Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Decisions ... Abuse contact

Patrick Okui pokui at psg.com
Fri Oct 2 17:10:22 UTC 2020


Dear Chloe,

I’ll try to separate your message into individual contention points
because otherwise it’s impossible to track where we are on each one.

#### 1. Consequences for not providing abuse-c.

I have dealt with this particular objection in a response to Gaby as
seen here: https://lists.afrinic.net/pipermail/rpd/2020/011555.html

The short version is, if we decide that this info is mandatory then it
has the same consequences as not providing admin-c and tech-c. If this
is a new request for resources, it gets denied. If it’s existing
resources the holder runs the risk of having them reclaimed. AFRINIC
would (as with all cases of violation of the RSA) liaise with the member
to see they comply with this.

#### 2. Providing a contact that is not being read/responded to.

The text of the policy proposal we’re discussing is at
https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal If you
read that you’ll see that part of this policy is exactly saying that

- The abuse contact can’t be some unattended destination.

- AFRINIC will periodically check that the contact is one that’s
responded to.

- If someone complains that they didn’t get a response, then AFRINIC
will check that and then either tell the person they seem to be mistaken
OR get in touch with the member to update their abuse-c to something
that is attended to.

#### 3. AFRINIC defining abuse so they can mediate in complaints.

This is finally your answer to the email I wrote earlier. I would not
want AFRINIC to become a mediator in abuse cases. All AFRINIC needs to
do is ensure they have the listed contacts for people to discuss. If the
two people fail to agree they can fall back to filtering each other or
court cases etc.

The only goal is to allow AFRINIC to specifically state that if you need
to contact network X about a possible abuse case, then use the following
email (that we’ve checked to be working). As a registry, that falls
within their roles and mandate. Anything else would not.

#### 4. Use of this policy (mandatory contacts) minus AFRINIC abuse
mediation.

- If you read point d. of Madhvi’s email at
https://lists.afrinic.net/pipermail/rpd/2020/011534.html you will see
that currently AFRINIC ends up responding to abuse complaints on behalf
of members. It is not mentioned in that email but part of the reason is
the parent objects have the AFRINIC abuse contact.

- If you read Frank’s post at
https://lists.afrinic.net/pipermail/rpd/2020/010971.html you’ll notice
he was detailing what someone could try in order to track down the
person to contact for abuse. The original poster knew of this process
and was asking if AFRINIC would help make it easier by getting people to
publish abuse contact data.

This proposal addresses the above two points from the view of the RIR
and from operators. As you’ve mentioned when operators get contacted
they usually can sort things out. In many cases the “abuse” is
unintentional from compromised or infected devices. Right now figuring
out who to talk to to get a response from the operator is quite the
process.

Note that Jaco also addressed some of your very concerns at
https://lists.afrinic.net/pipermail/rpd/2020/011549.html in different
words.

On 2 Oct 2020, at 17:48 EAT, Chloe Kung wrote:


> Dear Patrick,

>

> I see your point and thank you very much. Before I respond to that, I

> just want to say it actually leads to my another reason for objecting

> this proposal for it doesn’t state what will be the consequences nor

> does it guarantee the abuse email will be checked on a routine basis.

> Then I think it will only become a meaningless policy.

>

> If all Afrinic needs to do when it’s getting involved is to ask

> whether or not someone’s abuse contact responded, and should not be

> doing anything beyond that, then why would we even need this proposal

> ? The way I see it is that, I imagine abuse cases have existed and

> happened before, so if they really care, both the complainants and the

> complainees would already have a more effective way to do it. And for

> those who doesn’t really care, having this abuse contact set up

> mandatorily doesn’t not help.

>

> Let’s say if now Afrinic is going to do just a little more than

> that, maybe giving a warning. Then I suppose they will at least have

> to look into the case ? And so under such circumstances Afrinic will

> need to have a clear/ defined concept to determine if the abuse case

> is valid and if further actions are needed ? Though I believe this is

> out of the scope of RIRs.

>

> Best,

> Chloe

> From: Patrick Okui <pokui at psg.com>

> Date: Thursday, October 1, 2020 at 02:58

> To: Chloe Kung <chloe.kung.public at gmail.com>

> Cc: "rpd at afrinic.net" <rpd at afrinic.net>, Jaco Kroon <jaco at uls.co.za>

> Subject: Re: [rpd] Decisions ... Abuse contact

>

>

> Dear Chloe, all, [response inline]

>

> On 30 Sep 2020, at 17:53 EAT, Chloe Kung wrote:

>

> Like for objection d; no proper definition of the term Abuse, there is

> still a need to address on it. Yes the proposal is about

> “building” abuse contact, but just like what Jordi has said, “

> The policy only needs to state what the staff should evaluate and

> thus, what members should do”, if the definition of the word/ act of

> Abuse is not clear, how can the staff evaluate such action then? Let's

> say if they interpret those cases in their own different ways, it will

> not be fair to any of the parties nor would it be something we want I

> suppose. And there are high chance of having mis-interpretation too!

>

> Note that we have a tech-c contact for technical issues. There is no

> definition of what constitutes ‘technical’ issues for a tech-c

> contact. The requirement in this proposal is therefore not to define

> abuse. The requirement is for the holder of resources to specify where

> abuse complaints (by the definition of the person complaining) should

> go. Validation is only that it is a working destination that is

> active.

>

> If someone sends you non abuse (by your definition) to your abuse

> contact your response is simply “This doesn’t constitute abuse

> because XYZ”. XYZ can be as simple as “the laws in my country and

> my AUP don’t prohibit such behaviour” or “connecting to port 80

> is how browsers work”. If someone escalates to AFRINIC the only

> thing AFRINIC will ask is “Did Chloe’s abuse contact respond?”.

> Beyond that AFRINIC should not get involved.

>

> Please give an example of a situation where a complaint requires

> AFRINIC to describe abuse.

>

> --

> patrick






--
patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20201002/f5627a43/attachment-0001.html>


More information about the RPD mailing list