How do you handle client contact for network abuse/malware complaints etc.?

Mark Radabaugh mark at
Thu Mar 2 02:45:12 UTC 2006

Nicole Harrington wrote:

>As a sort of addendum to the thread of "Quarantine your infected users spreading
>malware" I am curious how others handle contact to the users/clients for network
>security incidents.
>The question I have is: When someone reports an incident to you about
>one of your clients (a user or server owner) possibly being infected, having
>an owned box being used for hacking into other servers or being used to spread
>malware, how much information do you send/forward on to that user/client to
>support your case.
>Is it normal practice to simply forward on unaltered logs sent in by those
>complaining or do you sanitize them a bit to protect the people notifying you?
>Do you even send them at all at first or do you simply inform them that a
>complaint has been received.
>In short, how much information do you pass on to support yourself and when.
>Thanks
>Nicole Harrington

All depends on the client and if I think the abuse is intentional or not.

If the user knows what he/she is doing and I don't think they are being
malicious then I will send them everything.

If I think they are doing it on purpose I send enough to prove my case
and tell them to knock it off -  before I knock it off for them (or
after - depends on how much damage they are causing).

If they don't have a clue then sending them a bunch of information they
won't understand is pointless.  We either help them clean up the mess or
refer them to someone who can.

Mark Radabaugh
