Re: Abuse Contact Handling
Since my first formal abuse desk job in 2001 to now, all at large email providers, I’ve seen a lot of junk come to abuse mailboxes, that is true. YMMV depending on what sort of network you run / service you provide and what sort of customers you take on, but you do get a non trivial number of actionable complaints. --srs From: Tom Beecher Sent: Friday, August 6, 2021 11:42:48 PM To: Suresh Ramasubramanian Cc: Mike Hammett ; Matt Corallo ; NANOG Subject: Re: Abuse Contact Handling If you’re complaining about having to maintain an abuse desk or putting a dummy address into your whois records, sturgeons law says most of the time you’re the sort of provider who doesn’t want to staff an abuse desk. At my previous job for an ISP, I was the abuse desk among my other responsibilities. Fully 50% of "abuse" reports were "STOP PINGING ME". Another 20% were one gentleman who forwarded every spam message he ever received, adamantly refusing to use the 'Report Spam' button in our webmail application. Even today, in my current role,I have had countless 'abuse' issues escalated to my level that turned out to be things that have nothing to do with our network at all. When reporters don't understand the difference between 'abuse' and 'annoyance', abuse mailboxes become nothing more than a relic of the past. On Fri, Aug 6, 2021 at 11:52 AM Suresh Ramasubramanian mailto:ops.li...@gmail.com>> wrote: If the way x is managing their network or (not) managing their customers means my network and my customers are affected .. route leaks? packet kiddies? phish sites? spammers? whatever. If what you’re doing or not doing affects someone else, expect complaints, possibly to your upstreams if you aren’t receptive to these. Not everybody mailing your abuse address is reporting random alerts their $50 home router’s firewall throws up, or is trying to spam you. OK. All that stuff happens but is easy enough to filter out, and well, spammers who add an abuse address to their lists deserve all the blocking they get. If you’re complaining about having to maintain an abuse desk or putting a dummy address into your whois records, sturgeons law says most of the time you’re the sort of provider who doesn’t want to staff an abuse desk. --srs From: NANOG mailto:gmail@nanog.org>> on behalf of Mike Hammett mailto:na...@ics-il.net>> Sent: Friday, August 6, 2021 7:51:04 PM To: Matt Corallo mailto:na...@as397444.net>> Cc: NANOG mailto:nanog@nanog.org>> Subject: Re: Abuse Contact Handling "we don’t get to tell someone they’re managing their network wrong" Sure we do. They don't have to listen, but we get to tell them. RFCs are full of things that one shall not do, must do, etc. We shame network operators all of the time for things they do that affect the global community. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matt Corallo" mailto:na...@as397444.net>> To: "Mike Hammett" mailto:na...@ics-il.net>> Cc: "NANOG" mailto:nanog@nanog.org>> Sent: Friday, August 6, 2021 8:50:00 AM Subject: Re: Abuse Contact Handling Costs real money to figure out, for each customer scanning parts of the internet, if they’re doing it legitimately or maliciously. Costs real money to look into whether someone is spamming or just sending bulk email that customers signed up for. And what do you do if it is legitimate? Lots of abuse reports don’t follow X-ARF, so now you have to have a human process than and chose which ones to ignore. Or you just tell everyone to fill out a common web form and then the data is all nice and structured and you can process it sanely. Like Randy said, we don’t get to tell someone they’re managing their network wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to manage their network differently, reach out, understand their business concerns, help alleviate them. Maybe propose a second Abuse Contact type that only accepts X-ARF that they can use? There’s lots of things that could be done that are productive here. Matt On Aug 6, 2021, at 08:08, Mike Hammett mailto:na...@ics-il.net>> wrote: I suppose if they did a better job of policing their own network, they wouldn't have as much hitting their e-mail boxes. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matt Corallo" mailto:na...@as397444.net>> To: "Mike Hammett" mailto:na...@ics-il.net>>, "NANOG" mailto:nanog@nanog.org>> Sent: Thursday, August 5, 2021 3:44:43 PM Subject: Re: Abuse Contact Handling There's a few old threads on this from last year or so, b
Re: Abuse Contact Handling
> > If you’re complaining about having to maintain an abuse desk or putting a > dummy address into your whois records, sturgeons law says most of the time > you’re the sort of provider who doesn’t want to staff an abuse desk. At my previous job for an ISP, I was the abuse desk among my other responsibilities. Fully 50% of "abuse" reports were "STOP PINGING ME". Another 20% were one gentleman who forwarded every spam message he ever received, adamantly refusing to use the 'Report Spam' button in our webmail application. Even today, in my current role,I have had countless 'abuse' issues escalated to my level that turned out to be things that have nothing to do with our network at all. When reporters don't understand the difference between 'abuse' and 'annoyance', abuse mailboxes become nothing more than a relic of the past. On Fri, Aug 6, 2021 at 11:52 AM Suresh Ramasubramanian wrote: > If the way x is managing their network or (not) managing their customers > means my network and my customers are affected .. > > route leaks? packet kiddies? phish