Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

[Suresh Ramasubramanian <ops.lists () gmail com>]

Handle it in a reasonable amount of time, and please prioritize phishing somewhere after the usual threat to life / 
child abuse type cases (which are, fortunately, comparatively rare).  Phishes put people at risk of losing their life 
savings, and especially with covid already threatening to make that happen, that’s something we must all work to 
prevent.

There are providers that are good at handling abuse and responding as well (if only with boilerplate text and an 
automated ticket closure email, that’s fine.. as long as the threat is addressed I wouldn’t even need a reply) while 
there are others that have substantial abuse automation but are slow to respond at times, while others have no 
significant abuse prevention AND are slow to respond.

If, for whatever reason, the abuse load on a network goes out of control then the network does get pressured by 
escalation in one form or the other. Corporate contacts in this individual’s case, could be reports to various 
upstreams in some other case.

--srs
From: Matt Corallo <nanog () as397444 net>
Date: Tuesday, 14 April 2020 at 12:41 AM
To: Suresh Ramasubramanian <ops.lists () gmail com>
Cc: Tom Beecher <beecher () beecher cc>, Kushal R. <kushal.r () h4g co>, Nanog <nanog () nanog org>, Rich Kulawiec <rsk 
() gsp org>
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone 
hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to 
automate “1 report = drop customer”, you’re saying that we should all stop hosting anything?


On Apr 13, 2020, at 11:50, Suresh Ramasubramanian <ops.lists () gmail com> wrote:

RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can live with 24. If you handle the complaint 
only after two business days, that’s closing the barn door after the horse has bolted and crossed a state line.

--srs
________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of Tom Beecher <beecher () beecher cc>
Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. <kushal.r () h4g co>
Cc: Nanog <nanog () nanog org>; Rich Kulawiec <rsk () gsp org>
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business hours, 
then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty responsible, 
so if they are doing this they likely feel like they are NOT getting appropriate responses from you and are resorting 
to scorched earth. Have you attempted to reach out to them and make sure they have the proper direct channel for abuse 
reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r () h4g co<mailto:kushal.r () h4g co>> wrote:
All abuse reports that we receive are dealt within 48 business hours. As far as that tweet is concerned, it’s pending 
for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails they started 
sending and then our live support chats.

We send our abuse reports to, but we don’t spam them to every publicly available email address for an organisation, it 
isn’t difficult to lookup the Abuse POC for an IP or network and just because you do not get a response in 24 hours 
does not mean you forward the same report to 10 other email addresses. Similarly twitter isn’t a place to report abuse 
either.



On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec<mailto:rsk () gsp org>> wrote:

       On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:  >  We understand these reports and deal with them as 
per our policies and timelines but this constant spamming by them from various channels is not appreciated. Quoting 
from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800 which is dated 9:15 AM 4/13/2020: 5 #phishing URLs on 
admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all 
STILL active 16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire 
operation today as it's unworthy of being any part of the Internet community. ---rsk