[anti-abuse-wg] How Not To Ask For A Website to Be taken Down
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Dec 23 07:59:43 CET 2010
My apologies for not following up on this sooner. It's definitely the busy season...

In message <97C58E22-A243-4A57-9602-7184B5D3522A at blacknight.ie>, "Michele Neylon :: Blacknight" <michele at blacknight.ie> wrote:

>>What is it, exactly, about that message that caused you to have any
>>difficulty in "working it out"?
>
>To start with it was sent to just about every single contact point imaginable
>except our abuse contact. The only reason it made it to our abuse team at all
>was because one of our sales staff asked me to look at it.

Well, OK. Arguably that was bad form on their part. But having been "in the trenches" now myself for over 15 years, I can well and truly understand why they didn't even bother to CC: abuse@ (even though I myself would have done so).

In fact there are many reasons why an intelligent and an _experienced_ person would never even waste the bits to even CC: abuse@. Here are just a few of those reasons:

#1) On a large number of commercial ISP networks, abuse@ has been aliased to /dev/null. This isn't speculation. This is fact. Certainly, a lot of commercial ISPs make a business of catering especially to the lucrative spamming trade. Thus, these ISPs in particular have less than zero interest in _anything_ anybody might send to abuse@. (And some, like several in Russia... or that one in "Belize" I already posted about... are run by folks who are criminals themselves. So they don't even care even if you have a non-spam related "abuse" issue.)

Even for the vast majority of commercial networks that are NOT specifically going out of their way to cater especially to spammers or other criminals, the decision has been made, long ago (and in many cases even BEFORE the advent of the Great Recession) that any sort of "abuse desk" type function is an unjustifiable "cost center" as opposed to a "profit center". Thus, with only rare exceptions, virtually every ISP that is any bigger than a small-time "mom and pop" operation has long ago aliased abuse@ to /dev/null because management sees no profit potential whatsoever in assigning even a fractional warm body to read that stuff. And of course, the advent of the Great Recession only speeded up the final (and now near total and global) aliasing of abuse@ to /dev/null.

Even for those networks... a minority to begin with... where there existed some sense of public/community responsibility (e.g. to investigate & respond to network abuse reports) and/or a sense of the importance and value of maintaining a good corporate reputation, the Great Recession has, for many, sharpened the corporate focus on mere survival, while niceties like good corporate netizenship have, understandably I suppose, gone by the wayside.

#2) Even for those networks where abuse@ is not aliased to /dev/null, sending anything other than a _spam_ report to that address will typically engender either (a) no response at all (with the message being silently discarded) or else (b) an irritated response of the form "Why are you sending this to abuse@??" or else (c) a more or less automated response (either from an actual program or else from a low-paid human who has been trained to act like one) of the form "We're sorry, but we cannot accept abuse complaints without either (a) a full set of e-mail headers or else (b) a complete set of system intrusion logs."

Obviously, in the case under discussion, which involved primarily violations of trademark rights (and with the high probability of associated phishing activity being only "unproven" and speculative) the party sending the report had no system logs nor any e-mail headers to send.

#3) Although, for the various reasons noted above, and others, sending a report like this to an abuse@ address might yield no meaningful or useful action at all, the mere presence of the corporate abuse@ address, either in the To: header or in the Cc: header would most likely cause any and all other parties to whom such a report had been addressed (and who might otherwise potentially be more responsive/responsible than abuse@) to simply trash the message, e.g. because they might reasonably assume that "Oh! This was sent to abuse@ too, so the abuse department/person will surely handle it, and I don't need to get involved."

#4) Last but not least, in the circles I travel in, a clear and unambiguous distinction is often drawn between "abuse ON the network" and "abuse OF the network". As we all know, the latter occurs almost every second of the day, somewhere on the Internet, and it can range from undeserved insults and slanders to sophisticated social engineering con games involving millions of dollars. But none of that "abuse ON the network" in any way threatens the operational status of any part of the net. Conversely, of course, spam and DoS attacks directly threaten the operational status of either parts of the net or, in sum, even the whole thing, and thus, by tradition among the people I commonly hang out with, "abuse OF the net" is widely considered to be the only thing (a) that humans can reasonably fight and also (b) in many people's minds, it is the only thing that's _worth_ fighting for. (After all, the world and the net will go on even if you or I are heinously slandered or even defrauded, tomorrow, somewhere on the Internet.)

The upshot of all this line of thinking is that some (many?) believe that it's not even the job of an ISP abuse desk to even delve into any matters that do not clearly affect network operational status. At any and all ISPs of this persuasion, a note to abuse@ regarding a clear trademark violation (and a plausible/possible phishing threat) would be discarded virtually the moment it was opened.

_=_=_=

I'm not saying that any of the above are ``good'' reasons why a report like the one sent to you from BofA _should_ be effectively ignored by the person or robot tasked with reading mail sent to abuse@ (at various ISPs). I am only saying that out here in the Real World, that is, alas, what often would (and does) happen.

>>> If your first language isn't English then I suspect you'll dismiss it as
>>> spam .. .. I know some of my staff did and they supposedly speak English
>>
>> Again, I am utterly baffled by your comment. Can you explain why anyone
>> would ever dismiss BofA's message to you as spam?
>
>Read the message. Instead of simply stating that they are alerting us to an
>issue they start off with a long convoluted text about their trademarks,
>which is totally irrelevant to us. All we want to know is that someone is
>reporting abuse, what type of abuse it is and where it is located.

OK, now _here_ you have a point that I cannot reasonably take issue with. And your point is, I think, not only valid but also, potentially very useful.

You're right. I think the way that people in the news business commonly express the point you just made is that it is bad practice to "bury the lead", i.e. it's important to express the major point you are trying to make (in a news story or in an abuse report) clearly, concisely, and in the first sentence. That's a good lesson for all of us writers of abuse reports, and one I'll try, in future, never to forget myself.

>You might not find this hard to understand, but I suspect this is because
>you are used to reading these kind of emails and might be immune to how badly
>worded they are.

No, actually, it is more because I have some extensive experience reading legal documents (e.g. court filings) and thus I'm already so adept at hacking through the thicket of words (to find the meat) that it's almost second nature (and automatic/subconscious) to me now, kind of like people who are so practiced that they can almost play a piano concerto in their sleep. That explains why, when I see something like that BofA e-mail you posted, its verbosity and/or failure to clearly and quickly come to the point doesn't faze me in the slightest.

(I guess that I have been hanging out with lawyers too long. :-)

Regards,
rfg