[Dshield] Ren: NTL support/abuse staff

R.H. Cotterell seec at mail.retina.ar
Thu Aug 30 17:48:40 GMT 2001


dshield-request at dshield.org's e-mail of 30 August 2001 9:54 stated:

>Message: 5
>From: "john.worley" <john.worley at ntlworld.com>
>Date: Wed, 29 Aug 2001 20:27:01 +0100
>Subject: [Dshield] Fw: NTL Support/Abuse Staff
>
>Hi All.    I have read this on My ISP's Newsgroup and was wondering if
>in fact this is right, as I have also been shown as an attacker Three
>Times,  Is there any truth in what Robin Walker has pointed out.
>Many Thanks  John Worley.

Please scroll further down for appropriate comments.  Thanks.

>
>----- Original Message -----
>From: "Robin Walker" <rdhw at cam.ac.uk>
>Newsgroups: ntl.support.broadband.cm
>Sent: Wednesday, August 29, 2001 7:28 PM
>Subject: Re: NTL Support/Abuse Staff
>
>
>in article b1aj7.4804$%P3.25208 at news11-gui.server.ntli.net, Paul H at
>paul.humphreysno spam at ntlworld.com wrote on 29/8/01 18:56:
>
>> I regularly send my Zonealarm firewall logs to this organisation
>> http://www.dshield.org/ and have now been told that my IP, (that's you
>> NTL), have been involved in attacks on other users. Their report reads:.....
>>
>> IP Address: 62.253.32.5
>> HostName: inktomi2-nor.server.ntl.com
>> DShield Profile: Country: GB
>> Contact E-mail: nmc at ntli.net
>> Total Records against IP:  3
>> Number of targets:  3
>> Date Range: 2001-08-04 to 2001-08-04
>> Ports Attacked (up to 10):
>>
>> Please advise current status of your Servers and Inktomi Caches...do they
>> need patching?
>
>I think this Dshield report is worthless.  Consider:
>
>1. an NTL user sends their web browser to http://[IP number or DNS address
>somewhere]/
>
>2. The request is routed via the local web proxy.
>
>3. The target host is firewalled on port 80, and registers a stopped attempt.
>
>4. That host's user sends their logs to Dshield.
>
>5. The web proxies get listed as attackers.

Hey Cantab (that's to say, Robin Walker), what you state does NOT make the 
Dshield report worthless, merely cryptic to the extent that it does not provide 
sufficient information for the ISP to review its logs in order to pin-point the 
offending party that made an attempt on a third party.

Dshield should offer to provide the pertinent log information as a second step 
after initial bilateral contact has been established.  :-)

That closes the circle and makes for VERY VALUABLE precise input. This means 
one does not *punt* around worthlessly!

>
>--
>Robin Walker
>rdhw at cam.ac.uk
>
Cheers and a beer!


--
Richard H. Cotterell <mailto:seec at mail.retina.ar>

A quotation for your reading pleasure:
There's no trick to being a humorist when you have the whole
government working for you.
  -Will Rogers
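
The log review discussed in the message above, as an added example that is not part of the original e-mail or of DShield's own tooling: given the target IP, port and time from a report, it searches the ISP's proxy log for the client behind the proxy. It assumes the proxy writes Squid-style native access logs; all addresses, timestamps and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log. Assumption: Squid native access.log layout
# (end-time elapsed-ms client action/code bytes method URL ident hier/peer type).
PROXY_LOG = """\
996922801.120 30012 10.20.1.15 TCP_MISS/504 1024 GET http://192.0.2.44/ - DIRECT/192.0.2.44 -
996922805.400 210 10.20.7.3 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/198.51.100.7 text/html
996926400.000 30009 10.20.9.88 TCP_MISS/504 1024 GET http://192.0.2.44/default.ida - DIRECT/192.0.2.44 -
996930000.500 29950 10.20.1.15 TCP_MISS/504 1024 GET http://203.0.113.9:8080/ - DIRECT/203.0.113.9 -
"""

def parse_proxy_log(text):
    """Return one dict per request with client, origin peer IP, port and time window."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # truncated or malformed line
        url = urlsplit(f[6])
        peer = f[8].partition("/")[2]  # "DIRECT/192.0.2.44" -> "192.0.2.44"
        if not url.hostname or not peer or peer == "-":
            continue  # cache hit or CONNECT: no plain HTTP request reached an origin
        end = float(f[0])                 # assumed: logged when the request finished
        start = end - int(f[1]) / 1000.0  # so subtract the elapsed milliseconds
        entries.append({"client": f[2], "peer": peer, "url": f[6],
                        "port": url.port or 80, "start": start, "end": end})
    return entries

def clients_for_report(entries, when, target_ip, target_port, skew=5.0):
    """Proxy clients whose request to target_ip:target_port overlaps the reported time."""
    return sorted({e["client"] for e in entries
                   if e["peer"] == target_ip and e["port"] == target_port
                   and e["start"] - skew <= when <= e["end"] + skew})

if __name__ == "__main__":
    log = parse_proxy_log(PROXY_LOG)
    # Constructed reports: (epoch seconds at the target's firewall, target IP, port)
    reports = [(996922800, "192.0.2.44", 80),
               (996930001, "203.0.113.9", 8080),
               (996940000, "192.0.2.99", 80)]
    for when, ip, port in reports:
        hits = clients_for_report(log, when, ip, port)
        print(ip, port, hits or "no matching proxy request")
```

The `skew` window absorbs clock drift between the reporter's firewall and the proxy; without the target address and time from the report, the lookup has nothing to key on.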
