[Dshield] Contacting ISP's to report hack attempts - any luck ?
clewis at iquest.net
Wed Jan 14 17:57:27 GMT 2004
Yep, I kept that "briefer" than normal but I do always keep it friendly, etc.
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Johannes B. Ullrich
Sent: Wednesday, January 14, 2004 12:42 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Contacting ISP's to report hack attempts - any luck ?
> Jan 13 21:54:56 leeqube2 portsentry: attackalert: Host:
> is already blocked. Ignoring
> So is this not enough ?
Maybe add a 'translation' of your log. There are hundreds of different
formats. I should post the template again that we are using for our
messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
make sense of some of these logs. Portsentry is not bad (IMHO). But
still, think about the poor abuse desk guy and give them some hints ;-)
Target IP Address: 220.127.116.11
Source IP Address: 18.104.22.168
Time: Jan 13th 21:54:56 (UTC)
One note about time: spell out the month (something I have to fix in our
notices I think). Different countries use different conventions...
e.g. 01/02/03 could be: Jan 2nd 2003, Feb. 3rd 2001, Feb. 1st. 2003
I think the three letter English abbreviation for the month will work
And one more: Keep it brief. A couple lines of logs (10 maybe.. not
100), and no whois info or things that are 'obvious'. The strategic use
of the words 'Please' and 'Thank you' can help as well.
> As your note that they might fix them and not tell me. That yields a
> quandary - I almost never see the same problem info whether I report them
> or not (?). Maybe others report them ?
> Thanks so much for the info.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
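
An added example, not part of the original thread and not DShield's own template: a Python sketch that turns portsentry syslog lines into the brief "translated" report suggested above, with the month spelled out, times converted to UTC and the log excerpt capped at 10 lines. The `year` and `utc_offset_hours` parameters (syslog records neither), the function names and all sample addresses are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# portsentry via syslog: "<Mon> <d> <hh:mm:ss> <host> portsentry[pid]: attackalert: ..."
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ portsentry(?:\[\d+\])?: "
    r"attackalert: .*?[Hh]ost: (?:\S+/)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: to (?P<proto>TCP|UDP) port: (?P<port>\d+))?")

SAMPLE = [  # constructed log lines; addresses are from documentation ranges
    "Jan 13 16:54:56 sensor portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111",
    "Jan 13 16:54:57 sensor portsentry[412]: attackalert: Host: 198.51.100.7 is already blocked. Ignoring",
    "Jan 13 16:55:02 sensor portsentry[412]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 143",
    "Jan 13 16:55:10 sensor sshd[99]: unrelated line that must be skipped",
]

def parse_line(line, year, utc_offset_hours):
    """Return one event with its time converted to UTC, or None if the line is not an alert."""
    m = LINE.match(line)
    if not m:
        return None
    mon, day, clock = m["ts"].split()
    h, mi, s = map(int, clock.split(":"))
    tz = timezone(timedelta(hours=utc_offset_hours))
    try:
        local = datetime(year, MONTHS.index(mon) + 1, int(day), h, mi, s, tzinfo=tz)
    except ValueError:  # not a real month, day or time
        return None
    return {"time": local.astimezone(timezone.utc), "src": m["src"],
            "proto": m["proto"], "port": m["port"], "raw": line}

def fmt(t):
    # Three-letter English month, independent of the system locale
    return f"{MONTHS[t.month - 1]} {t.day} {t.year} {t:%H:%M:%S} UTC"

def build_report(lines, source_ip, target_ip, year, utc_offset_hours, max_lines=10):
    """Brief abuse report for one source IP, or None if it never appears in the log."""
    events = [e for e in (parse_line(l, year, utc_offset_hours) for l in lines)
              if e and e["src"] == source_ip]
    if not events:
        return None
    events.sort(key=lambda e: e["time"])
    ports = sorted({f'{e["proto"]}/{e["port"]}' for e in events if e["port"]})
    shown = events[:max_lines]
    out = ["Please review the following activity from an address on your network.",
           f"Source IP Address: {source_ip}",
           f"Target IP Address: {target_ip}",
           f"Time: {fmt(events[0]['time'])} to {fmt(events[-1]['time'])}",
           f"Ports probed: {', '.join(ports) or 'not recorded'}",
           f"Log excerpt (portsentry, sensor clock UTC{utc_offset_hours:+d}, "
           f"{len(shown)} of {len(events)} lines):"]
    return "\n".join(out + [e["raw"] for e in shown] + ["Thank you."])
```

Calling `build_report(SAMPLE, "198.51.100.7", "192.0.2.10", 2004, -5)` returns the report text for that one source.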