Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Suresh Ramasubramanian]

Has this even been put to a vote or is it the same group of extremely vocal 
RIPE regulars against it and the same group of extremely vocal security types 
for it?   Rough consensus has its limitations in such cases.

From: anti-abuse-wg 
Date: Saturday, 9 May 2020 at 4:22 AM
To: Nick Hilliard 
Cc: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of 
"abuse-mailbox")
> It's ok for consensus to be that a policy proposal be rejected
> entirely.

but how many times?

randy

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Randy Bush]

> It's ok for consensus to be that a policy proposal be rejected
> entirely.

but how many times?

randy

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Nick Hilliard]

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 08/05/2020 12:07:

[Jordi] The job of the RIPE NCC is to implement the policies agreed
by the community. Different folks may consider different pieces of
all of our policies as "inappropriate" or "arbitrary"


which is fine, mostly. Subject to usual discretion of the RIPE NCC to 
ignore policy which is harmful to itself or others.  Various board 
members have confirmed in the past that the RIPE NCC will not buy an 
island if instructed to do so by the RIPE Community.



and the goal is
to find a point in the middle, which is what we call consensus.


The goal is to try to find consensus.  There's nothing in the concept of 
consensus about trying to find a point in the middle.


If I make a policy proposal to demand that the RIPE NCC buy an island, 
would it be reasonable to settle on a compromise which involved the RIPE 
NCC buying only half an island?


It's ok for consensus to be that a policy proposal be rejected entirely.


I believe is perfectly understandable the need to avoid using manual
forms which don't follow a single standard, which means extra work
for *everyone*.


Couple of things on this:

- if you want to standardise a mechanism for abuse reporting, then that 
would be useful and by all means, go ahead with that idea first.  There 
are many forums available for doing this.


- your proposal threatens to close down RIPE NCC members if they decline 
to support abuse reports over email.  This is unhinged.



[Jordi] The actual policy has a bigger level of micro-management, by
setting one year and not allowing the NCC to change that. I think it
is much better to explicitly allow it. One alternative, I will be
fine with that, is not define the time at all, and let the NCC to
adapt it to the needs. Would you thing this is more appropriate?


The entire policy is poorly thought-through to start with.  You can't 
fix bad policy with minor tweaks around the edges.



[Jordi] What I'm asking here is to make sure that we have stats. I'm
not changing what is an actual practice. You can always report to
*any* RIR, what you think is wrong and if you're a good internet
citizen, you should do that.


If you're a good internet citizen, you have some moral obligation to 
report abuse to an internet number resources registry?


You're completely putting the cart before the horse here.  The purpose 
of the RIRs is number resource registration.



I'm happy if you believe that my wording
is not good, and we agree on that goal, to find an alternative one.
Any suggestion?


Firstly, if you propose to collect stats about anything, you need to 
think about what sort of stats should be collected.


Secondly, you need to make a credible argument about why the RIPE NCC 
should be obliged to spend membership funds collecting these stats and 
why the RIPE NCC is a more appropriate vehicle for collecting these 
stats than other organisations which specialise in online security and 
abuse issues, particularly those which already collect statistics about 
online abuse.


Nick

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Ángel González Berdasco]

On 08-05-2020 20:17 +0200, Alessandro Vesely wrote:
> On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ wrote:
> > Hi Alessandro,
> > 
> > As I've indicated already several times (and not just in this
> > discussion), all the RIRs have forms or other methods to escalate
> > any issues.
> > 
> > The proposal is only changing "let's have stats".
> 
> 
> I read:
> 
> The RIPE NCC will validate the “abuse-mailbox:” attribute at
> least
> annually. Where the attribute is deemed incorrect, it will follow
> up in
> compliance with relevant RIPE Policies and RIPE NCC procedures.
>
> https://www.ripe.net/participate/policies/proposals/2019-04
> 
> The anonymized statistics is mentioned afterward.  It seems to result
> from
> community escalation and reporting, rather than from the abuse-
> mailbox
> validation itself.  By my proposal, instead, the output of the
> validation process is borne out when the abuse address is removed
> from the database —and the corresponding IP ranges duly transmitted.
> 
> 
> Best
> Ale

Currently there are already abuse contacts marked as having failed
validation.
Maybe it should be tagged in a different way.
I do not think removing them would be the solution, as that would be
ambiguous with not having been set at all. Plus, it is also possible
that it is actually working, and the failure was just a transient
error.

