[anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda <leo at vegoda.org> wrote:
>
> On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race <jrace at post.harvard.edu> wrote:
>
> [...]
>
> > Aside from the reciprocity issue, it's a basic engineering rule
> > that systems target their goal only when a corrective
> > feedback path exists.
>
> That feedback path does not need to be a personally written e-mail.
> Instead, it is possible to use signals like the absence of a reliable
> reporting mechanism to make decisions about not accepting some or all
> traffic from an abusing network.
>
> My main concern with proposal 2019-04 is that it would make everyone
> look the same. It then takes time and effort to distinguish the
> networks that will actually use abuse reports to fix problems from
> those that won't or just don't have the ability to do so.
>
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.
>
> In the first case, it avoids wasting resources lodging reports that
> will be ignored. Secondly, it provides reliable statistical
> information about the networks whose operators claim to use abuse
> reports to clean things up. This would provide a metric that could be
> used both by other network operators to guide operational policies and
> governments or regulators to set theirs.

I suspect I'm somewhat confused / have lost the thread somewhere.

I really don't think that any network is likely to advertise that they
are not dealing with abuse -- it gives a bad impression, and the
marketing droids will likely want *something* listed. The same goes
for legal - saying "Meh, don't bother sending us abuse reports, we
ignore them" doesn't seem to have any PR / marketing / legal upside,
and has many downsides...

Pretend that you are a network that (largely) ignores abuse reports --
your current solution of throwing these mails away costs you nothing;
what's the upside to telling everyone that you are doing this?

I suspect that people will continue to have abuse@, hostmaster@,
abuse-c,and any other conventions filled in -- and many will just
continue to shuffle these into self-closing ticket systems / mailboxes
which never get read and / or /dev/null...

W


>
> Finally, we don't yet know what the RIPE Database Requirements TF will
> recommend. But I think that building a new business process on the
> existing model for publishing contact information assumes they won't
> recommend changes. Let's wait until they report before asking the RIPE
> NCC to build new workflows on a model that the community might want to
> change.
>
> Kind regards,
>
> Leo Vegoda
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf