What external reporters should I subscribe to for my Abuse Desk?
We often hear this question from abuse desk operators protecting their public networks and mailbox provider postmasters since Network security is a priority for service providers. Since the needs are a little different for the two different roles, the requirements are slightly different, so the order of the reports (while similar) is somewhat different.
What you receive today
Today, you will get OSINT abuse reports sent to abuse@ and postmaster@ addresses. These reports could include phishing, copyright, malware violations, and other abuses. Act quickly when you get these reports, or your safe harbor could be challenged. You should always pay attention to these reports and respond quickly.
Free subscription reports you need
To regain control of your network and mail server from malicious actors, you should subscribe to several free, essential subscription feedback reports.
Public Network, Abuse Desks
You must add several free subscription reports if you run an abuse desk for a public network. Follow the links we have provided to subscribe to each.
Mailbox Provider, Postmasters
If you’re an ISP, hosting provider, or stand-alone mail service, subscribe to the following reports. These don’t show up in your abuse-mailbox reports automatically, so you must request them.
- Microsoft JMRP
- Spamcop
- Spamhaus PBL
- Yahoo! (MTAs only; requires DomainKeys or DKIM)
Like the OSINT reports you already get, extract the metadata in the new reports you receive
Figuring out what’s going on with network abuse, what can wait, and what needs to be dealt with right away is all part of the job. Make sure you take the time to configure your systems to extract the metadata in the new reports. Hence, you understand what the new reports tell you, so you can take action efficiently.
Also, tag each incident by threat type.
Ensure you tag each incident to spot any issues cropping up in your network. If one person has a vulnerability or infection, others will likely have it too. If you keep track of these trends and act on them, you’ll avoid repeatedly encountering the same problem.
See also: The Importance Of Correctly Interpreting Network Abuse Reports.
Identifying your subscribers with vulnerabilities or the ones creating the abuse
Identifying the subscriber is the next step. It’s not uncommon to see a subscriber with vulnerabilities and copyright issues who get infected with a malicious payload when they share a movie or zip file. Once a machine is infected with one type of malware, it often gets other kinds. Abuse can become a regular occurrence for these subscribers. The more problems an individual subscriber has, the more difficult it is to resolve the issues.
Use playbooks to act on the problem that is being reported.
While you want to take action, remember that most subscribers need to learn why they should take action or how to resolve most issues. Even if they do, they may need more time to handle an overflowing mailbox.
If the issue is spam, explain to the user how their actions could affect other users on the mail platform, potentially leading to the mail service being blocklisted and causing delivery issues for other users. Postmasters often include a warning of service suspension or termination when this happens.
For copyright issues, inform the user of the risks of peer-to-peer file sharing and the prevalence of malware in zip files. Also, make sure to warn them about copyright infringement.
If there is a vulnerability, persist in helping them fix it, but remain gentle and precise. Don’t make them angry; be there to help.
Now, add more subscription reporters.
Now that you have established a solid flow in handling both the OSINT abuse reports and the ones mentioned above, add a few more reporters.
For both Abuse Desk Operators and Postmasters
To better understand abuse in your network or mail platform, subscribe to the following services. They offer various information to help you better understand what’s happening.
The Project Honeypot Feedback Loop
Unlike the feedback loops mentioned above, Project Honeypot operates traps that catch spam. It is distinct from Abusix and Spamhaus and can provide different results. Subscribing to their service is recommended, as it can help identify compromised users on your mail servers and malicious actors on your network.
Netcraft
If you are a network provider and operate a mailbox service or provide any-time hosting services, you should subscribe to Netcraft. Netcraft provides a “paid” real-time phishing feed that will help you get the jump on any phishing reports that might come your way.
“This is Spam” Complaint Feedback Loops
The Validity Universal Feedback Loop will allow you to see all the messages where users have clicked on “This is Spam.” While most users of this feedback loop service are email service providers looking to unsubscribe people from email lists, this service is invaluable for mailbox providers looking for potential spammers using their shared mail service. Other similar services include United Online and Zoho.
ISPs and hosting providers should expect to provide WHOIS RDNS and, in some cases, DKIM and/or DomainKeys for their shared email services. Providers should register any hosted email and web services like WordPress platforms.
While different from the traditional FBL, if you are in Europe, particularly France, you should sign up and get a membership with Signal Spam.
See also: Common Inbound Abuse Channels You Should Be Using For Solid Service Provider Security.
Also, consider an Abusix Threat Intelligence upgrade
If you’re feeling the weight of organizing your reports, let AbuseHQ lighten the load. Our threat telemetry processing from billions of messages and alerts can be further improved with a “paid” Abusix Threat Intelligence upgrade. You’ll get honeypot reports and spamvertised/ns-advertised feeds, allowing you to monitor your network abuse in real-time and take preventative action before you end up on any blocklists.
Take action
In the end, have a good and consistent process to monitor how many warnings a reporter has made, what type of event it is, and who the subscriber is. How many reports and the types of reports the subscriber has, and an efficient way to notify each subscriber. Companies like Abusix with products like AbuseHQ can help manage your public network’s vulnerabilities, compromises, attacks, fraud, copyright, child protection, and other types of abuse quickly so you can stay up-to-date on your network’s security and the trends within.
