Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Suresh Ramasubramanian]

The number of outright fake networks with shell company contacts might have 
something to do with that eastern european number :)

Or there's one or two outfits that can't make up their mind whether they are in 
the Netherlands, Dubai or Belize.

--srs


From: anti-abuse-wg  on behalf of Thomas 
Hungenberg 
Sent: Tuesday, February 19, 2019 6:37 PM
To: Carlos Friaças
Cc: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02

On 19.02.19 13:23, Carlos Friaças wrote:
> Regarding the non-"DE" the figures are worse, right?

The statistics are based on our automated reports only.
Our automated system is sending 8,000+ reports per day - but only
addresses abuse contacts for networks registered with country code
"DE" directly. Data for networks registered with other country codes
is sent with aggregated reports to the respective national CSIRTs.

I don't have any statistics on bounces for reports manually sent
to abuse contacts for networks in other countries directly.

But yes, it looks like the number of invalid contacts for networks
in other countries is (much) higher, in particular for Eastern Europe.


- Thomas

CERT-Bund Incident Response & Malware Analysis Team

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Thomas Hungenberg]

On 19.02.19 13:23, Carlos Friaças wrote:
> Regarding the non-"DE" the figures are worse, right?

The statistics are based on our automated reports only.
Our automated system is sending 8,000+ reports per day - but only
addresses abuse contacts for networks registered with country code
"DE" directly. Data for networks registered with other country codes
is sent with aggregated reports to the respective national CSIRTs.

I don't have any statistics on bounces for reports manually sent
to abuse contacts for networks in other countries directly.

But yes, it looks like the number of invalid contacts for networks
in other countries is (much) higher, in particular for Eastern Europe.


 - Thomas

CERT-Bund Incident Response & Malware Analysis Team

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Carlos Friaças via anti-abuse-wg]

Sorry, my eyes were wrong. I did read 2019-02 :-)

Carlos

On Tue, 19 Feb 2019, Carlos Friaças via anti-abuse-wg wrote:




I guess the subject is wrong :-)

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Thomas Hungenberg]

FYI: Some longer-term statistics on this:

Since January 2018, we have identified 157 invalid abuse contacts
(our abuse reports bounced) for network objects registered with
country code "DE" which we reported to RIPE NCC.
RIPE NCC reached out to their members responsible for the
respective objects.

150 cases have been solved by updating the abuse contact or correcting
the mail server configuration - usually within only a few days.

There are only 2 cases older than four weeks still unresolved.

Thanks again to RIPE NCC for their great assistance!


 - Thomas

CERT-Bund Incident Response & Malware Analysis Team

On 23.03.18 10:39, Thomas Hungenberg wrote:
> We had to deal with 40+ invalid abuse contacts only for resources
> registered to German holders in the past three months.
> Most messages bounced with "user unknown".
> 
> We tried to reach out to the resource holders to get the invalid
> abuse contacts fixed. If that failed, we reported the case to
> RIPE NCC. With their assistance, a lot of additional cases could
> be solved (thanks!).
> 
> It turned out that most of the contacts were not invalid because
> the resource holders wanted to ignore reporting of abuse but due to
> technical problems or the contact set to a personal mailbox of
> someone who had left the organization. Many resource holders were
> glad to be notified of the problem.
> 
> So while I'd still prefer a validation process that requires
> human interaction to make sure messages sent to the abuse contacts
> are actually read and processed, an automated check if the mailbox
> exists at all would already help a lot.
> I'd be glad if this automated check just for the existence of the
> abuse mailbox could be done not only annually but probably even
> twice or four times a year.
> 
> 
>  - Thomas
> 
> CERT-Bund Incident Response & Malware Analysis Team
> 
> 
> On 20.03.2018 13:54, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote:
>>> At the same time, I do see some benefit in checking regularly the provided
>>> e-mail address, because I am convinced that there will always be cases where
>>> people simply forget to update the database. If they are reminded, they will
>>> be happy to correct it.
>>
>> This is actually some benefit I see here - the NCC already does the
>> ARC in regular intervals, so including abuse-c: in "please check that
>> these are still correct" would be useful to help "those that do care but
>> overlooked a necessary update".
>>
>> (Right now, the NCC will already ensure that contacts are correct if they 
>> receive a complaint from someone that contact data is wrong)
>>
>> So, still not really able to make up my mind whether I support or oppose
>> this - staying neutral.
>>
>> Gert Doering
>> -- NetMaster
>>
> 

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Brian Nisbet]

Ok, thank you Alexander, I now feel I better understand your objection.

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet 
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270


> -Original Message-
> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of
> Alexander Isavnin
> Sent: Tuesday 27 March 2018 14:39
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
> 
> Thanks for question, i really forgot to add important clarification paragraph
> for objection.
> 
> On 2018-03-27 14:50:13 CET, Brian Nisbet wrote:
> > Alexander,
> >
> > Thanks for this.
> >
> > I'd just like to clarify something, are you objecting wholly to this 
> > proposal
> because you would prefer stronger/more complex checks? In that you feel it
> doesn't go far enough?
> I'm objecting wholly to this proposal, because i doesnt' significantly improve
> data quality of the whole registry and doesn't help to prevent serious abuse.
> And being IT guy (and sometimes executive) i do not like implementing
> something, "just because we can".
> (and i had arguments, that valid abuse-c won't help against really malicious
> abuse)
> 
> If we need such kind of policy, than it should be full scale Automated 
> Registry
> Checks (probably with all contacts, validity of routing, validity of resource
> assigments, responsiveness of contacts, etc..) - in a way, which will
> guarantee some measurable level on quality. (NCC Database SLA)
> 
> But now, i prefer current situation, with trust to LIRs and light assisted
> checks.
> 
> Years ago, talking first time to Rob Blokzijl i'v asked him: "Why information 
> in
> database is not being checked fully, with all phone numbers/emails checks,
> submitting confirming papers for each assignment etc, like any activities done
> in Russia?". He responded something like "It's not in tradition". And i value
> such traditions.
> I would like for us to stay in Western European tradition, rather than moving
> to Police State tradition.
> But if community decides to move - the move should be done with good and
> complete approach.
> 
> Hope you'll get me right.
> 
> Kind regards,
> Alexander Isavnin
> 
> 
> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Alexander Isavnin]

Thanks for question, i really forgot to add important clarification paragraph 
for objection.

On 2018-03-27 14:50:13 CET, Brian Nisbet wrote:
> Alexander,
> 
> Thanks for this. 
> 
> I'd just like to clarify something, are you objecting wholly to this proposal 
> because you would prefer stronger/more complex checks? In that you feel it 
> doesn't go far enough?
I'm objecting wholly to this proposal, because i doesnt' significantly improve 
data quality of the whole registry and doesn't help to prevent serious abuse.
And being IT guy (and sometimes executive) i do not like implementing 
something, "just because we can".
(and i had arguments, that valid abuse-c won't help against really malicious 
abuse)

If we need such kind of policy, than it should be full scale Automated Registry 
Checks (probably with all contacts, validity of routing, validity of resource 
assigments, responsiveness of contacts, etc..) - in a way, which will guarantee 
some measurable level on quality. (NCC Database SLA)

But now, i prefer current situation, with trust to LIRs and light assisted 
checks.

