Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

[Tom Beecher <beecher () beecher cc>]

Jonathan-

First time posts to the list are , pardon the phrase, quarantined out of
the gate. Once it's obvious that it's not spam or a problem individual,
that gets released and future messages go straight out.

This is still a manual process done by one person in the NANOG
organization, so it's not always that fast. You likely just got caught up
in that, and didn't do anything incorrectly.

On Tue, Apr 14, 2020 at 4:25 AM Jonathan M <jonathan-m () riskiq net> wrote:

> My bad - This was not for Rich but for Kushal who initiated the thread
> taking the survey about us being "spammers". I'm contacting the
> administrator at Nanog.org now to figure out what I did wrong to properly
> post to the thread as I haven't used the mailing list before. Have a good
> day. Jonathan
>
> On Mon, Apr 13, 2020 at 9:55 PM Jonathan M <jonathan-m () riskiq net> wrote:
>
> > This may not have been approved yet by the moderator but was sent to the
> > list about 30 minutes ago....I'm sorry, but I'm just learning how to use
> > this list and I am concerned that my post was not properly sent--thus,
> > replying to the thread here....thx
> >
> > Re: https://twitter.com/RiskIQ_IRT/status/1249721818602070016?s=20
> >
> > Hi, Rich,
> >
> > I hope you are well. If you ever encounter an incident that you think
> > could have been handled better on our end, we aspire to continuously
> > improve, and don't claim to be perfect.
> >
> > Rather than blocking our abuse notification to the abuse POC, it would be
> > better to let us know you have concerns so that we can improve our
> > communications. Blocking us on Twitter and shutting off communication is no
> > better than if we were to just send your customer's domain to a blacklist
> > without notifying you of a compromise so that it can possibly be patched.
> > Let's keep the overall goal in mind -- it's to make the internet safer by
> > flagging possible violations of your acceptable use policy that may lead to
> > compromised personal data or sensitive credentials of innocent visitors
> > online.
> >
> > Before anything is posted to Twitter, I personally review the history of
> > the event to see if we have exhausted all reasonable steps to mitigate
> > harmful cyber activity or operations on network infrastructure short of
> > always picking up the phone or using the fax. While we have attempted to do
> > that in the past for each event, there is just too much harmful cyber
> > activity going on for us to be relying on phone calls to try and reach the
> > abuse team to ask that our ticket be prioritised after an unreasonable
> > period of time has elapsed. We have thousands of escalations that we need
> > to handle and most of the time though not across the board, when we call to
> > reach the abuse teams, we are unsuccessful in reducing the time to
> > remediation.
> >
> > The goal is not to shame anyone per se. It's to create more transparency
> > regarding a problem that we all need to work together on. It's similar to
> > where nation state actors use public attribution as part of mitigation to
> > improve the Internet from cyber attacks. We did not block you on Twitter,
> > and after every tweet, we follow-up to the appropriate abuse point of
> > contact to raise visibility of the matter, as well as to the PR team, and
> > applicable computer emergency response teams as well as attorney generals
> > or other applicable authorities.
> >
> > We all need to work together. Please do not hesitate to contact me and I
> > will make sure we are meeting our end of aspiring to be a good partner, and
> > look forward to working with you as the need arises. Stay safe and healthy
> > in these challenging times, and we wish you the best.
> >
> > I'm happy to discuss offline as well. We can set up a time to discuss and
> > improve the mitigation workflow on both sides.
> >
> > Best regards,
> > Jonathan Matkowsky
> > VP, Digital Risk
> > RiskIQ, Inc.
> >
> >
> > On Mon, Apr 13, 2020 at 9:41 PM Tom Beecher <beecher () beecher cc> wrote:
> >
> > > I would agree that Twitter is not a primary place for abuse reporting.
> > >
> > > If they are reporting things via your correct abuse channel and you are
> > > indeed handling them within 48 business hours, then I would also agree this
> > > much extra spray and pray is excessive. However RiskIQ is known to be
> > > pretty responsible, so if they are doing this they likely feel like they
> > > are NOT getting appropriate responses from you and are resorting to
> > > scorched earth. Have you attempted to reach out to them and make sure they
> > > have the proper direct channel for abuse reporting?
> > >
> > > On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kushal.r () h4g co> wrote:
> > >
> > > > All abuse reports that we receive are dealt within 48 business hours.
> > > > As far as that tweet is concerned, it’s pending for 16 days because they
> > > > have been blocked from sending us any emails due to the sheer amount of
> > > > emails they started sending and then our live support chats.
> > > >
> > > > We send our abuse reports to, but we don’t spam them to every publicly
> > > > available email address for an organisation, it isn’t difficult to lookup
> > > > the Abuse POC for an IP or network and just because you do not get a
> > > > response in 24 hours does not mean you forward the same report to 10 other
> > > > email addresses. Similarly twitter isn’t a place to report abuse either.
> > > >
> > > >
> > > > On Apr 13, 2020 at 9:37 PM, <Rich Kulawiec <rsk () gsp org>> wrote:
> > > >
> > > >
> > > >  On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:  >  We understand these reports and deal with them as 
> > > > per our policies and timelines but this constant spamming by them from various channels is not appreciated. 
> > > > Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800 which is dated 9:15 AM 4/13/2020: 5 
> > > > #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 
> > > > days ago, and they are all STILL active 16 days is unacceptable. If you can't do better than that -- MUCH better 
> > > > -- then shut down your entire operation today as it's unworthy of being any part of the Internet community. ---rsk
> *******************************************************************
> This message was sent from RiskIQ, and is intended only for the designated
> recipient(s). It may contain confidential or proprietary information and
> may be subject to confidentiality protections. If you are not a designated
> recipient, you may not review, copy or distribute this message. If you
> receive this in error, please notify the sender by reply e-mail and delete
> this message. Thank you.
>
> *******************************************************************