Hello all
Shouldn't there be a standard for automatically forwarding messages destined to abuse-c following a path similar to that of RFC 2317 delegations? I'd love if AA training encouraged such behavior.
I don't think the standard should be for automatically forwarding messages. You would need a standard for *exchanging* the information. Fields you would need should include IP address being reported, port (optionally), timestamp, whether this may be shared with the customer (default yes), RSIT taxonomy of the incident being reported, etc. And then, among the actions that can be taken, automatically forwarding could be one of them (and probablye the less expensive for the abuse-c owner), but they could choose to process them differently. But the first step is to match the report with the machine/customer. Many abuse teams already do that automatically, although I don't know the amount of guessing needed by the tools on their normal flows. The first idea that comes to mind when talking about communicating this would be to create a solution based on X-ARF, but it's not without its shortcomings, either, so maybe a different way is felt to be preferable. This is an interesting discussion, although I feel it's a bigger design issue, significantly more ambitious than the proposal of providing some abuse training which opened this thread. Best regards -- INCIBE-CERT - Spanish National CSIRT https://www.incibe-cert.es/ PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys ==================================================================== INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. ==================================================================== In compliance with the General Data Protection Regulation of the EU (Regulation EU 2016/679, of 27 April 2016) we inform you that your personal and corporate data (as well as those included in attached documents); and e-mail address, may be included in our records for the purpose derived from legal, contractual or pre-contractual obligations or in order to respond to your queries. You may exercise your rights of access, correction, cancellation, portability, limitationof processing and opposition under the terms established by current legislation and free of charge by sending an e-mail to dpd@incibe.es. The Data Controller is S.M.E. Instituto Nacional de Ciberseguridad de España, M.P., S.A. More information is available on our website: https://www.incibe.es/proteccion-datos-personales and https://www.incibe.es/registro-actividad. ====================================================================