[Dshield] Contacting ISP's to report hack attempts - any luck ?

Chuck Lewis clewis at iquest.net
Wed Jan 14 17:57:27 GMT 2004


Thanks,

Yep, I kept that "briefer" than normal but I do always keep it friendly, etc.


Thanks again,

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Johannes B. Ullrich
Sent: Wednesday, January 14, 2004 12:42 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Contacting ISP's to report hack attempts - any luck ?


> Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: 64.222.46.166 is already blocked. Ignoring
> 
> 
> So is this not enough ? 

maybe add a 'translation' of your log. There are hundreds of different
formats. I should post the template again that we are using for our
messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
make sense of some of these logs. Portsentry is not bad (IMHO). But
still, think about the poor abuse desk guy and give them some hints ;-)

(e.g. say 
Target IP Address: 1.2.3.4
Source IP Address: 64.222.46.166
Targetport: 80
Time: Jan 13th 21:54:56 (UTC)

one note about time: spell out the month (something I have to fix in our
notices I think). Different countries use different conventions...

e.g. 01/02/03 could be: Jan 2nd 2003, Feb. 3rd 2001, Feb. 1st. 2003

I think the three letter English abbreviation for the month will work
well.

And one more: Keep it brief. A couple lines of logs (10 maybe.. not
100), and no whois info or things that are 'obvious'. The strategic use
of the words 'Please' and 'Thank you' can help as well.




       

> 
> As your note that they might fix them and not tell me. That yields a
> quandary - I almost never see the same problem info whether I report them
> or not (?). Maybe others report them ?
> 
> Thanks so much for the info.
> 
> Chuck
> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
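
The "translation" suggested in the quoted message can be scripted. The following is an added example, not part of the original thread or of any DShield tool: it turns portsentry `attackalert` syslog lines into the labelled fields from the message, with the month spelled out and the time converted to UTC, and caps the report at 10 lines. The year, the UTC offset of -5 hours, the target address 192.0.2.10 and the second sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Syslog prefix followed by portsentry's "attackalert:" message.
LINE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                  r"(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+portsentry\[\d+\]:\s+"
                  r"attackalert:\s+(?P<msg>.*)$")
SRC = re.compile(r"[Hh]ost:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PORT = re.compile(r"to (?P<proto>TCP|UDP) port:\s*(?P<port>\d+)")

# First line is the one quoted in the thread; the second is constructed.
SAMPLE = [
    "Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: "
    "64.222.46.166 is already blocked. Ignoring",
    "Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Connect from "
    "host: 64.222.46.166/64.222.46.166 to TCP port: 80",
]

def translate(line, year, utc_offset_hours, target_ip):
    """Return the labelled fields for one log line, or None if unparsable."""
    m = LINE.match(line.strip())
    src = SRC.search(m["msg"]) if m else None
    if not src or m["mon"] not in MONTHS:
        return None
    # Syslog omits year and zone, so the reporter has to supply both.
    h, mi, s = map(int, m["time"].split(":"))
    local = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]), h, mi, s,
                     tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    utc = local.astimezone(timezone.utc)
    port = PORT.search(m["msg"])
    return {
        "Target IP Address": target_ip,
        "Source IP Address": src["ip"],
        "Target port": f"{port['port']}/{port['proto']}" if port else "not logged",
        "Time": f"{MONTHS[utc.month - 1]} {utc.day} {utc.year} {utc:%H:%M:%S} (UTC)",
    }

def build_report(lines, year, utc_offset_hours, target_ip, max_lines=10):
    """Translate at most max_lines log lines into a plain-text report body."""
    out = []
    for raw in [l.strip() for l in lines if l.strip()][:max_lines]:
        fields = translate(raw, year, utc_offset_hours, target_ip)
        if fields:
            out += [f"{k}: {v}" for k, v in fields.items()] + [f"Log: {raw}", ""]
    return "\n".join(out).rstrip()

if __name__ == "__main__":
    print(build_report(SAMPLE, 2004, -5, "192.0.2.10"))
```

With a -5 hour offset the local timestamp rolls over to Jan 14 in UTC, which is the kind of ambiguity the spelled-out, zone-labelled time removes for the abuse desk.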



