North American Network Operators Group


Re: How do you handle client contact for network abuse/malware complaints etc.?

  • From: Mark Radabaugh
  • Date: Wed Mar 01 21:47:18 2006

Nicole Harrington wrote:

>As a sort of addendum to the thread of "Quarantine your infected users spreading
>malware" I am curious how others handle contact to the users/clients for network
>security incidents.
>The question I have is: when someone reports an incident to you about
>one of your clients (a user or server owner) possibly being infected, having
>an owned box being used for hacking into other servers or being used to spread
>malware, how much information do you send/forward on to that user/client to
>support your case?
>Is it normal practice to simply forward on unaltered logs sent in by those
>complaining or do you sanitize them a bit to protect the people notifying you?
>Do you even send them at all at first or do you simply inform them that a
>complaint has been received?
>In short, how much information do you pass on to support yourself and when?
>Thanks
>Nicole Harrington

All depends on the client and if I think the abuse is intentional or not.

If the user knows what he/she is doing and I don't think they are being
malicious then I will send them everything.

If I think they are doing it on purpose I send enough to prove my case
and tell them to knock it off - before I knock it off for them (or
after - depends on how much damage they are causing).

If they don't have a clue then sending them a bunch of information they
won't understand is pointless.  We either help them clean up the mess or
refer them to someone who can.

Mark Radabaugh
