I think if we try to agree on those ratings, we will never reach consensus ... So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example: "This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded." This will be still in line with the actual policy (and the proposal modifications) and will allow the operators to decide if they want to be good netcitizens or not, and the victims to decide if they want to block them. Regards, Jordi @jordipalet El 14/1/20 2:46, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net en nombre de rfg@tristatelogic.com> escribió: In message <CD95F06AD1A1624FB3E613B62842F4D30236249784@SRV-MAIL10-MB1.inteco.local>, =?utf-8?B?w4FuZ2VsIEdvbnrDoWxleiBCZXJkYXNjbw==?= <angel.gonzalez@incibe.es> wrote: >Well, I do see the value of an option (a magic email value?) meaning "this >entity supports the use of its network for abusive purposes and will take no >action on any abuse report". > >That would save time for everyone involved, and would allow to easily block >those networks from accesing ours! These are pretty much my sentiments exactly. The only questions remaining are: 1) Should there just be a simple yes/no one-bit flag published for each resource holder, or would a scale and a range of possible "rating" values be more useful? 2) How shall the "ratings" be computed and by whom? I have provided my personal opinions on both of these points in my prior posting. Regards, rfg ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi, On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:

On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

...

So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:

"This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."

I would support that.

... but it's actually way too complicated to implement. A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place) - If you want to handle abuse reports, put something working in. - If you do not want to handle abuse reports, don't. The ARC could be extended with a question "are you aware that you are signalling 'we do not not care about abuse coming from our network'?" and if this is what LIRs *want* to signal, the message is clear. The NCC could still verify (as they do today) that an e-mail address, *if given*, is not bouncing (or coming back with a human bounce "you have reached the wrong person, stop sending me mail" if someone puts in the e-mail address of someone else). MUCH less effort. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Well the operators are already free to decide if and when they respond to abuse reports. But this farcical system should not be legitimised by weak imbeciles such as those on this list. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "JORDI PALET MARTINEZ via anti-abuse-wg" <anti-abuse-wg@ripe.net> Date: 1/14/20 8:50 pm To: "anti-abuse-wg" <anti-abuse-wg@ripe.net> Looks fine to me. If we really think that the operators should be free from taking abuse reports, then let's make it optional. As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide. Regards, Jordi @jordipalet El 14/1/20 10:47, "Gert Doering" <gert@space.net> escribió: Hi, On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:

On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

...

So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about that, for example:

"This is an automated convirmation that you reached the correct abuse-c mailbox, but we don't process abuse cases, so your reports will be discarded."

I would support that.

... but it's actually way too complicated to implement. A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place) - If you want to handle abuse reports, put something working in. - If you do not want to handle abuse reports, don't. The ARC could be extended with a question "are you aware that you are signalling 'we do not not care about abuse coming from our network'?" and if this is what LIRs *want* to signal, the message is clear. The NCC could still verify (as they do today) that an e-mail address, *if given*, is not bouncing (or coming back with a human bounce "you have reached the wrong person, stop sending me mail" if someone puts in the e-mail address of someone else). MUCH less effort. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi, On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Looks fine to me.

If we really think that the operators should be free from taking abuse reports, then let's make it optional.

As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.

I do think that an operator should handle abuse reports (and we do), but *this* is not a suitable vehicle to *make him*. And if it's not going to have the desired effect, do not waste time on it. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

On Tue, 14 Jan 2020, Nick Hilliard wrote:

Gert Doering wrote on 14/01/2020 10:19:

...

And if it's not going to have the desired effect, do not waste time on it.

More to the point, the RIPE number registry should not be used as a stick for threatening to beat people up if they don't comply with our current favourite ideas about how to manage social policy on the internet.

It is a registry, not a police truncheon.

Hello, (Going perhaps a bit off-topic...) If people are not able to follow the rules of the registry, maybe they shouldn't be allowed inside the system... :-) [Fact 1] If someone provides falsified documents to the registry, that someone goes off the wagon. [Fact 2] If someone doesn't pay the registry in due time (after several warnings), that someone goes off the wagon. <please feel free to add more here, if there are more ways of falling off the "registry wagon"...> I would also feel comfortable if someone who indicates a 3rd party e-mail address as the abuse-mailbox for their _OWN_ address space, goes off the wagon (after some warnings, of course...). BTW, some years ago our physical address was added in whois to someone else's address space in a different RIR and that was _NOT_ a nice experience... Regards, Carlos

Nick

That is the most stupid thing i've read on this list. What little protection the world has from spammers and all manner of criminals, and you still think it's too much that they even so much as have to check their email account. Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap. and if there can be no "internet police", i'm sure RIPE will have no problem if someone never pays a fee to it ever again, because it doesn't have the mandate to suspend a resource for crime, it cannot do it for non payment. or is non-payment more serious than a DDoS attack? --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Gert Doering" <gert@space.net> Date: 1/14/20 9:19 pm To: "JORDI PALET MARTINEZ" <jordi.palet@consulintel.es> Cc: "anti-abuse-wg" <anti-abuse-wg@ripe.net> Hi, On Tue, Jan 14, 2020 at 10:50:58AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Looks fine to me.

