[arin-ppml] Policy Proposal 2003-1: Required Performance of Abuse Contact

jordi.palet at consulintel.es
Fri Aug 29 11:16:43 EDT 2025


Hi Shawn,

I fully agree with you.

It is irresponsible to hold resources and ignore abuse reports.

Yes, no RIR is the Internet police, but since part of the mission of the RIR is the proper management of the resources, if a member gets resources, it has the obligation to properly manage them.

Properly managing the resources means making sure that you or your customers aren’t causing trouble to other Internet users. If one of your customers is doing so, it means they are basically ignoring the terms of your contract, or you have a really bad contract (acceptable usage policy).

Scanning others, sending spam, DDoS, etc., means a lot of cost for transit providers and the holder of the destination addresses, not to mention electricity, CPU cycles and so on, and of course, human resources.

I don’t know about the countries in the ARIN service region, but here in Spain, since a couple of years ago, "cold door selling", whether at a physical door, by phone, SMS, WhatsApp, email, etc., is an illegal activity: you get fined, and the person you’re disturbing has the right to ask for compensation (now there is a request to improve the law so that compensation is automatic, with no need to go to court to request it). Just imagine if someone decided to ring your doorbell (or phone you) every day to try to sell you something. Is that not illegal in the US or Canada, for example?

If you get paid by your customers, you are responsible for the proper management of your addressing space. Causing damage or losses to others by mistake, or during a few hours/days because you didn’t realize it, etc., is understandable, but ignoring it is unacceptable.

Some years ago, I submitted to all the RIRs a policy proposal to alleviate that problem. In short, the proposal aimed to:
1) Make sure there is an abuse contact and verify it every year.
2) Ensure that the one listed as contact confirms he/she knows and understands the RIR policies.
3) He/she is able to process the abuse reports by email (not a form, which may be different for each holder).
4) He/she acts on the abuse reports and confirms to the sender.
5) ARIN has an escalation mailbox in case the previous points aren’t being followed, and if there is a persistent lack of compliance, resources may be recovered.

In ARIN and RIPE, it didn’t reach consensus. In the case of AFRINIC it reached consensus, but because of the lack of a board, it is not yet ratified and implemented.

In the case of APNIC and LACNIC, it reached consensus, and I can say that for a few years I’ve been having much less trouble with those 2 regions than with the rest.

It’s not 100% perfect, but it’s better than nothing. In the case of LACNIC, for example, I recently noticed a big increase in lack of compliance, mainly from Brasil, and I’ve escalated it to LACNIC. I guess some ISPs need a reminder from time to time, maybe due to a change of employees, etc.

I’m happy to discuss this idea again on the list, try to find improvements (even if I think it works, according to my experience in 2 regions) and resubmit it.

Clearly, being a resource holder means you have responsibility for their proper usage, and ARIN has the responsibility to ensure that proper management; I’m sure the service agreement says something about that. Otherwise, could ARIN be indirectly responsible for damages?

