Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

2021-10-24 Thread Alessandro Vesely 

On Sat 23/Oct/2021 01:38:56 +0200 Ronald F. Guilmette wrote:

In message <26f1df33-b958-bed4-f748-f82324d0b...@tana.it>, Alessandro Vesely 
 wrote:


Shouldn't there be a standard for automatically forwarding messages destined
to abuse-c following a path similar to that of RFC 2317 delegations?  I'd love 
if AA training encouraged such behavior.


Although delegation of abuse report handling may sound like a good idea
in theory, in practice it is a tragically bad idea.

What happens when the customer is a spammer and abuse handling is delegated
to that customer?  Google for the term "list washing".

This isn't merely a theoretical possibility.  Digital Ocean has previously
sent me multiple response emails saying quite explicitly that they had
forwarded my spam reports to their spammer customer(s).  Those customers
will then surely cease to spam *me* but will continue to spam everyone
else on the planet.



That'd be an incentive to send spam reports, wouldn't it?



This does not create any meaningful reduction in the global spam load.  It
simply rewards those "responsible" spammers who remove from their target
lists the email addresses of the few "complainers" who nowadays take the time
to report spam.


On the other hand, there are honest mailbox providers who have not realized 
that their system has been hacked, or that their clients' credentials have been 
stolen.  And if you send a complaint to my abuse-c address, I won't get it.


For an easy guess, LIRs who offer services at regular prices —not thousand 
domain discounts— have more of the latter cases.  Still, their budget might not 
be enough for an abuse team capable of looking at each complaint.



Best
Ale

Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

2021-10-24 Thread Alessandro Vesely 

On Fri 22/Oct/2021 23:26:23 +0200 Ángel González Berdasco wrote:

Hello all


Shouldn't there be a standard for automatically forwarding messages
destined to abuse-c following a path similar to that of RFC 2317
delegations?  I'd love if AA training encouraged such behavior.


I don't think the standard should be for automatically forwarding
messages. You would need a standard for *exchanging* the information.
Fields you would need should include IP address being reported, port
(optionally), timestamp, whether this may be shared with the customer
(default yes), RSIT taxonomy of the incident being reported, etc.



Yeah, I didn't mean a capital 'S' Standard.  Rather some common practice.



And then, among the actions that can be taken, automatically forwarding
could be one of them (and probably the less expensive for the abuse-c
owner), but they could choose to process them differently.
But the first step is to match the report with the machine/customer.



If I were LIR.example, I'd set my abuse-c entries to something like:

   abuse-customer1@LIR.example
   abuse-customer2@LIR.example
   ...

That way messages can be forwarded without parsing them; but there's still a 
chance to look at them, if the budget allows it.




Many abuse teams already do that automatically, although I don't know
the amount of guessing needed by the tools on their normal flows.

The first idea that comes to mind when talking about communicating
this would be to create a solution based on X-ARF, but it's not without
its shortcomings, either, so maybe a different way is felt to be
preferable.



plain text, X-ARF, ARF, IODEF, https://xkcd.com/927/

Another way is to send an autoresponse which asks to fill the provider's web 
form, whereby the number of different formats grows unconstrained.


However, it'd be possible for a forwarding LIR.example to ask its clients to 
fill a web form, in order to summarize the complaint and its followup.  Most 
providers only have one or two ISPs, so the number of formats would stay low. 
And that could ease LIR's monitoring.




This is an interesting discussion, although I feel it's a bigger design
issue, significantly more ambitious than the proposal of providing some
abuse training which opened this thread.



Since the training is addressed to LIRs, a schema like the above could at least 
be aired.



Best
Ale