Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread Ángel González Berdasco
On Tue, 12-05-2020 at 22:21 +0200, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> You misunderstood me.  I'm not advocating de-registration of IP
> resources.  I meant to remove just the abuse-c email address, since it
> does not work.  As an alternative, as Àngel noted, there could be a tag
> saying that the email address is not valid, without actually removing it.
> 
> [Jordi] I got your point now, thanks!
> 
> I think it is more useful instead of removing the address, marking
> the record as invalid, and this is being done if I recall correctly
> from RIPE NCC presentations.

5.135.48.50 is one of such IP addresses.
It has as abuse-c ab...@for-ns.com, which is trivially invalid:
for-ns.com mail is handled by 10 mail.for-ns.com.
mail.for-ns.com has address 176.9.154.142
Yet, there is no mail server on 176.9.154.142:25

Port 43 access provides:
> % Information related to '5.135.48.48 - 5.135.48.51'
> 
> % Abuse contact for '5.135.48.48 - 5.135.48.51' is 'ab...@for-ns.com'
> % Abuse-mailbox validation failed. Please refer to ORG-OS3-RIPE for further information.


I am unable to see such a piece of information on the RDAP view, though:
https://rdap.db.ripe.net/ip/5.135.48.48


Best regards

-- 
INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute
https://www.incibe-cert.es/

PGP Keys:
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys



INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.



Disclaimer:
This message may contain confidential information, within the framework
of the corporate Security Management System. If you are not the intended
recipient, please notify the sender and delete this message without
forwarding or retaining a copy, since any unauthorized use is strictly
prohibited by law.
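
The port 43 comment lines quoted in the message above can be checked mechanically before an abuse report is sent. The following Python sketch is an added example, not part of the original message and not RIPE NCC tooling; the helper names and the second sample block (192.0.2.0/24, abuse@example.net) are constructed for illustration.

```python
"""Extract abuse contacts and the validation-failed marker from the comment
lines of a RIPE whois (port 43) response."""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the comment lines quoted in the message (address left
# elided exactly as the list archive shows it) plus one constructed block for
# a documentation range whose abuse-c carries no failure marker.
SAMPLE_RESPONSE = """\
% Information related to '5.135.48.48 - 5.135.48.51'

% Abuse contact for '5.135.48.48 - 5.135.48.51' is 'ab...@for-ns.com'
% Abuse-mailbox validation failed. Please refer to ORG-OS3-RIPE for
further information.

% Information related to '192.0.2.0 - 192.0.2.255'

% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.net'
"""

CONTACT_RE = re.compile(r"^%\s*Abuse contact for '([^']+)' is '([^']+)'")
FAILED_RE = re.compile(r"^%\s*Abuse-mailbox validation failed\.")
ORG_RE = re.compile(r"\bORG-[A-Z0-9]+-RIPE\b")
QUOTE_PREFIX_RE = re.compile(r"^(?:>\s?)+")  # output pasted from a mail reply


@dataclass
class AbuseContact:
    inetnum: str
    mailbox: str
    validation_failed: bool = False
    org: Optional[str] = None  # organisation object named by the failure note


def parse_abuse_contacts(text: str) -> List[AbuseContact]:
    """Return one record per 'Abuse contact for' line, flagged when the next
    comment says the abuse-mailbox validation failed."""
    contacts: List[AbuseContact] = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX_RE.sub("", raw).strip()
        found = CONTACT_RE.match(line)
        if found:
            contacts.append(AbuseContact(found.group(1), found.group(2)))
            continue
        # The failure note only makes sense after a contact line.
        if contacts and FAILED_RE.match(line):
            contacts[-1].validation_failed = True
            org = ORG_RE.search(line)
            contacts[-1].org = org.group(0) if org else None
    return contacts


def usable_mailboxes(contacts: List[AbuseContact]) -> List[str]:
    """Mailboxes that the registry has not flagged as failing validation."""
    return [c.mailbox for c in contacts if not c.validation_failed]


def fetch_whois(query: str, server: str = "whois.ripe.net",
                port: int = 43, timeout: float = 10.0) -> str:
    """Plain whois exchange: send the query line, read until the server
    closes the connection. Not called by the offline demo below."""
    with socket.create_connection((server, port), timeout=timeout) as conn:
        conn.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for contact in parse_abuse_contacts(SAMPLE_RESPONSE):
        state = "FAILED validation" if contact.validation_failed else "ok"
        print(f"{contact.inetnum}: {contact.mailbox} [{state}] {contact.org or ''}")
```
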





Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Ángel González Berdasco
I have been told both things. That company email accounts wouldn't fall on its 
scope (even if they contained the full name) and that such usage would be 
improperly treating PII.

GDPR seems to mostly leave that part to Directive 2002/58/EC, which isn't 
completely clear:
Article 13

Unsolicited communications

1. The use of automated calling systems without human intervention (automatic 
calling machines), facsimile machines (fax) or electronic mail for the purposes 
of direct marketing may only be allowed in respect of subscribers who have 
given their prior consent.

2. Notwithstanding paragraph 1, where a natural or legal person obtains from 
its customers their electronic contact details for electronic mail, in the 
context of the sale of a product or a service, in accordance with Directive 
95/46/EC, the same natural or legal person may use these electronic contact 
details for direct marketing of its own similar products or services provided 
that customers clearly and distinctly are given the opportunity to object, free 
of charge and in an easy manner, to such use of electronic contact details when 
they are collected and on the occasion of each message in case the customer has 
not initially refused such use.

3. Member States shall take appropriate measures to ensure that, free of 
charge, unsolicited communications for purposes of direct marketing, in cases 
other than those referred to in paragraphs 1 and 2, are not allowed either 
without the consent of the subscribers concerned or in respect of subscribers 
who do not wish to receive these communications, the choice between these 
options to be determined by national legislation.

4. In any event, the practice of sending electronic mail for purposes of direct 
marketing disguising or concealing the identity of the sender on whose behalf 
the communication is made, or without a valid address to which the recipient 
may send a request that such communications cease, shall be prohibited.

5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. 
Member States shall also ensure, in the framework of Community law and 
applicable national legislation, that the legitimate interests of subscribers 
other than natural persons with regard to unsolicited communications are 
sufficiently protected.

It talks mainly about natural persons, but others should as well have adequate 
protections. so... ¯\_(ツ)_/¯

https://gdpr-info.eu/issues/email-marketing/
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058=EN

The fact that in RIPE database all those role accounts emails are considered 
"personal data sets" in the RIPE db may or may not also influence how it should 
be treated w.r.t its treatments.


In any case, not complying with the RIPE Database Terms and Conditions may make 
such use unlawful even if it would be otherwise acceptable.


Best regards

Ángel


On Tue, 12-05-2020 at 23:41 +0200, JORDI PALET MARTINEZ via anti-abuse-wg 
wrote:
I’m not sure if this is true in all the cases, because a physical person can 
also have PI resources and then a personal email in the database.

There is one more point, which I’m discussing with the Spanish DPA in the 
constitutional court, and it is the classification between personal and company 
emails, when they have your name and family name, you use it for personal 
matters (even if the domain is from a company – example, you can have separate 
emails for business and personal, but using the same domain), and if the 
collection of data was authorized or not, and if it was just data collection or 
also spam.

Is not easy. In Spain, the spam (even with business emails) is not allowed 
according to a further law (LSSI). I guess it varies from country to country.

Anyway, I think it has been said a few days ago, harvesting the databases for 
spam is against the AUP.

Regards,
Jordi

@jordipalet





On 12/5/20 23:27, "anti-abuse-wg on behalf of Alex de Joode" 
<anti-abuse-wg-boun...@ripe.net on behalf of a...@idgara.nl> wrote:

A good summary Sabri.

One of the points that has not been addressed (fully) is the fact that the 
mailing went out to 'role accounts' which are normally company accounts (if 
some used a personal email address for that, then this will have suddenly 
become a business email address), so GDPR applicability would be remote, if at 
all.

Alex (LL.M)
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | 
Skype:adejoode

On Tue, 12-05-2020 21h 12min, Sabri Berisha <sa...@cluecentral.net> wrote:
- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov <xima...@gmail.com> wrote:



Peace,
Peace,

 On Tue, May 12, 2020 at 1:29 PM Arash Naderpour
 mailto:arash.naderp...@gmail.com>> wrote:

EU laws are for EU

 Perhaps sadly for some, but this is not how it works.  EU laws protect
 EU citizens wherever they are, or the EU citizens' personal and
 sensitive data wherever it is 

Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I’m not sure if this is true in all the cases, because a physical person can 
also have PI resources and then a personal email in the database.

 

There is one more point, which I’m discussing with the Spanish DPA in the 
constitutional court, and it is the classification between personal and company 
emails, when they have your name and family name, you use it for personal 
matters (even if the domain is from a company – example, you can have separate 
emails for business and personal, but using the same domain), and if the 
collection of data was authorized or not, and if it was just data collection or 
also spam.

 

Is not easy. In Spain, the spam (even with business emails) is not allowed 
according to a further law (LSSI). I guess it varies from country to country.

 

Anyway, I think it has been said a few days ago, harvesting the databases for 
spam is against the AUP.

 

Regards,

Jordi

@jordipalet

 

 

 

On 12/5/20 23:27, "anti-abuse-wg on behalf of Alex de Joode" wrote:

 

A good summary Sabri.

 

One of the points that has not been addressed (fully) is the fact that the 
mailing went out to 'role accounts' which are normally company accounts (if 
some used a personal email address for that, then this will have suddenly 
become a business email address), so GDPR applicability would be remote, if at 
all.

 

Alex (LL.M)

-- 

IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode


On Tue, 12-05-2020 21h 12min, Sabri Berisha  wrote:

- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov  wrote:



Peace,

Peace,
 
 On Tue, May 12, 2020 at 1:29 PM Arash Naderpour
  wrote:


EU laws are for EU


 Perhaps sadly for some, but this is not how it works.  EU laws protect
 EU citizens wherever they are, or the EU citizens' personal and
 sensitive data wherever it is accessed, processed, or stored.


Perhaps sadly for some, but this is not how it works.

 

First of all, there is the requirement for the non-EU company to intentionally 
provide goods or services to the EU. That can be found in article 3(2)a. 

 

This means that, per EU rules, the GDPR will not apply to the mom ice cream 
shop in San Francisco that takes online orders from a EU citizen that happens 
to be visiting the U.S. The GDPR only affects companies (in or outside the EU) 
that market to EU citizens or territories.

 

Second, and most important, for a law to protect it must be enforceable. For a 
law to be enforceable, a court must be able to issue a judgement, and that 
judgement must be executable.


EU judgements based on the GDPR are not necessarily enforceable outside the EU, 
at least not in the U.S. Treaties must be in place, and a good example is the 
Hague Convention on Foreign Judgments in Civil and Commercial Matters.

 

In the U.S., foreign judgements are enforceable if they comply with the Uniform 
Foreign Money Judgments Recognition Act. This law specifies that a judgement 
may not be recognized if the foreign court did not have "personal jurisdiction" 
on the U.S. entity. If that entity does not have a physical presence in the EU, 
establishing the foreign court’s personal jurisdiction will be very difficult 
if not impossible.

 

But, for folks that did not go to law school, here is a simpler explanation: 
https://www.youtube.com/watch?v=CD2FlW79PfU :-)

 

Thanks,

Sabri



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.



Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Alex de Joode
A good summary Sabri.

One of the points that has not been addressed (fully) is the fact that the 
mailing went out to 'role accounts' which are normally company accounts (if 
some used a personal email address for that, then this will have suddenly 
become a business email address), so GDPR applicability would be remote, if at 
all.


Alex (LL.M)
-- 
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode


On Tue, 12-05-2020 21h 12min, Sabri Berisha wrote:

- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov wrote:

Peace,

> Peace,
>
> On Tue, May 12, 2020 at 1:29 PM Arash Naderpour wrote:
>> EU laws are for EU
> Perhaps sadly for some, but this is not how it works.  EU laws protect
> EU citizens wherever they are, or the EU citizens' personal and
> sensitive data wherever it is accessed, processed, or stored.

Perhaps sadly for some, but this is not how it works.

First of all, there is the requirement for the non-EU company to intentionally 
provide goods or services to the EU. That can be found in article 3(2)a. 

This means that, per EU rules, the GDPR will not apply to the mom ice cream 
shop in San Francisco that takes online orders from a EU citizen that happens 
to be visiting the U.S. The GDPR only affects companies (in or outside the EU) 
that market to EU citizens or territories.

Second, and most important, for a law to protect it must be enforceable. For a 
law to be enforceable, a court must be able to issue a judgement, and that 
judgement must be executable.

EU judgements based on the GDPR are not necessarily enforceable outside the EU, 
at least not in the U.S. Treaties must be in place, and a good example is the 
Hague Convention on Foreign Judgments in Civil and Commercial Matters.

In the U.S., foreign judgements are enforceable if they comply with the Uniform 
Foreign Money Judgments Recognition Act. This law specifies that a judgement 
may not be recognized if the foreign court did not have "personal jurisdiction" 
on the U.S. entity. If that entity does not have a physical presence in the EU, 
establishing the foreign court’s personal jurisdiction will be very difficult 
if not impossible.

But, for folks that did not go to law school, here is a simpler explanation: 
https://www.youtube.com/watch?v=CD2FlW79PfU :-)

Thanks,

Sabri





Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alessandro,


On 12/5/20 19:26, "anti-abuse-wg on behalf of Alessandro Vesely" wrote:

Hi Jordy,

On Tue 12/May/2020 11:34:19 +0200 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>> On 8/5/20 20:18, "anti-abuse-wg on behalf of Alessandro Vesely" wrote:
>>  On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>>> 
>>> As I've indicated already several times (and not just in this discussion),
>>> all the RIRs have forms or other methods to escalate any issues.
>>> 
>>> The proposal is only changing "let's have stats".
>> 
>> 
>> I read:
>> 
>> The RIPE NCC will validate the “abuse-mailbox:” attribute at least
>> annually. Where the attribute is deemed incorrect, it will follow up in
>> compliance with relevant RIPE Policies and RIPE NCC procedures.
>>
>> https://www.ripe.net/participate/policies/proposals/2019-04
>> 
>> The anonymized statistics is mentioned afterward.  It seems to result from
>> community escalation and reporting, rather than from the abuse-mailbox
>> validation itself.  By my proposal, instead, the output of the validation
>> process is borne out when the abuse address is removed from the database —and
>> the corresponding IP ranges duly transmitted.
> 
> [Jordi] Yes, RIPE provide stats for many things and probably this text is
> not really needed, but if we want to make sure to have this specific set of
> stats, *we need the text*. If we try to reach consensus in what I'm
> interpreting from your last half of the paragraph, it is very difficult to
> get consensus, and reclaiming resources must be only done in my opinion, in
> extreme cases. What cases are already described in
> https://www.ripe.net/publications/docs/ripe-716, not specific to abuse
> cases.

You misunderstood me.  I'm not advocating de-registration of IP resources.  I
meant to remove just the abuse-c email address, since it does not work.  As an
alternative, as Àngel noted, there could be a tag saying that the email address
is not valid, without actually removing it.

[Jordi] I got your point now, thanks!

I think it is more useful instead of removing the address, marking the record 
as invalid, and this is being done if I recall correctly from RIPE NCC 
presentations. Because it may be a temporary failure of the address, so *not 
removing it* may bring it back in a subsequent verification.

Of course all this depends on the detailed procedure that RIPE NCC is using,  
but I don't think having so many operational details is good in a policy, 
unless (I'm not saying is the case, just speaking in general, and not about 
this specific policy) RIPE NCC is doing so badly and ignoring the community 
inputs, that the community can only enforce a specific procedure via a policy 
proposal - but still needs to reach consensus. In one of my earlier versions of 
the proposal, I had a detailed "example procedure, not part of the policy text".

Knowing if an abuse team is reachable is much more useful than statistics which
one has to interpret in order to derive the same information.  Setting that
information has to be done with care, after making sure that the corresponding
organization has acknowledged that their abuse-c doesn't work and doesn't seem
to be after fixing it.

[Jordi] I think both are useful to know. Is the address valid/invalid. If 
valid, is this LIR processing abuse reports or there is information escalated 
from the community that is not?

At that point, actions like transmitting the relevant IP ranges to a DNSBL can
take place.  Such actions are derived from a public database and don't have to
be carried out by RIPE NCC.  In particular, they imply no termination.

[Jordi] Totally agree. I still think ideally, we should have X-ARF as the 
single way to do all the abuse reporting. Not sure if this could be also 
connected to provide feedback to DNSBL, but I'm not convinced RIPE NCC (or any 
other RIR) could do that ... very difficult to reach consensus on that at the 
time being. The stats might prove that on the long term and then we can change 
our minds.

Best
Ale
-- 


Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Two quick points here:

 
The money collected by Data Protection Agency fines aren’t for the ones 
claiming, but for the respective governments.
If the abuse country don’t have an agreement with the EU to collect that fine, 
the EU can seize it later on, at any time, when there is a payment from the EU 
to that company or person, depending on the case.
Meanwhile, this company, which has been fined, will not be able to continue 
business with EU companies.
 

So even if procmail saves time, I feel more responsible, as citizen, to make 
sure that the law that protects me, is called upon when/if it comes the time 
for it.

 

Further to that, at least in Spain, I guess is the same in other countries, if 
you receive spam or any other abuse towards your network, you have law 
recognized compensation for the damages. Of course this is not millions of 
euros, even not a few thousands, however a collective claim against a spammer, 
which may turn the cost for the spammer in something really bad for his/her 
pocket.

 

Last, but not least, a quick google search shows that there is an agreement for 
GDPR related issues among the EU and Israel, and Israel has adapted to their 
equivalent law, which is understandable, because there is a lot of business 
among those region.

 

Regards,

Jordi

@jordipalet

 

 

 

On 12/5/20 21:49, "anti-abuse-wg on behalf of Sabri Berisha" wrote:

 

- On May 12, 2020, at 12:32 PM, Töma Gavrichenkov  wrote:

 

On Tue, May 12, 2020, 10:13 PM Sabri 

First of all, there is the requirement for the non-EU company to intentionally 
provide goods or services to the EU. That can be found in article 3(2)a.

 

Well, virtually that's exactly our case: an employee of an Israeli company 
promotes their services (in multiple local EU languages such as Czech language) 
through an intentional mailing.

Yes, you are absolutely correct in that.

Second, and most important, for a law to protect it must be enforceable. For a 
law to be enforceable, a court must be able to issue a judgement, and that 
judgement must be executable.

 

Still fine: AFAIK Israeli companies with a remote offering directed to the EU 
citizens are subject to extraterritorial reaches.  At least, I've seen some of 
those working in GDPR compliance.  What do I miss here?

This is the part where I disagree. According to EU law, they are subject to 
what's called "universal jurisdiction", but unless there are treaties in place, 
or the local Israeli courts are willing to recognize foreign judgements, that 
EU law is nothing but a useless piece of paper. The EU cannot enforce their 
laws in a different country without the local courts granting jurisdiction. And 
that, in turn, means that EU laws cannot be applied to those outside of its 
reach.

 

It would be different if said entity (whether that's a person or business) had 
any assets in the EU. In that case they could be seized upon a monetary 
judgement. Which is the case with Google, Facebook etc. 

 

In more simpler terms: EU courts can award you 100 million euros, but without a 
way to collect it you're still poor.

 

Hence my recommendation to just plonk the guy into oblivion instead of pursuing 
a theoretical and practically impossible avenue (GDPR enforcement).

 

Just procmail the guy's emails, and vote for the other candidates. Saves you a 
lot of headaches :)

 

Thanks,

 

Sabri






Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Randy Bush
would those helpful folk kindly giving us legal opinions please tell us
your legal credentials?  it would help us better calibrate your legal
assertions.  thanks.

randy



Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Sabri Berisha
- On May 12, 2020, at 12:32 PM, Töma Gavrichenkov wrote:

> On Tue, May 12, 2020, 10:13 PM Sabri

>> First of all, there is the requirement for the non-EU company to
>> intentionally provide goods or services to the EU. That can be found in
>> article 3(2)a.

> Well, virtually that's exactly our case: an employee of an Israeli company
> promotes their services (in multiple local EU languages such as Czech
> language) through an intentional mailing.

Yes, you are absolutely correct in that.

>> Second, and most important, for a law to protect it must be enforceable.
>> For a law to be enforceable, a court must be able to issue a judgement, and
>> that judgement must be executable.

> Still fine: AFAIK Israeli companies with a remote offering directed to the EU
> citizens are subject to extraterritorial reaches. At least, I've seen some of
> those working in GDPR compliance. What do I miss here?

This is the part where I disagree. According to EU law, they are subject to 
what's called "universal jurisdiction", but unless there are treaties in place, 
or the local Israeli courts are willing to recognize foreign judgements, that 
EU law is nothing but a useless piece of paper. The EU cannot enforce their 
laws in a different country without the local courts granting jurisdiction. And 
that, in turn, means that EU laws cannot be applied to those outside of its 
reach. 

It would be different if said entity (whether that's a person or business) had 
any assets in the EU. In that case they could be seized upon a monetary 
judgement. Which is the case with Google, Facebook etc. 

In more simpler terms: EU courts can award you 100 million euros, but without a 
way to collect it you're still poor. 

Hence my recommendation to just plonk the guy into oblivion instead of pursuing 
a theoretical and practically impossible avenue (GDPR enforcement). 

Just procmail the guy's emails, and vote for the other candidates. Saves you a 
lot of headaches :) 

Thanks, 

Sabri 


Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Töma Gavrichenkov
Peace,

On Tue, May 12, 2020, 10:13 PM Sabri

> First of all, there is the requirement for the non-EU company to
> *intentionally* provide goods or services to the EU. That can be found in
> article 3(2)a.
>

Well, virtually that's exactly our case: an employee of an Israeli company
promotes their services (in multiple local EU languages such as Czech
language) through an intentional mailing.


> Second, and most important, for a law to protect it must be enforceable.
> For a law to be enforceable, a court must be able to issue a judgement, and
> that judgement must be executable.
>

Still fine: AFAIK Israeli companies with a remote offering directed to the
EU citizens are subject to extraterritorial reaches.  At least, I've seen
some of those working in GDPR compliance.  What do I miss here?

--
Töma


Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Sabri Berisha
- On May 12, 2020, at 4:51 AM, Töma Gavrichenkov  wrote: 

Peace, 

> Peace,

> On Tue, May 12, 2020 at 1:29 PM Arash Naderpour
>  wrote:

>> EU laws are for EU
> Perhaps sadly for some, but this is not how it works. EU laws protect
> EU citizens wherever they are, or the EU citizens' personal and
> sensitive data wherever it is accessed, processed, or stored.

Perhaps sadly for some, but this is not how it works. 

First of all, there is the requirement for the non-EU company to intentionally 
provide goods or services to the EU. That can be found in article 3(2)a. 

This means that, per EU rules, the GDPR will not apply to the mom ice cream 
shop in San Francisco that takes online orders from a EU citizen that happens 
to be visiting the U.S. The GDPR only affects companies (in or outside the EU) 
that market to EU citizens or territories. 

Second, and most important, for a law to protect it must be enforceable. For a 
law to be enforceable, a court must be able to issue a judgement, and that 
judgement must be executable. 

EU judgements based on the GDPR are not necessarily enforceable outside the EU, 
at least not in the U.S. Treaties must be in place, and a good example is the 
Hague Convention on Foreign Judgments in Civil and Commercial Matters. 

In the U.S., foreign judgements are enforceable if they comply with the Uniform 
Foreign Money Judgments Recognition Act. This law specifies that a judgement 
may not be recognized if the foreign court did not have "personal jurisdiction" 
on the U.S. entity. If that entity does not have a physical presence in the EU, 
establishing the foreign court’s personal jurisdiction will be very difficult 
if not impossible. 

But, for folks that did not go to law school, here is a simpler explanation: 
https://www.youtube.com/watch?v=CD2FlW79PfU :-) 

Thanks, 

Sabri 


Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread Alessandro Vesely
Hi Jordy,

On Tue 12/May/2020 11:34:19 +0200 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>> On 8/5/20 20:18, "anti-abuse-wg on behalf of Alessandro Vesely" wrote:
>>  On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>>> 
>>> As I've indicated already several times (and not just in this discussion),
>>> all the RIRs have forms or other methods to escalate any issues.
>>> 
>>> The proposal is only changing "let's have stats".
>> 
>> 
>> I read:
>> 
>> The RIPE NCC will validate the “abuse-mailbox:” attribute at least
>> annually. Where the attribute is deemed incorrect, it will follow up in
>> compliance with relevant RIPE Policies and RIPE NCC procedures.
>>
>> https://www.ripe.net/participate/policies/proposals/2019-04
>> 
>> The anonymized statistics is mentioned afterward.  It seems to result from
>> community escalation and reporting, rather than from the abuse-mailbox
>> validation itself.  By my proposal, instead, the output of the validation
>> process is borne out when the abuse address is removed from the database —and
>> the corresponding IP ranges duly transmitted.
> 
> [Jordi] Yes, RIPE provide stats for many things and probably this text is
> not really needed, but if we want to make sure to have this specific set of
> stats, *we need the text*. If we try to reach consensus in what I'm
> interpreting from your last half of the paragraph, it is very difficult to
> get consensus, and reclaiming resources must be only done in my opinion, in
> extreme cases. What cases are already described in
> https://www.ripe.net/publications/docs/ripe-716, not specific to abuse
> cases.

You misunderstood me.  I'm not advocating de-registration of IP resources.  I
meant to remove just the abuse-c email address, since it does not work.  As an
alternative, as Àngel noted, there could be a tag saying that the email address
is not valid, without actually removing it.

Knowing if an abuse team is reachable is much more useful than statistics which
one has to interpret in order to derive the same information.  Setting that
information has to be done with care, after making sure that the corresponding
organization has acknowledged that their abuse-c doesn't work and doesn't seem
to be after fixing it.

At that point, actions like transmitting the relevant IP ranges to a DNSBL can
take place.  Such actions are derived from a public database and don't have to
be carried out by RIPE NCC.  In particular, they imply no termination.


Best
Ale
-- 

Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Töma Gavrichenkov
Peace,

On Tue, May 12, 2020 at 1:29 PM Arash Naderpour
 wrote:
> EU laws are for EU

Perhaps sadly for some, but this is not how it works.  EU laws protect
EU citizens wherever they are, or the EU citizens' personal and
sensitive data wherever it is accessed, processed, or stored.

--
Töma



Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread Nick Hilliard

Suresh Ramasubramanian wrote on 11/05/2020 18:23:
> All I am asking is that cobblers stick to their last. People with 
> backgrounds in routing and networking are not necessarily the people in 
> their organizations that handle abuse issues.


From another point of view, you're asking for the RIPE NCC RIR 
component to change its fundamental nature from being a registry to 
being an enforcement agency.


It's ok for people who don't handle abuse issues on a daily basis to 
have an opinion about this.


Nick




Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread Arash Naderpour
Hi Jordi,

EU laws are for EU and not all countries care if they can do business with
EU, lots of assumption I guess.

Regards,

Arash


On Tue, 12 May 2020, 20:12 JORDI PALET MARTINEZ via anti-abuse-wg, <
anti-abuse-wg@ripe.net> wrote:

> I don't think EU laws are useless towards non-EU countries that break them.
>
> In the case of privacy, they will not be able to keep doing business with
> the EU.
>
> In a more understanding way, EU (or EU members) reach agreements with
> specific countries so the sanctions can be applied as well, including fines.
>
> For example, when speaking about GDPR, countries like Mauritius and
> Uruguay, have signed those agreements. I believe the reason is to allow
> mutual business, it makes a lot of sense: if you are offering applications
> that collect our citizen data, you must follow our rules, or we will find
> someone that wants to follow them.
>
> We do this every other day, in any economic activity. I know that if you
> violate speed limit in one country the fine will be collected from your
> account in many other countries, it is just reciprocity.
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> On 10/5/20 20:54, "anti-abuse-wg on behalf of Sabri Berisha" <
> anti-abuse-wg-boun...@ripe.net on behalf of sa...@cluecentral.net>
> wrote:
>
> - On May 7, 2020, at 2:26 AM, Nick Hilliard n...@foobar.org wrote:
>
> Hi,
>
> (And to you Töma, Peace :))
>
> > Töma Gavrichenkov wrote on 07/05/2020 10:03:
> >> What does GDPR have to say about this?
> >
> > You mean the Privacy and Electronic Communications Regulations / PECR.
> > Spamming is prohibited under article 13.
> >
> > National transcriptions of this legislation have implemented this as a
> > civil offence in some EU countries and a criminal offence in others.
>
> Yes, and as long as the sender is safe in a non-EU country, none of the
> EU "laws" will apply to them nor will they care.
>
> It's the same thing as saying bad things about Thailand's king while
> shouting from a pedestal on St. Petersburg Square.
>
> I don't know about you guys, but I have a very effective system for
> dealing with this kind of crap.
>
> It's called *plonk*.
>
> Thanks,
>
> Sabri
>
>
>
>
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicitly authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
>
>
>
>
>


Re: [anti-abuse-wg] Spamming LIR accounts

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I don't think EU laws are useless towards non-EU countries that break them.

In the case of privacy, they will not be able to keep doing business with the 
EU.

In a more understanding way, EU (or EU members) reach agreements with specific 
countries so the sanctions can be applied as well, including fines.

For example, when speaking about GDPR, countries like Mauritius and Uruguay, 
have signed those agreements. I believe the reason is to allow mutual business, 
it makes a lot of sense: if you are offering applications that collect our 
citizen data, you must follow our rules, or we will find someone that wants to 
follow them.

We do this every other day, in any economic activity. I know that if you 
violate speed limit in one country the fine will be collected from your account 
in many other countries, it is just reciprocity.

Regards,
Jordi
@jordipalet
 
 

On 10/5/20 20:54, "anti-abuse-wg on behalf of Sabri Berisha" wrote:

- On May 7, 2020, at 2:26 AM, Nick Hilliard n...@foobar.org wrote:

Hi,

(And to you Töma, Peace :))

> Töma Gavrichenkov wrote on 07/05/2020 10:03:
>> What does GDPR have to say about this?
> 
> You mean the Privacy and Electronic Communications Regulations / PECR.
> Spamming is prohibited under article 13.
> 
> National transcriptions of this legislation have implemented this as a
> civil offence in some EU countries and a criminal offence in others.

Yes, and as long as the sender is safe in a non-EU country, none of the
EU "laws" will apply to them nor will they care.

It's the same thing as saying bad things about Thailand's king while 
shouting from a pedestal on St. Petersburg Square.

I don't know about you guys, but I have a very effective system for
dealing with this kind of crap.

It's called *plonk*.

Thanks,

Sabri











Re: [anti-abuse-wg] About "consensus" and "voting"...

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick, all,

In many situations "rough consensus" was reached after many versions. Sometimes 
it is a matter of finding the right balance, "the point in the middle" I was 
referring to before. Even if it takes 10 versions instead of just 2.

The issue is for the chairs, not an easy task, in the way to determine if 
objections are valid. Objections aren't just a matter of "taste", which is not 
valid, as very well described in RFC7282.

Regards,
Jordi
@jordipalet
 
 

On 9/5/20 23:36, "anti-abuse-wg on behalf of Nick Hilliard" wrote:

Hi Carlos,

Carlos Friaças wrote on 09/05/2020 22:25:
> On Sat, 9 May 2020, Nick Hilliard wrote:
>> Suresh Ramasubramanian wrote on 09/05/2020 15:23:
>>> Having one might at least lay this discussion to rest once and for 
>>> all. I've seen variants of it for several years now.
>>
>> But imagine if someone contacted a bunch of their colleagues and said: 
>> "look, there's this policy proposal going on in RIPE AAWG and it would 
>> be really great if you could just join up on the mailing list and add 
>> in a +1, thanks!"
>>
>> Therein lies the problem - or at least one of the problems - with 
>> voting: it's wide open to manipulation.
> 
> Same goes for "it takes only 2 or 3 voices to break consensus".
> 
> Even if arguments are somewhat "creative"...

no, and in fact this is the point of consensus.  It depends on informed 
judgement and assessment, not a handful of dissenting voices, or people 
shouting, or votes or anything else.  It's worth reading RFC 7282. 
There is a lot of wisdom in that document.

>> In the sense that you're concerned that there's stalemate regarding 
>> some of these proposals, there isn't according to the PDP: no 
>> consensus is a legitimate and clear outcome, and when there is no 
>> consensus, the policy does not proceed.
> 
> The *proposal* does not proceed... the policy can already be in place, 
> but remains unchanged.

The existing reached consensus despite a number of dissenting voices :-)

Personally, I think the policy does more harm than good, but it is what 
it is.  I'm not going to put in a proposal to remove it because that 
probably wouldn't reach consensus and it would end up wasting working 
group time.

Nick











Re: [anti-abuse-wg] About "consensus" and "voting"...

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I think we all need to re-read, from time to time, RFC7282.

Regards,
Jordi
@jordipalet

On 9/5/20 18:21, "anti-abuse-wg on behalf of Sérgio Rocha" wrote:

Hi everyone

Unless we change the way the working groups work, it will remain unchanged 
forever.

I agree that we must get a way to vote or another democratic way to get 
decisions.

If we don't change something in the process, it is better to close these 
mailing lists, which only exist to give the fake image that the community is 
working.

SR

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Carlos Friaças via anti-abuse-wg
Date: 09/05/20 13:41 (GMT+00:00)
To: Suresh Ramasubramanian
Cc: Gert Doering, anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] About "consensus" and "voting"...


Hi Suresh, Gert, All,

"member organizations represented by" -- this only happens at the RIPE NCC 
GM, twice a year.

The PDP doesn't happen at the RIPE NCC GM, afaik, whether we like it or 
not.

When polarisation is obvious, "consensus" is impossible and everything 
tend to remain as is...

Cheers,
Carlos


On Sat, 9 May 2020, Suresh Ramasubramanian wrote:

> 
> In a case where the community is polarised to this extent it would be better 
> to break with procedure and call a vote for once. With member organizations 
> represented by their abuse team heads, rather than IP / routing people, so 
> that the organisation's stance on this is clear.
> 
> From: Gert Doering
> Date: Saturday, 9 May 2020 at 3:57 PM
> To: Suresh Ramasubramanian
> Cc: Randy Bush, Nick Hilliard, anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of 
> "abuse-mailbox")
> 
> Hi,
> 
> On Sat, May 09, 2020 at 01:12:32AM +, Suresh Ramasubramanian wrote:
> > Has this even been put to a vote or is it the same group of extremely vocal 
> > RIPE regulars against it and the same group of extremely vocal security 
> > types for it? Rough consensus has its limitations in such cases.
> 
> There is no voting.
> 
> It's either "there is sufficient support and counterarguments have been
> adequately addressed" or "no consensus, rewrite or withdraw".
> 
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                 Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14   Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen            HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444    USt-IdNr.: DE813185279
> 
> 
> 






Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,


On 8/5/20 23:58, "Nick Hilliard" wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 08/05/2020 12:07:
> [Jordi] The job of the RIPE NCC is to implement the policies agreed
> by the community. Different folks may consider different pieces of
> all of our policies as "inappropriate" or "arbitrary"

which is fine, mostly. Subject to usual discretion of the RIPE NCC to 
ignore policy which is harmful to itself or others.  Various board 
members have confirmed in the past that the RIPE NCC will not buy an 
island if instructed to do so by the RIPE Community.

> and the goal is
> to find a point in the middle, which is what we call consensus.

The goal is to try to find consensus.  There's nothing in the concept of 
consensus about trying to find a point in the middle.

If I make a policy proposal to demand that the RIPE NCC buy an island, 
would it be reasonable to settle on a compromise which involved the RIPE 
NCC buying only half an island?

It's ok for consensus to be that a policy proposal be rejected entirely.

[Jordi] I guess there is a translation problem here. For us in Spain, something 
in the middle means a middle term or "compromise" to find an agreement, not to 
buy half of the island ;-) even less when I'm not trying to buy any island! 
Consensus is very well described in many nice sentences in RFC7282 (by the way, 
remember that is not just consensus, we use it for short, but actually it is 
"rough consensus"). For example:

"Coming to consensus is when everyone (including the person making the
   objection) comes to the conclusion that either the objections are
   valid, and therefore make a change to address the objection, or that
   the objection was not really a matter of importance, but merely a
   matter of taste.  Of course, coming to full consensus like that does
   not always happen.  That's why in the IETF, we talk about "rough
   consensus"."

*** See also "5. Consensus is the path, not the destination", it requires time 
and sometimes many cycles (many versions), it is the only way we have, it is 
slow, but in my opinion it is the right way.


> I believe is perfectly understandable the need to avoid using manual
> forms which don't follow a single standard, which means extra work
> for *everyone*.

Couple of things on this:

- if you want to standardise a mechanism for abuse reporting, then that 
would be useful and by all means, go ahead with that idea first.  There 
are many forums available for doing this.

[Jordi] The standard is already defined and this version of the proposal 
included it. Now we need to agree if we want to use it or not, and at the time 
being I wrote it as one choice. Maybe the community prefers making it as the 
only valid option. We do that very often in many other proposals. Why not for 
abuse reporting?

- your proposal threatens to close down RIPE NCC members if they decline 
to support abuse reports over email.  This is unhinged.

[Jordi] No, this is not my proposal, this is already *any policy violation*, 
and actually the actual policy already does that, but in an unclear way. I'm 
trying to expose it being more honest and transparent with the interpretation 
of the actual text:
"The RIPE NCC will validate the “abuse-mailbox:” attribute at least annually. 
Where the attribute is deemed incorrect, it will follow up in compliance with 
relevant RIPE Policies and RIPE NCC procedures."

> [Jordi] The actual policy has a bigger level of micro-management, by
> setting one year and not allowing the NCC to change that. I think it
> is much better to explicitly allow it. One alternative, I will be
> fine with that, is not define the time at all, and let the NCC to
> adapt it to the needs. Would you think this is more appropriate?

The entire policy is poorly thought-through to start with.  You can't 
fix bad policy with minor tweaks around the edges.

[Jordi] Well, we disagree here, many documents reached consensus thru 
contributions from people, even if it was a bad document (I don't think it is 
the case) from the start.


> [Jordi] What I'm asking here is to make sure that we have stats. I'm
> not changing what is an actual practice. You can always report to
> *any* RIR, what you think is wrong and if you're a good internet
> citizen, you should do that.

If you're a good internet citizen, you have some moral obligation to 
report abuse to an internet number resources registry?

[Jordi] This is my opinion, not just in the Internet community. If I see 
something wrong in "any community", I need to cooperate to make it better. 
Otherwise I can't complain. If you don't like the food in the restaurant, you 
either stop eating there or complain so they improve ... If you don't like how 
your city mayor does his job, you will complain, even provide suggestions, or 
not vote for him anymore and convince 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alessandro,
 

On 8/5/20 20:18, "anti-abuse-wg on behalf of Alessandro Vesely" wrote:

On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ via anti-abuse-wg 
wrote:
> Hi Alessandro,
> 
> As I've indicated already several times (and not just in this discussion),
> all the RIRs have forms or other methods to escalate any issues.
> 
> The proposal is only changing "let's have stats".


I read:

The RIPE NCC will validate the “abuse-mailbox:” attribute at least
annually. Where the attribute is deemed incorrect, it will follow up in
compliance with relevant RIPE Policies and RIPE NCC procedures.
   https://www.ripe.net/participate/policies/proposals/2019-04

The anonymized statistics is mentioned afterward.  It seems to result from
community escalation and reporting, rather than from the abuse-mailbox
validation itself.  By my proposal, instead, the output of the validation
process is borne out when the abuse address is removed from the database
—and the corresponding IP ranges duly transmitted.

[Jordi] Yes, RIPE provides stats for many things and probably this text is not 
really needed, but if we want to make sure to have this specific set of stats, 
*we need the text*. If we try to reach consensus in what I'm interpreting from 
your last half of the paragraph, it is very difficult to get consensus, and 
reclaiming resources must be only done in my opinion, in extreme cases. What 
cases are already described in https://www.ripe.net/publications/docs/ripe-716, 
not specific to abuse cases.

Best
Ale


> On 4/5/20 12:29, "anti-abuse-wg on behalf of Alessandro Vesely" wrote:
> 
> Hi,
> 
> On 29/04/2020 13:22, Gert Doering wrote:
> > 
> > If people *want* to handle abuse reports, they do so today already
> > (and if they mess up their mail reception, the NCC will check this today
> > already, and let them know).
> > 
> > If people *do not want* to handle abuse reports, this proposal will not
> > make them.
> 
> 
> The above is unquestionable truth.  There is a grey area, where a mailbox
> doesn't work because of misconfiguration, mailbox full, or similar issues.
> Validation might help in those cases.
> 
> However, statements like:
> 
> The “abuse-c:” will be mandatory for all aut-nums
> 
> are in conflict with the unquestionable truth quoted above.  Please, allow
> abuse-c to be empty!  I have to keep a dont-send list of non-responding abuse
> addresses.  Some 70% of the complaints I would have sent hit that list.  It
> would be more practical to have an empty abuse-c entry in the first place.
> 
> In addition, having networks without abuse addresses makes them more easily
> identifiable.  RIPE NCC could compile the relevant IP addresses into an easily
> usable format, for example one readable by rbldns.  Rather than following-up
> and threatening resource revocation, upon repeated validation failures, the
> RIPE NCC should just remove the non-working abuse-c entry, thereby adding the
> relevant IP addresses to the "no-complaints" list.
> 
> A web form to report bouncing abuse addresses would be useful too.
> 
> 
> Best
> Ale
> -- 
> 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-12 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sergey,

On 8/5/20 16:28, "anti-abuse-wg on behalf of Sergey Myasoedov via 
anti-abuse-wg" wrote:

Dear Jordi,

> There are existing procedures for that in extreme cases.

I think it's now obvious that existing procedures do not work.

[Jordi] I don't think so, however if that's the case, it is transversal to all 
the policies, not just one. It will not make sense to me to address it only for 
abuse cases, and not for other policy violations.


--
Sergey


Friday, May 8, 2020, 1:20:45 PM, you wrote:

JPMvaaw> However, I fully understand that the community prefers to do things
JPMvaaw> in different steps.

JPMvaaw> We initially asked for the abuse mailbox.

JPMvaaw> Then we added a technical validation.

JPMvaaw> Now I'm asking for better validation and to make sure that
JPMvaaw> the reporting is feasible. I'm not asking to verify if you handle
JPMvaaw> the abuse case or not.

JPMvaaw> *AND* I'm not asking to take *new* actions. There are
JPMvaaw> existing procedures for that in extreme cases.
JPMvaaw>  

JPMvaaw> On 30/4/20 9:51, "anti-abuse-wg on behalf of Serge Droz via
JPMvaaw> anti-abuse-wg" wrote:

JPMvaaw> I do not disagree with this.

JPMvaaw> Serge


JPMvaaw> On 30.04.20 09:41, Hans-Martin Mosner wrote:
JPMvaaw> > On 30.04.20 at 02:58, Suresh Ramasubramanian wrote:
JPMvaaw> >>
JPMvaaw> >> However, being in a fiduciary role - with IPv4 being traded like
JPMvaaw> >> currency these days the description fits - RIPE NCC can’t not get
JPMvaaw> >> involved.
JPMvaaw> >>
JPMvaaw> > ...
JPMvaaw> >> NCC owes it to the rest of its membership and the internet community
JPMvaaw> >> at large to take a more active role in this matter.
JPMvaaw> >>
JPMvaaw> > This.
JPMvaaw> > 
JPMvaaw> > And as long as RIPE and/or NCC explicitly does not want to take action
JPMvaaw> > when RIPE members don't handle abuse from their networks properly, the
JPMvaaw> > whole issue of validating abuse mailbox addresses is moot. After all
JPMvaaw> > discussion, the toothless compromise will be that there should be an
JPMvaaw> > abuse mailbox, and FWIW it can be handled by Dave Null because nobody
JPMvaaw> > will exert pressure on the resource holder to do anything else.
JPMvaaw> > 
JPMvaaw> > Our problem on the receiving side of network abuse is not with the few
JPMvaaw> > good-willing but technically challenged providers whose abuse mailbox
JPMvaaw> > isn't working properly but with those large operators who don't give a
JPMvaaw> > flying f about their customer's network abuse.
JPMvaaw> > 
JPMvaaw> > Personally, I consider the anti-abuse WG a failure at this point. When I
JPMvaaw> > joined I had hoped to see and possibly support constructive work towards
JPMvaaw> > a reduction in network abuse, but apparently there are big players in
JPMvaaw> > this game who are not interested in such a reduction as it would
JPMvaaw> > undermine their "business".
JPMvaaw> > 
JPMvaaw> > Cheers,
JPMvaaw> > Hans-Martin
JPMvaaw> > 

JPMvaaw> -- 
JPMvaaw> Dr. Serge Droz
JPMvaaw> Chair of the FIRST Board of Directors
JPMvaaw> https://www.first.org

















**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of