Abuse response [Was: RE: Yahoo Mail Update]

Suresh Ramasubramanian ops.lists at gmail.com
Tue Apr 15 05:26:02 UTC 2008


On Tue, Apr 15, 2008 at 10:16 AM, Paul Ferguson <fergdawg at netzero.net> wrote:
>  As I mentioned in my presentation at NANOG 42 in San Jose, the
>  biggest barrier we face in shrinking the "time-to-exploit" window
>  with regards to contacting people responsible for assisting in
>  mitigating malicious issues is finding someone to actually
>  respond.

Fergie.. you (and various others in the "send emails, expect
takedowns" biz) - phish, IPR violations, whatever.. you're missing a
huge, obvious point.

If you send manual notifications (aka email to a crowded abuse queue),
expect 24 - 72 hours response.

If you have high enough numbers of the stuff to report, do what large
ISPs do among themselves: set up and offer an ARF'd / IODEF feedback
loop or some other automated way to send complaints, that is
machine-parseable, and that's sent - by prior agreement - to a specific
address where the ISP can process it, and quite probably prioritize it
above all the "j00 hxx0r3d m3 by doing dns lookups!!!!" email.

That kind of report can be handled within minutes.

If you send reports with lots of legal boilerplate, or reports with
long lectures on why you expect an INSTANT TAKEDOWN, and send them to
a busy abuse queue, there is no way - and zero reason - for the ISP
people to prioritize your complaint above all the other complaints
coming in.

>  Unfortunately, most abuse requests/inquiries fall into a black-hole,
>  or bounce.

Not you, but several companies that do this as a business model need
to learn how to do this properly.  Some of them are spectacularly
incompetent at what they do too.

>  Me, I have pretty much given up on any domain-related avenues, since
>  they generally end up in disappointment, and found more successes in
>  going directly to the owners of the IP allocation, and upstream ISP,
>  a regional/national CERT/CSIRT, or law enforcement.

Yeah?  And by the time your request filters right back down to where
it actually belongs.. guess what, it takes much longer than 72 hours.

>  Now, this has no bearing on the original subject (which I have now
>  forgotten what it is -- oh yeah, something about Yahoo! mail), but
>  it should be additional proof that the Bad Guys know how to
>  manipulate the system, the system is broken, and the Bad Guys are
>  now making much more money than we are. :-)

And proof that various good guys don't know how to cooperate, and
various other "good guys" are in the business only to score points off
other providers to make themselves look good.

http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphishing.html
for example.. I think Brian Krebs - given what I know of his usual
high standards - would certainly have regretted publishing PR and
marketing generated, highly debatable, "statistics" like the ones
referenced in that article.

--srs
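The machine-parseable feedback loop the post recommends is, in practice, ARF (RFC 5965, Abuse Reporting Format): a multipart/report message whose second part is a message/feedback-report block of Field: value lines, followed by the offending message. The following is an added example, not code from the post or from any ISP's abuse pipeline, showing both sides of that loop in Python's standard email library: a reporter assembling an ARF report, and an abuse desk parsing it and deciding queue priority. The netblock, addresses, sample message and the User-Agent string are constructed for the example, and the triage rule is a hypothetical illustration of "prioritize it above all the other email".

```python
"""Build and parse an ARF (RFC 5965) feedback report.  Sample values are
constructed for the example; the triage rule is hypothetical."""
import email
import ipaddress
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Hypothetical address space the receiving abuse desk is responsible for
# (RFC 5737 documentation range, constructed for the example).
OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample of the message being reported.
SAMPLE_ORIGINAL = (
    b"From: sender@example.net\n"
    b"To: victim@example.com\n"
    b"Subject: constructed sample\n"
    b"Received: from mail.example.net (192.0.2.10)\n"
    b"\n"
    b"body\n"
)


def build_arf_report(original: bytes, feedback_type: str, source_ip: str,
                     reporter: str = "reporter@example.org",
                     abuse_mailbox: str = "arf@example.com") -> bytes:
    """Reporter side: assemble the three-part multipart/report with
    report-type=feedback-report, as RFC 5965 lays it out."""
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_mailbox
    report["Subject"] = "FW: abuse report"

    # Part 1: human-readable description, for anyone reading by hand.
    report.attach(MIMEText(
        f"This is an email abuse report for a message from {source_ip}.\n",
        "plain"))

    # Part 2: machine-readable fields; Version 1 is the RFC 5965 format.
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload(
        f"Feedback-Type: {feedback_type}\n"
        "User-Agent: ExampleReporter/0.1\n"   # hypothetical agent name
        "Version: 1\n"
        f"Source-IP: {source_ip}\n"
        "Reported-Domain: example.net\n"
    )
    report.attach(fields)

    # Part 3: the original message, so the desk can verify the complaint.
    report.attach(MIMEMessage(email.message_from_bytes(original)))
    return report.as_bytes()


def _report_fields(part) -> dict:
    """Extract Field: value pairs from a message/feedback-report part.
    The stdlib parser treats message/* bodies as a nested message, so the
    fields usually arrive as that nested message's headers; the string
    branch covers parsers that leave the body as text."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return {name: value for name, value in payload[0].items()}
    fields = {}
    for line in payload.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields


def parse_arf_report(raw: bytes) -> dict:
    """Abuse-desk side: validate the envelope and return the report fields.
    Raises ValueError for anything that is not an ARF feedback report."""
    msg = email.message_from_bytes(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    for part in msg.get_payload():
        if part.get_content_type() == "message/feedback-report":
            return _report_fields(part)
    raise ValueError("missing message/feedback-report part")


def triage(fields: dict) -> str:
    """Hypothetical queue rule: reports about our own address space that
    arrive through the agreed loop skip the general abuse queue."""
    ftype = fields.get("Feedback-Type", "").lower()
    try:
        src = ipaddress.ip_address(fields.get("Source-IP", ""))
    except ValueError:
        return "manual-review"   # absent or malformed Source-IP: human queue
    if not any(src in net for net in OUR_NETBLOCKS):
        return "not-ours"        # not our space: hand to the right party
    if ftype in ("abuse", "fraud", "virus"):
        return "urgent"
    return "normal"


if __name__ == "__main__":
    raw = build_arf_report(SAMPLE_ORIGINAL, "abuse", "192.0.2.10")
    parsed = parse_arf_report(raw)
    print(parsed["Feedback-Type"], parsed["Source-IP"], triage(parsed))
```

The point of the structure is that the desk never has to read prose to act: the envelope check rejects anything that is not the agreed format, the fields come out as a dictionary, and the priority decision is a function of Source-IP and Feedback-Type rather than of how loudly the cover letter demands a takedown.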
