[anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

Hi,


After reviewing version 2, i'm not very sure about:


1) "Require intervention by the recipient"

Some reports will not require intervention, they work only as a warning 
for a possible device infection. Some incident response teams may also 
decide not to process certain categories of reports/incidents.
One of our examples is the huge set of reports we receive related to the 
webcrawling activity that feeds into the portuguese web archive 
(arquivo.pt). Some networks/servers are more sensible to webcrawling and 
have automated report generation mechanisms. That's also something that 
must be considered. We can't expect a manual intervention by the recipient 
if the sender has an automated process...


2) "Must guarantee that abuse reports and related logs, examples, or email 
headers are received".

I think this one can be tweaked: The recipient domain's policy might be 
to discard messages bigger than <N> megabytes (we have that in my org's 
domain, but not on the CSIRT's domain). Hence, i would say to add ", upto 
a reasonable limit in size" to the sentence.


3) About "5.0 Escalation to the RIPE NCC"

It's also important to note that a domain is entirely free to block 
incoming messages from another given domain. So, if someone receives 500 
reports/day from the same mailbox, or from several mailboxes of the same 
domain, it's perfectly normal to blacklist the sending domain locally...


4) About the 1 year to 6 months change, i'm OK with it as long as it's 
feasible for the NCC's system -- but i guess the I.A. might clarify that.


Final comments: I think the proposal is useful, and it's important to note 
that if something de-rails (abuse-wise), then the most probable line of 
action seems to be an ARC, which is already part of the NCC's duties 
anyway.


Regards,
Carlos



On Tue, 1 Oct 2019, Marco Schmidt wrote:

> 
> Dear colleagues,
> 
> A new version of RIPE Policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now available for discussion.
> 
> This proposal aims to have the RIPE NCC validate "abuse-c:" information more often, and introduces a new validation process that
> requires input from resource holders.
> 
> The proposal has been updated following the last round of discussion and is now at version v2.0. Some of the differences from
> version v1.0 include:
> - Removes ambiguous examples from the policy text
> - Defines mandatory elements of the abuse handling procedures
> - Removes the prohibtion of automated processing of the abuse reports
> 
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-04
> 
> As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and
> provide feedback to the proposer.
> 
> At the end of the Discussion Phase, the proposer, with the agreement of the Anti-Abuse Working Group Chairs, decides how to proceed
> with the proposal.
> 
> We encourage you to review this proposal and send your comments to <anti-abuse-wg at ripe.net> before 30 October 2019.
> 
> Kind regards,
> 
> Marco Schmidt
> Policy Officer
> RIPE NCC
> 
> 
>