Handle it in a reasonable amount of time, and please prioritize phishing somewhere after the usual threat to life / child abuse type cases (which are, fortunately, comparatively rare).  Phishes put people at risk of losing their life savings, and especially with covid already threatening to make that happen, that’s something we must all work to prevent.

 

There are providers that are good at handling abuse and responding as well (if only with boilerplate text and an automated ticket closure email, that’s fine.. as long as the threat is addressed I wouldn’t even need a reply) while there are others that have substantial abuse automation but are slow to respond at times, while others have no significant abuse prevention AND are slow to respond.  

 

If, for whatever reason, the abuse load on a network goes out of control then the network does get pressured by escalation in one form or the other. Corporate contacts in this individual’s case, could be reports to various upstreams in some other case.  

 

--srs

From: Matt Corallo <nanog@as397444.net>
Date: Tuesday, 14 April 2020 at 12:41 AM
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: Tom Beecher <beecher@beecher.cc>, Kushal R. <kushal.r@h4g.co>, Nanog <nanog@nanog.org>, Rich Kulawiec <rsk@gsp.org>
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?



On Apr 13, 2020, at 11:50, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:



RiskIQ reports phish URLs for large brands

 

The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the complaint only after two business days, that’s closing the barn door after the horse has bolted and crossed a state line.

 

--srs


From: NANOG <nanog-bounces@nanog.org> on behalf of Tom Beecher <beecher@beecher.cc>
Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. <kushal.r@h4g.co>
Cc: Nanog <nanog@nanog.org>; Rich Kulawiec <rsk@gsp.org>
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

 

I would agree that Twitter is not a primary place for abuse reporting. 

 

If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse reporting? 

 

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r@h4g.co> wrote:

All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.

 

We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse either. 




On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec> wrote:

       On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:  >  We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated. Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800 which is dated 9:15 AM 4/13/2020: 5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active 16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community. ---rsk