Sent this directly to Ronald by mistake, it was meant for the list...

---------- Forwarded message ----------
From: Mark Foster <blakjak@gmail.com>
Date: Fri, Dec 24, 2010 at 9:48 AM
Subject: Re: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down

On Thu, Dec 23, 2010 at 7:59 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> #2) Even for those networks where abuse@ is not aliased to /dev/null, sending anything other than a _spam_ report to that address will typically engender either (a) no response at all (with the message being silently discarded) or else (b) an irritated response of the form "Why are you sending this to abuse@??" or else (c) a more or less automated response (either from an actual program or else from a low-paid human who has been trained to act like one) of the form "We're sorry, but we cannot accept abuse complaints without either (a) a full set of e-mail headers or else (b) a complete set of system intrusion logs."
I find myself taking exception to this and whilst I usually lurk in the background here I think it needs to be said:

- I would expect any malicious or illegal behavior to be reported to abuse@
- Whilst Spam reports will form the vast majority of these, I expect my Abuse-Queue-Staff to be plucking the _non_-Spam reports out for early attention (as other types of abuse are more frequently time sensitive).

Those who do tech support are familiar with the idea of triage in a customer-facing sense; the stuff that's likely to have large ramifications, either in scale, or PR, or cost, will get early attention because that's just common sense.

For stuff happening in real-time that's a serious issue (say a DoS) I have (as an engineer) taken both emails and phone calls directly - but I still expect a report to abuse@ so that the appropriate records are able to be created and placed on file for future legal or customer-service obligations. This logic has applied for ISPs operating with 1000 to 500,000 customers.

Unfortunately as your organisation gets larger, the 'human touch' of handling abuse cases seems to disappear and you do wind up with lesser-cloo'd people dealing with the complaints, and using templated answers that infuriate those who're actually taking the time to report abuse.

The number of people these days who simply block, or ignore, abusive internet behavior, is counter-productive to those ISPs who are resultantly blind as to the actual negative impact their customers are having.

So with these points in mind, (a) above is possible, but a move that demonstrates poor 'internet citizenship' on the part of the ISP, (b) shouldn't ever happen, and in my experience only happens when you land an idiot at the other end, and (c) again demonstrates poor internet citizenship. To the point where I will actively take my business away from any organisation that operates that way.

My current issue is with Yahoo's requirement that all complaints comply with ARF. They're one of the biggest sources of spam and have opted to require complaints to fit into their particular brand of round-shaped-hole or they're going to ignore the report. I refuse to waste more of my time reporting spammers, and instead am much more prepared to simply block their domain(s) with a reject line similar to 'mail will not be accepted until Yahoo stops with the head-in-sand technique of operating, and instead deals with the spammers in its midst'.

If your operation is big enough to spin millions of dollars per year in revenue, you're big enough to be a responsible netizen and show some respect to anyone taking the time to report abuse. Because if you deliberately ignore complaints, you become responsible for the behavior itself and become an accessory to the abuse, or crime, in effect.
> #3) Although, for the various reasons noted above, and others, sending a report like this to an abuse@ address might yield no meaningful or useful action at all, the mere presence of the corporate abuse@ address, either in the To: header or in the Cc: header would most likely cause any and all other parties to whom such a report had been addressed (and who might otherwise potentially be more responsive/responsible than abuse@) to simply trash the message, e.g. because they might reasonably assume that "Oh! This was sent to abuse@ too, so the abuse department/person will surely handle it, and I don't need to get involved."
If your abuse@ team are of any value, they will of course do exactly that. If you're an 'other recipient' then in good conscience you should at least be checking with them to ensure it's followed up. That's customer service 101. Is the risk to your reputation worth it?
> #4) Last but not least, in the circles I travel in, a clear and unambiguous distinction is often drawn between "abuse ON the network" and "abuse OF the network". As we all know, the latter occurs almost every second of the day, somewhere on the Internet, and it can range from undeserved insults and slanders to sophisticated social engineering con games involving millions of dollars. But none of that "abuse ON the network" in any way threatens the operational status of any part of the net. Conversely, of course, spam and DoS attacks directly threaten the operational status of either parts of the net or, in sum, even the whole thing, and thus, by tradition among the people I commonly hang out with, "abuse OF the net" is widely considered to be the only thing (a) that humans can reasonably fight and also (b) in many people's minds, it is the only thing that's _worth_ fighting for. (After all, the world and the net will go on even if you or I are heinously slandered or even defrauded, tomorrow, somewhere on the Internet.)
If someone reports a customer of mine breaching T&C I will expect our customer care team to enforce T&C. Antisocial behavior might not be a T&C breach. If it crosses that line, however, we'll act as a reasonable ISP should. If the customer's conduct is illegal, or a DoS, or spam, or other behavior which will negatively affect our own online reputation, we'll similarly take steps to respond. Often an external report is the way that we find out about this behavior - we don't have eyes everywhere.
> The upshot of all this line of thinking is that some (many?) believe that it's not even the job of an ISP abuse desk to even delve into any matters that do not clearly affect network operational status. At any and all ISPs of this persuasion, a note to abuse@ regarding a clear trademark violation (and a plausible/possible phishing threat) would be discarded virtually the moment it was opened.
The ISP is responsible for being a good online citizen (morally). But they're also obliged to preserve their own reputation if they want to ensure folks won't simply blackhole their traffic, so if they choose to turn a blind eye to the problems their customers cause, ultimately it will affect their bottom line. The ISP will then care - so the ISP's Abuse Desk, being the group who deal with the outside world in respect of abusive behavior online, should be prepared to deal with this. Across the several ISPs I've worked for, this is certainly the case. And I will actively steer business away from any ISP who chooses to renege on this obligation.

Mark.