
SANS ISC: Abuse Contacts - Internet Security | DShield SANS ISC InfoSec Forums


Abuse Contacts

A couple of months ago my boss asked me to take over the Abuse for our company. Little did I know when he asked me to take over the abuse it was I who would be abused. This has been a real eye opener for me and I have learned some very valuable lessons and have a few more gray hairs than I used to have.  One of the things that I have learned is that finding someone who can explain to you why your server has been forbidden is like looking for a needle in a haystack. 

One of our servers that hosts multiple customers was blocked by one of the big boys. Now the only way I knew it was blocked was because I started getting bombarded with complaints from our customers that the email that they were trying to send to a "group" of people was being rejected. I asked them to send me some of the emails so that I could look at them. I hadn't gotten any abuse reports or emails from the company in spite of the fact that I do have an abuse@ email address set up. Therefore, I had nothing to go on. After a couple of days of begging and pleading for someone at the company to point me in the right direction, I have found out what was going on and the mail is flowing again.

I, for one, wish everyone would handle these incidents the same way. I wish that an email could be sent to the abuse@ email address saying - hey bozo - you got a problem - clean up your act. Well, maybe a little bit nicer. At any rate, not notifying us that we are being blocked and why we are being blocked is just not very nice. I just spent the better part of 2 days digging through logs, looking at RBL sites and attempting to find someone who could explain why my server was being "spanked".

So for those of you out there that just pull the plug, maybe you could also send the abuse@ email address a little message.  I don't mind so much the pulling of the plug, but mind the hours that I spent trying to figure out why the plug was pulled.

I would rather have a little abuse from you than a lot of abuse from a lot of customers.

 

Deborah

278 Posts
ISC Handler
I have found that e-mail messages sent to abuse@ usually get answered with an automated canned reply - if at all. I'd send an e-mail if I knew that a real person would receive the message, would understand the problem, and would be in a position to do something about correcting the issue.
Jerry

12 Posts
Same experience here.
All of the abuse mails I ever sent because of infected websites or servers were never realized.

Guess it also makes a difference whether an organization like the ISC writes to an abuse@ or "Mr. HomeUser" does.
Anonymous
Actually, I have had pretty good luck with ISPs responding to infected computer abuse. Insight Broadband did a pretty good job the last time I contacted them.

I have found the smaller the ISP, the better the response.
Jason

4 Posts
Speaking from a few years of experience on both sides of abuse@ and as a mailserver admin... I see hundreds (sometimes thousands) of new spam sources every day banging on my mailservers, it's just not practical to send an email to the ISP for every one of them that I block. Pay close attention to the content of reject messages, many ISPs will try to give you good clues or links to more info in their reject string. Also each ISP seems to have a different way of dealing with "why am I blocked?" queries. If you send such a query to us at $smallISP it's fairly obvious who to contact and you can expect a mailserver admin to respond within a business day. Huge ISPs seem to strive to answer such queries with minimal human intervention, which can work but only if they have a really well designed system. Some large ISPs will set up a 'feedback loop' with you upon request, where they send you notice every time they see spam from your domain... have a look at http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#119
Anonymous
About two years ago, we had been getting repeatedly 'attacked' by a server owned/managed by the State of Florida (don't remember the government department offhand, but it was a florida.gov host). It took almost 6 months before I finally managed to get a response (after emails and phone calls to abuse@, webmaster@, and the state's IS Department), and then it was only 'it has been resolved' (it wasn't). We finally added their IP range to an ACL in our Internet router and simply rejected all traffic from them (problem solved). Only once have I ever received a 'real' response from an abuse@ email, and that was from someplace in Europe (who, by the way, resolved the issue immediately).
Lee

21 Posts
Deborah,

The problem with abuse@(domain) is that all sorts of stuff gets sent to those accounts so the simplest thing for ISPs is to take them in order.

A few things to make your life easier:

1) Keep a list of "postmaster" webpages for the big boys and check them regularly for updates. Some will give you phone numbers to call and others will give you email addresses or web based forms to use.

2) Have your company join MAAWG or APWG. This helps you in 3 ways. A) Both organizations maintain contact lists; B) They provide a great mechanism for meeting others in the messaging abuse community; C) They are an excellent way to keep up on what is happening with regard to messaging abuse. MAAWG membership is more expensive than APWG (FYI).

4) Check your bounce logs. Many receivers will include information or a link as to why they are blocking you.

Just a few thoughts.

dotzero
Anonymous
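
The advice in two of the comments above (read the reject string, and check your bounce logs for links) can be automated on the sending side. The following is an added example, not code from any poster in this thread: it assumes Postfix-style `postfix/smtp` log lines, and all hostnames, addresses and URLs in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtp-client log format (not from the thread).
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtp[2211]: 4F1A2C0: to=<a@bigmail.example>, relay=mx.bigmail.example[192.0.2.10]:25, delay=1.2, dsn=5.7.1, status=bounced (host mx.bigmail.example[192.0.2.10] said: 550 5.7.1 Mail from 198.51.100.7 refused, see https://postmaster.bigmail.example/blocked?ip=198.51.100.7 (in reply to MAIL FROM command))
Mar  3 10:15:04 mx1 postfix/smtp[2212]: 4F1A2C1: to=<b@bigmail.example>, relay=mx.bigmail.example[192.0.2.10]:25, delay=0.9, dsn=5.7.1, status=bounced (host mx.bigmail.example[192.0.2.10] said: 550 5.7.1 Mail from 198.51.100.7 refused, see https://postmaster.bigmail.example/blocked?ip=198.51.100.7 (in reply to MAIL FROM command))
Mar  3 10:16:10 mx1 postfix/smtp[2213]: 4F1A2C2: to=<nobody@other.example>, relay=mx.other.example[203.0.113.5]:25, delay=0.4, dsn=5.1.1, status=bounced (host mx.other.example[203.0.113.5] said: 550 5.1.1 <nobody@other.example>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Mar  3 10:17:30 mx1 postfix/smtp[2214]: 4F1A2C3: to=<c@slowisp.example>, relay=mx.slowisp.example[192.0.2.44]:25, delay=2.0, dsn=4.7.0, status=deferred (host mx.slowisp.example[192.0.2.44] said: 421 4.7.0 Too many complaints from your IP, contact postmaster@slowisp.example (in reply to end of DATA command))
Mar  3 10:18:00 mx1 postfix/smtp[2215]: 4F1A2C4: to=<d@fine.example>, relay=mx.fine.example[203.0.113.9]:25, delay=0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

REJECT = re.compile(
    r"relay=(?P<relay>[^\[,]+)\[.*?dsn=(?P<dsn>[45]\.\d+\.\d+), "
    r"status=(?P<status>bounced|deferred) \((?P<reason>.*)\)$"
)
URL = re.compile(r"https?://[^\s)>\"]+")


def summarize_rejects(log_text):
    """Group policy-style rejections by receiving relay, keeping any links given."""
    report = defaultdict(lambda: {"count": 0, "dsn": set(), "links": set(), "reason": ""})
    for line in log_text.splitlines():
        m = REJECT.search(line.strip())
        if not m:
            continue  # delivered mail or a non-SMTP log line
        links = {u.rstrip(".,;") for u in URL.findall(m["reason"])}
        # RFC 3463: x.7.x is "security or policy status"; x.1.x (bad address) is not a block.
        if m["dsn"].split(".")[1] != "7" and not links:
            continue
        entry = report[m["relay"]]
        entry["count"] += 1
        entry["dsn"].add(m["dsn"])
        entry["links"] |= links
        entry["reason"] = m["reason"]  # keep the latest full reject string for the ticket
    return dict(report)


if __name__ == "__main__":
    ranked = sorted(summarize_rejects(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for relay, e in ranked:
        print(f"{relay}: {e['count']} rejects, dsn={sorted(e['dsn'])}")
        for link in sorted(e["links"]):
            print(f"  more info: {link}")
        print(f"  last reason: {e['reason']}")
```

Run against the real mail log, the per-relay counts show which receiver started refusing mail and when, and the saved reject string is what that receiver's postmaster desk will ask for.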
