<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><br id="lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On Aug 29, 2025, at 7:58 AM, Mike Burns <mike@iptrading.com> wrote:</div><br class="Apple-interchange-newline"><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt">Hi Shawn,<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">Thank you for proposing this.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">I am opposed to your policy as well.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">You are not the first to notice the disdain many network operators feel for abuse requests. </span></div></div></div></div></blockquote><div>Why? Why the disdain?</div><br><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">Your arguments are good, but they fail against the wall of policing behavior.</span></div></div></div></div></blockquote><div><br></div>I disagree, I believe they fall against the wall of good governance. </div><div><br><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">ARIN can only police behavior from those who seek new resources. After that, ARIN has no remit and no real power.</span></div></div></div></blockquote><div><br></div>This needs to change, and flys in the face of the fact that I receive emails validating my POC status. I have sent emails to abuse POC and had them bounce. Your statement here basically says that those of us who do the right thing are punished by those who lack morals, and we should pay the price simply because ARIN refuses to take a stand. </div><div><br></div><div><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt">Those other organizations you mention, Spamhaus and the like, can operate as police but only insofar as other network operators regard them as authoritative.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">ARIN has a registration services agreement that precludes revocation based on usage, effectively prohibiting ARIN from police work.</span></div></div></div></div></blockquote><div>Change the agreement. You have no idea how many times Ive work with companies that give me the "this is the way it's always been done". Who made this agreement and how do we change it?</div><br><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">On the other hand, there are real police and real laws to address criminal behavior.</span></div></div></div></div></blockquote><div>This isn't about criminal behavior. It's about good behavior vs bad. It's about setting standards for behavior, that if not followed will resolve of non participation. Though I suppose there is an argument to be made that they are costing my customers money.</div><div><br></div><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">Franky I don’t see this issue as restraining growth on the Internet.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">Also I appreciate the kudos for AWS and Digital Ocean, but I am not sure dinging MS by name will be appreciated on the policy list.</span></div></div></div></div></blockquote><div><br></div><div>Sorry, understood. I don't mean to be disparaging, but as you can imagine, I am frustrated,</div><br><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">And in terms of actualizing your policy, you have to consider the costs of complying with takedown requests in an era of CGNAT and short term DHCP leases.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">I haven’t reviewed the discussion of the policy the last time it was broached, but I expect you will find some of these same arguments deployed.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div></div></div></div></blockquote><div><br></div><div>Amazon does it, Digital Ocean does, DataPacket and many others are already practicing this policy, and argument of cost is moot, when the good guys are already doing it. I did it, and I'm a mom and pop operation. X does not get the square here, and any past arguments made on this point, are completly moot, given the effectiveness of the policy when practices by certain participents. </div><div><br></div><div>As in my previous examples, those who do it, are effective and I have plenty of emails to prove it. Those who don't practice it have IP addresses that have been up for months now, with no remediation. </div><br><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt">Regards,<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">Mike Burns<o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt">PS It doesn’t matter who anybody IS on the list. It’s their arguments that matter, only.</span></div></div></div></div></blockquote><div><br></div>I truly appreciate that, and I appreciate everyones engagement and understanding of the frustration I feel at something that seems so simple to do, yet such resistance and hand in the air approach, I don't get it.<br><blockquote type="cite"><div><div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"><div class="WordSection1"><div class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></div><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"><div class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> ARIN-PPML <arin-ppml-bounces@arin.net> <b>On Behalf Of </b>Shawn Bakhtiar<br><b>Sent:</b> Friday, August 29, 2025 10:32 AM<br><b>To:</b> Scott Leibrand <scottleibrand@gmail.com>; pmcnary@cameron.net<br><b>Cc:</b> ARIN-PPML@arin.net<br><b>Subject:</b> Re: [arin-ppml] Policy Proposal 2003-1: Required Performance of Abuse Contact<o:p></o:p></span></div></div></div><div class="MsoNormal"><o:p> </o:p></div><div class="MsoNormal">Good morning Scott, Paul,<o:p></o:p></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div><div class="MsoNormal">I'm not sure who Matt is, so far the only reasonable response I've received have been from Bill, who's right about doing my homework on the topic, and I truly appreciate his time and effort in leading me in a good direction.