[Dshield] How to ask someone's ISP to investigate

Johannes B. Ullrich euclidian at euclidian.com
Fri Jul 13 00:17:32 GMT 2001


Just use the DShield Fightback ;-) . The form letter we use:
(I also have a Korean version I will put in service soon).

Hi.

   A user of DShield.org, the Distributed Intrusion Detection System,
 submitted a log excerpt which indicates a probe from one of your users.
 Please notify the user and take appropriate actions to avoid further
 problems.
 
   Details:

   Source IP: %%source%% (port: %%sourceport%%)
   Target IP: %%target%% (port: %%targetport%%)
   Protocol: %%protocol%% (Flags: %%flags%% ) 
   Time: %%date%% %%time%% (GMT)

   Original Log as submitted:

     %%log%%  

   A total of %%target_count%% records in dshield's database implicate
   this IP address. These records show attacks against %%target_count%%
   unique targets. This report includes one sample of these records.

   This report was submitted to Dshield.org by %%useremail%%  

   For more information about DShield see http://www.dshield.org
   Please let us know if you would not like any further notices from
   DShield.org or if you would prefer a different format.

    Thanks.

        fightback at dshield.org
        http://www.dshield.org/fightback.html

-----------

 Things to do:

    - include all the information you have.
      (important: time!)
    - identify yourself. Most ISPs reject anonymous reports.
    - be friendly. It is not the ISP attacking you.
    - just show the facts. Leave it up to them to decide.
    - complain fast. A month later is too late.

  Avoid:

    - attachments/images. Just use plain text.
    - know whois info or such that will just make the e-mail
      longer
    - abusive language.


---
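
The checklist above stresses complete details (the time in particular) and plain text. As an added example, not DShield's own code, this Python script fills an excerpt of the form letter's `%%name%%` placeholders, converts the timestamp to GMT, and refuses to render a report with any field missing. The sample record, addresses and function names are constructed for illustration, and treating every field (including flags) as required is an assumption.

```python
import re
from datetime import datetime, timezone, timedelta

# Excerpt of the form letter above, using the page's %%name%% placeholders.
TEMPLATE = """\
Source IP: %%source%% (port: %%sourceport%%)
Target IP: %%target%% (port: %%targetport%%)
Protocol: %%protocol%% (Flags: %%flags%%)
Time: %%date%% %%time%% (GMT)

Original Log as submitted:

  %%log%%

This report was submitted by %%useremail%%
"""

PLACEHOLDER = re.compile(r"%%(\w+)%%")

def to_gmt_fields(stamp: datetime) -> dict:
    """Split a timezone-aware timestamp into the letter's GMT date/time fields."""
    if stamp.tzinfo is None:
        raise ValueError("timestamp needs a timezone; the ISP cannot guess it")
    gmt = stamp.astimezone(timezone.utc)
    return {"date": gmt.strftime("%Y-%m-%d"), "time": gmt.strftime("%H:%M:%S")}

def render_report(fields: dict) -> str:
    """Fill the template; refuse to produce a report with missing details."""
    needed = set(PLACEHOLDER.findall(TEMPLATE))
    missing = sorted(n for n in needed if not str(fields.get(n, "")).strip())
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    body = PLACEHOLDER.sub(lambda m: str(fields[m.group(1)]), TEMPLATE)
    body.encode("ascii")  # plain text only; raises on anything else
    return body

# Constructed sample record (documentation addresses, invented log line).
SAMPLE = {
    "source": "192.0.2.10", "sourceport": 4021,
    "target": "198.51.100.7", "targetport": 111,
    "protocol": "TCP", "flags": "S",
    "log": "Jul 12 19:58:03 fw kernel: DENY tcp 192.0.2.10:4021 198.51.100.7:111 SYN",
    "useremail": "reporter@example.org",
}
SAMPLE.update(to_gmt_fields(
    datetime(2001, 7, 12, 19, 58, 3, tzinfo=timezone(timedelta(hours=-4)))))

if __name__ == "__main__":
    print(render_report(SAMPLE))
```
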



