abusereporting

Suresh Ramasubramanian suresh at outblaze.com
Sun Feb 8 11:00:56 UTC 2004


>>>>> "Mikael" == Mikael Abrahamsson <swmike at swm.pp.se> writes:

    Mikael> On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:

    Mikael> I have asked about this before. Wouldn't it be very nice if
    Mikael> there was a standardized way to report IP-number and
    Mikael> timestamp and type of complaint?

There isn't one yet.

Some people are trying to put together a simplistic looking BCP -
http://www.tmisnet.com/~strads/spam/bcp.html

    Mikael> I've seen something produced by some workgroup (RIPE?) but
    Mikael> that was a huge document about XML and it seemed
    Mikael> non-trivial to implement. I was more into the idea of
    Mikael> having basically email headers like:

There is a RIPE WG on spam (I think chaired by Rodney Tillotson from
JANET/CERT).  But I don't recall something like this being proposed
.. and XML is a rather unruly beast to manage, especially for joe
user.

Your idea of headers might work - or something on the lines of send-pr
on *bsd.  All that the NOC staff receiving it would require is that it
stays simple, without stuff like:

Frenzied abuse
Screenshots from fancy IDS / software firewall products
Long lectures on why spam / DDoS / other network abuse is bad

A short two or three line summary of the issue, accurate timestamps
and a set of excerpts from your logs (not a whole lot, just enough to
make the situation obvious) should be enough.

Another big help is giving the NOC access to a good ticketing system
which understands the difference between customer support and net
abuse handling (here, your customers are the problems, for starters).
RT3 has a lot of code (courtesy Paul Vixie and the other people at
MAPS who were hacking on it) - but there's a nice new product called
Abacus - http://word-to-the-wise.com/abacus that looks promising.

       srs
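
An added example, not part of the original message: one way to turn raw log lines into the kind of short report described above, with one report per source IP, timestamps normalized to UTC, and only a few log excerpts. The header names, the log format and the sample lines are assumptions constructed for illustration; no standard defines them.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample firewall log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2004-02-08T12:58:01+02:00 fw1 DROP src=192.0.2.45 dst=198.51.100.10 dport=25
2004-02-08T12:58:03+02:00 fw1 DROP src=192.0.2.45 dst=198.51.100.11 dport=25
2004-02-08T12:59:40+02:00 fw1 DROP src=203.0.113.7 dst=198.51.100.10 dport=80
2004-02-08T13:01:17+02:00 fw1 DROP src=192.0.2.45 dst=198.51.100.12 dport=25
this line is not a log record
"""

LINE_RE = re.compile(r"^(\S+) .*\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def group_events(log_text):
    """Map source IP -> list of (UTC timestamp, original line); skip unparsable lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        if ts.tzinfo is None:  # no UTC offset: ambiguous for the receiving NOC, so drop it
            continue
        events[m.group(2)].append((ts.astimezone(timezone.utc), line))
    return events

def build_report(ip, events, complaint_type, summary, max_excerpts=3):
    """Render one short report for one source IP. Header names are hypothetical."""
    hits = sorted(events.get(ip, []))
    if not hits:
        raise ValueError(f"no usable log events for {ip}")
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    head = [
        f"Abuse-Type: {complaint_type}",
        f"Source-IP: {ip}",
        f"First-Seen: {hits[0][0].strftime(fmt)}",
        f"Last-Seen: {hits[-1][0].strftime(fmt)}",
        f"Event-Count: {len(hits)}",
    ]
    excerpts = [line for _, line in hits[:max_excerpts]]
    return "\n".join(head + ["", summary, "", "Log excerpts (original timestamps):"] + excerpts)
```

The excerpts keep their original timestamps and offsets so the receiving NOC can match them against the header fields, which are always in UTC.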




More information about the NANOG mailing list