How do people view the automated generation of abuse reports? I’ve seen lots of (understandable) moaning about large providers not handling abuse reports, and lots of (understandable) suggestions that ARIN test for the reachability of abuse contacts. On the flip side, I run a Tor exit node (as well as bridge nodes, which appear to be used exclusively by Chinese, Russian, and Iranian IPs, indicating Tor is, contrary to popular belief, used in large part for its intended purpose). Because people seem to include “you tried three to log in three times and got the password wrong” in their definition of abuse, I’ve had to provide bogus abuse contacts (and include actual abuse comments in the comments section). I’ve tried reaching out to other operators suggesting that they cut it out, as they are the reason many operators do not provide functional abuse contacts, usually with a response of “so stop attacking my serverz!!!1one”. Is it time to have ARIN add a “abuse contact available only after captcha” option? Matt
On Mon, Oct 07, 2019 at 05:28:08PM -0700, Matt Corallo wrote:
Because people seem to include “you tried three to log in three times and got the password wrong” in their definition of abuse, I’ve had to provide bogus abuse contacts (and include actual abuse comments in the comments section). I’ve tried reaching out to other operators suggesting that they cut it out, as they are the reason many operators do not provide functional abuse contacts, usually with a response of “so stop attacking my serverz!!!1one”.
Fight fire with fire, and report their abuse of your abuse contact as abuse to their (or their upstream's) abuse contact? More seriously, though, if someone insists on reporting (automatically or otherwise) seriously bogus "abuse" a couple of times, I don't think it's unreasonable to block / filter that specific reporter from further calls on your attention. What would also be reasonable, I think, is to require automatically generated abuse reports to themselves be automatically processable. That requires some way of *detecting* automatic generation, of course, but it might encourage a few people to adopt machine-readable abuse reports.
Is it time to have ARIN add a “abuse contact available only after captcha” option?
I'd prefer if it wasn't, because it seems somewhat of a "baby/bathwater" solution, just to deal with a few GWFs (GsWF?).
On the flip side, I run a Tor exit node (as well as bridge nodes, which appear to be used exclusively by Chinese, Russian, and Iranian IPs, indicating Tor is, contrary to popular belief, used in large part for its intended purpose).
[Rearranging this paragraph because it is a side-bar from the main issue] I suspect that if you checked the stats on your guard nodes (if you have any) the stats would be somewhat different. Bridges, by their nature, are less likely to be used by miscreants because they're harder to get (have to ask BridgeDB) and nobody gets all of them. If you're just out to anaonymise your source IP and you're in a location that doesn't imprison and torture you for reading the news, it's a lot easier to just use a regular guard/middle/exit circuit. I'm not calling this out because I'm a Tor-hater; on the contrary, I too run Tor nodes (bridges and relays; no exit nodes). It's just that it's somewhat misleading to suggest that Tor isn't the tool of choice for people who'd prefer to cause mischief without anyone knowing what they're up to. I support Tor because the benefits outweigh the unpleasantness it (necessarily) permits. - (Another) Matt
participants (3)
-
Matt Corallo -
Matt Palmer -
Rich Kulawiec