[Intrusions] `tattle`, now with goodness
C.J. Steele, CISSP
coreyjsteele at yahoo.com
Tue Jun 14 01:43:13 GMT 2005
Andrew;
If you're reading the [intrusions] list, you're probably not seeing
quite a bit of the lynching I've taken on [bugtraq], which has caused
`tattle` to evolve in many of the ways you're suggesting. Given the
types of attacks we're all seeing, I suspect you'll find that `tattle`
makes a best-effort attempt to report the mail to the right parties
(i.e. abuse.net and then whois, where abuse doesn't reply), reverse
lookups of IP addresses, etc.
I realize it's probably a pretty big favor to ask, but if you would
share your custom list of abuse contacts, I would very much appreciate
it. I don't know how I could incorporate that, but I'd love to take a
stab at it if it looks like something that might be of value. Plus,
I'd certainly be interested in taking a look at your script to report
viruses; that would be interesting.
Best Regards,
Corey
--- Andrew Daviel <andrew at andrew.triumf.ca> wrote:
>
> Interesting thread; just started reading as I posted something
> completely different.
>
> I haven't had time to look at tattle in detail, but I've been running
> something vaguely similar for a few years to report viruses.
>
> A few observations:
>
> Whois lists DNS and network administrators and they don't really like
> to be bothered with "security spam", especially the big ISPs and big
> companies, as it may be someone's private email rather than a role
> account. Small places it's probably all the same guy, so it doesn't
> matter.
>
> Some registries list abuse or security mail, some don't. It's worth
> grepping whois records for "abuse@". Sometimes there's a record
> "added by" as well as "person"; ideally a script needs to pick the
> correct one.
>
> It's important to give date/time/timezone etc., the time that numeric IPs
> were resolved, who to reply to in case of problems, etc. etc.
> Most abuse contacts don't like attachments; a few refuse to take mail
> and want you to fill out a special form (tough; I'm not doing that unless
> it's critical...)
>
> whois.abuse.net is pretty good. Though I noticed at one point they
> were setting a default of "postmaster" instead of returning nothing.
> Again, not a great place to email, so I filtered that out.
>
> I have a private list I populate by hand from return email for things
> like AOL (tosgeneral at aol.com) and so on. It's up to 600 or so entries
> I think by now.
>
> Many IPs, especially outside North America, do not resolve. I then
> try to start at ARIN and work down. Hopefully not too many mails to ARIN,
> APNIC, IANA etc. themselves, though a few do get through. The idea is
> to follow the block assignations to the most exact match, try and figure
> out who owns it, try and find an address in abuse.net, and if all else
> fails then try one of the registrant addresses.
>
>
> My script is a bit of a mess and needs rewriting. And it's a bit more
> complicated in that it tries successive received headers rather than
> just one IP address. But if anyone is interested I can make it available.
>
>
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> security at triumf.ca
>
>
--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>
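The contact-selection order Andrew describes above (hand-kept private list, abuse.net with its "postmaster" default filtered out, grepping the whois record for abuse@, and finally a registrant address), as an added Python sketch that is not code from `tattle` or from Andrew's script. The whois record and abuse.net reply below are constructed samples, and the private-list entry is the AOL example from the thread.

```python
import re
from typing import Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample whois record for a netblock (hypothetical data).
SAMPLE_WHOIS = """\
inetnum:       192.0.2.0 - 192.0.2.255
person:        Jane Doe
e-mail:        jane.doe@example.net
abuse-mailbox: abuse@example.net
changed:       noc@example.net 20050101
"""
# Constructed sample whois.abuse.net reply offering only the default.
SAMPLE_ABUSE_NET = "postmaster@example.net (default, no info)\n"
# Hand-maintained overrides keyed by domain, like Andrew's private list.
PRIVATE_LIST = {"aol.com": "tosgeneral@aol.com"}


def abuse_net_contacts(reply: str) -> list:
    """Addresses in an abuse.net reply, minus the 'postmaster' default."""
    return [a for a in EMAIL_RE.findall(reply)
            if not a.lower().startswith("postmaster@")]


def whois_abuse_contacts(record: str) -> list:
    """The 'grep whois for abuse@' step: abuse@ or abuse-mailbox addresses."""
    found = []
    for line in record.splitlines():
        for addr in EMAIL_RE.findall(line):
            is_abuse = (addr.lower().startswith("abuse@")
                        or line.lower().startswith("abuse-mailbox"))
            if is_abuse and addr not in found:
                found.append(addr)
    return found


def choose_contact(domain: str, abuse_net_reply: str,
                   whois_record: str) -> Optional[str]:
    """Pick one report address in the order the thread describes:
    private list, abuse.net, abuse@ in whois, then any registrant address."""
    if domain in PRIVATE_LIST:
        return PRIVATE_LIST[domain]
    for candidates in (abuse_net_contacts(abuse_net_reply),
                       whois_abuse_contacts(whois_record),
                       EMAIL_RE.findall(whois_record)):
        if candidates:
            return candidates[0]
    return None
```

The real lookups (a whois query against the registry and against whois.abuse.net) are left out so the sketch runs offline; plug their text output into the two reply arguments.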