Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
What is this?
"However, the community should report any situation to the RIPE NCC, which can provide (anonymous) periodical statistics to the community, which can take further decisions about that."
Ripe members are informers?
"divide and conquer" strategy?
Abuse email addresses (just like any other email address) are being spammed, not only by non-relevant spammers but also by automatic useless services that are installed at servers that don't take themselves any measure of proper configuration to avoid the automatic useless services.
In my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIRs will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
---
Besides the above, I also believe that we as a community should not accept complainers which are not taking the most basic configuration actions to protect their systems, and would consider these complaints as spam. In order for abuse complaints not to be abused.
Respectfully, Elad
________________________________
From: anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg
Sent: Wednesday, April 29, 2020 11:22 AM
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
Hi All
I think this is a good policy.
We can always find use cases where it fails, but it will help in some cases.
And if someone is not able to answer an e-mail every six months, there are probably underlying issues. Also the argument that the bad guys flood the mailbox is not really acceptable. It just means you can't filter spam.
The proposal does not check how the reports are used. But it helps us to enumerate organizations that don't act, coming up with various excuses, along the lines the best problems are someone else's problems, so let's make it someone else's problem.
The fact is: Most mature organizations are perfectly capable of handling such mailboxes, even if they have a high load.
Coming from the incident response side, I'm tired of people constantly telling me that issues are not their problem.
Best Serge
On 28.04.20 16:01, Petrit Hasani wrote:
Dear colleagues,
A new version of RIPE policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now available for discussion.
This proposal aims to have the RIPE NCC validate "abuse-c:" information more often and introduces a new validation process.
Most of the text has been rewritten following the last round of discussion and the proposal is now at version 3.0. Some key points in this version:
- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to receive messages
- The validation should happen at least every six months
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-04
As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of the Anti-Abuse Working Group Chairs, will decide how to proceed with the proposal.
We encourage you to review this proposal and send your comments to <anti-abuse-wg@ripe.net> before 27 May 2020.
Kind regards,
--
Petrit Hasani
Policy Officer
RIPE NCC
--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org
RIPE etc. are the ones themselves who refuse to introduce a centralised system, because of $$$$ related concerns.
It would be great, but then imagine if the spammers etc. DDoS that system for as long as they want to abuse resources.
--
On Wed, Apr 29, 2020 at 9:18 PM Elad Cohen <elad@netstyle.io> wrote:
What is this ?
"However, the community should report any situation to the RIPE NCC, which can provide (anonymous) periodical statistics to the community, which can take further decisions about that."
Ripe members are informers?
"divide and conquer" strategy ?
Abuse email addresses (just like any other email address) are being spammed, not only by non-relevant spammers but also by automatic useless services that are installed at servers that don't take themselves any measure of proper configuration to avoid the automatic useless services.
In my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIRs will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
---
Besides the above, I also believe that we as a community should not accept complainers which are not taking the most basic configuration actions to protect their systems, and would consider these complaints as spam. In order for abuse complaints not to be abused.
Respectfully, Elad
No No,
Ripe, within the yearly ~30M Euros expenses of it, is able to create such system (an organization with expenses of 1% of it is able to create such system with a small part of its expenses budget).
That kind of system can be over BGP anycast with multiple worldwide locations and automatic syncing (so DDoS attacks will not affect it), and that kind of system can be (for example) for the whole 5 RIRs.
Respectfully, Elad
________________________________
From: No No <no0484985@gmail.com>
Sent: Wednesday, April 29, 2020 3:18 PM
To: Elad Cohen <elad@netstyle.io>; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
RIPE etc. are the ones themselves who refuse to introduce a centralised system, because of $$$$ related concerns.
It would be great, but then imagine if the spammers etc. DDoS that system for as long as they want to abuse resources.
... and all from a group of people who complain about having to check their email account once every 12 months.
---
On Wed, Apr 29, 2020 at 10:34 PM Elad Cohen <elad@netstyle.io> wrote:
No No,
Ripe, within the yearly ~30M Euros expenses of it, is able to create such system (an organization with expenses of 1% of it is able to create such system with a small part of its expenses budget).
That kind of system can be over bgp anycast with multiple worldwide locations and automatic syncing (so DDoS attacks will not affect it), and that kind of system can be (for example) for the whole 5 RIRs.
Respectfully, Elad
I like this approach, should be like what Elad Wrote:
In my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIRs will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
No Spam, accountable, possible to integrate with LIR system, possible to have public rate about abuse dealing
Hi,
With this solution how do you propose that sub-allocated networks manage the complaints? These networks are not typically an LIR so would have no such access to an LIR based system.
The sub-allocated prefixes carry their own abuse-c which, as pointed out by Gert, already gets validated by RIPE.
On 29/04/2020 13:38, Sérgio Rocha wrote:
I like this approach, should be like what Elad Wrote:
In my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIRs will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
No Spam, accountable, possible to integrate with LIR system, possible to have public rate about "abuse dealing"
Hello, The LIR in his logged in account will be able to create sub-users for specific ranges. The LIR will have an interest to do it because any unhandled abuse complaint (in the percentage statistics) will appear under the upper-LIR name. --- Please excuse me for not replying at the time of the discussion, because Brian decided to moderate me. Respectfully, Elad ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Alistair Mackenzie via anti-abuse-wg <anti-abuse-wg@ripe.net> Sent: Wednesday, April 29, 2020 3:46 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") Hi, With this solution how to you propose that sub-allocated networks manage the complaints? These networks are not typically and LIR so would have no such access to an LIR based system. The sub-allocated prefixes carry their own abuse-c which as pointed out by Gert, already gets validated by RIPE. On 29/04/2020 13:38, S�rgio Rocha wrote:
I like this approach, should be like what Elad Wrote:
�
To my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIR's will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complain as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)�
�
No Spam, accountable, possible to integrate with LIR system, possible to have public rate about �abuse dealing�
�
�
�
�
�
*De:* anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> *Em Nome De *Elad Cohen *Enviada:* 29 de abril de 2020 11:15 *Para:* anti-abuse-wg@ripe.net; Serge Droz <serge.droz@first.org> *Assunto:* Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
�
What is this ?
