
Abuse address attribute in RIPE whois?

  • To: RIPE Anti-Spam WG
  • From: amar
  • Date: Tue, 21 Aug 2001 16:40:35 +0100
  • Organization: Telia Net

All,

Maybe a little OT or wrong WG. But I see that this could maybe
be a benefit for all involved.

In the wake of Code Red, more broadband deployments and so on I
have seen an increasing number of abuse complaints that have been
sent to addresses that do not have anything to do with abuse
reports/complaints. Sent to the addresses that can be found under
"update:"

There is a plug-in for Norton Personal Firewall called The "Who's
There?" Firewall Advisor that automatically looks up the source of
the IP address that has been logged in the firewall. The user then
just clicks "notify" and the program creates a pre-defined mail
ready to be sent to the responsible ISP.

Here is the problem. They use the address found at the end in the
inetnum object. Even though you have created information under the
"descr:" fields saying:

inetnum:      192.168.0.0 - 192.168.255.255
netname:      EU-ISP
descr:        Foo Bar ISP Inc.
descr:        ISP
descr:        ---------------------------
descr:        Intrusion and abuse reports
descr:        should be sent to
descr:        abuse@localhost
descr:        ---------------------------

They *never* use this information.

And the reason why they instead have chosen to send the abuse
report to the person that has created/updated the object is
this (taken from their webpage):

"Addresses should usually be chosen starting from the bottom of the 
 dialog, since information toward the bottom tends to be more specific 
 than at the top. Alternatively, you can attempt to contact a network 
 administrator using other WHOIS information, such as their phone 
 number or mailing address"

 http://www2.opendoor.com/whosthere/UG/WTWTDialog.html#likely_email

This is not the only program that uses this approach. And the same
pattern can be found among many users.

This is starting to get really annoying. Not only the fact that you
receive a lot of mail that you have to forward to the right address.
But also the fact that most of the ISPs' abuse departments will not
get the complaints direct. And by that delay the whole investigation
into the matter.

My question is if there is an interest to create a "draft" for an
identifier in the inetnum object that could be used for abuse reports.
Like the "X-Complaints-To:" in NNTP. That identifier could then be used
by programs like the one mentioned in this mail. And could also be
easier to find on each assignment. As most LIRs have only created info
about this in the object for the whole block.

Any interest?

Regards

-- amar
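
The selection problem described in the message above, as an added example that is not part of the original post and is not code from the Firewall Advisor product. It compares the "bottom-most address" heuristic with a selector that prefers a dedicated abuse attribute and then the "descr:" text; the attribute name `x-abuse-to` and the trailing `changed:` line in the sample are assumptions made for illustration.

```python
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)*")
ABUSE_HINT = re.compile(r"abuse|intrusion|complaint", re.I)

# Constructed sample: the inetnum object from the post plus a made-up
# trailing maintainer line of the kind the reporting tools pick up.
SAMPLE = """\
inetnum:      192.168.0.0 - 192.168.255.255
netname:      EU-ISP
descr:        Foo Bar ISP Inc.
descr:        ISP
descr:        ---------------------------
descr:        Intrusion and abuse reports
descr:        should be sent to
descr:        abuse@localhost
descr:        ---------------------------
changed:      hostmaster@isp.example 20010821
"""

def parse(text):
    """Return [(attribute, value), ...] in the order they appear."""
    pairs = []
    for line in text.splitlines():
        if ":" in line and not line.startswith(("%", "#")):
            key, value = line.split(":", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def bottom_most_address(pairs):
    """Heuristic from the post: take the last e-mail address in the object."""
    found = [m for _, value in pairs for m in EMAIL.findall(value)]
    return found[-1] if found else None

def abuse_address(pairs, abuse_attr="x-abuse-to"):
    """Prefer a dedicated attribute (hypothetical name), then descr: text."""
    for key, value in pairs:
        match = EMAIL.search(value)
        if key == abuse_attr and match:
            return match.group()
    descr = [value for key, value in pairs if key == "descr"]
    for i, value in enumerate(descr):
        if ABUSE_HINT.search(value):
            # The address may be on the same line or a few lines below it.
            for later in descr[i:i + 4]:
                match = EMAIL.search(later)
                if match:
                    return match.group()
    return None  # no abuse contact stated; do not guess a maintainer address
```

On the sample object the first selector returns the maintainer address and the second returns the address given in the "descr:" lines.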



