Security Incidents mailing list archives
Re: How to cope with, uhm, "mentally challenged" abuse personnel?
From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Tue, 6 Mar 2001 12:31:22 +0100
On Sun, 04 Mar 2001 16:12:07 -0600, Gary Maltzen wrote:
> Could it be something about the way you report the incidents?
I don't think so. This is what I use to start my messages (I used a message posted recently here in this mailing list as a template, and changed it to fit my needs):
Hi there,

sorry to be the bearer of bad news, but one of your IPs apparently engaged in a port scan of our network. This is not normal behavior, leading us to suspect that your host, or a user account on that host, may be compromised.

Could you please check into the matter, take any necessary action, and if you deem necessary inform us about any results?

Thanks,

Ralf

PS: logfile timestamps are GMT+1, synced to a Stratum-1 timeserver.
> In my initial report (to abuse-noverbose () uu net), I usually include a brief statement about why the activity I am reporting seems abnormal, even if "obvious".
I only do this when they refute my report. I usually write something as follows:
The following traffic cannot be of "normal origin," since none of our LAN IPs ever leave the LAN, but are subject to NAT. Therefore, how come that there are incoming packets addressed to non-visible addresses?
Gary>I typically report sweeps of our address space and other obvious
Gary>exploit attempts.

I have a similar policy of reporting things.
> -------- UU NET response to one of my scanning reports ---------
> [...]
> This is a follow-up message from the UUNET Internet Abuse Investigations Department to let you know the security incident referenced in the subject line above was researched and handled according to UUNET`s Service Agreement with its customers.
> [...]
> Unless you wish to pursue further action, we will close this incident, but
I haven't yet received a reply similar to the above one. I've ONLY received "normal traffic" replies so far. :-(

Thanks.

--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
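An added example, not part of the original post: the check behind the argument in the message above (packets arriving from outside but addressed to NAT'd LAN addresses cannot be normal traffic), run over a constructed firewall log. The log format, the interface names, the 192.168.0.0/16 LAN range and the sample addresses are assumptions; timestamps are converted from the GMT+1 the post mentions to UTC for the report.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the NAT'd LAN uses this RFC 1918 range; the post does not name it.
LAN = ipaddress.ip_network("192.168.0.0/16")
# The post states that logfile timestamps are GMT+1.
LOG_TZ = timezone(timedelta(hours=1))

# Constructed sample in a made-up log format (documentation-range sources).
SAMPLE_LOG = """\
2001-03-04 22:10:01 IN=wan SRC=198.51.100.7 DST=192.168.1.10 DPT=111
2001-03-04 22:10:01 IN=wan SRC=198.51.100.7 DST=192.168.1.11 DPT=111
2001-03-04 22:10:02 IN=wan SRC=198.51.100.7 DST=192.168.1.12 DPT=111
2001-03-04 22:15:40 IN=wan SRC=203.0.113.9 DST=192.0.2.1 DPT=80
2001-03-04 22:16:00 IN=lan SRC=192.168.1.10 DST=192.168.1.11 DPT=22
"""

LINE = re.compile(r"^(\S+ \S+) IN=(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def impossible_inbound(log_text):
    """Group WAN-side packets addressed to NAT'd LAN addresses by source."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        stamp, iface, src, dst, dport = m.groups()
        # Only traffic seen on the outside interface with an internal target.
        if iface != "wan" or ipaddress.ip_address(dst) not in LAN:
            continue
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOG_TZ)
        utc = local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        hits[src].append((utc, dst, int(dport)))
    return dict(hits)

def evidence(log_text):
    """Render one block per source, ready to paste into an abuse report."""
    out = []
    for src, rows in sorted(impossible_inbound(log_text).items()):
        targets = {dst for _, dst, _ in rows}
        out.append(f"{src}: {len(rows)} packets to {len(targets)} internal addresses")
        out.extend(f"  {utc}  {src} -> {dst}:{port}" for utc, dst, port in rows)
    return "\n".join(out)

if __name__ == "__main__":
    print(evidence(SAMPLE_LOG))
```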