"However, the community should report any situation to the RIPE NCC, which can provide (anonymous) periodical statistics to the community, which can take further decisions about that."
Ripe members are informers?
"divide and conquer" strategy ?
Abuse email addresses (just like any other email address) are being spammed, not only by non-relevant spammers but also by automatic useless services that are installed at servers that don't take themselves any measure of proper configuration to avoid the automatic useless services.
To my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIR's will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complain as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
---
Besides the above, I also believe that we as a community should not accept complainers which are not taking the most basic configuration actions to protect their systems, and would consider these complaints as spam. In order for abuse complaints not to be abused.
Respectfully,
Elad
------------------------------------------------------------------------
*From:* anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg *Sent:* Wednesday, April 29, 2020 11:22 AM *To:* anti-abuse-wg@ripe.net *Subject:* Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
Hi All
I think this is a good policy.
We can always find use cases where it fails, but it will help in some cases.
And if some one is not able to answer an e-mail every six months, there are probably underlying issues. Also the argument, that the bad guys flood the mailbox is not really acceptable. It just means you can't filter spam.
The proposal does not check how the reports are used. But it helps us to enumerate organizations, that don't act, coming up with various excuses, along the lines the best problems are some one else's problems, so let's make it some one else's problem.
The fact is: Most mature organizations are perfectly capable of handling such mail boxes, even if they have a high load.
Coming from the incident response side, I'm tired of people constantly telling me, that issues are not their problem
Best
Serge
On 28.04.20 16:01, Petrit Hasani wrote:
Dear colleagues,
A new version of RIPE policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now available for discussion.
This proposal aims to have the RIPE NCC validate "abuse-c:" information more often and introduces a new validation process.
Most of the text has been rewritten following the last round of discussion and the proposal is now at version 3.0. Some key points in this version:
- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to receive messages
- The validation should happen at least every six months
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-04
As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of the Anti-Abuse Working Group Chairs, will decide how to proceed with the proposal.
We encourage you to review this proposal and send your comments to <anti-abuse-wg@ripe.net> before 27 May 2020.
Kind regards,
-- Petrit Hasani Policy Officer RIPE NCC
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Elad
I strongly oppose this concept.
It’s not up to RIPE to run this and we don’t pay RIPE fees to have them waste resources on this kind of thing.
It’s an extra overhead for RIPE, for our staff and for reporters and it would bring little to no value.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845
So, it's the security guys, saying
This may help a bit, but won't solve all problems.
versus the infrastructure operators saying
Beware! This is creating huge costs and will not help at all, and answering two mails a year will be our ruin.
Sadly, this list is run by naysayers.
Serge
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Serge,
FIRST have experience in supporting violation of privacy laws. You are trying to make Ripe LIRs to be informers on each other instead to unite the Ripe community to fight abuse together, which is very bad to my opinion, you know (according to presentations that were displayed in FIRST) that any data that the informers will send to Ripe - will reach the systems of Europol and Spamhaus and any other entity in your "Trust Groups", without any regulation and without any supervision on the parties in these "Trust Groups", besides the trust that the members are giving to one another when they share in them illegally-obtained private data (like a group of criminals). I believe that what you are trying to do here is a very bad path for Ripe.
Respectfully,
Elad
Serge Droz via anti-abuse-wg wrote on 29/04/2020 16:55:
> So, it's the security guys, saying
> This may help a bit, but won't solve all problems.
> versus the infrastructure operators saying
> Beware! This is creating huge costs and will not help at all, and answering two mails a year will be our ruin.
The root problem is that the policy proposes to use the RIPE NCC to enforce abuse management processes.
The specifics in this iteration of the document are to threaten and then act to deregister an organisation's number resources - and thereby remove their ability to conduct business - if the organisation declines to handle abuse complaints over email.
To be clear, it's a fundamental right in large chunks of the RIPE service region to conduct business. If the RIPE NCC acts to threaten to remove this ability to conduct business, there would need to be sound legal justification for doing so.
Nick
Is there anything that stops NCC from doing additional due diligence such as validating abuse issues along with the invalid contact information etc, before taking such a decision?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote on 29/04/2020 17:26:
> Is there anything that stops NCC from doing additional due diligence such as validating abuse issues along with the invalid contact information etc, before taking such a decision?
Did you ask your corporate legal counsel for their opinion on how workable this plan is?
Nick
Why would I ask about something I am posting as an individual in my personal capacity?
I see great pains being taken to have NCC stay hands off and arms length from abuse issues at its members. I understand the motivation.
However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can’t not get involved.
I am concerned that this is eventually going to lead to heavy handed state regulation if a regulator gets involved after some particularly egregious misbehaviour by a (hypothetical at this point but the risk exists or might even exist now) shell company that gets itself membership, even LIR status and then uses a large allocation of IPs exclusively for crime.
NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
Though those of us that are saying this are probably voices in the wilderness at this point.
--srs
On 30.04.20 at 02:58, Suresh Ramasubramanian wrote:
> However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can’t not get involved.
> ...
> NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
This.
And as long as RIPE and/or NCC explicitly does not want to take action when RIPE members don't handle abuse from their networks properly, the whole issue of validating abuse mailbox addresses is moot. After all discussion, the toothless compromise will be that there should be an abuse mailbox, and FWIW it can be handled by Dave Null because nobody will exert pressure on the resource holder to do anything else.
Our problem on the receiving side of network abuse is not with the few good-willing but technically challenged providers whose abuse mailbox isn't working properly but with those large operators who don't give a flying f about their customer's network abuse.
Personally, I consider the anti-abuse WG a failure at this point. When I joined I had hoped to see and possibly support constructive work towards a reduction in network abuse, but apparently there are big players in this game who are not interested in such a reduction as it would undermine their "business".
Cheers,
Hans-Martin
I do not disagree with this.
Serge
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
However, I fully understand that the community prefer to do things in different steps.
We initially asked for the abuse mailbox.
Then we added a technical validation.
Now I'm asking for a better validations and make sure that the reporting is feasible. I'm not asking to verify if you handle the abuse case or not.
*AND* I'm not asking to take *new* actions. There are existing procedures for that in extreme cases.
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Dear Jordi,
> There are existing procedures for that in extreme cases.
I think it's now obvious that existing procedures do not work.
-- Sergey
Hi Sergey,
On 8/5/20 16:28, "anti-abuse-wg on behalf of Sergey Myasoedov via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net on behalf of anti-abuse-wg@ripe.net> wrote:
> Dear Jordi,
>> There are existing procedures for that in extreme cases.
> I think it's now obvious that existing procedures do not work.
[Jordi] I don't think so, however if that's the case, it is transversal to all the policies, not just one. It will not make sense to me to address it only for abuse cases, and not for other policy violations.
> -- Sergey
Hans-Martin and other fellow anti-abuse working group members,
On 30/04/2020 09.41, Hans-Martin Mosner wrote:
> On 30.04.20 at 02:58, Suresh Ramasubramanian wrote:
>> However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can’t not get involved.
> ...
>> NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
> This.
> And as long as RIPE and/or NCC explicitly does not want to take action when RIPE members don't handle abuse from their networks properly, the whole issue of validating abuse mailbox addresses is moot. After all discussion, the toothless compromise will be that there should be an abuse mailbox, and FWIW it can be handled by Dave Null because nobody will exert pressure on the resource holder to do anything else.
Before the validation policy & implementation, one could argue that no policy could require anti-abuse response, because perhaps abuse reports were simply not arriving. This validation is weak now, so this argument is still reasonable.
The proposed change in validation increases the strictness, so that it will be unreasonable to argue that abuse reports are not getting delivered.
This is a change which ultimately satisfies nobody; people wanting strong anti-abuse policies do not see much point since it doesn't improve abuse handling, and people wanting loose or non-existent anti-abuse policies think it is a waste of time.
However, the proposed stronger anti-abuse reporting confirmation does create a technical framework where the possibility of setting a policy with requirements for not only acknowledging abuse reports but actually handling them in some way. Furthermore, it allows a framework that might have "teeth": meaning that there can be consequences for not following the policy.
This proposed policy change moves us closer to a state where addressing the question can not be put off any further. Depending on where you stand on the overall idea of RIPE and the RIPE NCC's role in anti-abuse is, this either excites or upsets you.
Cheers,
-- Shane
Suresh Ramasubramanian wrote on 30/04/2020 01:58:
Why would I ask about something I am posting as an individual in my personal capacity?
because your day job involves abuse / security and in that capacity you may have access to good quality legal resources.
I see great pains being taken to have NCC stay hands off and arms length from abuse issues at its members. I understand the motivation.
However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can’t not get involved.
I am concerned that this is eventually going to lead to heavy handed state regulation if a regulator gets involved after some particularly egregious misbehaviour by a (hypothetical at this point but the risk exists or might even exist now) shell company that gets itself membership, even LIR status and then uses a large allocation of IPs exclusively for crime.
NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
Though those of us that are saying this are probably voices in the wilderness at this point.
Couple of general observations:
- internet abuse is a specific instance of general societal abuse. It's a complex problem and one where punishment / the threat of punishment is one of many methods of handling it, and arguably not one of the better ones from a general application point of view.
- The RIPE NCC is not constituted to evaluate what is and isn't legal in the 75+ countries that it services. E.g. should it revoke numbering resources due to CSAM because that's illegal in NL? What about blasphemous material, which is such a no-no in several other service countries that it attracts capital punishment? It's a difficult proposition to suggest that the RIPE NCC should start getting into the business of evaluating what is and isn't abuse.
- we already have structures in place to handle evaluation of what constitutes acceptable or unacceptable behaviour. The international nature of the internet has strained this to the point where it often doesn't work.
- there's a consistent undercurrent of thought here of feeling that because other societal mechanisms for controlling abuse have not stopped abuse on the internet, that the RIPE NCC is obliged to act. This assumption needs to be questioned.
- almost all of the policy proposals in AAWG over the last several years have been aimed at using the RIPE number registry as a social behaviour enforcement mechanism. There are other ways of handling social behaviour issues, e.g. standards creation + compliance, community forums, etc, etc, etc.
