Constant Abuse Reports / Borderline Spamming from RiskIQ

For the past few months we have been receiving a constant stream of abuse reports from a company that calls itself RiskIQ (RiskIQ.com).

The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing and TECH-POC addresses and on almost every other email address of ours that is publicly available. It doesn’t end there: they even come online on our website and start using our support live chat, and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same.

We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Does anyone have a similar experience with them?

RiskIQ is a known good player. If there’s a stream of abuse reports maybe removing whatever customer it is might be a good idea?

I am not sure why they are sending out mail to every contact they can find though. Are abuse tickets resolved in a timely manner?

If the abuse problem is legit and arises with enviable constancy, maybe it is time to take fundamental measures to combat abuse?
I had to block port 25 by default on some operators and create a self-care web page for removing the block, with the requirement to read a legal agreement stating the consequences if the client starts spamming.
For those who are brute-forcing other people's servers / credentials, a soft-throttling ACL had to be implemented.
And as they wrote earlier, it’s better to kick out exceptionally bad customers than to destroy your reputation.

Speaking of spam, I just sent a message in and got auto responses from:
chad@rankleads.com

kundservice@axofinans.se

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

Hi Kushal,

It seems like they've escalated to "name and shame." I notice that the
site they complained about on their Twitter feed on April 6 is still
alive on your infrastructure at 103.83.192.6 right now. Perhaps your
abuse management practices could be improved.

Regards,
Bill Herrin

Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
which is dated 9:15 AM 4/13/2020:

  5 #phishing URLs on admin12.find-textbook[.]com were reported
  to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
  and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH
better -- then shut down your entire operation today as it's unworthy of
being any part of the Internet community.

---rsk

All abuse reports that we receive are dealt with within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending, and then our live support chats.

We send out abuse reports too, but we don’t spam them to every publicly available email address for an organisation. It isn’t difficult to look up the Abuse POC for an IP or network, and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly, Twitter isn’t a place to report abuse either.

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse reporting?

RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the complaint only after two business days, that’s closing the barn door after the horse has bolted and crossed a state line.

–srs

I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?

This is not an acceptable answer.

-Dan

Hi Kushal,

I would venture a guess that's why they've escalated to calling you
out on Twitter.

Don't shoot the messenger. However irritating they may be, if they
reported a real problem (as it appears they did) it's strongly in your
interest to fix it.

Regards,
Bill Herrin

Handle it in a reasonable amount of time, and please prioritize phishing somewhere after the usual threat to life / child abuse type cases (which are, fortunately, comparatively rare). Phishes put people at risk of losing their life savings, and especially with covid already threatening to make that happen, that’s something we must all work to prevent.

There are providers that are good at handling abuse and responding as well (if only with boilerplate text and an automated ticket closure email, that’s fine… as long as the threat is addressed I wouldn’t even need a reply) while there are others that have substantial abuse automation but are slow to respond at times, while others have no significant abuse prevention AND are slow to respond.

If, for whatever reason, the abuse load on a network goes out of control then the network does get pressured by escalation in one form or the other. Corporate contacts in this individual’s case, could be reports to various upstreams in some other case.

–srs

At eight business hours per calendar day, and five business days per
(typical) calendar week, 48 business hours is... a week and a bit, calendar
wise.

- Matt

We are a 24x7 operation.

Jonathan-

First-time posts to the list are, pardon the phrase, quarantined out of the gate. Once it’s obvious that it’s not spam or a problem individual, that gets released and future messages go straight out.

This is still a manual process done by one person in the NANOG organization, so it’s not always that fast. You likely just got caught up in that, and didn’t do anything incorrectly.

[Hideously mangled quoting fixed]

Matt Palmer wrote:

All abuse reports that we receive are dealt within 48 business hours.

At eight business hours per calendar day, and five business days per
(typical) calendar week, 48 business hours is… a week and a bit,
calendar wise.

We are a 24x7 operation.

Then why not just say “within 48 hours”, rather than the weaselish “48
business hours”? Makes it seem like you’re trying to clever-word yourself
an alibi.

- Matt

The Internet never sleeps.

Every hour on the Internet is a business hour.

(If you think otherwise, there’s a good chance you’re not running a global operation.)

Matt

[ Copied to Jonathan @ RiskIQ because I don't believed he's subscribed. ]

All abuse reports that we receive are dealt within 48 business
hours. As far as that tweet is concerned, it's pending for 16 days
because they have been blocked from sending us any emails due to the sheer
amount of emails they started sending and then our live support chats.

There's a lot to unpack here, both for you and for RiskIQ.

Let's start with you.

Your home page says that you host over 100,000 web sites.
Your home page says that you have over 10,000 customers.
Your home page says that you have 24x7x365 support.

  (Which is wrong, by the way. It's either 24x7 or 24x365
  or maybe 24x7x52 depending on what you're trying to express.
  There is no such thing as 24x7x365. But let's press on:)

Given all that, why don't you have a 24-hour abuse desk that is
empowered to act immediately on reports? Do you not understand that --
as Suresh has pointed out -- the lifetime of many abusive activities
is measured in hours and that a 48-hour turnaround is far too slow
to be effective?

Your "about" page says that you're a leading web hosting company.

Alright then: *lead*. Show us that you're one of the best at this.
Be one of the operations that we can point to and say "this is
how it's supposed to be done".

Because right now you're the opposite of that.

Also: don't use abuse.support@. Use abuse@, per RFC 2142. There is
zero reason not to go along with the standard. If you want to alias
it internally fine, but at least get this rudimentary thing right.
*This is why we have standards*.

By the way: did you know that there are multiple COVID-19 scammers
who have set up shop on your service in the past few weeks? I'm very
curious as to why a "leading web hosting company" would allow such
a thing to happen, given that much of it's trivial to prevent.

And now: RiskIQ, it's your turn.

If an operation has exhibited the competence to read and implement
RFC 2142, and thus has a working abuse@ address that goes to some
combination of people and automation that deals with abuse reports,
then that's the one you should be using. If it has a security@ address
then that's appropriate for those kinds of events. And while there
are obviously cases where it's appropriate to send to both, it's never
appropriate to send this stuff to role accounts like sales@ or info@
or anything like that. So: knock it off.

What about operations that haven't done that? Okay, that's where you
look up their registered contacts. There is of course no reason for
addresses like abuse.support@ when abuse@ will do perfectly fine for
everyone on this planet but if that's what has to be done, then (a) use it
and (b) try to convince them to use abuse@ like competent people who
have read RFC 2142 do. We'll all be happy if you succeed.

Sending reports repeatedly may make you feel better by venting your
frustration, but it won't solve the problem. (Now, if new information
arrives about a report you've already filed, then a supplemental message
is appropriate.) Bombarding people either means you're (a) annoying
people who were already doing something or (b) annoying people who were
never going to do anything anyway. So knock that off too.

Bugging people in live support chats is probably equally pointless.
So if you're doing that: stop.

  (Actually: given my experience over the past few decades "live
  support chats" are pretty much pointless, but that's a whole
  'nother problem and if I have to deliver *that* rant, I'll
  need scotch before noon. So again, pressing on:)

As to naming-and-shaming on the web or Twitter or wherever: sure, if
you want. But if you're going to do that then it's probably worth doing
a bit more formally, a la Spamhaus, with a web page that has a
unique URL and supporting evidence and an explanation and so on.
(Do keep in mind that operations like Twitter are transient and thus
not a good choice if you're trying to create a permanent record.)

---rsk
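One way to do the "look up their registered contacts" step from the message above, with the RFC 2142 abuse@ mailbox as the fallback it recommends (an added example, not code from the thread, from RiskIQ or from any host mentioned): walk an RDAP response for the entity carrying the abuse role and ignore the sales/registrant addresses. The RDAP document is a constructed sample; its handles and addresses are made up.

```python
import json

# Constructed sample of an RDAP "ip network" response (RFC 9083 shape);
# handles and addresses are made up. The abuse contact hangs off the
# registrant as a nested entity, which is how several RIRs return it.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "ip network",
  "handle": "203.0.113.0 - 203.0.113.255",
  "entities": [{
    "handle": "EXAMPLE-NET", "roles": ["registrant"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["email", {}, "text", "sales@example.net"]]],
    "entities": [{
      "handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["email", {}, "text", "abuse@example.net"]]]
    }]
  }]
}""")

def _walk_entities(obj):
    """Yield every entity in an RDAP object, recursing into nested entities."""
    for ent in obj.get("entities", []):
        yield ent
        yield from _walk_entities(ent)

def _vcard_emails(entity):
    """Pull email addresses out of an entity's jCard (vcardArray)."""
    vcard = entity.get("vcardArray") or []
    props = vcard[1] if len(vcard) > 1 else []
    return [p[3] for p in props if p and p[0] == "email" and isinstance(p[3], str)]

def abuse_contacts(rdap):
    """Emails of entities with the 'abuse' role; sales@/registrant addresses are ignored."""
    found = []
    for ent in _walk_entities(rdap):
        if "abuse" in ent.get("roles", []):
            for email in _vcard_emails(ent):
                if email not in found:
                    found.append(email)
    return found

def report_address(rdap, domain):
    """Registered abuse contact if any, else the RFC 2142 abuse@<domain> mailbox."""
    contacts = abuse_contacts(rdap)
    return contacts[0] if contacts else f"abuse@{domain.lower().strip('.')}"

if __name__ == "__main__":
    print(report_address(SAMPLE_RDAP, "example.net"))  # abuse@example.net
```

A live lookup would feed the JSON from an RDAP bootstrap service into `report_address`; the sample above stands in for that response so the code runs offline.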

No, you don't have to stop hosting anything/everything. But there are
all kinds of things that can be done to detect problematic customers
before you sign them up and once they're in place. None of those
things are panaceas but all of them done in combination (a) reduce
the chances that you'll have a mess to clean up later and (b) enhance
one's reputation as a place NOT to go for dubious activities, which
in turn discourages future miscreants from trying to get in the door.

---rsk