Re: [anti-abuse-wg] DRAFT: RIPE proposal - implementation of an abuse
James Davis wrote: Hello,
It is likely that you get a problem report just a few minutes after one of your users started to send spam, because his PC is infected.
This already happens. Our contact details are published in a clear and unambiguous fashion, in all the places that you'd expect. Automated spam reporting schemes appear to have no problems contacting us. This is because as a network operator we have chosen to deal with these issues, not because we're told to.
Sorry but this is not true for all members. Most newer or smaller ISPs are pretty puzzled when they have their first real outbreak, and even ask us for advice and help to fix their holes, and others do not subscribe to lists that could give them up-to-date warnings or get enough reports, if it's only a smaller problem. At least, this is our experience here with our own blacklist.
You can then look up the report (or even automate it), reset his radius password and kick him out, waiting for him to phone your support :o)
Not all ISPs can operate like that. Every one of our customers would rather we offered them help and advice on how to deal with the problem rather than taking automated action. That is why we have a CSIRT/abuse team.
Good for you, impossible for big ISPs that have no real contact to their customers. Cutting the line is a hard method, right, but for some ISPs the only method to get attention immediately. But again: it's up to the member what to do with the reports ... And I'm not saying that the system would fit everybody's needs, but I definitely think that it would be better than the current state.
Let's say you receive 100 reports in about 10 minutes for one IP, where this IP had no report ever?
What is likely to happen? What would you do?
An incident would likely be opened in our ticketing system before that ten minutes were up, and someone would be on the phone to our customer shortly afterwards. We deal with every complaint of spam, even if it's just a single report, although the response is proportionate to the particular incident.
Great, you are part of a very small club ;o)
Like I said, you'd have to think really carefully about how you'd measure what a "bad provider" was, or you risk not only wasting your efforts but making a lot of people angry.
Sure, so that's why limits have to be very high and these kinds of limits are up for discussion on this list. But making analysis like this public should not be the first step for the system at all, it might be a future option, if things are settled, everybody got used to the new system and so on ...
We get questions like this a lot from our customers - asking us how they rank abuse wise compared to other customers and honestly there isn't an easy way to measure this.
Ok, got it ...
The proposal, whether I agree with it or not, needs a concrete answer for how you would measure a 'bad provider'.
I don't think so, because the first intention of the system is not how to define a "bad provider", it only talks about how RIPE staff could talk to those providers. If I would implement limits, I would measure rates according to the size of the member allocations first and monitor these rates to see what's currently normal for a member. And if those rates are much higher than compared to others, I would ask the member to try to do something against that or to explain it, then slowly adjusting the allowed rates up or down again. Finally, after a long period, I would tell all members that it's time to drop the rates, if they are rising over their allowed limit or not really dropping over a long period, THEN, and only then I would call them a "bad provider", because they are obviously not capable or willing to do anything ... But that's a big step for the future. The first step should be a backlink system, to ensure that reports are read and categorized (ok, "really bad provider" will probably program something around that backlink system to bypass it, I heard even about people that are bypassing captcha codes already with OCR-software).
Well, that's only work at RIPE NCC, it's not that complicated to automate bounces ...
Say the abuse contact is abuse@foo.com and the billing contact is john.doe@foo.com, if the domain foo.com expires then no amount of e-mail is going to resolve the issue. Someone has to get on the phone and find
Clear, but a member without any working email contact? Is that really possible? How can you work with new allocations or changes to old ones without any working email contact?
out what's happened. This happens fairly frequently here with only around a thousand customers.
Can't believe it. Does the RIPE system not check automatically if (e.g.) allocation messages bounce?
Definitely right, but let's start with something ...
Starting is good when you know what direction you're heading in. It's the other half of the question that people here are more interested in :)
Interesting point ... Kind regards, Frank
James
-- James Davis +44 1235 822 229 PGP: 0xD1622876 JANET CSIRT 0870 850 2340 (+44 1235 822 340) Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
-- Kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Owner: Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de