There are tons of networks out there that will automatically send an email to abuse records in whois
based on fairly braindead criteria. Sadly, this has resulted in abuse contacts being increasingly
useless since large hosting providers get such a flood of garbage that they can't actually look into
it. Even better, most of the networks sending this garbage can't be bothered to respond when you ask
for more information, making it pretty clear they don't actually care about the abuse they're
supposedly notifying you of.
Over the years I've started routing any abuse emails from networks who don't bother to respond to
requests for further info to /dev/null. It has basically removed all the garbage and leaves an abuse
contact that can actually handle real abuse reports.
Matt
On 11/4/24 8:01 PM, Pierre Bourdon wrote:
Hi nanog,
Some of you might have seen
https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last
week (it was also sent here in reply to someone who received abuse
complaints from their ISP).
The TL;DR is that some previously unknown company with a fancy looking
domain name has started noticing the background noise on the internet
and is sending automated abuse complaints to any owner of a source IP
sending a SYN packet to port 22 on their network. They're not doing
any filtering to try to prevent spoofed source addresses, and at this
point there's plenty of evidence that they are seeing mostly spoofed
src IPs, then sending abuse reports to a completely uninvolved owner
of the IP.
I've recently been in communication with that company. They sent me an
email trying to get "advice" from me about how to not send abuse
complaints to the whole internet, while ignoring the obvious answer of
"don't mass send automated abuse complaints based on no evidence of
abuse and no evidence of who sent you traffic". They're also making
wild claims in their email to me, like, I quote, seeing "1.3 billion
attacks logged in the past 24 hours". They're saying that they act on
data sources like "we query the VirusTotal API for the source IP and
it shows us it's infected with malware".
If you're a NOC or someone handling abuse complaints for an ISP or a
hosting provider, this is my plea to you: please send abuse reports
from "watchdogcyberdefense.com" to your spam box until they understand
1. that a TCP SYN packet is spoofable; 2. that they're harming the
internet through reducing trust in abuse complaints by sending so many
false positives.
I've myself had interactions with both Hetzner's and Linode's abuse
teams; both of them have been top notch and understood what they're
likely dealing with, but having to explain to every single ISP what's
going on while sitting in the equivalent of an interrogation room
threatened with a service suspension isn't a very comfortable
situation.
Thank you in advance,
Best,
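The point both messages turn on is that a bare inbound SYN is not evidence of who sent it, because the source address can be forged; a completed three-way handshake, in which our SYN/ACK is answered, is far stronger evidence. The following is an added example (not code from either poster or from any company named above) of how an abuse-report pipeline can require that evidence before it treats a source as reportable. The log format, the addresses and the events are all constructed for illustration.

```python
"""Filter connection-log events before generating abuse reports.

A bare inbound SYN proves nothing about the real sender: the source address
can be forged. A completed handshake (our SYN/ACK answered by an ACK from the
same source to the same dst:port) requires the sender to actually receive our
reply, so only those flows are treated as reportable here.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in a simplified "epoch src dst:port flags" form; not real traffic.
SAMPLE_LOG = """\
1730745600 203.0.113.7 198.51.100.10:22 SYN
1730745600 203.0.113.7 198.51.100.10:22 ACK
1730745601 192.0.2.44 198.51.100.10:22 SYN
1730745602 192.0.2.44 198.51.100.10:22 SYN
1730745603 192.0.2.99 198.51.100.10:22 ACK
1730745604 203.0.113.8 198.51.100.10:22 SYN
"""

def parse_events(text):
    """Yield (src, dst, port, flags) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[2]:
            continue
        dst, port = parts[2].rsplit(":", 1)
        try:
            yield str(ip_address(parts[1])), str(ip_address(dst)), int(port), parts[3].upper()
        except ValueError:
            continue  # unparsable address or port: ignore the line

def classify_flows(events):
    """Return {src: {"syn_only": n, "established": n}}.

    A flow counts as established only when a SYN from src is later followed by
    an ACK from the same src to the same dst:port. Bare SYNs, and ACKs with no
    preceding SYN (stray segments or ACK probes), never count as established.
    """
    pending = set()
    stats = defaultdict(lambda: {"syn_only": 0, "established": 0})
    for src, dst, port, flags in events:
        key = (src, dst, port)
        if flags == "SYN":
            pending.add(key)
            stats[src]["syn_only"] += 1
        elif flags == "ACK" and key in pending:
            pending.discard(key)
            stats[src]["syn_only"] -= 1
            stats[src]["established"] += 1
    return dict(stats)

def reportable_sources(text, min_established=1):
    """Sources worth an abuse report: at least min_established completed handshakes."""
    stats = classify_flows(parse_events(text))
    return sorted(s for s, c in stats.items() if c["established"] >= min_established)
```

On the constructed sample only 203.0.113.7 completed a handshake; the repeated SYNs from 192.0.2.44 and the stray ACK from 192.0.2.99 are left out of the report queue.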