[Dshield] Nimda box reporting

Mike Burns mike.burns at net-linx.com
Thu Aug 8 20:17:07 GMT 2002

-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com]
Sent: Thursday, August 08, 2002 10:52 AM

>But getting word to that admin about a confirmed infection... tricky...

Yes, it is not straightforward: go to ARIN, look up the IP address, then go
to APNIC or elsewhere, send the email to the email address registered for the
IP (I also copy CERT and NIPC).

> Or is the upshot that folks don't pay attention when they get
> these kinds of notifications anyway?

I have found that ISPs that keep the IP address block up to date with the
correct email addresses work the best for contacting.  

ex: UUnet registered my net block to my company name that contained my
email address; when you look up it is easy to contact me about a
machine on my network.

bad ex: ChoiceOne and others do not practice this; if you do an ARIN whois
on, you will not see that I am using that netblock, but only
that ChoiceOne owns it.

With the up-to-date entries I usually get a 90% response rate, with the
majority thankful for my notice, and the infected machine is fixed/removed.

With the lazy ISPs or foreign IP blocks, out of the hundreds of messages I
have sent, only 1 has responded, to say that there is no way it could be him
and to please stop bothering him.
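
The lookup described in this message, as an added example that is not part of the original post: it picks the most specific registered range covering an address and returns its contact emails, or the referral to another registry. The sample records are constructed, the field names are assumed to follow ARIN-style "Key: value" whois output, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed ARIN-style "Key: value" records; RFC 5737 ranges, made-up names.
REASSIGNED = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example ISP
OrgAbuseEmail:  abuse@isp.example

NetRange:       198.51.100.64 - 198.51.100.127
OrgName:        Example Customer Co.
OrgTechEmail:   admin@customer.example
"""
ISP_ONLY = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example ISP Two
OrgAbuseEmail:  abuse@isp2.example
"""
REFERRED = """\
NetRange:       192.0.2.0 - 192.0.2.255
ReferralServer: whois://whois.apnic.net
"""

def parse_networks(text):
    """Split whois text into blank-line separated network records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(("#", "%")):  # skip comment lines
                rec.setdefault(key.strip(), []).append(value.strip())
        records.append(rec)
    return [r for r in records if "NetRange" in r]

def notification_target(text, ip):
    """Contacts from the smallest registered range covering ip, or None."""
    addr, best = ipaddress.ip_address(ip), None
    for rec in parse_networks(text):
        first, last = (ipaddress.ip_address(p.strip())
                       for p in rec["NetRange"][0].split("-"))
        size = int(last) - int(first)
        if first <= addr <= last and (best is None or size < best[0]):
            best = (size, rec)
    if best is None:
        return None
    rec = best[1]
    return {"org": rec.get("OrgName", [None])[0],
            "emails": [v for k, vs in rec.items() if k.endswith("Email") for v in vs],
            "referral": rec.get("ReferralServer", [None])[0]}
```

With the reassigned block the customer's own address comes back; with the ISP-only record the notice can only go to the ISP.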

