This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

Previous message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
Next message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rich Kulawiec rsk at gsp.org
Tue May 21 11:30:45 CEST 2019

This is a bad idea and should be abandoned.

The goal is fine: everyone/everything should have a valid abuse@ address
per RFC 2142, decades of best practices, and inherent accountability to
the entire Internet community.  Everybody should pay attention to what
shows up there, conduct investigations, mitigate problems, report/apologize
as necessary, and so on.  I've been on the record for a long time
supporting this goal and that hasn't changed.

However:

1. Sending UBE to abuse mailboxes is bad.  Think about it.

2. Expecting people to follow URLs contained in messages to abuse
mailboxes is a horrible idea.  Penalizing them for not doing it is worse.
(Best practice for abuse handlers is to not use a mail client that parses
HTML or a mail client with a GUI, for what I trust are obvious reasons.)

3. Whatever response mechanism is devised, it WILL be automated.
I note the reference to "captchas" and suggest reading my recent
comment on those in another recent thread here: briefly, they have long
since been quite thoroughly beaten.  They are worthless, and anyone
using them or suggesting their use is woefully ignorant.

4. Knowing that abuse reports are accepted and read is nice, but not
terribly useful.  What matters is what's done with them, and that
ranges from "investigated promptly and acted on decisively if they're
shown to be accurate" to "ignored and discarded" to "forwarded to the
abusers".

And we (for a vague value of "we") already know this: we know because
we've submitted abuse reports and observed outcomes for years.  We know
which operations never respond in any way and we know which ones hand
data over to abusers (or *are* the abusers).  We know this by practice
and experience -- it's not something that can be automated.  It takes
time and effort and expertise to figure out.

5. This approach fails the "what if everybody did it?" test quite badly.

6. Of course, the moment something like this is deployed -- if not
before -- bad actors will realize that copycatting it may well be
an effective tactic to directly attack abuse desk operations and/or
gather intelligence on them and/or compromise them.

---rsk

Previous message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
Next message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]