From owner-freebsd-isp@FreeBSD.ORG Sat May 22 11:33:56 2004 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 487FB16A4CE for ; Sat, 22 May 2004 11:33:56 -0700 (PDT) Received: from mta9.adelphia.net (mta9.adelphia.net [68.168.78.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98EE343D1F for ; Sat, 22 May 2004 11:33:55 -0700 (PDT) (envelope-from fbsd_user@a1poweruser.com) Received: from barbish ([67.20.101.71]) by mta9.adelphia.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040522183343.UQHQ26615.mta9.adelphia.net@barbish>; Sat, 22 May 2004 14:33:43 -0400 From: "fbsd_user" To: "Florian Weimer" , Date: Sat, 22 May 2004 14:33:42 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal In-Reply-To: <87r7tctju3.fsf@deneb.enyo.de> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 cc: "freebsd-isp@FreeBSD. ORG" Subject: RE: Abuse reporting based on whois X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: fbsd_user@a1poweruser.com List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 May 2004 18:33:56 -0000 If the source ips are spoofed, what purpose do they do other than consume bandwidth. I believe the senders are script kiddies probing for know ports that backdoors, spyware or Trojans are know to use. -----Original Message----- From: Florian Weimer [mailto:fw@deneb.enyo.de] Sent: Saturday, May 22, 2004 2:09 PM To: fbsd_user@a1poweruser.com Cc: freebsd-isp@FreeBSD. ORG Subject: Re: Abuse reporting based on whois * fbsd user: > My ipfilter firewall is blocking 35 to 150 un-solicited inbound > port packets per minute coming from all over the world. I have an > dynamic IP address assigned by my ISP, so I know the senders are > scanning an whole subnet range of IP address for the ports they are > interested in. I have to pay for this background packet noise in > bandwidth usage surcharges. I decided to research and try to build > an process to report this abuse to the ISP's who own the source IP > address that is scanning the whole subnet ranges of IP address I > belong to. A significant part of those scans have spoofed source addresses. Unless you complete a three-way handshake (for TCP scans only, of course) and thus validate the source address, your observations are probably not worth reporting. -- Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: bigpond.com, di-ve.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com, tatanova.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.