[Dshield] Fightback email addresses?

Johannes Ullrich jullrich at euclidian.com
Thu Jun 12 01:20:27 GMT 2003

On Wed, 2003-06-11 at 10:29, Tim Rushing wrote:
> I think it would be a bad idea for Dshield to only send to self-reported 
> abuse addresses.  It would be a good way for an attacker to hide evidence 
> of a targeted attack.

yes. thats why we start with the 'whois' entries. In many cases, the
whois contact will tell us to use a different address. We can send to
two contacts at the same time, but there are only a couple of ISPs
that prefer this.

> However, what I think would be a good idea would be if Dshield could send 
> to the ARIN abuse address (or whatever source Dshield currently uses) and 
> to a self-reported abuse address.  Of course, I imagine this would mean 
> significant changes in the interface, database and automation systems.
> All I'm reporting to Dshield is a home system.  My ISP is small enough that 
> if they get a report regarding me, I will hear about it.  However, I would 
> love to be able to ask Dshield to let me know if my IP suddenly starts 
> scanning.
>      ---Tim Rushing

We do have this for ISPs, but not for individual users. For home users,
the best check is to visit the warning banner. I guess
I can setup a quick 'check my ip' page.

More information about the list mailing list