Re: [anti-abuse-wg] Decision on Proposal 2017-02
The number of outright fake networks with shell company contacts might have something to do with that eastern european number :) Or there's one or two outfits that can't make up their mind whether they are in the Netherlands, Dubai or Belize. --srs From: anti-abuse-wg on behalf of Thomas Hungenberg Sent: Tuesday, February 19, 2019 6:37 PM To: Carlos Friaças Cc: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 On 19.02.19 13:23, Carlos Friaças wrote: > Regarding the non-"DE" the figures are worse, right? The statistics are based on our automated reports only. Our automated system is sending 8,000+ reports per day - but only addresses abuse contacts for networks registered with country code "DE" directly. Data for networks registered with other country codes is sent with aggregated reports to the respective national CSIRTs. I don't have any statistics on bounces for reports manually sent to abuse contacts for networks in other countries directly. But yes, it looks like the number of invalid contacts for networks in other countries is (much) higher, in particular for Eastern Europe. - Thomas CERT-Bund Incident Response & Malware Analysis Team
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On 19.02.19 13:23, Carlos Friaças wrote: > Regarding the non-"DE" the figures are worse, right? The statistics are based on our automated reports only. Our automated system is sending 8,000+ reports per day - but only addresses abuse contacts for networks registered with country code "DE" directly. Data for networks registered with other country codes is sent with aggregated reports to the respective national CSIRTs. I don't have any statistics on bounces for reports manually sent to abuse contacts for networks in other countries directly. But yes, it looks like the number of invalid contacts for networks in other countries is (much) higher, in particular for Eastern Europe. - Thomas CERT-Bund Incident Response & Malware Analysis Team
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Sorry, my eyes were wrong. I did read 2019-02 :-) Carlos On Tue, 19 Feb 2019, Carlos Friaças via anti-abuse-wg wrote: I guess the subject is wrong :-)
Re: [anti-abuse-wg] Decision on Proposal 2017-02
FYI: Some longer-term statistics on this: Since January 2018, we have identified 157 invalid abuse contacts (our abuse reports bounced) for network objects registered with country code "DE" which we reported to RIPE NCC. RIPE NCC reached out to their members responsible for the respective objects. 150 cases have been solved by updating the abuse contact or correcting the mail server configuration - usually within only a few days. There are only 2 cases older than four weeks still unresolved. Thanks again to RIPE NCC for their great assistance! - Thomas CERT-Bund Incident Response & Malware Analysis Team On 23.03.18 10:39, Thomas Hungenberg wrote: > We had to deal with 40+ invalid abuse contacts only for resources > registered to German holders in the past three months. > Most messages bounced with "user unknown". > > We tried to reach out to the resource holders to get the invalid > abuse contacts fixed. If that failed, we reported the case to > RIPE NCC. With their assistance, a lot of additional cases could > be solved (thanks!). > > It turned out that most of the contacts were not invalid because > the resource holders wanted to ignore reporting of abuse but due to > technical problems or the contact set to a personal mailbox of > someone who had left the organization. Many resource holders were > glad to be notified of the problem. > > So while I'd still prefer a validation process that requires > human interaction to make sure messages sent to the abuse contacts > are actually read and processed, an automated check if the mailbox > exists at all would already help a lot. > I'd be glad if this automated check just for the existence of the > abuse mailbox could be done not only annually but probably even > twice or four times a year. > > > - Thomas > > CERT-Bund Incident Response & Malware Analysis Team > > > On 20.03.2018 13:54, Gert Doering wrote: >> Hi, >> >> On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote: >>> At the same time, I do see some benefit in checking regularly the provided >>> e-mail address, because I am convinced that there will always be cases where >>> people simply forget to update the database. If they are reminded, they will >>> be happy to correct it. >> >> This is actually some benefit I see here - the NCC already does the >> ARC in regular intervals, so including abuse-c: in "please check that >> these are still correct" would be useful to help "those that do care but >> overlooked a necessary update". >> >> (Right now, the NCC will already ensure that contacts are correct if they >> receive a complaint from someone that contact data is wrong) >> >> So, still not really able to make up my mind whether I support or oppose >> this - staying neutral. >> >> Gert Doering >> -- NetMaster >> >
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Ok, thank you Alexander, I now feel I better understand your objection. Thanks, Brian Co-Chair, RIPE AA-WG Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 > -Original Message- > From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of > Alexander Isavnin > Sent: Tuesday 27 March 2018 14:39 > To: anti-abuse-wg@ripe.net > Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 > > Thanks for question, i really forgot to add important clarification paragraph > for objection. > > On 2018-03-27 14:50:13 CET, Brian Nisbet wrote: > > Alexander, > > > > Thanks for this. > > > > I'd just like to clarify something, are you objecting wholly to this > > proposal > because you would prefer stronger/more complex checks? In that you feel it > doesn't go far enough? > I'm objecting wholly to this proposal, because i doesnt' significantly improve > data quality of the whole registry and doesn't help to prevent serious abuse. > And being IT guy (and sometimes executive) i do not like implementing > something, "just because we can". > (and i had arguments, that valid abuse-c won't help against really malicious > abuse) > > If we need such kind of policy, than it should be full scale Automated > Registry > Checks (probably with all contacts, validity of routing, validity of resource > assigments, responsiveness of contacts, etc..) - in a way, which will > guarantee some measurable level on quality. (NCC Database SLA) > > But now, i prefer current situation, with trust to LIRs and light assisted > checks. > > Years ago, talking first time to Rob Blokzijl i'v asked him: "Why information > in > database is not being checked fully, with all phone numbers/emails checks, > submitting confirming papers for each assignment etc, like any activities done > in Russia?". He responded something like "It's not in tradition". And i value > such traditions. > I would like for us to stay in Western European tradition, rather than moving > to Police State tradition. > But if community decides to move - the move should be done with good and > complete approach. > > Hope you'll get me right. > > Kind regards, > Alexander Isavnin > > > Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Thanks for question, i really forgot to add important clarification paragraph for objection. On 2018-03-27 14:50:13 CET, Brian Nisbet wrote: > Alexander, > > Thanks for this. > > I'd just like to clarify something, are you objecting wholly to this proposal > because you would prefer stronger/more complex checks? In that you feel it > doesn't go far enough? I'm objecting wholly to this proposal, because i doesnt' significantly improve data quality of the whole registry and doesn't help to prevent serious abuse. And being IT guy (and sometimes executive) i do not like implementing something, "just because we can". (and i had arguments, that valid abuse-c won't help against really malicious abuse) If we need such kind of policy, than it should be full scale Automated Registry Checks (probably with all contacts, validity of routing, validity of resource assigments, responsiveness of contacts, etc..) - in a way, which will guarantee some measurable level on quality. (NCC Database SLA) But now, i prefer current situation, with trust to LIRs and light assisted checks. Years ago, talking first time to Rob