<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dear Community, <div class=""><br class=""></div><div class="">Once more regarding this abuse contact policy or abuse-c, irrespective of the lack of a clear definition of what constitutes or entails an abuse, there is no guarantee that the abuse contact mail box will be routinely checked and the properly defined concept to determine if an abuse cases is valid and hence, take necessary action as pointed out by @Chloe. </div><div class=""><br class=""></div><div class="">Similarly, despite this not being within the scope of the AFRINIC, members can be made to provide the abuse-c as part of the Whois registration process just like the admin-c and tech-c without necessarily making this “policy”. Also, @Patrick in accordance with your response to @Gaby on the possible consequences of no abuse-c provided, </div><div class=""><br class=""></div><div class="">“<font color="#ff2600" class="">T<span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">his is no different in my opinion from not providing contacts for other</span><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class=""> required whois </span></font></div><font color="#ff2600" class=""><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">contacts. Someone posted the text for admin-c and tech-c.</span><span style="background-color: rgb(255, 255, 255);" class=""><font face="-webkit-standard" size="3" class=""> For new applicants if you don’t provide say an admin-c, it could</font></span></font><div class=""><font color="#ff2600" class=""><span style="background-color: rgb(255, 255, 255);" class=""><font face="-webkit-standard" size="3" class="">mean you don’t get resources. </font></span><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">That would be the same for no abuse contacts. </span><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">For existing holders you could lose your resources etc. I do not see the </span><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">need to provide extra penalties for this. Note that this is just contact </span><span style="font-family: -webkit-standard; font-size: medium; background-color: rgb(255, 255, 255);" class="">information. Not penalties for “abuse”. </span></font></div><div class=""><font color="#ff2600" face="-webkit-standard" size="3" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div class=""><font face="-webkit-standard" size="3" class=""><span style="background-color: rgb(255, 255, 255);" class="">I believe that this is far too much and sounds more like blackmailing the members to comply with the abuse contact which i think is not necessary because by just adding this to the Whois registration procedure, the members will voluntarily comply or cooperate. </span></font></div><div class=""><font face="-webkit-standard" size="3" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div class=""><font face="-webkit-standard" size="3" class=""><span style="background-color: rgb(255, 255, 255);" class="">Elvis </span></font></div><div class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 3, 2020, at 02:10, Patrick Okui <<a href="mailto:pokui@psg.com" class="">pokui@psg.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8" class="">
<div class="">
<div style="font-family:sans-serif" class=""><div style="white-space:normal" class=""><p dir="auto" class="">Dear Chloe,</p><p dir="auto" class="">I’ll try to separate your message into individual contention points because otherwise it’s impossible to track where we are on each one.</p><p dir="auto" class="">#### 1. Consequences for not providing abuse-c.</p><p dir="auto" class="">I have dealt with this particular objection in a response to Gaby as seen here: <a href="https://lists.afrinic.net/pipermail/rpd/2020/011555.html" class="">https://lists.afrinic.net/pipermail/rpd/2020/011555.html</a></p><p dir="auto" class="">The short version is, if we decide that this info is mandatory then it has the same consequences as not providing admin-c and tech-c. If this is a new request for resources, it gets denied. If it’s existing resources the holder runs the risk of having them reclaimed. AFRINIC would (as with all cases of violation of the RSA) liaise with the member to see they comply with this.</p><p dir="auto" class="">#### 2. Providing a contact that is not being read/responded to.</p><p dir="auto" class="">The text of the policy proposal we’re discussing is at <a href="https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal" class="">https://www.afrinic.net/policy/proposals/2018-gen-001-d6#proposal</a> If you read that you’ll see that part of this policy is exactly saying that</p><p dir="auto" class="">- The abuse contact can’t be some unattended destination.</p><p dir="auto" class="">- AFRINIC will periodically check that the contact is one that’s responded to.