Abuse Ticketing Systems

Are there any particularly useful ticketing systems for handling the sorts and volume of complaints an abuse desk sees?

Currently my company has deployed Remedy internally and while it is particularly useful in managing work requests and our NOC's incident response, it seems to be completely unsuited for our abuse desk needs. I've been recommended Abacus and would be interested in anyone's experience with it. If someone has had a painless and successful experience using Remedy to handle abuse desk ticketing I'd love to hear a little about the overall engineering of the system to handle it.

Try Request Tracker, it's very flexible and free.

http://www.bestpractical.com

If anyone has had a painless and successful experience with Remedy, I'd
love to hear about that, as well. :wink:

I second the RT route. Budget half a day to get it up on a test box and
it's pretty easy from there. In particular you may want to look at the
version of RT tuned for Incident Response -

http://bestpractical.com/rtir/

John

Aside from RT, you may also want to take a look at OTRS - http://otrs.org/.

Todd

I have been looking around, but haven't found it yet.. Is there a text list of who owns what netblock worldwide? ISP/Location/Contact. I am not looking for anything searchable, but rather, a large, up to date list that I can import to a database..

Thanks
John

Poke around the ftp sites of the four RIRs until you find address registration data. Don't expect to see a single dump format across RIRs.

Joe

For bonus points, does anybody have a good estimate of what percentage
of the registration data doesn't match reality, due to missing SWIPs
and the infamous "allocated to a reseller who allocated to a re-re-seller
who..." issues? (Not talking actively hijacked, just all the "forgot
to file the paperwork" allocations...)

> I have been looking around, but haven't found it yet.. Is there a text list
> of who owns what netblock worldwide? ISP/Location/Contact. I am not looking
> for anything searchable, but rather, a large, up to date list that I can
> import to a database..

in general, we try not to make life that easy for spammers and scammers

randy

We're working on this question at the operator (ASN) level for a couple of projects. I can't produce a list immediately, but there seem to be at least 600-700 ASNs that were consistently routed between Oct 01 and Oct 03 that have no easily matchable whois data in any registry.

Probably the best you can come up with is the converse; the percentage of operators who take the (varied kinds of) trouble to identify themselves broadly to the community, thereby making themselves at least implicitly available for large-scale event management, etc. I think if you sum up the unique users of various extra-whois tools (nsp-sec, INOC-DBA, Jared's NOC list, etc.), you come up with something like 3-4k operators. For those 3000+/- you can be reasonably confident that their whois data is correct; the other 15.5k actively routed ASNs (much less the routed netblocks, and less still the idled ASNs and netblocks) are anyone's guess...

Tom


Yo Randy!

> in general, we try not to make life that easy for spammers and scammers

Too late. That horse ran out the barn when Verisign sold their whois data.

At this point keeping the data hard to get just makes it harder on
abuse admins.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
  gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

Certainly matches up with what my gut feeling was telling me....

And of course, the irony is that those 3K ASNs will probably exchange billions
of packets with us on total autopilot, and I'll almost never need to find the
owner, but the fact that I'm unable to identify who's *really* responsible for
a given specific /24 makes an address in that /24 all the more desirable to the
sort of people who will end up making me look for the /24's owner, when I'd
much rather never have had any conscious knowledge of that particular /24 being
routable at all...

Last time I looked, VRSN did not have whois data on netblock owners.

Alex

Perhaps I should have made my inquiry/intentions a little more specific.
Just in the thinking out loud stage here, but..
I would like to put an interactive help system together. One where, the user would have the option to forward some types of complaints directly to the hosting provider/ISP through a web portal. Form data would be collected, trends analyzed, if a particular address space is consistently behaving irresponsibly, it would be forwarded to an agent for further investigation.
At which point, depending on the type of, and number of problems, further steps could be taken to correct the problem, ex administrative contact, resolving a hijack site to a warning page, or worst case: filtering that network entirely. We already do this to some degree, but I am looking for a way to make it more reflexive, automated, and give the users a more direct course of action that releases our help desk from some of the burden..

John
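The intake-and-escalation step John describes above (collect portal reports, tally them per address space, hand persistent offenders to an agent) written out as an added Python example; this is not code from the thread, and the netblock table, report rows, cut-off time and threshold are all constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed stand-in for the netblock registration data the thread
# discusses (in practice imported from RIR data); names and prefixes are made up.
NETBLOCKS = {
    "192.0.2.0/24": "badhosting.example",
    "198.51.100.0/24": "goodisp.example",
    "203.0.113.0/25": "reseller.example",
}

# Constructed abuse reports as the web portal would collect them:
# (submission time, reported source IP, complaint category).
REPORTS = [
    (datetime(2003, 10, 20, 9, 0), "192.0.2.17", "spam"),
    (datetime(2003, 10, 21, 11, 30), "192.0.2.99", "spam"),
    (datetime(2003, 10, 22, 14, 5), "192.0.2.200", "malware"),
    (datetime(2003, 10, 22, 16, 0), "198.51.100.8", "spam"),
    (datetime(2003, 10, 23, 8, 45), "203.0.113.5", "spam"),
    (datetime(2003, 10, 23, 8, 46), "192.0.2.5", "spam"),
    (datetime(2003, 9, 1, 8, 46), "192.0.2.6", "spam"),  # too old to count
]
NOW = datetime(2003, 10, 24)  # constructed evaluation time

def owner_of(ip: str) -> str:
    """Longest-prefix match of an address against the registration table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, org in NETBLOCKS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org)
    return best[1] if best else "unknown"

def complaints_per_owner(reports, now, window_days=7):
    """Count reports per netblock owner inside a trailing time window."""
    since = now - timedelta(days=window_days)
    counts = Counter()
    for when, ip, _category in reports:
        if when >= since:
            counts[owner_of(ip)] += 1
    return counts

def escalate(reports, now, window_days=7, threshold=3):
    """Owners whose recent complaint count crosses the threshold,
    i.e. the cases the portal would forward to a human agent."""
    counts = complaints_per_owner(reports, now, window_days)
    return sorted(org for org, n in counts.items() if n >= threshold)
```

Addresses that match no registered block land under "unknown", which is exactly the unaccounted-for space the rest of the thread worries about.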


Yo John!

> ... but I am looking for a
> way to make it more reflexive, automated, and give the users a more direct
> course of action that releases our help desk from some of the burden..

And that is exactly why it will not happen. A lot of the registrars
have gone over to the other side. Ever try to get any domain contact
info out of nameking?

RGDS
GARY

I realize that there may be no way to contact many of these people, but, it is a step towards identifying problem networks. If badhosting.com is responsible for a given percentage of the garbage that comes through our pipes, and I can leverage user input to identify this, then I can use this to create more responsive filtering policies..

That irony may disappear soon, but perhaps not in a good way. Observing the general policy trend across the registries, it seems that all are moving toward a system where publicly available contact information for any/all assigned numbers is optimized for resource management, while preserving maximum flexibility for anonymous operation. That is to say, operators may eventually provide visible whois entries that include only a workable email address (e.g., ASN54321@genericemailservice.com) and a cell phone number. So long as these contacts are sufficient to request/remit annual registry renewal fees, the whois requirement will be satisfied.

Opinions vary as to whether this is a good thing or a bad thing. Some advocates suggest that anonymity will help mitigate some security issues, although it seems to me a little incongruous that security through obscurity is advocated in this sphere at the same time that it is ridiculed in other contexts. Anyway, during the ARIN public forum last week there were repeated suggestions that the "scope and purpose" of the whois database be clarified once and for all, at least at the institutional (ARIN) level. I for one would hate to see operator identity (i.e., as you say "who's *really* responsible" for a given number) disappear from that "scope and purpose," especially without considering that change and all of its implications very very carefully.

Tom


Yo John!

> I realize that there may be no way to contact many of these people, but, it is
> a step towards identifying problem networks. If badhosting.com is responsible
> for a given percentage of the garbage that comes through our pipes, and I can
> leverage user input to identify this, then I can use this to create more
> responsive filtering policies..

I apologize for my wording if anyone took my comments as against your
project. Any way to automate response to network abuse is a "Good
Thing" (tm).

My complaint is that registrars are locking up more and more information
so it is harder to track the bad guys. The spammers already have
everyone's email addresses from their spyware and list trading. Keeping
netblock and domain owners private helps the bad guys way more than it
hurts the good guys.

RGDS
GARY

Please describe exactly what you want to do with the data. If it's a specific
action based on some network name or per their ASN, I can probably deliver
it (assuming this function has community value for more than just your
needs). But providing the entire list is too open for abuse and also may
violate RIR policies for not redistributing bulk whois data in "bulk form".

If you want to do it yourself - feel free to contact every RIR (it's only 4
of them) and sign for bulk whois agreements (and RIPE and APNIC already
provide their whois database free actually if you look around) and write
scripts and programs to put it all in the database format that you want.

Again guys.. just in the thinking out loud stage..
But it does surprise me that this information is not freely available, and accessible to all without hindrance, registration or obligations of any kind.
There is the argument that this information could be used by the wrong people to do the wrong thing, but I am guessing many of those people already have this data. Arguably, the people most likely to be causing problems, are the very ones who seek anonymity through a process that is apparently not as defined and regulated as it needs to be in order to assure proper identification and subsequent accountability.
It is all about that accountability, action and response. If badhosting.com insists on harboring CWS, spam engines, and the like, wouldn't it be better if everyone knew, down to the last host, every address they own? If this information were freely available, posted in plain view, script friendly, and a dynamic resource, I suspect a lot of problems could, (at least in part), be made to disappear, or at the very least, automated tracking systems, and abuse reports could be made to be more reliable.
Every enterprise is absolutely dependent on its financial viability; if the owner of badhosting.com woke up on Monday morning to find half of North America was no longer visible to his clients, he would either a) grow a conscience, or, b) go out of business - either one would be just fine with me.

John

Again, so what is it you're asking:
1. Function to list ip blocks for the same organization that often causes
    abuse reports for your customers?
    - see SPEWS and Spamhaus lists, for biggest abusers they do a pretty good
      job of tracking any ip blocks assigned to them
2. Function to list ip blocks announced by the same organization per ASN?
    - you can already do it yourself - "sh ip bgp regexp _asn_"

And yes if somebody wants to abuse public database, they'll find a way to
get the data they want - but at least on the surface it should not be
easy. So even if one bad guy already has this data, I'm not interested in
making it easy for another bad guy to get it.