (other than a criminal or a 
business owner that wants to reduce over heads by abolishing an employee who 
has to sit and monitor an abuse desk) could be talking about making it easier 
for abuse to flourish.
 
It is idiotic and is not ad hominem.
 
This list is filled with people who argue for weeks, perhaps months, about the 
catastrophic world ending dangers of making an admin verify an abuse address 
ONCE a year  and then someone says "let's abolish abuse desk all together" 
and these idiots emerge from the wood work like the termites that they are and 
there's no resistance?
 
The good news is that nothing talked about on this list is ever implemented, so 
.. talk away you criminals.
 
 
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" 
Date: 1/16/20 11:47 am
To: "anti-abuse-wg@ripe.net" 

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
 email19.asia.godaddy.com>, "Fi Shing"  wrote:
 
 >That is the most stupid thing i've read on this list.
 
 Well, I think you shouldn't be quite so harsh in your judgement. It is
 not immediately apparent that you have been on the list for all that long.
 So perhaps you should stick around for awhile longer before making such
 comments. If you do, I feel sure that there will be any number of
 stupider things that may come to your attention, including even a few
 from your's truly.
 
 Best not to judge the race until it has been fully run.
 
 >Which criminal is paying you to say this nonsense, because no ordinary person
 >that has ever received a spam email would ever say such crap.
 
 I would also offer the suggestion that such inartful commentary, being as
 it is, ad hominem, is not at all likely to advance your agenda. It may
 have felt good, but I doubt that you have changed a single mind, other
 than perhaps one or two who will now be persuaded to take the opposing
 position, relative to whatever it was that you had hoped to achieve.
 
 
 Regards,
 rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

Hi Jordi,

On Wed, Jan 15, 2020 at 1:54 PM JORDI PALET MARTINEZ
 wrote:

[...]

> This is an excellent point but e-mail is probably not the right medium
> for that. Standardizing protocols for reporting abuse - and therefore
> acting on those reports more quickly - would be far more helpful. But
> only organizations don't want abuse on their networks will invest in
> the people, processes, and systems, whatever the reporting medium.
>
> This is an additional step. Do you think it may be better to include in the 
> proposal, instead of plain email for the reporting, to mandate the use of 
> XARF?
>
> http://xarf.org/index.html
>
> I've been tempted several times to go that path ... so may be is time for it?

Communicating information about abuse incidents using structured data
is exactly the right way to go. E-mail is becoming less useful as each
year goes by and continuing to invest in systems that assume e-mail is
ubiquitous does not seem a good use of resources to me.

Kind regards,

Leo

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message , 
Richard Clayton  wrote:

>bottom line is that if you want to run a reputation site and not be
>under an obligation to remove libellous material (not fair comment) you
>would be unwise to do it outside the USA

As much as I would like to claim, on behalf of my countrymen, an absolutely
unique status in this regard, I do believe that there are any number of
other locales from whence a similar feat could be accomplished.  Iceland
seems like a possibility, but also Belize, perhaps Gibraltar, The
Dominican Republic, and quite certainly Nevis & St. Kitts.

Oh!  And the sovereign Republic of Sealand, of course.


Regards,
rfg


P.S.  I cannot help but offer the entirely gratuitous observation that
in many parts of the world it may indeed be more legally tenable to be
either a spammer or a spam-fiendly provider than it is to be a person
or other form of legal entity which publishes anything not qualifying
as glowing positive commentary about any such.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Richard Clayton]

In message <49348.1579123...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>I reiterate and slightly rehprase my question:
>
>Do you people in within the RIPE region see, or not see critical reviews
>on, for example, eBay, TripAdvisor, etc?

we do, but we do not see material which is likely to be libellous (words
have to chosen carefully in explaining this sort of thing because in
this space material can be defamatory but veracity means that it is most
unlikely to be adjudged a libel)

>>note that companies that operate solely in the USA can take some solace
>>from the USA SPEECH Act...
>
>The notion of "operating solely in the USA" is not one which lacks
>ambiguity, at least when it comes to Internet-based services, as I am
>sure you are all too aware.

by operate I meant that all employees and legal entities are within the
USA, not that the company restricts access to websites etc

Though it is interesting that a number of US newspaper sites have chosen
to block all EU IPs so as to avoid incurring any data protection
liability under the GDPR when serving up adverts ... but they may have
foreign correspondents so they may be making my point after all

bottom line is that if you want to run a reputation site and not be
under an obligation to remove libellous material (not fair comment) you
would be unwise to do it outside the USA

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
email19.asia.godaddy.com>, "Fi Shing"  wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement.  It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments.  If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda.  It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <68c5238d-b796-45b9-8735-5849140dc...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>When some operators aren't responding to abuse cases, or when they are boun=
>cing emails, or you get a response from someone telling "sorry I'm not the =
>right contact for this, the email is mistaken", and many other similar situ=
>ations ... the operator is telling you "we don't care about abuse from our =
>customer to other networks".

Just a quick follow-up note on this.

These days, about half of the time when I report a spam that came to me
from one of Microsoft's ASNs, I get a reply back telling me that the
spam in question came from an Outlook user, and giving me some other
reporting email address, and vaguely encouraging me to re-report the
spam to that different address.

I never do.

(This happens EVEN IF I had, in the first instance, reported the spam
to the exact email address that is given as the abuse reporting address
for the relevant ASN in the official ARIN WHOIS records.)

If the people at Microsoft who handle abuse cannot be bothered to just
simply forward a spam report from one of their own departments to
another, internally, then I am not persuaded that any part of their
organization is adequately motivated to do anything at all about it,
no matter who I sent it to.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <58ece9f6-4d64-4315-8ee5-88574f6b4...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>Right, and that was a part of my point about eBay-like feedback ratings
>for resource holders, i.e. "Let's not even try."
>Instead, let the people decide.  Let anyone register a feedback point,
>positive or negative, against any resource holder, with the proviso
>that if they are registering a negative feedback point, they should assert
>exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
>undeliverable", "no response for eight days" etc.) and if possible,
>provide some context also, e.g. a copy of the spam, a copy of some
>logs showing hack attempts, etc.
>
>This may have legal consequences for RIPE NCC, as somebody could use the
>system to publish untrue information for competitors ... not a good idea.

OK, two points:

1)  I cannot and will not dispute that rating systems which allow votes
from the public at large can be gamed, e.g. by unscrupulous competitors,
and indeed, it is my belief that there have already been some well-
documented cases of this.  That's not to say that I think that adequate
counter-measures could not be developed.  I think they could be.

2) As regards to the "legal" issue, I can only express my deepest sympathies
for all you folks on your side of the pond and beyond, especially as you all
seem to be at least somewhat constrained in your freedom to speak truth to
power.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

correction: year 2020*
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Fi Shing" 
Date: 1/16/20 10:03 am
To: "anti-abuse-wg@ripe.net" 

 Sergio, that would make too much sense.
 
This mailing list is not only not even considering what you have said, but they 
are trying to remove the requirement of a network operator to even receive 
emails about complaints at all.
 
Pathetic.
 
It's the year 2019, and these "people" on this list (probably cyber criminals 
or are paid by cyber criminals to weaken policy) come here and say this garbage.
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Srgio Rocha" 
Date: 1/15/20 8:16 pm
To: "anti-abuse-wg" 

Hi,
 
 Maybe we can change the approach.
 If RIPE website had a platform to post abuse report, that send the email for
 the abuse contact, it will be possible to evaluate the responsiveness of the
 abuse contact.
 
 This way anyone that report an abuse could assess not only the response but
 also the effectiveness of the actions taken by the network owner. After some
 time with this evaluations we would easy to realize who manages the reports
 and even who does not respond at all.
 
 Srgio 
 
 -Original Message-
 From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
 Gert Doering
 Sent: 15 de janeiro de 2020 08:06
 To: Carlos Friaas 
 Cc: Gert Doering ; anti-abuse-wg 
 Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
 of "abuse-mailbox")
 
 Hi,
 
 On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaas via 
anti-abuse-wg
 wrote:
 > I obviously don't speak for the incident handling community, but i 
 > think this (making it optional) would be a serious step back. The 
 > current situation is already very bad when in some cases we know from 
 > the start that we are sending (automated) messages/notices to blackholes.
 
 So why is it preferrable to send mails which are not acted on, as opposed to
 "not send mail because you know beforehand that the other network is not
 interested"?
 
 I can see that it is frustrating - but I still cannot support a policy
 change which will not help dealing with irresponsible networks in any way,
 but at the same time increases costs and workload for those that do the
 right thing alrady.
 
 
 > To an extreme, there should always be a known contact responsible for 
 > any network infrastructure. If this is not the case, what's the 
 > purpose of a registry then?
 
 "a known contact" and "an *abuse-handling* contact" is not the same thing.
 
 Gert Doering
 -- NetMaster
 --
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael
 Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

Sergio, that would make too much sense.
 
This mailing list is not only not even considering what you have said, but they 
are trying to remove the requirement of a network operator to even receive 
emails about complaints at all.
 
Pathetic.
 
It's the year 2019, and these "people" on this list (probably cyber criminals 
or are paid by cyber criminals to weaken policy) come here and say this garbage.
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Srgio Rocha" 
Date: 1/15/20 8:16 pm
To: "anti-abuse-wg" 

Hi,
 
 Maybe we can change the approach.
 If RIPE website had a platform to post abuse report, that send the email for
 the abuse contact, it will be possible to evaluate the responsiveness of the
 abuse contact.
 
 This way anyone that report an abuse could assess not only the response but
 also the effectiveness of the actions taken by the network owner. After some
 time with this evaluations we would easy to realize who manages the reports
 and even who does not respond at all.
 
 Srgio 
 
 -Original Message-
 From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
 Gert Doering
 Sent: 15 de janeiro de 2020 08:06
 To: Carlos Friaas 
 Cc: Gert Doering ; anti-abuse-wg 
 Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
 of "abuse-mailbox")
 
 Hi,
 
 On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaas via 
anti-abuse-wg
 wrote:
 > I obviously don't speak for the incident handling community, but i 
 > think this (making it optional) would be a serious step back. The 
 > current situation is already very bad when in some cases we know from 
 > the start that we are sending (automated) messages/notices to blackholes.
 
 So why is it preferrable to send mails which are not acted on, as opposed to
 "not send mail because you know beforehand that the other network is not
 interested"?
 
 I can see that it is frustrating - but I still cannot support a policy
 change which will not help dealing with irresponsible networks in any way,
 but at the same time increases costs and workload for those that do the
 right thing alrady.
 
 
 > To an extreme, there should always be a known contact responsible for 
 > any network infrastructure. If this is not the case, what's the 
 > purpose of a registry then?
 
 "a known contact" and "an *abuse-handling* contact" is not the same thing.
 
 Gert Doering
 -- NetMaster
 --
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael
 Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

That is the most stupid thing i've read on this list.
 
What little protection the world has from spammers and all manner of criminals, 
and you still think it's too much that they even so much as have to check their 
email account.
 
Which criminal is paying you to say this nonsense, because no ordinary person 
that has ever received a spam email would ever say such crap.
 
and if there can be no "internet police", i'm sure RIPE will have no problem if 
someone never pays a fee to it ever again, because it doesn't have the mandate 
to suspend a resource for crime, it cannot do it for non payment.
 
or is non-payment more serious than a DDoS attack?
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Gert Doering" 
Date: 1/14/20 9:19 pm
To: "JORDI PALET MARTINEZ" 
Cc: "anti-abuse-wg" 

Hi,
 
 On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
 > Looks fine to me.
 > 
 > If we really think that the operators should be free from taking abuse 
 > reports, then let's make it optional.
 > 
 > As said, I personally think that an operator responsibility is to deal with 
 > abuse cases, but happy to follow what we all decide.
 
 I do think that an operator should handle abuse reports (and we do), 
 but *this* is not a suitable vehicle to *make him*.
 