Trying to suit everything, I would probably go for providing along the
abuse contact when was the first and last known date it worked, and -if
newer- they didn't.
An individual could contribute to the contact being marked as failed
(as it's already the case) by notifying RIPE. The rir owner could also
trigger a new check to show that it is working again.


And whatever you do with such information, is still up for local
policy. If am abuse contact is known to have been working last Monday,
but fails since yesterday, there's a good chance that it has been fixed
or it will be shortly. If it has never been verified to work and it has
been failing for seven years, well, there's probably no point in
notifying them through that address.

However, all of that would still be a local policy decision, which I
suspect would be better received. You would set your own arbitrary
thresholds there, rather than the discussion on after which X time
should RIPE pull that entry from the db. Plus, not all purposes would
treat them similarly.
In case you are reporting an abuse from two hours ago, you may only
care that it is working *right now*. However, if you were checking
whether their abuse contact status, as one of multiple points
evaluating a peering request, trying to guess how problematic your
prospective neighbour may be, you might prefer seeing that their abuse
mail has been reachable for the last 6 months.


Best regards

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Alessandro Vesely]

On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> Hi Alessandro,
> 
> As I've indicated already several times (and not just in this discussion), 
> all the RIRs have forms or other methods to escalate any issues.
> 
> The proposal is only changing "let's have stats".


I read:

The RIPE NCC will validate the “abuse-mailbox:” attribute at least
annually. Where the attribute is deemed incorrect, it will follow up in
compliance with relevant RIPE Policies and RIPE NCC procedures.
   https://www.ripe.net/participate/policies/proposals/2019-04

The anonymized statistics is mentioned afterward.  It seems to result from
community escalation and reporting, rather than from the abuse-mailbox
validation itself.  By my proposal, instead, the output of the validation
process is borne out when the abuse address is removed from the database —and
the corresponding IP ranges duly transmitted.


Best
Ale


> El 4/5/20 12:29, "anti-abuse-wg en nombre de Alessandro Vesely" 
>  escribió:
> 
> Hi,
> 
> On 29/04/2020 13:22, Gert Doering wrote:
> > 
> > If people *want* to handle abuse reports, they do so today already
> > (and if they mess up their mail reception, the NCC will check this today
> > already, and let them know).
> > 
> > If people *do not want* to handle abuse reports, this proposal will not
> > make them.
> 
> 
> The above is unquestionable truth.  There is a grey area, where a mailbox
> doesn't work because of misconfiguration, mailbox full, or similar issues.
> Validation might help in those cases.
> 
> However, statements like:
> 
> The “abuse-c:” will be mandatory for all aut-nums
> 
> are in conflict with the unquestionable truth quoted above.  Please, allow
> abuse-c to be empty!  I have to keep a dont-send list of non-responding 
> abuse
> addresses.  Some 70% of the complaints I would have sent hit that list.  
> It
> would be more practical to have an empty abuse-c entry in the first place.
> 
> In addition, having networks without abuse addresses makes them more 
> easily
> identifiable.  RIPE NCC could compile the relevant IP addresses into an 
> easily
> usable format, for example one readable by rbldns.  Rather than 
> following-up
> and threatening resource revocation, upon repeated validation failures, 
> the
> RIPE NCC should just remove the non-working abuse-c entry, thereby adding 
> the
> relevant IP addresses to the "no-complaints" list.
> 
> A web form to report bouncing abuse addresses would be useful too.
> 
> 
> Best
> Ale
> -- 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
> 
> This electronic message contains information which may be privileged or 
> confidential. The information is intended to be for the exclusive use of the 
> individual(s) named above and further non-explicilty authorized disclosure, 
> copying, distribution or use of the contents of this information, even if 
> partially, including attached files, is strictly prohibited and will be 
> considered a criminal offense. If you are not the intended recipient be aware 
> that any disclosure, copying, distribution or use of the contents of this 
> information, even if partially, including attached files, is strictly 
> prohibited, will be considered a criminal offense, so you must reply to the 
> original sender to inform about this communication and delete it.
> 
> 
> 
> 
> 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Sergey Myasoedov via anti-abuse-wg]

