Abuse response [Was: RE: Yahoo Mail Update]

Robert Bonomi bonomi at mail.r-bonomi.com
Wed Apr 16 19:48:02 UTC 2008

> Subject: Re: Abuse response [Was: RE: Yahoo Mail Update]
> From: Valdis.Kletnieks at vt.edu
> Date: Wed, 16 Apr 2008 12:02:02 -0400
> On Wed, 16 Apr 2008 00:38:33 CDT, Chris Boyd said:
> > - I'd like to see an actual response beyond an autoreply saying that you
> > can't tell me who the customer is or what actions were taken.
> Well, let's see.   If you're reporting abuse coming from my AS, it's almost
> certainly one of 2 things:

[[  sneck    causations ]]

> Basically, 99.8% of the time, no response other than "We found it and dealt
> with it" is actually suitable, and the other 0.2% of the time, you're about
> to get dragged into an ongoing investigation, so expect a "Hold Evidence"
> order on your fax in a few minutes.. ;)
> So what sort of response did you actually *want*?

Speaking strictly for myself, the wish-list for an ack is (not necessarily in
priority order):
   1) appreciation for my contributed time/effort in helping them keep _their_ 
      network clean.
   2) an ack that they _have_found_ the source.  I generally don't care 'who' 
      it was, just that they *have* been found, and STOPPED.
   3) an indication that the immediate issue has been fixed, and that steps
      have been taken to prevent future recurrence.    Again, the actual
      'details' of what has been done are relatively unimportant.
   4) *WHEN* the 'fix' was implemented.  Then I know if I see 'more of the 
      same _before_ that time, I don't need to report it, =AND= if I see
      stuff occurring _after_ that time, that it is a 'new and different'
      problem that _does_ need to be reported.

This is more about _how_ you say things, than the details of what you actually

Replies -- _days_ later -- along the lines of "thanks for the report, due to 
volume of complaints we won't be able to tell you anything about what we find,
or do" cause much grinding of teeth.

Replies that say: "This appears to be the same as something that has already
been reported to us by others.  We have looked into things, confirmed it was
happening, and put a stop to it as of {timestamp}.  If you see any more of this
activity from that source _after_ that time please email us immediately with
the string "{token}" in the subject line." _do_ give the originator 'warm
fuzzies', and can be more-or-less trivially generated by a good trouble-ticket
system.  Especially with reasonable front-end automation for recognizing
'duplicate' complaints.

At the good end, I've gotten replies saying: "the customer has been contacted,
and they immediately took the affected machine off-line for sterilization";
even "we have been unable to contact the customer, and have pulled their 
circuit until they *do* contact us."  

Note: that last message was received about 4 hours after sending the problem 
notice, and about 2 hours after what would have been the normal 'start of 
business' in the locale of the problem.  That provider wears a *BIG* white
hat in my books.  Not so much for telling me what they did, but for the speed
of reaction.  

Contrast those responses with a major national who doesn't send any responses
*and* has an admitted policy of giving customers _a_week_after_notification_ 
of having an infected machine on their network to get the machine off-line or 
otherwise dealt with.  And it can take _days_ to get the notification to the 
customer. (they just send an email to the business contact -- notify them late
friday and the clock doesn't start running until Monday morning.  *sigh*)
