Search RPD Archives
[rpd] Abuse Contact Policy
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Mon Sep 21 14:41:34 UTC 2020
Hi Lamiaa,
Internet is about cooperation, I don’t think you can choose “not to reply”. You can choose “not to consider it an abuse”, but not reply at all, in my opinion, will be against the correct management of the resources, which you’re bound as an AFRINIC member. You can choose to no reply to victims if they insist in something that you told them is not an abuse, that’s fine, but you must reply to AFRINIC for the validation of any data, whois, etc.
Regarding how you run your network, I’m trying to understand your perspective, that’s it.
Regards,
Jordi
@jordipalet
El 21/9/20 14:46, "Lamiaa Chnayti" <lamiaachnayti at gmail.com> escribió:
Hey Jordi,
You keep mixing up two very simple concepts, it is ok for AFRINIC to include abuse-c as part of whois registration, just like admin-c or tech-c. But IT IS ENTIRELY absurd to have AFRINIC to verify how members reply to their Email, even down to the subject line. It is entirely the network's right to choose NOT to reply to that "victim ISP" at all because it doesn't think this is an abuse.
And again you keep asking about my personal network and how I run it, and which is entirely irrelevant to this policy discussion. You can not disqualify people by disallowing anyone not running a network in this list, so what is your point? People discussing here who are running networks or not are none of anyone's business and is not relevant to the discussion of this policy.
Regards,
Lamiaa
Le lun. 21 sept. 2020 à 10:00, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> a écrit :
Hi Lamiaa,
8.3 and 8.4 are making sure that you respond to an abuse case, *not* that you *recognize* it as an abuse. It is your choice to tell the “victim ISP”, look for me this is not an abuse, so I will not do anything about it.
AFRINIC can’t verify this automatically, because it doesn’t make sense that AFRINIC is “sending” fake abuse reports to see if they get a response.
AFRINIC can only send an email for the validation of the mailbox. It is an existing mailbox? I’m getting a response (for example, have they, once I send the validation email, clicked the link or went into MyAfrinic to input the validation code?).
8.4 also states the timing for the validation.
8.5 is the validation itself, so I guess, according to your response, that you’re ok with this specific point. If we don’t have it, AFRINIC can’t do a periodic validation.
8.6. is making sure that you don’t try to fake the validation. For instance, you could respond only to AFRINIC validations and then discard all the other emails. If we don’t have that, the policy may become useless. Note also that in fact, if you follow the RSA, *anyone* could escalate *any* lack of CPM compliance. So this is making sure that the policy text is honest and transparent.
Or do you prefer to be filtered because you don’t respond?
Clearly this proposal is not asking AFRINIC to be a police. Is only making sure that the parties *can talk*. Again: AFRINIC will not be involved in “how you handle the case”, but I least you should be able to be contacted and respond.
See this example:
If AK or Moses customers are sending me spam, or trying to intrude my network, and they have abuse contacts, I will be able to complain to them. Then we have two cases:
1. Moses responds to me and say “you’re right, this is against our AUP” (is irrelevant what the law in Moses country say, it is the contract with customers what says what is allowed or not). Let’s fix it. I will warn the customer, and if they don’t stop, we will filter their email port, or even cancel the contract (just examples, only Moses can decide what they do).
2. AK instead doesn’t care, or the mailbox is full or bouncing emails or respond “sorry in our network we allow that”. Then I can take my own decision, filter only that IP address, or the complete AK network. I can even see if this is allowed in his country and take legal actions (which usually you don’t do because is costly and more of the regulations don’t know “anything” about abuse or even Internet!).
AFRINIC will not take any measure if AK decides that is not an abuse. It is our problem not AFRINIC problem. However, if the email is bouncing, AFRINIC will revalidate the abuse-c and make sure that it works.
Is like a phone book. You have there the phones and they must be correct, or you need to update them every “n” months. The phone book doesn’t tell the purpose of each phone. If you don’t want to accept calls related to “ordering pizzas”, you tell the caller “this number is not for that”, but at least you must pick up the phone otherwise, you don’t know if it is somebody calling by error or someone that you really want to talk. And this is true for *every* whois contact.
Can you let us know how do you handle it in the networks that you operate?