- complex problems aren't amenable to simple fixes.
- the primary concern expressed by the people I've talked to in law enforcement is: "where should the warrant be served?"
- the RIPE NCC operates in a complex legal environment. There's a substantial risk that the types of proposals that are being pushed in AAWG would be found to be illegal and would open the organisation up to damages or prosecution if applied (e.g shutting down a company because they insisted on using a web form instead of SMTP for handling abuse reports). Alex de Joode's emails in the last round of discussion indicated some of the difficulties involved here.
Nothing in any of this invalidates the frustration that everyone has for continued problems relating to fraud and abuse.
Nick
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour. Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them. Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say). --srs ________________________________ From: Nick Hilliard <nick@foobar.org> Sent: Thursday, April 30, 2020 5:43:04 PM To: Suresh Ramasubramanian <ops.lists@gmail.com> Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") Suresh Ramasubramanian wrote on 30/04/2020 01:58:
Why would I ask about something I am posting as an individual in my personal capacity?
because your day job involves abuse / security and in that capacity you may have access to good quality legal resources.
I see great pains being taken to have NCC stay hands off and arms length from abuse issues at its members. I understand the motivation.
However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can’t not get involved.
I am concerned that this is eventually going to lead to heavy handed state regulation if a regulator gets involved after some particularly egregious misbehaviour by a (hypothetical at this point but the risk exists or might even exist now) shell company that gets itself membership, even LIR status and then uses a large allocation of IPs exclusively for crime.
NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
Though those of us that are saying this are probably voices in the wilderness at this point.
Couple of general observations:
- internet abuse is a specific instance of general societal abuse. It's a complex problem and one where punishment / the threat of punishment is one of many methods of handling it, and arguably not one of the better ones from a general application point of view.
- The RIPE NCC is not constituted to evaluate what is and isn't legal in the 75+ countries that it services. E.g. should it revoke numbering resources due to CSAM because that's illegal in NL? What about blasphemous material, which is such a no-no in several other service countries that it attracts capital punishment? It's a difficult proposition to suggest that the RIPE NCC should start getting into the business of evaluating what is and isn't abuse.
- we already have structures in place to handle evaluation of what constitutes acceptable or unacceptable behaviour. The international nature of the internet has strained this to the point where it often doesn't work.
- there's a consistent undercurrent of thought here of feeling that because other societal mechanisms for controlling abuse have not stopped abuse on the internet, that the RIPE NCC is obliged to act. This assumption needs to be questioned.
- almost all of the policy proposals in AAWG over the last several years have been aimed at using the RIPE number registry as a social behaviour enforcement mechanism. There are other ways of handling social behaviour issues, e.g. standards creation + compliance, community forums, etc, etc, etc.
- complex problems aren't amenable to simple fixes.
- the primary concern expressed by the people I've talked to in law enforcement is: "where should the warrant be served?"
- the RIPE NCC operates in a complex legal environment. There's a substantial risk that the types of proposals that are being pushed in AAWG would be found to be illegal and would open the organisation up to damages or prosecution if applied (e.g shutting down a company because they insisted on using a web form instead of SMTP for handling abuse reports). Alex de Joode's emails in the last round of discussion indicated some of the difficulties involved here.
Nothing in any of this invalidates the frustration that everyone has for continued problems relating to fraud and abuse.
Nick
On Thu, Apr 30, 2020 at 12:42:09PM +0000, Suresh Ramasubramanian wrote:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed. Why are we having this discussion yet again? rgds, Sascha Luck
*"If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed. "* and so should not being able to access the restaurant at all because someone is conducting a DDoS on the front door and flooding you with advertisements because some idiot is too lazy to check their abuse mailbox once a year. -- On Thu, Apr 30, 2020 at 11:01 PM Sascha Luck [ml] <aawg@c4inet.net> wrote:
On Thu, Apr 30, 2020 at 12:42:09PM +0000, Suresh Ramasubramanian wrote:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed.
Why are we having this discussion yet again?
rgds, Sascha Luck
What would get discussed in an anti abuse wg? All the reasons why the organisation due to which the wg exists must sit on their thumbs and do nothing about abuse? --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Thursday, April 30, 2020 6:31:11 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") On Thu, Apr 30, 2020 at 12:42:09PM +0000, Suresh Ramasubramanian wrote:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed. Why are we having this discussion yet again? rgds, Sascha Luck
I will interject here and say that the WG exists because of the community, not the NCC. There may be perceived hair splitting here, but it is important. Obviously 2019-04 does directly ask the NCC to take an action, but we aren't here because of that organisation, we're here because we care about the operation of the Internet.
As to why we're having this discussion again, it's because the Co-Chairs judged that a sufficient portion of the Working Group wanted us to and I think the conversation so far has proven that judgement to be correct.
There may be intractable issues here, it's possible we're even asking the wrong questions and certainly we would love to hear from voices that haven't been active in this conversation before, in addition to those who have.
This isn't a simple problem, for a variety of reasons, including that 70+ country, 20,000+ members consideration, but remember, Jordi isn't the only person who can propose policies or policy changes and I would encourage others to think about other questions we could ask?
Thanks,
Brian
Co-Chair, RIPE AA-WG
Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Suresh Ramasubramanian <ops.lists@gmail.com> Sent: Thursday 30 April 2020 14:07 To: Sascha Luck [ml] <aawg@c4inet.net>; anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
What would get discussed in an anti abuse wg? All the reasons why the organisation due to which the wg exists must sit on their thumbs and do nothing about abuse?
--srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Thursday, April 30, 2020 6:31:11 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
On Thu, Apr 30, 2020 at 12:42:09PM +0000, Suresh Ramasubramanian wrote:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed. Why are we having this discussion yet again? rgds, Sascha Luck
Brian always has the right sentences at the right moments.
Respectfully,
Elad
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Brian Nisbet <brian.nisbet@heanet.ie> Sent: Thursday, April 30, 2020 4:16 PM To: Suresh Ramasubramanian <ops.lists@gmail.com>; Sascha Luck [ml] <aawg@c4inet.net>; anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
I will interject here and say that the WG exists because of the community, not the NCC. There may be perceived hair splitting here, but it is important. Obviously 2019-04 does directly ask the NCC to take an action, but we aren't here because of that organisation, we're here because we care about the operation of the Internet.
As to why we're having this discussion again, it's because the Co-Chairs judged that a sufficient portion of the Working Group wanted us to and I think the conversation so far has proven that judgement to be correct.
There may be intractable issues here, it's possible we're even asking the wrong questions and certainly we would love to hear from voices that haven't been active in this conversation before, in addition to those who have.
This isn't a simple problem, for a variety of reasons, including that 70+ country, 20,000+ members consideration, but remember, Jordi isn't the only person who can propose policies or policy changes and I would encourage others to think about other questions we could ask?
Thanks,
Brian
Co-Chair, RIPE AA-WG
Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Suresh Ramasubramanian <ops.lists@gmail.com> Sent: Thursday 30 April 2020 14:07 To: Sascha Luck [ml] <aawg@c4inet.net>; anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
What would get discussed in an anti abuse wg? All the reasons why the organisation due to which the wg exists must sit on their thumbs and do nothing about abuse?
--srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Thursday, April 30, 2020 6:31:11 PM To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
On Thu, Apr 30, 2020 at 12:42:09PM +0000, Suresh Ramasubramanian wrote:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
If this restaurant were the only source of food in a region, it would damn well be illegal to refuse service no matter how (or if) the client is dressed. Why are we having this discussion yet again? rgds, Sascha Luck
--srs ________________________________ From: Nick Hilliard <nick@foobar.org> Sent: Thursday, April 30, 2020 5:43:04 PM To: Suresh Ramasubramanian <ops.lists@gmail.com> Cc: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
Suresh Ramasubramanian wrote on 30/04/2020 01:58:
Why would I ask about something I am posting as an individual in my personal capacity?
because your day job involves abuse / security and in that capacity you may have access to good quality legal resources.
I see great pains being taken to have NCC stay hands off and arms length from abuse issues at its members. I understand the motivation.
However, being in a fiduciary role - with IPv4 being traded like currency these days the description fits - RIPE NCC can't not get involved.
I am concerned that this is eventually going to lead to heavy handed state regulation if a regulator gets involved after some particularly egregious misbehaviour by a (hypothetical at this point but the risk exists or might even exist now) shell company that gets itself membership, even LIR status and then uses a large allocation of IPs exclusively for crime.
NCC owes it to the rest of its membership and the internet community at large to take a more active role in this matter.
Though those of us that are saying this are probably voices in the wilderness at this point.
Couple of general observations:
- internet abuse is a specific instance of general societal abuse. It's a complex problem and one where punishment / the threat of punishment is one of many methods of handling it, and arguably not one of the better ones from a general application point of view.
- The RIPE NCC is not constituted to evaluate what is and isn't legal in the 75+ countries that it services. E.g. should it revoke numbering resources due to CSAM because that's illegal in NL? What about blasphemous material, which is such a no-no in several other service countries that it attracts capital punishment? It's a difficult proposition to suggest that the RIPE NCC should start getting into the business of evaluating what is and isn't abuse.
- we already have structures in place to handle evaluation of what constitutes acceptable or unacceptable behaviour. The international nature of the internet has strained this to the point where it often doesn't work.
- there's a consistent undercurrent of thought here of feeling that because other societal mechanisms for controlling abuse have not stopped abuse on the internet, that the RIPE NCC is obliged to act. This assumption needs to be questioned.
- almost all of the policy proposals in AAWG over the last several years have been aimed at using the RIPE number registry as a social behaviour enforcement mechanism. There are other ways of handling social behaviour issues, e.g. standards creation + compliance, community forums, etc, etc, etc.
- complex problems aren't amenable to simple fixes.
- the primary concern expressed by the people I've talked to in law enforcement is: "where should the warrant be served?"
- the RIPE NCC operates in a complex legal environment. There's a substantial risk that the types of proposals that are being pushed in AAWG would be found to be illegal and would open the organisation up to damages or prosecution if applied (e.g shutting down a company because they insisted on using a web form instead of SMTP for handling abuse reports). Alex de Joode's emails in the last round of discussion indicated some of the difficulties involved here.
Nothing in any of this invalidates the frustration that everyone has for continued problems relating to fraud and abuse.
Nick
Suresh Ramasubramanian wrote on 30/04/2020 14:07:
What would get discussed in an anti abuse wg?
