<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EstiloCorreo18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1959725924;
mso-list-type:hybrid;
mso-list-template-ids:-196594204 67764247 67764249 67764251 67764239 67764249 67764251 67764239 67764249 67764251;}
@list l0:level1
{mso-level-number-format:alpha-lower;
mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=ES link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Hi Cynthia,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>I got that, sorry not having been clear. I was just expanding what I think should not be done even if some resource-holders do (any kind of filtering of what’s allowed to come in to the abuse mailbox).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>With fail2ban you can for example:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><ol style='margin-top:0cm' start=1 type=a><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Detect intrusion attempts (SMTP, SSH, FTP, SIP, DNS, etc.), and decide if you consider an intrusion attempt something that retries more than 5 times in 10 minutes.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Then you send the abuse report.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>And block that IP for 8 hours.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>If the IP retries after that, then you can define that for “n” retries in “m” minutes, the IP is banned for 8 days … and so on.<o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>You could also configure it so warnings of “whatever” are internally send to the relevant staff for manual handling.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>One possible measure that you can take is to send an automated email such as “if you haven’t sent sufficient logs/details to investigate the case … your email will be ignored, so please resend it if x and y, at least, are missing”. If they continue to send emails without those details, either via an autoresponder or manually, send them a message to inform that due to the high volume of abuse reports without the relevant information, you are forced to ban them for “n days”.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>I think this is at the end very dependent on your own case, resources available, etc., but agree, everything on this discussion is useful!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>Saludos,<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>Jordi<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>@jordipalet<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 18/2/21 15:06, "Cynthia Revström" <<a href="mailto:me@cynthia.re">me@cynthia.re</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'>Hi Jordi,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Sorry I was probably a bit unclear, I don't filter based on content for the abuse inbox.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>But as I don't filter based on content, I feel like in some cases I need to sort of have manual fail2ban.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>I really like your point though and I don't know how I blanked out on a temporary block being a potential solution.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Because the main thing I was afraid of is, what if another one of their customers gets this address and actually has legitimate abuse emails?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>But temporarily blocking the sender is a good enough solution to me at least considering the very low volume of abuse emails I get on a regular basis.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Also to clarify these emails in particular were complete nonsense such as "I am under ddos from you, please help" with no other details.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>They were also sent with invalid SPF, and I don't think the from addresses were actually the senders.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Also just a few minutes ago, the abuse contact replied saying that they had taken action so I hope this specific case is now fixed.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>I still think it is/was a useful topic though as there might be less obvious situations or situations where the abuse contact of the sender doesn't cooperate.<o:p></o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal style='margin-left:35.4pt'>-Cynthia<o:p></o:p></p></div></div></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>On Thu, Feb 18, 2021 at 1:58 PM JORDI PALET MARTINEZ via anti-abuse-wg <<a href="mailto:anti-abuse-wg@ripe.net" target="_blank">anti-abuse-wg@ripe.net</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>In my experience, this is something you need to live with, and not filter anything in the spam folder.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>Why? Because it can be real spam (and then you can use the abuse contact of the resource-holder for the addresses where the spam is coming from), when you report abuse cases, to facilitate the work of the involved parties, you should be allowed to attach or include headers, logs, etc. that probe that it is an abuse (from your perspective).</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>If you filter that, then you will not receive many abuse reports …</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>For example, some abuse mailboxes filter specific URLs or domains. If the header contains such domain, how are you going to be able to send that?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>I use fail2ban and block automatically specific IP addresses or ranges once the abuse has been reported and keeps repeating. Depending on the frequency of the repetitions, how many, etc., etc., I could increase automatically from a few hours to days or weeks the banning.</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>Jordi</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'>@jordipalet</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt;color:black'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>El 18/2/21 13:40, "anti-abuse-wg en nombre de Cynthia Revström via anti-abuse-wg" <<a href="mailto:anti-abuse-wg-bounces@ripe.net" target="_blank">anti-abuse-wg-bounces@ripe.net</a> en nombre de <a href="mailto:anti-abuse-wg@ripe.net" target="_blank">anti-abuse-wg@ripe.net</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>Hi aa-wg,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>For some context, today and yesterday I have been receiving spam in the form of fake abuse notices to my abuse contact email address.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>Is there a generally accepted standard for when it's okay to block an address or a prefix from emailing your abuse contact?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>I consider being able to contact the abuse email address of a network a rather important function, so I prefer not to block it.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>But also as I have more relaxed spam filters for the abuse contact to make sure nothing gets lost, it feels like blocking the address/prefix is my only option other than manually filtering through these emails (10 so far in total, today and yesterday).<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>So back to the question, is there a generally accepted point at which blocking an address/prefix is fine?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>Thanks,<br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:70.8pt'>-Cynthia<o:p></o:p></p></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><br>**********************************************<br>IPv4 is over<br>Are you ready for the new Internet ?<br><a href="http://www.theipv6company.com" target="_blank">http://www.theipv6company.com</a><br>The IPv6 Company<br><br>This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<o:p></o:p></p></div></blockquote></div></div><br>**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
http://www.theipv6company.com<br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</body></html>