Obviously every user should lock their doors / protect themselves against fraud. I am just saying that the ability of many service providers to curtail abuse of their system (without impacting legitimate uses) is very limited as it may not their customers doing the abusing and any targeted action against those customers themselvesd would be inappropriate and affect many legitimate users of their services. At what point should a network service provider remove privileges from a customer that is himself being abused but is technically unable to deal with it properly? Would the complaint not be better directed at that customer, not the provider, since they are the ones that can resolve this issue in a more targetted and appropriate manner? How does the service provider differentiate between a customer that is abusing vs one that is being abused? Deputising the service providers will not necessarily solve the problems, and possibly create many new ones. In the domain industry, we were required to provide an abuse contact, however the reports we get to that address usually deal with issues we cannot do much about other than pulling or deactivating the domain name, which is usually the nuclear option. So we spend our time forwarding abuse mails to our customers that the complainant should have sent to the customer directly. Best, volker Am 16.01.2020 um 15:16 schrieb Serge Droz via anti-abuse-wg:

Hi Volker

...

isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? Law enforcement's job primarily is arresting criminals. And yes they do

On 16/01/2020 15:03, Volker Greimann wrote: prevention. But you can't stop locking your door or walk by fight just ignoring it, because it's LEA's job.

This is even more true on the internet, where CERT's have long been working together fighting cybercrime etc.

While there obviously is an appeal to the notion of "The best problems are some one else's problem" my believe is we don't want to have an internet or a world, for that matter, where this is how things run. The internet is a bottom up thing, it is so cool because people follow protocols, that are not law.

There was a time whn this wasn't a given: During the "Browser wars" different producer leveraged ambiguities in the HTML standard, and the end result was horrible.

We don't want this. If we delegate the problem, we've already lost.

Best Serge

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

Hi Jordi, your example seems a bit off though. If your contract is with your ISP and you need to complain to them, why would you complain to another ISP you have no contract with? I agree that current GDPR implementations may impact the contactibility of the customer, but that can be improved in GDPR-compliant manners that do not require playing chinese whispers down the chain. Not objecting to your 3. but you need to consider it may not be the contractual partner acting against the contract. They may be a victim as well, and therefore enforcing any actions against them may be unproductive. Would you shut down Google.com because of one link to a site violating third party rights? Best, Volker Am 16.01.2020 um 15:52 schrieb JORDI PALET MARTINEZ via anti-abuse-wg:

Hi Volker,

I don’t agree with that, because:

1. I believe the electricity sample I provided proves otherwise. My contract is with the electricity provider (the Internet provider), so I need to complain to them and they need to follow the chain. 2. For a victim, to complain directly to the customer (not the operator), will need to know the data of the “abuser” which may be protected by GDPR. 3. Customers sign a contract with the operator. The contract must have clear conditions (AUP) about the appropriate use of the network. If you act against that contract, the problem is with the operator, not victims.

By the way, if an operator has a badly designed AUP, either they are doing a bad job, or they have **no interest** in acting against abuses.

Regards,

Jordi

@jordipalet

El 16/1/20 15:44, "anti-abuse-wg en nombre de Volker Greimann" <anti-abuse-wg-bounces@ripe.net <mailto:anti-abuse-wg-bounces@ripe.net> en nombre de vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> escribió:

Obviously every user should lock their doors / protect themselves against fraud. I am just saying that the ability of many service providers to curtail abuse of their system (without impacting legitimate uses) is very limited as it may not their customers doing the abusing and any targeted action against those customers themselvesd would be inappropriate and affect many legitimate users of their services.

At what point should a network service provider remove privileges from a customer that is himself being abused but is technically unable to deal with it properly? Would the complaint not be better directed at that customer, not the provider, since they are the ones that can resolve this issue in a more targetted and appropriate manner? How does the service provider differentiate between a customer that is abusing vs one that is being abused?  Deputising the service providers will not necessarily solve the problems, and possibly create many new ones.

In the domain industry, we were required to provide an abuse contact, however the reports we get to that address usually deal with issues we cannot do much about other than pulling or deactivating the domain name, which is usually the nuclear option. So we spend our time forwarding abuse mails to our customers that the complainant should have sent to the customer directly.

Best,

volker

Am 16.01.2020 um 15:16 schrieb Serge Droz via anti-abuse-wg:

Hi Volker

On 16/01/2020 15:03, Volker Greimann wrote:

isn't making the world (and the internet) first and foremost a job of

law enforcement agencies like the police and Europol?

Law enforcement's job primarily is arresting criminals. And yes they do

prevention. But you can't stop locking your door or walk by fight just

ignoring it, because it's LEA's job.

This is even more true on the internet, where CERT's have long been

working together fighting cybercrime etc.