Dear Jordi,

> There are existing procedures for that in extreme cases.

I think it's now obvious that existing procedures does not work.


--
Sergey


Friday, May 8, 2020, 1:20:45 PM, you wrote:

JPMvaaw> However, I fully understand that the community prefer to do things in 
different steps.

JPMvaaw> We initially asked for the abuse mailbox.

JPMvaaw> Then we added a technical validation.

JPMvaaw> Now I'm asking for a better validations and make sure that
JPMvaaw> the reporting is feasible. I'm not asking to verify if you handle the 
abuse case or not.

JPMvaaw> *AND* I'm not asking to take *new* actions. There are
JPMvaaw> existing procedures for that in extreme cases.
JPMvaaw>  

JPMvaaw> El 30/4/20 9:51, "anti-abuse-wg en nombre de Serge Droz via
JPMvaaw> anti-abuse-wg"  anti-abuse-wg@ripe.net> escribió:

JPMvaaw> I do not disagree with this.

JPMvaaw> Serge


JPMvaaw> On 30.04.20 09:41, Hans-Martin Mosner wrote:
JPMvaaw> > Am 30.04.20 um 02:58 schrieb Suresh Ramasubramanian:
JPMvaaw> >>
JPMvaaw> >> However, being in a fiduciary role - with IPv4 being traded like
JPMvaaw> >> currency these days the description fits - RIPE NCC can’t not 
get
JPMvaaw> >> involved.
JPMvaaw> >>
JPMvaaw> > ...
JPMvaaw> >> NCC owes it to the rest of its membership and the internet 
community
JPMvaaw> >> at large to take a more active role in this matter.
JPMvaaw> >>
JPMvaaw> > This.
JPMvaaw> > 
JPMvaaw> > And as long as RIPE and/or NCC explicitly does not want to take 
action
JPMvaaw> > when RIPE members don't handle abuse from their networks 
properly, the
JPMvaaw> > whole issue of validating abuse mailbox addresses is moot. After 
all
JPMvaaw> > discussion, the toothless compromise will be that there should 
be an
JPMvaaw> > abuse mailbox, and FWIW it can be handled by Dave Null because 
nobody
JPMvaaw> > will exert pressure on the resource holder to do anything else.
JPMvaaw> > 
JPMvaaw> > Our problem on the receiving side of network abuse is not with 
the few
JPMvaaw> > good-willing but technically challenged providers whose abuse 
mailbox
JPMvaaw> > isn't working properly but with those large operators who don't 
give a
JPMvaaw> > flying f about their customer's network abuse.
JPMvaaw> > 
JPMvaaw> > Personally, I consider the anti-abuse WG a failure at this 
point. When I
JPMvaaw> > joined I had hoped to see and possibly support constructive work 
towards
JPMvaaw> > a reduction in network abuse, but apparently there are big 
players in
JPMvaaw> > this game who are not interested in such a reduction as it would
JPMvaaw> > undermine their "business".
JPMvaaw> > 
JPMvaaw> > Cheers,
JPMvaaw> > Hans-Martin
JPMvaaw> > 

JPMvaaw> -- 
JPMvaaw> Dr. Serge Droz
JPMvaaw> Chair of the FIRST Board of Directors
JPMvaaw> https://www.first.org




JPMvaaw> **
JPMvaaw> IPv4 is over
JPMvaaw> Are you ready for the new Internet ?
JPMvaaw> http://www.theipv6company.com
JPMvaaw> The IPv6 Company

