On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails. This is why folks don't have abuse contacts that are responsive to real issues anymore.
[ "you" = rhetorical "you", throughout ] No, the reason that folks don't have responsive abuse contacts is that they're some combination of: - lazy - cheap [1] - incompetent - unprofessional - actively supporting the abusers A "we received 3 login attempts on our SSH box" complaint should be read, investigated, and acted on. It means that something is going on that shouldn't, and so for your own sake, as well as for the well-being of your Internet neighbors, you should find out what that is. That "for your own sake" clause is often overlooked. An incoming abuse complaint is sometimes the canary in the coal mine. Ignoring it because it appears to be trivial at first glance is extremely foolish. The lesson of the 75-cent accounting error is now 34 years old. This would be a really good time to learn from it. You should also consider that -- thanks to the negligence and incompetence of many abuse desks -- a lot of people simply don't bother reporting incidents any more. Thus what presents to you, on the surface, as "we received 3 login attempts on our SSH box" may in fact be one isolated report of a much larger incident. It thus requires your immediate attention, if you want to even pretend to be a responsible, competent professional. Incidentally, an excellent way to reduce the number of "we received 3 login attempts on our SSH box" complaints is to deal with all of them, thus decreasing incident occurence, which will of course result in a corresponding decrease in complaints. An even better way is to run your operation in such a way that you detect and deal with as many such things as possible before anybody needs to file a complaint. After all, if they can see the traffic arriving on their side, you can see it leaving on yours. ---rsk [1] I note, for example, that Charter -- which is mentioned in the original message in this thread -- currently has a market capitalization of 116.63 billion dollars. Surely they could spare a tiny fraction of that to appropriately staff a 24x7 multi-lingual abuse desk with senior engineers and empower/equip them to do what needs to done. That's what a professional operation would do.