working in new version of 2019-04 (Validation of "abuse-mailbox")
Hi all,
I'm working in a new version of the proposal 2019-04 (Validation of "abuse-mailbox").
In the last discussion phase, the only detailed response to this proposal that I got was from Carlos Friacas (which I will respond in detail later-on, as this may also help to revive the discussion).
The main question/issue here is still that the actual policy is just a "technical validation". It confirms that there is a mailbox but it doesn't confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the abuse reports, or even worse, not full
Anything not fulfilling that is useless (as will not fulfil the mission for that mailbox), and then we don't need an abuse-c at all.
Even more, I think we can say that an invalid contact, it is against the role of the RIR for having accurate data.
It will be interesting if the staff can provide actual data from the existing policy (ripe-705), such as:
1) Has the validation already been performed in all the contacts or only a % of the LIRs and end-users?
2) How many have failed in the first run?
3) After that failure (for those that failed), have the contacts been updated, or only a % of them? Has this helped to locate "not anymore existing LIRs or end-users"? How much time, average, takes for the invalid contacts to be corrected? Have they been validated again after some months?
4) How many (%) of those that didn't fail we know that are real abuse-c contacts and not just an existing mailbox that may be not from the right person/team, or even bouncing emails or nobody reading them?
I'm happy to hear other inputs, stats, data, etc.
Regards, Jordi @jordipalet
********************************************** IPv4 is over Are you ready for the new Internet ?
http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Hi Jordi, all, On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg < anti-abuse-wg@ripe.net> wrote:
Hi all,
I'm working in a new version of the proposal 2019-04 (Validation of "abuse-mailbox").
In the last discussion phase, the only detailed response to this proposal that I got was from Carlos Friacas (which I will respond in detail later-on, as this may also help to revive the discussion).
The main question/issue here is still that the actual policy is just a "technical validation". It confirms that there is a mailbox but it doesn't confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the abuse reports, or even worse, not full
Anything not fulfilling that is useless (as will not fulfil the mission for that mailbox), and then we don't need an abuse-c at all.
Can you please clarify what you mean by "fulfil the mission for that mailbox" and the "intended purpose" you mention in section 3.1 of the new text? The reason I ask is that the purpose does not seem to be defined in an earlier section.
My reading of what you have written is that if this became policy it would require that reports can be made and that these reports must be acknowledged. But it seems that there would be no obligation for reports to be investigated or acted upon.
Have I misunderstood what is intended?
Thanks, Leo Vegoda
Hi Leo,
On 13/1/20 18:16, "Leo Vegoda" <leo@vegoda.org> wrote:
> Hi Jordi, all,
> On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>> Hi all,
>> I'm working in a new version of the proposal 2019-04 (Validation of "abuse-mailbox").
>> In the last discussion phase, the only detailed response to this proposal that I got was from Carlos Friacas (which I will respond in detail later-on, as this may also help to revive the discussion).
>> The main question/issue here is still that the actual policy is just a "technical validation". It confirms that there is a mailbox but it doesn't confirm that: 1) Accept emails for abuse reporting 2) The mailbox is the right one and not from someone else, not related to the abuse processing 3) The mailbox is attended and not a black-hole, so nobody pays attention to the abuse reports, or even worse, not full
>> Anything not fulfilling that is useless (as will not fulfil the mission for that mailbox), and then we don't need an abuse-c at all.
> Can you please clarify what you mean by "fulfil the mission for that mailbox" and the "intended purpose" you mention in section 3.1 of the new text?
I was referring to the goal of the abuse-c (even without this policy proposal). Why do we want it if it is not a real one, able to get abuse reports, and so on?
> The reason I ask is that the purpose does not seem to be defined in an earlier section. My reading of what you have written is that if this became policy it would require that reports can be made and that these reports must be acknowledged. But it seems that there would be no obligation for reports to be investigated or acted upon.
I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus …
> Have I misunderstood what is intended?
> Thanks, Leo Vegoda
On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote: [...]
I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus …
I don't understand the value of requiring organizations who do not intend to investigate abuse reports to spend resources publishing an address from which they can acknowledge the reports - only to then delete those reports without doing anything.
It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
Why not give networks two options?
1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does not act on abuse reports
This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
In message <CAPfiqja6fi8FzCUrgEoeaRbv-dGyKp2n7yRQTdXVoYgrc4rhFw@mail.gmail.com>, Leo Vegoda <leo@vegoda.org> wrote:
I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus
I don't understand the value of requiring organizations who do not intend to investigate abuse reports to spend resources publishing an address from which they can acknowledge the reports - only to then delete those reports without doing anything.
It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
Why not give networks two options?
1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does not act on abuse reports
This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
Leo Vegoda has made a lot of very good points, and there is a lot to unpack on this whole topic. Unfortunately, I don't think that I personally have enough time to unpack it all myself today. But I cannot avoid offering a few observations.
It certainly appears to me to be the case that few want RIPE NCC to enter into the role of investigator, let alone judge, except when it comes to the allocation of resources. As I have been informed, time and time again, matters of network abuse are out of scope for the organization, and this is not at all likely to change.
Nonetheless, and regardless, ever since the day that RIPE NCC first published an abuse reporting address in the data base, it has, in effect, injected itself, even if only to a minimal degree, into the relationship between a network abuse victim and the relevant resource holders that have clear connections to the abuse source, i.e. the IP block registrant and the relevant AS registrant.
It is a bit late in the day now to undo this. Abuse reporting addresses have been published, and abuse victims now have a reasonable expectation that using any one of them will have some finite and non-zero effect. Whenever that is not the case, the relevant abuse victim may reasonably ask "Why did you, RIPE NCC, publish this abuse reporting email address when sending to it was clearly an utter waste of my time?"
This is false advertising on the face of it. You cannot stand in the town square with a large sign that says "Free money!" and then not deliver. Even if it is not illegal per se, it is exceptionally rude and anti-social, and responsible adults should not go into the town square with such signs if they cannot or will not deliver.
On the other hand, resource holders in the RIPE region, and also, quite certainly, elsewhere continue to cling with almost religious fervor to what they claim to be their God-given rights to be irresponsible. They are not by any means alone, and are simply the Internet versions of gun manufacturers and coal companies. The planet is awash in both corporate entities and individuals that will defend to the death their "rights" to be irresponsible. This will not change anytime soon, and the attitude among many network operators, both in the RIPE region and elsewhere, can perhaps best be summed up by paraphrasing a famous pronouncement made years ago by the former head of the National Rifle Association (NRA) here in the U.S. "You can have my social irresponsibility when you pry it from my cold dead hands!"
It has been shown, repeatedly, that it is utterly futile to try to engage any of the folks holding this general point of view, or to try to reason with them and explain that in the long run, their enterprises and the public reputations of those enterprises will be materially harmed by their unwillingness to give a damn. An old adage is appropriate here -- "You can lead a horse to water, but you can't make him drink." It is empirically demonstrable that a nearly religious fervor, borne, I'm sure, of the demented ideology of Ayn Rand, when coupled with a determined and short-sighted self interest, cannot be undone by words alone.
Thus we have an arguably untenable situation. RIPE NCC has irreversibly injected itself into the expectations of millions of network abuse victims worldwide, even as it has less than zero authority to actually do anything truly meaningful with respect to their issues. And this impasse is made even more blatantly intractable by the adamant insistence of some network operators that they have a divine right to be irresponsible if they so choose.
Where then lies a solution for this thorny dilemma?
Despite the seemingly intractable nature of this apparent conflict, the internet itself is already rife with solutions to exactly such problems. My hope is that it will not have escaped the attention of anyone here that eBay long ago developed and fielded a kind of social responsibility index for both buyers and sellers on that platform. This is represented as a running "feedback" score for each of eBay's now innumerable market participants. It isn't perfect, but in practice it works surprisingly well. Bad actors on the platform are identified early and often, and sellers with poor feedback ratings are studiously avoided by astute buyers. Furthermore, all this occurs with surprisingly little manual intervention on the part of eBay staff.
RIPE NCC, having already permanently and irrevocably inserted itself into the relationship between network abuse consumers and network abuse producers is obligated now, in my opinion, to do at least -something- to qualify its implicit recommendations regarding abuse reporting addresses. To fail to do so would represent, as I have said, false advertising, if not in letter then at least in spirit.
Now we are engaged in a debate which asks how far RIPE NCC should go in order to try to insure that the abuse reporting addresses it is publishing, and that it has been publishing for some time now, actually have any practical value in specific individual cases. I would submit that a proper assessment of this is neither amenable to automation nor would the results of any such assessment continue to be valid over time.
If I am correct that there exists no universally applicable means to automate such assessments, then the answer is clear. Humans and not machines must provide the assessments. The humans in question can either be RIPE NCC staff... assuming that RIPE NCC is given a budget and mandate several times as large as what it currently enjoys on an annual basis... or it can be the vast hordes of Internet users themselves who feel motivated to take the time to raise an objection to a case of network abuse.
The choice here is a no-brainer. I doubt that there exists on the entire continent of Europe a sufficient number of qualified technical people, as would be needed for RIPE NCC to conduct detailed assessments of its some 25,000 direct customers and their ability and willingness to handle network abuse reports in anything approaching a responsible manner. In contrast, the combined wisdom of what amounts to a crowd-sourced opinion bank would cost very little to implement, would require only modest and rare manual interventions, and would likely provide useful ratings, not easily subject to gaming strategies, and ones that might even be more accurate than whatever NCC could manage on its own, even if it were given budget for an additional 1,000 talented professionals to perform resource holder abuse handling assessments as their one and only assigned task.
Free market Milton Friedman acolytes should, I think, find this idea irresistible. "Let the free market decide."
Network abuse and the responses to it are unambiguously social problems. The best, most efficient, and fairest solution to most social problems, I'm convinced, has been known since the time of Gutenberg. We need only avail ourselves of the tools at hand, collect information into a single unified and convenient repository, and then publish, in order to shine a light on all of the relevant information which is currently hidden from general view due to being dispersed and disorganized.
RIPE NCC could do this, and the Internet would be better for it.
Regards, rfg
Hi, On Mon, Jan 13, 2020 at 03:11:23PM -0800, Leo Vegoda wrote:
On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
[...]
I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus …
I don't understand the value of requiring organizations who do not intend to investigate abuse reports to spend resources publishing an address from which they can acknowledge the reports - only to then delete those reports without doing anything.
It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
This.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Leo
On 14/1/20 0:11, "Leo Vegoda" <leo@vegoda.org> wrote:
> On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> [...]
>> I will love to have in the policy that they must be investigated and acted upon, but what I heard from the inputs in previous versions is that having that in policy is too much and no way to reach consensus …
> I don't understand the value of requiring organizations who do not intend to investigate abuse reports to spend resources publishing an address from which they can acknowledge the reports - only to then delete those reports without doing anything.
This is not handled by this proposal. The existing policy already mandates that: https://www.ripe.net/participate/policies/proposals/2017-02
> It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
> Why not give networks two options?
> 1. Publish a reliable method for people to submit abuse reports - and act on it
> 2. Publish a statement to the effect that the network operator does not act on abuse reports
> This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
Even if I think that the operators MUST process abuse cases, if the community thinks otherwise, I'm happy to support those two options in the proposal. For example, an autoresponder in the abuse-c mailbox for those that don't intend to process the abuse cases to option 2 above?
> There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
No, I don't think so, but I'm happy to modify the text if it looks like that.
Hi, a few points:
> The “abuse-mailbox:” attribute must be available in an unrestricted way via whois, APIs and future techniques.
I'd explicitly mention RDAP here. It's not a future technique any more.
> Confirm that the resource holder understands the procedure and the policy, that they regularly monitor the abuse-mailbox, that measures are taken, and that abuse reports receive a response.
I'd skip the last line. In my automated abuse reports I add a header field like "X-Auto-Response-Suppress: DR, OOF, AutoReply". Yet, many abuse teams send automatic notifications that I have to skim, possibly hiding real replies that need attention. Responses are due only if needed.
Furthermore, couldn't the RIPE NCC have a web form, possibly advertised in RDAP output, where receivers of NDNs from abuse-c contacts can notify that a given mailbox bounces? The effect of filling such form would be to advance the mailbox position in the validation queue.
Finally, IMHO:
On Tue 14/Jan/2020 10:24:42 +0100 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
On 14/1/20 0:11, "Leo Vegoda" <leo@vegoda.org> wrote:
It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
Why not give networks two options?
1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does not act on abuse reports
This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
Even if I think that the operators MUST process abuse cases, if the community thinks otherwise, I'm happy to support those two options in the proposal. For example, an autoresponder in the abuse-c mailbox for those that don't intend to process the abuse cases to option 2 above?
No, autoresponders waste even more resources. In case, let's use a conventional address like, say, noone@localhost to decline to receive abuse reports. There would be no attempt to validate such address.
There are a number of cases, especially in large organizations, where a mailbox fails to work because email refurbishing resulted in mail loops, erroneous forwarding, dead relays, and the like. Having an alternative contact can bring attention to the fact and reestablish the functionality.
There are cases where there is no abuse team and holders don't care. Sooner or later the community will find out how to set up some kind of Don't Route Or Peer list of those. However, forcing them to have a "working" abuse-c is nonsensical.
Best
Ale
There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
No, I don't think so, but I'm happy to modify the text if it looks like that.
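Added example, not part of any message in this thread: a Python illustration of the workflow Alessandro describes, setting `X-Auto-Response-Suppress` on an outgoing abuse report and sorting the replies into bounces (NDNs), automatic responses and human replies. All addresses and sample replies are constructed, and the `Precedence` / `X-Autoreply` checks are heuristic assumptions; `Auto-Submitted` follows RFC 3834.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Value quoted in the thread; a Microsoft Exchange convention that other
# mail systems may ignore, which is why replies still need triage.
SUPPRESS_VALUE = "DR, OOF, AutoReply"


def build_report(sender, abuse_mailbox, source_ip, log_excerpt):
    """Compose an abuse report that asks receivers not to auto-respond."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = abuse_mailbox
    msg["Subject"] = f"Abuse report for {source_ip}"
    msg["X-Auto-Response-Suppress"] = SUPPRESS_VALUE
    # RFC 3834: declare the report itself as machine generated.
    msg["Auto-Submitted"] = "auto-generated"
    msg.set_content(log_excerpt)
    return msg


def _classify(msg):
    # Non-delivery notifications are multipart/report DSNs (RFC 3464).
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return "bounce"
    # RFC 3834: any Auto-Submitted value other than "no" is automatic.
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return "auto"
    # Assumption: non-standard markers that some autoresponders set.
    precedence = str(msg.get("Precedence", "")).strip().lower()
    if precedence in {"bulk", "junk", "auto_reply"} or msg.get("X-Autoreply"):
        return "auto"
    return "human"


def classify_reply(raw):
    """Return 'bounce', 'auto' or 'human' for one raw RFC 5322 message."""
    return _classify(message_from_string(raw, policy=policy.default))


def triage(raw_replies):
    """Group reply senders so that human answers are not buried."""
    buckets = {"bounce": [], "auto": [], "human": []}
    for raw in raw_replies:
        msg = message_from_string(raw, policy=policy.default)
        buckets[_classify(msg)].append(str(msg.get("From", "")))
    return buckets


# Constructed sample replies (not real traffic).
AUTO_ACK = """\
From: abuse@isp-a.example
Subject: [Ticket#1001] Your report was received
Auto-Submitted: auto-replied

This is an automatic acknowledgement.
"""

BOUNCE = """\
From: MAILER-DAEMON@mx.isp-b.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Mailbox unavailable.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.isp-b.example

Final-Recipient: rfc822; abuse@isp-b.example
Action: failed
Status: 5.1.1
--b1--
"""

HUMAN = """\
From: noc@isp-c.example
Subject: Re: Abuse report for 192.0.2.10

Customer notified and port blocked.
"""

OUT_OF_OFFICE = """\
From: abuse@isp-d.example
Subject: Out of office
Precedence: bulk

Back on Monday.
"""

SAMPLE_REPLIES = [AUTO_ACK, BOUNCE, HUMAN, OUT_OF_OFFICE]

if __name__ == "__main__":
    for kind, senders in triage(SAMPLE_REPLIES).items():
        print(kind, senders)
```

The `bounce` bucket is the set of abuse-c mailboxes that returned an NDN, which is the information the proposed web form would collect.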
Hi Alessandro,
On 17/1/20 10:24, "anti-abuse-wg on behalf of Alessandro Vesely" <anti-abuse-wg-bounces@ripe.net on behalf of vesely@tana.it> wrote:
> Hi, a few points:
>> The “abuse-mailbox:” attribute must be available in an unrestricted way via whois, APIs and future techniques.
> I'd explicitly mention RDAP here. It's not a future technique any more.
You're right, we can explicitly mention RDAP.
>> Confirm that the resource holder understands the procedure and the policy, that they regularly monitor the abuse-mailbox, that measures are taken, and that abuse reports receive a response.
> I'd skip the last line. In my automated abuse reports I add a header field like "X-Auto-Response-Suppress: DR, OOF, AutoReply". Yet, many abuse teams send automatic notifications that I have to skim, possibly hiding real replies that need attention. Responses are due only if needed.
> Furthermore, couldn't the RIPE NCC have a web form, possibly advertised in RDAP output, where receivers of NDNs from abuse-c contacts can notify that a given mailbox bounces? The effect of filling such form would be to advance the mailbox position in the validation queue.
> Finally, IMHO:
> On Tue 14/Jan/2020 10:24:42 +0100 JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>> On 14/1/20 0:11, "Leo Vegoda" <leo@vegoda.org> wrote:
>>> It creates hope for reporters and wastes the RIPE NCC's and the reporters' resources by forcing unwilling organizations to spend cycles on unproductive activity.
>>> Why not give networks two options?
>>> 1. Publish a reliable method for people to submit abuse reports - and act on it
>>> 2. Publish a statement to the effect that the network operator does not act on abuse reports
>>> This would save lots of wasted effort and give everyone more reliable information about the proportion of networks/operators who will and won't act on abuse reports.
>> Even if I think that the operators MUST process abuse cases, if the community thinks otherwise, I'm happy to support those two options in the proposal. For example, an autoresponder in the abuse-c mailbox for those that don't intend to process the abuse cases to option 2 above?
> No, autoresponders waste even more resources. In case, let's use a conventional address like, say, noone@localhost to decline to receive abuse reports. There would be no attempt to validate such address.
> There are a number of cases, especially in large organizations, where a mailbox fails to work because email refurbishing resulted in mail loops, erroneous forwarding, dead relays, and the like. Having an alternative contact can bring attention to the fact and reestablish the functionality.
> There are cases where there is no abuse team and holders don't care. Sooner or later the community will find out how to set up some kind of Don't Route Or Peer list of those. However, forcing them to have a "working" abuse-c is nonsensical.
> Best
> Ale
>>> There might be some value in having the RIPE NCC cooperate with networks who want help checking that their abuse-c is working. But this proposal seems to move the RIPE NCC from the role of a helpful coordinator towards that of an investigator and judge.
>> No, I don't think so, but I'm happy to modify the text if it looks like that.
well, not exactly as i see it.
abuse-c: is the op's way of saying "please send any abuse related information here." it is not a legal or social contract to act on it (and i suspect that next year the wannabe net police will want to enumerate exactly *how* they must act in 93 different circumstances), read it, reply to it, ...
dunno about spain, but most jurisdictions i know say post is delivered to my post box, but not what i must do with it.
randy
Hi Randy,
As I just said, ideally we should ask for abuse-c reports to be processed, but I know many folks don't like it. But at least, we need to make sure that if you have an abuse-c, it is a "real" and "working" one so you're able to actually send the reports there. If ignored, that's another problem.
I don't know if in Spain the law says that you must have a post box, or if you are violating the law if it is full and the extra post that you get is going to make the street dirty (in this case you're violating a different law).
I'm not asking to go there. I'm asking to have a functional mailbox, not how you operate your abuse cases.
On 13/1/20 18:53, "anti-abuse-wg on behalf of Randy Bush" <anti-abuse-wg-bounces@ripe.net on behalf of randy@psg.com> wrote:
> well, not exactly as i see it.
> abuse-c: is the op's way of saying "please send any abuse related information here." it is not a legal or social contract to act on it (and i suspect that next year the wannabe net police will want to enumerate exactly *how* they must act in 93 different circumstances), read it, reply to it, ...
> dunno about spain, but most jurisdictions i know say post is delivered to my post box, but not what i must do with it.
> randy
In message <6AFC7D17-BAC4-464C-8AF8-2AD852D39B29@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
> I'm happy to hear other inputs, stats, data, etc.
Having only just read the proposal, my comments are few:

I do not understand parts of this, specifically:

Section 2.0 bullet point #2. What's wrong with web forms?

Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.

Regards,
rfg
Hi Ronald,

On 13/1/20 22:34, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:

> In message <6AFC7D17-BAC4-464C-8AF8-2AD852D39B29@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
>
> > I'm happy to hear other inputs, stats, data, etc.
>
> Having only just read the proposal, my comments are few:
>
> I do not understand parts of this, specifically:
>
> Section 2.0 bullet point #2. What's wrong with web forms?

If I need to use a web form, which is not standard, for every abuse report that I need to submit, there is not sufficient time in the world to fill them all. Every ISP has their own URL, forms with different fields, etc. You want to develop tools for each ISP in the world that decides to use a form to automate the abuse submission process? Instead, ensuring that you are able to use, for example fail2ban, means that any abuse case is automatically reported via email (including the logs to probe the abuse).

> Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.

I fully agree! My original proposal was only 3 working days, but the community told me "no way". This was the same input I got in APNIC and LACNIC (in both regions it reached consensus with 15 days).

So, I will keep 15 days ...

> Regards,
> rfg
In message <55D65BF8-A430-4BDC-AE58-63FF3DCA4DEC@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
> Section 2.0 bullet point #2. What's wrong with web forms?
>
> If I need to use a web form, which is not standard, for every abuse report...
OHHHHHHHHHHH! Your proposal did not make it at all clear that the web forms you were making reference to were ones that the resource holder might put in place in order to provide a way for abuse victims to file a report. I agree completely that those things are intolerable, and I will go further and say that any resource holder who puts such a form online should properly be consigned to the fifth ring of hell.

Sorry! I had misconstrued. When your proposal mentioned web forms I had assumed that you were making reference to some form that the RIPE NCC might put online and that the resource holders would need to type something into (e.g. a unique magic cookie) in order to fully confirm that they are in fact receiving emails to their documented abuse reporting email addresses.

I think that the verification email messages that RIPE NCC sends out to resource holders should indeed contain a link to a web form, on the RIPE web site, where the recipient resource holder should be required to make at least some minimal demonstration that it has at least one actual conscious and sentient human being looking at the inbound emails that are sent to its abuse address.

Please clarify in your proposal what exactly your use of the term "web form" was intended to convey. Thank you.
> Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.
>
> I fully agree! My original proposal was only 3 working days, but the community told me "no way". This was the same input I got in APNIC and LACNIC (in both regions it reached consensus with 15 days).
>
> So, I will keep 15 days ...
I think this is provable, and also transparently obvious and colossal bullshit, but that's just my opinion. I say again. Things happen on the Internet in milliseconds. Any service provider that can't react to an email within 72 hours should be removed from the Internet of Responsible Adults and relegated to the agricultural industry, or to the study of geology, or at any rate to some profession where things are calm and leisurely, perhaps including the delivery of regular postal mail. If anyone wants to make his fortune by being an absentee landlord, just gathering in revenue and not taking any day to day responsibility for anything, let them get into the vacation rentals business and get the **** off the Internet. Regards, rfg
Hi Ronald,

On 14/1/20 0:17, "anti-abuse-wg on behalf of Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net on behalf of rfg@tristatelogic.com> wrote:

> In message <55D65BF8-A430-4BDC-AE58-63FF3DCA4DEC@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
>
> > Section 2.0 bullet point #2. What's wrong with web forms?
> >
> > If I need to use a web form, which is not standard, for every abuse report...
>
> OHHHHHHHHHHH! Your proposal did not make it at all clear that the web forms you were making reference to were ones that the resource holder might put in place in order to provide a way for abuse victims to file a report. I agree completely that those things are intolerable, and I will go further and say that any resource holder who puts such a form online should properly be consigned to the fifth ring of hell.
>
> Sorry! I had misconstrued. When your proposal mentioned web forms I had assumed that you were making reference to some form that the RIPE NCC might put online and that the resource holders would need to type something into (e.g. a unique magic cookie) in order to fully confirm that they are in fact receiving emails to their documented abuse reporting email addresses.

No worries. I will tidy up the text to make it clearer! Thanks!

> I think that the verification email messages that RIPE NCC sends out to resource holders should indeed contain a link to a web form, on the RIPE web site, where the recipient resource holder should be required to make at least some minimal demonstration that it has at least one actual conscious and sentient human being looking at the inbound emails that are sent to its abuse address.
>
> Please clarify in your proposal what exactly your use of the term "web form" was intended to convey. Thank you.
>
> > Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.
> >
> > I fully agree! My original proposal was only 3 working days, but the community told me "no way". This was the same input I got in APNIC and LACNIC (in both regions it reached consensus with 15 days).
> >
> > So, I will keep 15 days ...
>
> I think this is provable, and also transparently obvious and colossal bullshit, but that's just my opinion.

And mine!, but as a proposal author, I need to try to match as much as possible the wishes of the community.

> I say again. Things happen on the Internet in milliseconds. Any service provider that can't react to an email within 72 hours should be removed from the Internet of Responsible Adults and relegated to the agricultural industry, or to the study of geology, or at any rate to some profession where things are calm and leisurely, perhaps including the delivery of regular postal mail.
>
> If anyone wants to make his fortune by being an absentee landlord, just gathering in revenue and not taking any day to day responsibility for anything, let them get into the vacation rentals business and get the **** off the Internet.
>
> Regards,
> rfg
In message <671286EB-7FAD-4D70-ADDD-EFA0A680B5E8@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> > Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.
> >
> > I fully agree! My original proposal was only 3 working days, but the community told me "no way". This was the same input I got in APNIC and LACNIC (in both regions it reached consensus with 15 days).
> >
> > So, I will keep 15 days ...
>
> I think this is provable, and also transparently obvious and colossal bullshit, but that's just my opinion.
>
> And mine!, but as a proposal author, I need to try to match as much as possible the wishes of the community.
You are hereby officially absolved from all guilt in the matter. In nomine patri et fili spiritu sancte. Go in peace my son, and do what you have to do. Regards, rfg
I couldn't stop laughing for more than 30 minutes ... this is what they call (and they pay for) laughter therapy?

Tks!

On 14/1/20 12:52, "anti-abuse-wg on behalf of Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net on behalf of rfg@tristatelogic.com> wrote:

> In message <671286EB-7FAD-4D70-ADDD-EFA0A680B5E8@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>
> > > > Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.
> > >
> > > I fully agree! My original proposal was only 3 working days, but the community told me "no way". This was the same input I got in APNIC and LACNIC (in both regions it reached consensus with 15 days).
> > >
> > > So, I will keep 15 days ...
> >
> > I think this is provable, and also transparently obvious and colossal bullshit, but that's just my opinion.
> >
> > And mine!, but as a proposal author, I need to try to match as much as possible the wishes of the community.
>
> You are hereby officially absolved from all guilt in the matter. In nomine patri et fili spiritu sancte. Go in peace my son, and do what you have to do.
>
> Regards,
> rfg
I agree, perhaps these internet companies would be happy if it took 15 days for each credit card payment to take place between that company and the customer when a new customer uses their services?

--------- Original Message ---------
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Date: 1/14/20 8:34 am
To: "JORDI PALET MARTINEZ" <jordi.palet@consulintel.es>
Cc: "anti-abuse-wg" <anti-abuse-wg@ripe.net>

In message <6AFC7D17-BAC4-464C-8AF8-2AD852D39B29@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:

> I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parts of this, specifically:

Section 2.0 bullet point #2. What's wrong with web forms?

Section 3.0 part 3. Why on earth should it take 15 days for anyone to respond to an email?? Things on the Internet happen in milliseconds. If a provider is unable to respond to an issue within 72 hours then they might as well be dead, because they have abandoned all social responsibility.

Regards,
rfg
participants (7)
- Alessandro Vesely
- Fi Shing
- Gert Doering
- JORDI PALET MARTINEZ
- Leo Vegoda
- Randy Bush
- Ronald F. Guilmette