nanog mailing list archives

Re: Constant Abuse Reports / Borderline Spamming from RiskIQ


From: Matt Corallo via NANOG <nanog () nanog org>
Date: Mon, 13 Apr 2020 12:11:44 -0700

I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone 
hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to 
automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?

On Apr 13, 2020, at 11:50, Suresh Ramasubramanian <ops.lists () gmail com> wrote:


RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the 
complaint only after two business days, that’s closing the barn door after the horse has bolted and crossed a state 
line.

--srs

From: NANOG <nanog-bounces () nanog org> on behalf of Tom Beecher <beecher () beecher cc>
Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. <kushal.r () h4g co>
Cc: Nanog <nanog () nanog org>; Rich Kulawiec <rsk () gsp org>
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
 
I would agree that Twitter is not a primary place for abuse reporting. 

If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business 
hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty 
responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you and 
are resorting to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct 
channel for abuse reporting? 

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r () h4g co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as that tweet is concerned, it’s 
pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly available email address for an organisation, 
it isn’t difficult to look up the Abuse POC for an IP or network and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. Similarly Twitter isn’t a place to 
report abuse either. 


On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec> wrote:

On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by
> them from various channels is not appreciated.

Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk
