[anti-abuse-wg] Question about spam to abuse inbox

Cynthia Revström writes:
> > It seems to me that if your abuse@ email is being overloaded and
> you are unable to keep your network spam free, then you shouldn't be
> taking on any more customers until you figure things out.
> 
> As has been noted before in this thread, just because you are getting
> 200 abuse emails in a day doesn't necessarily mean you have a huge
> issue but it is a lot of emails to deal with.
> It might just be one customer who port scanned a /24 somewhere on the
> internet.

Right. However, as also mentioned, it shouldn't be that hard to group
them by IP (which would be a finer granularity than per customer), even
for unstructured mails.

And, if they are all actually the same issue, they should be very
quickly to process, as they all refer to the same incident (quickly per
report, I admit it may still take 2-3 hours to clean that inbox).


Plus, given the low value of abuse reported, for receiving 200
complaints I expect the actions from the customer account would be of
at least an order of magnitude more than that you received complaints
about. Probably much more.



Also important: how much time passed since first report to customer
abuse stopping? how many reports refer to that initial window when you
weren't aware of the abuse (by the customer itself, by those that
compromised your customer, etc.) until you got notice of that (either
from external reports or from your own monitoring) ?

Earlier you mentioned taking a week to handle the incident reports. If
the abuse continued for so long that would obviously affect more people
and cause more complaints.

It's true that not everyone reports immediately. Perhaps customer began
abuse at t₀, got suspended at t + 2 hours, and yet you receive some
complaints next day due to people aggregating their notifications daily
(this means less notifications for you, but more delay in receiving
them), but if the customer account continued rampant for days, that
would obviously make you receive a lot more reports.



> > Why do you think that because you tell yourself you are "too big"
> that you don't need to monitor your network?
> 
> I don't think anyone is saying that, but if you want a human to read
> your emails, you shouldn't automate the sending so you end up with
> potential situations like that.

No. You should actually love automated reports.
If Joe Abusehater automatically reported you every day a number of
phishing links on your systems (for example, suppose you are Twitter
and these are phishing links using your shortener), there's no problem
in automatically processing their emails with e.g. a regex:

> "Hello Cynthia,\nIt's Joe again. This time we detected a
> (?P<type>phishing|scam|child pornography|malware|...) link on your
> site at (?P<url>https?://[^ ]+)) I would like you to take care of
> that.\nThanks, Joe"


A human read the email, then told the machine what it means and how to
handle it. If there's an email the machine doesn't know how to handle,
a human goes and takes a look.

Now suppose Joe didn't automate sending you the email. He instead hires
some sloppy operators. They sometimes use one text, sometimes a
different one. From time to time, they forget to include the url, or
don't specify the category (which, albeit probably not matching your
own categorization, probably is still helpful).

Note I'm not covering the quality of the information. In either cases,
Joe notifications could generally be either good or bad. If you find
Joe to provide reliable information, you may even want to trust their
reports automatically. If they have a lot of noise, you probably will
want to prioritize them at the bottom of your queue.




> Don't assume people are lacking in basic knowledge, rather consider
> that some people might have requirements other than yours, and that
> it might not be as simple as you suggest.
> 
> This also applies in most cases in this thread, just
> because something works for you or might seem easy for you doesn't
> mean it works for everyone in all situations. (I feel like this needs
> to be said)
> 
> -Cynthia

Sadly, problems often lie at the management level, out of the hands of
the technicians which suffer them.
Still, it would be helpful to know about the requirements that make
things so hard for your, as perhaps we could come up with some approach
simplifying your processes.


Best regards


-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

====================================================================

INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.

====================================================================

In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records 
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitationof processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.

====================================================================