[arin-ppml] Access to list of Number Resources with no valid POCs

Martin Hannigan hannigan at gmail.com
Wed Aug 20 07:10:39 EDT 2014

On Tue, Aug 19, 2014 at 4:33 PM, Ted Mittelstaedt <tedm at ipinc.net> wrote:

> Martin,
>   i was one of the original people involved in creating this policy and
> the requirement to sign a bulk whois was a compromise between the people
> like me who wanted full disclosure with no strings attached and the people
> who didn't want the information disclosed at all.
>   I don't think it's going to be changed.  Furthermore I will point out
> that you can use a role account email address for the important POCs,
> so your employee turnover would not be an issue.  Please accept that
> the community has judged that having valid data in the database is
> more important than your inconvenience of keeping the database current.

You can, but I'm not setting the POCs. Downstreams commonly set them to
whatever they want to. If we had the ability to modify the POC on an
assignment already made to us that would make the record keeping
requirements reasonable.

The bulk whois requirement is a product of fear, not logic, IMHO.

> John, don't think your off the hook.
>  There is one issue that Martin didn't mention that might be the cause of
> the POC validation issues.  To put it as simply as I can, the
> emails that ARIN sends out for POC validation look exactly like phishing
> emails.

It's that, but if ARIN is going to block someone from maintaining their
address it would be operationally sound to send the associated POC an email
letting them know. Second, the application. Are the lockouts automated? My
information is no. I'd argue this sets this up for abuse.

[ clip - mostly agree ]

Nobody who wrote this policy had thought that ARIN would ever resort
> to a tactic that is used by spammers and phishers and identity thieves
> thousands of times a day - which is to embed a clickable URL in the
> validation email message.
> It does not surprise me that some are complaining they missed the
> validation email.

It's not the validation email per se. But to your point, a role account,
even without abuse of bulk whois data, is abused regularly. Literally
thousands of emails per day. Yeah, yeah, filters, etc. But that's back seat
driving at its worst, blindfolded.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20140820/3ff5f582/attachment-0001.html>

More information about the ARIN-PPML mailing list