Abuse response [Was: RE: Yahoo Mail Update]

Subject: Re: Abuse response [Was: RE: Yahoo Mail Update]
From: Valdis.Kletnieks@vt.edu
Date: Wed, 16 Apr 2008 12:02:02 -0400

> - I'd like to see an actual response beyond an autoreply saying that you
> can't tell me who the customer is or what actions were taken.

Well, let's see. If you're reporting abuse coming from my AS, it's almost
certainly one of 2 things:

[[ sneck causations ]]

Basically, 99.8% of the time, no response other than "We found it and dealt
with it" is actually suitable, and the other 0.2% of the time, you're about
to get dragged into an ongoing investigation, so expect a "Hold Evidence"
order on your fax in a few minutes.. :wink:

So what sort of response did you actually *want*?

Speaking strictly for myself, the wish-list for an ack is (not necessarily in
priority order):
   1) appreciation for my contributed time/effort in helping them keep _their_
      network clean.
   2) an ack that they _have_found_ the source. I generally don't care 'who'
      it was, just that they *have* been found, and STOPPED.
   3) an indication that the immediate issue has been fixed, and that steps
      have been taken to prevent future recurrence. Again, the actual
      'details' of what has been done are relatively unimportant.
   4) *WHEN* the 'fix' was implemented. Then I know if I see 'more of the
      same _before_ that time, I don't need to report it, =AND= if I see
      stuff occurring _after_ that time, that it is a 'new and different'
      problem that _does_ need to be reported.

This is more about _how_ you say things, than the details of what you actually
say.

Replies -- _days_ later -- along the lines of "thanks for the report, due to
volume of complaints we won't be able to tell you anything about what we find,
or do" cause much grinding of teeth.

Replies that say: "This appears to be the same as something that has already
been reported to us by others. We have looked into things, confirmed it was
happening, and put a stop to it as of {timestamp}. If you see any more of this
activity from that source _after_ that time please email us immediately with
the string "{token}" in the subject line." _do_ give the originator 'warm
fuzzies', and can be more-or-less trivially generated by a good trouble-ticket
system. Especially with reasonable front-end automation for recognizing
'duplicate' complaints.

At the good end, I've gotten replies saying: "the customer has been contacted,
and they immediately took the affected machine off-line for sterilization";
even "we have been unable to contact the customer, and have pulled their
circuit until they *do* contact us."

Note: that last message was received about 4 hours after sending the problem
notice, and about 2 hours after what would have been the normal 'start of
business' in the locale of the problem. That provider wears a *BIG* white
hat in my books. Not so much for telling me what they did, but for the speed
of reaction.

Contrast those responses with a major national who doesn't send any responses
*and* has an admitted policy of giving customers _a_week_after_notification_
of having an infected machine on their network to get the machine off-line or
otherwise dealt with. And it can take _days_ to get the notification to the
customer. (they just send an email to the business contact -- notify them late
friday and the clock doesn't start running until Monday morning. *sigh*)
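A sketch of the duplicate-aware acknowledgment the reply above describes (fix timestamp plus a follow-up token, and "before the fix" reports treated as duplicates while "after the fix" reports open a new problem), added here as an illustration and not code from the thread; `AbuseDesk`, `record_fix`, `handle_report` and the addresses are assumed names and constructed values.

```python
from dataclasses import dataclass
from datetime import datetime
import secrets

# Wording follows the reply template quoted in the post.
ACK_DUPLICATE = (
    "This appears to be the same as something that has already been reported "
    "to us by others. We have looked into things, confirmed it was happening, "
    "and put a stop to it as of {timestamp}. If you see any more of this "
    "activity from that source _after_ that time please email us immediately "
    "with the string \"{token}\" in the subject line."
)
ACK_NEW = "Thanks for the report; a ticket has been opened and we will confirm once the source is stopped."


@dataclass
class Incident:
    source: str          # offending host as named in the complaint (constructed IPs below)
    fixed_at: datetime   # when the abuse desk stopped the activity (timezone-aware)
    token: str           # string reporters put in the subject for follow-ups
    duplicates: int = 0  # complaints matched against this closed incident


class AbuseDesk:
    """Hypothetical front-end for a trouble-ticket system: triages complaints by source and time."""

    def __init__(self):
        self.closed = {}   # source -> Incident already dealt with
        self.open = []     # (source, observed_at) tickets awaiting a human

    def record_fix(self, source, fixed_at_iso, token=None):
        """Close the book on a source; timestamps are ISO-8601 with offset, e.g. 2008-04-16T09:30:00+00:00."""
        token = token or "ABUSE-" + secrets.token_hex(4).upper()
        inc = Incident(source, datetime.fromisoformat(fixed_at_iso), token)
        self.closed[source] = inc
        return inc

    def handle_report(self, source, observed_at_iso):
        """Return (disposition, reply_text) for one incoming complaint."""
        observed = datetime.fromisoformat(observed_at_iso)
        inc = self.closed.get(source)
        if inc is not None and observed <= inc.fixed_at:
            # Activity seen before the fix: same problem, answer with timestamp and token.
            inc.duplicates += 1
            return "duplicate", ACK_DUPLICATE.format(timestamp=inc.fixed_at.isoformat(), token=inc.token)
        # Either an unknown source or activity after the fix: a new problem that needs a ticket.
        self.open.append((source, observed))
        return ("recurrence" if inc is not None else "new"), ACK_NEW
```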