3

For the last 15 years I've been using SpamCop to report the spam I receive. I do this because

  • it sometimes results in spammers and the third-party machines they compromise getting shut down, at least temporarily (as evidenced by the occasional responses I get from ISPs thanking me for my reports and confirming that they've terminated access);
  • it helps build real-time blackhole lists that others can use to help filter spam; and
  • it requires almost no effort on my part, since my reporting workflow is largely automated.

If there's one type of network traffic I get even more of than spam, it's password-guessing attempts on my SSH servers. Is there some SpamCop-like service I can or should be using to report attempts to break into my machines via SSH or other network services?

I already know about and employ various defences against such break-in attempts, but that's not what this question is about. What I'm asking is

  • whether at least some ISPs want to be informed when their networks are being abused for break-in attempts,
  • whether there are any centralized IP blocklists that people can use to help filter maliciously employed IPs from incoming network connections, and
  • whether there is some software or online service that allows me to automatically submit reports for either or both of the above two purposes.
Psychonaut

1 Answer

0

I've discovered one service that purports to collect reports of attempted break-ins to SSH, mail, web, FTP, and other servers, and to forward these on to the listed abuse contacts for the originating networks. The service in question is www.BlockList.de, which bills itself as a sort of SpamCop for other-than-spam network abuse:

www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-, FTP-, Webserver- and other services. The mission is to report any and all attacks to the respective abuse departments of the infected PCs/servers, to ensure that the responsible provider can inform their customer about the infection and disable the attacker.

We report more than 70,000 attacks every 12 hours in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.com so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.

blocklist is comparable with spamcop.net for attacks of any nature, with an exception for spam.

I have no experience with using this service, though according to its own documentation it seems to do exactly what I had in mind, and moreover seems to integrate well with fail2ban.

Psychonaut
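The evidence-gathering step that feeds an abuse report of the kind discussed above, as an added example (not part of the answer, and not code from blocklist.de or fail2ban): it groups failed SSH password logins by source IP and builds a per-IP summary with the supporting log lines. The log lines are constructed samples using documentation-range addresses, the function names are hypothetical, and the report layout is an ad hoc plain-text one, not X-ARF.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH sshd syslog lines (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 02:14:07 host sshd[811]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:09 host sshd[811]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Mar  3 02:14:12 host sshd[813]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar  3 02:15:40 host sshd[820]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 02:16:01 host sshd[822]: Failed password for invalid user test from 198.51.100.7 port 33810 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def collect_attempts(log_text, year):
    """Group failed-password events by source IP.

    Syslog timestamps omit the year, so the caller supplies it.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_ip[m["ip"]].append((ts, m["user"], line))
    return by_ip

def build_reports(by_ip, threshold=3):
    """Return {ip: report text} for sources at or above the threshold."""
    reports = {}
    for ip, events in by_ip.items():
        if len(events) < threshold:
            continue  # a single failure may just be a mistyped password
        events.sort(key=lambda e: e[0])
        users = sorted({user for _, user, _ in events})
        reports[ip] = "\n".join([
            f"Source IP: {ip}",
            f"Service: ssh (failed password logins: {len(events)})",
            f"First seen: {events[0][0].isoformat()}",
            f"Last seen: {events[-1][0].isoformat()}",
            f"Usernames tried: {', '.join(users)}",
            "Log excerpt:",
            *[line for _, _, line in events],
        ])
    return reports
```

The threshold keeps legitimate users who mistype a password out of the reports; timestamps are in the server's local time, so a report sent to an abuse desk should also state the time zone.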