Years ago, talking first time to Rob Blokzijl i'v asked him: "Why information 
in database is not being checked fully, with all phone numbers/emails checks, 
submitting confirming papers for each assignment etc, like any activities done 
in Russia?". He responded something like "It's not in tradition". And i value 
such traditions.
I would like for us to stay in Western European tradition, rather than moving 
to Police State tradition.
But if community decides to move - the move should be done with good and 
complete approach.

Hope you'll get me right.

Kind regards,
Alexander Isavnin


Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Brian Nisbet]

Alexander,

Thanks for this. 

I'd just like to clarify something, are you objecting wholly to this proposal 
because you would prefer stronger/more complex checks? In that you feel it 
doesn't go far enough?

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet 
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -Original Message-
> From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
> Alexander Isavnin
> Sent: 27 March 2018 13:46
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
> 
> Dear Brian, colleagues!
> 
> I would like to remind about one of my objections:
> This policy will not seriously improve data quality, because it allows to 
> check
> only one field in database.
> If one wants really to improve data quality by automated checks, more
> complicated policy should be developed.
> 
> Also, may i suggest to run "the method by which they(NCC) would plan to
> implement this proposal" once, to display current situation with abuse-c in
> database?
> 
> Kind regards,
> Alexander Isavnin
> 
> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Alexander Isavnin]

Dear Brian, colleagues!

I would like to remind about one of my objections:
This policy will not seriously improve data quality, because it allows to check 
only one field in database. 
If one wants really to improve data quality by automated checks, more 
complicated policy should be developed.

Also, may i suggest to run "the method by which they(NCC) would plan to 
implement this proposal" once, to display current situation with abuse-c in 
database?

Kind regards,
Alexander Isavnin

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Sebastian Benoit]

Thomas Hungenberg(t...@cert-bund.de) on 2018.03.23 10:39:53 +0100:
> 
> We had to deal with 40+ invalid abuse contacts only for resources
> registered to German holders in the past three months.
> Most messages bounced with "user unknown".
> 
> We tried to reach out to the resource holders to get the invalid
> abuse contacts fixed. If that failed, we reported the case to
> RIPE NCC. With their assistance, a lot of additional cases could
> be solved (thanks!).
> 
> It turned out that most of the contacts were not invalid because
> the resource holders wanted to ignore reporting of abuse but due to
> technical problems or the contact set to a personal mailbox of
> someone who had left the organization. Many resource holders were
> glad to be notified of the problem.
> 
> So while I'd still prefer a validation process that requires
> human interaction to make sure messages sent to the abuse contacts
> are actually read and processed, an automated check if the mailbox
> exists at all would already help a lot.
> I'd be glad if this automated check just for the existence of the
> abuse mailbox could be done not only annually but probably even
> twice or four times a year.

I support the proposal. Thomas example shows that this check fixes a real
problem, and that the number of non-working abuse contacts can easily be
reduced.

I fixed an abuse contact myself last week - one that i believe was
automatically generated by the NCC when the contacts were introduced. A lot
non-working contacts probably result from that alone.

If a simple check like the one proposed by the NCC had been part of the
original abuse contact implementation, i believe there would have been few
complaints about it.

/Benno


>  - Thomas
> 
> CERT-Bund Incident Response & Malware Analysis Team
> 
> 
> On 20.03.2018 13:54, Gert Doering wrote:
> > Hi,
> > 
> > On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote:
> >> At the same time, I do see some benefit in checking regularly the provided
> >> e-mail address, because I am convinced that there will always be cases 
> >> where
> >> people simply forget to update the database. If they are reminded, they 
> >> will
> >> be happy to correct it.
> > 
> > This is actually some benefit I see here - the NCC already does the
> > ARC in regular intervals, so including abuse-c: in "please check that
> > these are still correct" would be useful to help "those that do care but
> > overlooked a necessary update".
> > 
> > (Right now, the NCC will already ensure that contacts are correct if they 
> > receive a complaint from someone that contact data is wrong)
> > 
> > So, still not really able to make up my mind whether I support or oppose
> > this - staying neutral.
> > 
> > Gert Doering
> > -- NetMaster
> > 
> 

-- 

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Gert Doering]

Hi,

On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote:
> At the same time, I do see some benefit in checking regularly the provided
> e-mail address, because I am convinced that there will always be cases where
> people simply forget to update the database. If they are reminded, they will
> be happy to correct it.

This is actually some benefit I see here - the NCC already does the
ARC in regular intervals, so including abuse-c: in "please check that
these are still correct" would be useful to help "those that do care but
overlooked a necessary update".

(Right now, the NCC will already ensure that contacts are correct if they 
receive a complaint from someone that contact data is wrong)

So, still not really able to make up my mind whether I support or oppose
this - staying neutral.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Name]

" it does not prove at all that abuse reported to this address will be handled or acted upon in any way."We aren't here to enforce appropriate abuse handling (unfortunately),we are discussing how to make sure an abuse mailbox is valid. The only way to do that is to send a link to the abuse mailbox, requiring the person to access their RIPE account and to enter a CAPTCHA.Proving that an email account exists as somehow being relevant is wrong, because if i own a RIPE resource and I set my abuse mailbox to zsako AT iszt.hu, under the current proposal it will be validated as "true." There is no opportunity for you to even say "no, that's not the abuse mailbox, it's mine" because RIPE only accept bounce emails to their complaints form.More importantly, there is nothing about the current proposal that even requires a policy. RIPE could set up today this mail server check today with out the consensus of RIPE. "On the other hand, most probably there will also be people who - for some reason -will not want to handle abuse e-mails."That is a separate discussion to this one. Not wanting to handle abuse emails is different to not even having to receive them.


---- Original Message ----
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: Janos Zsako <zs...@iszt.hu>
Date: Tue, March 20, 2018 11:23 pm
To: Name <phish...@storey.xxx>, anti-abuse-wg@ripe.net

Dear Anonymous Name,

> /"And an annual checking would ensure that the contacts remain more up-to-date."/
> 
> Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.

I am afraid I was not clear last time. I wrote:
"One can determine with a high degree of confidence whether mail sent to a
given address is accepted for delivery by the mail server specified as MX
in the DNS for the given e-mail address. To me it is a good start and
much more than not checking anything."

The acceptance of the mail is slightly more than the existence of the
mail server. In particular, in one of your previous e-mails you state:
'If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com",
  they will be deemed to have a valid abuse contact, because hotmail.com has a
  valid email server associated.'
In the light of my clarification above, this is not the case, as the mail
server (which by the way does exist), does not accept mail for this recipient:
5.5.0 Requested action not taken: mailbox unavailable. [BL2NAM02FT023.eop-nam02.prod.protection.outlook.com]
ronald.mcdon...@hotmail.com ... User unknown

> Mail server exists ≠ update-to-date contact
> Mail server exists ≠ valid abuse mailbox

At the same time, I agree that the above holds even if you replace
"Mail server exists" with "Mail server accepts mail for given recipient".

