You are here: Home > Participate > Join a Discussion > RIPE Forum
RIPE Forum v1.4.1

Anti-Abuse Working Group

Threaded
Collapse

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

Ángel González Berdasco

2020-01-14 00:27:48 CET

Well, I do see the value of an option (a magic email value?) meaning "this entity supports the use of its network for abusive purposes and will take no action on any abuse report".

That would save time for everyone involved, and would allow to easily block those networks from accesing ours!


Ronald F. Guilmette

2020-01-14 02:46:15 CET

In message , 
=?utf-8?B?w4FuZ2VsIEdvbnrDoWxleiBCZXJkYXNjbw==?= <angel.gonzalez _at_ incibe _dot_ es> wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow to easily block
>those networks from accesing ours!

These are pretty much my sentiments exactly.

The only questions remaining are:

   1)   Should there just be a simple yes/no one-bit flag published for
        each resource holder, or would a scale and a range of possible
        "rating" values be more useful?

   2)   How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my
prior posting.


Regards,
rfg


User Image

Jordi Palet Martinez

2020-01-14 10:36:10 CET

I think if we try to agree on those ratings, we will never reach consensus ...

So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:

"This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."

This will be still in line with the actual policy (and the proposal modifications) and will allow the operators to decide if they want to be good netcitizens or not, and the victims to decide if they want to block them.

Regards,
Jordi
@jordipalet
 
 

El 14/1/20 2:46, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de rfg _at_ tristatelogic _dot_ com> escribió:

    In message , 
    =?utf-8?B?w4FuZ2VsIEdvbnrDoWxleiBCZXJkYXNjbw==?= <angel.gonzalez _at_ incibe _dot_ es> wrote:
    
    >Well, I do see the value of an option (a magic email value?) meaning "this
    >entity supports the use of its network for abusive purposes and will take no
    >action on any abuse report".
    >
    >That would save time for everyone involved, and would allow to easily block
    >those networks from accesing ours!
    
    These are pretty much my sentiments exactly.
    
    The only questions remaining are:
    
       1)   Should there just be a simple yes/no one-bit flag published for
            each resource holder, or would a scale and a range of possible
            "rating" values be more useful?
    
       2)   How shall the "ratings" be computed and by whom?
    
    I have provided my personal opinions on both of these points in my
    prior posting.
    
    
    Regards,
    rfg
    
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Gert Doering

2020-01-14 10:38:28 CET

Hi,

On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:
> 
> "This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."

I would support that.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
User Image

Gert Doering

2020-01-14 10:47:31 CET

Hi,

On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
> On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> > So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:
> > 
> > "This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."
> 
> I would support that.

... but it's actually way too complicated to implement.

A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that 
introduced it in the first place)

 - If you want to handle abuse reports, put something working in.

 - If you do not want to handle abuse reports, don't.

The ARC could be extended with a question "are you aware that you are
signalling 'we do not not care about abuse coming from our network'?"
and if this is what LIRs *want* to signal, the message is clear.

The NCC could still verify (as they do today) that an e-mail address,
*if given*, is not bouncing (or coming back with a human bounce "you have
reached the wrong person, stop sending me mail" if someone puts in the
e-mail address of someone else).

MUCH less effort.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
User Image

Jordi Palet Martinez

2020-01-14 10:50:58 CET

Looks fine to me.

If we really think that the operators should be free from taking abuse reports, then let's make it optional.

As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.

Regards,
Jordi
@jordipalet
 
 

El 14/1/20 10:47, "Gert Doering" <gert _at_ space _dot_ net> escribió:

    Hi,
    
    On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
    > On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
    > > So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:
    > > 
    > > "This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."
    > 
    > I would support that.
    
    ... but it's actually way too complicated to implement.
    
    A much simpler approach would be to make abuse-c: an optional attribute
    (basically, unrolling the "mandatory" part of the policy proposal that 
    introduced it in the first place)
    
     - If you want to handle abuse reports, put something working in.
    
     - If you do not want to handle abuse reports, don't.
    
    The ARC could be extended with a question "are you aware that you are
    signalling 'we do not not care about abuse coming from our network'?"
    and if this is what LIRs *want* to signal, the message is clear.
    
    The NCC could still verify (as they do today) that an e-mail address,
    *if given*, is not bouncing (or coming back with a human bounce "you have
    reached the wrong person, stop sending me mail" if someone puts in the
    e-mail address of someone else).
    
    MUCH less effort.
    
    Gert Doering
            -- NetMaster
    -- 
    have you enabled IPv6 on something today...?
    
    SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
    Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
    D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
    Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Fi Shing

2020-01-14 11:10:53 CET

Well the operators are already free to decide if and when they respond to abuse reports.
 
But this farcical system should not be legitimised by weak imbeciles such as those on this list.
 
 
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "JORDI PALET MARTINEZ via anti-abuse-wg" <anti-abuse-wg _at_ ripe _dot_ net>
Date: 1/14/20 8:50 pm
To: "anti-abuse-wg" <anti-abuse-wg _at_ ripe _dot_ net>

Looks fine to me.
 
 If we really think that the operators should be free from taking abuse reports, then let's make it optional.
 
 As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.
 
 Regards,
 Jordi
 @jordipalet
 
 
 
 El 14/1/20 10:47, "Gert Doering" <gert _at_ space _dot_ net> escribió:
 
 Hi,
 
 On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
 > On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
 > > So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:
 > > 
 > > "This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."
 > 
 > I would support that.
 
 ... but it's actually way too complicated to implement.
 
 A much simpler approach would be to make abuse-c: an optional attribute
 (basically, unrolling the "mandatory" part of the policy proposal that 
 introduced it in the first place)
 
 - If you want to handle abuse reports, put something working in.
 
 - If you do not want to handle abuse reports, don't.
 
 The ARC could be extended with a question "are you aware that you are
 signalling 'we do not not care about abuse coming from our network'?"
 and if this is what LIRs *want* to signal, the message is clear.
 
 The NCC could still verify (as they do today) that an e-mail address,
 *if given*, is not bouncing (or coming back with a human bounce "you have
 reached the wrong person, stop sending me mail" if someone puts in the
 e-mail address of someone else).
 
 MUCH less effort.
 
 Gert Doering
 -- NetMaster
 -- 
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
 
 
 
 
 **********************************************
 IPv4 is over
 Are you ready for the new Internet ?
 http://www.theipv6company.com
 The IPv6 Company
 
 This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
User Image

Gert Doering

2020-01-14 11:19:21 CET

Hi,

On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> Looks fine to me.
> 
> If we really think that the operators should be free from taking abuse reports, then let's make it optional.
> 
> As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.

I do think that an operator should handle abuse reports (and we do), 
but *this* is not a suitable vehicle to *make him*.

And if it's not going to have the desired effect, do not waste time on it.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
User Image

Gert Doering

2020-01-14 11:21:18 CET

Hi,

On Tue, Jan 14, 2020 at 03:10:53AM -0700, Fi Shing wrote:
> weak imbeciles such as those on this list.

Wow.  That's a new one on my list of things I've been called.

So thankful.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

Nick Hilliard

2020-01-14 11:58:59 CET

Gert Doering wrote on 14/01/2020 10:19:
> And if it's not going to have the desired effect, do not waste time on it.

More to the point, the RIPE number registry should not be used as a 
stick for threatening to beat people up if they don't comply with our 
current favourite ideas about how to manage social policy on the internet.

It is a registry, not a police truncheon.

Nick

User Image

Carlos Friacas

2020-01-14 12:28:29 CET


On Tue, 14 Jan 2020, Nick Hilliard wrote:

> Gert Doering wrote on 14/01/2020 10:19:
>> And if it's not going to have the desired effect, do not waste time on it.
>
> More to the point, the RIPE number registry should not be used as a stick for 
> threatening to beat people up if they don't comply with our current favourite 
> ideas about how to manage social policy on the internet.
>
> It is a registry, not a police truncheon.

Hello,

(Going perhaps a bit off-topic...)

If people are not able to follow the rules of the registry, maybe they 
shouldn't be allowed inside the system... :-)

[Fact 1]
If someone provides falsified documents to the registry, that someone goes 
off the wagon.

[Fact 2]
If someone doesn't pay the registry in due time (after several warnings), 
that someone goes off the wagon.




I would also feel comfortable if someone who indicates a 3rd party e-mail 
address as the abuse-mailbox for their _OWN_ address space, goes off the 
wagon (after some warnings, of course...).
BTW, some years ago our physical address was added in whois to someone 
else's address space in a different RIR and that was _NOT_ a nice 
experience...


Regards,
Carlos


> Nick
>

Ronald F. Guilmette

2020-01-14 13:10:07 CET

In message <30174D32-225F-467E-937A-5BC42650F955 _at_ consulintel _dot_ es>, 
JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net> wrote:

>I think if we try to agree on those ratings, we will never reach consensus

Right, and that was a part of my point about eBay-like feedback ratings
for resource holders, i.e. "Let's not even try."

Instead, let the people decide.  Let anyone register a feedback point,
positive or negative, against any resource holder, with the proviso
that if they are registering a negative feedback point, they should assert
exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
undeliverable", "no response for eight days" etc.) and if possible,
provide some context also, e.g. a copy of the spam, a copy of some
logs showing hack attempts, etc.

>So it is not just easier to ask the abuse-c mailboxes that don't want to
>process to setup an autoresponder with an specific (standard) text about
that, for example:...

In the "eBay feedback" model I am proposing there is no need for *RIPE NCC*
to ask anybody about anything.  People will register negative points
against any resource holder with an undeliverable abuse address.  (I know
I will!)

I'm sorry Jordi, if this idea sounds like it is undermining everything
you have been trying to do, which is all very very admirable.  But I have
only just realized what you said above, i.e. if we really start to try
to design a system where RIPE NCC will do 100% of the work of "reviewing"
all one zillion RIPE resource holders, the size of the task will almost
be the least of the worries.   The first order problem, as you already
know since you have been doing yeoman's work on this for awhile now, is
just getting people in the various RIRs to agree on the numerous fine
details.  (Hell! You can't even get *me* to agree that a 15 day turn-
around is in any sense "reasonable", and apparently I'm not alone in
that regard.)

So, my solution is just don't.  Let the whole planet vote on whether
they think this provider or that provider are ***heads, and let the
chips fall where they may.

I'm not saying that even this idea would neessarily be piece-of-cake easy.
The first problem would be working out a way to prevent the system from
being gamed by bad actors for malicious purposes, or for positive "PR"
purposes.  (Don't get me started about the fake positive review over on
TripAdvisor.)  But I am not persuaded that these are in any sense
insoluable problems.


Regards,
rfg

User Image

Leo Vegoda

2020-01-14 16:57:32 CET

On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:

[...]

> A much simpler approach would be to make abuse-c: an optional attribute
> (basically, unrolling the "mandatory" part of the policy proposal that
> introduced it in the first place)

This seems like a simple approach for letting network operators
indicate whether or not they will act on abuse reports. If there's no
way of reporting abuse then the operators clearly has no processes for
evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

Hans-Martin Mosner

2020-01-14 22:53:59 CET

Am 14.01.20 um 13:10 schrieb Ronald F. Guilmette:
> [...]
> So, my solution is just don't.  Let the whole planet vote on whether
> they think this provider or that provider are ***heads, and let the
> chips fall where they may.
>
> I'm not saying that even this idea would neessarily be piece-of-cake easy.
> The first problem would be working out a way to prevent the system from
> being gamed by bad actors for malicious purposes, or for positive "PR"
> purposes.  (Don't get me started about the fake positive review over on
> TripAdvisor.)  But I am not persuaded that these are in any sense
> insoluable problems.
>
>
> Regards,
> rfg
>
While this would probably paint a pretty solid picture of which network operators can be trusted and which can't,
there's another point besides your valid concern about abusers gaming the system: Whoever publishes the results of such
user ratings would most likely expose themselves to litigious lawsuits, which neither you nor me nor RIPE NCC really
wants to do.

Remember that some DSNBLs had a hard time due to this, some preferred to stay anonymous for that very reason. An
"abuser-friendliness" rating system targeting network operators who may be "RIPE NCC members in good standing" would
probably not live long, even if it published just clear facts ("this network operator does not want to receive and
handle abuse reports") because these facts might be used to block access from these networks and hurt their business.

I've been running mail systems since when "postmaster _at_ domain _dot_ tld" was still the first point of contact you would go to
when something bad emanated from a mailserver. Then spammers operated their own domains, and you would need to address
abuse@ for the IP range. Then network operators decided to look the other way when their well-paying customers spammed,
and reporting to abuse mailbox addresses became hopeless. I just don't do that anymore. IP-level blocking of whole
network address ranges works for me. If network operators don't want to get blocked, they need to clean up their act,
with or without abuse mailbox.

Cheers,
Hans-Martin



Ronald F. Guilmette

2020-01-15 02:52:25 CET

In message <be337bb7-211e-c377-8e97-8e16696eb3d7 _at_ heeg _dot_ de>, 
Hans-Martin Mosner <hmm _at_ heeg _dot_ de> wrote:

>While this would probably paint a pretty solid picture of which network o=
>perators can be trusted and which can't,
>there's another point besides your valid concern about abusers gaming the=
> system: Whoever publishes the results of such
>user ratings would most likely expose themselves to litigious lawsuits, w=
>hich neither you nor me nor RIPE NCC really
>wants to do.

That comment, and that concern, certainly does not seem to apply in any
country in which either eBay or TripAdvisor operate.

Do you folks on your side of the pond not receive eBay?  Are you not able to
view Tripadvisor.Com?

Here in this country (U.S.) there are actually -three- separate and clearly
discrenable legal protections that would cover and that do cover circumstances
like this.  In no particular order, they are:

     (*)  The First Amendment.
 
     (*)  47 USC 230(c)(1)

     (*)  47 USC 230(c)(2)(B)

Ref:
https://www.law.cornell.edu/uscode/text/47/230

The middle one is actually the first-order go-to provision for situations
like this, and provides for quick dismissal for any silly cases brought
against *me* for something that *you* have said on some discussion or
review web site that I just happen to provide electricity, connectivity,
and CPU cycles for.