 And if it's not going to have the desired effect, do not waste time on it.
 
 Gert Doering
 -- NetMaster
 -- 
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message 

Leo Vegoda  wrote:

>E-mail does not scale well. It was great in the 1990s, when the
>Internet was smaller and people knew each other. About half the
>world's population now has some sort of Internet connectivity.
>Expecting organizations to be able to understand reports from such a
>diverse group of people is unreasonable.

You're right.  Email is shit.  However as long as network operators
allow their errant end-lusers to spam me via email, I expect them to
also accept reports about that via email. If they don't want to, then
fine.  They can just block outbound port 25 for their entire networks
at and in the routers.  Problem solved and everybody's happy.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Carlos,
 
 

El 15/1/20 22:58, "Carlos Friaças"  escribió:



Hi,



On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> In my opinion, the actual situation is the worst. We are validating over 
"nothing". We don't know how many of the "validated" mailboxes are real, or 
even read, full, etc.
>
> I will prefer a mandatory abuse-c which is validated in the way I'm 
proposing, as it is being done in ARIN and APNIC and soon in LACNIC.

This detail is interesting...

In my opinion it reached consensus also in the last AFRINIC meeting, but chairs 
didn't agree, and I don't want to start an appeal. So, I will retry in the next 
meeting.

> If this can't reach consensus, I prefer to know in advance "this 
> operator doesn't handle abuses" that wasting time in reporting them. I 
> will have the choice to just block their network and when several folks 
> block them and their customers complain, then they may change their 
> mind.

I was wondering if this "block" would mean blocking all prefixes announced 
by the same ASN, or just the prefix where the abuse originated from.

Well, this is up to each operator ... If it is my network, I will definitively 
block the complete ASN, because a network that doesn't process abuse, is not 
something I want to get traffic from. But is just my personal view.


> Better 50% of good and *real* validated abuse contacts than 100% from 
which I don't know how may are for real.

As i already stated, i'm more worried about someone using real e-mail 
addresses of real unrelated people than the /dev/null or unattended 
mailboxes.

When someone uses a 3rd party address without authorization+knowledge, i 
think it's reasonable to allow for a fix, instead of directly running to 
ripe-716.


Cheers,
Carlos





> El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via 
anti-abuse-wg"  escribió:
>
>
>Hi,
>
>I obviously don't speak for the incident handling community, but i 
think
>this (making it optional) would be a serious step back. The current
>situation is already very bad when in some cases we know from the start
>that we are sending (automated) messages/notices to blackholes.
>
>To an extreme, there should always be a known contact responsible for
>any network infrastructure. If this is not the case, what's the purpose
>of a registry then?
>
>Regards,
>Carlos
>
>
>
>On Tue, 14 Jan 2020, Leo Vegoda wrote:
>
>> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>>
>> [...]
>>
>>> A much simpler approach would be to make abuse-c: an optional 
attribute
>>> (basically, unrolling the "mandatory" part of the policy proposal 
that
>>> introduced it in the first place)
>>
>> This seems like a simple approach for letting network operators
>> indicate whether or not they will act on abuse reports. If there's no
>> way of reporting abuse then the operators clearly has no processes 
for
>> evaluating reports, or acting on them. This helps everyone save time.
>>
>> Regards,
>>
>> Leo Vegoda
>>
>
>
>
>
>
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.
>
>
>
>
>



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the 

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Job,

You need to have that process already for ARIN and APNIC, and once implemented 
LACNIC.

The process is the same. You implement it once (I'm not counting the minutes 
that can take to implement it) and it seems simple to me: the abuse-mailbox get 
twice a year a verification email, a responsible guy in the abuse-team must act 
on it, clicking on the verification link.

So, if you have already the process for other RIRs, what is the extra cost? (2 
minutes)

I think is much less that the time you can save, and this is the balance that 
we need to look for.


El 15/1/20 22:56, "Job Snijders"  escribió:

On Wed, Jan 15, 2020 at 10:41:54PM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> Exactly 2 minutes a year (1 minute each time you click the link in the
> email from RIPE NCC).
> 
> And because you invest 2 minutes a year, you will save a lot of time
> (many hours/days) yourself, trying to report abuses to invalid
> mailboxes!

I am not sure it is just two minutes a year, it is desiging and
monitoring an additional work process to be executed in corporations. I
am of course not sure how much it is, but certainly more than two
minutes.

Kind regards,

Job




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Warren,

When some operators aren't responding to abuse cases, or when they are bouncing 
emails, or you get a response from someone telling "sorry I'm not the right 
contact for this, the email is mistaken", and many other similar situations ... 
the operator is telling you "we don't care about abuse from our customer to 
other networks".

There is not different to say that explicitly by making the abuse-c optional, 
so those that don't want to handle the abuse reports, just don't have it.

There is no difference in having the email bouncing than having an 
autoresponder saying "we don't care" ... 
 

El 15/1/20 21:15, "anti-abuse-wg en nombre de Warren Kumari" 
 escribió:

On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda  wrote:
>
> On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race  
wrote:
>
> [...]
>
> > Aside from the reciprocity issue, it's a basic engineering rule
> > that systems target their goal only when a corrective
> > feedback path exists.
>
> That feedback path does not need to be a personally written e-mail.
> Instead, it is possible to use signals like the absence of a reliable
> reporting mechanism to make decisions about not accepting some or all
> traffic from an abusing network.
>
> My main concern with proposal 2019-04 is that it would make everyone
> look the same. It then takes time and effort to distinguish the
> networks that will actually use abuse reports to fix problems from
> those that won't or just don't have the ability to do so.
>
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.
>
> In the first case, it avoids wasting resources lodging reports that
> will be ignored. Secondly, it provides reliable statistical
> information about the networks whose operators claim to use abuse
> reports to clean things up. This would provide a metric that could be
> used both by other network operators to guide operational policies and
> governments or regulators to set theirs.

I suspect I'm somewhat confused / have lost the thread somewhere.

I really don't think that any network is likely to advertise that they
are not dealing with abuse -- it gives a bad impression, and the
marketing droids will likely want *something* listed. The same goes
for legal - saying "Meh, don't bother sending us abuse reports, we
ignore them" doesn't seem to have any PR / marketing / legal upside,
and has many downsides...

Pretend that you are a network that (largely) ignores abuse reports --
your current solution of throwing these mails away costs you nothing;
what's the upside to telling everyone that you are doing this?

I suspect that people will continue to have abuse@, hostmaster@,
abuse-c,and any other conventions filled in -- and many will just
continue to shuffle these into self-closing ticket systems / mailboxes
which never get read and / or /dev/null...

W


>
> Finally, we don't yet know what the RIPE Database Requirements TF will
> recommend. But I think that building a new business process on the
> existing model for publishing contact information assumes they won't
> recommend changes. Let's wait until they report before asking the RIPE
> NCC to build new workflows on a model that the community might want to
> change.
>
> Kind regards,
>
> Leo Vegoda
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Carlos Friaças via anti-abuse-wg]

Hi,



On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:


In my opinion, the actual situation is the worst. We are validating over "nothing". We 
don't know how many of the "validated" mailboxes are real, or even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, 
as it is being done in ARIN and APNIC and soon in LACNIC.


This detail is interesting...



If this can't reach consensus, I prefer to know in advance "this 
operator doesn't handle abuses" that wasting time in reporting them. I 
will have the choice to just block their network and when several folks 
block them and their customers complain, then they may change their 
mind.


I was wondering if this "block" would mean blocking all prefixes announced 
by the same ASN, or just the prefix where the abuse originated from.




Better 50% of good and *real* validated abuse contacts than 100% from which I 
don't know how may are for real.


As i already stated, i'm more worried about someone using real e-mail 
addresses of real unrelated people than the /dev/null or unattended 
mailboxes.


When someone uses a 3rd party address without authorization+knowledge, i 
think it's reasonable to allow for a fix, instead of directly running to 
ripe-716.



Cheers,
Carlos






El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" 
 escribió:


   Hi,

   I obviously don't speak for the incident handling community, but i think
   this (making it optional) would be a serious step back. The current
   situation is already very bad when in some cases we know from the start
   that we are sending (automated) messages/notices to blackholes.

   To an extreme, there should always be a known contact responsible for
   any network infrastructure. If this is not the case, what's the purpose
   of a registry then?

   Regards,
   Carlos



   On Tue, 14 Jan 2020, Leo Vegoda wrote:

   > On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
   >
   > [...]
   >
   >> A much simpler approach would be to make abuse-c: an optional attribute
   >> (basically, unrolling the "mandatory" part of the policy proposal that
   >> introduced it in the first place)
   >
   > This seems like a simple approach for letting network operators
   > indicate whether or not they will act on abuse reports. If there's no
   > way of reporting abuse then the operators clearly has no processes for
   > evaluating reports, or acting on them. This helps everyone save time.
   >
   > Regards,
   >
   > Leo Vegoda
   >





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Leo,


El 15/1/20 18:09, "anti-abuse-wg en nombre de Leo Vegoda" 
 escribió:

On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg
 wrote:

[...]

> - Lastly: It makes our life as Incident responders easier to have a
> uniform way of sending reports, even if not all of them are followed up.

This is an excellent point but e-mail is probably not the right medium
for that. Standardizing protocols for reporting abuse - and therefore
acting on those reports more quickly - would be far more helpful. But
only organizations don't want abuse on their networks will invest in
the people, processes, and systems, whatever the reporting medium.

This is an additional step. Do you think it may be better to include in the 
proposal, instead of plain email for the reporting, to mandate the use of XARF?

http://xarf.org/index.html

I've been tempted several times to go that path ... so may be is time for it?


> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

It's not about the burden on the organizations that don't want to act.
It's about providing a clear signal to the reporting organizations
that there is no point reporting. That should allow reporting
organizations to decide on next steps more quickly.





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

What we do today is not a validation if I can use Gert or Serge or any "null" 
email in all my abuse contacts and nobody notice it, and then you start getting 
abuse reports from other folks ... This is creating lots of wasted time to both 
you and the abuse case reporters.
 

El 15/1/20 9:59, "anti-abuse-wg en nombre de Gert Doering" 
 escribió:

Hi,

On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote:
> Sorry I misunderstood you then. But honestly, this does not really place
> a burden on you.

It does.  Even if it's just 5 minutes per Mail - I need to train abuse 
handlers what to do with this sort of message, etc.

> So I think the balance is hugely positive.

Nobody has been able to demonstrate why it would have a positive effect
at all.  So how can the balance be "hugely positive"?

E-Mail addresses *are* validated today.  Just not in an as labour-intensive
way on the receipient like the proposers want to install.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael 
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Exactly 2 minutes a year (1 minute each time you click the link in the email 
from RIPE NCC).

And because you invest 2 minutes a year, you will save a lot of time (many 
hours/days) yourself, trying to report abuses to invalid mailboxes!
 

El 15/1/20 9:24, "anti-abuse-wg en nombre de Serge Droz via anti-abuse-wg" 
 escribió:

Hi Gert

Sorry I misunderstood you then. But honestly, this does not really place
a burden on you.

RIPE can automate this, and you simply reply to a message. We do this,
e.g. in TF-CSIRT twice a year, and it does help, event the good guys,
that realize they have an issue and did not receive their mail.

In fact, it's become a bit of a competition to be the first to reply to
the challenge.

So the extra work is what, 10 minutes / year, if the system is setup
properly?

So I think the balance is hugely positive.

Just my two cents.

Serge


On 15/01/2020 09:18, Gert Doering wrote:
> Hi,
> 
> On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg 
wrote:
>> I kind of don't buy into "There is no point on placing a burden on orgs
>> that choose not to act".
> 
> This is not what I said.  My stance on this is: placing extra burdens on
> orgs *that do the right thing today* (with extra verification hoops)
> should be balanced against "will it change the situation wrt orgs that
> do not care".
> 
> And I think the balance is negative - extra work for the good guys, and
> no relevant incentive for the bad guys to actually *act on* their abuse
> reports.
> 
> Gert Doering
> -- NetMaster
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

In my opinion, the actual situation is the worst. We are validating over 
"nothing". We don't know how many of the "validated" mailboxes are real, or 
even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, 
as it is being done in ARIN and APNIC and soon in LACNIC.

