Amazon, you really should know better.
Source ip: 54.240.4.4
https://search.arin.net/rdap/?query=54.240.4.4
Source Registry: ARIN
Kind: Group
Full Name: Amazon SES Abuse
Handle: ASA152-ARIN
Email: email-abuse@amazon.com
RCPT To:<email-abuse@amazon.com>
<<< 550 #5.1.0 Address rejected.
550 5.1.1 <email-abuse@amazon.com>... User unknown
DATA
<<< 503 #5.5.1 RCPT first
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
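Added example, not part of any poster's message: a Python sketch that pulls the abuse-role contacts out of an RDAP response and classifies each by the DSN class sendmail logged for it, which is the check the post above performs by hand. The RDAP structure is a constructed fragment; only the handle, name, e-mail and the first log line come from the post, and `ORG-PLACEHOLDER`, `EXAMPLE-1`, the `example.net`/`example.org` addresses and the function names are assumptions.

```python
import re

# RDAP fragment shaped like an IP-network lookup result. The abuse entity's
# handle, name and e-mail are the ones quoted in the post; the org handle and
# the second entity are constructed for this example.
RDAP_SAMPLE = {
    "objectClassName": "ip network",
    "entities": [
        {
            "handle": "ORG-PLACEHOLDER",  # constructed placeholder
            "roles": ["registrant"],
            "entities": [  # abuse POC nested under the organisation entity
                {
                    "handle": "ASA152-ARIN",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [
                        ["version", {}, "text", "4.0"],
                        ["fn", {}, "text", "Amazon SES Abuse"],
                        ["kind", {}, "text", "group"],
                        ["email", {}, "text", "email-abuse@amazon.com"],
                    ]],
                },
            ],
        },
        {
            "handle": "EXAMPLE-1",  # constructed
            "roles": ["abuse", "technical"],
            "vcardArray": ["vcard", [
                ["fn", {}, "text", "Example NOC"],
                ["email", {}, "text", "abuse@example.net"],
            ]],
        },
    ],
}

SENDMAIL_LOG = [
    # Log line quoted in the post.
    "Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown",
    # Constructed lines: a temporary failure and an unrelated delivery.
    "Jul 29 09:48:02 mx1 sendmail[14101]: x6TGm1aa014099: to=<abuse@example.net>, delay=00:00:30, xdelay=00:00:30, mailer=esmtp, relay=mx.example.net. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection timed out with mx.example.net.",
    "Jul 29 09:49:10 mx1 sendmail[14120]: x6TGn9bb014118: to=<user@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.80], dsn=2.0.0, stat=Sent (ok)",
]

# Fields of a sendmail delivery line that matter for the verdict.
LOG_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>.*?relay=(?P<relay>\S+).*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), stat=(?P<stat>.*)$"
)

# First digit of the enhanced status code (RFC 3463 class).
DSN_CLASS = {"2": "delivered", "4": "temporary failure", "5": "permanent failure"}


def abuse_contacts(rdap_obj):
    """Return {email: handle} for every entity with the 'abuse' role,
    walking nested entities as well as top-level ones."""
    found = {}
    for ent in rdap_obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "email":
                    found[prop[3].lower()] = ent.get("handle", "")
        found.update(abuse_contacts(ent))
    return found


def poc_delivery_status(rdap_obj, log_lines):
    """Map each abuse e-mail to the outcome of the last logged delivery attempt."""
    status = {
        email: {"handle": handle, "verdict": "untested"}
        for email, handle in abuse_contacts(rdap_obj).items()
    }
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["rcpt"].lower() not in status:
            continue
        status[m["rcpt"].lower()].update(
            verdict=DSN_CLASS.get(m["dsn"][0], "unknown"),
            dsn=m["dsn"],
            relay=m["relay"].rstrip("."),
            stat=m["stat"],
        )
    return status


if __name__ == "__main__":
    for email, info in poc_delivery_status(RDAP_SAMPLE, SENDMAIL_LOG).items():
        print(email, info)
```

Only a 5.x.x code marks the contact as dead; a 4.x.x deferral is a retry condition and should not be reported as an invalid POC.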
Dan, I don’t really have the time to parse the debug output you sent. If you want me, or most others, to pay attention to your post, please provide a more detailed explanation of what the deal is than “Really, amazon?” -mel
On Jul 29, 2019, at 4:03 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
Amazon, you really should know better.
Source ip: 54.240.4.4
https://search.arin.net/rdap/?query=54.240.4.4
Source Registry ARIN Kind Group Full Name Amazon SES Abuse Handle ASA152-ARIN Email email-abuse@amazon.com
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
Really??? You can’t parse “User unknown”... Dan simply pointed out how ridiculous it is that Amazon lists a non-existent email address with ARIN for abuse. So yeah... really amazon? Sent from my iPhone
On Jul 29, 2019, at 7:07 PM, Mel Beckman <mel@beckman.org> wrote:
Dan,
I don’t really have the time to parse the debug output you sent. If you want me, or most others, to pay attention to your post, please provide a more detailed explanation of what the deal is than “Really, amazon?”
-mel
On Jul 29, 2019, at 4:03 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
Amazon, you really should know better.
Source ip: 54.240.4.4
https://search.arin.net/rdap/?query=54.240.4.4
Source Registry ARIN Kind Group Full Name Amazon SES Abuse Handle ASA152-ARIN Email email-abuse@amazon.com
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
So why not just say so? -mel
On Jul 29, 2019, at 4:12 PM, John Von Essen <john@essenz.com> wrote:
Really??? You can’t parse “User unknown”...
Dan simply pointed out how ridiculous it is that Amazon lists a non-existent email address with ARIN for abuse.
So yeah... really amazon?
Sent from my iPhone
On Jul 29, 2019, at 7:07 PM, Mel Beckman <mel@beckman.org> wrote:
Dan,
I don’t really have the time to parse the debug output you sent. If you want me, or most others, to pay attention to your post, please provide a more detailed explanation of what the deal is than “Really, amazon?”
-mel
On Jul 29, 2019, at 4:03 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
Amazon, you really should know better.
Source ip: 54.240.4.4
https://search.arin.net/rdap/?query=54.240.4.4
Source Registry ARIN Kind Group Full Name Amazon SES Abuse Handle ASA152-ARIN Email email-abuse@amazon.com
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
"User unknown" is pretty clear. But whatever. -Dan On Mon, 29 Jul 2019, Mel Beckman wrote:
Dan,
I don’t really have the time to parse the debug output you sent. If you want me, or most others, to pay attention to your post, please provide a more detailed explanation of what the deal is than “Really, amazon?”
-mel
On Jul 29, 2019, at 4:03 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
Amazon, you really should know better.
Source ip: 54.240.4.4
https://search.arin.net/rdap/?query=54.240.4.4
Source Registry ARIN Kind Group Full Name Amazon SES Abuse Handle ASA152-ARIN Email email-abuse@amazon.com
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
On Tue, Jul 30, 2019 at 11:45 AM Scott Christopher <sc@ottie.org> wrote:
Dan Hollis wrote:
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Try jeff@amazon.com
-- S.C.
Then update your ARIN records to reflect that. Fully agree with Dan on this one. -- Regards, Chris Knipe
On 30/07/2019 11:59, Chris Knipe wrote:
On Tue, Jul 30, 2019 at 11:45 AM Scott Christopher wrote:
Dan Hollis wrote:
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Try jeff () amazon
Then update your ARIN records to reflect that. Fully agree with Dan on this one.
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database. And revoked the resources from those that failed to respond after multiple attempts.
Christoffer Hansen wrote:
On 30/07/2019 11:59, Chris Knipe wrote:
Then update your ARIN records to reflect that. Fully agree with Dan on this one.
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database. And revoked the resources from those that failed to respond after multiple attempts.
Then imagine the media attention, public outcry, corporate lawyers from Amazon, the pressure from Congress, and an ARIN that would no longer function as an independent body anymore. . . -- S.C.
I thought it was already a requirement that the POC info had to be validated once a year and accurate?
On Jul 30, 2019, at 6:44 AM, Scott Christopher <sc@ottie.org> wrote:
Christoffer Hansen wrote:
On 30/07/2019 11:59, Chris Knipe wrote:
Then update your ARIN records to reflect that. Fully agree with Dan on this one.
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database. And revoked the resources from those that failed to respond after multiple attempts.
Then imagine the media attention, public outcry, corporate lawyers from Amazon, the pressure from Congress, and an ARIN that would no longer function as an independent body anymore. . .
-- S.C.
On 30 Jul 2019, at 6:44 AM, Scott Christopher <sc@ottie.org> wrote:
On 30/07/2019 11:59, Chris Knipe wrote:
Then update your ARIN records to reflect that. Fully agree with Dan on this one.
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database. And revoked the resources from those that failed to respond after multiple attempts.
Then imagine the media attention, public outcry, corporate lawyers from Amazon, the pressure from Congress, and an ARIN that would no longer function as an independent body anymore. . .
Scott -
Alas, you have a fundamental misunderstanding about the nature of ARIN… we don’t do anything other than implement policies that this community wants. If the community developed a policy to require Abuse POC’s validation, and said policy made clear that failure to do so was to result in revocation, then ARIN would indeed implement the policy (and that includes revocation for those who ignored the policy.)
This is actually exactly the way the US Government asked us to operate in 1997 - "Creation of ARIN will give the users of IP numbers (mostly Internet service providers, corporations and other large institutions) a voice in the policies by which they are managed and allocated within the North American region.” <https://www.nsf.gov/news/news_summ.jsp?cntn_id=102819>.
Further, this support was reiterated by the USG recently in 2012 - "The American Registry for Internet Numbers (ARIN) is the RIR for Canada, many Caribbean and North Atlantic islands, and the United States. The USG participates in the development of and is supportive of the policies, processes, and procedures agreed upon by the Internet technical community through ARIN.” <https://www.ntia.doc.gov/blog/2012/united-states-government-s-internet-protocol-numbering-principles>
We’ve seen the lawyer route as well, and I have zero doubt in both the enforceability of the ARIN registration services agreements and ARIN’s ability to operate the registry according to the community policy.
So, my advice is that this community not make policy that it doesn’t want to see implemented (and if you have interest or concern about ARIN policies, then I’d recommend get involved in their development – https://www.arin.net/get-involved/)
i.e. the good news is that this community gets to decide how IP addresses are managed in the region (as opposed to some federal agency) – the consequence is that we really do manage the registry as directed by this community, so please try to avoid self-immolation if at all possible...
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
John Curran wrote:
Scott -
Alas, you have a fundamental misunderstanding about the nature of ARIN… we don’t do anything other than implement policies that this community wants. If the community developed a policy to require Abuse POC’s validation, and said policy made clear that failure to do so was to result in revocation, then ARIN would indeed implement the policy (and that includes revocation for those who ignored the policy.)
Hello John - you are absolutely right. Since the community has shown overwhelming disapproval of Amazon's invalid abuse POC, please go ahead and revoke Amazon's resources. Maybe do this late Friday afternoon for the courtesy toward Amazon's support staff ? And since this will certainly be historic, please post an announcement to nanog-list ? Thanks, and Good luck ! S.C.
Scott, you might want to read "Policy Development Process (PDP)” https://www.arin.net/participate/policy/pdp/ in order to discover just exactly what John means by “If the community developed a policy”. You might also want to join the Public Policy Mailing List, arin-ppml@arin.net, to discuss. Scintillating discourse, I assure you. —Sandy
On Jul 31, 2019, at 10:17 AM, Scott Christopher <sc@ottie.org> wrote:
John Curran wrote:
Scott -
Alas, you have a fundamental misunderstanding about the nature of ARIN… we don’t do anything other than implement policies that this community wants. If the community developed a policy to require Abuse POC’s validation, and said policy made clear that failure to do so was to result in revocation, then ARIN would indeed implement the policy (and that includes revocation for those who ignored the policy.)
Hello John - you are absolutely right. Since the community has shown overwhelming disapproval of Amazon's invalid abuse POC, please go ahead and revoke Amazon's resources.
Maybe do this late Friday afternoon for the courtesy toward Amazon's support staff ?
And since this will certainly be historic, please post an announcement to nanog-list ?
Thanks, and Good luck !
S.C.
Sandra Murphy wrote:
Scott, you might want to read "Policy Development Process (PDP)” https://www.arin.net/participate/policy/pdp/ in order to discover just exactly what John means by “If the community developed a policy”.
You might also want to join the Public Policy Mailing List, arin-ppml@arin.net, to discuss. Scintillating discourse, I assure you.
Yes - I am aware of how ARIN functions, its mandate, its governance, etc. What I have been saying is that, if ARIN did something so brazen as to revoke Amazon's resources because of some bounced PoC emails, the impact would be *dramatic* and likely lead to the end of ARIN. Just think about this for a minute. :) Obviously this will not happen because ARIN is so righteously competent. :) I wasn't criticizing ARIN (or anybody) I was just answering a hypothetical. -- S.C.
Actually if ARIN doesn’t pull the resources, after notification and a grace period to get them fixed, then what is the point in writing policy requiring that they be up to date and working? There needs to be checks and balances for systems to work. The only thing is what should the grace period be?
On 1 Aug 2019, at 7:31 am, Scott Christopher <sc@ottie.org> wrote:
Sandra Murphy wrote:
Scott, you might want to read "Policy Development Process (PDP)” https://www.arin.net/participate/policy/pdp/ in order to discover just exactly what John means by “If the community developed a policy”.
You might also want to join the Public Policy Mailing List, arin-ppml@arin.net, to discuss. Scintillating discourse, I assure you.
Yes - I am aware of how ARIN functions, its mandate, its governance, etc.
What I have been saying is that, if ARIN did something so brazen as to revoke Amazon's resources because of some bounced PoC emails, the impact would be *dramatic* and likely lead to the end of ARIN. Just think about this for a minute. :) Obviously this will not happen because ARIN is so righteously competent. :)
I wasn't criticizing ARIN (or anybody) I was just answering a hypothetical.
-- S.C.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, Jul 31, 2019 at 5:29 PM Mark Andrews <marka@isc.org> wrote:
Actually if ARIN doesn’t pull the resources, after notification and a grace period to get them fixed, then what is the point in writing policy requiring that they be up to date and working? There needs to be checks and balances for systems to work. The only thing is what should the grace period be?
It simplifies complaint language/interaction if there is an actual official RIR policy being violated. If the abuse POC bounces, then you can contact the Admin and Technical WHOIS e-mail addresses to tell them about the issue, and why they should care. "You should care, because your non-functioning abuse is a violation of ARIN Registry Policy."
If none of the WHOIS e-mail works, then try calling to report the issue as a last resort.
Finally, if none of those go directly to a working contact.... then it seems like the only option left is blacklisting. And seems like the RIRs ought to have a policy where when they confirm this; financial sanctions as in penalty fines would be in order to retain those for whatever organization not taking any of their IP Address Registration and availability of contacts seriously.
-- -Sid
On 31 Jul 2019, at 5:31 PM, Scott Christopher <sc@ottie.org> wrote:
...
What I have been saying is that, if ARIN did something so brazen as to revoke Amazon's resources because of some bounced PoC emails, the impact would be *dramatic* and likely lead to the end of ARIN. Just think about this for a minute. :) Obviously this will not happen because ARIN is so righteously competent. :)
Scott -
ARIN revokes resources because of other administrative matters (e.g. not paying one’s ARIN fees), and while there is obviously quite a bit of process and notice to avoid this if all possible, we do indeed revoke and networks go down as a result. <https://www.arin.net/resources/fees/returns/#revocation>
(This isn’t much different than what happens when an organization fails to renew their organizational domain name and then disappears from the net – failure to follow contractual terms results in consequences sometimes rather dramatic, and it’s not the registry’s fault nor is there meaningful legal recourse for halfwitted self-inflicted harm…)
If the community passes a new policy that makes clear that ARIN is to exercise contractual authority for violations of that policy, then we will establish a similar set of processes (with appropriate notice provisions) and then implement.
As I have noted previously, I have zero doubt in the enforceability of the ARIN registration services agreements in this regard – so please carefully consider proposed policy both from the overall community benefit being sought, and from the implications faced as a number resource holder having to comply oneself with the new obligations.
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
On 8/3/19 9:15 PM, John Curran wrote:
As I have noted previously, I have zero doubt in the enforceability of the ARIN registration services agreements in this regard – so please carefully consider proposed policy both from the overall community benefit being sought, and from the implications faced as a number resource holder having to comply oneself with the new obligations.
Actually, I would re-write the last part of the last sentence as "...and from the implications faced as a number resource holder having to comply oneself with the long-standing and well-known obligations of all network operators."
I'm a small network operator that has been around and following "the rules" for many years. I do understand why you are constrained by the legal authority you have. In some respects, I (and others) pine for the old NSFNET days, when negligence -- particularly willful negligence -- was rewarded with disconnection.
"The rules" have been around for years, and are codified in the RFCs that are widely published and available to all at zero cost. (That wasn't always true, as it wasn't until the DDN Protocol Handbook volumes were published in 1985 that the RFCs were available to everyone. I seem to recall there was an FTP site that provided the RFC documents before that, but my memory is hazy on that.) I had access to all the RFCs at the University of Illinois Center for Advanced Computation, as I was working at the place as a worker on ARPAnet.
During my career as a web server admin, mail admin, and network admin, I followed "the rules" strictly. As the main abuse contact during my time at a web hosting company, my postmaster@ and abuse@ contact addresses were according to Hoyle, and published with the company ASN, netblock, and domain registration records. It took a little convincing for the owner of the shop to buy in, and to back up my responses to abuse reports.
I would have expected any ARIN contracts to include by reference the RFCs that constituted "the rules". I have never seen the contracts, so I don't know how they are formulated. That said, I would have expected legacy space to fall under "the rules", particularly with respect to role electronic mail addresses.
I don't have a dog in this fight. Currently, I don't "own" any IPv4 address space, nor am I running BGP.
On Sun, Aug 04, 2019 at 12:12:48AM -0700, Stephen Satchell wrote:
"The rules" have been around for years, and are codified in the RFCs that are widely published and available to all at zero cost. (That wasn't always true, as it wasn't until the DDN Protocol Handbook volumes were published in 1985 that the RFCs were available to everyone. I seem to recall there was an FTP site that provided the RFC documents before that, but my memory is hazy on that.)
IIRC, the CSnet CIC provided an RFC-by-mail service in the mid to late 1980's. It allowed anyone to request any RFC by number, e.g., sending it "rfc123" would result in a response containing that RFC. I also share your recollection of an earlier FTP site but a few minutes of checking old documents hasn't turned up its name and it's fallen out of long-term memory, at least for the moment.
During my career as a web server admin, mail admin, and network admin, I followed "the rules" strictly. As the main abuse contact during my time at a web hosting company, my postmaster@ and abuse@ contact addresses were according to Hoyle, and published with the company ASN, netblock, and domain registration records.
I've done the same -- imperfectly, to be sure, I've certainly tried.
Half my grump with Amazon here is that they have, for all practical purposes, unlimited money and unlimited personnel. They should be the go-to example for How To Do It Right. They should be the model (or one of the models) that we're all trying to emulate, the gold standard that we can all point to.
But they're not.
The other half of my grump is that they're enormous, and therefore capable of inflicting enormous damage. The larger an operation, the more critical it is that abuse/security/et.al. be fully supported, highly responsive, empowered to act decisively, etc.
But they're not.
And I have yet to see anyone from Amazon (a) admit this and (b) ask for help fixing it.
---rsk
On Mon, Aug 12, 2019 at 15:26:22PM -0400, Rich Kulawiec wrote:
I also share your recollection of an earlier FTP site but a few minutes of checking old documents hasn't turned up its name and it's fallen out of long-term memory, at least for the moment.
ftp://rfc-editor.org (also via conventional http/s) -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
On Aug 12, 2019, at 3:52 PM, Henry Yen <henry@AegisInfoSys.com> wrote:
ftp://rfc-editor.org
ftp://rfc-editor.org still mounts perfectly well using macOS Finder but shows to be now devoid of useful content via ftp.
James R. Cutler James.cutler@consultant.com GPG keys: hkps://hkps.pool.sks-keyservers.net
On 8/12/19 3:26 PM, Rich Kulawiec wrote:
Half my grump with Amazon here is that they have, for all practical purposes, unlimited money and unlimited personnel. They should be the go-to example for How To Do It Right. They should be the model (or one of the models) that we're all trying to emulate, the gold standard that we can all point to.
But they're not.
The other half of my grump is that they're enormous, and therefore capable of inflicting enormous damage. The larger an operation, the more critical it is that abuse/security/et.al. be fully supported, highly responsive, empowered to act decisively, etc.
But they're not.
And I have yet to see anyone from Amazon (a) admit this and (b) ask for help fixing it.
The larger they are, the more immune from having to follow the rules they think they are. -- -------------------------------------------- Bruce H. McIntosh Network Engineer II University of Florida Information Technology bhm@ufl.edu 352-273-1066
On Mon, 12 Aug 2019, Bruce H McIntosh wrote:
On 8/12/19 3:26 PM, Rich Kulawiec wrote:
Half my grump with Amazon here is that they have, for all practical purposes, unlimited money and unlimited personnel. They should be the go-to example for How To Do It Right. They should be the model (or one of the models) that we're all trying to emulate, the gold standard that we can all point to.
But they're not.
The other half of my grump is that they're enormous, and therefore capable of inflicting enormous damage. The larger an operation, the more critical it is that abuse/security/et.al. be fully supported, highly responsive, empowered to act decisively, etc.
But they're not.
And I have yet to see anyone from Amazon (a) admit this and (b) ask for help fixing it.
The larger they are, the more immune from having to follow the rules they think they are.
SBL seems the only way to wake them up. -Dan
On 12 Aug 2019, at 3:26 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Sun, Aug 04, 2019 at 12:12:48AM -0700, Stephen Satchell wrote:
"The rules" have been around for years, and are codified in the RFCs that are widely published and available to all at zero cost. (That wasn't always true, as it wasn't until the DDN Protocol Handbook volumes were published in 1985 that the RFCs were available to everyone. I seem to recall there was an FTP site that provided the RFC documents before that, but my memory is hazy on that.)
IIRC, the CSnet CIC provided an RFC-by-mail service in the mid to late 1980's. It allowed anyone to request any RFC by number, e.g., sending it "rfc123" would result in a response containing that RFC.
Indeed - it was the "CSNET Information Server" <info-server@sh.cs.net>, and it not only served RFCs but also a variety of other DDN/NSF/Merit/IETF internet informational documents... With the shutdown of the CSNET Coordination and Information Center (CSNET CIC) in 1991, the email-based info-server function was transferred to the NSF Network Service Center (NNSC) <info-server@nnsc.nsf.net> where it operated until all of the various Internet informational/registry/directory services were transferred into the consolidated InterNIC contract. FYI, /John
John Curran wrote: ...
As I have noted previously, I have zero doubt in the enforceability of the ARIN registration services agreements in this regard – so please carefully consider proposed policy both from the overall community benefit being sought, and from the implications faced as a number resource holder having to comply oneself with the new obligations.
I completely agree that ARIN can revoke an organization's resources. Nobody has ever doubted that. What I have been saying is that if ARIN revoked Amazon's resources because of a trivial matter of bounced Abuse PoC, even if the small "community" of network operators and other interested parties passed a rule supporting this, the backlash would be *enormous* and lead to media attention, litigation, police, investigation by U.S. Congress, etc. The interests of the public affected by a global Amazon/AWS outage would greatly outweigh the rights of this small "community" which would ultimately be stripped away, I'd think. This is moot, of course, because ARIN would give ample notices and time to Amazon and they would dutifully comply. But the original poster to which I replied invited us to imagine such a situation. S.C.
On 4 Aug 2019, at 4:16 AM, Scott Christopher <sc@ottie.org> wrote:
...
What I have been saying is that if ARIN revoked Amazon's resources because of a trivial matter of bounced Abuse PoC, even if the small "community" of network operators and other interested parties passed a rule supporting this, the backlash would be *enormous* and lead to media attention, litigation, police, investigation by U.S. Congress, etc.
Scott,
That may be the case – for example anyone can initiate litigation for any perceived slight, whereas successful litigation generally requires actual contractual breach or other cause of action.
The interests of the public affected by a global Amazon/AWS outage would greatly outweigh the rights of this small "community" which would ultimately be stripped away, I'd think.
It is possible, but far more likely an outcome in circumstances where ARIN contributed in some manner; e.g. an operational outage which was an element in the overall global event. (hence our particular care in certain areas, e.g. ensuring folks know the conditions for use of our RPKI repository, and their duty to handle NOTFOUND and fall back appropriately per best practices…)
Thanks,
/John
John Curran
President and CEO
American Registry for Internet Numbers
On Sun, Aug 4, 2019 at 5:17 AM Scott Christopher <sc@ottie.org> wrote:
John Curran wrote:
...
As I have noted previously, I have zero doubt in the enforceability of the ARIN registration services agreements in this regard – so please carefully consider proposed policy both from the overall community benefit being sought, and from the implications faced as a number resource holder having to comply oneself with the new obligations.
I completely agree that ARIN can revoke an organization's resources. Nobody has ever doubted that.
What I have been saying is that if ARIN revoked Amazon's resources because of a trivial matter of bounced Abuse PoC, even if the small "community" of network operators and other interested parties passed a rule supporting this, the backlash would be *enormous* and lead to media attention, litigation, police, investigation by U.S. Congress, etc.
The interests of the public affected by a global Amazon/AWS outage would greatly outweigh the rights of this small "community" which would ultimately be stripped away, I'd think.
This is moot, of course, because ARIN would give ample notices and time to Amazon and they would dutifully comply. But the original poster to which I replied invited us to imagine such a situation.
I don't think that "companies with tons of lawyers" should be a factor in making resource allocation policies. But considering either small or big networks, an escalation path would reduce friction and increase overall compliance... for instance, failure to have functioning abuse PoC could lead first to being ineligible to receive new resources. Rubens
Rubens Kuhl wrote:
I don't think that "companies with tons of lawyers" should be a factor in making resource allocation policies. But considering either small or big networks, an escalation path would reduce friction and increase overall compliance... for instance, failure to have functioning abuse PoC could lead first to being ineligible to receive new resources.
It's not about $BIGCORP having lots of corporate lawyers imposing its will on the small guys - it's about Amazon's role as a public utility, upon which many many many important things depend. S.C.
On Mon, Aug 5, 2019 at 2:16 AM Scott Christopher <sc@ottie.org> wrote:
[...]
It's not about $BIGCORP having lots of corporate lawyers imposing its will on the small guys - it's about Amazon's role as a public utility, upon which many many many important things depend.
S.C.
I must have missed the news amidst all the interest rate changes and tariff tweets... ...apparently Amazon has become a public utility now? I look forward with bemusement to the PUC tariff filings for AWS pricing. ^_^;; Matt
On 8/9/19 4:03 PM, Matthew Petach wrote:
...apparently Amazon has become a public utility now?
I look forward with bemusement to the PUC tariff filings for AWS pricing. ^_^;;
Don't scoff too hard. How do you think that telephone service became a utility? Utilities didn't grow on trees, they became utilities when some bureaucrats convinced legislators to "promote" successful service providers to utility status. Especially when such providers are providing a service as a monopoly. Particularly a "natural" monopoly. AWS has competitors, but if the number of providers remains small (like fingers of one hand) the politicians will step in. And it wouldn't be the PUC, as Amazon is a company national in scope. It would be something like the FCC. Public Utility Commissions are at the local (usually county) or state level.
On Fri, Aug 9, 2019 at 4:31 PM Stephen Satchell <list@satchell.net> wrote:
On 8/9/19 4:03 PM, Matthew Petach wrote:
...apparently Amazon has become a public utility now?
I look forward with bemusement to the PUC tariff filings for AWS pricing. ^_^;;
[...]
And it wouldn't be the PUC, as Amazon is a company national in scope. It would be something like the FCC. Public Utility Commissions are at the local (usually county) or state level.
That was somewhat the point. Public utilities make some amount of sense when there's a local natural monopoly. With a global company, there's no such thing as a local natural monopoly in play; how would you assign oversight to a global entity? Which "public" would be the ones being protected? The city of Seattle, WA, where Amazon is headquartered? The State of Washington? The United States, at a federal level? What about the "public" that uses Amazon in all the other countries of the world? There's no way to make a global entity a regulated public utility; we don't have an organization that has that level of oversight across country boundaries, unless you start thinking about entities that can enforce *treaties* between countries. And I'm not sure I'd want our Ambassadors being the ones at the table deciding how best to regulate Amazon. :/
On 8/13/19 3:10 PM, Matthew Petach wrote:
With a global company, there's no such thing as a local natural monopoly in play; how would you assign oversight to a global entity? Which "public" would be the ones being protected? The city of Seattle, WA, where Amazon is headquartered? The State of Washington? The United States, at a federal level? What about the "public" that uses Amazon in all the other countries of the world?
Consider how radio, television, and telephony grew and became regulated. (For a moment there, it felt like a discussion that I would have on the CyberTelecomm mailing list.) Each country would regulate the monopoly in the manner best suited for that country. Amazon would need to set up divisions in each country, or union of countries such as the EU.
There's no way to make a global entity a regulated public utility; we don't have an organization that has that level of oversight across country boundaries, unless you start thinking about entities that can enforce *treaties* between countries.
Actually, you'd be surprised to learn we already have infrastructure in place to do exactly that. The International Telecommunication Union is a fine example of how this could be done. Study up on it. From my experience in the telco and modem world, the individual countries have working parties for each element. The working parties develop Standards (the initial cap is intentional) within each country. The output from the working parties in each country send their recommendations to a government bureau -- in the United States, that would be a working party associated with the State Department. (For example, my work on in-band modem control went through TIA/EIA TR-29, which then was passed on to Study Group D, which went to the ITU.)
And I'm not sure I'd want our Ambassadors being the ones at the table deciding how best to regulate Amazon. :/
That's just the point. The regulation would *not* be done by ambassadors. The treaties, rules, regulations, and procedures are *already* in place to smooth the process through people that are not political appointees. Regulation of Amazon would probably be broken into parts: technical, policy, management, auditing, perhaps more. Policy would originate in the USA with Congress, with help from the industry. Other parts would be parceled out to the people better (not necessarily the best) equipped to do the job. And that's my pair-o-pennies on the subject. Other people may have differing opinions.
[Speaking ONLY FOR MYSELF AS AN INDIVIDUAL.] On Aug 4, 2019, at 8:15 AM, Rubens Kuhl <rubensk@gmail.com> wrote:
On Sun, Aug 4, 2019 at 5:17 AM Scott Christopher <sc@ottie.org> wrote: John Curran wrote:
...
As I have noted previously, I have zero doubt in the enforceability of the ARIN registration services agreements in this regard – so please carefully consider proposed policy both from the overall community benefit being sought, and from the implications faced as a number resource holder having to comply oneself with the new obligations.
I completely agree that ARIN can revoke an organization's resources. Nobody has ever doubted that.
What I have been saying is that if ARIN revoked Amazon's resources because of a trivial matter of bounced Abuse PoC, even if the small "community" of network operators and other interested parties passed a rule supporting this, the backlash would be *enormous* and lead to media attention, litigation, police, investigation by U.S. Congress, etc.
The interests of the public affected by a global Amazon/AWS outage would greatly outweigh the rights of this small "community" which would ultimately be stripped away, I'd think.
This is moot, of course, because ARIN would give ample notices and time to Amazon and they would dutifully comply. But the original poster to which I replied invited us to imagine such a situation.
I don't think that "companies with tons of lawyers" should be a factor in making resource allocation policies. But considering either small or big networks, an escalation path would reduce friction and increase overall compliance... for instance, failure to have functioning abuse PoC could lead first to being ineligible to receive new resources.
I would love for “companies with tons of lawyers” to be irrelevant to policy creation and implementation. However, ARIN has to exist to enforce policy and support the community. If there is an existential threat to the corporation, e.g. legal risks, that must be taken into account. To be clear, this does not mean a company with lots of lawyers should be allowed to direct policy. ARIN’s policies should and do come from the communities and their elected representatives (the AC). But to say that ARIN should not consider the legal implications goes a bit too far, IMHO. [Reminder: Speaking ONLY FOR MYSELF AS AN INDIVIDUAL.] -- TTFN, patrick
On Tue, Jul 30, 2019 at 1:20 PM Christoffer Hansen <christoffer@netravnen.de> wrote:
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database.
Just to be precise, such a policy (2019-04) is still in a discussion phase in RIPE and has already seen significant resistance. You can, however, point fingers at APNIC instead, where pretty much the same policy proposal from the same authors (prop-125) was already implemented in apnic-127-v006 "Internet Number Resource Policies". I think they will be planning to reach out to ARIN with the same text right after the RIPE process ends this way or another. -- Töma
On Tue, 30 Jul 2019 16:02:58 +0300, Töma Gavrichenkov said:
On Tue, Jul 30, 2019 at 1:20 PM Christoffer Hansen <christoffer@netravnen.de> wrote:
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database.
Just to be precise, such a policy (2019-04) is still in a discussion phase in RIPE and has already seen significant resistance.
OK, I'll bite. What reasons are they giving for their resistance? (And if known, what are the *real* reasons if different?)
OK, I'll bite. What reasons are they giving for their resistance? (And if known, what are the *real* reasons if different?)
https://www.ripe.net/ripe/mail/archives/ncc-services-wg/2018-October/thread.... -- Steve P
On Wed, Jul 31, 2019 at 3:35 PM Valdis Klētnieks <valdis.kletnieks@vt.edu> wrote:
On Tue, 30 Jul 2019 16:02:58 +0300, Töma Gavrichenkov said:
such a policy (2019-04) is still in a discussion phase in RIPE and has already seen significant resistance.
OK, I'll bite. What reasons are they giving for their resistance?
Here's a good place to start: https://ripe78.ripe.net/archives/steno/37/ ^F, "You're done", enjoy! -- Töma
On Wed, Jul 31, 2019 at 4:04 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
OK, I'll bite. What reasons are they giving for their resistance?
Here's a good place to start: https://ripe78.ripe.net/archives/steno/37/ ^F, "You're done", enjoy!
P.S. Suddenly there's an important mistake in the transcript: the boiling frog argument was introduced by Piotr Strzyzewski (RIPE NCC Exec Board), not Petr Špaček (CZ.NIC). Slavic names are always a challenge for scribes (look up "grzegorz brzęczyszczykiewicz" on Youtube). -- Töma
On Tue, Jul 30, 2019 at 04:02:58PM +0300, Töma Gavrichenkov wrote:
On Tue, Jul 30, 2019 at 1:20 PM Christoffer Hansen <christoffer@netravnen.de> wrote:
Imagine ARIN did a take from RIPE NCC [Policy Proposal Idea?] and a policy came into effect of validating ALL 'OrgAbuseEmail' objects listed in the ARIN database.
Just to be precise, such a policy (2019-04) is still in a discussion phase in RIPE and has already seen significant resistance.
You can, however, point fingers at APNIC instead, where pretty much the same policy proposal from the same authors (prop-125) was already implemented in apnic-127-v006 "Internet Number Resource Policies".
I think they will be planning to reach out to ARIN with the same text right after the RIPE process ends this way or another.
Uh, ARIN-2019-5 has been in the ARIN PDP since March of this year. See https://www.arin.net/participate/policy/drafts/2019_5/ Most recent related PPML thread: https://lists.arin.net/pipermail/arin-ppml/2019-July/067241.html Cheers, Joe -- Posted from my personal account - see X-Disclaimer header. Joe Provo / Gweep / Earthling
On Thu, Aug 1, 2019, 1:25 AM Joe Provo <nanog-post@rsuc.gweep.net> wrote:
On Tue, Jul 30, 2019 at 04:02:58PM +0300, Töma Gavrichenkov wrote:
I think they will be planning to reach out to ARIN with the same text
right after the RIPE process ends this way or another.
Uh, ARIN-2019-5 has been in the ARIN PDP since March of this year. See https://www.arin.net/participate/policy/drafts/2019_5/ Most recent related PPML thread: https://lists.arin.net/pipermail/arin-ppml/2019-July/067241.html
Whoops, you're right. My bad, I haven't been following ARIN processes lately. -- Töma
On 2019-07-30 10:59, Chris Knipe wrote:
On Tue, Jul 30, 2019 at 11:45 AM Scott Christopher <sc@ottie.org> wrote:
Dan Hollis wrote:
RCPT To:<email-abuse@amazon.com> <<< 550 #5.1.0 Address rejected. 550 5.1.1 <email-abuse@amazon.com>... User unknown DATA <<< 503 #5.5.1 RCPT first
Try jeff@amazon.com
-- S.C.
Then update your ARIN records to reflect that. Fully agree with Dan on this one.
Even if it existed it would just be an autoresponder telling you that your email wasn't read and to go resubmit the report on their website. Maybe they should change it to noreply@amazon.com. Rob
On 30/07/2019 13:56, Robert McKay wrote:
Even if it existed it would just be an autoresponder telling you that your email wasn't read and to go resubmit the report on their website.
Both yes and no. See below:* """ We are sorry to hear that you received unwanted email through Amazon SES. Please note, this reporting address is only for mail sent via Amazon SES (emails originated from 54.240.0.0/18). If you have a complaint about other AWS abuse (e.g. EC2), please submit your complaint here: https://aws.amazon.com/forms/report-abuse If you did not provide the following information, please contact email-abuse@amazon.com again with: 1. The full headers of the objectionable email message. For examples of how to find email headers, see https://support.google.com/mail/answer/22454?hl=en . 2. The type of abuse you are experiencing. For example, you didn't sign up to receive emails from the sender, the sender doesn’t have an opt-out option, etc. Thank you for the report! Sincerely, The Amazon SES Team """ *) The contents I got back after firing Test E-mail from $CORP email account on O365 infrastructure. Christoffer
On 30/07/2019 01:03, Dan Hollis wrote:
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
... :wondering: Works fine for me. If sending from $CORP e-mail account hosted on O365 infrastructure. Christoffer
----- Original Message -----
From: "Christoffer Hansen" <christoffer@netravnen.de>
On 30/07/2019 01:03, Dan Hollis wrote:
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
... :wondering: Works fine for me. If sending from $CORP e-mail account hosted on O365 infrastructure.
Yup; I think that was most of his point: POC Email addresses MUST be whitelisted ahead of/through every protection device/software you deploy on incoming mail. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
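An added example, not part of the original thread: a Python script that scans sendmail delivery logs for permanent (5.x.x) rejections of mail addressed to role mailboxes, the condition shown in the log line Dan posted. The first sample line is the one quoted in the thread; the remaining sample lines, the `ROLE_NAMES` set and all function names are constructed for illustration.

```python
import re

# Role local-parts (RFC 2142 style) that outside reporters depend on. Assumed set.
ROLE_NAMES = {"abuse", "postmaster", "noc", "security", "hostmaster"}

# First line is quoted from the thread; the other three are constructed samples
# using documentation domains and address ranges.
SAMPLE_LOG = """\
Jul 29 09:47:27 yuri sendmail[14067]: x6TGlQe4014062: to=<email-abuse@amazon.com>, ctladdr=<goemon@sasami.anime.net> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp92, relay=amazon-smtp.amazon.com. [207.171.188.4], dsn=5.1.1, stat=User unknown
Jul 29 09:50:02 yuri sendmail[14101]: x6TGo1aB014099: to=<abuse@example.net>, delay=00:00:03, xdelay=00:00:03, mailer=esmtp, relay=mail.example.net. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection timed out with mail.example.net.
Jul 29 09:51:10 yuri sendmail[14120]: x6TGp9cD014118: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.7], dsn=5.1.1, stat=User unknown
Jul 29 09:52:44 yuri sendmail[14133]: x6TGqheF014131: to=<abuse@example.org>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=mx.example.org. [203.0.113.9], dsn=2.0.0, stat=Sent (ok, queued as 12345)
"""

# Delivery lines look like: "... sendmail[pid]: <qid>: to=<rcpt>, key=value, ..."
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>to=.*)$")
# Split only on ", " that is followed by "key=", so commas inside stat= survive.
FIELD_SPLIT_RE = re.compile(r",\s+(?=[a-z]+=)")
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>")


def parse_delivery(line):
    """Return the key=value fields of a sendmail delivery line, or None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None  # from= lines, daemon chatter, other programs
    fields = dict(f.split("=", 1) for f in FIELD_SPLIT_RE.split(m.group("fields")))
    fields["qid"] = m.group("qid")
    return fields


def is_role_mailbox(local_part):
    """True for abuse@, and for variants such as email-abuse@ or noc.eu@."""
    tokens = re.split(r"[-._+]", local_part.lower())
    return any(t in ROLE_NAMES for t in tokens)


def failed_role_reports(log_text):
    """List permanent (DSN 5.x.x) failures for mail sent to role mailboxes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec is None or not rec.get("dsn", "").startswith("5."):
            continue  # skip successes (2.x.x) and temporary deferrals (4.x.x)
        for local, domain in ADDR_RE.findall(rec["to"]):
            if is_role_mailbox(local):
                hits.append({
                    "qid": rec["qid"],
                    "recipient": f"{local}@{domain}",
                    "relay": rec.get("relay", ""),
                    "dsn": rec["dsn"],
                    "stat": rec.get("stat", ""),
                })
    return hits


if __name__ == "__main__":
    for hit in failed_role_reports(SAMPLE_LOG):
        print(f"{hit['recipient']} rejected by {hit['relay']}: {hit['dsn']} {hit['stat']}")
```

Run on an outbound relay's log, this lists role mailboxes that refuse reports; the same signal on the receiving side is a 5.x.x reply issued to a role address by a filter in front of the mailbox.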
Yes, this is egregious, but on the other hand even when the abuse reporting mechanisms are working my experience has been that they emit no response (other than -- maybe -- boilerplate) and take no action, so it's not terribly surprising. ---rsk
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com On Wednesday, July 31, 2019, 9:53:59 AM EDT, Rich Kulawiec <rsk@gsp.org> wrote: Yes, this is egregious, but on the other hand even when the abuse reporting mechanisms are working my experience has been that they emit no response (other than -- maybe -- boilerplate) and take no action, so it's not terribly surprising. ---rsk
On Wed, 31 Jul 2019 16:36:08 -0000, Richard Williams via NANOG said:
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com
You know that, and I know that, but why doesn't the person at AWS whose job it is to keep the ARIN info correct and up to date know that?
Valdis Klētnieks wrote:
On Wed, 31 Jul 2019 16:36:08 -0000, Richard Williams via NANOG said:
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com
You know that, and I know that, but why doesn't the person at AWS whose job it is to keep the ARIN info correct and up to date know that?
Because it will get spammed if publicly listed in WHOIS. -- S.C.
On Jul 31, 2019, at 1:13 PM, Scott Christopher <sc@ottie.org> wrote:
Valdis Klētnieks wrote:
On Wed, 31 Jul 2019 16:36:08 -0000, Richard Williams via NANOG said:
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com
You know that, and I know that, but why doesn't the person at AWS whose job it is to keep the ARIN info correct and up to date know that?
Because it will get spammed if publicly listed in WHOIS.
Not an excuse. I’m saying this on behalf of ALL the other ASNs that keep their POCs up to date.
On 2019-07-31 23:13, Scott Christopher wrote:
Valdis Klētnieks wrote:
On Wed, 31 Jul 2019 16:36:08 -0000, Richard Williams via NANOG said:
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com
You know that, and I know that, but why doesn't the person at AWS whose job it is to keep the ARIN info correct and up to date know that?
Because it will get spammed if publicly listed in WHOIS.
They can send autoreply with correct address (even as picture, but yes, From: can be spoofed, so might be bad idea), make error message with link to captcha, custom error in reject (e.g. web url to submit report), and etc. So many ways to be more helpful in such critical matters. But at least not "User not found".
On 7/31/19 1:28 PM, Brian J. Murrell wrote:
On Wed, 2019-07-31 at 23:13 +0300, Scott Christopher wrote:
Because it will get spammed if publicly listed in WHOIS.
I will take that at *least* as ironic as you meant it.
I don't know about your network, but I have five role mail accounts, and all five get spam, even with spam filters enabled. Oh, forgot about abuse@, which has no filter but LOTS of spam. What's fun is to let it sit a couple of days, then sort by subject. Delete the "conversations". That gets down to the zero or one piece of ham. But then again, I've locked down my network so abuse doesn't get out, even when someone manages to get by the MAC filters on the wireless router.
On Wed, Jul 31, 2019 at 11:13:48PM +0300, Scott Christopher wrote:
Because it will get spammed if publicly listed in WHOIS.
Yes. It will. Are you telling us that Amazon, with its enormous financial and personnel resources, doesn't have ANYBODY on staff who knows how to properly manage an abuse@ address -- part of which includes dealing with that exact problem? ---rsk
Rich Kulawiec wrote:
On Wed, Jul 31, 2019 at 11:13:48PM +0300, Scott Christopher wrote:
Because it will get spammed if publicly listed in WHOIS.
Yes. It will. Are you telling us that Amazon, with its enormous financial and personnel resources, doesn't have ANYBODY on staff who knows how to properly manage an abuse@ address -- part of which includes dealing with that exact problem?
They do, but it's just time-consuming and inefficient. You can't spam-filter the content of abuse@ obviously. But in addition to spam, random (read: non-technical) people will send complaints outside of the usual purview of spam, network abuse, DMCA, etc. They find some FAQ on the web telling them to determine the PoC on whois.domaintools.com and then they start firing crap. I prefer openness and transparency and the general spirit of WHOIS but, in practice, you really do need to limit the PoC information to a trusted group of insiders. -- S.C.
On Thu, Aug 01, 2019 at 12:54:07AM +0300, Scott Christopher wrote:
Rich Kulawiec wrote:
On Wed, Jul 31, 2019 at 11:13:48PM +0300, Scott Christopher wrote:
Because it will get spammed if publicly listed in WHOIS.
Yes. It will. Are you telling us that Amazon, with its enormous financial and personnel resources, doesn't have ANYBODY on staff who knows how to properly manage an abuse@ address -- part of which includes dealing with that exact problem?
They do, but it's just time-consuming and inefficient. You can't spam-filter the content of abuse@ obviously.
Actually, yes, you can -- but probably not in the way you're thinking, because if you do it *that* way you will break [some of the] required functionality.
But in addition to spam, random (read: non-technical) people will send complaints outside of the usual purview of spam, network abuse, DMCA, etc. They find some FAQ on the web telling them to determine the PoC on whois.domaintools.com and then they start firing crap.
This is not my first day on the job. I'm aware of what shows up at role addresses. However, handling the problems you enumerate here is a straightforward (albeit occasionally tedious) matter that any operations engineer above entry-level should be able to handle. Doubly so because people like me have done them the favor of writing about it (here and elsewhere), so they can use our experience without needing to repeat our numerous mistakes.
I prefer openness and transparency and the general spirit of WHOIS but, in practice, you really do need to limit the PoC information to a trusted group of insiders.
First, there's no such thing as a trusted group of insiders. Second, even if such a group existed, limiting PoC information to them is impossible. Think about it. Third, besides WHOIS PoC, RFC 2142 (and decades of best practices) specify abuse@, postmaster@, etc. My expectation is that anyone equipped with baseline competence will be fully prepared to handle traffic to those addresses (as applicable) effectively at whatever scale their operation requires. ---rsk
On 7/31/19 12:04 PM, Valdis Klētnieks wrote:
On Wed, 31 Jul 2019 16:36:08 -0000, Richard Williams via NANOG said:
To contact AWS SES about spam or abuse the correct email address is abuse@amazonaws.com
You know that, and I know that, but why doesn't the person at AWS whose job it is to keep the ARIN info correct and up to date know that?
C'mon, you already know the answer to this: there is no such person. Someone gets a mail once a year and MIGHT, JUST MIGHT, pass it on to someone who knows what to do.
participants (30): Brian J. Murrell, Bruce H McIntosh, Chris Knipe, Christoffer Hansen, Dan Hollis, Denys Fedoryshchenko, Henry Yen, James R Cutler, Jay R. Ashworth, Joe Provo, John Curran, John Curran, John Von Essen, Landon Stewart, Mark Andrews, Matt Hoppes, Matthew Petach, Mel Beckman, Patrick W. Gilmore, Rich Kulawiec, Richard Williams, Robert McKay, Rubens Kuhl, Sandra Murphy, Scott Christopher, Sid, Stephen Satchell, Steve Pointer, Töma Gavrichenkov, Valdis Klētnieks