While there obviously is an appeal to the notion of "The best problems

are some one else's problem" my believe is we don't want to have an

internet or a world, for that matter, where this is how things run. The

internet is a bottom up thing, it is so cool because people follow

protocols, that are not law.

There was a time whn this wasn't a given: During the "Browser wars"

different producer leveraged ambiguities in the HTML standard, and the

end result was horrible.

We don't want this. If we delegate the problem, we've already lost.

Best

Serge

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <http://www.key-systems.net>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

Your email presumes that an "ombudsman" model would resolve an issue. If a person has dedicated themselves to controlling a 200,000 strong botnet and sending spam emails through unauthorised access etc. what is sending them a fancy piece of paper or an email "asking them to be nice" going to do? For example, there are 3 types of phishing websites: 1) Outright false domain name, 2) hacked server, using legitimate domain name, 3) free website sign-up Which of these would it be appropriate to ask the criminal to behave through a letter or email? In reality, none of them, because the phisher has hacked the server, dumped the phishing website template and left, never to return. The service needs to be suspended, as the server owner cannot expect: 1) a customer to know how to fix the security vulnerability, 2) the customer to log in to their email within the next day, week or even month, it might take them years to log in. 3) the criminal not to control the customers email also etc. Often when reporting phishing websites, the response from ISP is "I have notified the customer to investigate." The question then is, in which instance would it be appropriate to ask nicely of a customer? I can't think of any examples. You are like the United Nations... "North Korea, you are killing 2 million people in concentration camps, so we are asking nicely and going to send you a piece of paper expressing how bad it is." I'm sure North Korea really cares! --------- Original Message --------- Subject: Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Volker Greimann" <vgreimann@key-systems.net> Date: 1/17/20 2:03 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Hi Jordi, your example seems a bit off though. If your contract is with your ISP and you need to complain to them, why would you complain to another ISP you have no contract with? I agree that current GDPR implementations may impact the contactibility of the customer, but that can be improved in GDPR-compliant manners that do not require playing chinese whispers down the chain. Not objecting to your 3. but you need to consider it may not be the contractual partner acting against the contract. They may be a victim as well, and therefore enforcing any actions against them may be unproductive. Would you shut down Google.com because of one link to a site violating third party rights? Best, Volker Am 16.01.2020 um 15:52 schrieb JORDI PALET MARTINEZ via anti-abuse-wg: Hi Volker, I don't agree with that, because: I believe the electricity sample I provided proves otherwise. My contract is with the electricity provider (the Internet provider), so I need to complain to them and they need to follow the chain. For a victim, to complain directly to the customer (not the operator), will need to know the data of the “abuser” which may be protected by GDPR. Customers sign a contract with the operator. The contract must have clear conditions (AUP) about the appropriate use of the network. If you act against that contract, the problem is with the operator, not victims. By the way, if an operator has a badly designed AUP, either they are doing a bad job, or they have *no interest* in acting against abuses. Regards, Jordi @jordipalet El 16/1/20 15:44, "anti-abuse-wg en nombre de Volker Greimann" <anti-abuse-wg-bounces@ripe.net en nombre de vgreimann@key-systems.net> escribió: Obviously every user should lock their doors / protect themselves against fraud. I am just saying that the ability of many service providers to curtail abuse of their system (without impacting legitimate uses) is very limited as it may not their customers doing the abusing and any targeted action against those customers themselvesd would be inappropriate and affect many legitimate users of their services. At what point should a network service provider remove privileges from a customer that is himself being abused but is technically unable to deal with it properly? Would the complaint not be better directed at that customer, not the provider, since they are the ones that can resolve this issue in a more targetted and appropriate manner? How does the service provider differentiate between a customer that is abusing vs one that is being abused? Deputising the service providers will not necessarily solve the problems, and possibly create many new ones. In the domain industry, we were required to provide an abuse contact, however the reports we get to that address usually deal with issues we cannot do much about other than pulling or deactivating the domain name, which is usually the nuclear option. So we spend our time forwarding abuse mails to our customers that the complainant should have sent to the customer directly. Best, volker Am 16.01.2020 um 15:16 schrieb Serge Droz via anti-abuse-wg: Hi Volker On 16/01/2020 15:03, Volker Greimann wrote: isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? Law enforcement's job primarily is arresting criminals. And yes they do prevention. But you can't stop locking your door or walk by fight just ignoring it, because it's LEA's job. This is even more true on the internet, where CERT's have long been working together fighting cybercrime etc. While there obviously is an appeal to the notion of "The best problems are some one else's problem" my believe is we don't want to have an internet or a world, for that matter, where this is how things run. The internet is a bottom up thing, it is so cool because people follow protocols, that are not law. There was a time whn this wasn't a given: During the "Browser wars" different producer leveraged ambiguities in the HTML standard, and the end result was horrible. We don't want this. If we delegate the problem, we've already lost. Best Serge -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

In message <23ad49c8-8fc4-41fa-a8fc-cae3479ad89d@key-systems.net>, Volker Greimann <vgreimann@key-systems.net> wrote:

In the domain industry, we were required to provide an abuse contact, however the reports we get to that address usually deal with issues we cannot do much about other than pulling or deactivating the domain name, which is usually the nuclear option. So we spend our time forwarding abuse mails to our customers that the complainant should have sent to the customer directly.