If we really think that the operators should be free from taking abuse reports, then let's make it optional.

As said, I personally think that an operator responsibility is to deal with abuse cases, but happy to follow what we all decide.

I do think that an operator should handle abuse reports (and we do), but *this* is not a suitable vehicle to *make him*. And if it's not going to have the desired effect, do not waste time on it. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

...

Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish. It is idiotic and is not ad hominem. This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance? The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Ronald F. Guilmette" <rfg@tristatelogic.com> Date: 1/16/20 11:47 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:

That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from your's truly. Best not to judge the race until it has been fully run.

Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve. Regards, rfg

It would be interesting if a large number of people who actually work for the security / infosec / abuse teams of various ripe members were to attend the aawg meetings instead of a clutch of mostly IP / dns / network people.

did. a couple of interesting presos, but the plural of anecdote is not data. and a bun fight over becomig the net police. rinse repeat. i can try pushing water uphill at home. randy

Hi, Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure. It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet. There are a feew ideas that is simple to understand: 1 - If you have been assigned a network you have responsibilities, paying should not be the only one. 2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails. 3 - If you have no ability to manage abuse should not have addressing, leave it to professionals. The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists. It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same. Sergio From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing Sent: 16 de janeiro de 2020 04:55 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

...

Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish. It is idiotic and is not ad hominem. This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance? The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Ronald F. Guilmette" <rfg@tristatelogic.com <mailto:rfg@tristatelogic.com> > Date: 1/16/20 11:47 am To: "anti-abuse-wg@ripe.net <mailto:anti-abuse-wg@ripe.net> " <anti-abuse-wg@ripe.net <mailto:anti-abuse-wg@ripe.net> > In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ <mailto:20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@%0bemail19.asia.godaddy.com> email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx <mailto:phishing@storey.xxx> > wrote:

That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from your's truly. Best not to judge the race until it has been fully run.

Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve. Regards, rfg

On Thu, Jan 16, 2020 at 12:38:26PM -0000, Srgio Rocha wrote:

It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against

It's called "democracy". As Chuchill said, it's an awful system but better than any other that have been tried. rgds, Sascha Luck

Hi, I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes. To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then? Regards, Carlos On Tue, 14 Jan 2020, Leo Vegoda wrote:

On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert@space.net> wrote:

[...]

...

A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)

This seems like a simple approach for letting network operators indicate whether or not they will act on abuse reports. If there's no way of reporting abuse then the operators clearly has no processes for evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

Hi, Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact. This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all. Sérgio -----Original Message----- From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Gert Doering Sent: 15 de janeiro de 2020 08:06 To: Carlos Friaças <cfriacas@fccn.pt> Cc: Gert Doering <gert@space.net>; anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Hi, On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to "not send mail because you know beforehand that the other network is not interested"? I can see that it is frustrating - but I still cannot support a policy change which will not help dealing with irresponsible networks in any way, but at the same time increases costs and workload for those that do the right thing alrady.

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, "=?iso-8859-1?Q?S=E9rgio_Rocha?=" <sergio.rocha@makeitsimple.pt> wrote:

Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact.

This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all.

This is essentially similar to what I had proposed. As such please put me down as a: +1

Applause. --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Richard Clayton <richard@highwayman.com> Sent: Wednesday, January 15, 2020 8:32 PM To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") In message <02d201d5cb84$89d6b950$9d842bf0$@makeitsimple.pt>, =?iso- 8859-1?Q?S=E9rgio_Rocha?= <sergio.rocha@makeitsimple.pt> writes

Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact.

Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ... ... sometimes because they do not wish their names to be known, sometimes because they do not wish their techniques for (and speed at) detecting abuse to become known. So making it compulsory would be completely counterproductive. Making use of such a website voluntary would also be unwise because the people who do not wish their reports to be public are probably in the majority (I speculate) so that reputation system would fail to include the majority of reports that are made (and I again speculate) the overwhelming majority of reports that are acted upon. Producing non-biased reputation systems is very hard ...

This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all.

... I think also there is a risk of total confusion by conflating many different types of abuse and many different types of reporter into a single system. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

correction: year 2020* --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Fi Shing" <phishing@storey.xxx> Date: 1/16/20 10:03 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Sergio, that would make too much sense. This mailing list is not only not even considering what you have said, but they are trying to remove the requirement of a network operator to even receive emails about complaints at all. Pathetic. It's the year 2019, and these "people" on this list (probably cyber criminals or are paid by cyber criminals to weaken policy) come here and say this garbage. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Sérgio Rocha" <sergio.rocha@makeitsimple.pt> Date: 1/15/20 8:16 pm To: "anti-abuse-wg" <anti-abuse-wg@ripe.net> Hi, Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact. This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all. Sérgio -----Original Message----- From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Gert Doering Sent: 15 de janeiro de 2020 08:06 To: Carlos Friaças <cfriacas@fccn.pt> Cc: Gert Doering <gert@space.net>; anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Hi, On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to "not send mail because you know beforehand that the other network is not interested"? I can see that it is frustrating - but I still cannot support a policy change which will not help dealing with irresponsible networks in any way, but at the same time increases costs and workload for those that do the right thing alrady.