Blokzijl i'v asked him: "Why information in database is not being checked fully, with all phone numbers/emails checks, submitting confirming papers for each assignment etc, like any activities done in Russia?". He responded something like "It's not in tradition". And i value such traditions. I would like for us to stay in Western European tradition, rather than moving to Police State tradition. But if community decides to move - the move should be done with good and complete approach. Hope you'll get me right. Kind regards, Alexander Isavnin Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Alexander, Thanks for this. I'd just like to clarify something, are you objecting wholly to this proposal because you would prefer stronger/more complex checks? In that you feel it doesn't go far enough? Thanks, Brian Co-Chair, RIPE AA-WG Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 > -Original Message- > From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of > Alexander Isavnin > Sent: 27 March 2018 13:46 > To: anti-abuse-wg@ripe.net > Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 > > Dear Brian, colleagues! > > I would like to remind about one of my objections: > This policy will not seriously improve data quality, because it allows to > check > only one field in database. > If one wants really to improve data quality by automated checks, more > complicated policy should be developed. > > Also, may i suggest to run "the method by which they(NCC) would plan to > implement this proposal" once, to display current situation with abuse-c in > database? > > Kind regards, > Alexander Isavnin > > Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Dear Brian, colleagues! I would like to remind about one of my objections: This policy will not seriously improve data quality, because it allows to check only one field in database. If one wants really to improve data quality by automated checks, more complicated policy should be developed. Also, may i suggest to run "the method by which they(NCC) would plan to implement this proposal" once, to display current situation with abuse-c in database? Kind regards, Alexander Isavnin Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Thomas Hungenberg(t...@cert-bund.de) on 2018.03.23 10:39:53 +0100: > > We had to deal with 40+ invalid abuse contacts only for resources > registered to German holders in the past three months. > Most messages bounced with "user unknown". > > We tried to reach out to the resource holders to get the invalid > abuse contacts fixed. If that failed, we reported the case to > RIPE NCC. With their assistance, a lot of additional cases could > be solved (thanks!). > > It turned out that most of the contacts were not invalid because > the resource holders wanted to ignore reporting of abuse but due to > technical problems or the contact set to a personal mailbox of > someone who had left the organization. Many resource holders were > glad to be notified of the problem. > > So while I'd still prefer a validation process that requires > human interaction to make sure messages sent to the abuse contacts > are actually read and processed, an automated check if the mailbox > exists at all would already help a lot. > I'd be glad if this automated check just for the existence of the > abuse mailbox could be done not only annually but probably even > twice or four times a year. I support the proposal. Thomas example shows that this check fixes a real problem, and that the number of non-working abuse contacts can easily be reduced. I fixed an abuse contact myself last week - one that i believe was automatically generated by the NCC when the contacts were introduced. A lot non-working contacts probably result from that alone. If a simple check like the one proposed by the NCC had been part of the original abuse contact implementation, i believe there would have been few complaints about it. /Benno > - Thomas > > CERT-Bund Incident Response & Malware Analysis Team > > > On 20.03.2018 13:54, Gert Doering wrote: > > Hi, > > > > On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote: > >> At the same time, I do see some benefit in checking regularly the provided > >> e-mail address, because I am convinced that there will always be cases > >> where > >> people simply forget to update the database. If they are reminded, they > >> will > >> be happy to correct it. > > > > This is actually some benefit I see here - the NCC already does the > > ARC in regular intervals, so including abuse-c: in "please check that > > these are still correct" would be useful to help "those that do care but > > overlooked a necessary update". > > > > (Right now, the NCC will already ensure that contacts are correct if they > > receive a complaint from someone that contact data is wrong) > > > > So, still not really able to make up my mind whether I support or oppose > > this - staying neutral. > > > > Gert Doering > > -- NetMaster > > > --
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Hi, On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote: > At the same time, I do see some benefit in checking regularly the provided > e-mail address, because I am convinced that there will always be cases where > people simply forget to update the database. If they are reminded, they will > be happy to correct it. This is actually some benefit I see here - the NCC already does the ARC in regular intervals, so including abuse-c: in "please check that these are still correct" would be useful to help "those that do care but overlooked a necessary update". (Right now, the NCC will already ensure that contacts are correct if they receive a complaint from someone that contact data is wrong) So, still not really able to make up my mind whether I support or oppose this - staying neutral. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature
Re: [anti-abuse-wg] Decision on Proposal 2017-02
" it does not prove at all that abuse reported to this address will be handled or acted upon in any way."We aren't here to enforce appropriate abuse handling (unfortunately),we are discussing how to make sure an abuse mailbox is valid. The only way to do that is to send a link to the abuse mailbox, requiring the person to access their RIPE account and to enter a CAPTCHA.Proving that an email account exists as somehow being relevant is wrong, because if i own a RIPE resource and I set my abuse mailbox to zsako AT iszt.hu, under the current proposal it will be validated as "true." There is no opportunity for you to even say "no, that's not the abuse mailbox, it's mine" because RIPE only accept bounce emails to their complaints form.More importantly, there is nothing about the current proposal that even requires a policy. RIPE could set up today this mail server check today with out the consensus of RIPE. "On the other hand, most probably there will also be people who - for some reason -will not want to handle abuse e-mails."That is a separate discussion to this one. Not wanting to handle abuse emails is different to not even having to receive them. ---- Original Message ---- Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: Janos Zsako <zs...@iszt.hu> Date: Tue, March 20, 2018 11:23 pm To: Name <phish...@storey.xxx>, anti-abuse-wg@ripe.net Dear Anonymous Name, > /"And an annual checking would ensure that the contacts remain more up-to-date."/ > > Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists. I am afraid I was not clear last time. I wrote: "One can determine with a high degree of confidence whether mail sent to a given address is accepted for delivery by the mail server specified as MX in the DNS for the given e-mail address. To me it is a good start and much more than not checking anything." The acceptance of the mail is slightly more than the existence of the mail server. In particular, in one of your previous e-mails you state: 'If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com", they will be deemed to have a valid abuse contact, because hotmail.com has a valid email server associated.' In the light of my clarification above, this is not the case, as the mail server (which by the way does exist), does not accept mail for this recipient: 5.5.0 Requested action not taken: mailbox unavailable. [BL2NAM02FT023.eop-nam02.prod.protection.outlook.com] ronald.mcdon...@hotmail.com ... User unknown > Mail server exists ≠ update-to-date contact > Mail server exists ≠ valid abuse mailbox At the same time, I agree that the above holds even if you replace "Mail server exists" with "Mail server accepts mail for given recipient". Unfortunately, as it has already been pointed out, the fact that a human does reply to a mail sent by the NCC during the annual check (assuming for a moment they do send such mail), it does not prove at all that abuse reported to this address will be handled or acted upon in any way. Unfortunately I agree with Gert Doering who said: "I maintain the position that those that do care can be reached today, and those that do not care will find ways to fulfill the letter of the policy, and not change their ways." At the same time, I do see some benefit in checking regularly the provided e-mail address, because I am convinced that there will always be cases where people simply forget to update the database. If they are reminded, they will be happy to correct it. On the other hand, most probably there will also be people who - for some reason - will not want to handle abuse e-mails. They will certainly find a way to ignore such mail whatever policies we put in place. Best regards, Janos
