[arin-ppml] Access to list of Number Resources with no valid POCs

Ted Mittelstaedt tedm at ipinc.net
Tue Aug 19 16:33:35 EDT 2014


Martin,

   i was one of the original people involved in creating this policy and
the requirement to sign a bulk whois was a compromise between the people
like me who wanted full disclosure with no strings attached and the 
people who didn't want the information disclosed at all.

   I don't think it's going to be changed.  Furthermore I will point out
that you can use a role account email address for the important POCs,
so your employee turnover would not be an issue.  Please accept that
the community has judged that having valid data in the database is
more important than your inconvenience of keeping the database current.

John, don't think your off the hook.

  There is one issue that Martin didn't mention that might be the cause 
of the POC validation issues.  To put it as simply as I can, the
emails that ARIN sends out for POC validation look exactly like phishing
emails.

I got one of those mails and I could hardly believe that one of the top 
Internet companies would actually send out an email that EMBEDDED A URL 
LINK in the mail message.

I opened the message in a text editor to make sure the link was actually
going to where it was supposed to go before clicking it.

Your people should know better.  How many spams a day do you get 
purporting to be from UPS/FedEX/BankofAmerica/IRS/etc. etc. etc. with
embedded links in them and an enticing email message to try to get the
people to click on the link (which of course immediately redirects them
to a broken-into server)  A lot, huh?  So what on earth makes you think
that your validation emails won't be regarded as phishes by the clueful
people who get them - network admins?

The only spamproof way of getting a proper email validation is to
ask the recipient to REPLY then you parse the replies that come back
in.

Nobody who wrote this policy had thought that ARIN would ever resort
to a tactic that is used by spammers and phishers and identity thieves
thousands of times a day - which is to embed a clickable URL in the
validation email message.

It does not surprise me that some are complaining they missed the
validation email.

Ted

On 8/18/2014 4:25 PM, John Curran wrote:
> On Aug 18, 2014, at 7:04 PM, Martin Hannigan<hannigan at gmail.com>  wrote:
>
>> John,
>>
>> The policy proposal in the archive initially stated that it should be
>> brought to the attention of the community and didn't imply roadblocks.
>> I forget how the whois requirement was inserted and I don't really
>> care since the issue is policy, ...
>
> Martin -
>
>     ARIN staff implement the policy, and the requirement is quite
>     clear in the present policy language.  I believe that there was
>     some concern about mining of the address blocks if it were to be
>     public, but again, that is a tradeoff that the community should
>     consider and determine policy accordingly.
>
>     Changing the policy language to drop the bulk whois requirement
>     would be a relatively easy change, if there is community support;
>     please let me know if you need any assistance in developing an
>     appropriate policy proposal.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> ARIN
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com




More information about the ARIN-PPML mailing list