I’ll reach out to you off list.


On Apr 14, 2020 at 1:55 PM, <Jonathan M> wrote:

My bad - This was not for Rich but for Kushal who initiated the thread taking the survey about us being "spammers". I'm contacting the administrator at Nanog.org now to figure out what I did wrong to properly post to the thread as I haven't used the mailing list before. Have a good day. Jonathan

On Mon, Apr 13, 2020 at 9:55 PM Jonathan M <jonathan-m@riskiq.net> wrote:
This may not have been approved yet by the moderator but was sent to the list about 30 minutes ago....I'm sorry, but I'm just learning how to use this list and I am concerned that my post was not properly sent--thus, replying to the thread here....thx

Re: https://twitter.com/RiskIQ_IRT/status/1249721818602070016?s=20

Hi, Rich,

I hope you are well. If you ever encounter an incident that you think could have been handled better on our end, we aspire to continuously improve, and don't claim to be perfect.

Rather than blocking our abuse notification to the abuse POC, it would be better to let us know you have concerns so that we can improve our communications. Blocking us on Twitter and shutting off communication is no better than if we were to just send your customer's domain to a blacklist without notifying you of a compromise so that it can possibly be patched. Let's keep the overall goal in mind -- it's to make the internet safer by flagging possible violations of your acceptable use policy that may lead to compromised personal data or sensitive credentials of innocent visitors online.

Before anything is posted to Twitter, I personally review the history of the event to see if we have exhausted all reasonable steps to mitigate harmful cyber activity or operations on network infrastructure short of always picking up the phone or using the fax. While we have attempted to do that in the past for each event, there is just too much harmful cyber activity going on for us to be relying on phone calls to try and reach the abuse team to ask that our ticket be prioritised after an unreasonable period of time has elapsed. We have thousands of escalations that we need to handle and most of the time though not across the board, when we call to reach the abuse teams, we are unsuccessful in reducing the time to remediation.

The goal is not to shame anyone per se. It's to create more transparency regarding a problem that we all need to work together on. It's similar to where nation state actors use public attribution as part of mitigation to improve the Internet from cyber attacks. We did not block you on Twitter, and after every tweet, we follow-up to the appropriate abuse point of contact to raise visibility of the matter, as well as to the PR team, and applicable computer emergency response teams as well as attorney generals or other applicable authorities.

We all need to work together. Please do not hesitate to contact me and I will make sure we are meeting our end of aspiring to be a good partner, and look forward to working with you as the need arises. Stay safe and healthy in these challenging times, and we wish you the best.

I'm happy to discuss offline as well. We can set up a time to discuss and improve the mitigation workflow on both sides.

Best regards,
Jonathan Matkowsky
VP, Digital Risk
RiskIQ, Inc.


On Mon, Apr 13, 2020 at 9:41 PM Tom Beecher <beecher@beecher.cc> wrote:
I would agree that Twitter is not a primary place for abuse reporting. 

If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse reporting? 

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r@h4g.co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.

We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to look up the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly Twitter isn’t a place to report abuse either.


On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec> wrote:

       
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Quoting from:

    https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

    5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
     
