Automated Abuse Reports

Matt Palmer mpalmer at hezmatt.org
Tue Oct 8 04:08:36 UTC 2019


On Mon, Oct 07, 2019 at 05:28:08PM -0700, Matt Corallo wrote:
> Because people seem to include “you tried to log
> in three times and got the password wrong” in their definition of abuse,
> I’ve had to provide bogus abuse contacts (and include actual abuse
> comments in the comments section).  I’ve tried reaching out to other
> operators suggesting that they cut it out, as they are the reason many
> operators do not provide functional abuse contacts, usually with a
> response of “so stop attacking my serverz!!!1one”.

Fight fire with fire, and report their abuse of your abuse contact as abuse
to their (or their upstream's) abuse contact?  More seriously, though, if
someone insists on reporting (automatically or otherwise) seriously bogus
"abuse" a couple of times, I don't think it's unreasonable to block / filter
that specific reporter from further calls on your attention.

What would also be reasonable, I think, is to require automatically
generated abuse reports to themselves be automatically processable.  That
requires some way of *detecting* automatic generation, of course, but it
might encourage a few people to adopt machine-readable abuse reports.

> Is it time to have ARIN add a “abuse contact available only after captcha”
> option?

I'd prefer if it wasn't, because it seems somewhat of a "baby/bathwater"
solution, just to deal with a few GWFs (GsWF?).

> On the flip side, I run a Tor exit node (as well as bridge nodes, which
> appear to be used exclusively by Chinese, Russian, and Iranian IPs,
> indicating Tor is, contrary to popular belief, used in large part for its
> intended purpose).

[Rearranging this paragraph because it is a side-bar from the main issue]

I suspect that if you checked the stats on your guard nodes (if you have
any) the stats would be somewhat different.  Bridges, by their nature, are
less likely to be used by miscreants because they're harder to get (have to
ask BridgeDB) and nobody gets all of them.  If you're just out to anonymise
your source IP and you're in a location that doesn't imprison and torture
you for reading the news, it's a lot easier to just use a regular
guard/middle/exit circuit.

I'm not calling this out because I'm a Tor-hater; on the contrary, I too run
Tor nodes (bridges and relays; no exit nodes).  It's just that it's somewhat
misleading to suggest that Tor isn't the tool of choice for people who'd
prefer to cause mischief without anyone knowing what they're up to.  I
support Tor because the benefits outweigh the unpleasantness it
(necessarily) permits.

- (Another) Matt
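
The idea in the message above, that automatically generated abuse reports should themselves be automatically processable, sketched as an added example that is not part of the original post. It assumes the RFC 3834 `Auto-Submitted` header as the signal for automatic generation and RFC 5965 ARF as the machine-readable format; the `triage` function, its action names, and the sample messages are hypothetical.

```python
from email import message_from_string, policy

def triage(raw):
    """Route one message sent to an abuse mailbox (policy is an assumption)."""
    msg = message_from_string(raw, policy=policy.default)
    # RFC 5965 ARF: multipart/report with report-type=feedback-report and a
    # message/feedback-report part made of header-style fields.
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "feedback-report"):
        for part in msg.walk():
            if part.get_content_type() == "message/feedback-report":
                fields = part.get_payload(0)  # parser exposes the fields as headers
                return {"action": "process",
                        "feedback_type": str(fields.get("Feedback-Type", "")),
                        "source_ip": str(fields.get("Source-IP", ""))}
    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return {"action": "reject-unstructured"}  # automated but free-form
    return {"action": "human-queue"}

# Constructed samples; the ARF one omits the third (original message) part.
ARF = """\
From: reporter@example.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Automated report about 192.0.2.10.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.10

--b1--
"""
AUTO = """\
From: ids@example.net
Auto-Submitted: auto-generated
Subject: 3 failed logins from 192.0.2.10

Stop attacking our server.
"""
HUMAN = "From: admin@example.net\nSubject: Question about 192.0.2.10\n\nLogs attached.\n"
```

`Auto-Submitted` is set voluntarily by the sender, so an automated reporter that omits it lands in the human queue; that is the detection gap the message points out.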
