[anti-abuse-wg] *** Re: [policy-announce] 2017-02 Review Phase (Regular abuse-c Validation)

IF receive complaints from public about abuse-c non functional THEN do additional verification

On Tue, 23 Jan 2018 23:45:39 -0700
"Name" <phishing at storey.xxx> wrote:
> IF email is from = "validation at RIPE.NET" THEN deliver email,
> ELSE, delete/auto-respond/jump through hoops.
> 
> -------- Original Message --------
> Subject: Re: [anti-abuse-wg] [policy-announce] 2017-02 Review Phase
> (Regular abuse-c Validation)
> From: ox <andre at ox.co.za>
> Date: Wed, January 24, 2018 4:43 pm
> To: Brian Nisbet <brian.nisbet at heanet.ie>
> Cc: anti-abuse-wg at ripe.net
> 
> On Tue, 23 Jan 2018 14:45:13 +0000
> Brian Nisbet <brian.nisbet at heanet.ie> wrote:
> 
> > Just to be very clear, the current proposal is only in relation to
> > verification.
> >
> > If the community wish for other processes to be put in place in
> > regards to lack of action on abuse or similar, then that would
> > require a wholly different proposal.
> >
> As Marco Schmidt explained regarding exactly this, "verification" :
> 
> > An SMTP RCPT command, as Nick mentioned, will likely be one of
> > several checks that we perform. These checks will identify that the
> > syntax and format of the email address is okay, the domain accepts
> > email, and that the mailbox itself exists. We aim for the results
> > to be as accurate as possible.
> 
> This is simply not good enough for abuse-c as the core of having a
> real abuse-c is that it is monitored/real/functional and not just
> an email address created with an autoresponder.
> 
> this goes to the core of the real world problem.
> 
> many resource holders create a valid email address and then link an
> autoresponder to that saying:
> 
> thank you for your very valuable abuse notification! Please visit our
> website link to submit a report
> 
> then on the "website/link"
> create an account for this singular complaint
> verify that account (jump through many hoops)
> then verify the actual complaint
> then confirm your details and information
> etc etc
> 
> so many many hoops - all designed to waste time and to reduce actually
> receiving any abuse notifications.
> 
> Sure, RIPE cannot tell resource users how to handle abuse reports or
> complaints
> 
> BUT
> 
> RIPE can ensure at least that having a resource record means
> something? otherwise it is pointless even having an abuse-c - as it
> means nothing.
> 
> so, why have an abuse-c at all?
> 
> the point is: verification, if done in this manner:
> 
> send an alphanumeric key to be entered on website after solving a
> capcha
> 
> proves that the abuse-c is real/monitored/etc. - and not a useless
> bot/autoresponder or nonsensical resource record.
> 
> Andre
> 
>