Regards,
Jordi
@jordipalet
El 21/9/20 10:00, "Lamiaa Chnayti" <lamiaachnayti at gmail.com> escribió:
Hi Fernando,
I think you are very confused. I never said I have a problem with people completing their registration. Keep registration---having an abuse contact Email in the whois, just like tech contact or admin contact--I am perfectly fine with it, and I think the current policy achieves 99% it, if you want to add this contact as mandatory field I am fine with it as well.
But the problem of this policy in 8.3-8.6, is that it requires AFRINIC to monitor the members HOW to manage their abuse mailbox down to the subject line, and that is out of the scope of AFRINIC, just read my last email with logic in mind and you will understand. I suggest this policy should be very simple, adding one line to the current policy-- abuse contact is mandatory, and it's done, everything else should be deleted.
And again, you are trying to use AFRINIC for something that is not in its scope, how someone manages their mailbox is not in the scope of AFRINIC, it is like you go to your local church to ask them to arrest your neighbour who plays loud music at night when you should go to police instead. Same thing for someone running an abusive network, as many already stated, it is up to a local Jury to decide if it is simply at an annoying level or a criminal offense, but either way please do go to your local police to report it.
As for the internet, we never tell you how to behave--you are entirely at your rights in the internet to behave abusively, but it is also entirely in everyone's rights to block you, that's how de-centralizing works, no central governing, everyone plays nice because that's the only way for everyone else to play with you, and this policy here asks AFRINIC to act like a central government even down to manage people's mailbox's subject line and that is way beyond what internet meant to be.
Regards,
Lamiaa
Le dim. 20 sept. 2020 à 23:42, Fernando Frediani <fhfrediani at gmail.com> a écrit :
On 19/09/2020 13:19, Lamiaa Chnayti wrote:
<clip>
How is it in the scope of AFRINIC to decide how I manage my abuse mailbox? If I want to reply only to a specific subject line of my abuse box, it is entirely in my right to do. Even if I don't want to reply at the abuse mailbox at all, that is my right to do so and if I think no action in my network would be considered abuse (although unlikely), but it is still from the internet community point of view, entirely in my right to do so. You might choose to block me as a network, but that is also your right.
The reason internet is called INTER-NET is because of its decentralized nature, you have to play nice for others to play with you, but this community never forces anyone to play nice, it is not in the scope of AFRINIC to decide how members reply to their abuse mailbox, so if 8.3,8.4, 8.5 and 8.6 are deleted in its entirety, I might consider supporting it. Also Jordi, I feel you always have this central management type of thinking, and that is so not internet.
It is not in the scope of any RIR how anyone manage people's
mailboxes.
Nobody exists alone in the Internet. If an organization
hypothetically doesn't care at all and refuses to respond to abuse
emails it probably should re-think its existence in the Internet
business.
The Internet is what is among many reasons because of the
cooperation among its organizations, and there are certain rules
that are agreed cooperatively and must be observed by everyone
willing remain on it, otherwise it may in many cases cause serious
damage to those willing to operate in serious manner and keep it a
healthy place to most people who depend on it.
This forum is about setting rules on how registration information
about resources are kept and it may be of the wish of the
community to refuse keep registration for those who repetitively
abuse of their individual rights.
Fernando
Regards,
Lamiaa
Le ven. 18 sept. 2020 à 09:23,
JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> a écrit :
Hi Lamiaa,
I don’t agree. Internet doesn't depend on
any jurisdiction; abuse is about what I (the victim
operator) consider abuse. The RFC is clear about that,
in short “Inappropriate public behaviour” (is a
mailbox so to be able to contact in case there is a
possible inappropriate behaviour in the public
Internet). If you want a clearer definition, abuse is
*anything* that I don’t want to accept in my
network because is in any way damaging it.
If I don’t want to accept a DoS, or spam,
or phising, DMCA, or whatever, this is abuse *for
me*. I’ve the right to tell you because that
abuse is coming from your network. If you believe that
is not abuse (and here is your jurisdiction in some
cases, in other just doesn’t exist, but it may be also
your “business” decision – like operators that don’t
care if their customers do spam or intrusion
attempts), you’ve the right to tell me “sorry, this is
not abuse for us”, and then I’ve the right to decide
if I should filter your network based on your
response.
