Re: RFC Errata junk

John & all,

Thank you everyone for the great update. I posted this question using RFC Errata as an example but I think the same level of vulnerability is also applicable to other IETF or various NOGs open tools. 

It seems generally that open Internet abuse continues and we (as communities of interest) effectively have two options - provide point protection on a one by one basis or use some form of preauthenticated security measures (transparent VPN) to isolate from the bots and malware increasingly coming from the open I. 

As far as RFC Errata IMHO - I think we could add a 4th option - just like we do when submitting a draft requires confirmation by email. That may trim down the load of junk submissions and relieve RPC a bit from dealing with those. 

Cheers,
Robert








On Thu, Mar 31, 2022 at 3:08 AM John C Klensin <john-ietf@xxxxxxx> wrote:


--On Thursday, March 31, 2022 00:57 +0200 Robert Raszuk
<robert@xxxxxxxxxx> wrote:

> Hi,
>
> We are observing more and more bogus RFC Errata submissions
> which make no sense technically.
>
> Some of them look like phishing attempts to get valid email
> addresses of those kind enough to respond to the author.
>
> Perhaps it's time to require IETF login authentication before
> submitting RFC errata? Interestingly the email addresses of
> folks reporting it are also never seen on any IETF WG list so
> that could also be a perhaps valid auto check.

I suggested this (after getting tangled up in one of those
submissions) some days ago.  To summarize John Levine's response
and our discussion in the hope of saving time:

* An effort is in progress to get a CAPTCHA into the submission
process.

* If changes such as requiring an IETF login (as both you and I
proposed) are desired, they probably have to await complete
rebuilding of the RPC's tool set for which there is now an RFP
in progress.

* The RPC does try to remove these bogus submissions after
a few days so they don't clutter the permanent errata record.
That suggests to me that waiting several days before responding
to an errata report might represent good judgment and some
protection against attacks (if they actually are attacks).

 best,
   john

