Anti-Abuse Working Group
Thursday, 14 May 10:00 - 10:45
Chairs: Alireza Vaziri, Brian Nisbet
Scribe: Alun Davies

A. Administrative Matters

B. Update

C. Policies

C.1. Policy Proposal 2019-04 - Validation of "abuse-mailbox"
Jordi Palet Martinez, The IPv6 Company

Michele Neylon (Blacknight) commented that larger providers use forms, so you cannot oblige them to change their processes because it's "easier" for you.

Carlos Friacas (CSIRT) responded to this, pointing out that forms are not automation-friendly. Even if there is no "forcing" someone to change their processes, having it somehow marked on whois/rdap would help automated systems (which are operationally in need of updated contacts) to decide not to send a message that will certainly bounce.

Jordi responded that he thinks it is clear that people believe forms are automation, but they are not. If this were the case, 25000 LIRs would have a form, which would be impossible to automate. This can't be changed.

Peter Hessler (KLEO Connect GmbH) asked, if there is no obligation to react to abuse reports, then what is the point of this proposal? Is the goal primarily to collect statistics?

Jordi agreed that they want to keep the existing policy in place. He disagreed with the suggestion that there will be no obligation to react to abuse reports. He added that this is an ongoing discussion, but if this reporting is not available, then regulators may ask for an alternative, which is something to consider.

Brian added that, in talking about what would happen if regulators appear, there is a need to find the right line between the risk of that and the impact of it on the relevant policies.

Carlos Friacas (CSIRT) asked whether it would be possible for someone to provide a gateway from e-mail messages to the most popular forms of the larger providers. Some kind of middleware.

Jordi thought this would be useful, but it would not be updated quickly enough every time an ISP creates a new form or updates it.
Maybe it's better to consider asking for a standard. No more emails or anything like that. He added that there is not that much of a higher cost to this than processing emails, so it could work.

Carlos Friacas directed a question to Peter Hessler, asking whether he sends abuse complaints when receiving spam, or has it automated, or approaches it on a case-by-case basis.

Peter responded that he manually sends out abuse reports to a variety of sources. Some handle it, but many of the large ones (Yahoo, especially) do not.

Brian added that there's no expectation that this proposal will suddenly make things magically better, forcing everyone to deal with spam correctly.

Tobias Knecht (Abusix, Inc., speaking for himself) said that the burden of reporting abuse cannot be put on the reporter/victim of the abuse.

Jordi said this is something stated in the proposal. The cost cannot be on the victims. Even if we escalate this to the whole internet community, no one will support that.

Niall O'Reilly (Tolerant Networks Ltd, speaking for himself) asked if "standard form" or "API" would be a target for a BCP?

Jordi, having said he discussed this in the list last summer, said he did not think so. Although it is possible they missed something, he believes that what is there right now is sufficient. He said that if someone can tell them what is missing, they can start the work in the IETF.

Michele Neylon (Blacknight) said that, while I understand your frustration with forms, you cannot force "one size fits all". You also forget that for some of us our "abuse" ingress is dealing with a wide variety of types of abuse. It's not just network abuse. For smaller providers implementing F-AXR, it is not going to work.

Brian said this goes back to the definition of abuse, and that the conversation had gotten a lot broader than just network abuse at this point in time.

Jordi said he thinks it will work because smaller providers use more and more Open Source tools and it's very common to use Fail2ban. He uses it himself, and it takes a couple of hours to implement that. So, he disagreed, but pointed out that there are lots of different opinions on the matter.

A.J. Wolski (Netrunner Labs) asked for Jordi and Brian's opinion on whether the NCC would be the place to report abuse.

Speaking as co-chair and member of NCC, Brian said, if he saw a proposal that the NCC would have to do that, he would object to it, because of the financial burden on the NCC.

Jordi agreed, saying he doesn't think this is the right way.

Brian clarified that he was talking about what it'd be like for someone to propose that.

Kurt Kayser (German Federal Ministry of the Interior) added NO to RIPE NCC handling Abuse.

Ivan Beveridge (IG) said the RIPE NCC is not an ISP providing the network/mail for customers.

Peter Koch (DENIC eG) said he could grow some sympathy for a signalling mechanism for some standard reporting format vs "natural text", but that is a technical change to the attribute (or even a new one), definitely not a matter of policy.

Jordi said he doesn't think so. This should be responded to by the NCC. If they believe they can make it mandatory, then that's something to consider, but it's unlikely they'd do that.

Leo Vegoda (And Polus LLC) said he is still struggling with the overall goal of this proposal. On the one hand it states that it focuses on just keeping the place to report abuse current but on the other hand it does not require any action from the report. Leo thinks this is a fundamental contradiction that needs to be resolved before the proposal can achieve anything useful.

Jordi agreed. He said that Leo is probably missing previous versions. That version had to change after response from the community. So he's meeting them in the middle. He agrees we should mandate abuse records to be handled. But he cannot enforce that and that's it.

Marco Schmidt (RIPE NCC) said that being in the middle between abuse reporter and the network operator for all abuse reports would result in a very big extra workload for the NCC.

Kaveh Ranjbar (RIPE NCC) added the impact analysis would be done by the RIPE NCC. This could not be approved by membership within a budget year.

Jordi went on to add that the slides say not to use forms because that's one of the problems he sees. It's using email because that's the alternative to forms. If we want to use some more automated forms, maybe there's something we're missing there.

Evgeny Kuskevich (Russian Institute for Public Networks) said forms help to protect us from inappropriate script-generated complaints that keep on spamming even after proper reaction.

Jordi said yes, but EXIRF allows not just automation of sending, but of processing abuse reports. Spam would be automatically discarded as well.

Brian thanked Jordi.

D. Interactions

X. A.O.B.

Z. Agenda for RIPE 81