[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse

On 8 Apr 2010, at 19:27, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:

>> 
>>> You dont need to know the real one until you have one for every IP.
>> 
>> As I mentioned, you might simply want to contact the abuse team
>> regarding a more general issue. Quite often if I can't find a published
>> abuse contact for foo.com so I'll dig www.foo.com and then lookup the
>> returned address in the RIPE DB - I'm not at all interested in an
>> address specific to that IP address though.
> 
> well, you can still look it up.
> 
> But see it this way:
> - most provider use anti spam tools like SpamAssassin to protect there
>  customer
> - SA surely lists the IP that was connecting and causing the spam
> - you can then automatically forward the spam plus a initial text,
>  describing that you do not want this to the general "IP like" address
> - and the monitoring system will then forward it to the
>  right RIPE member (and to EVERY member)

So if a machine on a network were compromised / abused and a large amount of spam was sent out, how many of these emails would you see being relayed via RIPE to the abuse contact??

> 
> 
> You can then look up the report (or even automate it), reset
> his radius password and kick him out, waiting for him
> to phone your support :o)

Not everyone has the same business model


> 
> Or you could redirect him to a webpage describing that there
> are too many reports coming in for his IP in a whatever time.
> Its all up you.
> 
> My dream system looks like this:
> - abuse reports will get standarized

that would be helpful


> - monitoring systems will be developed at all RIRs

Monitoring for what exactly???

> - spam detection will be automated at the providers side
>  and send standarized reports to the RIRs monitoring system
> 
> - and the RIRs member automates and scans the incoming reports
>  like he wants (maybe by devining minimum values and limits)
>  and automates the blockage and information of his users
> 
> Sounds great ?
> 
> Well, thats actually what we are doing already with our own users.
> If we detect incoming spam with high scores a couple of times
> in a short time we kick the users offline automatically and redirect
> him next time he loggs in to a information page, where he finds
> our support numbers :o)
> 
> Wroks simply great, and I would love to get closer to such a system
> together with ALL ISP


And again you are working under the false assumption that ALL RIPE members offer the same services as you do and in the same way.

> 
> "Bad providers" could be even published by RIPE :o)


Are you insane? RIPE cannot open itself up for that kind of liability

>> 
> 
> Well, thats only work at RIPE NCC, its not that complicated to
> automated bounces ...

So you say .. 

You cannot speak for all providers / RIPE members.

You are also suggesting putting a very heavy load on RIPE's systems which someone will have to pay for. Who?

> 
> 
>> confirmation would be enough, although you'd need some way to deal with
>> automated reports.
> 
> Well, the monitoring system could send always the same backlink
> for the same IP, so that the ISP could still count the amount
> of incoming reports for one IP automatically and then
> "answers" it as being closed with just clicking ONE link.
> 
> Good idea ?

So you expect RIPE members to completely rework their abuse desks to fit into your view of the world?

I can't see that happening, because not all RIPE members are the same or work in the same way.


Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59  9183072
US: 213-233-1612 
UK: 0844 484 9361
Locall: 1850 929 929
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845