Details
Ref. Name: AFPUB-2018-GEN-001-DRAFT02 |
Versions: 2.0 Status: Under Discussion |
Author: Jordi Palet Martinez jordi.palet [at] theipv6company.com The IPv6 Company
|
Amends: CPM art 8.0 | ||
Submitted: 20 November 2018 |
Proposal
1.0 Summary of the problem being addressed by this proposal
The current policy doesn’t imply the obligation to register an abuse contact and specifies a format for personal communication and for “automatic reporting”, which compared to other RIRs becomes confusing, as a single email will be more efficient, as at the end, reports get copied to both emails.
As a result, some LIRs may not have this contact information registered and up to date for their resources. In fact, there are even cases of LIRs that use a non-existent mailbox or one that is not actively monitored.
In practice, this contact becomes ineffective to report abuses and generally gives rise to security issues and costs for the victims.
This proposal aims to solve this problem and ensure the existence of a proper abuse-c contact and the process for its utilization, which is more uniform across all the RIRs, in order to facilitate cross-region abuse reporting.
Existing policy references to a “Best Practice Paper”, which is not deemed as mandatory and in fact, is not being used by the community. This proposal doesn’t change the scope of that document, and in fact, a link between the few existing IRT objects and the new one, should be automatically established.
At this way, AFRINIC abuse contact will be in line with other RIRs. APNIC is now using the IRT, but since an equivalent proposal has been accepted, an automated “link” with the existing IRT will be created, so abuse-c and abuse-mailbox prevail.
There is no need to delete the other optional data today included in the IRT. This policy just ensures that the abuse-mailbox is available and verified periodically.
2.0 Summary of how this proposal addresses the problem
The Internet community is based on collaboration. However, in many cases this is not enough and we all need to be able to contact those LIRs that may be experiencing a problem in their networks and are unaware of the situation.
This proposal creates a new section in the Policy Manual to solve this problem by means of a simple, periodic verification, and establishes the basic rules for performing such verification and thus avoids unnecessary costs to third parties that need to contact the persons responsible for solving the abuses of a specific network.
The proposal guarantees that the cost of processing the abuse falls on the LIR whose client is causing the abuse (and from whom they receive financial compensation for the service), instead of falling on the victim, as would be the case if they had to resort to the courts, thus avoiding costs (lawyers, solicitors, etc.) and saving time for both parties.
For this, the abuse-c attribute becomes mandatory in the “aut-num”, "inetnum" and "inet6num" objects, as well as in any others that may be used in the future. This attribute is an abuse contact, which must contain at least the "abuse-mailbox" attribute.
The proposal is expected to be implemented in 90 days, to be confirmed by AFRINIC, a reasonable time frame to allow both the staff to develop the tool and the LIRs to update their abuse-c contacts.
3. Proposal
3.1 Amending 8.0 of the CPM, as follows:
Current |
Proposed |
8.1 Introduction This policy specifies a dedicated object that shall be used as the preferred place to publish abuse public contact information within the AFRINIC service region. The mentioned object can be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC whois Database. It provides a more accurate and efficient way for abuse reports to reach the correct network contact |
8.1 Introduction This policy specifies a mandatory object that must be used to publish abuse public contact information within the AFRINIC service region. The mentioned object must be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC whois Database. It provides a more accurate and efficient way for abuse reports to reach the correct contact. |
8.2 Policy details: To make available a new or use an already existing whois database object that implements the following properties:
The object should be accessible through the whois protocol. AFRINIC to publish a Best Practice Paper that encourages all members actively to use the object for publishing abuse contact information. |
8.2 Description of “abuse-c” and “abuse-mailbox” All resources allocated by AFRINIC must include a mandatory "abuse-c" contact attribute (abuse contact) in their corresponding WHOIS entry, with at least one valid, monitored and actively managed email inbox (abuse-mailbox) intended for receiving manual or automatic reports regarding abusive behavior, security issues, and the like. The "abuse-mailbox" attribute must be available in an unrestricted way via whois, APIs and future techniques. Considering the hierarchical nature of IP address objects, child objects of those directly distributed by AFRINIC may be covered by parent objects or they may have their own "abuse-c" attribute. Following usual practices, other "e-mail" attributes may be included for other purposes. |
8.3 Advantages and disadvantages of the policy
8.3.1 Advantages
8.3.2 Disadvantages This object, like all other existing objects, will face the data accuracy problem. This policy aims to address the issue of a missing place for abuse contact information and will not improve data accuracy in the whois database. Nevertheless, it is suggested to AFRINIC to offer a way to receive reports about not working or not accurate objects. |
