Following the proper process to report Internet abuse is very important if you want to be taken seriously. As you are hopefully aware, abuse is rampant on the Internet, and it is often out of the reach of local authorities. This page documents the steps you would take to report abuse, from a spam message to a common DoS attack.
In your email client, find the "View Headers" option and look at the full headers of the spam. They will look something like this:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from dmccapital.com (188.8.131.52.exetel.com.au [184.108.40.206])
        by proksie.yashy.com (Postfix) with SMTP id C76635C50
        for <[email protected]>; Mon, 27 Feb 2006 19:24:12 -0500 (EST)
Message-ID: <[email protected]>
Reply-To: "Thelonius Span" <[email protected]>
From: "Thelonius Span" <[email protected]>
To: [email protected]
Subject: fi ll news
Date: Mon, 27 Feb 2006 19:24:50 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C63BD3.7A784B40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
The header that identifies the culprit is the "Received:" line that your own mail server added. Every server that handles a message prepends its own "Received:" header, so the one added by your server is the topmost one, and it is the only one you can trust: any "Received:" lines below it were already inside the message when it arrived and could have been forged by the spammer. In this case there is only one.
Received: from dmccapital.com (220.127.116.11.exetel.com.au [18.104.22.168])
Postfix writes this as "from HELO-name (reverse-DNS [IP])". The first name (dmccapital.com) is whatever the sending machine claimed in its HELO command and is entirely under the spammer's control, so ignore it. The reverse DNS name was looked up by your own server and is usually right, but it is the IP address in square brackets that you really want to investigate, because that is the address that actually connected to you.
$ host 22.214.171.124
126.96.36.199.in-addr.arpa domain name pointer 188.8.131.52.exetel.com.au.
So the reverse DNS agrees with the header. Next you need the abuse contact of whoever is responsible for that address. A whois query on the IP address shows the owner of the netblock and often lists an abuse contact directly; alternatively, a traceroute to the address will show the upstream provider, which is usually the hop before the last one. Send the report to abuse@ of the responsible domain. In this case that domain is exetel.com.au, although I will also email [email protected], as I cannot be sure that the spammer does not own the exetel subdomain.
Now that I have done my homework, I forward the spam to both abuse addresses, making sure that the full email headers are included. Do not expect a personalized reply; as you can imagine, system administrators are often very busy handling such complaints.
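The header analysis above can be scripted. The following Python is an added example and not part of the original page: it parses a constructed set of headers (documentation addresses, not the spam shown above), picks out the "Received:" line that our own MTA wrote, splits it into HELO name, reverse DNS and connecting IP, and proposes abuse@ mailboxes from the reverse-DNS name. The MTA name mx.victim.example, the hostnames and the addresses in the sample are assumptions made for the example; the sample also carries a forged second "Received:" line to show why only the topmost one counts.

```python
"""Parse a spam's Received: headers: trust only the line our own MTA added."""
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample (documentation addresses, not the spam from the page).
# The top Received: was written by our MTA (mx.victim.example, an assumed name)
# and records the IP that really connected to us. The Received: below it
# arrived inside the message and is forged to point at an innocent server.
SAMPLE_HEADERS = """\
Return-Path: <tspan@dmccapital.example>
Received: from dmccapital.example (203-0-113-45.dsl.exampleisp.net.au [203.0.113.45])
\tby mx.victim.example (Postfix) with SMTP id C76635C50
\tfor <victim@victim.example>; Mon, 27 Feb 2006 19:24:12 -0500 (EST)
Received: from mail.innocent.example (mail.innocent.example [198.51.100.7])
\tby dmccapital.example with ESMTP id 42; Mon, 27 Feb 2006 19:20:00 -0500
From: "Thelonius Span" <tspan@dmccapital.example>
To: victim@victim.example
Subject: fi ll news

"""

# Postfix/Sendmail style: "from HELO (reverse-dns [ip]) by receiving-host ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                      # name the client claimed in HELO/EHLO (spammer-controlled)
    r"\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"         # reverse DNS looked up by the receiving MTA (may be absent/"unknown")
    r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)"   # the connecting IP as seen by the receiving MTA
    r"\s+by\s+(?P<by>\S+)"                       # the MTA that wrote this header
)


def parse_received(header):
    """Split one Received: header into helo, rdns, ip (ipaddress object) and by."""
    m = RECEIVED_RE.search(" ".join(header.split()))   # unfold continuation lines
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    return rec


def connecting_host(raw_headers, our_mta):
    """Return the first Received: written by our_mta, walking top to bottom.

    Each MTA prepends its Received: line, so the first one naming our server
    is the last hop before us and the only one we did not take on trust.
    Lines below it may have been forged by the sender.
    """
    msg = HeaderParser().parsestr(raw_headers)
    for hdr in msg.get_all("Received", []):
        rec = parse_received(hdr)
        if rec and rec["by"].lower() == our_mta.lower():
            return rec
    return None   # our MTA's line is missing: wrong name, or headers were truncated


def abuse_candidates(rec):
    """abuse@ mailboxes derived from the reverse DNS of the connecting IP.

    Drops the host label and proposes abuse@ for every remaining suffix of at
    least two labels. The caller should discard registry suffixes such as
    net.au and confirm the netblock owner with whois on rec["ip"].
    """
    rdns = (rec.get("rdns") or "").rstrip(".")
    if not rdns or rdns.lower() == "unknown":
        return []                                # no PTR record: fall back to whois on the IP
    labels = rdns.split(".")[1:]
    return ["abuse@" + ".".join(labels[i:]) for i in range(len(labels) - 1)]


if __name__ == "__main__":
    rec = connecting_host(SAMPLE_HEADERS, "mx.victim.example")
    print("HELO (ignore):", rec["helo"])
    print("reverse DNS:  ", rec["rdns"])
    print("connecting IP:", rec["ip"])
    print("try:", ", ".join(abuse_candidates(rec)))
```

Run it against the raw headers of a real message by replacing SAMPLE_HEADERS with the header block your client shows and our_mta with the hostname your own server writes after "by". The forged lower line in the sample resolves to 198.51.100.7; the script never reports it because no line written by mx.victim.example points there.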
If someone is attacking you with a DoS, or any other malicious activity worth reporting, you will need three items.
1. Logs with the IP address of the attacker. Log as much as you can with a sniffer such as tcpdump. Also check your open ports and established connections, as a compromised host will often have been joined to an IRC channel for remote control. Here is an lsof log example showing exactly that:
# lsof | grep irc
portmap 73690 mailman 9u IPv4 0xd5cc6540 0t0 TCP home.machine.com:4662->remote.attacker.example.com:ircd (ESTABLISHED)
portmap 73690 mailman 10u IPv4 0xd5d91400 0t0 TCP home.machine.com:4663->remote.attacker.example.com:ircd (ESTABLISHED)
2. The email address of the responsible abuse department. Luckily for us, abuse@ is the standard mailbox name for reporting abuse (RFC 2142), so we only have to determine the proper domain name. A whois query on the attacker's IP address shows the owner of the netblock and often lists an abuse contact; failing that, the domain of the second-to-last hop in a traceroute is usually the upstream provider. In this example we remove the hostname (remote) and contact both the owner of the subdomain (attacker.example.com) and the abuse department of the parent domain: abuse@attacker.example.com and abuse@example.com are who we will contact.
3. The email. This is the most important part if you want your email to be acknowledged, read and acted upon. A few hints:
   1. Gather as much evidence as appropriate. You don't want to email a 20M tcpdump log unless it is asked for, but you do want to include at least a snippet of logs showing the IP of the attacker.
   2. Look professional. Do all the research you can beforehand. If any part of this wiki page doesn't make sense to you, follow the links so you fully understand the text. Follow proper email etiquette. Summarize all of your research in a single email: you do not want an email that has no evidence of an attack, but you also don't want 10 emails, each with a little more information as you do your research.
To: abuse@attacker.example.com
Cc: abuse@example.com

Dear sirs,

I have recently been attacked by a host which I believe to be on your network. I believe the attacker has remotely compromised my mailman application. The machine in question is remote.attacker.example.com, as you can see from the log below. If you require further logs or information, feel free to contact me.

Thanks in advance,

--
Sean Jones
System Administrator
home.lan

# lsof | grep irc
portmap 73690 mailman 9u IPv4 0xd5cc6540 0t0 TCP home.lan:4662->remote.attacker.example.com:ircd (ESTABLISHED)
portmap 73690 mailman 10u IPv4 0xd5d91400 0t0 TCP home.lan:4663->remote.attacker.example.com:ircd (ESTABLISHED)
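As an added example that is not part of the original page, the following Python pulls the IRC-looking connections out of constructed "lsof -i" output in the format shown above and drafts the single, evidence-bearing report the page recommends. The abuse addresses are passed in by the caller, since they come out of the whois/traceroute step rather than the log; the sample lsof lines are constructed, and the process names, hosts and the reporter details are assumptions taken from the example above.

```python
"""Extract IRC-looking connections from lsof -i output and draft the abuse report."""
import re
from email.message import EmailMessage

# Constructed `lsof -i` output (not the log from the page). A portmap/rpcbind
# process has no business holding outbound IRC sessions; that pattern is the
# classic sign of a compromised daemon joined to a botnet control channel.
SAMPLE_LSOF = """\
COMMAND   PID    USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd     1022    root    3u  IPv4 0xd5cc1000      0t0  TCP *:ssh (LISTEN)
portmap 73690 mailman    9u  IPv4 0xd5cc6540      0t0  TCP home.lan:4662->remote.attacker.example.com:ircd (ESTABLISHED)
portmap 73690 mailman   10u  IPv4 0xd5d91400      0t0  TCP home.lan:4663->remote.attacker.example.com:ircd (ESTABLISHED)
httpd    2201     www    5u  IPv4 0xd5d92000      0t0  TCP home.lan:http->203.0.113.9:51234 (ESTABLISHED)
"""

# Service names lsof prints for IRC, plus the usual numeric ports when -P is used.
IRC_PORTS = {"ircd", "irc", "ircs", "6697"} | {str(p) for p in range(6660, 6670)}

# NAME column for a TCP connection: "lhost:lport->rhost:rport (STATE)".
# Hostnames/IPv4 only; bracketed IPv6 literals would need a wider pattern.
NAME_RE = re.compile(
    r"^(?P<lhost>[^\s:]+):(?P<lport>.+?)->(?P<rhost>[^\s:]+):(?P<rport>\S+)\s+\((?P<state>\w+)\)$"
)


def parse_lsof(output):
    """Yield one dict per connected TCP socket in `lsof -i` output."""
    for line in output.splitlines()[1:]:          # skip the column header
        fields = line.split(None, 8)              # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if len(fields) < 9:
            continue
        m = NAME_RE.match(fields[8])
        if not m:
            continue                              # listeners and UDP sockets have no "->"
        yield {"command": fields[0], "pid": fields[1], "user": fields[2], "raw": line, **m.groupdict()}


def find_irc_connections(output):
    """Established connections to an IRC port: the lines worth quoting as evidence."""
    return [c for c in parse_lsof(output)
            if c["rport"] in IRC_PORTS and c["state"] == "ESTABLISHED"]


def draft_report(connections, to_addr, cc_addrs, reporter_name, reporter_host):
    """Build the one self-contained report: summary first, evidence second, offer of more last.

    to_addr/cc_addrs are the abuse@ mailboxes settled on after whois/traceroute.
    Refuses to produce a report with no evidence, since an empty complaint is ignored.
    """
    if not connections:
        raise ValueError("no log lines: gather evidence before reporting")
    hosts = sorted({c["rhost"] for c in connections})
    procs = sorted({f"{c['command']}[{c['pid']}] as {c['user']}" for c in connections})
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Cc"] = ", ".join(cc_addrs)
    msg["Subject"] = f"Abuse report: {', '.join(hosts)} controlling a compromised process on {reporter_host}"
    body = [
        "Dear abuse team,",
        "",
        f"A host on your network, {', '.join(hosts)}, is holding IRC control sessions to a process",
        f"on my machine {reporter_host} that should never make outbound IRC connections ({', '.join(procs)}).",
        "I believe that process has been remotely compromised. Evidence from `lsof -i` on my host:",
        "",
        *(c["raw"] for c in connections),
        "",
        "Full packet captures are available on request.",
        "",
        f"{reporter_name}",
        f"System Administrator, {reporter_host}",
    ]
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    evidence = find_irc_connections(SAMPLE_LSOF)
    report = draft_report(evidence, "abuse@attacker.example.com", ["abuse@example.com"],
                          "Sean Jones", "home.lan")
    print(report)
```

The draft keeps only the lsof lines that show the attacker, not the full capture, matching the advice above about evidence volume; the httpd connection in the sample is an ordinary web client and is left out of the report.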