Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ronald F. Guilmette
In message , 
Randy Bush  wrote:

>we are in a 'maturing' industry...

That excuse might almost be a reasonable justification for bad behavior
and even worse operating policies if it hadn't already been in continuous
use for the past 20+ years.

The spam problem has existed on the Internet since the late 1990s.  May
we optimistically hold out some hope that this industry might be able
to get its shit together by, say, 2045?

>so margins are low and people are overworked and underpaid. 

Maybe margins are low *structurally*, because just like in the spam trade,
everybody and his brother got enticed by the low barriers to entry in the
commercial hosting business, resulting in tens of thousands of "me too"
operators that, in point of fact, have no commercial advantage, and thus
no reason to even exist.  And they are all now competing with tens of
thousands just like them, as well as trying, vainly, to compete with a
few other outfits you may have heard of, e.g. Amazon, Google, Microsoft.

"Margins are low" is the same excuse that polluters used back in the day
for dumping toxic waste into rivers in the dead of night.  Now it is being
trotted out as an excuse for an inability... or rather an unwillingness...
to do the simple things (like blocking outbound port 25) needed to stop
the effluent of spam from leaking out into and onto the global Internet.

Profits may be in short supply in the commercial hosting business, but
fortunately there is never any shortage of lame excuses to justify the
status quo.


Regards,
rfg


P.S.  I am at pains to stress that essentially 100% of *all* network abuse
of ALL KINDS these days originates from commercial hosting providers.

I do not, in general, get spam, or break-in attempts, or port scans, or
any other such abuse from government networks, from academic networks,
from non-profit associations, or from legitimate businesses that have
their own netblocks and that are not fundamentally in the Internet
services business.  Nor do I have to endure such crap from any of the
thousands of so-called "eyeball networks", e.g.  Comcast, etc.  Rather,
the sum total of essentially all network abuse these days is consistently
emanating from commercial hosting providers, and specifically from the
ones that have elected to entice miscreants and criminals to their
services by having deliberately loose contractual policies or else
deliberately loose enforcement of their stated policies.

It's a fairly moronic way to try to make a living, or to turn a profit,
but I guess that when you have nothing else to offer in the way of
competitive advantage...



Re: [anti-abuse-wg] Anti-social assholes

2021-02-21 Thread Suresh Ramasubramanian
This is a standard problem with even Google

Domain name(s) registered on Google Registrar
Spam from google apps mail
Domains hosted on a google cloud IP
Redirect hosted on google firebase
Report to google safe browsing
Feed URLs to virus total - also owned by Google

Suppose you have a phish campaign that has registered say a dozen domains, how 
many web forms do you end up submitting?

Also - the language used is fast becoming a throwback to the old days of 
news.admin.net-abuse.email, I thought we’d all moved away from that sort of 
thing.

--srs

From: anti-abuse-wg  on behalf of steve payne 

Sent: Sunday, February 21, 2021 9:18:53 PM
To: JJS JJS 
Cc: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Anti-social assholes

The problem with the online form report abuse is that you can only submit 1 url 
at a time.

When you submit the url, then they will ask for more information. The same as 
sending to abuse@

Once you submit the additional information, you usually do not hear anything 
back from these cloud hosting providers and I rarely see anything happen.

The "abuse" they are looking for is email spam generated from their servers 
that do not follow the CAN-SPAM act. Any other type of "abuse" is not "abuse" 
as the usual response is "Oh I found what you're talking about I've fixed the 
problem".





On Sat, Feb 20, 2021 at 9:02 PM JJS JJS wrote:

To put it alternatively:

Imagine you walk down a street and there are lots of pubs (saloons?) that serve 
Alcohol and they all have drunken people swearing and trashing the place and 
you ask to report it to the manager but the bouncer of one premises says... 
"You have to put it in writing via email" and the next premises says "you have 
to telephone during business hours" and another says "you have to write a 
letter to an address".


That is their choice. Sometimes with forms, it pre-loads it into a system that 
formats it for them. Sometimes there are email systems that can extract that 
information and format it anyway. But if they want you to use a form, they are 
indicating that's the best way for them to know what is happening.




On 21/02/2021 2:38 pm, Ronald F. Guilmette wrote:

I get an email spam so I report it... via email.

I *do not* don snorkel gear.  I do not contort my body into odd
shapes.  I do not make my report out-of-band, via smoke signals,
or morse code, or via modulated infrared wavelengths.

Call me old fashioned, but as I have already made plain, I do not think
that I should be required to do any of these things.  It is easier for
me just to block all of Hostdime, which I had plenty of reasons to
do already anyway.


Regards,
rfg


P.S.  Seriously, how much arrogance does it take for them to say to
me that it is OK for me to have taken up *my* time to have read the
crap that was originated by *their* customer, but *they* cannot be
bothered to read *my* mail to them?



--- Forwarded Message

Date:Sat, 20 Feb 2021 19:47:33 -0500
From:ab...@hostdime.com
To:  r...@tristatelogic.com
Subject: [AUTOREPLY] - Please submit complaint to https://www.hostdime.com/abuse-report/

Hello,

Thank you for contacting HostDime.

Please resubmit your original message at the following link for action to be considered:
- ---
HostDime Abuse Report Form
https://www.hostdime.com/abuse-report/
- ---
Thank you,
HostDime.com, Inc

NOTE: This is an automated message. Please do not reply to this email. This mailbox is not monitored.

--- End of Forwarded Message




Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Suresh Ramasubramanian
Depends on the provider you work for and what services they provide. Randy is 
(I think) still with NTT rather than a cloud service, vps operator type shop, 
so a lot of your questions aren’t going to apply to his environment.


--srs

From: anti-abuse-wg  on behalf of Ronald F. 
Guilmette 
Sent: Monday, February 22, 2021 3:48:23 AM
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox

In message ,
Randy Bush  wrote:

>there is a fair bit of spectrum between the internet of cooperating
>competitors running their networks as prudently as they can afford
>and an internet desired by some where everything is done uniformly
>by rigid written rules.

You are using the word "afford" in this context as a blanket excuse
for incompetence and/or willful anti-social negligence.

What is the cost of adding a "cleanup fee" clause to your standard
service contracts, and why are you so abysmally bad at business that
you cannot afford to do that?

What is the cost of filtering outbound port 25 by default, and why are
you so abysmally bad at business that you cannot afford to do that?

The data is in, and applying one or both of these simple measures to
any given network has been demonstrated to reduce the need to pay
humans to staff an "abuse desk" dramatically.

Are you also unable to "afford" to implement BCP 38?


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ronald F. Guilmette
In message , 
Randy Bush  wrote:

>there is a fair bit of spectrum between the internet of cooperating
>competitors running their networks as prudently as they can afford
>and an internet desired by some where everything is done uniformly
>by rigid written rules.

You are using the word "afford" in this context as a blanket excuse
for incompetence and/or willful anti-social negligence.

What is the cost of adding a "cleanup fee" clause to your standard
service contracts, and why are you so abysmally bad at business that
you cannot afford to do that?

What is the cost of filtering outbound port 25 by default, and why are
you so abysmally bad at business that you cannot afford to do that?

The data is in, and applying one or both of these simple measures to
any given network has been demonstrated to reduce the need to pay
humans to staff an "abuse desk" dramatically.

Are you also unable to "afford" to implement BCP 38?


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ángel González Berdasco
On 21-02-2021 03:44 +0100, Cynthia Revström writes:
> Ronald,
> 
> Can you please stop attacking ideas (such as web forms) implying that
> they only have malicious use cases.
> 
> > I hold them responsible because they obviously
> > fail to have in place contractual clauses that would persuasively
> > deter this behavior on the part of their customers.
> 
> In many cases it is practically impossible to know if your customers
> are sending legit emails or spam without having people reporting it.
> As TLS is used in many cases now, the provider can't look at the
> network data to see what the customer is sending even on a technical
> level, disregarding any trust/potential legal issues.


> > The provider in question is a perfectly lousy coder and is thus
> > unable and/or unwilling to write code to parse emailed abuse
> > reports.
> 
> Hi, I am actually primarily a software dev and not a network
> engineer, it is not even close to as easy as you make it out to be.
> Sure you can have a regex to extract IP addresses and other messy
> things like that, but you can't be sure what that address is, it
> might be your customer, it might be the address they say you
> attacked, etc.
> My point here is that parsing free form text in this way without
> having a clearly defined structure is far from trivial.
> Also please stop assuming bad faith by saying that providers are
> "unwilling" to do this.
> If they could drastically lower the amount of manual work needed here
> with a bit of code, they absolutely would in almost all cases.

Hello Cynthia

I would say it's not as hard. Having the right tools helps a ton, but
not all companies understand that.
First of all, you want to automatically parse those reports using
ARF/X-ARF, as those are already machine parseable.
Then, you will have a lot of other reports in a mix of formats, that
you could be parsing separately. Although I would say that a naive
approach of “parse all IP addresses, if there is a single one in our
range, associate the report to that IP address” works in most cases.
Scanning for a few keywords (spam, DDoS, telnet, ssh…) should also
allow for an initial classification.

This is all very rough, and (as mentioned in the thread), you should
still have a human *look* at it, but could easily cut the work needed
in more than half.

If you receive those 200 Incident Reports, but they are already
classified as 185 of them relating to 203.0.113.7, you will probably
not need to evaluate all of them to conclude that there is something
bad going on with that customer.

Also, another point would be the number of clicks needed to take action
(e.g. in some systems you might need just 2-3 clicks to suspend the
customer resource and send them a warning, whereas in others you may
need a slow manual process).




> > And anyway, don't actual human beings need to look at these things,
> > in the end, in order to be able to react to each of them properly
> > and in a professional fashion? 
> 
> Web forms can have pros and cons, I am just going to take the case of
> a VPS/Dedicated server hosting company.
> 
> If the hosting company provides a web form, they can have a field
> where they explicitly ask for the offending IP address.
> This report could then automatically also be sent to the customer in
> question, because we shouldn't assume the customer is malicious, they
> might just have a bad config that made them a relay for example.
> This could make it so the report is acted upon sooner potentially as
> the hosting company might take a few days to reply but maybe the
> customer can act sooner.

It depends. In some cases, the customer is another victim. In others,
such as the customer having bought "paypa1.com", well, I think you
_should_ assume he is malicious. :)

It's not hard to figure out by a human. Yet you still need someone to
ascertain them.



> > A provider that is routinely receiving so many abuse reports that
> > it can barely keep up with them all has bigger problems than just
> > the manner in which abuse reports are received.
> 
> Due to the automated procedure by some providers for abuse reports,
> if I have one bad host sending spam, I might get an abuse report for
> every single email they receive, so even if it is just one customer I
> might wake up to 200 emails.
> But if I had a way to group it by sender IP address, that would be a
> lot more manageable.
> (this was just a hypothetical example) 
> 
> Now I absolutely agree that having an abuse email address that is
> acted upon in a reasonable amount of time (maybe a week or so) is
> still essential as the web forms aren't standardised or might rely on
> technology like captchas.
> But if you send me 200 emails about the same host in one day, I am
> probably still going to be mildly annoyed and I could see how this is
> actually unmanageable for larger providers.


Larger providers should have more people dedicated to handle abuse
reports. Unfortunately, it's a task working too many times with 
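
Added example (not part of the message above, and not any poster's or provider's code): a Python sketch of the triage Ángel describes, reading the ARF `Source-IP` field first, then falling back to "exactly one address in our range", with keyword classification and grouping by address. The network `203.0.113.0/24`, the helper names and all sample reports are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from email import message_from_string

# Assumption: the provider's address space (RFC 5737 documentation range).
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
KEYWORDS = ("spam", "ddos", "telnet", "ssh")  # keywords named in the post
# Dotted quad that is not part of a longer dotted number such as 1.2.3.4.5.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
ARF_SOURCE_RE = re.compile(r"(?im)^Source-IP:\s*(\S+)")  # RFC 5965 field


def our_ips(text):
    """Distinct addresses in text that fall inside OUR_NETWORKS."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # 999.1.1.1 and similar look-alikes
            continue
        if any(addr in net for net in OUR_NETWORKS):
            found.add(str(addr))
    return found


def classify(text):
    """First keyword found as a whole word, else 'unclassified'."""
    hits = [k for k in KEYWORDS if re.search(rf"\b{k}\b", text, re.I)]
    return hits[0] if hits else "unclassified"


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def triage(raw_email):
    """Return (ip or None, category, method) for one raw report."""
    msg = message_from_string(raw_email)
    category = classify(f"{msg.get('Subject', '')}\n{body_text(msg)}")
    # 1. ARF: the machine-readable part names the source directly.
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            match = ARF_SOURCE_RE.search(part.as_string())
            ips = our_ips(match.group(1)) if match else set()
            if len(ips) == 1:
                return ips.pop(), category, "arf"
    # 2. Free-form: associate only when exactly one of our addresses appears.
    ips = our_ips(body_text(msg))
    if len(ips) == 1:
        return ips.pop(), category, "single-ip"
    return None, category, "manual"  # zero or several candidates: human decides


def group_reports(raw_reports):
    """Group reports per address; return (by_ip, indexes needing a human)."""
    by_ip, needs_human = defaultdict(Counter), []
    for index, raw in enumerate(raw_reports):
        ip, category, _method = triage(raw)
        if ip is None:
            needs_human.append(index)
        else:
            by_ip[ip][category] += 1
    return dict(by_ip), needs_human


def make_report(subject, body):
    return f"From: reporter@example.net\nSubject: {subject}\n\n{body}\n"


ARF_SAMPLE = """\
Subject: FW: abuse report
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report for a spam message received from your network.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Source-IP: 203.0.113.7

--b1--
"""
SAMPLES = [  # constructed reports; the ARF one omits the original-message part
    ARF_SAMPLE,
    make_report("Spam from your network", "Host 203.0.113.7 sends spam to our MX 198.51.100.23."),
    make_report("Brute force", "Repeated ssh logins from 203.0.113.40 against 192.0.2.10."),
    make_report("DDoS traffic", "Floods from 203.0.113.7 and 203.0.113.99 since 02:00."),
]

if __name__ == "__main__":
    print(group_reports(SAMPLES))
```

The report naming two in-range addresses is deliberately left unassigned, which is where the human review mentioned in the thread comes in.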

Re: [anti-abuse-wg] Anti-social assholes

2021-02-21 Thread Ángel González Berdasco
First of all, can we please avoid insulting people here, particularly
on email subjects?

I understand how we are all fed up at times with the abuse handling of
certain providers (or lack thereof) but, even if it wasn't what rfg was
intending this could easily be construed as a personal attack by
certain people on this list (completely unrelated to HostDime, I should
note) which won't help having healthy discussions with everyone
involved.

Thanks


JJS JJS writes:
> To put it alternatively: 
> Imagine you walk down a street and there are lots of pubs (saloons?)
> that serve Alcohol and they all have drunken people swearing and
> trashing the place and you ask to report it to the manager but the
> bouncer of one premises says... "You have to put it in writing via
> email" and the next premises says "you have to telephone during
> business hours" and another says "you have to write a letter to an
> address".
> 
> That is their choice. Sometimes with forms, it pre-loads it into a
> system that formats it for them. Sometimes there are email systems
> that can extract that information and format it anyway. But if they
> want you to use a form, they are indicating that's the best way for
> them to know what is happening.

That's perfectly fine. They can prefer receiving abuse complaints via a
form. Or using separate reporting emails for phishing / spam / child
abuse… Or receiving everything in one big mail. Or as separate emails
for every url, even if it only differs in a trailing slash. Some would
like to get a call for urgent matters. Or they would prefer that you
were logged in on their system.

That's all fine, as far as they are *preferences*.

I have my preferences as well. I may accommodate them if it's easy for
me, but perhaps only if that doesn't make it too burdensome for me.
For instance, I may have to fill my own ticket with what was reported
to the provider. This is zero-cost for reports performed by email, but
may mean taking three times more if choosing to report instead via an
abuse form. Which may not always have available on a given day to 
jumping through hoops in order to please yet another provider that day
(and, sadly, the lack of response doesn't encourage taking the extra
effort of doing it _their way_. There are providers doing great, but
too many deaf ears out there).

Best regards

-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys








[anti-abuse-wg] Sorry for derailing

2021-02-21 Thread Hans-Martin Mosner
Folks, I need to apologize for derailing Cynthia's topic. I had a feeling that 
this might happen, I should have listened
to that feeling and just stop it.

I know that we will continue to have different opinions on some matters, such 
as how to handle abuse reports. As long as
we exchange arguments about which approach is preferential in which situation, 
all is well. Once we get into name
calling and questioning each other's competence, things deteriorate quickly. 
Let's not do that.

It is sadly very hard to reach agreement on even very basic issues, and the 
more one is convinced that one's point of
view is correct the more one is likely to belittle different opinions. We 
should be able to present our views and
discuss them rationally without resolving to ad hominem attacks. It's ok to say 
"I stay by my opinion and will do it
that way" but it's not ok to say "you're an idiot if you do it differently".

Opinions on who should bear the main burden in resolving abuse issues naturally 
differ a lot depending what role in the
process you take. It might be helpful to state one's own role when arguing for 
one's view, and to recognize the role of
others defending different viewpoints.

Cheers,
Hans-Martin




Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Randy Bush
> There seems to be at least one rule common to everyone: if you want to
> run a network with an independent routing policy you'll need to use
> BGP.

:)

> Unfortunately it seems dealing with abuse emerging from the networks
> one runs is not a common, basic, rule for everyone.
> 
> Also, network admins should stick to run networks, and not try to
> handle abuse by themselves. But a lot of networks don't have anyone to
> do that (or have a business model in which all abuse reports are
> discarded by default), hence the chaos.

we are in a 'maturing' industry and in trying times.  so margins are low
and people are overworked and underpaid.  non-critical things start to
fall by the wayside.

when it comes to protocols, i am a naggumite.  i disagreed with dr
postel's dictum at the time; we should not accept crap from the other
side.  when it comes to ops, i try to be more tolerant.  it's hard
times, and we all make mistakes (see fun threads on nanog) or can not
cover all desired functions as well as the peanut gallery loudly
demands.

randy

---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header mangling



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Carlos Friaças via anti-abuse-wg



Hi,

There seems to be at least one rule common to everyone: if you want to run 
a network with an independent routing policy you'll need to use BGP.


Unfortunately it seems dealing with abuse emerging from the networks one 
runs is not a common, basic, rule for everyone.


Also, network admins should stick to run networks, and not try to handle 
abuse by themselves. But a lot of networks don't have anyone to do that 
(or have a business model in which all abuse reports are discarded by 
default), hence the chaos.


Regards,
Carlos


On Sun, 21 Feb 2021, Randy Bush wrote:


there is a fair bit of spectrum between the internet of cooperating
competitors running their networks as prudently as they can afford
and an internet desired by some where everything is done uniformly
by rigid written rules.

what i find interesting is that a number of the folk here who
loudly espouse the latter don't actually run networks.

randy







Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Randy Bush
there is a fair bit of spectrum between the internet of cooperating
competitors running their networks as prudently as they can afford
and an internet desired by some where everything is done uniformly
by rigid written rules.

what i find interesting is that a number of the folk here who
loudly espouse the latter don't actually run networks.

randy



Re: [anti-abuse-wg] Anti-social assholes

2021-02-21 Thread steve payne
P.S.

I forgot to include "We don't have access to the server so we will have to
wait until the customer responds".

You can't see the data the server is sending or the spam links i've
supplied to you?

After they say they "fixed the problem", you can clearly see that it's
still not fixed and any further attempt to reply goes ignored.

That has been my experience with most cloud hosting providers.

On Sun, Feb 21, 2021 at 8:48 AM steve payne  wrote:

> The problem with the online form report abuse is that you can only submit
> 1 url at a time.
>
> When you submit the url, then they will ask for more information. The same
> as sending to abuse@
>
> Once you submit the additional information, you usually do not hear
> anything back from these cloud hosting providers and I rarely see anything
> happen.
>
> The "abuse" they are looking for is email spam generated from their
> servers that do not follow the CAN-SPAM act. Any other type of "abuse" is
> not "abuse" as the usual response is "Oh I found what you're talking about
> I've fixed the problem".
>
>
>
>
>
> On Sat, Feb 20, 2021 at 9:02 PM JJS JJS  wrote:
>
>> To put it alternatively:
>>
>> Imagine you walk down a street and there are lots of pubs (saloons?) that
>> serve Alcohol and they all have drunken people swearing and trashing the
>> place and you ask to report it to the manager but the bouncer of one
>> premises says... "You have to put it in writing via email" and the next
>> premises says "you have to telephone during business hours" and another
>> says "you have to write a letter to an address".
>>
>>
>> That is their choice. Sometimes with forms, it pre-loads it into a system
>> that formats it for them. Sometimes there are email systems that can
>> extract that information and format it anyway. But if they want you to use
>> a form, they are indicating that's the best way for them to know what is
>> happening.
>>
>>
>>
>>
>> On 21/02/2021 2:38 pm, Ronald F. Guilmette wrote:
>>
>> I get an email spam so I report it... via email.
>>
>> I *do not* don snorkel gear.  I do not contort my body into odd
>> shapes.  I do not make my report out-of-band, via smoke signals,
>> or morse code, or via modulated infrared wavelengths.
>>
>> Call me old fashioned, but as I have already made plain, I do not think
>> that I should be required to do any of these things.  It is easier for
>> me just to block all of Hostdime, which I had plenty of reasons to
>> do already anyway.
>>
>>
>> Regards,
>> rfg
>>
>>
>> P.S.  Seriously, how much arrogance does it take for them to say to
>> me that it is OK for me to have taken up *my* time to have read the
>> crap that was originated by *their* customer, but *they* cannot be
>> bothered to read *my* mail to them?
>>
>>
>>
>> --- Forwarded Message
>>
>> Date:Sat, 20 Feb 2021 19:47:33 -0500
>> From:ab...@hostdime.com 
>> To:  r...@tristatelogic.com
>> Subject: [AUTOREPLY] - Please submit complaint to https://www.hostdime.com/abuse-report/
>>
>> Hello,
>>
>> Thank you for contacting HostDime.
>>
>> Please resubmit your original message at the following link for action to be considered:
>> - ---
>> HostDime Abuse Report Form
>> https://www.hostdime.com/abuse-report/
>> - ---
>> Thank you,
>> HostDime.com, Inc
>>
>> NOTE: This is an automated message. Please do not reply to this email. This mailbox is not monitored.
>>
>> --- End of Forwarded Message
>>
>>
>>


Re: [anti-abuse-wg] Anti-social assholes

2021-02-21 Thread steve payne
The problem with the online form report abuse is that you can only submit 1
url at a time.

When you submit the url, then they will ask for more information. The same
as sending to abuse@

Once you submit the additional information, you usually do not hear
anything back from these cloud hosting providers and I rarely see anything
happen.

The "abuse" they are looking for is email spam generated from their servers
that do not follow the CAN-SPAM act. Any other type of "abuse" is not
"abuse" as the usual response is "Oh I found what you're talking about
I've fixed the problem".





On Sat, Feb 20, 2021 at 9:02 PM JJS JJS  wrote:

> To put it alternatively:
>
> Imagine you walk down a street and there are lots of pubs (saloons?) that
> serve Alcohol and they all have drunken people swearing and trashing the
> place and you ask to report it to the manager but the bouncer of one
> premises says... "You have to put it in writing via email" and the next
> premises says "you have to telephone during business hours" and another
> says "you have to write a letter to an address".
>
>
> That is their choice. Sometimes with forms, it pre-loads it into a system
> that formats it for them. Sometimes there are email systems that can
> extract that information and format it anyway. But if they want you to use
> a form, they are indicating that's the best way for them to know what is
> happening.
>
>
>
>
> On 21/02/2021 2:38 pm, Ronald F. Guilmette wrote:
>
> I get an email spam so I report it... via email.
>
> I *do not* don snorkel gear.  I do not contort my body into odd
> shapes.  I do not make my report out-of-band, via smoke signals,
> or morse code, or via modulated infrared wavelengths.
>
> Call me old fashioned, but as I have already made plain, I do not think
> that I should be required to do any of these things.  It is easier for
> me just to block all of Hostdime, which I had plenty of reasons to
> do already anyway.
>
>
> Regards,
> rfg
>
>
> P.S.  Seriously, how much arrogance does it take for them to say to
> me that it is OK for me to have taken up *my* time to have read the
> crap that was originated by *their* customer, but *they* cannot be
> bothered to read *my* mail to them?
>
>
>
> --- Forwarded Message
>
> Date:Sat, 20 Feb 2021 19:47:33 -0500
> From:ab...@hostdime.com 
> To:  r...@tristatelogic.com
> Subject: [AUTOREPLY] - Please submit complaint to https://www.hostdime.com/abuse-report/
>
> Hello,
>
> Thank you for contacting HostDime.
>
> Please resubmit your original message at the following link for action to be considered:
> - ---
> HostDime Abuse Report Form
> https://www.hostdime.com/abuse-report/
> - ---
> Thank you,
> HostDime.com, Inc
>
> NOTE: This is an automated message. Please do not reply to this email. This mailbox is not monitored.
>
> --- End of Forwarded Message
>
>
>


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Cynthia Revström via anti-abuse-wg
I give up, I am just wasting my time trying to argue, I want to make it
clear I still disagree with you but arguing is a waste of time.

-Cynthia

On Sun, Feb 21, 2021, 05:30 Ronald F. Guilmette 
wrote:

> In message  u1e9un9ccc8uy-f7...@mail.gmail.com>,
> Cynthia Revström wrote:
>
> >Can you please stop attacking ideas (such as web forms) implying that they
> >only have malicious use cases.
>
> You have missed my point entirely.
>
> Web-based abuse reporting forms are not merely "an idea" any more than
> discrimination is merely an "idea".  Rather it is an attitude and a
> way of life.  It is the Internet equivalent of refusing to wear a
> face mask, for the good of all, in a crowded elevator in the middle of
> a global pandemic.  It is demonstrably and provably a selfish and
> self-serving anti-social behavior pattern.  I don't know where you
> live, but where I live we have already had more than enough of this
> kind of attitude, and this kind of childish anti-social behavior.
>
> >> I hold them responsible because they obviously
> >> fail to have in place contractual clauses that would persuasively
> >> deter this behavior on the part of their customers.
> >
> >In many cases it is practically impossible to know if your customers are
> >sending legit emails or spam without having people reporting it.
>
> Again, you have missed my point quite entirely.
>
> Some providers have clauses in their service contracts that say explicitly
> that customers who are caught spamming will face a mandatory (and heavy)
> "cleanup fee".  Many other providers do not have such clauses in their
> standard service contracts.  Can you guess which providers are the sources
> of most spams?
>
> >> The provider in question is a perfectly lousy coder and is thus
> >> unable and/or unwilling to write code to parse emailed abuse
> >> reports.
> >
> >Hi, I am actually primarily a software dev and not a network engineer, it
> >is not even close to as easy as you make it out to be.
>
> Fine.  Have it your way.  The point can be argued either way, but I see no
> point in us doing so at this moment, since I made a different and
> *overriding* point that renders this question of parsing abuse reports
> sent via email moot.
>
> I say again, any professional treatment of an abuse report will necessarily
> require a human being to actually LOOK at the bloody thing.  When viewed
> with that context, the manner in which the report arrives is utterly
> irrelevant.
>
> If a human being is, in the end, going to end up looking at the bloody
> thing anyway, then what difference does it make if the report arrives
> via email or via a web form?  None.  None at all.
>
> >My point here is that parsing free form text in this way without having a
> >clearly defined structure is far from trivial.
> >Also please stop assuming bad faith by saying that providers are
> >"unwilling" to do this.
>
> I do not assume.  I observe.  And I've been doing this a LONG time.
>
> With the highly probable exception of my friend Michele Neylon, it has
> been my experience that those providers that set up web-based abuse
> reporting forms ignore most or all of what they receive via those
> forms.  Either that or they just forward the reports on to their pet
> spammers, which is provably even WORSE than if they had just dropped
> the reports into /dev/null.
>
> >> And anyway, don't actual human beings need to look at these things,
> >> in the end, in order to be able to react to each of them properly
> >> and in a professional fashion?
> >
> >Web forms can have pros and cons, I am just going to take the case of a
> >VPS/Dedicated server hosting company.
> >
> >If the hosting company provides a web form, they can have a field where
> >they explicitly ask for the offending IP address.
>
> Oh!  So you want and indeed *demand* that the spam *victim* should be
> obliged to fish this tidbit of information out of the headers, so that
> the actual offending network doesn't have to do that part of the analysis
> work, yes?
>
> Where I come from, that's called cost shifting... onto the victim...
> and it is no more morally or ethically defensible than trying to
> justify sexual abuse by saying that the victim wore a short skirt.
>
> >This report could then automatically also be sent to the customer in question
>
> Do you really not understand why this is an extraordinarily BAD IDEA?
>
> >(I believe Hetzner as an example does this or something similar.)
>
> Yes, Hetzner has more than once ratted me out to their spammer customers.
>
> Are you seriously holding that company up as a shining example of ethical
> behavior for others to follow or be guided by??
>
> >> A provider that is routinely receiving so many abuse reports that
> >> it can barely keep up with them all has bigger problems than just
> >> the manner in which abuse reports are received.
> >
> >Due to the automated procedure by some providers for abuse reports, if I
> >have one bad host 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Q via anti-abuse-wg
 Hello all,

> I believe Hetzner as an example does this or something similar.

They indeed do. I've noticed it especially with reports from the German
Federal Office for Information Security when I've left portmapper open to
the internet or something else equally harmless in its intent. Much better
dealt with by the customer directly, as Hetzner could do almost nothing in
this case.

Thanks,
Q
Director

https://as207960.net
AS207960 Cyfyngedig
Phone: +44 29 2010 2455 (ext 601)
Fax: +44 29 2010 2455
Address: 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU

AS207960 Cyfyngedig, trading as Glauca Digital, is:

   - a limited company registered in Wales (№ 12417574)
   - a registered data controller with the Information Commissioner's
   Office (№ ZA782876)
   - registered for VAT in the EU (№ EU372013983)



On Sun, 21 Feb 2021 at 02:44, Cynthia Revström via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Ronald,
>
> Can you please stop attacking ideas (such as web forms) implying that they
> only have malicious use cases.
>
> > I hold them responsible because they obviously
> > fail to have in place contractual clauses that would persuasively
> > deter this behavior on the part of their customers.
>
> In many cases it is practically impossible to know if your customers are
> sending legit emails or spam without having people reporting it.
> As TLS is used in many cases now, the provider can't look at the network
> data to see what the customer is sending even on a technical level,
> disregarding any trust/potential legal issues.
>
> > The provider in question is a perfectly lousy coder and is thus
> > unable and/or unwilling to write code to parse emailed abuse
> > reports.
>
> Hi, I am actually primarily a software dev and not a network engineer, it
> is not even close to as easy as you make it out to be.
> Sure you can have a regex to extract IP addresses and other messy things
> like that, but you can't be sure what that address is, it might be your
> customer, it might be the address they say you attacked, etc.
> My point here is that parsing free form text in this way without having a
> clearly defined structure is far from trivial.
> Also please stop assuming bad faith by saying that providers are
> "unwilling" to do this.
> If they could drastically lower the amount of manual work needed here with
> a bit of code, they absolutely would in almost all cases.
>
> > And anyway, don't actual human beings need to look at these things,
> > in the end, in order to be able to react to each of them properly
> > and in a professional fashion?
>
> Web forms can have pros and cons, I am just going to take the case of a
> VPS/Dedicated server hosting company.
>
> If the hosting company provides a web form, they can have a field where
> they explicitly ask for the offending IP address.
> This report could then automatically also be sent to the customer in
> question, because we shouldn't assume the customer is malicious, they might
> just have a bad config that made them a relay for example.
> This could make it so the report is acted upon sooner potentially as the
> hosting company might take a few days to reply but maybe the customer can
> act sooner.
> (I believe Hetzner as an example does this or something similar.)
>
>
> > A provider that is routinely receiving so many abuse reports that
> > it can barely keep up with them all has bigger problems than just
> > the manner in which abuse reports are received.
>
> Due to the automated procedure by some providers for abuse reports, if I
> have one bad host sending spam, I might get an abuse report for every
> single email they receive, so even if it is just one customer I might wake
> up to 200 emails.
> But if I had a way to group it by sender IP address, that would be a lot
> more manageable.
> (this was just a hypothetical example)
>
> Now I absolutely agree that having an abuse email address that is acted
> upon in a reasonable amount of time (maybe a week or so) is still essential
> as the web forms aren't standardised or might rely on technology like
> captchas.
> But if you send me 200 emails about the same host in one day, I am
> probably still going to be mildly annoyed and I could see how this is
> actually unmanageable for larger providers.
>
> I think the true solution here is just to have a standard email template
> or similar so providers could easily and reliably parse it automatically
> (at least partially).
> just a very quick example that I didn't consider for more than a minute:
> the standard could be as easy as just beginning every report email with
> "abuse-host=192.0.2.20,192.0.2.21\n\n" and whatever other fields are needed.
>
> -Cynthia
>
>
> On Sun, Feb 21,
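
The template sketched in the quoted message above (a leading `abuse-host=` line followed by a blank line) and the grouping of reports by reported address could be handled as follows. This is an added example, not code from anyone in the thread; the provider prefix, function names and sample reports are assumptions, and the `abuse-host=` line is only the quick sketch from the post, not a standard.

```python
import ipaddress
from collections import defaultdict

# Assumption: the provider's own address space (documentation prefix, as in the post).
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
FIELD = "abuse-host="

def parse_abuse_hosts(body):
    """Return validated addresses from a leading 'abuse-host=' line, else None."""
    head, sep, _ = body.replace("\r\n", "\n").partition("\n\n")
    if not sep or "\n" in head or not head.startswith(FIELD):
        return None  # free-form report: needs a human
    hosts = []
    for item in head[len(FIELD):].split(","):
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            return None  # malformed list: treat the whole report as free-form
        # The field is reporter-supplied: keep only addresses inside our own space.
        if any(addr in net for net in OWN_PREFIXES) and addr not in hosts:
            hosts.append(addr)
    return hosts or None

def group_reports(bodies):
    """Map each reported host to the indexes of the reports that name it."""
    by_host, manual = defaultdict(list), []
    for i, body in enumerate(bodies):
        hosts = parse_abuse_hosts(body)
        if hosts is None:
            manual.append(i)  # unparseable or not ours: manual triage queue
            continue
        for h in hosts:
            by_host[str(h)].append(i)
    return dict(by_host), manual

# Constructed sample reports (not real data).
SAMPLE = [
    "abuse-host=192.0.2.20,192.0.2.21\n\nSpam received, headers attached.",
    "abuse-host=192.0.2.20\r\n\r\nSame sender again.",
    "abuse-host=198.51.100.7\n\nAddress outside the provider's space.",
    "Hi, one of your customers is spamming me from 192.0.2.20.",
    "abuse-host=192.0.2.20, not-an-ip\n\nMalformed list.",
]

if __name__ == "__main__":
    grouped, manual = group_reports(SAMPLE)
    print(grouped)
    print("manual triage:", manual)
```

Reports that lack the line, carry a malformed list, or name only addresses outside the provider's prefixes fall through to the manual queue rather than being dropped, so the e-mail inbox still works for reporters who do not use the template.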