[anti-abuse-wg] [policy-announce] 2017-02 Review Phase (Regular abuse-c Validation)

I second Jordi's opinion that validation of the abuse-mailbox should require
human interaction of the resource holder. In addition to solving a captcha
the resource holder might need to confirm (click a checkbox) that he will
monitor the abuse-mailbox account on a regular basis and take appropriate
action to solve reported abuse cases.


     - Thomas

CERT-Bund Incident Response & Malware Analysis Team


On 18.01.2018 19:44, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> I fully agree with this proposal and should be implemented ASAP.
> 
> HOWEVER, I’ve a question regarding the impact analysis, and specially this sentence:
> 
> “To increase efficiency, this process will use an automated solution that will allow the validation of “abuse-mailbox:” attributes without sending an email. No action will be needed by resource holders that have configured their “abuse-mailbox:” attribute correctly.”
> 
> Reading the policy proposal, how the NCC concludes that it should be “without sending an email”?
> 
> I will say that the right way to do a validation (at creation/modification and yearly) is, in a way that makes sense (having an email that nobody is processing is exactly the same as not having the abuse attribute at all):
> 1) Send an email with a link that must be clicked by a human (so some kind of captcha-like mechanism should be followed)
> 2) If this link is not clicked in a period of 48 hours (not including Saturday-Sunday), an alarm should be generated so the NCC can take the relevant actions and make sure that the mailbox is actively monitored by the LIR
> 
> Regards,
> Jordi