Constant Abuse Reports / Borderline Spamming from RiskIQ
From the past few months we have been receiving a constant stream of abuse reports from a company that calls themselves RiskIQ (RiskIQ.com). The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing, TECH-POCs and almost every other email address of ours that is available publicly. It doesn’t end there, they even go online on our website and start using our support live chat and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same. We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated. Does anyone have a similar experience with them?
RiskIQ is a known good player. If there’s a stream of abuse reports maybe removing whatever customer it is might be a good idea? I am not sure why they are sending out mail to every contact they can find though. Are abuse tickets resolved in a timely manner? From: NANOG <nanog-bounces@nanog.org> Date: Monday, 13 April 2020 at 7:57 PM To: NANOG list <nanog@nanog.org> Subject: Constant Abuse Reports / Borderline Spamming from RiskIQ
From the past few months we have been receiving a constant stream of abuse reports from a company that calls themselves RiskIQ (RiskIQ.com).
The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing, TECH-POCs and almost every other email address of ours that is available publicly. It doesn’t end there, they even go online on our website and start using our support live chat and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same. We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated. Does anyone have a similar experience with them?
On 2020-04-13 17:25, Kushal R. wrote:
From the past few months we have been receiving a constant stream of abuse reports from a company that calls themselves RiskIQ (RiskIQ.com).
The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing, TECH-POCs and almost every other email address of ours that is available publicly. It doesn’t end there, they even go online on our website and start using our support live chat and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same.
We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.
Does anyone have a similar experience with them?
If the problem of abuse is legit and arises with enviable constancy, maybe it is time to take fundamental measures to combat abuse? I had to block port 25 by default on some operators and create a self-care web page for removing it, with the requirement to read a legal agreement where the consequences are stated if the client starts spamming. For those who are bruteforcing other people's servers / credentials, a soft-throttling ACL had to be implemented. And as they wrote earlier, it’s better to kick out exceptionally bad customers than to destroy your reputation.
Speaking of spam, I just sent a message in and got auto responses from:

chad@rankleads.com
kundservice@axofinans.se

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Apr 13, 2020 at 10:53 AM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
On 2020-04-13 17:25, Kushal R. wrote:
From the past few months we have been receiving a constant stream of abuse reports from a company that calls themselves RiskIQ (RiskIQ.com).
The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing, TECH-POCs and almost every other email address of ours that is available publicly. It doesn’t end there, they even go online on our website and start using our support live chat and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same.
We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.
Does anyone have a similar experience with them?
If the problem of abuse is legit and arises with enviable constancy, maybe it is time to take fundamental measures to combat abuse? I had to block port 25 by default on some operators and create a self-care web page for removing it, with the requirement to read a legal agreement where the consequences are stated if the client starts spamming. For those who are bruteforcing other people's servers / credentials, a soft-throttling ACL had to be implemented. And as they wrote earlier, it’s better to kick out exceptionally bad customers than to destroy your reputation.
On Mon, Apr 13, 2020 at 7:25 AM Kushal R. <kushal.r@h4g.co> wrote:
The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report on our sales, billing, TECH-POCs and almost every other email address of ours that is available publicly. It doesn’t end there, they even go online on our website and start using our support live chat and as recently as tomorrow I see that they have now started using Twitter (@riskiq_irt) to do the same.
Hi Kushal,

It seems like they've escalated to "name and shame." I notice that the site they complained about on their Twitter feed on April 6 is still alive on your infrastructure at 103.83.192.6 right now. Perhaps your abuse management practices could be improved.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.
Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats. We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse either.
On Apr 13, 2020 at 9:37 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
I would agree that Twitter is not a primary place for abuse reporting. If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse reporting? On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r@h4g.co> wrote:
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.
We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse either.
On Apr 13, 2020 at 9:37 PM, Rich Kulawiec <rsk@gsp.org> wrote:
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the complaint only after two business days, that’s closing the barn door after the horse has bolted and crossed a state line.

--srs
I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?
On Apr 13, 2020, at 11:50, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
RiskIQ reports phish URLs for large brands
The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the complaint only after two business days, that’s closing the barn door after the horse has bolted and crossed a state line.
--srs From: NANOG <nanog-bounces@nanog.org> on behalf of Tom Beecher <beecher@beecher.cc> Sent: Tuesday, April 14, 2020 12:11:18 AM To: Kushal R. <kushal.r@h4g.co> Cc: Nanog <nanog@nanog.org>; Rich Kulawiec <rsk@gsp.org> Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
I would agree that Twitter is not a primary place for abuse reporting.
If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse reporting?
On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r@h4g.co> wrote: All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.
We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse either.
On Apr 13, 2020 at 9:37 PM, Rich Kulawiec wrote:
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
Handle it in a reasonable amount of time, and please prioritize phishing somewhere after the usual threat to life / child abuse type cases (which are, fortunately, comparatively rare). Phishes put people at risk of losing their life savings, and especially with covid already threatening to make that happen, that’s something we must all work to prevent. There are providers that are good at handling abuse and responding as well (if only with boilerplate text and an automated ticket closure email, that’s fine.. as long as the threat is addressed I wouldn’t even need a reply) while there are others that have substantial abuse automation but are slow to respond at times, while others have no significant abuse prevention AND are slow to respond. If, for whatever reason, the abuse load on a network goes out of control then the network does get pressured by escalation in one form or the other. Corporate contacts in this individual’s case, could be reports to various upstreams in some other case.

--srs
On Mon, Apr 13, 2020 at 12:11:44PM -0700, Matt Corallo via NANOG wrote:
I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?
No, you don't have to stop hosting anything/everything. But there are all kinds of things that can be done to detect problematic customers before you sign them up and once they're in place. None of those things are panaceas but all of them done in combination (a) reduce the chances that you'll have a mess to clean up later and (b) enhance one's reputation as a place NOT to go for dubious activities, which in turn discourages future miscreants from trying to get in the door. ---rsk
On Wed, Apr 15, 2020 at 8:52 AM Rich Kulawiec <rsk@gsp.org> wrote:
there are all kinds of things that can be done to detect problematic customers before you sign them up and once they're in place.
Hey Rich, Can you give some examples of the things you mention above? I'm not doing much in terms of customer filtering and would be interested to hear what others consider best practice. -Ross
The first warning sign would be where they discuss your AUP and exceptions / corner cases to it

--srs
On 4/15/20 11:33 PM, Ross Tajvar wrote:
Can you give some examples of the things you mention above? I'm not doing much in terms of customer filtering and would be interested to hear what others consider best practice.
My experience is that there's two groups of customers that are problematic from an abuse standpoint:

* Those who intend to abuse your network
* Those who enable others to abuse your network

The former are of course a little easier to detect up front and much, much easier to give the axe when they do commit AUP violations. It looks like others have already given some hints as to how to detect these kinds of folks up-front. I'd also recommend looking for references for any new customer who wants a very large amount of resources, explicitly wants to send email, is bringing their own IP space (especially if they are leasing it), etc.

The latter are far more problematic for legitimate operations. I don't really run "hosting" providers as I'm mostly in the business of mid- and last-mile networks, but I always try to ask anyone who's either buying a plan that explicitly permits "hosting" or who is asking for personal-use exemptions to anti-hosting provisions in the AUP (which I do permit) what their intent is. I don't really care so much what they're doing as long as they know what they're doing and that I get a vibe from them that they are competent. "I want to host my wordpress blog" is an instant red flag since compromised wordpress instances are one of the biggest sources of snowshoe hosting in my experience.

--
Brandon Martin
At a previous employer much earlier in my career, we inherited some simple webhosting from a company acquisition. In one of the early meetings we had about integrating it, someone from our support team asked some questions about the abuse report procedures, etc. Our owner came straight out and said "Just make sure we handle anything that could create legal problems, the rest I don't really care what you do." I would suspect that's not an uncommon attitude in that industry. On Thu, Apr 16, 2020 at 2:15 AM Brandon Martin <lists.nanog@monmotha.net> wrote:
On 4/15/20 11:33 PM, Ross Tajvar wrote:
Can you give some examples of the things you mention above? I'm not doing much in terms of customer filtering and would be interested to hear what others consider best practice.
My experience is that there's two groups of customers that are problematic from an abuse standpoint:
* Those who intend to abuse your network
* Those who enable others to abuse your network
The former are of course a little easier to detect up front and much, much easier to give the axe when they do commit AUP violations. It looks like others have already given some hints as to how to detect these kinds of folks up-front. I'd also recommend looking for references for any new customer who wants a very large amount of resources, explicitly wants to send email, is bringing their own IP space (especially if they are leasing it), etc.
The latter are far more problematic for legitimate operations. I don't really run "hosting" providers as I'm mostly in the business of mid- and last-mile networks, but I always try to ask anyone who's either buying a plan that explicitly permits "hosting" or who is asking for personal-use exemptions to anti-hosting provisions in the AUP (which I do permit) what their intent is. I don't really care so much what they're doing as long as they know what they're doing and that I get a vibe from them that they are competent. "I want to host my wordpress blog" is an instant red flag since compromised wordpress instances are one of the biggest sources of snowshoe hosting in my experience. -- Brandon Martin
On Wed, Apr 15, 2020 at 11:33:58PM -0400, Ross Tajvar wrote:
Can you give some examples of the things you mention above? I'm not doing much in terms of customer filtering and would be interested to hear what others consider best practice.
Sure. These are just examples and are by no means exhaustive. Also, some will work better than others depending on who you are, what services you offer, where you are, etc. There's no substitute for human judgment seasoned with experience.

1. Let's start with a timely one. Whenever there's a national or global crisis, scammers begin registering domains to exploit it. For instance:

Thousands of COVID-19 scam and malware sites are being created on a daily basis
https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-a...

[I'll omit the long rant about why ICANN is responsible for this and should be ashamed of what they've not only allowed, but encouraged.]

That story contains a link to a repository where somebody is tracking these. I pulled that list a month ago and there were 7500 entries. Now there are over 25,000. (Caveat for anybody doing the same: note carefully the methodology. There are legitimate domains/subdomains/hosts in there, although they're rapidly being swamped by the bogus ones. So don't just blindly use the data: filter out the 1-2% of legitimate entries.)

So, if it's April 2020, and a customer comes to you and wants to set up web service for a domain or fifty that have "covid", "corona", "virus", etc., in their names: they're probably up to something.

2. There are longstanding versions of (1) as well. Domains with strings in them like "bulk", "seo", "credit", etc., or domains with variations on the names of financial institutions, or domains which are typos of well-known domains, etc., are all suspect. *That doesn't mean they're all bogus.* It just means that a human being should give them closer scrutiny before the process goes forward.

3. Look at the diversity of their domains. This sort of is a rehash of what I said in (2), but: if all their domains are about one or two topics, yeah, it's probably someone with a business and a hobby or something like that. But if they have domains that suggest they're running 17 different businesses, then look closer.

4. Look at where they've been, that is, where they were hosted previously, by checking their DNS history. If they've hopped through four different hosts in the last seven months, something is going on. (Note: a few months ago a bunch of cheap VPS services all simultaneously ceased operations. If they were on one of those, then they may have just been caught up in the mess, so don't count that against them.)

5. Check Spamhaus.

6. Find out how many domains they have. People doing legitimate things may have 5 or 17 or something like that. People who have 5,000 are up to something. (Note: I've been doing research in this area for many years. I know of zero instances where registrants with thousands of domains were doing something legitimate. There may still be a counterexample out there, but I haven't seen it yet.)

7. MLM (multi-level marketing) is a red flag. So is Bitcoin et al.

8. A business putatively located in Iowa but with contact email addresses @163.com or @yandex.com is dubious. Same for other incongruous information: it might really be okay, or it might be a hint that they're up to something.

Most of these are just indicators: they're not definitive. And there are counterexamples all over the place. Plus, this list isn't exhaustive: like I said they're just examples. That's why I said at the beginning that there's no substitute for human judgment seasoned with experience. That takes time and probably more than a few bad experiences. But it's worth it, because it's easier to solve problems before you have them.

---rsk
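An added example, not part of the message above or of any poster's tooling: a small pre-signup triage pass that turns indicators 1, 2, 6 and 8 from that list into flags for a human reviewer. The watch-list labels, the portfolio threshold, the `Applicant` fields and the sample applicants are all constructed assumptions.

```python
"""Pre-signup triage of an applicant's domains: flags for human review only."""
from dataclasses import dataclass

# Strings quoted in the message above (items 1 and 2).
CRISIS_STRINGS = ("covid", "corona", "virus")
LONGSTANDING_STRINGS = ("bulk", "seo", "credit")
# Assumption: constructed brand labels standing in for a real watch list.
WATCHED_LABELS = ("examplebank", "examplepay")
# Assumption: review cut-off; the message only contrasts "5 or 17" with "5,000".
PORTFOLIO_REVIEW_THRESHOLD = 1000
# Item 8: mail domains the message calls incongruous for a US-located business.
INCONGRUOUS_MAIL = {"US": ("163.com", "yandex.com")}


@dataclass
class Applicant:
    country: str          # where the business says it is located
    contact_email: str
    domains: list         # domains the applicant wants hosted
    portfolio_size: int   # total domains held, from the reviewer's own research


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_name(domain):
    """Return (name left of the TLD, second-level label). Naive: no public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], parts[0]
    return ".".join(parts[:-1]), parts[-2]


def screen(applicant):
    """Return (subject, indicator) pairs; an empty list means nothing tripped."""
    flags = []
    for domain in applicant.domains:
        name, label = split_name(domain)
        # Substring match is deliberately loose: it yields review flags, not verdicts.
        for s in CRISIS_STRINGS + LONGSTANDING_STRINGS:
            if s in name:
                flags.append((domain, f"contains '{s}'"))
        for watched in WATCHED_LABELS:
            # Distance 0 is the watched name itself; 1-2 edits is a likely typo variant.
            if 0 < edit_distance(label, watched) <= 2:
                flags.append((domain, f"near-miss of '{watched}'"))
    if applicant.portfolio_size >= PORTFOLIO_REVIEW_THRESHOLD:
        flags.append(("portfolio", f"{applicant.portfolio_size} domains held"))
    mail_domain = applicant.contact_email.rsplit("@", 1)[-1].lower()
    if mail_domain in INCONGRUOUS_MAIL.get(applicant.country, ()):
        flags.append(("contact", f"{mail_domain} vs stated country {applicant.country}"))
    return flags


# Constructed sample applicants (not real customers or real domains of interest).
SAMPLE_CLEAN = Applicant("US", "owner@smith-hardware.com",
                         ["smith-hardware.com", "smithfishing.net"], 2)
SAMPLE_SUSPECT = Applicant("US", "sales@163.com",
                           ["covid-relief-funds.com", "examplebamk.com",
                            "bulk-mailer-pro.net"], 5000)

if __name__ == "__main__":
    for applicant in (SAMPLE_CLEAN, SAMPLE_SUSPECT):
        print(applicant.contact_email)
        for subject, indicator in screen(applicant) or [("-", "no flags")]:
            print(f"  {subject}: {indicator}")
```

Every flag is an input to the human review the message calls for; a loose match such as "seo" will also hit unrelated names and is not grounds for automatic rejection.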
On Mon, 13 Apr 2020, Kushal R. wrote:
As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.
This is not an acceptable answer. -Dan
On Mon, Apr 13, 2020 at 10:45 AM Kushal R. <kushal.r@h4g.co> wrote:
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails
Hi Kushal,

I would venture a guess that's why they've escalated to calling you out on Twitter.

Don't shoot the messenger. However irritating they may be, if they reported a real problem (as it appears they did) it's strongly in your interest to fix it.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
On Mon, Apr 13, 2020 at 11:14:11PM +0530, Kushal R. wrote:
All abuse reports that we receive are dealt within 48 business hours.
At eight business hours per calendar day, and five business days per (typical) calendar week, 48 business hours is... a week and a bit, calendar wise. - Matt
We are a 24x7 operation.
On Apr 14, 2020 at 12:20 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
On Mon, Apr 13, 2020 at 11:14:11PM +0530, Kushal R. wrote:
> All abuse reports that we receive are dealt within 48 business hours.

At eight business hours per calendar day, and five business days per (typical) calendar week, 48 business hours is... a week and a bit, calendar wise.

- Matt
[Hideously mangled quoting fixed] On Tue, Apr 14, 2020 at 02:51:55PM +0530, Kushal R. wrote:
Matt Palmer wrote:
On Mon, Apr 13, 2020 at 11:14:11PM +0530, Kushal R. wrote:
All abuse reports that we receive are dealt within 48 business hours.
At eight business hours per calendar day, and five business days per (typical) calendar week, 48 business hours is... a week and a bit, calendar wise.
We are a 24x7 operation.
Then why not just say "within 48 hours", rather than the weaselish "48 business hours"? Makes it seem like you're trying to clever-word yourself an alibi.

- Matt
On Tue, Apr 14, 2020, 18:14 Matt Palmer <mpalmer@hezmatt.org> wrote:
[Hideously mangled quoting fixed]
On Tue, Apr 14, 2020 at 02:51:55PM +0530, Kushal R. wrote:
Matt Palmer wrote:
On Mon, Apr 13, 2020 at 11:14:11PM +0530, Kushal R. wrote:
All abuse reports that we receive are dealt within 48 business hours.
At eight business hours per calendar day, and five business days per (typical) calendar week, 48 business hours is... a week and a bit, calendar wise.
We are a 24x7 operation.
Then why not just say "within 48 hours", rather than the weaselish "48 business hours"? Makes it seem like you're trying to clever-word yourself an alibi.
- Matt
The Internet never sleeps. Every hour on the Internet *is* a business hour. (If you think otherwise, there's a good chance you're not running a global operation.) Matt
[ Copied to Jonathan @ RiskIQ because I don't believe he's subscribed. ]
On Mon, Apr 13, 2020 at 11:14:11PM +0530, Kushal R. wrote:
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.
There's a lot to unpack here, both for you and for RiskIQ. Let's start with you.
Your home page says that you host over 100,000 web sites. Your home page says that you have over 10,000 customers. Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
Given all that, why don't you have a 24-hour abuse desk that is empowered to act immediately on reports? Do you not understand that -- as Suresh has pointed out -- the lifetime of many abusive activities is measured in hours and that a 48-hour turnaround is far too slow to be effective?
Your "about" page says that you're a leading web hosting company. Alright then: *lead*. Show us that you're one of the best at this. Be one of the operations that we can point to and say "this is how it's supposed to be done". Because right now you're the opposite of that.
Also: don't use abuse.support@. Use abuse@, per RFC 2142. There is zero reason not to go along with the standard. If you want to alias it internally fine, but at least get this rudimentary thing right. *This is why we have standards*.
By the way: did you know that there are multiple COVID-19 scammers who have set up shop on your service in past few weeks? I'm very curious as to why a "leading web hosting company" would allow such a thing to happen, given that much of it's trivial to prevent.
And now: RiskIQ, it's your turn.
If an operation has exhibited the competence to read and implement RFC 2142, and thus has a working abuse@ address that goes to some combination of people and automation that deals with abuse reports, then that's the one you should be using. If it has a security@ address then that's appropriate for those kinds of events. And while there are obviously cases where it's appropriate to send to both, it's never appropriate to send this stuff to role accounts like sales@ or info@ or anything like that. So: knock it off.
What about operations that haven't done that? Okay, that's where you look up their registered contacts. There is of course no reason for addresses like abuse.support@ when abuse@ will do perfectly fine for everyone on this planet but if that's what has to be done, then (a) use it and (b) try to convince them to use abuse@ like competent people who have read RFC 2142 do. We'll all be happy if you succeed.
Sending reports repeatedly may make you feel better by venting your frustration, but it won't solve the problem. (Now, if new information arrives about a report you've already filed, then a supplemental message is appropriate.) Bombarding people either means you're (a) annoying people who were already doing something or (b) annoying people who were never going to do anything anyway. So knock that off too.
Bugging people in live support chats is probably equally pointless. So if you're doing that: stop. (Actually: given my experience over the past few decades "live support chats" are pretty much pointless, but that's a whole 'nother problem and if I have to deliver *that* rant, I'll need scotch before noon. So again, pressing on:)
As to naming-and-shaming on the web or Twitter or wherever: sure, if you want. But if you're going to do that then it's probably worth doing a bit more formally, a la Spamhaus, with a web page that has a unique URL and supporting evidence and an explanation and so on. (Do keep in mind that operations like Twitter are transient and thus not a good choice if you're trying to create a permanent record.)
---rsk
So I’m taking this thread for a total test-drive and we’re going down this random alley...
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
Is that really not a thing? I swear I’ve been hearing it as a term of art in the industry for 20 years. Google has 1.42m results for 24x7x365 - but 72mil for 24x7.
Should I change my website or what?
Thanks for indulging me :)
-Ben.
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 15, 2020, at 5:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
(Rich’s excellent critique deleted for brevity)
---rsk
No. 24x7x365 is fine. Sheesh. On Wed, Apr 15, 2020, 10:10 PM Ben Cannon <ben@6by7.net> wrote:
So I’m taking this thread for a total test-drive and we’re going down this random alley...
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
Is that really not a thing? I swear I’ve been hearing it as a term of art in the industry for 20 years. Google has 1.42m results for 24x7x365 - but 72mil for 24x7.
Should I change my website or what?
Thanks for indulging me :)
-Ben.
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 15, 2020, at 5:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
(Rich’s excellent critique deleted for brevity)
---rsk
24x7 is way more common, but does leave ambiguity as to holiday coverage. (there are some 24x7 businesses that close for holidays). 24x7x365 is on the rise as a way to specify that you’re open holidays too. End of the day, I’m not sure it matters which one you use. Likely any Google search for 24x7 would return the superset {24x7,24x7x365} while a search for 24x7x365 would return the subset {24x7x365}. IANASEOE, but I suspect that in terms of SEO and general search, you’re probably better off with 24x7x365. Owen
On Apr 16, 2020, at 01:25 , Mike Hale <eyeronic.design@gmail.com> wrote:
No. 24x7x365 is fine. Sheesh.
On Wed, Apr 15, 2020, 10:10 PM Ben Cannon <ben@6by7.net> wrote:
So I’m taking this thread for a total test-drive and we’re going down this random alley...
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
Is that really not a thing? I swear I’ve been hearing it as a term of art in the industry for 20 years. Google has 1.42m results for 24x7x365 - but 72mil for 24x7.
Should I change my website or what?
Thanks for indulging me :)
-Ben.
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 15, 2020, at 5:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
(Rich’s excellent critique deleted for brevity)
---rsk
Sorry I can't resist...
If you're going for accuracy, does 24x365 mean you close one day this year? Or should you actually be saying 24x365.25, or even more accurately 24x365.2425 (but still not exact).
Oh wait, we missed the leap seconds in there, which there isn't any real way to average out since they occur at semi-random intervals. So I don't know what we should adjust the 24 to...
I just look at 24x7x365 as shorthand for "24 hours a day, 7 days a week, 365 days a year", which is a common saying meaning always open. It isn't a mathematical formula. It doesn't have to be exact or make mathematical sense.
There are lots of things that if you think about too hard they don't make sense. The one this week I thought about was "hunger benefit". Does that mean we're raising money to increase hunger? One could go on and on trying to correct logical inconsistencies in our use of language. It's fun on occasion to point them out, but saying that something has to be corrected just because it doesn't make logical or mathematical sense just seems as silly as some of the phrases that we laugh about being logically inconsistent.
On Thu, Apr 16, 2020 at 2:35 AM Owen DeLong <owen@delong.com> wrote:
24x7 is way more common, but does leave ambiguity as to holiday coverage. (there are some 24x7 businesses that close for holidays).
24x7x365 is on the rise as a way to specify that you’re open holidays too.
End of the day, I’m not sure it matters which one you use.
Likely any Google search for 24x7 would return the superset {24x7,24x7x365} while a search for 24x7x365 would return the subset {24x7x365}.
IANASEOE, but I suspect that in terms of SEO and general search, you’re probably better off with 24x7x365.
Owen
On Apr 16, 2020, at 01:25 , Mike Hale <eyeronic.design@gmail.com> wrote:
No. 24x7x365 is fine. Sheesh.
On Wed, Apr 15, 2020, 10:10 PM Ben Cannon <ben@6by7.net> wrote:
So I’m taking this thread for a total test-drive and we’re going down this random alley...
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
Is that really not a thing? I swear I’ve been hearing it as a term of art in the industry for 20 years. Google has 1.42m results for 24x7x365 - but 72mil for 24x7.
Should I change my website or what?
Thanks for indulging me :)
-Ben.
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 15, 2020, at 5:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
(Rich’s excellent critique deleted for brevity)
---rsk
-- - Forrest
Honestly, sometimes I include the “Three-Hundred Sixty-Five and a Quarter” on conference calls.
Side note: What you describe is in-fact part of how languages change and evolve. (over time, sufficiently common incorrect use becomes. well. correct.)
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 16, 2020, at 3:07 AM, Forrest Christian (List Account) <lists@packetflux.com> wrote:
Sorry I can't resist...
If you're going for accuracy, does 24x365 mean you close one day this year? Or should you actually be saying 24x365.25, or even more accurately 24x365.2425 (but still not exact).
Oh wait, we missed the leap seconds in there, which there isn't any real way to average out since they occur at semi-random intervals. So I don't know what we should adjust the 24 to...
I just look at 24x7x365 as shorthand for "24 hours a day, 7 days a week, 365 days a year", which is a common saying meaning always open. It isn't a mathematical formula. It doesn't have to be exact or make mathematical sense.
There are lots of things that if you think about too hard they don't make sense. The one this week I thought about was "hunger benefit". Does that mean we're raising money to increase hunger? One could go on and on trying to correct logical inconsistencies in our use of language. It's fun on occasion to point them out, but saying that something has to be corrected just because it doesn't make logical or mathematical sense just seems as silly as some of the phrases that we laugh about being logically inconsistent.
On Thu, Apr 16, 2020 at 2:35 AM Owen DeLong <owen@delong.com> wrote:
24x7 is way more common, but does leave ambiguity as to holiday coverage. (there are some 24x7 businesses that close for holidays).
24x7x365 is on the rise as a way to specify that you’re open holidays too.
End of the day, I’m not sure it matters which one you use.
Likely any Google search for 24x7 would return the superset {24x7,24x7x365} while a search for 24x7x365 would return the subset {24x7x365}.
IANASEOE, but I suspect that in terms of SEO and general search, you’re probably better off with 24x7x365.
Owen
On Apr 16, 2020, at 01:25 , Mike Hale <eyeronic.design@gmail.com> wrote:
No. 24x7x365 is fine. Sheesh.
On Wed, Apr 15, 2020, 10:10 PM Ben Cannon <ben@6by7.net> wrote:
So I’m taking this thread for a total test-drive and we’re going down this random alley...
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
Is that really not a thing? I swear I’ve been hearing it as a term of art in the industry for 20 years. Google has 1.42m results for 24x7x365 - but 72mil for 24x7.
Should I change my website or what?
Thanks for indulging me :)
-Ben.
-Ben Cannon CEO 6x7 Networks & 6x7 Telecom, LLC ben@6by7.net
On Apr 15, 2020, at 5:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
Your home page says that you have 24x7x365 support.
(Which is wrong, by the way. It's either 24x7 or 24x365 or maybe 24x7x52 depending on what you're trying to express. There is no such thing as 24x7x365. But let's press on:)
(Rich’s excellent critique deleted for brevity)
---rsk
-- - Forrest
On 4/16/20 4:48 PM, Ben Cannon wrote:
Side note: What you describe is in-fact part of how languages change and evolve. (over time, sufficiently common incorrect use becomes. well. correct.)
Top posting will never be correct, even if the entire world does it. :-) -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
What? On Thu, Apr 16, 2020 at 2:48 PM Bryan Fields <Bryan@bryanfields.net> wrote:
On 4/16/20 4:48 PM, Ben Cannon wrote:
Side note: What you describe is in-fact part of how languages change and evolve. (over time, sufficiently common incorrect use becomes. well. correct.)
Top posting will never be correct, even if the entire world does it.
:-) -- Bryan Fields
727-409-1194 - Voice http://bryanfields.net
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
On Thu, Apr 16, 2020 at 3:07 AM Forrest Christian (List Account) <lists@packetflux.com> wrote:
If you're going for accuracy, does 24x365 mean you close one day this year? Or should you actually be saying 24x365.25, or even more accurately 24x365.2425 (but still not exact).
How can you be that pedantic and not factor in leap seconds? 24x7x365 is common usage meaning that yes, you really are open all day every day even 24-hours on Sunday and Holidays. It's not at all unusual for a 24/7 store to close Sunday evening and reopen early Monday morning. Regards. Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On Wed, 15 Apr 2020 22:06:52 -0700, Ben Cannon said:
I call our NOC “24x7x365” I hear that in my head as “twenty-four (hour) - BY - Seven (days a week) - BY - 365 (days a year, indicating we don’t close on any holidays).
x365 is fine, to distinguish from 24x7x360 operations that are running on autopilot on Thanksgiving, Christmas and New Year and such....
(since it's Friday and we're all stressed)
I can't believe that out of everything I wrote that we're going to discuss the semantics of this, but then again: yes I can. I should have known. I should have known. I. Should. Have. Known. *bangs head on desk* *reaches for scotch* Alrighty then:
24x7 means every hour of the week, as in "24 by 7".
24x365 means every hour of the year. (modulo those with 366 days but please let's not go there because this is bad enough) (oh wait, too late, someone upthread already went there) (and then leap seconds reared their ugly head, oh good grief)
24x7x365 thus means every hour of 7 years. YES, I know, I know.
60x24x7...no. NO. I will not go there. Nor will you. Just stop. I swear I will turn this car around *right now*.
Yeah, I know it's in common use. Like any number of other things in common use (e.g., "going forward" -- really? like there's another direction to go?) it's...annoying.
I suspect that someone who just wasn't thinking started this in an attempt to out-promote people who merely said 24x7 or 24x365, and it propagated outwards. If that hypothesis is correct and there is thus a patient 0 for this epidemic, I very much want to find them and pummel them with a bag of Oxford commas.
----rsk
On Fri, Apr 17, 2020 at 6:09 PM Rich Kulawiec <rsk@gsp.org> wrote:
24x7 means every hour of the week, as in "24 by 7".
24x365 means every hour of the year. (modulo those with 366 days but please let's not go there because this is bad enough) (oh wait, too late, someone upthread already went there) (and then leap seconds reared their ugly head, oh good grief)
24x7x365 thus means every hour of 7 years. YES, I know, I know.
If we're gonna do this, let's at least inform the discussion with a few citations:
https://www.lawinsider.com/dictionary/24x7x365
https://www.macmillandictionary.com/us/buzzword/entries/24-7-365.html
https://en.wikipedia.org/wiki/24/7_service
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
Rich. I am truly sorry. 💖 also this was great thank you. -Ben
On Apr 17, 2020, at 6:09 PM, Rich Kulawiec <rsk@gsp.org> wrote:
(since it's Friday and we're all stressed)
I can't believe that out of everything I wrote that we're going to discuss the semantics of this, but then again: yes I can. I should have known. I should have known. I. Should. Have. Known. *bangs head on desk* *reaches for scotch* Alrighty then:
24x7 means every hour of the week, as in "24 by 7".
24x365 means every hour of the year. (modulo those with 366 days but please let's not go there because this is bad enough) (oh wait, too late, someone upthread already went there) (and then leap seconds reared their ugly head, oh good grief)
24x7x365 thus means every hour of 7 years. YES, I know, I know.
60x24x7...no. NO. I will not go there. Nor will you. Just stop. I swear I will turn this car around *right now*.
Yeah, I know it's in common use. Like any number of other things in common use (e.g., "going forward" -- really? like there's another direction to go?) it's...annoying.
I suspect that someone who just wasn't thinking started this in an attempt to out-promote people who merely said 24x7 or 24x365, and it propagated outwards. If that hypothesis is correct and there is thus a patient 0 for this epidemic, I very much want to find them and pummel them with a bag of Oxford commas.
----rsk
On 2020-04-18, at 03:08, Rich Kulawiec <rsk@gsp.org> wrote:
24x7x365 thus means every hour of 7 years. YES, I know, I know.
Clearly, it means the NOC only operates in the seven years of great abundance that precede the seven years of famine (Genesis 41:29 etc.). I think I have seen such NOCs before :-) Grüße, Carsten
We’ve got a 24/7 NOC and respond to abuse reports either in real-time or in as close to real-time as we can, I’d send another message if it went 24 hours without a reply too. We also have a ticket system that replies immediately so they know the e-mail went through, and we track it like a real company that does real things. -Ben
On Apr 13, 2020, at 10:46 AM, Kushal R. <kushal.r@h4g.co> wrote:
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started sending and then our live support chats.
We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse either.
On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec> wrote:
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.
Quoting from:
https://twitter.com/RiskIQ_IRT/status/1249696689985740800
which is dated 9:15 AM 4/13/2020:
5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active
16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.
---rsk
On 4/13/20 07:25, Kushal R. wrote:
From the past few months we have been receiving a constant stream of abuse reports from a company that calls themselves RiskIQ (RiskIQ.com).
The problem isn’t the abuse reports themselves but the way they send them. We receive copies of the report, on our sales, billing, TECH-POCs and almost everything other email address of ours that is available publicly.
Are the abuse reports valid? Have you addressed the cause and stopped the abuse? -- Jay Hennigan - jay@west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV
participants (22)
- Ben Cannon
- Brandon Martin
- Bryan Fields
- Carsten Bormann
- Dan Hollis
- Denys Fedoryshchenko
- Forrest Christian (List Account)
- Jay Hennigan
- Josh Luthman
- Kushal R.
- Matt Corallo
- Matt Palmer
- Matthew Petach
- Mike Hale
- Owen DeLong
- Raymond Dijkxhoorn
- Rich Kulawiec
- Ross Tajvar
- Suresh Ramasubramanian
- Tom Beecher
- Valdis Klētnieks
- William Herrin