[Intrusions] `tattle`, now with goodness

Andrew Daviel andrew at andrew.triumf.ca
Tue Jun 14 00:47:02 GMT 2005


Interesting thread; just started reading as I posted something completely
different.

I haven't had time to look at tattle in detail, but I've been running
something vaguely similar for a few years to report viruses.

A few observations:

Whois lists DNS and network administrators and they don't really like to
be bothered with "security spam", especially the big ISPs and big
companies as it may be someone's private email rather than a role
account. Small places it's probably all the same guy so it doesn't
matter.

Some registries list abuse or security mail, some don't. It's worth
grepping whois records for "abuse@". Sometimes there's a record
"added by" as well as "person"; ideally a script needs to pick the
correct one.

It's important to give date/time/timezone etc., time that numeric ips
were resolved, who to reply to in case of problems etc. etc.
Most abuse contacts don't like attachments; a few refuse to take mail and
want you to fill out a special form (tough; I'm not doing that unless
it's critical...)

whois.abuse.net is pretty good. Though I noticed at one point they were
setting a default of "postmaster" instead of returning nothing. Again,
not a great place to email, so I filtered that out.

I have a private list I populate by hand from return email for things
like AOL (tosgeneral at aol.com) and so on. It's up to 600 or so entries I
think by now.

Many ips, especially outside North America, do not resolve. I then try to
start at ARIN and work down.  Hopefully not too many mails to ARIN,
APNIC, IANA etc. themselves though a few do get through.  The idea is to
follow the block assignations to the most exact match, try and figure out
who owns it, try and find an address in abuse.net, and if all else fails
then try one of the registrant addresses.
My script is a bit of a mess and needs rewriting. And it's a bit more
complicated in that it tries successive received headers rather than just
one ip address. But if anyone is interested I can make it available.
-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca
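The selection rules described in the post above (prefer an abuse@ mailbox, drop the generic postmaster@ default some lookup services fill in, fall back to a registrant address, and match the most specific netblock when walking down from the registry) as an added Python example; this is not Andrew's script, and the whois text, netblocks and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the concatenated output of two whois lookups for one
# address, a parent allocation and a smaller assignment beneath it. Only the
# more specific record carries a real abuse mailbox; the parent lists a
# generic postmaster address that should not be mailed.
SAMPLE_WHOIS = """\
inetnum:       203.0.0.0 - 203.0.255.255
netname:       EXAMPLE-PARENT
e-mail:        postmaster@example.net

inetnum:       203.0.113.0 - 203.0.113.255
netname:       EXAMPLE-CUST
abuse-mailbox: abuse@customer.example
admin-c:       JD123-TEST
e-mail:        john.doe@customer.example
"""

GENERIC_DEFAULTS = ("postmaster",)          # never a good place to report to
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
INETNUM_RE = re.compile(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", re.M)


def extract_contacts(whois_text):
    """Split the addresses in a whois record into (abuse, other) lists.

    Mailboxes whose local part mentions 'abuse' are preferred; generic
    defaults such as postmaster@ are dropped. Order kept, duplicates removed.
    """
    abuse, other = [], []
    for addr in EMAIL_RE.findall(whois_text):
        local = addr.lower().split("@")[0]
        if local in GENERIC_DEFAULTS or addr in abuse or addr in other:
            continue
        (abuse if "abuse" in local else other).append(addr)
    return abuse, other


def most_specific_block(ip, whois_text):
    """Return the smallest inetnum range containing ip as 'start - end'."""
    target = int(ipaddress.ip_address(ip))
    best = None
    for start, end in INETNUM_RE.findall(whois_text):
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        if lo <= target <= hi and (best is None or hi - lo < best[1] - best[0]):
            best = (lo, hi)
    if best is None:
        return None
    return f"{ipaddress.ip_address(best[0])} - {ipaddress.ip_address(best[1])}"


def choose_recipient(whois_text):
    """Order of preference from the post: abuse mailbox, then a registrant."""
    abuse, other = extract_contacts(whois_text)
    return (abuse or other or [None])[0]
```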
