[Dshield] Contacting ISP's to report hack attempts - any luck ?

Brad Spencer brad.madison at mail.tds.net
Wed Jan 14 18:06:17 GMT 2004

At 12:41 PM 1/14/2004 -0500, you wrote:

>maybe add a 'translation' of your log. There are hundreds of different
>formats. I should post the template again that we are using for our
>messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
>make sense of some of these logs. Portsentry is not bad (IMHO). But
>still, think about the poor abuse desk guy and give them some hints ;-)

I send ZoneAlarm log entries, with a subject that indicates abuse is coming 
from the IP that I identify in the subject.

So I'd say: Apparent abuse attempts from

FWIN,2004/01/14,08:04:14 -6:00 GMT,,,TCP (flags:S)
FWIN,2004/01/14,08:04:14 -6:00 GMT,,,TCP (flags:S)
FWIN,2004/01/14,08:04:14 -6:00 GMT,,,TCP (flags:S)
FWIN,2004/01/14,08:04:36 -6:00 GMT,,,TCP (flags:S)

And then something like "Please act to end this abuse" or "please be aware 
of this abuse."  The latter is to suggest that they themselves watch the 
traffic from the indicated IP and take appropriate action based on what 
they see.  It could be that the IP sending me open proxy tests is itself an 
open proxy.  While I'd like the open proxy cured I'd like even more for the 
ISP to find out the source of the packets _to_ that open proxy system and 
to notify the ISP for that IP.

I figure (suppose, accept you choose the word) that the ISP will do 
whatever they've programmed themselves to do.  I don't put any effort into 
trying to influence that decision, to change the ISP's default behavior.

I may mention that I also have a hardware firewall, so the IP shown 
( isn't really my IP.

This is at least the second batch of probes from that same IP 
(pool-64-223-154-227.man.east.verizon.net).  That suggests that it may be 
the abuser's own IP.  Is that Manhattan East?
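The "translation" the quoted reply asks for, as an added example that is not part of this thread: a small parser for ZoneAlarm's FWIN line layout that normalises the local timestamps to UTC, groups the blocked SYN packets by source address and emits a one-paragraph summary an abuse desk can read without knowing the format. The sample lines, addresses and ports below are constructed (the post's own lines have the address fields blanked); the `src:port,dst:port` layout of those two fields is assumed from ZoneAlarm's usual format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in ZoneAlarm FWIN layout; the addresses are documentation
# placeholders (RFC 5737 ranges), not real hosts.
SAMPLE_LOG = """\
FWIN,2004/01/14,08:04:14 -6:00 GMT,203.0.113.7:3128,192.0.2.10:80,TCP (flags:S)
FWIN,2004/01/14,08:04:14 -6:00 GMT,203.0.113.7:8080,192.0.2.10:80,TCP (flags:S)
FWIN,2004/01/14,08:04:36 -6:00 GMT,203.0.113.7:1080,192.0.2.10:80,TCP (flags:S)
FWIN,2004/01/14,08:05:02 -6:00 GMT,198.51.100.22:1433,192.0.2.10:1433,TCP (flags:S)
not a firewall line
"""

LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sign>[+-])(?P<oh>\d{1,2}):(?P<om>\d{2}) GMT,"
    r"(?P<src>[^,]*),(?P<dst>[^,]*),(?P<proto>.*)$"
)

def parse_line(line):
    """Return (utc_time, src_ip, src_port, dst_port, proto), or None for non-FWIN lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    utc = (local - offset).replace(tzinfo=timezone.utc)  # "-6:00 GMT" means UTC-6
    src_ip, _, src_port = m["src"].partition(":")
    _, _, dst_port = m["dst"].partition(":")
    return utc, src_ip, src_port, dst_port, m["proto"]

def summarize(log_text):
    """Group events by source address: count, first/last seen in UTC, targeted ports."""
    by_src = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines in other formats rather than failing the whole report
        utc, src_ip, _, dst_port, _ = ev
        e = by_src.setdefault(src_ip, {"count": 0, "first": utc, "last": utc, "ports": Counter()})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], utc), max(e["last"], utc)
        e["ports"][dst_port] += 1
    return by_src

def abuse_report(log_text, src_ip):
    """Plain-language summary for one source address, suitable for an abuse-desk mail."""
    e = summarize(log_text)[src_ip]
    ports = ", ".join(f"{p}/tcp x{n}" for p, n in sorted(e["ports"].items()))
    return (f"Apparent abuse attempts from {src_ip}: {e['count']} inbound TCP SYN packets "
            f"blocked between {e['first']:%Y-%m-%d %H:%M:%S} and {e['last']:%Y-%m-%d %H:%M:%S} "
            f"UTC, destination ports {ports}. Times converted from the firewall's local offset to UTC.")
```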
