[Dshield] Why???

KeithTarrant KeithTarrant at spamcop.net
Wed Oct 2 01:14:02 GMT 2002

Pep -

From what I understand, most ISPs have a staff working full-time tracking
down hackers and infected machines.  It is just there are so many viri,
and the scriptkiddies have so much fun, and the average Internet user is
so innocent of the precautions to take, and the profit margins so slim
(because of the constant need to upgrade hardware), that the volume of
abuse complaints is vast.

These abuse departments are the main reason why abuse from an IP address
continues for an average 2 weeks on good ISPs and an average 2 months on
the worst ISPs.  (2 months = the scriptkiddie got bored, or his/her IP
address changed)

Typically people don't get responses to abuse complaints even if the
complaint is acted upon (unless their complaint is to a very "small" IT
organization).  Large ISPs wait for multiple complaints, so they aren't
bothering people with false alarms, which would be very embarrassing.  Of
course many times they wait a lot longer.

By the time they act, the abuse departments are acting on logs extracted
from the original complaint letters -- the original email and the email
addresses of the original complainants are gone.

The thing to keep in mind is that ISPs are large organizations and large
organizations act in weeks not days.  (On complex issues, large
organizations act in years.)

So don't be discouraged that abuse complaints aren't answered.  Focus on
whether the abuse continues or stops.

It would be interesting to have a DShield Award for the ISP with the
longest outstanding Fightback incident of a type where it is obvious
abuse (say sub 7 scanning).

- Keith
----- Original Message -----
From: "Per-Erik Persson" <pep at hemmapc.com>
To: <list at dshield.org>
Sent: Tuesday, October 01, 2002 7:51 PM
Subject: [Dshield] Why???

> I'm quite new to using this feature, but my site (quite private) already
> 10 issues in my "fightback"-summary. Only one of those has answered (and
> that's by an autoreply (in which I'm told that they really haven't got time for
> my, or dshields, observation)) to me. It's not ok if the abuser does
> reply. He or she maybe not be aware what their computer create on the
> He or she maybe do not have an smtp-server running while they almost surely do
> not get any notification from dshield which would be bad for them as
> don't get any notification that they made some dumb things on the Internet or
> that they have a corrupted computer making bad things. As I could read
> functions with dshields, a message goes both to the ip-address that,
> hopefully, created the scene and to their ISP. Shouldn't anyone of those
> feel any sorts of responsibility to eliminate or decrease such an act?
> Hope that the ISP do not create new rules for what goes in and out from
> firewall. A censured activity would not be right to all of those
> which know how to use their computer. But shouldn't the ISP be responsible to
> tell their customers that they maybe got some trouble that they probably
> aware about?  I would appreciate that as a customer and I'd surely
> appreciate an answer from the ISP that they try to do something about
> Or doesn't the ISP feel any responsibility beside making money???
> --
> (excuse somewhere bad spelling, got into sleep when my English teacher
> talking ;-) )
> /pep
> Who is General Failure and why is he reading my hard disk ?
> Open PGP-key:  http://www.hemmapc.com/peppgp.txt
