Hi George, all,
I just looked at the presentation that you have done earlier today and have
some inputs about possible ways to improve it.
1. Slides 9-10
1.1. About receiving spam
The abuse mailbox should receive *all* the emails to be able to receive abuse
reports about spam. If you filter emails that contain headers from spam, then
you are ruining the purpose of the abuse-c. Clearly this could be improved, as
an operational decision, by making some kind of automation, but in such way
that ensures that only real spam is dropped. Note that the other RIRs are also
using (at some point), validation links via the abuse-c email.
1.2. About clicking links
I provided an example procedure in the policy proposal to avoid this. I've
copied this below my signature. See points 1-5. If that procedure is followed,
I think it is obvious that you will avoid this problem. I missed to ensure
during the previous implementation presentations, that you are following a
procedure that avoids this problem. Of course, you can even avoid needing to
send the validation link if you just say in the email with the code "you need
to go to your MyAPNIC account to use this code" ... Maybe also an alternative
is to use email certificates from APNIC.
2. Slide 11
2.1. About the validation cycle.
In more recent versions of this policy, in other RIRs, I have included specific
text so APNIC can accommodate both, the validation periods and the cycle
validation. The idea is that you can do a slow start (which seems not to be
needed in the case of APNIC due to the 87% validation success -
congratulations!), but you can also adjust the timing depending on the staff
available to escalating the validation, or to move from 6 months to 1 year once
the "99%" of the contacts are valid, and if needed, for example, the contacts
get bad, move again to 6 months or even 3 months to get them again on track.
2.2. Deprecating IRT.
The policy proposal included in the ADDITIONAL INFORMATION section:
"a. Since this proposal is implemented, APNIC will publish the IRT also as
abuse-c, in order to facilitate the search in whois, for the same information,
regardless if looking for abuse-c or IRT. This is done in order to assimilate
the IRT to the majority of the RIRs where it is abuse-c."
So clearly, the idea was that we move from the IRT to abuse-c, so to align as
much as possible all the 5 RIRs (in ARIN is POC, and AFRINIC is also IRT, but
there is a policy proposal like this one, an in fact there are only a
ridiculous fraction of IRT objects because is not mandatory right now).
I've one question I've. What is the status of implementation at each NIR?
Now, regarding the points that I've commented above, I will be happy to get
additional inputs and send a policy proposal in a few days. I don't think we
should do anything about 1.1. 1.2 and 2.2 should be addressed as part of the
operational procedure by the staff. We can address 2.1. Something else?
Now, a possible idea to improve this will be move the policy to make mandatory
the use of XARF "eXtended Abuse Reporting Format" (RFC5965/RFC6692). There is
already open source (and commercial tools) that allow it. This will resolve the
problem 1.1 above and provide much better tools to the resource-holders to
avoid manual monitoring as much as possible, automate the abuse processing, etc.
Can we get some inputs about if this is perceived as interesting by the
community?
Maybe we can draft the policy proposal in such way that XARF can be optional at
this stage, and later on, if there is a good adoption %, in 1-2 years, move to
mandatory?
I will send a policy proposal to update this upon getting some inputs. I guess
Aftab will be happy to join as well, and happy to get other people on-board!
Regards,
Jordi
@jordipalet
c. Example of the validation procedure.
1) APNIC initiates the validation automatically, sending TWO consecutive emails
to each of the mailboxes.
2) These emails will be sent containing plain text only.
3) The first email will contain the URL where the validation is to be performed
("validation.apnic.net") and may contain information about the procedure, a
brief summary of this policy, etc.
4) The second email will contain a unique alphanumeric validation code.
5) The person in charge of the each of the mailboxes must go to the URL and
paste the code received in the second email in the form.
6) This URL must be designed in such a way that it prevents the use of an
automated process (for example, "captcha"). In addition, it must contain a text
that confirms that the person performing the validation understands the
procedure and the policy, that they regularly monitor the mailboxes, that
measures are taken to solve reported cases of abuse, and that the abuse report
receives a response, with a "checkbox" that must be accepted in order to
proceed.
7) The alphanumeric code will only be valid for a maximum of fifteen days.
8) If the code is not entered within that time, the system will mark the IRT as
"temporarily invalid” and will send a reminder with another unique code and
alert APNIC staff, so they can initiate a personalized follow-up with the LIR.
9) If no reply is received confirming that the situation has been corrected,
after an additional period of three business days, the IRT will be permanently
marked as "invalid".
10) Once the issue has been resolved, the validation process will be repeated
automatically (items 1 to 7 above). If satisfactory, the IRT will be marked as
"valid"; otherwise it will be considered in breach of the policy.
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or
confidential. The information is intended to be for the exclusive use of the
individual(s) named above and further non-explicilty authorized disclosure,
copying, distribution or use of the contents of this information, even if
partially, including attached files, is strictly prohibited and will be
considered a criminal offense. If you are not the intended recipient be aware
that any disclosure, copying, distribution or use of the contents of this
information, even if partially, including attached files, is strictly
prohibited, will be considered a criminal offense, so you must reply to the
original sender to inform about this communication and delete it.
* sig-policy: APNIC SIG on resource management policy *
_______________________________________________
sig-policy mailing list
sig-policy@lists.apnic.net
https://mailman.apnic.net/mailman/listinfo/sig-policy
