Has anyone else here had problems with NZ ISP abuse complaint responses? Mainly in response to SPAM reports where they refuse to do anything until they get blacklisted, but also covering network abuse (DOS type scenarios and the like)? It appears that abuse complaints are more and more regularly falling on deaf ears, where the person/team handling the abuse desk seems more concerned with pointing out how it is not their problem than actually trying to educate their end users as to correct practices. This does not appear to be restricted to smaller ISPs either, as the main offender (though not limited to) in this case appears to be Paradise. -- Steve.
-----Original Message----- From: Steve Phillips [mailto:steve(a)focb.co.nz] Has anyone else here had problems with NZ ISP abuse complaint responses? Mainly in response to SPAM reports where they refuse to do anything until they get blacklisted, but also covering network abuse (DOS type scenarios and the like)?
Yep, although in most cases it appears to be from a lack of organisation in getting the complaints to the right person rather than a systemic neglect of the issue. Recently I tried for 2 weeks through proper channels to get an obviously infected ADSL customer disabled and informed of their problem, to no avail, and culminating in the Helpdesk telling me that the Abuse people only worked from midnight to 8am a couple of days a week!!!! Obviously what he meant was that the person that dealt with it in the NOC was next rostered on for a midnight to 8am shift, but it's NOT what he said. Anyway, I posted the details on this list and someone from the appropriate ISP saw it and had the issue resolved in 30 minutes. But there should be some sort of internally monitored helpdesk with escalation for complaints like that - I know of a number of (admittedly corporate and not cheap - HEAT and Magic spring to mind) that do this sort of thing very well. Out of interest, are any ISP reps here prepared to admit how they track issues, specifically something like complaints to abuse(a)isp.co.nz where there could be a lot of incoming jobs? Cheers - Neil G
Hello, At Vivid Computers / Vivid Net, all abuse(a)vivid.net.nz email comes to myself - as the Systems Administrator - for prompt action. Michael Hallager Networkstuff Limited http://www.networkstuff.co.nz
_______________________________________________ Nznog mailing list Nznog(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Michael Hallager Managing Director Networkstuff Limited http://www.networkstuff.co.nz michael @ networkstuff.co.nz
-----Original Message----- From: Steve Phillips [mailto:steve(a)focb.co.nz] Has anyone else here had problems with NZ ISP abuse complaint responses? Mainly in response to SPAM reports where they refuse to do anything until they get blacklisted, but also covering network abuse (DOS type scenarios and the like)?
Yep, although in most cases it appears to be from a lack of organisation in getting the complaints to the right person rather than a systemic neglect of the issue. Recently I tried for 2 weeks through proper channels to get an obviously infected ADSL customer disabled and informed of their problem, to no avail, and culminating in the Helpdesk telling me that the Abuse people only worked from midnight to 8am a couple of days a week!!!! Obviously what he meant was that the person that dealt with it in the NOC was next rostered on for a midnight to 8am shift, but it's NOT what he said. Anyway, I posted the details on this list and someone from the appropriate ISP saw it and had the issue resolved in 30 minutes. But there should be some sort of internally monitored helpdesk with escalation for complaints like that - I know of a number of (admittedly corporate and not cheap - HEAT and Magic spring to mind) that do this sort of thing very well. Out of interest, are any ISP reps here prepared to admit how they track issues, specifically something like complaints to abuse(a)isp.co.nz where there could be a lot of incoming jobs? Cheers - Neil G
I've found the same thing with Paradise/Telstra Clear's responses.
Edward.
At 15:37 4/07/03 +1200, Steve Phillips wrote:
Has anyone else here had problems with NZ ISP abuse complaint responses? Mainly in response to SPAM reports where they refuse to do anything until they get blacklisted, but also covering network abuse (DOS type scenarios and the like)?
It appears that abuse complaints are more and more regularly falling on deaf ears, where the person/team handling the abuse desk seems more concerned with pointing out how it is not their problem than actually trying to educate their end users as to correct practices.
I've had about 50/50 luck with abuse complaints to other NZ ISPs, although I very seldom find I have to send one... so I don't have a very big sample size to go by... the ones that do reply usually deal with the matter effectively, but in the other half of cases it seems to fall on deaf ears, not even warranting a reply. Depending on the kind of problem it can be difficult to tell whether the problem was fixed but they just didn't reply, or whether it was totally ignored. Overseas ISPs are another matter though, I'd say abuse complaints fall on deaf ears 90% of the time there :) Regards, Simon Byrnand iGRIN Internet
Well not to name anyone (well actually I have to :-) ).
I ran across an open relay at the beginning of the year and contacted abuse(a)xtra.co.nz twice but never heard back and the relay's still there. It's been listed on orbs since 2003-01-18 18:20.
202.37.237.83 smtp.repco.co.nz
jfp.
------------------------------------------------------------------------
Jean-Francois Pirus
I've sent a fair number of complaints in the past and on the whole found NZ ISPs are fairly reasonable. There are definite exceptions. TelstraClear group (well, particularly Clear, both before and after the merge) are one group I have definitely not had reasonable response from. Even worse when zfree was around. Admittedly I haven't had to complain to them in the last few months but the last time I emailed them - probably 5ish months ago - I never got an acknowledgement at all. There are a couple of other ISPs I will not name that I have had less-than-ideal abuse comms with but on the whole I've found the NZ Internet scene to be far better than the world average. I would hope this trend continues. Mark. At 15:37 4/07/2003 +1200, you wrote: Has anyone else here had problems with NZ ISP abuse complaint responses? *snip* -.-. --.- (Disclaimer: Thoughts posted here are mine and mine alone, and do not represent my employer or any companies associated with my employer.)
On Fri, 2003-07-04 at 15:37, Steve Phillips wrote:
Has anyone else here had problems with NZ ISP abuse complaint responses? Mainly in response to SPAM reports where they refuse to do anything until they get blacklisted, but also covering network abuse (DOS type scenarios and the like)?
It appears that abuse complaints are more and more regularly falling on deaf ears, where the person/team handling the abuse desk seems more concerned with pointing out how it is not their problem than actually trying to educate their end users as to correct practices.
I have reported a great deal of network abuse in the past (unfortunately I'm now so busy dealing with the consequences of the abuse I don't have time to follow up any but the worst examples :-( ). My experience is that NZ ISPs are far and away better at responding than the global norm. One point I will make is that an automated response acknowledging receipt is useful (if only as evidence that you really did report the problem) but gives no indication of whether or not the report was then simply dropped in the bit bucket. I assume that all ISPs use some form of call tracking software and it would be great if they would set them up so that when the call is closed an email is sent back to the originator with a brief status message (e.g., resolved, could not match time and IP, ....). Earlier this year I did a binge on machines in NZ that were infected by worms that spread via open shares. Since many of these are on dial up addresses it is impossible to tell if particular machines have been fixed, even so one could tell from the total numbers of reports that I was sending to each ISP which were doing something about them and which were not. One thing that was interesting is that one major ISP who always acknowledges receipt of complaints seemed to do little about them while another big player who do do give automated acknowledgements seemed to act on them. In this context I must commend Xtra (as much as it pains me to say anything positive about anything to do with Telecom ;-) who always responded and actively encouraged me to continue sending reports. Another specific example is Sapphire (aka slammer -- MSSQL worm) which most NZ ISPs blocked (and continue to block ?), the exception was ihug and I was still seeing infected machines scanning us until very recently from ihug address space. I reported these on numerous occasions but it did not appear to have any impact on the number of infected machines that I was seeing. Cheers, Russell.
-- Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
Hi,
I don't know how many providers use the service called RT (Request Tracker - http://www.bestpractical.com/ ), but I have found this very useful. It keeps all emails in a ticketing system using a database such as mysql or others and ACL can be set up for support groups and queues. When a ticket is closed, the requestor (client) is notified of the ticket closure, any additional responses from the client will re-open the ticket and the info will be appended to the ticket. If clients were to open a new ticket but it was in reference to the old ticket, they can be linked to the main ticket.
To name 2 big companies ( http://www.bestpractical.com/rt/praise.html ) that use it: NASA, DynDNS
I would be interested to know how many people are using this system and what they think of it.
Kindest Regards
Barry Murphy
On Mon, 7 Jul 2003, Barry Murphy wrote:
I don't know how many providers use the service called RT ( Request Tracker - http://www.bestpractical.com/ ), but I have found this very useful.
ICONZ uses it for tracking internal jobs, queues, etc. It's quite excellent, and you can't beat the price. :) The biggest problem is making sure staff check/clear their own tickets and suchlike, regularly. But that's an education and training issue rather than a problem with RT. JSR -- John S Russell | Big Geek | Doing geek stuff.
It does allow you to receive email messages about tickets. Plus you can add
multiple domains to the system, if you set the $rtname as something like
'Support Ticket' and then name each queue as the domain name and edit the
subject lines.
Barry
On Mon, 7 Jul 2003 17:22:39 +1200, Barry Murphy
To name 2 big companies ( http://www.bestpractical.com/rt/praise.html ) that use it: NASA, DynDNS
And perhaps a little closer to home and our field.. APNIC use it, it seems to work well. -- Nathan Ward Esphion Ltd.
On Mon, 2003-07-07 at 18:56, Nathan Ward wrote:
On Mon, 7 Jul 2003 17:22:39 +1200, Barry Murphy
wrote: To name 2 big companies ( http://www.bestpractical.com/rt/praise.html ) that use it: NASA, DynDNS
And perhaps a little closer to home and our field.. APNIC use it, it seems to work well.
Janet CERT have just paid Best Practical to add a whole lot of features and produce RTIR (RT for Incident Response). It allows you (amongst other things) to create a hierarchy of related tickets (reports of the same problem) so that when you close the parent all the children get closed too. It knows about IP addresses and allows you to do whois lookups from within the app. DFN Cert are now contributing more money to extend it. RTIR is available under the same terms as RT itself. I heard about this at the FIRST conference in Ottawa last week where the RT author and someone from Janet CERT presented a paper. It generated quite a lot of interest. -- Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
We use RT, both for our helpdesk and for production. I looked at a lot of packages (commercial and otherwise) and it ended up with RT suiting our needs. Also, being open source allowed us to patch it to integrate with our other systems in various ways.
Of the commercial packages I was also impressed with AnswerTrack. It does what you need straight out of the box in a clean and well-presented way. Originally by HumanKind Systems, recently bought - all with the development team - by GSI:
http://www.answertrack.com/
We trialed AnswerTrack, but in the end went with RT because of the ability to customise, but also because RT was more email-oriented, and I really wanted a system where the parties could interact purely via email if they chose to (without using the web interface).
Aaron.
Russell Fulton wrote:
Earlier this year I did a binge on machines in NZ that were infected by worms that spread via open shares. Since many of these are on dial up addresses it is impossible to tell if particular machines have been fixed [....]
IMO, ISPs who allow their customers to be part of the problem, are part of the problem themselves. Why are ISPs not scanning their customers' machines, either as a service to the customer, or as a means to protect their network? Infected PCs on the Internet == SARS infected person in a university, so stop complaining and sort it out. /sw
Earlier this year I did a binge on machines in NZ that were infected by worms that spread via open shares. Since many of these are on dial up addresses it is impossible to tell if particular machines have been fixed [....]
A while back I used to test each IP which sent email to our email servers to see if it was an "open relay" (try and connect to email server and send test message and see if it comes back). It found A LOT of them (and auto blacklisted them) but it was too much of a nightmare due to the backlash from the people who didn't like me doing it. I guess my "testing" was stealing their bandwidth and they didn't like it. Also a lot of the machines had uncontactable "owners" or people who never replied (or even spoke English). The Hit Ratio of getting them fixed was very low. Thanks Craig
We test for open relays on all DSL customers with a static IP *at least* monthly, often more. Only one complaint has ever been made relating to the testing although we get the odd query as to what Xtra is up to and following explanation, customers seem happy with our actions. It's not failsafe as we only do basic tests but we are lucky if 3 or 4 are discovered per month and they are normally new connections. Testing for open proxies is on the drawing board, as is extending the range of customers tested, although resources may be an issue. OPs definitely seem to be the spammers' choice at the moment. Don't know whether they are more exciting to use or just that there's more of them. Cheers, Des
On Tue, 8 Jul 2003, Des Berryman wrote:
OPs definitely seem to be the spammers' choice at the moment. Don't know whether they are more exciting to use or just that there's more of them.
Open proxies are...
* Anonymising
* Pump out the spam at the speed of your Internet connection
* Often don't log anything
* Plentiful.
You can see why spammers love 'em. I believe e.g. AnalogX still comes set to allow connections from everywhere as default. Why not put a few lines about open proxies etc. on the Xtra Web site? -- Juha Saarinen
Steve Wright wrote:
IMO, ISPs who allow their customers to be part of the problem, are part of the problem themselves. Why are ISPs not scanning their customers' machines, either as a service to the customer, or as a means to protect their network?
My ISP operates as above - we scan for known exploits amongst machines on our network, and also scan and report open relays and open proxies that are used to spam our users. To maintain doing this consumes an enormous amount of time and effort, and involves a lot of abuse from people who operate open relays/open proxies who maintain it is their *right* to do so. More time and effort is spent in educating these users too. Given that the average Internet user doesn't give a rats about what their ISP does, they choose their ISP generally on price alone (providing their connection is otherwise robust), I could understand that many ISPs would or could not afford the time and cost of being proactive in regard to these issues. So, the answer may well be that until Internet users become more discerning in seeking service levels consistent with Best Practice from their ISPs, and don't mind paying a few bucks extra per month for additional protection and security, and until ISPs' customers become sufficiently educated and familiar with Best Practice for the operation of their networked services, the problem is likely to get worse rather than better. Blaming the ISP, or expecting ISPs to carry the burden is not helpful. Keith Davidson
Keith Davidson wrote:
My ISP operates as above - we scan for known exploits amongst machines on our network, and also scan and report open relays and open proxies that are used to spam our users. To maintain doing this consumes an enormous amount of time and effort, and involves a lot of abuse from people who operate open relays/open proxies who maintain it is their *right* to do so. More time and effort is spent in educating these users too.
Human nature being what it is; those who insist on taking others' rights will complain about theirs being interfered with.. Customers don't care about their screwed-up virus-ridden system attacking others until they are forced to do something about it.. The bottom line is - ISPs are the leaders, and therefore the meat in the sandwich, and like all change, there will be a growing period for all while the 'offended' customers swap ISPs a few times. Unfortunate, but necessary. Everyone can see how the environment must be respected, and the Internet is no different. The public is already inclined in this direction viz the current fad<ducks> towards conservation.. perhaps this can be exploit^H^H^H^H^H used. <TIC>Perhaps a discounted package might be offered for nonwindows-based accounts, since they are less a liability and generally have an experienced admin on board.
Given that the average Internet user doesn't give a rats about what their ISP does, they choose their ISP generally on price alone (providing their connection is otherwise robust), I could understand that many ISPs would or could not afford the time and cost of being proactive in regard to these issues.
What costs less? To prevent the problem, or deal with the consequences.. <shrug>
So, the answer may well be that until Internet users become more discerning in seeking service levels consistent with Best Practice from their ISPs, and don't mind paying a few bucks extra per month for additional protection and security, and until ISPs' customers become sufficiently educated and familiar with Best Practice for the operation of their networked services, the problem is likely to get worse rather than better.
Customers don't care - they just buy a better product from ms that prevents the symptom. They will not do anything different until it affects them - like having their account shut down after 3 warnings.
Blaming the ISP, or expecting ISPs to carry the burden is not helpful.
Like it or not, ISPs carry the can. Customers will not accept the problem is theirs, until the problem is theirs. Surely one of the larger monoliths could pull this off without decimating their customer-base (they seem to have gotten away with far worse<ducks>) /sw
On Tue, 2003-07-08 at 09:17, Keith Davidson wrote:
Blaming the ISP, or expecting ISPs to carry the burden is not helpful.
I agree with Keith's assessment and this reminds me of a quote that was repeated at the FIRST meeting in Ottawa last week. Unfortunately I can't remember the names of the people involved but the story goes like this: A few years back Sun had just announced a whole bunch of vulnerability fixes and some senior SUN technical person was at a conference and was publicly challenged "When is SUN going to stop releasing buggy code", the bod from SUN shot straight back "Just as soon as you stop buying it". That said I do think that ISPs should deal with infected machines when they are pointed out to them. -- Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
On Tue, 2003-07-08 at 08:04, Steve Wright wrote:
Russell Fulton wrote:
Earlier this year I did a binge on machines in NZ that were infected by worms that spread via open shares. Since many of these are on dial up addresses it is impossible to tell if particular machines have been fixed [....]
IMO, ISPs who allow their customers to be part of the problem, are part of the problem themselves. Why are ISPs not scanning their customers' machines, either as a service to the customer, or as a means to protect their network?
Infected PCs on the Internet == SARS infected person in a university, so stop complaining and sort it out.
I'm not quite sure what you are getting at Steve, I have no way to "sort it out". I was reporting addresses from local ISPs that were scanning us and which appeared to be infected by worms. My comment was that it is difficult to work out if things are getting fixed for machines that change IPs all the time (like dialup machines). Anyway, with a little work I could completely automate reporting of addresses that are doing random scanning on various well known ports (e.g. udp 137, tcp 80, 139, 445 and udp 1343). These machines are almost certainly infected by worms and (IMHO ;-) should be off the 'Net until fixed (simply to protect the owners since many of these worms also install remote control backdoors). The reports could be sent out once a day with a single line per detection ( <first time> <last time> <ip> <ports being scanned>). Which ISPs would be interested in subscribing to this free service. BTW this won't happen straight away -- I'm on leave for two weeks (school holidays) and am currently wondering if I am going to get through the Desert Road tomorrow or if I should go down the west side of the mountains... -- Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
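The daily report described in the message above, one line per detection in the form `<first time> <last time> <ip> <ports being scanned>`, could be produced along these lines. This is an added example, not code from the thread: the log format, the watched-port list, the three-target threshold and the prefix-to-contact table are all assumptions, and every address is constructed from documentation ranges.

```python
"""Build per-ISP daily scanner reports from border-filter logs (illustrative)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed watch list: ports whose unsolicited probing suggests worm activity.
# udp/1434 is the MS-SQL resolution service used by Sapphire/Slammer.
WATCHED = {("udp", 137), ("tcp", 80), ("tcp", 139), ("tcp", 445), ("udp", 1434)}

# Assumed threshold: a source must probe this many distinct hosts before it
# is treated as scanning rather than as a client of one of our servers.
MIN_DISTINCT_TARGETS = 3

# Constructed prefix-to-abuse-contact table (hypothetical ISPs).
ISP_PREFIXES = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}
NETWORKS = [(ipaddress.ip_network(p), c) for p, c in ISP_PREFIXES.items()]

# Constructed log lines: "<ISO time> <proto> <src ip> <dst ip> <dst port>"
SAMPLE_LOG = """\
2003-07-08T01:02:03 tcp 192.0.2.10 203.0.113.1 445
2003-07-08T01:03:10 tcp 192.0.2.10 203.0.113.2 445
2003-07-08T01:05:00 tcp 192.0.2.10 203.0.113.3 139
2003-07-08T01:09:40 tcp 192.0.2.10 203.0.113.4 445
2003-07-08T02:00:00 udp 198.51.100.7 203.0.113.5 1434
2003-07-08T02:00:01 udp 198.51.100.7 203.0.113.6 1434
2003-07-08T02:00:02 udp 198.51.100.7 203.0.113.7 1434
2003-07-08T03:00:00 tcp 192.0.2.55 203.0.113.80 80
2003-07-08T03:00:05 tcp 192.0.2.55 203.0.113.80 80
2003-07-08T03:00:09 tcp 192.0.2.55 203.0.113.80 80
2003-07-08T04:00:00 tcp 198.51.100.99 203.0.113.1 25
2003-07-08T04:00:01 tcp 198.51.100.99 203.0.113.2 25
2003-07-08T04:00:02 tcp 198.51.100.99 203.0.113.3 25
corrupt entry without fields
"""


def parse_line(line):
    """Return (when, proto, src, dst, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[3])
        port = int(parts[4])
    except ValueError:
        return None
    return when, parts[1].lower(), src, dst, port


def find_scanners(lines):
    """Map each scanning source to its first/last time, ports and targets."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, proto, src, dst, port = rec
        if (proto, port) not in WATCHED:
            continue  # traffic to other ports is out of scope for this report
        entry = seen.setdefault(
            src, {"first": when, "last": when, "ports": set(), "targets": set()}
        )
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["ports"].add((proto, port))
        entry["targets"].add(dst)
    # A single repeated destination (e.g. a web client) is not a scan.
    return {ip: e for ip, e in seen.items()
            if len(e["targets"]) >= MIN_DISTINCT_TARGETS}


def contact_for(ip):
    """Return the abuse contact for an address, or 'unassigned' if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, contact in NETWORKS:
        if addr.version == network.version and addr in network:
            return contact
    return "unassigned"


def build_reports(lines):
    """Return {abuse contact: ['<first> <last> <ip> <ports>', ...]}."""
    reports = defaultdict(list)
    scanners = find_scanners(lines)
    for ip in sorted(scanners, key=lambda a: (a.version, int(a))):
        e = scanners[ip]
        ports = ",".join(f"{proto}/{port}" for proto, port in sorted(e["ports"]))
        reports[contact_for(ip)].append(
            f"{e['first'].isoformat()} {e['last'].isoformat()} {ip} {ports}"
        )
    return dict(reports)


if __name__ == "__main__":
    for contact, rows in build_reports(SAMPLE_LOG.splitlines()).items():
        print(contact)
        for row in rows:
            print("  " + row)
```

Because dial-up sources change address, the first and last timestamps are what lets the receiving ISP match a line to a customer session.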
participants (18): Aaron Roydhouse, Barry Murphy, Craig Whitmore, Des Berryman, Edward Yardley, J S Russell, jfp, Juha Saarinen, Keith Davidson, Mark Foster, Michael Hallager, Nathan Ward, Neil Gardner, nznog@neilnz.com, Russell Fulton, Simon Byrnand, Steve Phillips, Steve Wright