Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
biohazardmail
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

  • Type of incident (phishing, spam, hacking, dDOS, criminal activity, etc.)
  • Real world effects (spear phishing, child exploitation, theft, network instability, etc.)
  • Source of complaints (individual reports, trusted reporters, details provided, FBL messages, blocklist notices etc.)
  • Legal issues (subpoenas, search warrants, DMCA complaints)

ISP abuse desks deal with a whole lot more than just spam complaints. Some of it is icky work that involves things most of us should be glad we never have to think about.
In the ESP space, though, triage is different. Typically abuse desks at ESPs monitor for blocking and then monitor complaints about volume. There are fewer problems that employees need to deal with.
For a while now I’ve been slightly concerned that so much of ESP abuse handling is about the volume of complaints and blocking. There is quite a bit of abuse that runs “under the radar” because the numbers just aren’t there. I mean, I get it. It’s almost the only way to handle the sheer volume of complaints that come into an average ESP abuse desk.
But I wonder if we’re missing more subtle forms of abuse, ones that have a high personal impact? The recent subscription bomb has somewhat answered the question. The bomb was unnoticed by most ESPs until Spamhaus started blocking the IPs involved.
The number of victims is small. Most of them are not at mailbox providers that provide FBLs. This got attention because Spamhaus was part of the target. But what if it happens again and Spamhaus addresses aren’t involved? How many ESPs will notice their involvement?
I don’t really have an actual answer. But the abuse is real and the abuse is causing real harm. ESPs measure harm by volume, often without any modifiers for the type of harm. Happily, many of the types of abuse that cause significant harm are done in the shadows and ESPs are out in the open. It’s not the same.
Maybe better communication would help? There are multiple private groups where information is shared about things like this. MAAWG is one example, but there are also lots of ad hoc mailing lists and discussion channels. I’m on a few, I know folks who are on a bunch that I’m not on. There’s a well developed back channel to share information. And because we’re in a security space some of it has to be back channel.
I’m not sure what the answer is. I’m not sure there is one answer. Continuing to develop back channels and networks to share information is clearly part of the answer. But maybe there’s a place for more open sharing of information. The challenge, as always, is sharing with the right people.
Someone asked me on twitter last week if there was a way to get information about mailbox providers having bad days. I didn’t have a good answer – although for things like that I’m much happier to blog and tweet about them. It’s these more complex issues that are harder to share publicly.
So what have I not thought of? What’s your solution?
 

How many blocklists do we need?
NY Times on unsubscribing by email

Related Posts

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Read More

Mary Litynski Award winner Jayne Hitchcock

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

Read More

Mandrill changes

Last week Mandrill announced that they were discontinuing their free services and all customers would be required to have a corresponding paid Mailchimp account.

Read More