Unfortunately, as it has already been pointed out, the fact that a human does
reply to a mail sent by the NCC during the annual check (assuming for a moment
they do send such mail), it does not prove at all that abuse reported to
this address will be handled or acted upon in any way.

Unfortunately I agree with Gert Doering who said:
"I maintain the position that those that do care can be reached today, and
those that do not care will find ways to fulfill the letter of the policy,
and not change their ways."

At the same time, I do see some benefit in checking regularly the provided
e-mail address, because I am convinced that there will always be cases where
people simply forget to update the database. If they are reminded, they will
be happy to correct it.

On the other hand, most probably there will also be people who - for some reason -
will not want to handle abuse e-mails. They will certainly find a way to ignore
such mail whatever policies we put in place.

Best regards,
Janos

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Janos Zsako]

Dear Anonymous Name,


/"And an annual checking would ensure that the contacts remain more 
up-to-date."/

Yes, an annual checking would do that. This isn't an annual checking. It 
involves checking if a mail server exists.


I am afraid I was not clear last time. I wrote:
"One can determine with a high degree of confidence whether mail sent to a
given address is accepted for delivery by the mail server specified as MX
in the DNS for the given e-mail address. To me it is a good start and
much more than not checking anything."

The acceptance of the mail is slightly more than the existence of the
mail server. In particular, in one of your previous e-mails you state:
'If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com",
 they will be deemed to have a valid abuse contact, because hotmail.com has a
 valid email server associated.'
In the light of my clarification above, this is not the case, as the mail
server (which by the way does exist), does not accept mail for this recipient:
5.5.0 Requested action not taken: mailbox unavailable. 
[BL2NAM02FT023.eop-nam02.prod.protection.outlook.com]
ronald.mcdon...@hotmail.com ... User unknown


Mail server exists ≠ update-to-date contact
Mail server exists ≠ valid abuse mailbox


At the same time, I agree that the above holds even if you replace
"Mail server exists" with "Mail server accepts mail for given recipient".

Unfortunately, as it has already been pointed out, the fact that a human does
reply to a mail sent by the NCC during the annual check (assuming for a moment
they do send such mail), it does not prove at all that abuse reported to
this address will be handled or acted upon in any way.

Unfortunately I agree with Gert Doering who said:
"I maintain the position that those that do care can be reached today, and
those that do not care will find ways to fulfill the letter of the policy,
and not change their ways."

At the same time, I do see some benefit in checking regularly the provided
e-mail address, because I am convinced that there will always be cases where
people simply forget to update the database. If they are reminded, they will
be happy to correct it.

On the other hand, most probably there will also be people who - for some 
reason -
will not want to handle abuse e-mails. They will certainly find a way to ignore
such mail whatever policies we put in place.

Best regards,
Janos

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[herve.clement]

Name,

Why are you remaining anonymous ?

Hervé

De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de Name
Envoyé : mardi 20 mars 2018 07:56
À : anti-abuse-wg@ripe.net
Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02

"And an annual checking would ensure that the contacts remain more up-to-date."


Yes, an annual checking would do that. This isn't an annual checking. It 
involves checking if a mail server exists.


Mail server exists ≠ update-to-date contact
Mail server exists ≠ valid abuse mailbox











 Original Message 
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: <herve.clem...@orange.com<mailto:herve.clem...@orange.com>>
Date: Tue, March 20, 2018 3:52 am
To: "anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>" 
<anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>>
As co-authors, if we propose this policy, that's because we believe that 
improving the Whois reliability is good for the Internet.
With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of 
the current 70,000 distinct abuse contact emails seem technically incorrect, 
this implies that between 7,000 and 17,500 email addresses are not working ones.
If contacted by the RIPE NCC, resource holders will be requested to fix this 
information and will be able to receive abuse notifications. So there will be a 
significant difference between receiving something vs receiving anything.
Perhaps a part of these holders don't care but they will be contactable. The 
other part will be educated about this abuse-c field during the process.
And an annual checking would ensure that the contacts remain more up-to-date.

Regards

Hervé

-Message d'origine-
De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox
Envoyé : lundi 19 mars 2018 03:23
À : JORDI PALET MARTINEZ via anti-abuse-wg
Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02

On Sun, 18 Mar 2018 13:43:54 +
JORDI PALET MARTINEZ via anti-abuse-wg 
<anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> wrote:

> I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there
> are more informed voices even from the NCC that can confirm, and
> actually it will be interesting to confirm.
>
+1

I would like to also present the other side of the same argument:

If the NCC provides a platform that supplies fake/false/wrong information it 
could also attract arguments of legal liability...

Similarly, if the NCC does not provide abuse contact information there could 
also be legal arguments that this is a dereliction of trust with regards public 
resource management and that also opens up arguments of liability...

So, this would be most interesting to confirm.

Regards

Andre


_



Ce message et ses pieces jointes peuvent contenir des informations 
confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce 
message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou 
falsifie. Merci.



This message and its attachments may contain confidential or privileged 
information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete 
this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.

Thank you.

_

Ce message et ses pieces jointes peuvent contenir des informations 
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce 
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou 
falsifie. Merci.

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Name]

"And an annual checking would ensure that the contacts remain more up-to-date."Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.Mail server exists ≠ update-to-date contactMail server exists ≠ valid abuse mailbox


 Original Message 
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: <herve.clem...@orange.com>
Date: Tue, March 20, 2018 3:52 am
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

As co-authors, if we propose this policy, that's because we believe that improving the Whois reliability is good for the Internet. With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of the current 70,000 distinct abuse contact emails seem technically incorrect, this implies that between 7,000 and 17,500 email addresses are not working ones. If contacted by the RIPE NCC, resource holders will be requested to fix this information and will be able to receive abuse notifications. So there will be a significant difference between receiving something vs receiving anything.  Perhaps a part of these holders don't care but they will be contactable. The other part will be educated about this abuse-c field during the process.  And an annual checking would ensure that the contacts remain more up-to-date.   Regards   Hervé   -Message d'origine- De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox Envoyé : lundi 19 mars 2018 03:23 À : JORDI PALET MARTINEZ via anti-abuse-wg Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02   On Sun, 18 Mar 2018 13:43:54 + JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:   > I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there  > are more informed voices even from the NCC that can confirm, and  > actually it will be interesting to confirm. >  +1   I would like to also present the other side of the same argument:   If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability...   Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability...   So, this would be most interesting to confirm.   Regards   Andre    _

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
  

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[herve.clement]

As co-authors, if we propose this policy, that's because we believe that 
improving the Whois reliability is good for the Internet.

With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of 
the current 70,000 distinct abuse contact emails seem technically incorrect, 
this implies that between 7,000 and 17,500 email addresses are not working ones.

If contacted by the RIPE NCC, resource holders will be requested to fix this 
information and will be able to receive abuse notifications. So there will be a 
significant difference between receiving something vs receiving anything.

