Bizarre (.bz) abuse report - are we alone?
OK, we're pretty vigilant about policing abusers on our network. This just showed up from "no-reply@abuse.bz". Please see my responses inline. Mail origin IP is from an ISP in the Netherlands. Some information redacted to protect the guilty. Is this type of thing typical these days and we're just lucky so far and behind the curve on the futility of trying to take action on reports of network abuse?

-------- Original Message --------
Subject: Re: Illegal activity from 207.71.241.252
Date: Sun, 26 Aug 2012 19:13:39 -0700
From: Jay Hennigan <jay@west.net>
To: [redacted]
CC: [redacted]

Sent to RIPE WHOIS contacts for mail origin IP [redacted].

On 8/25/12 3:29 PM, no-reply@abuse.bz wrote:
We have noticed illegal activity from [redacted] aimed at one of our servers. Please disable these brute force attempts, port scans and/or neighbour scanning technologies.
If you are not sure how to, please use Google to find more information about the SPT/DPT (source/destination port). Alternatively, consult with your system administrator, forums, communities and any other sources of help.
PLEASE NOTE: We have replaced our own IP with 127.0.0.1 for privacy and security purposes. The destination IP address does not matter because you should solve your exploits properly instead of nullrouting our IP. With the exact time, IP address, source port and destination port you have plenty of information to address this issue. Our IP address is not mentioned anywhere and there are no DNS records pointed to it - hence we know your IP address is being abusive.
This report isn't particularly helpful. In fact, it in itself is somewhat abusive of our time. First, I had to dig through the headers of the email to find a (hopefully) deliverable address to which I could respond. Second, these logs seem to be two attempts to visit a website within a very short period of time. Two tries each on TCP 80 and TCP 443. Hardly what most reasonable people would call a brute force attempt, port scan, etc. No typical exploit ports, no brute force hammering, just an attempt to connect to a web server, retried once for 80 and 443. Do you think it would be reasonable for us to query our customer and ask if someone there might have fat-fingered a web address on one of 70+ workstations yesterday, or that someone at any of tens of thousands of nameservers worldwide has fat-fingered the A record of some random website?

This report appears to be robot-generated, and deliberately designed to make it difficult for a human to reply, being sent from a write-only mailbox. By masking the destination IP of a web request, you make it rather difficult to track it down in the event that it is indeed abusive in the first place. NOC personnel and resources are a finite resource. You appear to be robo-sending abuse reports that are:

1. Sent from a write-only mailbox
2. Containing logs deliberately modified to prevent tracking the abuse
3. Depicting activity that doesn't appear to be abusive

Already, abuse departments at ISPs are generally shorthanded. This type of thing is even more likely to cause legitimate reports to be ignored. If you feel that this warrants further attention, please respond with a message that is:

1. Sent by a human being.
2. Has a deliverable reply address.
3. Demonstrates activity that indeed constitutes abuse.
4. Contains logs of the abuse sufficient for us to take action against our customer (such as the IP address being abused, or at least the subnet).
Here are our raw firewall logs, limited to 100 lines with timezone Central European Time. There is also a timestamp since epoch (UNIX time).

==
[2012-08-25 01:01:30 CET] [Timestamp: 1345849290] [11883637.767804] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=[redacted] DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=64182 DF PROTO=TCP SPT=56463 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:31 CET] [Timestamp: 1345849292] [11883639.265682] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=[redacted] DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=44605 DF PROTO=TCP SPT=57003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:38 CET] [Timestamp: 1345849299] [11883646.105990] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=[redacted] DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=39054 DF PROTO=TCP SPT=33537 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:38 CET] [Timestamp: 1345849299] [11883646.411775] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=[redacted] DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=37931 DF PROTO=TCP SPT=33645 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
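The triage Jay does by hand above (four SYNs, two ports, a few seconds apart is a retried web visit, not a scan) can be automated for netfilter LOG lines of the format quoted in the report. This is an added example, not code from the thread or from any of its participants; it embeds the report's four log lines with the redacted source replaced by a documentation-range placeholder, and the thresholds (10 distinct ports or 20 hits on one port within 60 s) are assumptions a reader would tune to their own abuse desk.

```python
import re
from collections import defaultdict

# The four log lines from the report above, with the redacted source address
# replaced by the documentation-range placeholder 192.0.2.10 (constructed).
REPORT_LOG = """\
[2012-08-25 01:01:30 CET] [Timestamp: 1345849290] [11883637.767804] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=64182 DF PROTO=TCP SPT=56463 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:31 CET] [Timestamp: 1345849292] [11883639.265682] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=44605 DF PROTO=TCP SPT=57003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:38 CET] [Timestamp: 1345849299] [11883646.105990] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=39054 DF PROTO=TCP SPT=33537 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
[2012-08-25 01:01:38 CET] [Timestamp: 1345849299] [11883646.411775] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=37931 DF PROTO=TCP SPT=33645 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TS_RE = re.compile(r"\[Timestamp: (\d+)\]")   # epoch seconds the reporter added
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # netfilter KEY=value pairs


def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None if it is not one."""
    m = TS_RE.search(line)
    if not m or "Firewall:" not in line:
        return None
    kv = dict(KV_RE.findall(line))
    if not kv.get("SRC") or not kv.get("DPT"):
        return None
    return {"ts": int(m.group(1)), "src": kv["SRC"], "dst": kv.get("DST", ""),
            "proto": kv.get("PROTO"), "dpt": int(kv["DPT"]),
            "syn": " SYN " in line}          # bare flag token, not KEY=value


def triage(text, scan_ports=10, brute_hits=20, window=60):
    """Per source address: 'port_scan', 'brute_force' or 'retry_or_benign'.

    Thresholds are assumed defaults, not values from the thread.
    """
    per_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        span = recs[-1]["ts"] - recs[0]["ts"]
        ports = {r["dpt"] for r in recs}
        hits_per_port = max(sum(1 for r in recs if r["dpt"] == p) for p in ports)
        if len(ports) >= scan_ports and span <= window:
            verdict = "port_scan"
        elif hits_per_port >= brute_hits and span <= window:
            verdict = "brute_force"
        else:
            verdict = "retry_or_benign"
        verdicts[src] = {"verdict": verdict, "attempts": len(recs),
                         "ports": sorted(ports), "span_s": span,
                         # DST=127.0.0.1 means the reporter masked the target
                         "dst_masked": {r["dst"] for r in recs} == {"127.0.0.1"}}
    return verdicts
```

Running `triage(REPORT_LOG)` on the report's own lines yields `retry_or_benign` with a masked destination, which is exactly the "not actionable" case the reply above describes.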
This is almost certainly sent by some idiot hand reporting spam / desktop firewall alerts, with a fake address because he thinks everybody out there is a spammer. Lossless compression of your abuse queue is possible when you just delete those, or procmail them out when they get too regular.

--srs

On Mon, Aug 27, 2012 at 8:05 AM, Jay Hennigan <jay@west.net> wrote:
OK, we're pretty vigilant about policing abusers on our network. This just showed up from "no-reply@abuse.bz". Please see my responses inline. Mail origin IP is from an ISP in the Netherlands. Some information redacted to protect the guilty.
Is this type of thing typical these days and we're just lucky so far and behind the curve on the futility of trying to take action on reports of network abuse?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Send that nonsense to /dev/null

-- Gino

On 8/26/12 7:55 PM, Suresh Ramasubramanian wrote:
This is almost certainly sent by some idiot hand reporting spam / desktop firewall alerts, with a fake address because he thinks everybody out there is a spammer.
Lossless compression of your abuse queue is possible when you just delete those, or procmail them out when they get too regular.
--srs
On Mon, Aug 27, 2012 at 8:05 AM, Jay Hennigan <jay@west.net> wrote:
OK, we're pretty vigilant about policing abusers on our network. This just showed up from "no-reply@abuse.bz". Please see my responses inline. Mail origin IP is from an ISP in the Netherlands. Some information redacted to protect the guilty.
Is this type of thing typical these days and we're just lucky so far and behind the curve on the futility of trying to take action on reports of network abuse?
On 8/26/12 7:55 PM, Suresh Ramasubramanian wrote:
This is almost certainly sent by some idiot hand reporting spam / desktop firewall alerts, with a fake address because he thinks everybody out there is a spammer.
I would agree except abuse.bz indeed is a real domain and also the apparent source of the email. They may be some sort of amplification/referral service for idiot desktop firewall alerts but they have no web presence and Google turns up very little.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
On Mon, Aug 27, 2012 at 8:36 AM, Jay Hennigan <jay@west.net> wrote:
I would agree except abuse.bz indeed is a real domain and also the apparent source of the email.
They may be some sort of amplification/referral service for idiot desktop firewall alerts but they have no web presence and Google turns up very little.
Registered to "Musti Aslan" of snel internet services bv. Looks like a small colo shop, and googling "Musti Aslan" turns up a twitter handle etc.

Tech-ID:SISB19-EPNIC
Tech-Name:Musti Aslan
Tech-Organisation:Snel Internet Services B.V.
Tech-Street:Piet Heinstraat 7
Tech-City:Schiedam
Tech-Postal-Code:3115JC
Tech-Country:NL
Tech-Phone:+31.882088077
Tech-FAX:+31.882088089
Tech-Email:domains@snelis.com

-- Suresh Ramasubramanian (ops.lists@gmail.com)
Sending an automated message over e-mail without a working reply address in the From: field and SMTP sender address is a type of spam, and you might choose to report it as such. That is, the "report" itself is abuse, because no mechanism is provided to reply to a person who sent the message. Domain/IP contacts are contacts to be reached by humans, not "dumping addresses" for automatic message robots that cannot handle replies and coordinate to resolve issues.

If the message had a valid return path, then it may make sense to reply with a message that states you require the destination IP address that was supposedly attacked before your investigation starts. If they have bona fide abuse to report, then they should be cooperative in providing sufficient details to efficiently locate records of that abuse. It would be understandable if any efforts to locate alleged abuse based on such limited information were limited, or deferred, until the reporter could provide sufficient details to properly identify the abuse in the future via monitoring, or by extracting logs for traffic to the reported destination addresses.

Those are my thoughts on the matter.

Regards,
--
-JH

On 8/26/12, Jay Hennigan <jay@west.net> wrote:
OK, we're pretty vigilant about policing abusers on our network. This just showed up from "no-reply@abuse.bz". Please see my responses inline. Mail origin IP is from an ISP in the Netherlands. Some information redacted to protect the guilty.
Is this type of thing typical these days and we're just lucky so far and behind the curve on the futility of trying to take action on reports of network abuse?
Suresh is right, this is a GWF/GWL. Normal people send abuse reports with actionable data and a working return address for replies and questions. If I got one of those I would be torn between writing back and saying "If you want a real response, send a real report" and just blackholing his IP since there is clearly no chance that any useful traffic will come from it.

R's,
John
On Mon, Aug 27, 2012 at 9:15 AM, John Levine <johnl@iecc.com> wrote:
If I got one of those I would be torn between writing back and saying "If you want a real response, send a real report" and just blackholing his IP since there is clearly no chance that any useful traffic will come from it.
Given that he uses a junk and non-repliable address he doesn't want a reply. #2 sounds like a viable plan - or maybe just procmail that out of your abuse queue.

-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, 26 Aug 2012 19:35:54 -0700, Jay Hennigan said:
On 8/25/12 3:29 PM, no-reply@abuse.bz wrote:
We have noticed illegal activity from [redacted] aimed at one of our servers. Please disable these brute force attempts, port scans and/or neighbour scanning technologies.
I haven't seen something this clue-challenged since the CIRT for one of the US military branches sent me an e-mail about network probes. Turned out that it was our Listserv machine, trying to send to the IP address that was listed as an MX for one of their subdomains, and said IP didn't have anything listening at port 25.