Hi All So maybe a word from an "Incident Responder". I do feel very much, that we should have an abuse conntact, and it should be tested to wok, in the sense that some one reads the mail sent there. Here are my reasons: - Having such a mailbox may increase the pressure for orgs to actually do something. My experience from previous job showed, that keep sending abuse reports, despite complaints about "spam" eventually convinced a lot of orgs to act. Essentially you take away the excuste "Oh, but we didn't know" - Even for orgs that don't react having such a conntact helps, because it allows us to build up a history of ignored requests, which cann then be used to reminde these orgs that they actually are part of the problem. It is a sad fact, that a threat to your reputation, even if it's only in colsed community, seems to sometimes help convincing said org to reract. Finally if, at some state more drastic action would be necessary (Think Russian Bussines Network at the time), you can build a case. - Lastly: It makes our life as Incident responders easier to have a uniform way of sending reports, even if not all of them are followed up. I kind of don't buy into "There is no point on placing a burden on orgs that choose not to act". Best Serge On 15/01/2020 08:23, Carlos Friaças via anti-abuse-wg wrote:
Hi,
I obviously don't speak for the incident handling community, but i think this (making it optional) would be a serious step back. The current situation is already very bad when in some cases we know from the start that we are sending (automated) messages/notices to blackholes.
To an extreme, there should always be a known contact responsible for any network infrastructure. If this is not the case, what's the purpose of a registry then?
Regards, Carlos
On Tue, 14 Jan 2020, Leo Vegoda wrote:
On Tue, Jan 14, 2020 at 1:48 AM Gert Doering <gert@space.net> wrote:
[...]
A much simpler approach would be to make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)
This seems like a simple approach for letting network operators indicate whether or not they will act on abuse reports. If there's no way of reporting abuse then the operators clearly has no processes for evaluating reports, or acting on them. This helps everyone save time.
Regards,
Leo Vegoda
-- Dr. Serge Droz Chair, Forum of Incident Response and Security Teams (FIRST) Phone +41 76 542 44 93 | serge.droz@first.org | https://www.first.org