
When inspecting the DNS configuration, for example with dnsinspect.com, the following sometimes shows up (note: I used example.com):

Accepts Abuse Address

WARNING: Found mail servers which are not accepting emails to abuse@example.com address: 

primary.mail.example.com

>> MAIL FROM: <dnsreport@dnsinspect.com>
<< 250 OK
>> RCPT TO: <abuse@example.com>
<< 550 5.1.1 User unknown

fallback.mail.example.com

>> MAIL FROM: <dnsreport@dnsinspect.com>
<< 250 OK
>> RCPT TO: <abuse@example.com>
<< 550 5.1.1 User unknown

Now I figured, if you can't receive abuse emails, you won't be able to get notified by external parties (eventually automatically, with services like fail2ban), because you'll never receive those emails. This way, if your server is infected and is, for example, busy brute-forcing an innocent server that is desperately trying to notify the infected server's owner, the owner of the infected server will never get notified.

Is this considered a security risk in general, in terms of an inability to detect and react in such a case?

In other words, I'm seeking a way to detect abuse of my own servers, in case one is compromised. I understand that just waiting until other servers start to send abuse messages won't be sufficient and is reactive, while you'd prefer a proactive method. But it will surely help in case other (proactive) measures like rootkit detection etc. failed. Now, I'm wondering if "not being able to receive those abuse emails" in case of a compromised server is a risk (read: possibly not detecting that your server is compromised)?

Bob Ortiz
  • You have to decide if it's a security risk to you, in your situation, and if it merits some kind of response or remediation action. It's not a one-size-fits-all: "RED ALERT - SECURITY RISK". – John Deters Jun 28 '16 at 15:12
  • Remember, organisations may not use abuse@ - while it is the most common, others may use other contact mechanisms, or even online reporting. – Rory Alsop Jun 29 '16 at 10:11
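The dnsinspect.com output above is the result of an envelope-only SMTP dialogue (MAIL FROM, then RCPT TO, never DATA), so you can run the same check against your own MX hosts before an external party has to. The script below is an added example, not code from the question, the answer or dnsinspect.com. It uses the standard-library smtplib client, probes a chosen subset of the RFC 2142 role mailboxes (the list and the sender address are assumptions), and reports which required role addresses none of the probed hosts accepted. The ReplayingSMTP class is a constructed offline stand-in that replays the 550 / 250 replies seen in the question so the example runs without a network; pass no smtp argument to open a real connection to one of your own MX hosts.

```python
import smtplib
from dataclasses import dataclass

# Subset of RFC 2142 role mailboxes to probe (assumed list for this example)
ROLE_ADDRESSES = ("abuse", "postmaster", "security", "hostmaster", "webmaster")


@dataclass
class RcptResult:
    host: str
    address: str
    code: int
    message: str

    @property
    def accepted(self) -> bool:
        # RFC 5321 reply classes: 2xx accepted, 4xx temporary failure, 5xx permanent rejection
        return 200 <= self.code < 300


def probe_mx(host, domain, smtp=None, sender="abuse-check@example.net", roles=ROLE_ADDRESSES):
    """Run an envelope-only dialogue (EHLO, MAIL FROM, RCPT TO ...) against one MX host.

    DATA is never sent, so nothing is delivered; the RCPT TO replies tell us which
    role mailboxes the host accepts. `smtp` lets the caller inject a prepared
    connection (or an offline fake); by default a real connection is opened.
    The sender address is a hypothetical placeholder.
    """
    conn = smtp if smtp is not None else smtplib.SMTP(host, 25, timeout=15)
    results = []
    try:
        conn.ehlo_or_helo_if_needed()
        code, msg = conn.mail(sender)
        if code != 250:
            raise RuntimeError(f"{host} rejected MAIL FROM: {code} {msg.decode(errors='replace')}")
        for role in roles:
            address = f"{role}@{domain}"
            code, msg = conn.rcpt(address)
            results.append(RcptResult(host, address, code, msg.decode(errors="replace")))
        conn.rset()  # abandon the envelope instead of sending DATA
    finally:
        conn.quit()
    return results


def missing_roles(results, required=("abuse", "postmaster")):
    """Return the required role names that no probed host accepted, in the given order."""
    accepted = {r.address.split("@")[0] for r in results if r.accepted}
    return [role for role in required if role not in accepted]


class ReplayingSMTP:
    """Constructed offline stand-in: replays canned RCPT TO replies keyed by address."""

    def __init__(self, replies):
        self.replies = replies
        self.log = []  # dialogue as the client issued it, for inspection

    def ehlo_or_helo_if_needed(self):
        self.log.append("EHLO")

    def mail(self, sender):
        self.log.append(f"MAIL FROM:<{sender}>")
        return 250, b"OK"

    def rcpt(self, address):
        self.log.append(f"RCPT TO:<{address}>")
        # Unknown mailboxes get the reply seen in the question's transcript
        return self.replies.get(address, (550, b"5.1.1 User unknown"))

    def rset(self):
        self.log.append("RSET")

    def quit(self):
        self.log.append("QUIT")


if __name__ == "__main__":
    # Constructed replay of the question: abuse@ rejected, postmaster@ accepted
    fake = ReplayingSMTP({"postmaster@example.com": (250, b"OK")})
    results = probe_mx("primary.mail.example.com", "example.com", smtp=fake)
    for r in results:
        print(f"{r.host}: RCPT TO:<{r.address}> -> {r.code} {r.message}")
    print("missing role addresses:", missing_roles(results))
```

Run it against each MX host your domain publishes and treat a non-empty missing_roles result as a configuration finding; a 4xx reply is reported as not accepted as well, since greylisting or a temporary failure still means the complaint did not land.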

1 Answer


There are a number of alternative standard addresses that might work. For example, postmaster@example.com, admin@example.com, webmaster@example.com (full list: https://www.ietf.org/rfc/rfc2142.txt).

If that fails, you might want to look for a contact form on the website hosted on the domain, if there is any.

If you can't reach any of these, you may want to do a WHOIS query and send the abuse email to the domain name registrant's email address. Even if the registrant uses a domain privacy service, the privacy service will usually still forward the email to the real domain owner or have other ways to contact the real domain owner.

If that fails, you might want to try a third-party abuse address database like https://www.abuse.net/ and see if they have a different abuse address listed there.

If that fails, you can get the IP address of the abusive system and reverse-lookup the IP address to get the ISP for that IP address. You can notify the abuse contact address of the ISP instead. ISPs are usually more responsive to these kinds of requests than individual domain owners. Most ISPs don't want abusers in their network, just as much as you don't want them abusing yours. Reputable ISPs would usually try to contact the customer, investigate the abuse, and if they consider the complaint has a case and the abuse doesn't cease, they can, at their discretion, shut down or filter the customer's internet access.

The lack of an abuse@example.com address doesn't necessarily mean that there's nothing you can do about abuse. There are a number of alternatives you can pursue.

Lie Ryan
  • Thanks for your answer. Most of this explains alternative ways to report abuse. But I'm seeking a way to detect abuse of my own servers, in case one is compromised. Just waiting until other servers start to send abuse messages won't be sufficient, but it will surely help in case other measures like rootkit detection etc. fail. Now I'm wondering if "not being able to receive those mails" in case of a compromised server is a risk (read: possibly not detecting that your server is compromised)? – Bob Ortiz Jun 29 '16 at 11:12
  • @EvanderConsus: yes, not handling abuse complaints may be a risk. If your ISP shuts down your server because you didn't respond to abuse complaints, that's a risk to your site. – Lie Ryan Jun 29 '16 at 11:45
  • Can you add to your answer that it's an availability risk? I want to accept this answer, but it's not really answering the question yet. It gives the alternatives for sending an abuse message. But the answer "yes, not handling abuse complaints may be a risk" is actually the answer to the question. Can you add that? – Bob Ortiz Jul 04 '16 at 09:19