Re: [anti-abuse-wg] Abuse-C attributes - required e-mail address contact method.
My two cents... The person/company who proposed this proposal used the word "complainant" to refer to someone (anyone) attempting to report a case of network abuse to its source network administrators. Personally, speaking only for myself, I object to being called a "complainant" or a "complainer", e.g. when I attempt to do the decent thing and take up _my_ valuable time to notify responsible (?) network administrators about something I feel that they themselves may want to know about, and indeed should want to know about. Of course, the Powers That Be at many networks ... the bean counters and the higher level managers... often view _any_ communication with any party other than a paying customer as a waste of time and money, and thus, the personel underneath these folks inevitably come to develop an "us versus them" attitude which leads inevitably to viewing reports generated by outsiders, aka non-paying customers, as "complaints" and the senders as "complainers" whose only (or primary) goal is to cost the receiving company time and money, rather than the opposite, i.e. attempting to _help_ the receiving company. I would argue that it is this bean counter attitute that has itself given rise to most of the abuse on the Internet, i.e. in the time since the broad commercialization of the net in the mid 1990's. If you view receiving, understanding, and acting upon notifications of bad behavior occuring on your network as nothing other than a non-profit-generating cost sink, then you are entirely less likely to ever actually *do* anything about such reports. And when you don't, the word goes out among the bad guy communities on the Internet, and your network ends up being the source of ever more network abuse. This is just the (Darwinian) way things are. Opportunistic leeches abound. If given safe homes, they and their activities proliferate. I generally expend a good deal of time and effort writing up any abuse report I send. (Note that I say "report" not "complaint".) There are plenty of ways that various networks have dreamed up to avoid reading these "complaints", i.e. because they don't immediately or obviously generate any instantaneous revenue or profits for the receipient networks. The simplest method to avoid spending any non-profit-generating company man hours on reading abuse reports is just to alias abuse@network to /dev/null. If Virgin feels that reading incoming e-mail reports is not worth their time, then I respectfully suggest that they simply enter devnull@example.com into the abuse contact e-mail address fields for all of their relevant RIPE database records. This will be maximally efficient for all concerned. (There really is no more efficient way for Virgin to process all of their incoming "complaints". And since they _are_ clearly concerned about the efficiency of this process, that would seem to be ttheir best solution.) Regards, rfg
On Tuesday 17 March 2015 01.42, Ronald F. Guilmette wrote:
My two cents...
The person/company who proposed this proposal used the word "complainant" to refer to someone (anyone) attempting to report a case of network abuse to its source network administrators.
Personally, speaking only for myself, I object to being called a "complainant" or a "complainer", e.g. when I attempt to do the decent thing and take up _my_ valuable time to notify responsible (?) network administrators about something I feel that they themselves may want to know about, and indeed should want to know about.
Of course, the Powers That Be at many networks ... the bean counters and the higher level managers... often view _any_ communication with any party other than a paying customer as a waste of time and money, and thus, the personel underneath these folks inevitably come to develop an "us versus them" attitude which leads inevitably to viewing reports generated by outsiders, aka non-paying customers, as "complaints" and the senders as "complainers" whose only (or primary) goal is to cost the receiving company time and money, rather than the opposite, i.e. attempting to _help_ the receiving company.
I would argue that it is this bean counter attitute that has itself given rise to most of the abuse on the Internet, i.e. in the time since the broad commercialization of the net in the mid 1990's.
If you view receiving, understanding, and acting upon notifications of bad behavior occuring on your network as nothing other than a non-profit-generating cost sink, then you are entirely less likely to ever actually *do* anything about such reports. And when you don't, the word goes out among the bad guy communities on the Internet, and your network ends up being the source of ever more network abuse. This is just the (Darwinian) way things are. Opportunistic leeches abound. If given safe homes, they and their activities proliferate.
