nanog mailing list archives

Re: advise on network security report


From: "Chris L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Wed, 01 Nov 2006 02:16:01 +0000 (GMT)



On Tue, 31 Oct 2006, Rick Wesson wrote:

Whatever service you end up offering, a full-text RSS or Atom feed
would probably be useful, as well.

we do CSV for detail reporting and will be posting these directly to the
abuse@ mbox for the networks we have contacts for.

whichever notification method you use you need to include information that
the abuse@ address folks can actually use. Saying: "machine 1.2.3.4 sent
spam" isn't useful, however sending:

-----------------------------example---------------------
machine 1.2.3.4 delivered this spam:

<full spam mail with headers>

-----------------------------end example----------------

is useful... Extend that to virus/trojan/bot/C&C info of course (send logs
of the abuse).  If you don't provide this there is no reasonable way to
effect change. Also, make sure that whatever you send is machine parsable,
it'd be great to send things in some 'standards compliant' manner as well
(INCH perhaps?) sending an email that a human has to process will get that
email deleted/ignored/not-processed-to-your-satisfaction. I also believe
that since you are aiming at something machine parseable you should submit
one email per 'incident' you are reporting, that way abuse@ folks can
judge the volume of the problem in a fairly simple manner.

it's just an opinion or 3... :)

Oh, and as Scott said, please tag the subject so it can get procmail'd
appropriately.

-Chris
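
Added example, not part of the original message or the list archive: a sketch of the reporting shape described above, turning CSV detail rows into one tagged email per incident with the evidence and a machine-parsable summary attached, then counting incidents per source on the receiving side. The subject tag, the addresses, the CSV columns and the JSON summary (a stand-in, not INCH) are assumptions, and the sample rows are constructed.

```python
import csv, io, json
from collections import Counter
from email.message import EmailMessage

TAG = "[ABUSE-REPORT]"  # assumed subject tag; agree on the real one with the recipient

# Constructed sample detail rows (documentation addresses, not real incidents).
SAMPLE_CSV = '''timestamp,source_ip,category,evidence
2006-10-31T14:02:11Z,192.0.2.10,spam,"Received: from mail.example (192.0.2.10)
Subject: constructed sample

constructed spam body"
2006-10-31T14:05:40Z,192.0.2.10,spam,"Received: from mail.example (192.0.2.10)
Subject: second constructed sample

constructed spam body"
2006-10-31T15:20:03Z,198.51.100.7,bot,"198.51.100.7:1042 -> 203.0.113.5:6667 JOIN #constructed"
'''

def build_reports(csv_text, sender="reports@reporter.example", rcpt="abuse@network.example"):
    """Sender side: one message per CSV row, so one email per incident."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, rcpt
        msg["Subject"] = f"{TAG} {row['category']} {row['source_ip']} {row['timestamp']}"
        msg.set_content(f"machine {row['source_ip']} produced the attached {row['category']} evidence")
        # Machine-parsable summary (plain JSON here as a stand-in; not INCH).
        meta = {k: row[k] for k in ("timestamp", "source_ip", "category")}
        msg.add_attachment(json.dumps(meta).encode(), maintype="application",
                           subtype="json", filename="incident.json")
        # The evidence itself: full spam with headers, or the relevant log lines.
        msg.add_attachment(row["evidence"], filename="evidence.txt")
        reports.append(msg)
    return reports

def volume_by_source(messages):
    """Receiver side: keep tagged mail only, then count incidents per source."""
    counts = Counter()
    for msg in messages:
        if not str(msg["Subject"]).startswith(TAG):
            continue
        meta = next(p for p in msg.iter_attachments()
                    if p.get_content_type() == "application/json")
        counts[json.loads(meta.get_content())["source_ip"]] += 1
    return counts

if __name__ == "__main__":
    for source, n in volume_by_source(build_reports(SAMPLE_CSV)).items():
        print(source, n)
```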

