[anti-abuse-wg] Spam FAQs need revision, was 2011-06 New Policy

Hello All,

Joe St Sauver's comments and suggestions make perfect sense and RIPE NCC
needs to follow such a sound advice.

Joe's specific recommendation that "Consider reporting spam via a
well-established spam reporting Channel" should be promoted by ALL user
groups, and ISPs. RIPE's FAQ recommendation that "simply ignore and delete
any spam emails you get" has been one of the main causes proliferation of
Spam everywhere. By guiding users to sites like this,
http://spamlinks.net/track-report-addresses.htm, almost anyone can report a
Spam properly and keep ISP's aware of malicious traffic that passes through
their servers.

As Joe suggested, RIPE's FAQ must provide better guidance than reminding us
to simply ignore and delete any spam emails you get.

By remaining diligent, we can make this situation better for everyone.

Thank you,

Reza Farzan 

======================


> -----Original Message-----
> From: anti-abuse-wg-bounces at ripe.net 
> [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Joe St Sauver
> Sent: Monday, December 12, 2011 2:22 PM
> To: anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Spam FAQs need revision, was 
> 2011-06 New Policy
> 
> Hi,
> 
> When I look at 
> http://www.ripe.net/data-tools/db/faq/faq-hacking-spamming/
> I'd probably write something that looks quite a bit different 
> than what's currently there.
> 
> For example, just starting at the top:
> 
> -- "What is spam? 
> 
>    FAQ currently says:
> 
>    "Spam is junk email, usually offering bogus products and 
> invitations to 
>    pornography sites. Sometimes, spam email is used to spread 
> viruses. You 
>    may also receive 'phishing' emails. These are emails that 
> look like they 
>    have been sent by a legitimate organisation and attempt to 
> fraudulently 
>    acquire sensitive information, such as passwords and 
> credit card details."
> 
>    I'd suggest that the definition of "spam" that's available at
>    http://www.spamhaus.org/definition.html is significantly stronger.
> 
> -- "Should I just ignore spam?"
> 
>    FAQ currently says:
> 
>    "Yes. We recommend that you simply ignore and delete any 
> spam emails you 
>    get. Spam is a universal problem and there is not much 
> that can be done 
>    to stop it. However, if you do want to try to find out 
> where the spam is 
>    originating from you can follow the steps in FAQ 5."
> 
>    I'd suggest that's a passive/defeatist approach that 
> spammers absolutely
>    adore since it fails to put any back pressure on spammers. By NOT 
>    reporting spam, service providers hosting spam-related 
> sites (and service 
>    providers with botted customers) get no feedback that will 
> allow them to 
>    clean up their issues. That really needs to change. 
> 
>    I'd suggest:
> 
>       "No. Consider reporting spam via a well-established 
> spam reporting
>       channel. This might be a "this is spam" button offered 
> as part of
>       your provider's web email interface, or via a third party spam
>       reporting service such as Spamcop 
> (http://spamcop.net/), which is
>       free. If you want to report spam directly, you may find 
> it helpful
>       to see the abuse reporting addresses available from 
> http://abuse.net/"
> 
>    I'd like to suggest that users report spam to appropriate 
> government 
>    agencies, see for example:
>    http://spamlinks.net/track-report-addresses.htm#country
> 
>    I would also note that encouraging user reporting is 
> consistent with 
>    the explanation that's provided later in the FAQ under
>    "What can I do to stop spam emails?" which goes into some detail
>    when it comes to how to actually do manual spam reporting. 
> 
> -- "What can the RIPE NCC do about the spam email I have received?"
> 
>    FAQ currently says:
> 
>    "Unfortunately, the RIPE NCC can do nothing about spam email or 
>    'phishing' email. The RIPE NCC does not send, or 
> facilitate the sending 
>    of, spam email. Nor is it responsible for any spam you 
> receive. It is 
>    also unable to investigate any complaints about spamming."
> 
>    Again, that's not the answer to this FAQ item that I'd 
> like to see. 
> 
>    I would like to see RIPE NCC acknowledge that it *does* have a role