Perhaps a part of these holders don't care but they will be contactable. The 
other part will be educated about this abuse-c field during the process.

And an annual checking would ensure that the contacts remain more up-to-date.



Regards



Hervé



-Message d'origine-
De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox
Envoyé : lundi 19 mars 2018 03:23
À : JORDI PALET MARTINEZ via anti-abuse-wg
Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02



On Sun, 18 Mar 2018 13:43:54 +

JORDI PALET MARTINEZ via anti-abuse-wg 
<anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> wrote:



> I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there

> are more informed voices even from the NCC that can confirm, and

> actually it will be interesting to confirm.

>

+1



I would like to also present the other side of the same argument:



If the NCC provides a platform that supplies fake/false/wrong information it 
could also attract arguments of legal liability...



Similarly, if the NCC does not provide abuse contact information there could 
also be legal arguments that this is a dereliction of trust with regards public 
resource management and that also opens up arguments of liability...



So, this would be most interesting to confirm.



Regards



Andre



_

Ce message et ses pieces jointes peuvent contenir des informations 
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce 
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages 
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou 
falsifie. Merci.

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[ox]

On Sun, 18 Mar 2018 13:43:54 +
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:
 
> I'm not a lawyer, but deal a lot with them, and I'm sure anyway,
> there are more informed voices even from the NCC that can confirm,
> and actually it will be interesting to confirm.
> 
+1

I would like to also present the other side of the same argument:

If the NCC provides a platform that supplies fake/false/wrong
information it could also attract arguments of legal liability...

Similarly, if the NCC does not provide abuse contact information there
could also be legal arguments that this is a dereliction of trust with
regards public resource management and that also opens up arguments 
of liability...

So, this would be most interesting to confirm.

Regards

Andre

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Gert Doering]

Hi,

On Sun, Mar 18, 2018 at 01:29:14PM +0100, Karl-Josef Ziegler wrote:
> Andre Ox wrote:
> 
> > But having some sort of policy is a start, even though
> > what we are actually ending up with is not much at all and even then
> > there are those that think even having a watery (watered down,
> > toothless, etc) policy is a future threat.
> 
> Yes, I agree. Making only a small step - even if it may be only symbolic - 
> is still better than making no steps at all.

I disagree with this view.  Politics should not be doing "something, just
to be seen doing something!" - that way lies nothing useful.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Erik,

I think any policy or membership agreements will not affect the liability of 
the NCC in front of third parties because operational misconducts of any 
provider.

Is the same way as if we believe that we can be blamed for fake info at the 
whois, spam, criminal cases, or whatever, unless of course, we setup an 
explicit rule to go against the law (like "you're free to use the resources for 
criminal activities").

So, I will say more on the other way around: as many policies/tools we have to 
verify the authenticity of data and compliance of policies, as less responsible 
we can be of any liabilities in front of third parties.

However, as a community we are *internally* responsible to setup the rules 
(policies and membership agreement) that we want to be respected, and the way 
we want to act *internally* if those rules are not respected (never mind if is 
breaking a policy or not paying the invoices or whatever).

I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there are more 
informed voices even from the NCC that can confirm, and actually it will be 
interesting to confirm.

Regards,
Jordi
 

-Mensaje original-
De: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> en nombre de Erik Bais 
<eb...@a2b-internet.com>
Fecha: domingo, 18 de marzo de 2018, 13:22
Para: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>
Asunto: Re: [anti-abuse-wg] Decision on Proposal 2017-02

I still have some serious concerns about this proposal.  

I wonder how this might have an effect on the conduit role of 
(transit)-networks.  
And if the RIPE NCC will be requested to report (by the community or by 
legal court actions) or will be held liable in some way shape or form for the 
accurate information in case a resource holder will end up in a court case 
because they are not responsive on abuse complains. 

As a community we should tread carefully if we want to push the RIPE NCC in 
the middle of those kind of legal cases or want it to be held accountable on 
that. 
Especially in case of Copyright complaints for instance.   

The RIPE NCC is having agreements / contracts with all resource holders for 
ownership via End-User Agreements or LIR agreements, however in case of acting 
on operational topics like abuse handling, that SHOULD NOT be a part of it.  

Having a working method of abuse handling is a task of the resource holder 
themselves. If they decide to not act on or not have a valid abuse contact, it 
is their own responsibility. With all subsequent consequences. 
The RIPE NCC provides a datamodel in the RIPE DB to populate the field, but 
it should not get involved in validation of the information.  

The amount of work involved in validating just that specific field with no 
guarantee on or added value on actual responsiveness after it is validated, is 
a waste of community funds. 
Because those who want to respond on abuse complaints are already having 
working abuse contacts and those who don't, still won't.  
I fear that this task will be more or similar resource consuming than 
implementing 2007-01 .. ( Direct Internet Resource Assignments to End Users 
from the RIPE NCC ) 
Especially since it is stated that this should be done on a yearly basis. 

So in the end, it looks like expensive window dressing which might open up 
the RIPE NCC with a legal liability.  However novel the intent is of authors. 

I would strongly advice against this.  

Regards,
Erik Bais 





**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Erik Bais]

I still have some serious concerns about this proposal.  

I wonder how this might have an effect on the conduit role of 
(transit)-networks.  
And if the RIPE NCC will be requested to report (by the community or by legal 
court actions) or will be held liable in some way shape or form for the 
accurate information in case a resource holder will end up in a court case 
because they are not responsive on abuse complains. 

As a community we should tread carefully if we want to push the RIPE NCC in the 
middle of those kind of legal cases or want it to be held accountable on that. 
Especially in case of Copyright complaints for instance.   

The RIPE NCC is having agreements / contracts with all resource holders for 
ownership via End-User Agreements or LIR agreements, however in case of acting 
on operational topics like abuse handling, that SHOULD NOT be a part of it.  

Having a working method of abuse handling is a task of the resource holder 
themselves. If they decide to not act on or not have a valid abuse contact, it 
is their own responsibility. With all subsequent consequences. 
The RIPE NCC provides a datamodel in the RIPE DB to populate the field, but it 
should not get involved in validation of the information.  

The amount of work involved in validating just that specific field with no 
guarantee on or added value on actual responsiveness after it is validated, is 
a waste of community funds. 
Because those who want to respond on abuse complaints are already having 
working abuse contacts and those who don't, still won't.  
I fear that this task will be more or similar resource consuming than 
implementing 2007-01 .. ( Direct Internet Resource Assignments to End Users 
from the RIPE NCC ) 
Especially since it is stated that this should be done on a yearly basis. 

So in the end, it looks like expensive window dressing which might open up the 
RIPE NCC with a legal liability.  However novel the intent is of authors. 

I would strongly advice against this.  

Regards,
Erik Bais 

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[ox]

On Sat, 17 Mar 2018 11:52:06 +0100
Gert Doering  wrote:
> Hi,
> On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote:
> > To answer the question though: This proposal does make the world a
> > better place.
> > If a resource holder wishes to be allocated scarce public resources
> > such a resource holder should also be responsible about the
> > operations of such scarce public resources.  
> In which way, exactly, would this proposal have an effect to achieve 
> this goal (a goal that I share, to state it explicitly)?
> I maintain the position that those that do care can be reached today,
> and those that do not care will find ways to fulfill the letter of
> the policy, and not change their ways.
> So, to repeat Malcolm's position: if we introduce new work for the
> NCC and the LIRs, does it improve things enough to be the right thing
> to do?
> (As a side note, we recently were contacted by the NCC because one of
> our 'sponsoring LIR' customers had changed their primary domain and 
> forgot to update their contact details in the RIPE DB, thus, making
> them unreachable.  Someone noticed, complained to the NCC, the NCC
> contacted the sponsoring LIR, and contact details were corrected.
> Things seem to work today where people care...)
> 
simply because it does not really stop a determined thief from
stealing your car, should we stop installing locks on car doors?

the "new work" that you are talking about is establishing that
submitted data is accurate. in the RIR case, this is paramount anyway
and for LIR, submit real and updated data oh, and do not use:
mickeymo...@example.com - if you want public resources, is not
unreasonable at all.

Yes, you are quite correct. (I agree completely) you have those who
care and those who do not.  And yes, those that do not care will find
ways around it. But having some sort of policy is a start, even though
what we are actually ending up with is not much at all and even then
there are those that think even having a watery (watered down,
toothless, etc) policy is a future threat.

in practice there exists a problem and it is a real problem, so my
view is simply 'baby steps' - so, of course this means that Sascha is
also correct as there are people (like me) who will in the future argue
for even more... - but to now use this compromise of those that want
more with those that want nothing - as an actual reason to object, is
ludicrous and frankly objectionable in itself. (and should not be taken
into consideration as any real objection anyway)

Regards

Andre

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Name]

"I maintain the position that those that do care can be reached today, andthose that do not care will find ways to fulfill the letter of the policy,and not change their ways."There has already been discussion about cancelling resources of people who don't comply. Firstly, there is nothing in this policy to comply with. It consists of RIPE checking if a mail server exists. If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com", they will be deemed to have a valid abuse contact, because hotmail.com has a valid email server associated.The original intention was for resource owners to have to click a link in an email to prove the email address exists & that there's someone monitoring it. But that was so utterly difficult it looks to have been abandoned.Secondly, they have tried to say that talking about consequences is a conversation "for another day." (ie: never).So, if you are against this policy, you should be happy because it's garbage anyway.The original reason for the discussion was that RIPE were having to contact resource owners when the abuse email address didn't work. This outcome doesn't even do that. They will still be contacting as many people as they were before this policy (which doesn't even need to be a policy) will be introduced.


 Original Message ----
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: Gert Doering <g...@space.net>
Date: Sat, March 17, 2018 9:52 pm
To: ox <an...@ox.co.za>
Cc: anti-abuse-wg@ripe.net

Hi,

On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote:
> To answer the question though: This proposal does make the world a
> better place.
> 
> If a resource holder wishes to be allocated scarce public resources
> such a resource holder should also be responsible about the operations
> of such scarce public resources.

In which way, exactly, would this proposal have an effect to achieve 
this goal (a goal that I share, to state it explicitly)?

I maintain the position that those that do care can be reached today, and
those that do not care will find ways to fulfill the letter of the policy,
and not change their ways.

So, to repeat Malcolm's position: if we introduce new work for the NCC 
and the LIRs, does it improve things enough to be the right thing to do?


(As a side note, we recently were contacted by the NCC because one of
our 'sponsoring LIR' customers had changed their primary domain and 
forgot to update their contact details in the RIPE DB, thus, making them
unreachable.  Someone noticed, complained to the NCC, the NCC contacted 
the sponsoring LIR, and contact details were corrected.  Things seem to
work today where people care...)

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Gert Doering]

Hi,

On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote:
> To answer the question though: This proposal does make the world a
> better place.
> 
> If a resource holder wishes to be allocated scarce public resources
> such a resource holder should also be responsible about the operations
> of such scarce public resources.

In which way, exactly, would this proposal have an effect to achieve 
this goal (a goal that I share, to state it explicitly)?

I maintain the position that those that do care can be reached today, and
those that do not care will find ways to fulfill the letter of the policy,
and not change their ways.

So, to repeat Malcolm's position: if we introduce new work for the NCC 
and the LIRs, does it improve things enough to be the right thing to do?


(As a side note, we recently were contacted by the NCC because one of
our 'sponsoring LIR' customers had changed their primary domain and 
forgot to update their contact details in the RIPE DB, thus, making them
unreachable.  Someone noticed, complained to the NCC, the NCC contacted 
the sponsoring LIR, and contact details were corrected.  Things seem to
work today where people care...)

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[ox]

On Sat, 17 Mar 2018 08:43:45 +0100
Gert Doering  wrote:
> Reading comments like *this* as an argument *for* the proposal makes
> me wonder if I should reconsider being neutral about it.
> What Malcolm said is something that carefully needs to be considered:
> what is the real goal to be achieved, and does this proposal help in
> any way to get there?  If *not*, extra measures that use up resources
> and could have unforeseen consequences, should not be implemented.
> What Sasha said is also something that carefully needs to be
> considered, and not just waved away as "he's just being
> irresponsible".
> To ask you: in which ways will this proposal help the internet make
> less of a "shit hole"?  Those that care already have working abuse 
> contacts, those that care not will find ways to fulfill the letter of
> the policy, and still care not.

I am not the American president and I actually object to the common use
of the words "Shit Hole" as much as I object to women being grabbed by
the pussy by powerful men, I guess.

maybe I am just too conservative, maybe I am an assh*le myself, I do
not know. 

Either way, I do choose to take offense.

To answer the question though: This proposal does make the world a
better place.

If a resource holder wishes to be allocated scarce public resources
such a resource holder should also be responsible about the operations
of such scarce public resources.

Andre

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Gert Doering]

Hi,

On Fri, Mar 16, 2018 at 04:33:47PM -0700, Name wrote:
> So he has no basis of objection, but don't even think 
> of implementing something that might actually go towards helping the internet 
> in the future, because it's a slippery slope and Adolf Hitler 2.0 will reign 
> supreme, even though this proposal (as it turned out) does absolutely nothing 
> to verify abuse mailbox attributes, but the mere fact this has come up as 
> discussion is incredibly dangerous, because it shows there might be someone 
> within any of the LIR who is acknowledging that maybe they are responsible 
> for the internet being a shit hole, and that simply cannot happen, because 
> then resource owners might actually have to do some work. What a horrible 
> thought.

Reading comments like *this* as an argument *for* the proposal makes me
wonder if I should reconsider being neutral about it.

What Malcolm said is something that carefully needs to be considered: what
is the real goal to be achieved, and does this proposal help in any way
to get there?  If *not*, extra measures that use up resources and could 
have unforeseen consequences, should not be implemented.

