SQL Slammer Clean-up: Reporting Upstream
By now you've sent off your abuse reports (http://isc.sans.edu/diary.html?storyid=9664) and have tracked the responses in your spreadsheet. I'd wager that so far you haven't got great results in that column. You've likely received bounces saying that the abuse contact doesn't exist, or that the mailbox is full. Others have given you nothing but silence. What next?
It's now time to go up a level. With a little bit of detective work, say a traceroute or a bit of DNS probing, you can identify the organization that supplies the IP addresses belonging to the infected system. There is a nice guide on how to go about that here: http://www.rickconner.net/spamweb/tools-upstream.html. Add a couple of new columns to your tracking spreadsheet to record the upstream provider, its abuse contact, and when you sent your report.
You will want to update your abuse report to take into consideration the needs of the upstream contact. You have to be even nicer, and provide the initial abuse report as well as your justification for escalating to the upstream (e.g. the abuse contact does not exist, the mailbox is full, or there was no response after a week).
Why didn't we report to all levels of the upstream contacts in the initial report? My simple answer is crowd psychology. If you send your report to many levels of abuse contacts, and copy SANS and law enforcement, I can guarantee you that nearly all of your recipients are going to ignore your report, thinking that it's someone else's problem to handle.
It's a process, and it will take some time. Don't give up just because you got an automated response.
-KL