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Dear Anonymous Name, /"And an annual checking would ensure that the contacts remain more up-to-date."/ Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists. I am afraid I was not clear last time. I wrote: "One can determine with a high degree of confidence whether mail sent to a given address is accepted for delivery by the mail server specified as MX in the DNS for the given e-mail address. To me it is a good start and much more than not checking anything." The acceptance of the mail is slightly more than the existence of the mail server. In particular, in one of your previous e-mails you state: 'If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com", they will be deemed to have a valid abuse contact, because hotmail.com has a valid email server associated.' In the light of my clarification above, this is not the case, as the mail server (which by the way does exist), does not accept mail for this recipient: 5.5.0 Requested action not taken: mailbox unavailable. [BL2NAM02FT023.eop-nam02.prod.protection.outlook.com] ronald.mcdon...@hotmail.com ... User unknown Mail server exists ≠ update-to-date contact Mail server exists ≠ valid abuse mailbox At the same time, I agree that the above holds even if you replace "Mail server exists" with "Mail server accepts mail for given recipient". Unfortunately, as it has already been pointed out, the fact that a human does reply to a mail sent by the NCC during the annual check (assuming for a moment they do send such mail), it does not prove at all that abuse reported to this address will be handled or acted upon in any way. Unfortunately I agree with Gert Doering who said: "I maintain the position that those that do care can be reached today, and those that do not care will find ways to fulfill the letter of the policy, and not change their ways." At the same time, I do see some benefit in checking regularly the provided e-mail address, because I am convinced that there will always be cases where people simply forget to update the database. If they are reminded, they will be happy to correct it. On the other hand, most probably there will also be people who - for some reason - will not want to handle abuse e-mails. They will certainly find a way to ignore such mail whatever policies we put in place. Best regards, Janos
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Name, Why are you remaining anonymous ? Hervé De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de Name Envoyé : mardi 20 mars 2018 07:56 À : anti-abuse-wg@ripe.net Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02 "And an annual checking would ensure that the contacts remain more up-to-date." Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists. Mail server exists ≠ update-to-date contact Mail server exists ≠ valid abuse mailbox Original Message Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: <herve.clem...@orange.com<mailto:herve.clem...@orange.com>> Date: Tue, March 20, 2018 3:52 am To: "anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>" <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> As co-authors, if we propose this policy, that's because we believe that improving the Whois reliability is good for the Internet. With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of the current 70,000 distinct abuse contact emails seem technically incorrect, this implies that between 7,000 and 17,500 email addresses are not working ones. If contacted by the RIPE NCC, resource holders will be requested to fix this information and will be able to receive abuse notifications. So there will be a significant difference between receiving something vs receiving anything. Perhaps a part of these holders don't care but they will be contactable. The other part will be educated about this abuse-c field during the process. And an annual checking would ensure that the contacts remain more up-to-date. Regards Hervé -Message d'origine- De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox Envoyé : lundi 19 mars 2018 03:23 À : JORDI PALET MARTINEZ via anti-abuse-wg Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02 On Sun, 18 Mar 2018 13:43:54 + JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> wrote: > I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there > are more informed voices even from the NCC that can confirm, and > actually it will be interesting to confirm. > +1 I would like to also present the other side of the same argument: If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability... Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability... So, this would be most interesting to confirm. Regards Andre _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Re: [anti-abuse-wg] Decision on Proposal 2017-02
"And an annual checking would ensure that the contacts remain more up-to-date."Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.Mail server exists ≠ update-to-date contactMail server exists ≠ valid abuse mailbox Original Message Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: <herve.clem...@orange.com> Date: Tue, March 20, 2018 3:52 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> As co-authors, if we propose this policy, that's because we believe that improving the Whois reliability is good for the Internet. With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of the current 70,000 distinct abuse contact emails seem technically incorrect, this implies that between 7,000 and 17,500 email addresses are not working ones. If contacted by the RIPE NCC, resource holders will be requested to fix this information and will be able to receive abuse notifications. So there will be a significant difference between receiving something vs receiving anything. Perhaps a part of these holders don't care but they will be contactable. The other part will be educated about this abuse-c field during the process. And an annual checking would ensure that the contacts remain more up-to-date. Regards Hervé -Message d'origine- De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox Envoyé : lundi 19 mars 2018 03:23 À : JORDI PALET MARTINEZ via anti-abuse-wg Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02 On Sun, 18 Mar 2018 13:43:54 + JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: > I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there > are more informed voices even from the NCC that can confirm, and > actually it will be interesting to confirm. > +1 I would like to also present the other side of the same argument: If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability... Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability... So, this would be most interesting to confirm. Regards Andre _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Re: [anti-abuse-wg] Decision on Proposal 2017-02
