adviCe on network security report

[In the message entitled "Re: adviCe on network security report" on Nov 2, 16:39, Sean Donelan writes:]

> I did a study on this a few years ago. I sent out about 20,000 abuse reports,
> all by hand, to various network around the world. They all came from this
> email address, and were clearly identified as non-robotic, personal messages.
> There were "many" bounces.
> Less that 5% received any response.
> Less than 1% received any action within 30 days.

An excellent example of not listening to ISP abuse and security folks, and
what kind of results you get by not working with them.

As mentioned, this was done a few years ago (2000, if I recall correctly).
The idea was to find out what was required, and to deliver a customizable

I know every ISP is different. Some won't respond to anything. Others will
do everything possible to figure out your complaint. But listening to the
ones in the middle, and figuring out how to work with them will probably
help improve things above 1%.

Because they take so much abuse as part of their normal job, even the
most motivated abuse people don't go out of their way to have more
people shout "You Suck" at them. On the other hand, I suspect if they
believe you can make their jobs easier and not shout at them, they can be
very gregarious about what they need.

Over the last few years, I have worked with many ISPs. The majority of the
problems had little to do with the format/style/volume of abuse complaints,
and a lot to do with empowering the abuse desks to take action. "you
suck" was not an enabling message :slight_smile:

And yes, this has made a significant change in how much abuse comes from those
ISPs, so working with the ISPs does pay off. Often it is essential to gain
upper management's attention, however, so that the abuse desks can be
empowered to take action.

But the security industry is still just beginning to understand the problems
that are faced by an ISP that suddenly gets 40,000 boxes 0wned. Delivering
tools that help them deal with these types of problems should be our focus.
Bridging the gap is what is required - it isn't the ISP's fault that the
box got owned, but the abuse that comes from that IP address is their
responsibility to mitigate as best as reasonably possible.

I don't know about other ISP networks because I am only responsible for one, but we find the huge volume of garbage/bogus/automated abuse messages makes it difficult to find the real abuse issues which we need to address. A customer who may forwarding all their email including spam to their /bigcommericalisp/ account which is then tagged as spam by the same user when it arrives at their account and then bounced to doesn't constitute a valid abuse complaint in my mind. An ICMP echo packet received by some random idiot online running some broken and poorly designed "firewall" software which says he is being attacked by one of our customers does not merit an abuse report or response. However, an infected box on our network or a customer with an open smtp relay or an owned box on one of our client's transit connections from us does merit a reaction and as quickly as possible to limit the damage they can inflict on the rest of the community and likewise from a selfish standpoint - based on the retaliation which may be directed back at us. We try to be good neighbors, but all the garbage we receive makes it difficult to be as responsive as I would like. We have our dialup support folks check through the abuse box and forward anything which falls into the interested bucket to our NOC team. However, it simply doesn't make financial sense to have a full time person or people checking through the abuse box. When something is a real problem and the person on the other end needs a quick response, they can call us or check ARIN for netblock contact info. The addresses and numbers listed there will go straight to someone who can help. I wish abuse was used as intended instead of my every idiot programmer and script writer for their own "helpful" stuff we never asked for nor does it help us at all nor does it help the users.


Tellurian Networks - Global Hosting Solutions Since 1995 | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

Unfortunately that is a problem with every public reporting channel. Most
9-1-1 (or your national equivalent) centers report a majority of their calls are non-emergencies. In many cities the police will not respond
to automatic dialers calling 9-1-1 because of the extremely high false reporting rate, or put them at a very low, low response priority. Most
of the complaints the FCC gets about television and radio programming are
from people who have never seen or heard the program they are complaining

ISP abuse desks, US congressional offices, etc have all implemented things
which make contacting them by e-mail harder due to the automatic-idiot
problems. There are effective ways to contact your congressional office or ISP abuse desk, and ineffective ways. When they give suggestions about
the best way to contact them, its a good idea to listen to what they
recommend if you want to be effective.

If you just want to complain about ISPs not responding, or the police not
finding your stolen car, or 9-1-1 operators refusing calls from your automatic alarm system; you are welcome to continue complaining. It probably won't be that effective, but if it makes you feel better go ahead.

On the other hand, if you are interested in accomplishing something then
there are different actions you can take.