Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
biohazardmail
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

  • Type of incident (phishing, spam, hacking, dDOS, criminal activity, etc.)
  • Real world effects (spear phishing, child exploitation, theft, network instability, etc.)
  • Source of complaints (individual reports, trusted reporters, details provided, FBL messages, blocklist notices etc.)
  • Legal issues (subpoenas, search warrants, DMCA complaints)

ISP abuse desks deal with a whole lot more than just spam complaints. Some of it is icky work that involves things most of us should be glad we never have to think about.
In the ESP space, though, triage is different. Typically abuse desks at ESPs monitor for blocking and then monitor complaints about volume. There are fewer problems that employees need to deal with.
For a while now I’ve been slightly concerned that so much of ESP abuse handling is about the volume of complaints and blocking. There is quite a bit of abuse that runs “under the radar” because the numbers just aren’t there. I mean, I get it. It’s almost the only way to handle the sheer volume of complaints that come into an average ESP abuse desk.
But I wonder if we’re missing more subtle forms of abuse, ones that have a high personal impact? The recent subscription bomb has somewhat answered the question. The bomb was unnoticed by most ESPs until Spamhaus started blocking the IPs involved.
The number of victims is small. Most of them are not at mailbox providers that provide FBLs. This got attention because Spamhaus was part of the target. But what if it happens again and Spamhaus addresses aren’t involved? How many ESPs will notice their involvement?
I don’t really have an actual answer. But the abuse is real and the abuse is causing real harm. ESPs measure harm by volume, often without any modifiers for the type of harm. Happily, many of the types of abuse that cause significant harm are done in the shadows and ESPs are out in the open. It’s not the same.
Maybe better communication would help? There are multiple private groups where information is shared about things like this. MAAWG is one example, but there are also lots of ad hoc mailing lists and discussion channels. I’m on a few, I know folks who are on a bunch that I’m not on. There’s a well developed back channel to share information. And because we’re in a security space some of it has to be back channel.
I’m not sure what the answer is. I’m not sure there is one answer. Continuing to develop back channels and networks to share information is clearly part of the answer. But maybe there’s a place for more open sharing of information. The challenge, as always, is sharing with the right people.
Someone asked me on twitter last week if there was a way to get information about mailbox providers having bad days. I didn’t have a good answer – although for things like that I’m much happier to blog and tweet about them. It’s these more complex issues that are harder to share publicly.
So what have I not thought of? What’s your solution?
 

Related Posts

The truth matters.

bullhornCall within the next 10 minutes…
Consumers with last names starting with O – Z can call tomorrow…
Only 5 seats left at this price!
 
All of these are common marketing techniques designed to prompt consumers to buy. It’s not a new idea, create a sense of urgency and people are more likely to buy.
I think some marketers are so used to making outrageous claims to support their marketing goals, that it doesn’t occur to them that the truth matters to some people.
There’s almost no better way to get me to send in a spam complaint than to send me an email with a claim about how I opted in.
Example:

Read More

December 2014: The month in email

2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.

Read More

Random thoughts on reporting abuse

stop_atOn IRC today, someone mentioned an Ars Technica article discussing how a research team tried to contact Xfinity about a security flaw in their home security system.

Read More