[anti-spam-wg] Re: BCP on limiting e-mail abuse

  • To: "RIPE anti-spam WG" anti-spam-wg@localhost
  • From: "Rodney Tillotson" <R.Tillotson@localhost>
  • Date: Wed, 4 Oct 2006 14:50:33 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for comments from a few people.
Others still welcome.

Rodney Tillotson.


[Markus Stumpf]
(who makes several points that will be important for the next
version):

> I get the impression that the anti-spam practices advised (at
> least 1-3) are outdated for at least 3-5 years.

The limited aim is to track the LINX BCP from which the current
document was derived. It may be helpful to start again, and (as
I said) that's a separate job.

> > Of course many products have entirely legitimate uses in handling
> > mailing lists run on an opt-in basis ...
> 
> As Opt-In does not provide authentication in any way it is totally
> useless with regard to authorization.
> With simple Opt-In one cannot tell authentic requests from fake
> requests.

You are, of course, right; the real problem is that the name is given
different meanings and qualifications by various people. The other
references are more precise, and I think the fairly loose statement
here is appropriate.

> Sending out automated ACKs to each and every message to the abuse
> report will harass a *lot* of innocent users ...

This version doesn't mention automated acknowledgments at all.
A future one would probably say SHOULD NOT, with MUST NOT for cases
where there is no reason to believe the address of the apparent
sender.

> I have lost track of the database discussion, but I still would
> prefer to make RP records in DNS mandatory, anyway.

That would be a change; the idea is to document current practice
(and Wilfried has commented about using the RIPE database).

> > ISPs are required to accept and process emailed reports of abuse
> > by their customers.
> 
> I had to read this sentence more than one time, ...

Fair comment. There are lots of similar changes we should make, but
this version is intended to follow the original as much as possible.
Perhaps this is better (but a bit longer):

ISPs are required to accept and process emailed reports about abuse
by their own customers, whatever person or organization may send the
reports.

> > ISPs MUST keep other logs for a reasonable period ...

> This may be in violation of national data protections laws.
> I'd suggest to add "unless this is in violation of local data
> protection laws".

Good idea ("reasonable" was intended to cover it, but never mind).


[Esa Laitinen]
(who also makes some good points for the next version):

> In appendix B, the LINX BCP documents seem to be MIA.

Oversight by me, fixed in a new draft.
Links were right when I prepared the draft but the world has
moved on.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFFI7wJzHL8ns8C6+kRApZlAKDOA8q6IybbawqM2AjWoA+7NR4bSgCcDe1x
0BBvsK+mi9FUe0+yvraUaXo=
=sPJW
-----END PGP SIGNATURE-----