[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse monitor system

Hello,

> frank at powerweb.de wrote:
> > No, because the system generates email addresses [1.2.3.4 at abuse.ripe.net]
> > only related to the IP address that causes the abuse.
> 
> No, it doesn't.  The mail will go to wherever some human or robot
> *assumes* the spam cause to be.  Never seen a complaint which was
> mis-directed to because some bozo fell prey to faked headers?

Sure, thats what the backlink idea is for.
So the member is free to categorize the report himself
(where it would be detectable, if one member simply sets all his reports
 always to "false report, started not from our network" without any
 more details".

> If I understood your draft section 5 correctly, you think that there are
> actually people who consider researching "whois" records too complicated

Sure, no normal mail user in Germany I know about knows what RIPE is
or whois, they even do not know what a domain whois and e.g.
the DENIC is, even if they have a own domainname.

And that normal end user is not different in other coutries ...

> but, at the same time, are able to do a decent analysis of email headers?

Point for you.

> I've never met members of this species.  And I'd be afraid if I were

Hm, maybe the system should be enhanced to that the system tracks the source
doing it self, complicated but possible, like spamhaus or spamcop
are doing it ...

But then we have a real clearing system that has to be reliable
(instead of just forwarding spam).

In the end, this is the really first point against a system I described.

Anybody ideas to solve that ?

Otherwise the system will only good for professional and they know
what whois is (even its still more complicated and non-mandatory
information is still missing).

> *forced* (by RIPE) to read and repsond to their spam reports.
> 
> Your policy draft is extremely week on th only policy point it contains:
> 
> 	Section 5 "Advantages":
> 	[...]
> 	RIPE NCC can ensure that all allocations have a working
> 	abuse address.
> 	[...]
> 
> Like, how?  As someone else has already pointed out:  redirecting all
> reports to /dev/null would make your control system happy -- no bounces.

Well, not that bad in the first step.
They work, ok, there are not read, but the exist and work.

These days we have thousand of abuse addresses that do not work,
intentionally or not.
It would be helpful to find those, that should work, but dont
and warn the ISP about it on time ...

> It all gets back to human checks:  Internet user U complaints (at the
> RIPE) about LIR L, saying something like "unrepsonsive LIR, restract
> its allocation containing 62.67.229.200".  Your proposal would have to

Funny IP :o)

> state the further course of action (i.e., "the policy").  In particular,
> please be clear on legal issues.  When U complains about "the contact for
> 62.67.229.200", the RIPE NCC should do what?  Snail-mail two warnings,
> then "pull the plug" for 62.67.228.0/20 (or would it be the 62.67.0.0/16,
> because of "remarks: all abuse reports to abuse at level3.com")?  The very
> next day, the three distinct end users of, say, 62.67.1.1, 62.67.231.254,
> and 62.67.255.254, respectively, get a bit upset that their businesses
> have RPSLy fallen off the Internet.  Ooops.  A merry round of "A sues
> B" follows.  Anybody in this game who you think should be idemnified at
> this point?  The RIPE NCC for example?  How?

Hm, your a bit too quick here ... but I get the point.

> Shifting the focus away from "forced policies" towards "useful tools":
> 
> Any well-intentioned LIR/ISP will happily use whatever tools it can
> get its hands to be aware of any abuse of its network.  It appears
> to me that simply monitoring your network ranges on various DNSBLs
> is achieving pretty much the same benefits (for the ISP/LIR) as your

But there are that many ...

> proposol does, without inflicting any work on the RIPE NCC to forward
> spam complaints and to collect statistics.  You're kinda reinventing
> wheels many folks already use.

Yes, but I started a discussion of really important points I think (where
this list was kind of sleeping for a while).

My main question from today is still not answered (by nobody so far):

If the community willing to accept, that RIPE members cause
harm to other members without any consequences simply because they
are lazy, uneducated, ignorant or without resources to prevent problem
or maybe even because they provit or intended the problem ?

Does "free internet" means that we have to live with that ?

> You do seem to have a valid point about educating new LIRs/ISPs.

Well then ...



Kind regards, Frank
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de
> 
> 							Martin
>