IF email is from = "validation@RIPE.NET" THEN deliver email,
ELSE, delete/auto-respond/jump through hoops.



-------- Original Message --------
Subject: Re: [anti-abuse-wg] [policy-announce] 2017-02 Review Phase
(Regular abuse-c Validation)
From: ox <andre@ox.co.za>
Date: Wed, January 24, 2018 4:43 pm
To: Brian Nisbet <brian.nisbet@heanet.ie>
Cc: anti-abuse-wg@ripe.net

On Tue, 23 Jan 2018 14:45:13 +0000
Brian Nisbet <brian.nisbet@heanet.ie> wrote:

> Just to be very clear, the current proposal is only in relation to
> verification.
>
> If the community wish for other processes to be put in place in
> regards to lack of action on abuse or similar, then that would
> require a wholly different proposal.
>
As Marco Schmidt explained regarding exactly this, "verification":

> An SMTP RCPT command, as Nick mentioned, will likely be one of several
> checks that we perform. These checks will identify that the syntax and
> format of the email address is okay, the domain accepts email, and
> that the mailbox itself exists. We aim for the results to be as
> accurate as possible.

This is simply not good enough for abuse-c as the core of having a
real abuse-c is that it is monitored/real/functional and not just
an email address created with an autoresponder.

This goes to the core of the real-world problem.

Many resource holders create a valid email address and then link an
autoresponder to that saying:

thank you for your very valuable abuse notification! Please visit our
website link to submit a report

then on the "website/link"
create an account for this singular complaint
verify that account (jump through many hoops)
then verify the actual complaint
then confirm your details and information
etc etc

So many, many hoops - all designed to waste time and to reduce actually
receiving any abuse notifications.

Sure, RIPE cannot tell resource users how to handle abuse reports or
complaints

BUT

RIPE can ensure at least that having a resource record means something?
Otherwise it is pointless even having an abuse-c - as it means nothing.

So, why have an abuse-c at all?

The point is: verification, if done in this manner:

send an alphanumeric key to be entered on website after solving a captcha

proves that the abuse-c is real/monitored/etc. - and not a useless
bot/autoresponder or nonsensical resource record.

Andre