The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:
- Type of incident (phishing, spam, hacking, dDOS, criminal activity, etc.)
- Real world effects (spear phishing, child exploitation, theft, network instability, etc.)
- Source of complaints (individual reports, trusted reporters, details provided, FBL messages, blocklist notices etc.)
- Legal issues (subpoenas, search warrants, DMCA complaints)
ISP abuse desks deal with a whole lot more than just spam complaints. Some of it is icky work that involves things most of us should be glad we never have to think about.
In the ESP space, though, triage is different. Typically abuse desks at ESPs monitor for blocking and then monitor complaints about volume. There are fewer problems that employees need to deal with.
For a while now I’ve been slightly concerned that so much of ESP abuse handling is about the volume of complaints and blocking. There is quite a bit of abuse that runs “under the radar” because the numbers just aren’t there. I mean, I get it. It’s almost the only way to handle the sheer volume of complaints that come into an average ESP abuse desk.
But I wonder if we’re missing more subtle forms of abuse, ones that have a high personal impact? The recent subscription bomb has somewhat answered the question. The bomb was unnoticed by most ESPs until Spamhaus started blocking the IPs involved.
The number of victims is small. Most of them are not at mailbox providers that provide FBLs. This got attention because Spamhaus was part of the target. But what if it happens again and Spamhaus addresses aren’t involved? How many ESPs will notice their involvement?
I don’t really have an actual answer. But the abuse is real and the abuse is causing real harm. ESPs measure harm by volume, often without any modifiers for the type of harm. Happily, many of the types of abuse that cause significant harm are done in the shadows and ESPs are out in the open. It’s not the same.
Maybe better communication would help? There are multiple private groups where information is shared about things like this. MAAWG is one example, but there are also lots of ad hoc mailing lists and discussion channels. I’m on a few, I know folks who are on a bunch that I’m not on. There’s a well developed back channel to share information. And because we’re in a security space some of it has to be back channel.
I’m not sure what the answer is. I’m not sure there is one answer. Continuing to develop back channels and networks to share information is clearly part of the answer. But maybe there’s a place for more open sharing of information. The challenge, as always, is sharing with the right people.
Someone asked me on twitter last week if there was a way to get information about mailbox providers having bad days. I didn’t have a good answer – although for things like that I’m much happier to blog and tweet about them. It’s these more complex issues that are harder to share publicly.
So what have I not thought of? What’s your solution?
“how online organizations handle abuse, or don’t as the case may be”
Problem with the system in general. The abuse@ addresses are essentially worthless.
Abuse addresses are not worthless if people were actually there manning them and the ESPs actually cared about the abuse from complaints handling to customers who send crap through their network to the outside. How many ESPs actually have active individuals/departments dedicated for monitoring their network for abuse yet are part of MAAWG (not the complaint handling stuff)?
I’m afraid I’ll have to disagree with Ed. Through abuse, and coming from an ESP perspective, we’re able to detect behavior that we wouldn’t necessarily be able to otherwise, which, in some cases can lead to the termination of the client’s account/contract (something I personally love doing, to be frank, spammers get no mercy).
“Most of them are not at mailbox providers that provide FBLs.”
That seems like an obvious place to stick part of a solution. Since triage is important, it’d be a lot more useful and effective if postmaster@example could send “here’s the 100,000 spams we got from you” rather than users 1 through N @example each sending “here’s a spam I got from you”.
Huey, you and I both know that having a postmaster@ address (or something like, I dunno, admin@) doesn’t mean that person’s complaints are legit or should be acted on.
I do. But I’m also pretty sure that the postmaster@ of senate.gov could probably get their phone calls answered, in the same way that AOL, Gmail, and Yahoo can get their phone calls answered.
I mean, it’s great that you, Spamhaus, and Krebs have shown a light on this last episode, but wouldn’t it be nice if the government could do a little more of its own heavy lifting?