I just made a number of abuse complaints to a provider, and then, after contacting the abuse #,
I got told that they don’t use abuse@ anymore, that abuse.cc is the new email address.
Correct me if I am wrong, but isn’t this against RFC current practice?
I won’t name the provider, and have emailed hostmaster@arin since they have the wrong abuse on their WHOIS…
Hm. Send the RFC police after them :-/... fact is that there are plenty
of domains that do not even have an abuse@ e-mail address. Never mind
the ones that don't accept any abuse/security related e-mail and instead
direct you to a web form.
(personal favorite: mail bouncing from abuse@ due to mailbox full)
Providers don't seem to care about RFC or abuse@ anymore...
Belgium's biggest ISP (skynet.be) is rfc-ignorant as well. They have a
spam problem (refuse to close down spammers, a lot of the dsl customers
have open relays or open proxies, no action whatsoever has been taken).
Because of this, they get huge amounts of complaints to abuse@skynet.be.
They couldn't handle it anymore, and redirected the senders to a webform
where you have to fill in your complaint.
They don't care about having a spam problem, they don't care about being
rfc-ignorant, because they know that every isp in Belgium that does
spam-filtering, is whitelisting them because they are the biggest isp in
town...
I hate to play devil's advocate here, but I've been on the receiving end
of the abuse@ complaints that became unmanageable. The bulk of them
consisting of:
"Your user at x.x.x.x attacked me!" (And this is sometimes the
nameserver:53 or mailserver:113)
This is not a log file, or a source/destination port. The most commonly
left out item was Time/Time zone. The company I worked for at the time did
not harbor spammers. These were open relays, public proxies, & all
around poorly configured/maintained machines. The size of our customer
base, however, prevented a personal reply to all of them that said: "You
left out X, please try again."
With a legitimate desire to address valid complaints against customers, we
started bouncing back an acknowledgment msg that said simply if you don't
provide us all of the following, we won't reply and request it, your
submission will be ignored. We also set up an abuse-esc@ that would
circumvent the ack msg.
Problem is/was people don't read the bounce back. I know this isn't the
case with all of the abuse@ addresses, but we talked about creating a web
form for submission so we could smack the submitter on the head when they
left out relevant information.
Another aspect of the social spam problem trying to be resolved through
technical means.
Perhaps proposed ARIN policy 2003-1b can help with this. If you aren't
familiar with it, I suggest reviewing it. I'm trying to gather support
and consensus for it for the meeting next week in Memphis.
It only targets ARIN, but if we can get it successfully implemented by
ARIN, perhaps the other RIRs will follow suit.
We added this to the auto-reply of our abuse@ address:
--- cut - here ----
For complaints of port scanning or supposed hacking attempts,
complete logs of the abuse are required. At a minimum, a log
of abuse contains the time (including time zone) it happened,
the hosts/ips involved and the ports involved.
Please note that we received a large number of false complaints from people
using personal firewall programs regarding port scanning. If you are
submitting a complaint based on the logs from one of these programs we
highly suggest you to read the following:
The abuse guys concentrate on spam reports, open-relay reports and
sometimes port scanning reports from proper admins (these are easy to
spot). Junk from dshield.org and the like is pushed to the bottom of the
priority list. There are just too many random packets flying about for the
personal firewall reports to be useful.
The other problem is it's hard to act against a client based on one packet
received by some person on the other side of the world running a program
they don't understand. At least with spam reports you'll get several
independent reports with full headers and if they use our servers we'll
even have our own logs.
Well... I guess we'll have to see. If you've got a better alternative, I'm
all ears. One thing that is certain... Without a policy, it cannot be
enforced.
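
The minimum-content rule quoted in the auto-reply above (time including time zone, hosts/IPs involved, ports involved) can be checked mechanically before a complaint reaches a human. The following is an added example, not part of the original thread or any poster's tooling; the function name, the patterns and the sample reports are assumptions constructed for illustration.

```python
import ipaddress
import re

# Clock time not glued to an IP or port ("10:53" inside "192.0.2.10:53" is skipped).
TIME_ANY = re.compile(r"(?<![\d.:])\d{1,2}:\d{2}(?::\d{2})?\b")
# The same clock time followed by a zone: Z, UTC, GMT, a common abbreviation
# or a numeric offset such as -0400 / +01:00.
TIME_TZ = re.compile(
    r"(?<![\d.:])\d{1,2}:\d{2}(?::\d{2})?\s?"
    r"(?:Z|UTC|GMT|[ECMP][SD]T|CES?T|[+-]\d{2}:?\d{2})\b"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Ports written as "port 25", "SPT=4312", "DPT=113" or appended as "ip:port".
PORT = re.compile(
    r"\b(?:port|spt|dpt)\s*[=:]?\s*(\d{1,5})\b|(?:\d{1,3}\.){3}\d{1,3}:(\d{1,5})\b",
    re.IGNORECASE,
)


def _valid_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def missing_fields(report):
    """Return the required items the complaint text does not contain."""
    missing = []
    if not TIME_TZ.search(report):
        # Distinguish "no time at all" from the commonly omitted time zone.
        missing.append("time zone" if TIME_ANY.search(report) else "time")
    if not any(_valid_ip(m) for m in IPV4.findall(report)):
        missing.append("hosts/IPs")
    ports = [int(a or b) for a, b in PORT.findall(report)]
    if not any(0 < p <= 65535 for p in ports):
        missing.append("ports")
    return missing


# Constructed sample complaints (documentation address ranges).
COMPLETE = "2003-10-14 03:12:45 -0400 DROP TCP 192.0.2.10:4312 -> 198.51.100.7:25"
NO_ZONE = "Oct 14 03:12:45 fw kernel: SRC=192.0.2.10 DST=198.51.100.7 SPT=4312 DPT=113"
VAGUE = "Your user at x.x.x.x attacked me!"

if __name__ == "__main__":
    for sample in (COMPLETE, NO_ZONE, VAGUE):
        print(missing_fields(sample) or "complete", "<-", sample)
```

A non-empty result is what a web form or auto-responder would send back to the submitter in place of a generic acknowledgment.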