adviCe on network security report

Sean Donelan wrote:

Hint, hint, hint. When the abuse and security folks at ISPs give suggestions on how to best work with them, its sometimes a good idea
to listen.

What happens when the security folks are absent? This seems to be somewhat of the case concerning contacting "". Many times it starts there where someone will contact an abuse apartment that is likely not monitored. Let's be realistic here... Before someone shoots of a "your-so-off-topic-whiny-whiny-whiny" response. How many here have contacted an abuse and simply gotten 1) an autoresponder 2) no reply 3) undeliverable 4) no such account exists as opposed to getting something useful.

ISP security and abuse folks generally know how bad the problems are. That
isn't useful to getting their jobs done. They usually have better information about how bad it is than most third-parties.

See my previous sentence... What happens when they see it, shrug off a simple abuse message that may contain something useful because they're fending off a DDoS attack or something. Does an abuse message take less precendence than other security matters. What will ISP's do when someone lashes back and starts some form of class action lawsuit against an ISP whose engineers repeatedly sat around and <strike>read NANOG and whined</strike> and did nothing? Is that what it will take? So I contacted about some user there stealing my info, spamming me, doing something illegal, I messaged them 10 times, no response. How about... I sue them.

ISP security and abuse teams already receive reports from almost every group in existence. After they process the high priority work, e.g. court orders from countries around the world, reports from customers, etc; figuring out how to make the security and abuse teams lives easier is
the key to getting your complaints to the top of the pile. Rankings of other ISPs doesn't change their workload.

Out of curiousity (and I doubt many will respond publicly to this) how many people have had success versus failure when dealing with abuse issues. I'm thinking for every answered message sent to abuse (non autoresponder), one will likely see more than 7-10 failures. Failures include an autoresponse, nothing ever done, no response ever returned, a response returned a quarter of a century later...

I believe what Sean said above is key. There are several sources which are
trusted, regular and efficient. myNetwatchmen, SANS ISC, Cymru, the DA
RatOut. Then there are the pull places, such as spamhaus...

Everyone has their favorite, and it works better.

Then come customer complainst, then email reports. If there reports are in
good form and provide with good data (plus are short and to the point),
they will probably get quick attention (as soon as POSSIBLE).

You need to remember these are good folks, who get paid to lose the ISP
money by disconnecting clients...
Some do better, some do worse. Those that do nothing concern me most.

Contributing to one of the projects above (those that allow it) or forming
better complaints is the first step. Identifying the internet bad boys is


It is a self fulfilling issue. Those abuse desks who deal with the issues you
rarely end up writing to, those who don't, you inevitably end up writing to.

Which is why you get a better response when raising a new issue, or a small
issue, with someone who hasn't been notified of it before.

Broach a big established problem like pointing out that Telecom Italia is one
of the worse spewers of advance fee fraud emails on the Internet, and you
can't get anyone to take an interest. If there were anyone who cared, they
would have done something about it by now. Even the Italian government
doesn't seem to care about that one. exists for a reason.