One would hope that european law might have some counterpart for that,
but I confess that I really have no idea about that, one way or the other.

So, um, is the european continent utterly devoid of any and all web sites
where reviews can or do appear?  Does europe have its own GDPR mandated
Great Firewall to keep the evil likes of eBay and TripAdvisor out?

Or were you, Hans-Martin, just saying that in europe, free speech is reserved
only for those who can afford it, and who conveniently have hoards of corporate
lawyers covering their backsides?

Asking seriously, because I don't know the answer.  I'm just puzzled by this
whole thing, and this concern about lawsuits.


Regards,
rfg

User Image

Carlos Friacas

2020-01-15 08:23:38 CET

Hi,

I obviously don't speak for the incident handling community, but i think 
this (making it optional) would be a serious step back. The current 
situation is already very bad when in some cases we know from the start 
that we are sending (automated) messages/notices to blackholes.

To an extreme, there should always be a known contact responsible for 
any network infrastructure. If this is not the case, what's the purpose 
of a registry then?

Regards,
Carlos



On Tue, 14 Jan 2020, Leo Vegoda wrote:

> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:
>
> [...]
>
>> A much simpler approach would be to make abuse-c: an optional attribute
>> (basically, unrolling the "mandatory" part of the policy proposal that
>> introduced it in the first place)
>
> This seems like a simple approach for letting network operators
> indicate whether or not they will act on abuse reports. If there's no
> way of reporting abuse then the operators clearly has no processes for
> evaluating reports, or acting on them. This helps everyone save time.
>
> Regards,
>
> Leo Vegoda
>

User Image

Gert Doering

2020-01-15 09:06:15 CET

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:
> I obviously don't speak for the incident handling community, but i think 
> this (making it optional) would be a serious step back. The current 
> situation is already very bad when in some cases we know from the start 
> that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as
opposed to "not send mail because you know beforehand that the other
network is not interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any
way, but at the same time increases costs and workload for those that
do the right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the purpose 
> of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

Serge Droz

2020-01-15 09:14:59 CET

Hi All

So maybe a word from an "Incident Responder".

I do feel very much, that we should have an abuse conntact, and it
should be tested to wok, in the sense that some one reads the mail sent
there.

Here are my reasons:

- Having such a mailbox may increase the pressure for orgs to actually
do something. My experience from previous job showed, that keep sending
abuse reports, despite complaints about "spam" eventually convinced a
lot of orgs to act. Essentially you take away the excuste "Oh, but we
didn't know"

- Even for orgs that don't react having such a conntact helps, because
it allows us to build up a history of ignored requests, which cann then
be used to reminde these orgs that they actually are part of the
problem. It is a sad fact, that a threat to your reputation, even if
it's only in colsed community, seems to sometimes help convincing said
org to reract. Finally if, at some state more drastic action would be
necessary (Think Russian Bussines Network at the time), you can build a
case.

- Lastly: It makes our life as Incident responders easier to have a
uniform way of sending reports, even if not all of them are followed up.

I kind of don't buy into "There is no point on placing a burden on orgs
that choose not to act".

Best
Serge

On 15/01/2020 08:23, Carlos Friaças via anti-abuse-wg wrote:
> 
> Hi,
> 
> I obviously don't speak for the incident handling community, but i think
> this (making it optional) would be a serious step back. The current
> situation is already very bad when in some cases we know from the start
> that we are sending (automated) messages/notices to blackholes.
> 
> To an extreme, there should always be a known contact responsible for
> any network infrastructure. If this is not the case, what's the purpose
> of a registry then?
> 
> Regards,
> Carlos
> 
> 
> 
> On Tue, 14 Jan 2020, Leo Vegoda wrote:
> 
>> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:
>>
>> [...]
>>
>>> A much simpler approach would be to make abuse-c: an optional attribute
>>> (basically, unrolling the "mandatory" part of the policy proposal that
>>> introduced it in the first place)
>>
>> This seems like a simple approach for letting network operators
>> indicate whether or not they will act on abuse reports. If there's no
>> way of reporting abuse then the operators clearly has no processes for
>> evaluating reports, or acting on them. This helps everyone save time.
>>
>> Regards,
>>
>> Leo Vegoda
>>
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.droz _at_ first _dot_ org | https://www.first.org

User Image

Gert Doering

2020-01-15 09:18:51 CET

Hi,

On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:
> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

This is not what I said.  My stance on this is: placing extra burdens on
orgs *that do the right thing today* (with extra verification hoops)
should be balanced against "will it change the situation wrt orgs that
do not care".

And I think the balance is negative - extra work for the good guys, and
no relevant incentive for the bad guys to actually *act on* their abuse
reports.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

Serge Droz

2020-01-15 09:24:21 CET

Hi Gert

Sorry I misunderstood you then. But honestly, this does not really place
a burden on you.

RIPE can automate this, and you simply reply to a message. We do this,
e.g. in TF-CSIRT twice a year, and it does help, event the good guys,
that realize they have an issue and did not receive their mail.

In fact, it's become a bit of a competition to be the first to reply to
the challenge.

So the extra work is what, 10 minutes / year, if the system is setup
properly?

So I think the balance is hugely positive.

Just my two cents.

Serge


On 15/01/2020 09:18, Gert Doering wrote:
> Hi,
> 
> On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:
>> I kind of don't buy into "There is no point on placing a burden on orgs
>> that choose not to act".
> 
> This is not what I said.  My stance on this is: placing extra burdens on
> orgs *that do the right thing today* (with extra verification hoops)
> should be balanced against "will it change the situation wrt orgs that
> do not care".
> 
> And I think the balance is negative - extra work for the good guys, and
> no relevant incentive for the bad guys to actually *act on* their abuse
> reports.
> 
> Gert Doering
>         -- NetMaster
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.droz _at_ first _dot_ org | https://www.first.org

User Image

Gert Doering

2020-01-15 09:59:04 CET

Hi,

On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote:
> Sorry I misunderstood you then. But honestly, this does not really place
> a burden on you.

It does.  Even if it's just 5 minutes per Mail - I need to train abuse 
handlers what to do with this sort of message, etc.

> So I think the balance is hugely positive.

Nobody has been able to demonstrate why it would have a positive effect
at all.  So how can the balance be "hugely positive"?

E-Mail addresses *are* validated today.  Just not in an as labour-intensive
way on the receipient like the proposers want to install.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
User Image

Sergio Rocha

2020-01-15 10:16:58 CET

Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 

-----Original Message-----
From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279



User Image

Carlos Friacas

2020-01-15 10:30:00 CET


On Wed, 15 Jan 2020, Gert Doering wrote:

> Hi,

Hi,
(please see inline)


> On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:
>> I obviously don't speak for the incident handling community, but i think
>> this (making it optional) would be a serious step back. The current
>> situation is already very bad when in some cases we know from the start
>> that we are sending (automated) messages/notices to blackholes.
>
> So why is it preferrable to send mails which are not acted on, as
> opposed to "not send mail because you know beforehand that the other
> network is not interested"?

I think Serge already took care of that answer/issue :-)

And in our case we do count the # of bounces we get resulting from the 
abuse complaints we send out.


> I can see that it is frustrating - but I still cannot support a policy
> change which will not help dealing with irresponsible networks in any
> way, but at the same time increases costs and workload for those that
> do the right thing alrady.

I guess you are not convinced with the 10 min/year argument then :-(


>> To an extreme, there should always be a known contact responsible for
>> any network infrastructure. If this is not the case, what's the purpose
>> of a registry then?
>
> "a known contact" and "an *abuse-handling* contact" is not the same thing.

I don't really like the case where "a known contact" is used as a last 
resort contact because there is an abuse issue. Hence, the value i see on 
a mandatory definition of an abuse contact -- while any network can still 
decide to use the same contact for both (or more) purposes.


Cheers,
Carlos



> Gert Doering
>        -- NetMaster
> -- 
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>
User Image

Carlos Friacas

2020-01-15 10:33:55 CET

Hi Sergio, All,

It seems you are proposing a new reputation system, to be managed by the 
RIPE NCC.

If this is the case, you can always try to draft a new policy proposal :-)

Cheers,
Carlos



On Wed, 15 Jan 2020, Sérgio Rocha wrote:

> Hi,
>
> Maybe we can change the approach.
> If RIPE website had a platform to post abuse report, that send the email for
> the abuse contact, it will be possible to evaluate the responsiveness of the
> abuse contact.
>
> This way anyone that report an abuse could assess not only the response but
> also the effectiveness of the actions taken by the network owner. After some
> time with this evaluations we would easy to realize who manages the reports
> and even who does not respond at all.
>
> Sérgio
>
> -----Original Message-----
> From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
> Gert Doering
> Sent: 15 de janeiro de 2020 08:06
> To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
> Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
> of "abuse-mailbox")
>
> Hi,
>
> On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
> wrote:
>> I obviously don't speak for the incident handling community, but i
>> think this (making it optional) would be a serious step back. The
>> current situation is already very bad when in some cases we know from
>> the start that we are sending (automated) messages/notices to blackholes.
>
> So why is it preferrable to send mails which are not acted on, as opposed to
> "not send mail because you know beforehand that the other network is not
> interested"?
>
> I can see that it is frustrating - but I still cannot support a policy
> change which will not help dealing with irresponsible networks in any way,
> but at the same time increases costs and workload for those that do the
> right thing alrady.
>
>
>> To an extreme, there should always be a known contact responsible for
>> any network infrastructure. If this is not the case, what's the
>> purpose of a registry then?
>
> "a known contact" and "an *abuse-handling* contact" is not the same thing.
>
> Gert Doering
>        -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
> Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>
>
>

Ronald F. Guilmette

2020-01-15 12:37:03 CET

In message <20200115080615.GQ72330 _at_ Space _dot_ Net>, 
Gert Doering <gert _at_ space _dot_ net> wrote:

>So why is it preferrable to send mails which are not acted on, as
>opposed to "not send mail because you know beforehand that the other
>network is not interested"?

Not sure that I understand fully the context of the question here, 
but in relation to what I suggested, which would be an "eBay-like"
public review collection & publication service, it would be, and is,
always helpful to know which networks just don't give a damn about
being responsible in responding to abuse arising from their networks.
Because there are these things called blacklists.

>I can see that it is frustrating - but I still cannot support a policy
>change which will not help dealing with irresponsible networks in any
>way, but at the same time increases costs and workload for those that
>do the right thing alrady.

As I have said, "You can lead a horse to water, but you can't make him
drink."

No matter how much any of us here might wish it, we should at
long last resign ourselves to the unambigous and ever-present reality
that no significant portion of the RIPE connunity is ever going to be
persuaded to do -anything- in the way of forcing, or even just strongly
encouraging good behavior and/or social responsibility on the part of
independent individual network operators.  It just isn't going to happen,
ever.  We should thus move on and should take heed of ancient wisdom of
1 Corinthians 13:11:

    When I was a child, I spake as a child, I understood as a child,
    I thought as a child: but when I became a man, I put away childish
    things.

It is a childish thing to still hope or believe that any part of RIPE
or its community will ever take any meaningful action to *directly*
influence the behavior of networks that simply wish to minimize their
costs and maximize their revenue through a corporate strategy of ignoring
all acts of customer network abuse.

This is why I have suggested that, at the very least, RIPE NCC could set
up and maintain just a basic review "platform" where the public at large
can at least make it known to all observers which networks are the assholes
and which ones aren't.

>> To an extreme, there should always be a known contact responsible for
>> any network infrastructure.

Yes, but the operative word there is "should".  Who will *mandate* and
*enforce* this rule?  Not RIPE NCC and not the RIPE community.  I and
others have been on this list for years and years and the result is
as recurrent as it is entirely predictable by now.  There are those,
here and elsewhere, who religiously cling to their God-given "right"
to refuse, stubbornly, adamantly, and absolutely, to be told what to
do or how to responsibly run their networks by any other party, including
even the RIPE community.  (Hell!  Some of them are apparently not even
entirely convinced that they have any clear obligations to stay within
the bounds proscribed by criminal law!)

Thus, in short, it is well past time to move on and to put away childish
things, specifically the eternal and ever-unfulfilled forlorn hope that
either RIPE or it's community will someday, at long last, come to its
senses and start demanding even some minimal level of responsibility
and/or accountability from its members.

The only small thing that RIPE -might- actually be able to do to improve
the present situation... without all of the usual vetos from all of the
usual quarters... would be for it to set up a public review platform so
that members of the public at large could at least document, in full
public view, which networks are the shitheads and which are the good guys.
That way RIPE is not expressing *any* viewpoint itself... not about any
network and not even about what does or does not constitute "abuse" or
"responsible network behavior"... and thus just this one small thing
might actually be achievable, where all of the years of ranting and raving,
of tearing of hair and gnashing of teeth about the wanton abuse of the
Internet by networks within the RIPE community has achieved -zero-, zip,
nada, nothing of any substance in the way of prudently setting even just
a minimum floor on behavior, let alone actually enforcing that minimal
floor.

Time to put away childish things and childish hopes that RIPE will be
someday persuaded to be a part of the solution.  For the moment it
remains, as it has remained for quite some years now, a part of the
problem.  RIPE will never itself enforce -any- code of network behavior.
Period.   Full stop.  There are too many people making too much money
based on the present utter absence of any behaviorly rules, much less
enforcement, to allow that to change any time soon.

Get over it and move on.


Regards,
rfg

Ronald F. Guilmette

2020-01-15 13:02:56 CET

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, 
"=?iso-8859-1?Q?S=E9rgio_Rocha?=" <sergio.rocha _at_ makeitsimple _dot_ pt> wrote:

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.
>
>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

This is essentially similar to what I had proposed.  As such please put
me down as a:

+1


Nick Hilliard

2020-01-15 13:13:41 CET

Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24:
> So the extra work is what, 10 minutes / year, if the system is setup
> properly?

Serge,

The policy proposal here is: if the registry doesn't comply, then it is 
in explicit violation of RIPE policies.

