[Dshield] How to ask someone's ISP to investigate

Johannes B. Ullrich euclidian at euclidian.com
Fri Jul 13 00:17:32 GMT 2001

Just use the DShield Fightback ;-) . The form letter we use:
(I also have a Korean version I will put in service soon).


   A user of DShield.org, the Distributed Intrusion Detection System, 
 submitted a log excerpt which indicates a probe from one of your users.
 Please notify the user and take appropriate actions to avoid further

   Source IP: %%source%% (port: %%sourceport%%)
   Target IP: %%target%% (port: %%targetport%%)
   Protocol: %%protocol%% (Flags: %%flags%%)
   Time: %%date%% %%time%% (GMT)

   Original Log as submitted:


   A total of %%target_count%% records in dshield's database implicate
   this IP address. These records show attacks against %%target_count%%
   targets. This report includes one sample of these records.

   This report was submitted to Dshield.org by %%useremail%%  

   For more information about DShield see http://www.dshield.org
   Please let us know if you would not like any further notices from
   or if you would prefer a different format.


        fightback at dshield.org


 Things to do:

    - include all the information you have.
      (important: time!)
    - identify yourself. Most ISPs reject anonymous reports.
    - be friendly. It is not the ISP attacking you.
    - just show the facts. Leave it up to them to decide.
    - complain fast. A month later is too late.


    - attachments/images. Just use plain text.
    - know whois info or such that will just make the e-mail
    - abusive language.
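
An added example, not part of the original message and not DShield's own code: one way to fill the `%%name%%` fields of the form letter above from a single log record, converting the log's local time to GMT and refusing to produce a report with any field left empty. The local timestamp format, the UTC offset parameter and the sample record are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the form letter's field block, using the placeholders from the page.
TEMPLATE = """\
Source IP: %%source%% (port: %%sourceport%%)
Target IP: %%target%% (port: %%targetport%%)
Protocol: %%protocol%% (Flags: %%flags%%)
Time: %%date%% %%time%% (GMT)
"""

PLACEHOLDER = re.compile(r"%%(\w+)%%")


def to_gmt_fields(local_stamp, utc_offset_hours):
    """Convert a local 'YYYY-MM-DD HH:MM:SS' log timestamp to GMT date/time fields."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    gmt = local.astimezone(timezone.utc)
    return {"date": gmt.strftime("%Y-%m-%d"), "time": gmt.strftime("%H:%M:%S")}


def render_report(template, fields):
    """Fill every %%name%% placeholder; raise if any field is absent or empty."""
    names = set(PLACEHOLDER.findall(template))
    missing = sorted(n for n in names if fields.get(n) in (None, ""))
    if missing:
        raise ValueError("report incomplete, missing: " + ", ".join(missing))
    # Single substitution pass: values are inserted as-is and never re-expanded.
    return PLACEHOLDER.sub(lambda m: str(fields[m.group(1)]), template)


# Constructed sample record (documentation-range addresses, not real data).
SAMPLE = {
    "source": "192.0.2.10", "sourceport": 4312,
    "target": "198.51.100.7", "targetport": 111,
    "protocol": "TCP", "flags": "S",
}
# Assumed: the firewall logged in local time at UTC-4.
SAMPLE.update(to_gmt_fields("2001-07-12 20:17:32", utc_offset_hours=-4))

if __name__ == "__main__":
    print(render_report(TEMPLATE, SAMPLE))
```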