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

I will be fine with this (having RIPE NCC as an intermediator just to send the abuse report), if instead of a web form (or in addition to it), it is possible to automate it, for example RIPE NCC also accepts x-arf via email. RIPE NCC has the obligation to keep the information without disclosing it, so why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, this should be an automated process. The staff is not going to handle every report manually. And moreover, in case of a bigger dispute, even if going to the courts, RIPE NCC can provide in a neutral way all the info of what happened. However, I’ve the feeling that in order to get this working, the policy must mandate that all the responser from the operator which customer is producing the abuse, also follow the same path, so: Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC -> abuse reporter Otherwise, there will not be a way for RIPE to have stats of who is responding to abuse cases and who is not, or even simpler than that, what abuse mailboxes get bounced (which will be a policy violation if happens all the time with the same operator). Never mind we decide or not that not-responding is an abuse-c violation. Stats are good, even if not published with operator names. El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net en nombre de anti-abuse-wg@ripe.net> escribió: Hi Sergio As I read through this thread similar ideas came to my mind. The question I would ask is "Is it too late to take a completely different approach to abuse contacts and reporting via the RIPE Database?" Suppose we had a standard form available via the ripe.net website for providing details of abuse. If you are able to find the "abuse-c:" details in the database now then you must know the IP address involved. The RIPE NCC could send the report to the abuse contact taken from the database via the specified IP address. This does not have to be an email interface either. We could look at other options. The RIPE NCC would then at least know if the report was successfully delivered. Using a standard form would make it much easier for the resource holder to interpret the information. Someone said: "Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ..." I have no understanding of the technology involved here, but when I send you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they say) of the content of the message. Would it be possible to submit a form on ripe.net in a way that the content of that form is encrypted and sent to the resource holder so the RIPE NCC have no idea of the content of the form? That would satisfy this concern. Regardless of the outcome of the RIPE Database Requirements Task Force, something like this could still be implemented as it is external to the RIPE Database. Food for thought... cheers denis co-chair DB-WG On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <sergio.rocha@makeitsimple.pt> wrote: Hi, Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact. This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all. Sérgio -----Original Message----- From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Gert Doering Sent: 15 de janeiro de 2020 08:06 To: Carlos Friaças <cfriacas@fccn.pt> Cc: Gert Doering <gert@space.net>; anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Hi, On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to "not send mail because you know beforehand that the other network is not interested"? I can see that it is frustrating - but I still cannot support a policy change which will not help dealing with irresponsible networks in any way, but at the same time increases costs and workload for those that do the right thing alrady.

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

STOP SPAM Envoyé de mon iPhone par René Briaut Le 17 janv. 2020 à 13:04, Volker Greimann <vgreimann@key-systems.net> a écrit : Hmm, if you include RIPE NCC in all responses, you will greatly increase the overhead and noise to signal ratio it has to deal with. It may be better to maintain the ability to audit the responses. instead of receiving them all. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

On Fri, Jan 17, 2020 at 12:00 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: I will be fine with this (having RIPE NCC as an intermediator just to send the abuse report), if instead of a web form (or in addition to it), it is possible to automate it, for example RIPE NCC also accepts x-arf via email.

RIPE NCC has the obligation to keep the information without disclosing it, so why we need to have a way to encypt it so RIPE NCC can’t read it? Furthermore, this should be an automated process. The staff is not going to handle every report manually. And moreover, in case of a bigger dispute, even if going to the courts, RIPE NCC can provide in a neutral way all the info of what happened.

However, I’ve the feeling that in order to get this working, the policy must mandate that all the responser from the operator which customer is producing the abuse, also follow the same path, so:

Abuse reporter (Victim or its ISP) -> RIPE NCC -> abuser operator -> RIPE NCC -> abuse reporter

Otherwise, there will not be a way for RIPE to have stats of who is responding to abuse cases and who is not, or even simpler than that, what abuse mailboxes get bounced (which will be a policy violation if happens all the time with the same operator). Never mind we decide or not that not-responding is an abuse-c violation. Stats are good, even if not published with operator names.

El 17/1/20 1:12, "anti-abuse-wg en nombre de ripedenis--- via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net en nombre de anti-abuse-wg@ripe.net> escribió:

Hi Sergio

As I read through this thread similar ideas came to my mind. The question I would ask is "Is it too late to take a completely different approach to abuse contacts and reporting via the RIPE Database?"

Suppose we had a standard form available via the ripe.net website for providing details of abuse. If you are able to find the "abuse-c:" details in the database now then you must know the IP address involved. The RIPE NCC could send the report to the abuse contact taken from the database via the specified IP address. This does not have to be an email interface either. We could look at other options. The RIPE NCC would then at least know if the report was successfully delivered. Using a standard form would make it much easier for the resource holder to interpret the information.

Someone said:

"Making such a scheme compulsory would be unacceptable to people who wish to interact with network owners without disclosing that in public ..."

I have no understanding of the technology involved here, but when I send you a message on WhatsApp it is encrypted end to end. WhatsApp have no idea (they say) of the content of the message. Would it be possible to submit a form on ripe.net in a way that the content of that form is encrypted and sent to the resource holder so the RIPE NCC have no idea of the content of the form? That would satisfy this concern.

