On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson <fergdawg@netzero.net> wrote:
As I mentioned in my presentation at NANOG 42 in San Jose, the biggest barrier we face in shrinking the "time-to-exploit" window with regards to contacting people responsible for assisting in mitigating malicious issues is finding someone to actually respond.
Fergie.. you (and various others in the "send emails, expect takedowns" biz) - phish, IPR violations, whatever.. you're missing a huge, obvious point. If you send manual notifications (aka email to a crowded abuse queue) expect 24 - 72 hours response. If you have high enough numbers of the stuff to report, do what large ISPs do among themselves, set up and offer an ARF'd / IODEF feedback loop or some other automated way to send complaints, that is machine parseable, and that's sent - by prior agreement - to a specific address where the ISP can process it, and quite probably prioritize it above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email. That kind of report can be handled within minutes. If you send reports with lots of legal boilerplate, or reports with long lectures on why you expect an INSTANT TAKEDOWN, and send them to a busy abuse queue, there is no way - and zero reason - for the ISP people to prioritize your complaint above all the other complaints coming in.
Unfortunately, most abuse requests/inquiries fall into a black-hole, or bounce.
Not you, but several companies that do this as a business model need to learn how to do this properly. Some of them are spectacularly incompetent at what they do too.
Me, I have pretty much given up on any domain-related avenues, since they generally end up in disappointment, and found more successes in going directly to the owners of the IP allocation, and upstream ISP, a regional/national CERT/CSIRT, or law enforcement.
Yeah? And by the time your request filters right back down to where it actually belongs.. guess what, it takes much longer than 72 hours.
Now, this has no bearing on the original subject (which I have now forgotten what it is -- oh yeah, something about Yahoo! mail), but it should be additional proof that the Bad Guys know how to manipulate the system, the system is broken, and the Bad Guys are now making much more money than we are. :-)
And proof that various good guys don't know how to cooperate, and various other "good guys" are in the business only to score points off other providers to make themselves look good. http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphi... for example.. I think Brian Krebs - given what I know of his usual high standards - would certainly have regretted publishing PR and marketing generated, highly debatable, "statistics" like the ones referenced in that article. --srs
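As an added illustration (not part of the thread above) of the machine-parseable feedback loop Suresh describes: a minimal parser for an ARF feedback report (RFC 5965) using only Python's standard email module, run over a constructed sample report. The ARF field names come from the RFC; the sample addresses and the "fast lane" rule in fast_lane() are assumptions made for the example.

```python
import email
from email import policy

# Constructed sample ARF report (RFC 5965 layout): human-readable part, feedback-report part, original mail.
SAMPLE_ARF = """\
From: abuse-reporter@example.net
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for mail received from 192.0.2.1 (constructed sample).

--b1
Content-Type: message/feedback-report

Feedback-Type: fraud
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.1
Reported-Domain: example.com

--b1
Content-Type: message/rfc822

From: phisher@example.com
Subject: Verify your account

--b1--
"""

def parse_arf(raw):
    """Return the ARF fields as a dict, or None if raw is not an ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        return None
    fields = {}
    for part in msg.iter_parts():
        if part.get_content_type() == "message/feedback-report":
            # The parser treats a message/* body as a nested message, so the
            # ARF fields are simply that nested message's headers.
            fields.update({k: str(v) for k, v in part.get_payload(0).items()})
        elif part.get_content_type() == "message/rfc822":
            fields["Original-Subject"] = str(part.get_payload(0)["Subject"])
    return fields or None

def fast_lane(raw):
    # Assumed triage rule: structured fraud/abuse reports naming a source IP skip the manual queue.
    f = parse_arf(raw)
    return f is not None and "Source-IP" in f and f.get("Feedback-Type") in ("abuse", "fraud")
```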