JPMvaaw> This electronic message contains information which may be
JPMvaaw> privileged or confidential. The information is intended to be
JPMvaaw> for the exclusive use of the individual(s) named above and
JPMvaaw> further non-explicilty authorized disclosure, copying,
JPMvaaw> distribution or use of the contents of this information, even
JPMvaaw> if partially, including attached files, is strictly
JPMvaaw> prohibited and will be considered a criminal offense. If you
JPMvaaw> are not the intended recipient be aware that any disclosure,
JPMvaaw> copying, distribution or use of the contents of this
JPMvaaw> information, even if partially, including attached files, is
JPMvaaw> strictly prohibited, will be considered a criminal offense,
JPMvaaw> so you must reply to the original sender to inform about this 
communication and delete it.

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Alessandro,

As I've indicated already several times (and not just in this discussion), all 
the RIRs have forms or other methods to escalate any issues.

The proposal is only changing "let's have stats".


El 4/5/20 12:29, "anti-abuse-wg en nombre de Alessandro Vesely" 
 escribió:

Hi,

On 29/04/2020 13:22, Gert Doering wrote:
> 
> If people *want* to handle abuse reports, they do so today already
> (and if they mess up their mail reception, the NCC will check this today
> already, and let them know).
> 
> If people *do not want* to handle abuse reports, this proposal will not
> make them.


The above is unquestionable truth.  There is a grey area, where a mailbox
doesn't work because of misconfiguration, mailbox full, or similar issues.
Validation might help in those cases.

However, statements like:

The “abuse-c:” will be mandatory for all aut-nums

are in conflict with the unquestionable truth quoted above.  Please, allow
abuse-c to be empty!  I have to keep a dont-send list of non-responding 
abuse
addresses.  Some 70% of the complaints I would have sent hit that list.  It
would be more practical to have an empty abuse-c entry in the first place.

In addition, having networks without abuse addresses makes them more easily
identifiable.  RIPE NCC could compile the relevant IP addresses into an 
easily
usable format, for example one readable by rbldns.  Rather than following-up
and threatening resource revocation, upon repeated validation failures, the
RIPE NCC should just remove the non-working abuse-c entry, thereby adding 
the
relevant IP addresses to the "no-complaints" list.

A web form to report bouncing abuse addresses would be useful too.


Best
Ale
-- 


































**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

However, I fully understand that the community prefer to do things in different 
steps.

We initially asked for the abuse mailbox.

Then we added a technical validation.

Now I'm asking for a better validations and make sure that the reporting is 
feasible. I'm not asking to verify if you handle the abuse case or not.

*AND* I'm not asking to take *new* actions. There are existing procedures for 
that in extreme cases.
 

El 30/4/20 9:51, "anti-abuse-wg en nombre de Serge Droz via anti-abuse-wg" 
 escribió:

I do not disagree with this.

Serge


On 30.04.20 09:41, Hans-Martin Mosner wrote:
> Am 30.04.20 um 02:58 schrieb Suresh Ramasubramanian:
>>
>> However, being in a fiduciary role - with IPv4 being traded like
>> currency these days the description fits - RIPE NCC can’t not get
>> involved.
>>
> ...
>> NCC owes it to the rest of its membership and the internet community
>> at large to take a more active role in this matter.
>>
> This.
> 
> And as long as RIPE and/or NCC explicitly does not want to take action
> when RIPE members don't handle abuse from their networks properly, the
> whole issue of validating abuse mailbox addresses is moot. After all
> discussion, the toothless compromise will be that there should be an
> abuse mailbox, and FWIW it can be handled by Dave Null because nobody
> will exert pressure on the resource holder to do anything else.
> 
> Our problem on the receiving side of network abuse is not with the few
> good-willing but technically challenged providers whose abuse mailbox
> isn't working properly but with those large operators who don't give a
> flying f about their customer's network abuse.
> 
> Personally, I consider the anti-abuse WG a failure at this point. When I
> joined I had hoped to see and possibly support constructive work towards
> a reduction in network abuse, but apparently there are big players in
> this game who are not interested in such a reduction as it would
> undermine their "business".
> 
> Cheers,
> Hans-Martin
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

