I just made a number of abuse complaints to a provider and then after contacting the abuse #. I got told that they don't use abuse@ anymore. that abuse.cc is the new email address. Correct me if I am wrong, but isn't this against RFC current practice? I won't name the provider, and have email hostmaster@arin since they have the wrong abuse on their WHOIS.. Thanks, Jim
On Thu, 3 Apr 2003 10:05:55 -0500 "McBurnett, Jim" <jmcburnett@msmgmt.com> wrote:
I just made a number of abuse complaints to a provider and then after contacting the abuse #. I got told that they don't use abuse@ anymore. that abuse.cc is the new email address.
Correct me if I am wrong, but isn't this against RFC current practice?
hm. send the RFC police after them :-/... fact is that there are plenty of domains that do not even have an abuse@ e-mail address. Never mind the once that don't accept any abuse/security related e-mail and instead direct you to a web form. (personal favorite: mail bouncing from abuse@ due to mailbox full) -- -------------------------------------------------------------------- jullrich@euclidian.com Collaborative Intrusion Detection join http://www.dshield.org
In message <390E55B947E7C848898AEBB9E507706041E630@msmdcfs01.msmgmt.com>, "McBu rnett, Jim" writes:
I just made a number of abuse complaints to a provider and then after = contacting the abuse #.=20 I got told that they don't use abuse@ anymore. that abuse.cc is the new = email address.
Correct me if I am wrong, but isn't this against RFC current practice?
Yes -- see RFC 2142. But the IETF has no enforcement arm... --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (2nd edition of "Firewalls" book)
On Thu, 03 Apr 2003 10:31:39 EST, "Steven M. Bellovin" said:
Correct me if I am wrong, but isn't this against RFC current practice?
Yes -- see RFC 2142. But the IETF has no enforcement arm...
That would be NANOG's job (as much as it's anybody's). Soooo... http://www.rfc-ignorant.org
On Thu, Apr 03, 2003 at 10:05:55AM -0500, McBurnett, Jim wrote:
I just made a number of abuse complaints to a provider and then after contacting the abuse #. I got told that they don't use abuse@ anymore. that abuse.cc is the new email address. Correct me if I am wrong, but isn't this against RFC current practice?
Providers don't seem to care about RFC or abuse@ anymore... Belgium's biggest ISP (skynet.be) is rfc-ignorant as well. They have a spamproblem (refuse to close down spammers, a lot of the dsl customers have open relays or open proxies, no action whatsoever has been taken). Because of this, they get huge amounts of complaints to abuse@skynet.be. They couldn't handle it anymore, and redirected the senders to a webform were you have to fillin you complaint. They don't care about having a spamproblem, they don't care about being rfc-ignorant, because they know that every isp in Belgium that does spam-filtering, is whitelisting them because they are the biggest isp in town... Kind Regards, Frank Louwers -- Openminds bvba www.openminds.be Tweebruggenstraat 16 - 9000 Gent - Belgium
On Thu, Apr 03, 2003 at 10:05:55AM -0500, McBurnett, Jim wrote:
I just made a number of abuse complaints to a provider and then after contacting the abuse #. I got told that they don't use abuse@ anymore. that abuse.cc is the new email address. Correct me if I am wrong, but isn't this against RFC current practice?
Providers don't seem to care about RFC or abuse@ anymore...