Regards,
Jordi

@jordipalet


> El 29 ago 2025, a las 16:31, Shawn Bakhtiar <shashaness at gmail.com> escribió:
> 
> Good morning Scott, Paul,
> 
> I'm not sure who Matt is, so far the only reasonable response I've received have been from Bill, who's right about doing my homework on the topic, and I truly appreciate his time and effort in leading me in a good direction.
> 
> Your and Paul's suggestion, on the other hand, to simply block / report / sue, I find completely lacking, and frankly sad.
> 
> Your suggestions reek of those supposedly (edumicated) computer engineers I see managing servers, who simply throw CPU and memory at a problem instead of caring about or addressing the underlying root cause of an issue. Do either of you run OSSEC on servers you manage?
> 
> Your argument is tantamount to, I don't know what to do, so I'll just kick the can down to a policing organization who actually has very little skill or ability to meaningfully do anything about it. I've been there and done that, it's all but pointless. After 40 years of government and private work (long before the modern form of the internet was even a verb), I can assure you, your suggestion is lacking at best, and.... well... let's just leave it there, before I break the protocols of politeness :)
> 
> It is a shirking of responsibility for an organization that claims as part of its mission statement "...member-based organization that supports the operation and growth of the Internet."
> 
> I would argue that letting this behavior continue would neither be supportive nor promote growth (unless we're talking about the growth of Microsoft and others who abuse their size).
> 
> I'm not talking about a few vulnerability scans done by Universities et al, I'm talking about being hammered by 100s of popup-script-kiddie-servers made popular by products like Kali Linux, and the fact that some providers like AWS take it seriously while others like Microsoft completely ignore emails sent to registered abuse emails.
> 
> It perplexes me to no bounds to see Amazon AWS (of all people), Digital Ocean, and many others, being good netizens, and doing it (despite ARIN's inability to define a very common sense policy): responding to abuse emails, assigning support tickets, and taking action on them, while Microsoft (we all know who they are) does not, and I'm beginning to see why.
> 
> This I did not expect. 
> 
> You have quickly dismissed a real concern, without engaging in any meaningful debate. If what you say is remotely true, then why does Spamhaus exist? Why does Abuse Radar exist? Why are there so many REAL COMMUNITY BASED organizations forming to deal with a very serious issue, that law enforcement has no capabilities to deal with and apparently ARIN (the very governing body of IP addresses) doesn't care to do anything about, even though a very sound and reasonable policy was written, but never adopted, probably due to naysayers like yourself and Paul.
> 
> Lazy and bad. <-- period!
> 
> Curious though, you and Paul have attempted to dismiss me quite quickly and out of hand, but if I may, why not implement the policy, what do you think is going to happen? Why would it be bad to hold abuse POCs accountable for what their IP address is doing? What hardship do you think this will cause the community, other than you personally not wanting to be responsible for the IP addresses under your charge?
> 
> Again, I'm not asking ARIN to police it, I'm asking them to govern it. I'm not asking for people to be sent to jail or fined, I'm asking for the governing body to take action in stopping the behavior (preferably without the need for behemoth, slow, broadsword agencies like law enforcement having to get involved; they have a whole lot of issues they need to fix before they can even approach an issue like this).
> 
> I've been a POC for more than my fair share of ranges, I don't recall this ever being an issue, and I know I took my responsibility for the IP addresses under my charge very seriously. I would create a ticket, follow up with my end users, and if deemed inappropriate or against our policy, their privileges would be revoked.
> 
> Telling me that ARIN isn't the police is like telling me the sky is not green. Obviously. 
> 
> However, it is the governing body, for the assignment of IP addresses. If the idea behind the abuse email was NOT to have it used to take down bad actors, then why even have it at all?
> 
> Why are some organizations voluntarily doing what you and Paul find so offensive a policy, and why are you and Paul so much against it, other than a blanket statement that ARIN is not the police (again, this is obvious)? However, IT IS the governing body, and does bear responsibility for how the community behaves.
> 
> Honestly curious,
> Shawn
> 
> 
> 
>> On Aug 28, 2025, at 5:14 PM, Scott Leibrand <scottleibrand at gmail.com> wrote:
>> 
>> Just block them, as Matt suggested. Or sue them, if they're harming your business in some meaningful way that can't be trivially handled by blocking their abusive subnets. Or contact law enforcement if there's actual criminal trespass or some other law being broken.
>> 
>> ARIN is not set up to be the Internet police, and I would oppose any efforts to make it try to play that role. As Matt eloquently elucidated, any requirements ARIN could enforce would likely make things worse for everyone holding ARIN IP addresses for very little tangible social benefit.
>> 
>> -Scott
>> 
>> On Thu, Aug 28, 2025 at 4:57 PM Shawn Bakhtiar <shashaness at gmail.com> wrote:
>>> Thank You Bill!
>>> 
>>> I really appreciate the input, and these are all great suggestions. I will certainly do my homework and reach out again to the group with more specific questions on the topic. 
>>> 
>>> As I said  in my email to Alison, 
>>> 
>>> AWS (of all people) auto-responds to any email sent to the abuse email on record for a given IP segment. It includes a ticket number, and without me having to follow up (usually a few days later) sends an email back, often having remediated the issue, or in the rare instances where they did not remedy the issue, explaining why the behavior is not abuse or a violation of their policies.
>>> 
>>> Digital Ocean does the same thing (without a ticket number). So do several midsize providers. Hit and miss with anything smaller than a /24.
>>> 
>>> Microsoft (where the preponderance of abusive behaviors come from) and Google. Do nothing. Literally nothing. I have OSSEC notification logs in which a single IP address with a Microsoft abuse POC continues to scan different customers' networks, looking for Wordpress vulnerabilities, and has done so for over a month, without any remediation.
>>> 
>>> The aforementioned policy is a common sense one already being (voluntarily) done by a good number of the providers out there. I am very curious as to what objections anyone could have to it, and how we can address those concerns so we can put what seems like a very common sense policy into place. We need to bring accountability back to the internet.
>>> 
>>> Again, thank you for the guidance, I look forward to any and all questions, comments, and or concerns.
>>> 
>>> > On Aug 28, 2025, at 3:24 AM, William Herrin <bill at herrin.us> wrote:
>>> > 
>>> > On Wed, Aug 27, 2025 at 11:45 AM Shawn Bakhtiar <shashaness at gmail.com> wrote:
>>> >> I would like to re-introduce the following Policy Proposal from 2003 to hold abuse POCs accountable.
>>> >> https://www.arin.net/vault/participate/policy/drafts/2003/2003_1/
>>> > 
>>> >>> Changes to ARIN’s policies may be made via submission of a policy proposal
>>> >>> via ARIN’s Policy Development Process - more details available here
>>> >>> - https://www.arin.net/participate/policy/pdp/
>>> > 
>>> > Hi Shawn,
>>> > 
>>> > I note that the practical question of "how do I submit a policy
>>> > proposal" is not answered in
>>> > https://www.arin.net/participate/policy/pdp/, or if it is, it's buried
>>> > so deeply I can't find it.
>>> > 
>>> > What you probably want is the policy proposal template, which you can
>>> > find here: https://www.arin.net/participate/policy/pdp/appendix_b/
>>> > 
>>> > You can also discuss policy changes here on the mailing list without
>>> > making a formal proposal. That would enable you to gather information
>>> > which could inform a formal proposal.
>>> > 
>>> > I recommend you sift through the mailing list archives at
>>> > https://lists.arin.net/pipermail/arin-ppml/ and read the original
>>> > discussions around proposal 2003-1. This can help you understand what
>>> > defects in that proposal led to it failing to reach consensus.
>>> > 
>>> > Finally, I note that there have been other off and on discussions
>>> > about the published POCs and their utility. It might be worth digging
>>> > into them as well. Try a Google search such as, "site:lists.arin.net
>>> > abuse poc"
>>> > 
>>> > Regards,
>>> > Bill Herrin
>>> > 
>>> > 
>>> > 
>>> > -- 
>>> > William Herrin
>>> > bill at herrin.us
>>> > https://bill.herrin.us/
>>> 
>>> _______________________________________________
>>> ARIN-PPML
>>> You are receiving this message because you are subscribed to
>>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> https://lists.arin.net/mailman/listinfo/arin-ppml
>>> Please contact info at arin.net if you experience any issues.
> 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above, and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense, so you must reply to the original sender to inform them about this communication and delete it.
