<HTML dir=ltr><HEAD><TITLE>Re: Best practices for abuse@ mailbox and network abuse complaint handling?</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16448" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText68237 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>At one place I worked at abuse@, webmaster@, hostmaster@, and all other generic addresses where aliases on the level 1 helpdesk mailbox. Since the L1 desk's address was plastered all over the public site, they already had the pleasure of dealing with tons of spam and clueless users. In the event that someone had a legit network complaint, they would open a ticket and forward to the appropriate group. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>The only down side was the additional training. The most time consuming component was we needed to train the L1 staff how to read email headers and determine if the originated from our network. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Hope that helps,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Adam Stasiniewicz</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> owner-nanog@merit.edu on behalf of K K<BR><B>Sent:</B> Fri 5/11/2007 5:10 PM<BR><B>To:</B> nanog@merit.edu<BR><B>Subject:</B> Re: Best practices for abuse@ mailbox and network abuse complaint handling?<BR></FONT><BR></DIV>
<DIV><BR>
<P><FONT size=2>The issue I see with most of the options (abuse.net, spamcop, etc) is<BR>they're focused on the spam problem, while my department is made up of<BR>network operations, information security, and CERT, anything to do<BR>with web servers, domains, and SMTP is handled by a different business<BR>unit in another state entirely.<BR><BR>While 99.99% of our abuse@ mail is either spam or complaints about<BR>spoofed spam forging our domains as the source and has nothing to do<BR>with network operations, about once a month something truly network<BR>related will come into that mailbox, and my team won't be alerted to<BR>these events in a timely manner. Only fix I can see right now is for<BR>us to make it part of our daily workload to troll the abuse@ mailbox<BR>on the off chance that something in there is relevant to network<BR>operations/security/CERT. Is this what other NANOs do?<BR><BR>The clueful victims will look up our ASN/ARIN records and eventually<BR>make the right phone call -- or report the problem to law enforcement,<BR>who definitely know how to reach us ;)<BR><BR>I'm hoping to find either a better and widely accepted way to handle<BR>non-spam-related network abuse complaints (hacking, DoS, etc), or at<BR>least best practices for triage on the huge volume of mail that comes<BR>into abuse@, procedures such that the rare legitimate complaint about<BR>non-spam network abuse can be routed to my team in a timely manner.<BR><BR><BR>Thanks,<BR><BR> Kevin<BR></FONT></P></DIV></BODY></HTML>