Re: Attacks from poneytelecom.eu
Mickael,
1) As others have mentioned, your AS seemingly has a history of tolerating abuse. I know some of the other VPS players such as DO have automated scripts that look for attacks and lock them out. I see you peer with them; perhaps they can share some scripts ;)
2) I went to the abuse URL you have posted and it just lands at your main page.
The offending IP was 195.154.182.242. I checked two different boxes (one in our own range and another a hosted box elsewhere) and both have entries in the last 3 days from that IP. Scans have been going on for at least the last 48+ hours.
On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand <mmarchand@corp.free.fr> wrote:
Hi Dovid,
Just fill in our abuse form at https://abuse. <https://abuse.scaleway> online.net
I know people feel these are not processed, but they actually are (and human reviewed). We are improving our automated tracking of bad guys; the more reports come in, the easier it is in the end.
Note that most IPs you report are rented per minute and it's usually not the same account (but often the same IP, as they are reused quickly, I agree). We are working on killing these accounts as fast as we can.
We have a long-awaited overhaul of our abuse system coming in the next months and additional global-scale network security in the pipe (automated SIP scan detection and blocking is among them, for example).
Regards, Mik
On 3 Jan 2018 at 04:11, Ahad Aboss <ahad@swiftelnetworks.com> wrote:
Have you emailed their abuse or NOC teams with the attack logs from their IPs?
Sometimes ISP servers or their customer CPEs are compromised without their knowledge.
On Wed, 3 Jan 2018 at 1:56 pm, Dovid Bender <dovid@telecurve.com> wrote:
Hi All,
Lately we have seen a lot of attacks from IPs where the PTR record ends in poneytelecom.eu to PBX systems. A quick search on Twitter (https://twitter.com/hashtag/poneytelecom) shows multiple people complaining that they reported the IPs yet nothing happens. Has anyone had the pleasure of dealing with them and have you gotten anywhere? I wonder if the only option is public shaming.
I would rather not ban their AS as it may hurt legit traffic, but I am out of ideas at this point....
TIA.
Dovid
-- Mickael Marchand, VP Network Scaleway - Online.net Looking for an amazing job? Join us NOW ! https://careers.scaleway.com/
On Wed, 3 Jan 2018, Dovid Bender wrote:
On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand <mmarchand@corp.free.fr> wrote:
Hi Dovid,
Just fill in our abuse form at https://abuse. <https://abuse.scaleway> online.net
I have no idea why anyone thinks it is acceptable to require victims to fill out online web forms. -Dan
On Wed, Jan 3, 2018 at 10:57 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Wed, 3 Jan 2018, Dovid Bender wrote:
On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand <mmarchand@corp.free.fr> wrote:
Hi Dovid,
Just fill in our abuse form at https://abuse. <https://abuse.scaleway> online.net
I have no idea why anyone thinks it is acceptable to require victims to fill out online web forms.
Because the number of people who successfully provide actionable information without being prompted is vanishingly small and the number of people who fire off automated complaints to the best guess abuse address (also without actionable information) is disappointingly large?
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
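Dovid's point (entries from one source IP across several boxes over 48+ hours) and Bill's point (a report is only useful if it carries actionable information) both come down to the same defender-side chore: turning PBX log noise into a report an abuse desk can act on. The script below is an added example, not code from this thread or from Scaleway/Online.net. It assumes a Asterisk-style security log (the event names InvalidAccountID, ChallengeResponseFailed, InvalidPassword and FailedACL are the ones Asterisk emits; the sample lines themselves, the TEST-NET addresses and the PTR table are constructed so it runs offline), aggregates failed SIP authentications per remote IP with UTC timestamps, drops sources below a failure threshold so a single user typo never becomes a complaint, and lets you narrow the result to sources whose reverse DNS ends in a given provider suffix, which is the generalisation of the PTR observation in the opening post.

```python
"""Summarise SIP authentication failures per source IP into an abuse report.

Added example, not code from the NANOG thread or any provider's tooling.
Log lines are constructed, loosely modelled on Asterisk's res_security_log
output; the event names are the ones Asterisk emits, everything else here
(addresses, account IDs, PTR names) is illustrative.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Asterisk security-event names that indicate a failed authentication.
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed",
                  "InvalidPassword", "FailedACL"}

# Constructed sample log (TEST-NET addresses, not real hosts).
SAMPLE_LOG = """\
[2018-01-03 04:11:02] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-01-03T04:11:02.000+0000",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5062"
[2018-01-03 04:11:03] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-01-03T04:11:03.000+0000",Severity="Error",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5062"
[2018-01-03 04:11:05] SECURITY[2201] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2018-01-03T04:11:05.000+0000",Severity="Error",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5062"
[2018-01-04 22:40:17] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-01-04T22:40:17.000+0000",Severity="Error",Service="SIP",AccountID="9999",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5062"
[2018-01-04 22:41:00] SECURITY[2201] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-01-04T22:41:00.000+0000",Severity="Informational",Service="SIP",AccountID="2001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
"""

# Constructed reverse-DNS table; in practice fill it from PTR lookups.
SAMPLE_PTR = {"198.51.100.23": "198-51-100-23.rev.poneytelecom.eu"}

_KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class SourceSummary:
    ip: str
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    events: Counter = field(default_factory=Counter)
    accounts: set = field(default_factory=set)
    targets: set = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Return the key="value" fields of one security-event line, or None."""
    if "SecurityEvent=" not in line:
        return None
    fields = dict(_KV.findall(line))
    # EventTV carries an explicit offset, so the timestamp is unambiguous;
    # normalise to UTC because that is what an abuse desk can act on.
    fields["when"] = datetime.strptime(
        fields["EventTV"], "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    # Address fields look like IPV4/UDP/198.51.100.23/5062
    fields["remote_ip"] = fields["RemoteAddress"].split("/")[2]
    fields["local_ip"] = fields["LocalAddress"].split("/")[2]
    return fields


def summarise(log_text: str, min_failures: int = 3) -> dict[str, SourceSummary]:
    """Aggregate failed SIP auth attempts per remote IP.

    Successful logins are ignored and sources below min_failures are dropped,
    so a legitimate user mistyping a password never turns into a complaint.
    """
    by_ip: dict[str, SourceSummary] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["SecurityEvent"] not in FAILURE_EVENTS:
            continue
        s = by_ip.setdefault(ev["remote_ip"], SourceSummary(ev["remote_ip"]))
        s.count += 1
        s.events[ev["SecurityEvent"]] += 1
        s.accounts.add(ev.get("AccountID", "?"))
        s.targets.add(ev["local_ip"])
        s.first_seen = ev["when"] if s.first_seen is None else min(s.first_seen, ev["when"])
        s.last_seen = ev["when"] if s.last_seen is None else max(s.last_seen, ev["when"])
    return {ip: s for ip, s in by_ip.items() if s.count >= min_failures}


def filter_by_ptr(summaries: dict[str, SourceSummary], ptr_map: dict[str, str],
                  suffix: str) -> dict[str, SourceSummary]:
    """Keep only sources whose (pre-resolved) PTR name ends in suffix.

    Sources with no PTR entry are excluded rather than guessed at.
    """
    return {ip: s for ip, s in summaries.items()
            if ptr_map.get(ip, "").lower().endswith(suffix.lower())}


def render_report(s: SourceSummary, ptr: str = "") -> str:
    """Produce the fields an abuse desk needs: who, whom, when (UTC), what."""
    hours = (s.last_seen - s.first_seen).total_seconds() / 3600
    return "\n".join([
        f"Source IP: {s.ip}" + (f" ({ptr})" if ptr else ""),
        f"Target(s): {', '.join(sorted(s.targets))} (SIP/5060)",
        f"Window (UTC): {s.first_seen:%Y-%m-%d %H:%M:%S} to "
        f"{s.last_seen:%Y-%m-%d %H:%M:%S} ({hours:.1f} h)",
        f"{s.count} failed SIP auth attempts against {len(s.accounts)} distinct account IDs",
        "Event breakdown: " + ", ".join(f"{k}={v}" for k, v in sorted(s.events.items())),
    ])


if __name__ == "__main__":
    hits = filter_by_ptr(summarise(SAMPLE_LOG), SAMPLE_PTR, ".poneytelecom.eu")
    for ip, summary in hits.items():
        print(render_report(summary, SAMPLE_PTR[ip]), end="\n\n")
```

Run it against a real security log by replacing SAMPLE_LOG with the file contents and SAMPLE_PTR with the results of your own reverse lookups; the threshold and the provider suffix are the two knobs to tune before the output goes into an abuse form.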
In their defense, I was pleasantly surprised that I got a response back from them telling me the account was banned. Though it makes me wonder if this is just them trying to save face. I have spoken with the guys that run DO's network and they have an extensive amount of automation to weed out spammers, attackers etc. It makes you wonder why for years they are known in the spammer community as a safe haven. On Thu, Jan 4, 2018 at 9:33 AM, William Herrin <bill@herrin.us> wrote:
On Wed, Jan 3, 2018 at 10:57 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Wed, 3 Jan 2018, Dovid Bender wrote:
On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand <mmarchand@corp.free.fr> wrote:
Hi Dovid,
Just fill in our abuse form at https://abuse. <https://abuse.scaleway> online.net
I have no idea why anyone thinks it is acceptable to require victims to fill out online web forms.
Because the number of people who successfully provide actionable information without being prompted is vanishingly small and the number of people who fire off automated complaints to the best guess abuse address (also without actionable information) is disappointingly large?
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
I may have to take back what I said. Yes, the attacks stopped from that IP, but they magically started again from another IP of theirs in a different range. Seems like the attacker picked up where they left off just from a new IP. Almost as if they told the attacker they got complaints and they would need to just simply switch their IP to keep them as a customer...... On Thu, Jan 4, 2018 at 9:42 AM, Dovid Bender <dovid@telecurve.com> wrote:
In their defense, I was pleasantly surprised that I got a response back from them telling me the account was banned. Though it makes me wonder if this is just them trying to save face. I have spoken with the guys that run DO's network and they have an extensive amount of automation to weed out spammers, attackers etc. It makes you wonder why for years they are known in the spammer community as a safe haven.
On Thu, Jan 4, 2018 at 9:33 AM, William Herrin <bill@herrin.us> wrote:
On Wed, Jan 3, 2018 at 10:57 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Wed, 3 Jan 2018, Dovid Bender wrote:
On Wed, Jan 3, 2018 at 2:47 AM, Mickael Marchand <mmarchand@corp.free.fr> wrote:
Hi Dovid,
Just fill in our abuse form at https://abuse. <https://abuse.scaleway> online.net
I have no idea why anyone thinks it is acceptable to require victims to fill out online web forms.
Because the number of people who successfully provide actionable information without being prompted is vanishingly small and the number of people who fire off automated complaints to the best guess abuse address (also without actionable information) is disappointingly large?
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
On 01/05/2018 11:38 AM, Dovid Bender wrote:
I may have to take back what I said. Yes, the attacks stopped from that IP, but they magically started again from another IP of theirs in a different range. Seems like the attacker picked up where they left off just from a new IP. Almost as if they told the attacker they got complaints and they would need to just simply switch their IP to keep them as a customer......
Back when I joined a Web hosting company after the freelance-writing market collapsed, I was astonished to learn that the usual response to an abuse complaint was to move the customer to a new IP address. And the owner of the company wondered why his entire netblock was in SORBS.
So, I took over the abuse desk. Closed four accounts out of several thousand. And, lo and behold, I got the company out of SORBS. ("You've got to be kidding me! And in only six weeks!" -- NANAE contributor.) Not only did my $DAYJOB stop being a spam source, I was able to do some things about the inflow to my customers as well.
Then there was the subpoena from the IRS, the cease-and-desist order from a major watch company, and other fun stuff. Oh, and the court order brought in by the Nevada Gaming Commission...and the hapless "expert"* they brought in to do the forensic capture of the disk image. An expert who knew NOTHING about Unix, let alone Linux.
Fun times, indeed. I revel in my dull, dull professional life now. Lift a glass, make a toast, sing a ditty.
* X is a mathematical quantity denoting the unknown. "Spurt" is a drip of water under pressure. So an X-Spurt is an unknown drip under pressure.
On Thu, Jan 04, 2018 at 09:33:51AM -0500, William Herrin wrote:
Because the number of people who successfully provide actionable information without being prompted is vanishingly small and the number of people who fire off automated complaints to the best guess abuse address (also without actionable information) is disappointingly large?
Not a valid excuse. (1) It is a trivial matter for any "abuse desk" worthy of the title to priority-sort incoming traffic. (2) An excellent way for operations to reduce the volume of such complaints is to reduce the volume of the abuse they emit/support. ---rsk
On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
The very real problem with direct contact info is that people latch onto it. Then, if there's another issue the person will bypass your form submission, send a direct e-mail - which would then not be dealt with if that particular person wasn't working, for reasons ranging from vacation to no longer being with the provider in an abuse desk role. Been there, done that. Been out of the country and offline for 36 hours, reconnect and there's a user with a problem that would have been dealt with 36 hours earlier if they had sent it to our help desk instead of to me directly.
I've never dealt with a support queue that resolved the issue faster than a direct contact. On 4 January 2018 at 09:12, <valdis.kletnieks@vt.edu> wrote:
On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
The very real problem with direct contact info is that people latch onto it. Then, if there's another issue the person will bypass your form submission, send a direct e-mail - which would then not be dealt with if that particular person wasn't working, for reasons ranging from vacation to no longer being with the provider in an abuse desk role.
Been there, done that. Been out of the country and offline for 36 hours, reconnect and there's a user with a problem that would have been dealt with 36 hours earlier if they had sent it to our help desk instead of to me directly.
On Thu, 04 Jan 2018 09:48:24 -0700, Michael Crapse said:
I've never dealt with a support queue that resolved the issue faster than a direct contact.
Which would the user prefer - a guaranteed 15 minute response time from the queue, or 10 minute from a direct contact, unless it's an hour because they're in a meeting, or the next day because they're out sick, or 2 weeks because they're on vacation? Bonus points for recognizing there's a confirmation bias effect here - people will remember the 2 week response time more than they'll remember the 5 minutes faster the rest of the time. Hint: How many "I haven't heard back in a week" do we see here and on the mailop list, and how many "Congrats to so-n-so who fixed my problem in 5 minutes flat?"
On 1/4/2018 12:36 PM, valdis.kletnieks@vt.edu wrote:
On Thu, 04 Jan 2018 09:48:24 -0700, Michael Crapse said:
I've never dealt with a support queue that resolved the issue faster than a direct contact.
Which would the user prefer - a guaranteed 15 minute response time from the queue, or 10 minute from a direct contact, unless it's an hour because they're in a meeting, or the next day because they're out sick, or 2 weeks because they're on vacation?
Bonus points for recognizing there's a confirmation bias effect here - people will remember the 2 week response time more than they'll remember the 5 minutes faster the rest of the time.
Hint: How many "I haven't heard back in a week" do we see here and on the mailop list, and how many "Congrats to so-n-so who fixed my problem in 5 minutes flat?"
Also, unless the requester already has a close relationship with someone in that department at the company they are contacting - it is sort of offensive to contact them without FIRST filling out the form and allotting a reasonable time for a response. Then, if filling out the form didn't work as fast as expected - THEN it might be appropriate to contact someone directly to help escalate the form submission. That is the RIGHT way to do these things. The opposite of this produces insufficiency, miscommunication, legal entanglements (if things didn't get handled properly), lost audit-trails/metrics etc. Some larger companies FORBID their employees from doing such direct help that is entirely outside their regular support system. -- Rob McEwen
On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse <michael@wi-fiber.io> wrote:
I've never dealt with a support queue that resolved the issue faster than a direct contact.
I've never dealt with a support queue that's more competent than the last direct contact I talked with. Navigating the support queue to the guy competent to deal with my problem is one of the more infuriating things about big company support. -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Thu, 4 Jan 2018, William Herrin wrote:
On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse <michael@wi-fiber.io> wrote:
I've never dealt with a support queue that resolved the issue faster than a direct contact.
I've never dealt with a support queue that's more competent than the last direct contact I talked with. Navigating the support queue to the guy competent to deal with my problem is one of the more infuriating things about big company support.
it does get kind of old when you have to argue with first tier support on how to read smtp headers. or that an IP address registered to them in ARIN actually belongs to them. people reach out to nanog because first tier support is clueless and completely ineffective. when the first tier incompetence stops, the direct contacts will stop too. -Dan
On Thu, Jan 4, 2018 at 4:02 PM, Dan Hollis <goemon@sasami.anime.net> wrote:
On Thu, 4 Jan 2018, William Herrin wrote:
On Thu, Jan 4, 2018 at 11:48 AM, Michael Crapse <michael@wi-fiber.io> wrote:
I've never dealt with a support queue that resolved the issue faster than a direct contact.
I've never dealt with a support queue that's more competent than the last direct contact I talked with. Navigating the support queue to the guy competent to deal with my problem is one of the more infuriating things about big company support.
it does get kind of old when you have to argue with first tier support on how to read smtp headers. or that an IP address registered to them in ARIN actually belongs to them.
Those are the good ones. The bad ones are when the the support tech wanders down the script without understanding you at all. "Your email server at 1.2.3.4 gave me the following error message when my server at 6.7.8.9 tried to pass email to bob@yourcompany.com from joe@mycompany.com at 13:54:06 UTC." "Reboot your computer. Then please take this survey to let me know how I did." -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
On 01/04/2018 01:02 PM, Dan Hollis wrote:
when the first tier incompetence stops, the direct contacts will stop too.
But, but, but...when the first tier support person gets the training to not be incompetent, he is promoted to the second tier and the vacuum is filled with another incompetent first-tier person. So, by definition, the first tier of support will only be able to answer questions "from the book". Anything more complex than what's in "the book" is bumped to the second tier...where the problem is above the second-tier pay grade and it gets bumped further up the chain. It's a variation of the Peter Principle: ex-incompetents will rise up the promotion ladder.
It's classic Max Weber's formal description of bureaucracy, in the good sense, ca 1900-1920 as an administrative/management structure. You try to set up the local office (call it first-tier) so they can answer about 90% of all questions. The other 10% are kicked up to the regional (call it 2nd tier) who one hopes can answer 90% of those questions, and so on. Or as I used to say as an academic: If you (students) have any questions about majoring etc please don't hesitate to ask me. If I don't know the answer we can go to the dept head and ask again. If the dept head doesn't know the answer we can all go to the dean who, if s/he does not know the answer, will no doubt make one up on the spot! On January 4, 2018 at 15:34 list@satchell.net (Stephen Satchell) wrote:
On 01/04/2018 01:02 PM, Dan Hollis wrote:
when the first tier incompetence stops, the direct contacts will stop too.
But, but, but...when the first tier support person gets the training to not be incompetent, he is promoted to the second tier and the vacuum is filled with another incompetent first-tier person.
So, by definition, the first tier of support will only be able to answer questions "from the book". Anything more complex than what's in "the book" is bumped to the second tier...where the problem is above the second-tier pay grade and it gets bumped further up the chain.
It's a variation of the Peter Principle: ex-incompetents will rise up the promotion ladder.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Fri, Jan 5, 2018, at 00:34, Stephen Satchell wrote:
On 01/04/2018 01:02 PM, Dan Hollis wrote:
when the first tier incompetence stops, the direct contacts will stop too.
But, but, but...when the first tier support person gets the training to not be incompetent, he is promoted to the second tier and the vacuum is filled with another incompetent first-tier person.
So, by definition, the first tier of support will only be able to answer questions "from the book". Anything more complex than what's in "the book" is bumped to the second tier...where the problem is above the second-tier pay grade and it gets bumped further up the chain.
Yes and no. You need to have a good "script" for the first-level support, and then you need to have people that understand what they are trying to do: take the information from the requester, do minimal (ideally script-defined) checks, run it through the script, then either fix (and confirm that it's fixed) or escalate.
For smaller business structures, you may seriously loosen the script and go as far as requiring that people answering the phone or treating the support queue have an understanding of everything that the company does and how it does it. This does not scale. You cannot expect this for companies with more than (10s of) thousands of customers. You cannot expect to only have technically competent people handle 100s or 1000s of tickets per day.
Then you compare this with contacting directly someone that only receives a few requests a week because he/she is usually doing something else. That's obviously more effective as long as:
- the person in question is still in a position to help or at least to escalate/forward properly
- the person in question is still willing to help
- the person in question is not flooded with requests impacting his/her normal duties, in which case the willingness to help may decrease to zero (or even make sure that a direct contact is counter-productive).
Particularly for abuse management, things are a little more complex. Arbitration needs to be done between what you (the requestor) think is abuse, what the provider thinks about it, what the customer thinks about it, what the law says and what the contract/T&C/AUP says about it (and about how to deal with it). This may take time, involve non-technical persons and may not give the expected outcome even when dealt with by a good-faith service provider.
On Thu, 4 Jan 2018, valdis.kletnieks@vt.edu wrote:
On Thu, 04 Jan 2018 09:33:51 -0500, William Herrin said:
Why anyone thinks it's acceptable for the form submission to vanish into the faceless support queue is more of a quandary. The form submission should provide a case number, the individual to whom it is assigned, direct contact information for that individual and a promise that your report will receive a response.
The very real problem with direct contact info is that people latch onto it. Then, if there's another issue the person will bypass your form submission, send a direct e-mail - which would then not be dealt with if that particular person wasn't working, for reasons ranging from vacation to no longer being with the provider in an abuse desk role.
Been there, done that. Been out of the country and offline for 36 hours, reconnect and there's a user with a problem that would have been dealt with 36 hours earlier if they had sent it to our help desk instead of to me directly.
They use your direct contact info because your help desk isn't responsive. They go where they get results. No results from help desk = direct contact to you. -Dan
On Thu, 04 Jan 2018 12:58:48 -0800, Dan Hollis said:
On Thu, 4 Jan 2018, valdis.kletnieks@vt.edu wrote:
Been there, done that. Been out of the country and offline for 36 hours, reconnect and there's a user with a problem that would have been dealt with 36 hours earlier if they had sent it to our help desk instead of to me directly.
They use your direct contact info because your help desk isn't responsive.
Not really - because a big chunk of the time, I end up opening a ticket with the help desk in their behalf, because I wasn't even the person who was actually responsible for fixing their problem (I do infrastructure, not user services). They just splat out a mail to a name they recognize because I've been here almost 3 decades now. Why they think I can help with a NetApp CIFS permission issue just because they remember I fixed their SGI system in the late 90s is beyond me... Plus, I know for a fact that if they called our help desk, they'd probably have a ticket open and called back by somebody faster than I would reply, because the help desk's SLA is measured in "reply in hours", while mine is "within 2 business days" for non-system-down situations. Hell, took me 4 hours to respond to your mail. :)
participants (10)
- bzs@theworld.com
- Dan Hollis
- Dovid Bender
- Michael Crapse
- Radu-Adrian Feurdean
- Rich Kulawiec
- Rob McEwen
- Stephen Satchell
- valdis.kletnieks@vt.edu
- William Herrin