What Sasha said is also something that carefully needs to be considered, 
and not just waved away as "he's just being irresponsible".


To ask you: in which ways will this proposal help the internet make
less of a "shit hole"?  Those that care already have working abuse 
contacts, those that care not will find ways to fulfill the letter of
the policy, and still care not.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Name]

So he has no basis of objection, but don't even think of implementing something that might actually go towards helping the internet in the future, because it's a slippery slope and Adolf Hitler 2.0 will reign supreme, even though this proposal (as it turned out) does absolutely nothing to verify abuse mailbox attributes, but the mere fact this has come up as discussion is incredibly dangerous, because it shows there might be someone within any of the LIR who is acknowledging that maybe they are responsible for the internet being a shit hole, and that simply cannot happen, because then resource owners might actually have to do some work. What a horrible thought.


 Original Message 
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: "Sascha Luck [ml]" <a...@c4inet.net>
Date: Sat, March 17, 2018 1:48 am
To: Brian Nisbet <brian.nis...@heanet.ie>
Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

On Fri, Mar 16, 2018 at 08:59:55AM +, Brian Nisbet wrote:
>Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting to this proposal on the basis of something that may or may not happen in the future?

If you want to be uncharitable, yes. However, this is the *last*
point at which it is even *possible* for me to object to what I
see as a dangerous slippy slope. 

>Ok, but do you have any issues with 2017-02 as written, bearing in mind what Marco and myself have already said about the policies around non-adherence to RIPE policies?
>

Yes, it adds another thing to an already long list of things that
can trigger a monopoly provider to deny service to its
(involuntary) customers. 

If you're determined to manufacture consensus by declaring an
entire class of objections, to whit: medium to long term
consequences of such a proposal, out of bounds; there is not much
I can do. The record will show I've made my stand and history
shall judge.

rgds,
Sascha Luck 

>> Also one point I raised remains so far entirely unaddressed - why does a
>> proposal and its implementation plan prescribe the use of email (in 2018!) for
>> contact information?
>
>As always, if you wish to propose something that involves other media, please do. But at present, this is the medium in use.
>
>Thanks,
>
>Brian
>Co-Chair, RIPE AA-WG
>
>> >> -Original Message-
>> >> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of
>> >> Sascha Luck [ml]
>> >> Sent: Thursday 15 March 2018 17:04
>> >> To: anti-abuse-wg@ripe.net
>> >> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
>> >>
>> >> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote:
>> >> >This proposal is a first step to catch low hanging fruit. Yes: there
>> >> >are many things that can (should) be improved, but getting consensus
>> >> >on these controversial topics is difficult. So the proposers are
>> >> >taking it one step at a time. Based on the discussion on this
>> >> >mailing list those steps apparently have to be very small, but at
>> >> >least there is the possibility of movement :)
>> >>
>> >> Correctly and perfectly summarised. A textbook example of early-stage
>> >> frog- boiling.
>> >> https://en.wikipedia.org/wiki/Boiling_frog
>> >>
>> >> The road to oppressive and onerous regulation is taken a small step
>> >> at a time in the 21st century and that's why it is important to
>> >> resist such attempts NOW while it is possible to do so without great
>> personal sacrifice.
>> >>
>> >> For the avoidance of doubt, the above constitutes (continuing)
>> >> opposition to 2017-02.
>> >>
>> >> rgds,
>> >> Sascha Luck
>> >>
>> >

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Sascha Luck [ml]]

On Fri, Mar 16, 2018 at 08:59:55AM +, Brian Nisbet wrote:

Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting 
to this proposal on the basis of something that may or may not happen in the 
future?


If you want to be uncharitable, yes. However, this is the *last*
point at which it is even *possible* for me to object to what I
see as a dangerous slippy slope. 


Ok, but do you have any issues with 2017-02 as written, bearing in mind what 
Marco and myself have already said about the policies around non-adherence to 
RIPE policies?



Yes, it adds another thing to an already long list of things that
can trigger a monopoly provider to deny service to its
(involuntary) customers. 


If you're determined to manufacture consensus by declaring an
entire class of objections, to whit: medium to long term
consequences of such a proposal, out of bounds; there is not much
I can do. The record will show I've made my stand and history
shall judge.

rgds,
Sascha Luck 


Also one point I raised remains so far entirely unaddressed - why does a
proposal and its implementation plan prescribe the use of email (in 2018!) for
contact information?


As always, if you wish to propose something that involves other media, please 
do. But at present, this is the medium in use.

Thanks,

Brian
Co-Chair, RIPE AA-WG


>> -Original Message-
>> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of
>> Sascha Luck [ml]
>> Sent: Thursday 15 March 2018 17:04
>> To: anti-abuse-wg@ripe.net
>> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
>>
>> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote:
>> >This proposal is a first step to catch low hanging fruit. Yes: there
>> >are many things that can (should) be improved, but getting consensus
>> >on these controversial topics is difficult. So the proposers are
>> >taking it one step at a time. Based on the discussion on this
>> >mailing list those steps apparently have to be very small, but at
>> >least there is the possibility of movement :)
>>
>> Correctly and perfectly summarised. A textbook example of early-stage
>> frog- boiling.
>> https://en.wikipedia.org/wiki/Boiling_frog
>>
>> The road to oppressive and onerous regulation is taken a small step
>> at a time in the 21st century and that's why it is important to
>> resist such attempts NOW while it is possible to do so without great
personal sacrifice.
>>
>> For the avoidance of doubt, the above constitutes (continuing)
>> opposition to 2017-02.
>>
>> rgds,
>> Sascha Luck
>>
>

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Brian Nisbet]

Malcolm (and, indeed, Sascha),

I did not intent to be flippant in my answer. I apologise that it came across 
in that way. It was meant as a genuine attempt to gain better understanding of 
the basis for the objection, not an attempt to dismiss or mischaracterise, 
although I can understand that it came across in that way.

I believe the points that Marco and I have made still stand in regards to the 
possible outcome of not adhering to this policy and whether that is a change or 
a valid reason for objection. 