As co-authors, if we propose this policy, that's because we believe that improving the Whois reliability is good for the Internet. With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of the current 70,000 distinct abuse contact emails seem technically incorrect, this implies that between 7,000 and 17,500 email addresses are not working ones. If contacted by the RIPE NCC, resource holders will be requested to fix this information and will be able to receive abuse notifications. So there will be a significant difference between receiving something vs receiving anything. Perhaps a part of these holders don't care but they will be contactable. The other part will be educated about this abuse-c field during the process. And an annual checking would ensure that the contacts remain more up-to-date. Regards Hervé -Message d'origine- De : anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] De la part de ox Envoyé : lundi 19 mars 2018 03:23 À : JORDI PALET MARTINEZ via anti-abuse-wg Objet : Re: [anti-abuse-wg] Decision on Proposal 2017-02 On Sun, 18 Mar 2018 13:43:54 + JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> wrote: > I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there > are more informed voices even from the NCC that can confirm, and > actually it will be interesting to confirm. > +1 I would like to also present the other side of the same argument: If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability... Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability... So, this would be most interesting to confirm. Regards Andre _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Sun, 18 Mar 2018 13:43:54 + JORDI PALET MARTINEZ via anti-abuse-wgwrote: > I'm not a lawyer, but deal a lot with them, and I'm sure anyway, > there are more informed voices even from the NCC that can confirm, > and actually it will be interesting to confirm. > +1 I would like to also present the other side of the same argument: If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability... Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability... So, this would be most interesting to confirm. Regards Andre
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Hi, On Sun, Mar 18, 2018 at 01:29:14PM +0100, Karl-Josef Ziegler wrote: > Andre Ox wrote: > > > But having some sort of policy is a start, even though > > what we are actually ending up with is not much at all and even then > > there are those that think even having a watery (watered down, > > toothless, etc) policy is a future threat. > > Yes, I agree. Making only a small step - even if it may be only symbolic - > is still better than making no steps at all. I disagree with this view. Politics should not be doing "something, just to be seen doing something!" - that way lies nothing useful. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Hi Erik, I think any policy or membership agreements will not affect the liability of the NCC in front of third parties because operational misconducts of any provider. Is the same way as if we believe that we can be blamed for fake info at the whois, spam, criminal cases, or whatever, unless of course, we setup an explicit rule to go against the law (like "you're free to use the resources for criminal activities"). So, I will say more on the other way around: as many policies/tools we have to verify the authenticity of data and compliance of policies, as less responsible we can be of any liabilities in front of third parties. However, as a community we are *internally* responsible to setup the rules (policies and membership agreement) that we want to be respected, and the way we want to act *internally* if those rules are not respected (never mind if is breaking a policy or not paying the invoices or whatever). I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there are more informed voices even from the NCC that can confirm, and actually it will be interesting to confirm. Regards, Jordi -Mensaje original- De: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> en nombre de Erik Bais <eb...@a2b-internet.com> Fecha: domingo, 18 de marzo de 2018, 13:22 Para: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Asunto: Re: [anti-abuse-wg] Decision on Proposal 2017-02 I still have some serious concerns about this proposal. I wonder how this might have an effect on the conduit role of (transit)-networks. And if the RIPE NCC will be requested to report (by the community or by legal court actions) or will be held liable in some way shape or form for the accurate information in case a resource holder will end up in a court case because they are not responsive on abuse complains. As a community we should tread carefully if we want to push the RIPE NCC in the middle of those kind of legal cases or want it to be held accountable on that. Especially in case of Copyright complaints for instance. The RIPE NCC is having agreements / contracts with all resource holders for ownership via End-User Agreements or LIR agreements, however in case of acting on operational topics like abuse handling, that SHOULD NOT be a part of it. Having a working method of abuse handling is a task of the resource holder themselves. If they decide to not act on or not have a valid abuse contact, it is their own responsibility. With all subsequent consequences. The RIPE NCC provides a datamodel in the RIPE DB to populate the field, but it should not get involved in validation of the information. The amount of work involved in validating just that specific field with no guarantee on or added value on actual responsiveness after it is validated, is a waste of community funds. Because those who want to respond on abuse complaints are already having working abuse contacts and those who don't, still won't. I fear that this task will be more or similar resource consuming than implementing 2007-01 .. ( Direct Internet Resource Assignments to End Users from the RIPE NCC ) Especially since it is stated that this should be done on a yearly basis. So in the end, it looks like expensive window dressing which might open up the RIPE NCC with a legal liability. However novel the intent is of authors. I would strongly advice against this. Regards, Erik Bais ** IPv4 is over Are you ready for the new Internet ? http://www.consulintel.es The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Re: [anti-abuse-wg] Decision on Proposal 2017-02
I still have some serious concerns about this proposal. I wonder how this might have an effect on the conduit role of (transit)-networks. And if the RIPE NCC will be requested to report (by the community or by legal court actions) or will be held liable in some way shape or form for the accurate information in case a resource holder will end up in a court case because they are not responsive on abuse complains. As a community we should tread carefully if we want to push the RIPE NCC in the middle of those kind of legal cases or want it to be held accountable on that. Especially in case of Copyright complaints for instance. The RIPE NCC is having agreements / contracts with all resource holders for ownership via End-User Agreements or LIR agreements, however in case of acting on operational topics like abuse handling, that SHOULD NOT be a part of it. Having a working method of abuse handling is a task of the resource holder themselves. If they decide to not act on or not have a valid abuse contact, it is their own responsibility. With all subsequent consequences. The RIPE NCC provides a datamodel in the RIPE DB to populate the field, but it should not get involved in validation of the information. The amount of work involved in validating just that specific field with no guarantee on or added value on actual responsiveness after it is validated, is a waste of community funds. Because those who want to respond on abuse complaints are already having working abuse contacts and those who don't, still won't. I fear that this task will be more or similar resource consuming than implementing 2007-01 .. ( Direct Internet Resource Assignments to End Users from the RIPE NCC ) Especially since it is stated that this should be done on a yearly basis. So in the end, it looks like expensive window dressing which might open up the RIPE NCC with a legal liability. However novel the intent is of authors. I would strongly advice against this. Regards, Erik Bais
