Abuse Contact Policy Update (Draft 7)

Proposal

1. Summary of the problem being addressed by this proposal

The current policy doesn’t imply the obligation to register an abuse contact and specifies a format for personal communication and for “automatic reporting”, which compared to other RIRs becomes confusing, as a single email will be more efficient, as, in the end, reports get copied to both emails.

As a result, some resource-holders may not have this contact information registered and up to date for their resources. In fact, there are even cases of a non-existent mailbox or one that is not actively monitored.

In practice, this contact becomes ineffective to report abuses and generally gives rise to security issues and costs for the victims. This is also contradictory with RSA, which states that information in databases must be accurate. This policy ensures that this can be automatically and periodically verified by AFRINIC, without entering in the operational details of how to do it. In fact, there is an AFRINIC activity (https://afrinic.net/stats/contact-update) that aims for the verification of the contacts, however, it has only reported for 2017. Again, this proposal, ensures that this activity is done in an automated fashion (as much as possible), saving cost to the membership and the community.

This proposal aims to solve this problem and ensure the existence of a proper abuse-c contact and the process for its utilization, which is more uniform across all the RIRs, in order to facilitate cross-region abuse reporting.

Existing policy references to a “Best Practice Paper”, which is not deemed as mandatory and in fact, is not being used by the community. This proposal doesn’t change the scope of that document, and in fact, a link between the few existing IRT objects and the new one should be automatically established.

In this way, AFRINIC abuse contact will be in line with other RIRs. APNIC, for example, is now using the IRT, but since an equivalent proposal has been accepted, an automated “link” (alias or pointer) to the pre-existing IRT will be created, so abuse-c and abuse-mailbox prevail.

There is no need to delete the other optional data today included in the IRT, it is an operational AFRINIC decision on how to handle the transition. This policy just ensures that abuse-c and abuse-mailbox are available and verified periodically.

 

2. Summary of how this proposal addresses the problem

The Internet community is based on collaboration. However, in many cases, this is not enough and we all need to be able to contact those LIRs that may be experiencing a problem in their networks and are unaware of the situation.

This proposal creates a new section in the Policy Manual to solve this problem by means of a simple, periodic verification, and establishes the basic rules for performing such verification and thus avoids unnecessary costs to third parties that need to contact the persons responsible for solving the abuses of a specific network.

The proposal guarantees that the cost of processing the abuse falls on the resource-holder whose client is causing the abuse (and from whom they receive financial compensation for the service), instead of falling on the victim, as would be the case if they had to resort to the courts, thus avoiding costs (lawyers, solicitors, etc.) and saving time for both parties.

For this, the abuse-c attribute becomes mandatory in the “aut-num”, "inetnum" and "inet6num" objects, as well as in any others that may be used in the future. This attribute is an abuse contact, which must contain at least the "abuse-mailbox" attribute.

The proposal is expected to be implemented in 90 days, to be confirmed by AFRINIC, a reasonable time frame to allow both the staff to develop the tool and the members to update their abuse-c contacts.

 

3. Proposal

3.1 Amending 8.0 of the CPM, as follows: 

 