</p><p dir="auto" class="">- If someone complains that they didn’t get a response, then AFRINIC will check that and then either tell the person they seem to be mistaken OR get in touch with the member to update their abuse-c to something that is attended to.</p><p dir="auto" class="">#### 3. AFRINIC defining abuse so they can mediate in complaints.</p><p dir="auto" class="">This is finally your answer to the email I wrote earlier. I would not want AFRINIC to become a mediator in abuse cases. All AFRINIC needs to do is ensure they have the listed contacts for people to discuss. If the two people fail to agree they can fall back to filtering each other or court cases etc.</p><p dir="auto" class="">The only goal is to allow AFRINIC to specifically state that if you need to contact network X about a possible abuse case, then use the following email (that we’ve checked to be working). As a registry, that falls within their roles and mandate. Anything else would not.</p><p dir="auto" class="">#### 4. Use of this policy (mandatory contacts) minus AFRINIC abuse mediation.</p><p dir="auto" class="">- If you read point d. of Madhvi’s email at <a href="https://lists.afrinic.net/pipermail/rpd/2020/011534.html" class="">https://lists.afrinic.net/pipermail/rpd/2020/011534.html</a> you will see that currently AFRINIC ends up responding to abuse complaints on behalf of members. It is not mentioned in that email but part of the reason is the parent objects have the AFRINIC abuse contact.</p><p dir="auto" class="">- If you read Frank’s post at <a href="https://lists.afrinic.net/pipermail/rpd/2020/010971.html" class="">https://lists.afrinic.net/pipermail/rpd/2020/010971.html</a> you’ll notice he was detailing what someone could try in order to track down the person to contact for abuse. The original poster knew of this process and was asking if AFRINIC would help make it easier by getting people to publish abuse contact data.</p><p dir="auto" class="">This proposal addresses the above two points from the view of the RIR and from operators. As you’ve mentioned when operators get contacted they usually can sort things out. In many cases the “abuse” is unintentional from compromised or infected devices. Right now figuring out who to talk to to get a response from the operator is quite the process.</p><p dir="auto" class="">Note that Jaco also addressed some of your very concerns at <a href="https://lists.afrinic.net/pipermail/rpd/2020/011549.html" class="">https://lists.afrinic.net/pipermail/rpd/2020/011549.html</a> in different words.</p><p dir="auto" class="">On 2 Oct 2020, at 17:48 EAT, Chloe Kung wrote:</p>
</div>
<blockquote style="border-left:2px solid #5855D5; color:#5855D5; margin:0 0 5px; padding-left:5px" class=""><div id="C0473AAE-095A-4020-900B-ED145E92E70D" class="">
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word" class="">
<div style="page:WordSection1" class=""><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""><span style="mso-fareast-language:ZH-TW" class=""> </span></p><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">Dear Patrick,
</span></div><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""><span style="mso-fareast-language:ZH-TW" class=""> </span></p><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">I see your point and thank you very much. Before I respond to that, I just want to say it actually leads to my another reason for objecting this proposal for it doesn’t state what will be the consequences
nor does it guarantee the abuse email will be checked on a routine basis. Then I think it will only become a meaningless policy.
</span></div><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""><span style="mso-fareast-language:ZH-TW" class=""> </span></p><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">If all Afrinic needs to do when it’s getting involved is to ask whether or not someone’s abuse contact responded, and should not be doing anything beyond that, then why would we even need this proposal
? The way I see it is that, I imagine abuse cases have existed and happened before, so if they really care, both the complainants and the complainees would already have a more effective way to do it. And for those who doesn’t really care, having this abuse
contact set up mandatorily doesn’t not help. </span></div><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""><span style="mso-fareast-language:ZH-TW" class=""> </span></p><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">Let’s say if now Afrinic is going to do just a little more than that, maybe giving a warning. Then I suppose they will at least have to look into the case ? And so under such circumstances Afrinic
will need to have a clear/ defined concept to determine if the abuse case is valid and if further actions are needed ? Though I believe this is out of the scope of RIRs.
