This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Abuse auto responders & Legacy resources
- Previous message (by thread): [anti-abuse-wg] DRAFT WG Minutes - RIPE75
- Next message (by thread): [anti-abuse-wg] DMARC Solution Applied to this Mailing List
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ox
andre at ox.co.za
Sat Dec 16 06:00:43 CET 2017
Hi Everyone, Just when you thought it was safe to go in the water again..[1] (I did not expect to be posting again in 2017 :) ) Currently many people are not bothering to even monitor Abuse-C email boxes. As a real world example: 163.172.0.0 - 163.172.255.255 Right now, multiple Online SAS resources (in a bot net) is attempting to brute force web cms and there is no easy way to: Report the abuse or Notify the resource 'owner' - effectively the abuse-c has become useless and non relevant and it makes no difference that abuse-c exists as it is not monitored and means absolutely nothing. Legacy resources do this quite often and with everything: The argument is that new policies do not have to apply to legacy resources as these are somehow 'special' or 'old' or not relevant to policies. Legacy resources are actually MORE responsible for new policies than "new" resources. As legacy resources are OLD, outdated and not in line with the modern, new and present issues facing the Internet as a whole. So, my point is that as far as abuse is concerned: Policies should target legacy resources much more directly and with much more relevance as quite frequently, policy delinquency is directly tied and related to mostly legacy resources. Then, with regards the practical example: ONLINESAS-MNT's legacy range: So, the choices are: drop everything from the range - firewall only the affected port and spend our resources on tracking only the affected ip numbers (which with the eventual advent of ipv6 will make absolutely no sense) or simply just to dev/null everything from the entire range. What should concern abuse admins is that practically, the simplest, cheapest, easiest and most effective method is just to null the entire range. If we all start doing that, the planet will become less and less connected, except through the large peers with adequate resources to actively filter on a short term basis only the precise bot nets for that slice of time. ONLINESAS-MNT has configured an autoresponder that basically tells anyone sending mail there that they have to create an account on the company website, submit a ticket after figuring out how the web platform works, then interact with the system etc. Of course reporting abuse to ONLINESAS-MNT is so resource intensive, takes so long and is so involved that it is not done. My point is that ONLINESAS-MNT is not alone. managing abuse is a cost. Large companies want to make money - but they want to spend as little as possible to make that money. They are all the same. Avoiding a working abuse-c is a simple and easy way to cut down on your abuse management costs. In my opinion, this is a very bad practice and it does render the whole abuse-c as non functional anyway. As more and more companies figure out how they can avoid managing abuse, with no/limited blowback, they will all probably start doing exactly that - this will render abuse-c as pointless and futile as it will mean nothing - and it also devalues much of what RIPE/RIR does to ensure some sort of responsibility for maintaining functional data. It is patently pointless to have a resource record, like abuse-c - if it means absolutely nothing. Andre -- [1] Peter Benchley - JAWS 2 Just as an additional over share - I live by the ocean and yesterday morning we (me and my family) swam in close proximity to some great white sharks (the lifeguards then closed the beach) - beautiful creatures.
- Previous message (by thread): [anti-abuse-wg] DRAFT WG Minutes - RIPE75
- Next message (by thread): [anti-abuse-wg] DMARC Solution Applied to this Mailing List
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]