Current	Proposed
8.1 Introduction This policy specifies a dedicated object that shall be used as the preferred place to publish abuse public contact information within the AFRINIC service region. The mentioned object can be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC whois database. It provides a more accurate and efficient way for abuse reports to reach the correct network contact	8.1 Introduction This policy specifies a mandatory attribute (abuse-c) that must be used to publish abuse public contact information within the AFRINIC service region. The mentioned attribute must be referenced in the inetnum, inet6num and aut-num objects in the AFRINIC WHOIS database. It provides a more accurate and efficient way for abuse reports to reach the correct contact.
8.2 Policy details: To make available a new or use an already existing whois database object that implements the following properties: A unique reference by inetnum, inet6num and aut-num Contains 2 email attributes: "e-mail:" for personal communication "abuse-mailbox:" for automatic report handling The object should be accessible through the whois protocol. AFRINIC to publish a Best Practice Paper that encourages all members actively to use the object for publishing abuse contact information.	8.2 Description of “abuse-c” and “abuse-mailbox” Resources allocated/assigned by AFRINIC must include a mandatory "abuse-c" contact attribute (abuse contact), pointing to a person or role, with at least one valid, monitored and actively managed email inbox (abuse-mailbox) intended for receiving reports regarding abusive behaviour, security issues, and the like. The "abuse-mailbox" attribute must be available in an unrestricted way via WHOIS, APIs and future techniques. Considering the hierarchical nature of IP address objects, child objects of those directly distributed by AFRINIC may be covered by parent objects or they may have their own "abuse-c" attribute. Following usual practices, other "e-mail" attributes may be included for other purposes.
8.3 Advantages and disadvantages of the policy 8.3.1 Advantages Networks will be able to supply their own, direct contact information for abuse departments. Abuse complaints will not be sent to the "wrong" contact anymore. This permits greater administrative and operational flexibility, and faster abuse handling will be possible. 8.3.2 Disadvantages This object, like all other existing objects, will face the data accuracy problem. This policy aims to address the issue of a missing place for abuse contact information and will not improve data accuracy in the whois database. Nevertheless, it is suggested to AFRINIC to offer a way to receive reports about not working or not accurate objects.	8.3 About the "abuse-mailbox"  Emails sent to "abuse-mailbox": Require intervention by the recipient. Must not require the reporter to complete a form. Must guarantee that abuse reports and related logs, examples, or email headers are received.
	8.4 Objectives of "abuse-c"/"abuse-mailbox" validation The procedure, which will be developed by AFRINIC, must meet the following objectives: A simple process that guarantees the abuse contact is able to fulfil its intended purpose. Confirms that the resource holder: has read the procedure and the policy regularly monitor the abuse-mailbox measures are taken abuse reports receive a response. Initial validation period of no longer than 15 days. If validation fails, escalate to other LIR contacts and set a new validation period not to exceed 15 days.
	8.5 Validation of "abuse-c"/"abuse-mailbox" AFRINIC will validate compliance with the items above, both when the "abuse-c" and/or "abuse-mailbox" attributes are created or updated, as well as periodically, not less than once every 6 months, and whenever AFRINIC sees fit.
	8.6 Escalation to AFRINIC Fraudulent behaviour (for example, an "abuse-mailbox" that only replies to AFRINIC's emails, or to messages with a specific subject or content), or failure to comply with the remaining aspects of this policy (incorrect or lack of response to cases of abuse) can be reported to AFRINIC for a re-validation (as per section 8.5 above).
	8.7 Slow-start and progress follow-up The initial/escalation periods and the validation periodicity set by this policy can be amended yearly by AFRINIC, considering internal procedures, staffing needs and actual data, considering both, a slow-start and follow-up of the accuracy of the data. The reasons for the amendments shall be properly communicated to the community.

   

3.2 Additional information:

If this proposal reaches consensus, to comply with it, AFRINIC must rename mnt-IRT to abuse-c. It is an operational AFRINIC decision if an alias (pointer, duplicated attribute, or any other alternative) to mnt-IRT is kept and for how much time (transition period), in order to facilitate the search in whois for the same information, regardless if looking for abuse-c or mnt-IRT. It is an operational AFRINIC decision to keep and for how much time, the IRT or delete it, as well as the rest of the actual information in the IRT. AFRINIC will also decide how to better update the actual guidelines (https://www.afrinic.net/library/membership765-abuse-policy-bcp) or if they aren’t longer needed. This is done in order to assimilate the IRT to the majority of the RIRs where it is abuse-c.

As a matter of clarification, the “initial” and “escalation” validation periods may be modified by AFRINIC, if deemed appropriate, provided it informs the community of its motivation for doing so. For example, in the implementation phase, the periods could be extended, and adjusted as a higher percentage of contacts become accurate.

Similarly, the frequency of the periodic validation can be modified if AFRINIC deems this appropriate and informs the community of its reasons for doing so.

For example, a single validation might be done in the first year to facilitate adherence to the policy. The number of annual validations could increase over time, perhaps becoming quarterly, with the aim of improving the quality of the contacts.

This will facilitate AFRINIC for a “slow-start” to implement the policy and ensure that no additional staff is required in the initial implementation phases, as depending on the rate of failed contacts, they may need more time for the first passes through all the membership. For example, could be expected that the first pass takes 12-24 months, and be done by different types of members (LIRs/end-users/others), with a batch each month or even holding the next batch in case of a very high failure rate, etc.

As in all the other policies, this one doesn’t set specific different conditions for legacy holders. This is a generic AFRINIC issue that should be tackled in a uniform way for all the policy manual.

Similarly, the policy doesn’t state the consequences of lack of compliance, as this is generically stated in the RSA.

