Details
Abuse Contact Policy Update |
|||
ID: |
AFPUB-2018-GEN-001-DRAFT03 |
Date Submitted: 5 June 2019 Version: 3.0 Amends: CPM art 8.0 |
|
Author: |
Jordi Palet Martinez jordi.palet at theipv6company.com The IPv6 Company
|
||
Obsoletes: |
|
Proposal
1.0 Summary of the problem being addressed by this proposal
The current policy doesn’t imply the obligation to register an abuse contact and specifies a format for personal communication and for “automatic reporting”, which compared to other RIRs becomes confusing, as a single email will be more efficient, as at the end, reports get copied to both emails.
As a result, some resource-holders may not have this contact information registered and up to date for their resources. In fact, there are even cases of non-existent mailbox or one that is not actively monitored.
In practice, this contact becomes ineffective to report abuses and generally gives rise to security issues and costs for the victims.
This proposal aims to solve this problem and ensure the existence of a proper abuse-c contact and the process for its utilization, which is more uniform across all the RIRs, in order to facilitate cross-region abuse reporting.
Existing policy references to a “Best Practice Paper”, which is not deemed as mandatory and in fact, is not being used by the community. This proposal doesn’t change the scope of that document, and in fact, a link between the few existing IRT objects and the new one, should be automatically established.
At this way, AfriNIC abuse contact will be in line with other RIRs. APNIC is now using the IRT, but since an equivalent proposal has been accepted, an automated “link” (alias) to the pre-existing IRT will be created, so abuse-c and abuse-mailbox prevail.
There is no need to delete the other optional data today included in the IRT. This policy just ensures that the abuse-mailbox is available and verified periodically.
2.0 Summary of how this proposal addresses the problem
The Internet community is based on collaboration. However, in many cases this is not enough and we all need to be able to contact those LIRs that may be experiencing a problem in their networks and are unaware of the situation.
This proposal creates a new section in the Policy Manual to solve this problem by means of a simple, periodic verification, and establishes the basic rules for performing such verification and thus avoids unnecessary costs to third parties that need to contact the persons responsible for solving the abuses of a specific network.
The proposal guarantees that the cost of processing the abuse falls on the resource-holder whose client is causing the abuse (and from whom they receive financial compensation for the service), instead of falling on the victim, as would be the case if they had to resort to the courts, thus avoiding costs (lawyers, solicitors, etc.) and saving time for both parties.
For this, the abuse-c attribute becomes mandatory in the “aut-num”, "inetnum" and "inet6num" objects, as well as in any others that may be used in the future. This attribute is an abuse contact, which must contain at least the "abuse-mailbox" attribute.
The proposal is expected to be implemented in 90 days, to be confirmed by AfriNIC, a reasonable time frame to allow both the staff to develop the tool and the LIRs to update their abuse-c contacts.
3. Proposal
3.1 Amending 8.0 of the CPM, as follows:
Current |
Proposed |
8.1 Introduction This policy specifies a dedicated object that shall be used as the preferred place to publish abuse public contact information within the AFRINIC service region. The mentioned object can be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC whois Database. It provides a more accurate and efficient way for abuse reports to reach the correct network contact |
8.1 Introduction This policy specifies a mandatory object that must be used to publish abuse public contact information within the AFRINIC service region. The mentioned object must be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC whois Database. It provides a more accurate and efficient way for abuse reports to reach the correct contact. |
8.2 Policy details: To make available a new or use an already existing whois database object that implements the following properties:
The object should be accessible through the whois protocol. AFRINIC to publish a Best Practice Paper that encourages all members actively to use the object for publishing abuse contact information. |
8.2 Description of “abuse-c” and “abuse-mailbox” Resources allocated/assigned by AfriNIC must include a mandatory "abuse-c" contact attribute (abuse contact) in their corresponding WHOIS entry, with at least one valid, monitored and actively managed email inbox (abuse-mailbox) intended for receiving manual or automatic reports regarding abusive behavior, security issues, and the like. The "abuse-mailbox" attribute must be available in an unrestricted way via whois, APIs and future techniques. Considering the hierarchical nature of IP address objects, child objects of those directly distributed by AfriNIC may be covered by parent objects or they may have their own "abuse-c" attribute. Following usual practices, other "e-mail" attributes may be included for other purposes. |
8.3 Advantages and disadvantages of the policy 8.3.1 Advantages
8.3.2 Disadvantages This object, like all other existing objects, will face the data accuracy problem. This policy aims to address the issue of a missing place for abuse contact information and will not improve data accuracy in the whois database. Nevertheless, it is suggested to AFRINIC to offer a way to receive reports about not working or not accurate objects. |