Carrots? Almost all the discussion in AAWG seems to be single-tracked on turning the RIPE NCC registry into a stick. E.g. industry standards / best practices, liaison with other anti-abuse groups, community engagement, measurement, etc. Nick
I can think of at least a dozen other such groups where most of the discussion is actually operational and on those topics. The only reason I find it useful to be on this wg is to look at abuse issues specific to the ripe region --srs
Even if it's the only restaurant serving food in the region it can impose restrictions, as long as they are reasonable. And having a working abuse e-mail address seems very reasonable for any kind of organization working in the internet. There are many norms that are not laws, that still apply. Try to get on a plane misbehaving. Try to enter a government building misbehaving. We're having this discussion, because the "it will go away if we ignore it" approach, is just not working. Serge
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Suresh Ramasubramanian wrote on 30/04/2020 13:42:
RIPE NCC need not decide whether a behaviour is legal or not in order to prohibit use of resources that it allocates for such behaviour.
You're putting the car before the horse. You're assuming that the RIPE NCC has a right to tell organisations what they can or cannot do with their addresses. Why do you think they do? And under what circumstances? And if they did have this right, why would you think that this right wouldn't come with the obligation to enforce this, and to assume liability in the case where they couldn't enforce it? Serge is correct to state that rights always come with responsibilities - they're different sides of the same coin. This is what concerns me about the proposals that have been put in front of AAWG - there's very little acknowledgement on the part of the proposers that there would be substantial downstream consequences if they were adopted. Nick
Wearing a T-shirt, shorts and flip flops is perfectly legal and yet you can be refused entry into a fancy restaurant if you wear them.
Nobody gets to sue the restaurant for refusing admission by claiming that tshirts and flip flops are perfectly legal attire, and even nudity is legal in some parts of Europe (German topless and nude beaches say).
--srs
*>> You're assuming that the RIPE NCC has a right to tell organisations what they can or cannot do with their addresses.* It's not *their* addresses, it's RIPE's addresses, which they allocated. It's not *their* resources that are abused, it's the peer enabled relationship that carries their bull crap across networks. If they want to set up a computer in a field surrounded by cows, and it sends spam to itself or DDoS itself, that's fine. ----
Can NCC members decide to stop following ripe policies one day? Regards, Arash
Hi, On Fri, May 01, 2020 at 12:10:05AM +1000, Arash Naderpour wrote:
Can NCC members decide to stop following ripe policies one day?
No. They sign a contract that they will follow RIPE policies when signing up to be NCC members. Whether this has a solid legal basis if the policies should change to be incompatible with normal business operations, or would impose huge extra costs after the fact, is a question for the lawyers to sort out. Which is, sort of, the reason why people are trying to twist policy in a way that it can be used as a stick to beat RIPE member organizations if they do not behave in a way that corresponds with these people's idea of "not abusive", while no community has ever been able to come up with a conclusive decision on what considers "abuse"... Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi, On Wed, 29 Apr 2020, Nick Hilliard wrote:
Serge Droz via anti-abuse-wg wrote on 29/04/2020 16:55:
So, it's the security guys, saying
This may help a bit, but won't solve all problems.
+1 here.
versus the infrastructure operators saying
Beware! This it creating huge costs and will not help at all, and answering two mails a year will be our ruin.
The root problem is that the policy proposes to use the RIPE NCC to enforce abuse management processes.
The specifics in this iteration of the document are to threaten and then act to deregister an organisation's number resources - and thereby remove their ability to conduct business - if the organisation declines to handle abuse complaints over email.
If the "deregistration" could be placed outside of the picture (in a new version?), what's the next major hurdle then...? I mean, if "deregistration" is not possible when validation fails (continuously), there might still be positive outcomes (transparency...), if the price tag on the RIPE NCC is not that big. I don't see an impact analysis yet, but if it's affordable for other RIRs, maybe it will be also for the RIPE NCC -- who knows?
To be clear, it's a fundamental right in large chunks of the RIPE service region to conduct business. If the RIPE NCC acts to threaten to remove this ability to conduct business,
Very glad it's "business", not "abuse" :-)) Carlos
there would need to be sound legal justification for doing so.
Nick
Well if it's a fundamental right to do business, and someone can't do business because their network is subject to a DDoS or their communication medium (email) is spammed by someone from a network where the network operator "ignores" abuse emails, and has to spend money sorting through spam emails, then this policy promotes so called "business rights" ----
On 29.04.20 18:22, Nick Hilliard wrote:
To be clear, it's a fundamental right in large chunks of the RIPE service region to conduct business. If the RIPE NCC acts to threaten to remove this ability to conduct business, there would need to be sound legal justification for doing so.
Most rights come with legally required responsibilities. I don't see why this is different here. Best Serge -- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Michele, Ripe have many many expenses in the ~30M euros yearly expenses that are not related to the core goals of Ripe and can be avoided. To my opinion, this kind of anti-abuse system expense will be low and much more needed than many other expenses in the ~30M euros yearly expenses of Ripe. There will be an API for the system with an option for email notifications just like abuse complaints are received in email messages now, so there will be no overhead to your staff. Regarding the reporters - this overhead can protect from flood of automatic tools abuse complaints - if the reporter cannot fill a form and solve a captcha then the abuse complaint is not important enough to him. Regarding the little to no value that you wrote, through this system there will be no spam of abuse, no spam to the abuse publicly visible email address, there will be an API to LIR's internal systems for them to better track and to better handle abuse complaints, there will be tracking if abuse complaints were handled and public visibility of the percentage (of unhandled abuse complaints) of each LIR, in Ripe website. Respectfully, Elad ________________________________ From: Michele Neylon - Blacknight <michele@blacknight.com> Sent: Wednesday, April 29, 2020 6:50 PM To: Elad Cohen <elad@netstyle.io>; anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net>; Serge Droz <serge.droz@first.org> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") Elad I strongly oppose this concept. It's not up to RIPE to run this and we don't pay RIPE fees to have them waste resources on this kind of thing. It's an extra overhead for RIPE, for our staff and for reporters and it would bring little to no value. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. 
