Do you care about WHOIS contact information?

Fri Jul 24 13:38:08 PDT 2009

David Wolfskill wrote:
> Under normal circumstances, I'm in the habit of perusing certain
> logfiles on my home network (which I admit isn't "Large") every
> morning, looking for certain forms of anomalous activity.
>
> One of those forms that has proved fairly common over the years is
> a sequence of attempts to login via my SSH server.
>
> While I'm aware of strategies such as port-shifting and the like,
> I don't do that.  For one thing, it complicates my life more than
> necessary; for another, my SSH server is actually one of the
> better-protected services, as I only permit public key authentication
> via SSH.
>
> So if the stupid perps want to wear themselves out & advertise their
> activities by banging their heads against my SSH server, well,
> that's just fine by me.
>
> Of course, that doesn't stop me from noticing -- or reporting --
> their activities.
>
> This is all the more so because I have my packet filter configured
> to log all 22/TCP SYN packets; the SSH server already logs all
> attempts to connect to it.
>
> So when I notice a burst of activity, I do a WHOIS query and provide
> the allegedly responsible party for the netblock in question an
> appropriate excerpt from each of the logfiles in question, together
> with a slightly-customized (for the occasion) bit of boilerplate
> text explaining why I'm writing and what the significance of certain
> bits of the logfile extracts is, concluding with an offer to provide
> additional information on request.  The whole thing is deliberately
> phrased to be non-confrontational and non-accusatory -- e.g., it
> starts with:
>
> | Below, please find log entries corresponding to several unauthorized
> | attempts to access my SSH server.  I have no reason to believe that
> | any of my systems were harmed or compromised, but the activity was
> | certainly not welcome, and I'm notifying you of it in case the
> | information helps a current or future investigation you may make.
>
> Fundamentally, I believe there is much value in treating others as
> I'd like to be treated.  And if stuff like that originated from a
> network for which I have responsiblity, I'd really like to know.
>
> Anyhow, I often get auto-responses; I also sometimes get a more
> personal note of thanks from the other admins (e.g., when they find
> out that they had a compromised host they didn't know about on their
> network), so I believe it's a useful exercise in general.
>
> Sometimes, though, my notification message gets bounced -- e.g.,
> with an equivalent of "no such mailbox" for each of the addresses
> on the recipient list.
>
> Over the years, I've developed an approach for addressing (no pun
> intended) this situation, but before I explain that, I'd like to
> do a reality check and ask y'all what you (would) do about it.
>
> :-)
>
> Peace,
> david
>   
Hi David. 
Short answer.. Give up unless its really consistent or bad.  Easier to 
just firewall them.

 I tried doing that for awhile. I too would get an occasional, "thanks" 
But more often I got bounced emails (people using bad email addresses to 
avoid spam),  replies asking how is this any of my business, telling me 
thanks we already know (but not that they have done anything about it), 
and even a few threats saying a lawyer would be contacting me for 
sending them obviously false information.  I found it just to amazing 
how many people wanted to stick their fingers in their ears, blame 
someone else, blame me, or just not care. So I gave up on doing it.   
Too much work for too little gain.

 More power to you, as I would want to know.  But I often found it a 
true example of how no good deed goes unpunished.

 As for the bounces, so many people have learned that 99.9% of the time 
they will only get spam at the address listed for their domains, they 
list fake ones or it is rarely if ever checked. Not to mention how many 
sites are setup on a shared host someplace, managed by some contactor, 
and all emails listed in whois goes to some corporate dweeb who still 
thinks it's a bunch of tubes.

  Nicole