<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:"helvetica neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EstiloCorreo18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=ES-TRAD style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>On 16/7/19 19:27, "Scott Leibrand" <<a href="mailto:scottleibrand@gmail.com">scottleibrand@gmail.com</a>> wrote:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'>Ok, glad to hear the intent regarding automated processing is closer to what I would consider appropriate.<o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>How about:<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>"All emails sent to this address must be processed appropriately, ultimately reaching a human processor who evaluates each message that cannot be appropriately handled by any automated systems."<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>That looks perfect to me! Thanks!<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>And what about the requirement that "That the mailbox is regularly monitored and that abuse reports receive a response."? What kind of response is intended there? 
It seems to imply something more than the "initial automatic processing" mentioned earlier.<o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>If you have a system that processes automatically as many abuse cases as possible, including some kind of automatic response to the ticket once the case is closed, and then you relay the remaining ones to a mailbox, there is a need to have someone monitoring that one, right? Because the automated system has not been able to “resolve” the case, was not able to “respond” about that closure of the case, so I expect that the human behind that case is then manually triggering a response.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>This is actually also the way I see the validation will work. Because it is not an abuse report, if nobody is checking the “to be manually handled cases” the validation will not be completed and will need to be escalated to other contacts. 
For example, the employee that was taking care of those manual tickets is no longer in the company, and nobody realized to modify that contact.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>-Scott<o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>On Tue, Jul 16, 2019 at 10:05 AM JORDI PALET MARTINEZ via ARIN-PPML <<a href="mailto:arin-ppml@arin.net">arin-ppml@arin.net</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>Hi Scott,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>I guess there is some misunderstanding in that part of the text. Maybe “ultimately” is not doing the intended “work”. The idea is “last resort”.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>The idea is not that messages are processed only by humans. If it can be automatically processed that’s fine and perfect. 
The goal is that if “that doesn’t work” then somebody needs to take care of it.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>See 3.6.6.3:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>2. </span><span style='font-size:12.0pt;font-family:"helvetica neue";color:#333333;background:white'>Avoids exclusively automated processing.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>Jordi</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>@jordipalet</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>On 16/7/19 18:39, "ARIN-PPML on behalf of Scott Leibrand" <<a href="mailto:arin-ppml-bounces@arin.net" target="_blank">arin-ppml-bounces@arin.net</a> on behalf of <a href="mailto:scottleibrand@gmail.com" target="_blank">scottleibrand@gmail.com</a>> wrote:<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>Strongly opposed as written.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>This policy would require that all "abuse reports receive a response" from "a human processor who evaluates each message received", which constitutes an inappropriate interference in the business operations of ISPs, and presents a denial of service vector. There are many entirely appropriate automated actions that well-run ISPs take in response to abuse reports that don't involve "a human processor who evaluates each message received", and don't necessarily require a response to the original reporter. 
The first project I undertook at my first job was writing a mostly-automated abuse processing system that properly dealt with all incoming abuse@ email, but would not be compliant with this policy language as written because it took fully automated action when appropriate.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>If you want to impose such onerous requirements on ISPs, the appropriate method to do so is via legislation (as was done for the DMCA), not by ARIN number resource administration policy.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>-Scott<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>On Tue, Jul 16, 2019 at 8:29 AM ARIN <<a href="mailto:info@arin.net" target="_blank">info@arin.net</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>The following has been revised and retitled:<br><br>* Draft Policy ARIN-2019-5: Validation of POCs Referenced as Abuse Contacts<br><br>Formerly:<br><br>* Draft Policy ARIN-2019-5: Validation of Abuse-mailbox<br><br>Revised text is below and can be found at:<br><a href="https://www.arin.net/participate/policy/drafts/2019_5/" 
target="_blank">https://www.arin.net/participate/policy/drafts/2019_5/</a><br><br>You are encouraged to discuss all Draft Policies on PPML. The AC will <br>evaluate the discussion in order to assess the conformance of this draft <br>policy with ARIN's Principles of Internet number resource policy as <br>stated in the Policy Development Process (PDP). Specifically, these <br>principles are:<br><br>* Enabling Fair and Impartial Number Resource Administration<br>* Technically Sound<br>* Supported by the Community<br><br>The PDP can be found at:<br><a href="https://www.arin.net/participate/policy/pdp/" target="_blank">https://www.arin.net/participate/policy/pdp/</a><br><br>Draft Policies and Proposals under discussion can be found at:<br><a href="https://www.arin.net/participate/policy/drafts/" target="_blank">https://www.arin.net/participate/policy/drafts/</a><br><br>Regards,<br><br>Sean Hopkins<br>Policy Analyst<br>American Registry for Internet Numbers (ARIN)<br><br><br><br>Draft Policy ARIN-2019-5: Validation of POCs Referenced as Abuse Contacts<br><br>Problem Statement:<br><br>The current policy, “3.6. Annual Validation of ARIN’s Public Whois Point <br>of Contact Data” does not provide sufficient validation of the actual <br>availability of the abuse mailbox.<br><br>As a result, some resource-holders (LIRs and end-users) might not keep <br>this contact information up to date, or might use a non-responsive <br>mailbox which may be full or not actively monitored. 
