Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Chris Boyd

On Tue, 2008-04-15 at 10:56 +0530, Suresh Ramasubramanian wrote:
> If you have high enough numbers of the stuff to report, do what large
> ISPs do among themselves, set up and offer an ARF'd / IODEF feedback
> loop or some other automated way to send complaints, that is machine
> parseable, and that's sent - by prior agreement - to a specific
> address where the ISP can process it, and quite probably prioritize it
> above all the "j00 hxx0r3d m3 by doing dns lookups" email. 

So how do the little guys play in this sandbox?  My log files and spam
reports are just as legit as the super-secret-handshake club guys are,
and I'd like to get some respect.  After all, I may be the first one to
report it.

Please keep a few things in mind though:

- It needs to be simple to use.  Web forms are a non-starter.

- The output from any parsers needs to be human readable.  There are too
many auto-whatsit formatters for us to sit down and code to every one.

- I'd like to see an actual response beyond an autoreply saying that you
can't tell me who the customer is or what actions were taken.

- I like dealing with other small operations and edus because humans
actually do read the reports, and things get done (Thanks!).

I've given up sending abuse reports to large consumer ISPs and all
freemail providers because I'm not a member of the club. Any response
that I'm lucky enough to get generally says something like "You did not
include the email headers in your complaint so we are closing this
incident" when I reported an FTP brute force.

--Chris



Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Brandon Butterworth

> Abuse desk is a $0 revenue operation.  Is it not obvious what the issue is?

They're too busy spamming and phishing to respond to abuse reports?

brandon


Re: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread Geoff Huston


Martin Hannigan wrote:

Yes, it is operational.



On 4/15/08, Fred Reimer <[EMAIL PROTECTED]> wrote:

But isn't this what nanog is for?  It appears to be more on-topic than the
email threads.  More E than S.




As well as 62.0.0.0/8 there is 88.0.0.0/8 (originated by AS13064, with
upstreams of AS13237 (LambdaNet) and AS 8447 (Telekom Austria)).

Unlike 62.0.0.0/8, which is being announced as a stable announcement (and has
AS 1299 (Telianet) as its upstream), 88.0.0.0/8 is being announced for periods
of 30 seconds to 1 minute.

Last time we saw this short announce behaviour it was a spammer using the
"vacant" addresses in the /8 block to generate spam in short bursts. I have no
data on what is going on with 88.0.0.0/8.

Here's what I see in terms of recent BGP activity for 88.0.0.0/8: 
http://88.0.0.0.8.potaroo.net and for 62.0.0.0/8: http://62.0.0.0.8.potaroo.net
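
[Added example, not part of the original post or of the poster's tooling: one way to separate the short announce behaviour described above from a stable announcement, given a BGP update feed. The feed layout, the function names and the thresholds are assumptions; the prefixes and origin ASNs are the ones named in this thread, and every timestamp is constructed.]

```python
from collections import defaultdict

# Constructed feed, one update per line: epoch_seconds|A or W|prefix|origin_as
# Prefixes and origin ASNs are those named in the thread; all timestamps
# are invented for the example. Records are assumed to be in time order.
SAMPLE_FEED = """\
1208217600|A|62.0.0.0/8|29049
1208221200|A|88.0.0.0/8|13064
1208221235|W|88.0.0.0/8|
1208224800|A|88.0.0.0/8|13064
1208224855|W|88.0.0.0/8|
garbled line that the parser must skip
1208228400|A|88.0.0.0/8|13064
1208228442|W|88.0.0.0/8|
"""


def visibility(feed):
    """Return (episodes, open_since, last_ts).

    episodes[prefix]   -> closed announce-to-withdraw durations, in seconds
    open_since[prefix] -> time of an announcement that was never withdrawn
    last_ts            -> timestamp of the last valid record in the feed
    """
    episodes = defaultdict(list)
    open_since = {}
    last_ts = None
    for line in feed.splitlines():
        fields = line.split("|")
        if (len(fields) != 4 or not fields[0].isdigit()
                or fields[1] not in ("A", "W")):
            continue  # malformed record
        ts, kind, prefix = int(fields[0]), fields[1], fields[2]
        last_ts = ts
        if kind == "A":
            # A re-announcement while visible does not restart the clock.
            open_since.setdefault(prefix, ts)
        elif prefix in open_since:
            episodes[prefix].append(ts - open_since.pop(prefix))
        # A withdrawal with no matching announcement is ignored.
    return episodes, open_since, last_ts


def classify(feed, max_seconds=60, min_episodes=2):
    """Label each prefix 'short-burst', 'stable' or 'undetermined'.

    max_seconds=60 mirrors the "30 seconds to 1 minute" periods reported
    in the post; min_episodes is an assumed guard against judging a prefix
    on a single flap.
    """
    episodes, open_since, last_ts = visibility(feed)
    verdicts = {}
    for prefix in set(episodes) | set(open_since):
        closed = episodes.get(prefix, [])
        if (prefix not in open_since and len(closed) >= min_episodes
                and all(d <= max_seconds for d in closed)):
            verdicts[prefix] = "short-burst"
        elif prefix in open_since and last_ts - open_since[prefix] > max_seconds:
            verdicts[prefix] = "stable"
        else:
            verdicts[prefix] = "undetermined"
    return verdicts


if __name__ == "__main__":
    for prefix, verdict in sorted(classify(SAMPLE_FEED).items()):
        print(prefix, verdict)
```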




Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Martin Hannigan

Abuse desk is a $0 revenue operation.  Is it not obvious what the issue is?

Some of the folks that are complaining about abuse response generate
revenue addressing these issues. Give me some of that.  I'll give you
a priority line to the NOC.

Disclaimer; No offense intended to security providers, I'm just stating a fact.

Best,

Marty




On 4/15/08, Joe Abley <[EMAIL PROTECTED]> wrote:
>
>
> On 15 Apr 2008, at 11:22 , William Herrin wrote:
>
> > There's a novel idea. Require incoming senior staff at an email
> > company to work a month at the abuse desk before they can assume the
> > duties for which they were hired.
>
> At a long-previous employer we once toyed with the idea of having
> everybody in the (fairly small) operations and architecture/
> development groups spend at least a day on the helpdesk every month.
>
> The downside to such a plan from the customer's perspective is that
> I'm pretty sure most of us would have been really bad helpdesk people.
> There's a lot of skill in dealing with end-users that is rarely
> reflected in the org chart or pay scale.
>
>
> Joe
>


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Valdis . Kletnieks
On Tue, 15 Apr 2008 19:14:52 EDT, Joe Abley said:

> The downside to such a plan from the customer's perspective is that  
> I'm pretty sure most of us would have been really bad helpdesk people.  
> There's a lot of skill in dealing with end-users that is rarely  
> reflected in the org chart or pay scale.

Of course - you're asking people who are *hired* because they're good at
talking to inanimate objects made of melted sand, and asking them to
relate to animate objects (namely, customers).

Sounds like a recipe for disaster.

:)




Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Joe Abley



On 15 Apr 2008, at 11:22 , William Herrin wrote:


There's a novel idea. Require incoming senior staff at an email
company to work a month at the abuse desk before they can assume the
duties for which they were hired.


At a long-previous employer we once toyed with the idea of having  
everybody in the (fairly small) operations and architecture/ 
development groups spend at least a day on the helpdesk every month.


The downside to such a plan from the customer's perspective is that  
I'm pretty sure most of us would have been really bad helpdesk people.  
There's a lot of skill in dealing with end-users that is rarely  
reflected in the org chart or pay scale.



Joe


RE: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread michael.dillon

> So, to bring this closer to nanog territory, it's a bit like 
> saying that all the sales and customer support staff should 
> be given enable access to your routers and encouraged to run 
> them on a rotating basis, so that they understand the 
> complexities of BGP and will better understand the impact 
> their decisions will have on your peering.

We encourage managers, designers, engineers, project managers, etc. to
spend a day handling customer support calls so that they understand the
impacts of their decisions/work on the customer, who ultimately pays our
paychecks. We run even more people through workshops where they spend
some time listening to recorded customer support calls, and then plan
how to prevent such problems in future so that the customers don't feel
the need to call us. Of course, none of these people are expected to go
in and reconfigure BGP sessions on routers, because they are working on
first-line support. One of the duties of first-line support is to sift
through the incoming and identify which cases need to be escalated to
second or third-line support. 

Unless you have very good automated systems in place to ensure that the
abuse desk only gets real cases to deal with, then you should be able to
rotate managers and other employees through the abuse department to do
some of that first-line sifting. If the outcome of this is that you make
a business case for changes to abuse-desk systems and processes, then
you should involve the abuse desk staff in this development work to give
them some variety. Once those staff have automated themselves out of a
job, you can move them to some other tools development project, or
incident response work.

--Michael Dillon



Re: enterprise change/configuration management and compliance software?

2008-04-15 Thread Matthew Petach

On Mon, Apr 14, 2008 at 9:13 PM, jamie <[EMAIL PROTECTED]> wrote:
>   Gentlemen (and Ren!):;-)
>
>   I'm currently investigating options w.r.t. enterprise-wide (over 250
> device, and by 'device' i mean router and/or switch) configuration
> management (and (ideally) compliance-auditing_and_assurance) software.
>
>   We currently use Voyence (now EMC) and are looking into other options for
> various reasons, support being in the top-3 ...
>
>   So, I pose:  To you operators of multi-hundred-device networks : what do
> you use for such purposes(*) ?
>   (*)see subject

We have several thousand network devices currently in play:

[EMAIL PROTECTED]:/tftp/conf/latest> ls *.conf | wc -l
7419
[EMAIL PROTECTED]:/tftp/conf/latest>

I hand read each device configuration check-in email that goes past
to see if there's errors in the configs, security violations, or other WTF-ish
elements in the config check-in, and mail back a nag notice to the
person who changed the config.

Currently, I receive between 1900 and 3000 email messages a day.

I sleep 3 hours a night.

> jamie rishaw

Hope that helps answer your question.

Matt


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 11:54 AM, William Herrin wrote:


On Tue, Apr 15, 2008 at 2:04 PM, Steve Atkins <[EMAIL PROTECTED]> wrote:
Unfortunately many of the skills required to be a competent abuse desk
worker are quite specific to an abuse desk, and are not typically possessed
by random technical staff.


Steve,

You don't, per chance, mean to suggest that random back-office
technical staff might not have the temper and disposition to remain
polite and helpful with the gentleman from the state capital so upset
about the interdiction of his political mailings that he's ready to
sic the regulators on you and wipe you off the map?

The problem is that the individual who -does- have those skills along
with the technical know-how to deal with the complaint itself usually
ALSO has the skills to be the customer contact for a multi-million
dollar contract. If you're a manager at a company that wants to, well,
make money, which chair will you ask that individual to sit in?


Not really.

IMO, with decent automation[1] and a reasonably close working
relationship between the abuse desk, the NOC and an internal
sysadmin/developer or two, there's not that much need for a high level
of technical know-how in the abuse desk staff.

Good people skills are certainly important, and it'd be good to
have at least one abuse desk staffer with a modicum of technical
knowledge to handle basic technical questions, and help channel
more complex ones to NOC or developers efficiently, but the level of
technical know-how needed to be an extremely effective abuse
desk staffer is pretty low. The specific technical details they do
need to know they can pick up from their peers (both within
the abuse desk, in other groups of their company and, perhaps
most importantly, from their peers at other companies' abuse desks).

It's closer to a customer support position, in skillset needed, than
anything deeply technical, though an innate ability to remain calm
under pressure is far more important in abuse than support. If you're
big enough that you need more than one person staffing your abuse
desk you can mix-n-match skills across the team too, of course.

Cheers,
  Steve

[1] Yeah, I develop abuse desk automation software, so I'm
both reasonably exposed to practices at a range of ISPs and
fairly biased in favor of good automation. :)


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread William Herrin

On Tue, Apr 15, 2008 at 2:04 PM, Steve Atkins <[EMAIL PROTECTED]> wrote:
>  Unfortunately many of the skills required to be a competent abuse desk
>  worker are quite specific to an abuse desk, and are not typically possessed
>  by random technical staff.

Steve,

You don't, per chance, mean to suggest that random back-office
technical staff might not have the temper and disposition to remain
polite and helpful with the gentleman from the state capital so upset
about the interdiction of his political mailings that he's ready to
sic the regulators on you and wipe you off the map?

The problem is that the individual who -does- have those skills along
with the technical know-how to deal with the complaint itself usually
ALSO has the skills to be the customer contact for a multi-million
dollar contract. If you're a manager at a company that wants to, well,
make money, which chair will you ask that individual to sit in?

Regards,
Bill



-- 
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Lou Katz

On Tue, Apr 15, 2008 at 10:56:02AM +0530, Suresh Ramasubramanian wrote:
> 
> On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson <[EMAIL PROTECTED]> wrote:
> >  As I mentioned in my presentation at NANOG 42 in San Jose, the
> >  biggest barrier we face in shrinking the "time-to-exploit" window
> >  with regards to contacting people responsible for assisting in
> >  mitigating malicious issues is finding someone to actually
> >  respond.
> 
> Fergie.. you (and various others in the "send emails, expect
> takedowns" biz) - phish, IPR violations, whatever.. you're missing a
> huge, obvious point
> 
> If you send manual notifications (aka email to a crowded abuse queue)
> expect 24 - 72 hours response
> 
> If you have high enough numbers of the stuff to report, do what large
> ISPs do among themselves, set up and offer an ARF'd / IODEF feedback
> loop or some other automated way to send complaints, that is machine
> parseable, and that's sent - by prior agreement - to a specific
> address where the ISP can process it, and quite probably prioritize it
> above all the "j00 hxx0r3d m3 by doing dns lookups" email.
> 
> That kind of report can be handled within minutes.

Is there an equivalent mechanism for those of us at the fringes of the galaxy to
report problems? What is probably needed for little folks like me is not
instant response but rather an address and formatting specs so that the
information is of maximum usefulness to you and we don't get auto-naks. After
all, I can probably generate a few reports a week, but not hundreds per day.




-- 

-=[L]=-
This work was funded by The Corporation for Public Bad Art despite their 
protestations.


ARIN to Issue from 173 /8 and 174 /8

2008-04-15 Thread Member Services


Hello-

ARIN was issued the IPv4 address blocks 173 /8 and 174 /8 by the IANA on 
4 February 2008.  

ARIN will be issuing /20 and shorter prefixes from these blocks to 
customers within the next 2 weeks.  Network operators may wish to adjust 
any filters in place accordingly.


For informational purposes, a list of ARIN's currently administered IP 
blocks can be found at:


http://www.arin.net/reference/ip_blocks.html

Regards,

Leslie Nobile
Director, Registration Services
American Registry for Internet Numbers (ARIN)





Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 10:33 AM, Rich Kulawiec wrote:


On Tue, Apr 15, 2008 at 11:22:59AM -0400, William Herrin wrote:

There's a novel idea. Require incoming senior staff at an email
company to work a month at the abuse desk before they can assume the
duties for which they were hired.

My hunch says that's a non-starter. It also doesn't keep qualified
folks at the abuse desk; it shuffles them through.


Require all technical staff and their management to work at the abuse
desk on a rotating basis.  This should provide them with ample motivation
to develop effective methods for controlling abuse generation, thus
reducing the requirement for abuse mitigation, thus reducing the time
they have to spend doing it.


Unfortunately many of the skills required to be a competent abuse desk
worker are quite specific to an abuse desk, and are not typically possessed
by random technical staff.

So, to bring this closer to nanog territory, it's a bit like saying that all the
sales and customer support staff should be given enable access to your routers
and encouraged to run them on a rotating basis, so that they understand
the complexities of BGP and will better understand the impact their decisions
will have on your peering.

Cheers,
  Steve



Re: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread sthaug

> > I think he was saying that Delta Telecom don't *own* 
> > 62.0.0.0/8 and therefore shouldn't be advertising it. 
> > Following that Telia shouldn't be accepting the route and 
> > then re-announcing it to peers ...
> 
> Of course! ... /8? ... Azerbaijan? ... What was I thinking?...
> 
> Still, it would be better to contact the upstream directly
> and work back through the peering chain because this kind 
> of thing is usually a result of education deficit, not malice.

Probably in theory. In practice, it's not obvious. I *did* get a
private response from a Telia person after my posting to Nanog,
and this person alerted their routing registry. The 62.0.0.0/8
prefix is now gone - whether as a result of my posting to Nanog
or not, I have no means of knowing.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Rich Kulawiec

On Tue, Apr 15, 2008 at 11:22:59AM -0400, William Herrin wrote:
> There's a novel idea. Require incoming senior staff at an email
> company to work a month at the abuse desk before they can assume the
> duties for which they were hired.
> 
> My hunch says that's a non-starter. It also doesn't keep qualified
> folks at the abuse desk; it shuffles them through.

Require all technical staff and their management to work at the abuse
desk on a rotating basis.  This should provide them with ample motivation
to develop effective methods for controlling abuse generation, thus
reducing the requirement for abuse mitigation, thus reducing the time
they have to spend doing it.

---Rsk


RE: enterprise change/configuration management and compliance software?

2008-04-15 Thread Yamasaki, Charles
Look into Ziptie.org

 

We use  Alterpoint's Network Authority.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jamie
Sent: Monday, April 14, 2008 9:13 PM
To: nanog@merit.edu
Subject: enterprise change/configuration management and compliance
software?

 

`
  Gentlemen (and Ren!):;-)

  I'm currently investigating options w.r.t. enterprise-wide (over 250
device, and by 'device' i mean router and/or switch) configuration
management (and (ideally) compliance-auditing_and_assurance) software.

  We currently use Voyence (now EMC) and are looking into other options
for various reasons, support being in the top-3 ...

  So, I pose:  To you operators of multi-hundred-device networks : what
do you use for such purposes(*) ?
 (*)see subject
   
  This topic seemed to spark lively debate on efnet, so i thought it
appropriate to ask here.  Feel free to respond privately (and I will
post summaries to the list), or direct.

  In any case, for the benefit of all, I will post in any case my/our
findings.


  Thanks in advance,

jamie rishaw



Re: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread Martin Hannigan

Yes, it is operational.

Best,

Marty



On 4/15/08, Fred Reimer <[EMAIL PROTECTED]> wrote:
> But isn't this what nanog is for?  It appears to be more on-topic than the
> email threads.  More E than S.
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, April 15, 2008 9:51 AM
> > To: nanog@merit.edu
> > Subject: RE: Calling TeliaSonera - time to implement prefix filtering
> >
> >
> >
> > > >> aut-num:AS29049
> > > >> and *of course* they don't own 62.0.0.0/8.
> > > >
> > > > Own!?
> > >
> > > I think he was saying that Delta Telecom don't *own*
> > > 62.0.0.0/8 and therefore shouldn't be advertising it.
> > > Following that Telia shouldn't be accepting the route and
> > > then re-announcing it to peers ...
> >
> > Of course! ... /8? ... Azerbaijan? ... What was I thinking?...
> >
> > Still, it would be better to contact the upstream directly
> > and work back through the peering chain because this kind
> > of thing is usually a result of education deficit, not malice.
> >
> > --Michael Dillon
>


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Paul Ferguson

-- Joe Provo <[EMAIL PROTECTED]> wrote:

> It cannot be understated that even packet pushers and code grinders
> who care get stranded in companies where abuse handling is deemed
> by management to be a cost center that only saps resources.  Paul,
> you are doing a serious disservice to those folks in specific, and
> working around such suit-induced damage in general, by dismissing
> any steps involving automation.
>

Well, I did not intend to do disservice to anyone's efforts, but
the point I am trying to make is that there still is no good way
for people to report malicious activity to the legitimate owners
of the content or the netblock.

- ferg




--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Jack Bates


William Herrin wrote:


Without conceding the garbage collection issue, let me ask you
directly: how do you propose to motivate qualified folks to keep
working the abuse desk?



Ask AOL?

-Jack


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread William Herrin

On Tue, Apr 15, 2008 at 10:55 AM, Marshall Eubanks
<[EMAIL PROTECTED]> wrote:
>  On Apr 15, 2008, at 10:31 AM, William Herrin wrote:
> > how do you propose to motivate qualified folks to keep
> > working the abuse desk?
>
>  That is a good question. (I feel sure that many actually doing the job
> would opt for a rise in pay.)
>  Maybe certain jobs should become apprentice-like positions
>  that you need to get through to rise in a networking organization.

Marshall,

There's a novel idea. Require incoming senior staff at an email
company to work a month at the abuse desk before they can assume the
duties for which they were hired.

My hunch says that's a non-starter. It also doesn't keep qualified
folks at the abuse desk; it shuffles them through.

Any other ideas?

Regards,
Bill Herrin


-- 
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004


Re: Abuse Reporting (non-SMTP Abuse)

2008-04-15 Thread Steve Atkins



On Apr 15, 2008, at 7:31 AM, Jim Popovitch wrote:


On Tue, Apr 15, 2008 at 3:39 AM,  <[EMAIL PROTECTED]> wrote:


http://xml.coverpages.org/iodef.html


SO, is it generally accepted to use IODEF to report non-SMTP abuse
(web/port scans, etc)?


Probably not, unless you're sending it to someone who has asked
for iodef format reports. Unlike ARF they're only machine readable.

Cheers,
  Steve



RE: enterprise change/configuration management and compliance software?

2008-04-15 Thread Fred Reimer
There are tons of products out there.  You could try looking at Cisco
Network Compliance Manager.  It supposedly has built-in compliance rules for
financial institutions (GLB, SOX, etc).  If you want to pay, people will
gladly take your money.

 

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS

Senior Network Engineer

Coleman Technologies, Inc.

954-298-1697

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jamie
Sent: Tuesday, April 15, 2008 9:35 AM
To: Phil Regnauld
Cc: nanog@merit.edu
Subject: Re: enterprise change/configuration management and compliance
software?

 

 

On Tue, Apr 15, 2008 at 2:31 AM, Phil Regnauld <[EMAIL PROTECTED]> wrote:

jamie (j) writes:
> `

> device, and by 'device' i mean router and/or switch) configuration
> management (and (ideally) compliance-auditing_and_assurance) software.
>
>   We currently use Voyence (now EMC) and are looking into other options for
> various reasons, support being in the top-3 ...

   So I guess using something tried, tested and free like Rancid + ISC's audit
   scripts are not within scope ?


That was my first thought, but in the industry I'm currently in
(financial), open sourceware for things like this is a definite [fail].
 


>   So, I pose:  To you operators of multi-hundred-device networks : what do
> you use for such purposes(*) ?

   Rancid :) (+ and now some home developed stuff)


fail
 

 


>   This topic seemed to spark lively debate on efnet,

   The current weather would spark lively debate on most IRC channels.

   Phil



haha.  depends on the day and what other scandals were ao





RE: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread Fred Reimer
But isn't this what nanog is for?  It appears to be more on-topic than the
email threads.  More E than S.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, April 15, 2008 9:51 AM
> To: nanog@merit.edu
> Subject: RE: Calling TeliaSonera - time to implement prefix filtering
> 
> 
> 
> > >> aut-num:AS29049
> > >> and *of course* they don't own 62.0.0.0/8.
> > >
> > > Own!?
> >
> > I think he was saying that Delta Telecom don't *own*
> > 62.0.0.0/8 and therefore shouldn't be advertising it.
> > Following that Telia shouldn't be accepting the route and
> > then re-announcing it to peers ...
> 
> Of course! ... /8? ... Azerbaijan? ... What was I thinking?...
> 
> Still, it would be better to contact the upstream directly
> and work back through the peering chain because this kind
> of thing is usually a result of education deficit, not malice.
> 
> --Michael Dillon




Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Marshall Eubanks



On Apr 15, 2008, at 10:31 AM, William Herrin wrote:


On Tue, Apr 15, 2008 at 10:00 AM, Marshall Eubanks
<[EMAIL PROTECTED]> wrote:


On Apr 15, 2008, at 9:43 AM, William Herrin wrote:

That is one place that modern antispam efforts fall apart. It's the
same problem that afflicts tech support in general. The problem exists
for the same reason that large-city McDonalds workers don't speak
English: Anyone with sufficient clue to run an abuse desk is well
qualified for more interesting, important and higher-paid work where
they don't get yelled at all the time. Like administering mail servers
or writing mail software.

There's a reason we pay garbage collectors a small fortune to do a job
that requires no skill whatsoever.


Do you _know_ any garbage collectors ? I do, and I would disagree with both
clauses of that sentence.


Marshall,

No, but I know a few people who have (briefly) worked abuse desks and
neither the tech support nor the McDonalds problem are difficult to
observe.

Without conceding the garbage collection issue, let me ask you
directly: how do you propose to motivate qualified folks to keep
working the abuse desk?


That is a good question. (I feel sure that many actually doing the job
would opt for a rise in pay.)

Maybe certain jobs should become apprentice-like positions
that you need to get through to rise in a networking organization. I
know that Craig Newmark (of Craig's List) spends a couple of hours per
day going through abuse complaints and user issues personally. I
haven't heard too many complaints about Craig's List, and it seems
reasonable to suspect a connection there. That has the advantage of
being cheap to implement, in dollars if not in political capital.


Regards
Marshall




Regards,
Bill Herrin

--
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004




Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread William Herrin

On Tue, Apr 15, 2008 at 10:00 AM, Marshall Eubanks
<[EMAIL PROTECTED]> wrote:
>
>  On Apr 15, 2008, at 9:43 AM, William Herrin wrote:
> > That is one place that modern antispam efforts fall apart. It's the
> > same problem that afflicts tech support in general. The problem exists
> > for the same reason that large-city McDonalds workers don't speak
> > English: Anyone with sufficient clue to run an abuse desk is well
> > qualified for more interesting, important and higher-paid work where
> > they don't get yelled at all the time. Like administering mail servers
> > or writing mail software.
> >
> > There's a reason we pay garbage collectors a small fortune to do a job
> > that requires no skill whatsoever.
>
>  Do you _know_ any garbage collectors ? I do, and I would disagree with both
> clauses of that sentence.

Marshall,

No, but I know a few people who have (briefly) worked abuse desks and
neither the tech support nor the McDonalds problem are difficult to
observe.

Without conceding the garbage collection issue, let me ask you
directly: how do you propose to motivate qualified folks to keep
working the abuse desk?

Regards,
Bill Herrin

-- 
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004


Re: Abuse Reporting (non-SMTP Abuse)

2008-04-15 Thread Jim Popovitch

On Tue, Apr 15, 2008 at 3:39 AM,  <[EMAIL PROTECTED]> wrote:
>
>  http://xml.coverpages.org/iodef.html

SO, is it generally accepted to use IODEF to report non-SMTP abuse
(web/port scans, etc)? Everyone seems to be on the SMTP bandwagon
this week, what about the miscreant customers of Internet Access
Providers?

-Jim P.


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Marshall Eubanks



On Apr 15, 2008, at 9:43 AM, William Herrin wrote:



On Tue, Apr 15, 2008 at 8:34 AM, Rich Kulawiec <[EMAIL PROTECTED]> wrote:
- Automation is far less important than clue.  Attempting to compensate
for lack of a sufficient number of sufficiently-intelligent, experienced,
diligent staff with automation is a known-losing strategy, as anyone who
has ever dealt with an IVR system knows.


Rich,

That is one place that modern antispam efforts fall apart. It's the
same problem that afflicts tech support in general. The problem exists
for the same reason that large-city McDonalds workers don't speak
English: Anyone with sufficient clue to run an abuse desk is well
qualified for more interesting, important and higher-paid work where
they don't get yelled at all the time. Like administering mail servers
or writing mail software.

There's a reason we pay garbage collectors a small fortune to do a job
that requires no skill whatsoever.



Do you _know_ any garbage collectors ? I do, and I would disagree with  
both clauses of that sentence.


Regards
Marshall


Regards,
Bill Herrin


--
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004




Re: Abuse response

2008-04-15 Thread Rich Kulawiec

On Tue, Apr 15, 2008 at 02:01:26PM +0100, [EMAIL PROTECTED] wrote:
> > - Automation is far less important than clue.  Attempting to
> > compensate for lack of a sufficient number of sufficiently-
> > intelligent, experienced, diligent staff with automation is
> > a known-losing strategy, as anyone who has ever dealt with
> > an IVR system knows.
> 
> Given that most of us use routers instead of pigeons to transport
> our packets, I would suggest that railing against automation is
> a lost cause here.

I'm not suggesting that automation is bad.  I'm suggesting that trying
to use it as a substitute for certain things, like "clue", is bad.
When used *in conjunction with clue*, it's marvelous.

> This sounds like a blanket condemnation of the majority of ISPs 
> in today's Internet. 

Yes, it is.  I regard it as everyone's primary responsibility to ensure
that their operation isn't a (systemic, persistent) operational hazard
to the entire rest of the Internet.  That's really not a lot to ask...
and there was a time when it wasn't necessary to ask, because everyone
just did it.  Where has that sense of professional responsibility gone?

> Why is it that spamtraps are not mentioned at all in MAAWG's best 
> practices documents except the one for senders, i.e. mailing list
> operators?

I can't answer that, as I didn't write them.  But everyone (who's
been paying attention) has known for many years that spamtraps are
useful for catching at least *some* of the problem, with the useful
feature that the worse the problem is, the higher the probability this
particular detection method will work.  Another example I'll give of
a loose-but-useful detection method is that any site which does mass
hosting should be screening all new customer domains for patterns like
"pay.*pal.*\." and "\.cit.*bank.*\." and flagging for human attention any
that match.  Again, this won't catch everything, but it will at least give
a fighting chance of catching *something*, thus hopefully pre-empting some
abuse before it happens and thus minimizing cleanup labor/cost/impact.
In addition, this sort of thing actively discourages abusers: sufficiently
diligent use of many tactics like this causes them to stay away in droves,
which in turn reduces abuse desk workload.  But (to go back to the first
point) none of it works without smart, skilled, empowered, people, and
while automation is an assist, it's no substitute.

---Rsk
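The domain screening described in the message above, as an added example that is not part of the original post. The two regular expressions are the ones quoted in the message; the sample domains, the function names and the leading-dot handling are assumptions made for illustration.

```python
import re

# The two patterns quoted in the message, unchanged.
PATTERNS = {
    "paypal-like": re.compile(r"pay.*pal.*\."),
    "citibank-like": re.compile(r"\.cit.*bank.*\."),
}

# Constructed sample of newly registered customer domains.
SAMPLE_DOMAINS = [
    "paypal-account-verify.example",
    "secure.citibank-login.example",
    "citybank-online.example",
    "Citizens-Bank-Portal.EXAMPLE.",
    "pay-per-click-palace.example",   # innocent name that still matches
    "example-bakery.example",
]


def matched_patterns(domain):
    """Return the labels of every watch pattern the domain matches."""
    name = domain.strip().lower().rstrip(".")
    # The second pattern begins with a literal dot, so on its own it never
    # matches when the brand string is the leftmost label. Prefixing a dot
    # (an assumption of this example) lets one pattern cover both positions.
    candidate = "." + name
    return [label for label, rx in PATTERNS.items() if rx.search(candidate)]


def screen(new_domains):
    """Build the queue for human attention; nothing is rejected automatically."""
    queue = []
    for domain in new_domains:
        hits = matched_patterns(domain)
        if hits:
            queue.append({"domain": domain, "matched": hits,
                          "action": "hold for human review"})
    return queue


if __name__ == "__main__":
    for item in screen(SAMPLE_DOMAINS):
        print(item["domain"], item["matched"], item["action"])
```

The `pay-per-click-palace.example` entry is the kind of false positive that makes the human review step necessary.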


RE: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread michael.dillon


> >> aut-num:AS29049
> >> and *of course* they don't own 62.0.0.0/8.
> > 
> > Own!?
> 
> I think he was saying that Delta Telecom don't *own* 
> 62.0.0.0/8 and therefore shouldn't be advertising it. 
> Following that Telia shouldn't be accepting the route and 
> then re-announcing it to peers ...

Of course! ... /8? ... Azerbaijan? ... What was I thinking?...

Still, it would be better to contact the upstream directly
and work back through the peering chain because this kind 
of thing is usually a result of education deficit, not malice.

--Michael Dillon


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread William Herrin

On Tue, Apr 15, 2008 at 8:34 AM, Rich Kulawiec <[EMAIL PROTECTED]> wrote:
>  - Automation is far less important than clue.  Attempting to compensate
>  for lack of a sufficient number of sufficiently-intelligent, experienced,
>  diligent staff with automation is a known-losing strategy, as anyone who
>  has ever dealt with an IVR system knows.

Rich,

That is one place that modern antispam efforts fall apart. It's the
same problem that afflicts tech support in general. The problem exists
for the same reason that large-city McDonalds workers don't speak
English: Anyone with sufficient clue to run an abuse desk is well
qualified for more interesting, important and higher-paid work where
they don't get yelled at all the time. Like administering mail servers
or writing mail software.

There's a reason we pay garbage collectors a small fortune to do a job
that requires no skill whatsoever.

Regards,
Bill Herrin


-- 
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004


Re: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread sthaug

> I think he was saying that Delta Telecom don't *own* 62.0.0.0/8 and 
> therefore shouldn't be advertising it. Following that Telia shouldn't be 
> accepting the route and then re-announcing it to peers ...

Exactly.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: enterprise change/configuration management and compliance software?

2008-04-15 Thread jamie
On Tue, Apr 15, 2008 at 2:31 AM, Phil Regnauld <[EMAIL PROTECTED]> wrote:

> jamie (j) writes:
> > `
> > device, and by 'device' i mean router and/or switch) configuration
> > management (and (ideally) compliance-auditing_and_assurance) software.
> >
> >   We currently use Voyence (now EMC) and are looking into other options for
> > various reasons, support being in the top-3 ...
>
> So I guess using something tried, tested and free like Rancid + ISC's audit
> scripts are not within scope ?


That was my first thought, but in the industry I'm currently in
(financial), open sourceware for things like this is a definite [fail].


>
> >   So, I pose:  To you operators of multi-hundred-device networks : what do
> > you use for such purposes(*) ?
>
> Rancid :) (+ and now some home developed stuff)


fail


>
>
> >   This topic seemed to spark lively debate on efnet,
>
> The current weather would spark lively debate on most IRC
> channels.
>
>Phil
>


haha.  depends on the day and what other scandals were ao


Re: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread James Blessing


[EMAIL PROTECTED] wrote:
>> We're currently receiving the following prefix from 
>> TeliaSonera on one of our IP transit links in Oslo:
>>
>> aut-num:AS29049
>> as-name:Delta-Telecom-AS
>> descr:  Delta Telecom LTD.
>> descr:  International Communication Operator
>> descr:  Azerbaijan Republic
>>
>> and *of course* they don't own 62.0.0.0/8.
>
> Own!?

I think he was saying that Delta Telecom don't *own* 62.0.0.0/8 and 
therefore shouldn't be advertising it. Following that Telia shouldn't be 
accepting the route and then re-announcing it to peers ...


J
--
COO
Entanet International
T: 0870 770 9580
W: http://www.enta.net/



RE: Abuse response

2008-04-15 Thread michael.dillon

> - Automation is far less important than clue.  Attempting to
> compensate for lack of a sufficient number of sufficiently-
> intelligent, experienced, diligent staff with automation is
> a known-losing strategy, as anyone who has ever dealt with
> an IVR system knows.

Given that most of us use routers instead of pigeons to transport
our packets, I would suggest that railing against automation is
a lost cause here.

> - Poorly-designed and poorly-run operations markedly increase 
> the workload for their own abuse desks.

This sounds like a blanket condemnation of the majority of ISPs 
in today's Internet. 

> - A nominally competent abuse desk handles reports quickly 
> and efficiently.
> A good abuse desk DOES NOT NEED all those reports because it 
> already knows.
> (For example, large email providers should have large numbers 
> of spamtraps scattered all over the 'net and should be using 
> simple methods to correlate what arrives at them to provide 
> themselves with an early "heads up".  This won't catch 
> everything, of course, but it doesn't have to.)

Why is it that spamtraps are not mentioned at all in MAAWG's best 
practices documents except the one for senders, i.e. mailing list
operators?

Note that if an ISP does have a network of spamtraps, then they have
an automated reporting system, which you denounced in your first point.

I agree that simply automating things will not make anything better, but
intelligent automation is good for you and me and the ISP who implements
it. An intelligent automation system could identify a spam source and
immediately block the port 25 traffic until it can be investigated by
a human being.

--Michael Dillon


RE: Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread michael.dillon

> We're currently receiving the following prefix from 
> TeliaSonera on one of our IP transit links in Oslo:

> aut-num:AS29049
> as-name:Delta-Telecom-AS
> descr:  Delta Telecom LTD.
> descr:  International Communication Operator
> descr:  Azerbaijan Republic
> 
> and *of course* they don't own 62.0.0.0/8.

Own!?
How can you tell who actually owns any network these days. According to
Lars Nyberg, President and CEO of TeliaSonera, TeliaSonera is committed
to Azerbaijan and will continue delivering world class service. This
statement was made at a press conference in Baku, the capital of
Azerbaijan, in January.

It took about 30 seconds of googling to learn that this Swedish/Finnish
merged company is in a joint venture with a Turkish company and that
joint venture is in another joint venture with the Azerbaijani
government. TeliaSonera owns a majority of the stake in the first joint
venture (Fintur Holdings BV) which owns a majority stake in the second
joint venture (Azercell Telecom). 

I still have no idea who owns what AS or IP address range, but it seems
to be reasonable for TeliaSonera, an Azerbaijani telecom company, to be
announcing an IP address range assigned to another Azerbaijani telecom
company. Have you asked TeliaSonera why they are announcing the prefix?

Yes, it is possible that someone in Azerbaijan made a mistake in
configuring their router, but rather than complain on NANOG, it would be
better to work back through the chain of BGP peers and help educate the
people who made the mistake.

--Michael Dillon


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Rich Kulawiec

I largely concur with the points that Paul's making, and would
like to augment them with these:

- Automation is far less important than clue.  Attempting to compensate
for lack of a sufficient number of sufficiently-intelligent, experienced,
diligent staff with automation is a known-losing strategy, as anyone who
has ever dealt with an IVR system knows.

- Trustability is unrelated to size.  There are one-person operations
out there that are obviously far more trustable than huge ones.

- Don't build what you can't control.  Abuse handling needs to be
factored into service offerings and growth decisions, not blown off
and thereby forcibly delegated to the entire rest of the Internet.

- Poorly-designed and poorly-run operations markedly increase the
workload for their own abuse desks.

- A nominally competent abuse desk handles reports quickly and efficiently.
A good abuse desk DOES NOT NEED all those reports because it already knows.
(For example, large email providers should have large numbers of spamtraps
scattered all over the 'net and should be using simple methods to correlate
what arrives at them to provide themselves with an early "heads up".  This
won't catch everything, of course, but it doesn't have to.)

---Rsk
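One way to do the "simple methods to correlate" step for spamtrap hits, shown as an added example that is not part of the original post. The trap names, addresses, network range, window and threshold are all constructed assumptions; the output is a queue for the abuse desk, not an automatic action.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed values: our own customer address space and tuning knobs.
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
WINDOW = timedelta(hours=1)
MIN_DISTINCT_TRAPS = 3

# Constructed spamtrap log: (time received, trap address, connecting IP).
SAMPLE_HITS = [
    ("2008-04-15T10:00:00", "trap-a@traps.example", "192.0.2.10"),
    ("2008-04-15T10:05:00", "trap-b@traps.example", "192.0.2.10"),
    ("2008-04-15T10:20:00", "trap-c@traps.example", "192.0.2.10"),
    ("2008-04-15T10:01:00", "trap-a@traps.example", "192.0.2.20"),
    ("2008-04-15T10:02:00", "trap-a@traps.example", "192.0.2.20"),
    ("2008-04-15T10:03:00", "trap-a@traps.example", "192.0.2.20"),
    ("2008-04-15T08:00:00", "trap-a@traps.example", "192.0.2.30"),
    ("2008-04-15T10:00:00", "trap-b@traps.example", "192.0.2.30"),
    ("2008-04-15T12:00:00", "trap-c@traps.example", "192.0.2.30"),
    ("2008-04-15T10:00:00", "trap-a@traps.example", "203.0.113.5"),
    ("2008-04-15T10:01:00", "trap-b@traps.example", "203.0.113.5"),
    ("2008-04-15T10:02:00", "trap-c@traps.example", "203.0.113.5"),
]


def is_ours(ip):
    """True when the connecting address belongs to our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETWORKS)


def correlate(hits):
    """Flag our sources that reach several distinct traps within WINDOW."""
    by_source = defaultdict(list)
    for stamp, trap, source in hits:
        if is_ours(source):
            by_source[source].append((datetime.fromisoformat(stamp), trap))

    alerts = []
    for source, events in sorted(by_source.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            traps = {trap for _, trap in events[start:end + 1]}
            if len(traps) >= MIN_DISTINCT_TRAPS:
                alerts.append({
                    "source": source,
                    "traps": sorted(traps),
                    "first_seen": events[start][0].isoformat(),
                    "action": "queue for abuse desk review",
                })
                break  # one alert per source is enough for a heads-up
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_HITS):
        print(alert)
```

Counting distinct traps rather than raw hits keeps a single misaddressed sender (192.0.2.20 in the sample) out of the queue.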


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Joe Provo

On Tue, Apr 15, 2008 at 12:31:33PM +0530, Suresh Ramasubramanian wrote:
> 
> On Tue, Apr 15, 2008 at 11:55 AM, Paul Ferguson <[EMAIL PROTECTED]> wrote:
[snip]
> >  It should be simple -- not require a freeking full-blown "standard".
> 
> It's a standard. And it allows automated parsing of these complaints.
> And automation increases processing speeds by orders of magnitude..
> you don't have to wait for an abuse desker to get to your email and
> pick it out of a queue with hundreds of other report emails, and
> several thousand pieces of spam [funny how [EMAIL PROTECTED] type addresses
> end up in so many spammer lists..]

It cannot be understated that even packet pushers and code grinders
who care get stranded in companies where abuse handling is deemed 
by management to be a cost center that only saps resources.  Paul, 
you are doing a serious disservice to those folks in specific, and
working around such suit-induced damage in general, by dismissing 
any steps involving automation.

Cheers,

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Calling TeliaSonera - time to implement prefix filtering

2008-04-15 Thread sthaug

We're currently receiving the following prefix from TeliaSonera on one
of our IP transit links in Oslo:

62.0.0.0/8 *[BGP/170] 4d 22:23:07, localpref 100
  AS path: 1299 29049 I

AS 29049 is:

aut-num:AS29049
as-name:Delta-Telecom-AS
descr:  Delta Telecom LTD.
descr:  International Communication Operator
descr:  Azerbaijan Republic

and *of course* they don't own 62.0.0.0/8.

TeliaSonera: It's about time you started implementing prefix filtering
on your customer links. Our other transit providers do this.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
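The customer-link prefix filtering asked for above, sketched as an added example that is not part of the original post. The registered prefixes and the /24 length limit are constructed placeholders (the thread does not list what AS29049 is actually entitled to announce); only 62.0.0.0/8 and AS29049 come from the message.

```python
import ipaddress

# Constructed filter data: what the provider has on record for the customer.
# The documentation prefixes stand in for the customer's real registrations.
CUSTOMER_FILTERS = {
    29049: {
        "origins": {29049},
        "prefixes": [
            ipaddress.ip_network("198.51.100.0/24"),
            ipaddress.ip_network("203.0.113.0/24"),
        ],
        "max_len": 24,
    },
}


def check_announcement(customer_as, prefix, as_path):
    """Decide whether to accept a route received on a customer session.

    Returns (accepted, reason). as_path is the path as received from the
    customer, nearest AS first.
    """
    policy = CUSTOMER_FILTERS.get(customer_as)
    if policy is None:
        return False, "no filter built for this customer"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if not as_path or as_path[0] != customer_as:
        return False, "first AS in path is not the customer"
    if as_path[-1] not in policy["origins"]:
        return False, "origin AS not registered for this customer"
    for allowed in policy["prefixes"]:
        # Accept only the registered block or a subnet of it, never a
        # covering aggregate such as a /8 that merely contains it.
        if net.version == allowed.version and net.subnet_of(allowed):
            if net.prefixlen > policy["max_len"]:
                return False, "more specific than /%d" % policy["max_len"]
            return True, "covered by %s" % allowed
    return False, "prefix not registered to this customer"


if __name__ == "__main__":
    received = [
        ("62.0.0.0/8", [29049]),          # the announcement from the post
        ("198.51.100.0/24", [29049]),
        ("198.51.100.128/25", [29049]),
        ("203.0.113.0/24", [29049, 64500]),
    ]
    for prefix, path in received:
        print(prefix, path, check_announcement(29049, prefix, path))
```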


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread mark seiden-via mac


do you remember the days when some of us would only take routing table
updates from andrew partan, because we trusted him?

that's what it's like now wrt takedowns.

do not minimize the use of malicious takedowns by twits and bad guys,
who fabricate a report of misfeasance to get their enemies taken down.


On Apr 15, 2008, at 7:47 AM, Paul Ferguson wrote:



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- "Suresh Ramasubramanian" <[EMAIL PROTECTED]> wrote:


If you send reports with lots of legal boilerplate, or reports with
long lectures on why you expect an INSTANT TAKEDOWN, and send them to
a busy abuse queue, there is no way - and zero reason - for the ISP
people to prioritize your complaint above all the other complaints
coming in.


Having elided the rest of this exchange, and also understanding
exactly what you are talking about, I encourage you to elaborate
on the point you are trying to make...

As you well know, there are many of us who have been working on
this particular issue for years, with wildly varying degrees of
success.

There is no pat answer...

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIBEFTq1pz9mNUZTMRArvBAJ0XvKGXrL5yCKttE/0g1cxpkuWwAwCcCnw8
7Y8Q1TPWRnpvVH/5fdh5r2c=
=Gcoo
-END PGP SIGNATURE-

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/






Re: enterprise change/configuration management and compliance software?

2008-04-15 Thread Peter Dambier

Well,

at Exodus we started talking about IASON.

In the long run everybody was afraid of IASON. They dared not
work on it.

Later I developed some bits and parts.

When we changed hardware in a small company (200 PCs, 20 servers,
5 HP Procurve switches and two routers) IASON would discover
the switches as fast as they were powered and would move them
to a management network.

Operators and management were not amused.
IASON was changing passwords and ip-addresses :)

That has been the only try.

The idea is still a prolog based AI system, learning and knowing
every hardware, how it is configured and connected.

You move a PC from one location to another because people do move
or because a port on a switch has gone dead. IASON reprogrammes
switches and ports so you get the same VLAN.

Somebody is replacing a switch for whatever reason. IASON finds
the new switch and sees the connected pcs and uplinks. It reconfigures
the switch so as to replace the old one. You do not even need to
mind where everything was connected. IASON can change across vendors.

I guess it will take some time - but in the long run we will get it
and it will be open source.

Kind regards
Peter

Phil Regnauld wrote:
> jamie (j) writes:
>> `
>> device, and by 'device' i mean router and/or switch) configuration
>> management (and (ideally) compliance-auditing_and_assurance) software.
>>
>>   We currently use Voyence (now EMC) and are looking into other options for
>> various reasons, support being in the top-3 ...
> 
>   So I guess using something tried, tested and free like Rancid + ISC's audit
>   scripts are not within scope ?
> 
>>   So, I pose:  To you operators of multi-hundred-device networks : what do
>> you use for such purposes(*) ?
> 
>   Rancid :) (+ and now some home developed stuff)
> 
>>   This topic seemed to spark lively debate on efnet,
> 
>   The current weather would spark lively debate on most IRC channels.
> 
>   Phil 

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/


Re: Yahoo Mail Update

2008-04-15 Thread JC Dill


Frank Bulk - iNAME wrote:
> Yes, internet service providers and operators don't need to listen, but I
> can't see how Yahoo's e-mail and abuse handling history arises out of good
> business decisions. 


How would Yahoo benefit from better staffing of their abuse desk?  What 
do they gain, besides the respect of their peers in the ISP industry? 
Do you know of anyone (outside the ISP industry) who knows anything 
about Yahoo's email and abuse handling history, and who uses this 
information as part of a buying decision WRT the services sold by Yahoo?


I don't.  Through my participation on dozens of discussion groups 
(mailing lists, usenet groups, web forums, etc.) I know hundreds of 
people who collectively:


1)  Have a free Yahoo email address
2)  Have a paid Yahoo email address
3)  Pay for a website and/or domain name hosted by Yahoo
4)  Pay for advertising on Yahoo
5)  Click on ads on Yahoo
6)  Have SBC-Global/Yahoo as their DSL provider
7)  Have Yahoo as their Home page (a result of 6)

etc.  None of them know or care that the ISP industry thinks Yahoo is 
irresponsible in their email and abuse handling practices.



Staffing an abuse desk is costly.  If you are big enough that you can 
get away with doing it at the lowest levels possible - if it doesn't 
hurt your bottom line to shift some of your spam problem onto the abuse 
desks of other ISPs, if you are big enough that other ISPs can't afford 
to play hardball with you because your abuse handling practices aren't 
up to their standards, then it makes perfect financial sense to do it at 
the lowest level you can get away with.  Yahoo knows that if it comes to 
a game of chicken that the other side will be hurt more, and blink first.


(Same thing with Cogent and the Tier 1 networks that try to de-peer with 
Cogent - they know that a Tier 1 can't afford the complaints they get 
from their end users if they can't reach a site hosted on Cogent, so 
Cogent can afford to let the Tier 1 break peering, and then reestablish 
it after they suffer the expense of the support calls from their angry 
customer.  Cogent just rides out the storm, knowing that if they simply 
"do nothing" the other side will blink first.)


Now, if a major *website/webhost* (Cogent-sized) wanted to play chicken 
with Yahoo and block access to the website from Yahoo IPs because of the 
spam problem coming from Yahoo, then maybe THAT would be a game of 
chicken that Yahoo couldn't afford to wait out (because of all the 
complaints that would flood Yahoo's support center, etc.).  However the 
website/webhost would need to be able to afford the drop in traffic that 
this ban would produce, and what's in it for them?  Again, where is the 
benefit of this action?  It would cost them lost revenue (lost 
advertising revenue for the website, lost bandwidth revenue for a 
webhost) - for what purpose?


If anyone else (a smaller ISP that is mainly eyeballs, or a small 
website or web host) tries it, they will be hurting themselves rather 
than putting any real pressure on Yahoo to change.



"I urge all my competitors to do that."

jc


RE: Abuse response

2008-04-15 Thread michael.dillon


> The boilerplate is no damned use.  PIRT - and you - should be 
> focusing on feedback loops, and that would practically 
> guarantee instant takedown, especially when the notification 
> is sent by trusted parties.
> 
> >  Again, our success rate is somewhere in the 50% neighborhood.
> 
> With the larger providers it will get to 100% once you go the 
> feedback loop route.
> 
> Do ARF, do IODEF etc.

Yep.

http://mipassoc.org/arf/

http://xml.coverpages.org/iodef.html

--Michael Dillon

P.S. some more URLs that should be known to all

http://asrg.sp.am/
http://www.claws-and-paws.com/spam-l/
http://puck.nether.net/mailman/listinfo/nsp-security
http://www.maawg.org/about/publishedDocuments



Re: enterprise change/configuration management and compliance software?

2008-04-15 Thread Phil Regnauld

jamie (j) writes:
> `
> device, and by 'device' i mean router and/or switch) configuration
> management (and (ideally) compliance-auditing_and_assurance) software.
> 
>   We currently use Voyence (now EMC) and are looking into other options for
> various reasons, support being in the top-3 ...

So I guess using something tried, tested and free like Rancid + ISC's audit
scripts are not within scope ?

>   So, I pose:  To you operators of multi-hundred-device networks : what do
> you use for such purposes(*) ?

Rancid :) (+ and now some home developed stuff)

>   This topic seemed to spark lively debate on efnet,

The current weather would spark lively debate on most IRC channels.

Phil 


Re: Abuse response [Was: RE: Yahoo Mail Update]

2008-04-15 Thread Suresh Ramasubramanian

On Tue, Apr 15, 2008 at 11:55 AM, Paul Ferguson <[EMAIL PROTECTED]> wrote:
>  Really.
>
>  How many people are actually doing IODEF?
>
>  http://www.terena.org/activities/tf-csirt/iodef/

AISI - for example - and AISI feeds the top 25 Australian ISPs - takes
IODEF as an input

And MAAWG does ARF, quite simple to use as well .. but they would take
a standard format (with an RFC yet) if you and some other major
players

1. Offer iodef (or say ARF) feeds
2. Tell them you're offering these feeds

>  It should be simple -- not require a freeking full-blown "standard".

It's a standard. And it allows automated parsing of these complaints.
And automation increases processing speeds by orders of magnitude..
you don't have to wait for an abuse desker to get to your email and
pick it out of a queue with hundreds of other report emails, and
several thousand pieces of spam [funny how [EMAIL PROTECTED] type addresses
end up in so many spammer lists..]

srs