On Jul 24, 2012, at 10:37 AM, Tobias Knecht wrote:
> Why is that? My experience shows that if you have an institution that is hammering your abuse mailbox with mails you usually first of all look at the content and if the content is good and you like to work with it you already know who this is and could easily move the reports to the right bin. Even on a format base you could easily forward or move ARF, X-ARF, ... reports to the right folders/bin/scripts/...

I know this is what I did when my turn came (pre-ARF days). That, and assigning a credibility score to many types of reports, so that we could automatically introduce air-gaps into the appropriate cables so as to stop the malicious traffic with minimal human intervention. Now, to this day and age, we still get to learn about a network whose abuse complaint address is spam-filtered or whatever. They have to resort to this because the humans cannot sift through the amount of traffic. I think having separate addresses (one for automatic, one for manual) would tend to reduce the amount of noise into the channel that is more closely supervised by real people, thus improving chances of the message being seen and acted upon. Of course, this presumes some level of willingness and competence.

> That is a good idea, I have thought about something similar already. The main problem I see is that everybody thinks their reports are the most important, which might be right in some cases ;-)

Yes, indeed.

> So if there is no auto-abuse-mailbox, I'm afraid people will send automatic mails to the abuse-mailbox, which does not help at all.

I agree, however that will leave us mostly where we are today -- so the worst case is this, the best case is a win in the overall abuse workflow.

> The second point is that we complicate things for the reporter again. Not the ones that know how to do it, but the ones that are not sure about it.

I think we'll just keep educating them -- but we'll have better tools at our disposal.

> And the third and biggest issue I have with it is the definition. What is automatic and what is not? Having a spamtrap system reporting in ARF for example without any user interaction is clearly automatic. But clicking a spam button and reporting things in a feedback loop also in ARF is manual? Or automatic? Or something in between?

True, perhaps "automatic" is not the right term -- perhaps "bulk" or "high volume" lends itself to an easier-to-apply scenario. What I wanted to encode with my choice of words was the fact that the recipient would be getting a large number of reports with similar structure -- either machine readable or not.

> In the end it does not matter, since both scenarios are in the same format and probably run through the same scripts or into the same mailbox/folder/bin/...

Perhaps, perhaps not. We cannot assume anything about the abuse report processing workflow. For instance, you might give more credence to SpamCop reports than to AOL FBLs (or the other way around) so the processing might be different.

> IMHO the easier way is to move and forward (divide) the reports on the receiver side exactly in the way the receiver wants to process (conquer) them. This way the receiver has its processes completely under control.
>
> I hope I was able to phrase my concerns in an understandable way. But nevertheless thank you very much for your input and please feel free to destroy my concerns.

I think your concerns are valid and were easy to understand. I also think that there's value in providing a better mechanism for the receiver. Receivers who want to do everything through a single channel could set the two addresses to the same value. Receivers who want to action them through separate pipelines now will have a way to do that. Receivers who prefer not to receive bulk abuse reports can signal that.

Best regards

-lem
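As an added illustration of the receiver-side "divide and conquer" split the thread describes (sorting ARF, X-ARF and free-text reports into separate bins, with a credibility score per reporter deciding how much automation is allowed), here is a small Python router. It is not code from this thread or from any project mentioned in it. The reporter addresses, credibility values, thresholds and sample messages are all constructed placeholders; ARF is detected as RFC 5965 describes it (`multipart/report` with `report-type=feedback-report`), while X-ARF detection by an `X-ARF: YES` header is an assumption about that format and the X-ARF body is not parsed.

```python
"""Route incoming abuse reports by format and reporter credibility.

Added example for the thread's divide-and-conquer idea; not code from the
thread or any feedback-loop operator. Sample messages and the credibility
table are constructed for illustration.
"""
import email
import email.utils
from email import policy
from email.message import Message

# Constructed reporter credibility table (address -> trust score in [0, 1]).
CREDIBILITY = {
    "fbl@fbl-sender.invalid": 0.95,
    "reports@trap-operator.invalid": 0.80,
}
DEFAULT_CREDIBILITY = 0.10  # unknown reporters start with low trust
AUTO_THRESHOLD = 0.90       # machine-readable reports from reporters at/above this go to the scripted bin


def detect_format(msg: Message) -> str:
    """Classify a parsed message as 'arf', 'x-arf' or 'freetext'."""
    # RFC 5965 ARF: multipart/report carrying a message/feedback-report part
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "feedback-report"):
        return "arf"
    # Assumption: X-ARF reports flag themselves with an X-ARF header
    if (msg.get("X-ARF") or "").strip().upper() in ("YES", "PLAIN"):
        return "x-arf"
    return "freetext"


def arf_fields(msg: Message) -> dict:
    """Pull Feedback-Type and Source-IP out of the message/feedback-report part."""
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            report = part.get_payload(0)  # the header block is parsed as a nested message
            return {
                "feedback_type": str(report.get("Feedback-Type", "")).strip().lower(),
                "source_ip": str(report.get("Source-IP", "")).strip(),
            }
    return {}


def route(raw: bytes) -> dict:
    """Decide which bin a raw report lands in: 'auto', 'bulk' or 'manual'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    fmt = detect_format(msg)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    cred = CREDIBILITY.get(sender, DEFAULT_CREDIBILITY)
    machine_readable = fmt in ("arf", "x-arf")
    if machine_readable and cred >= AUTO_THRESHOLD:
        queue = "auto"    # trusted, parseable: scripts may act with minimal human intervention
    elif machine_readable:
        queue = "bulk"    # parseable but not yet trusted enough: batched for human review
    else:
        queue = "manual"  # free text: goes to the closely supervised mailbox
    result = {"format": fmt, "sender": sender, "credibility": cred, "queue": queue}
    if fmt == "arf":
        result.update(arf_fields(msg))
    return result


# Constructed sample reports (addresses and IPs are documentation placeholders).
ARF_SAMPLE = b"""From: fbl@fbl-sender.invalid
To: abuse@example-isp.invalid
Subject: FW: spam complaint
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from IP 192.0.2.10.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleGenerator/1.0
Version: 1
Source-IP: 192.0.2.10

--b1
Content-Type: message/rfc822

From: sender@example.invalid
Subject: buy now

hello
--b1--
"""

XARF_SAMPLE = b"""From: reports@trap-operator.invalid
To: abuse@example-isp.invalid
Subject: abuse report for 192.0.2.20
X-ARF: YES
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Source: 192.0.2.20
"""

FREETEXT_SAMPLE = b"""From: someone@example.invalid
To: abuse@example-isp.invalid
Subject: your customer is sending me spam

Please make it stop.
"""

if __name__ == "__main__":
    for sample in (ARF_SAMPLE, XARF_SAMPLE, FREETEXT_SAMPLE):
        print(route(sample))
```

The three bins mirror the thread: a single-channel receiver can point every queue at the same mailbox, while a receiver who wants separate pipelines gets the split for free, and the credibility table is where reporters earn or lose the right to be handled without a human in the loop.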