Security Basics mailing list archives

Re: spam/virus reporting to abuse () whereever com


From: Tremaine Lea <tlea () ddiction com>
Date: Thu, 19 Jul 2007 21:28:44 -0600

The usual process is to send an email to abuse@ originating domain, in this case the listed ARIN owner of the block the IP is in. Identify the source IP from the headers, look it up at ARIN (or RIPE, or APNIC...). Once you have identified the ISP it's originating from, send an email to their abuse address, such as abuse () shaw ca.

Include the full headers of the received message, and raw content.

Do *not* include screenshots. Most ISPs of any size these days receive a large number of reports and automagically parse inbound emails for important details. Screenshots will frequently get tossed or handled a LOT later than something that can be parsed by a script/ticket system.

Do report each instance separately where possible.

Do not include extraneous language or opinion about either the sender or the origin IP. It won't get them to act any faster than they already will, and takes away from any professionalism you may hope to have.

For firewall reporting, choose something automated like MyNetWatchman or similar. Spam (*not* viruses) should be reported via spamcop.net or a similar service.

Cheers,

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 17-Jul-07, at 11:49 PM, Murda Mcloud wrote:

What is the usual etiquette for informing an abuse email address at an ISP that spam/viruses appear to be coming from a certain IP in their block?

I was just going to send the headers from the various emails.
The 'spam' engine is spoofing various domains.
I'd guess that the box is owned.
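The header step described in the reply above, as an added example that is not part of the original message: because the sender can forge any Received line below the first relay you control, the script walks the hops newest-first and stops trusting them at that boundary, then builds a plain-text report with the full headers and raw content. The relay names, the internal network, the sample message and abuse@isp.example are constructed assumptions; the registry lookup (ARIN, RIPE, APNIC) is left as a manual step.

```python
import email
import ipaddress
import re
from email.message import EmailMessage

# Constructed sample: hostnames are made up, addresses are documentation ranges.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
\tby mailstore.example.net with ESMTP id A1; Thu, 19 Jul 2007 20:00:03 -0600
Received: from bank.example.com (unknown [198.51.100.23])
\tby mx1.example.net with SMTP id B2; Thu, 19 Jul 2007 20:00:01 -0600
Received: from internal (trusted.example.org [192.0.2.99])
\tby bank.example.com with SMTP id C3; Thu, 19 Jul 2007 19:59:00 -0600
From: "Support" <support@bank.example.com>
Subject: Account notice

Constructed body text.
"""
TRUSTED = {"mailstore.example.net", "mx1.example.net"}   # assumed: your own relays
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]          # assumed: your own network

HOP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)?\s+by\s+(\S+)")

def source_ip(raw, trusted=TRUSTED, internal=INTERNAL):
    """Return the IP that handed the message to the first relay we control."""
    for hop in email.message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP.search(str(hop))
        # Hops not stamped by our own relays are sender-supplied and may be forged.
        if not m or m.group(2).lower() not in trusted:
            return None
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:          # malformed address literal in the header
            return None
        if not any(ip in net for net in internal):
            return str(ip)          # first external peer: the address to look up
    return None

def build_report(raw, ip, abuse_addr):
    """One plain-text report per message: full headers and raw content, no images."""
    report = EmailMessage()
    report["To"] = abuse_addr
    report["Subject"] = f"Abuse report: unsolicited mail from {ip}"
    report.set_content(f"Source IP: {ip}\n\n----- original message -----\n{raw}")
    return report

if __name__ == "__main__":
    print(build_report(SAMPLE, source_ip(SAMPLE), "abuse@isp.example"))  # placeholder
```
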







