El 29/4/20 4:25, "anti-abuse-wg en nombre de No No" <anti-abuse-wg-bounces@ripe.net en nombre de no0484985@gmail.com> escribió:
In relation to the policy, where it says: "must not force the sender to use a form."
as someone that reports phishing websites, I find the use of forms helpful, as it ensures the company receives the report, particularly where they implement a CAPTCHA.
[Jordi] I disagree here and many people has also indicated the same in previous versions discussions. The problem of a form is that is not standard. If you’re reporting abuses to 100 ISPs, and each one has its own form, you really need to do it manually, you can’t automate it. Even if you do the job for automating it, they may change it and your automation may fail. This is economically non-sustainable and means that the cost of the abuse cases is on the back of the one actually reporting.
To require the resource to only accept abuse reports via email, means all the criminals have to do is flood the mailbox, making it physically impossible to receive the abuse reports.
[Jordi] That's why I’m suggesting the use of standards as one of the options. I’m happy to find a better way or wording to improve it. Do we agree that something that can be fully automatted is much better, even to filter that kind of flooding?
If the policy could be amended to include a suggestion that the abuse mailbox contain a verification procedure (such as "your email has been received. Please "click here" to confirm you sent it") it would improve efficiency all around.
[Jordi] A previous version had many many many details and it was considered to intrusive, that's why I’m going away from there.
In relation to Nick Hilliard's email, where they say:
" it is beyond inappropriate for this working group to expect the RIPE NCC to withdraw numbering resources if member organisations don't comply with an arbitrary policy which forces the use of SMTP email like this."
This is, in a nutshell, what is wrong with this RIR, and others, such as ARIN. Often I will look up abuse contacts on ARIN, to find that the abuse mailbox bounces, and a message such as "ARIN has attempted to verify this email address since 10-11-2010" - almost 10 YEARS!
So, what are you seriously suggesting? Because these people that become offended at the suggestion that it's unreasonable for someone to ensure an email address is valid once per year (very onerous i'm sure), never really say what they really mean, which is really what is inappropriate: that criminals should be able to use a resource indefinitely to pump out spam, host phishing websites, co-ordinate botnets etc... and that the person that receives this crap is not even entitled to let the resource owner know?
----
On Wed, Apr 29, 2020 at 12:01 AM Petrit Hasani <phasani@ripe.net> wrote:
Dear colleagues,
A new version of RIPE policy proposal, 2019-04, "Validation of
"abuse-mailbox"", is now available for discussion.
This proposal aims to have the RIPE NCC validate "abuse-c:" information
more often and introduces a new validation process.
Most of the text has been rewritten following the last round of
discussion and the proposal is now at version 3.0. Some key points in
this version:
- The abuse-mailbox should not force the sender to use a form
- The validation process must ensure that the abuse mailbox is able to
receive messages
- The validation should happen at least every six months
You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-04
As per the RIPE Policy Development Process (PDP), the purpose of this
four-week Discussion Phase is to discuss the proposal and provide
feedback to the proposer.
At the end of the Discussion Phase, the proposer, with the agreement of
the Anti-Abuse Working Group Chairs, will decide how to proceed with the
proposal.
We encourage you to review this proposal and send your comments to
<anti-abuse-wg@ripe.net> before 27 May 2020.
Kind regards,
--
Petrit Hasani
Policy Officer
RIPE NCC