Security Incidents mailing list archives
Re: Proper ISP Reporting
From: Rod Barnhart <rod.barnhart () gmail com>
Date: Wed, 17 Aug 2005 09:11:38 -0400
I spent about five years as the support manager for a local ISP and responded to abuse, hostmaster, and support email. Without more details about what type of thing you're reporting, I can only speak in generalities. I can also only say how I handled things for the ISP I was at. I'm sure the big boys handle things differently.

First, make sure you provide documentation. Make sure you indicate what timezone your logs are in, and send them. Feel free to obscure your own IP address space if you'd like. I can't tell you how many reports I had that simply said "ZoneAlarm reported XXXX attack from xxx.xxx.xxx.xxx at 5am." When asked for logs, the sender had no idea how to obtain them, nor understood that it may have been a false-positive. On the occasions that it was a legitimate abuse complaint, 90% of the time the sender would fail to indicate the timezone their logs were in, making it impossible for me to track down what subscriber was assigned that IP address at that time.

Also, be polite. I'm sure I'm not the only person who was abuse@ who had many other duties. If you're demanding my log files, I'm going to demand a subpoena and leave it to you to figure out where to send it. If you're politely stating that a criminal case may result, I'm going to tell you that we require a subpoena to release our log files, but I will be as cooperative as possible without violating the privacy of our users.

Finally, we had extremely low log retention times. We were happy to put in a best-effort to help, but if it had rotated out of our logs, there wasn't a lot we could do to help.

Also, in my position there, I had to send abuse reports to other ISPs. From experience, it appeared many people who responded were as overworked as I was. Unfortunately, many of them were less responsive than I was.

Rod Barnhart

On 8/16/05, Jason Burton <jab () leximedia net> wrote:

Anyone have samples of how to properly report to ISPs regarding abuse? i.e., what format the email should be in, sample phrases, or sentences that might help. I've been doing this for a while and while some work, some have not. I'm wondering if anyone has examples.

Thanks
Jason Burton
Leximedia LLC
jab () leximedia net
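Added example, not part of the original thread: one way to prepare the log evidence the reply above asks for, converting local syslog timestamps to UTC, stating the original offset, and masking the reporter's own addresses. The log format, the sample lines, the documentation-range addresses and the function names are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample firewall log, local time, documentation-range addresses only.
SAMPLE_LOG = """\
Aug 16 05:00:12 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=22
Aug 16 05:00:14 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=22
Aug 16 22:30:41 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=22
Aug 16 05:03:41 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP DPT=445
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (.*\bSRC=(\S+).*)$")
FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalize(log_text, year, utc_offset, own_prefix, source_ip):
    """Return sorted (utc_datetime, masked_line) pairs for one source address."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != source_ip:
            continue
        # Syslog stamps carry neither year nor zone; the reporter must supply both.
        local = datetime.strptime(f"{year} {m.group(1)} {utc_offset}",
                                  "%Y %b %d %H:%M:%S %z")
        # Obscure the reporter's own address space, keep the remote address intact.
        masked = re.sub(re.escape(own_prefix) + r"\d+", own_prefix + "x", m.group(2))
        rows.append((local.astimezone(timezone.utc), masked))
    return sorted(rows)


def build_report(log_text, year, utc_offset, own_prefix, source_ip):
    """Build a plain-text evidence block for an abuse@ report."""
    rows = normalize(log_text, year, utc_offset, own_prefix, source_ip)
    if not rows:
        raise ValueError(f"no log lines for {source_ip}")
    body = [
        f"Source address: {source_ip}",
        f"Events: {len(rows)}",
        f"First seen (UTC): {rows[0][0].strftime(FMT)}",
        f"Last seen (UTC): {rows[-1][0].strftime(FMT)}",
        f"Original log timezone: UTC{utc_offset}; timestamps below converted to UTC",
        f"Reporter addresses masked as {own_prefix}x",
        "",
    ]
    body += [f"{ts.strftime(FMT)} {line}" for ts, line in rows]
    return "\n".join(body)


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG, 2005, "-0400", "203.0.113.", "198.51.100.23"))
```

The third sample line shows why the offset matters: 22:30 local on Aug 16 is already Aug 17 in UTC, which can change which subscriber held a dynamically assigned address.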