sites? spammers? whatever. If what > you’re doing or not doing affects someone else, expect complaints, possibly > to your upstreams if you aren’t receptive to these. > > Not everybody mailing your abuse address is reporting random alerts their > $50 home router’s firewall throws up, or is trying to spam you. > > OK. All that stuff happens but is easy enough to filter out, and well, > spammers who add an abuse address to their lists deserve all the blocking > they get. > > If you’re complaining about having to maintain an abuse desk or putting a > dummy address into your whois records, sturgeons law says most of the time > you’re the sort of provider who doesn’t want to staff an abuse desk. > > --srs > -- > *From:* NANOG on behalf of > Mike Hammett > *Sent:* Friday, August 6, 2021 7:51:04 PM > *To:* Matt Corallo > *Cc:* NANOG > *Subject:* Re: Abuse Contact Handling > > "we don’t get to tell someone they’re managing their network wrong" > > Sure we do. They don't have to listen, but we get to tell them. RFCs are > full of things that one shall not do, must do, etc. We shame network > operators all of the time for things they do that affect the global > community. > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > -- > *From: *"Matt Corallo" > *To: *"Mike Hammett" > *Cc: *"NANOG" > *Sent: *Friday, August 6, 2021 8:50:00 AM > *Subject: *Re: Abuse Contact Handling > > Costs real money to figure out, for each customer scanning parts of the > internet, if they’re doing it legitimately or maliciously. Costs real money > to look into whether someone is spamming or just sending bulk email that > customers signed up for. And what do you do if it is legitimate? Lots of > abuse reports don’t follow X-ARF, so now you have to have a human process > than and chose which ones to ignore. Or you just tell everyone to fill out > a common web form and then the data is all nice and structured and you can > process it sanely. > > Like Randy said, we don’t get to tell someone they’re managing their > network wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you > want them to manage their network differently, reach out, understand their > business concerns, help alleviate them. Maybe propose a second Abuse > Contact type that only accepts X-ARF that they can use? There’s lots of > things that could be done that are productive here. > > Matt > > > On Aug 6, 2021, at 08:08, Mike Hammett wrote: > > > I suppose if they did a better job of policing their own network, they > wouldn't have as much hitting their e-mail boxes. > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > -- > *From: *"Matt Corallo" > *To: *"Mike Hammett" , "NANOG" > *Sent: *Thursday, August 5, 2021 3:44:43 PM > *Subject: *Re: Abuse Contact Handling > > There's a few old threads on this from last year or so, but while > unmonitored abuse contacts are terrible, similarly, > people have installed automated abuse contact spammer systems which is > equally terrible. Thus, lots of the large hosting > providers have deemed the cost of actually putting a human on an abuse > contact is much too high. > > I'm not sure what the answer is here, but I totally get why large > providers just say "we can better protect a web form > with a captcha than an email box, go use that if there's real abuse". > > Matt > > On 8/5/21 09:14, Mike Hammett wrote: > > What does the greater operator community think of RIR abuse contacts > that are unmonitored autoresponders? > > > > > > > > - > > Mike Hammett > > Intelligent Computing Solutions > > http://www.ics-il.com > > > > Midwest-IX > > http://www.midwest-ix.com > > >
Re: Abuse Contact Handling
If the way x is managing their network or (not) managing their customers means my network and my customers are affected .. route leaks? packet kiddies? phish sites? spammers? whatever. If what you’re doing or not doing affects someone else, expect complaints, possibly to your upstreams if you aren’t receptive to these. Not everybody mailing your abuse address is reporting random alerts their $50 home router’s firewall throws up, or is trying to spam you. OK. All that stuff happens but is easy enough to filter out, and well, spammers who add an abuse address to their lists deserve all the blocking they get. If you’re complaining about having to maintain an abuse desk or putting a dummy address into your whois records, sturgeons law says most of the time you’re the sort of provider who doesn’t want to staff an abuse desk. --srs From: NANOG on behalf of Mike Hammett Sent: Friday, August 6, 2021 7:51:04 PM To: Matt Corallo Cc: NANOG Subject: Re: Abuse Contact Handling "we don’t get to tell someone they’re managing their network wrong" Sure we do. They don't have to listen, but we get to tell them. RFCs are full of things that one shall not do, must do, etc. We shame network operators all of the time for things they do that affect the global community. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matt Corallo" To: "Mike Hammett" Cc: "NANOG" Sent: Friday, August 6, 2021 8:50:00 AM Subject: Re: Abuse Contact Handling Costs real money to figure out, for each customer scanning parts of the internet, if they’re doing it legitimately or maliciously. Costs real money to look into whether someone is spamming or just sending bulk email that customers signed up for. And what do you do if it is legitimate? Lots of abuse reports don’t follow X-ARF, so now you have to have a human process than and chose which ones to ignore. Or you just tell everyone to fill out a common web form and then the data is all nice and structured and you can process it sanely. Like Randy said, we don’t get to tell someone they’re managing their network wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to manage their network differently, reach out, understand their business concerns, help alleviate them. Maybe propose a second Abuse Contact type that only accepts X-ARF that they can use? There’s lots of things that could be done that are productive here. Matt On Aug 6, 2021, at 08:08, Mike Hammett wrote: I suppose if they did a better job of policing their own network, they wouldn't have as much hitting their e-mail boxes. