There are tons of networks out there that will automatically send an email to abuse records in whois based on fairly braindead criteria. Sadly, this has resulted in abuse contacts being increasingly useless since large hosting providers get such a flood of garbage that they can't actually look into it. Even better, most of the networks sending this garbage can't be bothered to respond when you ask for more information, making it pretty clear they don't actually care about the abuse they're supposedly notifying you of. Over the years I've started routing any abuse emails from networks who don't bother to respond to requests for further info to /dev/null. It has basically removed all the garbage and leaves an abuse contact that can actually handle real abuse reports.

Matt

On 11/4/24 8:01 PM, Pierre Bourdon wrote:
Hi nanog,
Some of you might have seen https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last week (it was also sent here in reply to someone who received abuse complaints from their ISP).
The TL;DR is that some previously unknown company with a fancy looking domain name has started noticing the background noise on the internet and is sending automated abuse complaints to any owner of a source IP sending a SYN packet to port 22 on their network. They're not doing any filtering to try to prevent spoofed source addresses, and at this point there's plenty of evidence that they are seeing mostly spoofed src IPs, then sending abuse reports to a completely uninvolved owner of the IP.
I've recently been in communication with that company. They sent me an email trying to get "advice" from me about how to not send abuse complaints to the whole internet, while ignoring the obvious answer of "don't mass send automated abuse complaints based on no evidence of abuse and no evidence of who sent you traffic". They're also making wild claims in their email to me, like, I quote, seeing "1.3 billion attacks logged in the past 24 hours". They're saying that they act on data sources like "we query the VirusTotal API for the source IP and it shows us it's infected with malware".
If you're a NOC or someone handling abuse complaints for an ISP or a hosting provider, this is my plea to you: please send abuse reports from "watchdogcyberdefense.com" to your spam box until they understand 1. that a TCP SYN packet is spoofable; 2. that they're harming the internet through reducing trust in abuse complaints by sending so many false positives.
I've myself had interactions with both Hetzner and Linode's abuse team, both of them have been top notch and understood what they're likely dealing with, but having to explain to every single ISP what's going on while sitting in the equivalent of an interrogation room threatened with a service suspension isn't a very comfortable situation.
Thank you in advance, Best,
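The two triage rules this thread describes, Matt's routing of reports from reporters that never answer follow-up requests to /dev/null and Pierre's point that a bare TCP SYN proves nothing about its source address, as an added example that is not code from either poster. The reporter domains, IP addresses and report texts are constructed; the non-responsive list is a placeholder for the per-network record an abuse desk would keep.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Reporters that ignored earlier requests for more information. Constructed
# placeholder domain; in practice this is the per-network list Matt describes.
NON_RESPONSIVE_REPORTERS = {"bulk-reports.example"}

# Evidence that the reported IP really completed a session: a forged source
# address never sees the SYN/ACK, so it cannot finish the handshake or send a
# payload. A bare SYN carries no such proof.
HANDSHAKE_EVIDENCE = re.compile(
    r"(established|completed (the )?handshake|login (attempt|failure)s?|"
    r"http request|payload|ssh-2\.0)", re.IGNORECASE)
SYN_ONLY_EVIDENCE = re.compile(r"\b(syn|port ?scan)\b", re.IGNORECASE)

def triage(raw_report: str) -> str:
    """Classify one abuse email as 'discard', 'unverifiable' or 'investigate'."""
    msg = message_from_string(raw_report)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in NON_RESPONSIVE_REPORTERS:
        return "discard"        # Matt's rule: reporter never answers, route to /dev/null
    body = msg.get_payload() or ""
    if HANDSHAKE_EVIDENCE.search(body):
        return "investigate"    # source IP demonstrably completed a session
    if SYN_ONLY_EVIDENCE.search(body):
        return "unverifiable"   # SYN-only: reply asking for non-spoofable evidence
    return "investigate"        # unrecognised format: leave it to a human

# Constructed sample reports (documentation addresses and reserved domains).
SYN_ONLY_REPORT = """\
From: sensor@scanner.example
Subject: Abuse report for 192.0.2.10

Our sensor logged a TCP SYN from 192.0.2.10 to 198.51.100.7 port 22.
"""
SESSION_REPORT = """\
From: soc@victim.example
Subject: SSH brute force from 192.0.2.10

192.0.2.10 completed the handshake on port 22, sent SSH-2.0-libssh,
and produced 14 login failures for root in two minutes.
"""
NON_RESPONSIVE_REPORT = """\
From: noreply@bulk-reports.example
Subject: Attack detected

192.0.2.10 established a connection to our honeypot.
"""
```

A SYN-only report is not proof that the listed address sent anything, so the "unverifiable" outcome is a request for better evidence rather than a verdict on the customer.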