>    in combatting network abuse, particularly when it comes to 
> ensuring 
>    that the resources it manages are not abused. For example, 
> if RIPE NCC 
>    learns that a network resource has been acquired under fraudulent 
>    pretenses for the purpose of engaging in network abuse, or 
> a network 
>    resource has bogus point of contact information, those 
> behaviors are 
>    not acceptable and will result in a review by RIPE NCC 
> and, if that 
>    abuse is confirmed, those resources will be reclaimed.
> 
>    Obviously that would also imply a change to 
> 
>    "Why are there no contact details or incorrect contact details for 
>    reporting spam email listed in the RIPE Database for the 
> IP address 
>    I searched on?" 
> 
>    which states
> 
>    "The records in the Regional Internet Registries'(RIR) 
> databases are 
>    entered and maintained by the organisations that receive 
> IP addresses 
>    from each RIR. The RIRs do not check the accuracy of any 
> of the records 
>    in the database or make any changes to the data maintained 
> by these 
>    organisations. The RIPE NCC has no power to update any of 
> these records."
> 
>    If nothing else, that FAQ answer should *at least* be 
> updated to correct 
>    factual inaccuracies because at least *some* other RIRs 
> *DO* check and/or
>    correct inaccuracies in their databases, e.g., see, in the 
> case of ARIN, 
>    APNIC and LACNIC, see:
> 
>    -- https://www.arin.net/policy/nrpm.html#three6
> 
>       "3.6 Annual Whois POC Validation
> 
>       "3.6.1 Method of Annual Verification
> 
>       "During ARINs annual Whois POC validation, an email 
> will be sent to 
>       every POC in the Whois database. Each POC will have a 
> maximum of 60 
>       days to respond with an affirmative that their Whois contact 
>       information is correct and complete. Unresponsive POC 
> email addresses 
>       shall be marked as such in the database. If ARIN staff 
> deems a POC to 
>       be completely and permanently abandoned or otherwise 
> illegitimate, 
>       the POC record shall be marked invalid. ARIN will 
> maintain, and make 
>       readily available to the community, a current list of 
> number resources 
>       with no valid POC; this data will be subject to the 
> current bulk Whois 
>       policy."
> 
>    -- 
> http://www.apnic.net/apnic-info/whois_search/abuse-and-spammin
> g/invalid-contact-form
> 
>       "Use this form to report invalid contact details found 
> in the APNIC
>       Whois Database. APNIC will take appropriate steps to 
> try to have the 
>       database objects updated."
> 
>       See also 
> http://www.apnic.net/policy/policy-environment#processing
>       at 7.1 ("Validity of IP address delegations")
> 
>    -- http://lacnic.net/en/politicas/manual7-1.html 
> ("Resource Recovery")
> 
>       See also http://lacnic.net/en/politicas/manual7-1.html
> 
>       "The organizations receiving IPs addresses from LACNIC have the 
>       commitment to keep their registration information updated.
> 
>       "But, in the case it is noticed that some information 
> is invalid we 
>       ask you to communicated the fact to 
> hostmaster at lacnic.net informing 
>       the IP address with invalid registration information."
> 
>    So, RIPE may not have processes for keeping their part of 
> the global
>    databases accurate, but other RIRs do...
> 
> There are also many redundancies in the FAQ, e.g., see the 
> "Can I stop spam?"
> item vis-a-vis "Should I just ignore spam?"
> 
> Or "I want to know more about spam" vs. "Where can I find 
> more information about spam"
> 
> Or "How do I found out who's behind a suspect message?" vs.
> the tutorial on reading headers that's in "What can I do to 
> stop spam emails?"
> 
> And there are other duplications of that sort in the FAQ... I 
> think it probably grew over time, but as stuff got slotted 
> into the document, no deconfliction and reconciliation ever 
> took place. I think that work to do that would strengthen the 
> document and make it considerably stronger.
> 
> Regards,
> 
> Joe
> 
> 
> 
> 
> 
> =======
> Email scanned by PC Tools - No viruses or spyware found.
> (Email Guard: 9.0.0.888, Virus/Spyware Database: 6.18870) 
> http://www.pctools.com/ =======
>