According to the "Closure of Members, Deregistration of Internet 
Resources and Legacy Internet Resources" document (currently RIPE 
716), if you don't comply with RIPE policies or RIPE NCC procedures, 
then the RIPE NCC is obliged to follow up with the resource holder and 
if they continue not to comply, then the number resources will be withdrawn.

The purpose behind RIPE-716 is to ensure accurate registration of number 
resources, which the core function of the RIPE registry.

Jordi has confirmed that the intention behind 2019-04 is to force 
resource holders to comply with the abuse handling procedures defined in 
his policy, and that if they don't comply for whatever reason, that 
their number resources are withdrawn under the terms of RIPE-716.

To be clear, deregistration of resources would make it difficult or 
impossible for almost any holder of addresses to continue their business.

So what's being proposed here is that RIPE-716 - whose purpose was to 
ensure integrity and accuracy of the the RIPE registry - should now be 
repurposed as a mechanism to enforce social behaviour practices on the 
Internet.

There are some pretty serious and fundamental problems with this.

Many of these problems were discussed in the context of RIPE policy 
2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of 
them were formally addressed in the RIPE NCC review of that policy.

Nick

User Image

Jordi Palet Martinez

2020-01-15 13:38:20 CET

Hi Nick,

Not really, I think you're reading a different text ... I'm not intending to ask RIPE to verify if the operators resolve the abuse cases.

The point here is to amend the existing policy to do a *good* validation of the abuse mailbox.

The actual policy only makes a "technical" validation, so it checks that the mailbox exists and is the right one and allows sending abuse reports, and that's it.

If the mailbox is full, if it is never read, if it belongs to a /dev/null or not the right person or team, even if it if you have my email in your abuse-c, all that, passes the validation.

Regards,
Jordi
@jordipalet
 
 

El 15/1/20 13:14, "anti-abuse-wg en nombre de Nick Hilliard" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de nick _at_ foobar _dot_ org> escribió:

    Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24:
    > So the extra work is what, 10 minutes / year, if the system is setup
    > properly?
    
    Serge,
    
    The policy proposal here is: if the registry doesn't comply, then it is 
    in explicit violation of RIPE policies.
    
    According to the "Closure of Members, Deregistration of Internet 
    Resources and Legacy Internet Resources" document (currently RIPE 
    716), if you don't comply with RIPE policies or RIPE NCC procedures, 
    then the RIPE NCC is obliged to follow up with the resource holder and 
    if they continue not to comply, then the number resources will be withdrawn.
    
    The purpose behind RIPE-716 is to ensure accurate registration of number 
    resources, which the core function of the RIPE registry.
    
    Jordi has confirmed that the intention behind 2019-04 is to force 
    resource holders to comply with the abuse handling procedures defined in 
    his policy, and that if they don't comply for whatever reason, that 
    their number resources are withdrawn under the terms of RIPE-716.
    
    To be clear, deregistration of resources would make it difficult or 
    impossible for almost any holder of addresses to continue their business.
    
    So what's being proposed here is that RIPE-716 - whose purpose was to 
    ensure integrity and accuracy of the the RIPE registry - should now be 
    repurposed as a mechanism to enforce social behaviour practices on the 
    Internet.
    
    There are some pretty serious and fundamental problems with this.
    
    Many of these problems were discussed in the context of RIPE policy 
    2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of 
    them were formally addressed in the RIPE NCC review of that policy.
    
    Nick
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Nick Hilliard

2020-01-15 13:48:41 CET

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 15/01/2020 12:38:
> and allows sending abuse reports

You're demanding that resource holders handle abuse reports by email and 
how to handle that mailbox, i.e. telling them how to run their businesses.

It's not appropriate for the RIPE NCC to get involved with this sort of 
thing.

Nick

User Image

Brian Nisbet

2020-01-15 14:04:23 CET

Folks, 

While not attempting to discuss the merits or otherwise of a reputation system (other than the fact I've seen many of them proposed and we still have lots of problems), I would say one thing on your comments below, Ronald.

The RIPE NCC service region is not just the EU, it isn't just the continent of Europe. It includes many other countries such as Russia and the entirety of the Middle East. With 70+ countries involved it is a lot harder to do something that is acceptable everywhere, even while the NCC itself is governed under Dutch law.

Just a useful reminder.

Brian

Brian Nisbet 
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet _at_ heanet _dot_ ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -----Original Message-----
> From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> On Behalf Of
> Ronald F. Guilmette
> Sent: Wednesday 15 January 2020 01:52
> To: anti-abuse-wg _at_ ripe _dot_ net
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of
> "abuse-mailbox")
> 
> In message <be337bb7-211e-c377-8e97-8e16696eb3d7 _at_ heeg _dot_ de>,
> Hans-Martin Mosner <hmm _at_ heeg _dot_ de> wrote:
> 
> >While this would probably paint a pretty solid picture of which network
> >o= perators can be trusted and which can't, there's another point
> >besides your valid concern about abusers gaming the=
> > system: Whoever publishes the results of such user ratings would most
> >likely expose themselves to litigious lawsuits, w= hich neither you nor
> >me nor RIPE NCC really wants to do.
> 
> That comment, and that concern, certainly does not seem to apply in any
> country in which either eBay or TripAdvisor operate.
> 
> Do you folks on your side of the pond not receive eBay?  Are you not able to
> view Tripadvisor.Com?
> 
> Here in this country (U.S.) there are actually -three- separate and clearly
> discrenable legal protections that would cover and that do cover
> circumstances like this.  In no particular order, they are:
> 
>      (*)  The First Amendment.
> 
>      (*)  47 USC 230(c)(1)
> 
>      (*)  47 USC 230(c)(2)(B)
> 
> Ref:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .law.cornell.edu%2Fuscode%2Ftext%2F47%2F230&data=02%7C01%7Cb
> rian.nisbet%40heanet.ie%7C4346c5c89cb4424339be08d7995da2a1%7Ccd9e82
> 69dfb648e082538b7baf8d3391%7C0%7C0%7C637146499755991832&sdat
> a=JcDbohTPkHP6aa4TkUU%2BL%2FswCYndB5tol4HPXak2M9Y%3D&res
> erved=0
> 
> The middle one is actually the first-order go-to provision for situations like
> this, and provides for quick dismissal for any silly cases brought against *me*
> for something that *you* have said on some discussion or review web site
> that I just happen to provide electricity, connectivity, and CPU cycles for.
> 
> One would hope that european law might have some counterpart for that,
> but I confess that I really have no idea about that, one way or the other.
> 
> So, um, is the european continent utterly devoid of any and all web sites
> where reviews can or do appear?  Does europe have its own GDPR
> mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out?
> 
> Or were you, Hans-Martin, just saying that in europe, free speech is reserved
> only for those who can afford it, and who conveniently have hoards of
> corporate lawyers covering their backsides?
> 
> Asking seriously, because I don't know the answer.  I'm just puzzled by this
> whole thing, and this concern about lawsuits.
> 
> 
> Regards,
> rfg


User Image

Richard Clayton

2020-01-15 15:58:49 CET

In message <44130.1579053145 _at_ segfault.tristatelogic _dot_ com>, Ronald F.
Guilmette <rfg _at_ tristatelogic _dot_ com> writes

>That comment, and that concern, certainly does not seem to apply in any
>country in which either eBay or TripAdvisor operate.
>
>Do you folks on your side of the pond not receive eBay?  Are you not able to
>view Tripadvisor.Com?
>
>Here in this country (U.S.) there are actually -three- separate and clearly
>discrenable legal protections that would cover and that do cover circumstances
>like this.  In no particular order, they are:
>
>     (*)  The First Amendment.

that constrains the US Government as to what laws they pass ... it does
not constrain corporate policy (so a bit of a red herring)

of course there are constitutions in many countries in the RIPE region,
but none (AFAIK) are quite as sweeping in this area

>     (*)  47 USC 230(c)(1)
>
>     (*)  47 USC 230(c)(2)(B)

these (which are the most interesting parts of the Communications
Decency Act that did not get invalidated by the application of the First
Amendment which swept away much of it) provide a safe harbour for the
people operating platforms regarding what the users of those platforms
say ... so yes this is very much on point

within the EU (and the RIPE region is far bigger than that) there is NOT
an equivalent regime -- there is a safe harbour (under the ECommerce
Directive) for hosting companies but ONLY up to the point at which they
have "actual knowledge" that material is problematic (eg that it is
defamatory) after that they are on the hook if they fail to act
appropriately

companies such as EBay and TripAdvisor are well aware of this and
operate their platforms accordingly -- so this means that problematic
material will not be visible within the EU (and doubtless in other RIPE
region countries) ... whether they remove it entirely (so that US
residents miss out) I could not say, you'd need to ask each company
individually as to how they configure their systems

note that companies that operate solely in the USA can take some solace
from the USA SPEECH Act (which addresses the issue of enforcing
"foreign" libel judgments in the USA) but of course eBay etc operate in
Europe as well --- and of course RIPE NCC is based in The Netherlands

viz: failure to remove libels would be costly

>The middle one is actually the first-order go-to provision for situations
>like this, and provides for quick dismissal for any silly cases brought
>against *me* for something that *you* have said on some discussion or
>review web site that I just happen to provide electricity, connectivity,
>and CPU cycles for.

since I understand you to be in the USA, you're correct

>One would hope that european law might have some counterpart for that,
>but I confess that I really have no idea about that, one way or the other.

basically not -- at least once there is "actual knowledge"

please note IANAL, but I do follow these issues so the above is mainly
correct :)

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
User Image

Richard Clayton

2020-01-15 16:00:27 CET

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, =?iso-
8859-1?Q?S=E9rgio_Rocha?= <sergio.rocha _at_ makeitsimple _dot_ pt> writes

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish
to interact with network owners without disclosing that in public ...

... sometimes because they do not wish their names to be known,
sometimes because they do not wish their techniques for (and speed at)
detecting abuse to become known.

So making it compulsory would be completely counterproductive.

Making use of such a website voluntary would also be unwise because the
people who do not wish their reports to be public are probably in the
majority (I speculate) so that reputation system would fail to include
the majority of reports that are made (and I again speculate) the
overwhelming majority of reports that are acted upon.

Producing non-biased reputation systems is very hard ...

>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many
different types of abuse and many different types of reporter into a
single system.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Suresh Ramasubramanian

2020-01-15 17:11:13 CET

Applause.


--srs

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of Richard Clayton <richard _at_ highwayman _dot_ com>
Sent: Wednesday, January 15, 2020 8:32 PM
To: anti-abuse-wg _at_ ripe _dot_ net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, =?iso-
8859-1?Q?S=E9rgio_Rocha?= <sergio.rocha _at_ makeitsimple _dot_ pt> writes

>Maybe we can change the approach.
>If RIPE website had a platform to post abuse report, that send the email for
>the abuse contact, it will be possible to evaluate the responsiveness of the
>abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish
to interact with network owners without disclosing that in public ...

... sometimes because they do not wish their names to be known,
sometimes because they do not wish their techniques for (and speed at)
detecting abuse to become known.

So making it compulsory would be completely counterproductive.

Making use of such a website voluntary would also be unwise because the
people who do not wish their reports to be public are probably in the
majority (I speculate) so that reputation system would fail to include
the majority of reports that are made (and I again speculate) the
overwhelming majority of reports that are acted upon.

Producing non-biased reputation systems is very hard ...

>This way anyone that report an abuse could assess not only the response but
>also the effectiveness of the actions taken by the network owner. After some
>time with this evaluations we would easy to realize who manages the reports
>and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many
different types of abuse and many different types of reporter into a
single system.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Suresh Ramasubramanian

2020-01-15 17:16:21 CET

Is Dutch law really the inhibitor here?  Or the possibilities that Richard outlined?
I seem to recall previous opta nl proposals that took a sensible view of network abuse, some years back


--srs

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of Brian Nisbet <brian.nisbet _at_ heanet _dot_ ie>
Sent: Wednesday, January 15, 2020 6:35 PM
To: Ronald F. Guilmette; anti-abuse-wg _at_ ripe _dot_ net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

Folks,

While not attempting to discuss the merits or otherwise of a reputation system (other than the fact I've seen many of them proposed and we still have lots of problems), I would say one thing on your comments below, Ronald.

The RIPE NCC service region is not just the EU, it isn't just the continent of Europe. It includes many other countries such as Russia and the entirety of the Middle East. With 70+ countries involved it is a lot harder to do something that is acceptable everywhere, even while the NCC itself is governed under Dutch law.

Just a useful reminder.

