[anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
Rich Kulawiec
rsk at gsp.org
Tue May 21 11:30:45 CEST 2019
This is a bad idea and should be abandoned.

The goal is fine: everyone/everything should have a valid abuse@ address per RFC 2142, decades of best practices, and inherent accountability to the entire Internet community. Everybody should pay attention to what shows up there, conduct investigations, mitigate problems, report/apologize as necessary, and so on. I've been on the record for a long time supporting this goal and that hasn't changed.

However:

1. Sending UBE to abuse mailboxes is bad. Think about it.

2. Expecting people to follow URLs contained in messages to abuse mailboxes is a horrible idea. Penalizing them for not doing it is worse. (Best practice for abuse handlers is to not use a mail client that parses HTML or a mail client with a GUI, for what I trust are obvious reasons.)

3. Whatever response mechanism is devised, it WILL be automated. I note the reference to "captchas" and suggest reading my recent comment on those in another recent thread here: briefly, they have long since been quite thoroughly beaten. They are worthless, and anyone using them or suggesting their use is woefully ignorant.

4. Knowing that abuse reports are accepted and read is nice, but not terribly useful. What matters is what's done with them, and that ranges from "investigated promptly and acted on decisively if they're shown to be accurate" to "ignored and discarded" to "forwarded to the abusers". And we (for a vague value of "we") already know this: we know because we've submitted abuse reports and observed outcomes for years. We know which operations never respond in any way and we know which ones hand data over to abusers (or *are* the abusers). We know this by practice and experience -- it's not something that can be automated. It takes time and effort and expertise to figure out.

5. This approach fails the "what if everybody did it?" test quite badly.

6. Of course, the moment something like this is deployed -- if not before -- bad actors will realize that copycatting it may well be an effective tactic to directly attack abuse desk operations and/or gather intelligence on them and/or compromise them.

---rsk