IF receive complaints from public about abuse-c non functional THEN do additional verification On Tue, 23 Jan 2018 23:45:39 -0700 "Name" <phishing@storey.xxx> wrote:
IF email is from = "validation@RIPE.NET" THEN deliver email, ELSE, delete/auto-respond/jump through hoops.
-------- Original Message -------- Subject: Re: [anti-abuse-wg] [policy-announce] 2017-02 Review Phase (Regular abuse-c Validation) From: ox <andre@ox.co.za> Date: Wed, January 24, 2018 4:43 pm To: Brian Nisbet <brian.nisbet@heanet.ie> Cc: anti-abuse-wg@ripe.net
On Tue, 23 Jan 2018 14:45:13 +0000 Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Just to be very clear, the current proposal is only in relation to verification.
If the community wish for other processes to be put in place in regards to lack of action on abuse or similar, then that would require a wholly different proposal.
As Marco Schmidt explained regarding exactly this, "verification" :
An SMTP RCPT command, as Nick mentioned, will likely be one of several checks that we perform. These checks will identify that the syntax and format of the email address is okay, the domain accepts email, and that the mailbox itself exists. We aim for the results to be as accurate as possible.
This is simply not good enough for abuse-c as the core of having a real abuse-c is that it is monitored/real/functional and not just an email address created with an autoresponder.
this goes to the core of the real world problem.
many resource holders create a valid email address and then link an autoresponder to that saying:
thank you for your very valuable abuse notification! Please visit our website link to submit a report
then on the "website/link" create an account for this singular complaint verify that account (jump through many hoops) then verify the actual complaint then confirm your details and information etc etc
so many many hoops - all designed to waste time and to reduce actually receiving any abuse notifications.
Sure, RIPE cannot tell resource users how to handle abuse reports or complaints
BUT
RIPE can ensure at least that having a resource record means something? otherwise it is pointless even having an abuse-c - as it means nothing.
so, why have an abuse-c at all?
the point is: verification, if done in this manner:
send an alphanumeric key to be entered on website after solving a capcha
proves that the abuse-c is real/monitored/etc. - and not a useless bot/autoresponder or nonsensical resource record.
Andre