Re: How do you handle client contact for network abuse/malware compaints etc.?

[Mark Radabaugh <mark () amplex net>]

Nicole Harrington wrote:

> Hello
> As a sort of addendum to the thread of "Quarantine your infected users spreading
> malware" I am curious how other handle contact to the users/clients for network
> security incidents. 
>
> The question I have is; When someone reports an incident to you about
> one of your clients (a user or server owner) possibly being infected, having
> an owned box being used for hacking into other servers or being used to spread
> malware, how much information do you send/forward on to that user/client to
> support your case.
>
> Is it normal practice to simply forward on unaltered logs sent in by those
> complaining or do you sanitize them a bit to protect the people notifying you?
> Do you even send them at all at first or do you simply inform them that a 
> complaint has been received.
>  
> In short, how much information do you pass on to support yourself and when.
>
>
> Thanks
>
> Nicole Harrington
>
>  
All depends on the client and if I think the abuse is intentional or not.  

If the user knows what he/she is doing and I don't think they are being
malicious then I will send them everything.

If I think they are doing it on purpose I send enough to prove my case
and tell them to knock it off -  before I knock it off for them (or
after - depends on how much damage they are causing).

If they don't have a clue then sending them a bunch of information they
won't understand is pointless.  We either help them clean up the mess or
refer them to someone who can.

-- 
Mark Radabaugh

Amplex
mark () amplex net
419.837.5015