Bizarre (.bz) abuse report - are we alone?

OK, we're pretty vigilant about policing abusers on our network. This
just showed up from "no-reply@abuse.bz". Please see my responses
inline. Mail origin IP is from an ISP in the Netherlands. Some
information redacted to protect the guilty.

Is this type of thing typical these days and we're just lucky so far and
behind the curve on the futility of trying to take action on reports of
network abuse?

This is almost certainly sent by some idiot hand reporting spam /
desktop firewall alerts, with a fake address because he thinks
everybody out there is a spammer.

Lossless compression of your abuse queue is possible when you just
delete those, or procmail them out when they get too regular.

--srs

Send that nonsense to /dev/null

I would agree except abuse.bz indeed is a real domain and also the
apparent source of the email.

They may be some sort of amplification/referral service for idiot
desktop firewall alerts but they have no web presence and Google turns
up very little.

Registered to "Musti Aslan" of snel internet services bv. Looks like
a small colo shop, and googling "Musti Aslan" turns up a twitter
handle etc.

Tech-ID:SISB19-EPNIC
Tech-Name:Musti Aslan
Tech-Organisation:Snel Internet Services B.V.
Tech-Street:Piet Heinstraat 7
Tech-City:Schiedam
Tech-Postal-Code:3115JC
Tech-Country:NL
Tech-Phone:+31.882088077
Tech-FAX:+31.882088089
Tech-Email:domains@snelis.com

Sending an automated message over e-mail without a working reply
address in the From: field and SMTP sender address is a type of
spam, and you might choose to report it as such. That is, the
"report" itself is abuse, because no mechanism is provided to reply
to a person who sent the message. Domain/IP contacts are
contacts to be reached by humans, not "dumping addresses" for
automatic message robots that cannot handle replies and coordinate to
resolve issues.

If the message had a valid return path, then it may make sense to
reply with a message that states you require the destination IP
address that was supposedly attacked, before your investigation
starts.

If they have bona fide abuse to report, then they should be
cooperative in providing sufficient details to efficiently locate
records of that abuse.

It would be understandable if any efforts to locate alleged abuse
based on such limited information were limited, or deferred, until
the reporter could provide sufficient details to properly identify
the abuse in the future via monitoring, or by extracting logs for
traffic to the reported destination addresses.

Those are my thoughts on the matter.

Regards,

Is this type of thing typical these days and we're just lucky so far and
behind the curve on the futility of trying to take action on reports of
network abuse?

Suresh is right, this is a GWF/GWL. Normal people send abuse reports
with actionable data and a working return address for replies and
questions.

If I got one of those I would be torn between writing back and saying
"If you want a real response, send a real report" and just blackholing
his IP since there is clearly no chance that any useful traffic will
come from it.

R's,
John

Given that he uses a junk and non-repliable address he doesn't want a
reply. #2 sounds like a viable plan - or maybe just procmail that out
of your abuse queue.
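
Putting the two suggestions in this thread together (drop reports from a
sender that cannot receive a reply, and ask a real reporter for the
destination address before spending time in the logs), the script below
triages an incoming report into "discard", "request-details" or
"investigate". It is an added example, not code from any of the posters.
The sample reports, the example.* domains and the 192.0.2.0/24 prefix are
constructed; treating a timestamp as a required detail is my addition,
since it is what makes a log search practical.

```python
"""Triage an abuse report: no answerable sender -> discard; answerable sender
but missing details -> ask for them; complete report -> investigate.
Added example; sample messages, domains and prefix are constructed."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Local parts that mark an unattended robot mailbox (assumed list).
NOREPLY_RE = re.compile(r'^(no-?reply|do-?not-?reply|bounce)', re.I)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
DATE_RE = re.compile(r'\b\d{4}-\d{2}-\d{2}\b')


def has_working_reply_address(msg):
    """Both the SMTP envelope sender (Return-Path) and From: must be answerable."""
    # A null reverse path "<>" means nothing can be sent back to the sender.
    _, envelope = parseaddr(str(msg.get('Return-Path', '')))
    _, from_addr = parseaddr(str(msg.get('From', '')))
    if not envelope or not from_addr:
        return False
    return not any(NOREPLY_RE.match(a.split('@', 1)[0]) for a in (envelope, from_addr))


def extract_addresses(text, our_prefixes):
    """Split the IPv4 addresses in a report into ours and everyone else's."""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    ours, theirs = set(), set()
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:  # e.g. 999.1.1.1 matched the loose regex
            continue
        (ours if any(ip in n for n in nets) else theirs).add(str(ip))
    return ours, theirs


def triage(raw, our_prefixes):
    """Return (decision, missing): decision is 'discard', 'request-details' or
    'investigate'; missing lists the details a reply should ask for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not has_working_reply_address(msg):
        return 'discard', []
    body = msg.get_body(preferencelist=('plain',))
    text = body.get_content() if body else ''
    ours, theirs = extract_addresses(text, our_prefixes)
    missing = []
    if not ours:
        missing.append('source address in our network')
    if not theirs:
        missing.append('destination address that was attacked')
    if not DATE_RE.search(text):
        missing.append('timestamp')
    return ('request-details' if missing else 'investigate'), missing


OUR_PREFIXES = ['192.0.2.0/24']  # constructed: the address space we are responsible for

# Constructed: robot report, null envelope sender, no-reply From:, no target named.
ROBOT_REPORT = b"""Return-Path: <>
From: no-reply@abuse.example.net
To: abuse@example.com
Subject: Attack report

Your host 192.0.2.77 has been reported for attacks.
"""

# Constructed: human-sent report that names our host but not the target or time.
VAGUE_REPORT = b"""Return-Path: <abuse-desk@example.org>
From: Abuse Desk <abuse-desk@example.org>
To: abuse@example.com
Subject: SSH brute force from your network

We saw 192.0.2.45 brute-forcing SSH on one of our servers.
"""

# Constructed: complete report that can be matched against flow logs.
FULL_REPORT = b"""Return-Path: <abuse-desk@example.org>
From: Abuse Desk <abuse-desk@example.org>
To: abuse@example.com
Subject: SSH brute force from your network

On 2024-05-01 between 02:10 and 02:40 UTC, 192.0.2.45 made about 4000 login
attempts against 203.0.113.9 port 22.
"""

if __name__ == '__main__':
    for name, raw in (('robot', ROBOT_REPORT), ('vague', VAGUE_REPORT), ('full', FULL_REPORT)):
        print(name, triage(raw, OUR_PREFIXES))
```

The envelope sender is what a bounce or an automated reply would actually
go to, so the check looks at Return-Path as well as From:; a report that
passes it but lacks the counterparty address or a time goes back to the
reporter with the list in `missing` rather than into the queue.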

I haven't seen something this clue-challenged since the CIRT for one of the US
military branches sent me an e-mail about network probes. Turned out that it
was our Listserv machine, trying to send to the IP address that was listed as
an MX for one of their subdomains, and said IP didn't have anything listening
at port 25.