Service providers are flooded with reports of network abuse on a daily basis, making service provider security a top priority. To deal with the multi-layered abuse effectively, it’s important for service providers to use reliable inbound abuse channels to stay on top of the latest service provider security threats.
Cybercrime and network abuse are on the increase, with the number of reported security incidents rising around the world by 48% in 2015 to 42.8 million – the equivalent of 117,339 attacks per day. To deal with this ongoing network abuse, service providers need all the latest abuse information and reports at their fingertips.
Common Inbound Abuse Channels
Common Inbound Abuse Channels that reliably deliver up-to-the-minute information about security threats and network abuse include:
- The abuse@mailbox. A service provider’s abuse@mailbox is simply a mailbox where abuse reports can be directed. It’s important not to scan and block spam from this mailbox, as you could end up blocking reports of spam from within your own network. Rather tag all inbound traffic with a spam score that allows your team to easily sort and identify spam during the parsing and analyzing process. For enhanced security, don’t use an autoresponder when you receive the following types of mail in your abuse@mailbox:
- Envelope-sender contains “no-reply@”,“noreply@”, or “nobody@”
- Messages with an empty envelope-sender
- The subject line contains “[no-reply]”
- Contains “X-Auto-Response-Suppress: All” (Microsoft Exchange) Header
- Contains "Auto-Submitted: auto-generated" (RFC 3834) Header
- Regional Internet Registries (RIRs). The five major RIRs are RIPE, ARIN, LACNIC, APNIC, and AFRINIC. They are responsible for delegating blocks of IP addresses to service providers. They keep accurate records of companies that have received each block, which is recorded in the RIRs’ whois services. If your abuse team detects abuse coming from a particular IP address, they can use the RIRs’ whois service to see who is responsible for the abuse. This abuse can then be reported to the abuser’s service provider, and it becomes their responsibility to mitigate or remediate it.
- Web Forms: Spam reports often come from a private person sending or forwarding you a spam message and asking you to make it go away. The biggest problems a network abuse team usually faces with these types of reports are either missing details on the incident or reports arriving in a format that cannot be parsed automatically. Web forms can help prevent this with fields that guide reporters through the process of submitting an accurate report.
- Application Programming Interfaces (APIs). APIs can be used to automate large amounts of data in the abuse handling process. The only disadvantage of an API is the amount of time needed to manage them.
- Abusix’ Abuse Contact DB. Abusix’s Abuse Contact Database works similarly to the RIRs whois service, as it allows you to report network abuse directly to network owners. The database is easy to use – it’s DNS driven and you can send requests to the DNS server in the same ways you would with an RBL or any other DNS-based list.
Create A Structured Report Format
Unstructured data creates hours of unnecessary work, so it’s important for incoming reports to arrive in a common format that doesn’t require complicated rule sets. If you see high- or medium-volume reports coming from a reporter and they are not in a machine-parsable format, inform them that they should switch to a machine-parsable format such as X-Arf. X-Arf has become the M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group) best practice.
Once the data has been received, it should be parsed and analyzed. The type, category, and priority level will depend on whether the abuse is mitigated or remediated. Remediation occurs when the abuse can be completely eliminated. Mitigation occurs when the abuse cannot be fully remediated, but its occurrence and effect can be minimized
Companies like Abusix have specialist products like AbuseHQ, which improves service provider security and reveals insights buried deep within your network abuse reports, helping your service provider reduce abuse and support ticket volumes. To find out more about how AbuseHQ can help abuse desks perform at their best, request your free demo today.