Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

[Brandon Martin <lists.nanog () monmotha net>]

On 4/15/20 11:33 PM, Ross Tajvar wrote:
> Can you give some examples of the things you mention above? I'm not 
> doing much in terms of customer filtering and would be interested to 
> hear what others consider best practice.

My experience is that there's two groups of customers that are 
problematic from an abuse standpoint:

* Those who intend to abuse your network
* Those who enable others to abuse your network

The former are of course a little easier to detect up front and much, 
much easier to give the axe when they do commit AUP violations.  It 
looks like others have already given some hints as to how to detect 
these kinds of folks up-front.  I'd also recommend looking for 
references for any new customer who wants a very large amount of 
resources, explicitly wants to send email, is bringing their own IP 
space (especially if they are leasing it), etc.

The latter are far more problematic for legitimate operations.  I don't 
really run "hosting" providers as I'm mostly in the business of mid- and 
last-mile networks, but I always try to ask anyone who's either buying a 
plan that explicitly permits "hosting" or who is asking for personal-use 
exemptions to anti-hosting provisions in the AUP (which I do permit) 
what their intent is.  I don't really care so much what they're doing as 
long as they know what they're doing and that I get a vibe from them 
that they are competent.  "I want to host my wordpress blog" is an 
instant red flag since compromised wordpress instances are one of the 
biggest sources of snowshoe hosting in my experience.
--
Brandon Martin