HACKER Q&A
📣 amony

Are Whois Abuse Reports Useful?


Is it worth the time and effort to email the Whois abuse contacts when an IP is probing a web server? I see a lot of probes from IPs assigned to US companies such as Microsoft, Amazon and Google. They fill up my access logs with noise that costs money to store and takes time to deal with.

Is it worth my time to email these abuse contacts and ask them to stop? Should I just ignore it? Should I block the IPs?

Thanks for any advice.


👤 INTPenis Accepted Answer ✓
Yes absolutely. I work in big telco and I can assure you that any decent ISP reads those abuse reports and acts on them.

I have two stories I can only tell on this anonymous account. First as a kid I was nmap scanning carelessly from my boyhood room, trying to learn. Got a letter home a few days later with a warning from my ISP and a little booklet about "netiquette". Class acts in the 90s.

And fast forward to just 8 or so years ago, at my current job: I decided to host, on company servers and IPs, a service that got abuse complaints. My boss asked me if I knew what was running on this VM with this IP and I had to fess up that it was me trying to use free resources.

Both cases stem from an abuse report where the reporter only had the IP to report on.

And actually now that I think about it, running Tor exit nodes at Linode they regularly contacted me due to abuse reports and we had to resolve them together.

So yes abuse emails should work, but of course there will be exceptions.


👤 jamal-kumar
I seem to recall someone I knew who relied on them for sinkholing malware. He'd basically reverse engineer the command and control, write his own version, report the domain (usually some gibberish like kfgrgerrkritptjfnfkdnfffkergb.com), buy it as soon as it went on the market, and then take over the botnet associated with it to disable the thing and report it to affected companies. Pretty sure his company doing this got bought out by Looking Glass. Looking that technique up, it seems Kaspersky did some of this too at one point: https://www.kaspersky.com/about/press-releases/2012_how-kasp...

I'm not entirely sure how effective or relevant this kind of method is these days but I wouldn't be surprised if it was something you could still pull off now.


👤 lormayna
I have worked for an ISP in the past. Most of the abuse reports were automatically generated copyright infringement notices for users running P2P, and we ignored them entirely. Another big share of abuse reports came from "the internet police": pedantic users complaining about receiving a port scan or a malformed HTTP request on their servers. We basically ignored them too.

In any other case, we cared about it. Anyway, at least in Italy, ISPs cannot do much, and responsibility is up to the end user.


👤 bhartzer
There is a big effort right now by one of the working groups at ICANN to review DNS abuse. They're trying to address it because it IS a big problem, even though the latest report says it's going down globally. https://www.icann.org/en/blogs/details/icann-publishes-dns-a...

They are addressing it, though, and I believe there is a place for public comments.


👤 rogual
I gave it a go when I was receiving spam from vodafone.pt.

I forwarded the message with a brief explanation to their abuse address.

The server responded saying "this server does not accept forwarded mail".

I told them about it on Twitter instead.

"Please DM us a screenshot."

A screenshot? That won't do much good. I included the headers too showing the provenance.

"Please forward it to our abuse address".

At this point I just laughed and stopped.


👤 colechristensen
You will never stop the almost zero effort attacks which are usually people scanning the entire internet for their small set of vulnerabilities. Only block or report abuse when an attack becomes persistent (trying to break a password) or if it seems like someone is actually targeting you.
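The "drive-by scan versus persistent attempt" distinction above is easy to automate against an access log. The following is an added example, not code from the thread: it parses combined-format log lines, flags an IP as persistent when it exceeds an illustrative threshold of requests inside a sliding window, and separately flags any known probe path that answered 200, since that is the one case that is worth an investigation rather than a report. The log lines, probe path list and thresholds are constructed assumptions.

```python
"""Triage access-log noise: one-off internet-wide scanning versus persistent or
successful activity. Added example, not from the thread. The log lines, probe
paths and thresholds below are constructed/illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths only a scanner would ask for on a site that does not run these apps (assumption).
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/.env", "/phpmyadmin", "/.git/",
               "/vendor/phpunit", "/cgi-bin/", "/admin/config.php")
# This many requests from one IP inside WINDOW counts as persistent (illustrative).
PERSISTENT_THRESHOLD = 20
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    return any(path.startswith(p) for p in PROBE_PATHS)


def peak_rate(timestamps, window):
    """Largest number of events falling inside any span of length `window`."""
    timestamps = sorted(timestamps)
    peak = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def triage(lines):
    """Map each source IP to one of: "ignore" (drive-by scan), "persistent"
    (sustained attempts worth blocking or reporting) or "successful_probe"
    (a known probe path answered 200, i.e. something on the host responded)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        if any(is_probe(r["path"]) and r["status"] == 200 for r in recs):
            verdicts[ip] = "successful_probe"
        elif peak_rate([r["ts"] for r in recs], WINDOW) >= PERSISTENT_THRESHOLD:
            verdicts[ip] = "persistent"
        else:
            verdicts[ip] = "ignore"
    return verdicts


def sample_log():
    """Constructed lines: a drive-by scanner, a password guesser, and a probe that hit a 200."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, status, method="GET"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0 (scanner)"'

    lines = [line("203.0.113.7", 0, "/.env", 404), line("203.0.113.7", 1, "/wp-login.php", 404)]
    lines += [line("198.51.100.9", 5 * i, "/wp-login.php", 403, "POST") for i in range(30)]
    lines.append(line("192.0.2.44", 2, "/phpmyadmin/", 200))
    return lines


if __name__ == "__main__":
    for ip, verdict in sorted(triage(sample_log()).items()):
        print(f"{ip:16} {verdict}")
```

Only the "persistent" bucket is a candidate for a block or an abuse report; the "ignore" bucket is the internet-wide scanning the comment describes, and "successful_probe" means the host has something listening on a path it should not, which is a local problem no abuse desk will fix for you.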

👤 LinuxBender
Is it worth the time and effort to email the Whois abuse contacts when an IP is probing a web server?

Not likely. Unless there is evidence captured proving someone hacked your machine and did damage, the reports to the domain owner will be ignored or never seen. Reports to the ISP will be ignored. Or worse, they won't be ignored and the ISP just pits you against the compromised server owner, who will be in denial and/or won't know what to do.

I find it best to just set environment variables and ACLs to ignore the attacks. Maybe send them to a dummy page served entirely from RAM or a RAM disk and set logging to /dev/null. I would not even bother blocking them. The C&C nodes will detect that an edge node can't reach you and will just try at some point from another compromised host. I'd just give them a lightweight error served from RAM to reduce disk IO and bandwidth.

If you are bored, something fun to do is make pages that cause the bot to go into recursion loops on your site, with dummy pages that have keywords like "WordPress, cpanel, admin" and that link to each other, etc. A clever error page can do this in a single page but make it look like infinite pages via relative links.

If the probes are to SSH then just use SSH keys and disable password authentication. Let them probe away. If it's really annoying then firewall restrict SSH to your ISP's CIDR blocks to reduce the noise, and/or move SSH to a high port to reduce noise not for security. If that is not enough I can suggest something that will make your SSH invisible to 90%+ of the bots without moving to a high port.


👤 yababa_y
I have received reports via these channels that were extremely helpful. Once, an unconfigured OpenStack instance with default stack/stack password was sitting on a desktop in a corner and plugged into the wrong ethernet port and was publicly routable. It was compromised (possibly automatically) in short order and we only found out about it because of a kind whois abuse report.

👤 prvit
>Is it worth my time to email these abuse contacts and ask them to stop? Should I just ignore it? Should I block the IPs?

Obviously not worth your time, unless your time is worth nothing, because that's exactly what you get in return. You will never receive any benefit whatsoever from emailing those abuse contacts.

You should just ignore it, even blocking the IPs isn't worth the effort.

>They fill up my access logs with noise that costs money to store and takes time to deal with.

If your access logs cost meaningful amounts of money to store, you should address that issue.

Storage costs something like $15 per TB, and you can safely assume around 6 years life expectancy. That's around $2.5 per year per terabyte of logs.

There's no way this abusive traffic is costing you even a dollar in log storage unless you're doing something utterly stupid.


👤 gmuslera
It is not so simple.

I've seen abuse complaints sent to the abuse contacts of the RIRs (which, in the end, are at the top of the chain of "owners" of those IP blocks) or to intermediate owners that lease those ranges or distribute them among their clients. Sending to the wrong targets (especially in an automated way; there are scripts that do that) will end with you getting ignored, and the reports for the IPs that they actually use may get lost in the noise.

And besides that, there are different ways to use those addresses, and the owner of them may not know, or may not have policies to deal with them.

What do you do with residential IPs? Will you block/penalize your users if somehow their connection was used to launch an attack? Even if they are not aware that it happened? Different ISPs in different countries could have different policies.

What about big hosting companies? There are more shades of grey there, especially when those outbound IP addresses could be used by several clients. From entire servers, to vulnerable web applications on shared servers, to dynamically launched workloads with IPs from common pools; it is not trivial.

But it should matter for small enough companies, where that activity was launched by their own administered servers, because of exploited vulnerabilities or rogue employees. Or companies that take some action because of hostile activity by insiders or clients.

Anyway, besides complaining to abuse contacts, you have more ways of taking action. You can block IPs or IP blocks (if connections are coming from an ISP, country or hosting company where you do not expect to get actual users for your service). You can use fail2ban or a WAF to block those IPs as soon as some known attack pattern is detected. Or you can use them to monitor your infrastructure, in the sense that if one of those attempts for a URL gets a 200 status code or something like that, raise an alert.

Also, using RDAP (https://en.wikipedia.org/wiki/Registration_Data_Access_Proto...) should be better than using whois.
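The two practical points in this answer, send the report to the right object rather than the RIR and use RDAP rather than whois, can be combined in one lookup. The following is an added example, not code from the thread: it parses an RDAP "ip network" response (the RFC 9083 JSON that an RDAP server returns for an IP query), walks the nested entity tree for every contact carrying the "abuse" role, extracts the mailbox from the jCard, and flags the case where the object covers a registry-scale block, which is the sign that the report would land at the wrong level. The RDAP document is a constructed, trimmed stand-in; rdap.org is a public bootstrap redirector that forwards to the responsible RIR's server; the prefix-length cut-off is an assumption for IPv4.

```python
"""Find the abuse contact for an IP via RDAP (RFC 9083 JSON) instead of legacy
whois. Added example, not from the thread. SAMPLE_RDAP is a constructed, trimmed
stand-in for a registry's response to an IP query."""
import ipaddress
import json

# Constructed RDAP "ip network" object: a registrant org with a nested abuse
# contact, plus a registry-level abuse/technical contact alongside it.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "NET-203-0-113-0-1",
  "startAddress": "203.0.113.0",
  "endAddress": "203.0.113.255",
  "name": "EXAMPLE-HOSTING-NET",
  "entities": [
    {"objectClassName": "entity", "handle": "EXHOST", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Hosting LLC"],
                              ["email", {}, "text", "noc@hosting.example"]]],
     "entities": [
       {"objectClassName": "entity", "handle": "ABUSE1234-EX", "roles": ["abuse"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Abuse Desk"],
                                 ["email", {}, "text", "abuse@hosting.example"]]]}
     ]},
    {"objectClassName": "entity", "handle": "RIR-ABUSE", "roles": ["abuse", "technical"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Registry hostmaster"],
                              ["email", {}, "text", "hostmaster@rir.example"]]]}
  ]
}
""")


def rdap_url(ip):
    """URL to fetch; the redirector 302s to the RDAP server of the responsible RIR."""
    return f"https://rdap.org/ip/{ipaddress.ip_address(ip)}"


def jcard_emails(vcard_array):
    """Every 'email' property in a jCard: ["vcard", [[name, params, type, value], ...]]."""
    if not vcard_array or len(vcard_array) < 2:
        return []
    return [p[3] for p in vcard_array[1] if len(p) >= 4 and p[0] == "email" and p[3]]


def abuse_contacts(rdap):
    """(handle, email) for every entity with the "abuse" role, including entities
    nested inside other entities, in document order, without duplicates."""
    out, seen = [], set()

    def walk(entities):
        for ent in entities or []:
            if "abuse" in ent.get("roles", []):
                for email in jcard_emails(ent.get("vcardArray")):
                    key = (ent.get("handle", "?"), email)
                    if key not in seen:
                        seen.add(key)
                        out.append(key)
            walk(ent.get("entities"))

    walk(rdap.get("entities"))
    return out


def network_cidrs(rdap):
    """The object's address range as CIDR strings (RDAP gives start/end, not a prefix)."""
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def report_target(rdap, registry_scale_prefix=16):
    """Summarise who a report should go to. A block shorter than
    registry_scale_prefix bits (assumed IPv4 cut-off) is flagged as a likely
    registry- or LIR-level allocation rather than the operator's own assignment."""
    cidrs = network_cidrs(rdap)
    shortest = min(ipaddress.ip_network(c).prefixlen for c in cidrs)
    warning = None
    if shortest < registry_scale_prefix:
        warning = (f"{rdap.get('name', '?')} spans {cidrs}; this looks like a registry-level "
                   "allocation, so the contacts here are probably not the operator's")
    return {"network": rdap.get("name"), "cidrs": cidrs,
            "contacts": abuse_contacts(rdap), "warning": warning}


if __name__ == "__main__":
    print(rdap_url("203.0.113.7"))
    print(json.dumps(report_target(SAMPLE_RDAP), indent=2))
```

The first contact returned is the one nested under the registrant, which is where a report about a hosting customer's machine belongs; the registry-level mailbox comes out second and is the one this answer warns against writing to by default.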


👤 Joel_Mckay
The best response is to rate limit nuisance traffic to 1kbps, and set up fail2ban firewall rules to trip a ban on scans/bot blind probes.

In general, abuse reports are often useful for kicking users from services involved in illegal activities.

If you don't get a response, then black-hole the entire IP blocks and their routes, i.e. play possum, and they will eventually get bored enough to find a softer target. The other users are collateral damage, but if they aren't a customer... then who gives a toss. =)
https://www.youtube.com/watch?v=aCbfMkh940Q

👤 dewey
No, this is equally efficient as spending time on spam mail. Delete, filter, ignore.

> costs money to store and takes time to deal with

Are you storing requests long term? With sampling and a rolling window of history it shouldn't really affect you. I would rather spend my time optimizing that part than dealing with abuse forms.


👤 lbotos
What is "probing"? Are these SSH login attempts? Yes.

Port Scans? Not worth the time.


👤 joshka
YMMV. Anecdotally probably not. Investing time in filtering the noise is likely a better use of your time.

Below is a pro forma response from namesilo.com from when I recently bothered to report an SMS scam for a domain that was registered with them. Their ToS explicitly calls out illegal uses, which this was, but they don't seem to really care enough about it.

===

ToS:

You represent and warrant that the statements in your application are true and that no Services are being procured for any unlawful purpose, including but not limited to the infringement of any intellectual property right, the unauthorized transfer to yourself or any other party of any domain name or Services, or the violation of any laws, rules, or regulations (the "Illegal Uses"). Providing inaccurate information and willful failure to update information within seven (7) days of any change, or failure to respond for over fifteen (15) days to inquiries concerning the accuracy of contact details associated with your registration, failing to immediately update information or engaging in any Illegal Uses will constitute an incurable material breach of this Agreement.

===

Hi,

Thank you for reporting this issue.

Please note we are only the domain name registrar and cannot validate or control the content posted on the site.

If you or your client are the holder of a trademark that you feel is being infringed upon via a domain name registered with us, you are advised to consider a UDRP dispute.

We will comply as required by ICANN rules upon the commencement of a UDRP dispute.

Main UDRP Bodies:

National Arbitration Forum - adrforum.com

World Intellectual Property Organization (WIPO) - wipo.int

Asian Domain Dispute Resolution Centre (ADR) - adndrc.org

Czech Arbitration Court (CAC) - adr.eu

Resolution Canada - resolutioncanada.ca

If you are a copyright holder and believe your rights are being infringed, we recommend you file a DMCA complaint with the hosting provider of the associated web site. https://www.whoishostingthis.com/resources/dmca/

If you want to report a phishing case, please follow these steps. To create a case: 1) Visit new(.)namesilo(.)com/phishing_report(.)php 2) Fill in the domain URL 3) Complete required information and click Continue.

To report SPAM/SCAM please contact the hosting provider: this can be done via the hosting company of the website, which you can look up on this website: https://www.whoishostingthis.com/ Once you know the hosting provider, please look up their company information and contact them with the case.

You can also use the following pages to report the website: Malware: https://safebrowsing.google.com/safebrowsing/report_badware/ Scam and Fraud: https://secure.nclforms.org/nficweb/OnlineComplaintForm.aspx

Whois inaccuracy you may report here: https://forms.icann.org/en/resources/compliance/complaints/w... You may also discuss the case with your local law enforcement officer to seek help.

To limit the number of spam landing in your mailbox please follow these instructions: Check your email account to see if it provides a tool to filter out potential spam or to channel spam into a bulk email folder. You might want to consider these options when you are choosing which Internet Service Provider (ISP) or email service to use.

Limit your exposure. You might decide to use two email addresses one for personal messages and one for shopping, newsletters, chat rooms, coupons and other services. You also might consider using a disposable email address service that forwards messages to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.

Also, try not to display your email address in public. That includes on blog posts, in chat rooms, on social networking sites, or in online membership directories. Spammers use the web to harvest email addresses.

Check privacy policies and uncheck boxes. Check the privacy policy before you submit your email address to a website. See if it allows the company to sell your email to others. You might decide not to submit your email address to websites that will not protect it.

When submitting your email address to a website, look for pre-checked boxes that sign you up for email updates from the company and its partners. Some websites allow you to opt out of receiving these mass emails.

Choose a unique email address. Your choice of email addresses may affect the amount of spam you receive. Spammers send out millions of messages to probable name combinations at large ISPs and email services, hoping to find a valid address. Thus, a common name such as jdoe may get more spam than a more unique name like j26d0e34. Of course, there is a downside: it is harder to remember an unusual email address.

Hackers and spammers troll the internet looking for computers that are not protected by up to date security software. When they find unprotected computers, they try to install hidden software called malware that allows them to control the computers remotely. Many thousands of these computers linked together make up a botnet, a network used by spammers to send millions of emails at once. Millions of home computers are part of botnets. In fact, most spam is sent this way.

Do not let spammers use your computer. You can help reduce the chances that your computer will become part of a botnet. Use good computer security practices and disconnect from the internet when you are away from your computer. Hackers can not get to your computer when it is not connected to the internet. Be cautious about opening any attachments or downloading files from emails you receive. Do not open an email attachment even if it looks like it is from a friend or coworker, unless you are expecting it or you know what it is. If you send an email with an attached file, include a message explaining what it is.

Download free software only from sites you know and trust. It can be appealing to download free software like games, file sharing programs, and customized toolbars. But remember that free software programs may contain malware.

Report Spam to the Federal Trade Commission at spam@uce.gov and at https://www.spamcop.net/anonsignup.shtml

Read more about reporting spam on this page: https://en.wikipedia.org/wiki/Spam_reporting

Hope you find this helpful!

NameSilo Abuse Team 31311545:175916