Regardless of the outcome of the RIPE Database Requirements Task Force, something like this could still be implemented as it is external to the RIPE Database.

Food for thought...

cheers

denis

co-chair DB-WG

On Wednesday, 15 January 2020, 10:22:28 CET, Sérgio Rocha <sergio.rocha@makeitsimple.pt> wrote:

Hi,

Maybe we can change the approach. If RIPE website had a platform to post abuse report, that send the email for the abuse contact, it will be possible to evaluate the responsiveness of the abuse contact.

This way anyone that report an abuse could assess not only the response but also the effectiveness of the actions taken by the network owner. After some time with this evaluations we would easy to realize who manages the reports and even who does not respond at all.

Sérgio

-----Original Message----- From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Gert Doering Sent: 15 de janeiro de 2020 08:06 To: Carlos Friaças <cfriacas@fccn.pt> Cc: Gert Doering <gert@space.net>; anti-abuse-wg <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:

...

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to "not send mail because you know beforehand that the other network is not interested"?

I can see that it is frustrating - but I still cannot support a policy change which will not help dealing with irresponsible networks in any way, but at the same time increases costs and workload for those that do the right thing alrady.

...

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

On Wed, 15 Jan 2020, Gert Doering wrote:

Hi,

Hi, (please see inline)

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg wrote:

...

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

So why is it preferrable to send mails which are not acted on, as opposed to "not send mail because you know beforehand that the other network is not interested"?

I think Serge already took care of that answer/issue :-) And in our case we do count the # of bounces we get resulting from the abuse complaints we send out.

I can see that it is frustrating - but I still cannot support a policy change which will not help dealing with irresponsible networks in any way, but at the same time increases costs and workload for those that do the right thing alrady.

I guess you are not convinced with the 10 min/year argument then :-(

...

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

"a known contact" and "an *abuse-handling* contact" is not the same thing.

I don't really like the case where "a known contact" is used as a last resort contact because there is an abuse issue. Hence, the value i see on a mandatory definition of an abuse contact -- while any network can still decide to use the same contact for both (or more) purposes. Cheers, Carlos

Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Hi All So maybe a word from an "Incident Responder". I do feel very much, that we should have an abuse conntact, and it should be tested to wok, in the sense that some one reads the mail sent there. Here are my reasons: - Having such a mailbox may increase the pressure for orgs to actually do something. My experience from previous job showed, that keep sending abuse reports, despite complaints about "spam" eventually convinced a lot of orgs to act. Essentially you take away the excuste "Oh, but we didn't know" - Even for orgs that don't react having such a conntact helps, because it allows us to build up a history of ignored requests, which cann then be used to reminde these orgs that they actually are part of the problem. It is a sad fact, that a threat to your reputation, even if it's only in colsed community, seems to sometimes help convincing said org to reract. Finally if, at some state more drastic action would be necessary (Think Russian Bussines Network at the time), you can build a case. - Lastly: It makes our life as Incident responders easier to have a uniform way of sending reports, even if not all of them are followed up. I kind of don't buy into "There is no point on placing a burden on orgs that choose not to act". Best Serge On 15/01/2020 08:23, Carlos Friaças via anti-abuse-wg wrote:

Hi,

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

Regards, Carlos

On Tue, 14 Jan 2020, Leo Vegoda wrote:

...

On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert@space.net> wrote:

[...]

...

A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)

This seems like a simple approach for letting network operators indicate whether or not they will act on abuse reports. If there's no way of reporting abuse then the operators clearly has no processes for evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

-- Dr. Serge Droz Chair, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org

Hi Gert Sorry I misunderstood you then. But honestly, this does not really place a burden on you. RIPE can automate this, and you simply reply to a message. We do this, e.g. in TF-CSIRT twice a year, and it does help, event the good guys, that realize they have an issue and did not receive their mail. In fact, it's become a bit of a competition to be the first to reply to the challenge. So the extra work is what, 10 minutes / year, if the system is setup properly? So I think the balance is hugely positive. Just my two cents. Serge On 15/01/2020 09:18, Gert Doering wrote:

Hi,

On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:

...

I kind of don't buy into "There is no point on placing a burden on orgs that choose not to act".

This is not what I said. My stance on this is: placing extra burdens on orgs *that do the right thing today* (with extra verification hoops) should be balanced against "will it change the situation wrt orgs that do not care".

And I think the balance is negative - extra work for the good guys, and no relevant incentive for the bad guys to actually *act on* their abuse reports.

