Feel free to ignore my incoherent rambling ;)
I'm not sure there's a better way than just notifying the abuse email
for the IP owner. Certainly doing so is sound, and while I can't recall
the last time I received a complaint for a problem that wasn't already
solved, I certainly don't mind seeing them. But if the unspoken question
is "Will this be effective?", that's another thing entirely. We know there
are abuse contacts that don't receive mail, others that ignore it
(whether maliciously or simply not staffed or automated properly).
Another reporter may be of some value, but I don't see it having a huge
impact.
I gave up reporting long ago because even when you find an abuse
department that listens, they rarely seem able to address the cause of
it. So like you've got CloudProviderA reading an abuse complaint about
192.168.1.501 and the culprit has already spun up 300 new cloud servers
and created 30 new accounts under different aliases with residential IPs
and matching geolocation by the time they finish reading the email.
"Well that account is terminated, next."
What I'd like to see more of is a good way to share amongst each other,
in a controlled environment, information that helps prevent the abuse
beforehand. For example:
If you search your SMTP logs for an outbound email to
borismakarov...@gmail.com, you have identified a compromised email
account that will soon begin sending spam.
If all of us had that information as soon as possible, compromised email
accounts would tank.
On 2025-03-13 12:50, Michael Peddemors via mailop wrote:
Background:
Compromised email accounts are on the rise, from almost every sector,
and often it is the same actors and infrastructures that are being used
as a source to send out their malware and phishing from these
compromised accounts. Historically, while we identify these threats, we
have only used it to protect our own customers, albeit we do share some
of this intel with RBLs to make that information more widely
available.
But given the high profile of some of the email servers that are being
abused, e.g. government email servers, we are considering actually
reporting this information back to the email operators who have the
compromised/abused accounts.
However, we need to do this in an automated way, that creates real
value for the email operators, while not adding an undue burden to our
teams.
The challenge is that, because of the diverse nature of email operators,
simply sending an email to abuse@ seems unlikely to work in many
cases, and of course.. the recipient has to be assured that our data is
indeed accurate..
There are so many different use cases:
* Small operator with a cPanel server
* Large hosting provider with many shared servers
* Enterprise and Governments still using Zimbra
* Gmail, o365, Apple
* Other large email hosting platforms
* Foreign Operators
While it would be nice to see everyone adopting DROP lists and AUTH
lists, that isn't likely to happen anytime soon..
So, assuming we see one of the above types of operators, leaking
dangerous content, where the authenticating IP is on a known threat
database (e.g., a bulletproof hoster, or an IP associated with a well-known
APT actor), the questions are:
* Should we notify the operator?
* How BEST to notify the operator?
Of course, we could just reject the email as normal, (but usually the
only person that would even notice is the bad actor themselves), we
could report the email server to an RBL given it is sending dangerous
information (of course, Gmail and o365 might be hard to do that).
And of course, no use sending alerts, if they will simply be ignored..
Like to hear from the community, any and all ideas surrounding the
topic of feedback intel to email operators when they have compromised
emails, from sources that they should block to protect their
customers..
Comments?
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
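The reply above suggests searching SMTP logs for outbound mail to a known indicator address as a way to spot a compromised account early, and the original post talks about flagging submissions whose authenticating IP is on a known threat list. The following is an added example, written for this thread and not code from either poster or from the mailop project, that does both over Postfix-style log lines. It assumes the usual Postfix `smtpd`/`qmgr`/`smtp` log format correlated by queue ID; the indicator recipient address is a placeholder because the real one is elided in the post, and the "known-bad" network is an RFC 5737 documentation range standing in for a threat feed. The log lines themselves are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicators, not real IoCs. The indicator address from the post is
# elided there, so a placeholder is used; the network is an RFC 5737 documentation
# range standing in for a threat-feed entry (e.g. a bulletproof hoster).
INDICATOR_RECIPIENTS = {"indicator-placeholder@example.net"}
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log: three authenticated submissions from three accounts.
SAMPLE_LOG = """\
Mar 13 12:40:01 mx1 postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.org
Mar 13 12:40:01 mx1 postfix/qmgr[1900]: 4A1B2C3D4E: from=<alice@example.org>, size=1832, nrcpt=1 (queue active)
Mar 13 12:40:02 mx1 postfix/smtp[2150]: 4A1B2C3D4E: to=<customer@example.com>, relay=mail.example.com[198.51.100.9]:25, delay=0.8, status=sent (250 OK)
Mar 13 12:41:10 mx1 postfix/smtpd[2102]: 5F6A7B8C9D: client=laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.org
Mar 13 12:41:10 mx1 postfix/qmgr[1900]: 5F6A7B8C9D: from=<bob@example.org>, size=920, nrcpt=1 (queue active)
Mar 13 12:41:11 mx1 postfix/smtp[2151]: 5F6A7B8C9D: to=<indicator-placeholder@example.net>, relay=mail.example.net[198.51.100.22]:25, delay=1.1, status=sent (250 OK)
Mar 13 12:42:00 mx1 postfix/smtpd[2103]: 6E7F8A9B0C: client=home.example.org[192.0.2.77], sasl_method=PLAIN, sasl_username=carol@example.org
Mar 13 12:42:01 mx1 postfix/smtp[2152]: 6E7F8A9B0C: to=<friend@example.com>, relay=mail.example.com[198.51.100.9]:25, delay=0.6, status=sent (250 OK)
"""

QUEUE_LINE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
TO_RE = re.compile(r"\bto=<(?P<rcpt>[^>]*)>")


def parse_log(text):
    """Group log events by queue ID: which account authenticated, from which
    client IP, and which recipients the message went to."""
    msgs = defaultdict(lambda: {"account": None, "client_ip": None, "recipients": []})
    for line in text.splitlines():
        m = QUEUE_LINE.search(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        rest = m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            rec["client_ip"] = c.group("ip")
        s = SASL_RE.search(rest)
        if s:
            rec["account"] = s.group("user").rstrip(",")
        t = TO_RE.search(rest)
        if t:
            rec["recipients"].append(t.group("rcpt").lower())
    return dict(msgs)


def ip_is_known_bad(ip, bad_networks=KNOWN_BAD_NETWORKS):
    """True if the client IP falls inside any listed threat network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in bad_networks)


def find_compromised_accounts(text, indicator_recipients=INDICATOR_RECIPIENTS,
                              bad_networks=KNOWN_BAD_NETWORKS):
    """Return one finding per authenticated submission that either went to an
    indicator recipient or was submitted from a known-bad IP."""
    wanted = {r.lower() for r in indicator_recipients}
    findings = []
    for qid, rec in parse_log(text).items():
        if rec["account"] is None:
            continue  # inbound / unauthenticated traffic is out of scope here
        reasons = []
        hits = sorted(set(rec["recipients"]) & wanted)
        if hits:
            reasons.append("sent to indicator recipient " + ", ".join(hits))
        if rec["client_ip"] and ip_is_known_bad(rec["client_ip"], bad_networks):
            reasons.append("authenticated from known-bad IP " + rec["client_ip"])
        if reasons:
            findings.append({"queue_id": qid, "account": rec["account"],
                             "client_ip": rec["client_ip"], "reasons": reasons})
    return findings


def format_report(finding):
    """One line per finding, suitable for an operator-facing notice."""
    return "%s: account %s (client %s): %s" % (
        finding["queue_id"], finding["account"], finding["client_ip"],
        "; ".join(finding["reasons"]))


if __name__ == "__main__":
    for f in find_compromised_accounts(SAMPLE_LOG):
        print(format_report(f))
```

Correlating by queue ID matters because the account name and client IP are only logged on the `smtpd` line while the recipient is only on the `smtp` line; a plain grep for the indicator address tells you a message went there but not which authenticated account sent it. On the sample data, alice is flagged for the submission IP and bob for the indicator recipient; carol's ordinary mail produces no finding.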