Brian

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet _at_ heanet _dot_ ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -----Original Message-----
> From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> On Behalf Of
> Ronald F. Guilmette
> Sent: Wednesday 15 January 2020 01:52
> To: anti-abuse-wg _at_ ripe _dot_ net
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of
> "abuse-mailbox")
>
> In message <be337bb7-211e-c377-8e97-8e16696eb3d7 _at_ heeg _dot_ de>,
> Hans-Martin Mosner <hmm _at_ heeg _dot_ de> wrote:
>
> >While this would probably paint a pretty solid picture of which network
> >o= perators can be trusted and which can't, there's another point
> >besides your valid concern about abusers gaming the=
> > system: Whoever publishes the results of such user ratings would most
> >likely expose themselves to litigious lawsuits, w= hich neither you nor
> >me nor RIPE NCC really wants to do.
>
> That comment, and that concern, certainly does not seem to apply in any
> country in which either eBay or TripAdvisor operate.
>
> Do you folks on your side of the pond not receive eBay? Are you not able to
> view Tripadvisor.Com?
>
> Here in this country (U.S.) there are actually -three- separate and clearly
> discrenable legal protections that would cover and that do cover
> circumstances like this. In no particular order, they are:
>
> (*) The First Amendment.
>
> (*) 47 USC 230(c)(1)
>
> (*) 47 USC 230(c)(2)(B)
>
> Ref:
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .law.cornell.edu%2Fuscode%2Ftext%2F47%2F230&data=02%7C01%7Cb
> rian.nisbet%40heanet.ie%7C4346c5c89cb4424339be08d7995da2a1%7Ccd9e82
> 69dfb648e082538b7baf8d3391%7C0%7C0%7C637146499755991832&sdat
> a=JcDbohTPkHP6aa4TkUU%2BL%2FswCYndB5tol4HPXak2M9Y%3D&res
> erved=0
>
> The middle one is actually the first-order go-to provision for situations like
> this, and provides for quick dismissal for any silly cases brought against *me*
> for something that *you* have said on some discussion or review web site
> that I just happen to provide electricity, connectivity, and CPU cycles for.
>
> One would hope that european law might have some counterpart for that,
> but I confess that I really have no idea about that, one way or the other.
>
> So, um, is the european continent utterly devoid of any and all web sites
> where reviews can or do appear? Does europe have its own GDPR
> mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out?
>
> Or were you, Hans-Martin, just saying that in europe, free speech is reserved
> only for those who can afford it, and who conveniently have hoards of
> corporate lawyers covering their backsides?
>
> Asking seriously, because I don't know the answer. I'm just puzzled by this
> whole thing, and this concern about lawsuits.
>
>
> Regards,
> rfg


User Image

Michele Neylon

2020-01-15 17:54:34 CET

+1000



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/ 
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 15/01/2020, 12:49, "anti-abuse-wg on behalf of Nick Hilliard" <anti-abuse-wg-bounces _at_ ripe _dot_ net on behalf of nick _at_ foobar _dot_ org> wrote:

    JORDI PALET MARTINEZ via anti-abuse-wg wrote on 15/01/2020 12:38:
    > and allows sending abuse reports
    
    You're demanding that resource holders handle abuse reports by email and 
    how to handle that mailbox, i.e. telling them how to run their businesses.
    
    It's not appropriate for the RIPE NCC to get involved with this sort of 
    thing.
    
    Nick
    
    

User Image

Leo Vegoda

2020-01-15 18:09:10 CET

On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg
<anti-abuse-wg _at_ ripe _dot_ net> wrote:

[...]

> - Lastly: It makes our life as Incident responders easier to have a
> uniform way of sending reports, even if not all of them are followed up.

This is an excellent point but e-mail is probably not the right medium
for that. Standardizing protocols for reporting abuse - and therefore
acting on those reports more quickly - would be far more helpful. But
only organizations don't want abuse on their networks will invest in
the people, processes, and systems, whatever the reporting medium.

> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

It's not about the burden on the organizations that don't want to act.
It's about providing a clear signal to the reporting organizations
that there is no point reporting. That should allow reporting
organizations to decide on next steps more quickly.

User Image

Leo Vegoda

2020-01-15 18:45:10 CET

On Wed, Jan 15, 2020 at 9:25 AM Jeffrey Race <jrace _at_ post.harvard _dot_ edu> wrote:
>
> e-mail must be allowed because most victims
> are not organizations but individual net users

E-mail does not scale well. It was great in the 1990s, when the
Internet was smaller and people knew each other. About half the
world's population now has some sort of Internet connectivity.
Expecting organizations to be able to understand reports from such a
diverse group of people is unreasonable.

Lots of organizations won't have specialized abuse handling teams. If
they don't have a specialized abuse handling team then they are
unlikely to have people who understand the reports or processes for
acting on them. Forcing these organizations to pretend that they will
read and understand and then act on a report will never make it so.

So let's stop pretending and put energy into something more productive
than asking people to set up an autoresponder for an e-mail address
whose mailbox will never be checked by a human.

User Image

Randy Bush

2020-01-15 19:49:27 CET

> To an extreme, there should always be a known contact responsible for
> any network infrastructure.

there are, admin and tech

randy, not advocating for or against abuse-c

User Image

Randy Bush

2020-01-15 19:55:16 CET

> The policy proposal here is: if the registry doesn't comply, then it
> is in explicit violation of RIPE policies.
> 
> According to the "Closure of Members, Deregistration of Internet
> Resources and Legacy Internet Resources" document (currently RIPE
> 716), if you don't comply with RIPE policies or RIPE NCC procedures,
> then the RIPE NCC is obliged to follow up with the resource holder and
> if they continue not to comply, then the number resources will be
> withdrawn.
> 
> The purpose behind RIPE-716 is to ensure accurate registration of
> number resources, which the core function of the RIPE registry.
> 
> Jordi has confirmed that the intention behind 2019-04 is to force
> resource holders to comply with the abuse handling procedures defined
> in his policy, and that if they don't comply for whatever reason, that
> their number resources are withdrawn under the terms of RIPE-716.
> 
> To be clear, deregistration of resources would make it difficult or
> impossible for almost any holder of addresses to continue their
> business.
> 
> So what's being proposed here is that RIPE-716 - whose purpose was to
> ensure integrity and accuracy of the the RIPE registry - should now be
> repurposed as a mechanism to enforce social behaviour practices on the
> Internet.
> 
> There are some pretty serious and fundamental problems with this.
> 
> Many of these problems were discussed in the context of RIPE policy
> 2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of
> them were formally addressed in the RIPE NCC review of that policy.

exactly

the ncc is supposed to be a registry, not a police force.  enforcing
proper quality registration is turning out to be hard and contentious
enough in these days of ipv4 resource struggles.

randy

User Image

Leo Vegoda

2020-01-15 20:45:10 CET

On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race <jrace _at_ post.harvard _dot_ edu> wrote:

[...]

> Aside from the reciprocity issue, it's a basic engineering rule
> that systems target their goal only when a corrective
> feedback path exists.

That feedback path does not need to be a personally written e-mail.
Instead, it is possible to use signals like the absence of a reliable
reporting mechanism to make decisions about not accepting some or all
traffic from an abusing network.

My main concern with proposal 2019-04 is that it would make everyone
look the same. It then takes time and effort to distinguish the
networks that will actually use abuse reports to fix problems from
those that won't or just don't have the ability to do so.

While I would accept Gert's proposal for making abuse-c an optional
attribute, the reason I offered a counter proposal for publishing "a
statement to the effect that the network operator does not act on
abuse reports" is to add clarity at a high level.

In the first case, it avoids wasting resources lodging reports that
will be ignored. Secondly, it provides reliable statistical
information about the networks whose operators claim to use abuse
reports to clean things up. This would provide a metric that could be
used both by other network operators to guide operational policies and
governments or regulators to set theirs.

Finally, we don't yet know what the RIPE Database Requirements TF will
recommend. But I think that building a new business process on the
existing model for publishing contact information assumes they won't
recommend changes. Let's wait until they report before asking the RIPE
NCC to build new workflows on a model that the community might want to
change.

Kind regards,

Leo Vegoda

User Image

Gert Doering

2020-01-15 20:49:34 CET

Hi,

On Wed, Jan 15, 2020 at 11:45:10AM -0800, Leo Vegoda wrote:
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.

Works for me.

Mine is "absence signals disinterest", while yours is "explicitly stating
disinterest", which is indeed a much clearer signal that can not be
confused with "oh, we never came around to register an abuse-c, so sorry".

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
User Image

Warren Kumari

2020-01-15 21:14:20 CET

On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda <leo _at_ vegoda _dot_ org> wrote:
>
> On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race <jrace _at_ post.harvard _dot_ edu> wrote:
>
> [...]
>
> > Aside from the reciprocity issue, it's a basic engineering rule
> > that systems target their goal only when a corrective
> > feedback path exists.
>
> That feedback path does not need to be a personally written e-mail.
> Instead, it is possible to use signals like the absence of a reliable
> reporting mechanism to make decisions about not accepting some or all
> traffic from an abusing network.
>
> My main concern with proposal 2019-04 is that it would make everyone
> look the same. It then takes time and effort to distinguish the
> networks that will actually use abuse reports to fix problems from
> those that won't or just don't have the ability to do so.
>
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.
>
> In the first case, it avoids wasting resources lodging reports that
> will be ignored. Secondly, it provides reliable statistical
> information about the networks whose operators claim to use abuse
> reports to clean things up. This would provide a metric that could be
> used both by other network operators to guide operational policies and
> governments or regulators to set theirs.

I suspect I'm somewhat confused / have lost the thread somewhere.

I really don't think that any network is likely to advertise that they
are not dealing with abuse -- it gives a bad impression, and the
marketing droids will likely want *something* listed. The same goes
for legal - saying "Meh, don't bother sending us abuse reports, we
ignore them" doesn't seem to have any PR / marketing / legal upside,
and has many downsides...

Pretend that you are a network that (largely) ignores abuse reports --
your current solution of throwing these mails away costs you nothing;
what's the upside to telling everyone that you are doing this?

I suspect that people will continue to have abuse@, hostmaster@,
abuse-c,and any other conventions filled in -- and many will just
continue to shuffle these into self-closing ticket systems / mailboxes
which never get read and / or /dev/null...

W


>
> Finally, we don't yet know what the RIPE Database Requirements TF will
> recommend. But I think that building a new business process on the
> existing model for publishing contact information assumes they won't
> recommend changes. Let's wait until they report before asking the RIPE
> NCC to build new workflows on a model that the community might want to
> change.
>
> Kind regards,
>
> Leo Vegoda
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

User Image

Jordi Palet Martinez

2020-01-15 22:25:13 CET

This is the key point.

We already agreed to have a mandatory abuse-c.

We can change our mind and make it optional.

But one way or the other, should be a *real* one. A validation that can be faked just using (for example) Carlos email, is not a good procedure. It doesn't make sense at all.

We are not saying the RIR will need to verify that an abuse case is investigated or resolved. This is not the point.

El 14/1/20 12:28, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:

    
    
    On Tue, 14 Jan 2020, Nick Hilliard wrote:
    
    > Gert Doering wrote on 14/01/2020 10:19:
    >> And if it's not going to have the desired effect, do not waste time on it.
    >
    > More to the point, the RIPE number registry should not be used as a stick for 
    > threatening to beat people up if they don't comply with our current favourite 
    > ideas about how to manage social policy on the internet.
    >
    > It is a registry, not a police truncheon.
    
    Hello,
    
    (Going perhaps a bit off-topic...)
    
    If people are not able to follow the rules of the registry, maybe they 
    shouldn't be allowed inside the system... :-)
    
    [Fact 1]
    If someone provides falsified documents to the registry, that someone goes 
    off the wagon.
    
    [Fact 2]
    If someone doesn't pay the registry in due time (after several warnings), 
    that someone goes off the wagon.
    
    
    
    
    I would also feel comfortable if someone who indicates a 3rd party e-mail 
    address as the abuse-mailbox for their _OWN_ address space, goes off the 
    wagon (after some warnings, of course...).
    BTW, some years ago our physical address was added in whois to someone 
    else's address space in a different RIR and that was _NOT_ a nice 
    experience...
    
    
    Regards,
    Carlos
    
    
    > Nick
    >
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Ronald F. Guilmette

2020-01-15 22:33:08 CET

In message <9EW8XOCpiyHeFAtx _at_ highwayman _dot_ com>, 
Richard Clayton <richard _at_ highwayman _dot_ com> wrote:

>these (which are the most interesting parts of the Communications
>Decency Act that did not get invalidated by the application of the First
>Amendment which swept away much of it) provide a safe harbour for the
>people operating platforms regarding what the users of those platforms
>say ... so yes this is very much on point
>
>within the EU (and the RIPE region is far bigger than that) there is NOT
>an equivalent regime -- there is a safe harbour (under the ECommerce
>Directive) for hosting companies but ONLY up to the point at which they
>have "actual knowledge" that material is problematic (eg that it is
>defamatory) after that they are on the hook if they fail to act
>appropriately
>
>companies such as EBay and TripAdvisor are well aware of this and
>operate their platforms accordingly -- so this means that problematic
>material will not be visible within the EU (and doubtless in other RIPE
>region countries) ... whether they remove it entirely (so that US
>residents miss out) I could not say, you'd need to ask each company
>individually as to how they configure their systems

I reiterate and slightly rehprase my question:

Do you people in within the RIPE region see, or not see critical reviews
on, for example, eBay, TripAdvisor, etc?

It is being seriously suggested that eBay erases or makes magically and
selectively invisible just those bad seller (or buyer) reviews which
implicate some draconian defamation laws that exist in some one of
the fiefdoms of Europe, perhaps even one small enough to be entirely
covered in shag carpeting?  It is being seriously suggested that
TripAdvisor likewise selectively erases complaints about lousey coffee
at each and every litigious brothel in Amsterdam?

If this is what is being suggested, then color me skeptical.

>note that companies that operate solely in the USA can take some solace
>from the USA SPEECH Act...

The notion of "operating solely in the USA" is not one which lacks
ambiguity, at least when it comes to Internet-based services, as I am
sure you are all too aware.

Still, pragmatics and commerce, like time and tide, wait for no man.
And the services I have named and used as examples *do* exist, *do*
survive, and *do* provide, collect, organize, and disseminate reviews
entered by globe-spanning armies of individual end users.

I would argue that if they can do it, we can do it.

As regards to jurisdiction and legal responsibility, I would be more than
happy to host the thing here in the United States, and take full, personal,
and sole legal responsibility for it.  I am not afraid, because 47 USC 230(c)
is both abundantly clear and already very much tested, in real courts of
law, and it has consistantly prevailed.  The operator of a platform is
*not* legally liable for the speech of others.  Not in these United States
anyway.

I would do these things, but I cannot -build- such a review platform,
because frankly, I just don't have the time.

That small fact doesn't make it a fundamentally Bad or Unworkable idea.


Regards,
rfg

User Image

Jordi Palet Martinez

2020-01-15 22:33:49 CET

Hi Ronald,


El 14/1/20 13:10, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de rfg _at_ tristatelogic _dot_ com> escribió:

    In message <30174D32-225F-467E-937A-5BC42650F955 _at_ consulintel _dot_ es>, 
    JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net> wrote:
    
    >I think if we try to agree on those ratings, we will never reach consensus
    
    Right, and that was a part of my point about eBay-like feedback ratings
    for resource holders, i.e. "Let's not even try."
    