El 29/4/20 14:23, "anti-abuse-wg en nombre de Gert Doering" 
 escribió:

Hi,

On Wed, Apr 29, 2020 at 01:44:42PM +0200, Serge Droz via anti-abuse-wg 
wrote:
> >> Coming from the incident response side, I'm tiered of people constantly
> >> telling me, that issues are not their problem
> > 
> > How would this proposal help with said problem?
> 
> - It will catch the cases where some miss configuration happened indeed

This is already caught today.  The RIPE NCC *does* abuse-c mailbox
validation today.

[Jordi] But is not working, it is just a technical validation.

> - It will make it impossible for orgs to say "We never received a report"

How so?  Yes, there is a mailbox.  But if someone doesn't care, why 
would they not still claim "I have never seen a report"?

[Jordi] We need to know stats about those cases.

> - It allows us to enumerate better who does good work and who doesn't.

And how does *this proposal* have any influence on this?

[Jordi] I agree here with Gert. Personally, I will like to know who is not 
handling abuse cases, so I can filter its network. As "what is best for the 
community, at the time being", and the way I phrased it in the proposal I just 
want to have stats, not pointing to anyone.

I'm usually more of an reporter than a responder, but I've seen both
sides - and [as I've said before...] you don't get orgs that do not care
to magically expend resources on abuse handling by introducing more
mailbox verification procedures.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael 
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

 

El 29/4/20 13:18, "anti-abuse-wg en nombre de Elad Cohen" 
 escribió:

 

What is this ?

 

"However, the community should report any situation to the RIPE NCC, which can 
provide (anonymous) periodical statistics to the community, which can take 
further decisions about that."

 

Ripe members are informers?

 

"divide and conquer" strategy ?

 

[Jordi] I’ve explained the intent before. The reporting to the RIPE NCC (and 
all the other RIRs) of anything which may be relevant is not acting as 
“informer”, but collaboration in order to discover isues and improve. Can you 
suggest a better wording?

 

Abuse email addresses (just like any other email address) are being spammed, 
not only by non-relevant spammers but also by automatic useless services that 
are installed at servers that don't take themselves any measure of proper 
configuration to avoid the automatic useless services.

 

To my opinion, Ripe should create its own anti-abuse system, each LIR will have 
login access to it (LIR will be able to choose to receive notifications through 
sms / email) and to mark each abuse complaint as resolved or not (that system 
can also have an API so LIR's will be able to pull their abuse complaints), the 
main issue is that complaints to that system will not be able to be done 
automatically or by email - only manually by form filling with captcha. (after 
the LIR will mark an abuse complain as resolved - the complainer will receive 
an email address also to confirm with him if issue is resolved or not, 
non-detailed statistics will be able to be displayed to the whole community - 
to see the percentage of how many manual complaints weren't handled by each LIR)

 

[Jordi] Maybe you could submit a proposal for that?

 

---

 

Besides the above, I also believe that we as a community should not accept 
complainers which are not taking the most basic configuration actions to 
protect their systems, and would consider these complaints as spam. In order 
for abuse complaints not to be abused.

 

[Jordi] I disagree here. Is like you tell a shop owner, you’re guilty because 
you didn’t took enough measures. Too many measures sometimes avoid getting real 
customers coming in.

 

Respectfully,

Elad

 

 

From: anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg
Sent: Wednesday, April 29, 2020 11:22 AM
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of 
"abuse-mailbox") 

 

Hi All

I think this is a good policy.

We can always find use cases where it fails, but it will help in some
cases.

And if some one is not able to answer an e-mail every six month, there
are probably underlying issues. Also the argument, that the bad guys
flood the mailbox is not really acceptable. It just means you can't
filter spam.

