[96499] in North American Network Operators' Group


Re: Best practices for abuse@ mailbox and network abuse complaint

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Fri May 11 18:42:26 2007

Date: Fri, 11 May 2007 23:31:46 +0100
From: Jeroen Massar <jeroen@unfix.org>
To: K K <kkadow@gmail.com>
Cc: nanog@merit.edu
In-Reply-To: <dc718edc0705111510g7a7ed0d9x747ebd83079cc1d2@mail.gmail.com>
Errors-To: owner-nanog@merit.edu



K K wrote:
[..]
> I'm hoping to find either a better and widely accepted way to handle
> non-spam-related network abuse complaints (hacking, DoS, etc), or at
> least best practices for triage on the huge volume of mail that comes
> into abuse@, procedures such that the rare legitimate complaint about
> non-spam network abuse can be routed to my team in a timely manner.

whois is the right one. But IMHO the ARIN whois is a bit limited and
also odd, but that might be because I am used to seeing a different kind
of data ;)

In RIPE db we have a nice IRT (Incident Response Team) object which is
meant for this, see amongst others:
http://www.ripe.net/info/ncc/presentations/irt-tfcsirt6/sld001.html
http://www.ripe.net/db/support/security/irt/irt-h2.html

Next to that there is the 'abuse-mailbox' line which can be inserted
with most objects, similarly to irt.

These will at least allow your users to find you. Some of the tools out
there that auto-spam abuse@ when they get a silly portscan use those
fields, so at least you will get it at the right address and not at
every other single address that is listed in whois.

Greets,
 Jeroen
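
Added example, not part of the original message: a Python parser for RIPE-style whois output that picks the reporting address from the irt object and 'abuse-mailbox' lines described above and ignores every other address in the response. The sample text is constructed; the function names, the use of the 'mnt-irt' reference to find the irt object, and the preference order (irt first) are assumptions of this example.

```python
# Constructed sample of RIPE-style whois output (not real registry data).
SAMPLE = """\
% constructed response for illustration

inetnum:        192.0.2.0 - 192.0.2.255
mnt-irt:        IRT-EXAMPLE

irt:            IRT-EXAMPLE
e-mail:         csirt@example.net
abuse-mailbox:  abuse@example.net

person:         Example Person
nic-hdl:        EX1-TEST
e-mail:         hostmaster@example.net
"""

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):              # server comment line
            continue
        if not line.strip():                  # blank line ends the object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:   # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, f"{value} {line[1:].strip()}".strip())
        else:
            key, sep, value = line.partition(":")
            if sep:
                current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def abuse_contacts(text):
    """Abuse report addresses; plain e-mail of person/role objects is never used."""
    objs = parse_objects(text)
    irt_refs = {v.upper() for o in objs for k, v in o if k == "mnt-irt"}
    from_irt, other = [], []
    for o in objs:
        boxes = [v for k, v in o if k == "abuse-mailbox"]
        if o[0][0] == "irt" and o[0][1].upper() in irt_refs:
            # Referenced irt object: abuse-mailbox, else its own e-mail.
            from_irt += boxes or [v for k, v in o if k == "e-mail"]
        else:
            other += boxes
    return list(dict.fromkeys(from_irt + other))  # de-duplicate, keep order
```

An empty result means the response carries neither an irt object nor an abuse-mailbox line, which is the case where a reporting tool would otherwise fall back to every address it can find.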


