Re: adviCe on network security report
[In the message entitled "Re: adviCe on network security report" on Nov 2, 16:39, Sean Donelan writes:]
On Thu, 2 Nov 2006, Dave Rand wrote:
I did a study on this a few years ago. I sent out about 20,000 abuse reports, all by hand, to various networks around the world. They all came from this email address, and were clearly identified as non-robotic, personal messages. There were "many" bounces.
Less than 5% received any response.
Less than 1% received any action within 30 days.
An excellent example of not listening to ISP abuse and security folks, and what kind of results you get by not working with them.
As mentioned, this was done a few years ago (2000, if I recall correctly). The idea was to find out what was required, and to deliver a customizable approach.
I know every ISP is different. Some won't respond to anything. Others will do everything possible to figure out your complaint. But listening to the ones in the middle, and figuring out how to work with them will probably help improve things above 1%.
Because they take so much abuse as part of their normal job, even the most motivated abuse people don't go out of their way to have more people shout "You Suck" at them. On the other hand, I suspect if they believe you can make their jobs easier and not shout at them, they can be very gregarious about what they need.
Over the last few years, I have worked with many ISPs. The majority of the problems had little to do with the format/style/volume of abuse complaints, and a lot to do with empowering the abuse desks to take action. "you suck" was not an enabling message :-)
And yes, this has made a significant change in how much abuse comes from those ISPs, so working with the ISPs does pay off. Often it is essential to gain upper management's attention, however, so that the abuse desks can be empowered to take action.
But the security industry is still just beginning to understand the problems that are faced by an ISP that suddenly gets 40,000 boxes 0wned. Delivering tools that help them deal with these types of problems should be our focus.
Bridging the gap is what is required - it isn't the ISP's fault that the box got owned, but the abuse that comes from that IP address is their responsibility to mitigate as best as reasonably possible.
At 05:09 PM 11/2/2006, dlr@bungi.com (Dave Rand) wrote:
Over the last few years, I have worked with many ISPs. The majority of the problems had little to do with the format/style/volume of abuse complaints, and a lot to do with empowering the abuse desks to take action. "you suck" was not an enabling message :-)
I don't know about other ISP networks because I am only responsible for one, but we find the huge volume of garbage/bogus/automated abuse messages makes it difficult to find the real abuse issues which we need to address. A customer who may be forwarding all their email including spam to their /bigcommericalisp/ account which is then tagged as spam by the same user when it arrives at their account and then bounced to abuse@tellurian.net doesn't constitute a valid abuse complaint in my mind. An ICMP echo packet received by some random idiot online running some broken and poorly designed "firewall" software which says he is being attacked by one of our customers does not merit an abuse report or response.
However, an infected box on our network or a customer with an open smtp relay or an owned box on one of our client's transit connections from us does merit a reaction and as quickly as possible to limit the damage they can inflict on the rest of the community and likewise from a selfish standpoint - based on the retaliation which may be directed back at us.
We try to be good neighbors, but all the garbage we receive makes it difficult to be as responsive as I would like. We have our dialup support folks check through the abuse box and forward anything which falls into the interested bucket to our NOC team. However, it simply doesn't make financial sense to have a full time person or people checking through the abuse box. When something is a real problem and the person on the other end needs a quick response, they can call us or check ARIN for netblock contact info. The addresses and numbers listed there will go straight to someone who can help. I wish abuse was used as intended instead of by every idiot programmer and script writer for their own "helpful" stuff we never asked for nor does it help us at all nor does it help the users.
-Robert
Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
On Thu, 2 Nov 2006, Robert Boyle wrote:
someone who can help. I wish abuse was used as intended instead of by every idiot programmer and script writer for their own "helpful" stuff we never asked for nor does it help us at all nor does it help the users.
Unfortunately that is a problem with every public reporting channel. Most 9-1-1 (or your national equivalent) centers report a majority of their calls are non-emergencies. In many cities the police will not respond to automatic dialers calling 9-1-1 because of the extremely high false reporting rate, or put them at a very low, low response priority. Most of the complaints the FCC gets about television and radio programming are from people who have never seen or heard the program they are complaining about. ISP abuse desks, US congressional offices, etc. have all implemented things which make contacting them by e-mail harder due to the automatic-idiot problems.
There are effective ways to contact your congressional office or ISP abuse desk, and ineffective ways. When they give suggestions about the best way to contact them, it's a good idea to listen to what they recommend if you want to be effective.
If you just want to complain about ISPs not responding, or the police not finding your stolen car, or 9-1-1 operators refusing calls from your automatic alarm system; you are welcome to continue complaining. It probably won't be that effective, but if it makes you feel better go ahead. On the other hand, if you are interested in accomplishing something then there are different actions you can take.