Gert Doering -- NetMaster

-- Dr. Serge Droz Chair, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org

What we do today is not a validation if I can use Gert or Serge or any "null" email in all my abuse contacts and nobody notice it, and then you start getting abuse reports from other folks ... This is creating lots of wasted time to both you and the abuse case reporters. El 15/1/20 9:59, "anti-abuse-wg en nombre de Gert Doering" <anti-abuse-wg-bounces@ripe.net en nombre de gert@space.net> escribió: Hi, On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote: > Sorry I misunderstood you then. But honestly, this does not really place > a burden on you. It does. Even if it's just 5 minutes per Mail - I need to train abuse handlers what to do with this sort of message, etc. > So I think the balance is hugely positive. Nobody has been able to demonstrate why it would have a positive effect at all. So how can the balance be "hugely positive"? E-Mail addresses *are* validated today. Just not in an as labour-intensive way on the receipient like the proposers want to install. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi Nick, Not really, I think you're reading a different text ... I'm not intending to ask RIPE to verify if the operators resolve the abuse cases. The point here is to amend the existing policy to do a *good* validation of the abuse mailbox. The actual policy only makes a "technical" validation, so it checks that the mailbox exists and is the right one and allows sending abuse reports, and that's it. If the mailbox is full, if it is never read, if it belongs to a /dev/null or not the right person or team, even if it if you have my email in your abuse-c, all that, passes the validation. Regards, Jordi @jordipalet El 15/1/20 13:14, "anti-abuse-wg en nombre de Nick Hilliard" <anti-abuse-wg-bounces@ripe.net en nombre de nick@foobar.org> escribió: Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24: > So the extra work is what, 10 minutes / year, if the system is setup > properly? Serge, The policy proposal here is: if the registry doesn't comply, then it is in explicit violation of RIPE policies. According to the "Closure of Members, Deregistration of Internet Resources and Legacy Internet Resources" document (currently RIPE 716), if you don't comply with RIPE policies or RIPE NCC procedures, then the RIPE NCC is obliged to follow up with the resource holder and if they continue not to comply, then the number resources will be withdrawn. The purpose behind RIPE-716 is to ensure accurate registration of number resources, which the core function of the RIPE registry. Jordi has confirmed that the intention behind 2019-04 is to force resource holders to comply with the abuse handling procedures defined in his policy, and that if they don't comply for whatever reason, that their number resources are withdrawn under the terms of RIPE-716. To be clear, deregistration of resources would make it difficult or impossible for almost any holder of addresses to continue their business. So what's being proposed here is that RIPE-716 - whose purpose was to ensure integrity and accuracy of the the RIPE registry - should now be repurposed as a mechanism to enforce social behaviour practices on the Internet. There are some pretty serious and fundamental problems with this. Many of these problems were discussed in the context of RIPE policy 2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of them were formally addressed in the RIPE NCC review of that policy. Nick ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

+1000 -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 On 15/01/2020, 12:49, "anti-abuse-wg on behalf of Nick Hilliard" <anti-abuse-wg-bounces@ripe.net on behalf of nick@foobar.org> wrote: JORDI PALET MARTINEZ via anti-abuse-wg wrote on 15/01/2020 12:38: > and allows sending abuse reports You're demanding that resource holders handle abuse reports by email and how to handle that mailbox, i.e. telling them how to run their businesses. It's not appropriate for the RIPE NCC to get involved with this sort of thing. Nick

Exactly 2 minutes a year (1 minute each time you click the link in the email from RIPE NCC). And because you invest 2 minutes a year, you will save a lot of time (many hours/days) yourself, trying to report abuses to invalid mailboxes! El 15/1/20 9:24, "anti-abuse-wg en nombre de Serge Droz via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net en nombre de anti-abuse-wg@ripe.net> escribió: Hi Gert Sorry I misunderstood you then. But honestly, this does not really place a burden on you. RIPE can automate this, and you simply reply to a message. We do this, e.g. in TF-CSIRT twice a year, and it does help, event the good guys, that realize they have an issue and did not receive their mail. In fact, it's become a bit of a competition to be the first to reply to the challenge. So the extra work is what, 10 minutes / year, if the system is setup properly? So I think the balance is hugely positive. Just my two cents. Serge On 15/01/2020 09:18, Gert Doering wrote: > Hi, > > On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote: >> I kind of don't buy into "There is no point on placing a burden on orgs >> that choose not to act". > > This is not what I said. My stance on this is: placing extra burdens on > orgs *that do the right thing today* (with extra verification hoops) > should be balanced against "will it change the situation wrt orgs that > do not care". > > And I think the balance is negative - extra work for the good guys, and > no relevant incentive for the bad guys to actually *act on* their abuse > reports. > > Gert Doering > -- NetMaster > -- Dr. Serge Droz Chair, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi Job, You need to have that process already for ARIN and APNIC, and once implemented LACNIC. The process is the same. You implement it once (I'm not counting the minutes that can take to implement it) and it seems simple to me: the abuse-mailbox get twice a year a verification email, a responsible guy in the abuse-team must act on it, clicking on the verification link. So, if you have already the process for other RIRs, what is the extra cost? (2 minutes) I think is much less that the time you can save, and this is the balance that we need to look for. El 15/1/20 22:56, "Job Snijders" <job@ntt.net> escribió: On Wed, Jan 15, 2020 at 10:41:54PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote: > Exactly 2 minutes a year (1 minute each time you click the link in the > email from RIPE NCC). > > And because you invest 2 minutes a year, you will save a lot of time > (many hours/days) yourself, trying to report abuses to invalid > mailboxes! I am not sure it is just two minutes a year, it is desiging and monitoring an additional work process to be executed in corporations. I am of course not sure how much it is, but certainly more than two minutes. Kind regards, Job ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi Leo, El 15/1/20 18:09, "anti-abuse-wg en nombre de Leo Vegoda" <anti-abuse-wg-bounces@ripe.net en nombre de leo@vegoda.org> escribió: On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: [...] > - Lastly: It makes our life as Incident responders easier to have a > uniform way of sending reports, even if not all of them are followed up. This is an excellent point but e-mail is probably not the right medium for that. Standardizing protocols for reporting abuse - and therefore acting on those reports more quickly - would be far more helpful. But only organizations don't want abuse on their networks will invest in the people, processes, and systems, whatever the reporting medium. This is an additional step. Do you think it may be better to include in the proposal, instead of plain email for the reporting, to mandate the use of XARF? http://xarf.org/index.html I've been tempted several times to go that path ... so may be is time for it? > I kind of don't buy into "There is no point on placing a burden on orgs > that choose not to act". It's not about the burden on the organizations that don't want to act. It's about providing a clear signal to the reporting organizations that there is no point reporting. That should allow reporting organizations to decide on next steps more quickly. ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

