[arin-ppml] Access to list of Number Resources with no valid POCs

Ted Mittelstaedt tedm at ipinc.net
Wed Aug 20 12:41:36 EDT 2014

On 8/20/2014 4:10 AM, Martin Hannigan wrote:
> On Tue, Aug 19, 2014 at 4:33 PM, Ted Mittelstaedt <tedm at ipinc.net> wrote:
>     Martin,
>        I was one of the original people involved in creating this policy and
>     the requirement to sign a bulk whois was a compromise between the people
>     like me who wanted full disclosure with no strings attached and the
>     people who didn't want the information disclosed at all.
>        I don't think it's going to be changed.  Furthermore I will point out
>     that you can use a role account email address for the important POCs,
>     so your employee turnover would not be an issue.  Please accept that
>     the community has judged that having valid data in the database is
>     more important than your inconvenience of keeping the database current.
> You can, but I'm not setting the POCs. Downstreams commonly set them to
> whatever they want to. If we had the ability to modify the POC on an
> assignment already made to us that would make the record keeping
> requirements reasonable.

You have other ways - since they are getting IP addressing from you, you 
just point to the section of the contract they signed that requires them 
to put in valid POC data, right?

Since you're legally obligated to supply valid POC on assignments by your
own contract with ARIN I think your lawyers would have a conniption fit
if you were not extending this same contractual requirement to your
customers.  Maybe you should enlighten them if such language does not
exist? ;-)

> The bulk whois requirement is a product of fear, not logic, IMHO.

I won't argue that one.

>     John, don't think you're off the hook.
>       There is one issue that Martin didn't mention that might be the
>     cause of the POC validation issues.  To put it as simply as I can, the
>     emails that ARIN sends out for POC validation look exactly like phishing
>     emails.
> It's that, but if ARIN is going to block someone from maintaining their
> address it would be operationally sound to send the associated POC an
> email letting them know. Second, the application. Are the lockouts
> automated? My information is no. I'd argue this sets this up for abuse.

Unfortunately, once you have a database (in this case, POCs) that you 
have spent a large amount of effort on cleaning and maintaining, the 
temptation is to link a lot of additional stuff into it.  Arguably, the
WHOIS database is also considered by the community as authoritative for
IP assignments so linking it into other permissions on the block is
implied as legitimate.

This is, by the way, an artifact of IPv4 shortage politics.  But, with
the rise of criminals on the Internet we are finding that it's not a bad
idea to hold people's feet to the fire and identify who IP block holders

You can probably argue that theoretically this is a bad thing - but if 
you look at for example car license plates, states (in the US at least)
tie a whole lot of stuff into vehicle license plates nowadays.

> [ clip - mostly agree ]
>     Nobody who wrote this policy had thought that ARIN would ever resort
>     to a tactic that is used by spammers and phishers and identity thieves
>     thousands of times a day - which is to embed a clickable URL in the
>     validation email message.
>     It does not surprise me that some are complaining they missed the
>     validation email.
> It's not the validation email per se. But to your point, a role account,
> even without abuse of bulk whois data, is abused regularly. Literally
> thousands of emails per day. Yeah, yeah, filters, etc. But that's back
> seat driving at its worst, blindfolded.

Well, I guess it's germane that the POC does not contain just an email,
there's supposed to be a phone number and street address that is valid
as well.

We are most concerned with email since we need it for immediate 
notification in the event a criminal is using an IP number for 
something, but the other data is just as important.  Unfortunately there
isn't as easy a way to validate that as to validate an email address.

I guess that all I can say is this should help concentrate Internet
admins' attention on penalizing spammers.  If we don't like getting all
of that junk mail on our role addresses, it's our Internet, we can do 
something about it instead of complaining.  The Spam isn't coming from
alien visitors who are inducing it into our fiber links - it's coming
from netblocks that us administrators ultimately control.

Remember AGIS went bankrupt when the head network admin refused orders 
of the owner of that network to continue to provide a safe haven for 
spammers.  Ultimately spam is stopped by you, and me, and every
other admin out there, gunning for those spammers one at a time.


> Best,
> -M<