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matt Corallo" To: "Mike Hammett" , "NANOG" Sent: Thursday, August 5, 2021 3:44:43 PM Subject: Re: Abuse Contact Handling There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. I'm not sure what the answer is here, but I totally get why large providers just say "we can better protect a web form with a captcha than an email box, go use that if there's real abuse". Matt On 8/5/21 09:14, Mike Hammett wrote: > What does the greater operator community think of RIR abuse contacts that are > unmonitored autoresponders? > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com
Re: Abuse Contact Handling
"we don’t get to tell someone they’re managing their network wrong" Sure we do. They don't have to listen, but we get to tell them. RFCs are full of things that one shall not do, must do, etc. We shame network operators all of the time for things they do that affect the global community. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Matt Corallo" To: "Mike Hammett" Cc: "NANOG" Sent: Friday, August 6, 2021 8:50:00 AM Subject: Re: Abuse Contact Handling Costs real money to figure out, for each customer scanning parts of the internet, if they’re doing it legitimately or maliciously. Costs real money to look into whether someone is spamming or just sending bulk email that customers signed up for. And what do you do if it is legitimate? Lots of abuse reports don’t follow X-ARF, so now you have to have a human process than and chose which ones to ignore. Or you just tell everyone to fill out a common web form and then the data is all nice and structured and you can process it sanely. Like Randy said, we don’t get to tell someone they’re managing their network wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to manage their network differently, reach out, understand their business concerns, help alleviate them. Maybe propose a second Abuse Contact type that only accepts X-ARF that they can use? There’s lots of things that could be done that are productive here. Matt On Aug 6, 2021, at 08:08, Mike Hammett wrote: I suppose if they did a better job of policing their own network, they wouldn't have as much hitting their e-mail boxes. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Matt Corallo" To: "Mike Hammett" , "NANOG" Sent: Thursday, August 5, 2021 3:44:43 PM Subject: Re: Abuse Contact Handling There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. I'm not sure what the answer is here, but I totally get why large providers just say "we can better protect a web form with a captcha than an email box, go use that if there's real abuse". Matt On 8/5/21 09:14, Mike Hammett wrote: > What does the greater operator community think of RIR abuse contacts that are > unmonitored autoresponders? > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com
Re: Abuse Contact Handling
Costs real money to figure out, for each customer scanning parts of the internet, if they’re doing it legitimately or maliciously. Costs real money to look into whether someone is spamming or just sending bulk email that customers signed up for. And what do you do if it is legitimate? Lots of abuse reports don’t follow X-ARF, so now you have to have a human process than and chose which ones to ignore. Or you just tell everyone to fill out a common web form and then the data is all nice and structured and you can process it sanely. Like Randy said, we don’t get to tell someone they’re managing their network wrong. If you don’t want to talk to AWS, don’t talk to AWS. If you want them to manage their network differently, reach out, understand their business concerns, help alleviate them. Maybe propose a second Abuse Contact type that only accepts X-ARF that they can use? There’s lots of things that could be done that are productive here. Matt > On Aug 6, 2021, at 08:08, Mike Hammett wrote: > > I suppose if they did a better job of policing their own network, they > wouldn't have as much hitting their e-mail boxes. > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > From: "Matt Corallo" > To: "Mike Hammett" , "NANOG" > Sent: Thursday, August 5, 2021 3:44:43 PM > Subject: Re: Abuse Contact Handling > > There's a few old threads on this from last year or so, but while unmonitored > abuse contacts are terrible, similarly, > people have installed automated abuse contact spammer systems which is > equally terrible. Thus, lots of the large hosting > providers have deemed the cost of actually putting a human on an abuse > contact is much too high. > > I'm not sure what the answer is here, but I totally get why large providers > just say "we can better protect a web form > with a captcha than an email box, go use that if there's real abuse". > > Matt > > On 8/5/21 09:14, Mike Hammett wrote: > > What does the greater operator community think of RIR abuse contacts that > > are unmonitored autoresponders? > > > > > > > > - > > Mike Hammett > > Intelligent Computing Solutions > > http://www.ics-il.com > > > > Midwest-IX > > http://www.midwest-ix.com