8.3 About the "abuse-mailbox" Emails sent to "abuse-mailbox" must require manual intervention by the recipient at some point, and may not be filtered, because in certain cases this might prevent receiving the abuse reports, for example in a spam case where the abuse report could include the spam message itself or URLs or content usually classified as spam. The "abuse-mailbox" may initially send an automatic reply, for example, assigning a ticket number, applying classification procedures, requesting further information, etc. However, it should not require that the abuse reporter fills a form, as this will imply that each company that needs to report abuse cases (a task that is typically automated), would be forced to develop a specific interface for each ISP in the world that mandates filling forms, which is neither feasible nor logical, as it would place the cost of processing the abuse on those who submit the claim and are therefore victims of the abuse, instead of being paid for by the those whose client causes the abuse (and from whom they obtain income). By way of information, it is worth noting that it is reasonable to expect that the abuse reporting procedure sends, with the initial abuse report, the logs, a copy of the spam message (attaching an example of the spam email or its full headers), or equivalent evidence (depending on the abuse type). Likewise, it is reasonable to expect that the initial auto-reply email could specify that the claim will not be processed unless such evidence has been submitted, thus allowing the sender an opportunity to repeat the submission and include relevant evidence. This allows automatic reporting, for example, via fail2ban, SpamCop or others, keeping costs at a minimum for both parties involved. |
8.4 Objectives of "abuse-c"/"abuse-mailbox" validation The procedure, which will be developed by AFRINIC, must meet the following objectives: 1) A simple process that guarantees its functionality and allows the helpdesks that deal with abuse reports to verify that validation requests actually come from AFRINIC and not from third parties (which might involve security risks), avoiding, for example, a single "direct" URL for validation. 2) Avoid automated processing. 3) Confirm that the person performing the validation understands the procedure and the policy, that they regularly monitor the "abuse-mailbox", that measures are taken, and that the abuse report receives a response. 4) Validation period of no longer than 15 days. 5) If validation fails, escalate to the LIR and set a new validation period not to exceed 15 days. The “initial” and “escalation” validation periods may be modified by AFRINIC, if deemed appropriate, informing the community about the motivation. For example, it could be longer for the first validation, once this policy is implemented, and shortened afterwards once the percentage of failures decreases, so the quality of the contacts increases and consequently a decrease in the average abuse response times could be expected. (By way of example, a detailed procedure is included in this policy proposal under "Additional Information"). |
|
8.5 Validation of "abuse-c"/"abuse-mailbox" AFRINIC will validate compliance with the items above, both when the "abuse-c" and/or "abuse-mailbox" attributes are created or updated, as well as periodically, not less than once every 6 months, and whenever AFRINIC sees fit. At the discretion of AFRINIC, in general or in specific cases (for example, for confirmation in cases of escalation under 8.6), AFRINIC may use domains other than AFRINIC.*, and even modify the subject and body of the message, in order to perform said validations more effectively. AFRINIC will do a more exhaustive follow-up, in accordance with the relevant AFRINIC policies/procedures, especially those related to revocation of resources. The frequency of the periodic validation could be modified if the AFRINIC deems this appropriate and informs the community of its reasons. For example, a single validation could be done in the first year, to facilitate adherence to the policy, and then the number of annual validations could progressively increase, reaching even quarterly ones, with the aim of improving the quality of the contacts. |
|
8.6 Escalation to AFRINIC To avoid fraudulent behavior (for example, an "abuse-mailbox" that only replies to AFRINIC's emails, or to messages with a specific subject or content), or failure to comply with the remaining aspects of this policy (incorrect or lack of response to cases of abuse) and, therefore, to guarantee the quality of the services in the region with the resources allocated by AFRINIC, an escalation method should be provided (for example, a mailbox such as "This email address is being protected from spambots. You need JavaScript enabled to view it."), thus allowing for a re-validation (according to section 8.5 above) and even the intermediation by AFRINIC and, where appropriate, the application of the relevant policies/procedures, especially those related to revocation of resources. |
3.2 Additional Information
After this proposal is implemented, AFRINIC will publish the IRT also as abuse-c, in order to facilitate the search in whois for the same information, regardless if looking for abuse-c or IRT. The rest of the actual information in the IRT, can be kept as per the actual guidelines (which will need to be updated by AFRINIC). This is done in order to assimilate the IRT to the majority of the RIRs where it is abuse-c.
Example of the validation procedure.
- AFRINIC initiates the validation automatically, sending TWO consecutive emails to the "abuse-mailbox".
- These emails will be sent containing plain text only.
- The first email will contain the URL where the validation is to be performed ("validacion.AFRINIC.net") and may contain information about the procedure, a brief summary of this policy, etc.
- The second email will contain a unique alphanumeric validation code.
- The person in charge of the "abuse-mailbox" must go to the URL and paste the code received in the second email in the form.
- This URL must be designed in such a way that it prevents the use of an automated process (for example, "captcha"). In addition, it must contain a text that confirms that the person performing the validation understands the procedure and the policy, that they regularly monitor the "abuse-mailbox", that measures are taken to solve reported cases of abuse, and that the abuse report receives a response, with a "checkbox" that must be accepted in order to proceed.
- The alphanumeric code will only be valid for a maximum of two working days.
