[arin-ppml] ARIN 2021-7

Ronald F. Guilmette rfg at tristatelogic.com
Fri Jun 17 06:49:41 EDT 2022

In message <CAN2rHV-3zebUg4p9wRAwXS_hxCWnOsysTeqFxErWFx=EJWo-zg at mail.gmail.com>
Amy Potter <amybpotter at gmail.com> wrote:

>*Problem Statement:*
>The current abuse contact fields are not sufficient for the abuse reporting
>mechanisms most frequently used today. For many network providers, the
>process for dealing with network abuse usually starts with a web page. The
>web page provides instructions and may offer forms for describing the abuse
>and uploading supporting material of the nature that the service provider
>needs in order to take action. It would be helpful for these organizations
>if the abuse contact had a specific field for a machine-readable abuse URI.

99% of all online abuse has been and is still email spam.

Responsible providers long ago recognized this and implemented blocks on
outbound port 25 TCP connections other than to that subset of their
customers for whom they have a high level of trust.  Such blocks have
essentially eliminated the outbound spam problem even for the largest
of providers (e.g. Comcast, etc.)

Sadly, many providers, for whatever (cockamamie?) resons have decided not
to go that route and thus, nowadays essentially all email spam that all of
us receive comes from those providers, i.e. the ones that are either too
lazy or too inept to do the Right Thing.

These providers shift the burden of dealing wth their own spam outflows
onto the recipients.  They do so every bit as much as the spammers themselves
shift the costs of their advertising onto the recipients.

So our mailboxes fill up with spam.  This is part of the price we pay to be
open to accepting inbound email from almost anyplace on earth.

The providers who are either too lazy or too inept to implement any sorts
of preventative measures... i.e. to stop spam from even leaving their networks
in the first place... are also, it seems, too lazy and/or inept to even read
or deal with the emailed reports sent to them by the 0.01% of spam recipients
who take the time to report spams to the relevant providers.  These lazy
providers complain incessantly that they "don't have the manpower" or don't
have the resources to even read "all of those damn spam complaints", at
least if the complaints in question come to them via the exact same medium
that was the medium used to commit the abuse in the first place., i.e. email.

Apparently, what's good for the goose is not also good for the gander.  Many
providers think nothing of -my- time or -my- overflowing email inbox,
but when it comes to -their- inboxes, they just can't be bothered to read
even just the tiny fraction of the email complaints that are generated as
a result of their own spammer customers.

So instead they propose this "solution" i.e. to force all spam recipients
to jump through the hoops of each provider's own unique (and often Rube
Goldberg inspired) convoluted web maze, just to tell them that they have
a spamming customer.

This "solution" begs many obvious questions.

First, how is it in any way less labor intensive to read and understand the
nature of an abuse complaint if the complaint in question is sent in via a
web form as opposed to via email?  Either way, some living person who is
prsumably made out of flesh and bone must read and try to make sense of
the report.  So this "solution" quite obviously doesn't provide any help
AT ALL with regards to reducing the manpower required to properly analyze
and then properly act on abuse complaints.

Second, if a given provider is so overwhelmed by its incoming flood of abuse
complaints that it starts searching for some "solution" to lighten the load,
then shouldn't that incoming flood of abuse complaints itself be treated as
a huge red flag, indicating that the provider in question is doing a perfectly
abysmal job at either vetting its own clients or at disiplining them when
and if they become abusive?  (Universities, government departments, and
private firms, despite often having a lot users and a lot of IP real estate,
never seem to complain that *they* are being overwhelmed by floods of
incoming abuse complaints.  Maybe it is because *they* act responsibly to
disipline their wayward users whle -commercial- ISPs often shrik their
responsibilities for doing so.)

Once again, the "solution" for an overwehlming flood of incoming abuse
complaints is -not- to simply add some additional layer of complexity and
automation.  The solution is to fix the actual problem, which is the
massive spam outflow, and the reasons for it.  (But that would require
some amount of thinking and self-conscious introspection, which I gather
is too high a bar of expectations to place upon many commericial ISPs.)

Lastly, the question arises of how exactly it is in any way ethically
defensible for any provider to first (a) shift the burden of spam onto
recipients elsewhere (i.e. by failing to control it at the source) and
yet also (b) demand from spam recipients uncompensated free labor, i.e.
figuring out each different provider's unique abuse reporting web form.

This is, I think, quite clearly just adding insult to injury.  Provider XYZ
fails to control its own customer base, so I get spammed by one of XYZ's
customers, but then XYZ refuses to even allow me to tell them about that
unless I first pass a CAPTCHA and then also take and pass an even further
Turing Test as I attempt to navigate my way past their unique and typically
convoluted and confusing web reporting form, all just for the unparalled
pleasure of having them send my well crafted report to /dev/null, because
after all, the customer is paying them and I'm not.

The "solution" to abuse reporting isn't automation and it isn't web forms.
It's persuading commercial ISPs to give a damn.  (Universities, government
departments, and private firms such as Lockheed Martin, Hewlett Packard,
U.S. Steel, and the flower shop down the street from me always have and
always will give a damn.  The commercial ISPs... not so much.)

In case I have been in the least bit ambiguous, I oppose the proposal for
all of the foregoing reasons.  If adopted, its main effect will be to
further perpetuate the problem of network abuse.


More information about the ARIN-PPML mailing list