<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-IN" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Yes, this simply adds to paperwork and extra coding. It should be relatively trivial with an abuse report / IR oriented ticketing system to separate out genuine DDoS from random
desktop firewall complaints about port scans from spam reports from all the outright spam that directly reaches such accounts.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net><br>
<b>Date: </b>Saturday, 11 June 2022 at 12:28 PM<br>
<b>To: </b>Ángel González Berdasco <angel.gonzalez@incibe.es><br>
<b>Cc: </b>gert@space.net <gert@space.net>, anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net><br>
<b>Subject: </b>Re: [anti-abuse-wg] Adding a "Security Information" contact?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
Hi,<br>
(CSIRT hat on)<br>
<br>
I don't really agree with the vision where the taxonomy needs to be <br>
overloaded into object fields.<br>
<br>
I always perceived the abuse-c field already as the security-c.<br>
People interested in processing security/abuse issues will take messages <br>
received on the abuse-mailbox: seriously.<br>
<br>
Moreover, there are also irt objects.<br>
<br>
Regards,<br>
Carlos<br>
<br>
<br>
<br>
On Tue, 7 Jun 2022, Ángel González Berdasco via anti-abuse-wg wrote:<br>
<br>
> On Tue, 07-06-2022 at 13:14 +0200, Gert Doering wrote:<br>
>> Hi,<br>
>><br>
>> On Tue, Jun 07, 2022 at 11:02:19AM +0000, Ángel González Berdasco via<br>
>> anti-abuse-wg wrote:<br>
>>> I don't think the problem would be to add a new attribute if<br>
>> needed.<br>
>>> The problem would be to *define* what should go there (and then get<br>
>>> everyone downstream to use that new attribute)<br>
>><br>
>> This... so, what would you suggest?<br>
>><br>
>> Gert Doering<br>
>> -- NetMaster<br>
>> --<br>
><br>
> I would use the Reference Security Incident Taxonomy (RSIT) as<br>
> the classification source, which is the taxonomy used by (most of) the<br>
> CSIRT community. See [1]<br>
><br>
> So the PTY-MAXGROBECKER network could have:<br>
><br>
> abuse-c: GROBECKER-ABUSE<br>
><br>
> and the GROBECKER-ABUSE object:<br>
> abuse-mailbox: general@abuse.grobecker.info<br>
> abuse-mailbox-vulnerable: vulnerability-reports@abuse.grobecker.info<br>
> abuse-mailbox-fraud: fraudabuses@abuse.grobecker.info<br>
><br>
> where 'vulnerable', 'fraud', etc. are the machine readable tags defined<br>
> in the RSIT for the values in the classification column.<br>
><br>
> Thus, when CERT BUND wanted to report an unpatched Confluence, they<br>
> would have an incident of type: "Vulnerable ? Vulnerable System", find<br>
> that there is an 'abuse-mailbox-vulnerable' attribute and report it<br>
> there.<br>
><br>
> Whereas if it was a phishing landing page (incident of type Fraud ?<br>
> Phishing), that would go to fraudabuses@abuse.grobecker.info (from<br>
> 'abuse-mailbox-fraud')<br>
><br>
> But if it was a host sending out spam, (incident classification Abusive<br>
> Content ? Spam), having no "abuse-mailbox-abusive-content", it would<br>
> fall back to abuse-mailbox and direct it to<br>
> general@abuse.grobecker.info.<br>
><br>
><br>
><br>
> Does something like this seem sensible to others?<br>
><br>
><br>
> Best regards<br>
><br>
><br>
><br>
> 1-<br>
> <a href="https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md">
https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md</a><br>
><br>
> -- <br>
> INCIBE-CERT - Spanish National CSIRT<br>
> <a href="https://www.incibe-cert.es/">https://www.incibe-cert.es/</a><br>
><br>
> PGP keys: <a href="https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys">
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys</a><br>
><br>
> ====================================================================<br>
><br>
> INCIBE-CERT is the Spanish National CSIRT designated for citizens,<br>
> private law entities, other entities not included in the subjective<br>
> scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen<br>
> Jurídico del Sector Público", as well as digital service providers,<br>
> operators of essential services and critical operators under the terms<br>
> of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de<br>
> las redes y sistemas de información" that transposes the Directive (EU)<br>
> 2016/1148 of the European Parliament and of the Council of 6 July 2016<br>
> concerning measures for a high common level of security of network and<br>
> information systems across the Union.<br>
><br>
> ====================================================================<br>
><br>
> In compliance with the General Data Protection Regulation of the EU<br>
> (Regulation EU 2016/679, of 27 April 2016) we inform you that your<br>
> personal and corporate data (as well as those included in attached<br>
> documents); and e-mail address, may be included in our records<br>
> for the purpose derived from legal, contractual or pre-contractual<br>
> obligations or in order to respond to your queries. You may exercise<br>
> your rights of access, correction, cancellation, portability,<br>
> limitation of processing and opposition under the terms established by<br>
> current legislation and free of charge by sending an e-mail to<br>
> dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de<br>
> Ciberseguridad de España, M.P., S.A. More information is available<br>
> on our website: <a href="https://www.incibe.es/proteccion-datos-personales">https://www.incibe.es/proteccion-datos-personales</a><br>
> and <a href="https://www.incibe.es/registro-actividad">https://www.incibe.es/registro-actividad</a>.<br>
><br>
> ====================================================================<br>
><br>
><o:p></o:p></span></p>
</div>
</div>
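<p class="MsoNormal"><span style="font-size:11.0pt">An added example, not part of the thread and not RIPE Database code: the lookup that the quoted proposal describes, in which a reporter maps the RSIT classification to an 'abuse-mailbox-TAG' attribute and falls back to 'abuse-mailbox' when no specific attribute exists. The per-classification attributes are the proposal's and are not attributes the RIPE Database defines; the role line in the sample, the function names and the address check are assumptions of this example.</span></p>

```python
import re

# Constructed sample: the GROBECKER-ABUSE object from the proposal quoted above.
# The abuse-mailbox-TAG attributes are the thread's proposal, not attributes
# the RIPE Database defines. The role line is invented for the example.
SAMPLE_OBJECT = """\
role:           Grobecker Abuse Desk   # constructed line
nic-hdl:        GROBECKER-ABUSE
abuse-mailbox:  general@abuse.grobecker.info
abuse-mailbox-vulnerable: vulnerability-reports@abuse.grobecker.info
Abuse-Mailbox-Fraud:      fraudabuses@abuse.grobecker.info
"""

PREFIX = "abuse-mailbox"
ADDRESS = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_mailboxes(rpsl_text):
    """Return {tag: address}; the generic abuse-mailbox is stored under ''."""
    boxes = {}
    for line in rpsl_text.splitlines():
        line = line.split("#", 1)[0]            # drop end-of-line comments
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key.startswith(PREFIX):
            continue
        rest = key[len(PREFIX):]
        if rest and not rest.startswith("-"):   # e.g. 'abuse-mailboxes'
            continue
        tag = rest[1:]
        # Skip malformed addresses so a typo cannot misroute a report,
        # and keep the first value seen for each tag.
        if ADDRESS.fullmatch(value) and tag not in boxes:
            boxes[tag] = value
    return boxes


def route(boxes, classification):
    """Return (address, attribute used): specific mailbox first, then fallback."""
    # 'Abusive Content' and 'abusive-content' both become the machine tag.
    tag = re.sub(r"[\s_]+", "-", classification.strip().lower())
    if tag and tag in boxes:
        return boxes[tag], PREFIX + "-" + tag
    if "" in boxes:
        return boxes[""], PREFIX
    return None, None                           # no abuse contact published


if __name__ == "__main__":
    found = parse_mailboxes(SAMPLE_OBJECT)
    for name in ("Vulnerable", "Fraud", "Abusive Content"):
        print(name, "->", route(found, name))
```

<p class="MsoNormal"><span style="font-size:11.0pt">Returning the attribute name alongside the address lets the reporting side log whether a report went to a classification-specific mailbox or fell back to the general one.</span></p>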
</body>
</html>