I second Jordi's opinion that validation of the abuse-mailbox should require human interaction of the resource holder. In addition to solving a captcha the resource holder might need to confirm (click a checkbox) that he will monitor the abuse-mailbox account on a regular basis and take appropriate action to solve reported abuse cases.

- Thomas

CERT-Bund Incident Response & Malware Analysis Team

On 18.01.2018 19:44, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
I fully agree with this proposal and it should be implemented ASAP.
HOWEVER, I’ve a question regarding the impact analysis, and especially this sentence:
“To increase efficiency, this process will use an automated solution that will allow the validation of “abuse-mailbox:” attributes without sending an email. No action will be needed by resource holders that have configured their “abuse-mailbox:” attribute correctly.”
Reading the policy proposal, how does the NCC conclude that it should be “without sending an email”?
I will say that the right way to do a validation (at creation/modification and yearly) is, in a way that makes sense (having an email that nobody is processing is exactly the same as not having the abuse attribute at all):
1) Send an email with a link that must be clicked by a human (so some kind of captcha-like mechanism should be followed)
2) If this link is not clicked in a period of 48 hours (not including Saturday-Sunday), an alarm should be generated so the NCC can take the relevant actions and make sure that the mailbox is actively monitored by the LIR
Regards, Jordi