[IP] more on Advanced Paypal phish - uses faked functional address bar
Begin forwarded message:
From: Rich Kulawiec <rsk@xxxxxxx>
Date: December 1, 2005 11:04:01 AM EST
To: Charles Pinneo <pinneo@xxxxxxxxxxxxx>
Cc: David Farber <dave@xxxxxxxxxx>
Subject: Re: [IP] more on Advanced Paypal phish - uses faked functional address bar
> Paypal says to send theirs to <spoof@xxxxxxxxxx>. Do most people know this?
I doubt it; there's no reason for them to.
What Paypal (and everyone else) _should_ be doing is following RFC 2142,
which specifies that "abuse" is the correct address for every domain to
receive abuse reports -- whether those reports pertain to abuse *by*
the domain (or its customers, etc.) or *of* the domain (or its
customers).
This is not only specified in the RFC, but it's a well-known best practice,
and has been for years.
Unfortunately, many domains have chosen to ignore this -- or to "support"
it in a way that renders it effectively unusable. Those methods include:
- routing its traffic to the bit-bucket
- routing its traffic to an autoresponder that directs senders to use a
  web form -- thus deliberately making it as difficult as possible for
  users to report abuse, cf. "hoop-jumping".
- routing its traffic to an ignore-bot
- using spam/virus filtering methods on the address that make it
  impossible to report spam/virus incidents to the address
- forwarding complaints to those being complained about, thus handing
  over victims' data to the abusers and facilitating spammer
  "list-washing" and various forms of revenge attacks
- routing its traffic to untrained/incompetent staff whose response is
  either that the complaint is in error or has been resolved (Hotmail
  and Yahoo are particularly well-known for this)
- refusing to investigate any complaint not filed by their own customers
- allowing the abuse mailbox to reach its quota and reject subsequent
  messages (Comcast prefers this approach)

and so on.
Happily, there are some exceptions to this: some operations (correctly)
consider every abuse complaint as a possible indicator of a security
emergency, requiring immediate attention from senior personnel until
resolved. Unsurprisingly, these well-run operations don't have to
field many abuse complaints, because the same diligence and
professionalism that allows them to respond promptly and effectively
also enables them to pro-actively address many issues *before* abuse
actually occurs. But unfortunately, these are the exceptions; the
rule is that for most operations, handling abuse traffic is a reluctant
afterthought at best, and thus we have...what we have.
---Rsk
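As an added illustration (not part of the message above or of any list software): a small audit over a Postfix-style aliases table, assumed to be the constructed sample below, that reports for each RFC 2142 role name whether it is missing, routed to the bit-bucket, or handed to a program that still has to be checked for autoresponder or ignore-bot behaviour.

```python
# RFC 2142 network-operations names plus postmaster (required by the SMTP RFCs).
ROLE_MAILBOXES = ("abuse", "postmaster", "security", "noc")

# Constructed sample /etc/aliases, not taken from any real operation.
SAMPLE_ALIASES = """\
postmaster: root
abuse:      /dev/null                      # the bit-bucket the post complains about
security:   "|/usr/local/bin/autoreply"    # a pipe: could be an autoresponder
root:       ops-oncall
"""

def parse_aliases(text):
    """Parse 'name: target, target' lines into a dict; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        table[name.strip().lower()] = [
            t.strip().strip('"') for t in targets.split(",") if t.strip()
        ]
    return table

def resolve(table, name, seen=None):
    """Follow alias chains to their terminal targets; alias loops yield nothing."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    terminal = []
    for target in table.get(name, [name]):  # a name not in the table is a real mailbox
        terminal.extend(resolve(table, target, seen) if target in table else [target])
    return terminal

def verdict(targets):
    """Classify where mail to a role address actually ends up."""
    if not targets:
        return "undeliverable"  # alias loop
    if any(t != "/dev/null" and not t.startswith("|") for t in targets):
        return "delivered"      # at least one mailbox a person can read
    if any(t.startswith("|") for t in targets):
        return "piped"          # verify the program is not an autoresponder/ignore-bot
    return "discarded"          # only /dev/null

def audit(text):
    """Return {role: verdict} for every RFC 2142 name the table should carry."""
    table = parse_aliases(text)
    return {n: verdict(resolve(table, n)) if n in table else "missing" for n in ROLE_MAILBOXES}
```

Running `audit(SAMPLE_ALIASES)` flags `abuse` as discarded, `security` as piped and `noc` as missing, with only `postmaster` actually reaching a person.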
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/