Re: Handling of Abuse Complaints

[Alex Brooks <askoorb+nanog () gmail com>]

Hi,

On 29 August 2016 at 16:55, Jason Lee <jason.m.lee () gmail com> wrote:
> NANOG Community,
>
> I was curious how various players in this industry handle abuse complaints.
> I'm drafting a policy for the service provider I'm working for about
> handing of complaints registered against customer IP space. In this example
> I have a customer who is running an open resolver and have received a few
> complaints now regarding it being used as part of a DDoS attack.
>
> My initial response was to inform the customer and ask them to fix it. Now
> that its still ongoing over a month later, I'd like to take action to
> remediate the issue myself with ACLs but our customer facing team is
> pushing back and without an idea of what the industry best practice is,
> management isn't sure which way to go.
>
> I'm hoping to get an idea of how others handle these cases so I can develop
> our formal policy on this and have management sign off and be able to take
> quicker action in the future.

As you are developing a policy and procedure, you might want to have a
look at the resources provided (free) by the Messaging, Malware and
Mobile Anti-Abuse Working Group (M3AAWG).  Whilst not answering your
question directly, it can be useful to have some general abuse best
practice documents around when developing your own policies.

Lots of resources are available at
https://www.m3aawg.org/for-the-industry, including:
- Best Common Practices for Hosting and Cloud Service Providers
- Best Practices to Address Online, Mobile, and Telephony Threats
- Feedback Reporting Recommendation
- Overview of DNS Security - Port 53 Protection
- Abuse Desk Common Practices
- The Anti-Bot Code of Conduct for Internet Service Providers


There's a lot of stuff about email and email spam (including a whole
page on FBLs at https://www.m3aawg.org/fbl-resources), but there is
some stuff there on abuse in other domains as well.  It's well worth a
gander.

HTH,

Alex