[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Constant Abuse Reports / Borderline Spamming from RiskIQ

At a previous employer much earlier in my career, we inherited some simple
webhosting from a company acquisition. In one of the early meetings we had
about integrating it, someone from our support team asked some questions
about the abuse report procedures, etc. Our owner came straight out and
said "Just make sure we handle anything that could create legal problems,
the rest I don't really care what you do."

I would suspect that's not an uncommon attitude in that industry.

On Thu, Apr 16, 2020 at 2:15 AM Brandon Martin <lists.nanog at monmotha.net>

> On 4/15/20 11:33 PM, Ross Tajvar wrote:
> > Can you give some examples of the things you mention above? I'm not
> > doing much in terms of customer filtering and would be interested to
> > hear what others consider best practice.
> My experience is that there's two groups of customers that are
> problematic from an abuse standpoint:
> * Those who intend to abuse your network
> * Those who enable others to abuse your network
> The former are of course a little easier to detect up front and much,
> much easier to give the axe when they do commit AUP violations.  It
> looks like others have already given some hints as to how to detect
> these kinds of folks up-front.  I'd also recommend looking for
> references for any new customer who wants a very large amount of
> resources, explicitly wants to send email, is bringing their own IP
> space (especially if they are leasing it), etc.
> The latter are far more problematic for legitimate operations.  I don't
> really run "hosting" providers as I'm mostly in the business of mid- and
> last-mile networks, but I always try to ask anyone who's either buying a
> plan that explicitly permits "hosting" or who is asking for personal-use
> exemptions to anti-hosting provisions in the AUP (which I do permit)
> what their intent is.  I don't really care so much what they're doing as
> long as they know what they're doing and that I get a vibe from them
> that they are competent.  "I want to host my wordpress blog" is an
> instant red flag since compromised wordpress instances are one of the
> biggest sources of snowshoe hosting in my experience.
> --
> Brandon Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200416/d981c159/attachment.html>