Hello,

After a weekend of heavy spam last month, we decided to fire some reports over to the abuse contacts for each relevant IP or domain - some US/Europe based, others from more "obscure" locations.

We've not had a reply from any of the reports sent over, other than some automated bounces. Each report from us contained detailed information about IP, date, headers, spam content, relevant ranges etc ...

How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?

Apologies in advance if this has been around before - I'm new here. (:

Gav
Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
http://www.rfc-ignorant.org/tools/submit_form.php?table=abuse
On Dec 7, 2010, at 10:39 AM, Gavin Pearce wrote:
After a weekend of heavy spam last month, we decided to fire some reports over to the abuse contacts for each relevant IP or domain - some US/Europe based, others from more "obscure" locations.
We've not had a reply from any of the reports sent over, other than some automated bounces. Each report from us contained detailed information about IP, date, headers, spam content, relevant ranges etc ...
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
I answer ours, and I've sent a few abuse complaints (sometimes in error...) I haven't kept count, but I'd say I get an answer at least 50% of the time.
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
I answer ours, and I've sent a few abuse complaints (sometimes in error...) I haven't kept count, but I'd say I get an answer at least 50% of the time.
My support team and I always answer ours. The only mail auto deleted is when the person contacting us actually tried to send us a copy of the virus they received. Damn they got all pissed when the mail was auto dropped. Wayne
On 2010/12/07 11:39 AM, Gavin Pearce wrote:
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
I answer our abuse@ address and file reports daily. I get automated responses from the free providers, but have little faith they care enough to fix the problem. RIPE regions seem to process reports with an attitude that they care, while LACNIC, AFRINIC, and Asian providers seem to ignore all reports if you can even find a working abuse@ contact. Smaller providers in the ARIN region also seem to do a good job. -- /Jason
On Tue, Dec 07, 2010 at 04:39:54PM -0000, Gavin Pearce wrote:
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
Inbound: wherever I am, I try to make it a point of emphasis that incoming mail to abuse very likely represent someone trying to help us by doing the job that we failed to do, and as such, it deserves very high priority, and -- if correct -- our gratitude.

Outbound: mixed. I've had excellent response from academic institutions (most recently Indiana University) and from some commercial operations (e.g., mail.com). I've had responses somewhere between "non-existent", "miserable", and "random" from major freemail providers.

---rsk
On Tue, Dec 07, 2010 at 04:39:54PM -0000, Gavin Pearce wrote:
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
Inbound: wherever I am, I try to make it a point of emphasis that incoming mail to abuse very likely represent someone trying to help us by doing the job that we failed to do, and as such, it deserves very high priority, and -- if correct -- our gratitude.
Outbound: mixed. I've had excellent response from academic institutions (most recently Indiana University) and from some commercial operations (e.g., mail.com). I've had responses somewhere between "non-existent", "miserable", and "random" from major freemail providers.
Having watched this issue for years, I'll say that there's a large body of good abuse desks you'll never need to talk to, because the very qualities that cause a network to host a responsive abuse desk are in many cases the same things that drive engineering and other processes that minimize the chances for abuse in the first place. For the best networks, the abuse desk exists entirely as a fire alarm, never meant to receive any volume of meaningful complaints, because there should be no abusive traffic originating. This includes many corporate networks.

Middle ground are many schools, where policy is to run a clean network, but practical realities of students and faculty result in some problems. They truly appreciate abuse reports, because so few people bother to send them in this era, and doing so helps make the Internet a nicer place to be. On the other hand, other schools have clearly given the issue no thought, or don't wish to deal with the problems...

Commercial service providers are more of a mixed bag. Many are very clueful and want to run a clean network. Others look at the abuse desk as a money-losing black hole that serves mainly to cause customer churn. Cheap webhosts and the like are typically under pressure to keep costs low. You may end up with an abuse desk that overreacts, or that doesn't care until the volume of complaints becomes deafening.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Tue, Dec 7, 2010 at 11:39 AM, Gavin Pearce <Gavin.Pearce@3seven9.com> wrote:
Hello,
After a weekend of heavy spam last month, we decided to fire some reports over to the abuse contacts for each relevant IP or domain - some US/Europe based, others from more "obscure" locations.
We've not had a reply from any of the reports sent over, other than some automated bounces. Each report from us contained detailed information about IP, date, headers, spam content, relevant ranges etc ...
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
lack of reply to abuse@ does not mean the box is unmonitored... just that they don't feel it's helpful to reply to inbound mail with .. more mail, especially when much of the inbound mail is automated.
Apologies in advance if this has been around before - I'm new here. (:
sure. -chris
From: Gavin Pearce <Gavin.Pearce@3seven9.com>
How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?
We monitor our abuse queues, but when the email is just a stock standard incident (eg: spam or phishing) we don't actually reply to the emails unless more information is required.

As mentioned previously, a lot of the traffic in abuse queues is automated and you might have anywhere up to 100 emails for a single incident. In these cases, we merge the messages into one ticket, handle the case and close it off.

The nature of our business (hosting) means that we do get a decent amount of abuse traffic - ranging from compromised out of date CMSs used to send spam or host phishing sites right through to fraudulent accounts again used to send spam.

Rather than hire additional staff to respond to each abuse email individually we prefer to invest in systems to stop the abuse in the first place. For example, all outbound email from our shared hosting network is checked for spam/viruses and any unusual traffic (such as a spike from a customer who typically only sends a few messages a day) is flagged.

-Shaun
On Wed, Dec 8, 2010 at 3:30 AM, Shaun Ewing <s.ewing@aussiehq.com.au> wrote:
As mentioned previously, a lot of the traffic in abuse queues is automated and you might have anywhere up to 100 emails for a single incident. In these cases, we merge the messages into one ticket, handle the case and close it off.
Speaking as someone who's been running abuse desks since the mid 90s [still late to the party compared to other posters in this thread like say, Joe Greco, but what the heck, hi joe, hope you agree]

Add to it the fact that you get far less "actual email" coming into abuse desks these days. Far more email that's scripted / at least semi automated by smaller trap operators / some small ISPs / spamcop.net ARF'd feedback loops from the large providers (which are mutually provided to each other - each large provider offers one, and subscribes to those provided by other SPs) are usually sent to a separate address and auto processed.

--
Suresh Ramasubramanian (ops.lists@gmail.com)
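The two practices described in the messages above, merging many automated reports about one incident into a single ticket and auto-processing ARF feedback-loop mail, can be sketched as follows. This is an added example, not code from any poster in the thread. It assumes reports follow RFC 5965 (ARF) and that a ticket is keyed on (Source-IP, Feedback-Type); all addresses, hostnames and sample mails are constructed.

```python
import email
from collections import defaultdict

def make_arf(source_ip, feedback_type, n):
    """Build a constructed ARF (RFC 5965) report; all values are sample data."""
    return (
        f"From: fbl@reporter{n}.example\nTo: abuse@hosting.example\n"
        "Subject: FW: complaint\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=feedback-report; boundary="arf"\n\n'
        "--arf\nContent-Type: text/plain\n\nThis is an email abuse report.\n"
        "--arf\nContent-Type: message/feedback-report\n\n"
        f"Feedback-Type: {feedback_type}\nUser-Agent: ConstructedFBL/1.0\n"
        f"Version: 1\nSource-IP: {source_ip}\n\n"
        "--arf\nContent-Type: message/rfc822\n\n"
        "Subject: constructed sample\n\nbody\n--arf--\n"
    )

HUMAN_MAIL = "From: admin@reporter.example\nSubject: spam from your network\n\nHeaders below.\n"

def parse_arf(raw):
    """Return (source_ip, feedback_type), or None when the mail is not usable ARF."""
    msg = email.message_from_string(raw)
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "feedback-report":
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            body = part.get_payload()
            # The stdlib parser exposes message/* bodies as a nested Message.
            fields = body[0] if isinstance(body, list) else email.message_from_string(body)
            ip, kind = fields["Source-IP"], fields["Feedback-Type"]
            if ip and kind:
                return ip.strip(), kind.strip().lower()
    return None  # malformed report: leave it for a human

def triage(raw_mails):
    """Merge ARF reports per (Source-IP, Feedback-Type); queue the rest for manual review."""
    tickets, manual = defaultdict(list), []
    for raw in raw_mails:
        key = parse_arf(raw)
        (tickets[key] if key else manual).append(raw)
    return dict(tickets), manual

# Constructed queue: 100 reports on one sender, one unrelated report, one hand-written mail.
SAMPLE = [make_arf("192.0.2.10", "abuse", n) for n in range(100)]
SAMPLE += [make_arf("198.51.100.7", "fraud", 0), HUMAN_MAIL]

if __name__ == "__main__":
    tickets, manual = triage(SAMPLE)
    print({k: len(v) for k, v in tickets.items()}, "manual:", len(manual))
```

Free-form mail written by a person never matches the ARF check, so it lands in the manual queue instead of being silently merged or dropped.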
participants (10)
- Christopher Morrow
- Daniel Seagraves
- Gavin Pearce
- Jason Bertoch
- Joe Greco
- Rich Kulawiec
- Shaun Ewing
- Simon Waters
- Suresh Ramasubramanian
- Wayne Lee