Hi Jordi, Sorry I was probably a bit unclear, I don't filter based on content for the abuse inbox. But as I don't filter based on content, I feel like in some cases I need to sort of have manual fail2ban.
I really like your point though and I don't know how I blanked out on a temporary block being a potential solution. Because the main thing I was afraid of is, what if another one of their customers gets this address and actually has legitimate abuse emails? But temporarily blocking the sender is a good enough solution to me at least considering the very low volume of abuse emails I get on a regular basis. Also to clarify these emails in particular were complete nonsense such as "I am under ddos from you, please help" with no other details. They were also sent with invalid SPF, and I don't think the from addresses were actually the senders. Also just a few minutes ago, the abuse contact replied saying that they had taken action so I hope this specific case is now fixed. I still think it is/was a useful topic though as there might be less obvious situations or situations where the abuse contact of the sender doesn't cooperate. -Cynthia On Thu, Feb 18, 2021 at 1:58 PM JORDI PALET MARTINEZ via anti-abuse-wg < anti-abuse-wg@ripe.net> wrote: > In my experience, this is something you need to live with, and not filter > anything in the spam folder. > > > > Why? Because it can be real spam (and then you can use the abuse contact > of the resource-holder for the addresses where the spam is coming from), > when you report abuse cases, to facilitate the work of the involved > parties, you should be allowed to attach or include headers, logs, etc. > that probe that it is an abuse (from your perspective). > > > > If you filter that, then you will not receive many abuse reports … > > > > For example, some abuse mailboxes filter specific URLs or domains. If the > header contains such domain, how are you going to be able to send that? > > > > I use fail2ban and block automatically specific IP addresses or ranges > once the abuse has been reported and keeps repeating. Depending on the > frequency of the repetitions, how many, etc., etc., I could increase > automatically from a few hours to days or weeks the banning. > > > > Regards, > > Jordi > > @jordipalet > > > > > > > > El 18/2/21 13:40, "anti-abuse-wg en nombre de Cynthia Revström via > anti-abuse-wg" <anti-abuse-wg-boun...@ripe.net en nombre de > anti-abuse-wg@ripe.net> escribió: > > > > Hi aa-wg, > > > > For some context, today and yesterday I have been receiving spam in the > form of fake abuse notices to my abuse contact email address. > > > > Is there a generally accepted standard for when it's okay to block an > address or a prefix from emailing your abuse contact? > > > > I consider being able to contact the abuse email address of a network a > rather important function, so I prefer not to block it. > > But also as I have more relaxed spam filters for the abuse contact to make > sure nothing gets lost, it feels like blocking the address/prefix is my > only option other than manually filtering through these emails (10 so far > in total, today and yesterday). > > > > So back to the question, is there a generally accepted point at which > blocking an address/prefix is fine? > > > > Thanks, > > -Cynthia > > ********************************************** > IPv4 is over > Are you ready for the new Internet ? > http://www.theipv6company.com > The IPv6 Company > > This electronic message contains information which may be privileged or > confidential. The information is intended to be for the exclusive use of > the individual(s) named above and further non-explicilty authorized > disclosure, copying, distribution or use of the contents of this > information, even if partially, including attached files, is strictly > prohibited and will be considered a criminal offense. If you are not the > intended recipient be aware that any disclosure, copying, distribution or > use of the contents of this information, even if partially, including > attached files, is strictly prohibited, will be considered a criminal > offense, so you must reply to the original sender to inform about this > communication and delete it. > >
