[DBWG] Abuse contacts in the WHOIS

Amreesh Phokeer amreesh at afrinic.net
Sun Nov 20 10:51:28 UTC 2016


Hi Michel,

> On Nov 19, 2016, at 12:30 PM, Michel Odou <Michel.Odou at afrinic.net> wrote:
> 
> Hi Amreesh,
> 
> This is an interesting highlight, thanks.
> 
> Making the mnt-irt mandatory would indeed be the ideal situation but how to handle the existing inet(6)num/aut-num objects? No update will be allowed until they comply with the template and creating the irt object is not trivial (many mandatory attributes are required), which means we cannot generate it automatically. I am curious to know how APNIC handled this issue.

Indeed it’s tricky, but I’m sure there are multiple ways we can go about it. For example, we can create dummy IRT objects for each organisation and attach them to their corresponding inet(6)num/aut-num objects and then run a campaign to allow members to update those IRT objects. Some abuse information can also be extracted from objects containing abuse information.

> 
> Of course, we can also wait until all the resource objects have a valid mnt-irt, then make it mandatory.

We run the risk of waiting for a long time =)

> 
> Regards,
> Michel
> 
> On 19/11/2016 8:00 PM, Amreesh Phokeer wrote:
>> Hi Michel,
>> 
>> As you know, AFRINIC has an abuse contact policy [1], which is
>> unfortunately not serving its purpose.
>> The blog post/article [2] on spam tried to highlight this loophole: the
>> policy is implemented but is **optional**.
>> Table 3 shows that only 16 objects (mostly AFRINIC-owned objects) have
>> an "mnt-irt" attribute.
>> 
>> Maybe the community should make it mandatory, as APNIC did:
>> 
>> ITE-APL:~ Amreesh$ whois -hwhois.apnic.net -t inetnum
>> % [whois.apnic.net]
>> % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
>> 
>> inetnum:        [mandatory]  [single]     [primary/lookup key]
>> netname:        [mandatory]  [single]     [lookup key]
>> descr:          [mandatory]  [multiple]   [ ]
>> country:        [mandatory]  [multiple]   [ ]
>> geoloc:         [optional]   [single]     [ ]
>> language:       [optional]   [multiple]   [ ]
>> org:            [optional]   [single]     [inverse key]
>> admin-c:        [mandatory]  [multiple]   [inverse key]
>> tech-c:         [mandatory]  [multiple]   [inverse key]
>> status:         [mandatory]  [single]     [ ]
>> remarks:        [optional]   [multiple]   [ ]
>> notify:         [optional]   [multiple]   [inverse key]
>> mnt-by:         [mandatory]  [multiple]   [inverse key]
>> mnt-lower:      [optional]   [multiple]   [inverse key]
>> mnt-routes:     [optional]   [multiple]   [inverse key]
>> mnt-irt:        [mandatory]  [multiple]   [inverse key]   <<<<<<<<<<<<<<<<<<<<
>> changed:        [mandatory]  [multiple]   [ ]
>> source:         [mandatory]  [single]     [ ]
>> 
>> 
>> [1] http://afrinic.net/en/library/policies/current/698-abuse-contact-information-in-the-afrinic-service-region
>> [2] https://www.researchgate.net/profile/Amreesh_Phokeer/publication/303642445_A_Survey_of_Anti-Spam_Mechanisms_and_Their_Usage_from_a_Regional_Internet_Registry's_Perspective/links/574b18ed08ae5bf2e63f33a6.pdf
>> 
>> Regards,
>> Amreesh
>> 
>>> On Oct 13, 2016, at 6:25 AM, Michel ODOU <michel.odou at afrinic.net> wrote:
>>> 
>>> Hi Mark,
>>> 
>>> The email address abuse at posix.co.za is indeed stored in my.afrinic.net.
>>> On ORG-PS1-AFRINIC, it is listed as simple e-mail, not abuse-mailbox.
>>> The sanitization process on the WHOIS should include a step where data
>>> available on my.afrinic.net is retrieved and added to the WHOIS record.
>>> 
>>> Regards,
>>> Michel
>>> 
>>> On 12/10/2016 16:48, Mark Elkins wrote:
>>>> When I run "whois -h whois.afrinic.net ORG-PS1-AFRINIC" I see no abuse
>>>> contact.
>>>> When I log in to my.afrinic.net, under my organisational information, I
>>>> see....
>>>> 
>>>> E-mails:	
>>>>  mje at posix.co.za (Administrative)
>>>>  abuse at posix.co.za (Abuse)
>>>> 
>>>> i.e. I have an "abuse" email address. I would have thought that would be
>>>> the correct source of an abuse email address to be used whenever a
>>>> record that is associated with me needs an abuse address and there is
>>>> not one actually directly associated with that record. It's then easy to
>>>> manage this nice "default" source for the abuse email address.
>>>> 
>>>> On Wed, 2016-10-12 at 16:19 +0400, Michel ODOU wrote:
>>>>> Dear WG members,
>>>>> 
>>>>> As you may have noticed, most of the time, the WHOIS does not display
>>>>> the abuse contact when you do a query for an inetnum or inet6num or
>>>>> autnum resource.
>>>>> 
>>>>> $> whois -h whois.afrinic.net 196/8
>>>>> % This is the AfriNIC Whois server.
>>>>> 
>>>>> % Note: this output has been filtered.
>>>>> %       To receive output for a database update, use the "-B" flag.
>>>>> 
>>>>> % Information related to '196.0.0.0 - 196.255.255.255'
>>>>> 
>>>>> % No abuse contact registered for 196.0.0.0 - 196.255.255.255
>>>>> 
>>>>> inetnum:        196.0.0.0 - 196.255.255.255
>>>>> netname:        ORG-AFNC1-AFRINIC-20050414
>>>>> ...
>>>>> 
>>>>> 
>>>>> How is this supposed to work? The WHOIS used to get the abuse mailbox
>>>>> attribute of the organisation referenced in the covering inetnums.
>>>>> However, looking at the WHOIS DB, we have 5 organisations that have a
>>>>> valid abuse-mailbox attribute (over 2081). There is worse:
>>>>> approximately 125 organisations have an abuse email address specified
>>>>> in a wrong attribute like notify or remarks. While it is interesting
>>>>> to have this information, it is almost impossible to parse correctly
>>>>> and to display it as a valid abuse email contact.
>>>>> 
>>>>> There is more: the abuse-mailbox attribute is in fact present in 5
>>>>> objects: irt, mntner, organisation, person and role.
>>>>> 
>>>>> It is not easy to determine which one to display as an abuse contact.
>>>>> To help solve this issue, since 2012, a policy encourages the use
>>>>> of the irt object to carry the abuse contact information, among
>>>>> others (http://www.afrinic.net/en/library/policies/current/698-afpub-2010-gen-006).
>>>>> However, the policy does not force the use of this
>>>>> object and so far, only a few objects use it (125/130014 inetnums,
>>>>> 5/14616 inet6nums and 13/1673 autnums).
>>>>> 
>>>>> Our colleague Amreesh wrote a very interesting paper describing the
>>>>> issue with many details. You will find it here:
>>>>> http://afrinic.net/blog/component/content/article?id=6:afrinic-publishes-an-article-on-spam-from-an-rir-perspective
>>>>> 
>>>>> ---
>>>>> 
>>>>> The ideal situation would be, of course, to be able to retrieve the
>>>>> abuse mailbox every time it is necessary, which would for example
>>>>> help us have a web service that would return the abuse contact for a
>>>>> given resource.
>>>>> 
>>>>> From our perspective, the solution would be:
>>>>> 1. Remove the abuse-mailbox attribute from the mntner, person and role
>>>>>    objects.
>>>>> 2. Make the abuse-mailbox mandatory in the organisation object. For the
>>>>>    organisations that are already in the DB and that do not have a valid
>>>>>    abuse-mailbox attribute, the e-mail attribute will be used.
>>>>> 3. [Sanitize the DB to add abuse-mailbox attributes on the organisations
>>>>>    that have an abuse contact email specified in a remark or notify
>>>>>    attribute (this has to be done manually and would be an optional
>>>>>    third phase)]
>>>>> 
>>>>> For the query, the process would be:
>>>>> - If the resource (inetnum, inet6num or autnum) has an mnt-irt, display
>>>>>   the abuse-mailbox of that object.
>>>>> - Else, display the abuse-mailbox of the referenced organisation.
>>>>> 
>>>>> Please let me know what you think about this.
>>>>> 
>>>>> Regards,
>>>>> Michel
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> DBWG mailing list
>>>>> DBWG at afrinic.net
>>>>> https://lists.afrinic.net/mailman/listinfo/dbwg
>>> 
>> 
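
The query process proposed in the 12 October message quoted above (mnt-irt first, then the referenced organisation, with e-mail as the fallback for existing organisations), as an added example that is not part of the thread or of AFRINIC's WHOIS code. The objects, handles and addresses are constructed; the parser is minimal (no continuation lines), and falling through to the organisation when an irt has no abuse-mailbox is an assumption.

```python
SAMPLE = """% constructed sample objects (documentation prefixes, example domains)
inetnum:        192.0.2.0 - 192.0.2.255
org:            ORG-EX1-EXAMPLE
mnt-irt:        IRT-EXAMPLE

inetnum:        198.51.100.0 - 198.51.100.255
org:            ORG-EX1-EXAMPLE

inetnum:        203.0.113.0 - 203.0.113.255
org:            ORG-EX2-EXAMPLE

irt:            IRT-EXAMPLE
abuse-mailbox:  csirt@example.net

organisation:   ORG-EX1-EXAMPLE
e-mail:         admin@example.net
abuse-mailbox:  abuse@example.net

organisation:   ORG-EX2-EXAMPLE
e-mail:         noc@example.org
remarks:        abuse reports to abuse@example.org
"""

def parse_objects(text):
    """Index objects by (class, primary key); each maps attribute -> list of values."""
    index = {}
    for block in text.split("\n\n"):
        obj = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("%"):  # skip server comments
                attr, value = line.split(":", 1)
                obj.setdefault(attr.strip().lower(), []).append(value.strip())
        if obj:
            cls = next(iter(obj))  # the first attribute names the object class
            index[(cls, obj[cls][0].upper())] = obj
    return index

ORDER = (("mnt-irt", "irt", ("abuse-mailbox",)),  # (reference attr, class, attrs tried)
         ("org", "organisation", ("abuse-mailbox", "e-mail")))  # e-mail: legacy fallback

def abuse_contact(index, resource_key):
    """Return (address, source); an irt lacking abuse-mailbox falls through (assumption)."""
    for ref, cls, attrs in ORDER:
        for name in index[resource_key].get(ref, []):
            target = index.get((cls, name.upper()), {})
            for attr in attrs:
                if target.get(attr):
                    return target[attr][0], f"{cls} {attr}"
    return None, "none"
```

The address that appears only in the remarks attribute of ORG-EX2-EXAMPLE is never returned, which is the parsing gap the thread describes for contacts stored in the wrong attribute.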



