[arin-ppml] Revised/Retitled - Draft Policy ARIN-2019-5: Validation of POCs Referenced as Abuse Contacts

ARIN info at arin.net
Tue Jul 16 11:28:41 EDT 2019


The following has been revised and retitled:

* Draft Policy ARIN-2019-5: Validation of POCs Referenced as Abuse Contacts

Formerly:

* Draft Policy ARIN-2019-5: Validation of Abuse-mailbox

Revised text is below and can be found at:
https://www.arin.net/participate/policy/drafts/2019_5/

You are encouraged to discuss all Draft Policies on PPML. The AC will 
evaluate the discussion in order to assess the conformance of this draft 
policy with ARIN's Principles of Internet number resource policy as 
stated in the Policy Development Process (PDP). Specifically, these 
principles are:

* Enabling Fair and Impartial Number Resource Administration
* Technically Sound
* Supported by the Community

The PDP can be found at:
https://www.arin.net/participate/policy/pdp/

Draft Policies and Proposals under discussion can be found at:
https://www.arin.net/participate/policy/drafts/

Regards,

Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)



Draft Policy ARIN-2019-5: Validation of POCs Referenced as Abuse Contacts

Problem Statement:

The current policy, “3.6. Annual Validation of ARIN’s Public Whois Point 
of Contact Data” does not provide sufficient validation of the actual 
availability of the abuse mailbox.

As a result, some resource-holders (LIRs and end-users) might not keep 
this contact information up to date, or might use a non-responsive 
mailbox which may be full or not actively monitored. Some may even 
respond only to ARIN emails.

In practice, this contact becomes ineffective for reporting abuse and 
generally gives rise to security issues and costs for the victims.

Furthermore, POCs are verified only every year and provide a very 
relaxed response time (60 days).

Finally, the proposal seeks to standardize the abuse-c/abuse-mailbox as 
a pointer to an actual abuse POC in order to facilitate development of 
tools that can work across regions.

Proposed Policy Statement:

Add to section 3.6 of the NRPM as follows:

3.6.6 Policies specific to Abuse Contacts

3.6.6.1 Abuse Contact Information

The Abuse Contact will reference a POC object holding Abuse contact 
information. Each org must have an Abuse Contact. Optionally, resource 
records may point directly to an Abuse Contact as an override to the 
corresponding organizational Abuse Contact specific to that resource.

3.6.6.2 Email Addresses in POCs used as Abuse Contacts

Emails sent to this address must ultimately reach a human processor who 
evaluates each message received.

Messages cannot be automatically filtered because legitimate abuse 
reports may include contents which would trigger such filters.

Reports to this mailbox may undergo initial automatic processing for the 
following purposes:

* An automated reply assigning a ticket number, applying classification 
procedures, etc.
* An indication of the required information for an abuse report to be 
processed, such as pertinent logs, copy of the spam message with full 
headers, or any other relevant evidence of abuse.
* The intent is to facilitate automated abuse reporting in consistent 
formats lowering cost for both victims and those processing legitimate 
abuse reports.

3.6.6.3 Abuse Contact Validation Objectives

Staff must develop a validation procedure which accomplishes all of the 
following objectives:

1. A simple process which allows POCs to validate that the validation 
request is actually from ARIN.
2. Avoids exclusively automated processing.
3. Confirms that the person performing the validation understands the 
procedure and relevant policies. That the mailbox is regularly monitored 
and that abuse reports receive a response.
4. Maximum validation period is 15 days.
5. If validation fails, escalate to the LIR for an additional 15 days.

The initial and escalation validation periods may be modified by ARIN 
staff, if deemed appropriate. In such a case, the community shall be 
notified at least 5 days prior to implementation of the change (at least 
via arin-announce and arin-ppml) including the rationale for the change.

3.6.6.4 Validation of Abuse Contacts

ARIN will validate that the email listed in each POC referenced as an 
abuse contact for one or more ORG or Resource records under any of the 
following circumstances:

* When the POC record is created or first referenced as an Abuse POC.
* When a referenced POC record is updated.
* No less than every 6 months
* At any other time ARIN staff deems necessary

3.6.6.5 Escalation to ARIN

To avoid fraudulent behavior (for example an email address that responds 
only to ARIN emails or emails with a specific subject or content), or 
failure to comply with other aspects of this policy, ARIN designates to 
receive reports and to escalate any such situations. This will allow for 
re-validation (per section 3.6.6.4) and even intervention by ARIN and, 
where appropriate, the application of the relevant policies, procedures, 
or contractual requirements.

