Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

[Ronald F. Guilmette]

In message <26f1df33-b958-bed4-f748-f82324d0b...@tana.it>, 
Alessandro Vesely  wrote:

>Shouldn't there be a standard for automatically forwarding messages destined
>to abuse-c following a path similar to that of RFC 2317 delegations?  I'd love 
>if AA training encouraged such behavior.

Although delegation of abuse report handling may sound like a good idea
in theory, in practice it is a tragically bad idea.

What happens when the customer is a spammer and abuse handling is delegated
to that customer?  Google for the term "list washing".

This isn't merely a theoretical possibility.  Digital Ocean has previously
sent me multiple response emails saying quite explicitly that they had
forwarded my spam reports to their spammer customer(s).  Those customers
will then surely cease to spam *me* but will continue to spam everyone
else on the planet.  This does not create any meaningful reduction in the
global spam load.  It simply rewards those "responsible" spammers who remove
from their target lists the email addreses of the few "complainers" who
nowadays take the time to report spam.


Regards,
rfg

Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

[Ángel González Berdasco]

Hello all

> Shouldn't there be a standard for automatically forwarding messages
> destined to abuse-c following a path similar to that of RFC 2317
> delegations?  I'd love if AA training encouraged such behavior.

I don't think the standard should be for automatically forwarding
messages. You would need a standard for *exchanging* the information.
Fields you would need should include IP address being reported, port
(optionally), timestamp, whether this may be shared with the customer
(default yes), RSIT taxonomy of the incident being reported, etc.

And then, among the actions that can be taken, automatically forwarding
could be one of them (and probablye the less expensive for the abuse-c
owner), but they could choose to process them differently.
But the first step is to match the report with the machine/customer.
Many abuse teams already do that automatically, although I don't know
the amount of guessing needed by the tools on their normal flows.

The first idea that comes to mind when talking about communicating
this would be to create a solution based on X-ARF, but it's not without
its shortcomings, either, so maybe a different way is felt to be
preferable.

This is an interesting discussion, although I feel it's a bigger design
issue, significantly more ambitious than the proposal of providing some
abuse training which opened this thread.


Best regards

-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys



INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.



In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records 
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitationof processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.

Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

[Alessandro Vesely]

Hi all,

On Mon 18/Oct/2021 18:40:06 +0200 Michele Neylon - Blacknight via anti-abuse-wg 
wrote:



3) If not, would there be other areas of Anti-Abuse training that would be of 
interest?


A lot of hosting providers aren’t LIRs, but are getting IP space from LIRs. 
Maybe providing materials that LIRs could share with their clients would help? 
There  seems to be a lot of ignorance out there.



There are also people who are not hosting providers, but host their own 
server(s) using a handful of IP addresses.  I know mailbox self-providers are 
an endangered species, but they may still happen to have an IP delegation w/o 
abuse-c.  And complainants may prefer to send reports to the top level 
delegate.  However, top level delegate may happen to have non-responding abuse 
teams.  At best, ISPs forward complaints to their clients.

Shouldn't there be a standard for automatically forwarding messages destined to 
abuse-c following a path similar to that of RFC 2317 delegations?  I'd love if 
AA training encouraged such behavior.


Best
Ale
--