Security Incidents mailing list archives

Re: Template Admin Notification


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 25 Jan 2001 12:30:45 -0700

We get quite a few complaint emails on a daily basis as we have over 100K
broadband users (mostly cable modem).  David Kennedy and Martin Hoz Salvador
seem to have the best general advice IMHO.  I'd like to add a few comments:

- Polite language
Very important.  Most admins have quite a lot to do and an attitude moves
your message to the bottom of the priority list or the bit bucket.  Telling
me how to do my job is not necessary.  We have company policy for dealing
with complaints and that's how they are handled.  You may want their head,
but you'll have to do that on your own without any help from me.

- PGP SIGNED
Not super important to me.  Since I don't *know* you personally and you did
not *personally* give me your key, what difference does it make?

- Source IPs, ports, destination IPs and ports, giving times
 (start and ending times), giving also the timezone (this
 is pretty important).
All this is good.  The accuracy of your timestamps and timezone info is
very important.  Especially the timezone.  Also, remember that there's a
good chance the remote system is compromised or the IP is spoofed.  Keep
your logs short and to the point.  If you send me a 5MB log file of mostly
irrelevant info, chances are I'll save it for when I have time.

- How you realized you were under attack (IDS, firewall logs,
 by chance, etc...)
Sometimes helpful in determining what actually happened, but logs are always
required.

- The kind of attack you think you are dealing with...
Proof of this is good.  Just because your firewall said it was a certain
type of attack doesn't work for me.  Logs, logs, logs.

- A message saying "I could help you if you want. Let me know
 if that's the case". And of course, be ready to back this
 statement. ;-)
Depends on the problem, but good to know.


Important: If you don't get an answer in a reasonable time
(i.e. 2 or 3 days), resend the message, and this time, send
a copy to the carrier of your "attack source". You can
figure this out using traceroute and whois. :-)
If you expect immediate response, then provide immediate contact info.  If
you want more than an automated response, then say so, but don't always
expect a reply.  Don't SPAM with complaints.  If you (or your users) get 20
of the same SPAM message, only one copy of the message is necessary.  Odds
are the admin hates SPAM as much as or more than you and will deal with the
matter swiftly and decisively.

I was going to say a lot more, but I won't (*applause from the crowd*).
Basically, be short, polite, and provide enough relevant information to help
fix the problem.  If you want or need details, say so but be reasonable in
your expectations.  Work with them and not against them.  Depending on the
incident, they don't have to do anything and being an a$$ won't get you
anywhere.

Mike
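
The report format the thread converges on (source and destination IPs and ports, start and end times with an unambiguous timezone, only the relevant log lines, and a reminder that the source may be spoofed) can be produced mechanically. The following is an added example, not code from the post or from any of its authors. It assumes a simplified iptables-like log format and a constructed sample log (both made up for this example), and assumes the logging host writes local time in MST (UTC-7); every timestamp is converted to UTC before it goes into the report, and only lines from the complained-about source are kept.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample firewall log in a simplified, iptables-like format.
# The format is an assumption for this example; the post names no log format.
# Timestamps are local time with no zone marker, which is exactly the
# ambiguity the post warns about.
SAMPLE_LOG = """\
2001-01-25 09:15:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=33121 DPT=21
2001-01-25 09:15:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=33122 DPT=23
2001-01-25 09:15:03 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
2001-01-25 09:15:05 DROP SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=33123 DPT=21
2001-01-25 09:16:41 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=33124 DPT=53
2001-01-25 09:20:00 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
"""

# Zone the log was written in. MST (UTC-7) is assumed to match the post's
# Date header; use the real zone of the logging host.
LOCAL_TZ = timezone(timedelta(hours=-7), "MST")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line, local_tz):
    """Parse one log line; attach the local zone and convert to UTC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never guessed at
    ev = m.groupdict()
    naive = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["ts"] = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
    ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
    return ev


def summarize(log_text, src_ip, local_tz=LOCAL_TZ):
    """Keep only events from src_ip and reduce them to what an admin needs."""
    events = [ev for ev in (parse_line(line, local_tz) for line in log_text.splitlines())
              if ev is not None and ev["src"] == src_ip]
    if not events:
        return None
    return {
        "src": src_ip,
        "first_utc": min(ev["ts"] for ev in events),
        "last_utc": max(ev["ts"] for ev in events),
        "count": len(events),
        # distinct (destination, protocol, port) tuples with hit counts
        "targets": Counter((ev["dst"], ev["proto"], ev["dpt"]) for ev in events),
        "evidence": events,
    }


def render_report(summary, max_evidence=5):
    """Short, self-contained text an abuse desk can act on."""
    lines = [
        f"Source IP: {summary['src']}",
        f"First seen (UTC): {summary['first_utc'].isoformat()}",
        f"Last seen  (UTC): {summary['last_utc'].isoformat()}",
        f"Events: {summary['count']}",
        "Targets (dst proto/dport x hits):",
    ]
    for (dst, proto, dpt), hits in sorted(summary["targets"].items()):
        lines.append(f"  {dst} {proto}/{dpt} x{hits}")
    lines.append(f"Evidence (first {max_evidence} lines, UTC):")
    for ev in summary["evidence"][:max_evidence]:
        lines.append(f"  {ev['ts'].isoformat()} {ev['action']} "
                     f"{ev['src']}:{ev['spt']} -> {ev['dst']}:{ev['dpt']} {ev['proto']}")
    lines.append("Note: source address may be spoofed or the host itself compromised.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG, "203.0.113.7")))
```

The whole 5MB log stays on your side; the recipient gets the window, the targets and a handful of evidence lines, all in UTC, which is the form Mike says he can act on quickly.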
