This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
peter h
peter at hk.ipsec.se
Fri Apr 9 11:19:25 CEST 2010
On Friday 09 April 2010 10.38, Michele Neylon :: Blacknight wrote:
>
> On 8 Apr 2010, at 19:27, Frank Gadegast, Dipl-Inform. Frank Gadegast wrote:
>
> >>> You don't need to know the real one until you have one for every IP.
> >>
> >> As I mentioned, you might simply want to contact the abuse team
> >> regarding a more general issue. Quite often if I can't find a published
> >> abuse contact for foo.com so I'll dig www.foo.com and then lookup the
> >> returned address in the RIPE DB - I'm not at all interested in an
> >> address specific to that IP address though.
> >
> > well, you can still look it up.
> >
> > But see it this way:
> > - most providers use anti spam tools like SpamAssassin to protect their
> >   customers
> > - SA surely lists the IP that was connecting and causing the spam
> > - you can then automatically forward the spam plus an initial text,
> >   describing that you do not want this to the general "IP like" address
> > - and the monitoring system will then forward it to the
> >   right RIPE member (and to EVERY member)
>
> So if a machine on a network were compromised / abused and a large amount
> of spam was sent out, how many of these emails would you see being relayed
> via RIPE to the abuse contact??

Proportional to the number of spam. Are you surprised that lots of spam generates lots of complaints?

> > You can then look up the report (or even automate it), reset
> > his radius password and kick him out, waiting for him
> > to phone your support :o)
>
> Not everyone has the same business model

Some do better than others. Those that have no means of blocking a badly behaving customer would need to rethink their model.

> > Or you could redirect him to a webpage describing that there
> > are too many reports coming in for his IP in a whatever time.
> > It's all up to you.
> >
> > My dream system looks like this:
> > - abuse reports will get standardized
>
> that would be helpful
>
> > - monitoring systems will be developed at all RIRs
>
> Monitoring for what exactly???

Analysing incoming abuse reports (and acting accordingly).

> > - spam detection will be automated at the providers side
> >   and send standardized reports to the RIRs monitoring system
> >
> > - and the RIRs member automates and scans the incoming reports
> >   like he wants (maybe by defining minimum values and limits)
> >   and automates the blockage and information of his users
> >
> > Sounds great ?
> >
> > Well, that's actually what we are doing already with our own users.
> > If we detect incoming spam with high scores a couple of times
> > in a short time we kick the users offline automatically and redirect
> > him next time he logs in to an information page, where he finds
> > our support numbers :o)
> >
> > Works simply great, and I would love to get closer to such a system
> > together with ALL ISP
>
> And again you are working under the false assumption that ALL RIPE members
> offer the same services as you do and in the same way.

Nope, some lazy ISPs will have to adjust their procedures. Being allowed to use an IP range is both a benefit and an obligation. Society at large does not work when rogue individuals misbehave and ignore "common rules-of-conduct".

> > "Bad providers" could be even published by RIPE :o)
>
> Are you insane? RIPE cannot open itself up for that kind of liability

Why? If ranges are supplied with explicit rules-of-use, then if the provider does not follow the (agreed rules) it's not RIPE's problem. The key here is to couple assignment of ranges to specific rules for use.

> > Well, that's only work at RIPE NCC, it's not that complicated to
> > automate bounces ...
>
> So you say ..
>
> You cannot speak for all providers / RIPE members.
>
> You are also suggesting putting a very heavy load on RIPE's systems which
> someone will have to pay for. Who?

Why not take a fee per IP address / year? This is something I suggested to IETF ages ago, and it would have made allocations much more fair. No one would like to pay for resources they don't need, and everyone would have a decent chance of getting addresses when they need.

> >> confirmation would be enough, although you'd need some way to deal with
> >> automated reports.
> >
> > Well, the monitoring system could send always the same backlink
> > for the same IP, so that the ISP could still count the amount
> > of incoming reports for one IP automatically and then
> > "answers" it as being closed with just clicking ONE link.
> >
> > Good idea ?
>
> So you expect RIPE members to completely rework their abuse desks to fit
> into your view of the world?

Why not? The world changes and if some refuse to follow they will find themselves outside the loop.

> I can't see that happening, because not all RIPE members are the same or
> work in the same way.

Unfortunately.

> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59 9183072
> US: 213-233-1612
> UK: 0844 484 9361
> Locall: 1850 929 929
> Twitter: http://twitter.com/mneylon
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland Company No.: 370845

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )