Re: adviCe on network security report

2006-11-03 Thread Sean Donelan


On Thu, 2 Nov 2006, Robert Boyle wrote:
> someone who can help. I wish abuse was used as intended instead of by every
> idiot programmer and script writer for their own helpful stuff we never
> asked for nor does it help us at all nor does it help the users.


Unfortunately that is a problem with every public reporting channel.  Most
9-1-1 (or your national equivalent) centers report a majority of their
calls are non-emergencies.  In many cities the police will not respond
to automatic dialers calling 9-1-1 because of the extremely high false
reporting rate, or put them at a very low, low response priority.  Most
of the complaints the FCC gets about television and radio programming are
from people who have never seen or heard the program they are complaining
about.

ISP abuse desks, US congressional offices, etc. have all implemented things
which make contacting them by e-mail harder due to the automatic-idiot
problems.  There are effective ways to contact your congressional office
or ISP abuse desk, and ineffective ways.  When they give suggestions about
the best way to contact them, it's a good idea to listen to what they
recommend if you want to be effective.

If you just want to complain about ISPs not responding, or the police not
finding your stolen car, or 9-1-1 operators refusing calls from your 
automatic alarm system; you are welcome to continue complaining.  It 
probably won't be that effective, but if it makes you feel better go 
ahead.


On the other hand, if you are interested in accomplishing something then
there are different actions you can take.


Re: adviCe on network security report

2006-11-02 Thread J. Oquendo

Sean Donelan wrote:

> Hint, hint, hint.  When the abuse and security folks at ISPs give suggestions
> on how to best work with them, it's sometimes a good idea
> to listen.

What happens when the security folks are absent? This seems to be somewhat of
the case concerning contacting [EMAIL PROTECTED]. Many times it starts there
where someone will contact an abuse department that is likely not monitored.
Let's be realistic here... Before someone shoots off a
your-so-off-topic-whiny-whiny-whiny response. How many here have contacted an
abuse and simply gotten 1) an autoresponder 2) no reply 3) undeliverable 4) no
such account exists as opposed to getting something useful.

> ISP security and abuse folks generally know how bad the problems are. That
> isn't useful to getting their jobs done.  They usually have better
> information about how bad it is than most third-parties.

See my previous sentence... What happens when they see it, shrug off a simple
abuse message that may contain something useful because they're fending off a
DDoS attack or something. Does an abuse message take less precedence than
other security matters? What will ISPs do when someone lashes back and starts
some form of class action lawsuit against an ISP whose engineers repeatedly sat
around and <strike>read NANOG and whined</strike> and did nothing? Is that what
it will take? So I contacted [EMAIL PROTECTED] about some user there stealing
my info, spamming me, doing something illegal, I messaged them 10 times, no
response. How about... I sue them.

> ISP security and abuse teams already receive reports from almost every group
> in existence.  After they process the high priority work, e.g. court orders
> from countries around the world, reports from customers, etc; figuring out
> how to make the security and abuse teams' lives easier is
> the key to getting your complaints to the top of the pile. Rankings of other
> ISPs doesn't change their workload.

Out of curiosity (and I doubt many will respond publicly to this) how many
people have had success versus failure when dealing with abuse issues. I'm
thinking for every answered message sent to abuse (non autoresponder), one will
likely see more than 7-10 failures. Failures include an autoresponse, nothing
ever done, no response ever returned, a response returned a quarter of a
century later...


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


Re: adviCe on network security report

2006-11-02 Thread Gadi Evron

On Thu, 2 Nov 2006, J. Oquendo wrote:
>> ISP security and abuse teams already receive reports from almost every
>> group in existence.  After they process the high priority work, e.g. court
>> orders from countries around the world, reports from customers, etc;
>> figuring out how to make the security and abuse teams' lives easier is
>> the key to getting your complaints to the top of the pile. Rankings of
>> other ISPs doesn't change their workload.
>
> Out of curiosity (and I doubt many will respond publicly to this) how many
> people have had success versus failure when dealing with abuse issues. I'm
> thinking for every answered message sent to abuse (non autoresponder), one
> will likely see more than 7-10 failures. Failures include an autoresponse,
> nothing ever done, no response ever returned, a response returned a quarter
> of a century later...

