Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails. This is why folks don't have abuse contacts that are responsive to real issues anymore.
Matt

On 4/28/20 11:57 AM, Mike Hammett wrote:
> I noticed over the weekend that a Fail2Ban instance's complain function wasn't working. I fixed it. I've noticed a few things:
>
> 1) Abusix likes to return RIR abuse contact information. The vast majority are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I look up the compromised IP address in Abusix via the CLI, the APNIC and ARIN ones return both ISP contact information and RIR information. When I look them up on the RIR's whois, it just shows the ISP abuse information. Weird, but so rare it's probably just an anomaly. However, almost everything I see in LACNIC's region is returned with only the LACNIC abuse information when the ones I've checked on LACNIC's whois list valid abuse information for that prefix. Can anyone confirm they've seen similar behavior out of Abusix? I reached out to them, but haven't heard back.
> 2) Digital Ocean hits my radar far more than any other entity.
> 3) Azure shows up a lot less than GCP or AWS, which are about similar to each other.
> 4) Around 5% respond saying it's been addressed (or why it's not in the event of security researchers) within a couple hours. The rest I don't know. I've had a mix of small and large entities in that response.
> 5) HostGator seems to have an autoresponder (due to a 1 minute response) that just indicates that you sent nothing actionable, despite the report including the relevant log file entries.
> 6) Charter seems to have someone actually looking at it as it took them 16 - 17 hours to respond, but they say they don't have enough information to act on, requesting relevant log file entries... which were provided in the initial report and are even included in their response. They request relevant log file entries with the date, time, timezone, etc. all in the body in plain text, which was delivered.
> 7) The LACNIC region has about 1/3 of my reports.
>
> Do these mirror others' observations with security issues and how abuse desks respond?
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com

