Thread: Abuse Alerting

  1. #1
    Senior Member Info_Au's Avatar
    Join Date
    Jul 2001

    Abuse Alerting

    I had a user from Comindico.co.au and I sent off a report on what their user had done just in the last few minutes to them. Now I have just received an email back from them saying:
    COMindico is a wholesale network provider. As such, we do not have direct control over the actions of end-users who use our network. However, we do take complaints forwarded to abuse@comindico.com.au seriously. Each complaint will be forwarded to the wholesale customer who is closest to the source of the incident detailed in your report.

    Our Acceptable Use Policy is available from our website. Go to http://www.comindico.com.au/ and click on the link at the bottom of the main index page.

    Should you require further information about the status of your complaint, feel free to reply to this email.
    What should I say back to them?
    I feel that them saying they have no control of the users under their I.P's sounds a bit weak?

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Just send a good complaint explaining exactly what this user has done and everything u know about what happened. Don't be too clever though; sound like u really need help and that u'r just a "poor little Internet user". If the mail doesn't help and it happens again then send another. If it happens a third time... hmm... CALL 'EM AND SCREAM THEM HALF DEAF!
    That's what I always do... Now remember it's good to sound a bit dumb if u call them, but if u feel u'r talking to the typical "computer illiterate support-line wannabe" just sound like some1 very clever and important... Now this, as u probably know, is called social engineering, hehe. It works wonders if used correctly.
    Visit: http://www.cpc-net.org
    "Software is like sex: it's better when it's free." -Linus Torvalds

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Not really a whole lot of information here to go on, so I apologise now for what may be an incorrect set of assumptions. If you need more specifics I'll need a bit more info.

    COMindico is a wholesale network provider.
    Why are they saying this? Well probably it goes something like this. Say COMindico own a B class address (255.255.x.x) and they resell these addresses in C class blocks (255.255.255.x) to a large number of downstream providers.

    So if COMindico are not responsible for the IP you are having trouble with, what are they responsible for? Well, to answer that we have to know that IP addresses come from The Internet Corporation for Assigned Names and Numbers, or ICANN. If COMindico are NOT responsible for the running of the offending IP, as an ICANN reseller they ARE responsible for keeping up to date whois information.

    So in theory you ought to be able to use whois to look up COMindico's downstream provider that hosts the IP that is giving you problems.

    First telnet to whois.arin.net on port 43, type your offending IP and you should get the name of the registry that has been assigned that netblock. You should then be able to whois query that server (eg whois.ripe.net for European addresses) and get the name of the downstream provider.

    If that doesn't work (ie you still get COMindico's details rather than the downstream provider) then COMindico is not keeping the whois up to date. In this instance you can ask COMindico to update their whois (otherwise all abuse reports are going to the wrong network) and if you get no response you can refer the matter back to ICANN.

    If the abuse that you wish to report is SPAM related then you also have another alternative. You can contact COMindico and tell them that if the matter is not resolved then you will report the matter to MAPS (the Mail Abuse Prevention System), who maintain a database of spamming networks called the Realtime Blackhole List.

    Addition to this list would block outbound mail from COMindico's entire network for anyone using the MAPS system (LOTS of ISPs), and so COMindico will be at great pains to avoid this happening. If necessary you can use this as leverage in your argument that COMindico should update the whois (because then only the downstream provider would be blackholed).

    Hope that helps a bit... Good luck - let us know how you get on.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
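
The whois referral walk described in post #3, as an added example that is not part of the original thread: it starts at whois.arin.net, follows the `ReferralServer` line to the registry holding the netblock, and collects the network name and abuse mailbox at each hop. The field names (`ReferralServer`, `NetName`/`netname`, `OrgAbuseEmail`, `abuse-mailbox`) are the ones ARIN and RIPE/APNIC-style registries use; the sample responses, the address 192.0.2.10 and the names in them are constructed so the demo runs offline.

```python
import re
import socket

def whois_query(server, query, port=43, timeout=10):
    """One WHOIS exchange (RFC 3912): send the query plus CRLF, read to EOF."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_whois(text):
    """Extract the referral server, network names and abuse mailboxes."""
    info = {"referral": None, "netnames": [], "abuse": []}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # registry comments and free text
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "referralserver":
            m = re.match(r"whois://([^:/\s]+)", value)  # rwhois:// is not followed
            info["referral"] = m.group(1) if m else None
        elif key == "netname":
            info["netnames"].append(value)
        elif key in ("orgabuseemail", "abuse-mailbox") and value not in info["abuse"]:
            info["abuse"].append(value)
    return info

def trace(ip, server="whois.arin.net", query_fn=whois_query, max_hops=4):
    """Follow referrals from the starting server; return [(server, info), ...]."""
    hops, seen = [], set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)  # guards against referral loops
        info = parse_whois(query_fn(server, ip))
        hops.append((server, info))
        server = info["referral"]
    return hops

# Constructed responses (documentation address 192.0.2.10, made-up names).
SAMPLE = {
    "whois.arin.net": "# constructed\nNetName: APNIC-192\n"
                      "ReferralServer:  whois://whois.apnic.net\n",
    "whois.apnic.net": "% constructed\ninetnum: 192.0.2.0 - 192.0.2.255\n"
                       "netname: EXAMPLE-DOWNSTREAM\nabuse-mailbox: abuse@downstream.example\n",
}

def fake_query(server, query):
    return SAMPLE[server]  # stands in for whois_query() so nothing touches the network

if __name__ == "__main__":
    for server, info in trace("192.0.2.10", query_fn=fake_query):
        print(server, info["netnames"], info["abuse"])
```

If the last hop still shows only the wholesale provider's name and mailbox, that is the stale-whois case the post describes.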

  4. #4
    Senior Member Info_Au's Avatar
    Join Date
    Jul 2001


    Here is the log from when the activity alerted me. I had checked the I.P's at Samspade and it came back with the above contact!
    Thanks for the information to check into this more.
    I had seen a post here last week with a good email on Standard abuse letter which sounded good, but now I can't find it. If anybody remembers that post, tag the link on here.
    FWIN,2002/06/24,11:32:11 +10:00 GMT,,,UDP
    FWIN,2002/06/24,11:32:11 +10:00 GMT,,,UDP
    FWIN,2002/06/24,11:32:40 +10:00 GMT,,,UDP
    FWIN,2002/06/24,11:32:40 +10:00 GMT,,,UDP
    FWOUT,2002/06/24,11:40:05 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWOUT,2002/06/24,11:45:11 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWOUT,2002/06/24,11:47:43 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWIN,2002/06/24,11:52:21 +10:00 GMT,,,TCP (flags:S)
    FWOUT,2002/06/24,12:24:20 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWOUT,2002/06/24,12:28:08 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWIN,2002/06/24,12:33:57 +10:00 GMT,,,TCP (flags:S)
    FWOUT,2002/06/24,12:47:25 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWOUT,2002/06/24,12:53:26 +10:00 GMT,,,ICMP (type:3/subtype:3)
    FWOUT,2002/06/24,12:56:57 +10:00 GMT,,,ICMP (type:3/subtype:3)

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Another interesting thing you can do is report it to incidents.org (run in conjunction with SANS, it is a very interesting site btw, they have a sharing of firewall logs/ids/etc thing going on and it is kind of fascinating to watch) or cert.org. Incidents.org has a program called fight back that is pretty interesting and basically tries to report abusers to their ISP and at times even to authorities. Cert.org will also pursue the incident with the ISP as well and if you get enough people asking about it, it would be in the ISP's best interest to investigate it, especially if failure to do so could result in a shun (a recommended blockage of their network by incidents.org).

    Good luck,

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Senior Member
    Join Date
    Apr 2002
    info_au> There's a template email to your ISP here.

    You could also use the language translation tools on Google to create yourself a Rosetta Email like this one I did to send to people who were mailing me Klez a while back.

    >>English version.

    You seem to have sent me the klez.h virus. The klez virus is an email based mass-mailer worm that searches your hard drive for email addresses to which it then forwards itself. You can find more information on the klez.h worm on the symantec website (who produce the Nortons AVTK) at:

    You can download the klez removal tool from the click and build ftp server at:

    Save the file to your desktop and then double click it.

    If you have any questions or queries related to this matter please do not hesitate to email me and I will get back to you as soon as possible.

    >>En Français.

    Vous semblez m'avoir envoyé le virus de klez.h. Le virus de klez est un ver d'masse-annonce basé par email qui recherche votre commande dure les adresses d'email auxquelles il s'expédie alors. Vous pouvez trouver plus d'information sur le ver de klez.h sur le website de symantec (qui produit le Nortons AVTK) à: http://securityresponse.symantec.co....klez.h@mm.html

    Vous pouvez télécharger l'outil d'enlèvement de klez du déclic et construire le ftp server à:

    Économiser le dossier à votre dessus de bureau et doublez alors le déclic il. Si vous avez n'importe quelles questions ou les questions liées à cette matière veuillez ne pas hésiter à l'email j'et j'obtiendrai de nouveau à vous aussitôt que possible.

    >>En Español.

    Usted se parece haber enviadome el virus de klez.h. El virus del klez es un gusano basado email del masa-anuncio publicitario que busca su impulsión dura para las direcciones del email a las cuales entonces se remite. Usted puede encontrar más información sobre el gusano de klez.h en el website del symantec (quién producto el Nortons AVTK) en: http://securityresponse.symantec.co....klez.h@mm.html

    Usted puede descargar la herramienta del retiro del klez del tecleo y construir el ftp server en:

    Excepto el archivo a su tablero del escritorio y entonces doble el tecleo él. Si usted tiene cualesquiera preguntas o las preguntas relacionadas con esta materia no vacilan por favor en el email yo y conseguiré de nuevo a usted cuanto antes.

    >>In Italiano.

    Sembrate trasmettermi il virus di klez.h. Il virus del klez è una vite senza fine del massa-bollettino basata email che cerca il vostro azionamento duro gli indirizzi del email a cui allora si spedisce. Potete trovare le più informazioni sulla vite senza fine di klez.h sul website dello symantec (chi prodotti il Nortons AVTK) a: http://securityresponse.symantec.co....klez.h@mm.html

    Potete trasferire l'attrezzo dal sistema centrale verso i satelliti di rimozione del klez dallo scatto e costruire il ftp server a:

    Risparmi la lima al vostro tavolo ed allora raddoppi lo scatto esso. Se avete qualunque domande o le domande relative a questa materia non esitano prego al email me ed otterrò appena possibile di nuovo voi.

    >>Auf Deutsch.

    Sie scheinen, mir das klez.h Virus geschickt zu haben. Das klez Virus ist eine email gegründete Masse-Werbung Endlosschraube, die Ihren harten Antrieb nach email Adressen sucht, zu denen es sich dann nachschickt. Sie können mehr Informationen über die klez.h Endlosschraube auf dem symantec website (wer Erzeugnis das Nortons AVTK) an finden: http://securityresponse.symantec.co....klez.h@mm.html

    Sie können das klez Abbauwerkzeug vom Klicken downloaden und ftp server an errichten:

    Außer der Akte zu Ihrem Schreibtisch und verdoppeln Sie dann Klicken es. Wenn Sie irgendwelche Fragen haben, oder die Fragen, die auf dieser Angelegenheit bitte bezogen werden, nicht zu email ich zögern und ich erhalte zurück zu Ihnen so bald wie möglich.


    こんにちは… あなたは私にklez.h のウイルスを送るようである。Klez のウイルスは電子メールによって基づいている固まり郵便利用者みみずである電子メールの住所をあなたの堅いドライブを捜す進める。あなたはsymantec のwebsite (だれ農産物Nortons AVTK か の klez.h みみずのより多くの情報をで見つけることができる: http://securityresponse.symantec.co....klez.h@mm.html

    あなたはかちりと言う音からのklez の取り外し用具をダウンロードし, ftp サーバをで造ることができる:

    あなたの卓上へのファイルを除けばそれからかちりと言う音をそれ倍増すれば。 あなたがどの質問でも有するか, またはこの問題と関連している問い合わせが電子メールへ私と躊躇しなければ私はあなたへできるだけ早く戻る。


    喂-- 你好似寄发我klez.h 病毒。Klez 病毒是寻找你的硬盘电子邮件地址它然后批转的电子邮件基于的大量邮件蠕虫。你能发现更多信息关于klez.h 蠕虫在symantec 网站(谁产物Nortons AVTK) 于: http://securityresponse.symantec.co....klez.h@mm.html

    你能下载klez 撤除工具从点击和修造文件传送规约服务器于:

    保存文件对你的桌面和然后加倍点击它。 如果你有任何问题或询问与这个问题有关请不犹豫对电子邮件我和我尽快将得到回到你。
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
