Abuse response [Was: RE: Yahoo Mail Update]

> 72 hours to respond to e-mail sent to the abuse account? That's much too
> long -- it should be at least a 4 hour response time during business hours,
> and for service providers and operators large enough to staff their network
> 24x7 for other reasons, 4 hour response time all the time.

Right. You're dreaming.

As I mentioned in my presentation at NANOG 42 in San Jose, the
biggest barrier we face in shrinking the "time-to-exploit" window
with regards to contacting people responsible for assisting in
mitigating malicious issues is finding someone to actually
respond.

I'd personally jump for joy if I could count on 72 hours, or less.

Unfortunately, most abuse requests/inquiries fall into a black-hole,
or bounce.

Very rarely do I find a helpful individual at the end of an abuse
address, and that is truly unfortunate.

Me, I have pretty much given up on any domain-related avenues, since
they generally end up in disappointment, and found more successes in
going directly to the owners of the IP allocation, and upstream ISP,
a regional/national CERT/CSIRT, or law enforcement.

Now, this has no bearing on the original subject (which I have now
forgotten what it is -- oh yeah, something about Yahoo! mail), but
it should be additional proof that the Bad Guys know how to
manipulate the system, the system is broken, and the Bad Guys are
now making much more money than we are. :)

-- ferg

> As I mentioned in my presentation at NANOG 42 in San Jose, the
> biggest barrier we face in shrinking the "time-to-exploit" window
> with regards to contacting people responsible for assisting in
> mitigating malicious issues is finding someone to actually
> respond.

Fergie.. you (and various others in the "send emails, expect
takedowns" biz) - phish, IPR violations, whatever.. you're missing a
huge, obvious point

If you send manual notifications (aka email to a crowded abuse queue)
expect 24 - 72 hours response.

If you have high enough numbers of the stuff to report, do what large
ISPs do among themselves, set up and offer an ARF'd / IODEF feedback
loop or some other automated way to send complaints, that is machine
parseable, and that's sent - by prior agreement - to a specific
address where the ISP can process it, and quite probably prioritize it
above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email.

That kind of report can be handled within minutes.

If you send reports with lots of legal boilerplate, or reports with
long lectures on why you expect an INSTANT TAKEDOWN, and send them to
a busy abuse queue, there is no way - and zero reason - for the ISP
people to prioritize your complaint above all the other complaints
coming in.

> Unfortunately, most abuse requests/inquiries fall into a black-hole,
> or bounce.

Not you, but several companies that do this as a business model need
to learn how to do this properly. Some of them are spectacularly
incompetent at what they do too.

> Me, I have pretty much given up on any domain-related avenues, since
> they generally end up in disappointment, and found more successes in
> going directly to the owners of the IP allocation, and upstream ISP,
> a regional/national CERT/CSIRT, or law enforcement.

Yeah? And by the time your request filters right back down to where
it actually belongs.. guess what, it takes much longer than 72 hours.

> Now, this has no bearing on the original subject (which I have now
> forgotten what it is -- oh yeah, something about Yahoo! mail), but
> it should be additional proof that the Bad Guys know how to
> manipulate the system, the system is broken, and the Bad Guys are
> now making much more money than we are. :)

And proof that various good guys don't know how to cooperate, and
various other "good guys" are in the business only to score points off
other providers to make themselves look good.

for example.. I think Brian Krebs - given what I know of his usual
high standards - would certainly have regretted publishing PR and
marketing generated, highly debatable, "statistics" like the ones
referenced in that article.

--srs

Is there an equivalent mechanism for those of us at the fringes of the galaxy to
report problems? What is probably needed for little folks like me is not
instant response but rather an address and formatting specs so that the information
is of maximum usefulness to you and we don't get auto-naks. After all, I can
probably generate a few reports a week, but not hundreds per day.

So how do the little guys play in this sandbox? My log files and spam
reports are just as legit as the super-secret-handshake club guys are,
and I'd like to get some respect. After all, I may be the first one to
report it.

Please keep a few things in mind though:

- It needs to be simple to use. Web forms are a non-starter.

- The output from any parsers needs to be human readable. There are too
many auto-whatsit formatters for us to sit down and code to every one.

- I'd like to see an actual response beyond an autoreply saying that you
can't tell me who the customer is or what actions were taken.

- I like dealing with other small operations and edus because humans
actually do read the reports, and things get done (Thanks!).

I've given up sending abuse reports to large consumer ISPs and all
freemail providers because I'm not a member of the club. Any response
that I'm lucky enough to get generally says something like "You did not
include the email headers in your complaint so we are closing this
incident" when I reported an FTP brute force.

--Chris

> So how do the little guys play in this sandbox?

3rd-party aggregation. Where do RBLs get their data?
They act as a 3rd party to aggregate data from many others.

> - It needs to be simple to use. Web forms are a non-starter.

If you have the ability to accept reports via an HTTP REST
application, it wouldn't hurt to put up a web form so that
people can try it out.

> - The output from any parsers needs to be human readable.

ARF is the only thing that meets this requirement.

However, you should consider accepting input as IODEF as
well. Just use ARF for the output that you submit to the
abuse desks.

> - I'd like to see an actual response beyond an autoreply
> saying that you can't tell me who the customer is or what
> actions were taken.

Now you are asking the abuse desks to modify their software
and processes to meet your needs. I can't see them ever
providing a response per report, however if enough people
buy into a standard reporting system, like ARF, then you
might get ISPs to accept some kind of report-origin code
and then allow you to periodically request resolution reports
for all reports coming from that report-origin.

> - I like dealing with other small operations and edus because
> humans actually do read the reports, and things get done (Thanks!).

If people had succeeded in cleaning up the abuse problems in 1995
when the human touch was still feasible, we would not have the
situation that we have today. Automation is the only way to address
the flood of abuse email, the huge number of people originating
abuse, and the agile tactics of the abusers.

You just have to accept that people will not read your reports, and
will not act on your reports. What they will do is feed your reports
into automated systems that use AI techniques to define tasks for the
abuse desk to act upon.

Consider this. Any single point source of abuse, say a single broadband
PC in a botnet, will spew out spam or DDOS to hundreds of destinations.
If 20 of these destinations submit ARF reports, and you are one of
these 20, then there is a 5% chance that your report has anything worth
acting upon. 95% of the time, you will be reporting something that the
abuse desk has already acted upon and it would be a waste of abuse desk
resources to read and reply to your report. On the other hand, it can
be very useful for the automated system to process your report for
statistical purposes and to provide a better understanding of how
that particular botnet functions.

> I've given up sending abuse reports to large consumer ISPs
> and all freemail providers because I'm not a member of the
> club. Any response that I'm lucky enough to get generally
> says something like "You did not include the email headers in
> your complaint so we are closing this incident" when I
> reported an FTP brute force.

This is why we need *MORE* automation between providers. Then there
is less room for human error in wading through a mass of reports trying
to pick out the ones which can be fixed.

--Michael Dillon
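Added example, not code from the thread: both halves of the ARF feedback loop srs describes (a reporter building an RFC 5965 report, an abuse desk parsing it) plus the deduplication step behind Michael Dillon's "already acted upon" point, using only the Python standard library. The addresses, the sample spam, the clock and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy, utils
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample: a spam as the reporter received it, plus a fixed clock.
SPAM = b"From: bot@example.net\r\nTo: victim@example.org\r\nSubject: cheap pills\r\n\r\nbuy now\r\n"
T0 = datetime(2008, 3, 1, 12, 0, tzinfo=timezone.utc)

def build_arf(original: bytes, source_ip: str, when: datetime) -> bytes:
    """Reporter side: RFC 5965 ARF = multipart/report (summary, fields, original)."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"], report["To"] = "reporter@example.org", "abuse@isp.example"  # assumed
    report["Subject"], stamp = f"Abuse report for {source_ip}", utils.format_datetime(when)
    report.attach(MIMEText(f"Spam received from {source_ip} at {stamp}.\n"))
    fields = MIMEBase("message", "feedback-report")  # header-style, machine-parseable
    fields.set_payload(f"Feedback-Type: abuse\nUser-Agent: ExampleReporter/1.0\n"
                       f"Version: 1\nSource-IP: {source_ip}\nArrival-Date: {stamp}\n\n")
    report.attach(fields)
    report.attach(MIMEMessage(message_from_bytes(original)))  # evidence, headers intact
    return report.as_bytes()

def parse_arf(raw: bytes) -> dict:
    """Abuse-desk side: pull out the fields an automated queue keys on."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_param("report-type") != "feedback-report":  # multipart/report parameter
        raise ValueError("not an ARF report")
    part = next(p for p in msg.iter_parts()  # StopIteration if the part is absent
                if p.get_content_type() == "message/feedback-report")
    f = part.get_payload(0)  # the stdlib parser exposes the fields as headers
    return {"type": str(f["Feedback-Type"]), "source_ip": str(f["Source-IP"]),
            "arrival": utils.parsedate_to_datetime(f["Arrival-Date"])}

def triage(reports, window=timedelta(hours=24)):
    """First report per source inside the window opens a task; later ones only count."""
    first_seen, tasks, dupes = {}, [], 0
    for r in sorted(map(parse_arf, reports), key=lambda r: r["arrival"]):
        seen = first_seen.get(r["source_ip"])
        if seen is None or r["arrival"] - seen > window:
            first_seen[r["source_ip"]] = r["arrival"]
            tasks.append(r["source_ip"])
        else:
            dupes += 1
    return tasks, dupes

def demo():  # four constructed reports: three on one source, two within 24 hours
    hours = [("192.0.2.10", 3), ("192.0.2.10", 0), ("198.51.100.7", 1), ("192.0.2.10", 48)]
    return triage([build_arf(SPAM, ip, T0 + timedelta(hours=h)) for ip, h in hours])
```

Calling demo() yields two tasks for 192.0.2.10 (the second report arrives 48 hours after the first), one for 198.51.100.7, and one report counted as a duplicate.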

I agree with this and with pretty much everything else you wrote.

But...

If an operation is permitting itself to be such a systemic, persistent
source of abuse that the number of abuse reports it's receiving (which
everyone knows is a tiny fraction of the number it *could* be receiving)
requires automation...isn't that a pretty good sign that whatever's
being done to control abuse isn't working?

The solution to that isn't to put in place higher levels of automation:
the solution to that is to *solve the underlying problems* so that
higher levels of automation aren't necessary.

---Rsk

So who's the third-party for the little guy that aggregates abuse reports?
I know we consume Spamcop reports which works very well for us. I'm not
sure who feeds them data. Ideally I would like to be able to submit data to
them in an automated fashion, but the spam appliance I have doesn't have
that checkbox.

If the abuse desk has already acted upon it, why not have the automated
system let me know?

Frank

Well, let's see. If you're reporting abuse coming from my AS, it's almost
certainly one of 2 things:

1) Some poor soul got zombied in a drive-by fruiting and was part of a botnet.
At this point, it doesn't really matter *who* the customer was, because he was
essentially a Joe Sixpack. Action taken is almost certainly some variant on
"he's been told to disinfect the machine before getting back on the net". So
it's unclear what, if anything, you want us to do, except possibly send you
a canned "We found the machine and dealt with it" after the fact.

2) Somebody decided to intentionally do something naughty. At that point,
it's a very good likelihood that we *can't* tell you who it was, because
there may be some combination of litigation and prosecution (and in our case,
most likely some internal judicial action) so there's a whole swarm of privacy
laws and "we don't comment on ongoing investigations/litigations" policy. And
since these things can drag on for weeks or months, there may not be any
final resolution for quite some time, so all you'll get back is a "We found
the problem and it will eventually be disposed of"...

Basically, 99.8% of the time, no response other than "We found it and dealt
with it" is actually suitable, and the other 0.2% of the time, you're about
to get dragged into an ongoing investigation, so expect a "Hold Evidence"
order on your fax in a few minutes.. ;)

So what sort of response did you actually *want*?