Thank,

Brian
Co-Chair, RIPE AA-WG




Brian Nisbet 
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270


> -Original Message-
> From: Malcolm Hutty <malc...@linx.net>
> Sent: Friday 16 March 2018 09:28
> To: Brian Nisbet <brian.nis...@heanet.ie>; anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
> 
> On 16/03/2018 08:59, Brian Nisbet wrote:
> >> Nothing, and I didn't state that it was. The problem is that, once
> >> accepted, the implementation is out of the hands of this community or
> >> indeed everyone bar the NCC Board. They can make it as onerous and
> >> oppressive as they want.
> > Ah, ok, my apologies. So, because I'd like to be clear here, you are
> objecting to this proposal on the basis of something that may or may not
> happen in the future?
> >
> 
> Brian,
> 
> As a matter of principle I must object to that as a completely unfair
> mischaracterisation of what Sascha just said.
> 
> To object to a proposal "on the basis of something that may or may not
> happen in the future" makes it sound speculative, and thus unreasonable.
> 
> To object to a proposal on the basis that it *authorises* something
> undesirable to happen is perfectly reasonable; such an objection is on the
> basis that the measure before us would transfer the decision as to whether
> that thing should happen from us to (in this case) the NCC.
> That's something that is happening now, not something in the future.
> 
> You may disagree with Sascha as to whether 2017-02 does in fact authorise
> the NCC to do something undesirable, but it's not fair to rule out his 
> concerns
> merely because the supposedly undesirable outcome is only authorised
> rather than required.
> 
> I think it really important that we recognise that when authorising the NCC to
> act, it is a legitimate objection to say that we wouldn't want them to 
> exercise
> that authority in a particular way, and the scope of what is authorised ought
> to be limited in some way. I am far more concerned about that as a principle
> than I am about the outcome for this proposal in particular.
> 
> Kind Regards,
> 
> Malcolm.
> 
> --
> Malcolm Hutty | tel: +44 20 7645 3523
>Head of Public Affairs | Read the LINX Public Affairs blog  London Internet
> Exchange | http://publicaffairs.linx.net/
> 
>  London Internet Exchange Ltd
>Monument Place, 24 Monument Street London EC3R 8AJ
> 
>  Company Registered in England No. 3137929
>Trinity Court, Trinity Street, Peterborough PE1 1DA

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Brian Nisbet]

> -Original Message-
> From: Sascha Luck [ml] <a...@c4inet.net>
> Sent: Thursday 15 March 2018 18:45
> To: Brian Nisbet <brian.nis...@heanet.ie>
> Cc: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
> 
> On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote:
> >For instance, what about the suggested implementation is onerous or
> oppressive?
> 
> Nothing, and I didn't state that it was. The problem is that, once accepted,
> the implementation is out of the hands of this community or indeed
> everyone bar the NCC Board. They can make it as onerous and oppressive as
> they want.

Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting 
to this proposal on the basis of something that may or may not happen in the 
future?

> Furthermore, from the general tenor of this discussion I can't help assuming
> that 2017-02 won't be the end of it and I have to take this into account when
> considering the (de)merits of 2017-02.

Ok, but do you have any issues with 2017-02 as written, bearing in mind what 
Marco and myself have already said about the policies around non-adherence to 
RIPE policies?
 
> Also one point I raised remains so far entirely unaddressed - why does a
> proposal and its implementation plan prescribe the use of email (in 2018!) for
> contact information?

As always, if you wish to propose something that involves other media, please 
do. But at present, this is the medium in use.

Thanks,

Brian
Co-Chair, RIPE AA-WG

> >> -Original Message-
> >> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of
> >> Sascha Luck [ml]
> >> Sent: Thursday 15 March 2018 17:04
> >> To: anti-abuse-wg@ripe.net
> >> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
> >>
> >> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote:
> >> >This proposal is a first step to catch low hanging fruit. Yes: there
> >> >are many things that can (should) be improved, but getting consensus
> >> >on these controversial topics is difficult. So the proposers are
> >> >taking it one step at a time. Based on the discussion on this
> >> >mailing list those steps apparently have to be very small, but at
> >> >least there is the possibility of movement :)
> >>
> >> Correctly and perfectly summarised. A textbook example of early-stage
> >> frog- boiling.
> >> https://en.wikipedia.org/wiki/Boiling_frog
> >>
> >> The road to oppressive and onerous regulation is taken a small step
> >> at a time in the 21st century and that's why it is important to
> >> resist such attempts NOW while it is possible to do so without great
> personal sacrifice.
> >>
> >> For the avoidance of doubt, the above constitutes (continuing)
> >> opposition to 2017-02.
> >>
> >> rgds,
> >> Sascha Luck
> >>
> >

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[ox]

On Thu, 15 Mar 2018 18:44:44 +
"Sascha Luck [ml]"  wrote:
> On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote:
> >For instance, what about the suggested implementation is onerous or
> >oppressive?  
> Nothing, and I didn't state that it was. The problem is that, once
> accepted, the implementation is out of the hands of this
> community or indeed everyone bar the NCC Board. They can make it
> as onerous and oppressive as they want. 
> 
within the implementation. (wherein there is nothing onerous or
oppressive - as all seem to agree...) 

> Furthermore, from the general tenor of this discussion I can't
> help assuming that 2017-02 won't be the end of it and I have to
> take this into account when considering the (de)merits of
> 2017-02.
>
to object because you may object in the future to something
unspecified or unknown is the same as just objecting for the sake of
objecting.
 
> Also one point I raised remains so far entirely unaddressed - why
> does a proposal and its implementation plan prescribe the use of
> email (in 2018!) for contact information?
> 
because everyone has email.

not everyone has telegram, whatsup, insertnameofyourcommshere or simply
'trusts' all java(script)/apps from wherever...

Regards

Andre

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Name]

What is there to oppose about 2017-02?A completely ineffective policy, that doesn't even need to be a policy, that doesn't solve any of the original stated issues, which does nothing to change the system as is, which does NOTHING to verify abuse attributes, and you're bitching about it?You remind me of the national rifle association in the USA. 30 people get killed in a school, and asking for a basic background check for a firearm purchaser is simply too much to ask for.


 Original Message 
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: "Sascha Luck [ml]" <a...@c4inet.net>
Date: Fri, March 16, 2018 4:03 am
To: anti-abuse-wg@ripe.net

On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote:
>This proposal is a first step to catch low hanging fruit. Yes: there are many things that can (should) be improved, but getting consensus on these controversial topics is difficult. So the proposers are taking it one step at a time. Based on the discussion on this mailing list those steps apparently have to be very small, but at least there is the possibility of movement :)

Correctly and perfectly summarised. A textbook example of
early-stage frog-boiling.
https://en.wikipedia.org/wiki/Boiling_frog

The road to oppressive and onerous regulation is taken a small
step at a time in the 21st century and that's why it is important
to resist such attempts NOW while it is possible to do so without
great personal sacrifice. 

For the avoidance of doubt, the above constitutes (continuing)
opposition to 2017-02.

rgds,
Sascha Luck

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Sascha Luck [ml]]

On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote:

For instance, what about the suggested implementation is onerous or oppressive?


Nothing, and I didn't state that it was. The problem is that, once
accepted, the implementation is out of the hands of this
community or indeed everyone bar the NCC Board. They can make it
as onerous and oppressive as they want. 


Furthermore, from the general tenor of this discussion I can't
help assuming that 2017-02 won't be the end of it and I have to
take this into account when considering the (de)merits of
2017-02.

Also one point I raised remains so far entirely unaddressed - why
does a proposal and its implementation plan prescribe the use of
email (in 2018!) for contact information?

rgds,
Sascha Luck



-Original Message-
From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of
Sascha Luck [ml]
Sent: Thursday 15 March 2018 17:04
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02

On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote:
>This proposal is a first step to catch low hanging fruit. Yes: there
>are many things that can (should) be improved, but getting consensus on
>these controversial topics is difficult. So the proposers are taking it
>one step at a time. Based on the discussion on this mailing list those
>steps apparently have to be very small, but at least there is the
>possibility of movement :)

Correctly and perfectly summarised. A textbook example of early-stage frog-
boiling.
https://en.wikipedia.org/wiki/Boiling_frog

The road to oppressive and onerous regulation is taken a small step at a time
in the 21st century and that's why it is important to resist such attempts NOW
while it is possible to do so without great personal sacrifice.