Not having an abuse contact, means that
I’m not able to contact you, so we can’t talk, we
can’t investigate or agree if it is an abuse or not,
so you (the offender operator) don’t have the chance
to decide about it! Is bad for you, is bad for me. In
those cases, my best choice is to filter you. This
create problems for your customers and my customers.
We can’t depend on jurisdictions, because
then the policy will need to consider inter-relations
among every possible “pairs” of country worlds, and we
will need to update the policy based on any
jurisdiction change. The policy is not about that, is
about having a valid responsible contact, not about
deciding what is an abuse, which is among the two
parties.
Tell me what is different from AFRINIC
than the rest of the world, because none of the RIRs
have defined abuse in their policies. I even don’t
recall that having appeared in the discussions!
If
you want, I’m happy to change the title of the
proposal to “supposed abuse contact”, that may be
clearing your point?
Again,
this is not about defining what is abuse, this is
among the parties. It is about making sure that
there is a valid responsible contact in case of
anyone needs to report what he considers an abuse.
AFRINIC will not punish anyone that believes that
his customer is not doing an abuse because in his
country is not an abuse.
Regards,
Jordi
@jordipalet
El
18/9/20 9:59, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
escribió:
Hello
Jordi,
RFC2142
only defines a tiny portion of the network abuse. In
real world operation, abuse consists of a much
boarder range : DMCA(copy rights) claims,
unsolicited emails , phishing websites , trade mark
disputes etc.
All
those are legal issues that vary vastly across
different juridictions in which no one but each of
the juridiction’s judges can decide if it is an
abuse or an illegal activity. Claiming that RFC2142
defines not even 1% of real world abuse is
laughable.
Regards,
Lamiaa
Le jeu.
17 sept. 2020 à 15:51, JORDI PALET MARTINEZ via
RPD <rpd at afrinic.net>
a écrit :
Hi
Lamiaa,
I’ve
said this already. This policy doesn’t
enforce abuse, it enforces that the abuse
contact is there, and works.
Today
AFRINIC is paying for the cost of the
abuse handling because only a tiny
fraction of the members has the abuse
contacts in place.
If
the contacts in the RIR database aren’t
actual and accurate, this is a clear
violation of the RSA. So what is
unacceptable is not having the contacts,
not on the other way around.
Abuse
is not defined by the RIRs, everybody
knows it and this is the reason why NONE
of the RIRs have re-defined it, because it
is already stated in RFC2142. Can you
justify why AFRINIC is different and need
a definition?
How
you define it in the networks that you
operate?
Regards,
Jordi
@jordipalet
El 17/9/20
10:49, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
escribió:
Hello,
I
will have to agree with Lucilla on what
she said and would like to add to it
that :
Firstly, Abuse
enforcement is out of scope for RIRs.
Secondly, RIRs
have no ability to define what is
“abuse”, one abuse or even criminal
activity could be entirely a legal
operation in a different jurisdiction.
Finally, making
a member forcefully reply to abuse
contact Emails are a waste of resources
and totally pointless, it is entirely up
to the member to define what they think
is acceptable in their network operation
and how they react to it. AFRINIC has no
mandate to force any member to reply to
an “abuse”, since AFRINIC doesn’t even
have the ability to identify what is
considered an abuse.
Therefore the
entire policy is out of scope for the
RIR operation.
Regards,
Lamiaa
Le jeu. 17
sept. 2020 à 07:42, JORDI PALET MARTINEZ
via RPD <rpd at afrinic.net>
a écrit :
Hi Lucilla,
Today we already have
mnt-IRT, and everybody who operate
networks understand what it is an
abuse. If you operate networks you
know that *anything* which
is a non-authorized use of a
network is an abuse.
If you send spam,
attack networks, try to intrude
networks, etc., all those are
abuse.
What the policy ask
is to make sure that in AFRINIC
everybody has an abuse contact
(today we have mnt-IRT, but is not
mandatory, and as a results many
African networks are filtered
because lack of that – and
consequently they do not respond
to abuse cases -, which exist in
all the other regions of the
world).
