Hi Angel, Thanks a lot for the inputs, see below in-line. Regards, Jordi El 16/5/19 16:36, "anti-abuse-wg en nombre de Ángel González Berdasco" <anti-abuse-wg-bounces@ripe.net en nombre de angel.gonzalez@incibe.es> escribió: Marco Schmidt writes: > Dear colleagues, > > A new RIPE Policy proposal, 2019-04, "Validation of "abuse-mailbox"", > is now available for discussion. > > This proposal aims to have the RIPE NCC validate "abuse-c:" > information more often, and introduces a new validation process that > requires manual input from resource holders. > > You can find the full proposal at: > https://www.ripe.net/participate/policies/proposals/2019-04 > (...) Looks good. A couple of notes. In addition to the first notice, it may be worth to add 'reminders' instead of escalating directly to the LIR, such as sending a reminder after one week (day 7), and another on the 14th day, prior to escalation. My original proposal had many additional details and complexity, including warnings, blocking the account, etc., but conversations with the staff bring down some my original ideas as they are considered "operational details", in the expectation to discuss them in the list and re-add them if the community may think they must be explicitly part of the policy proposal. *This should not be necessary,* as the resource owner should have put the means so that emails received on the abuse-c are not lost, and someone actually reviews them, without having to insist on them. But I foresee that would improve the response process. Clearly, I fully agree. Also, the resource holder should be able to manually request a new mailbox validation if the provided code is expired (eg. the main person in charge was on holiday and their backup did not handle it). I think this is not needed, because the NCC, after the validation fails, will be in touch with the resource holder, again may be an operational issue, but again, if the community think that it should be explicit in the proposal, I'm also happy about that. RIPE should log the time taken by the different holders to validate their abuse-c, so that those statistics can be used in the future to better understand the effectivity of this process. Very good point. Again, I think it is an operational aspect. I will suggest the impact analysis to consider if they already do this by default, or we need to explicitly say this. Many of those aspects can be part of the policy proposal as "other information", not necessarily as policy text. Finally, I have been thinking how to improve the phrase «Commonly, if a ticket number has been generated, it should be kept (typically as part of the subject) through successive communications.» I came out with replacing it with this new paragraph: «It is quite common to have ticket numbers/identifiers associated to abuse reports in order to be able to differentiate them, which are typically included as part of the subject. Replies (either manual or automated) by the resource holder should maintain any identifiers used by the reporter, optionally adding their own one. And any reply by the abuse reporter should keep as well the identifier holding the ticket number on the resource holder system.» Fine for me. Let's see what others believe. Best regards -- INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute https://www.incibe-cert.es/ PGP Keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ======================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ======================================================================== ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.