If this can't reach consensus, I prefer to know in advance "this operator 
doesn't handle abuses" that wasting time in reporting them. I will have the 
choice to just block their network and when several folks block them and their 
customers complain, then they may change their mind.

Better 50% of good and *real* validated abuse contacts than 100% from which I 
don't know how may are for real.
 

El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" 
 escribió:


Hi,

I obviously don't speak for the incident handling community, but i think 
this (making it optional) would be a serious step back. The current 
situation is already very bad when in some cases we know from the start 
that we are sending (automated) messages/notices to blackholes.

To an extreme, there should always be a known contact responsible for 
any network infrastructure. If this is not the case, what's the purpose 
of a registry then?

Regards,
Carlos



On Tue, 14 Jan 2020, Leo Vegoda wrote:

> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>
> [...]
>
>> A much simpler approach would be to make abuse-c: an optional attribute
>> (basically, unrolling the "mandatory" part of the policy proposal that
>> introduced it in the first place)
>
> This seems like a simple approach for letting network operators
> indicate whether or not they will act on abuse reports. If there's no
> way of reporting abuse then the operators clearly has no processes for
> evaluating reports, or acting on them. This helps everyone save time.
>
> Regards,
>
> Leo Vegoda
>





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Ronald,


El 14/1/20 13:10, "anti-abuse-wg en nombre de Ronald F. Guilmette" 
 escribió:

In message <30174d32-225f-467e-937a-5bc42650f...@consulintel.es>, 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>I think if we try to agree on those ratings, we will never reach consensus

Right, and that was a part of my point about eBay-like feedback ratings
for resource holders, i.e. "Let's not even try."

Instead, let the people decide.  Let anyone register a feedback point,
positive or negative, against any resource holder, with the proviso
that if they are registering a negative feedback point, they should assert
exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
undeliverable", "no response for eight days" etc.) and if possible,
provide some context also, e.g. a copy of the spam, a copy of some
logs showing hack attempts, etc.


This may have legal consequences for RIPE NCC, as somebody could use the system 
to publish untrue information for competitors ... not a good idea.


>So it is not just easier to ask the abuse-c mailboxes that don't want to
>process to setup an autoresponder with an specific (standard) text about
that, for example:...

In the "eBay feedback" model I am proposing there is no need for *RIPE NCC*
to ask anybody about anything.  People will register negative points
against any resource holder with an undeliverable abuse address.  (I know
I will!)

I'm sorry Jordi, if this idea sounds like it is undermining everything
you have been trying to do, which is all very very admirable.  But I have
only just realized what you said above, i.e. if we really start to try
to design a system where RIPE NCC will do 100% of the work of "reviewing"

No ... this is an automated process. It is working already in ARIN, in APNIC 
and now will be also implemented in LACNIC.

It is just an email sent to each abuse-c twice a year, and they have 15 days to 
click in the link to verify that this mailbox is working.

RIPE NCC will only take care of the failed emails. It may mean some extra work 
at the beginning, but after a pass will be less and less work. Some of those 
emails that fail, have already been escalated by RIPE NCC with the existing 
policy, so it means even less work.

all one zillion RIPE resource holders, the size of the task will almost
be the least of the worries.   The first order problem, as you already
know since you have been doing yeoman's work on this for awhile now, is
just getting people in the various RIRs to agree on the numerous fine
details.  (Hell! You can't even get *me* to agree that a 15 day turn-
around is in any sense "reasonable", and apparently I'm not alone in
that regard.)

So, my solution is just don't.  Let the whole planet vote on whether
they think this provider or that provider are ***heads, and let the
chips fall where they may.

I'm not saying that even this idea would neessarily be piece-of-cake easy.
The first problem would be working out a way to prevent the system from
being gamed by bad actors for malicious purposes, or for positive "PR"
purposes.  (Don't get me started about the fake positive review over on
TripAdvisor.)  But I am not persuaded that these are in any sense
insoluable problems.


Regards,
rfg





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <9ew8xocpiyhef...@highwayman.com>, 
Richard Clayton  wrote:

>these (which are the most interesting parts of the Communications
>Decency Act that did not get invalidated by the application of the First
>Amendment which swept away much of it) provide a safe harbour for the
>people operating platforms regarding what the users of those platforms
>say ... so yes this is very much on point
>
>within the EU (and the RIPE region is far bigger than that) there is NOT
>an equivalent regime -- there is a safe harbour (under the ECommerce
>Directive) for hosting companies but ONLY up to the point at which they
>have "actual knowledge" that material is problematic (eg that it is
>defamatory) after that they are on the hook if they fail to act
>appropriately
>
>companies such as EBay and TripAdvisor are well aware of this and
>operate their platforms accordingly -- so this means that problematic
>material will not be visible within the EU (and doubtless in other RIPE
>region countries) ... whether they remove it entirely (so that US
>residents miss out) I could not say, you'd need to ask each company
>individually as to how they configure their systems

I reiterate and slightly rehprase my question:

Do you people in within the RIPE region see, or not see critical reviews
on, for example, eBay, TripAdvisor, etc?

It is being seriously suggested that eBay erases or makes magically and
selectively invisible just those bad seller (or buyer) reviews which
implicate some draconian defamation laws that exist in some one of
the fiefdoms of Europe, perhaps even one small enough to be entirely
covered in shag carpeting?  It is being seriously suggested that
TripAdvisor likewise selectively erases complaints about lousey coffee
at each and every litigious brothel in Amsterdam?

If this is what is being suggested, then color me skeptical.

>note that companies that operate solely in the USA can take some solace
>from the USA SPEECH Act...

The notion of "operating solely in the USA" is not one which lacks
ambiguity, at least when it comes to Internet-based services, as I am
sure you are all too aware.

Still, pragmatics and commerce, like time and tide, wait for no man.
And the services I have named and used as examples *do* exist, *do*
survive, and *do* provide, collect, organize, and disseminate reviews
entered by globe-spanning armies of individual end users.

I would argue that if they can do it, we can do it.

As regards to jurisdiction and legal responsibility, I would be more than
happy to host the thing here in the United States, and take full, personal,
and sole legal responsibility for it.  I am not afraid, because 47 USC 230(c)
is both abundantly clear and already very much tested, in real courts of
law, and it has consistantly prevailed.  The operator of a platform is
*not* legally liable for the speech of others.  Not in these United States
anyway.

I would do these things, but I cannot -build- such a review platform,
because frankly, I just don't have the time.

That small fact doesn't make it a fundamentally Bad or Unworkable idea.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

I couldn't stop laughing for more than 30 minutes ... this is what they call 
(and they pay for) laughter therapy ?

Tks!
 
 

El 14/1/20 12:52, "anti-abuse-wg en nombre de Ronald F. Guilmette" 
 escribió:

In message <671286eb-7fad-4d70-addd-efa0a680b...@consulintel.es>, 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>>Section 3.0 part 3.  Why on earth should it take 15 days for
>>anyone to respond to an email??  Things on the Internet happen
>>in millseconds.  If a provider is unable to respond to an issue
>>within 72 hours then they might as well be dead, because they
>>have abandoned all social responsibility.
>>
>>I fully agree! My original proposal was only 3 working days, but the
>>community told me "no way". This was the same input I got in APNIC
>>and LACNIC (in both regions it reached consensus with 15 days).
>>
>>So, I will keep 15 days ...
>
>I think this is provable, and also transparently obvious and colossal
>bullshit, but that's just my opinion.
>
>And mine!, but as a proposal author, I need to try to match as much as 
poss=
>ible the wishes of the community.

You are hereby officially absolved from all guilt in the matter.

In nomine patri et fili spiritu sancte.

Go in peace my son, and do what you have to do.


Regards,
rfg





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

This is the key point.

We already agreed to have a mandatory abuse-c.

We can change our mind and make it optional.

But one way or the other, should be a *real* one. A validation that can be 
faked just using (for example) Carlos email, is not a good procedure. It 
doesn't make sense at all.

We are not saying the RIR will need to verify that an abuse case is 
investigated or resolved. This is not the point.

El 14/1/20 12:28, "anti-abuse-wg en nombre de Carlos Friaças via 
anti-abuse-wg"  escribió:



On Tue, 14 Jan 2020, Nick Hilliard wrote:

> Gert Doering wrote on 14/01/2020 10:19:
>> And if it's not going to have the desired effect, do not waste time on 
it.
>
> More to the point, the RIPE number registry should not be used as a stick 
for 
> threatening to beat people up if they don't comply with our current 
favourite 
> ideas about how to manage social policy on the internet.
>
> It is a registry, not a police truncheon.

Hello,

(Going perhaps a bit off-topic...)

If people are not able to follow the rules of the registry, maybe they 
shouldn't be allowed inside the system... :-)

[Fact 1]
If someone provides falsified documents to the registry, that someone goes 
off the wagon.

[Fact 2]
If someone doesn't pay the registry in due time (after several warnings), 
that someone goes off the wagon.




I would also feel comfortable if someone who indicates a 3rd party e-mail 
address as the abuse-mailbox for their _OWN_ address space, goes off the 
wagon (after some warnings, of course...).
BTW, some years ago our physical address was added in whois to someone 
else's address space in a different RIR and that was _NOT_ a nice 
experience...


Regards,
Carlos


> Nick
>





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Warren Kumari]

On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda  wrote:
>
> On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race  wrote:
>
> [...]
>
> > Aside from the reciprocity issue, it's a basic engineering rule
> > that systems target their goal only when a corrective
> > feedback path exists.
>
> That feedback path does not need to be a personally written e-mail.
> Instead, it is possible to use signals like the absence of a reliable
> reporting mechanism to make decisions about not accepting some or all
> traffic from an abusing network.
>
> My main concern with proposal 2019-04 is that it would make everyone
> look the same. It then takes time and effort to distinguish the
> networks that will actually use abuse reports to fix problems from
> those that won't or just don't have the ability to do so.
>
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.
>
> In the first case, it avoids wasting resources lodging reports that
> will be ignored. Secondly, it provides reliable statistical
> information about the networks whose operators claim to use abuse
> reports to clean things up. This would provide a metric that could be
> used both by other network operators to guide operational policies and
> governments or regulators to set theirs.

I suspect I'm somewhat confused / have lost the thread somewhere.

I really don't think that any network is likely to advertise that they
are not dealing with abuse -- it gives a bad impression, and the
marketing droids will likely want *something* listed. The same goes
for legal - saying "Meh, don't bother sending us abuse reports, we
ignore them" doesn't seem to have any PR / marketing / legal upside,
and has many downsides...

Pretend that you are a network that (largely) ignores abuse reports --
your current solution of throwing these mails away costs you nothing;
what's the upside to telling everyone that you are doing this?

I suspect that people will continue to have abuse@, hostmaster@,
abuse-c,and any other conventions filled in -- and many will just
continue to shuffle these into self-closing ticket systems / mailboxes
which never get read and / or /dev/null...

W


>
> Finally, we don't yet know what the RIPE Database Requirements TF will
> recommend. But I think that building a new business process on the
> existing model for publishing contact information assumes they won't
> recommend changes. Let's wait until they report before asking the RIPE
> NCC to build new workflows on a model that the community might want to
> change.
>
> Kind regards,
>
> Leo Vegoda
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Wed, Jan 15, 2020 at 11:45:10AM -0800, Leo Vegoda wrote:
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.

Works for me.

Mine is "absence signals disinterest", while yours is "explicitly stating
disinterest", which is indeed a much clearer signal that can not be
confused with "oh, we never came around to register an abuse-c, so sorry".