I believe what Sean said above is key. There are several sources which are
trusted, regular and efficient. myNetwatchmen, SANS ISC, Cymru, the DA
RatOut. Then there are the pull places, such as spamhaus...

Everyone has their favorite, and it works better.

Then come customer complaints, then email reports. If their reports are in
good form and provide with good data (plus are short and to the point),
they will probably get quick attention (as soon as POSSIBLE).

You need to remember these are good folks, who get paid to lose the ISP
money by disconnecting clients...
Some do better, some do worse. Those that do nothing concern me most.

Contributing to one of the projects above (those that allow it) or forming
better complaints is the first step. Identifying the internet bad boys is
second.

Gadi.



Re: adviCe on network security report

2006-11-02 Thread Simon Waters

On Thursday 02 Nov 2006 14:54, you wrote:
>
> I'm thinking for every answered message sent to abuse (non autoresponder),
> one will likely see more than 7-10 failures.

It is a self fulfilling issue. Those abuse desks who deal with the issues you 
rarely end up writing to, those who don't, you inevitably end up writing to.

Which is why you get a better response when raising a new issue, or a small 
issue, with someone who hasn't been notified of it before.

Broach a big established problem like pointing out that Telecom Italia is one
of the worst spewers of advance fee fraud emails on the Internet, and you
can't get anyone to take an interest. If there were anyone who cared, they 
would have done something about it by now. Even the Italian government 
doesn't seem to care about that one.

rfc-ignorant.org exists for a reason.


Re: adviCe on network security report

2006-11-02 Thread Dave Rand

[In the message entitled Re: adviCe on network security report on Nov  2,  
8:54, J. Oquendo writes:]

> Out of curiosity (and I doubt many will respond publicly to this) how many
> people have had success versus failure when dealing with abuse issues. I'm
> thinking for every answered message sent to abuse (non autoresponder), one
> will likely see more than 7-10 failures. Failures include an autoresponse,
> nothing ever done, no response ever returned, a response returned a quarter of
> a century later...

I did a study on this a few years ago.  I sent out about 20,000 abuse reports,
all by hand, to various networks around the world.  They all came from this
email address, and were clearly identified as non-robotic, personal messages.
There were many bounces.

Less than 5% received any response.

Less than 1% received any action within 30 days.

With apologies to Sean, I know that ISP abuse desks are overworked, and
under-empowered.  *MANY* of the abuse desks today use spam content filters (!)
on their abuse desks, which certainly cut down on the number of spam reports
they get!  However, this is an unacceptable way to run, in my personal
opinion.

Part of the problem is scale.  The industry has not given ISPs the tools to
deal with masses of end user computers.  The vast majority of the problems
today are compromised end-user computers.  Many ISPs are unaware, even
at the abuse desk level, of the number of compromised computers on
their networks.  Some ISPs, the exception rather than the norm, do
take an active role in monitoring their networks, and alerting customers
to unusual behavior.  Typically, this is done with custom applications,
usually written in-house.

And yes, the company I work for is working on solutions for this.

-- 


Re: adviCe on network security report

2006-11-02 Thread Sean Donelan


On Thu, 2 Nov 2006, Dave Rand wrote:

> I did a study on this a few years ago.  I sent out about 20,000 abuse reports,
> all by hand, to various networks around the world.  They all came from this
> email address, and were clearly identified as non-robotic, personal messages.
> There were many bounces.
>
> Less than 5% received any response.
>
> Less than 1% received any action within 30 days.

An excellent example of not listening to ISP abuse and security folks, and
what kind of results you get by not working with them.

I don't know why security complaint vendors haven't figured this out. The
music industry complaint vendors were doing a much better job of
listening to ISPs' security and abuse groups and trying to make things work
as smoothly as possible for ISPs.  It's not anywhere near 100%, but they
make the effort to get their reports working within as many different
ISPs' systems as they can.  The financial industry is behind the music
industry, but is also trying to work with ISPs.


I know every ISP is different. Some won't respond to anything. Others will 
do everything possible to figure out your complaint. But listening to the 
ones in the middle, and figuring out how to work with them will probably 
help improve things above 1%.


