Thomas, Just to be very clear, the current proposal is only in relation to verification. If the community wish for other processes to be put in place in regards to lack of action on abuse or similar, then that would require a wholly different proposal. Thanks, Brian Co-Chair, RIPE AA-W Thomas Hungenberg wrote on 23/01/2018 11:51:
On 22.01.2018 14:19, Gert Doering wrote:
I do see the need for a working abuse contact, and I do see the need of sanctions in case a policy is violated, but "deregister all resources, because your mail server was broken when we tested" is too extreme (exaggeration for emphasis).
I fully agree a resource should not be withdrawn just because the abuse-mailbox is (temporarily) invalid or the holder once misses to complete the verification process in time - if he otherwise takes care of malicious activity emerging from his resources.
However, I think RIPE-563 (and related policies) should state that resource holders have to provide a valid abuse-mailbox which is monitored on a regular basis and have to take care of complaints regarding malicious activity reported to this mailbox. An autoresponder asking people to fill out a webform should not be accepted as a valid solution as this does not work for CERTs and other security teams reporting hundreds of abuse cases per day to the responsible resource owners (in an automated fashion).
Also, irrespective of how the abuse-c verification process will be implemented, IMHO there is a need for a defined process on how resources can be withdrawn (as a last resort) if the holder is constantly ignoring abuse complaints or even wittingly accepts malicious activity emerging from his resources (e.g. bullet proof hosting).
- Thomas
CERT-Bund Incident Response & Malware Analysis Team