    Instead, let the people decide.  Let anyone register a feedback point,
    positive or negative, against any resource holder, with the proviso
    that if they are registering a negative feedback point, they should assert
    exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
    undeliverable", "no response for eight days" etc.) and if possible,
    provide some context also, e.g. a copy of the spam, a copy of some
    logs showing hack attempts, etc.


This may have legal consequences for RIPE NCC, as somebody could use the system to publish untrue information for competitors ... not a good idea.

    
    >So it is not just easier to ask the abuse-c mailboxes that don't want to
    >process to setup an autoresponder with an specific (standard) text about
    that, for example:...
    
    In the "eBay feedback" model I am proposing there is no need for *RIPE NCC*
    to ask anybody about anything.  People will register negative points
    against any resource holder with an undeliverable abuse address.  (I know
    I will!)
    
    I'm sorry Jordi, if this idea sounds like it is undermining everything
    you have been trying to do, which is all very very admirable.  But I have
    only just realized what you said above, i.e. if we really start to try
    to design a system where RIPE NCC will do 100% of the work of "reviewing"

No ... this is an automated process. It is working already in ARIN, in APNIC and now will be also implemented in LACNIC.

It is just an email sent to each abuse-c twice a year, and they have 15 days to click in the link to verify that this mailbox is working.

RIPE NCC will only take care of the failed emails. It may mean some extra work at the beginning, but after a pass will be less and less work. Some of those emails that fail, have already been escalated by RIPE NCC with the existing policy, so it means even less work.

    all one zillion RIPE resource holders, the size of the task will almost
    be the least of the worries.   The first order problem, as you already
    know since you have been doing yeoman's work on this for awhile now, is
    just getting people in the various RIRs to agree on the numerous fine
    details.  (Hell! You can't even get *me* to agree that a 15 day turn-
    around is in any sense "reasonable", and apparently I'm not alone in
    that regard.)
    
    So, my solution is just don't.  Let the whole planet vote on whether
    they think this provider or that provider are ***heads, and let the
    chips fall where they may.
    
    I'm not saying that even this idea would neessarily be piece-of-cake easy.
    The first problem would be working out a way to prevent the system from
    being gamed by bad actors for malicious purposes, or for positive "PR"
    purposes.  (Don't get me started about the fake positive review over on
    TripAdvisor.)  But I am not persuaded that these are in any sense
    insoluable problems.
    
    
    Regards,
    rfg
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 22:39:07 CET

In my opinion, the actual situation is the worst. We are validating over "nothing". We don't know how many of the "validated" mailboxes are real, or even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, as it is being done in ARIN and APNIC and soon in LACNIC.

If this can't reach consensus, I prefer to know in advance "this operator doesn't handle abuses" that wasting time in reporting them. I will have the choice to just block their network and when several folks block them and their customers complain, then they may change their mind.

Better 50% of good and *real* validated abuse contacts than 100% from which I don't know how may are for real.
 

El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:

    
    Hi,
    
    I obviously don't speak for the incident handling community, but i think 
    this (making it optional) would be a serious step back. The current 
    situation is already very bad when in some cases we know from the start 
    that we are sending (automated) messages/notices to blackholes.
    
    To an extreme, there should always be a known contact responsible for 
    any network infrastructure. If this is not the case, what's the purpose 
    of a registry then?
    
    Regards,
    Carlos
    
    
    
    On Tue, 14 Jan 2020, Leo Vegoda wrote:
    
    > On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:
    >
    > [...]
    >
    >> A much simpler approach would be to make abuse-c: an optional attribute
    >> (basically, unrolling the "mandatory" part of the policy proposal that
    >> introduced it in the first place)
    >
    > This seems like a simple approach for letting network operators
    > indicate whether or not they will act on abuse reports. If there's no
    > way of reporting abuse then the operators clearly has no processes for
    > evaluating reports, or acting on them. This helps everyone save time.
    >
    > Regards,
    >
    > Leo Vegoda
    >
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 22:41:54 CET

Exactly 2 minutes a year (1 minute each time you click the link in the email from RIPE NCC).

And because you invest 2 minutes a year, you will save a lot of time (many hours/days) yourself, trying to report abuses to invalid mailboxes!
 

El 15/1/20 9:24, "anti-abuse-wg en nombre de Serge Droz via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:

    Hi Gert
    
    Sorry I misunderstood you then. But honestly, this does not really place
    a burden on you.
    
    RIPE can automate this, and you simply reply to a message. We do this,
    e.g. in TF-CSIRT twice a year, and it does help, event the good guys,
    that realize they have an issue and did not receive their mail.
    
    In fact, it's become a bit of a competition to be the first to reply to
    the challenge.
    
    So the extra work is what, 10 minutes / year, if the system is setup
    properly?
    
    So I think the balance is hugely positive.
    
    Just my two cents.
    
    Serge
    
    
    On 15/01/2020 09:18, Gert Doering wrote:
    > Hi,
    > 
    > On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:
    >> I kind of don't buy into "There is no point on placing a burden on orgs
    >> that choose not to act".
    > 
    > This is not what I said.  My stance on this is: placing extra burdens on
    > orgs *that do the right thing today* (with extra verification hoops)
    > should be balanced against "will it change the situation wrt orgs that
    > do not care".
    > 
    > And I think the balance is negative - extra work for the good guys, and
    > no relevant incentive for the bad guys to actually *act on* their abuse
    > reports.
    > 
    > Gert Doering
    >         -- NetMaster
    > 
    
    -- 
    Dr. Serge Droz
    Chair, Forum of Incident Response and Security Teams (FIRST)
    Phone +41 76 542 44 93 | serge.droz _at_ first _dot_ org | https://www.first.org
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 22:44:11 CET

What we do today is not a validation if I can use Gert or Serge or any "null" email in all my abuse contacts and nobody notice it, and then you start getting abuse reports from other folks ... This is creating lots of wasted time to both you and the abuse case reporters.
 

El 15/1/20 9:59, "anti-abuse-wg en nombre de Gert Doering" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de gert _at_ space _dot_ net> escribió:

    Hi,
    
    On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote:
    > Sorry I misunderstood you then. But honestly, this does not really place
    > a burden on you.
    
    It does.  Even if it's just 5 minutes per Mail - I need to train abuse 
    handlers what to do with this sort of message, etc.
    
    > So I think the balance is hugely positive.
    
    Nobody has been able to demonstrate why it would have a positive effect
    at all.  So how can the balance be "hugely positive"?
    
    E-Mail addresses *are* validated today.  Just not in an as labour-intensive
    way on the receipient like the proposers want to install.
    
    Gert Doering
            -- NetMaster
    -- 
    have you enabled IPv6 on something today...?
    
    SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
    Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
    D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
    Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 22:54:04 CET

Hi Leo,


El 15/1/20 18:09, "anti-abuse-wg en nombre de Leo Vegoda" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de leo _at_ vegoda _dot_ org> escribió:

    On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg
    <anti-abuse-wg _at_ ripe _dot_ net> wrote:
    
    [...]
    
    > - Lastly: It makes our life as Incident responders easier to have a
    > uniform way of sending reports, even if not all of them are followed up.
    
    This is an excellent point but e-mail is probably not the right medium
    for that. Standardizing protocols for reporting abuse - and therefore
    acting on those reports more quickly - would be far more helpful. But
    only organizations don't want abuse on their networks will invest in
    the people, processes, and systems, whatever the reporting medium.

This is an additional step. Do you think it may be better to include in the proposal, instead of plain email for the reporting, to mandate the use of XARF?

http://xarf.org/index.html

I've been tempted several times to go that path ... so may be is time for it?

    
    > I kind of don't buy into "There is no point on placing a burden on orgs
    > that choose not to act".
    
    It's not about the burden on the organizations that don't want to act.
    It's about providing a clear signal to the reporting organizations
    that there is no point reporting. That should allow reporting
    organizations to decide on next steps more quickly.
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Job Snijders

2020-01-15 22:56:03 CET

On Wed, Jan 15, 2020 at 10:41:54PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> Exactly 2 minutes a year (1 minute each time you click the link in the
> email from RIPE NCC).
> 
> And because you invest 2 minutes a year, you will save a lot of time
> (many hours/days) yourself, trying to report abuses to invalid
> mailboxes!

I am not sure it is just two minutes a year, it is desiging and
monitoring an additional work process to be executed in corporations. I
am of course not sure how much it is, but certainly more than two
minutes.

Kind regards,

Job

User Image

Carlos Friacas

2020-01-15 22:58:17 CET


Hi,



On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> In my opinion, the actual situation is the worst. We are validating over "nothing". We don't know how many of the "validated" mailboxes are real, or even read, full, etc.
>
> I will prefer a mandatory abuse-c which is validated in the way I'm proposing, as it is being done in ARIN and APNIC and soon in LACNIC.

This detail is interesting...



> If this can't reach consensus, I prefer to know in advance "this 
> operator doesn't handle abuses" that wasting time in reporting them. I 
> will have the choice to just block their network and when several folks 
> block them and their customers complain, then they may change their 
> mind.

I was wondering if this "block" would mean blocking all prefixes announced 
by the same ASN, or just the prefix where the abuse originated from.


> Better 50% of good and *real* validated abuse contacts than 100% from which I don't know how may are for real.

As i already stated, i'm more worried about someone using real e-mail 
addresses of real unrelated people than the /dev/null or unattended 
mailboxes.

When someone uses a 3rd party address without authorization+knowledge, i 
think it's reasonable to allow for a fix, instead of directly running to 
ripe-716.


Cheers,
Carlos





> El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:
>
>
>    Hi,
>
>    I obviously don't speak for the incident handling community, but i think
>    this (making it optional) would be a serious step back. The current
>    situation is already very bad when in some cases we know from the start
>    that we are sending (automated) messages/notices to blackholes.
>
>    To an extreme, there should always be a known contact responsible for
>    any network infrastructure. If this is not the case, what's the purpose
>    of a registry then?
>
>    Regards,
>    Carlos
>
>
>
>    On Tue, 14 Jan 2020, Leo Vegoda wrote:
>
>    > On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:
>    >
>    > [...]
>    >
>    >> A much simpler approach would be to make abuse-c: an optional attribute
>    >> (basically, unrolling the "mandatory" part of the policy proposal that
>    >> introduced it in the first place)
>    >
>    > This seems like a simple approach for letting network operators
>    > indicate whether or not they will act on abuse reports. If there's no
>    > way of reporting abuse then the operators clearly has no processes for
>    > evaluating reports, or acting on them. This helps everyone save time.
>    >
>    > Regards,
>    >
>    > Leo Vegoda
>    >
>
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>
>
>
>
>
User Image

Jordi Palet Martinez

2020-01-15 23:02:42 CET

Hi Warren,

When some operators aren't responding to abuse cases, or when they are bouncing emails, or you get a response from someone telling "sorry I'm not the right contact for this, the email is mistaken", and many other similar situations ... the operator is telling you "we don't care about abuse from our customer to other networks".

There is not different to say that explicitly by making the abuse-c optional, so those that don't want to handle the abuse reports, just don't have it.

There is no difference in having the email bouncing than having an autoresponder saying "we don't care" ... 
 

El 15/1/20 21:15, "anti-abuse-wg en nombre de Warren Kumari" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de warren _at_ kumari _dot_ net> escribió:

    On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda <leo _at_ vegoda _dot_ org> wrote:
    >
    > On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race <jrace _at_ post.harvard _dot_ edu> wrote:
    >
    > [...]
    >
    > > Aside from the reciprocity issue, it's a basic engineering rule
    > > that systems target their goal only when a corrective
    > > feedback path exists.
    >
    > That feedback path does not need to be a personally written e-mail.
    > Instead, it is possible to use signals like the absence of a reliable
    > reporting mechanism to make decisions about not accepting some or all
    > traffic from an abusing network.
    >
    > My main concern with proposal 2019-04 is that it would make everyone
    > look the same. It then takes time and effort to distinguish the
    > networks that will actually use abuse reports to fix problems from
    > those that won't or just don't have the ability to do so.
    >
    > While I would accept Gert's proposal for making abuse-c an optional
    > attribute, the reason I offered a counter proposal for publishing "a
    > statement to the effect that the network operator does not act on
    > abuse reports" is to add clarity at a high level.
    >
    > In the first case, it avoids wasting resources lodging reports that
    > will be ignored. Secondly, it provides reliable statistical
    > information about the networks whose operators claim to use abuse
    > reports to clean things up. This would provide a metric that could be
    > used both by other network operators to guide operational policies and
    > governments or regulators to set theirs.
    
    I suspect I'm somewhat confused / have lost the thread somewhere.
    
    I really don't think that any network is likely to advertise that they
    are not dealing with abuse -- it gives a bad impression, and the
    marketing droids will likely want *something* listed. The same goes
    for legal - saying "Meh, don't bother sending us abuse reports, we
    ignore them" doesn't seem to have any PR / marketing / legal upside,
    and has many downsides...
    
    Pretend that you are a network that (largely) ignores abuse reports --
    your current solution of throwing these mails away costs you nothing;
    what's the upside to telling everyone that you are doing this?
    
    I suspect that people will continue to have abuse@, hostmaster@,
    abuse-c,and any other conventions filled in -- and many will just
    continue to shuffle these into self-closing ticket systems / mailboxes
    which never get read and / or /dev/null...
    
    W
    
    
    >
    > Finally, we don't yet know what the RIPE Database Requirements TF will
    > recommend. But I think that building a new business process on the
    > existing model for publishing contact information assumes they won't
    > recommend changes. Let's wait until they report before asking the RIPE
    > NCC to build new workflows on a model that the community might want to
    > change.
    >
    > Kind regards,
    >
    > Leo Vegoda
    >
    
    
    -- 
    I don't think the execution is relevant when it was obviously a bad
    idea in the first place.
    This is like putting rabid weasels in your pants, and later expressing
    regret at having chosen those particular rabid weasels and that pair
    of pants.
       ---maf
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 23:06:09 CET

Hi Job,

You need to have that process already for ARIN and APNIC, and once implemented LACNIC.