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Sat, 17 Mar 2018 11:52:06 +0100 Gert Doeringwrote: > Hi, > On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote: > > To answer the question though: This proposal does make the world a > > better place. > > If a resource holder wishes to be allocated scarce public resources > > such a resource holder should also be responsible about the > > operations of such scarce public resources. > In which way, exactly, would this proposal have an effect to achieve > this goal (a goal that I share, to state it explicitly)? > I maintain the position that those that do care can be reached today, > and those that do not care will find ways to fulfill the letter of > the policy, and not change their ways. > So, to repeat Malcolm's position: if we introduce new work for the > NCC and the LIRs, does it improve things enough to be the right thing > to do? > (As a side note, we recently were contacted by the NCC because one of > our 'sponsoring LIR' customers had changed their primary domain and > forgot to update their contact details in the RIPE DB, thus, making > them unreachable. Someone noticed, complained to the NCC, the NCC > contacted the sponsoring LIR, and contact details were corrected. > Things seem to work today where people care...) > simply because it does not really stop a determined thief from stealing your car, should we stop installing locks on car doors? the "new work" that you are talking about is establishing that submitted data is accurate. in the RIR case, this is paramount anyway and for LIR, submit real and updated data oh, and do not use: mickeymo...@example.com - if you want public resources, is not unreasonable at all. Yes, you are quite correct. (I agree completely) you have those who care and those who do not. And yes, those that do not care will find ways around it. But having some sort of policy is a start, even though what we are actually ending up with is not much at all and even then there are those that think even having a watery (watered down, toothless, etc) policy is a future threat. in practice there exists a problem and it is a real problem, so my view is simply 'baby steps' - so, of course this means that Sascha is also correct as there are people (like me) who will in the future argue for even more... - but to now use this compromise of those that want more with those that want nothing - as an actual reason to object, is ludicrous and frankly objectionable in itself. (and should not be taken into consideration as any real objection anyway) Regards Andre
Re: [anti-abuse-wg] Decision on Proposal 2017-02
"I maintain the position that those that do care can be reached today, andthose that do not care will find ways to fulfill the letter of the policy,and not change their ways."There has already been discussion about cancelling resources of people who don't comply. Firstly, there is nothing in this policy to comply with. It consists of RIPE checking if a mail server exists. If a resource owner sets their abuse mailbox to "ronald.mcdon...@hotmail.com", they will be deemed to have a valid abuse contact, because hotmail.com has a valid email server associated.The original intention was for resource owners to have to click a link in an email to prove the email address exists & that there's someone monitoring it. But that was so utterly difficult it looks to have been abandoned.Secondly, they have tried to say that talking about consequences is a conversation "for another day." (ie: never).So, if you are against this policy, you should be happy because it's garbage anyway.The original reason for the discussion was that RIPE were having to contact resource owners when the abuse email address didn't work. This outcome doesn't even do that. They will still be contacting as many people as they were before this policy (which doesn't even need to be a policy) will be introduced. Original Message ---- Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: Gert Doering <g...@space.net> Date: Sat, March 17, 2018 9:52 pm To: ox <an...@ox.co.za> Cc: anti-abuse-wg@ripe.net Hi, On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote: > To answer the question though: This proposal does make the world a > better place. > > If a resource holder wishes to be allocated scarce public resources > such a resource holder should also be responsible about the operations > of such scarce public resources. In which way, exactly, would this proposal have an effect to achieve this goal (a goal that I share, to state it explicitly)? I maintain the position that those that do care can be reached today, and those that do not care will find ways to fulfill the letter of the policy, and not change their ways. So, to repeat Malcolm's position: if we introduce new work for the NCC and the LIRs, does it improve things enough to be the right thing to do? (As a side note, we recently were contacted by the NCC because one of our 'sponsoring LIR' customers had changed their primary domain and forgot to update their contact details in the RIPE DB, thus, making them unreachable. Someone noticed, complained to the NCC, the NCC contacted the sponsoring LIR, and contact details were corrected. Things seem to work today where people care...) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Hi, On Sat, Mar 17, 2018 at 10:53:55AM +0200, ox wrote: > To answer the question though: This proposal does make the world a > better place. > > If a resource holder wishes to be allocated scarce public resources > such a resource holder should also be responsible about the operations > of such scarce public resources. In which way, exactly, would this proposal have an effect to achieve this goal (a goal that I share, to state it explicitly)? I maintain the position that those that do care can be reached today, and those that do not care will find ways to fulfill the letter of the policy, and not change their ways. So, to repeat Malcolm's position: if we introduce new work for the NCC and the LIRs, does it improve things enough to be the right thing to do? (As a side note, we recently were contacted by the NCC because one of our 'sponsoring LIR' customers had changed their primary domain and forgot to update their contact details in the RIPE DB, thus, making them unreachable. Someone noticed, complained to the NCC, the NCC contacted the sponsoring LIR, and contact details were corrected. Things seem to work today where people care...) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Sat, 17 Mar 2018 08:43:45 +0100 Gert Doeringwrote: > Reading comments like *this* as an argument *for* the proposal makes > me wonder if I should reconsider being neutral about it. > What Malcolm said is something that carefully needs to be considered: > what is the real goal to be achieved, and does this proposal help in > any way to get there? If *not*, extra measures that use up resources > and could have unforeseen consequences, should not be implemented. > What Sasha said is also something that carefully needs to be > considered, and not just waved away as "he's just being > irresponsible". > To ask you: in which ways will this proposal help the internet make > less of a "shit hole"? Those that care already have working abuse > contacts, those that care not will find ways to fulfill the letter of > the policy, and still care not. I am not the American president and I actually object to the common use of the words "Shit Hole" as much as I object to women being grabbed by the pussy by powerful men, I guess. maybe I am just too conservative, maybe I am an assh*le myself, I do not know. Either way, I do choose to take offense. To answer the question though: This proposal does make the world a better place. If a resource holder wishes to be allocated scarce public resources such a resource holder should also be responsible about the operations of such scarce public resources. Andre
