[arin-discuss] The joy of SWIPping

Paul Vixie paul at vix.com
Mon May 12 15:05:48 EDT 2008


> > as far as that goes, is there general support here for the idea of the
> > RIRs running mail forwarders for well-formatted non-robotic abuse
> > complaints that can be forwarded to the registered operator of the
> > netblock, without exposing the operator's internal ticket system e-mail
> > address via whois?
> 
> Are you suggesting that the RIRs act as front-end filters/forwarders for
> member org abuse@'s?  That seems to me to be way out of the scope of the
> current responsibilities of RIRs, and I can see it being a scaling nightmare
> for them.

it's a natural trust chokepoint, and private sector alternatives can't launch.

> Are we looking for ways for ARIN to expand (hire more staff) and burn more
> money (buy, house, operate clusters of mail servers)?

since i'm an arin trustee, i have to take that question seriously.  "no."  if
i were not a trustee, i would have ignored the question altogether.  JFYI.

> Did you maybe mean LIRs?

LIRs should also be doing this, yes, and also domain registrars and registries.

but, my observation is that services akin to spamcop have wrecked the whois
data, by essentially spamming network operators with low-grade complaints (in
strange useless formats, often falsely positive) which has caused network
operators to publish only worthless ticket system ("ignore-bot") addresses in
their whois.  RIRs and LIRs have more information about network operators than
goes into whois.  billing information, for example, and authentication
information for online records changes.

my proposal is that these "natural trust chokepoints" be augmented to allow
bona fide human-originated communication, most of which will probably be abuse
complaints, to be submitted to the RIR (and LIR and domain registrar and so on
but that's not a topic for this mailing list, we're all about RIRs here), who
would then forward it to the network operator's unpublished human-answered
ticket system.

a few years ago somebody gave me a present, a 300K node www-based botnet.  it
has got down to less than 10K nodes, so i guess folks have been buying new
computers or upgrading their anti-virus software or whatever.  but i sure would
like to have a way to tell the owners of these machines, "hey! wake up!".  my
only knowledge of their identity is their IP address at a certain date+time,
and that ought to be enough, but it's not.

but it could be.