+353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845 From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Elad Cohen <elad@netstyle.io> Date: Wednesday 29 April 2020 at 12:18 To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>, Serge Droz <serge.droz@first.org> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") What is this ? "However, the community should report any situation to the RIPE NCC, which can provide (anonymous) periodical statistics to the community, which can take further decisions about that." Ripe members are informers? "divide and conquer" strategy ? Abuse email addresses (just like any other email address) are being spammed, not only by non-relevant spammers but also by automatic useless services that are installed at servers that don't take themselves any measure of proper configuration to avoid the automatic useless services. To my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIR's will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. 
(after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR) --- Besides the above, I also believe that we as a community should not accept complainers which are not taking the most basic configuration actions to protect their systems, and would consider these complaints as spam. In order for abuse complaints not to be abused. Respectfully, Elad ________________________________ From: anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg Sent: Wednesday, April 29, 2020 11:22 AM To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox") Hi All I think this is a good policy. We can always find use cases where it fails, but it will help in some cases. And if some one is not able to answer an e-mail every six months, there are probably underlying issues. Also the argument, that the bad guys flood the mailbox is not really acceptable. It just means you can't filter spam. The proposal does not check how the reports are used. But it helps us to enumerate organizations, that don't act, coming up with various excuses, along the lines the best problems are some one else's problems, so let's make it some one else's problem. The fact is: Most mature organizations are perfectly capable of handling such mail boxes, even if they have a high load. Coming from the incident response side, I'm tired of people constantly telling me, that issues are not their problem Best Serge On 28.04.20 16:01, Petrit Hasani wrote:
Dear colleagues,
A new version of RIPE policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now available for discussion.
This proposal aims to have the RIPE NCC validate "abuse-c:" information more often and introduces a new validation process.
Most of the text has been rewritten following the last round of discussion and the proposal is now at version 3.0. Some key points in this version:
- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to receive messages
- The validation should happen at least every six months
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-04
As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of the Anti-Abuse Working Group Chairs, will decide how to proceed with the proposal.
We encourage you to review this proposal and send your comments to <anti-abuse-wg@ripe.net> before 27 May 2020.
Kind regards, -- Petrit Hasani Policy Officer RIPE NCC
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
Elad You are entitled to your opinion however while what you describe might be attractive to you it is not attractive or anyway useful to companies such as ourselves. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com https://blacknight.blog / http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland Company No.: 370845
In message <DB7PR10MB2154B14808EEAB8E27A17FBFD6AD0@DB7PR10MB2154.EURPRD10.PROD.OUTLOOK.COM>, Elad Cohen <elad@netstyle.io> writes [of RIPE NCC operating a centralised abuse reporting system]
To my opinion, this kind of anti-abuse system expense will be low and much more needed than many other expenses in the ~30M euros yearly expenses of Ripe.
Since there is already an (to a large extent comparable) existing centralised system for handling abuse complaints it seems worthwhile to examine how well it actually works before suggesting that RIPE move into that business as well. Would you care to compare and contrast the effectiveness of the ICANN centralised system for handling some types of complaint relating to domain name usage with reporting directly to registries or registrars. Extra points for quantitative data. I've generally found the ICANN system to be useful only as a last resort and for it to be very slow and almost (albeit not entirely) useless.
Also ... you might usefully seek out data from some of the large hosting organisations that choose to centralise their abuse reporting functions rather than generating very large numbers of whois entries (sometimes down to a /32) in the hope of deflecting complaints away from themselves (and of course with the laudable aim of ensuring that the complaints actually go to the organisation that actually knows which of their IPs corresponds to which physical device and has root access...) ie: you should show some evidence from existing systems that they work and bring benefits. I don't think you can ... but I keep an open mind.
There will be an API for the system with an option for email notifications just like abuse complaints are received in email messages now, so there will be no overhead to your staff. Regarding the reporters - this overhead can protect from flood of automatic tools abuse complaints - if the reporter cannot fill a form and solve a captcha then the abuse complaint is not important enough to him.
I don't think you quite understand the scale at which many abuse detection systems identify activity which needs to be dealt with (and indeed will be dealt with in an extremely timely manner once a report has been made). Solving CAPTCHAs gets old very quickly.
Regarding the little to no value that you wrote, through this system there will be no spam of abuse, no spam to the abuse publicly visible email address, there will be an API to LIR's internal systems for them to better track and to better handle abuse complaints, there will be tracking if abuse complaints were handled and public visibility of the percentage (of unhandled abuse complaints) of each LIR, in Ripe website.
This paragraph makes me think that you have never been the receiver of email which has been generated as a result of filling in a web form... spam (and indeed abuse such as mail-bombing) is remarkably common. It is also extremely common for genuine reporters to fill in incorrect or incomplete information and making forms robust against this issue is extremely complex. viz: this type of system really does not work as well as you suggest. About the only plus to your idea is that it would generate a reliable source of stats -- otherwise, IMO, it has nothing to recommend it.
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Richard Clayton wrote:
There will be an API for the system with an option for email notifications just like abuse complaints are received in email messages now, so there will be no overhead to your staff. Regarding the reporters - this overhead can protect from flood of automatic tools abuse complaints - if the reporter cannot fill a form and solve a captcha then the abuse complaint is not important enough to him.
