This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
- Previous message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
- Next message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Tue May 21 13:21:02 CEST 2019
Hi Rich, El 21/5/19 9:31, "anti-abuse-wg en nombre de Rich Kulawiec" <anti-abuse-wg-bounces at ripe.net en nombre de rsk at gsp.org> escribió: This is a bad idea and should be abandoned. The goal is fine: everyone/everything should have a valid abuse@ address per RFC 2142, decades of best practices, and inherent accountability to the entire Internet community. Everybody should pay attention to what shows up there, conduct investigations, mitigate problems, report/apologize as necessary, and so on. I've been on the record for a long time supporting this goal and that hasn't changed. However: 1. Sending UBE to abuse mailboxes is bad. Think about it. We have no other way, unless we have a standard widely adopted. Is also something being done today, with most of the abuse cases. What is wrong is to have a different form for every possible LIR/end-user in the world. Not workable. 2. Expecting people to follow URLs contained in messages to abuse If you read the example procedure in the proposal, this has been sorted out. mailboxes is a horrible idea. Penalizing them for not doing it is worse. Penalizing member of an RIR that don't follow policies, is the right thing to do. (Best practice for abuse handlers is to not use a mail client that parses HTML or a mail client with a GUI, for what I trust are obvious reasons.) 3. Whatever response mechanism is devised, it WILL be automated. I note the reference to "captchas" and suggest reading my recent comment on those in another recent thread here: briefly, they have long since been quite thoroughly beaten. They are worthless, and anyone using them or suggesting their use is woefully ignorant. It is up to the implementation to decide what is best, and I guess it will evolve along the time. 4. Knowing that abuse reports are accepted and read is nice, but not terribly useful. What matters is what's done with them, and that ranges from "investigated promptly and acted on decisively if they're shown to be accurate" to "ignored and discarded" to "forwarded to the abusers". I've preferred not to go into the fine line if there must be properly investigated and properly acted on, but this is something that the community can decide as well. I don't think is coherent to have a business providing Internet services and not have an AUP, or even worst, having an AUP not acting against that. This is a business that doesn't impact only in your own customers if you allow criminals in your network, it impacts the rest of the world, very different level of responsibility than any other business. And we (for a vague value of "we") already know this: we know because we've submitted abuse reports and observed outcomes for years. We know which operations never respond in any way and we know which ones hand data over to abusers (or *are* the abusers). We know this by practice and experience -- it's not something that can be automated. It takes time and effort and expertise to figure out. As indicated already several times, ideally, we have a standard, and then open source or commercial tools that take care of that as much as possible. However, meanwhile we need to act. 5. This approach fails the "what if everybody did it?" test quite badly. Sorry, not sure to understand your point here. 6. Of course, the moment something like this is deployed -- if not before -- bad actors will realize that copycatting it may well be an effective tactic to directly attack abuse desk operations and/or gather intelligence on them and/or compromise them. Again, if you read the policy there is an example of things that can be done to avoid that, such as periodically changing domains, subjects, etc. ---rsk ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
- Previous message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
- Next message (by thread): [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]