a customer of chello.be has been repeating a dns dynamic update against my
zone every four minutes since october 20. chello's abuse reporting channel
is no doubt full of spam reports. their noc no doubt doesn't care about
end-user problems. i nmap'd the offending box:
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-11-05 17:24 GMT
Interesting ports on cable-62-205-122-245.upc.chello.be (62.205.122.245):
(The 1638 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
25/tcp open smtp
37/tcp filtered time
53/tcp open domain
111/tcp open rpcbind
113/tcp filtered auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
515/tcp open printer
548/tcp open afpovertcp
1024/tcp open kdm
1025/tcp open NFS-or-IIS
1026/tcp filtered LSA-or-nterm
8009/tcp open ajp13
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
and i connected to every one of those services that i had a client for, and
sent mail to the postmaster (using telnet and the @[] notation), but i think
i have not done enough to set off any kind of intrusion detection systems.
what's a socially acceptable way to be rude enough to make these people pay
attention to me? i'm asking not just for this host -- i'm hoping there's a
"community standard" i can follow, and recommend that others follow.
the box is raw debian. in fact its hostname (according to its exim and bind)
is "debian". i don't think anybody's reading its "postmaster" mailbox. i
do not think there is any evil intent in the updates they won't stop sending
me, but they're filling my logs and i don't want to firewall them.
we all have this kind of problem.
if you're on freebsd, man ipfw. i am sure there are similar
on other oss.
randy
Voice phone call to their NOC, maybe? Old-fashioned, but sometimes it helps.
Alternatively, an SMTP alphabet spam against their box ought to find
some email address
beside the unread postmaster - but try sending mail to "root" first.
Or just filter out their IP address.
Hi,
compose a 'written-by-a-lawyer' looking letter in plain text and print
it out. I bet 515/udp is open as well and most printers can handle
plain ASCII.
515/tcp open printer
-andreas
Paul Vixie wrote:
a customer of chello.be has been repeating a dns dynamic update against my
zone every four minutes since october 20. chello's abuse reporting channel
is no doubt full of spam reports. their noc no doubt doesn't care about
end-user problems. i nmap'd the offending box:
Hmmm..
Couldn't sending them [and only them] specifically bad information for your zone... say everything (*) goes to a webpage that says "you REALLY need to fix this?"
I think most ISPs could reach their unreachable customers by forcing all their connections [http at least] to a page that starts out with "your web surfing has been interrupted because we need to talk to you... please wait 60 seconds to be taken to the web page you wanted to get to. Or just call us.."
And the time keeps getting longer... and longer... as more time passes without it being cleared by the noc.
It seems to get my attention in hotels when they hotel does it to me [and expires my dhcp ip]. Usually that is just that I need to renew my daily IP subscription, but you get the drift.
If they are requesting information from you, give them information that directs them to contact you.
[I am imagining a world where every file on an FTP server becomes a README when you have violated their access rules].
Not saying its a good idea.. Just an idea.
Deepak
Ron Guilmette used to notify operators of insecure machines with remote writes
to syslog (that'd get logged on the console, as like as not) .. that didn't
exactly win him friends or influence people (including Paul Vixie I think) some
5..6 years back 
srs