[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Abuse Desks

Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails.
This is why folks don't have abuse contacts that are responsive to real issues anymore.


On 4/28/20 11:57 AM, Mike Hammett wrote:
> I noticed over the weekend that a Fail2Ban instance's complain function wasn't working. I fixed it. I've noticed a few
> things:
> 1) Abusix likes to return RIR abuse contact information. The vast majority are LACNIC, but it also has kicked back a
> couple for APNIC and ARIN. When I look up the compromised IP address in Abusix via the CLI, the APNIC and ARIN ones
> return both ISP contact information and RIR information. When I look them up on the RIR's whois, it just shows the ISP
> abuse information. Weird, but so rare it's probably just an anomaly. However, almost everything I see in LACNIC's region
> is returned with only the LACNIC abuse information when the ones I've checked on LACNIC's whois list valid abuse
> information for that prefix. Can anyone confirm they've seen similar behavior out of Abusix? I reached out to them, but
> haven't heard back.
> 2) Digital Ocean hits my radar far more than any other entity.
> 3) Azure shows up a lot less than GCP or AWS, which are about similar to each other.
> 4) Around 5% respond saying it's been addressed (or why it's not in the event of security researchers) within a couple
> hours. The rest I don't know. I've had a mix of small and large entities in that response.
> 5) HostGator seems to have an autoresponder (due to a 1 minute response) that just indicates that you sent nothing
> actionable, despite the report including the relevant log file entries.
> 6) Charter seems to have someone actually looking at it as it took them 16 - 17 hours to respond, but they say they
> don't have enough information to act on, requesting relevant log file entries...  which were provided in the initial
> report and are even included in their response. They request relevant log file entries with the date, time, timezone,
> etc. all in the body in plain text, which was delivered.
> 7) The LACNIC region has about 1/3 of my reports.
> Do these mirror others' observations with security issues and how abuse desks respond?
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> Midwest-IX
> http://www.midwest-ix.com