What to send, how to send it, where to send it — and what not to send or do.
Personal firewall pitfalls
- When setting up an access list, you will often start by denying and logging all incoming traffic. However, this does not mean that you should report everything you find in your logs.
- Abuse desks do not exist in order to teach basic IP networking. If you are confused, contact your local technical support people instead, or search the web for information.
- Do not report an alert generated by a personal firewall unless you understand what the traffic in question is, and why you should consider it hostile.
- Do not report “intrusion attempts” from your provider’s routers, or their DHCP, DNS, mail, WWW etc. servers. As you use those services, it is normal for them to send traffic back your way.
- If you do not have a firewall, or if the one you have is outdated, please visit our shop.
A few other caveats
- If your complaint refers to abuse on the network rather than abuse of the network, consider contacting some other party instead of (or in addition to) the ISP. For example, report copyright violations to the relevant copyright enforcement association, and report crime to the police.
- If unsolicited promotional email is illegal in your jurisdiction, and someone within that jurisdiction sends you some, please report the matter to the police so that the sender may be prosecuted instead of just mole-whacked into using another provider.
- Think twice, and then twice more, before reporting personal disputes, such as disagreements regarding:
  - politics, taste, opinion etc. — common carrier ISPs are not content censors
  - IRC channel operator status — if “your” channel was taken from you, either
    - the IRC network does not support channel ownership, so the channel was not yours in the first place, or
    - you are experiencing problems with the network’s registration system (not an abuse issue)
- Never try to fight abuse with abuse, e.g. by “mail bombing” an ISP, or you may find your account suspended.
Remember that these addresses are special
IPv4
- 0.0.0.0 – 0.255.255.255: “this” network
- 10.0.0.0 – 10.255.255.255: private
- 127.0.0.0 – 127.255.255.255: loopback
- 169.254.0.0 – 169.254.255.255: link local
- 172.16.0.0 – 172.31.255.255: private
- 192.0.0.0 – 192.0.0.255: protocol assignments
- 192.0.2.0 – 192.0.2.255: documentation
- 192.88.99.0 – 192.88.99.255: 6to4 relay anycast
- 192.168.0.0 – 192.168.255.255: private
- 198.51.100.0 – 198.51.100.255: documentation
- 198.18.0.0 – 198.19.255.255: benchmark tests
- 203.0.113.0 – 203.0.113.255: documentation
- 224.0.0.0 – 239.255.255.255: multicast
- 240.0.0.0 – 255.255.255.255: broadcast and future use
IPv6
- ::/0: default unicast route
- ::/128: unspecified address
- ::1/128: loopback
- ::ffff:0:0/96: IPv4-mapped
- ::<ipv4-address>/96: IPv4-compatible
- 2001::/32: Teredo
- 2001:10::/28: ORCHID
- 2001:db8::/32: documentation
- 2002::/16: 6to4
- 3ffe::/16: 6bone (second instance)
- 5f00::/8: 6bone (first instance)
- fc00::/7: unique-local
- fe80::/10: link local
- ff00::/8: multicast
Consider sending your reports through a service
…such as DShield FightBack or myNetWatchman (for intrusion attempts), or SpamCop (for unsolicited bulk email).
They may:
- help you avoid mistakes
- generate blocking lists based on reports received
- produce streamlined reports, easy for ISPs to act on
- allow you to track your complaint status in real time
General advice on reporting
- Send your report as plain text. Many request-tracking systems do not support images, HTML pages, proprietary word processor documents, spreadsheets…
- If your report includes time stamps from your own systems:
  - Check whether your system clocks are correct; if they are not, indicate any error exactly (this becomes especially important e.g. when identifying a dial-up user).
  - State the difference between UTC and the time zone used in your time stamps. Not everyone will be familiar with your time zone and daylight saving schedule, so avoid using local time zone names or abbreviations; instead, use e.g. “+0200” to indicate that your local time is two hours ahead of UTC.
- Avoid issuing demands. It is up to the provider to investigate the issue and take action as they see fit.
- Remember that ISPs may be legally prohibited from disclosing (or even determining) subscriber information, such as the identity of a dial-up customer, without a court order.
- Do not harass the persons listed as NIC contacts. Whois lookups show their names because they handle administrative, billing and/or technical tasks, often for large chunks of IP address space. They might not have anything to do with their organization’s abuse response duties, and they are certainly not likely to commit acts of abuse, such as attempting to crack their way into your systems.
- If you receive a tracking-number and you later find you need to follow up on your report, use that number so that the abuse desk team will be able to connect your new message with your original report. If you are not assigned a tracking-number, keep the “Subject:” line unchanged and quote previous correspondence as necessary.
What to send
Email and netnews abuse
Usually, you should simply forward the abusive message in full, without editing it in any way. The visual presentation a mail or news reader offers is often very different from the actual message format, so it might not be enough to just copy what you see and paste it into your report—you must forward the original message, including all header lines. An email abuse report without “Received:” lines, or a netnews abuse report without a “Path:” line, is probably worthless. The newsgroup news.admin.net-abuse.sightings contains good examples of forwarded spam, but the group’s moderator ceased in 2009 to accept new submissions.
Sometimes you may want to edit the message in order to anonymize the original email recipient. If you alter e.g. the “Received:” and “To:” lines, please make that obvious; the de facto standard is to replace the recipient information with the string “x” (without the quotation marks), as in:
Received: from leo (61-217-61-120.HINET-IP.hinet.net [61.217.61.120]) by walrus.megabaud.fi (8.11.3+3.4W/8.11.3) with SMTP id fBP9P1V03370 for <x>; Thu, 25 Dec 2008 11:25:03 +0200 (EET)
To: x
Extremely large messages, as well as messages that contain malicious software, are also exceptions to the forward-in-entirety rule; instead of forwarding e.g. a Trojan or a 20 MB Microsoft Office document, add a note describing the size and content of the attachment. If appropriate, include a plain-text sample.
Unauthorized access attempts, denial of service attacks and similar activity
Send the relevant log lines from the device (such as your firewall, router or server) on which you detected the attack. State that the traffic in question was unauthorized, and indicate whether the target systems were running services intended for the general public (the originators might try the “I had permission to scan the network for security holes” and/or the “I was trying to use a public service” excuses). Especially if the log format is not self-explanatory, prepend a descriptive header line, such as “type,date,time,source,destination,transport”.
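The following is an added example, not part of the original page: it picks the reportable lines out of a firewall log, drops sources that fall in the special ranges listed above, appends the numeric UTC offset to each time stamp, and prepends the descriptive header line. The whitespace-separated log format, the function names and the sample lines are assumptions made for illustration; the one public source address is the one from the page's sample “Received:” line, reused as constructed data.

```python
import ipaddress
import re

# Special ranges as listed on this page, written as CIDR prefixes.
# ::/0 (the default route) is left out because it would match every address.
SPECIAL = [(ipaddress.ip_network(net), label) for net, label in [
    ("0.0.0.0/8", '"this" network'), ("10.0.0.0/8", "private"),
    ("127.0.0.0/8", "loopback"), ("169.254.0.0/16", "link local"),
    ("172.16.0.0/12", "private"), ("192.0.0.0/24", "protocol assignments"),
    ("192.0.2.0/24", "documentation"), ("192.88.99.0/24", "6to4 relay anycast"),
    ("192.168.0.0/16", "private"), ("198.51.100.0/24", "documentation"),
    ("198.18.0.0/15", "benchmark tests"), ("203.0.113.0/24", "documentation"),
    ("224.0.0.0/4", "multicast"), ("240.0.0.0/4", "broadcast and future use"),
    ("::/128", "unspecified address"), ("::1/128", "loopback"),
    ("::/96", "IPv4-compatible"), ("::ffff:0:0/96", "IPv4-mapped"),
    ("2001::/32", "Teredo"), ("2001:10::/28", "ORCHID"),
    ("2001:db8::/32", "documentation"), ("2002::/16", "6to4"),
    ("3ffe::/16", "6bone"), ("5f00::/8", "6bone"),
    ("fc00::/7", "unique-local"), ("fe80::/10", "link local"),
    ("ff00::/8", "multicast"),
]]

HEADER = "type,date,time,source,destination,transport"


def special_reason(addr):
    """Return the page's label if addr lies in a special range, else None."""
    ip = ipaddress.ip_address(addr)
    for net, label in SPECIAL:
        if ip.version == net.version and ip in net:
            return label
    return None


def build_report(log_lines, utc_offset, clock_error=None, public_services=False):
    """Return (report_text or None, skipped) for the given log excerpt."""
    if not re.fullmatch(r"[+-]\d{4}", utc_offset):
        raise ValueError("state the UTC offset numerically, e.g. +0200")
    kept, skipped = [], []
    for line in log_lines:
        fields = line.split()
        try:
            kind, date, time, src, dst, transport = fields
            reason = special_reason(src)
        except ValueError:               # wrong field count or unparsable address
            skipped.append((line, "unparsed"))
            continue
        if reason:                       # not a source any ISP can act on
            skipped.append((src, reason))
            continue
        kept.append(",".join([kind, date, time + utc_offset, src, dst, transport]))
    if not kept:
        return None, skipped             # nothing worth reporting
    services = "were" if public_services else "were not"
    text = ["The traffic listed below was unauthorized.",
            "The target systems %s running services intended for the "
            "general public." % services,
            "Time stamps are local time with their offset from UTC (%s)."
            % utc_offset]
    if clock_error:
        text.append("Clock error: " + clock_error)
    return "\n".join(text + ["", HEADER] + kept), skipped


# Constructed sample log; the destination addresses are documentation ranges.
SAMPLE_LOG = [
    "DROP 2008-12-25 11:25:03 61.217.61.120 192.0.2.10 tcp/22",
    "DROP 2008-12-25 11:25:09 192.168.1.1 192.0.2.10 udp/68",
    "DROP 2008-12-25 11:26:40 fe80::1 2001:db8::10 udp/546",
    "DROP 2008-12-25 11:27:12 61.217.61.120 192.0.2.10 tcp/23",
]

if __name__ == "__main__":
    report, skipped = build_report(
        SAMPLE_LOG, "+0200", clock_error="system clock was 90 seconds fast")
    print(report)
    for src, reason in skipped:
        print("not reported: %s (%s)" % (src, reason))
```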
What to add
In typical cases, no “cover letter” is necessary, but sometimes a couple of explanatory lines may be useful, such as when
- the abusive message is encoded (e.g. uses client-side scripting, or exotic character sets),
- the connection between the abuser and the report recipient is not immediately obvious (such as in the case of web site redirection, or if you need to escalate the report because the end provider’s abuse contact has failed to adequately resolve your complaint), or
- you have blocked traffic due to the abuse incident. It would be a good idea to indicate this in detail (e.g., “all mail exchangers for example.net now reject connections from 192.0.2.0/24”). You might then receive a personal reply explaining the issue and how it has been resolved.
Additionally, you may want to use one of the following tags in your Subject: line in order to specify the medium where the abuse occurred:
- [email]: Internet email
- [usenet]: Netnews (including non-Usenet groups)
- [irc]: Internet Relay Chat
- [icq]: ICQ
- [chat]: Other chat media
- [misc]: Other media
… and what not to add
- Do not send screen shots.
- Do not send your entire log file, expecting the recipient to determine just which five or so lines out of a thousand actually are relevant to your report.
- Do not routinely enclose traceroute, whois or similar output. An ISP would know how they have set up their NIC records and their routing, so mailing that information back to them usually just adds noise to your report.
- Do not obfuscate your report by including representations of your mail or news client’s user interface buttons such as “Block address” or “Add to address book”.
- Do not issue empty threats of legal action. When you report a case of network abuse, you want the ISP to work with you in resolving the problem. If you instead threaten to sue them, they may refer the matter to their legal department, and you will have positioned yourself against them. In addition, an ISP might not want to interfere with a police investigation by alerting a suspect.
- Profanity, personal insults or other kinds of tantrum throwing are not useful.
Where to send your report
If you decide to mail the ISP directly, the convention is to use the abuse mailbox of the provider in question, e.g. abuse@example.net. Do not needlessly “shotgun” your report to a “bitch list” of different addresses belonging to the same organization. If the abuse address does not work, chances are the organization in question would not know what to do with an abuse report anyway; in such a case, you should probably contact the uplink provider’s abuse desk instead.
Abuse reports are normally not sent to RIRs or to IANA, as these organizations are not access providers. However, since recent discussion (example 1, example 2) indicates that the community does wish RIRs to take actions against abusive ISPs, this policy needs to be revisited soon.
Please double-check to make sure you do not send your report to an innocent bystander. Spam-reporting software will frequently mislead you. For example, one widely used lookup tool directed complaints regarding a certain /16 network to us just because we were responsible for the first /19 chunk. In addition, remember that email and netnews headers are easy to falsify; do not complain to forgery victims.
Commonly falsified email headers
| Header | Comments |
|---|---|
| Date: | The message may appear older or newer than it is. |
| From: | The name and address of the purported sender of a spam message are usually forged. |
| To: | There are often several recipients per spam message, even if the “To:” line carries only one name and/or address. The addresses of the real recipients are always listed in the RCPT command, which is part of SMTP; the “To:” header does not determine where the message is forwarded. |
| Received: | To make the message more difficult to trace, the spammer may have “preloaded” it with one or more forged “Received:” headers. You can rely on the “Received:” line that your mail server wrote, but you should treat any others with suspicion. |
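As an added example (not part of the original page), the sketch below separates the “Received:” lines your own mail server wrote from those that may have been preloaded, reads the handing-over address from the trusted line, and replaces the recipient with “x” before forwarding. The function names, the `internal_nets` parameter and the sample message are assumptions; the sample reuses the host names from the page's own “Received:” line, with a constructed recipient and two constructed forged hops.

```python
import ipaddress
import re
from email import message_from_string


def by_host(received):
    """Host name after 'by' in one Received: value, lower-cased, or None."""
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", received)
    return m.group(1).lower() if m else None


def peer_address(received):
    """First bracketed IP address in a Received: value, or None."""
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None


def split_received(raw_message, my_servers, internal_nets=()):
    """Split Received: values into (trusted, suspect), newest first.

    A line is trusted only if one of my_servers wrote it and every line above
    it was a hand-off between my own hosts. Once a trusted line shows the
    message arriving from outside, everything below it is unverifiable, even
    if it claims to have been written by one of my servers.
    """
    msg = message_from_string(raw_message)
    values = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    mine = {s.lower() for s in my_servers}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    trusted = []
    for value in values:
        if by_host(value) not in mine:
            break
        trusted.append(value)
        peer = peer_address(value)
        if peer is None or not any(peer in n for n in nets):
            break
    return trusted, values[len(trusted):]


def anonymize_recipient(raw_message, recipient):
    """Replace the recipient with "x" in the header block only."""
    m = re.search(r"\r?\n\r?\n", raw_message)
    cut = m.start() if m else len(raw_message)
    head, rest = raw_message[:cut], raw_message[cut:]
    head = re.sub(re.escape(recipient), "x", head, flags=re.I)
    # Rewrite the whole To: header, including any folded continuation lines.
    head = re.sub(r"(?im)^To:[^\r\n]*(?:\r?\n[ \t][^\r\n]*)*", "To: x", head)
    return head + rest


# Constructed sample: the first Received: line follows the page's example;
# the two below it stand in for headers preloaded by the sender.
SAMPLE = """\
Received: from leo (61-217-61-120.HINET-IP.hinet.net [61.217.61.120])
 by walrus.megabaud.fi (8.11.3+3.4W/8.11.3) with SMTP id fBP9P1V03370
 for <user@example.net>; Thu, 25 Dec 2008 11:25:03 +0200 (EET)
Received: from mx.example.com ([192.0.2.55]) by walrus.megabaud.fi
 with ESMTP; Wed, 24 Dec 2008 09:00:00 +0000
Received: from localhost ([127.0.0.1]) by mx.example.com;
 Wed, 24 Dec 2008 08:59:58 +0000
From: "A Friend" <friend@example.com>
To: "Some User" <user@example.net>
Subject: constructed sample
Date: Wed, 24 Dec 2008 09:00:00 +0000

Dear user@example.net, this body is constructed sample text.
"""

if __name__ == "__main__":
    trusted, suspect = split_received(SAMPLE, ["walrus.megabaud.fi"])
    print("handed over by:", peer_address(trusted[-1]))
    print("unverifiable Received: lines:", len(suspect))
    print(anonymize_recipient(SAMPLE, "user@example.net"))
```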
Third parties may be interested in your abuse case
- “Spam archives” such as spam@uce.gov may accept junk email submissions regardless of the message topic, but might not take any other measures than storing the message in a database (which may be available to the public).
- Certain organizations and agencies collect messages that are relevant to their specific duties. Such topics may include phishing, stock fraud, advance payment fraud or chain letters.
- Copyright enforcement agencies are usually interested in any illegal distribution of their clients’ copyrighted material, such as software, music or video. Many copyright holders will also accept direct reports.
Summary
- Consider whether the issue really should be reported to the ISP.
- If a personal firewall detected the issue, reconsider whether to file a report.
- Make sure you have identified the provider correctly.
- If you contact an ISP, write to their abuse address (e.g. abuse@example.net).
- Use plain text.
- Usually send either a complete “raw” message copy, or the relevant log lines describing the incident.
- Advise the recipient regarding any difference (clock error, or time zone offset) between your time stamps and UTC.
- If you follow up on your report later, include sufficient background information.
- Please post your comments below!
18 Comments
please help me. a guy i knew is uploading my unpleasant pics on his web appearance profile i do not know what to do. please help me.
help, keep getting link exchange offers from this spam site, no way to remove this spam? where to report abuse?
we
poker.onlinecasinoswiss.com/
onlinecasinoswiss.com
I have created a website that specifically deals with abuse of “persons” on the Internet. This is where a person is falsely accused, stalked or verbal abuse posted to malign or spread false libelous comments or statements etc. Most other “Internet Abuse” sites deals with the technical aspects of abuse via email, hacking etc.
AEWPS posts the information of websites URLS, Webpage owners, Hosts and the attackers (if known) so that their activities are published in a public forum identifying them as abusers or those that allow abuse.
The purpose of AEWPS is to encourage Web masters, owners, etc to exercise proper ethics and standards by which this kind of abuse is blocked and removed.
Therefore, I invite others to attend AEWPS and report abuse so it can be posted.
Please tell others of my web site.
Sincerely
AEWPS Administrator
There is a person on RDC named Beverly Fleetwood. She makes up many profiles and writes abusive vulgar comments…we have reported her to RDC many times and they deleted her profile many times……but this is getting totally out of control. Can you help? Please……….tell me what to do to rid RDC of this person for good…..there are many of us on RDC that are asking for help…..any advice would be appreciated..thank you……
There’s a person on RDC that is posting vulgar and abusive comments, and threats…..she makes up many profiles, which RCD deletes, her name is Beverly Fleetwood, lives in West Virginia….there are many of us who are asking for help in this…..how can we rid her from RDC for good, she has been reported many times…..can you help……any advice would be appreciated…..Please…….thank you………
archive name atheism resources alt last modified december version … – 7 visits – 7:52pm
… fourth khalif hazret frustrating night selim guncer luna asu en mi los …… pedophilia pedophile codify soroka radagast rstevew walz ripbc toilets …
people.csail.mit.edu/jrennie/ 20Newsgroups/vocabulary.txt – 484k – Cached – Similar pages
The reason I was given for the unfortunate coupling of my name with unspeakable and disgusting pornography words coming from a ‘dictionary’ according to csail.mit.edu does not make sense. caching my name (name redacted by thor@anta.net) with ASU brings up the above referenced site. I taught at ASU between the years 1996-2001 and object to the results regardless of the reason.
I have submitted my complaint to csail.mit.edu and don’t buy the ‘reason’ the coupling of my name with asu should bring up a dictionary that does not include my name.
My daughter was physically beaten by two girls over being friends with one of the girls boyfriend. He may have played a part in kicking her in the face also. We’ve filed charges but their friends make comments constantly on bebo to annoy her, torment her, and embarrass her. They also stated this was round one of UFC and Rrr Uuuuu RrrrrrrrreADY?.
What can I do to put an end to this. I’ve already given copies to our Police Department. However, the Tribal Judge (we are part of an Indian Tribe) is good friends with one of these girls. Please advise.
Hello, there is an article that appears when searching my name: Yamila Y Garcia-Ratmiroff. It is slander, libel and defamation of my character. It was posted in 2006, it is all false. I went directly to the source and they state that they don’t even know who wrote it, the persons named in the article no longer work there. They explained that it was indexed by Yahoo, Google, etc and this is the reason it still appears even if they just posted it by mistake for one day. I’m a professional and a mother of two and this is a false advertisement of my family name for everyone to see 24 hrs of everyday for over two years! What should I do? I would appreciate anyone who can help me or direct me in the right direction.
Hello, there is an article that appears when searching my name: Yamila Y Garcia-Ratmiroff. It is slander, libel and defamation of my character. It was posted in 2006, it is all false. I went directly to the source and they state that they don’t even know who wrote it, the persons named in the article no longer work there. They explained that it was indexed by Yahoo, Google, etc. and this is the reason it still appears even if they just posted it by mistake for one day. I’m a professional and a mother of two and this is a false advertisement of my family name for everyone to see 24 hrs of everyday for over two years! I would really appreciate if someone would help me.
Hello Yamila,
The article I believe you refer to is available on the web server of an agency. In order for the article to no longer appear in web search results, it would first have to be removed from the aforementioned web server.
I am not familiar with the law in that legislation, but unless you can come to an understanding with the agency, I suggest contacting a lawyer so that you can deliberate your legal options.
I hope things work out for you.
OK “PerfectStorm” or whichever of his operatives you are, as you well know the private messages are not monitored except by an automated process which monitors for and reports spam only, as well you know it is a standard feature of almost any modern chatrooms to block spams from people like yourselves that seem to have to spam our chatters to attract chatters to your own site.
The IRC server software we use can be found at http://www.unrealircd.com
The IRC services software can be found at http://www.anope.org
Both sites have complete documentation of features and nowhere does it mention or include the abilities that you are claiming so I can only conclude that this is a deliberate falsehood just like the false rumors spread by yourself yesterday claiming that our site had been shutdown by the feds while it was offline for approximately 3 hours because the power supply unit overheated and needed replacing. As you are passing this link to everybody you can think of it appears that your motives are to try to spread mistrust to as many people as possible.
I wasn’t even aware that we supposedly had a moderator by the name of *Hellen Smith* btw, who could this mysterious Hellen Smith be?
As you used to be a moderator on xxxchatters, you should already know exactly how the spam filtering works and you never had a problem with it until now. Funnily enough your own IRC site software is similar in functionality to ours so maybe you should voice the same fictitious concerns to your own chatters.
“Unable to complete forwarding for alwaysadultschatting.com. The domain is listed as spam in some spam lists. You must remove your domain from those lists to use URL forwarding service. For information regarding the lists, please use the following information: Blocked, alwaysadultschatting.com on lists [ab][sc], See: http://www.surbl.org/lists.html
Unfortunately, we can’t provide any assistance in removing your domain from the list(s). Please contact list owner directly.”
This was displayed when anyone tried to visit your website earlier and your nameservers were set to the below:
“Name Servers:
blockedduetospam.pleasecontactsupport.com
dummysecondary.pleasecontactsupport.com
Creation date: 28 Dec 2008 04:26:05
Expiration date: 28 Dec 2009 04:26:05”
http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/f69089ad3e00d238?hl=en&q=alwaysadultschatting
Registered on the 28th of December 2008 and within days is in various blacklists for network abuse and being a spam nuisance.
Anyone who has legitimate concerns can contact us via our site for further information as this is certainly not the correct venue for this type of unfounded complaint.
Best Regards
Administrator
xxxchatters
The comment XXXChatters Admin referred to has been suspended.
help, how can we stop a spammer who is sending emails to people with the URL of our site. HELP!
Keyword searches that appear cached
I am being physically abused by Lisa agusus at Golden Living Center in Battle Lake Minnesota even though I’ve reported this several times with no results except the abuse gets worse. Please help me I’m at my wits end. This has to stop I can’t take it anymore. The name is Lisa Agustus and she is a bully Please help me!!!
help me Please I’m tired of being abused by Lisa Agustus even though I’ve reported it on numerous occasions and with no results but lots of excuses.
I am from Romania and I want to send you few emails copy of something that makes me very sad.
The last e-mail:
Barrister Coulibaly Adama, (Esq.)
law firm of Sprenz & Associates
44, boul. de la République
2nd Floor Abidjan Cote d Ivoire.
Tel.: (+225) 09 42 26 20)
FOR YOUR KIND ATTENTION,
Attn Isabel Balzac
From my findings, my noble law firm was made to understand that there are Three documents required from you by the bank before the transfer of the fund into your Account.
Which are;- Anti-Terrorist Clearance Certificate, And Obtaining of the Transfer Approval of your Fund From the Ministry Of Finance here in cote d ivoire.
We want to bring to your notice that we have collected the statement of account and the Death certificate from your partner and registered them in the federal high court here for processing of the attorney and the Affidavit.
My noble law firm wish to bring to your notice that before we can proceed with this services, we want you to cross examine the information you sent and forward it back to this law firm as you want it to appear on the power of attorney)
NAME……………………………………
NATIONALITY………………………..
IDENTITY CARD N0….. ……………
DRIVER’s LICENSE REG N0….. .
In regards of the above and from our findings in the federal high court here, it will cost the sum of ($800) for the authentication of the power of attorney.
($730) for the swearing of the affidavit of oath at the federal high court here before it becomes valid.
($110) for notary stamping at the notary office here.
my legal processing fee of ($270)
Total amount will be ( $1.910 ) only to get everything done.
You are to pay the money today/tomorrow through western union money transfer with the name of my sectary Below is the information which you will have to use
Mr Kingsley Ngumah
Contact Address: 44, boul. de la République
2nd Floor
City: Abidjan
Country: Cote d Ivoire ( Ivory Coast)
Then after payment you forward to me the
( DIGITS CONTROL NUMBERS—–
( QUESTION & ANSWER—————
We serve our clients with best of our services and you will never regret working with my law firm.
make sure you inform me immediately you transfer the money so that I can start the processing of the documents which will be ready in next two working days.
Note: We receive payment first before rendering our legal service.
Thanks for your co-operation.
PRINCIPAL PARTNER
BAR, Coulibaly Adama (esq )
The middle e-mail:
ATTN SOVINSCHI ANISOARA
THIS IS TO ACKNOWLEDGE THE RECEIPT OF YOUR LETTER TO OUR BANK.
FOLLOWING THE RECEIPT OF YOUR LETTER AND OUR CONFIRMATION OF THE STATUTORY DECLARATION FROM THE FEDERAL MINISTRY OF JUSTICE. WE ASSURED YOU THAT YOUR FUND WILL BE TRANSFERRED TO YOU ONCE YOU MEET UP THE TRANSFER REQUIREMENTS.
WE HEREBY CONFIRM THAT MRS.MARIAM TOURAY, HAS AN INHERITANCE RIGHT TO HER LATE HUSBAND’S FUND AS THE NEXT OF KIN AND LEGITIMATE WIFE, SHE HAS, MADE YOU TO BENEFIT THE FUND US$825,000 INCLUDING INTEREST IN THE GENERAL TRUST ACCOUNT N° CB-CI-152348007 AS HER NEXT OF KIN AS INDICATED IN HER AFFIDAVIT DECLARATION BEFORE US.
NOTE THAT THERE ARE LEGAL NECESSITIES THAT MUST BE FOLLOWED THAT PRECEDE THE TRANSFER.
(1) LEGALIZATION: THIS ACCOUNT N° CB-CI-152348007 MUST BE LEGALIZED TO PUT MY BANK ON THE SAFE SIDE OVER THIS TRANSFER BECAUSE THIS ACCOUNT IS DORMANT AND MOREOVER THE HOLDER IS DEAD.
(2) AN ANTI-TERRORIST CLEARANCE CERTIFICATE TO CERTIFY YOUR FUND FREE FROM TERRORISM, MUST BE OBTAINED WHICH IS IN LINE WITH THE RULE OF THE INTERNATIONAL MONETARY FUND.
(3) OBTAINING OF THE TRANSFER APPROVAL OF YOUR FUND, FROM THE MINISTRY OF FINANCE.
YOU ARE THEREFORE REQUESTED TO CONTACT OUR LEGAL DEPARTMENT THROUGH AN INDEPENDENT ACCREDITED LAWYER TO OUR BANK FOR THE LEGAL REVALIDATION OF THE ACCOUNT AND PROCUREMENT OF A TERRORIST CLEARANCE CERTIFICATE THAT IS A PRE-REQUISITE FOR THE TRANSFER OF THIS FUND SINCE THE ORIGINAL ACCOUNT HOLDER IS LATE.
HERE IS THE CONTACT OF THE LAWYER.
HON.Barr Coulibaly Adama
TEL/FAX: +22509422620
E-MAIL: barr_coulibaly_adama@yahoo.co.uk
BE ASSURED THAT AS SOON AS THE ACCREDITED LAWYER CONCLUDES THE LEGAL REQUIREMENTS ON YOUR BEHALF AND SUBMIT TO THE BANK, YOUR FUND WOULD BE TRANSFERRED ACCORDINGLY.
REGARDS.
DR FRANCIOS KONE
TELEX OPERATIONS
COOPEC BANQUE.
The first e-mail:
Dear Sovinschi Anisoara
I hope all is well with you and other members of your family to the Glory of God. This is to inform you that I have procured the affidavit on oath today from the Ministry of justice. I want to inform you that this fund will be under your control towards humanitarian and charity services including the propagation of the gospel. The affidavit declaration is in your name and I trusting you to channel this fund accordingly.
I have attached a copy the certificate of deposit of this fund to this mail Please confirm the receipt immediately, and I beg you to keep this documents very very confidential.
You have now been officially and legally known as the next of kin to this fund. A copy of affidavit will also be forwarded to the Coopec Bank according to the officer of oath. You have to contact the bank director immediately and instruct them for the transfer of this money to your account. You will also give them your bank account where you want the money to be transferred.
Here is the contact address:
To: Dr. Francios Kone,
Transfer Manager,
Coopec Bank Cote d’ivoire.
Tel: +22560256243
Fax: +22521243880
E-mail: coopec_banque@live.com
You have to contact Them on Phone as soon as You send them the mail and the document which i am sending to you, always give me informations and always remember me in your daily prayers.
Thanks and May GOD blesses us all.
Sister Mariam Touray.
Note: In case of any question, remember this money was deposited by my Late husband DR.JONATHAN TOURAY, from Republic of Sierra-Leone.
Date of deposit: 12/09/2001
Account N° CB-CI-152348007
Type of Account: General Trust Account.
Amount: US $800,000.
CERTIFICATE DR TOURAY.jpg
(111KB)
Please keep me informed about this story.
Regards
Disregard that email from Ivory Coast. Many fraud cases use this ploy. The official procedure is through diplomatic channels and not direct emails. Besides, the official language in Ivory Coast is French, not English.