Re: [anti-abuse-wg] Decision on Proposal 2017-02
Name,

Why are you remaining anonymous?

Hervé

From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On behalf of Name
Sent: Tuesday, 20 March 2018 07:56
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02

"And an annual checking would ensure that the contacts remain more up-to-date."

Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.

Mail server exists ≠ up-to-date contact
Mail server exists ≠ valid abuse mailbox

-------- Original Message --------
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: <herve.clement@orange.com>
Date: Tue, March 20, 2018 3:52 am
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

As co-authors, if we propose this policy, that's because we believe that improving the Whois reliability is good for the Internet.

With regard to the first analysis conducted by the RIPE NCC, about 10%-25% of the current 70,000 distinct abuse contact emails seem technically incorrect, this implies that between 7,000 and 17,500 email addresses are not working ones.

If contacted by the RIPE NCC, resource holders will be requested to fix this information and will be able to receive abuse notifications. So there will be a significant difference between receiving something vs receiving anything.

Perhaps a part of these holders don't care but they will be contactable. The other part will be educated about this abuse-c field during the process.

And an annual checking would ensure that the contacts remain more up-to-date.
Regards

Hervé

-----Original Message-----
From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On behalf of ox
Sent: Monday, 19 March 2018 03:23
To: JORDI PALET MARTINEZ via anti-abuse-wg
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02

On Sun, 18 Mar 2018 13:43:54 +0000 JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

<snip>
I'm not a lawyer, but deal a lot with them, and I'm sure anyway, there are more informed voices even from the NCC that can confirm, and actually it will be interesting to confirm.
+1

I would like to also present the other side of the same argument:

If the NCC provides a platform that supplies fake/false/wrong information it could also attract arguments of legal liability...

Similarly, if the NCC does not provide abuse contact information there could also be legal arguments that this is a dereliction of trust with regards public resource management and that also opens up arguments of liability...

So, this would be most interesting to confirm.

Regards

Andre

_________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Dear Anonymous Name,
/"And an annual checking would ensure that the contacts remain more up-to-date."/
Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.
I am afraid I was not clear last time. I wrote:

"One can determine with a high degree of confidence whether mail sent to a given address is accepted for delivery by the mail server specified as MX in the DNS for the given e-mail address. To me it is a good start and much more than not checking anything."

The acceptance of the mail is slightly more than the existence of the mail server.

In particular, in one of your previous e-mails you state:

'If a resource owner sets their abuse mailbox to "Ronald.McDonald@hotmail.com", they will be deemed to have a valid abuse contact, because hotmail.com has a valid email server associated.'

In the light of my clarification above, this is not the case, as the mail server (which by the way does exist) does not accept mail for this recipient:

5.5.0 Requested action not taken: mailbox unavailable. [BL2NAM02FT023.eop-nam02.prod.protection.outlook.com]
Ronald.McDonald@hotmail.com ... User unknown
Mail server exists ≠ up-to-date contact
Mail server exists ≠ valid abuse mailbox
At the same time, I agree that the above holds even if you replace "Mail server exists" with "Mail server accepts mail for given recipient".

Unfortunately, as it has already been pointed out, the fact that a human does reply to a mail sent by the NCC during the annual check (assuming for a moment they do send such mail) does not prove at all that abuse reported to this address will be handled or acted upon in any way.

Unfortunately I agree with Gert Doering who said:

"I maintain the position that those that do care can be reached today, and those that do not care will find ways to fulfill the letter of the policy, and not change their ways."

At the same time, I do see some benefit in checking regularly the provided e-mail address, because I am convinced that there will always be cases where people simply forget to update the database. If they are reminded, they will be happy to correct it.

On the other hand, most probably there will also be people who - for some reason - will not want to handle abuse e-mails. They will certainly find a way to ignore such mail whatever policies we put in place.

Best regards,
Janos
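Added example (not part of the thread, and not the RIPE NCC's validation code): the distinction drawn in the message above between "a mail server exists" and "the mail server accepts mail for this recipient", expressed as a classifier over recorded SMTP replies to RCPT TO. The addresses, the reply texts and the names `parse_reply`, `classify` and `audit` are constructed for illustration.

```python
import re
from enum import Enum

class Verdict(Enum):
    NO_MAIL_SERVER = "no mail server answered"
    RECIPIENT_REJECTED = "server exists, recipient refused"
    TEMPORARY_FAILURE = "temporary failure, retry later"
    RECIPIENT_ACCEPTED = "recipient accepted for delivery"

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})(?=\s|$)")

def parse_reply(raw):
    """Parse a (possibly multi-line) SMTP reply into (code, enhanced, text)."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and int(m.group(1)) != code:
            raise ValueError("reply code changes inside one reply")
        code = int(m.group(1))
        texts.append(m.group(3))
        if m.group(2) == " ":  # "NNN " ends the reply, "NNN-" continues it
            break
    else:
        raise ValueError("reply has no terminating line")
    enh = ENHANCED.match(texts[0])
    return code, (enh.group(1) if enh else None), " ".join(texts)

def classify(rcpt_reply):
    """Map the reply to RCPT TO (None = no server reachable) to a verdict."""
    if rcpt_reply is None:
        return Verdict.NO_MAIL_SERVER
    code, _, _ = parse_reply(rcpt_reply)
    if 200 <= code < 300:
        # Accepted at RCPT stage only: says nothing about whether the
        # mailbox is read, which is the limit discussed in the thread.
        return Verdict.RECIPIENT_ACCEPTED
    if 400 <= code < 500:
        return Verdict.TEMPORARY_FAILURE
    if 500 <= code < 600:
        return Verdict.RECIPIENT_REJECTED
    raise ValueError(f"unexpected reply code {code}")

def audit(records):
    """records: {abuse-c address: raw RCPT TO reply or None}."""
    return {addr: classify(reply) for addr, reply in records.items()}

# Constructed sample replies, not captured from any real server.
SAMPLE = {
    "abuse@example.net": "250 2.1.5 Recipient OK",
    "former.employee@example.org":
        "550-5.1.1 The mailbox you tried to reach\r\n550 5.1.1 does not exist",
    "abuse@example.com": "451 4.7.1 Greylisted, try again later",
    "abuse@no-mx.example": None,
}

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE).items():
        print(f"{addr:32} {verdict.value}")
```
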
Hi,

On Tue, Mar 20, 2018 at 01:23:18PM +0100, Janos Zsako wrote:
At the same time, I do see some benefit in checking regularly the provided e-mail address, because I am convinced that there will always be cases where people simply forget to update the database. If they are reminded, they will be happy to correct it.
This is actually some benefit I see here - the NCC already does the ARC in regular intervals, so including abuse-c: in "please check that these are still correct" would be useful to help "those that do care but overlooked a necessary update".

(Right now, the NCC will already ensure that contacts are correct if they receive a complaint from someone that contact data is wrong)

So, still not really able to make up my mind whether I support or oppose this - staying neutral.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
We had to deal with 40+ invalid abuse contacts only for resources registered to German holders in the past three months. Most messages bounced with "user unknown".

We tried to reach out to the resource holders to get the invalid abuse contacts fixed. If that failed, we reported the case to RIPE NCC. With their assistance, a lot of additional cases could be solved (thanks!).

It turned out that most of the contacts were not invalid because the resource holders wanted to ignore reporting of abuse but due to technical problems or the contact set to a personal mailbox of someone who had left the organization. Many resource holders were glad to be notified of the problem.

So while I'd still prefer a validation process that requires human interaction to make sure messages sent to the abuse contacts are actually read and processed, an automated check if the mailbox exists at all would already help a lot. I'd be glad if this automated check just for the existence of the abuse mailbox could be done not only annually but probably even twice or four times a year.

- Thomas

CERT-Bund Incident Response & Malware Analysis Team
Thomas Hungenberg(th@cert-bund.de) on 2018.03.23 10:39:53 +0100:
We had to deal with 40+ invalid abuse contacts only for resources registered to German holders in the past three months. Most messages bounced with "user unknown".
We tried to reach out to the resource holders to get the invalid abuse contacts fixed. If that failed, we reported the case to RIPE NCC. With their assistance, a lot of additional cases could be solved (thanks!).
It turned out that most of the contacts were not invalid because the resource holders wanted to ignore reporting of abuse but due to technical problems or the contact set to a personal mailbox of someone who had left the organization. Many resource holders were glad to be notified of the problem.
So while I'd still prefer a validation process that requires human interaction to make sure messages sent to the abuse contacts are actually read and processed, an automated check if the mailbox exists at all would already help a lot. I'd be glad if this automated check just for the existence of the abuse mailbox could be done not only annually but probably even twice or four times a year.
I support the proposal.

Thomas' example shows that this check fixes a real problem, and that the number of non-working abuse contacts can easily be reduced.

I fixed an abuse contact myself last week - one that I believe was automatically generated by the NCC when the contacts were introduced. A lot of non-working contacts probably result from that alone.

If a simple check like the one proposed by the NCC had been part of the original abuse contact implementation, I believe there would have been few complaints about it.

/Benno
FYI: Some longer-term statistics on this:

Since January 2018, we have identified 157 invalid abuse contacts (our abuse reports bounced) for network objects registered with country code "DE" which we reported to RIPE NCC. RIPE NCC reached out to their members responsible for the respective objects.

150 cases have been solved by updating the abuse contact or correcting the mail server configuration - usually within only a few days.

There are only 2 cases older than four weeks still unresolved.

Thanks again to RIPE NCC for their great assistance!

- Thomas

CERT-Bund Incident Response & Malware Analysis Team
I guess the subject is wrong :-)

On Tue, 19 Feb 2019, Thomas Hungenberg wrote:
FYI: Some longer-term statistics on this:
Since January 2018, we have identified 157 invalid abuse contacts (our abuse reports bounced) for network objects registered with country code "DE" which we reported to RIPE NCC. RIPE NCC reached out to their members responsible for the respective objects.
We sent out 2318 abuse reports this year (since 1st Jan 2019), and only 63 bounced. Not sure how many of these 63 are RIPE-related, but will have to investigate :-)
150 cases have been solved by updating the abuse contact or correcting the mail server configuration - usually within only a few days.
There are only 2 cases older than four weeks still unresolved.
That's excellent.

Regarding the non-"DE" the figures are worse, right?

Best Regards,
Carlos
Thanks again to RIPE NCC for their great assistance!
- Thomas
Sorry, my eyes were wrong. I did read 2019-02 :-)

Carlos

On Tue, 19 Feb 2019, Carlos Friaças via anti-abuse-wg wrote:
I guess the subject is wrong :-)
On 19.02.19 13:23, Carlos Friaças wrote:
Regarding the non-"DE" the figures are worse, right?
The statistics are based on our automated reports only. Our automated system is sending 8,000+ reports per day - but only addresses abuse contacts for networks registered with country code "DE" directly. Data for networks registered with other country codes is sent with aggregated reports to the respective national CSIRTs.

I don't have any statistics on bounces for reports manually sent to abuse contacts for networks in other countries directly.

But yes, it looks like the number of invalid contacts for networks in other countries is (much) higher, in particular for Eastern Europe.

- Thomas

CERT-Bund Incident Response & Malware Analysis Team
The number of outright fake networks with shell company contacts might have something to do with that eastern european number :)

Or there's one or two outfits that can't make up their mind whether they are in the Netherlands, Dubai or Belize.

--srs
Hi Thomas,

you did not write which partners can offer slaves. In the past I called/e-mailed staff@swip.net and always got help. That may have been because Volvo was one of their first customers :-)

I have found clodns, and am testing with them. Do you have any views on them?

The Swedish ISPs I have talked to seem completely uninterested unless they get to do everything. In that case I would rather send my money to Bulgaria.

Regards,
peter h

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )
participants (9)
- Carlos Friaças
- Gert Doering
- herve.clement@orange.com
- Janos Zsako
- Name
- peter h
- Sebastian Benoit
- Suresh Ramasubramanian
- Thomas Hungenberg