An ISP network abuse team is usually flooded with ongoing reports of server network abuse. They are often so inundated that they only get a chance to look through 60% of their daily reports. One way of prioritizing the reports the team receives is to rate the reporters of the abuse. To help you differentiate between your reporters, here are the different types your team will encounter:
The Standardized Low Volume Reporter: High priority
These types of reporters are the most complicated a network abuse team can encounter. They submit reports that deal with highly illegal activities including child exploitation, drugs, arms deals, terrorism, human trafficking, and snuff videos.
These are not the types of reports a team will encounter on a daily basis, but when they come in they need to be handled with great care and in coordination with the legal department and law enforcement teams. Every effort must be made to ensure that all tasks are actioned according to regulated procedures, all evidence is carefully collected and no mistakes are made.
The Standardized Mass Reporter: High to medium priority
This type of reporter is a great help for all network abuse teams. They provide you with huge volumes of data and masses of reports that you can automate and action immediately. This gives you a good overall view of what is occurring on your network, and the evidence you need to take immediate action. These types of reporters tend to include security vendors and spam reports, and they use standard formats that are easily parseable.
The Standardized Medium Volume Reporter: Medium priority
These reporters include phishing reports, blacklist reports, and brand protection reports. These reports tend to be lower in volume, but your team should prioritize them as they contain a lot of additional information about the evidence. These reports use standard formats that are easily parseable, but due to the smaller volumes of evidence, they are not as easy to handle automatically.
The Low Non-standardized Volume Reporter: Medium to low priority
These are usually reports from a private person sending or forwarding you a spam message, and asking you to make it go away. The biggest problems a network abuse team usually faces with these types of reports are missing details about the incident or formats that cannot be parsed automatically.
Three tips on how to handle these types of reports:
- Do them manually. Work through them and make sure you have them covered. The reporter has gone through a lot of effort to help you keep your network clean, so give them the time they deserve.
- If you cannot parse it automatically or the content is not complete, send the reporter a link to a form to fill out to ensure that you get all the details. Once you have all the details, you can parse them.
- The faster you solve issues inside your network, the less non-automated traffic you will receive. When you solve spamming issues in minutes, compared to hours or even days, the likelihood of seeing a personal report tends to disappear.
How to effectively deal with the different types of reports
When the reports come in, your team needs to be able to discern the high priority reports that need immediate action. But when a network abuse agent is dealing with a bulging mailbox, this can be tricky.
If you see high or medium volume reports coming from a reporter and they’re not in a machine-parseable format, let the reporter know right away that they should switch to something machine parseable, like XARF, which is being considered as part of a MAAWG best practice.
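The prioritization described above can be expressed as a small triage routine. This is an added example, not code from the original article; the report fields (reporter, category, parseable), the volume thresholds, the sample inbox, and the low priority given to high-volume reports that cannot be parsed are all assumptions made for illustration.

```python
from collections import Counter

# Categories the article lists for the low-volume, high-priority reporter.
LEGAL_CATEGORIES = {"child exploitation", "drugs", "arms deals", "terrorism",
                    "human trafficking", "snuff videos"}

def triage(reports, mass_min=100, medium_min=10):
    """Return (priority, action, report) tuples, most urgent first.

    reports: dicts with hypothetical keys reporter, category, parseable.
    mass_min / medium_min: assumed daily per-reporter volume thresholds
    (the article gives no numbers).
    Priority: 0 high, 1 high to medium, 2 medium, 3 medium to low.
    """
    volume = Counter(r["reporter"] for r in reports)
    queue = []
    for r in reports:
        n = volume[r["reporter"]]
        if r["category"] in LEGAL_CATEGORIES:
            # Never automated: coordinate with legal and law enforcement.
            item = (0, "escalate to legal, handle manually", r)
        elif not r["parseable"]:
            # Busy senders are asked to change format; individuals get a form.
            action = ("ask reporter to switch to XARF" if n >= medium_min
                      else "handle manually, send form link")
            item = (3, action, r)
        elif n >= mass_min:
            item = (1, "automate", r)
        else:
            item = (2, "parse, then review", r)
        queue.append(item)
    # sorted() is stable, so arrival order is kept within each priority.
    return sorted(queue, key=lambda t: t[0])

# Constructed sample: one day's inbox, in arrival order.
SAMPLE = (
    [{"reporter": "vendor-feed", "category": "spam", "parseable": True}] * 120
    + [{"reporter": "brand-protect", "category": "phishing", "parseable": True}] * 12
    + [{"reporter": "private-person", "category": "spam", "parseable": False}]
    + [{"reporter": "bulk-sender", "category": "spam", "parseable": False}] * 15
    + [{"reporter": "hotline", "category": "child exploitation", "parseable": True}]
)

if __name__ == "__main__":
    for action, count in Counter(a for _, a, _ in triage(SAMPLE)).items():
        print(f"{count:4d}  {action}")
```

The single hotline report arrives last in the sample but is placed first in the queue, so it is seen even when the team only gets through part of the day's reports.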