[Dshield] Contacting ISP's to report hack attempts - any luck ?
brad.madison at mail.tds.net
Wed Jan 14 18:06:17 GMT 2004
At 12:41 PM 1/14/2004 -0500, you wrote:
>maybe add a 'translation' of your log. There are hundreds of different
>formats. I should post the template again that we are using for our
>messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
>make sense of some of these logs. Portsentry is not bad (IMHO). But
>still, think about the poor abuse desk guy and give them some hints ;-)
I send ZoneAlarm log entries, with a subject that indicates abuse is coming
from the IP that I identify in the subject.
So I'd say: Apparent abuse attempts from 188.8.131.52
And then something like "Please act to end this abuse" or "please be aware
of this abuse." The latter is to suggest that they themselves watch the
traffic from the indicated IP and take appropriate action based on what
they see. It could be that the IP sending me open proxy tests is itself an
open proxy. While I'd like the open proxy cured, I'd like even more for the
ISP to find out the source of the packets _to_ that open proxy system and
to notify the ISP for that IP.
I figure (suppose, accept; you choose the word) that the ISP will do
whatever they've programmed themselves to do. I don't put any effort into
trying to influence that decision, to change the ISP's default behavior.
I may mention that I also have a hardware firewall, so the IP shown
(192.168.12.17) isn't really my IP.
This is at least the second batch of probes from that same IP
(pool-64-223-154-227.man.east.verizon.net). That suggests that it may be
the abuser's own IP. Is that Manhattan East?