From: Florian Weimer
To: fbsd_user@a1poweruser.com
Cc: "freebsd-isp@FreeBSD.ORG"
Date: Sat, 22 May 2004 20:09:24 +0200
Subject: Re: Abuse reporting based on whois
In-Reply-To: (fbsd user's message of "Sat, 22 May 2004 11:39:00 -0400")
Message-ID: <87r7tctju3.fsf@deneb.enyo.de>

* fbsd user:

> My ipfilter firewall is blocking 35 to 150 unsolicited inbound
> port packets per minute coming from all over the world. I have a
> dynamic IP address assigned by my ISP, so I know the senders are
> scanning a whole subnet range of IP addresses for the ports they are
> interested in. I have to pay for this background packet noise in
> bandwidth usage surcharges. I decided to research and try to build
> a process to report this abuse to the ISPs who own the source IP
> addresses that are scanning the whole subnet ranges of IP addresses I
> belong to.

A significant part of those scans have spoofed source addresses.
Unless you complete a three-way handshake (for TCP scans only, of
course) and thus validate the source address, your observations are
probably not worth reporting.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, hotmail.com, jumpy.it,
libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tatanova.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr,
yahoo.com.
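
The handshake check described in the reply above, as an added example that is not part of the original message: it separates sources that returned a correct final ACK from sources seen only as unanswered SYNs, so that only validated addresses go into an abuse report. The record format, the function name and all addresses (documentation ranges) are constructed for illustration, and the trace assumes a listener that answers SYNs, since a firewall that silently drops them never gets a handshake to check.

```python
from collections import namedtuple

# Constructed record format (an assumption): one entry per TCP segment
# seen at the local host. flags is "S", "SA" or "A".
Pkt = namedtuple("Pkt", "direction src sport dst dport flags seq ack")

def classify_sources(packets, local_ip):
    """Return (validated, unvalidated) sets of remote IP addresses.

    A source is validated only if it sent an ACK whose acknowledgment
    number equals the initial sequence number of our SYN-ACK plus one.
    A sender spoofing someone else's address never sees the SYN-ACK,
    so it cannot produce that number except by guessing.
    """
    expected = {}       # (remote ip, remote port, local port) -> ack we expect
    syn_sources = set()
    validated = set()
    for p in packets:
        if p.direction == "out" and p.src == local_ip and p.flags == "SA":
            # Our SYN-ACK: remember which ack completes this handshake.
            expected[(p.dst, p.dport, p.sport)] = (p.seq + 1) % 2**32
        elif p.direction == "in" and p.dst == local_ip:
            key = (p.src, p.sport, p.dport)
            if p.flags == "S":
                syn_sources.add(p.src)
            elif p.flags == "A" and expected.get(key) == p.ack:
                validated.add(p.src)
    return validated, syn_sources - validated

LOCAL = "192.0.2.10"
TRACE = [  # constructed sample trace, not real traffic
    # 198.51.100.7 completes the handshake.
    Pkt("in", "198.51.100.7", 40000, LOCAL, 80, "S", 1000, 0),
    Pkt("out", LOCAL, 80, "198.51.100.7", 40000, "SA", 5000, 1001),
    Pkt("in", "198.51.100.7", 40000, LOCAL, 80, "A", 1001, 5001),
    # 203.0.113.9 never answers the SYN-ACK (possibly spoofed).
    Pkt("in", "203.0.113.9", 1234, LOCAL, 80, "S", 77, 0),
    Pkt("out", LOCAL, 80, "203.0.113.9", 1234, "SA", 9000, 78),
    # 203.0.113.50 sends an ACK with a wrong acknowledgment number.
    Pkt("in", "203.0.113.50", 5555, LOCAL, 80, "S", 1, 0),
    Pkt("out", LOCAL, 80, "203.0.113.50", 5555, "SA", 42000, 2),
    Pkt("in", "203.0.113.50", 5555, LOCAL, 80, "A", 2, 12345),
]

if __name__ == "__main__":
    ok, suspect = classify_sources(TRACE, LOCAL)
    print("worth reporting:", sorted(ok))
    print("source not validated:", sorted(suspect))
```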