The process is the same. You implement it once (I'm not counting the minutes that can take to implement it) and it seems simple to me: the abuse-mailbox get twice a year a verification email, a responsible guy in the abuse-team must act on it, clicking on the verification link.

So, if you have already the process for other RIRs, what is the extra cost? (2 minutes)

I think is much less that the time you can save, and this is the balance that we need to look for.


El 15/1/20 22:56, "Job Snijders" <job _at_ ntt _dot_ net> escribió:

    On Wed, Jan 15, 2020 at 10:41:54PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
    > Exactly 2 minutes a year (1 minute each time you click the link in the
    > email from RIPE NCC).
    > 
    > And because you invest 2 minutes a year, you will save a lot of time
    > (many hours/days) yourself, trying to report abuses to invalid
    > mailboxes!
    
    I am not sure it is just two minutes a year, it is desiging and
    monitoring an additional work process to be executed in corporations. I
    am of course not sure how much it is, but certainly more than two
    minutes.
    
    Kind regards,
    
    Job
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Jordi Palet Martinez

2020-01-15 23:09:41 CET

Hi Carlos,
 
 

El 15/1/20 22:58, "Carlos Friaças" <cfriacas _at_ fccn _dot_ pt> escribió:

    
    
    Hi,
    
    
    
    On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
    
    > In my opinion, the actual situation is the worst. We are validating over "nothing". We don't know how many of the "validated" mailboxes are real, or even read, full, etc.
    >
    > I will prefer a mandatory abuse-c which is validated in the way I'm proposing, as it is being done in ARIN and APNIC and soon in LACNIC.
    
    This detail is interesting...
    
In my opinion it reached consensus also in the last AFRINIC meeting, but chairs didn't agree, and I don't want to start an appeal. So, I will retry in the next meeting.    
    
    > If this can't reach consensus, I prefer to know in advance "this 
    > operator doesn't handle abuses" that wasting time in reporting them. I 
    > will have the choice to just block their network and when several folks 
    > block them and their customers complain, then they may change their 
    > mind.
    
    I was wondering if this "block" would mean blocking all prefixes announced 
    by the same ASN, or just the prefix where the abuse originated from.

Well, this is up to each operator ... If it is my network, I will definitively block the complete ASN, because a network that doesn't process abuse, is not something I want to get traffic from. But is just my personal view.
    
    
    > Better 50% of good and *real* validated abuse contacts than 100% from which I don't know how may are for real.
    
    As i already stated, i'm more worried about someone using real e-mail 
    addresses of real unrelated people than the /dev/null or unattended 
    mailboxes.
    
    When someone uses a 3rd party address without authorization+knowledge, i 
    think it's reasonable to allow for a fix, instead of directly running to 
    ripe-716.
    
    
    Cheers,
    Carlos
    
    
    
    
    
    > El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:
    >
    >
    >    Hi,
    >
    >    I obviously don't speak for the incident handling community, but i think
    >    this (making it optional) would be a serious step back. The current
    >    situation is already very bad when in some cases we know from the start
    >    that we are sending (automated) messages/notices to blackholes.
    >
    >    To an extreme, there should always be a known contact responsible for
    >    any network infrastructure. If this is not the case, what's the purpose
    >    of a registry then?
    >
    >    Regards,
    >    Carlos
    >
    >
    >
    >    On Tue, 14 Jan 2020, Leo Vegoda wrote:
    >
    >    > On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert _at_ space _dot_ net> wrote:
    >    >
    >    > [...]
    >    >
    >    >> A much simpler approach would be to make abuse-c: an optional attribute
    >    >> (basically, unrolling the "mandatory" part of the policy proposal that
    >    >> introduced it in the first place)
    >    >
    >    > This seems like a simple approach for letting network operators
    >    > indicate whether or not they will act on abuse reports. If there's no
    >    > way of reporting abuse then the operators clearly has no processes for
    >    > evaluating reports, or acting on them. This helps everyone save time.
    >    >
    >    > Regards,
    >    >
    >    > Leo Vegoda
    >    >
    >
    >
    >
    >
    >
    > **********************************************
    > IPv4 is over
    > Are you ready for the new Internet ?
    > http://www.theipv6company.com
    > The IPv6 Company
    >
    > This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
    >
    >
    >
    >
    >



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Ronald F. Guilmette

2020-01-15 23:10:01 CET

In message 7g _at_ mail.gmail _dot_ com>
Leo Vegoda <leo _at_ vegoda _dot_ org> wrote:

>E-mail does not scale well. It was great in the 1990s, when the
>Internet was smaller and people knew each other. About half the
>world's population now has some sort of Internet connectivity.
>Expecting organizations to be able to understand reports from such a
>diverse group of people is unreasonable.

You're right.  Email is shit.  However as long as network operators
allow their errant end-lusers to spam me via email, I expect them to
also accept reports about that via email. If they don't want to, then
fine.  They can just block outbound port 25 for their entire networks
at and in the routers.  Problem solved and everybody's happy.


Regards,
rfg

Fi Shing

2020-01-15 23:59:49 CET

That is the most stupid thing i've read on this list.
 
What little protection the world has from spammers and all manner of criminals, and you still think it's too much that they even so much as have to check their email account.
 
Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.
 
and if there can be no "internet police", i'm sure RIPE will have no problem if someone never pays a fee to it ever again, because it doesn't have the mandate to suspend a resource for crime, it cannot do it for non payment.
 
or is non-payment more serious than a DDoS attack?
 
 
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Gert Doering" <gert _at_ space _dot_ net>
Date: 1/14/20 9:19 pm
To: "JORDI PALET MARTINEZ" <jordi.palet _at_ consulintel _dot_ es>
Cc: "anti-abuse-wg" <anti-abuse-wg _at_ ripe _dot_ net>

Hi,
 
 On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
 > Looks fine to me.
 > 
 > If we really think that the operators should be free from taking abuse reports, then let's make it optional.
 > 
 > As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.
 
 I do think that an operator should handle abuse reports (and we do), 
 but *this* is not a suitable vehicle to *make him*.
 
 And if it's not going to have the desired effect, do not waste time on it.
 
 Gert Doering
 -- NetMaster
 -- 
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Fi Shing

2020-01-16 00:03:44 CET

Sergio, that would make too much sense.
 
This mailing list is not only not even considering what you have said, but they are trying to remove the requirement of a network operator to even receive emails about complaints at all.
 
Pathetic.
 
It's the year 2019, and these "people" on this list (probably cyber criminals or are paid by cyber criminals to weaken policy) come here and say this garbage.
 
 
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Sérgio Rocha" <sergio.rocha _at_ makeitsimple _dot_ pt>
Date: 1/15/20 8:16 pm
To: "anti-abuse-wg" <anti-abuse-wg _at_ ripe _dot_ net>

Hi,
 
 Maybe we can change the approach.
 If RIPE website had a platform to post abuse report, that send the email for
 the abuse contact, it will be possible to evaluate the responsiveness of the
 abuse contact.
 
 This way anyone that report an abuse could assess not only the response but
 also the effectiveness of the actions taken by the network owner. After some
 time with this evaluations we would easy to realize who manages the reports
 and even who does not respond at all.
 
 Sérgio 
 
 -----Original Message-----
 From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
 Gert Doering
 Sent: 15 de janeiro de 2020 08:06
 To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
 Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
 Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
 of "abuse-mailbox")
 
 Hi,
 
 On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
 wrote:
 > I obviously don't speak for the incident handling community, but i 
 > think this (making it optional) would be a serious step back. The 
 > current situation is already very bad when in some cases we know from 
 > the start that we are sending (automated) messages/notices to blackholes.
 
 So why is it preferrable to send mails which are not acted on, as opposed to
 "not send mail because you know beforehand that the other network is not
 interested"?
 
 I can see that it is frustrating - but I still cannot support a policy
 change which will not help dealing with irresponsible networks in any way,
 but at the same time increases costs and workload for those that do the
 right thing alrady.
 
 
 > To an extreme, there should always be a known contact responsible for 
 > any network infrastructure. If this is not the case, what's the 
 > purpose of a registry then?
 
 "a known contact" and "an *abuse-handling* contact" is not the same thing.
 
 Gert Doering
 -- NetMaster
 --
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael
 Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Fi Shing

2020-01-16 00:05:33 CET

correction: year 2020*
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Fi Shing" <phishing _at_ storey _dot_ xxx>
Date: 1/16/20 10:03 am
To: "anti-abuse-wg _at_ ripe _dot_ net" <anti-abuse-wg _at_ ripe _dot_ net>

 Sergio, that would make too much sense.
 
This mailing list is not only not even considering what you have said, but they are trying to remove the requirement of a network operator to even receive emails about complaints at all.
 
Pathetic.
 
It's the year 2019, and these "people" on this list (probably cyber criminals or are paid by cyber criminals to weaken policy) come here and say this garbage.
 
 
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Sérgio Rocha" <sergio.rocha _at_ makeitsimple _dot_ pt>
Date: 1/15/20 8:16 pm
To: "anti-abuse-wg" <anti-abuse-wg _at_ ripe _dot_ net>

Hi,
 
 Maybe we can change the approach.
 If RIPE website had a platform to post abuse report, that send the email for
 the abuse contact, it will be possible to evaluate the responsiveness of the
 abuse contact.
 
 This way anyone that report an abuse could assess not only the response but
 also the effectiveness of the actions taken by the network owner. After some
 time with this evaluations we would easy to realize who manages the reports
 and even who does not respond at all.
 
 Sérgio 
 
 -----Original Message-----
 From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
 Gert Doering
 Sent: 15 de janeiro de 2020 08:06
 To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
 Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
 Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
 of "abuse-mailbox")
 
 Hi,
 
 On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
 wrote:
 > I obviously don't speak for the incident handling community, but i 
 > think this (making it optional) would be a serious step back. The 
 > current situation is already very bad when in some cases we know from 
 > the start that we are sending (automated) messages/notices to blackholes.
 
 So why is it preferrable to send mails which are not acted on, as opposed to
 "not send mail because you know beforehand that the other network is not
 interested"?
 
 I can see that it is frustrating - but I still cannot support a policy
 change which will not help dealing with irresponsible networks in any way,
 but at the same time increases costs and workload for those that do the
 right thing alrady.
 
 
 > To an extreme, there should always be a known contact responsible for 
 > any network infrastructure. If this is not the case, what's the 
 > purpose of a registry then?
 
 "a known contact" and "an *abuse-handling* contact" is not the same thing.
 
 Gert Doering
 -- NetMaster
 --
 have you enabled IPv6 on something today...?
 
 SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael
 Emmer
 Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
 D-80807 Muenchen HRB: 136055 (AG Muenchen)
 Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Ronald F. Guilmette

2020-01-16 01:12:56 CET

In message <58ECE9F6-4D64-4315-8EE5-88574F6B4AA9 _at_ consulintel _dot_ es>, 
JORDI PALET MARTINEZ <jordi.palet _at_ consulintel _dot_ es> wrote:

>    Right, and that was a part of my point about eBay-like feedback ratings
>    for resource holders, i.e. "Let's not even try."
>    Instead, let the people decide.  Let anyone register a feedback point,
>    positive or negative, against any resource holder, with the proviso
>    that if they are registering a negative feedback point, they should assert
>    exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
>    undeliverable", "no response for eight days" etc.) and if possible,
>    provide some context also, e.g. a copy of the spam, a copy of some
>    logs showing hack attempts, etc.
>
>This may have legal consequences for RIPE NCC, as somebody could use the
>system to publish untrue information for competitors ... not a good idea.

OK, two points:

1)  I cannot and will not dispute that rating systems which allow votes
from the public at large can be gamed, e.g. by unscrupulous competitors,
and indeed, it is my belief that there have already been some well-
documented cases of this.  That's not to say that I think that adequate
counter-measures could not be developed.  I think they could be.

2) As regards to the "legal" issue, I can only express my deepest sympathies
for all you folks on your side of the pond and beyond, especially as you all
seem to be at least somewhat constrained in your freedom to speak truth to
power.


Regards,
rfg

Ronald F. Guilmette

2020-01-16 01:36:38 CET

In message <68C5238D-B796-45B9-8735-5849140DCD51 _at_ consulintel _dot_ es>, 
JORDI PALET MARTINEZ <jordi.palet _at_ consulintel _dot_ es> wrote:

>When some operators aren't responding to abuse cases, or when they are boun=
>cing emails, or you get a response from someone telling "sorry I'm not the =
>right contact for this, the email is mistaken", and many other similar situ=
>ations ... the operator is telling you "we don't care about abuse from our =
>customer to other networks".

Just a quick follow-up note on this.

These days, about half of the time when I report a spam that came to me
from one of Microsoft's ASNs, I get a reply back telling me that the
spam in question came from an Outlook user, and giving me some other
reporting email address, and vaguely encouraging me to re-report the
spam to that different address.

I never do.

(This happens EVEN IF I had, in the first instance, reported the spam
to the exact email address that is given as the abuse reporting address
for the relevant ASN in the official ARIN WHOIS records.)

If the people at Microsoft who handle abuse cannot be bothered to just
simply forward a spam report from one of their own departments to
another, internally, then I am not persuaded that any part of their
organization is adequately motivated to do anything at all about it,
no matter who I sent it to.


