Below is what Dshield's FightBack system sends.
Hope this helps,
Jesse Lepich
[snip]
Hi.
A user of DShield.org, the Distributed Intrusion Detection System,
submitted a log excerpt which indicates a probe from one of your users.
Please notify the user and take appropriate actions to avoid further
problems.
Details (not all users submit flags and protocol):
Source IP: SSS.SSS.SSS.SSS (port: 2239)
Target IP: DDD.DDD.DDD.DDD (port: 445)
Protocol: 6 (Flags: S )
Time: 2005-01-29 14:54:08 (GMT)
Hostname: SSS.SSS.SSS.SSS.xxx.xxxxxxxxx.xxx
Sample logs as submitted:
(not all submitters permit forwarding of the target IP. Some may be
withheld or obfuscated by using '10' as first byte)
2005-01-29 14:54:08 GMT SSS.SSS.SSS.SSS => DDD.DDD.DDD.DDD
All Logs:
http://www.dshield.org/ipdetails.php?ip= (Source IP + and ID code
that allows the reciepient to see the target IP)
targets. This report includes one sample of these records.
This report was submitted to Dshield.org by XXXXXXX@XXXXXX.XXX
For more information about DShield see http://www.dshield.org
Please let us know if you would not like any further notices from
DShield.org
or if you would prefer a different format.
You have permission to share this information to facilitate a
solution
of this problem.
Thanks.
fightback@dshield.org
http://www.dshield.org/fightback.html
IMPORTANT: If you require further assistance, please reply and add the
word 'URGENT' to the subject. Please include this full email in your
reply.
[snip]
-----Original Message-----
From: Jason Burton [mailto:jab@leximedia.net]
Sent: Tuesday, August 16, 2005 9:02 PM
To: incidents@securityfocus.com
Subject: Proper ISP Reporting
Anyone have samples of how to properly report to ISP's regarding abuse?
ie. What format the email should be in, sample phrases, or sentences
that might help. I've been doing this for a while and while some work,
some have not. Im wondering if anyone has examples.
Thanks
Jason Burton
Leximedia LLC
jab@leximedia.net
