SANS ISC: Abuse addresses SANS ISC InfoSec Forums

Abuse addresses

Ian wrote in the following: "Would it perhaps be a useful thing to put a note in the ISC diary as a reminder for people to make sure that their 'abuse@domain' addresses are actually working? I've lost count of the number of full mailboxes, broken redirects &c I see."

According to RFC 2142, organizations that accept email are supposed to have working abuse@domain and security@domain addresses. The reason is quite simple: if someone outside your organization notices something, they will need to get in touch and let you know. Recent examples include Conficker and other pieces of malware, where you may have infected systems and a good Samaritan would like to have you clean them up. Email is one of the simpler and faster methods of doing so. If you don't have one, the mailbox is full, it bounces, or it is not monitored, you miss out on the chance to be advised that something bad is up.

On the flip side, these addresses can also quickly swamp helpdesks or whoever is supposed to be following up. They also tend to attract spam. If you receive a sufficient quantity of email to abuse@, it is probably advisable to have an automated process to weed through the flood, although this introduces the risk that important email could be ignored.

Thoughts or feedback?

Adrien de Beaupré Inc.

Adrien de Beaupre

ISC Handler
Apr 6th 2009
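
One way to check your own domain for the failure modes the diary lists (no mailbox, full mailbox, bounce), as an added example that is not part of the original diary. The names `classify`, `probe` and `needs_attention` are hypothetical, the sample replies are constructed, and the reply-code mapping follows the standard SMTP codes (RFC 5321) and enhanced status codes (RFC 3463), which goes beyond what the diary itself spells out:

```python
import re
import smtplib

ROLE_MAILBOXES = ("abuse", "security")  # the two addresses the diary names

def classify(code, text=""):
    """Map an SMTP RCPT TO reply onto the failure modes the diary lists."""
    m = re.search(r"\b[245]\.(\d{1,3}\.\d{1,3})\b", text)  # RFC 3463 enhanced code
    detail = m.group(1) if m else ""
    if detail == "2.2" or code == 552:
        return "mailbox_full"
    if detail == "1.1" or code in (550, 551, 553):
        return "rejected"            # no such mailbox, or a redirect that bounces
    if 400 <= code < 500:
        return "temporary_failure"   # retry before raising an alarm
    if code in (250, 251):
        return "accepted"            # deliverable; says nothing about who reads it
    return "unknown"

def probe(mx_host, domain, mail_from="", timeout=15):
    """Ask your own MX whether it would accept mail for each role address.
    The session ends after RCPT TO, so no message is sent."""
    results = {}
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.mail(mail_from)
        for local in ROLE_MAILBOXES:
            addr = f"{local}@{domain}"
            code, msg = smtp.rcpt(addr)
            results[addr] = classify(code, msg.decode("utf-8", "replace"))
    return results

def needs_attention(results):
    """Addresses whose status is anything other than 'accepted'."""
    return sorted(a for a, status in results.items() if status != "accepted")

# Constructed replies (not captured from a real server) for an offline run.
SAMPLE_REPLIES = {
    "abuse@example.org": (552, "5.2.2 Mailbox full"),
    "security@example.org": (250, "2.1.5 Ok"),
}
SAMPLE_RESULTS = {a: classify(c, t) for a, (c, t) in SAMPLE_REPLIES.items()}

if __name__ == "__main__":
    print(SAMPLE_RESULTS, needs_attention(SAMPLE_RESULTS))
```

An "accepted" result only shows that the server takes the recipient; a catch-all server accepts everything, so periodically sending a real test message and confirming that someone answers it is still needed to cover the "not monitored" case.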
I would disagree in part. RFCs are subject to interpretation, and my interpretation is that not all of these mailboxes are required, including "security@domain.tld". While the RFC is quite specific regarding the abuse mailbox, it does not tie this to e-mail services; rather, the existence of a domain necessitates the Abuse mail, as it is not tied to a protocol; rather, it is tied to the existence of a domain.

Yet it also states that if a service is implemented the associated mailbox must exist, yet clearly identifies services vs. network operations. Most domains are not held by organizations that operate public networks. Traffic originating from their site may fall into the abuse category, but they do not provide network or security services in most cases to users other than their own internal users, thus no public address is necessary for NOC or SECURITY in these cases. In fact, most complaints about network issues and security problems originating from one or more IPs are addressed to the ISP who is assigned the IP block, not the ISP's customer. I would contend that while all organizations having Internet-connected networks should be concerned with Network Operations and Security, that does not constitute an available and accessible service to anyone on the Internet and therefore is not a requirement, as the service is not implemented in a publicly accessible form.