Regards,
rfg

Ronald F. Guilmette

2020-01-16 01:47:20 CET

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
email19.asia.godaddy.com>, "Fi Shing" <phishing _at_ storey _dot_ xxx> wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement.  It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments.  If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda.  It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg

User Image

Richard Clayton

2020-01-16 01:49:19 CET

In message <49348.1579123988 _at_ segfault.tristatelogic _dot_ com>, Ronald F.
Guilmette <rfg _at_ tristatelogic _dot_ com> writes

>I reiterate and slightly rehprase my question:
>
>Do you people in within the RIPE region see, or not see critical reviews
>on, for example, eBay, TripAdvisor, etc?

we do, but we do not see material which is likely to be libellous (words
have to chosen carefully in explaining this sort of thing because in
this space material can be defamatory but veracity means that it is most
unlikely to be adjudged a libel)

>>note that companies that operate solely in the USA can take some solace
>>from the USA SPEECH Act...
>
>The notion of "operating solely in the USA" is not one which lacks
>ambiguity, at least when it comes to Internet-based services, as I am
>sure you are all too aware.

by operate I meant that all employees and legal entities are within the
USA, not that the company restricts access to websites etc

Though it is interesting that a number of US newspaper sites have chosen
to block all EU IPs so as to avoid incurring any data protection
liability under the GDPR when serving up adverts ... but they may have
foreign correspondents so they may be making my point after all

bottom line is that if you want to run a reputation site and not be
under an obligation to remove libellous material (not fair comment) you
would be unwise to do it outside the USA

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Ronald F. Guilmette

2020-01-16 02:09:10 CET

In message <ltfqNUBPM7HeFA88 _at_ highwayman _dot_ com>, 
Richard Clayton <richard _at_ highwayman _dot_ com> wrote:

>bottom line is that if you want to run a reputation site and not be
>under an obligation to remove libellous material (not fair comment) you
>would be unwise to do it outside the USA

As much as I would like to claim, on behalf of my countrymen, an absolutely
unique status in this regard, I do believe that there are any number of
other locales from whence a similar feat could be accomplished.  Iceland
seems like a possibility, but also Belize, perhaps Gibraltar, The
Dominican Republic, and quite certainly Nevis & St. Kitts.

Oh!  And the sovereign Republic of Sealand, of course.


Regards,
rfg


P.S.  I cannot help but offer the entirely gratuitous observation that
in many parts of the world it may indeed be more legally tenable to be
either a spammer or a spam-fiendly provider than it is to be a person
or other form of legal entity which publishes anything not qualifying
as glowing positive commentary about any such.

User Image

Leo Vegoda

2020-01-16 03:16:45 CET

Hi Jordi,

On Wed, Jan 15, 2020 at 1:54 PM JORDI PALET MARTINEZ
<jordi.palet _at_ consulintel _dot_ es> wrote:

[...]

>     This is an excellent point but e-mail is probably not the right medium
>     for that. Standardizing protocols for reporting abuse - and therefore
>     acting on those reports more quickly - would be far more helpful. But
>     only organizations don't want abuse on their networks will invest in
>     the people, processes, and systems, whatever the reporting medium.
>
> This is an additional step. Do you think it may be better to include in the proposal, instead of plain email for the reporting, to mandate the use of XARF?
>
> http://xarf.org/index.html
>
> I've been tempted several times to go that path ... so may be is time for it?

Communicating information about abuse incidents using structured data
is exactly the right way to go. E-mail is becoming less useful as each
year goes by and continuing to invest in systems that assume e-mail is
ubiquitous does not seem a good use of resources to me.

Kind regards,

Leo

Fi Shing

2020-01-16 05:54:52 CET

 
>> Best not to judge the race until it has been fully run.
 
I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish.
 
It is idiotic and is not ad hominem.
 
This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance?
 
The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.
 
 
 
 
 
--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg _at_ tristatelogic _dot_ com>
Date: 1/16/20 11:47 am
To: "anti-abuse-wg _at_ ripe _dot_ net" <anti-abuse-wg _at_ ripe _dot_ net>

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
 email19.asia.godaddy.com>, "Fi Shing" <phishing _at_ storey _dot_ xxx> wrote:
 
 >That is the most stupid thing i've read on this list.
 
 Well, I think you shouldn't be quite so harsh in your judgement. It is
 not immediately apparent that you have been on the list for all that long.
 So perhaps you should stick around for awhile longer before making such
 comments. If you do, I feel sure that there will be any number of
 stupider things that may come to your attention, including even a few
 from your's truly.
 
 Best not to judge the race until it has been fully run.
 
 >Which criminal is paying you to say this nonsense, because no ordinary person
 >that has ever received a spam email would ever say such crap.
 
 I would also offer the suggestion that such inartful commentary, being as
 it is, ad hominem, is not at all likely to advance your agenda. It may
 have felt good, but I doubt that you have changed a single mind, other
 than perhaps one or two who will now be persuaded to take the opposing
 position, relative to whatever it was that you had hoped to achieve.
 
 
 Regards,
 rfg

Suresh Ramasubramanian

2020-01-16 07:12:12 CET

It would be interesting if a large number of people who actually work for the security / infosec / abuse teams of various ripe members were to attend the aawg meetings instead of a clutch of mostly IP / dns / network people.

That won’t take away the impact of organisations that don’t want to do any abuse handling at all or the IP / dns people that turn up, but might mitigate their pernicious effect on this process to an extent.

--srs

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of Fi Shing <phishing _at_ storey _dot_ xxx>
Sent: Thursday, January 16, 2020 10:25 AM
To: anti-abuse-wg _at_ ripe _dot_ net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")


>> Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish.

It is idiotic and is not ad hominem.

This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance?

The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.





--------- Original Message ---------
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg _at_ tristatelogic _dot_ com>
Date: 1/16/20 11:47 am
To: "anti-abuse-wg _at_ ripe _dot_ net" <anti-abuse-wg _at_ ripe _dot_ net>

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
email19.asia.godaddy.com>, "Fi Shing" <phishing _at_ storey _dot_ xxx> wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments. If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda. It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg

Serge Droz

2020-01-16 09:41:31 CET

Hi All

I think we already spent way more executive time on this thread than it
would cost us to verify e-mail addresses.

I agree e-mail does not solve all the problems. It's hard to
automatically process, .....

But it is simple to use, and from my work as an incident handler it did
do me good in the past. I participate in fora that validate
abuse/emergency addresses. WHen I ask these people what their issues in
daily life are it's never we have to validate or contact e-mail.


And honestly: taking a step back and reading this entire thread, I'm not
surprised that the bad guys are winning. You know: They don't care about
the purty and beauty of a solution. They just do it and profit, and
probably have a fabulous time seeing us argue and go at each others
throats.

I think we could do better.

Best
Serge
-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.droz _at_ first _dot_ org | https://www.first.org

Ronald F. Guilmette

2020-01-16 11:44:08 CET

In message <4be52277-cecb-603f-6840-4ee76245b0dd _at_ first _dot_ org>, 
Serge Droz <serge.droz _at_ first _dot_ org> wrote:

>I think we already spent way more executive time on this thread than it
>would cost us to verify e-mail addresses.

I think that I may cut that out, print it in a 48-point type face, have
it framed, and hang it on my office wall. :-)

This is true even though I expressed some similar view on some similar
situation here already some years ago.

>And honestly: taking a step back and reading this entire thread, I'm not
>surprised that the bad guys are winning. You know: They don't care about
>the purty and beauty of a solution. They just do it and profit, and
>probably have a fabulous time seeing us argue and go at each others
>throats.

I myself have certainly expressed this view previously, in private if not
also in public.


Regards,
rfg

User Image

Sergio Rocha

2020-01-16 13:38:26 CET

Hi,

 

Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure.

It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against

 

There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet.

 

There are a feew ideas that is simple to understand:

 

1 - If you have been assigned a network you have responsibilities, paying should not be the only one.

2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails.

3 - If you have no ability to manage abuse should not have addressing, leave it to professionals.

 

The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists.

It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same.

 

Sergio

 

 

 

From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of Fi Shing
Sent: 16 de janeiro de 2020 04:55
To: anti-abuse-wg _at_ ripe _dot_ net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

 

 

>> Best not to judge the race until it has been fully run.

 

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish.

 

It is idiotic and is not ad hominem.

 

This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance?

 

The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.

 

 

 

 

 

--------- Original Message --------- 

Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg _at_ tristatelogic _dot_ com rfg _at_ tristatelogic _dot_ com> >
Date: 1/16/20 11:47 am
To: "anti-abuse-wg _at_ ripe _dot_ net anti-abuse-wg _at_ ripe _dot_ net> " <anti-abuse-wg _at_ ripe _dot_ net anti-abuse-wg _at_ ripe _dot_ net> >

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@  
email19.asia.godaddy.com>, "Fi Shing" <phishing _at_ storey _dot_ xxx phishing _at_ storey _dot_ xxx> > wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before making such
comments. If you do, I feel sure that there will be any number of
stupider things that may come to your attention, including even a few
from your's truly.

Best not to judge the race until it has been fully run.

>Which criminal is paying you to say this nonsense, because no ordinary person
>that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as
it is, ad hominem, is not at all likely to advance your agenda. It may
have felt good, but I doubt that you have changed a single mind, other
than perhaps one or two who will now be persuaded to take the opposing
position, relative to whatever it was that you had hoped to achieve.


Regards,
rfg

Ronald F. Guilmette

2020-01-16 15:03:19 CET

In message <077501d5cc69$d9427020$8bc75060$@makeitsimple.pt>, 
"=?iso-8859-1?Q?S=E9rgio_Rocha?=" <sergio.rocha _at_ makeitsimple _dot_ pt> wrote:

>Agree, This anti-abuse list seems the blocking group to any anit-abuse
>response measure.
>
>It's amazing that nobody cant propose anything without receiving a
>shower of all sorts of arguments against

Welcome to the Working Group.  You must be new here.


Regards,
rfg

Sascha Luck [ml]

2020-01-16 17:04:39 CET

On Thu, Jan 16, 2020 at 12:38:26PM -0000, Srgio Rocha wrote:

>It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against

It's called "democracy". As Chuchill said, it's an awful system
but better than any other that have been tried.

rgds,
Sascha Luck


User Image

Randy Bush

2020-01-16 17:08:08 CET

> It would be interesting if a large number of people who actually work
> for the security / infosec / abuse teams of various ripe members were
> to attend the aawg meetings instead of a clutch of mostly IP / dns /
> network people.

did.  a couple of interesting presos, but the plural of anecdote is not
data.  and a bun fight over becomig the net police.  rinse repeat.  i
can try pushing water uphill at home.

randy

User Image

Andreas Worbs

2020-01-16 18:07:12 CET

I'm completely with you.

For our US-AS i verify my contact once a year: open the mail, click the
link, verify my data and that's it. You don't even need 5 minutes for it.

If you have an automation fpr your abuse mails? Ok, you have to adjust
your configuration a little bit but you have to do this only once. Is it
really a problem?

RIPE NCC will not deregister your ressources right now just because you
missed the verification.

I would be happy if we have a mandatory abuse-c which is validated by
the RIPE.

Rather go forward step-by-step than stop here for years. Stagnation
means regression.

Have a good night,

Andi

Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:
> Hi All
>
> I think we already spent way more executive time on this thread than it
> would cost us to verify e-mail addresses.
>
> I agree e-mail does not solve all the problems. It's hard to
> automatically process, .....
>
> But it is simple to use, and from my work as an incident handler it did
> do me good in the past. I participate in fora that validate
> abuse/emergency addresses. WHen I ask these people what their issues in
> daily life are it's never we have to validate or contact e-mail.
>
>
> And honestly: taking a step back and reading this entire thread, I'm not
> surprised that the bad guys are winning. You know: They don't care about
> the purty and beauty of a solution. They just do it and profit, and
> probably have a fabulous time seeing us argue and go at each others
> throats.
>
> I think we could do better.
>
> Best
> Serge

-- 
Mit freundlichem Gruß

Artfiles New Media GmbH

Andreas Worbs


Artfiles New Media GmbH | Zirkusweg 1 | 20359 Hamburg
Tel: 040 - 32 02 72 90 | Fax: 040 - 32 02 72 95
E-Mail: support _at_ artfiles _dot_ de | Web: http://www.artfiles.de
Geschäftsführer: Harald Oltmanns | Tim Evers
Eingetragen im Handelsregister Hamburg - HRB 81478


Serge Droz

2020-01-16 18:11:23 CET

Hi All

How about we just try this for a year and then take stock?

Best
Serge


On 16/01/2020 18:07, Andreas Worbs wrote:
> I'm completely with you.
> 
> For our US-AS i verify my contact once a year: open the mail, click the
> link, verify my data and that's it. You don't even need 5 minutes for it.
> 
> If you have an automation fpr your abuse mails? Ok, you have to adjust
> your configuration a little bit but you have to do this only once. Is it
> really a problem?
> 
> RIPE NCC will not deregister your ressources right now just because you
> missed the verification.
> 
> I would be happy if we have a mandatory abuse-c which is validated by
> the RIPE.
> 
> Rather go forward step-by-step than stop here for years. Stagnation
> means regression.
> 
> Have a good night,
> 
> Andi
> 
> Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:
>> Hi All
>>
>> I think we already spent way more executive time on this thread than it
>> would cost us to verify e-mail addresses.
>>
>> I agree e-mail does not solve all the problems. It's hard to
>> automatically process, .....
>>
>> But it is simple to use, and from my work as an incident handler it did
>> do me good in the past. I participate in fora that validate
>> abuse/emergency addresses. WHen I ask these people what their issues in
>> daily life are it's never we have to validate or contact e-mail.
>>
>>
>> And honestly: taking a step back and reading this entire thread, I'm not
>> surprised that the bad guys are winning. You know: They don't care about
>> the purty and beauty of a solution. They just do it and profit, and
>> probably have a fabulous time seeing us argue and go at each others
>> throats.
>>
>> I think we could do better.
>>
>> Best
>> Serge
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.droz _at_ first _dot_ org | https://www.first.org

Suresh Ramasubramanian

2020-01-17 00:32:26 CET

I’m afraid you’ve misunderstood me. I haven’t been talking about people going out to clean networks not their own. All I would like to see is people accepting responsibility for the networks that they do control

As for other concerns eg Volker raised about the difference between a heavily abused customer and a malicious actor, that is a judgement call that every large provider abuse team has had to face so far

--srs

________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces _at_ ripe _dot_ net> on behalf of Randy Bush <randy _at_ psg _dot_ com>
Sent: Thursday, January 16, 2020 9:38 PM
To: Suresh Ramasubramanian
Cc: anti-abuse-wg _at_ ripe _dot_ net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

> It would be interesting if a large number of people who actually work
> for the security / infosec / abuse teams of various ripe members were
> to attend the aawg meetings instead of a clutch of mostly IP / dns /
> network people.

did. a couple of interesting presos, but the plural of anecdote is not
data. and a bun fight over becomig the net police. rinse repeat. i
can try pushing water uphill at home.

randy

ripedenis@yahoo.co.uk

2020-01-17 01:10:20 CET

 Hi Sergio
As I read through this thread similar ideas came to my mind. The question I would ask is "Is it too late to take a completely different approach to abuse contacts and reporting via the RIPE Database?"
Suppose we had a standard form available via the ripe.net website for providing details of abuse. If you are able to find the "abuse-c:" details in the database now then you must know the IP address involved. The RIPE NCC could send the report to the abuse contact taken from the database via the specified IP address. This does not have to be an email interface either. We could look at other options. The RIPE NCC would then at least know if the report was successfully delivered. Using a standard form would make it much easier for the resource holder to interpret the information.
Someone said:"Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ..."I have no understanding of the technology involved here, but when I send you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they say) of the content of the message. Would it be possible to submit a form on ripe.net in a way that the content of that form is encrypted and sent to the resource holder so the RIPE NCC have no idea of the content of the form? That would satisfy this concern.
Regardless of the outcome of the RIPE Database Requirements Task Force, something like this could still be implemented as it is external to the RIPE Database.
Food for thought...
cheers
denis
co-chair DB-WG

    On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <sergio.rocha _at_ makeitsimple _dot_ pt> wrote:  
 
 Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 

-----Original Message-----
From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444        USt-IdNr.: DE813185279


  

Volker Greimann

2020-01-17 13:04:29 CET

Hmm, if you include RIPE NCC in all responses, you will greatly increase
the overhead and noise to signal ratio it has to deal with. It may be
better to maintain the ability to audit the responses. instead of receiving
them all.
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.