Digital Ocean does the same thing. If you send them a spam complaint, they will thoughtlessly and immediately forward it on directly to their spammer customers, as you do, so that that spammer customer will then know exactly who ratted him out, and thus, who he should put out a contract on, to have that party immediately DDoS'd. You sir, and your company, are part of the problem. In fact your entire industry is also. Working together you have all succeded in serving you own financial ends while shamlessly twisting and exploiting the true meaning of GDPR, using it as a blunt instrument to demolish and bludgeon to death the perfectly usable system that used to be called "WHOIS"... in clear violation of your contractual commitments to ICANN I might add... a system (WHOIS) which is now little more than a useless joke for all practical purposes. Congratulations on maximizing your own revenue at the expense of everyone else, and at the expense of civilization and a civilized Internet. I can only hope that the facts of what you and your company have done, and what the entire domain registrar inustry has done, will ultimately become a part of your permanent epitaph, following you to wherever you go from here, which I have some hopes will not be upwards. Please let me know if I have failed to be adequately clear. Regards, rfg

In message <b741c19f-bae6-ca67-945f-052c5dfaa1e2@key-systems.net>, Volker Greimann <vgreimann@key-systems.net> wrote:

Hi Robert,

The nane is Ron, actually.

in 99,9% of the cases, the customer we forward the complaint to is not the spammer, but the service provider used by the spammer for their domain registration services, e.g. the party who has the closer relationship and can actually do something about the issue, such as disabling their customers access to the service.

OK, two points: 1) *YOU* can do something about the issue if you are the registrar of record. All of this crap designed to evade any and all -responsibility- on your part is just that, crap. You hide behind multiple layers of "resellers" and try to tell the world that because you elect to do business this way, your company is can dodge all responsiblity. These lame excuses and attemps to evade personal or corporate responsibility don't work in war crimes trials and if there were any justice in the world they wouldn't work any better on the Internet. 2) You have "resellers". OK. Fine. So you forward *my* spam complaint on to your reseller. Then your reseller forwards it on to his pet spammer... you know... the one that is providing 93% of that reseller's domain registration revenue. Now, please explain to me, slowly and carefully, what it is that either compels or even motivates your reseller to take action against the party that is putting bread on his table? More to the point, please tell me what prevents that reseller from ratting me out to his pet spammer, so that his pet spammer can then DDoS "the troublemaker"? Your entire industry, with all of its sellers and re-sellers and re-re-sellers is all just one colossal layered ponzi scheme which is funded and fueled more than 90% these days by snowshoe spammers. You know it and I know it. The only people who don't know it are the people who haven't taken the time to study what is really going on. There are, at last count, something like eighty seven thousand ICANN Accredited domain name registrars, and 98% of them would be out of business tomorrow if it were not for the snowshoe spammer trade, because there is NO real money to be made just selling domain names, one or two at a time, to butcher shops and dentist's offices. You are just porcine animals, feeding at the trough of a corrupt trade made possible by what amounts to your over-arching industry lobbying organization, ICANN.

Also, our treatment of WHOIS is not in violation of ICANN contracts, but in compliance with it. Check out the Temporary Specification to the agreements that ICANN put out.

I really don't give a rat's ass what self-serving fradulent justifications ICANN has put out to try to excuse their own inaction *or* your non-compliance with your contractual commitments. The fact remains that GDPR *does not* restrict domain registrars from displaying the Organization: fields in WHOIS records, specifically when the named organizations represent things other than natural persons... which is almost always the case... and yet I can name right now any number of ICANN Accredited domain name registrars that are, and that have been, for quite some time now, very deliberately suppressing literally *all* WHOIS data fields, period. How do you justify that? How does your corrupt industry justify that?

We are working hard to bring back some model to provide access to registration data to parties with a legitimate interests, but...

