Re: What to do if they ignore you

From: Rory (
Date: 04/16/05

  • Next message: David A.Ulevitch: "Re: What to do if they ignore you"
    Date: Sat, 16 Apr 2005 14:51:57 +1000
    To: Skip Carter <>

    I handle the abuse mail & investigation for 12 Class C's and I have to
    say its bloody hard
    to keep up with worm infected pc's. At any one time I would imagine we'd
    have at least
    3,000 customers with worm infections, I suspend or contact on average 50
    users a day.

    I would say I receive about 800 complaints via email
    a day, probably about 300 of those are IDS reports for probes on 445
    from companys like
    D-Shield. Generally most companys consider Network Abuse to be fairly
    unimportant and
    staff it accordingly, I mean, its not like the role makes the company
    money, but a service
    provider wouldn't last long without it.

    Personally I'd be happy if more people took legal action against us for
    it, maybe then management
    would be more interested in actually hiring enough people to handle it.
    However a friendly letter
    to the manager a long with copies of the reports you've sent to their
    abuse team would probably do.

    There are a few things that would make dealing with these sorts of
    things easier,
    1. Sending IDS Logs in UTC would be easier, converting GMT -07:00 to GMT
    +10:00 requires
        a whole lot more thinking that I'd like to put into a single
    investigation =P~
    2. Sending IDS Reports in a nicely formated way like D-Shield does, so
    you know where the data
        you actually want is.
    3. Not putting so much crap about legalitys at the top of the email,
    scrolling is hard work, I get
        scroll wheel cramps sometimes.
    4. Don't be rude and spout nonsense in your emails, like "STOP YOURS
        as fun as is sending back canned replys, you get a bit sick of it.
    5. Threatening to blacklist my IP's is really not going to get you any
    more attention than anyone else.
    6. Don't expect a reply unless its a really major issue.
    7. Don't send me complaints for other bloody companies IP space godamnit!

    Thats all =)


    Skip Carter wrote:

    >My company provides outsource security management/monitoring services.
    >In early March we noticed that several of our clients that are in the
    >same /16 block were getting persistent port 445 probes from a couple
    >of systems from a very large corporation's satellite office which is
    >on the same /16 block.
    >I have repeatedly called the companies security manager (on the US east
    >coast) and talked to people at the companies headquarters (on the US
    >west coast). They take my information (I have shown them firewall logs,
    >IDS logs, captured packet traces, and honeypot sessions) but nothing is
    >done about these probes (typically around 1500/day).
    >We have black-holed connections from the offending network block, but many
    >of our clients are small and do not have firewalls with the resources to
    >handle huge lists of blacklisted networks.
    >It has been over a month now, and nothing has changed. They seem to be
    >unable or unwilling to fix their own systems when they have all the
    >information they could ask for in order to track the problem down.
    >Does anybody have any suggestions on what to do to make Goliath behave
    >when you are David ?

    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    Go to
    to learn more.

  • Next message: David A.Ulevitch: "Re: What to do if they ignore you"