<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">You and Paul's suggestion, on the other hand, to simply block / report / sue, I find completely lacking, and frankly sad.<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Your suggestions reeks of the those supposedly (edumicated) computer engineers I see managing servers, who simply throw CPU and memory at a problems instead of caring about or addressing the underlying root cause of an issue. Do either of you run OSSEC on servers you manage?<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Your argument is tantamount to, I don't know what to do, so I'll just kick the can down to a policing organization who actually has very little skill or ability to meaningfully do anything about it. I've been there and done that, it's all but pointless. After 40 years of government and private work (long before the modern form of the internet was even a verb), I can assure you, your suggestion is lacking at best, and.... well... let's just leave it there, before I break the protocols of politeness :)<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">it is a shirking of responsibility for an organization that claims as part of it mission statement "...member-based organization that supports the operation and growth of the Internet."<o:p></o:p></div></div><div><div class="MsoNormal"><br><br><o:p></o:p></div></div><div><div class="MsoNormal">I would argue that letting this behavior continue would neither be supportive nor promote growth (unless we're taking about the growth of Microsoft and others who abuse their size).<o:p></o:p></div></div><div class="MsoNormal"><o:p> </o:p></div><div><div class="MsoNormal">I'm not talking about a few vulnerability scans done by Universities et al, I'm taking about being hammered by 100s of popup-script-kiddie-servers made popular by products like Kali Linux, and the fact that some providers like AWS take it seriously while others like Microsoft completely ignore emails sent to registered abuse emails. <o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">It perplexes me to no bounds to see Amazon AWS (of all people), Digital Ocean, and many others, being a good netizen, and doing it (despite ARIN's inability to define a very common sense policy, responding to abuse emails, assigning support tickets, and taking action on them, while Microsoft (we all know who they are) does not, and I'm beginning to see why. <o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">This I did not expect. <o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">You have quickly dismissed a real concern, without engaging in any meaningful debate. If what you say is remotely true, than why does Spanhuase exists? why does Abuse Radar exists? Why are their so many REAL COMMUNITY BASED organizations forming to dealing with an very serious issue, that law enforcement has no capabilities to deal with and apparently ARIN (the very governing body of IP addresses) doesn't care to do anything about, even though a very sound and reasonable policy was written, but never adopted, probably due to naysayers like yourself and Paul.<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Lazy and bad. <-- period!<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Curious though, you and Paul have attempted to dismissing me quite quickly and out of hand, but if I may, why not implement the policy, what do you think is going to happen? Why would it be bad to hold abuse POCs accountable for what their IP address is doing? What hardship do you think this will cause the community, other than you personally not wanting to be responsible for the IP addresses under your charge?<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Again, I'm not asking ARIN to police it, I'm asking them to govern it. I'm not asking for people to be sent to jail or fined, I'm asking for the governing body to take action in stopping the behavior (preferable without the need for behemoth, slow, broadsword agencies like law enforcement having to get involved, they have a whole lot of issues they need to fix before they can even approach an issue like this).<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">I've been a POC for more than my fare share of ranges, I don't recall this ever being in issue, and I know I took my responsibility for the IP addresses under my charge very seriously. I would create a ticket, follow up with my end users, and if deemed inappropriate or against our policy, their privileges would be revoked. <o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Telling me that ARIN isn't the police is like telling me the sky is not green. Obviously. <o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">However, it is the governing body, for the assignment of IP addresses. If the idea behind the abuse email was NOT to have it used to take down bad actors, then why even have it at all?<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Why are some organization voluntarily doing what you and Paul find so offensive a policy, and why are you and Paul so much against it, other than a blanket statement the ARIN is not the police (again this obvious). However IT IS the governing body, and does bear responsibility for how the community behaves.<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">Honestly curious,<o:p></o:p></div></div><div><div class="MsoNormal">Shawn<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" type="cite"><div><div class="MsoNormal">On Aug 28, 2025, at 5:14<span style="font-family:"Arial",sans-serif"> </span>PM, Scott Leibrand <<a href="mailto:scottleibrand@gmail.com">scottleibrand@gmail.com</a>> wrote:<o:p></o:p></div></div><div class="MsoNormal"><o:p> </o:p></div><div><div><div class="MsoNormal">Just block them, as Matt suggested. Or sue them, if they're harming your business in some meaningful way that can't be trivially handled by blocking their abusive subnets. Or contact law enforcement if there's actual criminal trespass or some other law being broken.