[Dshield] The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])

Johannes B. Ullrich jullrich at sans.org
Fri Aug 25 14:14:33 GMT 2006


Looks like the IPs mentioned below are "down" now.

The frustration of sending abuse complaints was one of the reasons
DShield was started. Back then (Late 2000, before Code Red), personal
firewalls just got started and ISPs as well as users tried to figure out
what to do with all the logs.

Firewalls are typically designed with the "default closed" principle in
mind. If a packet doesn't make sense, its dropped. Now packets that
don't make sense are not always "bad". Sure, we got RFCs and thick books
written about how TCP/IP is supposed to work. But well, reality is
different.

Now back to abuse complaints:
Whenever you write a "nasty gram" to an ISP, consider the economics of
it: You are not a paying customer. So you need to get their interest up
in other ways. Here a couple ways to do this:

- Be polite and concise (the email below fulfills this requirement).
- include the "right" amount of logs. I recommend up to about a dozen
lines. Time stamps and time zone (if possible UTC) is critical.
- They can't see your friendly face. All they see is an all caps email.
- do not use attachments, html or any other "email extensions".
- don't write the complaint anonymous.
- Do not expect a response. In many countries, privacy laws will not
allow the ISP to confirm any action taken.
- Don't get discouraged by auto-responses. I rather have them spent time
calling customers then coming up with personal e-mails.






BOYD S. (SPENCE) MINER wrote:
> I FILLED OUT THEIR ON LINE COMPLAINT AND THEY ACKNOWLEDGED WITH WE WILL
> CHECK IT OUT.
> 
> BUT PROBES STILL ARE ACTIVE.
> 
> ***************** ANOTHER MESSAGE TO ISP *********************
> YOUR TECHNICIANS ARE NOT MAKING ANY PROGRESS. WE ARE STILL BEING HIT BY
> 
> 204.16.208.75:59785 dedicated.thehideout.net
> 204.16.208.20:47282 dedicated20.thehideout.net
> 204.16.208.66:56092 dedicated66.thehideout.net
> 204.16.208.66:55285 dedicated66.thehideout.net
> 204.16.208.66:33371 dedicated66.thehideout.net
> 204.16.208.70:56310 dedicated70.thehideout.net
> 
> AND MANY OTHER VARIATIONS.
> ***************************** END****************
> 
> DOES ANYONE HAVE THE CLOUT TO GET A STONG MESSAGE TO THIS ISP.
> 
> THEIR REGISTRATION CLAIMS A ABUSE ADDRESS AS SHOWEN HERE BUT THE REFUSE TO HONOR IT.
> 
> 
> 73
> SPENCE
> 
> 
> 
> 
> 
> 
> -------- Original Message --------
> 
> Subject: WHY IS YOUR CUSTOMER ATTEMPTING ILLEGAL ACCESS TO THIS COMPUTER
> Date: Wed, 09 Aug 2006 01:06:06 -0400
> From: BOYD S. (SPENCE) MINER <k4kep at backroads.net>
> To: abusedept at fastcolocation.net
> 
> 
> 
> WHY IS 204.16.208.50 (DEDICATED50.THEHIDEOUT.NET) CONTINUOUSLY PROBING THIS
> COMPUTER 204.116.130.251. THIS HAS BEEN GOING ON FOR SOME TIME AND AS OFTEN AS
> 1.5 HOUR INTERVALS.
> 
> IF IT DOES NOT STOP, A REPORT WILL BE SENT TO DHS AS THIS SYSTEM IS IN DHS
> SERVICE AT A REMOTE SITE AND USED FOR OFFICIAL DHS BUSINESS.
> 
> 
> SYSADMIN
> 
> 
> 
> whois
> 
> Whois:
> @whois.
> 
> Server Used: [ whois.arin.net ]
> 
> 204.16.208.50 > 
>    OrgName:    FAST COLOCATION SERVICES
>    OrgID:      FCS-73
>    Address:    3791 N. Edgewater Dr
>    City:       Wasilla
>    StateProv:  AK
>    PostalCode: 99654
>    Country:    US
>    NetRange:   204.16.208.0 - 204.16.211.255
>    CIDR:       204.16.208.0/22
>    NetName:     FC-BLK-1
>    NetHandle:   NET-204-16-208-0-1
>    Parent:     NET-204-0-0-0-0
>    NetType:    Direct Allocation
>    NameServer: SANDY.THEHIDEOUT.NET
>    NameServer: SANDY2.THEHIDEOUT.NET
>    Comment:    For Abuse Notices please visit http://www.fastcolocation.net/abuse/
>    RegDate:    2005-11-07
>    Updated:    2006-07-31
>    RAbuseHandle: NAD41-ARIN
>    RAbuseName:   NOC Abuse Department
>    RAbusePhone:  1-703-637-6336
>    RAbuseEmail:  abusedept at fastcolocation.net
> 
>    RNOCHandle: NOC1938-ARIN
>    RNOCName:   Network Operations Center
>    RNOCPhone:  1-703-286-2487
>    RNOCEmail:  noc at fastcolocation.net
> 
>    RTechHandle: NOC1938-ARIN
>    RTechName:   Network Operations Center
>    RTechPhone:  1-703-286-2487
>    RTechEmail:  noc at fastcolocation.net
> 
>    OrgAbuseHandle: NAD41-ARIN
>    OrgAbuseName:   NOC Abuse Department
>    OrgAbusePhone:  1-703-637-6336
>    OrgAbuseEmail:  abusedept at fastcolocation.net
> 
>    OrgTechHandle: NOC1938-ARIN
>    OrgTechName:   Network Operations Center
>    OrgTechPhone:  1-703-286-2487
>    OrgTechEmail:  noc at fastcolocation.net
> 
>     ARIN WHOIS database  last updated 2006-08-08 19: 10
>     Enter ? for additional hints on searching ARIN's WHOIS database.
> 
>> Hello
>>
>> Thank you for your email, however we do not accept abuse notices via email. 
>>
>> In order to better assist you, please go to automated abuse system at http://www.fastcolocation.net/abuse/ and fill out a 
>> abuse notice request. Your ip address will be temporarily blocked from our network until an administrator can review your 
>> case.
>>
>> Your issue will not be reviewed until you fill out a abuse notice at http://wwww.fastcolocation.net/abuse/
>>
>> Thank you,
>> Abuse Department
>> abusedept at fastcolocation.net
>> Fast Colocation Services
> 
> 
> 
> 
> 
> _________________________________________
> 
> SANS Network Security 2006 - Las Vegas NV October 1st-9th.
> Wide selection of 1-6 Day Courses. Top Instructors!  
> 
> Details: isc.sans.org/clickcount.php?ad=1
> (use Brochurcode "ISC")
> 
> "Best IT Security return on Investment" (Mario Chiock, Schlumberger)
> _______________________________________________
> 


-- 
---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.dshield.org/pipermail/list/attachments/20060825/acfcd9dc/attachment.bin 


More information about the list mailing list