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race  wrote:

[...]

> Aside from the reciprocity issue, it's a basic engineering rule
> that systems target their goal only when a corrective
> feedback path exists.

That feedback path does not need to be a personally written e-mail.
Instead, it is possible to use signals like the absence of a reliable
reporting mechanism to make decisions about not accepting some or all
traffic from an abusing network.

My main concern with proposal 2019-04 is that it would make everyone
look the same. It then takes time and effort to distinguish the
networks that will actually use abuse reports to fix problems from
those that won't or just don't have the ability to do so.

While I would accept Gert's proposal for making abuse-c an optional
attribute, the reason I offered a counter proposal for publishing "a
statement to the effect that the network operator does not act on
abuse reports" is to add clarity at a high level.

In the first case, it avoids wasting resources lodging reports that
will be ignored. Secondly, it provides reliable statistical
information about the networks whose operators claim to use abuse
reports to clean things up. This would provide a metric that could be
used both by other network operators to guide operational policies and
governments or regulators to set theirs.

Finally, we don't yet know what the RIPE Database Requirements TF will
recommend. But I think that building a new business process on the
existing model for publishing contact information assumes they won't
recommend changes. Let's wait until they report before asking the RIPE
NCC to build new workflows on a model that the community might want to
change.

Kind regards,

Leo Vegoda

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Randy Bush]

> To an extreme, there should always be a known contact responsible for
> any network infrastructure.

there are, admin and tech

randy, not advocating for or against abuse-c

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

On Wed, Jan 15, 2020 at 9:25 AM Jeffrey Race  wrote:
>
> e-mail must be allowed because most victims
> are not organizations but individual net users

E-mail does not scale well. It was great in the 1990s, when the
Internet was smaller and people knew each other. About half the
world's population now has some sort of Internet connectivity.
Expecting organizations to be able to understand reports from such a
diverse group of people is unreasonable.

Lots of organizations won't have specialized abuse handling teams. If
they don't have a specialized abuse handling team then they are
unlikely to have people who understand the reports or processes for
acting on them. Forcing these organizations to pretend that they will
read and understand and then act on a report will never make it so.

So let's stop pretending and put energy into something more productive
than asking people to set up an autoresponder for an e-mail address
whose mailbox will never be checked by a human.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg
 wrote:

[...]

> - Lastly: It makes our life as Incident responders easier to have a
> uniform way of sending reports, even if not all of them are followed up.

This is an excellent point but e-mail is probably not the right medium
for that. Standardizing protocols for reporting abuse - and therefore
acting on those reports more quickly - would be far more helpful. But
only organizations don't want abuse on their networks will invest in
the people, processes, and systems, whatever the reporting medium.

> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

It's not about the burden on the organizations that don't want to act.
It's about providing a clear signal to the reporting organizations
that there is no point reporting. That should allow reporting
organizations to decide on next steps more quickly.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Michele Neylon - Blacknight]

+1000



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/ 
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 15/01/2020, 12:49, "anti-abuse-wg on behalf of Nick Hilliard" 
 wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 15/01/2020 12:38:
> and allows sending abuse reports

You're demanding that resource holders handle abuse reports by email and 
how to handle that mailbox, i.e. telling them how to run their businesses.

It's not appropriate for the RIPE NCC to get involved with this sort of 
thing.

Nick

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Suresh Ramasubramanian]

Is Dutch law really the inhibitor here?  Or the possibilities that Richard 
outlined?
I seem to recall previous opta nl proposals that took a sensible view of 
network abuse, some years back


--srs


From: anti-abuse-wg  on behalf of Brian Nisbet 

Sent: Wednesday, January 15, 2020 6:35 PM
To: Ronald F. Guilmette; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

Folks,

While not attempting to discuss the merits or otherwise of a reputation system 
(other than the fact I've seen many of them proposed and we still have lots of 
problems), I would say one thing on your comments below, Ronald.

The RIPE NCC service region is not just the EU, it isn't just the continent of 
Europe. It includes many other countries such as Russia and the entirety of the 
Middle East. With 70+ countries involved it is a lot harder to do something 
that is acceptable everywhere, even while the NCC itself is governed under 
Dutch law.

Just a useful reminder.

Brian

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -Original Message-
> From: anti-abuse-wg  On Behalf Of
> Ronald F. Guilmette
> Sent: Wednesday 15 January 2020 01:52
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of
> "abuse-mailbox")
>
> In message ,
> Hans-Martin Mosner  wrote:
>
> >While this would probably paint a pretty solid picture of which network
> >o= perators can be trusted and which can't, there's another point
> >besides your valid concern about abusers gaming the=
> > system: Whoever publishes the results of such user ratings would most
> >likely expose themselves to litigious lawsuits, w= hich neither you nor
> >me nor RIPE NCC really wants to do.
>
> That comment, and that concern, certainly does not seem to apply in any
> country in which either eBay or TripAdvisor operate.
>
> Do you folks on your side of the pond not receive eBay? Are you not able to
> view Tripadvisor.Com?
>
> Here in this country (U.S.) there are actually -three- separate and clearly
> discrenable legal protections that would cover and that do cover
> circumstances like this. In no particular order, they are:
>
> (*) The First Amendment.
>
> (*) 47 USC 230(c)(1)
>
> (*) 47 USC 230(c)(2)(B)
>
> Ref:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .law.cornell.edu%2Fuscode%2Ftext%2F47%2F230data=02%7C01%7Cb
> rian.nisbet%40heanet.ie%7C4346c5c89cb4424339be08d7995da2a1%7Ccd9e82
> 69dfb648e082538b7baf8d3391%7C0%7C0%7C637146499755991832sdat
> a=JcDbohTPkHP6aa4TkUU%2BL%2FswCYndB5tol4HPXak2M9Y%3Dres
> erved=0
>
> The middle one is actually the first-order go-to provision for situations like
> this, and provides for quick dismissal for any silly cases brought against 
> *me*
> for something that *you* have said on some discussion or review web site
> that I just happen to provide electricity, connectivity, and CPU cycles for.
>
> One would hope that european law might have some counterpart for that,
> but I confess that I really have no idea about that, one way or the other.
>
> So, um, is the european continent utterly devoid of any and all web sites
> where reviews can or do appear? Does europe have its own GDPR
> mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out?
>
> Or were you, Hans-Martin, just saying that in europe, free speech is reserved
> only for those who can afford it, and who conveniently have hoards of
> corporate lawyers covering their backsides?
>
> Asking seriously, because I don't know the answer. I'm just puzzled by this
> whole thing, and this concern about lawsuits.
>
>
> Regards,
> rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Suresh Ramasubramanian]

Applause.


--srs


From: anti-abuse-wg  on behalf of Richard 
Clayton 
Sent: Wednesday, January 15, 2020 8:32 PM
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, =?iso-
8859-1?Q?S=E9rgio_Rocha?=  writes

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish
to interact with network owners without disclosing that in public ...

... sometimes because they do not wish their names to be known,
sometimes because they do not wish their techniques for (and speed at)
detecting abuse to become known.

So making it compulsory would be completely counterproductive.

Making use of such a website voluntary would also be unwise because the
people who do not wish their reports to be public are probably in the
majority (I speculate) so that reputation system would fail to include
the majority of reports that are made (and I again speculate) the
overwhelming majority of reports that are acted upon.

Producing non-biased reputation systems is very hard ...

>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many
different types of abuse and many different types of reporter into a
single system.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Richard Clayton]

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, =?iso-
8859-1?Q?S=E9rgio_Rocha?=  writes

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish
to interact with network owners without disclosing that in public ...

... sometimes because they do not wish their names to be known,
sometimes because they do not wish their techniques for (and speed at)
detecting abuse to become known.

So making it compulsory would be completely counterproductive.

Making use of such a website voluntary would also be unwise because the
people who do not wish their reports to be public are probably in the
majority (I speculate) so that reputation system would fail to include
the majority of reports that are made (and I again speculate) the
overwhelming majority of reports that are acted upon.

Producing non-biased reputation systems is very hard ...

>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many
different types of abuse and many different types of reporter into a
single system.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Richard Clayton]

In message <44130.1579053...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>That comment, and that concern, certainly does not seem to apply in any
>country in which either eBay or TripAdvisor operate.
>
>Do you folks on your side of the pond not receive eBay?  Are you not able to
>view Tripadvisor.Com?
>
>Here in this country (U.S.) there are actually -three- separate and clearly
>discrenable legal protections that would cover and that do cover circumstances
>like this.  In no particular order, they are:
>
> (*)  The First Amendment.

that constrains the US Government as to what laws they pass ... it does
not constrain corporate policy (so a bit of a red herring)

of course there are constitutions in many countries in the RIPE region,
but none (AFAIK) are quite as sweeping in this area

> (*)  47 USC 230(c)(1)
>
> (*)  47 USC 230(c)(2)(B)

these (which are the most interesting parts of the Communications
Decency Act that did not get invalidated by the application of the First
Amendment which swept away much of it) provide a safe harbour for the
people operating platforms regarding what the users of those platforms
say ... so yes this is very much on point

within the EU (and the RIPE region is far bigger than that) there is NOT
an equivalent regime -- there is a safe harbour (under the ECommerce
Directive) for hosting companies but ONLY up to the point at which they
have "actual knowledge" that material is problematic (eg that it is
defamatory) after that they are on the hook if they fail to act
appropriately

companies such as EBay and TripAdvisor are well aware of this and
operate their platforms accordingly -- so this means that problematic
material will not be visible within the EU (and doubtless in other RIPE
region countries) ... whether they remove it entirely (so that US
residents miss out) I could not say, you'd need to ask each company
individually as to how they configure their systems

note that companies that operate solely in the USA can take some solace
from the USA SPEECH Act (which addresses the issue of enforcing
"foreign" libel judgments in the USA) but of course eBay etc operate in
Europe as well --- and of course RIPE NCC is based in The Netherlands

viz: failure to remove libels would be costly

>The middle one is actually the first-order go-to provision for situations
>like this, and provides for quick dismissal for any silly cases brought
>against *me* for something that *you* have said on some discussion or
>review web site that I just happen to provide electricity, connectivity,
>and CPU cycles for.

since I understand you to be in the USA, you're correct

>One would hope that european law might have some counterpart for that,
>but I confess that I really have no idea about that, one way or the other.

basically not -- at least once there is "actual knowledge"

please note IANAL, but I do follow these issues so the above is mainly
correct :)

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Brian Nisbet]

Folks, 

While not attempting to discuss the merits or otherwise of a reputation system 
(other than the fact I've seen many of them proposed and we still have lots of 
problems), I would say one thing on your comments below, Ronald.

The RIPE NCC service region is not just the EU, it isn't just the continent of 
Europe. It includes many other countries such as Russia and the entirety of the 
Middle East. With 70+ countries involved it is a lot harder to do something 
that is acceptable everywhere, even while the NCC itself is governed under 
Dutch law.

Just a useful reminder.

