This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)
- Previous message (by thread): [anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)
- Next message (by thread): [anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ángel González Berdasco
angel.gonzalez at incibe.es
Sat Feb 20 00:09:41 CET 2021
JORDI PALET MARTINEZ writes:
> Even worse ...
>
> You've read that, but automated systems will not do, just use the
> abuse mailbox.
>
> Anyway, I think in general the information will get if an automated
> abuse report is sent, will be not personal, but from an organization.
>
> In fact, if they send personal data to the "abuser", I think they
> will be breaking the GDPR, because you need an explicit consent to
> transfer personal data to third parties, right?
>
> And of course, in front of law, all this text is "wet paper". If
> there is a claim because an abuse case, and their customer doesn't
> respond, they may be liable.
>
> Regards,
> Jordi
> @jordipalet

It can make sense. When there's an abusive resource, it usually falls into one of these two cases:

a) The customer was compromised by the bad guy
b) The customer itself is the evil guy

For case a) it absolutely makes sense to notify the customer. Moreover, they *should* notify them (independently of other measures they may take). If the customer isn't aware of the issue, they will hardly fix the vulnerabilities on their site.

For case b) the customer SHALL NOT be notified. The provider itself must handle the complaint, not the evil guy.

Now, every company has its own procedures. A few will directly delete the customer account, even in case a). Some will suspend the website and let the customer clean it themselves. Others will roll the site back to a previous backup, or otherwise delete the extraneous files themselves.

Some companies pass along the complaints to the customer, especially when the server is fully administered by the customer, as seems to be offered by this company ("dedizierte Root-Server"). Some companies will oversee that the customer does handle such complaints in a satisfactory way. I'm afraid others won't. But I see no problem in that they forward _certain_ reports to the customer.
Ideally, the company itself would have someone handling the queue and classifying whether the report is spam and must be discarded, whether it should be passed to the customer to take action (albeit not necessarily providing the details of the sender!), or whether it should be investigated by the provider. Using an automated mechanism does result in faster processing, at the cost of lower quality.

I appreciate that they openly reveal their policy. We reported a case explicitly stating not to send it to the customer, just to receive a "We have passed this to the customer" response. I sorely miss that they included a slow way to contact them in that banner (the hostmaster account, I guess?) for the case where you don't want it forwarded. But, if properly managed (which we don't know if they do), an automated system which automatically handles most reports could be acceptable. Not ideal, but still somewhat acceptable.

Note we don't know if it's a dumb system that forwards everything, or if it's smart enough to identify the typology of most mails and decide, based on a number of factors, whether it should be forwarded or not. Nor how this compares with the humans that would otherwise be handling such a queue manually.
Best regards

-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/
PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

====================================================================
INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
====================================================================
In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents) and e-mail address may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitation of processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad.
====================================================================