Re: Abuse Contact Handling
Is it even worth sending abuse reports anymore? Currently we just block bad IPs at our network border and move on but we have seen quite an uptick lately in attacks and probes from domestic IPs (US) on our VoIP platforms.Our #1 offender is coming from Microsoft Azure IPs. We have talked internally about sending abuse reports to various networks but I'm wondering if it's even worth the effort. -richey On Thu, Aug 5, 2021 at 10:44 PM goemon--- via NANOG wrote: > > On Thu, 5 Aug 2021, Matt Corallo wrote: > > Thus, lots of the large hosting providers have deemed the cost of > > actually putting a human on an abuse contact is much too high. > > it seems they have decided that ending up on DBL is their abuse > monitoring/reporting mechanism. > > -Dan
Re: Abuse Contact Handling
I suppose if they did a better job of policing their own network, they wouldn't have as much hitting their e-mail boxes. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Matt Corallo" To: "Mike Hammett" , "NANOG" Sent: Thursday, August 5, 2021 3:44:43 PM Subject: Re: Abuse Contact Handling There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. I'm not sure what the answer is here, but I totally get why large providers just say "we can better protect a web form with a captcha than an email box, go use that if there's real abuse". Matt On 8/5/21 09:14, Mike Hammett wrote: > What does the greater operator community think of RIR abuse contacts that are > unmonitored autoresponders? > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com
Re: Abuse Contact Handling
On Thu, 5 Aug 2021, Matt Corallo wrote: Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. it seems they have decided that ending up on DBL is their abuse monitoring/reporting mechanism. -Dan
Re: Abuse Contact Handling
> One thing I've been thinking for long time is to consider policy > proposals to enforce the usage of the abuse mailbox together with > X-ARF/RFC5965/RFC6650. That will automate probably a so big % of abuse > handling that makes sense even if you need to make some programming, > even if there are already today open source tools for that. i try to minimize telling other operators how to run their networks, and hope they treat me similarly. educate, facilitate, don't legislate. why is it that many ops feel the need to wrap/defend abuse reporting mechanisms? my guess, and it is just a guess, is volume, and the volume of false positives, automated over-reaction (you pinged my server!!!), or trivial whining. my experience is that, once i got past the spam/whining defenses, ops are quite cooperative. perhaps my trying to be polite helps. i do not assume i know how to run your network better than you do. perhaps if we figured out how to stop DoSsing abuse systems, they would evolve back to being easier to use. though it is hard to wind back defenses. so it goes. randy --- ra...@psg.com `gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com` signatures are back, thanks to dmarc header butchery
Re: Abuse Contact Handling
One thing I've been thinking for long time is to consider policy proposals to enforce the usage of the abuse mailbox together with X-ARF/RFC5965/RFC6650. That will automate probably a so big % of abuse handling that makes sense even if you need to make some programming, even if there are already today open source tools for that. El 5/8/21 22:46, "NANOG en nombre de Matt Corallo" escribió: There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. I'm not sure what the answer is here, but I totally get why large providers just say "we can better protect a web form with a captcha than an email box, go use that if there's real abuse". Matt On 8/5/21 09:14, Mike Hammett wrote: > What does the greater operator community think of RIR abuse contacts that are unmonitored autoresponders? > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com ** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Re: Abuse Contact Handling
There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human on an abuse contact is much too high. I'm not sure what the answer is here, but I totally get why large providers just say "we can better protect a web form with a captcha than an email box, go use that if there's real abuse". Matt On 8/5/21 09:14, Mike Hammett wrote: What does the greater operator community think of RIR abuse contacts that are unmonitored autoresponders? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com
Re: Abuse Contact Handling
In several RIRs we addressed it via a policy, already implemented for some years in APNIC (very useful results up to now), and recently implemented in LACNIC: AFRINIC https://www.afrinic.net/policy/proposals/2018-gen-001-d7 APNIC https://www.apnic.net/community/policy/proposals/prop-125 LACNIC https://www.lacnic.net/4419/2/lacnic/12-registration-and-validation-of-abuse-c-and-abuse-mailbox In RIPE and ARIN it failed (even if there is something similar, but not so efficient). I plan to resubmit at some point, just thinking in alternative approches. Regards, Jordi @jordipalet El 5/8/21 15:16, "NANOG en nombre de Mike Hammett" escribió: What does the greater operator community think of RIR abuse contacts that are unmonitored autoresponders? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Abuse Contact Handling
What does the greater operator community think of RIR abuse contacts that are unmonitored autoresponders? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com