Brian

Brian Nisbet 
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -Original Message-
> From: anti-abuse-wg  On Behalf Of
> Ronald F. Guilmette
> Sent: Wednesday 15 January 2020 01:52
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of
> "abuse-mailbox")
> 
> In message ,
> Hans-Martin Mosner  wrote:
> 
> >While this would probably paint a pretty solid picture of which network
> >o= perators can be trusted and which can't, there's another point
> >besides your valid concern about abusers gaming the=
> > system: Whoever publishes the results of such user ratings would most
> >likely expose themselves to litigious lawsuits, w= hich neither you nor
> >me nor RIPE NCC really wants to do.
> 
> That comment, and that concern, certainly does not seem to apply in any
> country in which either eBay or TripAdvisor operate.
> 
> Do you folks on your side of the pond not receive eBay?  Are you not able to
> view Tripadvisor.Com?
> 
> Here in this country (U.S.) there are actually -three- separate and clearly
> discrenable legal protections that would cover and that do cover
> circumstances like this.  In no particular order, they are:
> 
>  (*)  The First Amendment.
> 
>  (*)  47 USC 230(c)(1)
> 
>  (*)  47 USC 230(c)(2)(B)
> 
> Ref:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .law.cornell.edu%2Fuscode%2Ftext%2F47%2F230data=02%7C01%7Cb
> rian.nisbet%40heanet.ie%7C4346c5c89cb4424339be08d7995da2a1%7Ccd9e82
> 69dfb648e082538b7baf8d3391%7C0%7C0%7C637146499755991832sdat
> a=JcDbohTPkHP6aa4TkUU%2BL%2FswCYndB5tol4HPXak2M9Y%3Dres
> erved=0
> 
> The middle one is actually the first-order go-to provision for situations like
> this, and provides for quick dismissal for any silly cases brought against 
> *me*
> for something that *you* have said on some discussion or review web site
> that I just happen to provide electricity, connectivity, and CPU cycles for.
> 
> One would hope that european law might have some counterpart for that,
> but I confess that I really have no idea about that, one way or the other.
> 
> So, um, is the european continent utterly devoid of any and all web sites
> where reviews can or do appear?  Does europe have its own GDPR
> mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out?
> 
> Or were you, Hans-Martin, just saying that in europe, free speech is reserved
> only for those who can afford it, and who conveniently have hoards of
> corporate lawyers covering their backsides?
> 
> Asking seriously, because I don't know the answer.  I'm just puzzled by this
> whole thing, and this concern about lawsuits.
> 
> 
> Regards,
> rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Nick Hilliard]

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 15/01/2020 12:38:

and allows sending abuse reports


You're demanding that resource holders handle abuse reports by email and 
how to handle that mailbox, i.e. telling them how to run their businesses.


It's not appropriate for the RIPE NCC to get involved with this sort of 
thing.


Nick

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Nick,

Not really, I think you're reading a different text ... I'm not intending to 
ask RIPE to verify if the operators resolve the abuse cases.

The point here is to amend the existing policy to do a *good* validation of the 
abuse mailbox.

The actual policy only makes a "technical" validation, so it checks that the 
mailbox exists and is the right one and allows sending abuse reports, and 
that's it.

If the mailbox is full, if it is never read, if it belongs to a /dev/null or 
not the right person or team, even if it if you have my email in your abuse-c, 
all that, passes the validation.

Regards,
Jordi
@jordipalet
 
 

El 15/1/20 13:14, "anti-abuse-wg en nombre de Nick Hilliard" 
 escribió:

Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24:
> So the extra work is what, 10 minutes / year, if the system is setup
> properly?

Serge,

The policy proposal here is: if the registry doesn't comply, then it is 
in explicit violation of RIPE policies.

According to the "Closure of Members, Deregistration of Internet 
Resources and Legacy Internet Resources" document (currently RIPE 
716), if you don't comply with RIPE policies or RIPE NCC procedures, 
then the RIPE NCC is obliged to follow up with the resource holder and 
if they continue not to comply, then the number resources will be withdrawn.

The purpose behind RIPE-716 is to ensure accurate registration of number 
resources, which the core function of the RIPE registry.

Jordi has confirmed that the intention behind 2019-04 is to force 
resource holders to comply with the abuse handling procedures defined in 
his policy, and that if they don't comply for whatever reason, that 
their number resources are withdrawn under the terms of RIPE-716.

To be clear, deregistration of resources would make it difficult or 
impossible for almost any holder of addresses to continue their business.

So what's being proposed here is that RIPE-716 - whose purpose was to 
ensure integrity and accuracy of the the RIPE registry - should now be 
repurposed as a mechanism to enforce social behaviour practices on the 
Internet.

There are some pretty serious and fundamental problems with this.

Many of these problems were discussed in the context of RIPE policy 
2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of 
them were formally addressed in the RIPE NCC review of that policy.

Nick





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Nick Hilliard]

Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24:

So the extra work is what, 10 minutes / year, if the system is setup
properly?


Serge,

The policy proposal here is: if the registry doesn't comply, then it is 
in explicit violation of RIPE policies.


According to the "Closure of Members, Deregistration of Internet 
Resources and Legacy Internet Resources" document (currently RIPE 
716), if you don't comply with RIPE policies or RIPE NCC procedures, 
then the RIPE NCC is obliged to follow up with the resource holder and 
if they continue not to comply, then the number resources will be withdrawn.


The purpose behind RIPE-716 is to ensure accurate registration of number 
resources, which the core function of the RIPE registry.


Jordi has confirmed that the intention behind 2019-04 is to force 
resource holders to comply with the abuse handling procedures defined in 
his policy, and that if they don't comply for whatever reason, that 
their number resources are withdrawn under the terms of RIPE-716.


To be clear, deregistration of resources would make it difficult or 
impossible for almost any holder of addresses to continue their business.


So what's being proposed here is that RIPE-716 - whose purpose was to 
ensure integrity and accuracy of the the RIPE registry - should now be 
repurposed as a mechanism to enforce social behaviour practices on the 
Internet.


There are some pretty serious and fundamental problems with this.

Many of these problems were discussed in the context of RIPE policy 
2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of 
them were formally addressed in the RIPE NCC review of that policy.


Nick

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, 
"=?iso-8859-1?Q?S=E9rgio_Rocha?="  wrote:

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.
>
>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

This is essentially similar to what I had proposed.  As such please put
me down as a:

+1

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <20200115080615.gq72...@space.net>, 
Gert Doering  wrote:

>So why is it preferrable to send mails which are not acted on, as
>opposed to "not send mail because you know beforehand that the other
>network is not interested"?

Not sure that I understand fully the context of the question here, 
but in relation to what I suggested, which would be an "eBay-like"
public review collection & publication service, it would be, and is,
always helpful to know which networks just don't give a damn about
being responsible in responding to abuse arising from their networks.
Because there are these things called blacklists.

>I can see that it is frustrating - but I still cannot support a policy
>change which will not help dealing with irresponsible networks in any
>way, but at the same time increases costs and workload for those that
>do the right thing alrady.

As I have said, "You can lead a horse to water, but you can't make him
drink."

No matter how much any of us here might wish it, we should at
long last resign ourselves to the unambigous and ever-present reality
that no significant portion of the RIPE connunity is ever going to be
persuaded to do -anything- in the way of forcing, or even just strongly
encouraging good behavior and/or social responsibility on the part of
independent individual network operators.  It just isn't going to happen,
ever.  We should thus move on and should take heed of ancient wisdom of
1 Corinthians 13:11:

When I was a child, I spake as a child, I understood as a child,
I thought as a child: but when I became a man, I put away childish
things.

It is a childish thing to still hope or believe that any part of RIPE
or its community will ever take any meaningful action to *directly*
influence the behavior of networks that simply wish to minimize their
costs and maximize their revenue through a corporate strategy of ignoring
all acts of customer network abuse.

This is why I have suggested that, at the very least, RIPE NCC could set
up and maintain just a basic review "platform" where the public at large
can at least make it known to all observers which networks are the assholes
and which ones aren't.

>> To an extreme, there should always be a known contact responsible for
>> any network infrastructure.

Yes, but the operative word there is "should".  Who will *mandate* and
*enforce* this rule?  Not RIPE NCC and not the RIPE community.  I and
others have been on this list for years and years and the result is
as recurrent as it is entirely predictable by now.  There are those,
here and elsewhere, who religiously cling to their God-given "right"
to refuse, stubbornly, adamantly, and absolutely, to be told what to
do or how to responsibly run their networks by any other party, including
even the RIPE community.  (Hell!  Some of them are apparently not even
entirely convinced that they have any clear obligations to stay within
the bounds proscribed by criminal law!)

Thus, in short, it is well past time to move on and to put away childish
things, specifically the eternal and ever-unfulfilled forlorn hope that
either RIPE or it's community will someday, at long last, come to its
senses and start demanding even some minimal level of responsibility
and/or accountability from its members.

The only small thing that RIPE -might- actually be able to do to improve
the present situation... without all of the usual vetos from all of the
usual quarters... would be for it to set up a public review platform so
that members of the public at large could at least document, in full
public view, which networks are the shitheads and which are the good guys.
That way RIPE is not expressing *any* viewpoint itself... not about any
network and not even about what does or does not constitute "abuse" or
"responsible network behavior"... and thus just this one small thing
might actually be achievable, where all of the years of ranting and raving,
of tearing of hair and gnashing of teeth about the wanton abuse of the
Internet by networks within the RIPE community has achieved -zero-, zip,
nada, nothing of any substance in the way of prudently setting even just
a minimum floor on behavior, let alone actually enforcing that minimal
floor.

Time to put away childish things and childish hopes that RIPE will be
someday persuaded to be a part of the solution.  For the moment it
remains, as it has remained for quite some years now, a part of the
problem.  RIPE will never itself enforce -any- code of network behavior.
Period.   Full stop.  There are too many people making too much money
based on the present utter absence of any behaviorly rules, much less
enforcement, to allow that to change any time soon.

Get over it and move on.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Carlos Friaças via anti-abuse-wg]

Hi Sergio, All,

It seems you are proposing a new reputation system, to be managed by the 
RIPE NCC.


If this is the case, you can always try to draft a new policy proposal :-)

Cheers,
Carlos



On Wed, 15 Jan 2020, Sérgio Rocha wrote:


Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio

-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg
wrote:

I obviously don't speak for the incident handling community, but i
think this (making it optional) would be a serious step back. The
current situation is already very bad when in some cases we know from
the start that we are sending (automated) messages/notices to blackholes.


So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.



To an extreme, there should always be a known contact responsible for
any network infrastructure. If this is not the case, what's the
purpose of a registry then?


"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Carlos Friaças via anti-abuse-wg]

On Wed, 15 Jan 2020, Gert Doering wrote:


Hi,


Hi,
(please see inline)



On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg 
wrote:

I obviously don't speak for the incident handling community, but i think
this (making it optional) would be a serious step back. The current
situation is already very bad when in some cases we know from the start
that we are sending (automated) messages/notices to blackholes.


So why is it preferrable to send mails which are not acted on, as
opposed to "not send mail because you know beforehand that the other
network is not interested"?


I think Serge already took care of that answer/issue :-)

And in our case we do count the # of bounces we get resulting from the 
abuse complaints we send out.




I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any
way, but at the same time increases costs and workload for those that
do the right thing alrady.


I guess you are not convinced with the 10 min/year argument then :-(



To an extreme, there should always be a known contact responsible for
any network infrastructure. If this is not the case, what's the purpose
of a registry then?


"a known contact" and "an *abuse-handling* contact" is not the same thing.


I don't really like the case where "a known contact" is used as a last 
resort contact because there is an abuse issue. Hence, the value i see on 
a mandatory definition of an abuse contact -- while any network can still 
decide to use the same contact for both (or more) purposes.



Cheers,
Carlos




Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Sérgio Rocha]

Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 

-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote:
> Sorry I misunderstood you then. But honestly, this does not really place
> a burden on you.

It does.  Even if it's just 5 minutes per Mail - I need to train abuse 
handlers what to do with this sort of message, etc.

> So I think the balance is hugely positive.

Nobody has been able to demonstrate why it would have a positive effect
at all.  So how can the balance be "hugely positive"?

E-Mail addresses *are* validated today.  Just not in an as labour-intensive
way on the receipient like the proposers want to install.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:
> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

This is not what I said.  My stance on this is: placing extra burdens on
orgs *that do the right thing today* (with extra verification hoops)
should be balanced against "will it change the situation wrt orgs that
do not care".

And I think the balance is negative - extra work for the good guys, and
no relevant incentive for the bad guys to actually *act on* their abuse
reports.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

So maybe a word from an "Incident Responder".

I do feel very much, that we should have an abuse conntact, and it
should be tested to wok, in the sense that some one reads the mail sent
there.