To an extreme, there should always be a known contact responsible for any network infrastructure.

there are, admin and tech randy, not advocating for or against abuse-c

Hi, On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

In my opinion, the actual situation is the worst. We are validating over "nothing". We don't know how many of the "validated" mailboxes are real, or even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, as it is being done in ARIN and APNIC and soon in LACNIC.

This detail is interesting...

If this can't reach consensus, I prefer to know in advance "this operator doesn't handle abuses" that wasting time in reporting them. I will have the choice to just block their network and when several folks block them and their customers complain, then they may change their mind.

I was wondering if this "block" would mean blocking all prefixes announced by the same ASN, or just the prefix where the abuse originated from.

Better 50% of good and *real* validated abuse contacts than 100% from which I don't know how may are for real.

As i already stated, i'm more worried about someone using real e-mail addresses of real unrelated people than the /dev/null or unattended mailboxes. When someone uses a 3rd party address without authorization+knowledge, i think it's reasonable to allow for a fix, instead of directly running to ripe-716. Cheers, Carlos

El 15/1/20 8:24, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net en nombre de anti-abuse-wg@ripe.net> escribió:

Hi,

I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.

To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?

Regards, Carlos

On Tue, 14 Jan 2020, Leo Vegoda wrote:

...

On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert@space.net> wrote:

[...]

...

A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)

This seems like a simple approach for letting network operators indicate whether or not they will act on abuse reports. If there's no way of reporting abuse then the operators clearly has no processes for evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda

********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

In message <30174D32-225F-467E-937A-5BC42650F955@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

I think if we try to agree on those ratings, we will never reach consensus

So it is not just easier to ask the abuse-c mailboxes that don't want to process to setup an autoresponder with an specific (standard) text about

Right, and that was a part of my point about eBay-like feedback ratings for resource holders, i.e. "Let's not even try." Instead, let the people decide. Let anyone register a feedback point, positive or negative, against any resource holder, with the proviso that if they are registering a negative feedback point, they should assert exactly *why* they are unhappy (e.g. "mail to abuse address bounced as undeliverable", "no response for eight days" etc.) and if possible, provide some context also, e.g. a copy of the spam, a copy of some logs showing hack attempts, etc. that, for example:... In the "eBay feedback" model I am proposing there is no need for *RIPE NCC* to ask anybody about anything. People will register negative points against any resource holder with an undeliverable abuse address. (I know I will!) I'm sorry Jordi, if this idea sounds like it is undermining everything you have been trying to do, which is all very very admirable. But I have only just realized what you said above, i.e. if we really start to try to design a system where RIPE NCC will do 100% of the work of "reviewing" all one zillion RIPE resource holders, the size of the task will almost be the least of the worries. The first order problem, as you already know since you have been doing yeoman's work on this for awhile now, is just getting people in the various RIRs to agree on the numerous fine details. (Hell! You can't even get *me* to agree that a 15 day turn- around is in any sense "reasonable", and apparently I'm not alone in that regard.) So, my solution is just don't. Let the whole planet vote on whether they think this provider or that provider are ***heads, and let the chips fall where they may. I'm not saying that even this idea would neessarily be piece-of-cake easy. The first problem would be working out a way to prevent the system from being gamed by bad actors for malicious purposes, or for positive "PR" purposes. (Don't get me started about the fake positive review over on TripAdvisor.) But I am not persuaded that these are in any sense insoluable problems. Regards, rfg

In message <be337bb7-211e-c377-8e97-8e16696eb3d7@heeg.de>, Hans-Martin Mosner <hmm@heeg.de> wrote:

While this would probably paint a pretty solid picture of which network o= perators can be trusted and which can't, there's another point besides your valid concern about abusers gaming the= system: Whoever publishes the results of such user ratings would most likely expose themselves to litigious lawsuits, w= hich neither you nor me nor RIPE NCC really wants to do.