<o:p></o:p></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">ARIN is not set up to be the Internet police, and I would oppose any efforts to make it try to play that role. As Matt eloquently elucidated, any requirements ARIN could enforce would likely make things worse for everyone holding ARIN IP addresses for very little tangible social benefit.<o:p></o:p></div></div><div><div class="MsoNormal"><o:p> </o:p></div></div><div><div class="MsoNormal">-Scott<o:p></o:p></div></div></div><div class="MsoNormal"><o:p> </o:p></div><div><div><div class="MsoNormal">On Thu, Aug 28, 2025 at 4:57<span style="font-family:"Arial",sans-serif"> </span>PM Shawn Bakhtiar <<a href="mailto:shashaness@gmail.com">shashaness@gmail.com</a>> wrote:<o:p></o:p></div></div><blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" type="cite"><div class="MsoNormal">Thank You Bill!<br><br>I really appreciate the input, and these are all great suggestions. I will certainly do my homework and reach out again to the group with more specific questions on the topic. <br><br>As I said in my email to Alison, <br><br>AWS (of all people), auto responds to any email sent to the abuse email on record for a given IP segment. It includes a ticket number, and without me having to follow up (usually a few days later) an email back often having remediated the issue, or in the rare instances where the they did not remedy the issue, explaining why the behavior is not abuse or a violation of their policies. <br><br>Digital Ocean does the same thing (without a ticket number). So do several midsize providers. Hit and miss with anything smaller than a /24.<br><br>Microsoft (where the preponderance of abusive behaviors come from) and Google. Do nothing. Literally nothing. I have OSSEC notification logs in which a single IP address with a Microsoft abuse POC, continues to scan different customer's networks, looking for Wordpress vulnerabilities, and has done so for over a month, without any remediation. <br><br>The aforementioned policy is a common sense one already being (voluntarily) done by a good number of the providers out there. I am very curious as to what objections anyone could have to it, and how we can address those concerns so we can put what seems like a very common sense policy into place. We need to bring accountability back to the internet.<br><br>Again, thank you for the guidance, I look forward to any and all questions, comments, and or concerns.<br><br>> On Aug 28, 2025, at 3:24<span style="font-family:"Arial",sans-serif"> </span>AM, William Herrin <<a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a>> wrote:<br>> <br>> On Wed, Aug 27, 2025 at 11:45<span style="font-family:"Arial",sans-serif"> </span>AM Shawn Bakhtiar <<a href="mailto:shashaness@gmail.com" target="_blank">shashaness@gmail.com</a>> wrote:<br>>> I would like to re-introduce the following Policy Proposal from 2003 to hold abuse POCs accountable.<br>>> <a href="https://www.arin.net/vault/participate/policy/drafts/2003/2003_1/" target="_blank">https://www.arin.net/vault/participate/policy/drafts/2003/2003_1/</a><br>> <br>>>> Changes to ARIN’s policies may be made via submission of a policy proposal<br>>>> via ARIN’s Policy Devcelopment Process - more details available here<br>>>> - <a href="https://www.arin.net/participate/policy/pdp/" target="_blank">https://www.arin.net/participate/policy/pdp/</a><br>> <br>> Hi Shawn,<br>> <br>> I note that the practical question of "how do I submit a policy<br>> proposal" is not answered in<br>> <a href="https://www.arin.net/participate/policy/pdp/" target="_blank">https://www.arin.net/participate/policy/pdp/</a>, or if it is, it's buried<br>> so deeply I can't find it.<br>> <br>> What you probably want is the policy proposal template, which you can<br>> find here: <a href="https://www.arin.net/participate/policy/pdp/appendix_b/" target="_blank">https://www.arin.net/participate/policy/pdp/appendix_b/</a><br>> <br>> You can also discuss policy changes here on the mailing list without<br>> making a formal proposal. That would enable you to gather information<br>> which could inform a formal proposal.<br>> <br>> I recommend you sift through the mailing list archives at<br>> <a href="https://lists.arin.net/pipermail/arin-ppml/" target="_blank">https://lists.arin.net/pipermail/arin-ppml/</a> and read the original<br>> discussions around proposal 2003-1. This can help you understand what<br>> defects in that proposal led to it failing to reach consensus.<br>> <br>> Finally, I note that there have been other off and on discussions<br>> about the published POCs and their utility. It might be worth digging<br>> into them as well. Try a Google search such as, "site:<a href="http://lists.arin.net/" target="_blank">lists.arin.net</a><br>> abuse poc"<br>> <br>> Regards,<br>> Bill Herrin<br>> <br>> <br>> <br>> -- <br>> William Herrin<br>> <a href="mailto:bill@herrin.us" target="_blank">bill@herrin.us</a><br>> <a href="https://bill.herrin.us/" target="_blank">https://bill.herrin.us/</a><br><br>_______________________________________________<br>ARIN-PPML<br>You are receiving this message because you are subscribed to<br>the ARIN Public Policy Mailing List (<a href="mailto:ARIN-PPML@arin.net" target="_blank">ARIN-PPML@arin.net</a>).<br>Unsubscribe or manage your mailing list subscription at:<br><a href="https://lists.arin.net/mailman/listinfo/arin-ppml" target="_blank">https://lists.arin.net/mailman/listinfo/arin-ppml</a><br>Please contact <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<o:p></o:p></div></blockquote></div></div></blockquote></div><div class="MsoNormal"><o:p> </o:p></div></div></div></div></div></blockquote></div><br></body></html>