[anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)

Am 20.02.21 um 01:39 schrieb Volker Greimann:
> It sounds GDPR legal. After all, they are telling you exactly what will happen with anything that you send there, so
> by sending it there in full knowledge, you are essentially consenting to that processing of your data.

That may or may not be true, I'm not a legal expert. It sounds essentially like a protective clause that indemnifies
them in case they've given your data to a criminal who then begins to harrass you.

Note that the reasonability of such protective clauses may be dubious, and their legality tends to be undefined until
they are tested in courts. Protective clauses often don't fully consider the rights of one side, for example I would be
fairly sure that giving my private data to a spamming customer who stays anonymous to me would be a blatant violation of
*my* rights.

> Also, German courts have ruled that in-between service providers are only liable for taking action after the
> complainant has raised the issue with the party that is directly violating the rights of the complainant, or their
> hosting provider and those efforts have proven futile or can be objectively deemed to be futile from the outset.
> And finally, who says their customers are the abusers? In many cases, their customers may be the victims as well,
> without their knowledge, for example due to compromised CMS and would indeed be the best person to address the issue
> you may want to see resolved.

I have been working as a part-time postmaster for quite a bit over 30 years, and I'm am pretty capable of distinguishing
between compromised resources (web sites or mail accounts) and spammer-owned resources in most cases, thank you very
much :-)

As an abuse reporter, I need to decide which parties I can or cannot trust in which respects.

If a hosting company hosts customers for prolonged times that are to the best of my knowledge blatant abusers, I simply
cannot trust that company to handle my abuse reports properly. Whether they claim to keep my personal data safe or give
it to their customer doesn't really matter, I must assume that they are acting in the interests of their abusive
customers and therefore not in my interest. The only sensible action is to block their network completely to protect my
users. I'm not trying to talk to such a provider anymore.

In the case of Manitu, I'd probably give them the benefit of the doubt as they are actively sponsoring a useful DNSBL
and a spamfighting forum, and I'm not aware of any spammers hosted by them.

When I see that abuse is most likely caused by compromised resources, I tend to send abuse reports through spamcop which
should be delivered with enough technical info to analyze the problem but still somewhat shield my identity. Of course,
dynamic IPs are a special case, they are blocked without discussion, and providers who don't respond to and act on abuse
reports will be blocked, too.

I just don't have enough time to play games with providers. We are doing them a favor by notifying them of problems in
their network, we don't request a service. If they don't want to be notified, so be it.

Cheers,
Hans-Martin