Some may even <br>respond only to ARIN emails.<br><br>In practice, this contact becomes ineffective for reporting abuse and <br>generally gives rise to security issues and costs for the victims.<br><br>Furthermore, POCs are verified only every year and provide a very <br>relaxed response time (60 days).<br><br>Finally, the proposal seeks to standardize the abuse-c/abuse-mailbox as <br>a pointer to an actual abuse POC in order to facilitate development of <br>tools that can work across regions.<br><br>Proposed Policy Statement:<br><br>Add to section 3.6 of the NRPM as follows:<br><br>3.6.6 Policies specific to Abuse Contacts<br><br>3.6.6.1 Abuse Contact Information<br><br>The Abuse Contact will reference a POC object holding Abuse contact <br>information. Each org must have an Abuse Contact. Optionally, resource <br>records may point directly to an Abuse Contact as an override to the <br>corresponding organizational Abuse Contact specific to that resource.<br><br>3.6.6.2 Email Addresses in POCs used as Abuse Contacts<br><br>Emails sent to this address must ultimately reach a human processor who <br>evaluates each message received.<br><br>Messages cannot be automatically filtered because legitimate abuse <br>reports may include contents which would trigger such filters.<br><br>Reports to this mailbox may undergo initial automatic processing for the <br>following purposes:<br><br>* An automated reply assigning a ticket number, applying classification <br>procedures, etc.<br>* An indication of the required information for an abuse report to be <br>processed, such as pertinent logs, copy of the spam message with full <br>headers, or any other relevant evidence of abuse.<br>* The intent is to facilitate automated abuse reporting in consistent <br>formats lowering cost for both victims and those processing legitimate <br>abuse reports.<br><br>3.6.6.3 Abuse Contact Validation Objectives<br><br>Staff must develop a <br>validation procedure which accomplishes all of the following 
objectives:<br><br>1. A simple process which allows POCs to validate that the validation <br>request is actually from ARIN.<br>2. Avoids exclusively automated processing.<br>3. Confirms that the person performing the validation understands the <br>procedure and relevant policies. That the mailbox is regularly monitored <br>and that abuse reports receive a response.<br>4. Maximum validation period is 15 days.<br>5. If validation fails, escalate to the LIR for an additional 15 days.<br><br>The initial and escalation validation periods may be modified by ARIN <br>staff, if deemed appropriate. In such a case, the community shall be <br>notified at least 5 days prior to implementation of the change (at least <br>via arin-announce and arin-ppml) including the rationale for the change.<br><br>3.6.6.4 Validation of Abuse Contacts<br><br>ARIN will validate that the email listed in each POC referenced as an <br>abuse contact for one or more ORG or Resource records under any of the <br>following circumstances:<br><br>* When the POC record is created or first referenced as an Abuse POC.<br>* When a referenced POC record is updated.<br>* No less than every 6 months<br>* At any other time ARIN staff deems necessary<br><br>3.6.6.5 Escalation to ARIN<br><br>To avoid fraudulent behavior (for example an email address that responds <br>only to ARIN emails or emails with a specific subject or content), or <br>failure to comply with other aspects of this policy, ARIN designates to <br>receive reports and to escalate any such situations. 
This will allow for <br>re-validation (per section 3.6.6.4) and even intervention by ARIN and, <br>where appropriate the application of the relevant policies, procedures, <br>or contractual requirements.<br>_______________________________________________<br>ARIN-PPML<br>You are receiving this message because you are subscribed to<br>the ARIN Public Policy Mailing List (<a href="mailto:ARIN-PPML@arin.net" target="_blank">ARIN-PPML@arin.net</a>).<br>Unsubscribe or manage your mailing list subscription at:<br><a href="https://lists.arin.net/mailman/listinfo/arin-ppml" target="_blank">https://lists.arin.net/mailman/listinfo/arin-ppml</a><br>Please contact <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<o:p></o:p></p></blockquote></div></div></div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><br>**********************************************<br>IPv4 is over<br>Are you ready for the new Internet ?<br><a href="http://www.theipv6company.com" target="_blank">http://www.theipv6company.com</a><br>The IPv6 Company<br><br>This electronic message contains information which may be privileged or confidential. 
The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<o:p></o:p></p></div></blockquote></div></div></div>
</body></html>