Not having an abuse
means more chances of legal
actions, more cost, for both the
victims and the ISPs. Having
that means that you have more
chances to resolve it in
goodfaith.
One of the *most
important* Afrinic
missions is to have accuracy on
the database, which includes
accuracy on the contacts. We are
not fulfilling that in this
situation.
Remember that *all*
the other RIRs have already this
kind of policy. This one is like
the one that has been
implemented in APNIC, and the
accuracy of the contacts is now
87.5% as reported this month in
the last APNIC meeting. In that
report *none* of the
members indicated any of the
issues that you indicated
(didn't happened as well in the
other regions).
You know who is
interested in not having abuse
contacts? Those that use their
networks for doing abuse
(hijacking, spam, DoS,
intrusions, etc.).
Can you explain if
the network that you operate has
an abuse contact an how if one
of your customes is trying to
penetrate my network or do a
DoS, I will be able to contact
you and if you will do anything
or just ignore it?
Regards,
Jordi
@jordipalet
El
17/9/20 2:21, "lucilla fornaro"
<lucillafornarosawamoto at gmail.com>
escribió:
Dear
all,
I
have some concerns about the
“Abuse Contact Policy”.
First
of all, it does not offer a
specific and regulated
description of the term
“abuse” and this opens the
door to potentially bigger
problems: a surplus of
reports, discrimination/legal
issues, and a waste of
resources. Around the world,
we can perceive what abuse is
in very different ways.
Afrinic
is not entitled to force
members to report abuses and
most importantly, this
proposal does not represent
Afrinic’s purpose.
I,
therefore, oppose this policy.
Thank
you,
Lucilla
_______________________________________________
RPD mailing list RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains
information which may be privileged or
confidential. The information is
intended to be for the exclusive use
of the individual(s) named above and
further non-explicilty authorized
disclosure, copying, distribution or
use of the contents of this
information, even if partially,
including attached files, is strictly
prohibited and will be considered a
criminal offense. If you are not the
intended recipient be aware that any
disclosure, copying, distribution or
use of the contents of this
information, even if partially,
including attached files, is strictly
prohibited, will be considered a
criminal offense, so you must reply to
the original sender to inform about
this communication and delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information
which may be privileged or confidential. The
information is intended to be for the
exclusive use of the individual(s) named above
and further non-explicilty authorized
disclosure, copying, distribution or use of
the contents of this information, even if
partially, including attached files, is
strictly prohibited and will be considered a
criminal offense. If you are not the intended
recipient be aware that any disclosure,
copying, distribution or use of the contents
of this information, even if partially,
including attached files, is strictly
prohibited, will be considered a criminal
offense, so you must reply to the original
sender to inform about this communication and
delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
Le jeu.
17 sept. 2020 à 15:49, JORDI PALET MARTINEZ via
RPD <rpd at afrinic.net>
a écrit :
Hi
Lamiaa,
I’ve
said this already. This policy doesn’t
enforce abuse, it enforces that the abuse
contact is there, and works.
Today
AFRINIC is paying for the cost of the abuse
handling because only a tiny fraction of the
members has the abuse contacts in place.
If the
contacts in the RIR database aren’t actual
and accurate, this is a clear violation of
the RSA. So what is unacceptable is not
having the contacts, not on the other way
around.
Abuse is
not defined by the RIRs, everybody knows it
and this is the reason why NONE of the RIRs
have re-defined it, because it is already
stated in RFC2142. Can you justify why
AFRINIC is different and need a definition?
How you
define it in the networks that you operate?
Regards,
Jordi
@jordipalet
El 17/9/20
10:49, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
escribió:
Hello,
I
will have to agree with Lucilla on what
she said and would like to add to it that
:
Firstly, Abuse
enforcement is out of scope for RIRs.
Secondly, RIRs
have no ability to define what is “abuse”,
one abuse or even criminal activity could
be entirely a legal operation in a
different jurisdiction.
Finally, making
a member forcefully reply to abuse contact
Emails are a waste of resources and
totally pointless, it is entirely up to
the member to define what they think is
acceptable in their network operation and
how they react to it. AFRINIC has no
mandate to force any member to reply to an
“abuse”, since AFRINIC doesn’t even have
the ability to identify what is considered
an abuse.