On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg <
anti-abuse-wg _at_ ripe _dot_ net> wrote:

> I will be fine with this (having RIPE NCC as an intermediator just to send
> the abuse report), if instead of a web form (or in addition to it), it is
> possible to automate it, for example RIPE NCC also accepts x-arf via email.
>
> RIPE NCC has the obligation to keep the information without disclosing it,
> so why we need to have a way to encypt it so RIPE NCC can’t read it?
> Furthermore, this should be an automated process. The staff is not going to
> handle every report manually. And moreover, in case of a bigger dispute,
> even if going to the courts, RIPE NCC can provide in a neutral way all the
> info of what happened.
>
> However, I’ve the feeling that in order to get this working, the policy
> must mandate that all the responser from the operator which customer is
> producing the abuse, also follow the same path, so:
>
> Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE
> NCC -> abuse reporter
>
> Otherwise, there will not be a way for RIPE to have stats of who is
> responding to abuse cases and who is not, or even simpler than that, what
> abuse mailboxes get bounced (which will be a policy violation if happens
> all the time with the same operator). Never mind we decide or not that
> not-responding is an abuse-c violation. Stats are good, even if not
> published with operator names.
>
>
>
> El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via
> anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de
> anti-abuse-wg _at_ ripe _dot_ net> escribió:
>
>
>
> Hi Sergio
>
>
>
> As I read through this thread similar ideas came to my mind. The question
> I would ask is "Is it too late to take a completely different approach to
> abuse contacts and reporting via the RIPE Database?"
>
>
>
> Suppose we had a standard form available via the ripe.net website for
> providing details of abuse. If you are able to find the "abuse-c:" details
> in the database now then you must know the IP address involved. The RIPE
> NCC could send the report to the abuse contact taken from the database via
> the specified IP address. This does not have to be an email interface
> either. We could look at other options. The RIPE NCC would then at least
> know if the report was successfully delivered. Using a standard form would
> make it much easier for the resource holder to interpret the information.
>
>
>
> Someone said:
>
> "Making such a scheme compulsory would be unacceptable to people who wish
> to interact with network owners without disclosing that in public ..."
>
> I have no understanding of the technology involved here, but when I send
> you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea
> (they say) of the content of the message. Would it be possible to submit a
> form on ripe.net in a way that the content of that form is encrypted and
> sent to the resource holder so the RIPE NCC have no idea of the content of
> the form? That would satisfy this concern.
>
>
>
> Regardless of the outcome of the RIPE Database Requirements Task Force,
> something like this could still be implemented as it is external to the
> RIPE Database.
>
>
>
> Food for thought...
>
>
>
> cheers
>
>
>
> denis
>
>
>
> co-chair DB-WG
>
>
>
>
>
> On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <
> sergio.rocha _at_ makeitsimple _dot_ pt> wrote:
>
>
>
>
>
> Hi,
>
> Maybe we can change the approach.
> If RIPE website had a platform to post abuse report, that send the email
> for
> the abuse contact, it will be possible to evaluate the responsiveness of
> the
> abuse contact.
>
> This way anyone that report an abuse could assess not only the response but
> also the effectiveness of the actions taken by the network owner. After
> some
> time with this evaluations we would easy to realize who manages the reports
> and even who does not respond at all.
>
> Sérgio
>
>
> -----Original Message-----
> From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
> Gert Doering
> Sent: 15 de janeiro de 2020 08:06
> To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
> Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
> of "abuse-mailbox")
>
> Hi,
>
> On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
> wrote:
> > I obviously don't speak for the incident handling community, but i
> > think this (making it optional) would be a serious step back. The
> > current situation is already very bad when in some cases we know from
> > the start that we are sending (automated) messages/notices to blackholes.
>
> So why is it preferrable to send mails which are not acted on, as opposed
> to
> "not send mail because you know beforehand that the other network is not
> interested"?
>
> I can see that it is frustrating - but I still cannot support a policy
> change which will not help dealing with irresponsible networks in any way,
> but at the same time increases costs and workload for those that do the
> right thing alrady.
>
>
> > To an extreme, there should always be a known contact responsible for
> > any network infrastructure. If this is not the case, what's the
> > purpose of a registry then?
>
> "a known contact" and "an *abuse-handling* contact" is not the same thing.
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
> Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444        USt-IdNr.: DE813185279
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicilty authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
>

Briaut René

2020-01-17 13:40:16 CET

STOP SPAM

Envoyé de mon iPhone par René Briaut 

Le 17 janv. 2020 à 13:04, Volker Greimann <vgreimann _at_ key-systems _dot_ net> a écrit :

Hmm, if you include RIPE NCC in all responses, you will greatly increase the overhead and noise to signal ratio it has to deal with. It may be better to maintain the ability to audit the responses. instead of receiving them all.
-- 
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.


> On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net> wrote:
> I will be fine with this (having RIPE NCC as an intermediator just to send the abuse report), if instead of a web form (or in addition to it), it is possible to automate it, for example RIPE NCC also accepts x-arf via email.
> 
> RIPE NCC has the obligation to keep the information without disclosing it, so why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, this should be an automated process. The staff is not going to handle every report manually. And moreover, in case of a bigger dispute, even if going to the courts, RIPE NCC can provide in a neutral way all the info of what happened.
> 
> However, I’ve the feeling that in order to get this working, the policy must mandate that all the responser from the operator which customer is producing the abuse, also follow the same path, so:
> 
> Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC -> abuse reporter
> 
> Otherwise, there will not be a way for RIPE to have stats of who is responding to abuse cases and who is not, or even simpler than that, what abuse mailboxes get bounced (which will be a policy violation if happens all the time with the same operator). Never mind we decide or not that not-responding is an abuse-c violation. Stats are good, even if not published with operator names.
> 
>  
> 
> El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:
> 
>  
> 
> Hi Sergio
> 
>  
> 
> As I read through this thread similar ideas came to my mind. The question I would ask is "Is it too late to take a completely different approach to abuse contacts and reporting via the RIPE Database?"
> 
>  
> 
> Suppose we had a standard form available via the ripe.net website for providing details of abuse. If you are able to find the "abuse-c:" details in the database now then you must know the IP address involved. The RIPE NCC could send the report to the abuse contact taken from the database via the specified IP address. This does not have to be an email interface either. We could look at other options. The RIPE NCC would then at least know if the report was successfully delivered. Using a standard form would make it much easier for the resource holder to interpret the information.
> 
>  
> 
> Someone said:
> 
> "Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ..."
> 
> I have no understanding of the technology involved here, but when I send you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they say) of the content of the message. Would it be possible to submit a form on ripe.net in a way that the content of that form is encrypted and sent to the resource holder so the RIPE NCC have no idea of the content of the form? That would satisfy this concern.
> 
>  
> 
> Regardless of the outcome of the RIPE Database Requirements Task Force, something like this could still be implemented as it is external to the RIPE Database.
> 
>  
> 
> Food for thought...
> 
>  
> 
> cheers
> 
>  
> 
> denis
> 
>  
> 
> co-chair DB-WG
> 
>  
> 
>  
> 
> On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <sergio.rocha _at_ makeitsimple _dot_ pt> wrote:
> 
>  
> 
>  
> 
> Hi,
> 
> Maybe we can change the approach.
> If RIPE website had a platform to post abuse report, that send the email for
> the abuse contact, it will be possible to evaluate the responsiveness of the
> abuse contact.
> 
> This way anyone that report an abuse could assess not only the response but
> also the effectiveness of the actions taken by the network owner. After some
> time with this evaluations we would easy to realize who manages the reports
> and even who does not respond at all.
> 
> Sérgio
> 
> 
> -----Original Message-----
> From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
> Gert Doering
> Sent: 15 de janeiro de 2020 08:06
> To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
> Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
> of "abuse-mailbox")
> 
> Hi,
> 
> On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
> wrote:
> > I obviously don't speak for the incident handling community, but i 
> > think this (making it optional) would be a serious step back. The 
> > current situation is already very bad when in some cases we know from 
> > the start that we are sending (automated) messages/notices to blackholes.
> 
> So why is it preferrable to send mails which are not acted on, as opposed to
> "not send mail because you know beforehand that the other network is not
> interested"?
> 
> I can see that it is frustrating - but I still cannot support a policy
> change which will not help dealing with irresponsible networks in any way,
> but at the same time increases costs and workload for those that do the
> right thing alrady.
> 
> 
> > To an extreme, there should always be a known contact responsible for 
> > any network infrastructure. If this is not the case, what's the 
> > purpose of a registry then?
> 
> "a known contact" and "an *abuse-handling* contact" is not the same thing.
> 
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
> Emmer
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444        USt-IdNr.: DE813185279
> 
> 
> 
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
> 
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
> 

ripedenis@yahoo.co.uk

2020-01-17 15:04:19 CET

 
  Yes of course it would have to be an automated process. A benefit of encrypting all the data is that it keeps the RIPE NCC out of any legal actions that may follow. They are simply a forwarding service and have no other details.
cheers
denis
co-chair DB-WG
    On Friday, 17 January 2020, 11:59:51 CET, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net> wrote:  
 
 
I will be fine with this (having RIPE NCC as an intermediator just to send the abuse report), if instead of a web form (or in addition to it), it is possible to automate it, for example RIPE NCC also accepts x-arf via email.

RIPE NCC has the obligation to keep the information without disclosing it, so why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, this should be an automated process. The staff is not going to handle every report manually. And moreover, in case of a bigger dispute, even if going to the courts, RIPE NCC can provide in a neutral way all the info of what happened.

However, I’ve the feeling that in order to get this working, the policy must mandate that all the responser from the operator which customer is producing the abuse, also follow the same path, so:

Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC -> abuse reporter

Otherwise, there will not be a way for RIPE to have stats of who is responding to abuse cases and who is not, or even simpler than that, what abuse mailboxes get bounced (which will be a policy violation if happens all the time with the same operator). Never mind we decide or not that not-responding is an abuse-c violation. Stats are good, even if not published with operator names.

  

El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" <anti-abuse-wg-bounces _at_ ripe _dot_ net en nombre de anti-abuse-wg _at_ ripe _dot_ net> escribió:

  

Hi Sergio

  

As I read through this thread similar ideas came to my mind. The question I would ask is "Is it too late to take a completely different approach to abuse contacts and reporting via the RIPE Database?"

  

Suppose we had a standard form available via the ripe.net website for providing details of abuse. If you are able to find the "abuse-c:" details in the database now then you must know the IP address involved. The RIPE NCC could send the report to the abuse contact taken from the database via the specified IP address. This does not have to be an email interface either. We could look at other options. The RIPE NCC would then at least know if the report was successfully delivered. Using a standard form would make it much easier for the resource holder to interpret the information.

  

Someone said:

"Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ..."

I have no understanding of the technology involved here, but when I send you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they say) of the content of the message. Would it be possible to submit a form on ripe.net in a way that the content of that form is encrypted and sent to the resource holder so the RIPE NCC have no idea of the content of the form? That would satisfy this concern.

  

Regardless of the outcome of the RIPE Database Requirements Task Force, something like this could still be implemented as it is external to the RIPE Database.

  

Food for thought...

  

cheers

  

denis

  

co-chair DB-WG

  

  

On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <sergio.rocha _at_ makeitsimple _dot_ pt> wrote: 

  

  

Hi,

Maybe we can change the approach.
If RIPE website had a platform to post abuse report, that send the email for
the abuse contact, it will be possible to evaluate the responsiveness of the
abuse contact.

This way anyone that report an abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with this evaluations we would easy to realize who manages the reports
and even who does not respond at all.

Sérgio 



-----Original Message-----
From: anti-abuse-wg [mailto:anti-abuse-wg-bounces _at_ ripe _dot_ net] On Behalf Of
Gert Doering
Sent: 15 de janeiro de 2020 08:06
To: Carlos Friaças <cfriacas _at_ fccn _dot_ pt>
Cc: Gert Doering <gert _at_ space _dot_ net>; anti-abuse-wg <anti-abuse-wg _at_ ripe _dot_ net>
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
wrote:
> I obviously don't speak for the incident handling community, but i 
> think this (making it optional) would be a serious step back. The 
> current situation is already very bad when in some cases we know from 
> the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing alrady.


> To an extreme, there should always be a known contact responsible for 
> any network infrastructure. If this is not the case, what's the 
> purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael
Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444        USt-IdNr.: DE813185279


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.