[arin-ppml] Policy Proposal 95: Customer Confidentiality

William Herrin bill at herrin.us
Fri Jan 29 19:41:56 EST 2010

On Fri, Jan 29, 2010 at 6:07 PM, Joe Morgan <joe at joesdatacenter.com> wrote:
> If I was going to hide a spammer would I provide the actual swip
> information in the first place?

Certainly. If you were clever about it, you'd SWIP it to look like a
bunch of entirely different residential customers. If you were subtle
about it, you could keep the antispam folks chasing their tails for
weeks before they started to smell a rat.

SWIP's point is to "keep honest people honest." You cook the books in
plain view and sooner or later someone will poke around and realize
something isn't right. So you don't cook the books. You pad your
requests a little bit, maybe you're a bit tardy deallocating departed
customers, but you don't make a big hoarding grab. And you can have
confidence that no one else will either because they have the same
hurdle you do.

Hide enough information to make public audits impossible and you
defeat the whole point of SWIP. I can't read a list of nothing but
names and make any sort of reasonable assessment whether they're
legit. Neither can you. And ARIN isn't actively trolling for fraud;
they rely on members of the community realizing that something is
squirrelly and reporting it.

Anyway, that's why I oppose this proposal... Not because its
proponents are anything but honest but because I'd like to see them
continue to be honest. And I'd like to see any of the proponents'
competitors who would abuse the process to gain advantage fail.

There is a point worth introducing to the conversation: last I
checked, trolling the whois records for the purpose of making
solicitations is against the rules. If you catch someone at it, you
ought to report them to ARIN. Anyone going after your static-IP'ed
customers will need to have IPs of their own, making them subject to
ARIN's enforcement. If ARIN's penalties opposing whois misuse are not
performing well enough, perhaps we should look at some policy
proposals to correct that more directly.

How about something like this:

"ISPs may designate up to 2% of the addresses used for internal
infrastructure to be published in whois intentionally misidentified as
an end user. Such records shall be bait for the purpose of catching
those who misuse the whois facility to solicit business. Any ARIN
member caught soliciting such a bait record shall pay damages to both
ARIN and the offended ISP consistent with the expectation that they
have similarly solicited all of the offended ISP's customers. Chronic
repeat offenders shall forfeit their number resources."

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