The policy doesn't define what is abuse, because that definition doesn’t fall in any way in the actions from the AFRINIC perspective. Each Internet participant shall define what is abuse for them, and if others don’t respect that, they can use the abuse-c to contact them and in case of inaction to resolve the case, they should escalate the matter according to their own internal procedures, which in some cases, may also depend on their local regulations. All that is outside the scope of AFRINIC.

There is no additional GDPR impact by this policy, as this is already covered by all the existing AFRINIC regulations on that matter.

This proposal doesn't enforce any implementation timing, which is left to the operational practices, priorities and staffing needs of AFRINIC.

 

 4. References            

An equivalent proposal has been accepted in APNIC (already implemented) and LACNIC (under implementation). A new version is being worked out for RIPE and ARIN.

 

Revision History

Revision History

Date	Details
12 August 2018	Version 1: AFPUB-2018-GEN-001-DRAFT01 Initial Draft Posted to rpd
20 November 2018	Version 2: AFPUB-2018-GEN-001-DRAFT02 Initial Draft Posted to rpd
5 June 2019	Version 3: AFPUB-2018-GEN-001-DRAFT03
2nd November 2019	Version 4: AFPUB-2018-GEN-001-DRAFT04 Overall simplification of the text
21 November 2019	Version 5: AFPUB-2018-GEN-001-DRAFT05 Further clarifications of the text
5 August 2020	Version 6: AFPUB-2018-GEN-001-DRAFT06 Editorial improvements Corrected typo in 'References' (2020/09/15)
17 May 2021	Version 7: AFPUB-2018-GEN-001-DRAFT07 Further text clarifications based on the previous discussion and AI

 

AFRINIC Policy Impact Assessment

 

AFRINIC Staff Assessment

 

1 Staff Interpretation & Understanding of the proposal

This policy proposal requests AFRINIC to implement a proper abuse-c contact and abuse-mailbox. It updates Section 8.0 of the Consolidated Policy Manual. At the moment, AFRINIC WHOIS objects; aut-num, inetnum and inet6num do not contain the abuse-c attribute.

 

A - The abuse-c:-

• must be used to publish abuse public contact information within the AFRINIC service region.
• are verified automatically and periodically with the use of automation, where possible by AFRINIC in order to facilitate in/cross-region abuse reporting.
• does not replace the data included in the IRT object on the AFRINIC WHOIS database implemented at the moment
• is mandatory in resource objects “aut-num”, "inetnum" and "inet6num" in resources allocated/assigned by AFRINIC as well as other resources that may be used in the future
• present in child objects of those directly distributed by AFRINIC (Assignments, sub-allocations) can be either be new or inherited from the parent resources delegated by AFRINIC
• shall have at least one valid and actively monitored abuse-mailbox attribute
• shall point to a person or role, with at least one valid, monitored and actively managed email inbox (abuse-mailbox)
• The "abuse-mailbox" attribute must be available in an unrestricted way via WHOIS, APIs and future techniques.

 

B - Abuse-c/abuse-mailbox validation

AFRINIC shall develop the procedure for abuse-c/abuse-mailbox validation that meets the following objectives:-

1. A simple process that guarantees the abuse contact is able to fulfil its intended purpose.
2. Confirms that the resource holder:
   • has read the procedure and the policy
   • regularly monitor the abuse-mailbox
   • measures are taken
   • abuse reports receive a response.
3. initial validation period of no longer than 15 days.
4. If validation fails, escalate to other LIR contacts and set a new validation period not to exceed 15 days.

Frequency of validation conducted by AFRINIC:-

1. At the time abuse-c/abuse-mailbox are created
2. At the time abuse-c/abuse-mailbox are updated
3. Periodically - not less than once every 6 months
4. whenever AFRINIC sees fit.

 

C. Escalation to AFRINIC

AFRINIC shall ensure that reporters can escalate and report fraudulent behaviour such as:-

1. Unresponsive abuse-mailbox
2. Abuse-mailbox that only replies to AFRINIC's emails, or to messages with a specific subject or content)
3. Failure to comply with the remaining aspects of this policy (incorrect or lack of response to cases of abuse)

Such cases will trigger revalidation of the abuse-c contact.

D. AFRINIC shall:-

• Provide a reasonable time frame to allow both the staff to develop the tool and the members to update their abuse-c contacts.
• The initial policy compliance enforcement period is not specified and hence implied alignment with the 6 months validation period is assumed

Benefit to AFRINIC

• The accuracy of the WHOIS database in terms of abuse contacts will increase as its members adopt and implement an abuse contact in compliance with this policy.
• The number of abuse reports logged tickets may reduce as reporters will be able to query WHOIS DB to get the abuse email addresses to which such reports shall be directed.

