Sent this directly to Ronald by mistake, it was meant for the list...

---------- Forwarded message ----------
From: Mark Foster <blakjak@gmail.com>
Date: Fri, Dec 24, 2010 at 9:48 AM
Subject: Re: [anti-abuse-wg] How Not To Ask For A Website to Be taken Down





On Thu, Dec 23, 2010 at 7:59 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:



> #2) Even for those networks where abuse@ is not aliased to /dev/null,
> sending anything other than a _spam_ report to that address will typically
> engender either (a) no response at all (with the message being silently
> discarded) or else (b) an irritated response of the form "Why are you
> sending this to abuse@??" or else (c) a more or less automated response
> (either from an actual program or else from a low-paid human who has been
> trained to act like one) of the form "We're sorry, but we cannot accept
> abuse complaints without either (a) a full set of e-mail headers or else
> (b) a complete set of system intrusion logs."

I find myself taking exception to this and whilst I usually lurk in the background here I think it needs to be said:

- I would expect any malicious or illegal behavior to be reported to abuse@
- Whilst Spam reports will form the vast majority of these, I expect my Abuse-Queue-Staff to be plucking the _non_-Spam reports out for early attention (as other types of abuse are more frequently time sensitive).

Those who do tech support are familiar with the idea of triage in a customer-facing sense; the stuff that's likely to have large ramifications, either in scale, or PR, or cost, will get early attention because that's just common sense.

For stuff happening in real-time that's a serious issue (say a DoS) I have (as an engineer) taken both emails and phone calls directly - but I still expect a report to abuse@ so that the appropriate records are able to be created and placed on file for future legal or customer-service obligations.

This logic has applied for ISPs operating with 1000 to 500,000 customers.

Unfortunately as your organisation gets larger, the 'human touch' of handling abuse cases seems to disappear and you do wind up with lesser-cloo'd people dealing with the complaints, and using templated answers that infuriate those who're actually taking the time to report abuse.  The number of people these days who simply block, or ignore, abusive internet behavior, is counter-productive to those ISPs who are resultantly blind as to the actual negative impact their customers are having.

So with these points in mind, (a) above is possible, but a move that demonstrates poor 'internet citizenship' on the part of the ISP, (b) shouldn't ever happen, and in my experience only happens when you land an idiot at the other end, and (c) again demonstrates poor internet citizenship. To the point where I will actively take my business away from any organisation that operates that way.

My current issue is with Yahoo's requirement that all complaints comply with ARF.  They're one of the biggest sources of spam and have opted to require complaints to fit into their particular brand of round-shaped-hole or they're going to ignore the report.  I refuse to waste more of my time reporting spammers, and instead am much more prepared to simply block their domain(s) with a reject line similar to 'mail will not be accepted until Yahoo stops with the head-in-sand technique of operating, and instead deals with the spammers in its midst'.

If your operation is big enough to spin millions of dollars per year in revenue, you're big enough to be a responsible netizen and show some respect to anyone taking the time to report abuse.  Because if you deliberately ignore complaints, you become responsible for the behavior itself and become an accessory to the abuse, or crime, in effect.

 


> #3)  Although, for the various reasons noted above, and others, sending a
> report like this to an abuse@ address might yield no meaningful or useful
> action at all, the mere presence of the corporate abuse@ address, either
> in the To: header or in the Cc: header would most likely cause any and
> all other parties to whom such a report had been addressed (and who might
> otherwise potentially be more responsive/responsible than abuse@) to simply
> trash the message, e.g. because they might reasonably assume that "Oh!
> This was sent to abuse@ too, so the abuse department/person will surely
> handle it, and I don't need to get involved."

If your abuse@ team are of any value, they will of course do exactly that.  If you're an 'other recipient' then in good conscience you should at least be checking with them to ensure it's followed up. That's customer service 101. Is the risk to your reputation worth it?


 
> #4) Last but not least, in the circles I travel in, a clear and unambiguous
> distinction is often drawn between "abuse ON the network" and "abuse OF the
> network".  As we all know, the latter occurs almost every second of the day,
> somewhere on the Internet, and it can range from undeserved insults and
> slanders to sophisticated social engineering con games involving millions
> of dollars.  But none of that "abuse ON the network" in any way threatens
> the operational status of any part of the net.  Conversely, of course, spam
> and DoS attack directly threaten the operational status of either parts of
> the net or, in sum, even the whole thing, and thus, by tradition among the
> people I commonly hang out with, "abuse OF the net" is widely considered to
> be the only thing (a) that humans can reasonably fight and also (b) in many
> people's minds, it is the only thing that's _worth_ fighting for.  (After
> all, the world and the net will go on even if you or I are heinously slandered
> or even defrauded, tomorrow, somewhere on the Internet.)

If someone reports a customer of mine breaching T&C I will expect our customer care team to enforce T&C.  Antisocial behavior might not be a T&C breach.  If it crosses that line, however, we'll act as a reasonable ISP should.

If the customer's conduct is illegal, or a DoS, or spam, or other behavior which will negatively affect our own online reputation, we'll similarly take steps to respond.  Often an external report is the way that we find out about this behavior - we don't have eyes everywhere.



> The upshot of all this line of thinking is that some (many?) believe that
> it's not even the job of an ISP abuse desk to even delve into any matters
> that do not clearly affect network operational status.  At any and all
> ISPs of this persuasion, a note to abuse@ regarding a clear trademark
> violation (and a plausible/possible phishing threat) would be discarded
> virtually the moment it was opened.


The ISP is responsible for being a good online citizen (morally).  But they're also obliged to preserve their own reputation if they want to ensure folks won't simply blackhole their traffic, so if they choose to turn a blind eye to the problems their customers cause, ultimately it will affect their bottom line.  The ISP will then care - so the ISP's Abuse Desk, being the group who deal with the outside world in respect of abusive behavior online, should be prepared to deal with this.
Across the several ISPs I've worked for, this is certainly the case.  And I will actively steer business away from any ISP who chooses to renege on this obligation.

Mark.