
Re: The right to refuse, was: Re: Principles of Spam-abatement

2004-03-15 02:03:37
On Sun, 14 Mar 2004, Yakov Shafranovich wrote:

> First of all, I would like to clarify that I am referring to abuse
> reporting not just for open relays, but also for hijacked machines and
> spammers abusing AUPs of their connectivity provider.

Many of the abusers I have reported included hijacked machines performing
various kinds of abuse, including sending viruses out.  If it can be
abused, I've probably experienced it and reported it.  

I didn't quote any percentages.  Just my experiences that nearly all of my
bad experiences have involved radical antispammers.  The rest of my
experiences have been largely satisfactory, with the exception of the far 
east, where language barriers impede effective communication.  But this is 
mostly a language problem, not a lack of care problem.  When it has been 
important, I've found a native speaker to make the complaint.

But, as I showed by example, the anti-spam leaders don't think they need
to address their own abuse, and are often the people conducting abuse.  
If you want to discuss responses to abuse, you first have to look at the
responses to abuse by the leadership of the anti-spam movement.  You have
very little credibility without that.

However, most providers do address abuse.  If I were to make up a
percentage, I would put it at around 99% have good abuse programs. It is a
very rare case where there is no acceptance of abuse reports.  As you
note, sometimes it is a matter of getting the necessary attention at the
provider.  But often, the complaints about lack of provider response are
just a result of the anti-spammers' own actions to spam the providers'
abuse addresses with inappropriate or insufficient information.  Often,
the anti-spammers try to remove information to generate more complaints
and prevent response to complaints.

> Unfortunately my experience with abuse reporting has been different
> than yours. In most cases when I reported network abuse, very little
> action has been taken. In one memorable recent case, it took over three
> weeks and a threatening fax to the CEO's office to stop a hijacked
> machine on a DSL network of a US "baby bell" from spewing viruses to my
> email address.

You were successful with a fax to the attention of the CEO. But if others
spam the fax line with hundreds of complaints, the fax line will get
turned off.

Radicals have tried to get end-users to complain directly to the ISPs that
the end users (often ignorantly and wrongly) think are responsible.  
Radicals also alter the messages so that one cannot identify the person
abused. SpamCop, as I said before, is particularly bad about this.  Such
reports cannot be accepted, and are not going to be accepted.  
Non-response in such a case isn't a fault of the provider.

Here is an excerpt from a gem posted by Barry Shein (CEO of another Boston
ISP) to Spam-l: (11 Feb 1999) 
====================
I see several of you probing in my logs, but you've gone suddenly silent.
Is it because the holes are all closed now and there's no fun in saying
that?

I recall clearly getting rather reamed when I was a nascent spamfighter
by Mr. Shein and posted an apparent spam from std.com.

I don't recall the incident, but are you using words like "nascent"
and "apparent" to try to say you were actually wrong and the spam did
not come from our site, that you fell for a forged header or something?

Why is so much said here so fishy and full of mitigating phrasing?
====================

Further, having a bunch of end users try to report abuse about a forged
header to the wrong ISP just overwhelms the abuse desk, and slows their
response.

> Additionally, the feedback I have been getting from some of the people
> who write and sell software for abuse desks at ISPs has been that most
> ISPs do not respond to individual abuse reports until the report count
> reaches some magic number irrelevant of the number of spams actually
> being reported.

That's probably not an unreasonable approach.  Real abuse usually
generates a lot of complaints.  Yet, quite a lot of people make spam
reports to get off non-spam mailing lists to which they are too lazy or
too ignorant to unsubscribe.  This type of false reporting is typically
low numbered, and can obviously be ignored.  So there is a lot to be said
of a statistical approach, especially at large providers where such
statistics are significant enough to be useful.  Is there something wrong
with that?

> In any case, it seems IMHO that there exists a percentage of ISPs that
> either ignore or mishandle abuse reports.

Absolutely true, there are such ISPs. I gave you two examples. But they
are few and far between.  I just gave you an example of Paul Vixie
(ISC.ORG) and his service provider (Bill Manning of EP.NET) refusing to
have either an AUP or accept abuse reports on a user that has already been
booted from other ISPs, and is clearly and verifiably making defamatory
statements. As I said, if anti-spammers aren't going to accept reports and
curb abuse, who will? They have very little credibility as a result.

> Given that, should the IETF pursue development of standards to make
> abuse reporting easier to facilitate the work of those ISPs that
> actually do handle abuse reports properly?

I'm not against a protocol to help share abuse reports. However, I haven't
seen this as much of a problem.  As a network operator, I know what other
network operators are looking for in terms of logs and evidence of
misbehavior. It is quite a lot different from what radical antispammers
demand, but those demands don't meet even the thinnest standard for
breaking a contract.  This is not really any different from, say, a lawyer
knowing what elements make up a legal case, and where to file a case. The
elements and format vary somewhat depending on the topic, and particular
court, but every lawyer knows what they are, or ought to.  Likewise, the
network professionals generally know what is needed for an abuse report,
or ought to.

I see the main problem of spam //reporting// as an end user education
problem. End users aren't likely to be the users of spam-reporting
protocols.  I can just hear the complaints: "I've been spammed, and now
the ISP wants me to download a program to submit a report about it."  We
already have BCPs that suggest standard email addresses for abuse.
Common sense or their provider ought to indicate the necessary evidence.
However, if the providers (as exemplified by Paul Vixie and Bill Manning)
won't accept abuse reports and act responsibly, there is trifling little a
protocol will do to correct that.

I would be against any "web of trust" in which radical anti-spammers are
involved because we already know that they can't be trusted to tell the
truth, or rather, to lie pathologically, and such people have been known
to in the past and they continue to use such systems as a means of
defamation and revenge.  "web of trust" sounds like just another pretty
name for a blacklist.  The blacklist is simply the critical component to
"remove or authenticate the trust".

Further, such "web of trust" doesn't prevent spam any more than it
prevents viruses.  So this isn't a solution, or even a partial solution.  
It is just another scheme cooked up either by radicals or perhaps the
simply naive to conduct abuse. If it wasn't conceived for that purpose,
then like blacklists, that is still the purpose to which it will be
inevitably turned.


                --Dean