Subject: Re: Abuse response [Was: RE: Yahoo Mail Update]
From: Valdis.Kletnieks@vt.edu
Date: Wed, 16 Apr 2008 12:02:02 -0400
On Wed, 16 Apr 2008 00:38:33 CDT, Chris Boyd said:
- I'd like to see an actual response beyond an autoreply saying that you can't tell me who the customer is or what actions were taken.
Well, let's see. If you're reporting abuse coming from my AS, it's almost certainly one of 2 things:
[[ sneck causations ]]
Basically, 99.8% of the time, no response other than "We found it and dealt with it" is actually suitable, and the other 0.2% of the time, you're about to get dragged into an ongoing investigation, so expect a "Hold Evidence" order on your fax in a few minutes.. ;)
So what sort of response did you actually *want*?
Speaking strictly for myself, the wish-list for an ack is (not necessarily in priority order):

1) appreciation for my contributed time/effort in helping them keep _their_ network clean.

2) an ack that they _have_found_ the source. I generally don't care 'who' it was, just that they *have* been found, and STOPPED.

3) an indication that the immediate issue has been fixed, and that steps have been taken to prevent future recurrence. Again, the actual 'details' of what has been done are relatively unimportant.

4) *WHEN* the 'fix' was implemented. Then I know that if I see more of the same _before_ that time, I don't need to report it, =AND= if I see stuff occurring _after_ that time, that it is a 'new and different' problem that _does_ need to be reported.

This is more about _how_ you say things than the details of what you actually say. Replies -- _days_ later -- along the lines of "thanks for the report, due to volume of complaints we won't be able to tell you anything about what we find, or do" cause much grinding of teeth.

Replies that say: "This appears to be the same as something that has already been reported to us by others. We have looked into things, confirmed it was happening, and put a stop to it as of {timestamp}. If you see any more of this activity from that source _after_ that time please email us immediately with the string "{token}" in the subject line." _do_ give the originator 'warm fuzzies', and can be more-or-less trivially generated by a good trouble-ticket system. Especially with reasonable front-end automation for recognizing 'duplicate' complaints.

At the good end, I've gotten replies saying: "the customer has been contacted, and they immediately took the affected machine off-line for sterilization"; even "we have been unable to contact the customer, and have pulled their circuit until they *do* contact us."
Note: that last message was received about 4 hours after sending the problem notice, and about 2 hours after what would have been the normal 'start of business' in the locale of the problem. That provider wears a *BIG* white hat in my books. Not so much for telling me what they did, but for the speed of reaction.

Contrast those responses with a major national who doesn't send any responses *and* has an admitted policy of giving customers _a_week_after_notification_ of having an infected machine on their network to get the machine off-line or otherwise dealt with. And it can take _days_ to get the notification to the customer. (They just send an email to the business contact -- notify them late Friday and the clock doesn't start running until Monday morning. *sigh*)