An owner of a network block of IP addresses must register an abuse email contact with the RIR (Regional Internet Registry) that allocates the block.
In some RIRs, an abuse contact (RIPE / ARIN / LACNIC / APNIC) is even mandatory. This is so that any abuse from that network can be reported to that owner.
Handling abuse that comes from your network is critical to:
1. Maintain a good reputation
2. Retain customers
3. Avoid costly legal action (both civil and criminal) and significant fines.
However, we frequently see several bad practices:
1. Bouncing addresses
The mail system returns messages to the sender as non-deliverable in 2 main situations:
1. The email address provided isn’t valid
2. The mailbox is full
This means that no one can report abuse from your networks to you, which is a terrible sign.
2. Spam filtering
By their very nature, abuse reports will contain IP addresses, domain names, and sample data.
This may lead spam filters to identify the reports as spam and potentially reject them, which will cause them to bounce.
Organizations should handle abuse addresses carefully with regard to filtering. All messages sent to the abuse address should be delivered to the mailbox.
You can tag the messages as spam in the message headers, but the messages themselves shouldn’t be modified, rejected, or delivered to a ‘Spam’ folder. Otherwise, important messages might be missed.
3. Freemail addresses
It should go without saying that using a “free” email address as an abuse mailbox is a terrible idea.
Google, Hotmail, Outlook, etc., are designed as “consumer” services. Thus, they will have strict rate limiting, limited mailbox quotas, and heavy spam filtering, making them a very poor choice as the destination address for an abuse mailbox.
4. Not accepting email reports
Abuse reports will be sent in all sorts of formats.
Some will be manual, others will be automated. These varying formats are one of the main challenges to abuse handling and one of the main reasons we are pushing for using easily parsable formats like X-ARF.
We’ve seen a small number of cases where an auto-responder is applied to the abuse contact. In these cases, it states that abuse reports are only accepted by filling out an online abuse form.
An auto-responder like this puts the burden on the abuse reporter to fill out a form manually. You will therefore miss important reports and discard all the automated reports sent to you.
5. Ignoring abuse reports or being unable to handle reports promptly.
Another case is when there is a working abuse@ address, and the messages are delivered, but no one:
1. Monitors this mailbox
2. Takes action on the issues reported
3. Can keep up with the volume of reports received
Abuse reporters will quickly work out that they are repeatedly sending abuse reports for the same issues and that nothing is being done, or that it is happening very slowly.
The next steps
To wrap this up, make sure that:
1. All your network ranges have the correct abuse-contact configured, and it works correctly
2. You are monitoring it and taking action on all reported issues
Otherwise, reporters will quickly conclude that you don’t care about abuse, and bad things will happen.
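
One way to run the first check across all of your ranges, as an added example that is not part of the original article: the script classifies what happened to a test report sent to each registered abuse contact against the bad practices listed above. The inventory, the addresses and the layout of the probe record are constructed for illustration, and the freemail domain list is an assumption you should extend.

```python
import re

# Assumed freemail domains (the article names Google, Hotmail and Outlook).
FREEMAIL = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com"}
ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")
# Enhanced status codes (RFC 3463) for the two bounce situations.
BOUNCE = {"5.1.1": "bounce: address does not exist",
          "5.2.2": "bounce: mailbox full"}

def audit_contact(address, probe):
    """Return the bad practices found for one abuse contact.
    probe is a hypothetical record of a test report's outcome: 'status'
    (enhanced status code of a bounce), 'headers' and 'body' of any reply.
    """
    m = ADDR_RE.match(address or "")
    if not m:
        return ["no valid abuse address registered"]
    findings = []
    if m.group(1).lower() in FREEMAIL:
        findings.append("freemail address")
    status = probe.get("status")
    if status in BOUNCE:
        findings.append(BOUNCE[status])
    elif status and status.startswith("5."):
        findings.append("rejected (%s): check spam filtering" % status)
    headers = {k.lower(): v.lower() for k, v in probe.get("headers", {}).items()}
    # RFC 3834: automatic replies carry "Auto-Submitted: auto-replied".
    auto = headers.get("auto-submitted", "").startswith("auto-replied")
    if auto and re.search(r"\bform\b", probe.get("body", ""), re.I):
        findings.append("auto-responder redirects reporters to a form")
    return findings

# Constructed inventory: network range -> (abuse contact, probe result).
INVENTORY = {
    "192.0.2.0/24": ("abuse@example.net", {"status": None}),
    "198.51.100.0/24": ("abuse@example.org", {"status": "5.2.2"}),
    "203.0.113.0/24": ("constructed-example@gmail.com", {"status": "5.7.1"}),
    "2001:db8::/32": ("abuse@example.com", {
        "headers": {"Auto-Submitted": "auto-replied"},
        "body": "Reports are only accepted via our online form."}),
}

def audit(inventory):
    return {net: audit_contact(a, p) for net, (a, p) in inventory.items()}

if __name__ == "__main__":
    for net, findings in audit(INVENTORY).items():
        print(net, "->", "; ".join(findings) or "ok")
```

A clean result only shows that the address accepts mail; whether anyone monitors the mailbox and acts on reports still has to be checked by people.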