Security Basics mailing list archives
Re: ISP abuse reporting template
From: "Jason Ross" <algorythm () gmail com>
Date: Fri, 4 Jan 2008 22:44:43 -0500
On 4 Jan 2008 20:56:56 -0000, <darmour () aug edu> wrote:
> Does anyone have a template they could share with me or where I could find the information to create a well formed abuse report to send to an ISP who has a customer on their network doing items to our network such as probing, etc.
Apologies for not answering directly, I don't have a template I can share, but as someone that handles NSP abuse emails, I thought I could provide some useful input anyway.

I find that the most useful types of abuse reports include at least the following information:

* Source IP
* Destination IP
* Nature of the abuse (spam/phishing/ddos/bruteforce etc.)
* Time of the attack (preferably in UTC, but certainly the timezone should be listed regardless)
* Sample logs or URLs or Emails (with headers) showing the abuse

It's amazing how often folks send abuse notifications and neglect to include some (or all!) of the above. The information listed is (in my opinion) the minimum amount required to enable one to investigate the issue and shut down whatever it is that's causing the problem.

Additionally, if the abuse is being performed by a customer of the service provider (e.g. a company or a smaller ISP) rather than an end user, the ISP may be unable to do much about the issue other than pass the abuse report on to their customer and hope they take care of it. It takes a fair amount of "proof" and/or legal hassle before the accounting folks allow the network security folks to shut off paying customers. Having the information above can sometimes go a fair way towards helping to convince them. =)

Things that I (personally) don't care about in the abuse reports:

* Anything claiming that your AUP is being violated in some way by the abuse. From a "network security guy" POV, I could care less about your AUP, since I'm not your customer, and have never agreed to abide by said policy. (I'm sure there's some sound legal defense reason this gets included though; there must be, because a lot of folks do so).
* Some "helpful" advice to the effect that the IP seems to be infected with "Malware X". Since it is very seldom the case that I have access to the machine using the IP in question, there's little that I can do to fix it, so this information is useless. (There may be some merit to it being there however, as eventually the report should end up in the hands of someone that *is* able to access the host. Of course, one would hope that this person would be able to determine the nature of the problem without needing to be guided by the victim ;-)
* Threats that if the abuse continues, the originating IP address will be blocked by your ( network | server | whatever ). It's your network, do what you like to it. (There is of course something to be said for the "good karma" factor of letting an ISP know that they [or one of their customers] may soon be experiencing some problems, I get that. But really, for the purposes of dealing with the abuse, it just doesn't matter, and it fills the report up with cruft.)

The above is just my opinion obviously. I can see advantages to all of those things (and listed them). However, I find that the more crap like "AUP" and "here's what I think you've got, here's some info about that worm" that ends up in the report, the tougher it is to weed out the relevant information (like IP, etc.) *shrug* ... my 2 bits.

-- jason
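As an added illustration of the five fields the reply above asks for (this is example code written for this archive page, not a script posted by anyone in the thread), the following Python reads constructed sshd-style auth log lines stamped in the logging host's local time, groups failed logins by source address, converts the timestamps to UTC, and renders only the minimal report body: source IP, destination IP, nature of the abuse, UTC time window, and a few raw sample lines. The log lines, the host's UTC-5 offset, the attacked host's address and the three-failure reporting threshold are all assumptions made for the example; addresses come from the documentation ranges.

```python
"""Build a minimal, well-formed ISP abuse report from local auth log lines."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines in the style of an sshd auth log. The host that
# wrote them stamps local time (assumed US Eastern, UTC-5) with no zone marker,
# which is exactly why the report must convert to UTC and say so.
SAMPLE_LOGS = """\
2008-01-04 15:02:11 sshd[2231]: Failed password for root from 192.0.2.45 port 51022 ssh2
2008-01-04 15:02:14 sshd[2231]: Failed password for root from 192.0.2.45 port 51023 ssh2
2008-01-04 15:02:17 sshd[2233]: Failed password for invalid user admin from 192.0.2.45 port 51024 ssh2
2008-01-04 15:05:40 sshd[2240]: Failed password for oracle from 198.51.100.7 port 40111 ssh2
2008-01-04 15:06:02 sshd[2244]: Accepted publickey for deploy from 203.0.113.9 port 3000 ssh2
"""

LOCAL_TZ = timezone(timedelta(hours=-5))   # assumed: the logging host's zone
TARGET_IP = "203.0.113.10"                 # assumed: the attacked host's address

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"^(\S+ \S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(text, local_tz=LOCAL_TZ):
    """Return {source_ip: [(utc_datetime, raw_line), ...]} for failed logins only."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # successful logins and other noise are not abuse
        stamp, _user, src = m.groups()
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        by_src[src].append((local.astimezone(timezone.utc), line))
    return by_src


def build_report(src_ip, events, dst_ip=TARGET_IP, local_tz=LOCAL_TZ,
                 threshold=3, samples=3):
    """Render the report body, or None when there are too few events to bother an ISP.

    The body carries only the fields the abuse desk needs; no AUP text,
    no malware guesses, no blocking threats.
    """
    if len(events) < threshold:
        return None
    events = sorted(events)               # chronological; tuples sort by UTC time first
    first, last = events[0][0], events[-1][0]

    def fmt(d):
        return d.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"Source IP: {src_ip}",
        f"Destination IP: {dst_ip}",
        f"Nature of abuse: SSH brute force ({len(events)} failed logins)",
        f"Time of attack (UTC): {fmt(first)} to {fmt(last)}",
        f"Sample logs (raw, host local time {local_tz.tzname(None)}):",
    ]
    lines += ["  " + raw for _, raw in events[:samples]]
    return "\n".join(lines)


def build_all(text):
    """Map each reportable source IP to its report text; one report per source."""
    reports = {}
    for src, evs in parse_failures(text).items():
        body = build_report(src, evs)
        if body is not None:
            reports[src] = body
    return reports


if __name__ == "__main__":
    for src, body in build_all(SAMPLE_LOGS).items():
        print(body, end="\n\n")
```

With the sample above, only 192.0.2.45 (three failures) produces a report; 198.51.100.7 has a single failure and is skipped, since one mistyped password is not worth an ISP's time. The UTC window printed is 2008-01-04T20:02:11Z to 2008-01-04T20:02:17Z, and the raw lines are kept so the recipient can see the original evidence alongside the converted times.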
Current thread:
- ISP abuse reporting template darmour (Jan 04)
- Re: ISP abuse reporting template Jason Ross (Jan 07)
- <Possible follow-ups>
- Re: ISP abuse reporting template rohnskii (Jan 07)