Abuse Desks

Matt Corallo nanog at as397444.net
Wed Apr 29 17:14:01 UTC 2020


I obviously agree it *can* be an indication of a bigger issue, but it isn't always. Let's take an example from one of my
(isolated netblocks):

~$ whois 208.68.4.129
Comment:        ---------------
Comment:        208.68.4.128/28 and 208.68.7.128/28 provide privacy services
Comment:        (incl running tor exit node(s)!)
Comment:        Abuse reports will be handled but there is likely not much that can be done.
Comment:        Send abuse to abuse at privacysvcs net.
Comment:        ---------------
...
RAbuseEmail:  see-comments-no-bots at example.com


Now you can decide to pass judgement on the idea that someone may want to run a Tor exit node (my data says a good chunk
of users are regular internet users in Iran, so I'm happy with it), but that's beside the point. Only a few outbound
ports are allowed, and SSH is appropriately rate-limited. And yet there's a reason the registered abuse email is a dummy
one - if it's not, not only do I get a flood of automated crap, but I get angry idiots complaining about lack of response.

If I don't put a dummy email there, I don't get legitimate reports hidden under the giant pile of, literally one failed
SSH login, or wouldn't be in a position to respond to them quickly. If I do put a dummy email there, I miss legitimate
reports for other hosts.

I'm open to ideas on what to do here, but the abuse system as it exists today is clearly broken for me, and it's clearly
broken for AWS/GCP/Azure/OVH/etc - have you ever tried emailing their registered abuse contacts? I have, the problem
doesn't go away and there are no responses.

The answer is balance, of course, but my concept of balance is your concept of abuse. Either way the situation we've
ended up in is that the whole thing is nigh useless, especially given most of the real crap out there comes from hosting
providers like the above who don't have the bandwidth to respond.

Matt

On 4/29/20 7:55 AM, Rich Kulawiec wrote:
> On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
>> Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails.
>> This is why folks don't have abuse contacts that are responsive to real issues anymore.
> 
> [ "you" = rhetorical "you", throughout ]
> 
> No, the reason that folks don't have responsive abuse contacts is that
> they're some combination of:
> 
> 	- lazy
> 	- cheap [1]
> 	- incompetent
> 	- unprofessional
> 	- actively supporting the abusers
> 
> A "we received 3 login attempts on our SSH box" complaint should be read,
> investigated, and acted on.  It means that something is going on that
> shouldn't, and so for your own sake, as well as for the well-being of
> your Internet neighbors, you should find out what that is.
> 
> That "for your own sake" clause is often overlooked.  An incoming abuse
> complaint is sometimes the canary in the coal mine.  Ignoring it because
> it appears to be trivial at first glance is extremely foolish.
> 
> The lesson of the 75-cent accounting error is now 34 years old.  This would
> be a really good time to learn from it.
> 
> You should also consider that -- thanks to the negligence and incompetence of
> many abuse desks -- a lot of people simply don't bother reporting incidents
> any more.  Thus what presents to you, on the surface, as "we received 3
> login attempts on our SSH box" may in fact be one isolated report of
> a much larger incident.  It thus requires your immediate attention, if you
> want to even pretend to be a responsible, competent professional.
> 
> Incidentally, an excellent way to reduce the number of "we received 3
> login attempts on our SSH box" complaints is to deal with all of them,
> thus decreasing incident occurrence, which will of course result in a
> corresponding decrease in complaints.  An even better way is to run
> your operation in such a way that you detect and deal with as many
> such things as possible before anybody needs to file a complaint.
> After all, if they can see the traffic arriving on their side, you can
> see it leaving on yours.
> 
> ---rsk
> 
> [1] I note, for example, that Charter -- which is mentioned in the
> original message in this thread -- currently has a market capitalization
> of 116.63 billion dollars.  Surely they could spare a tiny fraction of
> that to appropriately staff a 24x7 multi-lingual abuse desk with senior
> engineers and empower/equip them to do what needs to be done.  That's
> what a professional operation would do.
> 


