Re: What to do if they ignore you

[Rory <reamo () aubroadband com>]

I handle the abuse mail & investigation for 12 Class C's and I have to 
say its bloody hard
to keep up with worm infected pc's. At any one time I would imagine we'd 
have at least
3,000 customers with worm infections, I suspend or contact on average 50 
users a day.

I would say I receive about 800 complaints via email
a day, probably about 300 of those are IDS reports for probes on 445 
from companys like
D-Shield. Generally most companys consider Network Abuse to be fairly 
unimportant and
staff it accordingly, I mean, its not like the role makes the company 
money, but a service
provider wouldn't last long without it.

Personally I'd be happy if more people took legal action against us for 
it, maybe then management
would be more interested in actually hiring enough people to handle it. 
However a friendly letter
to the manager a long with copies of the reports you've sent to their 
abuse team would probably do.

There are a few things that would make dealing with these sorts of 
things easier,
1. Sending IDS Logs in UTC would be easier, converting GMT -07:00 to GMT 
+10:00 requires
   a whole lot more thinking that I'd like to put into a single 
investigation =P~
2. Sending IDS Reports in a nicely formated way like D-Shield does, so 
you know where the data
   you actually want is.
3. Not putting so much crap about legalitys at the top of the email, 
scrolling is hard work, I get
   scroll wheel cramps sometimes.
4. Don't be rude and spout nonsense in your emails, like "STOP YOURS 
COMPUTORS HAX0RING ME"
   as fun as is sending back canned replys, you get a bit sick of it.
5. Threatening to blacklist my IP's is really not going to get you any 
more attention than anyone else.
6. Don't expect a reply unless its a really major issue.
7. Don't send me complaints for other bloody companies IP space godamnit!

Thats all =)

Regards,
Rory


Skip Carter wrote:

> Hello,
>
> My company provides outsource security management/monitoring services.
>
> In early March we noticed that several of our clients that are in the
> same /16 block were getting persistent port 445 probes from a couple
> of systems from a very large corporation's satellite office which is
> on the same /16 block.
>
> I have repeatedly called the companies security manager (on the US east
> coast) and talked to people at the companies headquarters (on the US
> west coast).  They take my information (I have shown them firewall logs,
> IDS logs, captured packet traces, and honeypot sessions) but nothing is
> done about these probes (typically around 1500/day).
>
> We have black-holed connections from the offending network block, but many
> of our clients are small and do not have firewalls with the resources to
> handle huge lists of blacklisted networks.
>
> It has been over a month now, and nothing has changed.  They seem to be
> unable or unwilling to fix their own systems when they have all the
> information they could ask for in order to track the problem down.
>
> Does anybody have any suggestions on what to do to make Goliath behave
> when you are David ?
>
>
>  


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------