Do you care about WHOIS contact information?

Sandeep Cariapa cariapa at yahoo.com
Wed Jul 29 10:56:24 PDT 2009


Interesting responses...

I run ssh on a non-standard randomly generated port, use phrase authentication AND a private key :-)

Years ago, I left 22 open for a friend to log in, forgot to close it, and about 4 days afterwards found some clown was running spam from my poor server. I contacted the various ISPs he was coming in from but nobody cared.

David, I commend you on your approach though.

Sandeep Cariapa


--- On Tue, 7/28/09, Guy B. Purcell <guy at extragalactic.net> wrote:

> From: Guy B. Purcell <guy at extragalactic.net>
> Subject: Re: Do you care about WHOIS contact information?
> To: "BayLISA" <baylisa at baylisa.org>
> Date: Tuesday, July 28, 2009, 10:39 PM
> 
> On Jul 23, 2009, at 6:32 AM, David Wolfskill wrote:
> 
> [...brute force attack notification automation bits...]
> 
> > Anyhow, I often get auto-responses; I also sometimes get a more personal note of thanks from the other admins (e.g., when they find out that they had a compromised host they didn't know about on their network), so I believe it's a useful exercise in general.
> > 
> > Sometimes, though, my notification message gets bounced -- e.g., with an equivalent of "no such mailbox" for each of the addresses on the recipient list.
> > 
> > Over the years, I've developed an approach for addressing (no pun intended) this situation, but before I explain that, I'd like to do a reality check and ask y'all what you (would) do about it.
> 
> I have a couple thoughts :^)
> 
> If you have things completely automated, you could tweak the system a bit to dump the addresses of those (under your current system) you *would* send a message to into files--one file per day (sort of like 'sar' does), then add a daily cron job that goes through the files for the previous N days & checks for repeat offenders (via some tunable criteria)--and sends messages only to *those* folks (and potentially auto-firewall the host for a while, too). This would likely significantly reduce the number of messages you send, thus the number of bounces you get from them, leaving you more able to deal with those bounces manually.
> 
> Personally, I wish *everyone* had a similar system in place, but that's not likely to happen (*I* certainly don't have one, and don't have the time even to implement one handed to me, much less roll my own at this point; hmm, make a dandy summer project for my kid, though...). Unfortunately, I don't think it's likely to be able to scale as the Internet in general--and the bad guy population in particular--grows in its various ways (number of nodes, power of the nodes, speed of the connections, etc.), much as the spam problem ballooned. Eventually, I think trying to deal with this in a friendly manner will become impossible, much like dealing with spammers has :^(
> 
> I *do* value whois data, BTW, which is why I still have my email address listed for my domains.
> 
> -Guy
> 
> 
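
Added example, not part of the original thread or either poster's system: a sketch of the daily cron job described in the quoted message, which reads one file per day for the previous N days and reports only repeat offenders. The file layout, thresholds, function names and sample data are all assumptions made for illustration.

```python
import datetime as dt
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed layout (not from the thread): <spool>/YYYY-MM-DD.log, one
# "source_ip abuse_contact" line per notification that would have been sent.


def repeat_offenders(spool, today, window=7, min_days=3, min_hits=5):
    """Hosts seen on >= min_days distinct days and >= min_hits times in the window."""
    days_seen, hits, contacts = defaultdict(set), defaultdict(int), defaultdict(set)
    for back in range(1, window + 1):  # previous N days, excluding today
        day = today - dt.timedelta(days=back)
        path = Path(spool) / f"{day.isoformat()}.log"
        if not path.exists():  # a quiet day leaves no file
            continue
        for line in path.read_text().splitlines():
            parts = line.split()
            if len(parts) != 2:  # skip blank or malformed lines
                continue
            ip, contact = parts
            days_seen[ip].add(day)
            hits[ip] += 1
            contacts[ip].add(contact.lower())
    return {ip: sorted(contacts[ip]) for ip in hits
            if len(days_seen[ip]) >= min_days and hits[ip] >= min_hits}


def write_sample_spool(spool, today):
    """Write constructed sample files (documentation-range IPs, example.* contacts)."""
    sample = {
        1: ["192.0.2.10 abuse@example.net"] * 2 + ["198.51.100.7 noc@example.org"] * 9,
        2: ["192.0.2.10 abuse@example.net"] * 2,
        4: ["192.0.2.10 Abuse@example.net", "192.0.2.10 abuse@example.net", "garbage"],
        9: ["203.0.113.5 abuse@example.com"] * 20,  # older than the 7-day window
    }
    for back, lines in sample.items():
        day = today - dt.timedelta(days=back)
        (Path(spool) / f"{day.isoformat()}.log").write_text("\n".join(lines) + "\n")


if __name__ == "__main__":
    today = dt.date(2009, 7, 29)
    with tempfile.TemporaryDirectory() as spool:
        write_sample_spool(spool, today)
        for ip, to in repeat_offenders(spool, today).items():
            print(f"notify {', '.join(to)} about {ip}")
```

With the constructed data, only the host that returns on three separate days is reported; the single-day burst and the host outside the window are held back, which is what cuts the message and bounce volume.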


      


