LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To: Steve Fraser <sfraser@sierra.apana.org.au>
Date: Sat, 9 Dec 2000 14:04:03 +1030
Re: attack against sendmail - clues?
On Sat, Dec 09, 2000 at 08:52:12AM +1030, Steve Fraser wrote:
>
> At APANA, we've found it quite effective to email the log to the ISP, and
> complain about the activity when hit by an attack. Most reputable ISPs WILL
> take action against the offender (they can identify them from their own logs,
> given the IP number, and time of day - so overseas ones need to be told our
> time zone).
>
> ISPs often have an address such as abuse@, or failing that just try root@ or
> check on their web page for an address.
>
> It's well worthwhile doing this.

Steve,

I always do this anyway.
I sent a full report to SENet already before I sent this query
to linuxSA.
What I was looking for from linuxSA was some technical info on what
that particular kind of attack looked like.
I understood the other 90% of the attack, I think.

A couple of hours later I reported a later attack to wanadoo.fr
(in French, of course).

The only time I don't report attacks is if they're from Korea,
China or some such place, which is about 30% of all attacks.
They never, ever reply, even if the address in the DNS SOA
is correct.

I also always quote timezone, with full firewall log, and
if it's complicated, I send the tcpdump log too.
Most ISPs in the English-speaking world will send an
auto-reply to abuse@ messages.
Some actually require you to use NTP to validate your time-stamps!

If abuse@ doesn't work, I try webmaster@. Rarely does root@ work,
maybe because many of the machines don't run Unix.
I also often check the ISP webpage for abuse@ addresses.
But very few ISPs indeed have info on where to
send abuse reports. That surprises me really.
I almost always have to guess.
The DNS SOA is the most reliable source of info on who to
send messages to mostly.

Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
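
Added example, not part of the original message: a sketch of the two mechanical steps the reply describes, reading the contact mailbox out of a DNS SOA record (including the escaped-dot case) and converting a local log timestamp to UTC before quoting it in a report. The zone example.net, the SOA record, the log timestamp, the function names and the order of the candidate addresses are all constructed or assumed for illustration.

```python
from datetime import datetime, timezone

# Constructed SOA record in zone-file form; example.net is a placeholder zone.
SAMPLE_SOA = (r"example.net. 3600 IN SOA ns1.example.net. "
              r"noc\.admin.example.net. 2000120901 10800 3600 604800 86400")

def soa_rname_to_mailbox(rname):
    """Decode an SOA RNAME: the first unescaped dot separates the local
    part from the domain, and '\\.' is a literal dot in the local part."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])   # escaped character stays in local part
            i += 2
        elif ch == ".":
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(ch)
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

def abuse_candidates(soa_line):
    """Return addresses to try: SOA contact first, then the role mailboxes
    named in the thread (this ordering is an assumption of the example)."""
    fields = soa_line.split()
    zone = fields[0].rstrip(".")
    rname = fields[fields.index("SOA") + 2]   # SOA, MNAME, then RNAME
    ordered = [soa_rname_to_mailbox(rname)]
    ordered += ["%s@%s" % (box, zone) for box in ("abuse", "webmaster", "root")]
    return list(dict.fromkeys(ordered))       # drop duplicates, keep order

def log_time_to_utc(stamp, year, utc_offset):
    """Syslog-style stamps carry no year or zone; attach both, then
    convert to UTC so the receiving ISP can match its own logs."""
    local = datetime.strptime("%d %s %s" % (year, stamp, utc_offset),
                              "%Y %b %d %H:%M:%S %z")
    return local.astimezone(timezone.utc).isoformat()

if __name__ == "__main__":
    print(abuse_candidates(SAMPLE_SOA))
    # Constructed timestamp in a +1030 zone.
    print(log_time_to_utc("Dec  9 08:41:17", 2000, "+1030"))
```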