Security Incidents mailing list archives
RE: Proper ISP Reporting
From: "McKinley, Jackson" <Jackson.McKinley () team telstra com>
Date: Thu, 18 Aug 2005 09:25:58 +1000
+ Contact Information for the Incident Reporter - Name - E-mail address - Phone number - Location (Time zone and country) + Incident Details - Date/time that the incident was discovered - Type of incident (e.g., denial of service, malicious code, unauthorized access, inappropriate usage) - Date/time that the incident occurred (if known) - Current status of the incident (e.g., ongoing attack) - Source/cause of the incident (if known), including hostnames and IP addresses - Description of the incident (e.g.what occurred) + General Comments Extra notes: * Remember the person that looks at the email first will most likely be a low level engineer 1st to 2nd level. Try not to be over technically but make it clear a "Security person" should look at it. * Use statements like "Assist with the resolution" and "Help us to solve this issue" Make it out that they can work with you to fix it no just them do it. * Leave as much info in the logs that you send as possible. Some times its easyer to track traffic from its distination rather then its source. * NEVER EVER EVER EVER say you will do anything legal if they don't fix it ASAP... Matter of fact never use the work "legal" in any way.. The moment you do that you start a new game, and then everything must be looked at by legal before it goes anywhere. Thus slowing the process down a LOT! We all know how good at red tape legal are :P * I always send to more then 1 address.. Abuse@isp, hostmaster@isp, postmaster@isp, Helpdesk@isp, noc@isp, gnoc@isp, soc@isp. Are always good places to start. * Saying things like we have forward you details to the <Insert Agency name here> will only have the same effect as point 3. and they don't need to know you have done this. * You can try login it as a Fault with the ISP's helpdesk. This will mean they will have call back alarms and PKI's to think of... ;) * Also expect things to take time. Personally in the past when I have worked on abuse reports for ISP's it has taken time to deal with them. Its not like you can just switch of customer or machine XYZ.. You have to gather info, look into it from your end, contact the customer, check with the customers contract / AUE. Then if the customer does nothing you can do it.. But that can take some time. * solve the issue with in your scope of control if you can. Get you Upstream to block it (if you have one ;) ) Cheers Jack. -----Original Message----- From: Jason Burton [mailto:jab () leximedia net] Sent: Wednesday, 17 August 2005 12:02 PM To: incidents () securityfocus com Subject: Proper ISP Reporting Anyone have samples of how to properly report to ISP's regarding abuse? ie. What format the email should be in, sample phrases, or sentences that might help. I've been doing this for a while and while some work, some have not. Im wondering if anyone has examples. Thanks Jason Burton Leximedia LLC jab () leximedia net
Current thread:
- Proper ISP Reporting Jason Burton (Aug 16)
- Re: Proper ISP Reporting chip (Aug 17)
- RE: Proper ISP Reporting Ramki B (Aug 17)
- Re: Proper ISP Reporting Rod Barnhart (Aug 17)
- Re: Proper ISP Reporting Valdis . Kletnieks (Aug 17)
- RE: Proper ISP Reporting Lyal Collins (Aug 17)
- <Possible follow-ups>
- Re: Proper ISP Reporting Brandon Butterworth (Aug 17)
- Re: Proper ISP Reporting Leif Ericksen (Aug 19)
- Re: Proper ISP Reporting Valdis . Kletnieks (Aug 22)
- Re: Proper ISP Reporting Leif Ericksen (Aug 19)
- RE: Proper ISP Reporting Lepich, Jesse A Mr GLWACH (Aug 17)
- RE: Proper ISP Reporting McKinley, Jackson (Aug 18)
- RE: Proper ISP Reporting Scott Fuhriman (Aug 19)
- Re: Proper ISP Reporting Dennis Willson (Aug 22)
- RE: Proper ISP Reporting Scott Fuhriman (Aug 19)
- RE: Proper ISP Reporting Swen Wulf (Aug 19)