[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])

Tomas L. Byrnes tomb at byrneit.net
Fri Aug 25 15:19:02 GMT 2006


One way to change those economics is if we all were to block ALL traffic
from the CIDRs of non-responsive Abuse aliases.

Perhaps DShield could post a list of CIDRs managed by RPs that don't
respond to fightback.

That changes the equation, at least for fightback, drastically:

"Do something about these reports, or we will publish your IP addresses
to a list that is used worldwide to block traffic".

If they don't respond to messages from DSHIELD/SANS, and/or keep their
RP contact alias up to date, they're not good netizens, and deserve to
be cast into the outer darkness.
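As an added illustration of the blocking idea above (example code, not part of the original message or of anything DShield published): take a list of CIDRs whose abuse contacts never respond, collapse overlapping and adjacent entries into the smallest rule set, match firewall log sources against it, and render the result as drop rules. The CIDR list, the log lines and the log format are constructed for the example and use RFC 5737 documentation ranges; a real deployment would fetch the list from wherever it is published and feed it real logs.

```python
"""Apply a published list of unresponsive-ISP CIDRs to firewall log traffic.

Added example, not from the DShield thread. The CIDR list and log lines
below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample: CIDRs whose abuse contacts never responded.
# Overlapping/adjacent entries are deliberate, to show aggregation.
UNRESPONSIVE_CIDRS = [
    "198.51.100.0/24",
    "198.51.100.128/25",   # already contained in the /24 above
    "203.0.113.0/25",
    "203.0.113.128/25",    # adjacent to the /25 above -> merges into one /24
]

# Constructed sample firewall lines: "<src_ip>:<src_port> -> <dst_port>"
SAMPLE_LOG = [
    "198.51.100.77:59785 -> 22",
    "203.0.113.9:47282 -> 445",
    "192.0.2.10:56092 -> 80",
    "203.0.113.200:33371 -> 1433",
    "192.0.2.10:55285 -> 80",
]


def build_blocklist(cidrs):
    """Parse CIDR strings and collapse overlapping/adjacent networks.

    Collapsing keeps the rule set minimal: two adjacent /25s become one /24,
    and a /25 already covered by a /24 disappears.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def matching_network(ip, blocklist):
    """Return the blocklist network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def classify_log(lines, blocklist):
    """Split log lines into (blocked, allowed) and count hits per listed network."""
    blocked, allowed = [], []
    hits = Counter()
    for line in lines:
        src = line.split(":", 1)[0]          # source address precedes the port
        net = matching_network(src, blocklist)
        if net is None:
            allowed.append(line)
        else:
            blocked.append(line)
            hits[str(net)] += 1
    return blocked, allowed, hits


def iptables_rules(blocklist, chain="INPUT"):
    """Render the collapsed blocklist as one iptables DROP rule per network."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in blocklist]


if __name__ == "__main__":
    bl = build_blocklist(UNRESPONSIVE_CIDRS)
    blocked, allowed, hits = classify_log(SAMPLE_LOG, bl)
    print("collapsed blocklist:", [str(n) for n in bl])
    print("blocked:", blocked)
    print("hits per network:", dict(hits))
    print("\n".join(iptables_rules(bl)))
```

The hit counter is the part a defender actually wants before publishing or consuming such a list: it shows how much of the observed traffic each listed network accounts for, so a block can be justified with numbers rather than with a single angry log excerpt.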


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Friday, August 25, 2006 7:15 AM
To: General DShield Discussion List
Subject: [Dshield] The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])


Looks like the IPs mentioned below are "down" now.

The frustration of sending abuse complaints was one of the reasons
DShield was started. Back then (Late 2000, before Code Red), personal
firewalls just got started and ISPs as well as users tried to figure out
what to do with all the logs.

Firewalls are typically designed with the "default closed" principle in
mind. If a packet doesn't make sense, it's dropped. Now, packets that
don't make sense are not always "bad". Sure, we've got RFCs and thick books
written about how TCP/IP is supposed to work. But well, reality is
different.

Now back to abuse complaints:
Whenever you write a "nasty gram" to an ISP, consider the economics of
it: You are not a paying customer. So you need to get their interest up
in other ways. Here are a couple of ways to do this:

- Be polite and concise (the email below fulfills this requirement).
- Include the "right" amount of logs. I recommend up to about a dozen
lines. Time stamps and time zone (if possible UTC) are critical.
- They can't see your friendly face. All they see is an all-caps email.
- Do not use attachments, HTML or any other "email extensions".
- Don't write the complaint anonymously.
- Do not expect a response. In many countries, privacy laws will not
allow the ISP to confirm any action taken.
- Don't get discouraged by auto-responses. I'd rather have them spend time
calling customers than coming up with personal e-mails.

BOYD S. (SPENCE) MINER wrote:
> I FILLED OUT THEIR ON LINE COMPLAINT AND THEY ACKNOWLEDGED WITH WE 
> WILL CHECK IT OUT.
> 
> BUT PROBES STILL ARE ACTIVE.
> 
> ***************** ANOTHER MESSAGE TO ISP *********************
> YOUR TECHNICIANS ARE NOT MAKING ANY PROGRESS. WE ARE STILL BEING HIT BY
> 
> 204.16.208.75:59785 dedicated.thehideout.net
> 204.16.208.20:47282 dedicated20.thehideout.net
> 204.16.208.66:56092 dedicated66.thehideout.net
> 204.16.208.66:55285 dedicated66.thehideout.net
> 204.16.208.66:33371 dedicated66.thehideout.net
> 204.16.208.70:56310 dedicated70.thehideout.net
> 
> AND MANY OTHER VARIATIONS.
> ***************************** END****************
> 
> DOES ANYONE HAVE THE CLOUT TO GET A STRONG MESSAGE TO THIS ISP?
> 
> THEIR REGISTRATION CLAIMS AN ABUSE ADDRESS AS SHOWN HERE BUT THEY
> REFUSE TO HONOR IT.
> 
> 
> 73
> SPENCE
> 
> 
> 
> 
> 
> 
> -------- Original Message --------
> 
> Subject: WHY IS YOUR CUSTOMER ATTEMPTING ILLEGAL ACCESS TO THIS COMPUTER
> Date: Wed, 09 Aug 2006 01:06:06 -0400
> From: BOYD S. (SPENCE) MINER <k4kep at backroads.net>
> To: abusedept at fastcolocation.net
> 
> 
> 
> WHY IS 204.16.208.50 (DEDICATED50.THEHIDEOUT.NET) CONTINUOUSLY PROBING
> THIS COMPUTER 204.116.130.251. THIS HAS BEEN GOING ON FOR SOME TIME
> AND AS OFTEN AS 1.5 HOUR INTERVALS.
> 
> IF IT DOES NOT STOP, A REPORT WILL BE SENT TO DHS AS THIS SYSTEM IS IN
> DHS SERVICE AT A REMOTE SITE AND USED FOR OFFICIAL DHS BUSINESS.
> 
> 
> SYSADMIN
> 
> 
> 
> whois
> 
> Whois:
> @whois.
> 
> Server Used: [ whois.arin.net ]
> 
> 204.16.208.50 = [ dedicated50.thehideout.net ]
> 
>    OrgName:    FAST COLOCATION SERVICES
>    OrgID:      FCS-73
>    Address:    3791 N. Edgewater Dr
>    City:       Wasilla
>    StateProv:  AK
>    PostalCode: 99654
>    Country:    US
>    NetRange:   204.16.208.0 - 204.16.211.255
>    CIDR:       204.16.208.0/22
>    NetName:     FC-BLK-1
>    NetHandle:   NET-204-16-208-0-1
>    Parent:     NET-204-0-0-0-0
>    NetType:    Direct Allocation
>    NameServer: SANDY.THEHIDEOUT.NET
>    NameServer: SANDY2.THEHIDEOUT.NET
>    Comment:    For Abuse Notices please visit http://www.fastcolocation.net/abuse/
>    RegDate:    2005-11-07
>    Updated:    2006-07-31
>    RAbuseHandle: NAD41-ARIN
>    RAbuseName:   NOC Abuse Department
>    RAbusePhone:  1-703-637-6336
>    RAbuseEmail:  abusedept at fastcolocation.net
> 
>    RNOCHandle: NOC1938-ARIN
>    RNOCName:   Network Operations Center
>    RNOCPhone:  1-703-286-2487
>    RNOCEmail:  noc at fastcolocation.net
> 
>    RTechHandle: NOC1938-ARIN
>    RTechName:   Network Operations Center
>    RTechPhone:  1-703-286-2487
>    RTechEmail:  noc at fastcolocation.net
> 
>    OrgAbuseHandle: NAD41-ARIN
>    OrgAbuseName:   NOC Abuse Department
>    OrgAbusePhone:  1-703-637-6336
>    OrgAbuseEmail:  abusedept at fastcolocation.net
> 
>    OrgTechHandle: NOC1938-ARIN
>    OrgTechName:   Network Operations Center
>    OrgTechPhone:  1-703-286-2487
>    OrgTechEmail:  noc at fastcolocation.net
> 
>     ARIN WHOIS database last updated 2006-08-08 19:10
>     Enter ? for additional hints on searching ARIN's WHOIS database.
> 
>> Hello
>>
>> Thank you for your email, however we do not accept abuse notices via
>> email.
>>
>> In order to better assist you, please go to automated abuse system at
>> http://www.fastcolocation.net/abuse/ and fill out an abuse notice
>> request. Your ip address will be temporarily blocked from our network
>> until an administrator can review your case.
>>
>> Your issue will not be reviewed until you fill out an abuse notice at
>> http://wwww.fastcolocation.net/abuse/
>>
>> Thank you,
>> Abuse Department
>> abusedept at fastcolocation.net
>> Fast Colocation Services
> 


--
---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
http://isc.sans.org
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of  security at our
bank" Matt, Network Administrator.
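The checklist in Johannes's message above (concise, up to about a dozen log lines, UTC timestamps with the zone stated, plain text with no HTML or attachments, and a named sender) as an added, runnable example. This is not code from the thread or from DShield; the log line format, the local timezone of the reporting host, the addresses (RFC 5737 documentation ranges) and the reporter identity are constructed assumptions.

```python
"""Draft a plain-text abuse report from firewall logs.

Added example, not from the DShield thread. It applies the checklist from
the message above: a dozen lines at most, timestamps converted to UTC and
labelled as such, plain text only, sender identified.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_LINES = 12                                   # "up to about a dozen lines"
LOCAL_TZ = timezone(timedelta(hours=-4))         # constructed: the logging host runs at UTC-4

# Constructed log format: "<local timestamp> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 15 probes from one source (more than the cap, so the
# report has to trim) and 2 from another source that should be left out.
SAMPLE_LOG = [
    f"2006-08-09 {h:02d}:06:06 198.51.100.50:{40000 + h} -> 192.0.2.251:22"
    for h in range(15)
] + [
    "2006-08-09 02:15:00 198.51.100.20:47282 -> 192.0.2.251:445",
    "2006-08-09 09:40:12 198.51.100.20:51010 -> 192.0.2.251:445",
]


def parse_line(line, local_tz=LOCAL_TZ):
    """Parse one log line; return a dict with a UTC timestamp, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return {
        "ts_utc": ts_local.astimezone(timezone.utc),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def select_evidence(lines, src_ip, local_tz=LOCAL_TZ, max_lines=MAX_LINES):
    """Keep only events from src_ip, in time order; return (most recent max_lines, total seen)."""
    entries = [e for e in (parse_line(l, local_tz) for l in lines) if e and e["src"] == src_ip]
    entries.sort(key=lambda e: e["ts_utc"])
    return entries[-max_lines:], len(entries)


def _fmt(ts):
    return ts.strftime("%Y-%m-%d %H:%M:%S") + " UTC"


def format_report(entries, total_seen, reporter_name, reporter_email, target_host):
    """Render a short plain-text complaint: no HTML, no attachments, sender named."""
    if not entries:
        raise ValueError("no log entries for this source")
    src = entries[0]["src"]
    first, last = entries[0]["ts_utc"], entries[-1]["ts_utc"]
    out = [
        f"Subject: Unsolicited connection attempts from {src}",
        "",
        "Hello,",
        "",
        f"Your host {src} has been repeatedly connecting to {target_host}, "
        "which is not open to it.",
        f"{total_seen} events were logged between {_fmt(first)} and {_fmt(last)}; "
        f"the most recent {len(entries)} are listed below. All timestamps are UTC.",
        "",
    ]
    out += [f"{_fmt(e['ts_utc'])}  {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"
            for e in entries]
    out += ["", "Please investigate. Further logs are available on request.", "",
            reporter_name, reporter_email]
    return "\n".join(out)


if __name__ == "__main__":
    selected, total = select_evidence(SAMPLE_LOG, "198.51.100.50")
    print(format_report(selected, total, "J. Example", "admin@example.org", "192.0.2.251"))
```

The conversion to UTC happens before anything is written, and the zone is named in the body, so the recipient never has to guess which local time the lines are in; the cap trims to the most recent events, which is what matters when the complaint is "this is still going on".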




