<div dir="ltr"><i>"
A statement by the registrant that they are not willing to employ an abuse team would be the best evidence."</i><div><i><br></i></div><div>... Followed by swift de-registration of all IP resources.</div><div><br></div><div>---</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 9, 2020 at 8:28 PM Alessandro Vesely <<a href="mailto:vesely@tana.it">vesely@tana.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri 08/May/2020 21:30:14 +0200 Ángel González Berdasco wrote:<br>
> On 08-05-2020 20:17 +0200, Alessandro Vesely wrote:<br>
>> On Fri 08/May/2020 13:28:10 +0200 JORDI PALET MARTINEZ wrote:<br>
>>> Hi Alessandro,<br>
>>> <br>
>>> As I've indicated already several times (and not just in this<br>
>>> discussion), all the RIRs have forms or other methods to escalate<br>
>>> any issues.<br>
>>> <br>
>>> The proposal is only changing "let's have stats".<br>
>> <br>
>> <br>
>> I read:<br>
>> <br>
>> The RIPE NCC will validate the “abuse-mailbox:” attribute at<br>
>> least annually. Where the attribute is deemed incorrect, it<br>
>> will follow up in compliance with relevant RIPE Policies and<br>
>> RIPE NCC procedures.<br>
>> <br>
>> <a href="https://www.ripe.net/participate/policies/proposals/2019-04" rel="noreferrer" target="_blank">https://www.ripe.net/participate/policies/proposals/2019-04</a><br>
>> <br>
>> The anonymized statistics is mentioned afterward. It seems to result<br>
>> from community escalation and reporting, rather than from the<br>
>> abuse-mailbox validation itself. By my proposal, instead, the output of<br>
>> the validation process is borne out when the abuse address is removed from<br>
>> the database —and the corresponding IP ranges duly transmitted.<br>
> <br>
> Currently there are already abuse contacts marked as having failed<br>
> validation.<br>
> Maybe it should be tagged in a different way.<br>
> I do not think removing them would be the solution, as that would be<br>
> ambiguous with not having been set at all. Plus, it is also possible<br>
> that it is actually working, and the failure was just a transient<br>
> error.<br>
<br>
<br>
Before removing or marking as invalid an abuse-mailbox, RIPE NCC has to make<br>
absolutely sure that that is a permanent condition. A statement by the<br>
registrant that they are not willing to employ an abuse team would be the best<br>
evidence.<br>
<br>
Then someone, possibly external, has to read the database and produce a list of<br>
the relevant IP addresses, so that MTAs having a suitable policy can<br>
immediately deploy it.<br>
<br>
As for removing vs. marking as invalid, the only consideration is that tools<br>
for retrieving abuse-addresses via rdap can hardly cope with the latter.<br>
However, they can probably check an exclusion list. So, it would work both ways.<br>
<br>
<br>
> An individual could contribute to the contact being marked as failed<br>
> (as it's already the case) by notifying RIPE.<br>
<br>
<br>
Is it? How? There is a contact form <a href="https://www.ripe.net/contact-form" rel="noreferrer" target="_blank">https://www.ripe.net/contact-form</a> where<br>
the topic can be selected to be "RIPE Database". However, I happened to report<br>
a bounce from an abuse address and see a reply from RIPE NCC Support asking<br>
"Could you please let us know which action is requested from our side?"<br>
<br>
The first steps of the validation process could be easily automated. The<br>
failure reporting web form could even show the first and last known dates when<br>
the reported address was tested.<br>
<br>
<br>
> The rir owner could also trigger a new check to show that it is working<br>
> again.<br>
<br>
Right. That should result in immediate rehabilitation.<br>
<br>
<br>
> And whatever you do with such information, is still up for local<br>
> policy. If am abuse contact is known to have been working last Monday,<br>
> but fails since yesterday, there's a good chance that it has been fixed<br>
> or it will be shortly. If it has never been verified to work and it has<br>
> been failing for seven years, well, there's probably no point in<br>
> notifying them through that address.<br>
<br>
<br>
Transient failures can happen, especially with heavily loaded mailboxes.<br>
However, the state of an abuse-mailbox should be a clear yes/no, not flipping<br>
too often.<br>
<br>
<br>
> However, all of that would still be a local policy decision, which I<br>
> suspect would be better received. You would set your own arbitrary<br>
> thresholds there, rather than the discussion on after which X time<br>
> should RIPE pull that entry from the db. Plus, not all purposes would<br>
> treat them similarly.<br>
> In case you are reporting an abuse from two hours ago, you may only<br>
> care that it is working *right now*. However, if you were checking<br>
> whether their abuse contact status, as one of multiple points<br>
> evaluating a peering request, trying to guess how problematic your<br>
> prospective neighbour may be, you might prefer seeing that their abuse<br>
> mail has been reachable for the last 6 months.<br>
<br>
<br>
I'd leave to RIPE NCC to determine how to reliably set an abuse contact status.<br>
If I, as an MTA admin, had to extract data from the RIPE database, trying to<br>
understand the reliability of abuse-c data, such as the first and last known<br>
dates it worked, I'd probably give up. OTOH, if I only had to rsync an IP list<br>
having a very low false positive rate, I'd probably go for it.<br>
<br>
If RIPE NCC remove or mark as invalid just the abuse-c's of acknowledged<br>
non-responding or non-existing abuse teams, then the FP rate ought to be very low.<br>
<br>
There will always be the case of the MTA which badly contracted with an<br>
unconcerned ISP. Their FP rate will account for the 0.x%, and they will keep<br>
complaining until they change provider. That's already the way email works for<br>
those large mailbox providers who can afford a reliable IP reputation system.<br>
<br>
<br>
Best<br>
Ale<br>
-- <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote></div>