8.3 About the "abuse-mailbox" Emails sent to "abuse-mailbox" must require manual intervention by the recipient at some point, and may not be filtered, because in certain cases this might prevent receiving the abuse reports. For example, in a spam case where the abuse report could include the spam message itself or URLs or content usually classified as spam. The "abuse-mailbox" may initially send an automatic reply, for example, assigning a ticket number, applying classification procedures, requesting further information, etc. However, it should not require that the abuse reporter fills a form, as this will imply that each company that needs to report abuse cases (a task that is typically automated), would be forced to develop a specific interface for each ISP in the world that mandates filling forms, which is neither feasible nor logical, as it would place the cost of processing the abuse on those who submit the claim and are therefore victims of the abuse, instead of being paid for by the those whose client causes the abuse (and from whom they obtain income). By way of information, it is worth noting that it is reasonable to expect that the abuse reporting procedure sends, with the initial abuse report, the logs, a copy of the spam message (attaching an example of the spam email or its full headers), or equivalent evidence (depending on the abuse type). Likewise, it is reasonable to expect that the initial auto-reply email could specify that the claim will not be processed unless such evidence has been submitted, thus allowing the sender an opportunity to repeat the submission and include relevant evidence. This allows automatic reporting, for example, via fail2ban, SpamCop or others, keeping costs at a minimum for both parties involved. Commonly, if a ticket number has been generated, it should be kept (typically as part of the subject) through successive communications. |
8.4 Objectives of "abuse-c"/"abuse-mailbox" validation The procedure, which will be developed by AFRINIC, must meet the following objectives:
The “initial” and “escalation” validation periods may be modified by AFRINIC, if deemed appropriate, informing the community about the motivation. For example, it could be longer for the first validation, once this policy is implemented, and shortened afterwards once the percentage of failures decreases, so the quality of the contacts increases and consequently a decrease in the average abuse response times could be expected. (By way of example, a detailed procedure is included in this policy proposal under "Additional Information"). |
|
8.5 Validation of "abuse-c"/"abuse-mailbox" AFRINIC will validate compliance with the items above, both when the "abuse-c" and/or "abuse-mailbox" attributes are created or updated, as well as periodically, not less than once every 6 months, and whenever AFRINIC sees fit. Lack of compliance will lead to a more exhaustive follow-up, warnings and blocking of certain services, at AFRINIC discretion, in accordance with the relevant policies/procedures. The frequency of the periodic validation could be modified if the AFRINIC deems this appropriate and informs the community of its reasons. For example, a single validation could be done in the first year, to facilitate adherence to the policy, and then the number of annual validations could progressively increase, reaching even quarterly ones, with the aim of improving the quality of the contacts. |
|
8.6 Escalation to AFRINIC In order to allow escalation of fraudulent behavior (for example, an "abuse-mailbox" that only replies to AFRINIC's emails, or to messages with a specific subject or content), or failure to comply with the remaining aspects of this policy (incorrect or lack of response to cases of abuse), an escalation method should be provided, thus allowing for a re-validation (according to section 8.5 above). |
3.2 Additional information:
Since this proposal is implemented, AFRINIC will publish the IRT as an alias to the abuse-c, in order to facilitate the search in whois for the same information, regardless if looking for abuse-c or IRT. The rest of the actual information in the IRT, can be kept as per the actual guidelines (which will need to be updated AFRINIC). This is done in order to assimilate the IRT to the majority of the RIRs where it is abuse-c.
Example of the validation procedure.
- AFRINIC initiates the validation automatically, sending TWO consecutive emails to the "abuse-mailbox".
- These emails will be sent containing plain text only.
- At the discretion of AFRINIC, in general or in specific cases (for example, for confirmation in cases of escalation under 8.6), AFRINIC may use domains other than afrinic.*, and even modify the subject and body of the message, in order to perform said validations more effectively.
- The first email will contain the URL where the validation is to be performed ("validacion.afrinic.net") and may contain information about the procedure, a brief summary of this policy, etc.
- The second email will contain a unique alphanumeric validation code.
- The person in charge of the "abuse-mailbox" must go to the URL and paste the code received in the second email in the form.
- This URL must be designed in such a way that it prevents the use of an automated process (for example, "captcha"). In addition, it must contain a text that confirms that the person performing the validation understands the procedure and the policy, that they regularly monitor the "abuse-mailbox", that measures are taken to solve reported cases of abuse, and that the abuse report receives a response, with a "checkbox" that must be accepted in order to proceed.
