Security Basics mailing list archives

Re: ISP abuse reporting template


From: "Jason Ross" <algorythm () gmail com>
Date: Fri, 4 Jan 2008 22:44:43 -0500

On 4 Jan 2008 20:56:56 -0000, <darmour () aug edu> wrote:
> Does anyone have a template they could share with me or where I could
> find the information to create a well formed abuse report to send to
> an ISP who has a customer on their network doing items to our network
> such as probing, etc.


Apologies for not answering directly; I don't have a template I can
share, but as someone who handles NSP abuse emails, I thought I could
provide some useful input anyway.

I find that the most useful types of abuse reports include at least the
following information:

   * Source IP
   * Destination IP
   * Nature of the abuse (spam/phishing/ddos/bruteforce etc.)
   * Time of the attack (preferably in UTC, but certainly the timezone
     should be listed regardless)
   * Sample logs or URLs or Emails (with headers) showing the abuse

It's amazing how often folks send abuse notifications and neglect to
include some (or all!) of the above. The information listed is (in my
opinion) the minimum amount required to enable one to investigate the
issue and shut down whatever it is that's causing the problem.

Additionally, if the abuse is being performed by a customer of the
service provider (e.g. a company or a smaller ISP) rather than an end
user, the ISP may be unable to do much about the issue other than pass
the abuse report on to their customer and hope they take care of it.

It takes a fair amount of "proof" and/or legal hassle before the
accounting folks allow the network security folks to shut off paying
customers. Having the information above can sometimes go a fair way
towards helping to convince them. =)
Things that I (personally) don't care about in the abuse reports:
   * Anything claiming that your AUP is being violated in some way by
     the abuse. From a "network security guy" POV, I couldn't care less
     about your AUP, since I'm not your customer, and have never agreed
     to abide by said policy. (I'm sure there's some sound legal
     defense reason this gets included though; there must be, because a
     lot of folks do so.)
   * Some "helpful" advice to the effect that the IP seems to be
     infected with "Malware X". Since it is very seldom the case that I
     have access to the machine using the IP in question, there's little
     that I can do to fix it, so this information is useless. (There
     may be some merit to it being there however, as eventually the
     report should end up in the hands of someone that *is* able to
     access the host. Of course, one would hope that this person would
     be able to determine the nature of the problem without needing to
     be guided by the victim ;-) )
   * Threats that if the abuse continues, the originating IP address
     will be blocked by your ( network | server | whatever ). It's your
     network, do what you like to it. (There is of course something to
     be said for the "good karma" factor of letting an ISP know that
     they [or one of their customers] may soon be experiencing some
     problems, I get that. But really, for the purposes of dealing
     with the abuse, it just doesn't matter, and it fills the report
     up with cruft.)

The above is just my opinion obviously. I can see advantages to all of
those things (and listed them). However, I find that the more crap like
"AUP" and "here's what I think you've got, here's some info about that
worm" that ends up in the report, the tougher it is to weed out the
relevant information (like IP, etc.).

*shrug* ... my 2 bits.

--
jason
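As an added example (not part of the original thread or the poster's own tooling), the script below turns raw sshd "Failed password" syslog lines into a report carrying exactly the fields Jason lists: source IP, destination IP, nature of the abuse, time window in UTC, and the sample log lines as evidence. The log excerpt is constructed and uses documentation addresses (203.0.113.45, 198.51.100.7, 192.0.2.10); because syslog records neither the year nor the zone, both are supplied as parameters, and the sample assumes the year 2008 and a victim host logging in UTC-5. Sources with fewer than three failures are dropped so a single mistyped password does not become an abuse report.

```python
"""Build an ISP abuse report from sshd syslog lines (added example, not from the thread).

Pipeline: parse "Failed password" lines -> convert host-local timestamps to UTC
-> group by source address -> render one report per source with the fields
the post asks for. Year and local zone are parameters because syslog omits both.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth.log excerpt: three failures from one address and one
# legitimate key login from another. Timestamps are the victim host's local time.
SAMPLE_LOG = """\
Jan  4 21:02:11 mail sshd[4312]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan  4 21:02:14 mail sshd[4312]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jan  4 21:02:17 mail sshd[4315]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan  4 21:05:40 mail sshd[4320]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
"""

LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption: the victim host logs in UTC-5
LOG_YEAR = 2008                           # assumption: syslog lines carry no year

FAILED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(log_text, year=LOG_YEAR, local_tz=LOCAL_TZ):
    """Return one event dict per failed-login line, timestamp normalised to UTC."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are not evidence of abuse
        # strptime treats whitespace in the format as \s+, so "Jan  4" parses cleanly.
        local = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        when_utc = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append({"when_utc": when_utc, "src": m["src"], "port": int(m["port"]),
                       "user": m["user"], "raw": line})
    return events


def group_by_source(events, min_attempts=3):
    """Group events by source IP, keeping only sources at or above the attempt threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    return {src: evs for src, evs in by_src.items() if len(evs) >= min_attempts}


def render_report(src, events, destination_ip, nature="SSH password brute force", max_samples=5):
    """Render the report text: source, destination, nature, UTC window, sample lines."""
    events = sorted(events, key=lambda e: e["when_utc"])
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        f"Source IP: {src}",
        f"Destination IP: {destination_ip}",
        f"Nature of abuse: {nature} ({len(events)} failed logins)",
        f"First seen (UTC): {events[0]['when_utc'].strftime(fmt)}",
        f"Last seen (UTC): {events[-1]['when_utc'].strftime(fmt)}",
        "Sample log lines (UTC timestamp prepended; syslog time is host local):",
    ]
    for ev in events[:max_samples]:
        lines.append(f"  {ev['when_utc'].strftime(fmt)}  {ev['raw']}")
    return "\n".join(lines)


def build_reports(log_text, destination_ip, year=LOG_YEAR, local_tz=LOCAL_TZ, min_attempts=3):
    """Full pipeline: raw log text -> {source_ip: report text}."""
    events = parse_failed_logins(log_text, year, local_tz)
    grouped = group_by_source(events, min_attempts)
    return {src: render_report(src, evs, destination_ip) for src, evs in grouped.items()}


if __name__ == "__main__":
    # 192.0.2.10 stands in for the victim's own address (constructed).
    for report in build_reports(SAMPLE_LOG, "192.0.2.10").values():
        print(report, end="\n\n")
```

Run as-is it prints one report, for 203.0.113.45 only; the legitimate login from 198.51.100.7 never reaches the output. On a real host, feed it the relevant slice of auth.log and set `LOCAL_TZ` and `LOG_YEAR` to match that host, or convert the logs to an ISO-8601 UTC format upstream so the ambiguity never arises.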

