[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an

Hello Leo,

> > The benefit is clear:
> > - it will give RIPE NCC the chance to seperate good from
> >   "spam-friendly" members, prepare impresive statistics
> >   for further discussions (e.g. with Governments) and much more
> > - it will simplify the process of reporting spam
> >   and reacting to spam reports for everybody, querying
> >   whois is still too complicated and unknown to the normal
> >   end user and hard to automate for blacklists or other
> >   services, because there are about 20 different whois
> >   output formats worldwide (inserting an abuse-address into
> >   an IRT object will even make it more complicated)
> > - having an easy and unique address to report to, is another
> >   step in standarizing the report format, what would make
> >   it much more easy for members that are willing to deal
> >   with abuse reports
> 
> You didn't answer the question, though. Why would you proposal make ISPs want to deal with abuse reports when they are not doing so already? 

I did answer this a couple of times now, but ok, again.
The first version will not work against members, that are not willing
to do something against abuse that is coming from their networks.

Working against them will need some kind of "punishment", and sure there
is more to talk about first with this. But at least there will be
some kind of identification, wich one needs to be educated
or even "punished" with this kind of system.
The consequences are still for further discussion.

> As to the claim that whois is to complicated to normal end users, I would contend that normal end users should not have to try and work out where abuse actually originates from. That is something that service providers should be doing. As someone who receives abuse reports for most of the special use IPv4 addresses reserved in various RFCs I can assure you that end users have a very hard time reading mail headers or understanding the warning messages provided by their firewall software. 

whois is even too complicated for normal people even for ISPs or blacklist owners
like we are. Or even for super-professionals.

- abuse-records are mostly hidden in remark-field because the abuse-field
  isnt used very often, because its non-mandatory (yet).

- whois is showing IP ranges and ranges are often quite small, what means
  that you have to look up each range, better each IP seperatly

- whois has only a connection to the owner of the range and not to the
  member, unless you do even more queries

- queries to personal objects are limited, what makes automated systems
  impossible, if they are not starting to cache queries or read old
  database dumps or have the special right to receive as many infos
  as they need

- caching query results are causing delays, what means that the abuse contacts
  cant be correct all the time, because they could have changed already

- if the IRT object is introduced including abuse records, you will have
  to look up the normal whois AND the IRT object, and what result will
  you prefer, if both is available ?

and if you see it world-wide:
- the formatting of the world wide whois systems is not equal and sometimes
  even hard to parse, even if they nearly have the same fields
- IPv4 ranges are widely spread between all RIRs, you will need to look
  up arins whois first, to find out, where the range actually belongs to,
  and then ask that RIR
- dont forget the early registration blocks spread all over the world
- arins whois requires up to three queries to finally get the abuse contact
  hidden in several possible objects, multi-range listings with more than one
  correct answer. What field will you really look for in arins whois ?
  OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
- apnics whois is now spread along several other referral whois in different countries
  and there is not clear and often changing relocation or change in the size
  of the assigned blocks for those sub-RIRs
- lacnic also spreads, brasil has its own whois
- lacnic always includes the mains RIRs abuse contats, relevant ? yes, no, both ?
- the objects changed-date is not visible on all whois worldwide
- tools that should make this more easy (like jwhois for domainname) are
  always developed with big delays and are never accurate

And many more problems, thats not what I understand as standarized ....

And if there is an RFC nearly for everything, its pretty weird,
that whois is not equal all over the world.

(well, but the same with domain whois, at least the output format could
 be the same, even if every country will hide fields or not like its
 needed by local law or commitment)

> >> A system like the one proposed would add an extra layer between the complainant and the relevant network and could well become a target for abuse itself. I am not sure how it would make network managers want to deal with abuse complaints that they are currently ignoring, though. Can you expand on that?
> > 
> > Thats right, the possible amount of reports arriving could be a real
> > problem and could use more resources than expected. The problem is,
> > that the amount is not really predictable until maybe even
> > a testbed is implemented.
> > 
> > Members that are ignoring spam reports could be at least
> > identified, whatever "punishment" ( starting from public
> > blame reaching up to real sanctions) will appear after
> > identification, is for further discussions.
> > 
> > It could start with a blacklist filled from RIPEs data,
> > lets call it the "spam report ignoring RIPE member blacklist",
> > or SRIRMB ;o)
> 
> So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?

Yes, because the development and maintance cost are spread on all members,
instead on only those, that are willing to do something, this would
be one way to "punish" the others :o)

And the system only has to be developed once.

And it will get even cheaper for everybody, if you add more functionality
in the next steps ...

And no member that already receives and reads and works on abuse reports
has to fear this system, that how it should be constructed.
It should help members with working abuse departments to simplify their work.
It should also be a starting point to get report formats standarized,
to simplify the lookup of abuse contacts (or even make lookups
unnessessary). It should be a start to talk about consequences
if a member ignores abuse reports.


Kind regards, Frank
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de

> 
> Regards,
> 
> Leo
>