 

2 AFRINIC Recommendations

None

 

3 AFRINIC Clarification Requests

None

 

4 Impact on Registry Functions

If this proposed policy reaches consensus;

1. an improvement in the accuracy and currency of registry data is expected, as the “abuse-mailbox:” attributes are expected to be current and correct.
2. the number of abuse emails that are directed to AFRINIC queues due to lack of abuse contacts currently are expected to reduce.

 

Month	Jun-20	Jul-20	Aug-20	Sep-20	Oct-20	Nov-20	Dec-20	Jan-21	Feb-21	Mar-21	Apr-21	May-21
No. of tickets	557	1054	129	100	61	81	112	117	86	133	106	122

 

4.1 Processes

The process(es) that drive the management of contact information of resource members will be amended to include the abuse contact.

4.2 Procedures

MS procedures will require updates as follows:-

• A new procedure/sub-process to be developed for the validation of the abuse-c/abuse-mailbox.

4.3 Documentation

Website update with an abuse-c policy guideline

4.4 Systems - RPKI

No Impact

4.5 Systems - WHOIS

The abuse-c shall be a person/role object on the whois database. abuse-mailbox is already an attribute of the person/role object.

• The abuse-c attribute shall be added on the WHOIS database as an attribute to inetnum, inet6num and aut-num objects
• deprecate IRT object
• Remove mnt-irt attributes from inetnum, inet6num and aut-num objects.
• Add validation rules to force abuse-mailbox on person and role objects which are referenced via the abuse-c attribute.
• A WHOIS query of the inetnum, inet6num and aut-num shall provide the abuse contact in the response.

 

Analysis Breakdown

Object	Count in WHOIS DB	Protected by MNT-IRT
inetnum	139268	232
inet6num	31230	33
aut-num	1915	32

 

Member organisations: 28 Out of a total of 1857 resource members have adopted the current abuse contact policy and 27 IRT objects (out of 42 IRT objects created in the WHOIS DB) are referenced in their resources on the whois database.

4.6 Systems - MyAFRINIC

Since members are able to manage their contact information from MyAFRINIC, software development will be required to implement this policy on MyAFRINIC

1. Coding will be required to ensure creation/updates/import of abused contacts
2. Abuse contacts shall not have login credentials on MyAFRINIC unless if it is being used in another role as well and hence will be maintained by admin/tech contacts
3. Update of the resource issuance/update business rules to make abuse-c mandatory(all or excl legacy TBC)
4. Updates of the sub-allocation and assignment forms with business rule around abuse-c
5. A tool to validate the mailboxes as mandated by this policy proposal will have to be implemented and abuse contacts flagged as valid/invalid
6. A tool to enable members to implement the abuse-c will be developed.

4.7 Systems - NMRP

Since the abuse-c will become mandatory, changes will be needed on NMRP as well where the applicant should provide the abuse-mailbox email to be added to the resources if the request is approved.

4.8 Systems - Infrastructure

No impact

4.9 Systems - Netsuite

No impact

4.10 Impact on Resource Holders

In addition to the existing person/role objects that serve as administrative and technical contacts, members shall:-

1. provide an abuse-c contact to AFRINIC that is valid, monitored and actively managed
2. ensure that emails sent to the abuse-mailbox in the abuse-c contact
   • Require their intervention
   • Must not require the reporter to complete a form.
   • Must guarantee that abuse reports and related logs, examples, or email headers are received.
3. Ensure that their internal abuse handling procedures reflect the above in order to comply with the policy.
4. Service support (inclusive of help desk/resource applications) shall be offered only to members who are in compliance with this policy.
5. Ensure that they keep their contact information, inclusive of abuse-c accurate at all times so as to be in compliance with this policy and the RSA

 

5 Financial Impact

No impact

 

6 Legal impact

In case this policy reaches consensus, non-compliance with this policy by an AFRINIC member will be considered a breach of the RSA clause and the member will be encouraged to remedy the breach. Persistent non-compliance may entail revocation of the RSA as per the clause.

 

7 Implementation timelines

AFRINIC has taken note that it can amend yearly, the initial/escalation periods and the validation periodicity set by this policy, considering internal procedures, staffing needs and actual data, considering both, a slow-start and follow-up of the accuracy of the data. The reasons for the amendments shall be properly communicated to the community.

In this regard, should this policy gain consensus, AFRINIC will adopt a phased implementation while keeping the community informed.