- If the code is not entered within that time, the system will mark the "abuse-c" as "temporarily invalid” and will alert AFRINIC staff so that they can initiate a personalized follow-up with the LIR.
- If no reply is received confirming that the situation has been corrected, after an additional period of three business days, the "abuse-c" will be permanently marked as "invalid".
- The validation process will be repeated automatically (items 1 to 7 above). If satisfactory, the "abuse-c" will be marked as "valid"; otherwise it will be considered in breach of the policy.
4. Revision History
Date |
Details |
20 November 2018 |
Version 2: AFPUB-2018-GEN-001-DRAFT02 |
12 March 2018 |
Version 1: AFPUB-2018-GEN-001-DRAFT01 Initial Draft Posted to rpd |
5. References
A similar proposal has been discussed in the RIPE region and is waiting for co-chairs to declare consensus.
Revision History
Date |
Details |
20 November 2018 |
Version 2: AFPUB-2018-GEN-001-DRAFT02 |
12 March 2018 |
Version 1: AFPUB-2018-GEN-001-DRAFT01 Initial Draft Posted to rpd |
Staff Assessment
Proposal | AFPUB-2018-GEN-001-DRAFT02 |
Title | Abuse Contact Policy Update |
Proposal URL | https://www.afrinic.net/policy/2018-gen-001-d2#proposal |
Assessed | 20 April 2019 |
1.0 Staff Understanding of the Proposal
- Replacement policy text to current CPM 8.0 (Abuse Contact Information) - [sec 8.1]
- Introduces a mandatory "abuse-c" attribute in inetnum, inet6num and aut-num whois database objects. The value of this attribute is an e-mail address (abuse-mailbox), to which all abuse related information shall be sent. The abuse-mailbox is optional in child objects of parent direct allocations or assignments issued by AFRINIC - [sec 8.2]
- The abuse-mailbox must be valid and actively monitored - [sec 8.2]
- Email sent to the abuse-mailbox must need manual intervention by the recipient - [sec 8.3]
- AFRINIC must provision a system to validate the abuse-mailbox. The actual process is left to AFRINIC staff discretion, but could follow an example procedure in sec 3.2 of the policy proposal - [sec 8.4]
- AFRINIC must block MyAFRINIC access for non-complying members. All functions in MyAFRINIC other than updating the abuse-mailbox shall be blocked until the abuse-mailbox has been successfully validated. - [sec 8.5]
- An escalation mechanism to AFRINIC (such as through an email address) must be provided where any concerns with the validation process can be reported by community and/or members. This can also help with manual re-validations. - [sec 8.6]
2.0 Staff Comments
- There is already an existing solution through the IRT object, which is currently optional - (and which seems to address the intent of the proposal) - which can be made mandatory for directly issued resource objects by AFRINIC. An added advantage of using the IRT is that it can hold more information than just an e-mail address, such as physical address, phone numbers and PGP keys for secure communication.
- In proposal text 3.2, "After this proposal is implemented, AFRINIC will publish the IRT also as abuse-c, in order to facilitate the search in whois for the same information, regardless if looking for abuse-c or IRT..." The proposal should be clear of the exact solution in EITHER the abuse-mailbox (with an email address) and/or an IRT object. The IRT is currently a value of the "mnt-irt" attribute. It is not clear if the "IRT" should be a value for the abuse-c attribute, or if the "abuse-mailbox" referenced in an "irt" should be the value of the abuse-c attribute, or if the "mnt-irt" attribute should be renamed to "abuse-c". In any case, the proposal needs to be clearer on one solution, but we recommend maintaining the IRT and making it mandatory.
- In proposed 8.5 where MyAFRINIC access to members with invalid abuse contacts is blocked, the blocked accounts would be unable to vote at the AGMM or other elections requiring the members to vote online, as this is done through MyAFRINIC. (Legal Adviser's opinion in Sec 3.0 below). The proposal though is not clear about the meaning of "blocking of that account's access to its resources". We suggest re-wording to specify that no database objects (including WHOIS and IRR objects) may be edited except to an add abuse-c or abuse-mailbox. If the author intends voting to be blocked, the punitive measure is certainly disproportionate to the offence, but is not an illegal act in Mauritius law.
- In proposed 8.6, it’s better to not specify an email address (for manual interventions and escalations), as this could change. It's better to reword like "AFRINIC should provide a method to report or escalate.. invalid abuse email addresses"
3.0 Comments from Legal Adviser
Non-compliance with an administrative obligation such as updating of contact information cannot be construed as such a serious offence to warrant the blocking of access which would lead to loss of voting rights. This ultimate sanction is disproportionate with the non-compliance and should be reviewed. It is not however an illegal act in Mauritius law.
4.0 Implementation
4.1 Timeline & Impact : About 6 months of software development work.
4.2 Implementation Requirements : Modifications to WHOIS codebase depending on the solution that will eventually be ratified.