Hi Max, thank you for your reply and explanations. Some more comments/ questions inline: On Sun 03/Jul/2022 23:25:28 +0200 Max Grobecker wrote:
On 20.06.22 at 18:04, Alessandro Vesely wrote:
Our abuse mailbox is not overflowing with these, of course, but it makes semi-automated handling a bit painful. For example, we would like to forward this information to our customers, but we won't need to take further action on this, because we refuse to break into the offices of our customers at night and patch their software.

Sorry to bother, but I hardly got that. Are these IP-driven messages? Don't CERTs look up the abuse address with RDAP or WHOIS?
The reports we get from CERT-BUND are highly IP focused. I cited one of these reports as an example at the end of this mail. In general, I think these organizations we get mail from are downloading the database from RIPE and are using an offline version.
It is very expensive. Do you think they only do European IPs, or do they have specialized procedures for each RIR? Perhaps RIPE provides for maintaining remote copies of the database, but a caching RDAP tool would be more standard compliant.
Why doesn't the abuse address point (in)directly to the relevant IP user? That is, what's wrong in automatically forwarding CERT's security notices? I cannot understand how doing so entails obligations to reach the customer's premises at night.
If I point the abuse address directly to an address controlled by the customer, I don't get any notices - regardless of security information or real abuse. And I'm interested in the latter one, as I want to stop the abuse, of course ;-) Therefore all abuse reports are handled by our internal system to be automatically escalated to the appropriate internal and external contacts.
What I'd be curious to know is whether automatic escalation is based on per-customer abuse addresses or on parsing message contents looking for IPs. Per-customer address is something like asn65535@bc.grobecker.info or ip192.0.2.8/29@sc.grobecker.info, which can be forwarded to the relevant (big or small) customer without actually opening the messages, but still maintaining a copy of them. Doing so requires more work for maintaining the database, but less work for forwarding messages.
But for notices like "Oh, we think there might be a vulnerable service reachable on that IP" we don't want that whole escalation thing. Also, most of these notices contain a list of addresses, but sometimes these lists are not stably parseable because there seems to be no standardized format. Reports we receive from CERT-BUND come with a CSV file which we are able to parse - but in the last months several other new services have come along with their own data formats, and I suspect there will be more.
And the CSVs refer to multiple customers?
If I could "route" these reports directly to the customer, this would improve reporting speed and keep these away from our regular abuse desk with escalations and all that stuff.
I understand you don't want your abuse desk to get involved in checking whether, for example, an open DNS does in fact amplify queries if it is open. Is that the difference between forward and escalate? Using a different field entails the extra burden to educate organizations like CERT-BUND to use the appropriate reporting address based on the kind of report. For RDAP, those addresses could be tagged as less preferred. Some RIRs do so, leaving the actual meaning a bit obscure, though. Alternatively, RFC 7483 provides for a "notifications" role, which in theory applies to an associated object.

Best
Ale
--
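The routing idea discussed in this exchange (parse a CERT-style CSV notice, then forward each row to a per-prefix customer address of the form ipA.B.C.D/len@... without the abuse desk opening it), worked through as an added example; this is not code from either participant, and the customer prefix table, the example.net addresses and the CSV column names are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed customer table (assumption): prefix -> per-customer abuse address
# in the ipA.B.C.D/len@... scheme; the more specific prefix must win.
CUSTOMER_PREFIXES = {
    "192.0.2.0/24": "ip192.0.2.0/24@sc.example.net",
    "192.0.2.8/29": "ip192.0.2.8/29@sc.example.net",
    "198.51.100.0/24": "ip198.51.100.0/24@sc.example.net",
}

# Constructed sample notice in CERT-BUND-like CSV form (column names assumed).
SAMPLE_CSV = """ip,port,service,timestamp
192.0.2.10,53,open-dns,2022-07-01T00:00:00Z
192.0.2.200,11211,memcached,2022-07-01T00:00:00Z
198.51.100.7,389,ldap,2022-07-01T00:00:00Z
203.0.113.5,123,ntp,2022-07-01T00:00:00Z
not-an-ip,80,http,2022-07-01T00:00:00Z
"""

def build_table(prefixes):
    """Parse prefixes once, most specific first, so the first hit is the longest match."""
    parsed = [(ipaddress.ip_network(p, strict=True), a) for p, a in prefixes.items()]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)

def route_address(ip_text, table):
    """Per-customer address for ip_text, or None if unparseable or not in our space."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None  # malformed row: leave it for a human at the abuse desk
    return next((addr for net, addr in table if ip in net), None)

def route_report(csv_text, prefixes, ip_column="ip"):
    """Split one CSV report into per-customer CSV texts keyed by forwarding address.
    Rows matching no customer (or with a bad IP) land under None for the abuse desk."""
    table = build_table(prefixes)
    reader = csv.DictReader(io.StringIO(csv_text))
    buckets = {}
    for row in reader:
        buckets.setdefault(route_address(row.get(ip_column, ""), table), []).append(row)
    out = {}
    for dest, rows in buckets.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        out[dest] = buf.getvalue()
    return out
```

Each value in the returned dict is a complete CSV (header included) ready to be attached to a forward, while the original report can be archived untouched.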