North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Q: What do ISPs really think about security issues?

  • From: Gadi Evron
  • Date: Fri Jan 11 11:09:24 2008

On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote: 

Another vendor who, after being given clear escalation paths, first
kept cc'ing our upstream abuse desk, and every role account OTHER than
abuse at our domain.  When they finally get enough clue hammered into
them to cc our abuse desk, they escalate to my work address within two
hours of that, demanding it be taken down.

Let me guess which one it is, the same one that called 2 minutes later and threatened to go to the Police on YOU?

Our abuse desk would handle tix within a business day, or even
earlier.  And email about phish takes priority right after (say) LE
requests that find their way there (instead of the special POC we
already have given most LE agencies).   So, escalating a manual
complaint after two hours is a bit thick, I'd say.

Anyway, that particular vendor  got told to take a hike, told that we
wouldnt accept any further reports from them (and that our automated
scripts kill about 20 for every one that they report anyway), and that
we'd contact the one client they seem to send these alerts for
directly and set up something more automated, where they could send us
a list (in a standard format, and verified at their end) and we'd take
it down automatically.  Of course with manual review later.

Their client's name starts with C? :)

Neither of those two takedown services (especially not the one in #2)
is going to get anything like this offered to them.  Not until they
actually learn to play nice with other ISPs.  Which comes right back
to Sean's remark that I replied to.

Sorry for the long emails, but I do wish more takedown services (and
more abuse / security desks) would read the MAAWG abuse desk best
practice document ..

http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pdf

Best suggestion of the thread. Now how can we make that happen? If we can give it an easily Googable name, we may be able to mention it in the press when the occasion rises. We may be able to inform them of it (nicely) in response to abuse email. What did you find works for you?


--srs

Gadi.