On Wed, 9 Jan 2002, Greg McCarroll wrote:

> It's a BT openworld IP which I am also a member of, so i've already
> contacted [EMAIL PROTECTED] , however they suggest I contact the
> cops.

If it looks like automated stuff (repeated nimda/code red/etc scans) then maybe contact abuse@bt again and make it clear that you doubt the user is aware of this, and that it puts their network at risk, both by it being able to participate in DoS attacks, and by also actively trying to infect other bt users' machines, thus potentially causing even more trouble on bt's network.

If you're feeling particularly generous, then enclose a suggested mail for them to send to the customer on what has happened to their machine, how to fix it, and how to stop it happening again (3 URLs for other people's docs, that is). Although useful in itself, I would hope that it will also get your mail past 1st line support, and up to someone who might actually care.

More direct alternatives, such as netsend'ing the user a message that their machine has been hacked, or using the holes which an infected machine has to alert the user in some other way (log in, remove adsl driver ? or change their subnet mask to not include you (though I'm not sure if the worms target your actual subnet, or just anything on the same /24), leave a few batch files or rude messages around for the user, or some helpful hints ?) Be creative, if bt aren't being cooperative.

> BT have advised me to contact the cops, i don't want to do this but
> i'm talking to my wife about it at the moment.

Like you guess, it's unlikely to get very far, unless a lot of people are making some noise about it (maybe even enough for bt to change their stance and be a bit more helpful ? ntl or telewest were reportedly pulling the connection on anyone whose machine was nimda scanning)

> 1.) advice, do you think i should just ignore it and accept it as
> just one of those things that happen on the 'Net

If it was somewhere remote, as a fair chunk of scans will be, then I'd live with it as long as it's not likely to cause you any damage. However, people on your subnet are people with very fast access to your machine, and the potential to make openworld a slow service.

> 2.) because i gave my IP address to this list (for xfrisk reasons)
> just a few hours before i can't help wondering if it is someone
> on this list or someone who reads it in an archive

Possible but unlikely. That said, I'd guess you can drop your dhcp lease and pick up a new IP, then only give it out to people who ask you directly for it.

the hatter