The proposal does not check how the reports are used. But it helps us to
enumerate organizations, that don't act, coming up with various excuses,
along the lines the best problems are some one else's problems, so let's
make it some on else's problem.

The fact is: Most mature organizations are perfectly capable of handling
such mail boxes, even if they have a high load.

Coming from the incident response side, I'm tiered of people constantly
telling me, that issues are not their problem

Best
Serge





On 28.04.20 16:01, Petrit Hasani wrote:
> Dear colleagues,
> 
> A new version of RIPE policy proposal, 2019-04, "Validation of
> "abuse-mailbox"", is now available for discussion.
> 
> This proposal aims to have the RIPE NCC validate "abuse-c:" information
> more often and introduces a new validation process.
> 
> Most of the text has been rewritten following the last round of
> discussion and the proposal is now at version 3.0. Some key points in
> this version:
> 
> - The abuse-mailbox should not force the sender to use a form
> - The validation process must ensure that the abuse mailbox is able to
> receive messages
> - The validation should happen at least every six months
> 
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-04
> 
> As per the RIPE Policy Development Process (PDP), the purpose of this
> four-week Discussion Phase is to discuss the proposal and provide
> feedback to the proposer.
> 
> At the end of the Discussion Phase, the proposer, with the agreement of
> the Anti-Abuse Working Group Chairs, will decide how to proceed with the
> proposal.
> 
> We encourage you to review this proposal and send your comments to
>  before 27 May 2020.
> 
> Kind regards,
> --
> Petrit Hasani
> Policy Officer
> RIPE NCC
> 
> 
> 
> 
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

 

El 29/4/20 4:25, "anti-abuse-wg en nombre de No No" 
 escribió:

 

In relation to the policy, where it says: "must not force the sender to use a 
form."

 

as someone that reports phishing websites, I find the use of forms helpful, as 
it ensures the company receives the report, particularly where they implement a 
CAPTCHA. 

 

[Jordi] I disagree here and many people has also indicated the same in previous 
versions discussions. The problem of a form is that is not standard. If you’re 
reporting abuses to 100 ISPs, and each one has its own form, you really need to 
do it manually, you can’t automate it. Even if you do the job for automating 
it, they may change it and your automation may fail. This is economically 
non-sustainable and means that the cost of the abuse cases is on the back of 
the one actually reporting.

 

To require the resource to only accept abuse reports via email, means all the 
criminals have to do is flood the mailbox, making it physically impossible to 
receive the abuse reports.

 

[Jordi] That's why I’m suggesting the use of standards as one of the options. 
I’m happy to find a better way or wording to improve it. Do we agree that 
something that can be fully automatted is much better, even to filter that kind 
of flooding?

 

If the policy could be amended to include a suggestion that the abuse mailbox 
contain a verification procedure (such as "your email has been received. Please 
"click here" to confirm you sent it") it would improve efficiency all around.

 

[Jordi] A previous version had many many many details and it was considered to 
intrusive, that's why I’m going away from there.

 

In relation to Nick Hilliard's email, where they say:

 

" it is beyond inappropriate for this working group to expect the RIPE NCC to 
withdraw numbering resources if member organisations  don't comply with an 
arbitrary policy which forces the use of SMTP email like this."

 

This is, in a nutshell, what is wrong with this RIR, and others, such as ARIN. 
Often I will look up abuse contacts on ARIN, to find that the abuse mailbox 
bounces, and a message such as "ARIN has attempted to verify this email address 
since 10-11-2010" - almost 10 YEARS!

 

So, what are you seriously suggesting? Because these people that become 
offended at the suggestion that it's unreasonable for someone to ensure an 
email address is valid once per year (very onerous i'm sure), never really say 
what they really mean, which is really what is inappropriate: that criminals 
should be able to use a resource indefinitely to pump out spam, host phishing 
websites, co-ordinate botnets etc... and that the person that receives this 
crap is not even entitled to let the resource owner know?

