Abuse@ contacts

Hello,

After a weekend of heavy spam last month, we decided to fire some
reports over to the abuse contacts for each relevant IP or domain - some
US/Europe based, others from more "obscure" locations.

We've not had a reply from any of the reports sent over, other than some
automated bounces. Each report from us contained detailed information
about IP, date, headers, spam content, relevant ranges etc ...

How many of you (honestly) actively manage and respond to abuse@ contact
details listed in WHOIS? Or have had any luck with abuse@ contacts in
the past? Who's good and who isn't?

Apologies in advance if this has been around before - I'm new here. (:

Gav

> Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

http://www.rfc-ignorant.org/tools/submit_form.php?table=abuse

I answer ours, and I've sent a few abuse complaints (sometimes in error...)
I haven't kept count, but I'd say I get an answer at least 50% of the time.

> > How many of you (honestly) actively manage and respond to abuse@ contact
> > details listed in WHOIS? Or have had any luck with abuse@ contacts in
> > the past? Who's good and who isn't?
>
> I answer ours, and I've sent a few abuse complaints (sometimes in error...)
> I haven't kept count, but I'd say I get an answer at least 50% of the time.

My support team and I always answer ours. The only mail auto deleted
is when the person contacting us actually tried to send us a copy of
the virus they received. Damn they got all pissed when the mail was
auto dropped.

Wayne

I answer our abuse@ address and file reports daily. I get automated responses from the free providers, but have little faith they care enough to fix the problem. RIPE regions seem to process reports with an attitude that they care, while LACNIC, AFRINIC, and Asian providers seem to ignore all reports if you can even find a working abuse@ contact. Smaller providers in the ARIN region also seem to do a good job.

Inbound: wherever I am, I try to make it a point of emphasis that
incoming mail to abuse very likely represents someone trying to help
us by doing the job that we failed to do, and as such, it deserves
very high priority, and -- if correct -- our gratitude.

Outbound: mixed. I've had excellent response from academic institutions
(most recently Indiana University) and from some commercial operations
(e.g., mail.com). I've had responses somewhere between "non-existent",
"miserable", and "random" from major freemail providers.

---rsk

Having watched this issue for years, I'll say that there's a large body
of good abuse desks you'll never need to talk to, because the very
qualities that cause a network to host a responsive abuse desk are in
many cases the same things that drive engineering and other processes
that minimize the chances for abuse in the first place. For the best
networks, the abuse desk exists entirely as a fire alarm, never meant
to receive any volume of meaningful complaints, because there should be
no abusive traffic originating. This includes many corporate networks.

Middle ground are many schools, where policy is to run a clean network,
but practical realities of students and faculty result in some problems.
They truly appreciate abuse reports, because so few people bother to
send them in this era, and doing so helps make the Internet a nicer
place to be. On the other hand, other schools have clearly given the
issue no thought, or don't wish to deal with the problems...

Commercial service providers are more of a mixed bag. Many are very
clueful and want to run a clean network. Others look at the abuse desk
as a money-losing black hole that serves mainly to cause customer churn.
Cheap webhosts and the like are typically under pressure to keep costs
low. You may end up with an abuse desk that overreacts, or that doesn't
care until the volume of complaints becomes deafening.

... JG

> Hello,
>
> After a weekend of heavy spam last month, we decided to fire some
> reports over to the abuse contacts for each relevant IP or domain - some
> US/Europe based, others from more "obscure" locations.
>
> We've not had a reply from any of the reports sent over, other than some
> automated bounces. Each report from us contained detailed information
> about IP, date, headers, spam content, relevant ranges etc ...
>
> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

lack of reply to abuse@ does not mean the box is unmonitored... just
that they don't feel it's helpful to reply to inbound mail with ..
more mail, especially when much of the inbound mail is automated.

> Apologies in advance if this has been around before - I'm new here. (:

sure.

-chris

> How many of you (honestly) actively manage and respond to abuse@ contact
> details listed in WHOIS? Or have had any luck with abuse@ contacts in
> the past? Who's good and who isn't?

We monitor our abuse queues, but when the email is just a stock standard
incident (eg: spam or phishing) we don't actually reply to the emails
unless more information is required.

As mentioned previously, a lot of the traffic in abuse queues is automated
and you might have anywhere up to 100 emails for a single incident. In
these cases, we merge the messages into one ticket, handle the case and
close it off.

The nature of our business (hosting) means that we do get a decent amount
of abuse traffic - ranging from compromised out of date CMSs used to send
spam or host phishing sites right through to fraudulent accounts again
used to send spam.

Rather than hire additional staff to respond to each abuse email
individually we prefer to invest in systems to stop the abuse in the first
place. For example, all outbound email from our shared hosting network is
checked for spam/viruses and any unusual traffic (such as a spike from a
customer who typically only sends a few messages a day) is flagged.

-Shaun

Speaking as someone who's been running abuse desks since the mid 90s
[still late to the party compared to other posters in this thread like
say, Joe Greco, but what the heck, hi joe, hope you agree]

Add to it the fact that you get far less "actual email" coming into
abuse desks these days. Far more email that's scripted / at least
semi automated by smaller trap operators / some small ISPs /
spamcop.net

ARF'd feedback loops from the large providers (which are mutually
provided to each other - each large provider offers one, and
subscribes to those provided by other SPs) are usually sent to a
separate address and auto processed.
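
An added example, not code from any poster in this thread: parsing ARF (RFC 5965) feedback-loop reports with Python's standard library and merging them into one ticket per reported source IP, as in the ticket merging and auto-processing described in the posts above. The report template, all addresses, and the names `parse_arf`, `merge_into_tickets` and `sample_queue` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from email import message_from_string

# Constructed, abbreviated ARF report (human-readable part omitted); all values invented.
ARF = """From: {reporter}
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: {ip}

--b1
Content-Type: message/rfc822

Subject: constructed sample

--b1--
"""

def parse_arf(raw):
    """Return (reporter, Source-IP) for an ARF report, or None if it is not ARF."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            body = part.get_payload()  # stdlib parses message/* as a nested Message
            fields = body[0] if isinstance(body, list) else message_from_string(body)
            return msg["From"], (fields["Source-IP"] or "").strip()
    return None

def merge_into_tickets(raw_reports):
    """One ticket per reported source IP; anything unparseable goes to a human."""
    tickets, manual = defaultdict(list), []
    for raw in raw_reports:
        try:
            reporter, ip = parse_arf(raw)
            tickets[str(ipaddress.ip_address(ip))].append(reporter)
        except (TypeError, ValueError):  # not ARF, or Source-IP missing/invalid
            manual.append(raw)
    return dict(tickets), manual

def sample_queue():
    dupes = [ARF.format(reporter=f"fbl@isp{i}.example", ip="192.0.2.10") for i in range(3)]
    return dupes + [ARF.format(reporter="trap@example.net", ip="198.51.100.7"),
                    "From: user@example.org\nSubject: spam from you\n\nPlease stop.\n"]
```

Free-form complaints that carry no `message/feedback-report` part land in the manual list rather than being dropped, so hand-written reports still reach a person.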