Do you care about WHOIS contact information?

Guy B. Purcell guy at extragalactic.net
Tue Jul 28 22:39:28 PDT 2009


On Jul 23, 2009, at 6:32 AM, David Wolfskill wrote:

[...brute force attack notification automation bits...]

> Anyhow, I often get auto-responses; I also sometimes get a more
> personal note of thanks from the other admins (e.g., when they find
> out that they had a compromised host they didn't know about on their
> network), so I believe it's a useful exercise in general.
>
> Sometimes, though, my notification message gets bounced -- e.g.,
> with an equivalent of "no such mailbox" for each of the addresses
> on the recipient list.
>
> Over the years, I've developed an approach for addressing (no pun
> intended) this situation, but before I explain that, I'd like to
> do a reality check and ask y'all what you (would) do about it.

I have a couple thoughts :^)

If you have things completely automated, you could tweak the system a
bit to dump the addresses of those (under your current system) you
*would* send a message to into files--one file per day (sort of like
'sar' does), then add a daily cron job that goes through the files for
the previous N days & checks for repeat offenders (via some tunable
criteria)--and sends messages only to *those* folks (and potentially
auto-firewall the host for a while, too).  This would likely
significantly reduce the number of messages you send, thus the number
of bounces you get from them, leaving you more able to deal with those
bounces manually.

Personally, I wish *everyone* had a similar system in place, but
that's not likely to happen (*I* certainly don't have one, and don't
have the time even to implement one handed to me, much less roll my
own at this point; hmm, make a dandy summer project for my kid,
though...).  Unfortunately, I don't think it's likely to be able to
scale as the Internet in general--and the bad guy population in
particular--grows in its various ways (number of nodes, power of the
nodes, speed of the connections, etc.), much as the spam problem
ballooned.  Eventually, I think trying to deal with this in a friendly
manner will become impossible, much like dealing with spammers has :^(

I *do* value whois data, BTW, which is why I still have my email
address listed for my domains.

-Guy
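An added example (not code from the thread or from either poster) of the repeat-offender filter sketched above: one address list per day, a sliding window of N days, and a tunable "seen on at least K distinct days" threshold before anyone gets notified. The sample records, the `YYYY-MM-DD.txt` file naming and the thresholds are all constructed for illustration.

```python
"""Repeat-offender filter for brute-force notifications (constructed example)."""
from collections import Counter
from datetime import date, timedelta
from pathlib import Path
from typing import Dict, List

# Constructed sample: one record per day listing the source addresses that the
# existing automation *would* have notified that day (TEST-NET ranges only).
SAMPLE_DAYS: Dict[str, List[str]] = {
    "2009-07-20": ["192.0.2.10", "198.51.100.7"],
    "2009-07-21": ["192.0.2.10", "203.0.113.5"],
    "2009-07-22": ["203.0.113.5"],
    "2009-07-23": ["192.0.2.10", "203.0.113.5", "198.51.100.7"],
    "2009-07-24": ["192.0.2.10"],
}


def load_daily_files(directory: Path) -> Dict[str, List[str]]:
    """Read the per-day dumps (assumed layout: one YYYY-MM-DD.txt per day,
    one address per line) into the same shape as SAMPLE_DAYS."""
    days: Dict[str, List[str]] = {}
    for path in sorted(directory.glob("????-??-??.txt")):
        lines = path.read_text().splitlines()
        days[path.stem] = [ln.strip() for ln in lines if ln.strip()]
    return days


def repeat_offenders(days: Dict[str, List[str]], today: str,
                     window_days: int, min_days: int) -> Dict[str, int]:
    """Return {address: distinct-day count} for addresses seen on at least
    min_days distinct days within the window_days days ending on today.

    A host is counted once per day, however many attempts it made, so a
    single noisy burst does not look like a persistent offender."""
    end = date.fromisoformat(today)
    cutoff = end - timedelta(days=window_days - 1)
    seen: Counter = Counter()
    for day_str, addrs in days.items():
        day = date.fromisoformat(day_str)
        if cutoff <= day <= end:
            seen.update(set(addrs))
    return {addr: n for addr, n in seen.items() if n >= min_days}


if __name__ == "__main__":
    # Notify only hosts seen on 3+ of the last 5 days; everyone else waits.
    for addr, n in repeat_offenders(SAMPLE_DAYS, "2009-07-24", 5, 3).items():
        print(f"{addr}: seen on {n} distinct days -> notify")
```

Tightening the window or raising `min_days` is the "tunable criteria" knob: the same data with a 3-day window and a 2-day threshold flags a different set, so the parameters, not the code, decide how much mail goes out.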
