<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style></style></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Hi Denis,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 17/1/20 0:30, "<a href="mailto:ripedenis@yahoo.co.uk">ripedenis@yahoo.co.uk</a>" <<a href="mailto:ripedenis@yahoo.co.uk">ripedenis@yahoo.co.uk</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>Colleagues</span><span style='font-size:12.0pt;font-family:"Helvetica Neue"'><o:p></o:p></span></p></div></div><div id="ydp222ed11eyahoo_quoted_9552941811"><div><div><div id=ydp222ed11eyiv0011432852><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>I have just read this whole thread, it took a while (I should get sick more often and spend a day in bed reading emails). I have a few points to make. Some are similar to points already raised but I will reinforce them. I cut out the bits I want to respond to, but sorry I have not included the authors (you will know if it's you).<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"If I need to use a web form, which is not standard, for every abuse report that I need to submit, there is no sufficient time in the world to fill all them."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>So instead each resource holder must interpret randomly written emails and find any relevant information from within lots of junk.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue"'>There are open source tools to extract the logs from an automated abuse reporting system (for example fail2ban), and it very easy to configure them for your own needs. In any case, much easier than having a different web form non-standard for every ISP that requires that.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue"'>Of course, as said, ideally a standard system could be used. May be is time to specify it in the policy, and this is something that I’m already considering in the next version, depending on what I can interpret from all this discussion.</span><span lang=EN-US style='font-size:12.0pt'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"ever since the day that RIPE NCC first<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>published an abuse reporting address in the data base, it has, in<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>effect, injected itself, even if only to a minimal degree, into<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>the relationship between a network abuse victim and the relevant<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>resource holders that have clear connections to the abuse source"<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>To be clear, the RIPE NCC is the data controller, not the data content provider. The RIPE NCC does not publish the abuse contacts, they facilitate resource holders to publish them.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"make abuse-c: an optional attribute<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>(basically, unrolling the "mandatory" part of the policy proposal that<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>introduced it in the first place)"<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>As co-author/designer of "abuse-c:" one of the original aims of the "abuse-c:" attribute was to provide one single point of contact for a resource holder's abuse reports. If it is made optional, abuse reports would simply be sent to the "admin-c:", "tech-c:", "notify:", etc email addresses, as they were before. People will simply search the database for any email address associated with the resource holder and spam them all. It won't stop abuse reports being sent 'somewhere'. And once someone has had to go to the trouble of finding a list of email addresses to use for the resource holder who has no "abuse-c:", then they will probably do the same for all reports they send. So those of you who do respond to abuse complaints will find complaints being sent to a whole host of your email addresses from the RIPE Database. We lose the 'keep it in one well defined location' benefit.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>I agree with you on this. I think the alternative is the autoresponder I mention. So keep the abuse-c mandatory, but tell the reporters “I will ignore your report”.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"at the very least, RIPE NCC could set<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>up and maintain just a basic review "platform" where the public at large<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>can at least make it known to all observers which networks are the assholes<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>and which ones aren't."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>This would be an excellent way for a network operator to 'take out' their competitors.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"While I would accept Gert's proposal for making abuse-c an optional<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>attribute, the reason I offered a counter proposal for publishing "a<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>statement to the effect that the network operator does not act on<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>abuse reports" is to add clarity at a high level."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>How many operators are going to make such a statement? It would become an invitation to block their traffic. If that was the alternative to any verification then they know if they don't make such a statement there will be no penalty. So just don't make a statement and still ignore the reports.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Yes and not. Money talks. But at least you know what you can expect from any operator, instead of insisting in sending reports and wasting time trying to contact them. May be the point to have in the policy is that if you don’t have a valid abuse-c (so it is mandatory), either you choose to respond to abuses, or you have an autoresponder to tell you are not taking care of them. If you don’t have one or the other, it is a policy violation.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"i'm more worried about someone using real e-mail<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>addresses of real unrelated people than the /dev/null or unattended<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>mailboxes."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>Separately to this discussion we need to have a mechanism to say "Remove my email address from this resource", as Google has when someone uses your gmail address as a recovery address. (A service I use on a weekly basis)<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>I guess this is not needed. If someone is using my email in a non-related contact at the RIPE databases, and I notice it, clearly, I can tell to RIPE NCC: this is fake, please remove it. Otherwise RIPE NCC may be liable for the damages.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>"Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes. Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>If you hide behind this type of logic, the EU in particular could easily change the law so that refusal to accept notifications renders you liable as if you had received it. 'Ignorance of the law is no excuse' comes to mind.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Well this is already part of the law, at least in Spain, up to a certain point. If you refuse receiving a legal notification (legal in the sense accepted by each specific type of notification, sometimes just a certified post or a fax, or a burofax, certified email – yes there are legal services to do that, etc.), it is the same as if you actually received it.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>">It's amazing that nobody cant propose anything without receiving a shower of all sorts of arguments against<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>It's called 'democracy'."<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>Many of the countries in the RIPE region are not democracies (including the UK now).<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>Having been on this mailing list for many years, as others have said, this discussion has gone round in circles so many times. It really makes it hard to follow what the general view is. To me there seems to be 2 camps. One camp wants to 'do something' to try to improve the situation. The other camp wants to do nothing for a variety of reasons (not the RIPE NCC's job, gets tangled up with other policies, too much work/time, a burden on those who do the right thing, won't help with those who avoid it, we are engineers not social workers or police). These are the same reasons used against almost every policy proposal on this list. We are in a new decade now. We have to take a more holistic view of the RIPE Database and services around it. I started at the RIPE NCC as a software engineer working on the database. But over time I became involved in almost every aspect of it, including legal, policy, feature design, contracts, etc. I thought the days of demarcation lines went out in the 70s when an engineer thought only about engineering issues. Abuse (in all its forms) is a problem on the internet. Some organisations work hard to tackle it, others ignore it. As a community (of holistic engineers) we need to try things out to reduce abuse. There have been so many negative comments in this thread and so few positive ones. It isn't just LEAs that watch what we do, it's governments as well. If we don't 'try' to reduce abuse, we may find a form of GDPR coming down the line for abuse on the internet. Then every organisation, large and small, will be rushing to their lawyers to ensure they are GDPR(abuse) compliant. Avoiding a little effort now may involve a huge effort later. We are no longer a little group of chatty engineers. We are prominent figures in a global, life critical service. Lets try to be a little more positive and constructive....<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>cheers<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>denis<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'>co-chair DB-WG<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div></div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:10.0pt;font-family:"Helvetica Neue";color:#26282A'><o:p> </o:p></span></p></div></div></div></div></div></div><br>**********************************************<br> IPv4 is over<br> Are you ready for the new Internet ?<br> http://www.theipv6company.com<br> The IPv6 Company<br> <br> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br> <br> </body></html>