What to do when mail to a netblock coordinator bounces....

David Wolfskill david at catwhisker.org
Fri Jan 11 08:03:53 PST 2002


Yesterday morning, as I was reviewing the mail from the preceding night,
I noticed that someone tried (once) to contact an SSH server on my
mother's (grandfathered static) DSL installation.  (It happens that there
is an SSH server, but I block access to it from nearly all IP addresses;
I don't see any point in increasing exposure.)

Now, this isn't all that rare an occurrence:  we're all human, and all
make mistakes from time to time (and I fully expect to live long enough
to make a few more).  But there was a moderately-recent exploit re: SSH,
and I expect that there are still some twits with nothing better to do than
try to cause trouble for others.  What got my attention, though, was that
this also happened for my firewall (also a grandfathered static DSL), from
the same IP address.

So... accidents happen, sure, but the coincidence (within a rather short
timeframe) seemed to me to be unlikely to be accidental.

The IP address didn't (reverse-)resolve, so I queried WHOIS re: the
netblock.  Turns out it's a class B, assigned to an academic institution
over in the UK.  So I figured that someone might need a bit more
homework... or that a box on that net had been cracked... or some such
thing -- in any case, that it might be a Good Idea to mention this to
someone who might be in a position to do something arguably constructive
about the situation.  After all, when I have been in such situations
myself, I have appreciated it when someone let me know about such things
(in a civil way, of course).

So I put together a little note, explaining what I had seen, copying the
log entries, pointing out that there was no evidence of damage or actual
intrusion in this case, but that the pattern seemed a tad suspicious.

I got a bounce-o-gram for my trouble.

OK, OK; this isn't all that big a deal, right?  Folks let WHOIS entries
lapse routinely.  And were the present situation something that seemed to
warrant it, I suppose I could try calling (much as I dislike using
telephones).  But this was certainly not an emergency.

As I write this, it occurs to me that I probably should have run a
traceroute, and tried to contact whatever site provides the connectivity
to the class B (OK, OK -- /16) in question.  It turns out that I did
something else... but before I mention it, I'll ask my colleagues on the
list for suggestions.

Thoughts?

Thanks,
david
-- 
David H. Wolfskill				david at catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise,
recommend, or support the use of any product that is or depends on any
Microsoft product for any purpose other than personal amusement.
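An added example, not from the original post: the cross-host check David describes (the same source address touching two separate hosts within a short time), run over constructed sshd-style log lines. Hostnames, addresses, timestamps and the two-hour window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd style (not from the original post).
# Two hosts: the DSL box ("mom-dsl") and the firewall; addresses are documentation ranges.
SAMPLE_LOGS = """\
Jan 10 02:14:07 mom-dsl sshd[2231]: Did not receive identification string from 192.0.2.77
Jan 10 02:31:52 firewall sshd[918]: Did not receive identification string from 192.0.2.77
Jan 10 03:02:11 firewall sshd[921]: Accepted publickey for david from 203.0.113.5 port 40122 ssh2
Jan 10 09:45:30 mom-dsl sshd[2290]: Did not receive identification string from 198.51.100.9
Jan 10 23:58:02 firewall sshd[940]: Did not receive identification string from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<msg>.*?)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse(log_text, year=2002):
    """Return (timestamp, host, source_ip) for each sshd line; syslog has no year, so assume one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["msg"].startswith("Accepted"):
            continue  # skip unparsable lines and successful logins (our own)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["ip"]))
    return events

def correlate(events, window=timedelta(hours=2)):
    """Map each source IP that touched >= 2 distinct hosts within `window` to those hosts."""
    by_ip = defaultdict(list)
    for ts, host, ip in events:
        by_ip[ip].append((ts, host))
    hits = {}
    for ip, seen in by_ip.items():
        seen.sort()
        for i, (t0, h0) in enumerate(seen):
            hosts = {h0}
            for t1, h1 in seen[i + 1:]:
                if t1 - t0 > window:
                    break  # events are sorted, so nothing later fits the window
                hosts.add(h1)
            if len(hosts) >= 2:
                hits[ip] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    print(correlate(parse(SAMPLE_LOGS)))
```

Only the address that probed both hosts inside the window is reported; a single stray connection, or two far apart in time, stays below the threshold.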
