Dealing with abuse complaints to non-existent contacts

charles at thefnf.org
Mon Aug 11 17:48:34 UTC 2014


On 2014-08-10 10:19, Gabriel Marais wrote:
> Hi Nanog
> 
> I'm curious.
> 
> I have been receiving some major ssh brute-force attacks coming from random
> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
> the e-mail addresses obtained from a whois query on one of the IP Addresses.

Did they have a dedicated abuse e-mail? Did you receive an automated 
confirmation (which generally means the communication went into some 
sort of ticket queue as opposed to 
$random_employee_mailbox_who_has_moved_on)?

How did you format the e-mail? What information did you provide?

(Folks here, what do you look for in an abuse complaint to take it 
seriously?) I imagine many here have template/ticket systems for abuse 
communications? What info do you ask for in those communications?

> 
> My e-mail bounced back from both recipients. One being rejected by filter
> and the other because the e-mail address doesn't exist. I would have
> thought that contact details are rather important to be up to date, or not?

Yes. For operators who actually care about running their networks and 
being good citizens. At least that's my opinion.

> 
> Besides just blocking the IP range on my firewall, I was wondering what
> others would do in this case?
> 


Well of course fail2ban is always good.

My personal preference is to only expose HTTPS/SMTPS/IMAPS to the world. 
Zero management traffic on the front channel. SSH is only possible once 
you have connected to the VPN (which is running on 443 on another IP and 
is accessible without any firewall restrictions).
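As an added illustration (not code from either poster) of the two points raised above, what an abuse desk wants to see in a complaint and what a fail2ban-style threshold keys on, the script below parses constructed sshd log lines, counts failed logins per source, collapses the quoted 116.8.0.0 - 116.11.255.255 range to a CIDR prefix for a firewall rule, and renders a plain-text complaint with timestamps, timezone, usernames tried and the raw evidence lines. The log lines, host name "gw", the reporter address and the assumption that sshd listens on port 22 are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format, which omits the year).
SAMPLE_LOG = """\
Aug 10 08:01:02 gw sshd[1201]: Failed password for root from 116.9.14.7 port 51234 ssh2
Aug 10 08:01:04 gw sshd[1201]: Failed password for root from 116.9.14.7 port 51236 ssh2
Aug 10 08:01:05 gw sshd[1203]: Failed password for invalid user admin from 116.9.14.7 port 51240 ssh2
Aug 10 08:01:09 gw sshd[1205]: Failed password for invalid user test from 116.10.2.200 port 40001 ssh2
Aug 10 08:02:00 gw sshd[1210]: Accepted publickey for ops from 10.8.0.5 port 33000 ssh2
Aug 10 08:02:30 gw sshd[1211]: Failed password for root from 203.0.113.9 port 22222 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")

# The range quoted in the thread, collapsed to CIDR prefixes for a firewall rule.
RANGE = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("116.8.0.0"), ipaddress.IPv4Address("116.11.255.255")))

def parse_failures(log_text):
    """Return one dict per failed-password line; other sshd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                           "port": int(m["port"]), "line": line})
    return events

def offenders(events, threshold=3):
    """Source IPs with at least `threshold` failures (the count a fail2ban jail keys on)."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def in_range(ip):
    """True if the source falls inside the range quoted in the thread."""
    return any(ipaddress.IPv4Address(ip) in net for net in RANGE)

def abuse_report(events, ip, reporter="noc@example.net", year=2014):
    """Plain-text complaint: who is reporting, when (with timezone), what, and evidence."""
    mine = [e for e in events if e["ip"] == ip]
    lines = [f"Reporter: {reporter}",
             f"Source IP: {ip}  ({len(mine)} failed SSH logins, destination port 22)",  # port 22 assumed
             f"Timestamps: syslog on host gw, year {year}, all times UTC",
             "Usernames tried: " + ", ".join(sorted({e["user"] for e in mine})),
             "Log excerpt:"]
    lines += ["  " + e["line"] for e in mine]
    return "\n".join(lines)
```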