Because they take so much abuse as part of their normal job, even the
most motivated abuse people don't go out of their way to have more
people shout "You Suck" at them.  On the other hand, I suspect if they
believe you can make their jobs easier and not shout at them, they can be
very gregarious about what they need.


Re: adviCe on network security report

2006-11-02 Thread Dave Rand

[In the message entitled Re: adviCe on network security report on Nov  2, 
16:39, Sean Donelan writes:]
 
 On Thu, 2 Nov 2006, Dave Rand wrote:
  I did a study on this a few years ago.  I sent out about 20,000 abuse 
  reports,
  all by hand, to various network around the world.  They all came from this
  email address, and were clearly identified as non-robotic, personal 
  messages.
  There were many bounces.
 
  Less that 5% received any response.
 
  Less than 1% received any action within 30 days.
 
 An excellent example of not listening to ISP abuse and security folks, and
 what kind of results you get by not working with them.

As mentioned, this was done a few years ago (2000, if I recall correctly).
The idea was to find out what was required, and to deliver a customizable
approach. 

> I know every ISP is different. Some won't respond to anything. Others will
> do everything possible to figure out your complaint. But listening to the
> ones in the middle, and figuring out how to work with them will probably
> help improve things above 1%.
>
> Because they take so much abuse as part of their normal job, even the
> most motivated abuse people don't go out of their way to have more
> people shout "You Suck" at them.  On the other hand, I suspect if they
> believe you can make their jobs easier and not shout at them, they can be
> very gregarious about what they need.

Over the last few years, I have worked with many ISPs.  The majority of the
problems had little to do with the format/style/volume of abuse complaints,
and a lot to do with empowering the abuse desks to take action.  "You
suck" was not an enabling message :-)

And yes, this has made a significant change in how much abuse comes from those
ISPs, so working with the ISPs does pay off.  Often it is essential to gain
upper management's attention, however, so that the abuse desks can be
empowered to take action.

But the security industry is still just beginning to understand the problems
that are faced by an ISP that suddenly gets 40,000 boxes 0wned.  Delivering
tools that help them deal with these types of problems should be our focus.
Bridging the gap is what is required - it isn't the ISP's fault that the
box got owned, but the abuse that comes from that IP address is their
responsibility to mitigate as best as reasonably possible.


-- 


Re: adviCe on network security report

2006-11-02 Thread Robert Boyle


At 05:09 PM 11/2/2006, [EMAIL PROTECTED] (Dave Rand) wrote:

> Over the last few years, I have worked with many ISPs.  The majority of the
> problems had little to do with the format/style/volume of abuse complaints,
> and a lot to do with empowering the abuse desks to take action.  "You
> suck" was not an enabling message :-)


I don't know about other ISP networks because I am only responsible 
for one, but we find the huge volume of garbage/bogus/automated abuse 
messages makes it difficult to find the real abuse issues which we 
need to address. A customer who may be forwarding all their email
including spam to their /bigcommericalisp/ account which is then 
tagged as spam by the same user when it arrives at their account and 
then bounced to [EMAIL PROTECTED] doesn't constitute a valid abuse 
complaint in my mind. An ICMP echo packet received by some random 
idiot online running some broken and poorly designed firewall 
software which says he is being attacked by one of our customers does 
not merit an abuse report or response. However, an infected box on 
our network or a customer with an open smtp relay or an owned box on 
one of our client's transit connections from us does merit a reaction 
and as quickly as possible to limit the damage they can inflict on 
the rest of the community and likewise from a selfish standpoint - 
based on the retaliation which may be directed back at us. We try to 
be good neighbors, but all the garbage we receive makes it difficult 
to be as responsive as I would like. We have our dialup support folks 
check through the abuse box and forward anything which falls into the 
interested bucket to our NOC team. However, it simply doesn't make 
financial sense to have a full time person or people checking through 
the abuse box. When something is a real problem and the person on the 
other end needs a quick response, they can call us or check ARIN for 
netblock contact info. The addresses and numbers listed there will go 
straight to someone who can help. I wish abuse was used as intended 
instead of by every idiot programmer and script writer for their own
helpful stuff we never asked for nor does it help us at all nor 
does it help the users.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Well done is better than well said. - Benjamin Franklin