Screw that! This is just a clever smoke-screen, invented by your corrupt industry to try to fool naive and stupid people into believing that there is really some complex issue here when there isn't. The Organization: field of each and every domain name WHOIS records is quite clearly SUPPOSED to contain the name of the non-natural-person to which the domain name is registered. So why do most domain name registrars suppress this data? What is your excuse for that, when GDPR clearly does not apply? I am *not* talking about your industry's lame attempts to limit access to the data to only *your* hand-picked non-troublemaker "parties with a legitimate interest". These are just industry code words for "law enforcement only" access. This is what your industry wants, because you all know good and goddamn well that law enforcement doesn't have the time, the interest, the training, or the manpower to chase down mere small-time hackers and spammers, so your industry-wide plan is to proceeding according to these two phases: 1) Suppress *all* WHOIS information, even for entities not covered by GDPR, and then... 2) When people complaint that you are violating your clear contractual commitments to ICANN (which ICANN, which also profits handsomely from the snowshoe spammer trade, is conveniently doing nothing about) then your industry offers to "compromise" by allowing WHOIS access *only* to untrained, ineffective, and mostly uninterested law enforcement. Actually, I must complement your whole industry for being so clever about all of this. You all set out, with a unity of purpose, to try to screw Internet end users and to preserve your industry and its ability to make fat profits from spammers and phishers, all while making sure that WHOIS became entirely off-limits to the public at large, just so that none of those nosey busybodies could call you out publicly for the fact that you are all these days catering, mostly, to spammers and phishers . And your plan is so far working beautifully for you. You are all working together to screw and disappear the entire WHOIS system which has existed since the very beginning of the Internet, all just so that you guys in your industry can make fat profits without even the smallest smidgeon of public accountability. I hope that you are proud of what you and your industry have accomplished. But I just have to ask: Does your mother know what you do for a living? I won't blame you if you tell me that you are too ashamed to tell her. Regards, rfg

In message <d11c5891-60aa-6581-88c1-35623b8eb2bf@key-systems.net>, Volker Greimann <vgreimann@key-systems.net> wrote:

As the abuse using domains registered through us usually does not happen on our networks, we have zero ability to detect it in advance, all we can do is take care of them after the fact, which we do dilligently. We have a team tasked exclusively with reviewing abuse complaints and taking appropriate action.

You already clarified what your idea of "appropriate action" is, i.e. ratting out the "troublemaker/complainer" to your spammer customer's reseller, so that that company can in turn rat out the "complainer" to the spammer, so that the spammer can then launch a DDoS or other type of attack. (And for the record, I have myself been DDoS'd *twice* in the past 20 years, since I have been working on network abuse issues.) I'm sorry, sir, but this is *not* my idea of "appropriate action". Far from it in fact.

Clearly you have never looked at what normal end users put in the Org fields.

I have *actually* looked at more domain name WHOIS records, and carefully studied them, that you will likely even glance at in your entire lifetime.

In our experience, they put anything in there, not just org names.

That is not my problem and it is also not your problem. The fact that some tiny percentage of the world's population are perfect imbecils who are unable to grasp the simple and obvious concept of an "organization" as something other than a natural person is not a fact which either can or should drive global policy as it relates to the overall health and safety of the entire Internet. More to the point, how many natural persons have names that end with ", LLC" or ", Inc." or ", Ltd." or ", S.A.R.L." ? Could your company and your entire industry at least display in public WHOIS records the Organization fields that contain these suffixes? Of course you could! Will you do so? Of course not, because as I have said, you folks who are in the domain registration business are not interested at all in either transparency *or* in the health of the Internet. Your only goals are to helpfully hide the details of your crooked and wicked primary revenue-generating customers, i.e. spammers and phishers, and maximizing your own revenue at the expense of everyone else. Ladies and gentlemen, for those of you who may think that I have just gone off the deep end, and that I am just ranting against the domain name registration industry without any basis, I ask you to just consider this: There exists a domain name registrar company, NameSilo, here in the U.S. and on its web site it proudly displays the details of its bulk discount policies for domain name buyers: https://www.namesilo.com/Support/Discount-Program As you can all see, the discount schedule for bulk purchases maxes out and yields the highest level of discounts for buyers at the level where a single buyer is purchasing FIVE THOUSAND DOMAIN NAMES IN A SINGLE SITTING. So now, everyone, ask yourselves: Who needs to buy FIVE THOUSAND domain names in a single transaction? Who even WANTS to buy FIVE THOUSAND domain unique names in a single transaction? And whoever wants that, would you trust them to hold your wallet? The entire scam that is the modern domain name business is an open secret. The domain name registrars don't even hide what they are up to anymore. They display it right out in the open and on their web sites, almost as if it were something to be proud of, rather than something that they should be ashamed to tell their mothers about. I have talked to a senior official at ICANN about this practice of ICANN's accredited registrars offering discounts for bulk purchases... which are clearly and unambiguously intended to draw in the Internet criminal element... and this ICANN official said to me point blank "Yea, we know. There is nothing we can do about it." Why can't ICANN control this outrageous behavior of the part of its own contractually bound accredited registrars? The answer is as simple as it is obvious: The problem isn't that ICANN actually "can't" do anything about this explicit catering to the criminal element. The real problem is that ICANN has no incentive to put a stop to this, and in fact makes lots of money itself by the perpetuation of this sordid trade, which they and everyone else who has been paying attention all know about.

