So how do the little guys play in this sandbox?
3rd-party aggregation. Where do RBLs get their data? They act as a 3rd party to aggregate data from many others.
- It needs to be simple to use. Web forms are a non-starter.
If you have the ability to accept reports via an HTTP REST application, it wouldn't hurt to put up a web form so that people can try it out.
- The output from any parsers needs to be human readable.
ARF is the only thing that meets this requirement (http://mipassoc.org/arf/). However, you should consider accepting input as IODEF as well. Just use ARF for the output that you submit to the abuse desks.
- I'd like to see an actual response beyond an autoreply saying that you can't tell me who the customer is or what actions were taken.
Now you are asking the abuse desks to modify their software and processes to meet your needs. I can't see them ever providing a response per report, however if enough people buy into a standard reporting system, like ARF, then you might get ISPs to accept some kind of report-origin code and then allow you to periodically request resolution reports for all reports coming from that report-origin.
- I like dealing with other small operations and edus because humans actually do read the reports, and things get done (Thanks!).
If people had succeeded in cleaning up the abuse problems in 1995 when the human touch was still feasible, we would not have the situation that we have today. Automation is the only way to address the flood of abuse email, the huge number of people originating abuse, and the agile tactics of the abusers. You just have to accept that people will not read your reports, and will not act on your reports. What they will do is feed your reports into automated systems that use AI techniques to define tasks for the abuse desk to act upon. Consider this. Any single point source of abuse, say a single broadband PC in a botnet, will spew out spam or DDOS to hundreds of destinations. If 20 of these destinations submit ARF reports, and you are one of these 20, then there is a 5% chance that your report has anything worth acting upon. 95% of the time, you will be reporting something that the abuse desk has already acted upon and it would be a waste of abuse desk resources to read and reply to your report. On the other hand, it can be very useful for the automated system to process your report for statistical purposes and to provide a better understanding of how that particular botnet functions.
I've given up sending abuse reports to large consumer ISPs and all freemail providers because I'm not a member of the club. Any response that I'm lucky enough to get generally says something like "You did not include the email headers in your complaint so we are closing this incident" when I reported an FTP brute force.
This is why we need *MORE* automation between providers. Then there is less room for human error in wading through a mass of reports trying to pick out the ones which can be fixed. --Michael Dillon
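An added example, not part of the thread above, of the ARF output format the reply recommends: it builds a multipart/report message in the RFC 5965 layout (human-readable text, machine-readable feedback-report fields, the original message) and parses one back with the Python standard library. The reporter and abuse-desk addresses, the sample spam, and the X-Report-Origin field (a made-up extension standing in for the report-origin code suggested above) are constructed assumptions.

```python
import email
from email.mime.base import MIMEBase
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SAMPLE_ABUSE_MAIL = (  # constructed sample of the message being reported
    "From: spammer@spam.example\nTo: victim@reporter.example\n"
    "Subject: cheap pills\nReceived: from [192.0.2.10]\n\nbuy now\n")

def build_arf_report(original, source_ip, mail_from, reporter, abuse_desk, origin):
    """Serialize a multipart/report; report-type=feedback-report (RFC 5965)."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"], report["To"] = reporter, abuse_desk
    report["Subject"] = "FW: " + original.get("Subject", "")
    # Part 1: human-readable text, the part a small abuse desk actually reads.
    report.attach(MIMEText(f"Abuse report for mail from {source_ip}.\n"))
    # Part 2: machine-readable fields, the part an automated pipeline consumes.
    fields = ["Feedback-Type: abuse", "User-Agent: ExampleReporter/0.1", "Version: 1",
              f"Original-Mail-From: {mail_from}", f"Source-IP: {source_ip}",
              f"X-Report-Origin: {origin}"]  # X-Report-Origin is a hypothetical extension
    fb = MIMEBase("message", "feedback-report")
    fb.set_payload("\n".join(fields) + "\n")
    report.attach(fb)
    # Part 3: the reported message itself, headers included, as message/rfc822.
    report.attach(MIMEMessage(original))
    return report.as_string()

def parse_arf_report(raw):
    """Pull the feedback fields and the embedded original out of an ARF report."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    result = {"fields": {}, "original": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The stdlib parser reads message/* bodies as a nested header block.
            inner = (part.get_payload(0) if part.is_multipart()
                     else email.message_from_string(part.get_payload()))
            result["fields"] = dict(inner.items())
        elif ctype == "message/rfc822":
            result["original"] = part.get_payload(0)
    return result

def sample_report():
    """Constructed end-to-end call with made-up reporter and abuse-desk addresses."""
    return build_arf_report(email.message_from_string(SAMPLE_ABUSE_MAIL), "192.0.2.10",
                            "spammer@spam.example", "abuse-reporter@reporter.example",
                            "abuse@isp.example", "reporter-0042")
```

Feeding the parsed fields into a ticketing or statistics system is what the automated abuse desks described above do with a report; the Source-IP and Feedback-Type values are what they key on.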