BCP for Abuse Desk

Of late, I have found many large ISPs that are employing anti-spam filters on
their abuse@ addresses.

Needless to say, they seem surprised that their customers have any abuse
issues involving spam at all :slight_smile:

I know that there was a Abuse Desk BCP working group started a few years ago.
Can anyone give me an update on BCP practices that I can refer ISPs to?

Of late, I have found many large ISPs that are employing anti-spam filters on
their abuse@ addresses.

Needless to say, they seem surprised that their customers have any abuse
issues involving spam at all :slight_smile:

Paging Randy Bush - one of your competitors is on the phone... :slight_smile:

I know that there was a Abuse Desk BCP working group started a few years ago.
Can anyone give me an update on BCP practices that I can refer ISPs to?

http://asrg.sp.am/subgroups/bcp.shtml says:

"Previous BCP subgroup has been active from September of 2003 until December of
2003 when it was shutdown due to lack of active members. This subgroup is
currently in formation, will be restarting as soon as we have enough interested
participants."

Oooh... Kaay..

Really though, all the BCP you need is:

1) Make sure the 'postmast@' and 'abuse@' addresses accept mail and actually
go to live people that can take action (rather than routing to /dev/null or
bouncing because the mailbox is full).
2) Don't put a spam filter in front of the spam reporting address.
3) Take *meaningful* action that actually fixes the problem.
  3a) Don't send back a "this spam isn't from us" canned message when the
  headers clearly show it came from you, etc....
  3b) No pink contracts.
  3c) Do a basic check on new customers. http://www.spamhaus.org/Rokso/ is
  a good start.
  3d) Make sure your ToS allows nuking a spamming/abusive host.
  3e) Then *use* that clause in the ToS when needed.

There's a maawg bcp or two on this in development, and if you're going
to be at the Brussels MAAWG mtg (www.maawg.org) next month I'll be
doing a bof on just that, 6/27 evening.

srs

Subject: Re: BCP for Abuse Desk

(various good stuff deleted for brevity)

  3d) Make sure your ToS allows nuking a spamming/abusive host.
  3e) Then *use* that clause in the ToS when needed.

Each of the ISP's I worked for had such a clause. I felt it
was a double edged sword. The only choices were to use it or
not to use it, and on non-clear cut cases the business side of
a company may be reluctant to heave a paying customer out the
door. I would advocate service contracts that allow a graduated
response including, but not limited to, getting rid of the
customer. That way, there are penalties available even in cases
of "unintentional" network abuse.

As I said, "when needed". As you correctly noted, sometimes it's
more helpful to the bottom line if it remains an unmentioned stick
while you find a carrot to wave at the customer. If a well-phrased
phone call or two and a helpfully informative e-mail can get the problem
resolved, you obviously didn't *need* to nuke. :slight_smile:

Not a BCP but we have a section for ISP Abuse Desks at http://www.spamhaus.org/isp/ with useful info including a FAQ for Abuse Issues and Handling, Feedback Loops, Port 25 blocking, etc., plus an online AUP builder. These are at:

ISP Abuse Issues FAQ:
http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues

ISP Acceptable Use Policy builder:
http://www.spamhaus.org/isp/create_aup.lasso

   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org

I've found that the reserving the right to nullroute an offending host's IP address for repeated spam offenses is a good intermediate step between simple notifications and contract/circuit termination. It lets the customer know you mean business while still preserving the customer's account status; if the offender is a web hoster, it winds up being a particularly effective tool, as the threat of collateral damage from other sites hosted on the same IP is pretty compelling.

Of course, it's important to be willing to remove the nullroute as soon as the customer confirms that the problem has been dealt with, otherwise it does effectively become a partial termination of services.

-C