If you have the perfect method of differentiating between personal data and non-personal data, you could do a lot of good by sharing that instead of mouthing off.

See above. This isn't rocket science. But you are now displaying, on behalf of your entire crooked industry, your willful and self-serving blindness to the obvious. If the value in the Organization: field ends in "Inc." or "LLC" or "Ltd." or "Limited" or "Co.", or "Company" or "OOO" or "SRL" or "S.R.L." or "SARL" or "S.A.R.L." then guess what? That is NOT the name of a natural person. and therfroe the infomation in that field is clearly NOT covered under or by GDPR. If I thought that it would help any, then I would happily arrange to have the above comment translated for you into braille.

Not all law enforcement is Seargant Plodder.

I never said they all were. I said that they don't have the time, resources, training, or even the interest or clear legal authority to persue -any- of the tens of thousands of small-time criminals and spammers who your industry and its overriding greed have saddled the rest of us with. I also said that your whole industry is well and truly aware of this fact, which is well known to anyone and everyone who as dealt with network abuse issues on the Internet at any time within the past ten+ years, and that this is why your industry is so happy to "compromise" on the WHOIS issue by screwing the public, insuring your own near-total unaccountability, and converting the entire WHOIS system from an open and transparent system... as it was from the start of the Internet... into a closed and secret world that can only be viewed by harried, uninterested and untrained law enforcement. This is NOT acceptable. I don't like to blow my own horn too much, but I am forced to ask this question now: Who broke the case and who broke the story of the massive corruption inside AFRINIC? Was that law enforcement? Did *anybody* in law enforcement have even the first clue about *or* even give a crap about what was going on in that case? No. It was a private sector non-law-enforcement researcher who got to the bottom of that case. You and your whole industry are deliberately screwing all private sector security researchers. And why? Just so that you can all keep your whole ponzi scheme of an industry going a little bit longer, and just so that you can all make just a little bit more money by being the paid stooges and front men for the kind of folks who buy five thousand domain names at a single sitting.

And access would be granted to anyone who can demonstrate a legitimate interest...

Yes. I have already discussed your industry's "cover story" for your ongoing campaign to destroy the entire WHOIS system as we know it, and have known it, for more than 30 years. Your plan is to have some paid lacky bureaucrat sitting in some dusty office somewhere with a desk piled high with waiting applications from "legitimate interest" researchers and a huge red rubber stamp that just says "Application Denied". Proove that this is NOT the exact outcome that you and your fellow domain name registrars are hoping for. Prove that this is NOT what you all have all been scheming to achieve, ever since even before GDPR came into effect, thus giving you all a convenient excuse for doing what you had all wanted and planned to do all along, i.e. converting WHOIS from a an open, public, and transparent system into a closed and proprietary one. QUESTION: Do *I* have a "legitimate" interest in seeing WHOIS records? ANSWER: You're goddamn right I do! Can I prove that fact? No, I can't. Can any party who *isn't* litigating, and who *isn't* law enforcement and who *isn't* a trademark holder actually *prove* that they have a "legitimate interest" in looking at otherwise secret WHOIS records? No they can't. You know it, I know it everybody knows it. The truth is that your whole wicked industry just doesn't want to be in any sense accoutable. You want as few people as possible looking over your shoulders and watching what you are doing. And I can assure you that I am *not* the only one who thinks so: http://www.circleid.com/posts/20100728_taking_back_the_dns/

Actually, when it comes to whois, we mainly care about protecting the privacy rights of our customers. Not the abusers though.

Oh! Right! So you are telling us all, here and now, that Namesilo... one of your bretheren in the domain name industry... has absolutely -zero- direct financial interest in protecting their customers who came to them to register FIVE THOUSAND domain names. And you really expect people to believe this obvious and transparent lie? If so, I think that there are some job openings in the White House press office, here in the U.S., that you might be well suited for. Regards, rfg