I hate to play devil's advocate here, but I've been on the receiving end of the abuse@ complaints that became unmanagable. The bulk of them consisting of: "Your user at x.x.x.x attacked me!" (And this is sometimes the nameserver:53 or mailserver:113) This is not a log file, or a source/destination port. The most commonly left out item was Time/Time zone. The company I worked for at the time did not harbor spammers. These were open relays, public proxies, & all around poorly configured/maintained machines. The size of our customer base, however, prevented a personal reply to all of them that said: "You left out X, please try again." With a legitimate desire to address valid complaints against customers, we started bouncing back an acknowledgment msg that said simply if you don't provide us all of the following, we won't reply and request it, your submission will be ignored. We also setup an abuse-esc@ that would circumvent the ack msg. Problem is/was people don't read the bounce back. I know this isn't the case with all of the abuse@ addresses, but we talked about creating a web form for submission so we could smack the submitter on the head when they left out relevant information. Another aspect of the social spam problem trying to be resolved through technical means. Gerald
On Thu, 3 Apr 2003, Gerald wrote:
I hate to play devil's advocate here, but I've been on the receiving end of the abuse@ complaints that became unmanagable. The bulk of them consisting of:
"Your user at x.x.x.x attacked me!" (And this is sometimes the nameserver:53 or mailserver:113)
We added this to the auto-reply of our abuse@ address: --- cut - here ---- For complaints of port scanning or supposed hacking attempts, complete logs of the abuse are required. At a minimum, a log of abuse contains the time (including time zone) it happened, the hosts/ips involved and the ports involved. Please note that we received a large number of false complaints from people using personal firewall programs regarding port scanning. If you are submitting a complaint based on the logs from one of these programs we highly suggest you to read the following: http://www.samspade.org/d/persfire.html AND http://www.samspade.org/d/firewalls.html --- cut - here ---- The abuse guys concentrate on spam reports, open-relay reports and sometimes port scanning reports from proper admins (these are easy to spot). Junk from dshield.org and the like is pushed to the bottom of the priority list. There are just too many random packets flying about for the personal firewall reports to be useful. The other problem is it's hard to act against a client based on one packet received by some person on the other side of the world running a program they don't understand. At least with spam reports you'll get several independant reports with full headers and if they use our servers we'll even have our own logs. -- Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Thu, 3 Apr 2003, Frank Louwers wrote:
Providers don't seem to care about RFC or abuse@ anymore...
Nor do they care about their SWIPs being correct or their AS info being correct either. To this day I have not found a single working contact for prodigy.net.mx ... -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Perhaps proposed ARIN policy 2003-1b can help with this. If ou aren't familiar with it, I suggest reviewing it. I'm trying to gather support and consensus for it for the meeting next week in Memphis. It only targets ARIN, but if we can get it successfully implemented by ARIN, perhaps the other RIRs will follow suit. Owen --On Thursday, April 3, 2003 11:38 -0800 Dan Hollis <goemon@anime.net> wrote:
On Thu, 3 Apr 2003, Frank Louwers wrote:
Providers don't seem to care about RFC or abuse@ anymore...
Nor do they care about their SWIPs being correct or their AS info being correct either.
To this day I have not found a single working contact for prodigy.net.mx ...
-Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Thu, 3 Apr 2003, Owen DeLong wrote:
Perhaps proposed ARIN policy 2003-1b can help with this. If ou aren't familiar with it, I suggest reviewing it. I'm trying to gather support and consensus for it for the meeting next week in Memphis.
under this policy, army.mil would have lost their allocations ages ago. however i doubt arin would have the balls to enforce it :-) -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Well... I guess we'll have to see. If you've got a better alternative, I'm all ears. One thing that is certain... Without a policy, it cannot be enforced. Owen --On Thursday, April 3, 2003 4:27 PM -0800 Dan Hollis <goemon@anime.net> wrote:
On Thu, 3 Apr 2003, Owen DeLong wrote:
Perhaps proposed ARIN policy 2003-1b can help with this. If ou aren't familiar with it, I suggest reviewing it. I'm trying to gather support and consensus for it for the meeting next week in Memphis.
under this policy, army.mil would have lost their allocations ages ago. however i doubt arin would have the balls to enforce it :-)
-Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
participants (9)
-
Dan Hollis -
Frank Louwers -
Gerald -
Johannes Ullrich -
McBurnett, Jim -
Owen DeLong -
Simon Lyall -
Steven M. Bellovin -
Valdis.Kletnieks@vt.edu