" it does not prove at all that abuse reported to this address will be handled or acted upon in any way."

We aren't here to enforce appropriate abuse handling (unfortunately),

we are discussing how to make sure an abuse mailbox is valid. The only way to do that is to send a link to the abuse mailbox, requiring the person to access their RIPE account and to enter a CAPTCHA.

Proving that an email account exists as somehow being relevant is wrong, because if i own a RIPE resource and I set my abuse mailbox to zsako AT iszt.hu, under the current proposal it will be validated as "true." There is no opportunity for you to even say "no, that's not the abuse mailbox, it's mine" because RIPE only accept bounce emails to their complaints form.


More importantly, there is nothing about the current proposal that even requires a policy. RIPE could set up today this mail server check today with out the consensus of RIPE.
 
"On the other hand, most probably there will also be people who - for some reason -
will not want to handle abuse e-mails."

That is a separate discussion to this one. Not wanting to handle abuse emails is different to not even having to receive them.



-------- Original Message --------
Subject: Re: [anti-abuse-wg] Decision on Proposal 2017-02
From: Janos Zsako <zsako@iszt.hu>
Date: Tue, March 20, 2018 11:23 pm
To: Name <phishing@storey.xxx>, anti-abuse-wg@ripe.net

Dear Anonymous Name,

> /"And an annual checking would ensure that the contacts remain more up-to-date."/
>
> Yes, an annual checking would do that. This isn't an annual checking. It involves checking if a mail server exists.

I am afraid I was not clear last time. I wrote:
"One can determine with a high degree of confidence whether mail sent to a
given address is accepted for delivery by the mail server specified as MX
in the DNS for the given e-mail address. To me it is a good start and
much more than not checking anything."

The acceptance of the mail is slightly more than the existence of the
mail server. In particular, in one of your previous e-mails you state:
'If a resource owner sets their abuse mailbox to "Ronald.McDonald@hotmail.com",
they will be deemed to have a valid abuse contact, because hotmail.com has a
valid email server associated.'
In the light of my clarification above, this is not the case, as the mail
server (which by the way does exist), does not accept mail for this recipient:
5.5.0 Requested action not taken: mailbox unavailable. [BL2NAM02FT023.eop-nam02.prod.protection.outlook.com]
Ronald.McDonald@hotmail.com ... User unknown

> Mail server exists ≠ update-to-date contact
> Mail server exists ≠ valid abuse mailbox

At the same time, I agree that the above holds even if you replace
"Mail server exists" with "Mail server accepts mail for given recipient".

Unfortunately, as it has already been pointed out, the fact that a human does
reply to a mail sent by the NCC during the annual check (assuming for a moment
they do send such mail), it does not prove at all that abuse reported to
this address will be handled or acted upon in any way.

Unfortunately I agree with Gert Doering who said:
"I maintain the position that those that do care can be reached today, and
those that do not care will find ways to fulfill the letter of the policy,
and not change their ways."

At the same time, I do see some benefit in checking regularly the provided
e-mail address, because I am convinced that there will always be cases where
people simply forget to update the database. If they are reminded, they will
be happy to correct it.

On the other hand, most probably there will also be people who - for some reason -
will not want to handle abuse e-mails. They will certainly find a way to ignore
such mail whatever policies we put in place.

Best regards,
Janos