That comment, and that concern, certainly does not seem to apply in any country in which either eBay or TripAdvisor operate. Do you folks on your side of the pond not receive eBay? Are you not able to view Tripadvisor.Com? Here in this country (U.S.) there are actually -three- separate and clearly discrenable legal protections that would cover and that do cover circumstances like this. In no particular order, they are: (*) The First Amendment. (*) 47 USC 230(c)(1) (*) 47 USC 230(c)(2)(B) Ref: https://www.law.cornell.edu/uscode/text/47/230 The middle one is actually the first-order go-to provision for situations like this, and provides for quick dismissal for any silly cases brought against *me* for something that *you* have said on some discussion or review web site that I just happen to provide electricity, connectivity, and CPU cycles for. One would hope that european law might have some counterpart for that, but I confess that I really have no idea about that, one way or the other. So, um, is the european continent utterly devoid of any and all web sites where reviews can or do appear? Does europe have its own GDPR mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out? Or were you, Hans-Martin, just saying that in europe, free speech is reserved only for those who can afford it, and who conveniently have hoards of corporate lawyers covering their backsides? Asking seriously, because I don't know the answer. I'm just puzzled by this whole thing, and this concern about lawsuits. Regards, rfg

Is Dutch law really the inhibitor here? Or the possibilities that Richard outlined? I seem to recall previous opta nl proposals that took a sensible view of network abuse, some years back --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Brian Nisbet <brian.nisbet@heanet.ie> Sent: Wednesday, January 15, 2020 6:35 PM To: Ronald F. Guilmette; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Folks, While not attempting to discuss the merits or otherwise of a reputation system (other than the fact I've seen many of them proposed and we still have lots of problems), I would say one thing on your comments below, Ronald. The RIPE NCC service region is not just the EU, it isn't just the continent of Europe. It includes many other countries such as Russia and the entirety of the Middle East. With 70+ countries involved it is a lot harder to do something that is acceptable everywhere, even while the NCC itself is governed under Dutch law. Just a useful reminder. Brian Brian Nisbet Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270

-----Original Message----- From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Ronald F. Guilmette Sent: Wednesday 15 January 2020 01:52 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

In message <be337bb7-211e-c377-8e97-8e16696eb3d7@heeg.de>, Hans-Martin Mosner <hmm@heeg.de> wrote:

...

While this would probably paint a pretty solid picture of which network o= perators can be trusted and which can't, there's another point besides your valid concern about abusers gaming the= system: Whoever publishes the results of such user ratings would most likely expose themselves to litigious lawsuits, w= hich neither you nor me nor RIPE NCC really wants to do.

That comment, and that concern, certainly does not seem to apply in any country in which either eBay or TripAdvisor operate.

Do you folks on your side of the pond not receive eBay? Are you not able to view Tripadvisor.Com?

Here in this country (U.S.) there are actually -three- separate and clearly discrenable legal protections that would cover and that do cover circumstances like this. In no particular order, they are:

(*) The First Amendment.

(*) 47 USC 230(c)(1)

(*) 47 USC 230(c)(2)(B)

Ref: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww .law.cornell.edu%2Fuscode%2Ftext%2F47%2F230&data=02%7C01%7Cb rian.nisbet%40heanet.ie%7C4346c5c89cb4424339be08d7995da2a1%7Ccd9e82 69dfb648e082538b7baf8d3391%7C0%7C0%7C637146499755991832&sdat a=JcDbohTPkHP6aa4TkUU%2BL%2FswCYndB5tol4HPXak2M9Y%3D&res erved=0

The middle one is actually the first-order go-to provision for situations like this, and provides for quick dismissal for any silly cases brought against *me* for something that *you* have said on some discussion or review web site that I just happen to provide electricity, connectivity, and CPU cycles for.

One would hope that european law might have some counterpart for that, but I confess that I really have no idea about that, one way or the other.

So, um, is the european continent utterly devoid of any and all web sites where reviews can or do appear? Does europe have its own GDPR mandated Great Firewall to keep the evil likes of eBay and TripAdvisor out?

Or were you, Hans-Martin, just saying that in europe, free speech is reserved only for those who can afford it, and who conveniently have hoards of corporate lawyers covering their backsides?

Asking seriously, because I don't know the answer. I'm just puzzled by this whole thing, and this concern about lawsuits.

Regards, rfg

In message <9EW8XOCpiyHeFAtx@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:

these (which are the most interesting parts of the Communications Decency Act that did not get invalidated by the application of the First Amendment which swept away much of it) provide a safe harbour for the people operating platforms regarding what the users of those platforms say ... so yes this is very much on point

within the EU (and the RIPE region is far bigger than that) there is NOT an equivalent regime -- there is a safe harbour (under the ECommerce Directive) for hosting companies but ONLY up to the point at which they have "actual knowledge" that material is problematic (eg that it is defamatory) after that they are on the hook if they fail to act appropriately

companies such as EBay and TripAdvisor are well aware of this and operate their platforms accordingly -- so this means that problematic material will not be visible within the EU (and doubtless in other RIPE region countries) ... whether they remove it entirely (so that US residents miss out) I could not say, you'd need to ask each company individually as to how they configure their systems

I reiterate and slightly rehprase my question: Do you people in within the RIPE region see, or not see critical reviews on, for example, eBay, TripAdvisor, etc? It is being seriously suggested that eBay erases or makes magically and selectively invisible just those bad seller (or buyer) reviews which implicate some draconian defamation laws that exist in some one of the fiefdoms of Europe, perhaps even one small enough to be entirely covered in shag carpeting? It is being seriously suggested that TripAdvisor likewise selectively erases complaints about lousey coffee at each and every litigious brothel in Amsterdam? If this is what is being suggested, then color me skeptical.

note that companies that operate solely in the USA can take some solace from the USA SPEECH Act...