 



 

 

 

 

 

 

On Wed, Apr 29, 2020 at 12:01 AM Petrit Hasani  wrote:

Dear colleagues,

A new version of RIPE policy proposal, 2019-04, "Validation of
"abuse-mailbox"", is now available for discussion.

This proposal aims to have the RIPE NCC validate "abuse-c:" information
more often and introduces a new validation process.

Most of the text has been rewritten following the last round of
discussion and the proposal is now at version 3.0. Some key points in
this version:

- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to
receive messages
- The validation should happen at least every six months

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-04

As per the RIPE Policy Development Process (PDP), the purpose of this
four-week Discussion Phase is to discuss the proposal and provide
feedback to the proposer.

At the end of the Discussion Phase, the proposer, with the agreement of
the Anti-Abuse Working Group Chairs, will decide how to proceed with the
proposal.

We encourage you to review this proposal and send your comments to
 before 27 May 2020.

Kind regards,
--
Petrit Hasani
Policy Officer
RIPE NCC







**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Nick, all,

I was waiting a few days because I though it will be easier wait for most of 
the participants to be able to react and then try to summarize and respond to 
all the comments in a single email.

I'm going to try to do it anyway with as fewer emails as I can. This means 
trying to avoid repeating myself, in the interest of everyone, but if you feel 
that I'm missing anything which is key, please, let me know.

I would suggest to wait a couple of hours, so I stop replying in order to ask 
something that I will be replying already in minutes ...

So ... My responses below, in line, as [Jordi]
 
 

El 28/4/20 21:28, "anti-abuse-wg en nombre de Nick Hilliard" 
 escribió:

Petrit Hasani wrote on 28/04/2020 15:01:
> A new version of RIPE policy proposal, 2019-04, "Validation of
> "abuse-mailbox"", is now available for discussion.

The updated version of this policy proposal is here:

> https://www.ripe.net/participate/policies/proposals/2019-04/draft

The proposal has the following problems, each of which would be 
sufficient reason it its own right to reject the proposal:

> and must not force the sender to use a form.

It's not the job of the RIPE NCC to tell its members how to handle abuse 
reports, and it is beyond inappropriate for this working group to expect 
the RIPE NCC to withdraw numbering resources if member organisations 
don't comply with an arbitrary policy which forces the use of SMTP email 
like this.

[Jordi] The job of the RIPE NCC is to implement the policies agreed by the 
community. Different folks may consider different pieces of all of our policies 
as "inappropriate" or "arbitrary" and the goal is to find a point in the 
middle, which is what we call consensus. I believe is perfectly understandable 
the need to avoid using manual forms which don't follow a single standard, 
which means extra work for *everyone*.

> [...] is present and can receive messages at least every six months*.
> If the validation fails, the RIPE NCC
and:

> *The RIPE NCC may change the validation period depending on the level
> of accuracy of the contacts. For example, switching from six-month to
> one-year period once contact accuracy has improved.

This addition proposes to micromanage the RIPE NCC even further. 
Arbitrary time-scales like this are operational details which have no 
place in a well-thought-out policy.

[Jordi] The actual policy has a bigger level of micro-management, by setting 
one year and not allowing the NCC to change that. I think it is much better to 
explicitly allow it. One alternative, I will be fine with that, is not define 
the time at all, and let the NCC to adapt it to the needs. Would you thing this 
is more appropriate?

> This validation process will not check how the abuse cases are
> processed. The community should escalate/report back to the RIPE NCC,
> so anonymised statistics can be collected and periodically
> published.

> However, the community should report any situation to the RIPE NCC,
> which can provide (anonymous) periodical statistics to the community,
> which can take further decisions about that.

This proposes that the RIPE NCC becomes an abuse reporting clearinghouse 
based on unsubstantiated community gossip.  This is inappropriate in 
many different ways.

[Jordi] What I'm asking here is to make sure that we have stats. I'm not 
changing what is an actual practice. You can always report to *any* RIR, what 
you think is wrong and if you're a good internet citizen, you should do that. 
I'm happy if you believe that my wording is not good, and we agree on that 
goal, to find an alternative one. Any suggestion?