Here are my reasons:

- Having such a mailbox may increase the pressure for orgs to actually
do something. My experience from previous job showed, that keep sending
abuse reports, despite complaints about "spam" eventually convinced a
lot of orgs to act. Essentially you take away the excuste "Oh, but we
didn't know"

- Even for orgs that don't react having such a conntact helps, because
it allows us to build up a history of ignored requests, which cann then
be used to reminde these orgs that they actually are part of the
problem. It is a sad fact, that a threat to your reputation, even if
it's only in colsed community, seems to sometimes help convincing said
org to reract. Finally if, at some state more drastic action would be
necessary (Think Russian Bussines Network at the time), you can build a
case.

- Lastly: It makes our life as Incident responders easier to have a
uniform way of sending reports, even if not all of them are followed up.

I kind of don't buy into "There is no point on placing a burden on orgs
that choose not to act".

Best
Serge

On 15/01/2020 08:23, Carlos Friaças via anti-abuse-wg wrote:
> 
> Hi,
> 
> I obviously don't speak for the incident handling community, but i think
> this (making it optional) would be a serious step back. The current
> situation is already very bad when in some cases we know from the start
> that we are sending (automated) messages/notices to blackholes.
> 
> To an extreme, there should always be a known contact responsible for
> any network infrastructure. If this is not the case, what's the purpose
> of a registry then?
> 
> Regards,
> Carlos
> 
> 
> 
> On Tue, 14 Jan 2020, Leo Vegoda wrote:
> 
>> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>>
>> [...]
>>
>>> A much simpler approach would be to make abuse-c: an optional attribute
>>> (basically, unrolling the "mandatory" part of the policy proposal that
>>> introduced it in the first place)
>>
>> This seems like a simple approach for letting network operators
>> indicate whether or not they will act on abuse reports. If there's no
>> way of reporting abuse then the operators clearly has no processes for
>> evaluating reports, or acting on them. This helps everyone save time.
>>
>> Regards,
>>
>> Leo Vegoda
>>
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +, Carlos Friaças via anti-abuse-wg 
wrote:
> I obviously don't speak for the incident handling community, but i think 
> this (making it optional) would be a serious step back. The current 
> situation is already very bad when in some cases we know from the start 
> that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as
opposed to "not send mail because you know beforehand that the other
network is not interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any
way, but at the same time increases costs and workload for those that
do the right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the purpose 
> of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Carlos Friaças via anti-abuse-wg]

Hi,

I obviously don't speak for the incident handling community, but i think 
this (making it optional) would be a serious step back. The current 
situation is already very bad when in some cases we know from the start 
that we are sending (automated) messages/notices to blackholes.


To an extreme, there should always be a known contact responsible for 
any network infrastructure. If this is not the case, what's the purpose 
of a registry then?


Regards,
Carlos



On Tue, 14 Jan 2020, Leo Vegoda wrote:


On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:

[...]


A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that
introduced it in the first place)


This seems like a simple approach for letting network operators
indicate whether or not they will act on abuse reports. If there's no
way of reporting abuse then the operators clearly has no processes for
evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message , 
Hans-Martin Mosner  wrote:

>While this would probably paint a pretty solid picture of which network o=
>perators can be trusted and which can't,
>there's another point besides your valid concern about abusers gaming the=
> system: Whoever publishes the results of such
>user ratings would most likely expose themselves to litigious lawsuits, w=
>hich neither you nor me nor RIPE NCC really
>wants to do.

That comment, and that concern, certainly does not seem to apply in any
country in which either eBay or TripAdvisor operate.

Do you folks on your side of the pond not receive eBay?  Are you not able to
view Tripadvisor.Com?

Here in this country (U.S.) there are actually -three- separate and clearly
discrenable legal protections that would cover and that do cover circumstances
like this.  In no particular order, they are:

 (*)  The First Amendment.
 
 (*)  47 USC 230(c)(1)

 (*)  47 USC 230(c)(2)(B)

Ref:
https://www.law.cornell.edu/uscode/text/47/230

The middle one is actually the first-order go-to provision for situations
like this, and provides for quick dismissal for any silly cases brought
against *me* for something that *you* have said on some discussion or
review web site that I just happen to provide electricity, connectivity,
and CPU cycles for.

One would hope that european law might have some counterpart for that,
but I confess that I really have no idea about that, one way or the other.

So, um, is the european continent utterly devoid of any and all web sites
where reviews can or do appear?  Does europe have its own GDPR mandated
Great Firewall to keep the evil likes of eBay and TripAdvisor out?

Or were you, Hans-Martin, just saying that in europe, free speech is reserved
only for those who can afford it, and who conveniently have hoards of corporate
lawyers covering their backsides?

Asking seriously, because I don't know the answer.  I'm just puzzled by this
whole thing, and this concern about lawsuits.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Hans-Martin Mosner]

Am 14.01.20 um 13:10 schrieb Ronald F. Guilmette:
> [...]
> So, my solution is just don't.  Let the whole planet vote on whether
> they think this provider or that provider are ***heads, and let the
> chips fall where they may.
>
> I'm not saying that even this idea would neessarily be piece-of-cake easy.
> The first problem would be working out a way to prevent the system from
> being gamed by bad actors for malicious purposes, or for positive "PR"
> purposes.  (Don't get me started about the fake positive review over on
> TripAdvisor.)  But I am not persuaded that these are in any sense
> insoluable problems.
>
>
> Regards,
> rfg
>
While this would probably paint a pretty solid picture of which network 
operators can be trusted and which can't,
there's another point besides your valid concern about abusers gaming the 
system: Whoever publishes the results of such
user ratings would most likely expose themselves to litigious lawsuits, which 
neither you nor me nor RIPE NCC really
wants to do.

Remember that some DSNBLs had a hard time due to this, some preferred to stay 
anonymous for that very reason. An
"abuser-friendliness" rating system targeting network operators who may be 
"RIPE NCC members in good standing" would
probably not live long, even if it published just clear facts ("this network 
operator does not want to receive and
handle abuse reports") because these facts might be used to block access from 
these networks and hurt their business.

I've been running mail systems since when "postmas...@domain.tld" was still the 
first point of contact you would go to
when something bad emanated from a mailserver. Then spammers operated their own 
domains, and you would need to address
abuse@ for the IP range. Then network operators decided to look the other way 
when their well-paying customers spammed,
and reporting to abuse mailbox addresses became hopeless. I just don't do that 
anymore. IP-level blocking of whole
network address ranges works for me. If network operators don't want to get 
blocked, they need to clean up their act,
with or without abuse mailbox.

Cheers,
Hans-Martin

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:

[...]

> A much simpler approach would be to make abuse-c: an optional attribute
> (basically, unrolling the "mandatory" part of the policy proposal that
> introduced it in the first place)

This seems like a simple approach for letting network operators
indicate whether or not they will act on abuse reports. If there's no
way of reporting abuse then the operators clearly has no processes for
evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <30174d32-225f-467e-937a-5bc42650f...@consulintel.es>, 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>I think if we try to agree on those ratings, we will never reach consensus

Right, and that was a part of my point about eBay-like feedback ratings
for resource holders, i.e. "Let's not even try."

Instead, let the people decide.  Let anyone register a feedback point,
positive or negative, against any resource holder, with the proviso
that if they are registering a negative feedback point, they should assert
exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
undeliverable", "no response for eight days" etc.) and if possible,
provide some context also, e.g. a copy of the spam, a copy of some
logs showing hack attempts, etc.

>So it is not just easier to ask the abuse-c mailboxes that don't want to
>process to setup an autoresponder with an specific (standard) text about
that, for example:...

In the "eBay feedback" model I am proposing there is no need for *RIPE NCC*
to ask anybody about anything.  People will register negative points
against any resource holder with an undeliverable abuse address.  (I know
I will!)

I'm sorry Jordi, if this idea sounds like it is undermining everything
you have been trying to do, which is all very very admirable.  But I have
only just realized what you said above, i.e. if we really start to try
to design a system where RIPE NCC will do 100% of the work of "reviewing"
all one zillion RIPE resource holders, the size of the task will almost
be the least of the worries.   The first order problem, as you already
know since you have been doing yeoman's work on this for awhile now, is
just getting people in the various RIRs to agree on the numerous fine
details.  (Hell! You can't even get *me* to agree that a 15 day turn-
around is in any sense "reasonable", and apparently I'm not alone in
that regard.)

So, my solution is just don't.  Let the whole planet vote on whether
they think this provider or that provider are ***heads, and let the
chips fall where they may.

I'm not saying that even this idea would neessarily be piece-of-cake easy.
The first problem would be working out a way to prevent the system from
being gamed by bad actors for malicious purposes, or for positive "PR"
purposes.  (Don't get me started about the fake positive review over on
TripAdvisor.)  But I am not persuaded that these are in any sense
insoluable problems.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <671286eb-7fad-4d70-addd-efa0a680b...@consulintel.es>, 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>>Section 3.0 part 3.  Why on earth should it take 15 days for
>>anyone to respond to an email??  Things on the Internet happen
>>in millseconds.  If a provider is unable to respond to an issue
>>within 72 hours then they might as well be dead, because they
>>have abandoned all social responsibility.
>>
>>I fully agree! My original proposal was only 3 working days, but the
>>community told me "no way". This was the same input I got in APNIC
>>and LACNIC (in both regions it reached consensus with 15 days).
>>
>>So, I will keep 15 days ...
>
>I think this is provable, and also transparently obvious and colossal
>bullshit, but that's just my opinion.
>
>And mine!, but as a proposal author, I need to try to match as much as poss=
>ible the wishes of the community.

You are hereby officially absolved from all guilt in the matter.

In nomine patri et fili spiritu sancte.

Go in peace my son, and do what you have to do.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Carlos Friaças via anti-abuse-wg]

On Tue, 14 Jan 2020, Nick Hilliard wrote:


Gert Doering wrote on 14/01/2020 10:19:

And if it's not going to have the desired effect, do not waste time on it.


More to the point, the RIPE number registry should not be used as a stick for 
threatening to beat people up if they don't comply with our current favourite 
ideas about how to manage social policy on the internet.


It is a registry, not a police truncheon.


Hello,

(Going perhaps a bit off-topic...)

If people are not able to follow the rules of the registry, maybe they 
shouldn't be allowed inside the system... :-)


[Fact 1]
If someone provides falsified documents to the registry, that someone goes 
off the wagon.


[Fact 2]
If someone doesn't pay the registry in due time (after several warnings), 
that someone goes off the wagon.


the "registry wagon"...>



I would also feel comfortable if someone who indicates a 3rd party e-mail 
address as the abuse-mailbox for their _OWN_ address space, goes off the 
wagon (after some warnings, of course...).
BTW, some years ago our physical address was added in whois to someone 
else's address space in a different RIR and that was _NOT_ a nice 
experience...



Regards,
Carlos



Nick

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Nick Hilliard]

Gert Doering wrote on 14/01/2020 10:19:

And if it's not going to have the desired effect, do not waste time on it.


More to the point, the RIPE number registry should not be used as a 
stick for threatening to beat people up if they don't comply with our 
current favourite ideas about how to manage social policy on the internet.


It is a registry, not a police truncheon.

Nick

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Tue, Jan 14, 2020 at 03:10:53AM -0700, Fi Shing wrote:
> weak imbeciles such as those on this list.

Wow.  That's a new one on my list of things I've been called.

So thankful.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> Looks fine to me.
> 
> If we really think that the operators should be free from taking abuse 
> reports, then let's make it optional.
> 
> As said, I personally think that an operator responsibility is to deal with 
> abuse cases, but happy to follow what we all decide.

I do think that an operator should handle abuse reports (and we do), 
but *this* is not a suitable vehicle to *make him*.

And if it's not going to have the desired effect, do not waste time on it.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

Well the operators are already free to decide if and when they respond to abuse 
reports.
 
