New on RIPE Labs: How We Will Be Validating abuse-c
Dear colleagues,
At the RIPE NCC we’re busy working out a process so we can start validating approximately 70,000 abuse contact email addresses in the RIPE Database. Read on RIPE Labs how we will approach this:
https://labs.ripe.net/Members/angela_dallara/how-we-will-be-validating-abuse...
Kind regards,
Mirjam Kühne
RIPE NCC
In message <405d6ae2-ca13-57d4-4c8d-09e1166cec3d@ripe.net>, Mirjam Kuehne <mir@ripe.net> wrote:
At the RIPE NCC we’re busy working out a process so we can start validating approximately 70,000 abuse contact email addresses in the RIPE Database. Read on RIPE Labs how we will approach this:
https://labs.ripe.net/Members/angela_dallara/how-we-will-be-validating-abuse...
I am not persuaded that the following two bullet points, taken together, make any real sense:
* Legacy resources are not within the scope of the policy. We will not be validating the abuse contacts for these resources.
* This process is about fixing invalid information -- we're not looking to apply sanctions or close down members.
Given that there is, explicitly, no element of sanctions/punishment intended here, why on earth would you build and deploy an entire set of mechanisms to perform abuse-c validation, and then intentionally avoid using these new tools for some subset of all resource holders, even though they could clearly produce benefits in all cases?
Another question... The above document says the following:
THE PROCESS
... We will start with a verification tool which checks that there are no formatting errors in the email address, verifies DNS entries, looks for bogus or honeypot emails, and uses ping to check that the mailbox exists and can accept mail. This tool does not send any emails and won't require any action on the part of the abuse contact.
If you would be so kind, could you please flesh out your notion of the intended meaning of the word "ping" in this context?
Because your intent is to follow through and actually send email messages, after these initial and preliminary checks, perhaps I am just picking at nits here, but I would suggest that "ping" in the context might best be defined as a process, using SMTP, that actually checks all relevant MXes (in priority order, of course) to see if they will accept (or at least not permanently reject) a partial SMTP transaction where the RCPT TO is the address of the intended recipient, but where no DATA command is issued.
I have just one last point. The above document also says:
An initial test with the validation tool suggests that around 20-25% of resource holders may need to validate or update their abuse contacts.
Some may not see it that way, but in my opinion that is certainly an encouraging preliminary result. I would have guessed something more on the order of 50% of all abuse-c contacts would have issues. I suspect however that the figure of 20-25% may rise significantly if this process is applied universally, as it should be, to all resource holders.
Regards,
rfg
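The partial SMTP transaction suggested in the message above, sketched in Python as an added example; it is not part of the thread and is not the RIPE NCC's tool. It goes slightly beyond the text by fixing a stop rule (a 2xx or 5xx reply to RCPT TO is final, a 4xx reply or an unreachable host moves on to the next MX). The MX list is assumed to be resolved elsewhere and passed in as (preference, host) pairs; FakeSMTP, the example.* hosts, the HELO name and the probe sender are constructed so the block runs offline.

```python
import smtplib

ACCEPT, TEMPFAIL, REJECT = "accept", "tempfail", "reject"

def probe_mx(host, rcpt, helo_name, mail_from, connect=smtplib.SMTP):
    """EHLO, MAIL FROM, RCPT TO, QUIT. DATA is never issued, so nothing is sent."""
    try:
        session = connect(host, 25, timeout=15)
    except OSError:  # refused, timed out, or no 220 greeting
        return TEMPFAIL, 0
    try:
        code, _ = session.ehlo(helo_name)
        if code >= 400:  # no ESMTP support: fall back to HELO
            code, _ = session.helo(helo_name)
        if code < 400:
            code, _ = session.mail(mail_from)
        if code >= 400:  # refused before RCPT TO: says nothing about rcpt
            return TEMPFAIL, code
        code, _ = session.rcpt(rcpt)
        if 200 <= code < 300:
            return ACCEPT, code
        return (REJECT if code >= 500 else TEMPFAIL), code
    except OSError:  # connection dropped mid-dialogue
        return TEMPFAIL, 0
    finally:
        try:
            session.quit()  # leave with the mail transaction unfinished
        except OSError:
            session.close()

def check_address(rcpt, mx_records, helo_name, mail_from, connect=smtplib.SMTP):
    """Try each MX in preference order (lowest first).

    A 2xx or 5xx reply to RCPT TO is final; a 4xx reply or an unreachable
    host is inconclusive, so the next MX is tried. Returns (verdict, trail).
    """
    trail, verdict = [], TEMPFAIL  # TEMPFAIL also covers an empty MX list
    for _pref, host in sorted(mx_records):
        verdict, code = probe_mx(host, rcpt, helo_name, mail_from, connect)
        trail.append((host, verdict, code))
        if verdict in (ACCEPT, REJECT):
            break
    return verdict, trail

class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    # Constructed RCPT TO reply per host; unlisted hosts refuse the connection.
    RCPT_REPLY = {"mx1.example.net": 451, "mx2.example.net": 250,
                  "mx.example.org": 550}

    def __init__(self, host, port, timeout=None):
        if host not in self.RCPT_REPLY:
            raise ConnectionRefusedError(host)
        self.host = host

    def ehlo(self, name):
        return 250, b"ok"
    helo = mail = ehlo  # every command before RCPT TO is accepted

    def rcpt(self, recip):
        return self.RCPT_REPLY[self.host], b""

    def quit(self):
        return 221, b"bye"
    close = quit

def demo():
    """Constructed sample data: three abuse-c style addresses with MX sets."""
    samples = {
        "abuse@example.net": [(20, "mx2.example.net"), (10, "mx1.example.net")],
        "abuse@example.org": [(10, "mx.example.org")],
        "abuse@example.com": [(10, "down.example.com")],
    }
    return {addr: check_address(addr, mx, "validator.example",
                                "probe@validator.example", FakeSMTP)
            for addr, mx in samples.items()}

if __name__ == "__main__":
    for addr, (verdict, trail) in demo().items():
        print(addr, verdict, trail)
```

A 2xx reply to RCPT TO shows only that the server did not refuse the recipient at that stage: catch-all domains and servers that defer rejection until after DATA also answer 2xx.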
Ronald,
To address one point; Legacy resources are excluded because that is the way that RIPE Policy works. It was not a choice of the NCC, rather it is a consequence of history and not something easily changed.
I should note there will also be a short presentation from the NCC about this work at our meeting next week.
Brian
Co-Chair, RIPE AAWG
Brian Nisbet
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
To also add:
To ping an email address:
Ping, in the EU/UK, is new/modern vernacular and means: To test the reachability of an email address. It will involve speaking smtp to the MX and verify that the MX will receive email for example@example.com
It is also probably derived from the old network utility that was used to test the reachability of an IP number in the old days.
I assume Ronald's objection to the term means that it does not mean that in the US, so I then only comment that the present version is just fine as it applies to RIPE...
2c
Andre
On Thu, 11 Oct 2018 08:00:28 +0000 Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Ronald,
To address one point; Legacy resources are excluded because that is the way that RIPE Policy works. It was not a choice of the NCC, rather it is a consequence of history and not something easily changed.
I should note there will also be a short presentation from the NCC about this work at our meeting next week.
On Thu, 11 Oct 2018, Brian Nisbet wrote:
Ronald,
To address one point; Legacy resources are excluded because that is the way that RIPE Policy works. It was not a choice of the NCC, rather it is a consequence of history and not something easily changed.
Indeed. Not the NCC's choice nor the RIPE community's.
But perhaps it could be beneficial if the legacy resource owners/holders abide to providing a valid abuse contact when entering a contractual agreement either with the NCC or a LIR, in order to get services like rDNS, or Certification (RPKI) -- i.e. this issue may also fall under the services-wg.
As a legacy resource holder (too), I don't really see any inconvenience in extending this to legacy resource space covered by contracts.
Regards,
Carlos
Dear Ronald,
Thank you for your questions. Brian has already clarified the point about legacy resources.
Regarding the automated validation process - we're still working out the details, but according to our current planning it will be very similar to your suggestion.
Kind regards
Angela Dall'Ara
IP Resource Analyst
RIPE NCC
On 11/10/2018 10:11, ac wrote:
To also add:
To ping an email address:
Ping, in the EU/UK, is new/modern vernacular and means : To test the reachability of an email address. It will involve speaking smtp to the MX and verify that the MX will receive email for example@example.com
It is also probably derived from the old network utility that was used to test the reachability of an IP number in the old days.
I assume Ronald's objection to the term means that it does not mean that in the US, so I then only comment that the present version is just fine as it applies to RIPE...
2c
Andre
In message <DB5PR06MB1590D86126B81C0E1845FB3B94E10@DB5PR06MB1590.eurprd06.prod.outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
To address one point; Legacy resources are excluded because that is the way that RIPE Policy works.
That's rather like saying that the reason we have hurricanes is because God works in mysterious ways.
Maybe you should elaborate and explain. I would appreciate it if you did.
I'm sure that will be enlightening and educational, at least for me, as I'm still not even sure that I fully grasp or understand the concept of "legacy" resources within the RIPE region. (Up till now I had always been told that "legacy" resources only existed as such within the ARIN region.)
Regards,
rfg
Hi,
On Thu, 11 Oct 2018, Ronald F. Guilmette wrote:
In message <DB5PR06MB1590D86126B81C0E1845FB3B94E10@DB5PR06MB1590.eurprd06.prod.outlook.com>, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
To address one point; Legacy resources are excluded because that is the way that RIPE Policy works.
That's rather like saying that the reason we have hurricanes is because God works in mysterious ways.
RIPE policies tend NOT to apply to address space issued *before* the RIPE NCC was created.
Maybe you should elaborate and explain. I would appreciate it if you did.
I'm sure that will be enlightening and educational, at least for me, as I'm still not even sure that I fully grasp or understand the concept of "legacy" resources within the RIPE region. (Up till now I had always been told that "legacy" resources only existed as such within the ARIN region.)
It emerged from the ARIN region, yes. But in the "pre-RIR era" Jon Postel and others handing out IPv4 address space also distributed to orgs outside the (current) ARIN service region.
Some years ago, the RIRs agreed on a process to "transfer" those records from the ARIN database to the other RIRs' databases, depending on where the resource holder was based. Some of those transferred records are maintained in the "destination databases", but part of them are simply frozen...
I'm aware about this because we also have some legacy space, and I also helped some of our Universities to recover control over their legacy space objects.
Regards,
Carlos
Regards, rfg
Dear Ronald,
Please allow me to provide some clarification.
On 2018-10-11 21:17:03 CET, Ronald F. Guilmette wrote:
Maybe you should elaborate and explain. I would appreciate it if you did.
I'm sure that will be enlightening and educational, at least for me, as I'm still not even sure that I fully grasp or understand the concept of "legacy" resources within the RIPE region. (Up till now I had always been told that "legacy" resources only existed as such within the ARIN region.)
The RIPE Policy "RIPE NCC Services to Legacy Internet Resource Holders" states in its scope:
"[...] Any existing or future RIPE policy referring to resources shall not apply to legacy resources unless the policy explicitly includes legacy resources in its scope. [...]"
https://www.ripe.net/publications/docs/ripe-639#1-2-scope
The RIPE Policy "Abuse Contact Management in the RIPE Database" does not fulfil this requirement.
It would require a successful policy proposal to change that. In 2016 such a proposal was made, but the proposer decided to withdraw the proposal due to the inability to find an acceptable agreement which satisfied all parties.
https://www.ripe.net/participate/policies/proposals/2016-01
I hope this clarifies.
Kind regards,
Marco Schmidt
Policy Officer
RIPE NCC
Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
In message <E1gArD9-0007Bj-FW@www-apps-1.ripe.net>, Marco Schmidt <mschmidt@ripe.net> wrote:
Please allow me to provide some clarification.
...
The RIPE Policy "RIPE NCC Services to Legacy Internet Resource Holders" states in its scope:
"[...] Any existing or future RIPE policy referring to resources shall not apply to legacy resources unless the policy explicitly includes legacy resources in its scope. [...]"
https://www.ripe.net/publications/docs/ripe-639#1-2-scope
The RIPE Policy "Abuse Contact Management in the RIPE Database" does not fulfil this requirement.
It would require a successful policy proposal to change that. In 2016 such proposal was made, but the proposer decided to withdraw the proposal due to the inability to find an acceptable agreement which satisfied all parties.
That's sooooo dumb.
I hope this clarifies.
It does and I thank you for the clarification.
Regards,
rfg
On Wed, Oct 10, 2018 at 01:21:44PM +0200, Mirjam Kuehne wrote:
https://labs.ripe.net/Members/angela_dallara/how-we-will-be-validating-abuse...
thanks for designing and sharing this sensible approach. Please allow a few questions (maybe for the WG presentation):
o "We will start with a verification tool which checks that there are no formatting errors in the email address, verifies DNS entries, looks for bogus or honeypot emails ...
Could you elaborate a bit on the latter two?
o "An initial test with the validation tool suggests that around 20-25% of resource holders may need to validate or update their abuse contacts."
Understanding that the sentence says "initial test", but mentions "resource holders", is this 20-25% of the 70.000 addresses?
Thanks,
Peter
Maximize success in SMS marketing can be achieved using the necessary applications and software. Personally, I would recommend this service https://testelium.com/ Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Please convert this spammer to an ex-user
On Monday 03 December 2018 09.28, Walter Marshall via anti-abuse-wg wrote:
Maximize success in SMS marketing can be achieved using the necessary applications and software. Personally, I would recommend this service https://testelium.com/
Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )
participants (10)
- ac
- Angela Dall'Ara
- Brian Nisbet
- Carlos Friaças
- Marco Schmidt
- Mirjam Kuehne
- peter h
- Peter Koch
- Ronald F. Guilmette
- Walter Marshall