abusereporting
Suresh Ramasubramanian
suresh at outblaze.com
Sun Feb 8 11:00:56 UTC 2004
>>>>> "Mikael" == Mikael Abrahamsson <swmike at swm.pp.se> writes:
Mikael> On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:
Mikael> I have asked about this before. Wouldn't it be very nice if
Mikael> there was a standardized way to report IP-number and
Mikael> timestamp and type of complaint?
There isn't one yet.
Some people are trying to put together a simplistic looking BCP -
http://www.tmisnet.com/~strads/spam/bcp.html
Mikael> I've seen something produced by some workgroup (RIPE?) but
Mikael> that was a huge document about XML and it seemed
Mikael> non-trivial to implement. I was more into the idea of
Mikael> having basically email headers like:
There is a RIPE WG on spam (I think chaired by Rodney Tillotson from
JANET/CERT). But I don't recall something like this being proposed
.. and XML is a rather unruly beast to manage, especially for joe
user.
Your idea of headers might work - or something on the lines of send-pr
on *bsd. All that the NOC staff receiving it would require is that it
stays simple, without stuff like:
  - Frenzied abuse
  - Screenshots from fancy IDS / software firewall products
  - Long lectures on why spam / DDoS / other network abuse is bad
A short two or three line summary of the issue, accurate timestamps
and a set of excerpts from your logs (not a whole lot, just enough to
make the situation obvious) should be enough.
Another big help is giving the NOC access to a good ticketing system
which understands the difference between customer support and net
abuse handling (here, your customers are the problems, for starters).
RT3 has a lot of code (courtesy Paul Vixie and the other people at
MAPS who were hacking on it) - but there's a nice new product called
Abacus - http://word-to-the-wise.com/abacus that looks promising.
srs
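An added example, not part of the original post and not a format anyone in this thread proposed: a header-style report builder and the matching parser on the receiving side, enforcing the short summary, unambiguous timestamp and small log excerpt described above. The X-Abuse-* header names, the 10-line log cap and the sample values are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.parser import Parser

# Hypothetical header names invented for this example; no standard defines them.
REQUIRED = ("X-Abuse-Source-IP", "X-Abuse-Timestamp", "X-Abuse-Type")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # always UTC on the wire
MAX_SUMMARY_LINES = 3              # "two or three line summary"
MAX_LOG_LINES = 10                 # assumed cap for "just enough" log excerpts

def build_report(ip, when, kind, summary, log_lines):
    """Return the report as message text; raise ValueError on a bad report."""
    ipaddress.ip_address(ip)                     # ValueError if malformed
    if when.tzinfo is None:
        raise ValueError("timestamp needs an explicit timezone")
    summary_lines = [s for s in summary.splitlines() if s.strip()]
    if not 1 <= len(summary_lines) <= MAX_SUMMARY_LINES:
        raise ValueError("summary must be one to three lines")
    if not 1 <= len(log_lines) <= MAX_LOG_LINES:
        raise ValueError("include 1 to %d log lines" % MAX_LOG_LINES)
    msg = EmailMessage()
    msg["X-Abuse-Source-IP"] = ip
    msg["X-Abuse-Timestamp"] = when.astimezone(timezone.utc).strftime(TS_FORMAT)
    msg["X-Abuse-Type"] = kind
    msg.set_content("\n".join(summary_lines) + "\n\nLog excerpt:\n"
                    + "\n".join(log_lines) + "\n")
    return msg.as_string()

def parse_report(text):
    """Receiving side: return (ip, UTC datetime, complaint type)."""
    msg = Parser().parsestr(text)
    missing = [h for h in REQUIRED if msg[h] is None]
    if missing:
        raise ValueError("missing headers: " + ", ".join(missing))
    ts = datetime.strptime(msg["X-Abuse-Timestamp"], TS_FORMAT)
    return (ipaddress.ip_address(msg["X-Abuse-Source-IP"]),
            ts.replace(tzinfo=timezone.utc), msg["X-Abuse-Type"])

if __name__ == "__main__":
    # Constructed sample: documentation-range IP, local time at UTC+05:30.
    local = datetime(2004, 2, 8, 16, 30, 56,
                     tzinfo=timezone(timedelta(hours=5, minutes=30)))
    report = build_report("192.0.2.10", local, "spam",
                          "Spam relayed through your host to our MX.",
                          ["Feb  8 11:00:56 mx1 smtpd: connect from 192.0.2.10"])
    print(report)
    print(parse_report(report))
```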