But this farcical system should not be legitimised by weak imbeciles such as 
those on this list.
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "JORDI PALET MARTINEZ via anti-abuse-wg" 
Date: 1/14/20 8:50 pm
To: "anti-abuse-wg" 

Looks fine to me.
 
 If we really think that the operators should be free from taking abuse 
reports, then let's make it optional.
 
 As said, I personally think that an operator responsibility is to deal with 
abuse cases, but happy to follow what we all decide.
 
 Regards,
 Jordi
 @jordipalet
 
 
 
 El 14/1/20 10:47, "Gert Doering"  escribi:
 
 Hi,
 
 On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
 > On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via 
 > anti-abuse-wg wrote:
 > > So it is not just easier to ask the abuse-c mailboxes that don't want to 
 > > process to setup an autoresponder with an specific (standard) text about 
 > > that, for example:
 > > 
 > > "This is an automated convirmation that you reached the correct abuse-c 
 > > mailbox, but we don't process abuse cases, so your reports will be 
 > > discarded."
 > 
 > I would support that.
 
 ... but it's actually way too complicated to implement.
 
 A much simpler approach would be to make abuse-c: an optional attribute
 (basically, unrolling the "mandatory" part of the policy proposal that 
 introduced it in the first place)
 
 - If you want to handle abuse reports, put something working in.
 
 - If you do not want to handle abuse reports, don't.
 
 The ARC could be extended with a question "are you aware that you are
 signalling 'we do not not care about abuse coming from our network'?"
 and if this is what LIRs *want* to signal, the message is clear.
 
 The NCC could still verify (as they do today) that an e-mail address,
 *if given*, is not bouncing (or coming back with a human bounce "you have
 reached the wrong person, stop sending me mail" if someone puts in the
 e-mail address of someone else).
 
 MUCH less effort.
 
 Gert Doering
 -- NetMaster
 -- 
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
 
 
 
 
 **
 IPv4 is over
 Are you ready for the new Internet ?
 http://www.theipv6company.com
 The IPv6 Company
 
 This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Looks fine to me.

If we really think that the operators should be free from taking abuse reports, 
then let's make it optional.

As said, I personally think that an operator responsibility is to deal with 
abuse cases, but happy to follow what we all decide.

Regards,
Jordi
@jordipalet
 
 

El 14/1/20 10:47, "Gert Doering"  escribió:

Hi,

On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
> On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> > So it is not just easier to ask the abuse-c mailboxes that don't want 
to process to setup an autoresponder with an specific (standard) text about 
that, for example:
> > 
> > "This is an automated convirmation that you reached the correct abuse-c 
mailbox, but we don't process abuse cases, so your reports will be discarded."
> 
> I would support that.

... but it's actually way too complicated to implement.

A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that 
introduced it in the first place)

 - If you want to handle abuse reports, put something working in.

 - If you do not want to handle abuse reports, don't.

The ARC could be extended with a question "are you aware that you are
signalling 'we do not not care about abuse coming from our network'?"
and if this is what LIRs *want* to signal, the message is clear.

The NCC could still verify (as they do today) that an e-mail address,
*if given*, is not bouncing (or coming back with a human bounce "you have
reached the wrong person, stop sending me mail" if someone puts in the
e-mail address of someone else).

MUCH less effort.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael 
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
> On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via 
> anti-abuse-wg wrote:
> > So it is not just easier to ask the abuse-c mailboxes that don't want to 
> > process to setup an autoresponder with an specific (standard) text about 
> > that, for example:
> > 
> > "This is an automated convirmation that you reached the correct abuse-c 
> > mailbox, but we don't process abuse cases, so your reports will be 
> > discarded."
> 
> I would support that.

... but it's actually way too complicated to implement.

A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that 
introduced it in the first place)

 - If you want to handle abuse reports, put something working in.

 - If you do not want to handle abuse reports, don't.

The ARC could be extended with a question "are you aware that you are
signalling 'we do not not care about abuse coming from our network'?"
and if this is what LIRs *want* to signal, the message is clear.

The NCC could still verify (as they do today) that an e-mail address,
*if given*, is not bouncing (or coming back with a human bounce "you have
reached the wrong person, stop sending me mail" if someone puts in the
e-mail address of someone else).

MUCH less effort.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> So it is not just easier to ask the abuse-c mailboxes that don't want to 
> process to setup an autoresponder with an specific (standard) text about 
> that, for example:
> 
> "This is an automated convirmation that you reached the correct abuse-c 
> mailbox, but we don't process abuse cases, so your reports will be discarded."

I would support that.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

I think if we try to agree on those ratings, we will never reach consensus ...

So it is not just easier to ask the abuse-c mailboxes that don't want to 
process to setup an autoresponder with an specific (standard) text about that, 
for example:

"This is an automated convirmation that you reached the correct abuse-c 
mailbox, but we don't process abuse cases, so your reports will be discarded."

This will be still in line with the actual policy (and the proposal 
modifications) and will allow the operators to decide if they want to be good 
netcitizens or not, and the victims to decide if they want to block them.

Regards,
Jordi
@jordipalet
 
 

El 14/1/20 2:46, "anti-abuse-wg en nombre de Ronald F. Guilmette" 
 escribió:

In message 
, 
=?utf-8?B?w4FuZ2VsIEdvbnrDoWxleiBCZXJkYXNjbw==?=  
wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take 
no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow to easily block
>those networks from accesing ours!

These are pretty much my sentiments exactly.

The only questions remaining are:

   1)   Should there just be a simple yes/no one-bit flag published for
each resource holder, or would a scale and a range of possible
"rating" values be more useful?

   2)   How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my
prior posting.


Regards,
rfg






**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Ronald,


El 14/1/20 0:17, "anti-abuse-wg en nombre de Ronald F. Guilmette" 
 escribió:

In message <55d65bf8-a430-4bdc-ae58-63ff3dca4...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>Section 2.0 bullet point #2.  What's wrong with web forms?
>
>If I need to use a web form, which is not standard, for every abuse 
report...

OHHH!  Your proposal did not make it at all clear that the
web forms you were making reference to were ones that the resource
holder might put in place in order to provide a way for abuse 
victims to file a report.

I agree completely that those things are intolerable, and I will go
further and say that any resoirce holder who puts such a form online
should properly be consigned to the fifth ring of hell.

Sorry!  I had misconstrued.  When your proposal mentioned web forms
I had assumed that you were making reference to some form that the
RIPE NCC might put online and that the resources holders would need
to type something into (e.g. a unique magic cookei) in order to
fully confirm that they are in fact receiving emails to their
documented abuse reporting email addresses.

No worries. I will tidy up the text to make it clearer! Thanks!

I think that the verification email messages that RIPE NCC sends out
resource holders should indeed contain a link to web form, on the RIPE
web site, where the recipient resource holder should be required to
make at least some minimal demonstration that it has at least one
actual conscious and sentient human being looking at the inbound
emails that are sent to its abuse address.

Please clarify in your proposal what exactly your use of the term
"web form" was intended to convey.  TYhank you.

>Section 3.0 part 3.  Why on earth should it take 15 days for
>anyone to respond to an email??  Things on the Internet happen
>in millseconds.  If a provider is unable to respond to an issue
>within 72 hours then they might as well be dead, because they
>have abandoned all social responsibility.
>
>I fully agree! My original proposal was only 3 working days, but the
>community told me "no way". This was the same input I got in APNIC
>and LACNIC (in both regions it reached consensus with 15 days).
>
>So, I will keep 15 days ...

I think this is provable, and also transparently obvious and colossal
bullshit, but that's just my opinion.

And mine!, but as a proposal author, I need to try to match as much as possible 
the wishes of the community.

I say again.  Things happen on the Internet in milliseconds.  Any
service provider that can't react to an email within 72 hours should
be removed from the Internet of Responsible Adults and relegated to
the agricultural industry, or to the study of geology, or at any rate
to some profession where things are calm and leisurely, perhaps
including the delivery of regular postal mail.

If anyone wants to make his fortune by being an absentee landlord,
just gathering in revenue and not taking any day to day responsibility
for anything, let them get into the vacation rentals business and get
the  off the Internet.


Regards,
rfg





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Leo
 


El 14/1/20 0:11, "Leo Vegoda"  escribió:

On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg
 wrote:

[...]

> I will love to have in the policy that they must be investigated and 
acted upon, but what I heard from the inputs in previous versions is that 
having that in policy is too much and no way to reach consensus …

I don't understand the value of requiring organizations who do not
intend to investigate abuse reports to spend resources publishing an
address from which they can acknowledge the reports - only to then
delete those reports without doing anything.
  
This is not handled by this proposal. The existing policy already mandates that:

https://www.ripe.net/participate/policies/proposals/2017-02

  
It creates hope for reporters and wastes the RIPE NCC's and the
reporters' resources by forcing unwilling organizations to spend
cycles on unproductive activity.

Why not give networks two options?

1. Publish a reliable method for people to submit abuse reports - and act 
on it
2. Publish a statement to the effect that the network operator does
not act on abuse reports

This would save lots of wasted effort and give everyone more reliable
information about the proportion of networks/operators who will and
won't act on abuse reports.
 
Even if I think that the operators MUST process abuse cases, if the community 
thinks otherwise, I'm happy to support those two options in the proposal. For 
example, an autoresponder in the abuse-c mailbox for those that don't intend to 
process the abuse cases to option 2 above?

   
There might be some value in having the RIPE NCC cooperate with
networks who want help checking that their abuse-c is working. But
this proposal seems to move the RIPE NCC from the role of a helpful
coordinator towards that of an investigator and judge.

No, I don't think so, but I'm happy to modify the text if it looks like that.





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Gert Doering]

Hi,

On Mon, Jan 13, 2020 at 03:11:23PM -0800, Leo Vegoda wrote:
> On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg
>  wrote:
> 
> [...]
> 
> > I will love to have in the policy that they must be investigated and acted 
> > upon, but what I heard from the inputs in previous versions is that having 
> > that in policy is too much and no way to reach consensus ???
> 
> I don't understand the value of requiring organizations who do not
> intend to investigate abuse reports to spend resources publishing an
> address from which they can acknowledge the reports - only to then
> delete those reports without doing anything.
> 
> It creates hope for reporters and wastes the RIPE NCC's and the
> reporters' resources by forcing unwilling organizations to spend
> cycles on unproductive activity.

This.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Fi Shing]

I agree, perhaps these internet companies would be happy if it took 15 days for 
each credit card payment to take place between that company and the customer 
when a new customer uses their services?
 
 
 
 
- Original Message - Subject: Re: [anti-abuse-wg] working in 
new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" 
Date: 1/14/20 8:34 am
To: "JORDI PALET MARTINEZ" 
Cc: "anti-abuse-wg" 

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:
 
 >I'm happy to hear other inputs, stats, data, etc.
 
 Having only just read the proposal, my comments are few:
 
 I do not understand parst of this, specifically:
 
 Section 2.0 bullet point #2. What's wrong with web forms?
 
 Section 3.0 part 3. Why on earth should it take 15 days for
 anyone to respond to an email?? Things on the Internet happen
 in millseconds. If a provider is unable to respond to an issue
 within 72 hours then they might as well be dead, because they
 have abandoned all social responsibility.
 
 
 Regards,
 rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message 
, 
=?utf-8?B?w4FuZ2VsIEdvbnrDoWxleiBCZXJkYXNjbw==?=  
wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow to easily block
>those networks from accesing ours!

These are pretty much my sentiments exactly.

The only questions remaining are:

   1)   Should there just be a simple yes/no one-bit flag published for
each resource holder, or would a scale and a range of possible
"rating" values be more useful?

