[Dshield] How to ask someone's ISP to investigate
Johannes B. Ullrich
euclidian at euclidian.com
Fri Jul 13 00:17:32 GMT 2001
Just use the DShield Fightback ;-). The form letter we use:
(I also have a Korean version I will put in service soon).
A user of DShield.org, the Distributed Intrusion Detection System,
submitted a log excerpt which indicates a probe from one of your users.
Please notify the user and take appropriate actions to avoid further
Source IP: %%source%% (port: %%sourceport%%)
Target IP: %%target%% (port: %%targetport%%)
Protocol: %%protocol%% (Flags: %%flags%%)
Time: %%date%% %%time%% (GMT)
Original Log as submitted:
A total of %%target_count%% records in dshield's database implicate
this IP address. These records show attacks against %%target_count%%
targets. This report includes one sample of these records.
This report was submitted to Dshield.org by %%useremail%%
For more information about DShield see http://www.dshield.org
Please let us know if you would not like any further notices from
or if you would prefer a different format.
fightback at dshield.org
Things to do:
- include all the information you have.
- identify yourself. Most ISPs reject anonymous reports.
- be friendly. It is not the ISP attacking you.
- just show the facts. Leave it up to them to decide.
- complain fast. A month later is too late.
- attachments/images. Just use plain text.
- know whois info or such that will just make the e-mail
- abusive language.