This document explains how Cantv.net processes reports of network activity that is incompatible with our Acceptable Use Policy. It also covers the proper way to create and submit these reports.
The contents of this document are revised whenever new questions or doubts are identified in the communications with our users. Please carefully review the questions and answers that might be related to your doubts, as we've made an important effort to provide ample and complete answers.
If you do not find the answer you need on this site, please let us know by using the links at the end of each page.
- What are abuse reports?
- The need to act upon the abuse reports
- Are all reports equal?
- Why do you protect the identity of the abuse report's author? Isn't this an anonymous report? Is an anonymous report valid?
- Defensive actions applied when the source of the problem lies inside Cantv.net's network
- Defensive actions applied when the source of the problem lies outside Cantv.net's network
- What kind of activity should be reported?
- How to create an abuse report to send to Cantv.net?
- How does Cantv.net process the abuse reports that it receives?
- When sending an abuse report, I got an answer saying that my report was not understood... What happened? What can I do?
- Hostile and continuous activity from an IP address beginning with 200.44.32...
- I'm an ABA user and I detected an incident of "MAC spoofing"
- I need to know the identity of the user that...
What are abuse reports?
An abuse report is a message or communication delivered to a network administration through regular channels. It gives notice of a situation that violates the terms of use of any of the involved parties, and it includes enough technical evidence to support the veracity of the reported incident.
The most common channel for the interchange of abuse reports is email. In fact, Internet's operational standards define a number of special email addresses, for instance postmaster@, hostmaster@ and abuse@, that must always exist and be monitored periodically by the responsible administration.
The need to act upon the abuse reports
There are those who think that being connected to the Internet means that traffic can freely flow through the network. This is not necessarily true. The abundant information security threats force network operators to be selective about which traffic to accept.
Networks that do not respond to the abuse reports they receive gradually become the source of an ever increasing number of security incidents. Virus-infected machines proliferate, because nothing is done to clean them. This is a vicious circle in which, as time passes, more questionable or hostile activity originates from that network.
There is a point, the tolerance threshold, at which other administrations must review whether continuing to exchange traffic with the unresponsive network is worth the risk. No matter how large the network is, if it generates a large enough amount of problems for other networks, they will choose not to exchange traffic with it.
This situation is unacceptable for an ISP such as Cantv.net, which has the duty to guarantee its ability to connect its users to the Internet.
Are all reports equal?
There are many classifications that each operator can apply to the reports it processes. Cantv.net classifies the reports according to the types of incidents (viral infection, sending or receiving spam, hostile network activity and others). This classification is used for statistical purposes that allow us to identify problems and adopt proactive solutions before the severity of the problem shown in the abuse reports escalates and increases the impact on our subscribers.
Another important category is the source of the incident. If the incident originates inside Cantv.net's network, this means we must take actions to correct and avoid the escalation of a problem of one of our users.
When the incident originates outside of our network, generally there is not much we can do about it. Unfortunately, large network operators pass along to their customers, often smaller network operators, the responsibility of solving the problems that cause the abuse reports. Those smaller network operators might not have a swift or strong enough response to stop the problem.
With unsolicited bulk email, spam, the situation has forced us to take defensive actions that prevent the repeated abuse from the same source network and, at the same time, send a strong message to the source of the problem: it is imperative that actions be taken to correct their part of the problem, if they wish to use our messaging platform.
Why do you protect the identity of the abuse report's author? Isn't this an anonymous report? Is an anonymous report valid?
It is very common that whenever copies of the abuse reports are sent as evidence to the incident's sources, they take abusive retaliatory actions. This situation isn't convenient for Cantv.net or its users. If this behaviour becomes widespread, other networks might choose not to send us their abuse reports and simply escalate to blocking or more aggressive measures, without giving us the chance to solve the problem.
Cantv.net takes measures to hide the information leading to the identity of whoever sent the report, as this information is irrelevant. If the abuse indeed happened, the report will come with activity logs that might be compared with those of other networks or systems in order to validate them. Since this is a purely technical topic, the answer must be technical as well.
Defensive actions applied when the source of the problem lies inside Cantv.net's network
The most common violations of our Terms of Use are viral infection and sending of spam, which is generally related to the first.
Because of this, we took a series of proactive and reactive measures that include end-user education and network disconnection to avoid the proliferation of viruses and other problems.
Defensive actions applied when the source of the problem lies outside Cantv.net's network
Just as in the case of abuse originating in our network, Cantv.net is the target of continuous spam and virus attacks.
Most viral attacks are adequately contained by a series of proactive measures that we have implemented.
With spam, we take various types of actions. In the first place, each of the unsolicited messages reported to us, including full headers, is reported to the abuse contact, according to the WHOIS information published by the administrators of the source netblock. Additionally, when a large enough number of complaints is reached, the message source is added to one of our mail filtering lists, which prevents the repetition of the incident.
This combination of actions has generated a marked reduction in the quantity of spam that our users are exposed to, but this is no reason to lower our guard.
What kind of activity should be reported?
In general, it's a good idea to report activity that falls outside the ordinary and that can be considered hostile. It is not easy to define absolute criteria for this, but these are some guidelines:
- Warnings from personal firewalls are typically produced by traffic originated in a machine infected by some virus. These warnings might seem extremely alarming because in many cases, the software vendor wishes to cover his responsibility or persuade you to buy additional security products.
- A large number of warnings in your personal firewall in a short time, especially if each event is different, deserves attention.
- Various different events from the same source directed to different ports or nodes in your network might indicate a problem.
This is not an absolute guide. In general, you can report any activity which makes you uncomfortable. However, it is important to exercise moderation in your reports, so as to not overload the people who must process them, diverting their attention from events associated with larger risks.
How to create an abuse report to send to Cantv.net?
Cantv.net processes its abuse reports through automatic processes, although eventually those reports are read by a human being. Because of this, your report should be as simple as possible, written in clear and to-the-point language. If you suspect some type of activity, say so directly. We will take care of the correlation and investigation of the case.
Reports must include evidence, which in this case means activity logs. The source IP address and a timestamp in a standard format must appear in them, along with the corresponding timezone. Certain timestamp formats are impossible for us to process, because they are ambiguous. We recommend that you stick to formats such as RFC-822 / RFC-2822 or ISO-8601 for the timestamps.
Avoid the use of HTML to write your reports. This only increases the size and in many cases makes the evidence more difficult for us to process. Evidence must be included clearly within the text of the message and not as an attachment.
We cannot process images or pictures as evidence. Most likely, the program logging the events you wish to report can also provide the same information as plain text.
It is always good practice to partially hide nonessential information. For instance, you can hide the last number of your IP addresses as long as the source IP addresses are left intact. This is vital if you're a Cantv.net user, to prevent your own addresses from being identified as the source of the incident.
Usually, only a sample of the events is needed for the investigation and resolution of the case. For instance, if your firewall reported 10,000 penetration attempts, mention this fact but only send a sample of the significant events. This simplifies the investigation process and accelerates the correction, which is what you look for after all.
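The following is an added example, not Cantv.net's own tooling, of preparing evidence the way this section asks: it keeps only events whose timestamps parse as ISO-8601 or RFC-2822 with a timezone, hides the last number of the reporter's own addresses while leaving the source intact, and emits a short plain-text sample. The log layout, the netblock and all addresses are constructed assumptions.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Assumption: the reporter's own netblock (an RFC 5737 documentation range).
OWN_NET = ip_network("192.0.2.0/24")
# Constructed firewall log, one event per line: "<timestamp> | <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2024-03-05T14:02:11-04:00 | 203.0.113.77 -> 192.0.2.14:22
Tue, 05 Mar 2024 14:02:15 -0400 | 203.0.113.77 -> 192.0.2.14:23
03/05/24 14:02 | 203.0.113.77 -> 192.0.2.15:445
2024-03-05T14:03:40 | 203.0.113.77 -> 192.0.2.16:3389
2024-03-05T14:04:02-04:00 | 203.0.113.77 -> 192.0.2.17:80
"""
LINE = re.compile(r"^(?P<ts>.+?) \| (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")

def parse_timestamp(text):
    """Return an aware datetime for ISO-8601 or RFC-2822 input, else None."""
    for parser in (datetime.fromisoformat, parsedate_to_datetime):
        try:
            ts = parser(text.strip())
        except (ValueError, TypeError):
            continue
        if ts.tzinfo is not None:  # no timezone means the time is ambiguous
            return ts
    return None

def mask_own(addr):
    """Hide the last octet of the reporter's own addresses only."""
    own = ip_address(addr) in OWN_NET
    return addr.rsplit(".", 1)[0] + ".x" if own else addr

def build_report(log_text, sample_size=2):
    """Return (plain-text report body, lines rejected as ambiguous)."""
    usable, rejected = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        ts = parse_timestamp(m["ts"]) if m else None
        if ts is None:
            rejected.append(line)
            continue
        usable.append(f"{ts.isoformat()} src={m['src']} "
                      f"dst={mask_own(m['dst'])} port={m['port']}")
    head = f"Suspected hostile activity: {len(usable)} events logged; sample follows."
    return "\n".join([head, ""] + usable[:sample_size]), rejected

if __name__ == "__main__":
    print(*build_report(SAMPLE_LOG), sep="\n\nRejected (ambiguous timestamp): ")
```

The two rejected lines show the ambiguity the section warns about: `03/05/24 14:02` has no fixed day/month order, and `2024-03-05T14:03:40` carries no timezone.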
How does Cantv.net process the abuse reports that it receives?
Cantv.net uses a series of automated tools for the reception, manipulation, analysis and investigation of the received abuse reports. The most universal components in these tools have been placed in the public domain, so that other network operators can use them and emulate our processes, for the benefit of the community.
This automatic processing allows us to correlate, archive and quickly classify large amounts of abuse reports. Later, a series of proprietary processes takes actions based on that information. Most of the time, we take less than 24 hours to stop a flow of hostile traffic originating in our networks.
When sending an abuse report, I got an answer saying that my report was not understood... What happened? What can I do?
You must check the composition of your report. Make sure that you included the evidence, which may be an activity log or a complete mail header. The evidence must include the source IP address and a timestamp in a format we can understand without ambiguity.
You should not use attachments and, preferably, your message must be plain text, without HTML or other ornaments. Finally, check the instructions in this same document on how to create an abuse report.
Hostile and continuous activity from an IP address beginning with 200.44.32...
Various operational groups within Cantv.net monitor the network continuously to detect possible problems proactively, before our users see them.
Some of those activities might be incorrectly classified as hostile.
Cantv.net accepts abuse reports about these incidents, but does not act on them as they are part of our normal operational processes, which allow us to maintain exceptional levels of service availability.
I'm an ABA user and I detected an incident of "MAC spoofing"
(Very technical answer) Most likely this is not the case. For security reasons, the traffic aggregators used for the ABA service hide the physical address (MAC) of the other users that might be sharing it with you.
To guarantee trouble-free connectivity with those machines, the aggregator associates its own physical address to their IP addresses. This can cause your ARP table to contain that MAC address for various IP addresses within your subnet, including the IP address of the default gateway. This is no reason to worry, as this is the expected behavior of the network architecture providing the ABA service.
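An added example, not part of Cantv.net's documentation, that checks whether an ARP table matches the pattern described above: one MAC address answering for several IP addresses, the default gateway among them. The `arp -an` output (Linux net-tools layout), the addresses and the gateway IP are constructed assumptions, and the "unexplained" label only means the entry is not the pattern this answer describes.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output; all addresses are documentation values.
SAMPLE_ARP = """\
? (192.0.2.1) at 02:00:5e:10:00:01 [ether] on eth0
? (192.0.2.23) at 02:00:5e:10:00:01 [ether] on eth0
? (192.0.2.57) at 02:00:5e:10:00:01 [ether] on eth0
? (192.0.2.90) at <incomplete> on eth0
"""
ENTRY = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.I)

def octets(addr):
    """Sort key so that 192.0.2.23 orders before 192.0.2.57 numerically."""
    return tuple(int(part) for part in addr.split("."))

def shared_macs(arp_text):
    """Map each MAC that answers for more than one IP to its sorted IP list."""
    by_mac = defaultdict(set)
    for m in ENTRY.finditer(arp_text):  # incomplete entries have no MAC and are skipped
        by_mac[m["mac"].lower()].add(m["ip"])
    return {mac: sorted(ips, key=octets)
            for mac, ips in by_mac.items() if len(ips) > 1}

def classify(arp_text, gateway_ip):
    """Label a shared MAC 'aggregator' when it also answers for the gateway."""
    return {mac: "aggregator" if gateway_ip in ips else "unexplained"
            for mac, ips in shared_macs(arp_text).items()}

if __name__ == "__main__":
    # Assumption: 192.0.2.1 is the default gateway of the sample subnet.
    print(shared_macs(SAMPLE_ARP))
    print(classify(SAMPLE_ARP, "192.0.2.1"))
```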
I need to know the identity of the user that...
The policy of Cantv.net is to protect the privacy of our users. Because of this, we do not divulge any component of the personal information of our users.
If the action that causes your curiosity justifies it, we recommend that you file a complaint with the legal authorities, so that they channel and endorse your request according to legal requirements.
