Saturday, June 30, 2012

How to report an abuse to an ISP/SP

From time to time, you will have to report an abuse to an Internet Service Provider (ISP). Having been at both ends of this, I know it can be a frustrating task. As the person submitting the abuse report, you always end up with no feedback, or with a vague, generic e-mail that informs you that your report will be read and that, if needed, action will be taken. In most cases, this is the only response you will get.

As the person receiving the abuse reports, you have to deal with incomplete or ambiguous information, people demanding the name of a subscriber, and from time to time, profanities and threats. Usually, the receiver gets the report from someone with no connection whatsoever to his service (meaning "not paying anything") about someone who pays him good money. That's a conflict of interest that various laws have tried to resolve by imposing on ISPs an obligation to notify users of potential misconduct, as it may be unintentional, for instance in the case of machines infected by a virus.

In all cases, it is important to stay polite and courteous: after all, the person reporting the abuse is asking for help, while the person receiving the report may have a legal obligation to take action.

A good report includes:

- The IP address of the machine that allegedly committed the abuse;
- The IP address of the machine that was the target of the abuse;
- A description of the abuse, in factual terms - no elaboration or speculation about intent;
- The relevant entries from the logs with timestamps - the relevant entries only, no need to forward a 10MB log to show 2 lines;
- The timezone the machine is in.

In addition to these, I usually add a short note inviting the ISP to contact me should more information be needed.

Unless you are familiar with the language spoken by the ISP you are reporting the abuse to, English is a good bet for writing the e-mail. If your logs are not in the same language, offer to provide a translation.

Here is an example of an e-mail I would send:

Subject: potential abuse coming from x.x.x.x

Sir,
My logs indicate that x.x.x.x tried several combinations of username/password on my SMTP server, with IP y.y.y.y.

Please find the logs below. All the times are EST.
Should you need more information or logs, feel free to send me an e-mail.
[Logs]

Now comes the question: how do you find the e-mail address to report an abuse to?

The Whois service

All IP networks have been allocated by a regional Internet registry. These registries each operate over a geographic area and are responsible for assigning the IP networks, maintaining the technical and administrative contacts and providing some basic information about the IP networks.

For North America, the registry is ARIN. In the top right corner, there is a box called "Search WHOIS". This is where you will put the offending IP. The result may or may not include an "abuse contact".

When it doesn't include such a record, I look to see if there is a link to another delegation: some ISPs have hundreds of networks and operate their own WHOIS. In that case, the best option is to follow the link and search for the information in the next database.

In the event there is no such delegation and no abuse contact, I usually go for the parent network, until I find an abuse contact.
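
The lookup order described above (abuse contact first, then a delegation to another WHOIS server, then the parent network), as an added Python example that is not part of the original post. The replies are constructed samples using ARIN-style field names (`OrgAbuseEmail`, `ReferralServer`, `Parent`) and the RIPE-style `abuse-mailbox`; the handles, hostnames and the `lookup` callback are hypothetical stand-ins for a real port-43 query.

```python
import re
from urllib.parse import urlparse

# Constructed WHOIS replies (documentation IPs, made-up handles and hosts),
# keyed by (server, query). A real lookup would query TCP port 43 instead.
SAMPLE = {
    ("whois.arin.net", "203.0.113.25"):
        "NetRange:       203.0.113.0 - 203.0.113.255\n"
        "Parent:         EXAMPLE-ISP (NET-EXAMPLE-ISP)\n"
        "OrgTechEmail:   noc@customer.example\n",
    ("whois.arin.net", "NET-EXAMPLE-ISP"):
        "NetHandle:      NET-EXAMPLE-ISP\n"
        "ReferralServer: whois://whois.isp.example:43\n",
    ("whois.isp.example", "203.0.113.25"):
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "abuse-mailbox:  abuse@isp.example\n",
}

def field(text, *names):
    """Return the value of the first 'Name: value' line found, or None."""
    for name in names:
        m = re.search(rf"^{re.escape(name)}:[ \t]*(\S.*)$", text, re.M | re.I)
        if m:
            return m.group(1).strip()
    return None

def find_abuse_contact(ip, server="whois.arin.net", lookup=None, max_hops=5):
    """Return (abuse_email_or_None, [(server, query), ...] actually consulted)."""
    lookup = lookup or (lambda srv, q: SAMPLE.get((srv, q), ""))
    query, trail = ip, []
    for _ in range(max_hops):          # bound the walk: referrals can loop
        text = lookup(server, query)
        trail.append((server, query))
        abuse = field(text, "OrgAbuseEmail", "abuse-mailbox")
        if abuse:                      # 1. the record has an abuse contact
            return abuse, trail
        referral, parent = field(text, "ReferralServer"), field(text, "Parent")
        if referral:                   # 2. delegation: ask the ISP's own WHOIS
            server, query = urlparse(referral).hostname, ip
        elif parent:                   # 3. otherwise climb to the parent network
            handle = re.search(r"\(([^)]+)\)", parent)
            query = handle.group(1) if handle else parent
        else:
            break                      # nothing left to follow
    return None, trail

if __name__ == "__main__":
    print(find_abuse_contact("203.0.113.25"))
```

The returned trail records which server and query produced the contact, which is worth keeping with the report in case the ISP asks how you found the address.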

Going to Justice

If the abuse cost you money or caused harm or damages, you may want to go to the police. In that event, the procedure depends on where you are and what jurisdiction applies. Contact your local authorities for more information.

In that case, it is important to preserve as much information as possible: if the abused machine is your desktop, don't use it anymore, disconnect it from the network and wait for instructions.

Happy Surging!