[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proper ISP Reporting

To: Brandon Butterworth <brandon@xxxxxxxxxxxx>
Subject: Re: Proper ISP Reporting
From: Leif Ericksen <leife@xxxxxxx>
Date: Thu, 18 Aug 2005 19:20:50 -0500
Cc: incidents@xxxxxxxxxxxxxxxxx
Delivered-to: mailing list incidents@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for incidents@xxxxxxxxxxxxxxxxx
In-reply-to: <200508170720.IAA08998@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:incidents-help@securityfocus.com>
List-id: <incidents.list-id.securityfocus.com>
List-post: <mailto:incidents@securityfocus.com>
List-subscribe: <mailto:incidents-subscribe@securityfocus.com>
List-unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
Mailing-list: contact incidents-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200508170720.IAA08998@xxxxxxxxxxxxxxxxxxx>

On top of all that have patience.  I work for a large ISP and there is
sometimes is a bureaucratic channel that must be followed that can delay
the response time that you are going to get.

--L

On Wed, 2005-08-17 at 08:20 +0100, Brandon Butterworth wrote:
> > ie. What format the email should be in, sample phrases, or
> > sentences that might help.
> 
> Keep it neutral, simple and informative. 
> 
> Don't threaten or tell them how evil they are, you want their
> cooperation
> 
> Only tell them about things they can do something about
> 
> Include all evidence, don't anonymise it.
> 
> If you don't understand the evidence research it first,
> it may not be their fault. Ask the vendor of whatver tool
> reported the problem - you paid them not the ISP so they should
> be your first call.
> 
> > I've been doing this for a while and while some work, some have
> > not. Im wondering if anyone has examples.
> 
> We get lots from people running scripts automatically. Almost
> all are a waste of our time and may cause us to miss a genuine
> report.
> 
> Common useless reports include -
> 
> Reporting 419s or spam that refer to our web sites or include our
> domains/ip addresses as strings in the headers. The 419ers are dumb
> enough to send the same scams to us so we don't need you to tell
> us what they sent you.
> 
> Reporting viruses we didn't send - doubly annoying to those of us not
> running commonly susceptible systems, we get the virus anyway from
> people forwarding or bouncing them to us. If your AV system doesn't
> know a virus forges the sender then get a new one as it's broken,
> if it emails a forged sender then disable all email to third 
> parties as your reports will be still be ignored should you eventually
> get a proper one.
> 
> Reporting our web site/dns server/streaming media server
> dossed you with 3 packets, is trying to take over your computer,
> probed your firewall, invaded your privacy.
> 
> regards,
> brandon
-- 
Leif Ericksen <leife@xxxxxxx>

Follow-Ups:
- Re: Proper ISP Reporting
  - From: Valdis . Kletnieks

References:
- Re: Proper ISP Reporting
  - From: Brandon Butterworth

Prev by Date: Re: New Virus?
Next by Date: Oracle 8i compromise questions
Previous by thread: Re: Proper ISP Reporting
Next by thread: Re: Proper ISP Reporting
Index(es):
- Date
- Thread