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Hi, On Fri, Mar 16, 2018 at 04:33:47PM -0700, Name wrote: > So he has no basis of objection, but don't even think > of implementing something that might actually go towards helping the internet > in the future, because it's a slippery slope and Adolf Hitler 2.0 will reign > supreme, even though this proposal (as it turned out) does absolutely nothing > to verify abuse mailbox attributes, but the mere fact this has come up as > discussion is incredibly dangerous, because it shows there might be someone > within any of the LIR who is acknowledging that maybe they are responsible > for the internet being a shit hole, and that simply cannot happen, because > then resource owners might actually have to do some work. What a horrible > thought. Reading comments like *this* as an argument *for* the proposal makes me wonder if I should reconsider being neutral about it. What Malcolm said is something that carefully needs to be considered: what is the real goal to be achieved, and does this proposal help in any way to get there? If *not*, extra measures that use up resources and could have unforeseen consequences, should not be implemented. What Sasha said is also something that carefully needs to be considered, and not just waved away as "he's just being irresponsible". To ask you: in which ways will this proposal help the internet make less of a "shit hole"? Those that care already have working abuse contacts, those that care not will find ways to fulfill the letter of the policy, and still care not. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 signature.asc Description: PGP signature
Re: [anti-abuse-wg] Decision on Proposal 2017-02
So he has no basis of objection, but don't even think of implementing something that might actually go towards helping the internet in the future, because it's a slippery slope and Adolf Hitler 2.0 will reign supreme, even though this proposal (as it turned out) does absolutely nothing to verify abuse mailbox attributes, but the mere fact this has come up as discussion is incredibly dangerous, because it shows there might be someone within any of the LIR who is acknowledging that maybe they are responsible for the internet being a shit hole, and that simply cannot happen, because then resource owners might actually have to do some work. What a horrible thought. Original Message Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: "Sascha Luck [ml]" <a...@c4inet.net> Date: Sat, March 17, 2018 1:48 am To: Brian Nisbet <brian.nis...@heanet.ie> Cc: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> On Fri, Mar 16, 2018 at 08:59:55AM +, Brian Nisbet wrote: >Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting to this proposal on the basis of something that may or may not happen in the future? If you want to be uncharitable, yes. However, this is the *last* point at which it is even *possible* for me to object to what I see as a dangerous slippy slope. >Ok, but do you have any issues with 2017-02 as written, bearing in mind what Marco and myself have already said about the policies around non-adherence to RIPE policies? > Yes, it adds another thing to an already long list of things that can trigger a monopoly provider to deny service to its (involuntary) customers. If you're determined to manufacture consensus by declaring an entire class of objections, to whit: medium to long term consequences of such a proposal, out of bounds; there is not much I can do. The record will show I've made my stand and history shall judge. rgds, Sascha Luck >> Also one point I raised remains so far entirely unaddressed - why does a >> proposal and its implementation plan prescribe the use of email (in 2018!) for >> contact information? > >As always, if you wish to propose something that involves other media, please do. But at present, this is the medium in use. > >Thanks, > >Brian >Co-Chair, RIPE AA-WG > >> >> -Original Message- >> >> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of >> >> Sascha Luck [ml] >> >> Sent: Thursday 15 March 2018 17:04 >> >> To: anti-abuse-wg@ripe.net >> >> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 >> >> >> >> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote: >> >> >This proposal is a first step to catch low hanging fruit. Yes: there >> >> >are many things that can (should) be improved, but getting consensus >> >> >on these controversial topics is difficult. So the proposers are >> >> >taking it one step at a time. Based on the discussion on this >> >> >mailing list those steps apparently have to be very small, but at >> >> >least there is the possibility of movement :) >> >> >> >> Correctly and perfectly summarised. A textbook example of early-stage >> >> frog- boiling. >> >> https://en.wikipedia.org/wiki/Boiling_frog >> >> >> >> The road to oppressive and onerous regulation is taken a small step >> >> at a time in the 21st century and that's why it is important to >> >> resist such attempts NOW while it is possible to do so without great >> personal sacrifice. >> >> >> >> For the avoidance of doubt, the above constitutes (continuing) >> >> opposition to 2017-02. >> >> >> >> rgds, >> >> Sascha Luck >> >> >> >
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Fri, Mar 16, 2018 at 08:59:55AM +, Brian Nisbet wrote: Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting to this proposal on the basis of something that may or may not happen in the future? If you want to be uncharitable, yes. However, this is the *last* point at which it is even *possible* for me to object to what I see as a dangerous slippy slope. Ok, but do you have any issues with 2017-02 as written, bearing in mind what Marco and myself have already said about the policies around non-adherence to RIPE policies? Yes, it adds another thing to an already long list of things that can trigger a monopoly provider to deny service to its (involuntary) customers. If you're determined to manufacture consensus by declaring an entire class of objections, to whit: medium to long term consequences of such a proposal, out of bounds; there is not much I can do. The record will show I've made my stand and history shall judge. rgds, Sascha Luck Also one point I raised remains so far entirely unaddressed - why does a proposal and its implementation plan prescribe the use of email (in 2018!) for contact information? As always, if you wish to propose something that involves other media, please do. But at present, this is the medium in use. Thanks, Brian Co-Chair, RIPE AA-WG >> -Original Message- >> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of >> Sascha Luck [ml] >> Sent: Thursday 15 March 2018 17:04 >> To: anti-abuse-wg@ripe.net >> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 >> >> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote: >> >This proposal is a first step to catch low hanging fruit. Yes: there >> >are many things that can (should) be improved, but getting consensus >> >on these controversial topics is difficult. So the proposers are >> >taking it one step at a time. Based on the discussion on this >> >mailing list those steps apparently have to be very small, but at >> >least there is the possibility of movement :) >> >> Correctly and perfectly summarised. A textbook example of early-stage >> frog- boiling. >> https://en.wikipedia.org/wiki/Boiling_frog >> >> The road to oppressive and onerous regulation is taken a small step >> at a time in the 21st century and that's why it is important to >> resist such attempts NOW while it is possible to do so without great personal sacrifice. >> >> For the avoidance of doubt, the above constitutes (continuing) >> opposition to 2017-02. >> >> rgds, >> Sascha Luck >> >
Re: [anti-abuse-wg] Decision on Proposal 2017-02
Malcolm (and, indeed, Sascha), I did not intent to be flippant in my answer. I apologise that it came across in that way. It was meant as a genuine attempt to gain better understanding of the basis for the objection, not an attempt to dismiss or mischaracterise, although I can understand that it came across in that way. I believe the points that Marco and I have made still stand in regards to the possible outcome of not adhering to this policy and whether that is a change or a valid reason for objection. Thank, Brian Co-Chair, RIPE AA-WG Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 > -Original Message- > From: Malcolm Hutty <malc...@linx.net> > Sent: Friday 16 March 2018 09:28 > To: Brian Nisbet <brian.nis...