nanog mailing list archives

Re: Constant Abuse Reports / Borderline Spamming from RiskIQ


From: "Kushal R." <kushal.r () h4g co>
Date: Tue, 14 Apr 2020 14:58:14 +0530

      
  

I’ll be reaching out to you off list.

On Apr 14, 2020 at 1:55 PM,  <Jonathan M (mailto:jonathan-m () riskiq net)>  wrote:
  
  
  
  
My bad - This was not for Rich but for Kushal who initiated the thread taking the survey about us being "spammers". 
I'm contacting the administrator at Nanog.org now to figure out what I did wrong to properly post to the thread as I 
haven't used the mailing list before. Have a good day. Jonathan
  
  
  
On Mon, Apr 13, 2020 at 9:55 PM Jonathan M  <jonathan-m () riskiq net (mailto:jonathan-m () riskiq net)>  wrote:
  
  
  
This may not have been approved yet by the moderator but was sent to the list about 30 minutes ago....I'm sorry, 
but I'm just learning how to use this list and I am concerned that my post was not properly sent--thus, replying to 
the thread here....thx
  

 Re:   https://twitter.com/RiskIQ_IRT/status/1249721818602070016?s=20   

  
Hi, Rich,
  

  
I hope you are well. If you ever encounter an incident that you think could have been handled better on our end, we 
aspire to continuously improve, and don't claim to be perfect.
  

  
Rather than blocking our abuse notification to the abuse POC, it would be better to let us know you have concerns 
so that we can improve our communications. Blocking us on Twitter and shutting off communication is no better than 
if we were to just send your customer's domain to a blacklist without notifying you of a compromise so that it can 
possibly be patched. Let's keep the overall goal in mind -- it's to make the internet safer by flagging possible 
violations of your acceptable use policy that may lead to compromised personal data or sensitive credentials of 
innocent visitors online.
  

  
Before anything is posted to Twitter, I personally review the history of the event to see if we have exhausted all 
reasonable steps to mitigate harmful cyber activity or operations on network infrastructure short of always picking 
up the phone or using the fax. While we have attempted to do that in the past for each event, there is just too 
much harmful cyber activity going on for us to be relying on phone calls to try and reach the abuse team to ask 
that our ticket be prioritised after an unreasonable period of time has elapsed. We have thousands of escalations 
that we need to handle and most of the time though not across the board, when we call to reach the abuse teams, we 
are unsuccessful in reducing the time to remediation.
  

  
The goal is not to shame anyone per se. It's to create more transparency regarding a problem that we all need to 
work together on. It's similar to where nation state actors use public attribution as part of mitigation to improve 
the Internet from cyber attacks. We did not block you on Twitter, and after every tweet, we follow up with the 
appropriate abuse point of contact to raise visibility of the matter, as well as to the PR team, and applicable 
computer emergency response teams as well as attorneys general or other applicable authorities.
  

  
We all need to work together. Please do not hesitate to contact me and I will make sure we are meeting our end of 
aspiring to be a good partner, and look forward to working with you as the need arises. Stay safe and healthy in 
these challenging times, and we wish you the best.
  

  
I'm happy to discuss offline as well. We can set up a time to discuss and improve the mitigation workflow on both 
sides.
  

  
Best regards,
  
Jonathan Matkowsky
  
VP, Digital Risk
  
RiskIQ, Inc.
  

  

    
  
  
On Mon, Apr 13, 2020 at 9:41 PM Tom Beecher  <beecher () beecher cc>  wrote:
  
  
I would agree that Twitter is not a primary place for abuse reporting.     

  
If they are reporting things via your correct abuse channel and you are indeed handling them within 48 business 
hours, then I would also agree this much extra spray and pray is excessive. However RiskIQ is known to be pretty 
responsible, so if they are doing this they likely feel like they are NOT getting appropriate responses from you 
and are resorting to scorched earth.   Have you attempted to reach out to them and make sure they have the proper 
direct channel for abuse reporting?   
  
  
  
  
On Mon, Apr 13, 2020 at 1:45 PM Kushal R.  <kushal.r () h4g co (mailto:kushal.r () h4g co)>  wrote:
  
  
  
  

All abuse reports that we receive are dealt with within 48 business hours. As far as that tweet is concerned, it’s 
pending for 16 days because they have been blocked from sending us any emails due to the sheer amount of emails 
they started sending and then our live support chats.
  

  
We send our abuse reports too, but we don’t spam them to every publicly available email address for an 
organisation. It isn’t difficult to look up the Abuse POC for an IP or network, and just because you do not get a 
response in 24 hours does not mean you forward the same report to 10 other email addresses. Similarly, Twitter 
isn’t a place to report abuse either.
  

  
  

  
  
  
On Apr 13, 2020 at 9:37 PM,  <Rich Kulawiec (mailto:rsk () gsp org)>  wrote:
  
  
  
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and timelines but this constant spamming by them from various channels is not appreciated.

Quoting from:

https://twitter.com/RiskIQ_IRT/status/1249696689985740800

which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported to @Host4Geeks (Walnut, CA) from as far back as 16 days ago, and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH better -- then shut down your entire operation today as it's unworthy of being any part of the Internet community.

---rsk

  
  
  
  
  
  
  
  
  
  
  
  