On Sun, 14 Mar 2004, Yakov Shafranovich wrote:

> First of all, I would like to clarify that I am referring to abuse
> reporting not just for open relays, but also for hijacked machines and
> spammers abusing AUPs of their connectivity provider.

Many of the abusers I have reported included hijacked machines performing various kinds of abuse, including sending viruses out. If it can be abused, I've probably experienced it and reported it.

I didn't quote any percentages. Just my experiences that nearly all of my bad experiences have involved radical antispammers. The rest of my experiences have been largely satisfactory, with the exception of the far east, where language barriers impede effective communication. But this is mostly a language problem, not a lack of care problem. When it has been important, I've found a native speaker to make the complaint.

But, as I showed by example, the anti-spam leaders don't think they need to address their own abuse, and are often the people conducting abuse. If you want to discuss responses to abuse, you first have to look at the responses to abuse by the leadership of the anti-spam movement. You have very little credibility without that.

However, most providers do address abuse. If I were to make up a percentage, I would put it at around 99% have good abuse programs. It is a very rare case where there is no acceptance of abuse reports. As you note, sometimes it is a matter of getting the necessary attention at the provider. But often, the complaints about lack of provider response are just a result of the anti-spammers' own actions to spam the providers' abuse addresses with inappropriate or insufficient information. Often, the anti-spammers try to remove information to generate more complaints and prevent response to complaints.

> Unfortunately my experience with abuse reporting has been different
> than yours. In most cases when I reported network abuse, very little
> action has been taken.
> In one memorable recent case, it took over three
> weeks and a threatening fax to the CEO's office to stop a hijacked
> machine on a DSL network of a US "baby bell" from spewing viruses to my
> email address.

You were successful with a fax to the attention of the CEO. But if others spam the fax line with hundreds of complaints, the fax line will get turned off. Radicals have tried to get end-users to complain directly to the ISPs that the end users (often ignorantly and wrongly) think are responsible. Radicals also alter the messages so that one cannot identify the person abused. SpamCop, as I said before, is particularly bad about this. Such reports cannot be accepted, and are not going to be accepted. Non-response in such a case isn't a fault of the provider.

Here is an excerpt from a gem posted by Barry Shein (CEO of another Boston ISP) to Spam-l: (11 Feb 1999)

====================
I see several of you probing in my logs, but you've gone suddenly silent. Is it because the holes are all closed now and there's no fun in saying that?

>I recall clearly getting rather reamed when I was a nascent spamfighter
>by Mr. Shein and posted an apparent spam from std.com.

I don't recall the incident, but are you using words like "nascent" and "apparent" to try to say you were actually wrong and the spam did not come from our site, that you fell for a forged header or something?

Why is so much said here so fishy and full of mitigating phrasing?
====================

Further, having a bunch of end users try to report abuse about a forged header to the wrong ISP just overwhelms the abuse desk, and slows their response.

> Additionally, the feedback I have been getting from some of the people
> who write and sell software for abuse desks at ISPs has been that most
> ISPs do not respond to individual abuse reports until the report count
> reaches some magic number irrelevant of the number of spams actually
> being reported.

That's probably not an unreasonable approach.
Real abuse usually generates a lot of complaints. Yet, quite a lot of people make spam reports to get off non-spam mailing lists to which they are too lazy or too ignorant to unsubscribe. This type of false reporting is typically low numbered, and can obviously be ignored. So there is a lot to be said of a statistical approach, especially at large providers where such statistics are significant enough to be useful. Is there something wrong with that?

> In any case, it seems IMHO that there exists a percentage of ISPs that
> either ignore or mishandle abuse reports.

Absolutely true, there are such ISPs. I gave you two examples. But they are few and far between. I just gave you an example of Paul Vixie (ISC.ORG) and his service provider (Bill Manning of EP.NET) refusing to have either an AUP or accept abuse reports on a user that has already been booted from other ISPs, and is clearly and verifiably making defamatory statements. As I said, if anti-spammers aren't going to accept reports and curb abuse, who will? They have very little credibility as a result.

> Given that, should the IETF pursue development of standards to make
> abuse reporting easier to facilitate the work of those ISPs that
> actually do handle abuse reports properly?

I'm not against a protocol to help share abuse reports. However, I haven't seen this as much of a problem. As a network operator, I know what other network operators are looking for in terms of logs and evidence of misbehavior. It is quite a lot different from what radical antispammers demand, but those demands don't meet even the thinnest standard for breaking a contract.

This is not really any different from, say, a lawyer knowing what elements make up a legal case, and where to file a case. The elements and format vary somewhat depending on the topic, and particular court, but every lawyer knows what they are, or ought to. Likewise, the network professionals generally know what is needed for an abuse report, or ought to.
I see the main problem of spam //reporting// as an end user education problem. End users aren't likely to be the users of spam-reporting protocols. I can just hear the complaints: "I've been spammed, and now the ISP wants me to download a program to submit a report about it"

We already have BCPs that suggest standard email addresses for abuse. Common sense or their provider ought to indicate the necessary evidence. However, if the providers (as exemplified by Paul Vixie and Bill Manning) won't accept abuse reports and act responsibly, there is trifling little a protocol will do to correct that.

I would be against any "web of trust" in which radical anti-spammers are involved because we already know that they can't be trusted to tell the truth, or rather, to lie pathologically, and such people have been known to in the past and they continue to use such systems as a means of defamation and revenge.

"web of trust" sounds like just another pretty name for a blacklist. The blacklist is simply the critical component to "remove or authenticate the trust". Further, such "web of trust" doesn't prevent spam any more than it prevents viruses. So this isn't a solution, or even a partial solution. It is just another scheme cooked up either by radicals or perhaps the simply naive to conduct abuse. If it wasn't conceived for that purpose, then like blacklists, that is still the purpose to which it will be inevitably turned.

--Dean