@heanet.ie>; anti-abuse-wg@ripe.net > Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 > > On 16/03/2018 08:59, Brian Nisbet wrote: > >> Nothing, and I didn't state that it was. The problem is that, once > >> accepted, the implementation is out of the hands of this community or > >> indeed everyone bar the NCC Board. They can make it as onerous and > >> oppressive as they want. > > Ah, ok, my apologies. So, because I'd like to be clear here, you are > objecting to this proposal on the basis of something that may or may not > happen in the future? > > > > Brian, > > As a matter of principle I must object to that as a completely unfair > mischaracterisation of what Sascha just said. > > To object to a proposal "on the basis of something that may or may not > happen in the future" makes it sound speculative, and thus unreasonable. > > To object to a proposal on the basis that it *authorises* something > undesirable to happen is perfectly reasonable; such an objection is on the > basis that the measure before us would transfer the decision as to whether > that thing should happen from us to (in this case) the NCC. > That's something that is happening now, not something in the future. > > You may disagree with Sascha as to whether 2017-02 does in fact authorise > the NCC to do something undesirable, but it's not fair to rule out his > concerns > merely because the supposedly undesirable outcome is only authorised > rather than required. > > I think it really important that we recognise that when authorising the NCC to > act, it is a legitimate objection to say that we wouldn't want them to > exercise > that authority in a particular way, and the scope of what is authorised ought > to be limited in some way. I am far more concerned about that as a principle > than I am about the outcome for this proposal in particular. > > Kind Regards, > > Malcolm. > > -- > Malcolm Hutty | tel: +44 20 7645 3523 >Head of Public Affairs | Read the LINX Public Affairs blog London Internet > Exchange | http://publicaffairs.linx.net/ > > London Internet Exchange Ltd >Monument Place, 24 Monument Street London EC3R 8AJ > > Company Registered in England No. 3137929 >Trinity Court, Trinity Street, Peterborough PE1 1DA
Re: [anti-abuse-wg] Decision on Proposal 2017-02
> -Original Message- > From: Sascha Luck [ml] <a...@c4inet.net> > Sent: Thursday 15 March 2018 18:45 > To: Brian Nisbet <brian.nis...@heanet.ie> > Cc: anti-abuse-wg@ripe.net > Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 > > On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote: > >For instance, what about the suggested implementation is onerous or > oppressive? > > Nothing, and I didn't state that it was. The problem is that, once accepted, > the implementation is out of the hands of this community or indeed > everyone bar the NCC Board. They can make it as onerous and oppressive as > they want. Ah, ok, my apologies. So, because I'd like to be clear here, you are objecting to this proposal on the basis of something that may or may not happen in the future? > Furthermore, from the general tenor of this discussion I can't help assuming > that 2017-02 won't be the end of it and I have to take this into account when > considering the (de)merits of 2017-02. Ok, but do you have any issues with 2017-02 as written, bearing in mind what Marco and myself have already said about the policies around non-adherence to RIPE policies? > Also one point I raised remains so far entirely unaddressed - why does a > proposal and its implementation plan prescribe the use of email (in 2018!) for > contact information? As always, if you wish to propose something that involves other media, please do. But at present, this is the medium in use. Thanks, Brian Co-Chair, RIPE AA-WG > >> -Original Message- > >> From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of > >> Sascha Luck [ml] > >> Sent: Thursday 15 March 2018 17:04 > >> To: anti-abuse-wg@ripe.net > >> Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 > >> > >> On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote: > >> >This proposal is a first step to catch low hanging fruit. Yes: there > >> >are many things that can (should) be improved, but getting consensus > >> >on these controversial topics is difficult. So the proposers are > >> >taking it one step at a time. Based on the discussion on this > >> >mailing list those steps apparently have to be very small, but at > >> >least there is the possibility of movement :) > >> > >> Correctly and perfectly summarised. A textbook example of early-stage > >> frog- boiling. > >> https://en.wikipedia.org/wiki/Boiling_frog > >> > >> The road to oppressive and onerous regulation is taken a small step > >> at a time in the 21st century and that's why it is important to > >> resist such attempts NOW while it is possible to do so without great > personal sacrifice. > >> > >> For the avoidance of doubt, the above constitutes (continuing) > >> opposition to 2017-02. > >> > >> rgds, > >> Sascha Luck > >> > >
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Thu, 15 Mar 2018 18:44:44 + "Sascha Luck [ml]"wrote: > On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote: > >For instance, what about the suggested implementation is onerous or > >oppressive? > Nothing, and I didn't state that it was. The problem is that, once > accepted, the implementation is out of the hands of this > community or indeed everyone bar the NCC Board. They can make it > as onerous and oppressive as they want. > within the implementation. (wherein there is nothing onerous or oppressive - as all seem to agree...) > Furthermore, from the general tenor of this discussion I can't > help assuming that 2017-02 won't be the end of it and I have to > take this into account when considering the (de)merits of > 2017-02. > to object because you may object in the future to something unspecified or unknown is the same as just objecting for the sake of objecting. > Also one point I raised remains so far entirely unaddressed - why > does a proposal and its implementation plan prescribe the use of > email (in 2018!) for contact information? > because everyone has email. not everyone has telegram, whatsup, insertnameofyourcommshere or simply 'trusts' all java(script)/apps from wherever... Regards Andre
Re: [anti-abuse-wg] Decision on Proposal 2017-02
What is there to oppose about 2017-02?A completely ineffective policy, that doesn't even need to be a policy, that doesn't solve any of the original stated issues, which does nothing to change the system as is, which does NOTHING to verify abuse attributes, and you're bitching about it?You remind me of the national rifle association in the USA. 30 people get killed in a school, and asking for a basic background check for a firearm purchaser is simply too much to ask for. Original Message Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 From: "Sascha Luck [ml]" <a...@c4inet.net> Date: Fri, March 16, 2018 4:03 am To: anti-abuse-wg@ripe.net On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote: >This proposal is a first step to catch low hanging fruit. Yes: there are many things that can (should) be improved, but getting consensus on these controversial topics is difficult. So the proposers are taking it one step at a time. Based on the discussion on this mailing list those steps apparently have to be very small, but at least there is the possibility of movement :) Correctly and perfectly summarised. A textbook example of early-stage frog-boiling. https://en.wikipedia.org/wiki/Boiling_frog The road to oppressive and onerous regulation is taken a small step at a time in the 21st century and that's why it is important to resist such attempts NOW while it is possible to do so without great personal sacrifice. For the avoidance of doubt, the above constitutes (continuing) opposition to 2017-02. rgds, Sascha Luck
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On Thu, Mar 15, 2018 at 05:08:29PM +, Brian Nisbet wrote: For instance, what about the suggested implementation is onerous or oppressive? Nothing, and I didn't state that it was. The problem is that, once accepted, the implementation is out of the hands of this community or indeed everyone bar the NCC Board. They can make it as onerous and oppressive as they want. Furthermore, from the general tenor of this discussion I can't help assuming that 2017-02 won't be the end of it and I have to take this into account when considering the (de)merits of 2017-02. Also one point I raised remains so far entirely unaddressed - why does a proposal and its implementation plan prescribe the use of email (in 2018!) for contact information? rgds, Sascha Luck -Original Message- From: anti-abuse-wg <anti-abuse-wg-boun...@ripe.net> On Behalf Of Sascha Luck [ml] Sent: Thursday 15 March 2018 17:04 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 On Wed, Mar 14, 2018 at 03:33:42PM +0100, Sander Steffann wrote: >This proposal is a first step to catch low hanging fruit. Yes: there >are many things that can (should) be improved, but getting consensus on >these controversial topics is difficult. So the proposers are taking it >one step at a time. Based on the discussion on this mailing list those >steps apparently have to be very small, but at least there is the >possibility of movement :) Correctly and perfectly summarised. A textbook example of early-stage frog- boiling. https://en.wikipedia.org/wiki/Boiling_frog The road to oppressive and onerous regulation is taken a small step at a time in the 21st century and that's why it is important to resist such attempts NOW while it is possible to do so without great personal sacrifice. For the avoidance of doubt, the above constitutes (continuing) opposition to 2017-02. rgds, Sascha Luck
