North American Network Operators Group


Re: Best practices for [email protected] mailbox and network abuse complaint handling?

  • From: Suresh Ramasubramanian
  • Date: Fri May 11 23:27:35 2007


On 5/11/07, K K <[email protected]> wrote:

> Can anybody point me at best practices for monitoring and responding to abuse complaints, and good solutions for accepting complaints about network abuse? Any recommended outsourced services for processing abuse complaints?


Well, there are a few things:


1. Mitigate [port 25 management, walled gardens and such]
=> Cut down on the number of abuse causing issues

2. Automate
=> Abacus or other abuse desk optimized ticketing system, as John Levine said
=> Feedback loops (ARF formatted) from various ISPs
=> Ditto, automated feeds from Phishtank, Netcraft, your local CERT

3. Spread the load intelligently
=> Whatever can be handled by tier 1 should be handled by tier 1

> Probably 98% of the mailbox is from spammers who've harvested or
> randomly targeted [email protected] addresses for male enhancement, maybe 1.99%

So? A little filtering should handle a lot of that, procmail even. At least to file the obvious crap into a different folder that can be looked at and blown away.

> to educate management on responsible mass mailing).  But every once in
> a while there is a legitimate network-related "incident", and my team
> does need to see those messages in a timely manner.

Separate POCs as far as possible (postmaster for block related issues, abuse for spam related issues, and a block interface like the one we have around - http://spamblock.outblaze.com/ip.add.re.ss), and quick, automated escalations. Ditto tools to automate as much of the "search" stuff as possible.

Prioritizing incidents in your queue as well (stuff like LE requests,
large-scale network incidents etc. can usually be spotted from the
subject line itself).

Takes time to build that kind of setup, but the time spent is well worth it.

MAAWG's working on an abuse desk best practice doc over the last few
meetings, it should be well worth reading when it does come out.

--srs
--
Suresh Ramasubramanian ([email protected])
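The triage the post sketches, as an added example that is not from the thread, from Abacus, or from any of the tools named: ARF (RFC 5965) feedback-loop reports are parsed automatically and queued for the feedback-loop handler, mail whose subject looks like a law-enforcement request or a large-scale incident is escalated, obvious male-enhancement spam is filed away, and everything else goes to tier 1. The keyword lists, queue names, priorities and the four sample messages are constructed for illustration and are not from the page.

```python
"""Triage for an abuse@ mailbox (illustrative code, not from the NANOG thread)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Keyword lists are assumptions chosen for the example; tune to real traffic.
ESCALATE = re.compile(
    r"\b(subpoena|court order|law enforcement|ddos|botnet|worm|outage|compromised)\b",
    re.I)
JUNK = re.compile(r"\b(viagra|enhancement|enlarge|casino|lottery)\b", re.I)


def _header_fields(part: EmailMessage) -> dict:
    """Return the header block of a message/* part as a lowercase-keyed dict."""
    payload = part.get_payload()
    if isinstance(payload, list):      # parser produced a nested message object
        inner = payload[0]
    else:                               # fall back to parsing the raw text
        inner = email.message_from_string(str(payload), policy=policy.default)
    return {k.lower(): str(v).strip() for k, v in inner.items()}


def parse_arf(msg: EmailMessage):
    """Pull the fields an abuse desk needs out of an ARF report, or return None."""
    if msg.get_content_type() != "multipart/report":
        return None
    if (msg.get_param("report-type") or "").lower() != "feedback-report":
        return None
    report, original = {}, {}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":   # the machine-readable part
            report = _header_fields(part)
        elif ctype == "message/rfc822":          # the offending message itself
            original = _header_fields(part)
    if not report:
        return None
    return {
        "feedback_type": report.get("feedback-type", "unknown"),
        "source_ip": report.get("source-ip"),
        "reported_domain": report.get("reported-domain"),
        "original_message_id": original.get("message-id"),
        "original_from": original.get("from"),
    }


def triage(raw: str) -> dict:
    """Classify one raw RFC 822 message into a queue; priority 1 is the most urgent."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    arf = parse_arf(msg)
    if arf is not None:                 # automated feed: no human needed up front
        return {"queue": "fbl", "priority": 3, "arf": arf}
    if ESCALATE.search(subject):        # LE request / large incident: escalate
        return {"queue": "incident", "priority": 1, "subject": subject}
    if JUNK.search(subject):            # the 98%: file it, look later, blow away
        return {"queue": "junk", "priority": 9, "subject": subject}
    return {"queue": "tier1", "priority": 5, "subject": subject}


# Constructed sample messages (addresses and IPs from documentation ranges).
ARF_REPORT = """From: fbl@isp.example
To: abuse@example.net
Subject: FW: Earn money fast
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part1"

--part1
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from IP 192.0.2.1.

--part1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: 192.0.2.1
Reported-Domain: example.net

--part1
Content-Type: message/rfc822

From: sender@example.net
To: user@isp.example
Subject: Earn money fast
Message-ID: <123@example.net>

Buy now.
--part1--
"""
LE_REQUEST = "From: det@police.example\nSubject: Subpoena for 192.0.2.7 logs\n\nSee attached.\n"
JUNK_MAIL = "From: x@example.org\nSubject: male enhancement, 80% off\n\nClick here.\n"
PLAIN_COMPLAINT = "From: user@example.org\nSubject: unwanted mail from your netblock\n\nHeaders below.\n"

if __name__ == "__main__":
    for sample in (ARF_REPORT, LE_REQUEST, JUNK_MAIL, PLAIN_COMPLAINT):
        print(triage(sample))
```

Because `parse_arf` keys on the `report-type=feedback-report` parameter rather than on the sender, a forged "report" from an arbitrary address still lands in the FBL queue; in practice gate the FBL queue on the feedback-loop partner's envelope sender or signing domain as well.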