- The alphanumeric code will only be valid for a maximum of 15 working days.
- If the code is not entered within that time, the system will mark the "abuse-c" as "temporarily invalid” and will alert AFRINIC staff so that they can initiate a personalized follow-up with the resource-holder.
- If no reply is received confirming that the situation has been corrected, after an additional period of 15 business days, the "abuse-c" will be permanently marked as "invalid".
- AFRINIC must ensure that all possible means of “warning” the resource-holder are put in place, such as periodic emails to other email boxes, alert pop-ups, etc. All those must contain the policy text and reminders about consequences in case of continued policy violation. Means of blocking access to certain services should be also considered.
- The validation process will be repeated automatically (items 1 to 8 above). If satisfactory, the "abuse-c" will be marked as "valid"; otherwise it will be considered in breach of the policy.
- There must be tools such as a form, mailbox (for example, a mailbox such as "abuse-escalation@afrinic.net"), or others in the future, to escalate lack of compliance with this policy and even the intermediation by AFRINIC and, where appropriate, the application of the relevant policies/procedures, especially those related to revocation of resources.
References
An equivalent proposal has been accepted in APNIC and is under discussion in the ARIN, LACNIC and RIPE regions.
Staff Assessment
Proposal |
AFPUB-2018-GEN-001-DRAFT03 |
Title |
Abuse Contact Policy Update – v3 |
Proposal UR |
https://afrinic.net/policy/proposals/2018-gen-001-d3#proposal |
Assessed |
20 July 2019 |
1.0 Staff Understanding of the Proposal
- Replacement policy text to current CPM 8.0 (Abuse Contact Information) - [sec 8.1]
- Introduces a mandatory "abuse-c" attribute in inetnum, inet6num and aut-num whois database objects. The value of this attribute is an e-mail address (abuse-mailbox), to which all abuse related information shall be sent. The abuse-mailbox is optional in child objects of parent direct allocations or assignments issued by AFRINIC - [sec 8.2]
- The abuse-mailbox must be valid and actively monitored through period verification - [sec 8.2]
- Email sent to the abuse-mailbox must need manual intervention by the recipient at some point- [sec 8.3]
- AFRINIC must provision a system to validate the abuse-mailbox. The actual process is left to AFRINIC staff discretion, but could follow an example procedure in sec 3.2 of the policy proposal, with a recommended minimum validation interval of at least once every 6 months - [sec 8.4]
- Abuse-c mailboxes that fail validation tests will lead to eventual blocking of certain services, at AFRINIC discretion (and in accordance with the relevant policies/procedures) - [sec 8.5]
- An escalation mechanism to AFRINIC must be provided where any concerns with the validation process can be reported by community and/or members. This can also help with manual re-validations. - [sec 8.6]
2.0 Staff Comments
- There is already an existing solution through the IRT object, which is currently optional - (and which seems to address the intent of the proposal) - which can be made mandatory for directly issued resource objects by AFRINIC. An added advantage of using the IRT is that it can hold more information than just an e-mail address, such as physical address, phone numbers and PGP keys for secure communication.
- During the AFRINIC30 Public Policy Meeting, the author clarified that the IRT can be an 'alias' of the abuse-c. We note however that it is confusing to use IRT as an alias to the abuse-c and the other way round - we would not know how to implement such a requirement unless the author guides with detailed specifications through the policy proposal or through the (DBWG) database working group.
- In proposed 8.5 where abuse-c mailboxes that fail validation tests will lead to eventual blocking of certain services, at AFRINIC discretion (and in accordance with the relevant policies/procedures). The policy proposal needs to be clear on what specific services shall be blocked. However, it's important to note that without this clause in the first place, a breach of the policy (such as lack of valid abuse-c if this proposal were to pass) amounts a breach of the RSA, which can lead to eventual revocation of the same RSA and associated services.
3.0 Legal Observations
None
- Implementation:
- Timeline & Impact: About 6 months of software development work.
- Implementation Requirements: Modifications to WHOIS codebase depending on the solution that will eventually be ratified.
Revision History
Revision History
Date |
Details |
12 August 2018 |
Version 1: AFPUB-2018-GEN-001-DRAFT01 Initial Draft Posted to rpd |
20 November 2018 |
Version 2: AFPUB-2018-GEN-001-DRAFT02 Version 2 Posted to rpd |
5 June 2019 |
Version 3: AFPUB-2018-GEN-001-DRAFT03
|