Let’s try to see it from another perspective. If you’re an electricity provider, and one of your customers injects 1.000 v into the network and thus create damages to other customers (even from other electricity providers), the electricity provider must have the means to resolve the problem, disconnect that customer if needed, and pay the damages if the customer creating them don’t do that. When this happens, most of the time, the customer insurance will cover it, initially, and then claim to the electricity provider insurance, which in turn, can claim to the customer creating the trouble. If insurance doesn’t work, most of the time, law will make the electricity provider responsible at the same level of the defaulting customer (especially if this one doesn’t pay the damages). I’m sure that this is the same in every EU country. Can we agree on that? This is totally symmetric to the Internet. An operator provides a service. If a customer is creating damages, even to customers of other operators, the minimum that the provider of the defaulting customer should be able to do is: Receive the abuse report (it can be automated) Investigate the abuse (it can be automated in many cases, especially if we mandate a format for the reporting, and there are open source tools that do that for most of the cases) If it is against the AUP which its customers, take actions, warnings to the customer the first time, etc., even disconnecting the customer (of course, this means losing customers such as spammers that pay a lot …) I don’t expect to respond to the abuse, but it’s nice to do. There are many open source ticket systems that do most of this. I don’t expect to compensate the victims, but I’m sure it can be done if the victims go to the courts. No difference with the electricity example, just we don’t have (as I know) this kind of insurance for Internet abuses. Actually, it will be very nice to have those insurances, because insurance companies have the power to put together many claims in the courts, so operators that don’t care about abuse pay for it. Saludos, Jordi @jordipalet El 16/1/20 15:03, "anti-abuse-wg en nombre de Volker Greimann" <anti-abuse-wg-bounces@ripe.net en nombre de vgreimann@key-systems.net> escribió: Hi Sara, isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? While I agree that everyone has a role to play, crime prevention and protection of the public is part of the LEA job description, right? Civil society entities certainly have a role to play, but it does not help trying to deputize them into a role they do not carry. I disagree that the contract language you quote puts any duty of care regarding the abuse of any networks by third parties on the parties to the agreement. That duty may arise from other sources, but this language is directed at its own information the party provides to RIPE NCC and the cooperation with any audits. Just because it includes the word security does not mean it refers to all thinkable security issues. The ability of any part of the internet infrastructure to curtail abuse that somehow touches services it providers is usually severely curtailed and its ability to review abuse complaints is usually limited to the resources it provides. In many cases, that is simply not enough information to go on when dealing with many common forms of abuse. Best, Volker Am 16.01.2020 um 14:23 schrieb Marcolla, Sara Veronica: Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a part of) the community. We should not forget that, according to the provisions of RIPE NCC audits, “every party that has entered into an agreement with the RIPE NCC is contractually obliged to provide the RIPE NCC with complete, updated and accurate information necessary for the provision of the RIPE NCC services and to assist the RIPE NCC with audits and security checks”. Complete, accurate information goes hand in hand with a duty of care, of promptly taking actions against abuse, and should be accompanied by a social responsibility of trying to make the Internet a safe and secure place for everyone, thus not enabling actively DDoS, spammers, and criminals in general. If the community does not agree that everyone has the right to a safe, spam free, crime free Internet, maybe we have some issue to solve here first. Kind regards, Sara Europol - O3 European Cyber Crime Centre (EC3) Eisenhowerlaan 73, 2517 KK The Hague, The Netherlands www.europol.europa.eu From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Sérgio Rocha Sent: 16 January 2020 13:38 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Hi, Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure. It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet. There are a feew ideas that is simple to understand: 1 - If you have been assigned a network you have responsibilities, paying should not be the only one. 2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails. 3 - If you have no ability to manage abuse should not have addressing, leave it to professionals. The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists. It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same. Sergio From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing Sent: 16 de janeiro de 2020 04:55 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

...

Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish. It is idiotic and is not ad hominem. This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance? The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Ronald F. Guilmette" <rfg@tristatelogic.com> Date: 1/16/20 11:47 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:

That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from your's truly. Best not to judge the race until it has been fully run.

Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve. Regards, rfg ******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. ******************* -- Volker A. Greimann ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

El 16/1/20 15:25, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net en nombre de rfg@tristatelogic.com> escribió: In message <FE63ED86-8823-4F7D-81BD-DD08AA130FA9@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: >I'm sure that this is the same in every EU country. Can we agree on that? Quite certainly not! Doing so would break ALL established precedent! I used EU on purpose here. I didn't want to say every RIPE NCC country. I really think the electricity case I've described works that way in EU countries. Anyone believes not? Any lawyer in the list can provides hints why yes or why not? When was the last time this working group agreed on *anything*? Regards, rfg P.S. And anyway, as I myself have just been reminded, RIPE != EU. ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

​Jordi, Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes. Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-. So the current legal environment (in the EU) isn't very 'pro' abuse handling. ​-- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode On Thu, 16-01-2020 15h 18min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

