[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])
Tomas L. Byrnes
tomb at byrneit.net
Fri Aug 25 15:19:02 GMT 2006
One way to change those economics is if we all were to block ALL traffic
from the CIDRs of non-responsive Abuse aliases.
Perhaps DShield could post a list of CIDRs managed by RPs that don't
respond to fightback.
That changes the equation, at least for fightback, drastically:
"Do something about these reports, or we will publish your IP addresses
to a list that is used worldwide to block traffic".
If they don't respond to messages from DSHIELD/SANS, and/or don't keep their
RP contact alias up to date, they're not good netizens, and deserve to
be cast into the outer darkness.
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Friday, August 25, 2006 7:15 AM
To: General DShield Discussion List
Subject: [Dshield] The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS
Looks like the IPs mentioned below are "down" now.
The frustration of sending abuse complaints was one of the reasons
DShield was started. Back then (Late 2000, before Code Red), personal
firewalls just got started and ISPs as well as users tried to figure out
what to do with all the logs.
Firewalls are typically designed with the "default closed" principle in
mind. If a packet doesn't make sense, it's dropped. Now packets that
don't make sense are not always "bad". Sure, we got RFCs and thick books
written about how TCP/IP is supposed to work. But well, reality is
Now back to abuse complaints:
Whenever you write a "nasty gram" to an ISP, consider the economics of
it: You are not a paying customer. So you need to get their interest up
in other ways. Here are a couple of ways to do this:
- Be polite and concise (the email below fulfills this requirement).
- Include the "right" amount of logs. I recommend up to about a dozen
lines. Time stamps and time zone (if possible UTC) are critical.
- They can't see your friendly face. All they see is an all caps email.
- Do not use attachments, HTML or any other "email extensions".
- Don't write the complaint anonymously.
- Do not expect a response. In many countries, privacy laws will not
allow the ISP to confirm any action taken.
- Don't get discouraged by auto-responses. I'd rather have them spend time
calling customers than coming up with personal e-mails.
BOYD S. (SPENCE) MINER wrote:
> I FILLED OUT THEIR ON LINE COMPLAINT AND THEY ACKNOWLEDGED WITH WE
> WILL CHECK IT OUT.
> BUT PROBES STILL ARE ACTIVE.
> ***************** ANOTHER MESSAGE TO ISP *********************
> YOUR TECHNICIANS ARE NOT MAKING ANY PROGRESS. WE ARE STILL BEING HIT BY
> 22.214.171.124:59785 dedicated.thehideout.net
> 126.96.36.199:47282 dedicated20.thehideout.net
> 188.8.131.52:56092 dedicated66.thehideout.net
> 184.108.40.206:55285 dedicated66.thehideout.net
> 220.127.116.11:33371 dedicated66.thehideout.net 18.104.22.168:56310
> AND MANY OTHER VARIATIONS.
> ***************************** END****************
> DOES ANYONE HAVE THE CLOUT TO GET A STRONG MESSAGE TO THIS ISP.
> THEIR REGISTRATION CLAIMS AN ABUSE ADDRESS AS SHOWN HERE BUT THEY
> REFUSE TO HONOR IT.
> -------- Original Message --------
> Subject: WHY IS YOUR CUSTOMER ATTEMPTING ILLEGAL ACCESS TO THIS
> Date: Wed, 09 Aug 2006 01:06:06 -0400
> From: BOYD S. (SPENCE) MINER <k4kep at backroads.net>
> To: abusedept at fastcolocation.net
> WHY IS 22.214.171.124 (DEDICATED50.THEHIDEOUT.NET) CONTINUOUSLY PROBING
> THIS COMPUTER 126.96.36.199. THIS HAS BEEN GOING ON FOR SOME TIME
> AND AS OFTEN AS
> 1.5 HOUR INTERVALS.
> IF IT DOES NOT STOP, A REPORT WILL BE SENT TO DHS AS THIS SYSTEM IS IN
> DHS SERVICE AT A REMOTE SITE AND USED FOR OFFICIAL DHS BUSINESS.
> Server Used: [ whois.arin.net ]
> 188.8.131.52 = [ dedicated50.thehideout.net ]
> OrgName: FAST COLOCATION SERVICES
> OrgID: FCS-73
> Address: 3791 N. Edgewater Dr
> City: Wasilla
> StateProv: AK
> PostalCode: 99654
> Country: US
> NetRange: 184.108.40.206 - 220.127.116.11
> CIDR: 18.104.22.168/22
> NetName: FC-BLK-1
> NetHandle: NET-204-16-208-0-1
> Parent: NET-204-0-0-0-0
> NetType: Direct Allocation
> NameServer: SANDY.THEHIDEOUT.NET
> NameServer: SANDY2.THEHIDEOUT.NET
> Comment: For Abuse Notices please visit
> RegDate: 2005-11-07
> Updated: 2006-07-31
> RAbuseHandle: NAD41-ARIN
> RAbuseName: NOC Abuse Department
> RAbusePhone: 1-703-637-6336
> RAbuseEmail: abusedept at fastcolocation.net
> RNOCHandle: NOC1938-ARIN
> RNOCName: Network Operations Center
> RNOCPhone: 1-703-286-2487
> RNOCEmail: noc at fastcolocation.net
> RTechHandle: NOC1938-ARIN
> RTechName: Network Operations Center
> RTechPhone: 1-703-286-2487
> RTechEmail: noc at fastcolocation.net
> OrgAbuseHandle: NAD41-ARIN
> OrgAbuseName: NOC Abuse Department
> OrgAbusePhone: 1-703-637-6336
> OrgAbuseEmail: abusedept at fastcolocation.net
> OrgTechHandle: NOC1938-ARIN
> OrgTechName: Network Operations Center
> OrgTechPhone: 1-703-286-2487
> OrgTechEmail: noc at fastcolocation.net
> ARIN WHOIS database last updated 2006-08-08 19:10
> Enter ? for additional hints on searching ARIN's WHOIS database.
>> Thank you for your email, however we do not accept abuse notices via
>> In order to better assist you, please go to the automated abuse system at
>> http://www.fastcolocation.net/abuse/ and fill out an abuse notice
>> request. Your ip address will be temporarily blocked from our network
>> until an administrator can review your case.
>> Your issue will not be reviewed until you fill out an abuse notice at
>> Thank you,
>> Abuse Department
>> abusedept at fastcolocation.net
>> Fast Colocation Services
Johannes Ullrich jullrich at sans.org
Chief Research Officer (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
"We use [isc.sans.org] every day to keep on top of security at our
bank" Matt, Network Administrator.
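Johannes' checklist above, turned into an added example that is not part of the original thread: a script that builds a plain-text abuse report from firewall log lines, capping it at about a dozen lines and converting every timestamp to explicit UTC. The log format, the addresses (RFC 5737 documentation ranges) and the sample lines are constructed for this example.

```python
"""Plain-text abuse report built from firewall log lines, following the
advice above: about a dozen lines, explicit UTC timestamps, no HTML."""
import re
from datetime import datetime, timezone

MAX_LINES = 12  # "up to about a dozen lines"

# Constructed sample log (not real traffic): local UTC-4 timestamps, as a
# personal firewall of the period might record them. RFC 5737 test addresses.
SAMPLE_LOG = """\
2006-08-09 01:06:06 -0400 DROP TCP 203.0.113.50:59785 -> 198.51.100.7:135
2006-08-09 02:36:11 -0400 DROP TCP 203.0.113.50:47282 -> 198.51.100.7:445
2006-08-09 04:06:40 -0400 DROP TCP 203.0.113.51:56092 -> 198.51.100.7:135
2006-08-09 05:36:02 -0400 DROP TCP 203.0.113.50:55285 -> 198.51.100.7:1433
malformed line that must be skipped rather than guessed at
"""

# Assumed log format; adjust the pattern for a different firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_events(text):
    """Parse matching lines; attach a timezone-aware UTC timestamp to each."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: drop it, never invent a timestamp
        ev = m.groupdict()
        local = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S %z")
        ev["utc"] = local.astimezone(timezone.utc)
        events.append(ev)
    return events


def build_report(events, source_ip, my_ip, max_lines=MAX_LINES):
    """ASCII report for one offending source: newest max_lines events, in UTC."""
    hits = sorted((e for e in events if e["src"] == source_ip),
                  key=lambda e: e["utc"])
    shown = hits[-max_lines:]
    lines = [f"Unsolicited connection attempts from {source_ip} to {my_ip}.",
             f"{len(hits)} events logged; {len(shown)} most recent shown. "
             "All times are UTC.", ""]
    for e in shown:
        lines.append(f"{e['utc']:%Y-%m-%d %H:%M:%S} UTC {e['proto']} "
                     f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} {e['action']}")
    return "\n".join(lines)
```

Calling `build_report(parse_events(SAMPLE_LOG), "203.0.113.50", "198.51.100.7")` yields the body to paste into a plain-text mail; the total count of events stays in the header even when only the newest dozen are listed.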