For the avoidance of doubt, the above constitutes (continuing) opposition to
2017-02.

rgds,
Sascha Luck

Re: [anti-abuse-wg] Decision on Proposal 2017-02

[Malcolm Hutty]

On 14/03/2018 13:32, Marco Schmidt wrote:
> Please let me reiterate that the RIPE NCC will not activate the
> closure procedure simply for failure to maintain the "abuse-mailbox:"
> attribute.
> 
> The closure procedure could be activated if the resource holder refuses
> to provide correct abuse contact information or is unresponsive over a
> longer period (during which the RIPE NCC will have made several attemps
> to contact the resource holder via different channels).

Marco,

Thank you for your detailed mail. However I do not understand how the
two sentences quoted above are consistent with each other. Is it that
you won't activate the closure procedure *solely* for failure to
maintain abuse-mailbox, but might activate it if this was compounded
with some other breach?

How would you feel if the policy was amended to say something along the
lines of

"For the pupose of RIPE-676 paragraph 1.6.2.1.1 (Violation of RIPE
Policys and RIPE NCC Procedures), failure to maintain the abuse-mailbox
attribute shall not be deemed sufficient reason to terminate the SSA in
itself, but may be deemed an aggravating factor contributing towards a
decision to terminate the SSA."

Kind Regards,

Malcolm.

-- 
Malcolm Hutty | tel: +44 20 7645 3523
   Head of Public Affairs | Read the LINX Public Affairs blog
 London Internet Exchange | http://publicaffairs.linx.net/

 London Internet Exchange Ltd
   Monument Place, 24 Monument Street London EC3R 8AJ

 Company Registered in England No. 3137929
   Trinity Court, Trinity Street, Peterborough PE1 1DA

Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps

[Name]

So an admin sets their email to "f...@hotmail.com" and it passes, because hotmail has a valid email server and its "syntax" is correct?It can be validated as human by CAPTCHA:https://en.wikipedia.org/wiki/CAPTCHAThe current wording is wasting everyone's time, and seriously, does it need a change in policy if it's implemented as is? How does it change a single thing?


 Original Message ----
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps
From: Janos Zsako <zs...@iszt.hu>
Date: Wed, March 14, 2018 11:29 pm
To: Name <phish...@storey.xxx>, anti-abuse-wg@ripe.net

Dear Anonymous "Name",

> How do you check the email address is valid if you don't email it?
> 
> https://www.ripe.net/participate/policies/proposals/2017-02

I think the NCC will be able to tell more details when the plans are ready.

For now, the relevant part is probably:

> The RIPE NCC will validate the technical parameters of an “abuse-mailbox:” attribute, such as syntax, domain and mail server configuration, to determine if it is correctly configured to receive messages.

One can determine with a high degree of confidence whether mail sent to a
given address is accepted for delivery by the mail server specified as MX
in the DNS for the given e-mail address. To me it is a good start and
much more than not checking anything.

One can probably not test whether the accepted mail is indeed delivered
and even less whether is is eventually read by a human. The latter cannot
be checked even if one does send the e-mail and even get a reply (generally
speaking one cannot be certain the response was sent by a human).

Therefore, I would leave the details to the NCC for now.

Best regards,
Janos

Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps

[Brian Nisbet]

And apologies for the subject change, which I meant to edit. We’ve a new email 
system in work which needs training.

Brian

Brian Nisbet
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

From: Brian Nisbet
Sent: Wednesday 14 March 2018 11:31
To: 'Name' <phish...@storey.xxx>; anti-abuse-wg@ripe.net
Subject: RE: SPAM-heanet-- RE: [anti-abuse-wg] Decision on Proposal 2017-02 & 
Next Steps

Hi,

I haven’t given an exhaustive list of all of the emails sent, but they are all 
in the archive. I believe I have covered some of the main points below. While I 
don’t feel a number of them are valid, as discussed, they were stated as 
initial reasons for objection.

Given my statements below I now wish people to either clarify their reasons for 
objection or say they no longer object or something in between.

We’ll then review this at the end of the current phase.

Thanks,

Brian

Brian Nisbet
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie> 
www.heanet.ie<http://www.heanet.ie>
Registered in Ireland, No. 275301. CRA No. 20036270

From: Name <phish...@storey.xxx<mailto:phish...@storey.xxx>>
Sent: Tuesday 13 March 2018 01:28
To: Brian Nisbet <brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie>>; 
anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>
Subject: SPAM-heanet-- RE: [anti-abuse-wg] Decision on Proposal 2017-02 & Next 
Steps

"we do not believe rough consensus has been reached."


Who spoke out against it, and what did they say? I haven't seen anything that 
says that consensus has not been reached.

What does "consensus" look like?



 Original Message 
Subject: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps
From: Brian Nisbet <brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie>>
Date: Mon, March 12, 2018 11:57 pm
To: "anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>" 
<anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>>

Colleagues,

We've been thinking about this for some time and attempting to find a way 
through the various comments and messages in regards to 2017-02.

We believe the best option at this point is to extend the review phase of this 
proposal for a further 4 weeks as we do not believe rough consensus has been 
reached. However we also do not believe that there has been sufficient clear 
argument to reject the proposal.

We think that during this time it would be useful if those who engaged in the 
discussion but did not express a preference could do so.

It would also be useful if those who commented on the first version of the 
proposal, especially those who objected, still objected after the second 
version was published.

It should also be noted that the NCC have laid out the method by which they 
would plan to implement this proposal, so we do not believe that discussion 
around alternative methods nor additional checks is germane. It is also clear 
that the ARC will be used in conjunction with the automated checks. It is also 
clear that this will not require "make work" from any admins to answer.

Finally we need to address the objections around the possible implications of 
organisations *not* following this policy. It is clear that 2017-02 does not 
attempt to introduce any additional processes nor change how the NCC would act 
in cases where policies are not followed. We believe this has been clarified. 
If members of the community have an issue with these procedures then we think 
that's a separate discussion, rather than a valid reason to object to 2017-02

Other than those listed above, there was a feeling expressed that this will not 
make any meaningful difference. Both the RIPE NCC and the proposers have said 
that this work to improve the quality of data will be greatly appreciated. We 
would also mention that policies can be further amended in the future.

So, if everyone could take a look at the latest version of 2017-02 again that 
would be appreciated.

If you have already stated your support there is no need to do so.

If you are opposed, then please consider the above and the various discussions 
and see if you are still opposed to this version of the proposal. If so, can 
you please state which reasons for opposition have not been clarified nor 
resolved.

Obviously if you haven't stated a preference either way, as I mention above, 
this is your opportunity to do so!

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFS