Hi Rich,


On 21/5/19 9:31, "anti-abuse-wg on behalf of Rich Kulawiec" 
<anti-abuse-wg-boun...@ripe.net on behalf of r...@gsp.org> wrote:

    
    This is a bad idea and should be abandoned.
    
    The goal is fine: everyone/everything should have a valid abuse@ address
    per RFC 2142, decades of best practices, and inherent accountability to
    the entire Internet community.  Everybody should pay attention to what
    shows up there, conduct investigations, mitigate problems, report/apologize
    as necessary, and so on.  I've been on the record for a long time
    supporting this goal and that hasn't changed.
    
    However:
    
    1. Sending UBE to abuse mailboxes is bad.  Think about it.

We have no other way, unless we have a widely adopted standard. It is also 
something being done today with most of the abuse cases. What is wrong is to 
have a different form for every possible LIR/end-user in the world. Not 
workable.
    
    2. Expecting people to follow URLs contained in messages to abuse

If you read the example procedure in the proposal, this has been sorted out.

    mailboxes is a horrible idea.  Penalizing them for not doing it is worse.

Penalizing members of an RIR that don't follow policies is the right thing to 
do.

    (Best practice for abuse handlers is to not use a mail client that parses
    HTML or a mail client with a GUI, for what I trust are obvious reasons.)

    
    3. Whatever response mechanism is devised, it WILL be automated.
    I note the reference to "captchas" and suggest reading my recent
    comment on those in another recent thread here: briefly, they have long
    since been quite thoroughly beaten.  They are worthless, and anyone
    using them or suggesting their use is woefully ignorant.

It is up to the implementation to decide what is best, and I guess it will 
evolve over time.
    
    4. Knowing that abuse reports are accepted and read is nice, but not
    terribly useful.  What matters is what's done with them, and that
    ranges from "investigated promptly and acted on decisively if they're
    shown to be accurate" to "ignored and discarded" to "forwarded to the
    abusers".

I've preferred not to go into the fine line of whether reports must be properly 
investigated and properly acted on, but this is something that the community 
can decide as well. I don't think it is coherent to have a business providing 
Internet services and not have an AUP, or even worse, to have an AUP and not act 
on it. This is a business that doesn't impact only your own customers if you 
allow criminals in your network; it impacts the rest of the world, a very 
different level of responsibility than any other business.
    
    And we (for a vague value of "we") already know this: we know because
    we've submitted abuse reports and observed outcomes for years.  We know
    which operations never respond in any way and we know which ones hand
    data over to abusers (or *are* the abusers).  We know this by practice
    and experience -- it's not something that can be automated.  It takes
    time and effort and expertise to figure out.

As already indicated several times, ideally we would have a standard, and then 
open source or commercial tools that take care of that as much as possible. 
However, in the meantime we need to act.
    
    5. This approach fails the "what if everybody did it?" test quite badly.

Sorry, I'm not sure I understand your point here.
    
    6. Of course, the moment something like this is deployed -- if not
    before -- bad actors will realize that copycatting it may well be
    an effective tactic to directly attack abuse desk operations and/or
    gather intelligence on them and/or compromise them.

Again, if you read the policy there is an example of things that can be done to 
avoid that, such as periodically changing domains, subjects, etc.
    
    ---rsk
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
