Abuse Desks

Rich Kulawiec rsk at gsp.org
Wed Apr 29 11:55:54 UTC 2020


On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
> Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails.
> This is why folks don't have abuse contacts that are responsive to real issues anymore.

[ "you" = rhetorical "you", throughout ]

No, the reason that folks don't have responsive abuse contacts is that
they're some combination of:

	- lazy
	- cheap [1]
	- incompetent
	- unprofessional
	- actively supporting the abusers

A "we received 3 login attempts on our SSH box" complaint should be read,
investigated, and acted on.  It means that something is going on that
shouldn't, and so for your own sake, as well as for the well-being of
your Internet neighbors, you should find out what that is.

That "for your own sake" clause is often overlooked.  An incoming abuse
complaint is sometimes the canary in the coal mine.  Ignoring it because
it appears to be trivial at first glance is extremely foolish.

The lesson of the 75-cent accounting error is now 34 years old.  This would
be a really good time to learn from it.

You should also consider that -- thanks to the negligence and incompetence of
many abuse desks -- a lot of people simply don't bother reporting incidents
any more.  Thus what presents to you, on the surface, as "we received 3
login attempts on our SSH box" may in fact be one isolated report of
a much larger incident.  It thus requires your immediate attention, if you
want to even pretend to be a responsible, competent professional.

Incidentally, an excellent way to reduce the number of "we received 3
login attempts on our SSH box" complaints is to deal with all of them,
thus decreasing incident occurence, which will of course result in a
corresponding decrease in complaints.  An even better way is to run
your operation in such a way that you detect and deal with as many
such things as possible before anybody needs to file a complaint.
After all, if they can see the traffic arriving on their side, you can
see it leaving on yours.

---rsk

[1] I note, for example, that Charter -- which is mentioned in the
original message in this thread -- currently has a market capitalization
of 116.63 billion dollars.  Surely they could spare a tiny fraction of
that to appropriately staff a 24x7 multi-lingual abuse desk with senior
engineers and empower/equip them to do what needs to done.  That's
what a professional operation would do.



More information about the NANOG mailing list