RE: Proper ISP Reporting

From: McKinley, Jackson (Jackson.McKinley_at_team.telstra.com)
Date: 08/18/05

  • Next message: James Polley: "Re: New Virus?"
    Date: Thu, 18 Aug 2005 09:25:58 +1000
    To: "Jason Burton" <jab@leximedia.net>
    
    

     + Contact Information for the Incident Reporter
    - Name
    - E-mail address
    - Phone number
    - Location (Time zone and country)
    + Incident Details
    - Date/time that the incident was discovered
    - Type of incident (e.g., denial of service, malicious code,
    unauthorized access, inappropriate usage)
    - Date/time that the incident occurred (if known)
    - Current status of the incident (e.g., ongoing attack)
    - Source/cause of the incident (if known), including hostnames and IP
    addresses
    - Description of the incident (e.g.what occurred)
    + General Comments

     

    Extra notes:
    * Remember the person that looks at the email first will most likely be
    a low level engineer 1st to 2nd level. Try not to be over technically
    but make it clear a "Security person" should look at it.
    * Use statements like "Assist with the resolution" and "Help us to solve
    this issue" Make it out that they can work with you to fix it no just
    them do it.
    * Leave as much info in the logs that you send as possible. Some times
    its easyer to track traffic from its distination rather then its source.
    * NEVER EVER EVER EVER say you will do anything legal if they don't fix
    it ASAP... Matter of fact never use the work "legal" in any way.. The
    moment you do that you start a new game, and then everything must be
    looked at by legal before it goes anywhere. Thus slowing the process
    down a LOT! We all know how good at red tape legal are :P
    * I always send to more then 1 address.. Abuse@isp, hostmaster@isp,
    postmaster@isp, Helpdesk@isp, noc@isp, gnoc@isp, soc@isp. Are always
    good places to start.
    * Saying things like we have forward you details to the <Insert Agency
    name here> will only have the same effect as point 3. and they don't
    need to know you have done this.
    * You can try login it as a Fault with the ISP's helpdesk. This will
    mean they will have call back alarms and PKI's to think of... ;)
    * Also expect things to take time. Personally in the past when I have
    worked on abuse reports for ISP's it has taken time to deal with them.
    Its not like you can just switch of customer or machine XYZ.. You have
    to gather info, look into it from your end, contact the customer, check
    with the customers contract / AUE. Then if the customer does nothing
    you can do it.. But that can take some time.
    * solve the issue with in your scope of control if you can. Get you
    Upstream to block it (if you have one ;) )

    Cheers

    Jack.

    -----Original Message-----
    From: Jason Burton [mailto:jab@leximedia.net]
    Sent: Wednesday, 17 August 2005 12:02 PM
    To: incidents@securityfocus.com
    Subject: Proper ISP Reporting

    Anyone have samples of how to properly report to ISP's regarding abuse?
     
    ie. What format the email should be in, sample phrases, or sentences
    that might help. I've been doing this for a while and while some work,
    some have not. Im wondering if anyone has examples.
     
    Thanks
     
    Jason Burton
    Leximedia LLC
    jab@leximedia.net


  • Next message: James Polley: "Re: New Virus?"

    Relevant Pages

    • Kike Press not reporting this >>>
      ... Firehouse incident with noose was a hoax! ... By Justin Fenton | Sun reporter ... likely face additional punishment, fire officials said. ... A black firefighters group had called accusations of cheating racially ...
      (misc.invest.stocks)
    • Re: The Spadaro Incident
      ... As a reporter, which Spadaro pretends to be, especially at press conferences, he is supposed to report the news rather than be the news. ... This incident blemishes the entire city, which had been notorious for crass fans. ... There hadn't been any blemishes during the entire decade at Lincoln Financial Field. ... may you rot in NFL insignificance for eternity and the mental retardation everyone in your organisation suffers from isolates you from a civilised, ...
      (alt.sports.football.pro.phila-eagles)
    • Manila Standard: Palace repeats warning against paying rebels
      ... fees by the ... +loose change anyway," the reporter said. ... The military's Southern Luzon Command is apparently clueless. ... +such incident," said Command head Lt. Gen. ...
      (soc.culture.filipino)
    • Re: Manila Standard: Palace repeats warning against paying rebels
      ... fees by the ... +loose change anyway," the reporter said. ... The military's Southern Luzon Command is apparently clueless. ... +such incident," said Command head Lt. Gen. ...
      (soc.culture.filipino)
    • Re: The Spadaro Incident
      ... this incident is all anyone will ever remember. ... As a reporter, which ... Spadaro pretends to be, especially at press conferences, he is supposed to ... blemishes during the entire decade at Lincoln Financial Field. ...
      (alt.sports.football.pro.phila-eagles)