Therefore the
entire policy is out of scope for the RIR
operation.
Regards,
Lamiaa
Le jeu. 17
sept. 2020 à 07:42, JORDI PALET MARTINEZ
via RPD <rpd at afrinic.net>
a écrit :
Hi
Lucilla,
Today
we already have mnt-IRT, and
everybody who operate networks
understand what it is an abuse. If
you operate networks you know that *anything*
which is a non-authorized use of a
network is an abuse.
If
you send spam, attack networks, try
to intrude networks, etc., all those
are abuse.
What
the policy ask is to make sure that
in AFRINIC everybody has an abuse
contact (today we have mnt-IRT, but
is not mandatory, and as a results
many African networks are filtered
because lack of that – and
consequently they do not respond to
abuse cases -, which exist in all
the other regions of the world).
Not having an abuse
means more chances of legal
actions, more cost, for both the
victims and the ISPs. Having that
means that you have more chances
to resolve it in goodfaith.
One of the *most
important* Afrinic missions
is to have accuracy on the
database, which includes accuracy
on the contacts. We are not
fulfilling that in this situation.
Remember that *all*
the other RIRs have already this
kind of policy. This one is like
the one that has been implemented
in APNIC, and the accuracy of the
contacts is now 87.5% as reported
this month in the last APNIC
meeting. In that report *none*
of the members indicated any of
the issues that you indicated
(didn't happened as well in the
other regions).
You know who is
interested in not having abuse
contacts? Those that use their
networks for doing abuse
(hijacking, spam, DoS, intrusions,
etc.).
Can you explain if
the network that you operate has
an abuse contact an how if one of
your customes is trying to
penetrate my network or do a DoS,
I will be able to contact you and
if you will do anything or just
ignore it?
Regards,
Jordi
@jordipalet
El
17/9/20 2:21, "lucilla fornaro"
<lucillafornarosawamoto at gmail.com>
escribió:
Dear
all,
I
have some concerns about the
“Abuse Contact Policy”.
First
of all, it does not offer a
specific and regulated
description of the term “abuse”
and this opens the door to
potentially bigger problems: a
surplus of reports,
discrimination/legal issues, and
a waste of resources. Around the
world, we can perceive what
abuse is in very different ways.
Afrinic
is not entitled to force members
to report abuses and most
importantly, this proposal does
not represent Afrinic’s purpose.
I,
therefore, oppose this policy.
Thank
you,
Lucilla
_______________________________________________
RPD mailing list RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains
information which may be privileged or
confidential. The information is
intended to be for the exclusive use of
the individual(s) named above and
further non-explicilty authorized
disclosure, copying, distribution or use
of the contents of this information,
even if partially, including attached
files, is strictly prohibited and will
be considered a criminal offense. If you
are not the intended recipient be aware
that any disclosure, copying,
distribution or use of the contents of
this information, even if partially,
including attached files, is strictly
prohibited, will be considered a
criminal offense, so you must reply to
the original sender to inform about this
communication and delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information
which may be privileged or confidential. The
information is intended to be for the exclusive
use of the individual(s) named above and further
non-explicilty authorized disclosure, copying,
distribution or use of the contents of this
information, even if partially, including
attached files, is strictly prohibited and will
be considered a criminal offense. If you are not
the intended recipient be aware that any
disclosure, copying, distribution or use of the
contents of this information, even if partially,
including attached files, is strictly
prohibited, will be considered a criminal
offense, so you must reply to the original
sender to inform about this communication and
delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
--
Lamiaa
CHNAYTI
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be
privileged or confidential. The information is intended to
be for the exclusive use of the individual(s) named above
and further non-explicilty authorized disclosure, copying,
distribution or use of the contents of this information,
even if partially, including attached files, is strictly
prohibited and will be considered a criminal offense. If you
are not the intended recipient be aware that any disclosure,
copying, distribution or use of the contents of this
information, even if partially, including attached files, is
strictly prohibited, will be considered a criminal offense,
so you must reply to the original sender to inform about
this communication and delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
--
Lamiaa CHNAYTI
_______________________________________________ RPD mailing list RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200921/de2e3512/attachment-0001.html>
More information about the RPD
mailing list