The notion of "operating solely in the USA" is not one which lacks ambiguity, at least when it comes to Internet-based services, as I am sure you are all too aware. Still, pragmatics and commerce, like time and tide, wait for no man. And the services I have named and used as examples *do* exist, *do* survive, and *do* provide, collect, organize, and disseminate reviews entered by globe-spanning armies of individual end users. I would argue that if they can do it, we can do it. As regards to jurisdiction and legal responsibility, I would be more than happy to host the thing here in the United States, and take full, personal, and sole legal responsibility for it. I am not afraid, because 47 USC 230(c) is both abundantly clear and already very much tested, in real courts of law, and it has consistantly prevailed. The operator of a platform is *not* legally liable for the speech of others. Not in these United States anyway. I would do these things, but I cannot -build- such a review platform, because frankly, I just don't have the time. That small fact doesn't make it a fundamentally Bad or Unworkable idea. Regards, rfg

In message <ltfqNUBPM7HeFA88@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:

bottom line is that if you want to run a reputation site and not be under an obligation to remove libellous material (not fair comment) you would be unwise to do it outside the USA

As much as I would like to claim, on behalf of my countrymen, an absolutely unique status in this regard, I do believe that there are any number of other locales from whence a similar feat could be accomplished. Iceland seems like a possibility, but also Belize, perhaps Gibraltar, The Dominican Republic, and quite certainly Nevis & St. Kitts. Oh! And the sovereign Republic of Sealand, of course. Regards, rfg P.S. I cannot help but offer the entirely gratuitous observation that in many parts of the world it may indeed be more legally tenable to be either a spammer or a spam-fiendly provider than it is to be a person or other form of legal entity which publishes anything not qualifying as glowing positive commentary about any such.

In message <58ECE9F6-4D64-4315-8EE5-88574F6B4AA9@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:

Right, and that was a part of my point about eBay-like feedback ratings for resource holders, i.e. "Let's not even try." Instead, let the people decide. Let anyone register a feedback point, positive or negative, against any resource holder, with the proviso that if they are registering a negative feedback point, they should assert exactly *why* they are unhappy (e.g. "mail to abuse address bounced as undeliverable", "no response for eight days" etc.) and if possible, provide some context also, e.g. a copy of the spam, a copy of some logs showing hack attempts, etc.

This may have legal consequences for RIPE NCC, as somebody could use the system to publish untrue information for competitors ... not a good idea.

OK, two points: 1) I cannot and will not dispute that rating systems which allow votes from the public at large can be gamed, e.g. by unscrupulous competitors, and indeed, it is my belief that there have already been some well- documented cases of this. That's not to say that I think that adequate counter-measures could not be developed. I think they could be. 2) As regards to the "legal" issue, I can only express my deepest sympathies for all you folks on your side of the pond and beyond, especially as you all seem to be at least somewhat constrained in your freedom to speak truth to power. Regards, rfg

In message <4be52277-cecb-603f-6840-4ee76245b0dd@first.org>, Serge Droz <serge.droz@first.org> wrote:

I think we already spent way more executive time on this thread than it would cost us to verify e-mail addresses.

I think that I may cut that out, print it in a 48-point type face, have it framed, and hang it on my office wall. :-) This is true even though I expressed some similar view on some similar situation here already some years ago.

And honestly: taking a step back and reading this entire thread, I'm not surprised that the bad guys are winning. You know: They don't care about the purty and beauty of a solution. They just do it and profit, and probably have a fabulous time seeing us argue and go at each others throats.

I myself have certainly expressed this view previously, in private if not also in public. Regards, rfg

Hi All How about we just try this for a year and then take stock? Best Serge On 16/01/2020 18:07, Andreas Worbs wrote:

I'm completely with you.

For our US-AS i verify my contact once a year: open the mail, click the link, verify my data and that's it. You don't even need 5 minutes for it.

If you have an automation fpr your abuse mails? Ok, you have to adjust your configuration a little bit but you have to do this only once. Is it really a problem?

RIPE NCC will not deregister your ressources right now just because you missed the verification.

I would be happy if we have a mandatory abuse-c which is validated by the RIPE.

Rather go forward step-by-step than stop here for years. Stagnation means regression.

Have a good night,

Andi

Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:

...

Hi All

I think we already spent way more executive time on this thread than it would cost us to verify e-mail addresses.

I agree e-mail does not solve all the problems. It's hard to automatically process, .....

But it is simple to use, and from my work as an incident handler it did do me good in the past. I participate in fora that validate abuse/emergency addresses. WHen I ask these people what their issues in daily life are it's never we have to validate or contact e-mail.

And honestly: taking a step back and reading this entire thread, I'm not surprised that the bad guys are winning. You know: They don't care about the purty and beauty of a solution. They just do it and profit, and probably have a fabulous time seeing us argue and go at each others throats.

I think we could do better.

Best Serge

-- Dr. Serge Droz Chair, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org