Opening up another pet peeve I see.. 

Yes, (and absolutely no reflection on the MS lurkers on this list) this is a 
pain point of our team as well.

A lot of attention was given to Microsoft's role in takedowns of miscreants 
that are attacking them, but when the attacker is on Azure, the story is quite 
different.  But this is not just about Microsoft, but about several big cloud 
providers. Not only is it very difficult to get a response, but when you do it 
is usually "We have notified the customer", or even worse, "We have notified 
the reseller" and that's where it ends.  Hackers are turning more often to 
these providers simply because of the slow takedowns.

Now, with spammers it is pretty simple, block the source IP, but when the 
spammer is sending malicious materials, like viruses and ransomware, there need 
to be better takedowns, otherwise the bad actor simply continues on.  We see 
there is also a big trend towards AUTH attacks, using Azure IP space to hack 
email accounts, BEC (Business Email Attacks), and other activity that is 
dangerous and illegal.

These threats as a community we should NOT tolerate.  IF the server was hacked, 
and the owner is not at fault, it should STILL be taken down, it is dangerous 
every second it is up, and the hacker is making money every second, and the 
longer he can do that, the more he will try again.

Now, don't get me wrong, I think I understand WHY takedown practices are so 
bad.  Aside from the very low budget given to abuse teams, when you have 
management telling you that all you can do is 'let the customer know', as an 
abuse person you would get pretty jaded.. hard to respond to a complaint, when 
you know your hands are tied. This isn't a new phenomenon, the problem is over 
20 years old, "Don't do anything that could possibly affect a paying customer". 
We still have ISPs that aren't blocking port 25 outbound from dynamic IP 
space. 

But I boldly predict that this is the year that things will change.  Attitudes 
are changing.  (The removal of Trump from Twitter is a good example) The last 
few years too much emphasis has been placed on 'privacy' protection and user 
rights, and the bad guys are benefiting from those practices.  

It isn't hard to stop, many of us in the infosec field could be giving data 
feeds to the big players, if they can't see it themselves, (sure maybe these 
large providers should contribute more to these infosec players), but I am sure 
many would offer it for free, IF they knew it would have an impact.  I know our 
team has probably not bothered to even report these to Azure anymore, because 
it is a waste of time, and that's sad.  I mean, the volume we see every day, it's 
simply impossible to go through the standard 'reporting channels'. I know many 
others who have given up.  And this means more 'last resort' activity instead, 
and by that I mean 'blacklisting' or blocking traffic of those that don't 
respond to takedown requests.

Speaking to the cyber crimes people in my circle, I hear it more and more. They 
are simply fed up.  They are going to get more aggressive and simply start with 
takedown orders, when a provider doesn't seem to co-operate.  You can expect a 
lot more.. how best to describe it.. heavy handed approaches.

You can help, you can lobby your politicians to allow more to be done, and you 
can expect that "this is the year where providers will start becoming 
responsible for the activity on their networks", legally...

Sure, the ISPs and hosting companies are fighting that, but it's on their own 
heads.  If they would have done more on their own, it would not have reached 
this point.

There is too much damage being done, the criminals are too successful.. This is 
the year when people are going to get fed up I predict, and are going to demand 
change.  We already are seeing faster takedowns of dark web sites, more 
networks getting shut down, and more domain names being shut down.. but the next 
step is coming.. 

2021 is going to be a great year everyone! Let's all do what we can to make the 
world a safer place.





On Thu, 14 Jan 2021 12:34:27 +0100
Peter Nicolai Mathias Hansteen via mailop  wrote:
> 
> 
>> On 14 Jan 2021 at 12:20, Hans-Martin Mosner via mailop wrote:
>> 
>> On 09.12.20 at 08:43, Hans-Martin Mosner via mailop wrote:
>>> Today we got a response to our abuse reports requesting that we report 
>>> these to j...@office365.microsoft.com - I
>>> would've thought that within one corporation, forwarding of abuse tickets 
>>> should work somehow.
>> 
>> Well it looks like reporting to j...@office365.microsoft.com is completely 
>> useless. No response, no reaction, no
>> reduction in spam.
>> 
>> Is there a reporting address for azure that is read and acted upon?
> 
> I tend to include abuse at the parent domains (hotmail.com, outlook.com and 
> Microsoft.com) as cc:. You probably will not get any response other than the 
> automated one from «The Outlook team», but the flow has decreased somewhat 
> since I started cc-ing those addresses.
> 
> - Peter
> 
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
> 
> 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> 


-- 
"Catch the Magic of Linux..." 
------------------------------------------------------------------------ 
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
------------------------------------------------------------------------ 
A Wizard IT Company - For More Info http://www.wizard.ca 
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