I don't think you quite understand the scale at which many abuse detection systems identify activity which needs to be dealt with (and indeed will be dealt with in an extremely timely manner once a report has been made).
Solving CAPTCHAs gets old very quickly.
Regarding the little to no value that you wrote, through this system there will be no spam of abuse, no spam to the abuse publicly visible email address, there will be an API to LIR's internal systems for them to better track and to better handle abuse complaints, there will be tracking if abuse complaints were handled and public visibility of the percentage (of unhandled abuse complaints) of each LIR, in Ripe website.
This paragraph makes me think that you have never been the receiver of email which has been generated as a result of filling in a web form... spam (and indeed abuse such as mail-bombing) is remarkably common.
CAPTCHAs are indeed the wrong tool for such a form. You would want instead some kind of authentication token for reporters (ok, maybe you can request a captcha if you are not logged in, but clicking on bicycles until the data-mining captcha provider is satisfied you are not a bot is not constructive at all). Such a form *could* work. One format in order to report to any LIR in RIPE. The receiver could process the structured data automatically and even take action without human intervention if the reporter reputation (or the combined reputation of everyone that did so) is high enough.
It is also extremely common for genuine reporters to fill in incorrect or incomplete information and making forms robust against this issue is extremely complex.
It would have to be properly structured with all the needed fields for every case, and its API would need to support the multiple use cases, and integrate with (or replace) the multiple ticketing tools used out there for abuse handling. Ironically, such tool would mean imposing a much bigger requirement on the members and the way they handled abuse than every abuse-mailbox proposal we have discussed on this list.
Regards
-- INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute https://www.incibe-cert.es/ PGP Keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
On 29/4/20 13:18, "anti-abuse-wg on behalf of Elad Cohen" <anti-abuse-wg-bounces@ripe.net on behalf of elad@netstyle.io> wrote:
What is this ? "However, the community should report any situation to the RIPE NCC, which can provide (anonymous) periodical statistics to the community, which can take further decisions about that." Ripe members are informers? "divide and conquer" strategy ?
[Jordi] I’ve explained the intent before. The reporting to the RIPE NCC (and all the other RIRs) of anything which may be relevant is not acting as “informer”, but collaboration in order to discover issues and improve. Can you suggest a better wording?
Abuse email addresses (just like any other email address) are being spammed, not only by non-relevant spammers but also by automatic useless services that are installed at servers that don't take themselves any measure of proper configuration to avoid the automatic useless services.
To my opinion, Ripe should create its own anti-abuse system, each LIR will have login access to it (LIR will be able to choose to receive notifications through sms / email) and to mark each abuse complaint as resolved or not (that system can also have an API so LIR's will be able to pull their abuse complaints), the main issue is that complaints to that system will not be able to be done automatically or by email - only manually by form filling with captcha. (after the LIR will mark an abuse complaint as resolved - the complainer will receive an email address also to confirm with him if issue is resolved or not, non-detailed statistics will be able to be displayed to the whole community - to see the percentage of how many manual complaints weren't handled by each LIR)
[Jordi] Maybe you could submit a proposal for that?
---
Besides the above, I also believe that we as a community should not accept complainers which are not taking the most basic configuration actions to protect their systems, and would consider these complaints as spam. In order for abuse complaints not to be abused.
[Jordi] I disagree here. It is like you tell a shop owner, you’re guilty because you didn’t take enough measures. Too many measures sometimes avoid getting real customers coming in.
Respectfully,
Elad
From: anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg
Sent: Wednesday, April 29, 2020 11:22 AM
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")
Hi All
I think this is a good policy. We can always find use cases where it fails, but it will help in some cases. And if someone is not able to answer an e-mail every six months, there are probably underlying issues. Also the argument, that the bad guys flood the mailbox is not really acceptable. It just means you can't filter spam. The proposal does not check how the reports are used. But it helps us to enumerate organizations, that don't act, coming up with various excuses, along the lines the best problems are someone else's problems, so let's make it someone else's problem.
The fact is: Most mature organizations are perfectly capable of handling such mailboxes, even if they have a high load. Coming from the incident response side, I'm tired of people constantly telling me, that issues are not their problem
Best
Serge
On 28.04.20 16:01, Petrit Hasani wrote:
Dear colleagues,
A new version of RIPE policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now available for discussion.
This proposal aims to have the RIPE NCC validate "abuse-c:" information more often and introduces a new validation process.
Most of the text has been rewritten following the last round of discussion and the proposal is now at version 3.0. Some key points in this version:
- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to receive messages
- The validation should happen at least every six months
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-04
As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of the Anti-Abuse Working Group Chairs, will decide how to proceed with the proposal.
We encourage you to review this proposal and send your comments to <anti-abuse-wg@ripe.net> before 27 May 2020.
Kind regards, -- Petrit Hasani Policy Officer RIPE NCC
-- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org
participants (8)
- Alistair Mackenzie
- Arash Naderpour
- Brian Nisbet
- Carlos Friaças
- Elad Cohen
- Gert Doering
- Hans-Martin Mosner
- JORDI PALET MARTINEZ
- Michele Neylon - Blacknight
- Nick Hilliard
- No No
- Richard Clayton
- Sascha Luck [ml]
- Serge Droz
- Sergey Myasoedov
- Shane Kerr
- Suresh Ramasubramanian
- Sérgio Rocha
- Ángel González Berdasco