There are many things to consider (some semi random topics to consider).
  1. what do you consider abuse?
    1. only technical abuse (portscans, spam, brute force attacks etc)
    2. or also 'content abuses' (doxxing, hate speech, csam etc)
    3. what about harmful content, will that be considered abuse
    4. what about unwanted content?
    5. how does this all relate to freedom of expression?
    6. what rights do your customers have
    7. to what extent are you willing to act as the sheriff?
  2. there should be a dedicated working address for receiving abuse notices/complaints. (we have that covered for the most part)
    1. do you issue a ticket number as a reference?
    2. how can a complainer escalate?
  3. making an abuse complaint should be as easy as possible
    1. however, (for streamlining purposes) a webform, or registration in a support system should be acceptable (some complainers are really stupid)
    2. if a complaint does not include the minimal information to assess the validity, a request for more information could be sent, while the original complaint is closed
    3. every company is different, has different policies, procedures and customers, educating frequent complainers is needed to ensure the most efficient way of dealing with abuse.
  4. you have to make a decision about the information you forward to your client so they are able to resolve the issue
    1. full message, always? only to reseller? also to enduser?
    2. does a complainer have a reasonable expectation of privacy?
      1. is this different for the automated copyright abuse sending mills?
      2. what if the 'proof' of an abuse would reveal the means? (i.e. spamtrap address)
        1. how much proof do you need to forward this as an issue to your client?
  5. you should have a process to contact the customer
    1. directly by the abuse desk,
    2. via sales (so they know their client generates 'issues')
  6. you should have a process to restrict or limit usage of resources
    1. directly by the abuse desk,
    2. via networking


  • Abuse handling is not the same as support handling. Abuse reporters don't want help, they expect that it is in your own interest as a network operator to curb abuse originating from your network, and their reports are intended to help you reach that goal. This results in some Don'ts (I'm seeing all of these in response to abuse reports):
    • don't reject their messages because they are not your customers,
    • don't require them to register with some support system,
    • don't send meaningless auto-replies,
    • don't try to teach them (unless they are really doing something wrong).
  • Although there may be conflicts with protecting your users' privacy, reporters really appreciate knowing whether their reports have a meaningful effect, as they sometimes spend considerable amounts of time. Positive feedback ("we've terminated that customer", or "we've worked with the customer to fix their exploitable software/account") is a huge encouragement to continue reporting abuse. If there is no detectable reaction (either in the form of an answer or an observable stop of abuse) then an abuse reporter might determine that blocking your network is a more effective use of their time.
  • Many types of abuse originating from your network are signs of substandard security and warnings of possibly more damaging future exploits. Work proactively with your customers when you find systemic problems. For example, on one of the services that I look after, we had one or two mail account password compromises which led to spam bursts. We established a strict password policy, checking the password database for easily breakable passwords, and contacting all users with weak passwords so they changed them to secure passwords. Similarly, we proactively check customers' websites for exploitable plugins. What kinds of proactive abuse prevention work in your case might be vastly different, but not doing anything is gross negligence.
  • Abuse desk workers need authority to contact customers and to restrict their use of your resources. One basic prerequisite for contacting customers is that you know them. If your operation does not establish appropriate KYC rules you're bound to be an attractive provider for abusers. Of course, the amount of info you need for an e-mail account and for renting out a server are different, and you may be limited by privacy laws, but if you simply refuse to take responsibility while not disclosing information on who *is* actually responsible you're in for blocking.
Cheers,
Hans-Martin