> It should be clear that the policy intent is not to look into how the
> abuse mailbox is monitored or how abuse cases are handled.

It's difficult to take this seriously when the intent of most of the 
rest of the text in the proposal is about using the RIPE NCC to monitor 
how abuse cases are handled and to ensure that the abuse mailbox is 
monitored.

[Jordi] I can't agree here. If you compare the different versions, you will see 
that I've taken in consideration the inputs on this and removed lots of text 
that were considered as telling the resource holders how to do it. The proposal 
no longer looks if you have a person, a robot, or whatever to monitor de abuse 
mailbox, or if you ignore the cases.

The proposal is self-contradictory, intrusive into NCC membership 
business processes and there is no compelling reason to believe that the 
proposal will end up reducing the amount of abuse on the internet.

[Jordi] Again, the proposal is trying to ensure that we have stats. Then we, as 
a community, can decide if we need to do anything or not. I don't think this is 
intrusive at all and if we compare with other policies, that also tell us how 
you do the things, because many 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[JORDI PALET MARTINEZ via anti-abuse-wg]

I fully agree with Gert here.

The proposal is not trying to punish anyone, just to improve things, make sure 
that errors are discovered and corrected, and for that we need to have stats 
and tools.

And this is why it was also removed from this version text that we had in 
previous versions about that.
 

El 29/4/20 8:38, "anti-abuse-wg en nombre de Gert Doering" 
 escribió:

Hi,

On Wed, Apr 29, 2020 at 12:31:39PM +1000, No No wrote:
> I would also like to make another suggestion:
> 
> That where the RIPE has to manually verify an abuse mailbox, the costs of
> that verification should be levelled against the resource holder as a fee,
> for example: $2 per IPv4 address
> 
> and,
> 
> failing manual verification, that a countdown be implemented and sent to
> the abuse mailbox, in the form of: "Click here within 7 days to ensure 
your
> resources are not de-registered" and then if they fail to click that link,
> the automatic de-registering of the IP address/resources, and the 
immediate
> sale of that IPv4 address/space to the highest bidder.

And *this* is exactly why this proposal is the beginning of a slippery
slope that leads to "no way!" land.

Mail system misconfigurations happen, even for the best of us.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael 
Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

[anti-abuse-wg] @EXT: Europol Safety Guide for the "New Normal" after COVID-19

[Marcolla, Sara Veronica]

Dear Anti-Abuse WG readers,

Over the course of the past 6 weeks Europol has been releasing on weekly basis 
new material relating to COVID-19, all is available in the Europol landing 
page: 
https://www.europol.europa.eu/staying-safe-during-covid-19-what-you-need-to-know
 and it gets published via the Europol and EC3 social media channels (Twitter, 
Facebook, Instagram and LinkedIn).

This week we have launched a new product that may be of your interest: an 
infographic covering a safety guide for 'the new normal', looking ahead and 
complementing the information contain in the latest Europol public report 
issued a few days ago.

You can find the report here: 
https://www.europol.europa.eu/sites/default/files/documents/report_beyond_the_pandemic.pdf
And the infographic here: 
https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/safety-guide-for-new-normal-after-covid-19

The infographic comes in full and in 4 themed cards (if you wish to have them 
for use in your social media and/or in your company, you can drop me a 
message). This message was shared with ICANN GAC and the RIPE Cooperation WG as 
well, inter alia.

Kind regards,

Sara Marcolla

Europol - O3 European Cyber Crime Centre (EC3)

Eisenhowerlaan 73, 2517 KK
The Hague, The Netherlands
www.europol.europa.eu






***

DISCLAIMER : This message is sent in confidence and is only intended for the 
named recipient. If you receive this message by mistake, you may not use, copy, 
distribute or forward this message, or any part of its contents or rely upon 
the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails 
from any computer. This message does not constitute a commitment by Europol 
unless otherwise indicated.

***