[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dipl-Inform. Frank Gadegast wrote:

> You dont need to know the real one until you have one for every IP.

As I mentioned, you might simply want to contact the abuse team
regarding a more general issue. Quite often if I can't find a published
abuse contact for foo.com so I'll dig www.foo.com and then lookup the
returned address in the RIPE DB - I'm not at all interested in an
address specific to that IP address though.

> Metric ?

Metric as in a standard of measurement. Sorry that probably wasn't very
clear language on my part.

> And that prooves what ?

I have 17 million+ users, and a remit to provide very open network
access to them. It's inevitable that somewhere on the network someone is
sending large volumes of spam, what's important is how quickly and
effecitvely we react to that incident.

Someone from RIPE calling us, to offer us a training course we don't
need, because last year we had a few hosts sending 100,000+ spam e-mails
isn't a useful use of anyone's resources.

This, and my comment about NAT, are just illustrations of how you need
to be careful over deciding what you consider to be a large volume of
reports.

> Well at least you will hear about incidents with the new system
> and thats more thats currently happening.

We already hear about incidents. Almost all the address space used on
our network has an irt object published and reports reach us at the
correct address.  I'm not convinced that any abuse team who really wants
to make themselves contactable has problems doing so (whether they are
aware of the irt object or not is another matter).

The difficulty is in convincing network owners that they need abuse
teams that take the issue seriously :)

> Yes, thats why I stated that.
> A solution could be, that the RIPE system will return a link
> to the report sender, that has to be clicked, before the report
> will be forwarded to the member.
> 
> Will that help ?

Sorry I missed that in my original reading.

> A member abuse address could be resetted automatically to the members
> main email adress (but is very likely to be read by the member).
> The member would not want that many emails arrive at that main address
> and fix the abuse address asap.
> 
> This process could be automated at RIPE system.

I don't know anything about RIPE's existing processes for making sure
that member information is correct but I suspect that it still requires
human effort as a last resort.

> Another idea to stop spam coming in, could be to open
> the whole system only to RIPE members first !
> 
> The ISP could work together and all others stay out.
> 
> Will that be a solution ?

No, I suspect most of our reports come from non RIPE members. The link
confirmation would be enough, although you'd need some way to deal with
automated reports.

>> No, it'll just ensure that the reports end up being delivered to an
> 
> Thats far more, that we have now ...

Shuffling bits from one mailbox to another doesn't constitute actual
progress. You need to give a reason for the recipient to care enough
about the reports to do something - and if they have that reason they'll
take care of making themselves contactable for you :)

James

- --
James Davis	+44 1235 822 229    	   PGP: 0xD1622876
JANET CSIRT	0870 850 2340	        (+44 1235 822 340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFLvgCNhZi14NFiKHYRAnvWAJ9z0cWJq/rXaNZgyEPcG3MhdEODhgCfb2OZ
MMz5kWuRdgtPKF3vuY9L2OI=
=DfbR
-----END PGP SIGNATURE-----

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG