Unattended or inexistent 'abuse' mailboxes

Hi, for some time now, I use to send abuse attack logs to IP maintainers with the help of csf.

But I can see that a lot of official abuse mailboxes are full, nonexistent or undeliverable.

What do you guys do in these cases? It's a hard job to report these abuse attacks...

Comments

  • Send to whoever owns the IP space or rents the server? Run a traceroute and look up the abuse contact on the 2nd to last IP.

  • blackblack Member
    edited November 2015

    You just sort of protect your own infrastructure and move on if they don't respond.

    Thanked by 2: Rolter, Nyr
  • @linuxthefish Doing that 5 times per day is OK, but I get dozens of emails per day. That's a lot of work!

    Isn't there any way to 'report' that an abuse contact is not working? Some of those run millions of attacks per second to the world.

  • Fail2ban can do it automatically these days depending on version and setup!

  • podsdad Member
    edited November 2015

    As you say though it's like talking to a wall. Only a few providers take things seriously. Online.net are very good but they ask for it as they host anything and anyone and need to cover themselves.

  • jarjar Patron Provider, Top Host, Veteran
    edited November 2015

    I know a few of those. HostSailor is one of them. Blackhole all their IP ranges and hope that eventually their customers complain that their IPs are useless because too many people don't want their traffic.

  • GM2015 Member
    edited November 2015

    What's an abuse attack according to you?

    KeyJey said: I use to send abuse attack logs to IP maintainers

  • KeyJey Member
    edited November 2015

    @GM2015 Brute force attacks, typically via SSH and POP3 protocols:

    ---------- Forwarded message ----------
    From: ME
    Date: 2015-11-26 14:36 GMT-02:00
    Subject: Fwd: abuse report about 59.46.98.66 - 2015-11-24T13:41:43-0200
    To: [email protected]
    
    
    
    The IP address 59.46.98.66 (CN/China/-) was found attacking ftpd on cpus2.server.com  25 times in the last 3600 seconds.
    
    Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.
    
    Abuse Contact for 59.46.98.66: [[email protected]]
    
    The Abuse Contact of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email ([email protected]). Information about the Abuse Contact Database can be found here:
    
    https://abusix.com/global-reporting/abuse-contact-db
    
    abusix.com is neither responsible nor liable for the content or accuracy of this message.
    
  • podsdad Member
    edited November 2015

    Just ban them for infinity using fail2ban or just drop them in iptables with..

    iptables -I INPUT -s the.ip.address -j DROP

    because complaining to them will not get you anywhere at most times

  • That's already done by csf and lfd, why should I do that manually?

    The point is to find an effective way to report attacks.

  • Right, I'd report those bastards too.

    There's this gang of yahoos sending everyone and their grannies spam abuse emails to spamvertise.

    Keep up the fight!

    KeyJey said: The point is to find an effective way to report attacks.

  • Look at fail2ban, and its newest versions, I gave up on this.

    Keyjey, you're into an area that many people would like.

  • podsdad Member
    edited November 2015

    What I have realized is that sometimes justice is never served and as long as our servers are protected by our own security measures then we have nothing to worry about. Yes, though, these attacks will continue every day.

  • Well, that depends.

    It's not something about the "police" ;)

    If all ppl take care of this kind of reports, we shouldn't get 95% of the attacks to our servers, that's what I think.

    I've been a client of OVH some years ago, also when working with Hetzner, and I remember I got reports from ppl reporting my attacks (a typical PHP script in one account). I liked that, coz there was ORDER and an effective way of submitting these attacks.

    I talk about responsibility, and consequences. That's good.
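
Added example (not from any poster in the thread, nor from csf or fail2ban): the abusix footer quoted above says non-working abuse contacts should be reported to the responsible RIR, and this Python code sorts the bounces that come back from automated reports into full, nonexistent and rejecting mailboxes so that list can be built. It assumes the bounces are RFC 3464 delivery status notifications; `classify`, `dead_contacts` and every address and host in the sample are constructed for illustration.

```python
import email

# Illustrative helper names; RFC 3463 status codes that mean a dead mailbox.
REASONS = {"5.1.1": "mailbox does not exist", "5.1.2": "domain does not exist",
           "5.2.1": "mailbox disabled", "5.2.2": "mailbox full"}

# Constructed RFC 3464 bounce template; hosts and addresses are made up.
DSN = """Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; {rcpt}
Action: failed
Status: {status}

--b1--
"""

def classify(raw):
    """Yield (recipient, reason) for each permanently failed recipient."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # one Message per header block
            rcpt = block.get("Final-Recipient")
            code = block.get("Status", "").strip().partition(" ")[0]
            if rcpt is None or not code.startswith("5"):
                continue  # per-message block, or a temporary 4.x.x delay
            addr = rcpt.split(";", 1)[-1].strip().lower()
            yield addr, REASONS.get(code, "rejected (" + code + ")")

def dead_contacts(bounces):
    """Group broken abuse contacts by failure reason."""
    report = {}
    for raw in bounces:
        for addr, reason in classify(raw):
            report.setdefault(reason, set()).add(addr)
    return {reason: sorted(addrs) for reason, addrs in report.items()}

SAMPLES = [DSN.format(rcpt=r, status=s) for r, s in [
    ("abuse@isp-a.example", "5.2.2"), ("Abuse@isp-b.example", "5.1.1"),
    ("abuse@isp-c.example", "4.2.2"), ("abuse@isp-d.example", "5.7.1")]]
```

Temporary failures (4.x.x) are skipped on purpose, since the sending server will retry them and they do not show that the contact is dead.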
