[RFCI-Discuss] Posit: abuse@aol.com
Vincent Schonau
vince at niet.net
Mon Feb 27 10:07:12 EST 2006
Derek J. Balling wrote:
> $VICTIM knows who he/she is, and should stay out of this discussion for
> the first 24-48 hours. I want to hear unbiased responses. :-)
I am one of the people who reads and responds to reports to abuse@, at
my workplace. I'm also aware of who $VICTIM is (but that has no relevance
to the discussion).
> Posit:
>
> - $VICTIM is the recipient of between one and two thousand
> illegitimate messages from AOL.com mail servers, crushing them
>
> - After failing to get anyone at AOL's attention, $VICTIM configures
> their system to generate an e-mail to abuse@aol.com for each individual
> message of those 1500+ messages
>
> - AOL.com, after $VICTIM'S_IP (or maybe e-mail address, don't know),
> sends "N" messages, views this as an attack and ceases accepting abuse@
> messages from this IP/address.
>
> - $VICTIM requests (there's no submission yet, so don't bother
> looking) that we list AOL.COM in the abuse zone
> .... is aol.com rfc-ignorant for the abuse zone?
> The yes argument:
>
> Each individual message is relevant to an abusive message. If AOL
> wants to generate abuse at "X" rate, they need to be prepared to accept
> complaints about it at "X" rate.
$VICTIM complains that the messages he's receiving constitute (part of)
a DDoS attack. If we accept it is, then as the volume of messages
redirected by $VICTIM's actions to AOL's abuse-address is of the same
order of magnitude, is abusive, and AOL is entitled (expected?) to
defend against it.
This reasoning also fails when the problem-protocol isn't e-mail.
Occasionally, some of our customers will generate several hundred
DNS-queries per second for a single hostname (record). If we were to
have to expect several hundred complaints to our abuse-address for
complaints about such abuse, we would have to scale up the systems that
are currently serving mail for 300k customers - by doubling them.
> The no argument:
>
> Rate limiting, for situations like this, is perfectly normal and
> acceptable. It's impossible, or extremely technically difficult, to
> differentiate between "the person who is attacking/spamming our abuse
> address" and "the person who is sending us thousands of extremely
> similar messages, each one of which is itself a legitimate complaint".
I have sympathy for $VICTIM's predicament, and think his complaint is
legitimate. I don't think the fact that AOL protected their
abuse-handling infrastructure against his or similar attacks makes them
rfc-ignorant (quite the opposite: the fact that they're taking such
measures underscores their understanding of the importance of an
available and working abuse@ contact).
It makes no sense for rfc-ignorant.org to consider filtering for
*general* abuse (i.e., DNS blocklists) acceptable, but filtering for
specific attacks directed at the mailbox in question.
Vince.