Re: [anti-abuse-wg] Decision on Proposal 2017-02
On 14/03/2018 13:32, Marco Schmidt wrote: > Please let me reiterate that the RIPE NCC will not activate the > closure procedure simply for failure to maintain the "abuse-mailbox:" > attribute. > > The closure procedure could be activated if the resource holder refuses > to provide correct abuse contact information or is unresponsive over a > longer period (during which the RIPE NCC will have made several attemps > to contact the resource holder via different channels). Marco, Thank you for your detailed mail. However I do not understand how the two sentences quoted above are consistent with each other. Is it that you won't activate the closure procedure *solely* for failure to maintain abuse-mailbox, but might activate it if this was compounded with some other breach? How would you feel if the policy was amended to say something along the lines of "For the pupose of RIPE-676 paragraph 1.6.2.1.1 (Violation of RIPE Policys and RIPE NCC Procedures), failure to maintain the abuse-mailbox attribute shall not be deemed sufficient reason to terminate the SSA in itself, but may be deemed an aggravating factor contributing towards a decision to terminate the SSA." Kind Regards, Malcolm. -- Malcolm Hutty | tel: +44 20 7645 3523 Head of Public Affairs | Read the LINX Public Affairs blog London Internet Exchange | http://publicaffairs.linx.net/ London Internet Exchange Ltd Monument Place, 24 Monument Street London EC3R 8AJ Company Registered in England No. 3137929 Trinity Court, Trinity Street, Peterborough PE1 1DA
Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps
So an admin sets their email to "f...@hotmail.com" and it passes, because hotmail has a valid email server and its "syntax" is correct?It can be validated as human by CAPTCHA:https://en.wikipedia.org/wiki/CAPTCHAThe current wording is wasting everyone's time, and seriously, does it need a change in policy if it's implemented as is? How does it change a single thing? Original Message ---- Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps From: Janos Zsako <zs...@iszt.hu> Date: Wed, March 14, 2018 11:29 pm To: Name <phish...@storey.xxx>, anti-abuse-wg@ripe.net Dear Anonymous "Name", > How do you check the email address is valid if you don't email it? > > https://www.ripe.net/participate/policies/proposals/2017-02 I think the NCC will be able to tell more details when the plans are ready. For now, the relevant part is probably: > The RIPE NCC will validate the technical parameters of an “abuse-mailbox:” attribute, such as syntax, domain and mail server configuration, to determine if it is correctly configured to receive messages. One can determine with a high degree of confidence whether mail sent to a given address is accepted for delivery by the mail server specified as MX in the DNS for the given e-mail address. To me it is a good start and much more than not checking anything. One can probably not test whether the accepted mail is indeed delivered and even less whether is is eventually read by a human. The latter cannot be checked even if one does send the e-mail and even get a reply (generally speaking one cannot be certain the response was sent by a human). Therefore, I would leave the details to the NCC for now. Best regards, Janos
Re: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps
And apologies for the subject change, which I meant to edit. We’ve a new email system in work which needs training. Brian Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 From: Brian Nisbet Sent: Wednesday 14 March 2018 11:31 To: 'Name' <phish...@storey.xxx>; anti-abuse-wg@ripe.net Subject: RE: SPAM-heanet-- RE: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps Hi, I haven’t given an exhaustive list of all of the emails sent, but they are all in the archive. I believe I have covered some of the main points below. While I don’t feel a number of them are valid, as discussed, they were stated as initial reasons for objection. Given my statements below I now wish people to either clarify their reasons for objection or say they no longer object or something in between. We’ll then review this at the end of the current phase. Thanks, Brian Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie> www.heanet.ie<http://www.heanet.ie> Registered in Ireland, No. 275301. CRA No. 20036270 From: Name <phish...@storey.xxx<mailto:phish...@storey.xxx>> Sent: Tuesday 13 March 2018 01:28 To: Brian Nisbet <brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie>>; anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net> Subject: SPAM-heanet-- RE: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps "we do not believe rough consensus has been reached." Who spoke out against it, and what did they say? I haven't seen anything that says that consensus has not been reached. What does "consensus" look like? Original Message Subject: [anti-abuse-wg] Decision on Proposal 2017-02 & Next Steps From: Brian Nisbet <brian.nis...@heanet.ie<mailto:brian.nis...@heanet.ie>> Date: Mon, March 12, 2018 11:57 pm To: "anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>" <anti-abuse-wg@ripe.net<mailto:anti-abuse-wg@ripe.net>> Colleagues, We've been thinking about this for some time and attempting to find a way through the various comments and messages in regards to 2017-02. We believe the best option at this point is to extend the review phase of this proposal for a further 4 weeks as we do not believe rough consensus has been reached. However we also do not believe that there has been sufficient clear argument to reject the proposal. We think that during this time it would be useful if those who engaged in the discussion but did not express a preference could do so. It would also be useful if those who commented on the first version of the proposal, especially those who objected, still objected after the second version was published. It should also be noted that the NCC have laid out the method by which they would plan to implement this proposal, so we do not believe that discussion around alternative methods nor additional checks is germane. It is also clear that the ARC will be used in conjunction with the automated checks. It is also clear that this will not require "make work" from any admins to answer. Finally we need to address the objections around the possible implications of organisations *not* following this policy. It is clear that 2017-02 does not attempt to introduce any additional processes nor change how the NCC would act in cases where policies are not followed. We believe this has been clarified. If members of the community have an issue with these procedures then we think that's a separate discussion, rather than a valid reason to object to 2017-02 Other than those listed above, there was a feeling expressed that this will not make any meaningful difference. Both the RIPE NCC and the proposers have said that this work to improve the quality of data will be greatly appreciated. We would also mention that policies can be further amended in the future. So, if everyone could take a look at the latest version of 2017-02 again that would be appreciated. If you have already stated your support there is no need to do so. If you are opposed, then please consider the above and the various discussions and see if you are still opposed to this version of the proposal. If so, can you please state which reasons for opposition have not been clarified nor resolved. Obviously if you haven't stated a preference either way, as I mention above, this is your opportunity to do so! Thanks, Brian Co-Chair, RIPE AA-WG Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFS