[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse

James Davis wrote:

Hello,

>> It is likely, that you get a problem report just a few minutes
>> after on of your users started to send spam, because his PC
>> is invected.
> 
> This already happens. Our contact details are published in a clear and
> unambiguous fashion, in all the places that you'd expect. Automated spam
> reporting schemes appear to have no problems contacting us. This is
> because as a network operator we have chosen to deal with these issues,
> not because we're told to.

Sorry but this is not true for all members.
Most newer or smaller ISPs are pretty puzzled, when they have their
first real outbreak, and even ask us for advise and help to fix
their holes and others do not subscribe lists, that could
give them up-to-date warnings or get enough reports, if its
only a smaller problem.

At least, this is our experience here with our own blacklist.

>> You can then look up the report (or even automate it), reset
>> his radius password and kick him out, waiting for him
>> to phone your support :o)
> 
> Not all ISPs can operate like that. Every one of our customers would
> rather we offered them help and advice on how to deal with the problem
> rather than taking automated action. That is why we have a CSIRT/abuse
> team.p

Good for you, impossible for big ISPs that have no real contact
to their customers. Cutting the line is a hard method, right,
but for some ISPs the only methods to get attention
immediatelly.

But again: its up for the member what to do with the reports ...

And Im not saying, that the system would fit everybody needs,
but I defny think that it would be better than the current state.

>> Lets say, you receive 100 reports in about 10 minutes for one
>> IP, where this IP had no report ever ?
>>
>> What is likely to happen ?
>> What would you do ?
> 
> An incident would likely be opened in our ticketing system before that
> ten minutes were up, and someone would be on the phone to our customer
> shortly afterwards. We deal with every complaint of spam, even if it's
> just a single report, although the response is proportionate to the
> particular incident.

Great, you are part of a very small club ;o)

> Like I said, you'd have to think really carefully about how you'd
> measure what a "bad provider" was, or you risk not only wasting your
> efforts but making a lot of people angry.

Sure, so that why limits have to very high and these kind of limits
are up for discussion on this list.
But making analysis like this public should not be the first step
for the system at all, it might be a future option, if things
are settled, everybody got used to the new system aso ...

> We get questions like this a lot from our customers - asking us how they
> rank abuse wise compared to other customers and honestly there isn't an
> easy way to measure this.

Ok, got it ...

> The proposal, whether I agree with it or not, needs a concrete answer
> for how you would measure a 'bad provider'.

I dont think so, because the first intention of the system is not
how to define a "bad provider", it only talkes about how RIPE
staff could talk to those providers.

If I would implement limits, I would messure rates according to
the size of the member allocations first and monitor these rates
to see whats currently normal for a member.
And if those rates are much higher than compared to others, I would
ask the member to try to do something against that or to explain
it, then slowly adjusting the allowed rates up or down again.

Finally, after a long period, I would tell all members, that
its time to drop the rates, if they are rising over their
allowed limit or not really dropping over a long period,
THEN, and only then I would call them a "bad provider",
because they are obviously not capable or willing to
do anything ...

But thats a big step for the future.
The first step should be a backlink system, to ensure
that reports are read and categorized (ok,
"really bad provider" will propably program
something arround that backlink system to bypass
it, I heared even about people that are bypassing
captcha codes already with OCR-software).

>> Well, thats only work at RIPE NCC, its not that complicated to
>> automated bounces ...
> 
> Say the abuse contact is abuse at foo.com and the billing contact is
> john.doe at foo.com, if the domain foo.com expires then no amount of e-mail
> is going to resolve the issue. Someone has to get on the phone and find

Clear, but a member without any working email contact ?
Is that really possible ?
How can you work with new allocations or changes to old one
without any working email contact ?

> out what's happened. This happens fairly frequently here with only
> around a thousand customers.

Cant believe it.
Does the RIPEs system do not check automatically if (e.g.)
allocations messages bounce ?

>> Defny right, but lets start with something ...
> 
> Starting is good when you know what direction you're heading in. It's
> the other half of the question that people here are more interested in :)

Interesting point ...


Kind regards, Frank
> 
> James
> 
> - --
> James Davis	+44 1235 822 229    	   PGP: 0xD1622876
> JANET CSIRT	0870 850 2340	        (+44 1235 822 340)
> Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iD8DBQFLvvqahZi14NFiKHYRAkpHAJ4s3tiryuoTmY3j8Jivot909exfkgCfYLy3
> Wm34pL98ZdkkHClYthklcEg=
> =b+z3
> -----END PGP SIGNATURE-----
> 
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024 
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> 
> 
> 


-- 

Mit freundlichen Gruessen,
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de