Best practices for [email protected] mailbox and network abuse complaint handling?

Suresh Ramasubramanian ops.lists at gmail.com
Sat May 12 03:24:54 UTC 2007


On 5/11/07, K K <kkadow at gmail.com> wrote:
>
> Can anybody point me at best practices for monitoring and responding
> to abuse complaints, and good solutions for accepting complaints about
> network abuse?
> Any recommended outsourced services for processing abuse complaints?
>

Well, there are a few things:

1. Mitigate [port 25 management, walled gardens and such]
=> Cut down on the number of abuse causing issues

2. Automate
=> Abacus or other abuse desk optimized ticketing system, as John Levine said
=> Feedback loops (ARF formatted) from various ISPs
=> Ditto, automated feeds from Phishtank, Netcraft, your local CERT

3. Spread the load intelligently
=> Whatever can be handled by tier 1 should be handled by tier 1

> Probably 98% of the mailbox is from spammers who've harvested or
> randomly targeted [email protected] addresses for male enhancement, maybe 1.99%

So?  A little filtering should handle a lot of that, procmail even.
At least to file the obvious crap into a different folder that can be
looked at and blown away

> to educate management on responsible mass mailing).  But every once in
> a while there is a legitimate network-related "incident", and my team
> does need to see those messages in a timely manner.

Separate POCs as far as possible (postmaster for block related issues,
abuse for spam related issues, and a block interface like the one we
have around - http://spamblock.outblaze.com/ip.add.re.ss), and quick,
automated escalations.  Ditto tools to automate as much of the
"search" stuff as possible.

Prioritizing incidents in your queue as well (stuff like LE requests,
large-scale network incidents, etc. can usually be spotted from the
subject line itself).

Takes time to build that kind of setup, but the time spent is well worth it

MAAWG's been working on an abuse desk best practice doc over the last few
meetings; it should be well worth reading when it does come out.

--srs
-- 
Suresh Ramasubramanian (ops.lists at gmail.com)
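
One way to automate the sorting described in the message above, as an added example that is not part of the original post: it pulls Feedback-Type and Source-IP out of ARF (RFC 5965) feedback-loop reports and flags priority subjects for escalation. The queue names, the keyword list and the sample report are assumptions constructed for illustration.

```python
import email
import re
from email import policy

URGENT = re.compile(r"subpoena|court order|law enforcement|ddos|outage", re.I)  # assumed keywords

def parse_arf(msg):
    """Return Feedback-Type and Source-IP from an ARF (RFC 5965) report, else None."""
    kind = (msg.get_content_type(), str(msg.get_param("report-type")).lower())
    if kind == ("multipart/report", "feedback-report"):
        for part in msg.walk():
            if part.get_content_type() == "message/feedback-report":
                fields = part.get_payload(0)  # message/* bodies parse as a nested header block
                return {"feedback_type": str(fields["Feedback-Type"] or "").lower(),
                        "source_ip": str(fields["Source-IP"] or "")}
    return None

def triage(raw):
    """Route one raw message (bytes) to a queue; the queue names are hypothetical."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    if URGENT.search(subject):  # a routing hint only; a human still verifies the sender
        return "escalate", {"subject": subject}
    report = parse_arf(msg)
    return ("fbl", report) if report else ("tier1", {"subject": subject})

# Constructed sample: a minimal ARF report using documentation-range values.
SAMPLE_ARF = b"""\
Subject: FW: special offer
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report for a message received from 192.0.2.10.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.10

--b1
Content-Type: message/rfc822

Subject: special offer

--b1--
"""
```

Calling `triage(SAMPLE_ARF)` returns the `fbl` queue with the parsed fields, so the source IP can be matched to a customer without anyone opening the message.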



More information about the NANOG mailing list