This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Question about spam to abuse inbox
Ángel González Berdasco
angel.gonzalez at incibe.es
Thu Feb 18 14:20:53 CET 2021
Hello all,

First of all, I'm glad Cynthia opened this discussion, as it's a typical complaint for requiring abuse mailboxes. It's good to have a healthy discussion about that.

With regards to the query itself, I do think it is acceptable to block the sending email. If after manual inspection those messages have absolutely no reason to be there (automatically sent spamming mails), I think it may be ok to block further messages from that sender.

You could do as Jordi suggests and notify the abuse contact of the sender as well, warning them that you may proceed to block further messages from that sender (so at least you warned them, even though it's probably ignored).

As for the block itself, I can see reasons for doing it both at the incoming MTA, so it shows a rejection reason on why they are not allowed access to the abuse mailbox, or at the last level, where the email is received and stored (so you have that evidence if needed) but otherwise ignored.

Please note that blocking based on the sender (mail envelope or From: header) after evidence of directly being spammed from them is quite different than filtering based on *content*. That one is much more problematic, since those filters would typically match as well reports of such abuse coming from your network, which is precisely the kind of thing you want to be reported. Not to mention the irony that you send those mails but would avoid receiving them yourself.

I'm not aware of a way of telling apart the real abusive message vs someone reporting the abuse message (especially when sent by end-users). You could try to detect specific cases, but I suspect that would still be prone to false positives.

Best regards

On Thu, 18-02-2021 at 13:57 +0100, JORDI PALET MARTINEZ wrote:
> In my experience, this is something you need to live with, and not
> filter anything in the spam folder.
>
> Why? Because it can be real spam (and then you can use the abuse
> contact of the resource-holder for the addresses where the spam is
> coming from), when you report abuse cases, to facilitate the work of
> the involved parties, you should be allowed to attach or include
> headers, logs, etc. that prove that it is an abuse (from your
> perspective).
>
> If you filter that, then you will not receive many abuse reports …
>
> For example, some abuse mailboxes filter specific URLs or domains. If
> the header contains such domain, how are you going to be able to send
> that?
>
> I use fail2ban and block automatically specific IP addresses or
> ranges once the abuse has been reported and keeps repeating.
> Depending on the frequency of the repetitions, how many, etc., etc.,
> I could increase automatically from a few hours to days or weeks the
> banning.
>
> Regards,
> Jordi
>
> @jordipalet
>
> On 18/2/21 13:40, "anti-abuse-wg on behalf of Cynthia Revström via
> anti-abuse-wg" <anti-abuse-wg-bounces at ripe.net on behalf of
> anti-abuse-wg at ripe.net> wrote:
>
> Hi aa-wg,
>
> For some context, today and yesterday I have been receiving spam in
> the form of fake abuse notices to my abuse contact email address.
>
> Is there a generally accepted standard for when it's okay to block an
> address or a prefix from emailing your abuse contact?
>
> I consider being able to contact the abuse email address of a
> network a rather important function, so I prefer not to block it.
> But also as I have more relaxed spam filters for the abuse contact to
> make sure nothing gets lost, it feels like blocking the
> address/prefix is my only option other than manually filtering
> through these emails (10 so far in total, today and yesterday).
>
> So back to the question, is there a generally accepted point at which
> blocking an address/prefix is fine?
>
> Thanks,
> -Cynthia
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged
> or confidential. The information is intended to be for the exclusive
> use of the individual(s) named above and further non-explicitly
> authorized disclosure, copying, distribution or use of the contents
> of this information, even if partially, including attached files, is
> strictly prohibited and will be considered a criminal offense. If you
> are not the intended recipient be aware that any disclosure, copying,
> distribution or use of the contents of this information, even if
> partially, including attached files, is strictly prohibited, will be
> considered a criminal offense, so you must reply to the original
> sender to inform about this communication and delete it.
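
The distinction drawn in the reply above between blocking a sender and filtering on content, as an added example that is not part of the original thread. All addresses, domains and message texts are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: every address, domain and body below is made up.
BLOCKED_SENDERS = {"noreply@fake-notices.example"}  # added after manual review
CONTENT_PATTERNS = ["bad-pharma.example"]           # URL seen in the spam itself

SPAM = """\
From: noreply@fake-notices.example
To: abuse@mynet.example
Subject: Abuse notice

Visit http://bad-pharma.example/claim now
"""

REPORT = """\
From: user@victim.example
To: abuse@mynet.example
Subject: Spam received from 192.0.2.10 in your network

I received the message below from 192.0.2.10, please investigate:
> Visit http://bad-pharma.example/claim now
"""

def sender_verdict(raw, envelope_from):
    """Block only senders (envelope or From: header) already seen spamming."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if {envelope_from.lower(), header_from} & BLOCKED_SENDERS:
        return "block"
    return "accept"

def content_verdict(raw):
    """Block any message whose body contains a pattern taken from the spam."""
    body = message_from_string(raw).get_payload().lower()
    if any(pattern in body for pattern in CONTENT_PATTERNS):
        return "block"
    return "accept"

def compare():
    """Return both verdicts for the spam and for a report quoting that spam."""
    return {
        "spam": (sender_verdict(SPAM, "noreply@fake-notices.example"),
                 content_verdict(SPAM)),
        "report": (sender_verdict(REPORT, "user@victim.example"),
                   content_verdict(REPORT)),
    }

if __name__ == "__main__":
    for name, (by_sender, by_content) in compare().items():
        print(f"{name:7} sender-rule={by_sender:7} content-rule={by_content}")
```

The sender rule drops only the spam, while the content rule also drops the end-user's report because it quotes the same URL.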