Let’s try to see it from another perspective. If you’re an electricity provider, and one of your customers injects 1.000 v into the network and thus create damages to other customers (even from other electricity providers), the electricity provider must have the means to resolve the problem, disconnect that customer if needed, and pay the damages if the customer creating them don’t do that. When this happens, most of the time, the customer insurance will cover it, initially, and then claim to the electricity provider insurance, which in turn, can claim to the customer creating the trouble. If insurance doesn’t work, most of the time, law will make the electricity provider responsible at the same level of the defaulting customer (especially if this one doesn’t pay the damages). I’m sure that this is the same in every EU country. Can we agree on that? This is totally symmetric to the Internet. An operator provides a service. If a customer is creating damages, even to customers of other operators, the minimum that the provider of the defaulting customer should be able to do is: * Receive the abuse report (it can be automated) * Investigate the abuse (it can be automated in many cases, especially if we mandate a format for the reporting, and there are open source tools that do that for most of the cases) * If it is against the AUP which its customers, take actions, warnings to the customer the first time, etc., even disconnecting the customer (of course, this means losing customers such as spammers that pay a lot …) I don’t expect to respond to the abuse, but it’s nice to do. There are many open source ticket systems that do most of this. I don’t expect to compensate the victims, but I’m sure it can be done if the victims go to the courts. No difference with the electricity example, just we don’t have (as I know) this kind of insurance for Internet abuses. Actually, it will be very nice to have those insurances, because insurance companies have the power to put together many claims in the courts, so operators that don’t care about abuse pay for it. Saludos, Jordi @jordipalet El 16/1/20 15:03, "anti-abuse-wg en nombre de Volker Greimann" <anti-abuse-wg-bounces@ripe.net en nombre de vgreimann@key-systems.net> escribió: Hi Sara, isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? While I agree that everyone has a role to play, crime prevention and protection of the public is part of the LEA job description, right? Civil society entities certainly have a role to play, but it does not help trying to deputize them into a role they do not carry. I disagree that the contract language you quote puts any duty of care regarding the abuse of any networks by third parties on the parties to the agreement. That duty may arise from other sources, but this language is directed at its own information the party provides to RIPE NCC and the cooperation with any audits. Just because it includes the word security does not mean it refers to all thinkable security issues. The ability of any part of the internet infrastructure to curtail abuse that somehow touches services it providers is usually severely curtailed and its ability to review abuse complaints is usually limited to the resources it provides. In many cases, that is simply not enough information to go on when dealing with many common forms of abuse. Best, Volker Am 16.01.2020 um 14:23 schrieb Marcolla, Sara Veronica:

Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a part of) the community. We should not forget that, according to the provisions of RIPE NCC audits, “every party that has entered into an agreement with the RIPE NCC is contractually obliged to provide the RIPE NCC with complete, updated and accurate information necessary for the provision of the RIPE NCC services and to assist the RIPE NCC with audits and security checks”. Complete, accurate information goes hand in hand with a duty of care, of promptly taking actions against abuse, and should be accompanied by a social responsibility of trying to make the Internet a safe and secure place for everyone, thus not enabling actively DDoS, spammers, and criminals in general. If the community does not agree that everyone has the right to a safe, spam free, crime free Internet, maybe we have some issue to solve here first. Kind regards, Sara Europol - O3 European Cyber Crime Centre (EC3) Eisenhowerlaan 73, 2517 KK The Hague, The Netherlands www.europol.europa.eu From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Sérgio Rocha

Sent: 16 January 2020 13:38 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

Hi, Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure. It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet. There are a feew ideas that is simple to understand: 1 - If you have been assigned a network you have responsibilities, paying should not be the only one. 2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails. 3 - If you have no ability to manage abuse should not have addressing, leave it to professionals. The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists. It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same. Sergio From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing

Sent: 16 de janeiro de 2020 04:55 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

...

Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish. It is idiotic and is not ad hominem. This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance? The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.

--------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

From: "Ronald F. Guilmette" <rfg@tristatelogic.com> Date: 1/16/20 11:47 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:

...

That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from your's truly.

Best not to judge the race until it has been fully run.

...

Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve.

Regards, rfg

******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. ******************* -- Volker A. Greimann ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

In message <A882C67B-0BB5-4EE3-B4CF-7C5EE62CD931@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes

So, if I'm reading it correctly (not being a lawyer), a service provider not acting against abuse when it has been informed of so, is liable.

don't get confused between the "Hosting" and "Mere Conduit" provisions

I'm sure if the service provider tries to avoid being "informed" by not looking at notifications (email, postal, fax, etc.), they will also be liable in front of courts.

correct, but that's a "Hosting" aspect and that's not necessarily the issue when considering spam (which is certainly some of what is being considered under the generic "abuse" label) -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

In message <1609071E-BF44-4E1D-9C81-98616F11BF59@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes

El 16/1/20 21:37, "anti-abuse-wg en nombre de Richard Clayton" <anti-abuse-wg- bounces@ripe.net en nombre de richard@highwayman.com> escribió:

In message <A882C67B-0BB5-4EE3-B4CF-7C5EE62CD931@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes

...

I'm sure if the service provider tries to avoid being "informed" by not looking at notifications (email, postal, fax, etc.), they will also be liable in front of courts.

correct, but that's a "Hosting" aspect and that's not necessarily the issue when considering spam (which is certainly some of what is being considered under the generic "abuse" label)

I'm not sure to understand what do you mean. In my opinion, if the hosting provider is the resource-holder of the addresses being used for any abuse (including spam), he is the responsible against the law and he is consequently liable of possible damages.

