Security Incidents mailing list archives

Re: How to cope with, uhm, "mentally challenged" abuse personnel?


From: Gary Maltzen <maltzen () MM COM>
Date: Sun, 4 Mar 2001 16:12:07 -0600

Could it be something about the way you report the incidents? In my initial report (to abuse-noverbose () uu net), I usually include a brief statement about why the activity I am reporting seems abnormal, even if "obvious".

I typically report sweeps of our address space and other obvious exploit attempts.

A typical response from UU NET is appended to this message.

I have to report about 1 incident per day that is caused by IP addresses
assigned to UUnet. Mostly it's sweeps across our whole class C, sometimes
ICMP, sometimes even scans for 111/UDP. NONE of our LAN IPs EVER leave our
LAN, since although they're IPs officially assigned to us I masquerade (NAT) them
at our router.

The usual answer I receive from UUnet is the following:

   "The type of internet traffic you describe appears to be of normal
origin."

As I explained above NONE of our LAN IPs ever can be seen outside of our LAN,
so HOW ON EARTH should this be "of normal origin???"

Frankly I'm fed up with this kind of reply. I don't know whether it's just
that the abuse personnel simply are underqualified for their job, or whether
it's that they simply can't cope with the growing number of incidents caused by
their customers, but I don't feel like accepting this kind of ignorance.

Any suggestions what I should do? If UUnet's personnel doesn't get their act
together I could be forced to completely black-hole their respective subnets
in our router.

-------- UU NET response to one of my scanning reports ---------

Dear Complainant(s):

This is a follow-up message from the UUNET Internet Abuse Investigations
Department to let you know the security incident referenced in the
subject line above was researched and handled according to UUNET's
Service Agreement with its customers.

If you wish to pursue legal action against this user, please have the
authorities contact us for information on where to send a subpoena.

If you incur additional security incidents that you believe originate from
a UUNET customer, please report them as separate incidents to the appropriate
email address below.

Unless you wish to pursue further action, we will close this incident, but
it can be re-opened at any time by replying to this email or referring to
the ticket# above when calling UUNET Security Support.

Sincerely,

UUNET Internet Abuse Investigations Team                1-800-900-0241
UUNET 3060 Williams Dr., Fairfax, VA  22031             703-206-5440
security () uu net - Security Incidents                    http://www.uu.net
abuse-mail () uu net - Massmail
abuse-news () uu net - Usenet Abuse

