How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

Well, in many parts of the world, criminal activity becomes such once
a judge determines it to be. Until that happens, it is "alleged".

If the specific issue in question was already found by a judge to be
criminal, then I offer my apologies, for I completely missed that.
Otherwise, I would tend to read your messages as being "something which
[you] believe to be criminal".

Some people, for example, believe - incorrectly - that certain types of
e-mail spam are {legal, illegal, pick one}. Their opinions are
irrelevant.

If the "criminal activity" in question is such that the OP feels a need
to gather evidence and report it to the police, then I suspect that this
issue hasn't been before a judge, and is instead "alleged criminal
activity that I wish abuse@$foo would take care of on the basis of the
allegations and their own analysis of the situation."

That doesn't make it any less serious, of course, but does change the way
you need to look at the situation.

... JG

* Joe Greco:

Some people, for example, believe - incorrectly - that certain types of
e-mail spam are {legal, illegal, pick one}. Their opinions are
irrelevant.

I don't know what case prompted Ferg to post his message to NANOG, but I
know that there are cases where failing to act is comparable to ignoring
the screams for help of an "alleged" rape victim during the "alleged"
crime. There might be some reasons not to do anything (fear of DoS,
concerns for personal safety etc.), but I can assure you that ambiguity
is not one of them.

Florian Weimer wrote:

I don't know what case prompted Ferg to post his message to NANOG, but I
know that there are cases where failing to act is comparable to ignoring
the screams for help of an "alleged" rape victim during the "alleged"
crime.

I'm reminded of this story from earlier this year:

http://www.jsonline.com/story/index.aspx?id=568400

"For his effort, Van Iveren was charged with criminal trespass while using a dangerous weapon, criminal damage to property while using a dangerous weapon and disorderly conduct while using a dangerous weapon, all criminal misdemeanors that carry a maximum total penalty of 33 months in jail."

On a side note, now that I've gotten back on -post.... I will say that I've had pretty dismal experiences working with Law Enforcement over the years as a service provider. When you have to explain to the Feds just what IRC (for example) is, you've lost the battle :( After repeated attempts at getting what seems to be blatant criminal activity investigated, a provider might start to think "If Law Enforcement doesn't care, why should I?" (I've avoided falling into that trap, but it is frustrating to boot someone for illegal activities and see them go on to pull the same thing at another provider even after providing evidence to authorities.)

* Mike Lewinski:

Florian Weimer wrote:

I don't know what case prompted Ferg to post his message to NANOG, but I
know that there are cases where failing to act is comparable to ignoring
the screams for help of an "alleged" rape victim during the "alleged"
crime.

I'm reminded of this story from earlier this year:

http://www.jsonline.com/story/index.aspx?id=568400

"For his effort, Van Iveren was charged with criminal trespass while
using a dangerous weapon, criminal damage to property while using a
dangerous weapon and disorderly conduct while using a dangerous
weapon, all criminal misdemeanors that carry a maximum total penalty
of 33 months in jail."

That guy was no foreigner to the local police, apparently. I couldn't
find anything regarding the outcome of his court appearance. Of course,
if you run to the help of those in apparent need, you always risk
looking very stupid.

Anyway, if you've got a customer account that was created with a stolen
credit card, and you get complaints about activity on that account from
various parties, and you still don't act, this shows a rather
significant level of carelessness. The other side of the story is that
it takes months to get local police to forward the criminal complaint to
state police, and state police to issue an order for seizure, even in
areas of Germany where I thought we had pretty good LE coverage.

Florian Weimer wrote:

Anyway, if you've got a customer account that was created with a stolen
credit card, and you get complaints about activity on that account from
various parties, and you still don't act, this shows a rather
significant level of carelessness. The other side of the story is that
it takes months to get local police to forward the criminal complaint to
state police, and state police to issue an order for seizure, even in
areas of Germany where I thought we had pretty good LE coverage.

We also can't discount the possibility the "unresponsive" ISP is cooperating (willfully or not) with a police sting operation and can't respond in any way at all, for fear of jeopardizing it.

Though I still say a year is likely too long.

* Steve Bertrand:

Anyway, if you've got a customer account that was created with a stolen
credit card, and you get complaints about activity on that account from
various parties, and you still don't act, this shows a rather
significant level of carelessness.

Further to carelessness, this may be pushing the boundary in many places
of guilt by act of omission.

I'm not familiar with the finer points of the US criminal code. I'm
rather skeptical that such a risk actually exists (Foonet/CSI
notwithstanding). If people actually cared about compromises, I would
be more concerned that not handling abuse complaints would expose ISPs
to liability from their own customers, who would have learnt earlier
about their compromise if the ISP told them.

Part of the reason why this discussion is somewhat heated is that
there's zero incentive in most markets to deal with customer
compromises. Otherwise, people would just lean back and think, "yeah,
right, let them try and see how it works for them".

Florian Weimer wrote:

Part of the reason why this discussion is somewhat heated is that
there's zero incentive in most markets to deal with customer
compromises.

We have observed that compromised hosts on our network have a very good chance of becoming the targets of DDoS attacks. So my staff is trained to treat each abuse report as a potentially compromised computer "crying out for help" and we've been through enough multi-gigabit DDoS to know what the real pain factor is, and hence don't let them fester.