Best practices for [email protected] mailbox and network abuse complaint handling?

Jeroen Massar jeroen at unfix.org
Fri May 11 22:31:46 UTC 2007


K K wrote:
[..]
> I'm hoping to find either a better and widely accepted way to handle
> non-spam-related network abuse complaints (hacking, DoS, etc), or at
> least best practices for triage on the huge volume of mail that comes
> into [email protected],  procedures such that the rare legitimate complaint about
> non-spam network abuse can be routed to my team in a timely manner.

whois is the right one. But IMHO the ARIN whois is a bit limited and
also odd, but that might be because I am used to seeing a different kind
of data ;)

In RIPE db we have a nice IRT (Incident Response Team) object which is
meant for this, see amongst others:
http://www.ripe.net/info/ncc/presentations/irt-tfcsirt6/sld001.html
http://www.ripe.net/db/support/security/irt/irt-h2.html

Next to that there is the 'abuse-mailbox' line which can be inserted
with most objects, similarly to irt.

These will at least allow your users to find you. Some of the tools out
there that auto-spam [email protected] when they get a silly portscan use those
fields, so at least you will get it at the right address and not at
every other single address that is listed in whois.

Greets,
 Jeroen


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20070511/37f857da/attachment.sig>


More information about the NANOG mailing list