Are you an abuse desk operator? Ever suffered the wrath of NANAE when you didn't shut down a spammer the very second they notified you of the presence of the spammer?
Well, I've seen it over and over again, and I thought this post to SPAM-L from Gary S Callison really summed up my feelings on it:

> As to UUNET, what do you consider to be an acceptable amount of time
> between their receiving an abuse complaint and the spammer being
> terminated? I'm not asking how many fingers are in the pie, or why the
> delay is as long as it is, I'm asking what *YOU* consider to be
> acceptable. If your answer is measured in days or weeks rather than
> hours then what we have is a failure to communicate.

Shmuel: You (and anyone else who thinks this) really need some experience
working at even a mid-tier ISP - say one with a couple hundred
thousand to half a million users or so. You will spend a few months
dealing with a queue depth that hovers around a week or so, and then
you'll either see reason or get fired for trying to cowboy every incident
and being too draconian in a misguided attempt to close tickets faster.

Incidents require investigation, from the dialup luser whose roommate is
spamming while he's off at work, to the chucklehead who has Klez but
knows he's okay because he runs the "Klez Removal Tool" (i.e., Elkern.D)
every day, to the OC-3 sold to a reseller sold to a webhosting firm who
host a website registered to Johnathan Cosie that has never actually sent
any spam or hosted any webpages referenced in any spam. All of those
investigations take time. How much time? I dunno. Minutes or hours.

Now suppose you get a thousand incident reports a day, referencing
a few score distinct incidents. You sift through all of that crap (takes
time) to aggregate into the incidents, then you have a couple dozen
incidents that each take 'minutes or hours'. You have (just suppose) a
really well-staffed abuse desk for a smaller provider: five people. You
triage out 'easy to close' and give those to the new guy, which removes
all of the 'minutes' and knocks your queue down by half. Now, assume one
of your people did all of the ticket-aggregating in half a day. You have
3-1/2 man-days at this point to close a dozen or two tickets on a scale of
'hours' apiece. Are you going to tread water and never get your queue
backlog down? Yes, if you're lucky. So your response time is going to
stay at a week - unless you get something really tricky like a whackamole
using stolen accounts, a rooted box with a proxy or relay they can open
and close at will, a compromised router that the bad guys can put stolen
routes on, or something like that. Then you're going to get even further

Meanwhile, in n.a.n-a.e, the torch-bearing mob will be chanting for your
head on a pike. "Takes 'em a week to close a fucking dropbox, pieces of
shit." Never mind that the dropbox is hosted on a lights-out-
administration webhost which is hosted on a reseller and both
of those only have one guy doing abuse part-time. You're there, you've
seen the ticket, you've told them to fix their shit, it's not your fault,
and the loudmouthed pricks in n.a.n-a.e are calling for YOUR head? Fuck 'em.
They don't have a clue what the hell is going on; you do. Right?

I don't know what the collective wisdom of n.a.n-a.e aggregates to an idea
of "how long should it take for a provider to resolve an issue", but if
that answer is hours, rather than days or weeks, people who believe that
have a failure to understand the magnitude of the issues involved. And
responding to reality with "Well, they should just hire more people then!"
will get you a "Thank you, Captain Obvious" from anyone working at any of
those overworked understaffed abuse desks. They're doing the best they
can, and if that takes days or weeks rather than hours, deal with it.