The ECommerce Directive gives a free pass to companies that just pass packets around ("Mere Conduit") ... so if you complain to AS<n> that there is a spammer using their network and they do nothing then suing them is unlikely to be productive. You need, in such a matter, to take proceedings against the spammer (and the Court may assist you in compelling the network provider to reveal what they know about the spammer). The ECommerce Directive also gives a free pass to a hosting company in respect of material they publish such as (where this thread started) a website claiming the people operating AS<n> are pondscum and regularly rape their mothers ... but once the hosting company has "actual knowledge" of this defamatory material then they must act to remove it. If they do not do so then you can take legal proceedings against them for continuing to publish the libel. You may have some opinion of your own as to whether this is right (and this, as covered earlier, is not the same in the USA) ... ... but until you explain exactly the legal basis on which you intend to proceed against a resource holder and exactly the sort of harm which they are facilitating (not all abuse is the same in law) then it's impossible to say whether some special situation applies (and your opinion about liability is correct) or whether the overarching provisions of the ECommerce Directive (which override laws that appear to say something else) mean that you cannot proceed against a network provider at all or a hosting company that does not have actual knowledge. IANAL, jurisdictions differ (but Directives bind all EU Member States) -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Hi Alex, El 16/1/20 16:30, "anti-abuse-wg en nombre de Alex de Joode" <anti-abuse-wg-bounces@ripe.net en nombre de alex@idgara.nl> escribió: Hi Sara, The issue with your statement below is that RIPE NCC cannot (legally, under Dutch contract law) disconnect resources if a resource holder (or more likely his customer) does not (properly) deal with abuse complaints. (for instance due to reasons of proportionality) ​ Currently RIPE NCC mandates an email address for receiving abuse notices (which is good, as companies can specify a specific address that is monitored by people who can take action, and notifiers have a way to find out where to sent notices for speedy resolution). The availability of this address is checked by RIPE. So the current system basically works to enhance the infrastructure for those that are willing to deal with abuse notices. This is where we disagree: The current system doesn’t work. Only checks that “a mailbox” exist, but not that the mailbox works, isn’t full, bounces, or it has your email address for *your* abuse-c. It seems a simple issue, but a policy amendment is required to make the RIPE NCC to change this and make it coherent same as in ARIN, APNIC and (as soon as implemented) LACNIC. Some within this community do feel this is not enough. That as RIPE controls resources, RIPE should be put in a position to leverage these resources in such a way as to ensure all it's resource holders deal with abuse notice in a proper way. This would then lead to a crime free internet and everybody is happy. Implementing this is a fundament shift in the role and responsibility of RIPE. A large and vocal group here, do not believe this "deputisation" is the direction RIPE should pursue. That does not mean they are in favour of a "un-safe, spam infested, crime ridden internet", they just feel this issue should be address via leveraging RIPE resouces. ​-- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode On Thu, 16-01-2020 14h 23min, "Marcolla, Sara Veronica" <Sara.Marcolla@europol.europa.eu> wrote: Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a part of) the community. We should not forget that, according to the provisions of RIPE NCC audits, “every party that has entered into an agreement with the RIPE NCC is contractually obliged to provide the RIPE NCC with complete, updated and accurate information necessary for the provision of the RIPE NCC services and to assist the RIPE NCC with audits and security checks”. Complete, accurate information goes hand in hand with a duty of care, of promptly taking actions against abuse, and should be accompanied by a social responsibility of trying to make the Internet a safe and secure place for everyone, thus not enabling actively DDoS, spammers, and criminals in general. If the community does not agree that everyone has the right to a safe, spam free, crime free Internet, maybe we have some issue to solve here first. Kind regards, Sara Europol - O3 European Cyber Crime Centre (EC3) Eisenhowerlaan 73, 2517 KK The Hague, The Netherlands www.europol.europa.eu From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Sérgio Rocha Sent: 16 January 2020 13:38 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") Hi, Agree, This anti-abuse list seems the blocking group to any anit-abuse response measure. It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet. There are a feew ideas that is simple to understand: 1 - If you have been assigned a network you have responsibilities, paying should not be the only one. 2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails. 3 - If you have no ability to manage abuse should not have addressing, leave it to professionals. The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists. It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same. Sergio From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing Sent: 16 de janeiro de 2020 04:55 To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

...

Best not to judge the race until it has been fully run.

I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce over heads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish. It is idiotic and is not ad hominem. This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk all together" and these idiots emerge from the wood work like the termites that they are and there's no resistance? The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals. --------- Original Message --------- Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox") From: "Ronald F. Guilmette" <rfg@tristatelogic.com> Date: 1/16/20 11:47 am To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@ email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:

That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from your's truly. Best not to judge the race until it has been fully run.

Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.

I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve. Regards, rfg ******************* DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated. ******************* ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.