Automatic abuse reports

William Herrin <bill@herrin.us> said:

That's the main problem: you can generate the report but if it's about
some doofus in Dubai what are the odds of it doing any good?

It's much worse than that.

Several 500 pound gorillas expect you to jump through various hoops to report
abuse. Have you tried reporting a drop box to Yahoo or Google lately?

On top of that, many outfits big enough to own a CIDR block are outsourcing
their mail to Google. Google has a good spam filter. It's good enough to
reject spam reports to abuse@<hosted-by-google>

I wonder what would happen if RIRs required working abuse mailboxes. There
are two levels of "working". The first is doesn't bounce or get rejected
with a sensible reason. The second is actually gets acted upon.

If you were magically appointed big-shot in charge of everything, how long
would you let an ISP host a spammer's web site or DNS server or ...? What
about retail ISPs with zillions of zombied systems?

I expect this from the doofus in $pain_in_the_butt_county, but I am surprised when I see this behavior
from large companies, and I really don't understand it. Having a working abuse/response system is beneficial
to us all, including the gorillas. There is a cost to us if we're spending expensive engineering time
and network resources to deal with the traffic. Also, there is an intangible effect on our customers' opinion
of our service.

The only thing I can think of is that they are making the decisions about how important their abuse desk
is based solely on the cost of running that desk. They are seeing it as a cost center and not thinking
about its long-term benefit to the entire network. I can't think of a way to remove the incentive for this
short-term thinking.

If I were the big cheese of the internet?
1. Transit providers would properly implement RFC 2827 filtering facing their downstream single homed customers.
If you only connect to me and I send you x.x.x.0/24 down your T1 I shouldn't be getting y.y.y.0 traffic from you.
This is easy to do.

2. Tier 1 backbone providers should be willing to de-peer non-responsive global networks. I've lost faith in
regulations to actually curb the flow, but the tier 1 providers may have the leverage to encourage good behavior.
For example, if $pain_in_the_butt telco in $pain_in_the_butt country has to start paying for transit to get to
$big_tier_1, then maybe they would clean up their act. The problem with this is I can't think of a financial way
to get buy-in for this idea from the business types in these companies.

3. There needs to be more responsible network citizenship among the providers large enough to have an AS number.
It's harder to do ingress filtering if your customers are running BGP; I can see reasonable cases where a
customer might throw traffic at me from source addresses that I didn't expect. At this point you should require your customers to
police their internal network and be willing to give up on their revenue if they refuse to do so.
Perhaps requiring a 24-hour human response to abuse@ emails as a condition of having an AS from an RIR or as a
requirement for turning up a BGP connection? We expect a good NOC for a peer but care less about a customer in most
cases.

4. Large eyeball networks would see the value in protecting their own people and would implement RFC 2827 as close
to their customers as possible. The sooner you can drop that packet on the floor, the better. The giant zombie
bot armies are a pain to them too.

That's all I can think of at 4am; I bet you can see why nobody would ever appoint me big cheese of the internet.

Sam Moats
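As an added example (not from the thread or any vendor's code), point 1 above as a small simulation: a single-homed customer interface only ever gets to source packets from the prefixes routed down to it, and anything else is dropped on the floor. The interface names, prefixes and packets are constructed documentation-range values, not a real network.

```python
import ipaddress

# Constructed allocation table: what we route down each single-homed
# customer link. A source address arriving on that link must fall inside
# one of these (RFC 2827 / BCP 38 ingress filtering).
CUSTOMER_PREFIXES = {
    "cust-a-T1": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b-T1": ["198.51.100.0/25"],
}

# Constructed sample packets (src, dst) seen arriving on cust-a-T1.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5"),        # legitimate, inside the /24
    ("203.0.113.99", "192.0.2.10"),       # spoofed: the "y.y.y.0" case
    ("2001:db8:a::1", "2001:db8:b::1"),   # legitimate IPv6 source
    ("198.51.100.7", "203.0.113.5"),      # another customer's space: drop
]


def build_filter(prefixes):
    """Parse the routed prefixes once; strict=True rejects host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def source_permitted(src, allowed):
    """True if src lies inside any prefix routed to this interface.
    The address family check keeps v4/v6 comparisons explicit."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in allowed)


def apply_ingress_filter(interface, packets):
    """Split packets into (accepted, dropped) for one customer interface."""
    allowed = build_filter(CUSTOMER_PREFIXES[interface])
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if source_permitted(src, allowed) else dropped).append((src, dst))
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = apply_ingress_filter("cust-a-T1", SAMPLE_PACKETS)
    for src, dst in bad:
        print(f"drop  {src} -> {dst}  (source not routed to cust-a-T1)")
    for src, dst in ok:
        print(f"pass  {src} -> {dst}")
```

The same table is what a real access router expresses as an ingress ACL or uRPF in strict mode; the point of the simulation is that the rule is a pure lookup against prefixes you already assigned.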

I can't speak directly for them, as I'm not an official company
spokesperson, but this conversation has got my dander up enough that I
can't keep my big mouth shut.

I know of at least one 500 pound gorilla (with zillions of retail
customers, and their share of 500 pound gorillas as customers (and
everything in between)) that has a working and effective abuse@
address, one that can and does aggregate and pass on abuse complaints,
and that can and does suspend service over failure to fix. On
occasion, I understand even significant customers have been not just
suspended but terminated over failure to follow the ToS/AUP.

The company in question accepts abuse complaints in ARF, MARF, X-ARF
and IODEF format, among others, and (I cannot emphasize this enough)
does act on them.

Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively
working to make the problem worse, not better. Anyone who thinks that
all networks do roundfile abuse@ complaints would seem to be making an
over-generalization.

Note, once again, that these are my opinions, and not my employers',
so much so that I can't even tell you directly who my employer is. Not
that it's hard to find out, but I'm so very much not speaking in an
official capacity here.

There are good guys out there :-), and some are gorilla sized; that's why I
obfuscated the names in my response. No offense intended to the good ones.
Sam Moats

The end users can, by inquiring about the abuse desk, before agreeing to
sign up for service.

In this manner "Not having a good abuse desk" becomes a cost center, in
the form of suppressed opportunities for future revenue.

Federal entities, etc, when soliciting for proposals from ISPs and service
providers.... in addition to the "Must have IPv6 support",

could add a line "Must have a highly-responsive abuse desk/abuse contact;
with 4 professional references from email or network operators in the
industry who have worked with the abuse desk";

must aggregate and report matters of potential abuse or complaints
regarding subscriber's outgoing mail or IP traffic within 3 hours on
average, during business hours.... and within 5 hours 24x7 ... etc...

Don't have access to a normal PC right now, but I agreed with this approach so much that I'm typing a response on a 10-button pad.
Sam

Spam needs to become a financial liability rather than a lucrative revenue stream. That's the only way this is going to change.

-Dan