Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-28 Thread Alessandro Vesely

On Sat 27/Feb/2021 01:40:01 +0100 Ángel González Berdasco wrote:

> Cynthia Revström writes:
>> if you want a human to read your emails, you shouldn't automate the
>> sending so you end up with potential situations like that.
>
> No. You should actually love automated reports.

[...automated classification of automated abuse reports...]
[...held in esteem but not quoted...]

> Note I'm not covering the quality of the information. In either case,
> Joe notifications could generally be either good or bad. If you find
> Joe to provide reliable information, you may even want to trust their
> reports automatically. If they have a lot of noise, you probably will
> want to prioritize them at the bottom of your queue.



It's also to be noted that abuse teams do reply.  If the quality isn't good, 
the human who read the report replies and points out what is missing in order 
to make it actionable.  Some replies are fully automated and repetitive, some 
are based on a template on which the operator on duty can add manually written 
text.  Thus, while reports are generated automatically, replies have to be
handled by hand, possibly deploying regexes or eyeballs to classify them.


That begs the question of whether abuse reports have valid reply addresses.



>> Don't assume people are lacking in basic knowledge, rather consider
>> that some people might have requirements other than yours, and that
>> it might not be as simple as you suggest.
>
> Sadly, problems often lie at the management level, out of the hands of
> the technicians which suffer them.



How much to invest in abuse handling is obviously a management decision.  It 
shapes an ISP's characteristics, quality, and costs.


From my POV, the best way to implement a couldn't-give-a-damn attitude is to 
not register an abuse address at all.  Having an automated abuse reporting 
system driven by firewall events, it is straightforward to multiply the banning 
period by months when the abuse address is empty.  Unfortunately, RIPE seems to 
have it mandatory to fill abuse-c, so one has to manually track bounces, 
distinguishing temporary hiccups from permanent failures, and equate the latter 
to empty addresses.



Best
Ale
--
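
The bounce tracking described in the message above, as an added example (not code from the original post or its author): it reads the per-recipient `Status` field of a delivery status notification, treats class 5 as a permanent failure and class 4 as a temporary hiccup, and lengthens the ban when the abuse contact is empty or permanently failing. The base ban period, the multiplier, the addresses and the sample bounce are constructed assumptions.

```python
import email

BASE_BAN_DAYS = 7        # assumed base banning period
NO_CONTACT_FACTOR = 30   # assumed multiplier when nobody can be reached

# First digit of the enhanced status code (RFC 3463) gives the result class.
STATUS_CLASS = {"2": "delivered", "4": "temporary", "5": "permanent"}


def classify_bounce(raw_message):
    """Return [(recipient, verdict)] for each recipient in a DSN (RFC 3464)."""
    results = []
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        if not part.is_multipart():
            continue  # malformed report: no parsed field blocks
        # The parser exposes each block of DSN fields as a nested message.
        for block in part.get_payload():
            recipient = block.get("Final-Recipient")
            status = block.get("Status")
            if not recipient or not status:
                continue  # per-message block (Reporting-MTA etc.)
            address = recipient.split(";", 1)[-1].strip().lower()
            verdict = STATUS_CLASS.get(status.strip()[:1], "unknown")
            results.append((address, verdict))
    return results


class AbuseContactTracker:
    """Remembers which abuse addresses bounced permanently."""

    def __init__(self):
        self.dead = set()

    def record_bounce(self, raw_message):
        for address, verdict in classify_bounce(raw_message):
            if verdict == "permanent":
                self.dead.add(address)
            # Temporary failures are hiccups: nothing is recorded.

    def ban_days(self, abuse_address):
        """Ban period for an offending IP, given its registered abuse contact."""
        unreachable = not abuse_address or abuse_address.lower() in self.dead
        return BASE_BAN_DAYS * (NO_CONTACT_FACTOR if unreachable else 1)


def sample_dsn(recipient, action, status):
    """Constructed bounce for the demo; all hosts and addresses are made up."""
    return (
        "From: MAILER-DAEMON@reporter.example\n"
        "To: abuse-reports@reporter.example\n"
        "Subject: Delivery Status Notification\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/report; report-type=delivery-status;"
        ' boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Delivery report.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mx.reporter.example\n"
        "\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        f"Action: {action}\n"
        f"Status: {status}\n"
        "\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    tracker = AbuseContactTracker()
    tracker.record_bounce(sample_dsn("abuse@isp-a.example", "failed", "5.1.1"))
    tracker.record_bounce(sample_dsn("abuse@isp-b.example", "delayed", "4.4.1"))
    for contact in ("abuse@isp-a.example", "abuse@isp-b.example", ""):
        print(repr(contact), tracker.ban_days(contact), "days")
```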

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Ángel González Berdasco
Cynthia Revström writes:
> > It seems to me that if your abuse@ email is being overloaded and
> > you are unable to keep your network spam free, then you shouldn't be
> > taking on any more customers until you figure things out.
> 
> As has been noted before in this thread, just because you are getting
> 200 abuse emails in a day doesn't necessarily mean you have a huge
> issue but it is a lot of emails to deal with.
> It might just be one customer who port scanned a /24 somewhere on the
> internet.

Right. However, as also mentioned, it shouldn't be that hard to group
them by IP (which would be a finer granularity than per customer), even
for unstructured mails.

And, if they are all actually the same issue, they should be very
quick to process, as they all refer to the same incident (quickly per
report, I admit it may still take 2-3 hours to clean that inbox).


Plus, given the low value of abuse reported, for receiving 200
complaints I expect the actions from the customer account would be of
at least an order of magnitude more than that you received complaints
about. Probably much more.



Also important: how much time passed since first report to customer
abuse stopping? how many reports refer to that initial window when you
weren't aware of the abuse (by the customer itself, by those that
compromised your customer, etc.) until you got notice of that (either
from external reports or from your own monitoring) ?

Earlier you mentioned taking a week to handle the incident reports. If
the abuse continued for so long that would obviously affect more people
and cause more complaints.

It's true that not everyone reports immediately. Perhaps customer began
abuse at t₀, got suspended at t + 2 hours, and yet you receive some
complaints next day due to people aggregating their notifications daily
(this means less notifications for you, but more delay in receiving
them), but if the customer account continued rampant for days, that
would obviously make you receive a lot more reports.



> > Why do you think that because you tell yourself you are "too big"
> > that you don't need to monitor your network?
> 
> I don't think anyone is saying that, but if you want a human to read
> your emails, you shouldn't automate the sending so you end up with
> potential situations like that.

No. You should actually love automated reports.
If Joe Abusehater automatically reported you every day a number of
phishing links on your systems (for example, suppose you are Twitter
and these are phishing links using your shortener), there's no problem
in automatically processing their emails with e.g. a regex:

> "Hello Cynthia,\nIt's Joe again. This time we detected a
> (?Pphishing|scam|child pornography|malware|...) link on your
> site at (?Phttps?://[^ ]+)) I would like you to take care of
> that.\nThanks, Joe"


A human read the email, then told the machine what it means and how to
handle it. If there's an email the machine doesn't know how to handle,
a human goes and takes a look.

Now suppose Joe didn't automate sending you the email. He instead hires
some sloppy operators. They sometimes use one text, sometimes a
different one. From time to time, they forget to include the url, or
don't specify the category (which, albeit probably not matching your
own categorization, probably is still helpful).

Note I'm not covering the quality of the information. In either case,
Joe notifications could generally be either good or bad. If you find
Joe to provide reliable information, you may even want to trust their
reports automatically. If they have a lot of noise, you probably will
want to prioritize them at the bottom of your queue.




> Don't assume people are lacking in basic knowledge, rather consider
> that some people might have requirements other than yours, and that
> it might not be as simple as you suggest.
> 
> This also applies in most cases in this thread, just
> because something works for you or might seem easy for you doesn't
> mean it works for everyone in all situations. (I feel like this needs
> to be said)
> 
> -Cynthia

Sadly, problems often lie at the management level, out of the hands of
the technicians which suffer them.
Still, it would be helpful to know about the requirements that make
things so hard for you, as perhaps we could come up with some approach
simplifying your processes.


Best regards


-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys



INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad 
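
The processing described in this message, as an added example (not code from the original post): reports that match a sender's known template are parsed automatically, unstructured mail is grouped by the IP address it mentions, and whatever the machine cannot handle goes to a human, with noisy senders last. The group names `category` and `url`, the sender addresses, the prefix `192.0.2.0/24` and the sample reports are assumptions constructed for the example; the pattern is a shortened version of the one quoted in the message.

```python
import ipaddress
import re
from collections import defaultdict

# Address space we are responsible for (documentation prefix, assumed).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# One template per automated reporter, written once by a human who read
# the first such mail. The group names are assumed.
TEMPLATES = {
    "joe@reporter.example": re.compile(
        r"It's Joe again\. This time we detected a\s+"
        r"(?P<category>phishing|scam|malware)\s+link on your\s+site at\s+"
        r"(?P<url>https?://\S+)"
    ),
}

# Reporters whose mail has proven noisy go to the bottom of the queue.
LOW_PRIORITY_SENDERS = {"noisy@reporter.example"}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def our_ips(text):
    """IPv4 addresses in free text that fall inside our own prefixes."""
    found = set()
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # e.g. 999.1.2.3: looks like an address but is not one
        if any(ip in net for net in OUR_PREFIXES):
            found.add(str(ip))
    return sorted(found)


def triage(reports):
    """Split reports into (structured, by_ip, human_queue)."""
    structured, by_ip, human = [], defaultdict(list), []
    for report in reports:
        template = TEMPLATES.get(report["sender"])
        match = template.search(report["body"]) if template else None
        if match:
            # Known template: the machine already knows what the mail means.
            structured.append({"id": report["id"],
                               "category": match["category"],
                               "url": match["url"]})
            continue
        ips = our_ips(report["body"])
        if ips:
            # Unstructured mail: still groupable by the offending address.
            for ip in ips:
                by_ip[ip].append(report["id"])
        else:
            human.append(report)
    # Stable sort: reliable senders first, noisy ones last.
    human.sort(key=lambda r: r["sender"] in LOW_PRIORITY_SENDERS)
    return structured, dict(by_ip), [r["id"] for r in human]


# Constructed sample inbox, in arrival order.
SAMPLE_REPORTS = [
    {"id": "m1", "sender": "joe@reporter.example",
     "body": "Hello Cynthia,\nIt's Joe again. This time we detected a "
             "phishing link on your site at https://short.example/abc1 "
             "I would like you to take care of that.\nThanks, Joe"},
    {"id": "m2", "sender": "noisy@reporter.example",
     "body": "your network is attacking me!!!"},
    {"id": "m3", "sender": "admin@victim-a.example",
     "body": "We saw a port scan from 192.0.2.10 against our host "
             "198.51.100.7 this morning."},
    {"id": "m4", "sender": "noc@victim-b.example",
     "body": "Firewall log: src=192.0.2.10 dst=203.0.113.5 dpt=22"},
    {"id": "m5", "sender": "joe@reporter.example",
     "body": "Hi, there is something bad on your shortener, please fix."},
]

if __name__ == "__main__":
    parsed, grouped, queue = triage(SAMPLE_REPORTS)
    print(parsed)
    print(grouped)
    print(queue)
```

Message `m5` comes from a sender with a template but does not match it (no URL, no category), so it lands in the human queue rather than being guessed at.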

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Randy Bush
> It seems to me that if your abuse@ email is being overloaded and you are
> unable to keep your network spam free, then you shouldn't be taking on any
> more customers until you figure things out.

great.  should be no problem telling the people in management who wear
shiny shoes that being socially correct is more important than money.
that is what is called a career limiting move.

randy



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Cynthia Revström via anti-abuse-wg
> It seems to me that if your abuse@ email is being overloaded and you are
> unable to keep your network spam free, then you shouldn't be taking on any
> more customers until you figure things out.

As has been noted before in this thread, just because you are getting 200
abuse emails in a day doesn't necessarily mean you have a huge issue but it
is a lot of emails to deal with.
It might just be one customer who port scanned a /24 somewhere on the
internet.

> Why do you think that because you tell yourself you are "too big" that
> you don't need to monitor your network?

I don't think anyone is saying that, but if you want a human to read your
emails, you shouldn't automate the sending so you end up with potential
situations like that.

> The first thing that comes to mind is having your abuse@ email checked
> via a script to eliminate any actual spam to your server and parse out
> legitimate emails and requests.

As was mentioned in the second email in this thread (from Jordi), just
using spam filters on content is not necessarily a good idea for the abuse
inbox.

> If you need help with something so basic or are asking these types of
> questions, you shouldn't be running a network in the first place. My
> ::slams keyboard::
>
> Yes, if you can't figure newbie stuff out then what the heck are you
> doing trying to host people on the internet?

Don't assume people are lacking in basic knowledge, rather consider that
some people might have requirements other than yours, and that it might not
be as simple as you suggest.

This also applies in most cases in this thread, just because something
works for you or might seem easy for you doesn't mean it works for everyone
in all situations. (I feel like this needs to be said)

-Cynthia


On Fri, Feb 26, 2021 at 10:02 PM steve payne wrote:

> I don't agree with the "All these responses from people who don't actually
> run a network ::slams keyboard::" remarks.
>
> It seems to me that if your abuse@ email is being overloaded and you are
> unable to keep your network spam free, then you shouldn't be taking on any
> more customers until you figure things out.
>
> Why do you think that because you tell yourself you are "too big" that you
> don't need to monitor your network?
>
> If your abuse @ email is being slammed to death, it would seem you need to
> optimize this solution.
>
> The first thing that comes to mind is having your abuse@ email checked
> via a script to eliminate any actual spam to your server and parse out
> legitimate emails and requests.
>
> If you need help with something so basic or are asking these types of
> questions, you shouldn't be running a network in the first place. My
> ::slams keyboard::
>
> Yes, if you can't figure newbie stuff out then what the heck are you doing
> trying to host people on the internet?
>
> On Fri, Feb 26, 2021 at 1:19 PM Jacob Slater  wrote:
>
>>> If you predicate sending reports via web form, then report forwarding
>>> from the ISP to its customer should also be done via web form.
>>>
>>
>> The relationship between an arbitrary internet user and an ISP is
>> different from the relationship between an ISP and a customer who is on a
>> contract.
>> I can (and do) require end users of my infrastructure respond to abuse
>> e-mails sent to them in specific ways. If they don't like the terms I've
>> set, they are welcome to take their business elsewhere.
>> The same relationship does not currently exist with abuse reports.
>>
>>> At times I also try and
>>> send fake complaints about my IP, to see if they would forward them to
>>> me.  All of those messages fall into a black black hole where time is
>>> frozen expectations fade.  Lazy.
>>>
>>
>> It is also possible your ISP believes the report is fake and does not
>> forward it on. Alternatively, perhaps their policy is to not forward
>> reports on. They might investigate, deem it incorrect, and delete it.
>>
>>
>> I personally am opposed to banning or discouraging web forms unless we
>> standardize some system. If there is an expectation for human review on the
>> ISP side, there should be an expectation that the sender is human. If we
>> set an expectation for automated sending of abuse reports, limited machine
>> review prior to acceptance should be expected.
>>
>> Solving this is a difficult problem. From my (admittedly limited)
>> experience, I'm in agreement with Alex de Joode - a solution cannot impact
>> certain operational realities of ISPs. Limited machine review - along with
>> automation of abuse reports on the receiving side - is an operational
>> reality. False, inaccurate, incomplete, or just plain malicious abuse
>> reports are just as real as actual abuse reports.
>>
>> I would note a further operational reality: any standard we come up with
>> outside of the current method of communication (email) is likely to never
>> reach large-scale deployment. Even if we make a standard within e-mail (ex.
>> ARF), some ISPs will want (or need) details beyond what would be outlined
>> 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread steve payne
I don't agree with the "All these responses from people who don't actually
run a network ::slams keyboard::" remarks.

It seems to me that if your abuse@ email is being overloaded and you are
unable to keep your network spam free, then you shouldn't be taking on any
more customers until you figure things out.

Why do you think that because you tell yourself you are "too big" that you
don't need to monitor your network?

If your abuse @ email is being slammed to death, it would seem you need to
optimize this solution.

The first thing that comes to mind is having your abuse@ email checked via
a script to eliminate any actual spam to your server and parse out
legitimate emails and requests.

If you need help with something so basic or are asking these types of
questions, you shouldn't be running a network in the first place. My
::slams keyboard::

Yes, if you can't figure newbie stuff out then what the heck are you doing
trying to host people on the internet?

On Fri, Feb 26, 2021 at 1:19 PM Jacob Slater wrote:

>> If you predicate sending reports via web form, then report forwarding
>> from the ISP to its customer should also be done via web form.
>>
>
> The relationship between an arbitrary internet user and an ISP is
> different from the relationship between an ISP and a customer who is on a
> contract.
> I can (and do) require end users of my infrastructure respond to abuse
> e-mails sent to them in specific ways. If they don't like the terms I've
> set, they are welcome to take their business elsewhere.
> The same relationship does not currently exist with abuse reports.
>
>> At times I also try and
>> send fake complaints about my IP, to see if they would forward them to
>> me.  All of those messages fall into a black black hole where time is
>> frozen expectations fade.  Lazy.
>>
>
> It is also possible your ISP believes the report is fake and does not
> forward it on. Alternatively, perhaps their policy is to not forward
> reports on. They might investigate, deem it incorrect, and delete it.
>
>
> I personally am opposed to banning or discouraging web forms unless we
> standardize some system. If there is an expectation for human review on the
> ISP side, there should be an expectation that the sender is human. If we
> set an expectation for automated sending of abuse reports, limited machine
> review prior to acceptance should be expected.
>
> Solving this is a difficult problem. From my (admittedly limited)
> experience, I'm in agreement with Alex de Joode - a solution cannot impact
> certain operational realities of ISPs. Limited machine review - along with
> automation of abuse reports on the receiving side - is an operational
> reality. False, inaccurate, incomplete, or just plain malicious abuse
> reports are just as real as actual abuse reports.
>
> I would note a further operational reality: any standard we come up with
> outside of the current method of communication (email) is likely to never
> reach large-scale deployment. Even if we make a standard within e-mail (ex.
> ARF), some ISPs will want (or need) details beyond what would be outlined
> in the standard. This will inevitably require more non-standard human
> interaction.
>
> Those who do not care to receive abuse reports will fail to respond to
> them, regardless of what we decide here.
>
> - Slater
>
>
>
>
> On Fri, Feb 26, 2021 at 3:57 PM Alessandro Vesely  wrote:
>
>> On Thu 25/Feb/2021 14:41:00 +0100 Cynthia Revström wrote:
>>
>> > I think you have misunderstood my point.
>> >
>> >> Would they send such report using their customer's own web form?
>> >
>> > No? I don't know what implied that?
>>
>>
>> If you predicate sending reports via web form, then report forwarding
>> from the ISP to its customer should also be done via web form.  That
>> is, the ISP should jump all the required hoops until it finds out
>> where and how to fill the appropriate form.  However, doing so defeats
>> the advantage of having the customer automatically identified.
>>
>>
>> >> Yes, doing so requires some work too, but heck aren't we paying for that
>> >> already?
>> >
>> > The person sending the abuse report is rarely a paying customer.
>> >
>> >> The right thing to do would be to arrange for the abuse mailbox address
>> >> to point (in)directly to the actual user of the IP address.
>> >
>> > I am assuming you are referring to having a separate abuse contact for each
>> > customer, so like abuse.cust123@domain and registering it in the RIPE
>> > Registry/DB?
>>
>>
>> Yes, exactly.  That's the extra work required from the ISP.  It is
>> paid by cust123.  Presumably, abuse.cust123@domain forwards to the
>> abuse address chosen by the customer on signing the contract.  Keeping
>> a copy allows the ISP to monitor how many complaints its customers
>> receive.
>>
>>
>> > In some cases with large customers maybe but if you are a hosting provider
>> > where each customer might only have one or two IPv4 addresses, that can get
>> > to an insane 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Jacob Slater
>
> If you predicate sending reports via web form, then report forwarding
> from the ISP to its customer should also be done via web form.
>

The relationship between an arbitrary internet user and an ISP is different
from the relationship between an ISP and a customer who is on a contract.
I can (and do) require end users of my infrastructure respond to abuse
e-mails sent to them in specific ways. If they don't like the terms I've
set, they are welcome to take their business elsewhere.
The same relationship does not currently exist with abuse reports.

> At times I also try and
> send fake complaints about my IP, to see if they would forward them to
> me.  All of those messages fall into a black black hole where time is
> frozen expectations fade.  Lazy.
>

It is also possible your ISP believes the report is fake and does not
forward it on. Alternatively, perhaps their policy is to not forward
reports on. They might investigate, deem it incorrect, and delete it.


I personally am opposed to banning or discouraging web forms unless we
standardize some system. If there is an expectation for human review on the
ISP side, there should be an expectation that the sender is human. If we
set an expectation for automated sending of abuse reports, limited machine
review prior to acceptance should be expected.

Solving this is a difficult problem. From my (admittedly limited)
experience, I'm in agreement with Alex de Joode - a solution cannot impact
certain operational realities of ISPs. Limited machine review - along with
automation of abuse reports on the receiving side - is an operational
reality. False, inaccurate, incomplete, or just plain malicious abuse
reports are just as real as actual abuse reports.

I would note a further operational reality: any standard we come up with
outside of the current method of communication (email) is likely to never
reach large-scale deployment. Even if we make a standard within e-mail (ex.
ARF), some ISPs will want (or need) details beyond what would be outlined
in the standard. This will inevitably require more non-standard human
interaction.

Those who do not care to receive abuse reports will fail to respond to
them, regardless of what we decide here.

- Slater




On Fri, Feb 26, 2021 at 3:57 PM Alessandro Vesely wrote:

> On Thu 25/Feb/2021 14:41:00 +0100 Cynthia Revström wrote:
>
> > I think you have misunderstood my point.
> >
> >> Would they send such report using their customer's own web form?
> >
> > No? I don't know what implied that?
>
>
> If you predicate sending reports via web form, then report forwarding
> from the ISP to its customer should also be done via web form.  That
> is, the ISP should jump all the required hoops until it finds out
> where and how to fill the appropriate form.  However, doing so defeats
> the advantage of having the customer automatically identified.
>
>
> >> Yes, doing so requires some work too, but heck aren't we paying for that
> >> already?
> >
> > The person sending the abuse report is rarely a paying customer.
> >
> >> The right thing to do would be to arrange for the abuse mailbox address
> >> to point (in)directly to the actual user of the IP address.
> >
> > I am assuming you are referring to having a separate abuse contact for each
> > customer, so like abuse.cust123@domain and registering it in the RIPE
> > Registry/DB?
>
>
> Yes, exactly.  That's the extra work required from the ISP.  It is
> paid by cust123.  Presumably, abuse.cust123@domain forwards to the
> abuse address chosen by the customer on signing the contract.  Keeping
> a copy allows the ISP to monitor how many complaints its customers
> receive.
>
>
> > In some cases with large customers maybe but if you are a hosting provider
> > where each customer might only have one or two IPv4 addresses, that can get
> > to an insane amount of handles and make the database really messy.
>
>
> You can keep a record for each IPv4 address with only a few Terabytes.
>
> I don't think the reason why ISPs tend to neither assign rfc2317
> reverse delegations nor customer specific abuse-mailbox is because
> they or the RIPE cannot afford enough disk space to store that data.
>
> Every now and then I ask my ISP to assign me an abuse-mailbox (which
> my previous ISP did, but then they were acquired by a bigger shark
> while the RIPE changed format to abuse-c.)  At times I also try and
> send fake complaints about my IP, to see if they would forward them to
> me.  All of those messages fall into a black black hole where time is
> frozen expectations fade.  Lazy.
>
>
> > Also the customer in question is not the only info that is relevant, like
> > is it DoS, spam, or port scanning, etc?
> >
> > But in general I think there are pros and cons to web forms and email
> > templates just as there are pros and cons to arbitrarily structured emails.
>
>
> For a third alternative, I recently added abuseipdb.com to my
> end-of-day abuse reporting script.  They provide an http API that
> 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-26 Thread Alessandro Vesely

On Thu 25/Feb/2021 14:41:00 +0100 Cynthia Revström wrote:


> I think you have misunderstood my point.
>
>> Would they send such report using their customer's own web form?
>
> No? I don't know what implied that?



If you predicate sending reports via web form, then report forwarding 
from the ISP to its customer should also be done via web form.  That 
is, the ISP should jump all the required hoops until it finds out 
where and how to fill the appropriate form.  However, doing so defeats 
the advantage of having the customer automatically identified.




>> Yes, doing so requires some work too, but heck aren't we paying for that
>> already?
>
> The person sending the abuse report is rarely a paying customer.
>
>> The right thing to do would be to arrange for the abuse mailbox address
>> to point (in)directly to the actual user of the IP address.
>
> I am assuming you are referring to having a separate abuse contact for each
> customer, so like abuse.cust123@domain and registering it in the RIPE
> Registry/DB?



Yes, exactly.  That's the extra work required from the ISP.  It is 
paid by cust123.  Presumably, abuse.cust123@domain forwards to the 
abuse address chosen by the customer on signing the contract.  Keeping 
a copy allows the ISP to monitor how many complaints its customers 
receive.




> In some cases with large customers maybe but if you are a hosting provider
> where each customer might only have one or two IPv4 addresses, that can get
> to an insane amount of handles and make the database really messy.



You can keep a record for each IPv4 address with only a few Terabytes.

I don't think the reason why ISPs tend to neither assign rfc2317 
reverse delegations nor customer specific abuse-mailbox is because 
they or the RIPE cannot afford enough disk space to store that data.


Every now and then I ask my ISP to assign me an abuse-mailbox (which 
my previous ISP did, but then they were acquired by a bigger shark 
while the RIPE changed format to abuse-c.)  At times I also try and 
send fake complaints about my IP, to see if they would forward them to 
me.  All of those messages fall into a black black hole where time is 
frozen expectations fade.  Lazy.




> Also the customer in question is not the only info that is relevant, like
> is it DoS, spam, or port scanning, etc?
>
> But in general I think there are pros and cons to web forms and email
> templates just as there are pros and cons to arbitrarily structured emails.



For a third alternative, I recently added abuseipdb.com to my 
end-of-day abuse reporting script.  They provide an http API that 
allows to specify the most basic info, IP, time, and kind of abuse. 
That method has some of the advantages of forms, as it allows 
semantically bound fields, and some advantages of email messages, as 
it can be automated.



Best
Ale
--

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-25 Thread Alex de Joode

I've been responsible for the abuse handling of a large dedicated hoster for 
approx 8 years and I learnt:

 * not all complainers are honest,
 * not all complainers share an understanding of what is allowed/legal etc,
 * not all complainers share an understanding of what a hoster is and can do,
 * not all complaints are 'crisp and clear',
 * not all complaints provide all data needed to be actionable,
 * not all complaints 'make sense',
 * not all complaints are directed to the proper ISP.

A webform is a way to ensure some of these issues are addressed.

Most ISP's want their networks to be clean.
Most ISP's are responsive to complaints (if not please check if your complaints
touch on issue #1-7)
Most ISP's will work with you if you take time to adapt your complaint to their
procedure.

Most ISP's do not like to work with Don Quixote type of ppl.
Most ISP's do not like to be told their system sucks because your fringe
procedure does not work.

So all the armchair anti abuse handling specialists here can come up with nice
procedures that check all imaginary boxes they feel are needed, make proposals
that have no anti-abuse effect in practice and complain if their proposals
are rejected, however in the end it's the companies that process the abuse that
need to deal with all this. And if you ensure #1-7 are not in your complaint
you have contributed more than sending emails as the armchair specialist.

-- 
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 


On Thu, 25-02-2021 14h 41min, Cynthia Revström via anti-abuse-wg wrote:
> I think you have misunderstood my point.
>
> > Would they send such report using their customer's own web form?
>
> No? I don't know what implied that?
>
> > Yes, doing so requires some work too, but heck aren't we paying for that
> > already?
>
> The person sending the abuse report is rarely a paying customer.
>
> > The right thing to do would be to arrange for the abuse mailbox address to
> > point (in)directly to the actual user of the IP address.
>
> I am assuming you are referring to having a separate abuse contact for each
> customer, so like abuse.cust123@domain and registering it in the RIPE
> Registry/DB?
> In some cases with large customers maybe but if you are a hosting provider
> where each customer might only have one or two IPv4 addresses, that can get to
> an insane amount of handles and make the database really messy.
> Also the customer in question is not the only info that is relevant, like is it
> DoS, spam, or port scanning, etc?
>
> But in general I think there are pros and cons to web forms and email templates
> just as there are pros and cons to arbitrarily structured emails.
>
> -Cynthia
>
> On Thu, Feb 25, 2021 at 10:05 AM Alessandro Vesely wrote:
>
> > Sorry for being late to the party...
> >
> > On Sun 21/Feb/2021 03:44:07 +0100 Cynthia Revström via anti-abuse-wg wrote:
> > > If the hosting company provides a web form, they can have a field where they
> > > explicitly ask for the offending IP address.
> > > This report could then automatically also be sent to the customer in question,
> > > because we shouldn't assume the customer is malicious, they might just have a
> > > bad config that made them a relay for example.
> >
> > Would they send such report using their customer's own web form?
> >
> > The right thing to do would be to arrange for the abuse mailbox address to
> > point (in)directly to the actual user of the IP address.  Yes, doing so
> > requires some work too, but heck aren't we paying for that already?
> >
> > Best
> > Ale
> > --

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-25 Thread Cynthia Revström via anti-abuse-wg
I think you have misunderstood my point.

> Would they send such report using their customer's own web form?

No? I don't know what implied that?

> Yes, doing so requires some work too, but heck aren't we paying for that
> already?

The person sending the abuse report is rarely a paying customer.

> The right thing to do would be to arrange for the abuse mailbox address
> to point (in)directly to the actual user of the IP address.

I am assuming you are referring to having a separate abuse contact for each
customer, so like abuse.cust123@domain and registering it in the RIPE
Registry/DB?
In some cases with large customers maybe but if you are a hosting provider
where each customer might only have one or two IPv4 addresses, that can get
to an insane amount of handles and make the database really messy.
Also the customer in question is not the only info that is relevant, like
is it DoS, spam, or port scanning, etc?

But in general I think there are pros and cons to web forms and email
templates just as there are pros and cons to arbitrarily structured emails.

-Cynthia


On Thu, Feb 25, 2021 at 10:05 AM Alessandro Vesely wrote:

> Sorry for being late to the party...
>
> On Sun 21/Feb/2021 03:44:07 +0100 Cynthia Revström via anti-abuse-wg wrote:
> > If the hosting company provides a web form, they can have a field where they
> > explicitly ask for the offending IP address.
> > This report could then automatically also be sent to the customer in question,
> > because we shouldn't assume the customer is malicious, they might just have a
> > bad config that made them a relay for example.
>
>
> Would they send such report using their customer's own web form?
>
> The right thing to do would be to arrange for the abuse mailbox address to
> point (in)directly to the actual user of the IP address.  Yes, doing so
> requires some work too, but heck aren't we paying for that already?
>
>
> Best
> Ale
> --


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-25 Thread Alessandro Vesely

Sorry for being late to the party...

On Sun 21/Feb/2021 03:44:07 +0100 Cynthia Revström via anti-abuse-wg wrote:
> If the hosting company provides a web form, they can have a field where they
> explicitly ask for the offending IP address.
> This report could then automatically also be sent to the customer in question,
> because we shouldn't assume the customer is malicious, they might just have a
> bad config that made them a relay for example.



Would they send such report using their customer's own web form?

The right thing to do would be to arrange for the abuse mailbox address to 
point (in)directly to the actual user of the IP address.  Yes, doing so 
requires some work too, but heck aren't we paying for that already?



Best
Ale
--









Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-22 Thread JJS JJS
The question I ask is... do these ISP's have such difficulty communicating
with their customer, or suspending their customer's service if the customer
were to fail to pay their fees?

I ask the same question of RIPE. If these entities which RIPE "has no
control over" fail to pay their fees, does this "inability to control"
still continue?






*" That excuse might almost be a reasonable justification for bad
behavior and even worse operating policies if it hadn't already been in
continuous use for the past 20+ years."*

On Mon, Feb 22, 2021 at 6:53 PM Ronald F. Guilmette 
wrote:

> In message ,
> Randy Bush  wrote:
>
> >we are in a 'maturing' industry...
>
> That excuse might almost be a reasonable justification for bad behavior
> and even worse operating policies if it hadn't already been in continuous
> use for the past 20+ years.
>
> The spam problem has existed on the Internet since the late 1990s.  May
> we optimistically hold out some hope that this industry might be able
> to get its shit together by, say, 2045?
>
> >so margins are low and people are overworked and underpaid.
>
> Maybe margins are low *structurally*, because just like in the spam trade,
> everybody and his brother got enticed by the low barriers to entry in the
> commercial hosting business, resulting in tens of thousands of "me too"
> operators that, in point of fact, have no commercial advantage, and thus
> no reason to even exist.  And they are all now competing with tens of
> thousands just like them, as well as trying, vainly, to compete with a
> few other outfits you may have heard of, e.g. Amazon, Google, Microsoft.
>
> "Margins are low" is the same excuse that polluters used back in the day
> for dumping toxic waste into rivers in the dead of night.  Now it is being
> trotted out as an excuse for an inability... or rather an unwillingness...
> to do these simple things (like blocking outbound port 25) needed to stop
> the effluent of spam from leaking out into and onto the global Internet.
>
> Profits may be in short supply in the commercial hosting business, but
> fortunately there is never any shortage of lame excuses to justify the
> status quo.
>
>
> Regards,
> rfg
>
>
> P.S.  I am at pains to stress that essentially 100% of *all* network abuse
> of ALL KINDS these days originates from commercial hosting providers.
>
> I do not, in general, get spam, or break-in attempts, or port scans, or
> any other such abuse from government networks, from academic networks,
> from non-profit associations, or from legitimate businesses that have
> their own netblocks and that are not fundamentally in the Internet
> services business.  Nor do I have to endure such crap from any of the
> thousands of so-called "eyeball networks", e.g.  Comcast, etc.  Rather,
> the sum total of essentially all network abuse these days is consistently
> emanating from commercial hosting providers, and specifically from the
> ones that have elected to entice miscreants and criminals to their
> services by having deliberately loose contractual policies or else
> deliberately loose enforcement of their stated policies.
>
> It's a fairly moronic way to try to make a living, or to turn a profit,
> but I guess that when you have nothing else to offer in the way of
> competitive advantage...
>
>


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ronald F. Guilmette
In message , 
Randy Bush  wrote:

>we are in a 'maturing' industry...

That excuse might almost be a reasonable justification for bad behavior
and even worse operating policies if it hadn't already been in continuous
use for the past 20+ years.

The spam problem has existed on the Internet since the late 1990s.  May
we optimistically hold out some hope that this industry might be able
to get its shit together by, say, 2045?

>so margins are low and people are overworked and underpaid. 

Maybe margins are low *structurally*, because just like in the spam trade,
everybody and his brother got enticed by the low barriers to entry in the
commercial hosting business, resulting in tens of thousands of "me too"
operators that, in point of fact, have no commercial advantage, and thus
no reason to even exist.  And they are all now competing with tens of
thousands just like them, as well as trying, vainly, to compete with a
few other outfits you may have heard of, e.g. Amazon, Google, Microsoft.

"Margins are low" is the same excuse that polluters used back in the day
for dumping toxic waste into rivers in the dead of night.  Now it is being
trotted out as an excuse for an inability... or rather an unwillingness...
to do these simple things (like blocking outbound port 25) needed to stop
the effluent of spam from leaking out into and onto the global Internet.

Profits may be in short supply in the commercial hosting business, but
fortunately there is never any shortage of lame excuses to justify the
status quo.


Regards,
rfg


P.S.  I am at pains to stress that essentially 100% of *all* network abuse
of ALL KINDS these days originates from commercial hosting providers.

I do not, in general, get spam, or break-in attempts, or port scans, or
any other such abuse from government networks, from academic networks,
from non-profit associations, or from legitimate businesses that have
their own netblocks and that are not fundamentally in the Internet
services business.  Nor do I have to endure such crap from any of the
thousands of so-called "eyeball networks", e.g.  Comcast, etc.  Rather,
the sum total of essentially all network abuse these days is consistently
emanating from commercial hosting providers, and specifically from the
ones that have elected to entice miscreants and criminals to their
services by having deliberately loose contractual policies or else
deliberately loose enforcement of their stated policies.

It's a fairly moronic way to try to make a living, or to turn a profit,
but I guess that when you have nothing else to offer in the way of
competitive advantage...



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Suresh Ramasubramanian
Depends on the provider you work for and what services they provide. Randy is 
(I think) still with NTT rather than a cloud service, vps operator type shop, 
so a lot of your questions aren’t going to apply to his environment.


--srs

From: anti-abuse-wg  on behalf of Ronald F. 
Guilmette 
Sent: Monday, February 22, 2021 3:48:23 AM
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox

In message ,
Randy Bush  wrote:

>there is a fair bit of spectrum between the internet of cooperating
>competitors running their networks as prudently as they can afford
>and an internet desired by some where everything is done uniformly
>by rigid written rules.

You are using the word "afford" in this context as a blanket excuse
for incompetence and/or willful anti-social negligence.

What is the cost of adding a "cleanup fee" clause to your standard
service contracts, and why are you so abysmally bad at business that
you cannot afford to do that?

What is the cost of filtering outbound port 25 by default, and why are
you so abysmally bad at business that you cannot afford to do that?

The data is in, and applying one or both of these simple measures to
any given network has been demonstrated to reduce the need to pay
humans to staff an "abuse desk" dramatically.

Are you also unable to "afford" to implement BCP 38?


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ronald F. Guilmette
In message , 
Randy Bush  wrote:

>there is a fair bit of spectrum between the internet of cooperating
>competitors running their networks as prudently as they can afford
>and an internet desired by some where everything is done uniformly
>by rigid written rules.

You are using the word "afford" in this context as a blanket excuse
for incompetence and/or willful anti-social negligence.

What is the cost of adding a "cleanup fee" clause to your standard
service contracts, and why are you so abysmally bad at business that
you cannot afford to do that?

What is the cost of filtering outbound port 25 by default, and why are
you so abysmally bad at business that you cannot afford to do that?

The data is in, and applying one or both of these simple measures to
any given network has been demonstrated to reduce the need to pay
humans to staff an "abuse desk" dramatically.

Are you also unable to "afford" to implement BCP 38?


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Ángel González Berdasco
On 21-02-2021 03:44 +0100, Cynthia Revström writes:
> Ronald,
> 
> Can you please stop attacking ideas (such as web forms) implying that
> they only have malicious use cases.
> 
> > I hold them responsible because they obviously
> > fail to have in place contractual clauses that would persuasively
> > deter this behavior on the part of their customers.
> 
> In many cases it is practically impossible to know if your customers
> are sending legit emails or spam without having people reporting it.
> As TLS is used in many cases now, the provider can't look at the
> network data to see what the customer is sending even on a technical
> level, disregarding any trust/potential legal issues.


> > The provider in question is a perfectly lousy coder and is thus
> > unable and/or unwilling to write code to parse emailed abuse
> > reports.
> 
> Hi, I am actually primarily a software dev and not a network
> engineer, it is not even close to as easy as you make it out to be.
> Sure you can have a regex to extract IP addresses and other messy
> things like that, but you can't be sure what that address is, it
> might be your customer, it might be the address they say you
> attacked, etc.
> My point here is that parsing free form text in this way without
> having a clearly defined structure is far from trivial.
> Also please stop assuming bad faith by saying that providers are
> "unwilling" to do this.
> If they could drastically lower the amount of manual work needed here
> with a bit of code, they absolutely would in almost all cases.

Hello Cynthia

I would say it's not as hard. Having the right tools helps a ton, but
not all companies understand that.
First of all, you want to automatically parse those reports using
ARF/X-ARF, as those are already machine parseable.
Then, you will have a lot of other reports in a mix of formats, that
you could be parsing separately. Although I would say that a naive
approach of “parse all IP addresses, if there is a single one in our
range, associate the report to that IP address” works in most cases.
Scanning for a few keywords (spam, DDoS, telnet, ssh…) should also
allow for an initial classification.

This is all very rough, and (as mentioned in the thread), you should
still have a human *look* at it, but could easily cut the work needed
in more than half.

If you receive those 200 Incident Reports, but they are already
classified as 185 of them relating to 203.0.113.7, you will probably
not need to evaluate all of them to conclude that there is something
bad going on with that customer.

Also, another point would be the number of clicks needed to take action
(e.g. in some systems you might need just 2-3 clicks to suspend the
customer resource and send them a warning, whereas in others you may
need a slow manual process).




> > And anyway, don't actual human beings need to look at these things,
> > in the end, in order to be able to react to each of them properly
> > and in a professional fashion? 
> 
> Web forms can have pros and cons, I am just going to take the case of
> a VPS/Dedicated server hosting company.
> 
> If the hosting company provides a web form, they can have a field
> where they explicitly ask for the offending IP address.
> This report could then automatically also be sent to the customer in
> question, because we shouldn't assume the customer is malicious, they
> might just have a bad config that made them a relay for example.
> This could make it so the report is acted upon sooner potentially as
> the hosting company might take a few days to reply but maybe the
> customer can act sooner.

It depends. In some cases, the customer is another victim. In others,
such as the customer having bought "paypa1.com", well, I think you
_should_ assume he is malicious. :)

It's not hard to figure out by a human. Yet you still need someone to
ascertain them.



> > A provider that is routinely receiving so many abuse reports that
> > it can barely keep up with them all has bigger problems than just
> > the manner in which abuse reports are received.
> 
> Due to the automated procedure by some providers for abuse reports,
> if I have one bad host sending spam, I might get an abuse report for
> every single email they receive, so even if it is just one customer I
> might wake up to 200 emails.
> But if I had a way to group it by sender IP address, that would be a
> lot more manageable.
> (this was just a hypothetical example) 
> 
> Now I absolutely agree that having an abuse email address that is
> acted upon in a reasonable amount of time (maybe a week or so) is
> still essential as the web forms aren't standardised or might rely on
> technology like captchas.
> But if you send me 200 emails about the same host in one day, I am
> probably still going to be mildly annoyed and I could see how this is
> actually unmanageable for larger providers.


Larger providers should have more people dedicated to handle abuse
reports. Unfortunately, it's a task working too many times with 
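
The triage described in the message above, as an added example that is not part of the original thread or any poster's code: use the ARF `Source-IP` field when a report has one, otherwise apply the naive "exactly one address in our range" rule, scan for the keywords, and group by address. The prefix `203.0.113.0/24` as the provider's space, the category names, the function names and the sample reports are all assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from email import message_from_string

# Assumption: the provider's own space (an RFC 5737 documentation prefix).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Keywords from the post; the category names are invented for this example.
KEYWORDS = {"spam": "spam", "ddos": "ddos", "telnet": "bruteforce", "ssh": "bruteforce"}
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b")
# Dotted quad that is not part of a longer dotted number such as 1.2.3.4.5,
# but may be followed by a sentence-ending full stop.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def ours(token):
    """Return the parsed address if token is a valid IP inside our prefixes."""
    try:
        ip = ipaddress.ip_address(token.strip())
    except ValueError:  # e.g. 999.1.1.1 or an empty field
        return None
    return ip if any(ip in net for net in OUR_PREFIXES) else None

def arf_fields(msg):
    """Fields of the message/feedback-report part (RFC 5965), or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            payload = part.get_payload()
            # The stdlib parser exposes the fields as headers of a sub-message.
            return payload[0] if isinstance(payload, list) else message_from_string(payload)
    return None

def body_text(msg):
    """Concatenated text/plain parts; mail headers are left out on purpose."""
    chunks = [p.get_payload(decode=True) or b"" for p in msg.walk()
              if p.get_content_type() == "text/plain"]
    return b"\n".join(chunks).decode("utf-8", "replace")

def triage(raw):
    """Return (ip or None, category, method) for one raw RFC 5322 report."""
    msg = message_from_string(raw)
    fields = arf_fields(msg)
    if fields is not None:
        ip = ours(fields.get("Source-IP", ""))
        if ip is not None:
            ftype = fields.get("Feedback-Type", "other").strip().lower()
            return ip, ("spam" if ftype == "abuse" else ftype), "arf"
    text = body_text(msg)
    hit = KEYWORD_RE.search((msg.get("Subject", "") + "\n" + text).lower())
    category = KEYWORDS[hit.group(1)] if hit else "unclassified"
    found = {ip for ip in map(ours, IPV4_RE.findall(text)) if ip is not None}
    if len(found) == 1:
        return found.pop(), category, "single-ip"
    return None, category, "manual"  # none or several of ours: a human decides

def summarize(raw_reports):
    """Group reports per address; return (counts per ip, indexes left for a human)."""
    per_ip, manual = defaultdict(Counter), []
    for index, raw in enumerate(raw_reports):
        ip, category, _ = triage(raw)
        if ip is None:
            manual.append(index)
        else:
            per_ip[str(ip)][category] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}, manual

def plain(subject, body):
    return f"From: reporter@example.net\nSubject: {subject}\n\n{body}\n"

# Constructed sample reports (not real traffic). The ARF sample omits the
# third part, the copy of the reported message, to stay short.
ARF = """\
Subject: FW: Earn money
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for a message received from 203.0.113.7.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 203.0.113.7

--b1--
"""
REPORTS = [
    ARF,
    plain("Spam from your network", "Your host 203.0.113.7 keeps sending spam to our MX 198.51.100.25."),
    plain("Brute force", "SSH logins from 203.0.113.7 against 203.0.113.50, both are yours."),
    plain("Attack", "We are under DDoS from your network, please help."),
    plain("Telnet probes", "Telnet attempts from 203.0.113.9. Firmware 1.2.3.4.5; 999.1.1.1 is bogus."),
]

if __name__ == "__main__":
    print(summarize(REPORTS))
```

The third and fourth sample reports land in the manual queue: one names two addresses in the provider's range and the other names none, which is the ambiguity raised earlier in the thread about not knowing what an extracted address refers to.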

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Randy Bush
> There seems to be at least one rule common to everyone: if you want to
> run a network with an independent routing policy you'll need to use
> BGP.

:)

> Unfortunately it seems dealing with abuse emerging from the networks
> one runs is not a common, basic, rule for everyone.
> 
> Also, network admins should stick to run networks, and not try to
> handle abuse by themselves. But a lot of networks don't have anyone to
> do that (or have a business model in which all abuse reports are
> discarded by default), hence the chaos.

we are in a 'maturing' industry and in trying times.  so margins are low
and people are overworked and underpaid.  non-critical things start to
fall by the wayside.

when it comes to protocols, i am a naggumite.  i disagreed with dr
postel's dictum at the time; we should not accept crap from the other
side.  when it comes to ops, i try to be more tolerant.  it's hard
times, and we all make mistakes (see fun threads on nanog) or can not
cover all desired functions as well as the peanut gallery loudly
demands.

randy

---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header mangling



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Carlos Friaças via anti-abuse-wg



Hi,

There seems to be at least one rule common to everyone: if you want to run 
a network with an independent routing policy you'll need to use BGP.


Unfortunately it seems dealing with abuse emerging from the networks one 
runs is not a common, basic, rule for everyone.


Also, network admins should stick to run networks, and not try to handle 
abuse by themselves. But a lot of networks don't have anyone to do that 
(or have a business model in which all abuse reports are discarded by 
default), hence the chaos.


Regards,
Carlos


On Sun, 21 Feb 2021, Randy Bush wrote:


> there is a fair bit of spectrum between the internet of cooperating
> competitors running their networks as prudently as they can afford
> and an internet desired by some where everything is done uniformly
> by rigid written rules.
>
> what i find interesting is that a number of the folk here who
> loudly espouse the latter don't actually run networks.
>
> randy







Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Randy Bush
there is a fair bit of spectrum between the internet of cooperating
competitors running their networks as prudently as they can afford
and an internet desired by some where everything is done uniformly
by rigid written rules.

what i find interesting is that a number of the folk here who
loudly espouse the latter don't actually run networks.

randy



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Cynthia Revström via anti-abuse-wg
I give up, I am just wasting my time trying to argue, I want to make it
clear I still disagree with you but arguing is a waste of time.

-Cynthia

On Sun, Feb 21, 2021, 05:30 Ronald F. Guilmette 
wrote:

> In message  u1e9un9ccc8uy-f7...@mail.gmail.com>,
> Cynthia Revström wrote:
>
> >Can you please stop attacking ideas (such as web forms) implying that they
> >only have malicious use cases.
>
> You have missed my point entirely.
>
> Web-based abuse reporting forms are not merely "an idea" any more than
> discrimination is merely an "idea".  Rather it is an attitude and a
> way of life.  It is the Internet equivalent of refusing to wear a
> face mask, for the good of all, in a crowded elevator in the middle of
> a global pandemic.  It is demonstrably and provably a selfish and
> self-serving anti-social behavior pattern.  I don't know where you
> live, but where I live we have already had more than enough of this
> kind of attitude, and this kind of childish anti-social behavior.
>
> >> I hold them responsible because they obviously
> >> fail to have in place contractual clauses that would persuasively
> >> deter this behavior on the part of their customers.
> >
> >In many cases it is practically impossible to know if your customers are
> >sending legit emails or spam without having people reporting it.
>
> Again, you have missed my point quite entirely.
>
> Some providers have clauses in their service contracts that say explicitly
> that customers who are caught spamming will face a mandatory (and heavy)
> "cleanup fee".  Many other providers do not have such clauses in their
> standard service contracts.  Can you guess which providers are the sources
> of most spams?
>
> >> The provider in question is a perfectly lousy coder and is thus
> >> unable and/or unwilling to write code to parse emailed abuse
> >> reports.
> >
> >Hi, I am actually primarily a software dev and not a network engineer, it
> >is not even close to as easy as you make it out to be.
>
> Fine.  Have it your way.  The point can be argued either way, but I see no
> point in us doing so at this moment, since I made a different and *overriding*
> point that renders this question of parsing abuse reports sent via email
> moot.
>
> I say again, any professional treatment of an abuse report will necessarily
> require a human being to actually LOOK at the bloody thing.  When viewed
> with that context, the manner in which the report arrives is utterly
> irrelevant.
>
> If a human being is, in the end, going to end up looking at the bloody thing
> anyway, then what difference does it make if the report arrives via email
> or via a web form?  None.  None at all.
>
> >My point here is that parsing free form text in this way without having a
> >clearly defined structure is far from trivial.
> >Also please stop assuming bad faith by saying that providers are
> >"unwilling" to do this.
>
> I do not assume.  I observe.  And I've been doing this a LONG time.
>
> With the highly probable exception of my friend Michele Neylon, it has
> been my experience that those providers that set up web-based abuse
> reporting forms ignore most or all of what they receive via those
> forms.  Either that or they just forward the reports on to their pet
> spammers, which is provably even WORSE than if they had just dropped
> the reports into /dev/null.
>
> >> And anyway, don't actual human beings need to look at these things,
> >> in the end, in order to be able to react to each of them properly
> >> and in a professional fashion?
> >
> >Web forms can have pros and cons, I am just going to take the case of a
> >VPS/Dedicated server hosting company.
> >
> >If the hosting company provides a web form, they can have a field where
> >they explicitly ask for the offending IP address.
>
> Oh!  So you want and indeed *demand* that the spam *victim* should be
> obliged to fish this tidbit of information out of the headers, so that
> the actual offending network doesn't have to do that part of the analysis
> work, yes?
>
> Where I come from, that's called cost shifting... onto the victim...
> and it is no more morally or ethically defensible than trying to
> justify sexual abuse by saying that the victim wore a short skirt.
>
> >This report could then automatically also be sent to the customer in
> >question
>
> Do you really not understand why this is an extraordinarily BAD IDEA?
>
> >(I believe Hetzner as an example does this or something similar.)
>
> Yes, Hetzner has more than once ratted me out to their spammer customers.
>
> Are you seriously holding that company up as a shining example of ethical
> behavior for others to follow or be guided by??
>
> >> A provider that is routinely receiving so many abuse reports that
> >> it can barely keep up with them all has bigger problems than just
> >> the manner in which abuse reports are received.
> >
> >Due to the automated procedure by some providers for abuse reports, if I
> >have one bad host 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Q via anti-abuse-wg
 Hello all,

> I believe Hetzner as an example does this or something similar.

They indeed do. I've noticed it especially with reports from the German
Federal Office for Information Security when I've left portmapper open to
the internet or something else equally harmless in its intent. Much better
dealt with by the customer directly, as Hetzner could do almost nothing in
this case.

Thanks,
Q
Director



https://as207960.net
AS207960 Cyfyngedig
Phone: +44 29 2010 2455 (ext 601)
Fax: +44 29 2010 2455
Address: 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU

AS207960 Cyfyngedig, trading as Glauca Digital, is:

   - a limited company registered in Wales (№ 12417574)
   - a registered data controller with the Information Commissioner's
   Office (№ ZA782876)
   - registered for VAT in the EU (№ EU372013983)



On Sun, 21 Feb 2021 at 02:44, Cynthia Revström via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Ronald,
>
> Can you please stop attacking ideas (such as web forms) implying that they
> only have malicious use cases.
>
> > I hold them responsible because they obviously
> > fail to have in place contractual clauses that would persuasively
> > deter this behavior on the part of their customers.
>
> In many cases it is practically impossible to know if your customers are
> sending legit emails or spam without having people reporting it.
> As TLS is used in many cases now, the provider can't look at the network
> data to see what the customer is sending even on a technical level,
> disregarding any trust/potential legal issues.
>
> > The provider in question is a perfectly lousy coder and is thus
> > unable and/or unwilling to write code to parse emailed abuse
> > reports.
>
> Hi, I am actually primarily a software dev and not a network engineer, it
> is not even close to as easy as you make it out to be.
> Sure you can have a regex to extract IP addresses and other messy things
> like that, but you can't be sure what that address is, it might be your
> customer, it might be the address they say you attacked, etc.
> My point here is that parsing free form text in this way without having a
> clearly defined structure is far from trivial.
> Also please stop assuming bad faith by saying that providers are
> "unwilling" to do this.
> If they could drastically lower the amount of manual work needed here with
> a bit of code, they absolutely would in almost all cases.
>
> > And anyway, don't actual human beings need to look at these things,
> > in the end, in order to be able to react to each of them properly
> > and in a professional fashion?
>
> Web forms can have pros and cons, I am just going to take the case of a
> VPS/Dedicated server hosting company.
>
> If the hosting company provides a web form, they can have a field where
> they explicitly ask for the offending IP address.
> This report could then automatically also be sent to the customer in
> question, because we shouldn't assume the customer is malicious, they might
> just have a bad config that made them a relay for example.
> This could make it so the report is acted upon sooner potentially as the
> hosting company might take a few days to reply but maybe the customer can
> act sooner.
> (I believe Hetzner as an example does this or something similar.)
>
>
> > A provider that is routinely receiving so many abuse reports that
> > it can barely keep up with them all has bigger problems than just
> > the manner in which abuse reports are received.
>
> Due to the automated procedure by some providers for abuse reports, if I
> have one bad host sending spam, I might get an abuse report for every
> single email they receive, so even if it is just one customer I might wake
> up to 200 emails.
> But if I had a way to group it by sender IP address, that would be a lot
> more manageable.
> (this was just a hypothetical example)
>
> Now I absolutely agree that having an abuse email address that is acted
> upon in a reasonable amount of time (maybe a week or so) is still essential
> as the web forms aren't standardised or might rely on technology like
> captchas.
> But if you send me 200 emails about the same host in one day, I am
> probably still going to be mildly annoyed and I could see how this is
> actually unmanageable for larger providers.
>
> I think the true solution here is just to have a standard email template
> or similar so providers could easily and reliably parse it automatically
> (at least partially).
> just a very quick example that I didn't consider for more than a minute:
> the standard could be as easy as just beginning every report email with
> "abuse-host=192.0.2.20,192.0.2.21\n\n" and whatever other fields are needed.
>
> -Cynthia
>
>
> On Sun, Feb 21, 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Ronald F. Guilmette
In message 
, 
Cynthia Revström wrote:

>Can you please stop attacking ideas (such as web forms) implying that they
>only have malicious use cases.

You have missed my point entirely.

Web-based abuse reporting forms are not merely "an idea" any more than
discrimination is merely an "idea".  Rather it is an attitude and a
way of life.  It is the Internet equivalent of refusing to wear a
face mask, for the good of all, in a crowded elevator in the middle of
a global pandemic.  It is demonstrably and provably a selfish and
self-serving anti-social behavior pattern.  I don't know where you
live, but where I live we have already had more than enough of this
kind of attitude, and this kind of childish anti-social behavior.

>> I hold them responsible because they obviously
>> fail to have in place contractual clauses that would persuasively
>> deter this behavior on the part of their customers.
>
>In many cases it is practically impossible to know if your customers are
>sending legit emails or spam without having people reporting it.

Again, you have missed my point quite entirely.

Some providers have clauses in their service contracts that say explicitly
that customers who are caught spamming will face a mandatory (and heavy)
"cleanup fee".  Many other providers do not have such clauses in their
standard service contracts.  Can you guess which providers are the sources
of most spams?

>> The provider in question is a perfectly lousy coder and is thus
>> unable and/or unwilling to write code to parse emailed abuse
>> reports.
>
>Hi, I am actually primarily a software dev and not a network engineer, it
>is not even close to as easy as you make it out to be.

Fine.  Have it your way.  The point can be argued either way, but I see no
point in us doing so at this moment, since I made a different and *overriding*
point that renders this question of parsing abuse reports sent via email
moot.

I say again, any professional treatment of an abuse report will necessarily
require a human being to actually LOOK at the bloody thing.  When viewed
with that context, the manner in which the report arrives is utterly
irrelevant.

If a human being is, in the end, going to end up looking at the bloody thing
anyway, then what difference does it make if the report arrives via email
or via a web form?  None.  None at all.

>My point here is that parsing free form text in this way without having a
>clearly defined structure is far from trivial.
>Also please stop assuming bad faith by saying that providers are
>"unwilling" to do this.

I do not assume.  I observe.  And I've been doing this a LONG time.

With the highly probable exception of my friend Michele Neylon, it has
been my experience that those providers that set up web-based abuse
reporting forms ignore most or all of what they receive via those
forms.  Either that or they just forward the reports on to their pet
spammers, which is provably even WORSE than if they had just dropped
the reports into /dev/null.

>> And anyway, don't actual human beings need to look at these things,
>> in the end, in order to be able to react to each of them properly
>> and in a professional fashion?
>
>Web forms can have pros and cons, I am just going to take the case of a
>VPS/Dedicated server hosting company.
>
>If the hosting company provides a web form, they can have a field where
>they explicitly ask for the offending IP address.

Oh!  So you want and indeed *demand* that the spam *victim* should be
obliged to fish this tidbit of information out of the headers, so that
the actual offending network doesn't have to do that part of the analysis
work, yes?

Where I come from, that's called cost shifting... onto the victim...
and it is no more morally or ethically defensible than trying to
justify sexual abuse by saying that the victim wore a short skirt.

>This report could then automatically also be sent to the customer in
>question

Do you really not understand why this is an extraordinarily BAD IDEA?

>(I believe Hetzner as an example does this or something similar.)

Yes, Hetzner has more than once ratted me out to their spammer customers.

Are you seriously holding that company up as a shining example of ethical
behavior for others to follow or be guided by??

>> A provider that is routinely receiving so many abuse reports that
>> it can barely keep up with them all has bigger problems than just
>> the manner in which abuse reports are received.
>
>Due to the automated procedure by some providers for abuse reports, if I
>have one bad host sending spam, I might get an abuse report for every
>single email they receive, so even if it is just one customer I might wake
>up to 200 emails.

So you're saying that you work as an outsourced abuse department for various
providers?  And you're OK with spammers being allowed to send out 200 spams,
but you really don't want to then have to deal with 200 reports of same?

I just want to make sure that I understand what you're 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread John Levine
In article  
you write:
>Ronald,
>
>Can you please stop attacking ideas (such as web forms) implying that they
>only have malicious use cases.

There are plenty of sensible use cases for web forms.

But requiring them for abuse reporting is not one of them.  If you want to set
up a web form in addition to accepting ARF or IODEF reports, sure, go ahead.
Or if your staff wants to fill in your forms based on the e-mailed reports, that
is fine, too.

>My point here is that parsing free form text in this way without having a
>clearly defined structure is far from trivial.
>Also please stop assuming bad faith by saying that providers are
>"unwilling" to do this.

There are plenty of providers who deal effectively with e-mailed abuse reports.
There are even packages you can buy to help you do it.

To repeat the obvious, the Internet is a set of networks that interconnect for
their mutual benefit.  If a network's traffic becomes more trouble than it's
worth, we all know what happens.  So if it's too much trouble for you to deal
with abuse reports, it's likely to be too much trouble for the rest of us to
deal with your packets.

R's,
John



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Cynthia Revström via anti-abuse-wg
Ronald,

Can you please stop attacking ideas (such as web forms) implying that they
only have malicious use cases.

> I hold them responsible because they obviously
> fail to have in place contractual clauses that would persuasively
> deter this behavior on the part of their customers.

In many cases it is practically impossible to know if your customers are
sending legit emails or spam without having people reporting it.
As TLS is used in many cases now, the provider can't look at the network
data to see what the customer is sending even on a technical level,
disregarding any trust/potential legal issues.

> The provider in question is a perfectly lousy coder and is thus
> unable and/or unwilling to write code to parse emailed abuse
> reports.

Hi, I am actually primarily a software dev and not a network engineer, it
is not even close to as easy as you make it out to be.
Sure you can have a regex to extract IP addresses and other messy things
like that, but you can't be sure what that address is, it might be your
customer, it might be the address they say you attacked, etc.
My point here is that parsing free form text in this way without having a
clearly defined structure is far from trivial.
Also please stop assuming bad faith by saying that providers are
"unwilling" to do this.
If they could drastically lower the amount of manual work needed here with
a bit of code, they absolutely would in almost all cases.

> And anyway, don't actual human beings need to look at these things,
> in the end, in order to be able to react to each of them properly
> and in a professional fashion?

Web forms can have pros and cons, I am just going to take the case of a
VPS/Dedicated server hosting company.

If the hosting company provides a web form, they can have a field where
they explicitly ask for the offending IP address.
This report could then automatically also be sent to the customer in
question, because we shouldn't assume the customer is malicious, they might
just have a bad config that made them a relay for example.
This could make it so the report is acted upon sooner potentially as the
hosting company might take a few days to reply but maybe the customer can
act sooner.
(I believe Hetzner as an example does this or something similar.)


> A provider that is routinely receiving so many abuse reports that
> it can barely keep up with them all has bigger problems than just
> the manner in which abuse reports are received.

Due to the automated procedure by some providers for abuse reports, if I
have one bad host sending spam, I might get an abuse report for every
single email they receive, so even if it is just one customer I might wake
up to 200 emails.
But if I had a way to group it by sender IP address, that would be a lot
more manageable.
(this was just a hypothetical example)

Now I absolutely agree that having an abuse email address that is acted
upon in a reasonable amount of time (maybe a week or so) is still essential
as the web forms aren't standardised or might rely on technology like
captchas.
But if you send me 200 emails about the same host in one day, I am probably
still going to be mildly annoyed and I could see how this is actually
unmanageable for larger providers.

I think the true solution here is just to have a standard email template or
similar so providers could easily and reliably parse it automatically (at
least partially).
just a very quick example that I didn't consider for more than a minute:
the standard could be as easy as just beginning every report email with
"abuse-host=192.0.2.20,192.0.2.21\n\n" and whatever other fields are needed.

-Cynthia


On Sun, Feb 21, 2021 at 2:51 AM Ronald F. Guilmette 
wrote:

> In message <20210218200036.066496e36...@ary.qy>,
> "John Levine"  wrote:
>
> >Report web forms are out of the question because they do not scale. I
> >send about a hundred abuse reports a day about spam received from all
> >over the Internet, and I have no interest in using your form or anyone
> >else's to make a manual special case for under 1% of my reports.
>
> I'm real glad that John posted the above comment, as he has saved me
> from having to do so myself.  (But I will take this opportunity to
> elaborate on what John said anyway.)
>
> I am in 1000% agreement with John on this.  Abuse reporting forms do
> not scale... at least not for the *victims* of the abuse.
>
> I report email spams... by far the most common form of network abuse...
> to dozens of different providers every week.  At the moment in time
> when I send each of these reports, I have already been abused by each
> of these providers.  (I hold them responsible because they obviously
> fail to have in place contractual clauses that would persuasively
> deter this behavior on the part of their customers.)
>
> To make me "jump through the hoops" of first even just *finding* each
> provider's unique abuse reporting web form, and then navigating it
> sufficiently well to insure that I have dotted all of the i's 
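
The one-line template sketched in the message above ("abuse-host=..." as the first line of a report), as an added example that is not code from the thread or from any participant: a provider-side parser that accepts only a well-formed first line, keeps only addresses inside the provider's own ranges, and groups a day's reports per host. OUR_NETWORKS, the function names and the inbox contents are assumptions constructed for illustration; the header format is only the sketch from the message, not a standard.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address space this provider answers for (documentation ranges).
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# The header must be the very first line and be followed by an empty line,
# as in the "abuse-host=192.0.2.20,192.0.2.21\n\n" sketch. CRLF is tolerated.
HEADER_RE = re.compile(r"\Aabuse-host=([^\r\n]+)\r?\n\r?\n")


def parse_abuse_hosts(body):
    """Return the de-duplicated addresses named in the header line, or None
    when the header is absent or any value is not a valid IP address."""
    match = HEADER_RE.match(body)
    if match is None:
        return None
    hosts = []
    for token in match.group(1).split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            return None  # never guess: a malformed header goes to a human
        if addr not in hosts:
            hosts.append(addr)
    return hosts


def is_ours(addr):
    """True if the address lies inside one of the provider's own networks."""
    return any(addr in net for net in OUR_NETWORKS)


def triage(reports):
    """Sort (report_id, body) pairs into per-host groups.

    Returns (by_host, not_ours, manual):
      by_host  - our address (as text) -> ids of reports naming it
      not_ours - well-formed reports that name no address of ours
      manual   - reports without a usable header, left for a person to read
    """
    by_host = defaultdict(list)
    not_ours, manual = [], []
    for report_id, body in reports:
        hosts = parse_abuse_hosts(body)
        if hosts is None:
            manual.append(report_id)
            continue
        ours = [h for h in hosts if is_ours(h)]
        if not ours:
            # The reporter-supplied value is untrusted input: an address
            # outside our ranges is never acted on automatically.
            not_ours.append(report_id)
        for host in ours:
            by_host[str(host)].append(report_id)
    return dict(by_host), not_ours, manual


def constructed_inbox():
    """Constructed sample: 200 reports about one host plus edge cases."""
    inbox = [(f"r{i}", f"abuse-host=192.0.2.20\n\nSpam received, sample {i}.\n")
             for i in range(200)]
    inbox.append(("r200", "abuse-host=192.0.2.20, 192.0.2.21\r\n\r\nTwo relays.\n"))
    inbox.append(("r201", "abuse-host=198.51.100.7\n\nPlease stop.\n"))
    inbox.append(("r202", "I am under ddos from you, please help\n"))
    inbox.append(("r203", "abuse-host=192.0.2.999\n\nNot an address.\n"))
    inbox.append(("r204", "Hello,\nabuse-host=192.0.2.20\n\nHeader not first.\n"))
    return inbox


if __name__ == "__main__":
    by_host, not_ours, manual = triage(constructed_inbox())
    for host, ids in sorted(by_host.items()):
        print(f"{host}: {len(ids)} report(s)")
    print("names no address of ours:", not_ours)
    print("needs a human:", manual)
```

The 200 single-host reports collapse into one work item, while the free-form, malformed and misplaced-header messages still reach a person, which is the partial automation the message argues for.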

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Ronald F. Guilmette
In message <20210218200036.066496e36...@ary.qy>, 
"John Levine"  wrote:

>Report web forms are out of the question because they do not scale. I
>send about a hundred abuse reports a day about spam received from all
>over the Internet, and I have no interest in using your form or anyone
>else's to make a manual special case for under 1% of my reports.

I'm real glad that John posted the above comment, as he has saved me
from having to do so myself.  (But I will take this opportunity to
elaborate on what John said anyway.)

I am in 1000% agreement with John on this.  Abuse reporting forms do
not scale... at least not for the *victims* of the abuse.

I report email spams... by far the most common form of network abuse...
to dozens of different providers every week.  At the moment in time
when I send each of these reports, I have already been abused by each
of these providers.  (I hold them responsible because they obviously
fail to have in place contractual clauses that would persuasively
deter this behavior on the part of their customers.)

To make me "jump through the hoops" of first even just *finding* each
provider's unique abuse reporting web form, and then navigating it
sufficiently well to insure that I have dotted all of the i's and
crossed all of the t's, as required, uniquely, for each different
provider, just *adds* injury to the insult that I have already suffered
at the hands of these same providers, and these same networks.

The demand to use a web-based reporting form is itself a form of cost
shifting.  It shifts more of the costs of dealing with network abuse
onto the victims of abuse and away from the providers that are actually
originating the abuse in the first place.   In that sense it is arguably
the same as spam itself.  Email spam only exists because it is a way
of shifting the costs of advertising onto the recipient and away from
the senders.  Likewise, demanding that I must find my way to, and then
properly complete *your* unique web reporting form is yet another way
of shifting the costs of dealing with *your* abuse of *my* inbox away
from yourself and onto me.  Sure, it is maximally convenient FOR YOU,
but how about a little more consideration for the victim?

As John and others have noted, if I take up *my* time and effort to
report to you abuse that is coming from *your* network, then I am NOT
doing that for *my* benefit.  Rather all of the benefits of abuse
reports flow to the network operator of the network where the abuse
originated.

I am not an imbecile, and I can easily enough block any arbitrary sender
in my own local configuration, either by full email address, or by
domain name, or by IP address range.  Thus, nothing obligates me to
report any spam, and I can easily enough prevent myself from getting
spammed twice or more from the same source.  So how does it benefit
*me* as a spam recipient, to send in a spam report?

The answer is that it doesn't.  Period, full stop. I only do it out of
a sense of community responsibility, i.e. to do my part to help pick
up trash that other people leave lying around on the Internet.  In an
ideal world the networks/providers who are the recipients of my spam
reports would be grateful for my help in trying to keep their networks
clean, EVEN TO THE POINT WHERE THEY SHOULD PAY ME OUT OF GRATITUDE upon
receiving any professionally prepared report from me.  But they don't.
(Sigh.)  At the very least they should have the minimal courtesy and
respect to not make the task of sending them a report more cumbersome
and more tedious than it needs to be.   Web reporting forms do the
exact opposite, and they are thus every bit as anti-social as spam
itself.


Regards,
rfg


P.S.  Some providers try to justify or excuse their clearly anti-social 
demand that everyone reporting abuse to them must use a web form by
claiming that they get too many abuse reports, on a regular basis, to
allow them to do anything sane or useful with such reports UNLESS they
come to them via a web form.

This is 1000% bullshit, and it indicates two things:

   1)  The provider in question is a perfectly lousy coder and is thus
   unable and/or unwilling to write code to parse emailed abuse
   reports.

   And anyway, don't actual human beings need to look at these things,
   in the end, in order to be able to react to each of them properly
   and in a professional fashion?  If so, then how does the additional
   automation of a web form even provide any real or useful service to
   *either* the originator of an abuse report *or* to the sender of
   such a report?  It doesn't, clearly.  It is just a way of maximally
   inconveniencing the originators of abuse reports, and thus to
   quite apparently deter them from reporting AT ALL.

   In fact, for me, any time a provider says to me "Oh, you need to
   use our web form to report that" I take any such statement as a
   nearly 100% reliable indicator that the 

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Ronald F. Guilmette
In message <0a339f88-8746-458d-a868-7bd3058b8...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>I see it in the other way around. Forms are not useful at all. You need to
>manually fill in the form, unless you modify the automated reporting tools for
>“each” “form-holder”. Many of them also ask you to create an account in their
>ticketing system, but because you’re not their customer, you actually can’t do
>it, or can’t use it, etc. … When I tried to follow the steps, with major
>datacenters, such as OVH (one very common hoster of “bad” customers, not to say
>criminals), they never solve the issues, or you can’t see the “results” of the
>investigation (I tend to think that never investigated in fact …).

It's really too bad that this WG could never even agree to define the term
"abuse".

If there was a definition of "abuse", then perhaps some further forward
movement would be possible, specifically, as should be obvious from what
Jordi posted (which reflects the common and shared experience of most of
us) if we had a definition of "abuse" to start from, then we might be
able to move on to developing a Best Practices document for -responding-
to various kinds of abuse reports.

It's crystal clear, and has been already for many many years, that many
networks are so far away from what might be called "optimal" abuse report
handling that many are actually doing things that not only do not prevent
or deter abuse, but rather, the actions of some networks are actually and
actively encouraging, fostering, and supporting abuse.

Unlike the present situation here on earth, on any sane planet there would
at least be some generally agreed upon yardstick that would allow the
community to say definitively, and based on evidence, that "Provider X is
doing a perfectly abysmal job of handling abuse reports" or conversely that
"Provider Y is doing a fine job of professionally handling abuse reports."
Unfortunately, as of now, here on planet earth we can only share unscientific
anecdotes and (possibly biased) personal opinions.


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Cynthia Revström via anti-abuse-wg
Hi Ronald,

You would find one example if you looked at my second email in the thread,
but I am re-sending for your convenience.
> Also to clarify these emails in particular were complete nonsense such as
> "I am under ddos from you, please help" with no other details.
> They were also sent with invalid SPF, and I don't think the from
> addresses were actually the senders.

The others were similar, just one sentence, like "Please check the attached
abuse report pdf" with no attachments.
And due to me being almost entirely certain the addresses in the "from"
headers not being the actual sender, I did not reply asking for more
information.

For the next time, especially for such a short thread, please look
beyond the first message before questioning my determination in this way.

-Cynthia


On Sun, Feb 21, 2021 at 1:13 AM Ronald F. Guilmette 
wrote:

> In message
> <cakw1m3nkecdjlwzopmfwgd+vs50pkgieoz1rgbauvpd1d9k...@mail.gmail.com>
> Cynthia Revström  wrote:
>
> >For some context, today and yesterday I have been receiving spam in the
> >form of fake abuse notices to my abuse contact email address.
>
>
> Example please?
>
> In what sense are these "fake"?
>
>
> Regards,
> rfg
>
>


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-20 Thread Ronald F. Guilmette
In message 
Cynthia Revström  wrote:

>For some context, today and yesterday I have been receiving spam in the
>form of fake abuse notices to my abuse contact email address.


Example please?

In what sense are these "fake"?


Regards,
rfg



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Volker Greimann
Blocking abusive users of the abuse contact address is common practice as
they essentially prevent effective and timely reaction to the actual abuse
cases.
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for
the person(s) directly addressed. If you are not the intended recipient,
any use, copying, transmission, distribution, or other forms of
dissemination is strictly prohibited. If you have received this email in
error, please notify the sender immediately and permanently delete this
email with any files that may be attached.




On Thu, Feb 18, 2021 at 9:08 PM JORDI PALET MARTINEZ via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> The policy proposal was precisely suggesting XARF, not enforcing it.
>
> It is the smarter and cheaper way to resolve the problem for everyone.
>
> I usually send (automated) in order of 1.000-1.500 abuse reports per day.
> It will be impossible to handle even just 1% if I need to fill-in forms.
> I'm sure I'm not alone on that.
>
> If you want to keep the forms, they can still exist, just provide the XARF
> for automatically filling the form.
>
> There is no way to assume that victims must pay for the cost of abuse
> reporting. We will need to scale this to governments and consumer
> associations at some point. I will much prefer that the technical community
> is able to avoid that and resolve in a smarter way.
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> On 18/2/21 21:01, "anti-abuse-wg on behalf of John Levine" <
> anti-abuse-wg-boun...@ripe.net on behalf of jo...@taugh.com> wrote:
>
> In article <
> db8pr09mb3324537f4168bea955a0ab07cd...@db8pr09mb3324.eurprd09.prod.outlook.com>
> you write:
> >Abuse reports are a nuisance – anyone who thinks otherwise needs to
> >get their head examined.
>
> Of course they are.  But abuse from your customers is a nuisance, too,
> and if you have any sense you will welcome reports about it so you can
> fix the problem before everyone else blocks you in self-defense.
>
> >However a lot of us will deal with abuse reports, but will not put up
> >with people telling us how we should receive them.
>
> There are standard ways to send abuse reports, like ARF defined in RFC
> 5965 and IODEF defined in RFC 7970. Smart people realize that when we
> send you an abuse report, we are doing it for your benefit, and you
> will accept them.
>
> Report web forms are out of the question because they do not scale. I
> send about a hundred abuse reports a day about spam received from all
> over the Internet, and I have no interest in using your form or anyone
> else's to make a manual special case for under 1% of my reports.
>
> R's,
> John
>
>
>
>
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the exclusive use of
> the individual(s) named above and further non-explicitly authorized
> disclosure, copying, distribution or use of the contents of this
> information, even if partially, including attached files, is strictly
> prohibited and will be considered a criminal offense. If you are not the
> intended recipient be aware that any disclosure, copying, distribution or
> use of the contents of this information, even if partially, including
> attached files, is strictly prohibited, will be considered a criminal
> offense, so you must reply to the original sender to inform about this
> communication and delete it.
>
>
>
>
>
>


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
The policy proposal was precisely suggesting XARF, not enforcing it.

It is the smarter and cheaper way to resolve the problem for everyone.

I usually send (automated) in order of 1.000-1.500 abuse reports per day. It 
will be impossible to handle even just 1% if I need to fill-in forms. I'm sure 
I'm not alone on that.

If you want to keep the forms, they can still exist, just provide the XARF for 
automatically filling the form.

There is no way to assume that victims must pay for the cost of abuse 
reporting. We will need to scale this to governments and consumer associations 
at some point. I will much prefer that the technical community is able to avoid 
that and resolve in a smarter way.

Regards,
Jordi
@jordipalet
 
 

On 18/2/21 21:01, "anti-abuse-wg on behalf of John Levine" wrote:

In article 

 you write:
>Abuse reports are a nuisance – anyone who thinks otherwise needs to get
>their head examined.

Of course they are.  But abuse from your customers is a nuisance, too, and
if you have any sense you will welcome reports about it so you can fix the
problem before everyone else blocks you in self-defense.

>However a lot of us will deal with abuse reports, but will not put up
>with people telling us how we should receive them.

There are standard ways to send abuse reports, like ARF defined in RFC
5965 and IODEF defined in RFC 7970. Smart people realize that when we
send you an abuse report, we are doing it for your benefit, and you
will accept them.

Report web forms are out of the question because they do not scale. I
send about a hundred abuse reports a day about spam received from all
over the Internet, and I have no interest in using your form or anyone
else's to make a manual special case for under 1% of my reports.

R's,
John











Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread John Levine
In article 

 you write:
>Abuse reports are a nuisance – anyone who thinks otherwise needs to get their
>head examined.

Of course they are.  But abuse from your customers is a nuisance, too, and if
you have any sense you will welcome reports about it so you can fix the problem
before everyone else blocks you in self-defense.

>However a lot of us will deal with abuse reports, but will not put up
>with people telling us how we should receive them.

There are standard ways to send abuse reports, like ARF defined in RFC
5965 and IODEF defined in RFC 7970. Smart people realize that when we
send you an abuse report, we are doing it for your benefit, and you
will accept them.

Report web forms are out of the question because they do not scale. I
send about a hundred abuse reports a day about spam received from all
over the Internet, and I have no interest in using your form or anyone
else's to make a manual special case for under 1% of my reports.

R's,
John



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Any provider can do whatever he wishes, no problem on that, but then the others 
can filter that network and then explain the customers about that.

Hopefully at some point the governments, consumer associations, etc. will play 
a role on that, because it looks to me, based on actual experience, is mainly 
the organizations in RIPE region who deny the evidence.

Regards,
Jordi
@jordipalet

On 18/2/21 18:53, "Michele Neylon - Blacknight" wrote:

Jordi

At least you are consistent in your belief that you can dictate how we all run 
our businesses

I can’t and won’t comment on providers who are unresponsive etc., but I 
sincerely doubt that the medium of the reports has any impact on that.

I will note, however, that other providers who use forms do so in order that 
they can collect all the evidence they need in one place at one time.

However you cannot dictate to me how we will accept reports. If we decide that 
all reports need to go via form so that they can be routed to the correct place 
then that is our decision and you can either cooperate or not.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: anti-abuse-wg  on behalf of JORDI PALET 
MARTINEZ via anti-abuse-wg 
Date: Thursday, 18 February 2021 at 15:59
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox

I see it in the other way around. Forms are not useful at all. You need to 
manually fill in the form, unless you modify the automated reporting tools for 
“each” “form-holder”. Many of them also ask you to create an account in their 
ticketing system, but because you’re not their customer, you actually can’t do 
it, or can’t use it, etc. … When I tried to follow the steps, with major 
datacenters, such as OVH (one very common hoster of “bad” customers, not to say 
criminals), they never solve the issues, or you can’t see the “results” of the 
investigation (I tend to think that never investigated in fact …).

Most of the abuse reports that we send by email are responded, typically 
automatically, and there is a reaction to them *when* we have already attached 
the relevant logs.

The problem continues to be those that don’t get the emails, bounce, don’t read 
them, etc., or force to fill the forms. In those case, we just permanently ban 
the full ranges, if the abuse continues. No other way. We keep records of all 
that, in case of legal issues, so to be able to probe the ignorance of the 
abuse-mailbox.

Regards,
Jordi
@jordipalet

On 18/2/21 16:41, "anti-abuse-wg on behalf of Javier Martín" wrote:

Hello.

The subject of abuse emails are, with few exceptions, a useless thing, it 
depends on the good faith of the recipient.
For our part, we continue to have servers from large companies attacking us for 
more than 6 months and after dozens of emails no one has helped us.

Regards.
Javier

On 18/02/2021 16:33:07, Michele Neylon - Blacknight via anti-abuse-wg wrote:

Hans-Martin

I’d disagree

For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.

Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.

However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.

Regards

Michele


From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox

On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.

At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to fi

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Michele Neylon - Blacknight via anti-abuse-wg
Jordi

At least you are consistent in your belief that you can dictate how we all run 
our businesses

I can’t and won’t comment on providers who are unresponsive etc., but I 
sincerely doubt that the medium of the reports has any impact on that.

I will note, however, that other providers who use forms do so in order that 
they can collect all the evidence they need in one place at one time.

However you cannot dictate to me how we will accept reports. If we decide that 
all reports need to go via form so that they can be routed to the correct place 
then that is our decision and you can either cooperate or not.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: anti-abuse-wg  on behalf of JORDI PALET 
MARTINEZ via anti-abuse-wg 
Date: Thursday, 18 February 2021 at 15:59
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
I see it in the other way around. Forms are not useful at all. You need to 
manually fill in the form, unless you modify the automated reporting tools for 
“each” “form-holder”. Many of them also ask you to create an account in their 
ticketing system, but because you’re not their customer, you actually can’t do 
it, or can’t use it, etc. … When I tried to follow the steps, with major 
datacenters, such as OVH (one very common hoster of “bad” customers, not to say 
criminals), they never solve the issues, or you can’t see the “results” of the 
investigation (I tend to think that never investigated in fact …).

Most of the abuse reports that we send by email are responded, typically 
automatically, and there is a reaction to them *when* we have already attached 
the relevant logs.

The problem continues to be those that don’t get the emails, bounce, don’t read 
them, etc., or force to fill the forms. In those case, we just permanently ban 
the full ranges, if the abuse continues. No other way. We keep records of all 
that, in case of legal issues, so to be able to probe the ignorance of the 
abuse-mailbox.

Regards,
Jordi
@jordipalet



On 18/2/21 16:41, "anti-abuse-wg on behalf of Javier Martín" 
<anti-abuse-wg-boun...@ripe.net on behalf of javier.mar...@centrored.net> 
wrote:

Hello.

The subject of abuse emails are, with few exceptions, a useless thing, it 
depends on the good faith of the recipient.
For our part, we continue to have servers from large companies attacking us for 
more than 6 months and after dozens of emails no one has helped us.

Regards.
Javier

On 18/02/2021 16:33:07, Michele Neylon - Blacknight via anti-abuse-wg wrote:
Hans-Martin

I’d disagree

For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.

Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.

However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.

Regards

Michele



From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.


At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I see it in the other way around. Forms are not useful at all. You need to 
manually fill in the form, unless you modify the automated reporting tools for 
“each” “form-holder”. Many of them also ask you to create an account in their 
ticketing system, but because you’re not their customer, you actually can’t do 
it, or can’t use it, etc. … When I tried to follow the steps, with major 
datacenters, such as OVH (one very common hoster of “bad” customers, not to say 
criminals), they never solve the issues, or you can’t see the “results” of the 
investigation (I tend to think that they never investigated, in fact …).

Most of the abuse reports that we send by email are responded to, typically 
automatically, and there is a reaction to them *when* we have already attached 
the relevant logs.

The problem continues to be those that don’t get the emails, bounce, don’t read 
them, etc., or force you to fill in the forms. In those cases, we just permanently ban 
the full ranges, if the abuse continues. No other way. We keep records of all 
that, in case of legal issues, so as to be able to prove the ignorance of the 
abuse-mailbox.

 

Regards,
Jordi
@jordipalet

On 18/2/21 16:41, "anti-abuse-wg on behalf of Javier Martín" wrote:

 

Hello.

The subject of abuse emails is, with few exceptions, a useless thing; it 
depends on the good faith of the recipient.

For our part, we continue to have servers from large companies attacking us for 
more than 6 months and after dozens of emails no one has helped us.

Regards.
Javier

On 18/02/2021 16:33:07, Michele Neylon - Blacknight via anti-abuse-wg wrote:

Hans-Martin

I’d disagree

For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.

Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.

However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

 

From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox

On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.

 

At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to informative and verifiable abuse reports with 
timely and appropriate replies and, above all, actions.

Cheers,
Hans-Martin




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Michele Neylon - Blacknight via anti-abuse-wg
Javier

I can well imagine.

We’ve been hit with multiple phishing attacks and getting some companies to 
respond AND take action was painful.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: Javier Martín 
Date: Thursday, 18 February 2021 at 15:40
To: Michele Neylon - Blacknight , Hans-Martin Mosner 
, Michele Neylon - Blacknight via anti-abuse-wg 

Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
Hello.

The subject of abuse emails is, with few exceptions, a useless thing; it 
depends on the good faith of the recipient.
For our part, we continue to have servers from large companies attacking us for 
more than 6 months and after dozens of emails no one has helped us.

Regards.
Javier

On 18/02/2021 16:33:07, Michele Neylon - Blacknight via anti-abuse-wg wrote:
Hans-Martin

I’d disagree

For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.

Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.

However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.


At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to informative and verifiable abuse reports with 
timely and appropriate replies and, above all, actions.

Cheers,
Hans-Martin



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Javier Martín
Hello.

The subject of abuse emails is, with few exceptions, a useless thing; it 
depends on the good faith of the recipient.
For our part, we continue to have servers from large companies attacking us for 
more than 6 months and after dozens of emails no one has helped us.

Regards.
Javier
On 18/02/2021 16:33:07, Michele Neylon - Blacknight via anti-abuse-wg wrote:
Hans-Martin
 
I’d disagree
 
For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.
 
Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.
 
However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.
 
Regards
 
Michele
 
 
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
 
From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:
 
I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.
 
At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...
It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)
There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to informative and verifiable abuse reports with 
timely and appropriate replies and, above all, actions.
Cheers,
Hans-Martin

Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Michele Neylon - Blacknight via anti-abuse-wg
Hans-Martin

I’d disagree

For larger companies the types of abuse reported will go to different places 
and teams. They’re also better for collecting the data you need to be able to 
act on a report.

Abuse reports are a nuisance – anyone who thinks otherwise needs to get their 
head examined.

However a lot of us will deal with abuse reports, but will not put up with 
people telling us how we should receive them.

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: anti-abuse-wg  on behalf of Hans-Martin 
Mosner 
Date: Thursday, 18 February 2021 at 15:27
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Question about spam to abuse inbox
On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.


At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to informative and verifiable abuse reports with 
timely and appropriate replies and, above all, actions.

Cheers,
Hans-Martin


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Hans-Martin Mosner
On 18.02.21 at 15:02, Michele Neylon - Blacknight via anti-abuse-wg wrote:
>
> I know quite a few companies now use specific forms for handling reports of 
> different types of reports and have moved away from email almost entirely, 
> which makes a lot of sense.
>
At the risk of derailing this interesting and useful topic, I have to disagree 
with the use of forms to report abuse. In the cases I've seen, those forms are 
hard to find, are a burden to fill out, require me to add information that is 
completely irrelevant to the abuse incident, and don't allow me to add relevant 
information (such as a complete mail header). Not getting a response only adds 
to the feeling that I've wasted my time...

It may make a lot of sense for companies who see abuse reports as a nuisance, 
though :-)

There are better ways to increase the quality of abuse reports received. The 
best is to respond positively to informative and verifiable abuse reports with 
timely and appropriate replies and, above all, actions.

Cheers,
Hans-Martin



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Cynthia,

 

I got that, sorry for not having been clear. I was just expanding on what I think 
should not be done even if some resource-holders do (any kind of filtering of 
what’s allowed to come in to the abuse mailbox).

With fail2ban you can for example:

1. Detect intrusion attempts (SMTP, SSH, FTP, SIP, DNS, etc.), and decide if you 
   consider an intrusion attempt something that retries more than 5 times in 10 
   minutes.
2. Then you send the abuse report.
3. And block that IP for 8 hours.
4. If the IP retries after that, then you can define that for “n” retries in “m” 
   minutes, the IP is banned for 8 days … and so on.

You could also configure it so warnings of “whatever” are internally sent to 
the relevant staff for manual handling.

 

One possible measure that you can take is to send an automated email such as 
“if you haven’t sent sufficient logs/details to investigate the case … your 
email will be ignored, so please resend it if x and y, at least, are missing”. 
If they continue to send emails without those details, either via an 
autoresponder or manually, send them a message to inform that due to the high 
volume of abuse reports without the relevant information, you are forced to ban 
them for “n days”.

 

I think this is at the end very dependent on your own case, resources 
available, etc., but agree, everything on this discussion is useful!

 

Regards,
Jordi
@jordipalet

On 18/2/21 15:06, "Cynthia Revström" wrote:

 

Hi Jordi,

 

Sorry I was probably a bit unclear, I don't filter based on content for the 
abuse inbox.

But as I don't filter based on content, I feel like in some cases I need to 
sort of have manual fail2ban.

 

I really like your point though and I don't know how I blanked out on a 
temporary block being a potential solution.

Because the main thing I was afraid of is, what if another one of their 
customers gets this address and actually has legitimate abuse emails?

But temporarily blocking the sender is a good enough solution to me at least 
considering the very low volume of abuse emails I get on a regular basis.

 

Also to clarify these emails in particular were complete nonsense such as "I am 
under ddos from you, please help" with no other details.

They were also sent with invalid SPF, and I don't think the from addresses were 
actually the senders.

 

Also just a few minutes ago, the abuse contact replied saying that they had 
taken action so I hope this specific case is now fixed.

I still think it is/was a useful topic though as there might be less obvious 
situations or situations where the abuse contact of the sender doesn't 
cooperate.


-Cynthia

 

 

On Thu, Feb 18, 2021 at 1:58 PM JORDI PALET MARTINEZ via anti-abuse-wg wrote:

In my experience, this is something you need to live with, and not filter 
anything in the spam folder.

 

Why? Because it can be real spam (and then you can use the abuse contact of the 
resource-holder for the addresses where the spam is coming from), when you 
report abuse cases, to facilitate the work of the involved parties, you should 
be allowed to attach or include headers, logs, etc. that prove that it is an 
abuse (from your perspective).

 

If you filter that, then you will not receive many abuse reports …

 

For example, some abuse mailboxes filter specific URLs or domains. If the 
header contains such domain, how are you going to be able to send that?

 

I use fail2ban and block automatically specific IP addresses or ranges once the 
abuse has been reported and keeps repeating. Depending on the frequency of the 
repetitions, how many, etc., etc., I could increase automatically from a few 
hours to days or weeks the banning.

 

Regards,

Jordi

@jordipalet

 

 

 

On 18/2/21 13:40, "anti-abuse-wg on behalf of Cynthia Revström via 
anti-abuse-wg" wrote:

 

Hi aa-wg,

 

For some context, today and yesterday I have been receiving spam in the form of 
fake abuse notices to my abuse contact email address.

 

Is there a generally accepted standard for when it's okay to block an address 
or a prefix from emailing your abuse contact?

 

I consider being able to contact the abuse email address of a network a rather 
important function, so I prefer not to block it.

But also as I have more relaxed spam filters for the abuse contact to make sure 
nothing gets lost, it feels like blocking the address/prefix is my only option 
other than manually filtering through these emails (10 so far in total, today 
and yesterday).

 

So back to the question, is there a generally accepted point at which blocking 
an address/prefix is fine?

 

Thanks,
-Cynthia



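The following is an added example, not code from any poster in this thread: a sender-keyed, fail2ban-style temporary block for an abuse mailbox, combining the "ask for details, then ban for n days" measure and the escalating bans described in the message above. The thresholds reuse that message's 5-in-10-minutes, 8-hour and 8-day figures; applying them to mail senders, the evidence check, and all names and sample reports are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Figures reused from the fail2ban description above; applying them to mail
# senders is an assumption of this example.
MAX_BAD = 5                                      # insufficient reports tolerated ...
WINDOW = timedelta(minutes=10)                   # ... within this window
BANS = [timedelta(hours=8), timedelta(days=8)]   # first ban, then repeat bans

CLOCK = re.compile(r"\b\d{2}:\d{2}:\d{2}\b")     # any HH:MM:SS timestamp
TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")         # candidate IPv4/IPv6 literals

# Constructed sample reports; BAD is the kind of notice quoted in the thread.
GOOD = "SSH brute force from 192.0.2.10, first seen 2021-02-18 12:03:11 UTC, log attached."
BAD = "I am under ddos from you, please help"


def _is_ip(token: str) -> bool:
    """Accept a token as an IP literal, tolerating trailing punctuation."""
    for candidate in (token, token.rstrip(".:")):
        try:
            ipaddress.ip_address(candidate)
            return True
        except ValueError:
            pass
    return False


def has_evidence(body: str) -> bool:
    """True if the report names at least one IP address and one timestamp.

    Only the presence of details is checked. URLs, domains and wording are
    never matched, so a report that quotes abusive content is not filtered.
    """
    return bool(CLOCK.search(body)) and any(_is_ip(t) for t in TOKEN.findall(body))


@dataclass
class Sender:
    bad: list = field(default_factory=list)   # times of recent insufficient reports
    banned_until: datetime = datetime.min
    bans: int = 0                             # bans issued so far


class AbuseInbox:
    def __init__(self):
        self.senders = {}
        self.audit = []      # every message is recorded, including rejected ones

    def receive(self, envelope_from: str, body: str, now: datetime) -> str:
        """Return 'queue', 'ask_details', 'ban' or 'rejected' for one message."""
        key = envelope_from.strip().lower()
        s = self.senders.setdefault(key, Sender())
        if now < s.banned_until:
            decision = "rejected"             # temporary: lapses at banned_until
        elif has_evidence(body):
            decision = "queue"                # actionable, goes to a human
        else:
            s.bad = [t for t in s.bad if now - t < WINDOW] + [now]
            if len(s.bad) > MAX_BAD:          # "more than 5 times in 10 minutes"
                s.banned_until = now + BANS[min(s.bans, len(BANS) - 1)]
                s.bans += 1
                s.bad = []
                decision = "ban"              # tell the sender, then reject
            else:
                decision = "ask_details"      # autoresponse asking for logs
        self.audit.append((now, key, decision))
        return decision


def demo():
    """Replay constructed traffic and return the decisions in order."""
    t0 = datetime(2021, 2, 18, 12, 0, 0)
    box = AbuseInbox()
    out = [box.receive("joe@example.net", BAD, t0 + timedelta(minutes=i)) for i in range(6)]
    out.append(box.receive("joe@example.net", GOOD, t0 + timedelta(hours=1)))   # still banned
    out.append(box.receive("ann@example.org", GOOD, t0 + timedelta(hours=1)))   # other sender
    out.append(box.receive("joe@example.net", GOOD, t0 + timedelta(hours=9)))   # ban lapsed
    return out


if __name__ == "__main__":
    print(demo())
```

Because the ban expires, a later legitimate report from the same address is queued again, which addresses the concern about a new holder of a blocked address. Where the sender address is likely forged, as with the SPF-failing notices mentioned in the thread, the same bookkeeping can be keyed on the connecting address or prefix instead.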
Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Michele Neylon - Blacknight via anti-abuse-wg
Cynthia

We’ve had to block some services from our abuse mailbox as they were sending us 
an insane volume of low quality reports.

I’m not sure what the cut off point would be, but we’ve tried to engage with 
some of these services in the past and they never reply so they’re basically 
spammers as far as we’re concerned and dealing with their useless reports was a 
waste of our resources.

I know quite a few companies now use specific forms for handling reports of 
different types of reports and have moved away from email almost entirely, 
which makes a lot of sense.

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: anti-abuse-wg  on behalf of Cynthia 
Revström via anti-abuse-wg 
Date: Thursday, 18 February 2021 at 12:40
To: anti-abuse-wg@ripe.net 
Subject: [anti-abuse-wg] Question about spam to abuse inbox
Hi aa-wg,

For some context, today and yesterday I have been receiving spam in the form of 
fake abuse notices to my abuse contact email address.

Is there a generally accepted standard for when it's okay to block an address 
or a prefix from emailing your abuse contact?

I consider being able to contact the abuse email address of a network a rather 
important function, so I prefer not to block it.
But also as I have more relaxed spam filters for the abuse contact to make sure 
nothing gets lost, it feels like blocking the address/prefix is my only option 
other than manually filtering through these emails (10 so far in total, today 
and yesterday).

So back to the question, is there a generally accepted point at which blocking 
an address/prefix is fine?

Thanks,
-Cynthia


Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Ángel González Berdasco
Hello all

First of all, I'm glad Cynthia opened this discussion, as it's a
typical complaint for requiring abuse mailboxes. It's good to have a
healthy discussion about that.

With regards to the query itself, I do think it is acceptable to block
the sending email. If after manual inspection those messages have
absolutely no reason to be there (automatically sent spamming mails), I
think it may be ok to block further messages from that sender.

You could do as Jordi suggests and notify the abuse contact of the
sender as well, warning them that you may proceed to block further
messages from that sender (so at least you warned them, even though
it's probably ignored).

As for the block itself, I can see reasons for doing it both at the
incoming MTA, so it shows a rejection reason on why they are not
allowed access to the abuse mailbox, or at the last level, where the
email is received and stored (so you have those evidences if needed)
but otherwise ignored.


Please note that blocking based on the sender (mail envelope or From:
header) after evidence of directly being spammed from them is quite
different than filtering based on *content*.
That one is much more problematic, since those filters would typically
match as well reports of such abuse coming from your network, which
is precisely the kind of thing you want to be reported. Not to mention
the irony that you send those mails but would avoid receiving them
yourself.
I'm not aware of a way of telling apart the real abusive message vs
someone reporting the abuse message (especially when sent by end-users). 
You could try to detect specific cases, but I suspect that would still
be prone to false positives.


Best regards


On Thu, 18-02-2021 at 13:57 +0100, JORDI PALET MARTINEZ wrote:
> In my experience, this is something you need to live with, and not
> filter anything in the spam folder.
>  
> Why? Because it can be real spam (and then you can use the abuse
> contact of the resource-holder for the addresses where the spam is
> coming from), when you report abuse cases, to facilitate the work of
> the involved parties, you should be allowed to attach or include
> headers, logs, etc. that prove that it is an abuse (from your
> perspective).
>  
> If you filter that, then you will not receive many abuse reports …
>  
> For example, some abuse mailboxes filter specific URLs or domains. If
> the header contains such domain, how are you going to be able to send
> that?
>  
> I use fail2ban and block automatically specific IP addresses or
> ranges once the abuse has been reported and keeps repeating.
> Depending on the frequency of the repetitions, how many, etc., etc.,
> I could increase automatically from a few hours to days or weeks the
> banning.
>  
> Regards,
> Jordi
> 
> @jordipalet
> 
>  
> 
>  
>  
> On 18/2/21 13:40, "anti-abuse-wg on behalf of Cynthia Revström via
> anti-abuse-wg"  anti-abuse-wg@ripe.net> wrote:
>  
> Hi aa-wg,
>  
> For some context, today and yesterday I have been receiving spam in
> the form of fake abuse notices to my abuse contact email address.
>  
> Is there a generally accepted standard for when it's okay to block an
> address or a prefix from emailing your abuse contact?
>  
> I consider being able to contact the abuse email address of a
> network a rather important function, so I prefer not to block it.
> But also as I have more relaxed spam filters for the abuse contact to
> make sure nothing gets lost, it feels like blocking the
> address/prefix is my only option other than manually filtering
> through these emails (10 so far in total, today and yesterday).
>  
> So back to the question, is there a generally accepted point at which
> blocking an address/prefix is fine?
>  
> Thanks,
> -Cynthia
> 



Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
In my experience, this is something you need to live with, and not filter 
anything in the spam folder.

 

Why? Because it can be real spam (and then you can use the abuse contact of the 
resource-holder for the addresses where the spam is coming from), when you 
report abuse cases, to facilitate the work of the involved parties, you should 
be allowed to attach or include headers, logs, etc. that prove that it is an 
abuse (from your perspective).

 

If you filter that, then you will not receive many abuse reports …

 

For example, some abuse mailboxes filter specific URLs or domains. If the 
header contains such domain, how are you going to be able to send that?

 

I use fail2ban and block automatically specific IP addresses or ranges once the 
abuse has been reported and keeps repeating. Depending on the frequency of the 
repetitions, how many, etc., etc., I could increase automatically from a few 
hours to days or weeks the banning.

 

Regards,

Jordi

@jordipalet

 

 

 

On 18/2/21 13:40, "anti-abuse-wg on behalf of Cynthia Revström via 
anti-abuse-wg" wrote:

 

Hi aa-wg,

 

For some context, today and yesterday I have been receiving spam in the form of 
fake abuse notices to my abuse contact email address.

 

Is there a generally accepted standard for when it's okay to block an address 
or a prefix from emailing your abuse contact?

 

I consider being able to contact the abuse email address of a network a rather 
important function, so I prefer not to block it.

But also as I have more relaxed spam filters for the abuse contact to make sure 
nothing gets lost, it feels like blocking the address/prefix is my only option 
other than manually filtering through these emails (10 so far in total, today 
and yesterday).

 

So back to the question, is there a generally accepted point at which blocking 
an address/prefix is fine?

 

Thanks,
-Cynthia






[anti-abuse-wg] Question about spam to abuse inbox

2021-02-18 Thread Cynthia Revström via anti-abuse-wg
Hi aa-wg,

For some context, today and yesterday I have been receiving spam in the
form of fake abuse notices to my abuse contact email address.

Is there a generally accepted standard for when it's okay to block an
address or a prefix from emailing your abuse contact?

I consider being able to contact the abuse email address of a network a
rather important function, so I prefer not to block it.
But also as I have more relaxed spam filters for the abuse contact to make
sure nothing gets lost, it feels like blocking the address/prefix is my
only option other than manually filtering through these emails (10 so far
in total, today and yesterday).

So back to the question, is there a generally accepted point at which
blocking an address/prefix is fine?

Thanks,
-Cynthia