[anti-abuse-wg] Adding a "Security Information" contact?

Hi Max,


thank you for your reply and explanations.  Some more comments/ 
questions inline:

On Sun 03/Jul/2022 23:25:28 +0200 Max Grobecker wrote:
> Am 20.06.22 um 18:04 schrieb Alessandro Vesely:
> 
>>> Our abuse mailbox is not overflowing with these, of course, but it 
>>> makes semi-automated handling a bit painful. For example, we would 
>>> like to forward these information to our customers, but we wont 
>>> need to take further action on this, because we refuse to break 
>>> into the offices of our customers at night and patch their software.
>> sorry to bother, but I hardly got that.  Are these IP-driven 
>> messages?  Don't CERTs lookup the abuse address with RDAP or WHOIS?
> 
> The reports we get from CERT-BUND are highly IP focused. I cited one 
> of these report as an example at the end of this mail.
> In general, I think these organizations we get mail from are 
> downloading the database from RIPE and are using an offline version.


It is very expensive.  Do you think they only do European IPs, or do 
they have specialized procedures for each RIR?

Perhaps RIPE provides for maintaining remote copies of the database, 
but a caching RDAP tool would be more standard compliant.


>> Why doesn't the abuse address point (in)directly to the relevant IP 
>> user?  That is, what's wrong in automatically forwarding CERT's 
>> security notices?  I cannot understand how doing so entailS 
>> obligations to reach the customer's premises at night.
> 
> If I point the abuse address directly to an address controlled by the 
> customer, I don't get any notices - regardless of security information 
> or real abuse.
> And I'm interested in the latter one, as I want to stop the abuse, of 
> course ;-)
> Therefore all abuse reports are handled by our internal system to be 
> automatically escalated to the appropriate internal and external 
> contacts.


What I'd be curious to know is whether automatic escalation is based 
on per-customer abuse addresses or on parsing message contents looking 
for IPs.

Per-customer address is something like asn65535 at bc.grobecker.info or 
ip192.0.2.8/29 at sc.grobecker.info, which can be forwarded to the 
relevant (big or small) customer without actually opening the 
messages, but still maintaining a copy of them.  Doing so requires 
more work for maintaining the database, but less work for forwarding 
messages.


> But for notices like "Oh, we think there might be a vulnerable service 
> reachable on that IP" we don't want that whole escalation thing.
> Also, most of these notices contain a list of addresses, but 
> sometimes, these lists are not stable parseable because there seems to 
> be no standardized format.
> Reports we receive from CERT-BUND come with a CSV file which we are 
> able to parse - but in the last months there came several new other 
> services with their own data formats and I suspect, there will come more.


And the CSVs refer to multiple customers?


> If I could "route" these reports directly to the customer, this would 
> improve reporting speed and keep these away from our regular abuse 
> desk with escalations and all that stuff.


I understand you don't want your abuse desk to get involved in 
checking whether, for example, an open DNS does in fact amplify 
queries if it is open.  Is that the difference between forward and 
escalate?

Using a different field entails the extra burden to educate 
organizations like CERT-BUND to use the appropriate reporting address 
based on the kind of report.

For RDAP, those addresses could be tagged as less preferred.  Some 
RIRs do so, leaving the actual meaning a bit obscure, though. 
Alternatively, RFC 7483 provides for a "notifications" role, which in 
theory applies to an associated object.


Best
Ale
--