Abuse Contacts – How NOT to do it!


Abuse contact information is the contact information (usually the network administrator's) that can be used to report IPs engaged in suspicious activities. This information can include the abuse contact's email address, postal/ZIP code, city, state, country, name, network, and phone number. Abuse contacts are usually set up as part of the records kept by your Regional Internet Registry (RIR), which is responsible for allocating IP addresses.

This allows anyone to do a lookup to see where to report abuse, based on the IP address of the source of the abuse. We provide a free high-volume lookup service called the Abusix ContactDB as one of the ways that you can do this.

Because abuse reporting is so important, there are a number of long-established rules that we covered in a previous blog post.

As part of our Global Reporting project, we send lots of abuse reports and therefore see a lot of poor practices and bad configurations.

Here is a very good example of this:

This was received in response to one of our automated reports. This is an example of a “Challenge Response” spam filter, which in my opinion, is a really, really bad way to filter your email and definitely not something that you want on your abuse mailbox.

“Challenge Response” systems send a “Challenge” email back to anyone who has sent you a message for the first time. It will contain a link that you have to click or a CAPTCHA, like the example above, that you have to complete. Once you do, your original message is delivered to the recipient; otherwise, the message is deleted after a certain amount of time.

This is a massively flawed method of filtering. It requires lots of exclusions for things like airlines, insurance companies, etc., and for anyone that sends transactional or automated messages because, by design, an automated system cannot complete the challenge. Worse still, the vast majority of genuine spam will forge the sending address, likely picking a genuine email address that belongs to someone else. That unwitting person will then be inundated with challenges for messages that they never sent.

So it’s not really proper filtering, but more like outsourcing your spam filtering to someone else who never asked for the job. I never personally complete these challenges out of principle because they are so flawed.

So it goes without saying that this should never be used in front of an abuse mailbox, as it is in this example, because the vast majority of abuse reports are going to come from automated reporting systems, and these reports will simply vanish and won’t be dealt with. The above abuse contact is responsible for 1,276 IP addresses that will be missing a lot of genuine reports. Ensure your own abuse reporting practices aren’t like this!
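One way an automated reporting system could notice that an abuse mailbox sits behind a challenge-response filter, so the contact can be flagged as not receiving reports. This is an added example, not Abusix's code; the phrase list is a constructed heuristic, and the addresses, Message-IDs and sample replies are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Wording typical of challenge messages (constructed heuristic, an assumption).
CHALLENGE_RE = re.compile(
    r"confirm (that )?you are (a )?human|complete the captcha|"
    r"click (on )?the link (below )?to (verify|confirm|deliver)|"
    r"your (message|e-?mail) (is being|has been) held", re.IGNORECASE)

def body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def classify_reply(raw, sent_report_ids):
    """Return 'challenge', 'answered' or 'unrelated' for one reply."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    # A challenge asks the sender to act: hold wording plus a link or CAPTCHA.
    if CHALLENGE_RE.search(text) and re.search(r"https?://|captcha", text, re.I):
        return "challenge"
    refs = msg.get("In-Reply-To", "") + " " + msg.get("References", "")
    ids = set(re.findall(r"<[^>]+>", refs))
    return "answered" if ids & sent_report_ids else "unrelated"

def challenge_senders(replies, sent_report_ids):
    """Abuse contacts whose mailbox answered a report with a challenge."""
    return {parseaddr(message_from_string(r).get("From", ""))[1]
            for r in replies if classify_reply(r, sent_report_ids) == "challenge"}

# Constructed sample replies (not real traffic); all names are placeholders.
SENT = {"<report-0001@reporter.example>", "<report-0002@reporter.example>"}
CHALLENGE = """\
From: Abuse Desk <abuse@isp.example>
Subject: Please verify your message
In-Reply-To: <report-0001@reporter.example>

Your message is being held. Click the link below to confirm you are human:
https://filter.isp.example/challenge/CONSTRUCTED
"""
TICKET = """\
From: abuse@host.example
Subject: [Ticket 1234] Re: abuse report
In-Reply-To: <report-0002@reporter.example>

We have received your report and opened a ticket.
"""
```

Contacts returned by `challenge_senders` are the ones whose reports are being held rather than read, so they need a different escalation path than an ordinary non-responder.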
