[LACNIC/Seguridad] Abuse contact of gvt.com.br not functioning

U.Mutlu security at mutluit.com
Mon Oct 15 19:04:54 BRT 2012


Dear Sir from LACNIC!
your suggestions are impractical, you seem never to have been
an administrator, and you seem not to know your own mandate!

There must be a working abuse contact in the WHOIS db,
and that contact must process the Abuse Reports caused by its clients,
and cut off those clients who are evidently doing cyber crimes
like attempting to hack other systems.
If that contact evidently does not do its duty, then it is
the job of the RIR to make them obey the rules.

FYI: over here in Europe (RIPE) "abuse-c" in the WHOIS has become a _mandatory_ entry
--> https://www.ripe.net/ripe/policies/proposals/2011-06
and it works in just about all EU countries.
Problematic countries are CN, IN, ID, BR, RU, UA etc.
One wonders why...
I think because of lack of law & rules, education, and moral values.


Arturo Servin wrote, On 10/15/2012 06:32 PM:
>
> 	So, why not just block the IP(s)?
>
> 	Any fw can do that, I do not see why you need to block the whole cctld.
>
> 	Also you can change the ssh port and/or allow just some IP addresses
> to log in to your server.
>
> 	Finally, what do you expect the IP address holder to do?
>
> 	IMHO and IANAL if you want them to do something you need to execute
> legal action, not just an email to abuse.
>
> Regards,
> as
>
> On 15/10/2012 14:11, U.Mutlu wrote:
>> Arturo Servin wrote, On 10/15/2012 05:48 PM:
>>>
>>>      What do you mean it is not possible?
>>>
>>>      What is your problem? Do you get SPAM or DDoS from gvt.com.br?
>>>
>>>      It would be difficult to give advice without knowing the problem.
>>> But certainly blocking the whole .cc is not a clean/optimal/advisable
>>> solution to say the least no matter the problem.
>>
>> Especially unauthorized login attempts, i.e. hacker activities, just one
>> example:
>>
>> "
>> Subject: [MIT-s5-BR3S083182EHL] Net Abuse: illegal ssh login attempt
>> (hacker activity) from IP 187.115.202.83
>> To: abuse at gvt.com.br (Network Abuse Desk)
>> Date: Sat, 13 Oct 2012 11:27:37 +0200
>> "
>>
>> This was the 3rd Abuse Report that IP had caused on that server of ours.
>> And we wait 2+ days before sending another AR if the attack/attempt
>> repeats.
>> I.e. that company has not reacted to any of the 3 Abuse Reports for that IP,
>> and unfortunately there are way too many such cases...
>>
>>
>>> On 15/10/2012 13:42, U.Mutlu wrote:
>>>> Carlos Martinez wrote, On 10/14/2012 06:05 PM:
>>>>> I don't really understand your logic. You blocked a CC of 170M people
>>>>> for a single domain.
>>>>>
>>>>> A more fine grained acl can be created I'm sure.
>>>>
>>>> I admit it's not the best method, I too would prefer blocking
>>>> on a company/domain basis (or abuse-address basis), but that is
>>>> IMHO not possible with the standard tools we use (iptables with
>>>> xtools/geoip).
>>
>> _______________________________________________
>> Seguridad mailing list
>> Seguridad at lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/seguridad

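The thread argues over blocking a whole country (iptables with xtables/geoip) versus a finer-grained ACL for repeated ssh login attempts. As an added example that is not part of the thread, the script below counts sshd failures per source IP in a constructed auth.log sample and emits ipset/iptables commands for only the offending addresses; the set name, threshold and log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): per-IP block list built from
# sshd failures instead of a whole-country geoip rule.

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG='Oct 13 11:20:01 srv sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Oct 13 11:20:03 srv sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Oct 13 11:20:06 srv sshd[4103]: Failed password for root from 203.0.113.10 port 51236 ssh2
Oct 13 11:21:10 srv sshd[4110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 13 11:22:40 srv sshd[4115]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2'

# Assumption: three failures from one address is enough to block that address.
THRESHOLD=${THRESHOLD:-3}
SET_NAME=ssh-abusers   # assumed ipset name

# offenders: print each source IP with >= THRESHOLD failed logins, one per line.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$THRESHOLD" '
          /sshd\[[0-9]+\]: Failed password for/ {
              for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
          }
          END { for (ip in n) if (n[ip] >= t) print ip }' \
      | sort
}

# block_rules: emit the ipset/iptables commands for those IPs. They are
# echoed rather than executed so the script can be reviewed before use.
block_rules() {
    echo "ipset create $SET_NAME hash:ip -exist"
    offenders | while read -r ip; do
        echo "ipset add $SET_NAME $ip -exist"
    done
    echo "iptables -I INPUT -p tcp --dport 22 -m set --match-set $SET_NAME src -j DROP"
}

block_rules
```

Only 203.0.113.10 crosses the threshold; the legitimate user at 198.51.100.7 (one failure, then a successful key login) is left alone.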