Abuse response [Was: RE: Yahoo Mail Update]
"Frank Bulk - iNAME" <frnkblk@iname.com> wrote:
72 hours to respond to e-mail sent to the abuse account? That's much too long -- it should be at least a 4 hour response time during business hours, and for service providers and operators large enough to staff their network 24x7 for other reasons, 4 hour response time all the time.
Right. You're dreaming.

As I mentioned in my presentation at NANOG 42 in San Jose, the biggest barrier we face in shrinking the "time-to-exploit" window with regards to contacting people responsible for assisting in mitigating malicious issues is finding someone to actually respond.

I'd personally jump for joy if I could count on 72 hours, or less. Unfortunately, most abuse requests/inquiries fall into a black-hole, or bounce. Very rarely do I find a helpful individual at the end of an abuse address, and that is truly unfortunate.

Me, I have pretty much given up on any domain-related avenues, since they generally end up in disappointment, and found more successes in going directly to the owners of the IP allocation, and upstream ISP, a regional/national CERT/CSIRT, or law enforcement.

Now, this has no bearing on the original subject (which I have now forgotten what it is -- oh yeah, something about Yahoo! mail), but it should be additional proof that the Bad Guys know how to manipulate the system, the system is broken, and the Bad Guys are now making much more money than we are. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson <fergdawg@netzero.net> wrote:
As I mentioned in my presentation at NANOG 42 in San Jose, the biggest barrier we face in shrinking the "time-to-exploit" window with regards to contacting people responsible for assisting in mitigating malicious issues is finding someone to actually respond.
Fergie.. you (and various others in the "send emails, expect takedowns" biz) - phish, IPR violations, whatever.. you're missing a huge, obvious point

If you send manual notifications (aka email to a crowded abuse queue) expect 24 - 72 hours response

If you have high enough numbers of the stuff to report, do what large ISPs do among themselves, set up and offer an ARF'd / IODEF feedback loop or some other automated way to send complaints, that is machine parseable, and that's sent - by prior agreement - to a specific address where the ISP can process it, and quite probably prioritize it above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email.

That kind of report can be handled within minutes.

If you send reports with lots of legal boilerplate, or reports with long lectures on why you expect an INSTANT TAKEDOWN, and send them to a busy abuse queue, there is no way - and zero reason - for the ISP people to prioritize your complaint above all the other complaints coming in.
Unfortunately, most abuse requests/inquiries fall into a black-hole, or bounce.
Not you, but several companies that do this as a business model need to learn how to do this properly. Some of them are spectacularly incompetent at what they do too.
Me, I have pretty much given up on any domain-related avenues, since they generally end up in disappointment, and found more successes in going directly to the owners of the IP allocation, and upstream ISP, a regional/national CERT/CSIRT, or law enforcement.
Yeah? And by the time your request filters right back down to where it actually belongs.. guess what, it takes much longer than 72 hours.
Now, this has no bearing on the original subject (which I have now forgotten what it is -- oh yeah, something about Yahoo! mail), but it should be additional proof that the Bad Guys know how to manipulate the system, the system is broken, and the Bad Guys are now making much more money than we are. :-)
And proof that various good guys don't know how to cooperate, and various other "good guys" are in the business only to score points off other providers to make themselves look good. http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphi... for example.. I think Brian Krebs - given what I know of his usual high standards - would certainly have regretted publishing PR and marketing generated, highly debatable, "statistics" like the ones referenced in that article.

--srs
On Tue, Apr 15, 2008 at 10:56:02AM +0530, Suresh Ramasubramanian wrote:
On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson <fergdawg@netzero.net> wrote:
As I mentioned in my presentation at NANOG 42 in San Jose, the biggest barrier we face in shrinking the "time-to-exploit" window with regards to contacting people responsible for assisting in mitigating malicious issues is finding someone to actually respond.
Fergie.. you (and various others in the "send emails, expect takedowns" biz) - phish, IPR violations, whatever.. you're missing a huge, obvious point
If you send manual notifications (aka email to a crowded abuse queue) expect 24 - 72 hours response
If you have high enough numbers of the stuff to report, do what large ISPs do among themselves, set up and offer an ARF'd / IODEF feedback loop or some other automated way to send complaints, that is machine parseable, and that's sent - by prior agreement - to a specific address where the ISP can process it, and quite probably prioritize it above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email.
That kind of report can be handled within minutes.
Is there an equivalent mechanism for those of us at the fringes of the galaxy to report problems? What is probably needed for little folks like me is not instant response but rather an address and formatting specs so that the information is of maximum usefulness to you and we don't get auto-naks. After all, I can probably generate a few reports a week, but not hundreds per day.

--
-=[L]=-
This work was funded by The Corporation for Public Bad Art despite their protestations.
On Tue, 2008-04-15 at 10:56 +0530, Suresh Ramasubramanian wrote:
If you have high enough numbers of the stuff to report, do what large ISPs do among themselves, set up and offer an ARF'd / IODEF feedback loop or some other automated way to send complaints, that is machine parseable, and that's sent - by prior agreement - to a specific address where the ISP can process it, and quite probably prioritize it above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email.
So how do the little guys play in this sandbox? My log files and spam reports are just as legit as the super-secret-handshake club guys are, and I'd like to get some respect. After all, I may be the first one to report it.

Please keep a few things in mind though:

- It needs to be simple to use. Web forms are a non-starter.
- The output from any parsers needs to be human readable. There are too many auto-whatsit formatters for us to sit down and code to every one.
- I'd like to see an actual response beyond an autoreply saying that you can't tell me who the customer is or what actions were taken.
- I like dealing with other small operations and edus because humans actually do read the reports, and things get done (Thanks!).

I've given up sending abuse reports to large consumer ISPs and all freemail providers because I'm not a member of the club. Any response that I'm lucky enough to get generally says something like "You did not include the email headers in your complaint so we are closing this incident" when I reported an FTP brute force.

--Chris
So how do the little guys play in this sandbox?
3rd-party aggregation. Where do RBLs get their data? They act as a 3rd party to aggregate data from many others.
- It needs to be simple to use. Web forms are a non-starter.
If you have the ability to accept reports via an HTTP REST application, it wouldn't hurt to put up a web form so that people can try it out.
- The output from any parsers needs to be human readable.
ARF is the only thing that meets this requirement: http://mipassoc.org/arf/ However, you should consider accepting input as IODEF as well. Just use ARF for the output that you submit to the abuse desks.
- I'd like to see an actual response beyond an autoreply saying that you can't tell me who the customer is or what actions were taken.
Now you are asking the abuse desks to modify their software and processes to meet your needs. I can't see them ever providing a response per report, however if enough people buy into a standard reporting system, like ARF, then you might get ISPs to accept some kind of report-origin code and then allow you to periodically request resolution reports for all reports coming from that report-origin.
- I like dealing with other small operations and edus because humans actually do read the reports, and things get done (Thanks!).
If people had succeeded in cleaning up the abuse problems in 1995 when the human touch was still feasible, we would not have the situation that we have today. Automation is the only way to address the flood of abuse email, the huge number of people originating abuse, and the agile tactics of the abusers.

You just have to accept that people will not read your reports, and will not act on your reports. What they will do is feed your reports into automated systems that use AI techniques to define tasks for the abuse desk to act upon.

Consider this. Any single point source of abuse, say a single broadband PC in a botnet, will spew out spam or DDOS to hundreds of destinations. If 20 of these destinations submit ARF reports, and you are one of these 20, then there is a 5% chance that your report has anything worth acting upon. 95% of the time, you will be reporting something that the abuse desk has already acted upon and it would be a waste of abuse desk resources to read and reply to your report. On the other hand, it can be very useful for the automated system to process your report for statistical purposes and to provide a better understanding of how that particular botnet functions.
I've given up sending abuse reports to large consumer ISPs and all freemail providers because I'm not a member of the club. Any response that I'm lucky enough to get generally says something like "You did not include the email headers in your complaint so we are closing this incident" when I reported an FTP brute force.
This is why we need *MORE* automation between providers. Then there is less room for human error in wading through a mass of reports trying to pick out the ones which can be fixed.

--Michael Dillon
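The ARF feedback-loop format Suresh and Michael Dillon refer to above, and the "you did not include the email headers" auto-reject Chris Boyd describes, as an added worked example that is not code from any poster or from the ARF draft itself: a Python script that wraps a constructed sample spam in an ARF report, validates an incoming report the way an automated feedback-loop intake would (rejecting one that carries no copy of the offending message, which is a policy choice of this example matching what the abuse desks in the thread demand), and collapses many reports about one source IP into a single count, which is Dillon's aggregation argument. It assumes the field names of RFC 5965, the later standardised form of the mipassoc.org ARF draft; the reporter name, addresses, IPs and messages are all constructed.

```python
# Added example, not any poster's code: build, validate and aggregate ARF
# abuse reports. Field names follow RFC 5965 (the standardised form of the
# mipassoc.org ARF draft); all addresses, IPs and messages are constructed.
from collections import Counter
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed sample: a spam as it arrived at the reporting site's MX.
SAMPLE_SPAM = (
    "Received: from mail.example.net (198.51.100.23) by mx.reporter.example\n"
    "From: sender@example.net\n"
    "To: victim@reporter.example\n"
    "Subject: cheap pills\n"
    "Message-ID: <123@example.net>\n"
    "\n"
    "buy now\n"
)


def build_arf_report(original, source_ip, reporter, include_original=True):
    """Wrap an offending message in a multipart/report and return it as text."""
    orig = message_from_string(original)
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["Subject"] = "FW: " + (orig["Subject"] or "")
    # Part 1: human-readable summary, so a desk without a parser can still act.
    report.attach(MIMEText(
        f"This is an email abuse report for a message from {source_ip}.\n"
        "The attached message was received by our MX and reported as spam.\n"))
    # Part 2: machine-readable fields that an automated feedback loop keys on.
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload(
        "Feedback-Type: abuse\n"
        "User-Agent: ExampleReporter/0.1\n"  # hypothetical reporter name
        "Version: 1\n"
        f"Original-Mail-From: {orig['From']}\n"
        f"Source-IP: {source_ip}\n"
        f"Reported-Domain: {orig['From'].split('@')[-1]}\n"
        "Arrival-Date: Tue, 15 Apr 2008 10:16:00 -0700\n\n")
    report.attach(fields)
    # Part 3: the offending message itself; leaving it out is what gets a
    # report closed with "you did not include the email headers".
    if include_original:
        report.attach(MIMEMessage(orig))
    return report.as_string()


def parse_arf_report(raw):
    """Validate an ARF report; raise ValueError for anything an automated
    intake would reject, else return the fields a ticketing system keys on."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not a multipart/report of type feedback-report")
    parts = msg.get_payload()
    if len(parts) < 2 or parts[1].get_content_type() != "message/feedback-report":
        raise ValueError("second part must be message/feedback-report")
    # The stdlib parser treats message/* parts as nested messages, so the
    # ARF fields come back as headers of that nested message.
    fb = (parts[1].get_payload(0) if parts[1].is_multipart()
          else message_from_string(parts[1].get_payload()))
    for name in ("Feedback-Type", "User-Agent", "Version"):
        if fb[name] is None:
            raise ValueError(f"missing required field {name}")
    if len(parts) < 3:
        raise ValueError("report carries no copy of the offending message")
    third = parts[2]
    if third.get_content_type() == "message/rfc822":
        evidence = third.get_payload(0)
    elif third.get_content_type() == "text/rfc822-headers":
        evidence = message_from_string(third.get_payload())
    else:
        raise ValueError("third part must be message/rfc822 or text/rfc822-headers")
    received = evidence.get_all("Received") or []
    if not received:
        raise ValueError("offending message carries no Received headers")
    return {
        "reporter": msg["From"],
        "feedback_type": fb["Feedback-Type"],
        "source_ip": fb["Source-IP"],
        "reported_domain": fb["Reported-Domain"],
        "message_id": evidence["Message-ID"],
        "received_hops": len(received),
    }


def aggregate_by_source(raw_reports):
    """Aggregator view: one counter per Source-IP instead of one ticket per report."""
    counts = Counter()
    for raw in raw_reports:
        counts[parse_arf_report(raw)["source_ip"]] += 1
    return counts


if __name__ == "__main__":
    reports = [build_arf_report(SAMPLE_SPAM, "198.51.100.23", f"abuse@site{i}.example") for i in range(3)]
    print(parse_arf_report(reports[0]))
    print(aggregate_by_source(reports))
```

The first part stays plain text so the report remains readable by a human at a small shop, which is Chris Boyd's requirement; the second part is what a large provider's intake keys on; the third is the evidence that gets a report closed when it is missing. Feeding several sites' reports about the same source into aggregate_by_source shows why the desk answers none of them individually: they collapse to one work item per source IP.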
On Wed, Apr 16, 2008 at 11:07:42AM +0100, michael.dillon@bt.com wrote:
If people had succeeded in cleaning up the abuse problems in 1995 when the human touch was still feasible, we would not have the situation that we have today. Automation is the only way to address the flood of abuse email, the huge number of people originating abuse, and the agile tactics of the abusers.
I agree with this and with pretty much everything else you wrote. But...

If an operation is permitting itself to be such a systemic, persistent source of abuse that the number of abuse reports it's receiving (which everyone knows is a tiny fraction of the number it *could* be receiving) requires automation... isn't that a pretty good sign that whatever's being done to control abuse isn't working?

The solution to that isn't to put in place higher levels of automation: the solution to that is to *solve the underlying problems* so that higher levels of automation aren't necessary.

---Rsk
So who's the third-party for the little guy that aggregates abuse reports? I know we consume Spamcop reports which works very well for us. I'm not sure who feeds them data. Ideally I would like to be able to submit data to them in an automated fashion, but the spam appliance I have doesn't have that checkbox.

If the abuse desk has already acted upon it, why not have the automated system let me know?

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of michael.dillon@bt.com
Sent: Wednesday, April 16, 2008 5:08 AM
To: nanog@merit.edu
Subject: RE: Abuse response [Was: RE: Yahoo Mail Update]
So how do the little guys play in this sandbox?
3rd-party aggregation. Where do RBLs get their data? They act as a 3rd party to aggregate data from many others.

<snip>

Consider this. Any single point source of abuse, say a single broadband PC in a botnet, will spew out spam or DDOS to hundreds of destinations. If 20 of these destinations submit ARF reports, and you are one of these 20, then there is a 5% chance that your report has anything worth acting upon. 95% of the time, you will be reporting something that the abuse desk has already acted upon and it would be a waste of abuse desk resources to read and reply to your report. On the other hand, it can be very useful for the automated system to process your report for statistical purposes and to provide a better understanding of how that particular botnet functions.

<snip>

--Michael Dillon
On Wed, 16 Apr 2008 00:38:33 CDT, Chris Boyd said:
- I'd like to see an actual response beyond an autoreply saying that you can't tell me who the customer is or what actions were taken.
Well, let's see. If you're reporting abuse coming from my AS, it's almost certainly one of 2 things:

1) Some poor soul got zombied in a drive-by fruiting and was part of a botnet. At this point, it doesn't really matter *who* the customer was, because he was essentially a Joe Sixpack. Action taken is almost certainly some variant on "he's been told to disinfect the machine before getting back on the net". So it's unclear what, if anything, you want us to do, except possibly send you a canned "We found the machine and dealt with it" after the fact.

2) Somebody decided to intentionally do something naughty. At that point, it's a very good likelihood that we *can't* tell you who it was, because there may be some combination of litigation and prosecution (and in our case, most likely some internal judicial action) so there's a whole swarm of privacy laws and "we don't comment on ongoing investigations/litigations" policy. And since these things can drag on for weeks or months, there may not be any final resolution for quite some time, so all you'll get back is a "We found the problem and it will eventually be disposed of"...

Basically, 99.8% of the time, no response other than "We found it and dealt with it" is actually suitable, and the other 0.2% of the time, you're about to get dragged into an ongoing investigation, so expect a "Hold Evidence" order on your fax in a few minutes.. ;)

So what sort of response did you actually *want*?
participants (8): Chris Boyd, Frank Bulk, Lou Katz, michael.dillon@bt.com, Paul Ferguson, Rich Kulawiec, Suresh Ramasubramanian, Valdis.Kletnieks@vt.edu