This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Question about spam to abuse inbox
Ángel González Berdasco
angel.gonzalez at incibe.es
Sat Feb 27 01:40:01 CET 2021
Cynthia Revström writes:

> It seems to me that if your abuse@ email is being overloaded and
> you are unable to keep your network spam free, then you shouldn't be
> taking on any more customers until you figure things out.
>
> As has been noted before in this thread, just because you are getting
> 200 abuse emails in a day doesn't necessarily mean you have a huge
> issue but it is a lot of emails to deal with.
> It might just be one customer who port scanned a /24 somewhere on the
> internet.

Right. However, as also mentioned, it shouldn't be that hard to group them by IP (which would be a finer granularity than per customer), even for unstructured mails. And, if they are all actually the same issue, they should be very quick to process, as they all refer to the same incident (quick per report, I admit it may still take 2-3 hours to clean that inbox).

Plus, given the low value of abuse reported, for receiving 200 complaints I expect the actions from the customer account would be of at least an order of magnitude more than that you received complaints about. Probably much more.

Also important: how much time passed from the first report to the customer abuse stopping? How many reports refer to that initial window when you weren't aware of the abuse (by the customer itself, by those that compromised your customer, etc.) until you got notice of that (either from external reports or from your own monitoring)?

Earlier you mentioned taking a week to handle the incident reports. If the abuse continued for so long that would obviously affect more people and cause more complaints. It's true that not everyone reports immediately. Perhaps the customer began abuse at t₀, got suspended at t + 2 hours, and yet you receive some complaints the next day due to people aggregating their notifications daily (this means fewer notifications for you, but more delay in receiving them), but if the customer account continued rampant for days, that would obviously make you receive a lot more reports.
> Why do you think that because you tell yourself you are "too big"
> that you don't need to monitor your network?
>
> I don't think anyone is saying that, but if you want a human to read
> your emails, you shouldn't automate the sending so you end up with
> potential situations like that.

No. You should actually love automated reports. If Joe Abusehater automatically reported to you every day a number of phishing links on your systems (for example, suppose you are Twitter and these are phishing links using your shortener), there's no problem in automatically processing their emails with e.g. a regex:

> "Hello Cynthia,\nIt's Joe again. This time we detected a
> (?P<type>phishing|scam|child pornography|malware|...) link on your
> site at (?P<url>https?://[^ ]+) I would like you to take care of
> that.\nThanks, Joe"

A human read the email, then told the machine what it means and how to handle it. If there's an email the machine doesn't know how to handle, a human goes and takes a look.

Now suppose Joe didn't automate sending you the email. He instead hires some sloppy operators. They sometimes use one text, sometimes a different one. From time to time, they forget to include the URL, or don't specify the category (which, albeit probably not matching your own categorization, probably is still helpful).

Note I'm not covering the quality of the information. In either case, Joe's notifications could generally be either good or bad. If you find Joe to provide reliable information, you may even want to trust their reports automatically. If they have a lot of noise, you probably will want to prioritize them at the bottom of your queue.

> Don't assume people are lacking in basic knowledge, rather consider
> that some people might have requirements other than yours, and that
> it might not be as simple as you suggest.
> This also applies in most cases in this thread, just
> because something works for you or might seem easy for you doesn't
> mean it works for everyone in all situations. (I feel like this needs
> to be said)
>
> -Cynthia

Sadly, problems often lie at the management level, out of the hands of the technicians who suffer them. Still, it would be helpful to know about the requirements that make things so hard for you, as perhaps we could come up with some approach simplifying your processes.

Best regards

--
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

====================================================================
INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
====================================================================
In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries.

You may exercise your rights of access, correction, cancellation, portability, limitation of processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad.
====================================================================
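The two mechanisms Ángel describes above, parsing a reporter's fixed template with a named-group regex and grouping unstructured reports by source IP so that 200 mails about one incident collapse into one queue item, are shown together in the following added example. It is not code from the email, from INCIBE-CERT or from the working group; the template regex is a shortened form of the one sketched in the message, the sample inbox is constructed for the demo, and anything the regexes do not recognise is handed to a human rather than guessed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Regex for "Joe's" automated report template, as sketched in the email above.
# Named groups: 'type' (the reporter's own category) and 'url' (the reported link).
JOE_TEMPLATE = re.compile(
    r"This time we detected a (?P<type>phishing|scam|malware) link on your site "
    r"at (?P<url>https?://[^\s]+)"
)

# Fallback for unstructured reports: pull any IPv4 literal out of the body so that
# several mails about the same host land in one bucket (finer than per customer).
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


@dataclass
class Triage:
    structured: list = field(default_factory=list)   # (type, url) pairs from the template
    by_ip: dict = field(default_factory=lambda: defaultdict(list))  # ip -> report bodies
    needs_human: list = field(default_factory=list)  # bodies nothing could parse


def triage(reports):
    """Sort abuse report bodies into machine-handled and human-review buckets."""
    out = Triage()
    for body in reports:
        m = JOE_TEMPLATE.search(body)
        if m:
            # The human taught the machine what Joe's mails mean; act on them directly.
            out.structured.append((m.group("type"), m.group("url")))
            continue
        ips = set(IPV4.findall(body))
        if ips:
            # Unstructured but still attributable: group by the reported source address.
            for ip in ips:
                out.by_ip[ip].append(body)
            continue
        # No template match and no address: the machine does not know, so a human looks.
        out.needs_human.append(body)
    return out


def summarize(t):
    """(ip, report count) pairs, busiest source first: many mails, one incident."""
    return sorted(((ip, len(b)) for ip, b in t.by_ip.items()), key=lambda x: -x[1])


# Constructed sample inbox (hypothetical reports using documentation addresses).
SAMPLE_REPORTS = [
    "Hello Cynthia,\nIt's Joe again. This time we detected a phishing link on your "
    "site at https://short.example/abc I would like you to take care of that.\nThanks, Joe",
    "Hello Cynthia,\nIt's Joe again. This time we detected a malware link on your "
    "site at https://short.example/xyz I would like you to take care of that.\nThanks, Joe",
    "Your host 192.0.2.10 port scanned our network at 03:14 UTC.",
    "Seeing SSH brute force from 192.0.2.10 against our mail server - please stop it.",
    "We received spam from 192.0.2.77, headers attached.",
    "Hi, your customer is abusing our forum. No further details.",
]

if __name__ == "__main__":
    t = triage(SAMPLE_REPORTS)
    print("auto-handled:", t.structured)
    print("per-IP queue:", summarize(t))
    print("for a human:", t.needs_human)
```

Running it on the sample inbox yields two template hits handled automatically, one queue item for 192.0.2.10 covering two mails, one for 192.0.2.77, and a single mail left for a person to read. Whether a reporter's parsed output is trusted enough to act on without review is a per-reporter decision, as the email notes, and is deliberately not encoded here.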