</span></div><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""><span style="mso-fareast-language:ZH-TW" class=""> </span></p><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">Best,</span></div><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><span style="mso-fareast-language:ZH-TW" class="">Chloe</span></div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in" class=""><div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0px;" class=""><b class=""><span style="font-size: 12pt;" class="">From: </span></b><span style="font-size: 12pt;" class="">Patrick Okui <<a href="mailto:pokui@psg.com" class="">pokui@psg.com</a>><br class="">
<b class="">Date: </b>Thursday, October 1, 2020 at 02:58<br class="">
<b class="">To: </b>Chloe Kung <<a href="mailto:chloe.kung.public@gmail.com" class="">chloe.kung.public@gmail.com</a>><br class="">
<b class="">Cc: </b>"<a href="mailto:rpd@afrinic.net" class="">rpd@afrinic.net</a>" <<a href="mailto:rpd@afrinic.net" class="">rpd@afrinic.net</a>>, Jaco Kroon <<a href="mailto:jaco@uls.co.za" class="">jaco@uls.co.za</a>><br class="">
<b class="">Subject: </b>Re: [rpd] Decisions ... Abuse contact</span></div>
</div>
<div class=""><p style="font-family:"Calibri", sans-serif; font-size:11pt; margin:0" class=""> </p>
</div>
<div class="">
<div class=""><p class=""><span style="font-family:"Arial",sans-serif" class="">Dear Chloe, all, [response inline]</span></p><p class=""><span style="font-family:"Arial",sans-serif" class="">On 30 Sep 2020, at 17:53 EAT, Chloe Kung wrote:</span></p>
<blockquote style="border:none;border-left:solid #5855D5 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:0in;margin-right:0in;margin-bottom:3.75pt" class=""><p class=""><span style="font-family:"Arial",sans-serif;color:#5855D5" class="">Like for objection d; no proper definition of the term Abuse, there is still a need to address on it. Yes the proposal is about “building” abuse contact, but just like what Jordi has said, “ The
policy only needs to state what the staff should evaluate and thus, what members should do”, if the definition of the word/ act of Abuse is not clear, how can the staff evaluate such action then? Let's say if they interpret those cases in their own different
ways, it will not be fair to any of the parties nor would it be something we want I suppose. And there are high chance of having mis-interpretation too!</span></p>
</blockquote><p class=""><span style="font-family:"Arial",sans-serif" class="">Note that we have a tech-c contact for technical issues. There is no definition of what constitutes ‘technical’ issues for a tech-c contact. The requirement in this proposal is therefore not to define abuse. The
requirement is for the holder of resources to specify where abuse complaints (by the definition
<em class=""><span style="font-family:"Arial",sans-serif" class="">of the person complaining</span></em>) should go. Validation is only that it is a working destination that is active.</span></p><p class=""><span style="font-family:"Arial",sans-serif" class="">If someone sends you non abuse (by
<em class=""><span style="font-family:"Arial",sans-serif" class="">your</span></em> definition) to your abuse contact your response is simply “This doesn’t constitute abuse because XYZ”. XYZ can be as simple as “the laws in my country and my AUP don’t prohibit such behaviour”
or “connecting to port 80 is how browsers work”. If someone escalates to AFRINIC the only thing AFRINIC will ask is “Did Chloe’s abuse contact respond?”. Beyond that AFRINIC should not get involved.</span></p><p class=""><span style="font-family:"Arial",sans-serif" class="">Please give an example of a situation where a complaint requires AFRINIC to describe abuse.</span></p><p class=""><span style="font-family:"Arial",sans-serif" class="">--<br class="">
patrick</span></p>
</div>
</div>
</div>
</div></div></blockquote>
<div style="white-space:normal" class=""><blockquote style="border-left:2px solid #5855D5; color:#5855D5; margin:0 0 5px; padding-left:5px" class="">
</blockquote><br class=""><br class=""><p dir="auto" class="">--<br class="">
patrick</p>
</div>
</div>
</div>
_______________________________________________<br class="">RPD mailing list<br class=""><a href="mailto:RPD@afrinic.net" class="">RPD@afrinic.net</a><br class="">https://lists.afrinic.net/mailman/listinfo/rpd<br class=""></div></blockquote></div><br class=""></div></div></body></html>