I generally expend a good deal of time and effort writing up any abuse report I send. (Note that I say "report" not "complaint".) There are plenty of ways that various networks have dreamed up to avoid reading these "complaints", i.e. because they don't immediately or obviously generate any instantaneous revenue or profits for the receipient networks. The simplest method to avoid spending any non-profit-generating company man hours on reading abuse reports is just to alias abuse@network to /dev/null. If Virgin feels that reading incoming e-mail reports is not worth their time, then I respectfully suggest that they simply enter devnull@example.com into the abuse contact e-mail address fields for all of their relevant RIPE database records. This will be maximally efficient for all concerned. (There really is no more efficient way for Virgin to process all of their incoming "complaints". And since they _are_ clearly concerned about the efficiency of this process, that would seem to be ttheir best solution.)
Regards, rfg
Wonderful ! A masterpiece ! Well formulated, well written and ON THE SPOT ! Thanks -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det är billigare att göra rätt. Det är dyrt att laga fel. )
On Tue, Mar 17, 2015 at 07:39:22AM +0100, peter h wrote:
On Tuesday 17 March 2015 01.42, Ronald F. Guilmette wrote:
My two cents... [...]
Wonderful ! A masterpiece ! Well formulated, well written and ON THE SPOT !
I agree fully. My two cents: There are feedback loops from large places and SpamCop, that should account for the overwhelming majority of reports, and there are isolated reports from net citizens. The flows from the feedback loop places have a lower quality of individual reports (high fraction of "mail that i do not want" that is not really spam) but their strength is the volume, they have a fixed format and so processing of those reports should be easy to automate - they do not need to enter the queue of mails inspected manually. I believe that there are products for abuse desks on the market that do these splittings already. It is a known fact that very few people nowadays take the time to send reports manually. It is also a known fact that spammers have learnt about the effects of feedback loops and plan their activity accordingly. So, for instance, they have a vision of the world which is something like World = { Gmail, Hotmail/Office365/WindowsLive, Yahoo, General Internet } and they develop an independent delivery strategy for each category. So, those flows of reports are likely to be different. An IP hitting Yahoo at some point in time is not necessarily hitting also the "General Internet" at the same time, etc. Most people here work in the "General Internet" realm. The big places tend to have their own teams and resources, and their defense strategies are not well known and often kept opaque for obvious reasons. In contrast, the "General Internet" is more open, and for the spammers it is a dangerous territory. Some spammers avoid it completely, concentrating only on the big platforms. Other spammers spend a lot of efforts to identify the traps used by major blocking list services and avoid them, forcing those services to take measures to prevent easy trap detection. Some of these spammers (mostly of the 'snowshoe' category) seem to have some success in these endeavours - thanks to the negative feedback of hundreds or thousands of terminations! - and manage to survive at ISPs for longer times through avoidance of known traps. The "General Internet" does not have many feedback loops, and therefore reports from users there - particularly experienced users that invest time in composing their reports - should be taken as PURE GOLD, because they provide independent informations on the "tiny" subset of the Internet mail recipients which is not hosted on the big platforms and that is defended mostly through an open community effort, but also because they often offer a viewpoint of the Internet that nobody else has. These efforts very often results in spam operations brought down, with benefits for the large platforms too (this is why spammers consider dangerous the "General Internet"!). So, every effort should be made to make life _easier_ for this almost estinct species - the abuse reporters - because their diversity is one of our biggest assets. furio
In message <20150317111746.GA5971@spin.it>, furio ercolessi <furio+as@spin.it> wrote:
... The flows from the feedback loop places have a lower quality of individual reports (high fraction of "mail that i do not want" that is not really spam) but their strength is the volume, they have a fixed format and so processing of those reports should be easy to automate - they do not need to enter the queue of mails inspected manually. I believe that there are products for abuse desks on the market that do these splittings already.
I would just add that the separation Furio just described should be quite trivial for pretty much anyone with even minimal experience with, for example, Procmail, or even bash or awk or grep to automate locally, e.g. based on the e-mail source information (e.g. envelope sender address). There's no real need to go outside and purchase a "separator" tool. However _parsing_ the various formats of feedback loop e-mails is a different matter. Regards, rfg
participants (3)
-
furio ercolessi -
peter h -
Ronald F. Guilmette