   2)   How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my
prior posting.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message 
, 
Leo Vegoda  wrote:

>> I will love to have in the policy that they must be investigated and acted
>upon, but what I heard from the inputs in previous versions is that having
>that in policy is too much and no way to reach consensus
>
>I don't understand the value of requiring organizations who do not
>intend to investigate abuse reports to spend resources publishing an
>address from which they can acknowledge the reports - only to then
>delete those reports without doing anything.
>
>It creates hope for reporters and wastes the RIPE NCC's and the
>reporters' resources by forcing unwilling organizations to spend
>cycles on unproductive activity.
>
>Why not give networks two options?
>
>1. Publish a reliable method for people to submit abuse reports - and act
>on it
>2. Publish a statement to the effect that the network operator does
>not act on abuse reports
>
>This would save lots of wasted effort and give everyone more reliable
>information about the proportion of networks/operators who will and
>won't act on abuse reports.
>
>There might be some value in having the RIPE NCC cooperate with
>networks who want help checking that their abuse-c is working. But
>this proposal seems to move the RIPE NCC from the role of a helpful
>coordinator towards that of an investigator and judge.

Leo Vegoda has made a lot of very good points, and there is a lot
to unpack on this whole topic.  Unfortnately, I don't think that
I personally have enough time to unpack it all myself today.  But
I cannot avoid offering a few observations.

It certainly appears to me to be the case that few want RIPE NCC to
enter into the role of investigator, let alone judge, except when it
comes to the allocation of resources.  As I have been informed, time
and time again, matters of network abuse are out of scope for the
organization, and this is not at all likely to change.

Nonetheless, and regardless, ever since the day that RIPE NCC first
published an abuse reporting address in the data base, it has, in
effect, injected itself, even if only to a minimal degree, into
the relationship between a network abuse victim and the relevant
resource holders that have clear connections to the abuse source,
i.e. the IP block registrant and the relevant AS registrant.  It
is a bit late in the day now to undo this.  Abuse reporting addresses
have been published, and abuse victims now have a reasonable
expectation that using any one of them will have some finite and
non-zero effect.  Whenever that is not the case, the relevant abuse
victim may reasonably ask "Why did you, RIPE NCC, publish this abuse
reporting email address when sending to it was clearly an utter
waste of my time?"  This is false advertising on the face of it.
You cannot stand in the town square with a large sign that says
"Free money!" and then not deliver.  Even if it is not illegal
per se, it is exceptionally rude and anti-social, and responsible
adults should not go into the tiown square with such signs if they
cannot or will not deliver.

On the other hand, resource holders in teh RIPE region, and also,
quite certainly, elsewhere continue to cling with almost religious
fervor to what they claim to be their God-given rights to be
irresponsible.  They are not by any means alone, and are simply
the Internet verssions of gun manufacturers and coal companies.
The planet is awash in both corporate entities and individuals
that will defend to the death their "rights" to be irresponsible.
This will not change anytime soon, and the attitude among many
network operators, both in the RIPE region and elsewhere, can
perhaps best be summed up by paraphrasing a famous pronouncement
made years ago by the former head of the National Rifle Association
(NRA) here in the U.S. "You can have my social irresponsibility
when you pry it from my cold dead hands!"

It has been shown, repeatedly, that it is utterly futile to try to
engage any of the folks holding this general point of view, or to
try to reason with them and explain that in the long run, their
enterprises and the public reputations of those enterprises will
be materially harmed by their unwillingness to give a damn.  An
old adage is appropriate here -- "You can lead a horse to water,
but you can't make him drink."  It is empirically demonstratable
that a nearly religious fervor, borne, I'm sure, of the demented
ideology of Ayn Rand, when coupled with a determined and short-
sighted self interest, cannot be undone by words alone.

Thus we have an arguably untenable situation.  RIPE NCC has
irreversably injected itself into the expectations of millions of
network abuse victims worldwide, even has it has less than zero
authority to actually do anything truly meaningful with respect
to their issues.  And this impass is made even more blatantly
intractable by the adamant insistance of some network operators
that they have a divine right to be irresponsible if they so choose.

Where then lies a solution for this thorny dilemma?

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ángel González Berdasco]

Well, I do see the value of an option (a magic email value?) meaning "this 
entity supports the use of its network for abusive purposes and will take no 
action on any abuse report".

That would save time for everyone involved, and would allow to easily block 
those networks from accesing ours!

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <55d65bf8-a430-4bdc-ae58-63ff3dca4...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>Section 2.0 bullet point #2.  What's wrong with web forms?
>
>If I need to use a web form, which is not standard, for every abuse report...

OHHH!  Your proposal did not make it at all clear that the
web forms you were making reference to were ones that the resource
holder might put in place in order to provide a way for abuse 
victims to file a report.

I agree completely that those things are intolerable, and I will go
further and say that any resoirce holder who puts such a form online
should properly be consigned to the fifth ring of hell.

Sorry!  I had misconstrued.  When your proposal mentioned web forms
I had assumed that you were making reference to some form that the
RIPE NCC might put online and that the resources holders would need
to type something into (e.g. a unique magic cookei) in order to
fully confirm that they are in fact receiving emails to their
documented abuse reporting email addresses.

I think that the verification email messages that RIPE NCC sends out
resource holders should indeed contain a link to web form, on the RIPE
web site, where the recipient resource holder should be required to
make at least some minimal demonstration that it has at least one
actual conscious and sentient human being looking at the inbound
emails that are sent to its abuse address.

Please clarify in your proposal what exactly your use of the term
"web form" was intended to convey.  TYhank you.

>Section 3.0 part 3.  Why on earth should it take 15 days for
>anyone to respond to an email??  Things on the Internet happen
>in millseconds.  If a provider is unable to respond to an issue
>within 72 hours then they might as well be dead, because they
>have abandoned all social responsibility.
>
>I fully agree! My original proposal was only 3 working days, but the
>community told me "no way". This was the same input I got in APNIC
>and LACNIC (in both regions it reached consensus with 15 days).
>
>So, I will keep 15 days ...

I think this is provable, and also transparently obvious and colossal
bullshit, but that's just my opinion.

I say again.  Things happen on the Internet in milliseconds.  Any
service provider that can't react to an email within 72 hours should
be removed from the Internet of Responsible Adults and relegated to
the agricultural industry, or to the study of geology, or at any rate
to some profession where things are calm and leisurely, perhaps
including the delivery of regular postal mail.

If anyone wants to make his fortune by being an absentee landlord,
just gathering in revenue and not taking any day to day responsibility
for anything, let them get into the vacation rentals business and get
the  off the Internet.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Randy,

As I just said, ideally we should ask for abuse-c reports to be procesed, but I 
know many folks don't like it.

But at least, we need to make sure that if you have an abuse-c, it is a "real" 
and "working" one so you're able to actually send the reports there. If 
ignored, that's another problem.

I don't know if in Spain law say that you must have a post box, or if you are 
violating the law if is full and the extra post that you get is going to make 
the street dirty (in this case you're violating a different law). I'm not 
asking to go there. I'm asking to have a functional mailbox, not how you 
operate your abuse cases.

El 13/1/20 18:53, "anti-abuse-wg en nombre de Randy Bush" 
 escribió:

well, not exactly as i see it.  abuse-c: is the op's way of saying
"please send any abuse related information here."  it is not a legal or
social contract to act on it (and i suspect that next year the wannabe
net police will want to enumerate exactly *how* they must act in 93
different circumstances), read it, reply to it, ...

dunno about spain, but most juristictions i know say post is delivered
to my post box, but not what i must do with it.

randy





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Ronald,

 

El 13/1/20 22:34, "Ronald F. Guilmette"  escribió:

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:

>I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parst of this, specifically:

Section 2.0 bullet point #2.  What's wrong with web forms?

If I need to use a web form, which is not standard, for every abuse report that 
I need to submit, there is no sufficient time in the world to fill all them. 
Every ISP has their own URL, forms with different fields, etc. You want to 
develop tools for each ISP in the world that decides to use a form to automate 
the abuse submission process?

Instead, ensuring that you are able to use, for example fail2ban, means that 
any abuse case is automatically reported via email (including the logs to probe 
the abuse).

Section 3.0 part 3.  Why on earth should it take 15 days for
anyone to respond to an email??  Things on the Internet happen
in millseconds.  If a provider is unable to respond to an issue
within 72 hours then they might as well be dead, because they
have abandoned all social responsibility.
 
I fully agree! My original proposal was only 3 working days, but the community 
told me "no way". This was the same input I got in APNIC and LACNIC (in both 
regions it reached consensus with 15 days).

So, I will keep 15 days ...


Regards,
rfg





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Leo,

 

 

El 13/1/20 18:16, "Leo Vegoda"  escribió:

 

Hi Jordi, all,

 

On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi all,

I'm working in a new version of the proposal 2019-04 (Validation of 
"abuse-mailbox").

In the last discussion phase, the only detailed response to this proposal that 
I got was from Carlos Friacas (which I will respond in detail later-on, as this 
may also help to revive the discussion).

The main question/issue here is still that the actual policy is just a 
"technical validation". It confirms that there is a mailbox but it doesn't 
confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the 
abuse processing
3) The mailbox is attended and not a black-hole, so nobody pay attention to the 
abuse reports, or even worst, not full

Anything not fulfilling that is useless (as will not fulfil the mission for 
that mailbox), and then we don't need an abuse-c at all.

 

Can you please clarify what you mean by "fulfil the mission for that mailbox" 
and the "intended 

 

I was referring about the goal of the abuse-c (even without this policy 
proposal). Why we want it if is not a real one, able to get abuse reports, and 
so on?

 

purpose" you mention in section 3.1 of the new text? The reason I ask is that 
the purpose does not seem to be defined in an earlier section. My reading of 
what you have written is that this became policy it would require that reports 
can be made and that these reports must be acknowledged. But it seems that 
there would be no obligation for reports to be investigated or acted upon.

 

I will love to have in the policy that they must be investigated and acted 
upon, but what I heard from the inputs in previous versions is that having that 
in policy is too much and no way to reach consensus …

 

Have I misunderstood what is intended?

 

Thanks,

 

Leo Vegoda



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Ronald F. Guilmette]

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:

>I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parst of this, specifically:

Section 2.0 bullet point #2.  What's wrong with web forms?

Section 3.0 part 3.  Why on earth should it take 15 days for
anyone to respond to an email??  Things on the Internet happen
in millseconds.  If a provider is unable to respond to an issue
within 72 hours then they might as well be dead, because they
have abandoned all social responsibility.


Regards,
rfg

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Randy Bush]

well, not exactly as i see it.  abuse-c: is the op's way of saying
"please send any abuse related information here."  it is not a legal or
social contract to act on it (and i suspect that next year the wannabe
net police will want to enumerate exactly *how* they must act in 93
different circumstances), read it, reply to it, ...

dunno about spain, but most juristictions i know say post is delivered
to my post box, but not what i must do with it.

randy

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Leo Vegoda]

Hi Jordi, all,

On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Hi all,
>
> I'm working in a new version of the proposal 2019-04 (Validation of
> "abuse-mailbox").
>
> In the last discussion phase, the only detailed response to this proposal
> that I got was from Carlos Friacas (which I will respond in detail
> later-on, as this may also help to revive the discussion).
>
> The main question/issue here is still that the actual policy is just a
> "technical validation". It confirms that there is a mailbox but it doesn't
> confirm that:
> 1) Accept emails for abuse reporting
> 2) The mailbox is the right one and not from someone else, not related to
> the abuse processing
> 3) The mailbox is attended and not a black-hole, so nobody pay attention
> to the abuse reports, or even worst, not full
>
> Anything not fulfilling that is useless (as will not fulfil the mission
> for that mailbox), and then we don't need an abuse-c at all.


Can you please clarify what you mean by "fulfil the mission for that
mailbox" and the "intended purpose" you mention in section 3.1 of the new
text? The reason I ask is that the purpose does not seem to be defined in
an earlier section. My reading of what you have written is that this became
policy it would require that reports can be made and that these reports
must be acknowledged. But it seems that there would be no obligation for
reports to be investigated or acted upon.

Have I misunderstood what is intended?

Thanks,

Leo Vegoda