Bashinators Abuse Central


General Information

This page contains information about centralized abuse complaint handling by the servers operated by the Bashinators. See below for details.

Abuse Detection

All hosts mentioned above run separate instances of Fail2Ban, a log monitoring service that checks for failed login attempts and the like. If Fail2Ban detects a misbehaving client, it applies some measure to prevent that client from connecting to the host again for a defined amount of time (like shorewall reject, iptables drop, ...).

Fail2Ban generates detailed reports of attacking machines containing the attacked service, whois information for the client address(es) and relevant log lines and sends them out by e-mail. We collect all these reports in a centralized mailbox for further processing.

If you received an abuse complaint from our system, it will probably list several message ids that triggered the alarm. You can search for these ids to read the raw reports:

Message-ID:

You can also search for all Fail2Ban reports listing a certain IP address. Please do respect the privacy of others.

IP address:

Searching the archive might take some time once it becomes large. To your relief, it only searches reports used in abuse complaints.

Abuse Complaint Creation

We developed a Python script that, controlled by cron, scans the Fail2Ban mailbox mentioned above on a regular basis and parses the incoming reports. It then applies (a variant of) the following algorithm:

  1. Archive all messages older than 7 days.
  2. Parse incoming MIME message, retrieving:
  3. Store information in data structures for later processing.
  4. If more messages exist, go back to 2.
  5. Go through attacking addresses:
    1. If fewer than 3 records exist, ignore. Else,
    2. Generate abuse report with
      • Attacking address
      • Attacked service(s) and host(s)
      • Whois information justifying the report
      • Excerpt from relevant log lines
      • Information on how to cooperate with us
    3. Send out report.
    4. Archive all messages used for the report.
  6. Finish.

The script can be found here.
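The aggregation and threshold steps above, as an added Python example (this is not the Bashinators' script). The function names, the subject pattern, the log marker, the report layout and the sample mails are assumptions constructed here; whois data and mail delivery are out of scope.

```python
import email.policy, re
from datetime import datetime, timedelta, timezone
from itertools import takewhile

MAX_AGE, MIN_RECORDS = timedelta(days=7), 3  # thresholds from steps 1 and 5.1
SUBJECT_RE = re.compile(r"\[Fail2Ban\] (\S+): banned (\S+) from (\S+)")  # assumed subject layout
LOG_MARKER = "Lines containing"  # assumed start of the log excerpt in the mail body

def parse_report(raw):
    """Step 2: Message-ID, date, jail, attacker IP, host and log lines of one mail."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    m = SUBJECT_RE.search(str(msg.get("Subject", "")))
    part = msg.get_body(preferencelist=("plain",))
    date = msg["Date"].datetime if msg["Date"] else None
    if not m or part is None or date is None or date.tzinfo is None:
        return None  # not a report we can interpret: skip it rather than guess
    lines = part.get_content().splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith(LOG_MARKER)), len(lines))
    return {"id": str(msg["Message-ID"]), "date": date, "jail": m.group(1), "ip": m.group(2),
            "host": m.group(3), "logs": list(takewhile(str.strip, lines[start:]))}

def build_complaints(raw_mails, now):
    """Steps 1-5 without sending: returns ({ip: report text}, [archived Message-IDs])."""
    by_ip, archived, complaints = {}, [], {}
    for rec in filter(None, map(parse_report, raw_mails)):
        if now - rec["date"] > MAX_AGE:
            archived.append(rec["id"])                   # step 1: too old, archived uncounted
        else:
            by_ip.setdefault(rec["ip"], []).append(rec)  # step 3
    for ip, recs in by_ip.items():
        if len(recs) >= MIN_RECORDS:  # step 5.1: smaller groups wait for a later run
            ids = [r["id"] for r in recs]
            targets = sorted({f"{r['jail']} on {r['host']}" for r in recs})
            logs = [line for r in recs for line in r["logs"]][:10]
            complaints[ip] = "\n".join([f"Attacking address: {ip}", "Attacked: " + ", ".join(targets),
                                        "Message-IDs: " + " ".join(ids), "Log excerpt:", *logs])
            archived += ids           # step 5.4: used reports leave the mailbox
    return complaints, archived

TEMPLATE = ("Message-ID: <r{0}@{4}>\nDate: {1} Apr 2013 10:00:00 +0200\n"  # constructed sample
            "Subject: [Fail2Ban] {3}: banned {2} from {4}\n\nHi,\n\nLines containing failures of {2}\n"
            "Apr {1} 09:59:0{0} sshd: Failed password from {2}\n\nRegards\n")
MAILS = [TEMPLATE.format(*row.split()) for row in (  # constructed fields: n day ip jail host
    "1 22 192.0.2.10 ssh a.example", "2 23 192.0.2.10 ssh b.example", "3 24 192.0.2.10 postfix a.example",
    "4 15 198.51.100.7 ssh a.example", "5 24 198.51.100.7 ssh a.example", "6 25 198.51.100.7 ssh b.example")]
NOW = datetime(2013, 4, 26, 17, 30, tzinfo=timezone(timedelta(hours=2)))  # constructed run time

if __name__ == "__main__":
    print(build_complaints(MAILS, NOW))
```

In the sample mailbox the second address has three reports, but one is older than 7 days, so it stays below the threshold and only its stale report is archived.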

Abuse Complaint Policy

We consider it our duty to send out abuse reports for all hosts that appear to misbehave over a certain period of time or are reported to do so by more than a few machines. Abuse complaints play an important role in keeping the internet free from malevolent users. They also serve the purpose of letting other administrators know that their system(s) might have been hijacked.

Our script applies some intelligence in deciding what to report when; however, if a single address triggers a high number of reports in a short time, you might receive up to 4 reports per day because counters are reset once a report has been sent out.

Operators

The Bashinators Abuse Central is operated by Dominik George and Felix Falk. Please contact us should you have any inquiries concerning the abuse reporting system.

Statistics

The last run of the script was on Friday, 26-Apr-2013 17:30:59 CEST. It produced some log output.

The handling script generates some basic statistics and graphs here. Furthermore, it generates some maps of attack origins through Google's Chart API.

Script Usage

You are welcome to mimic this system and use our abuse complaint handling script for your own purposes. It is published under the terms and conditions of the Simplified BSD License.

However, we make no assumptions concerning the quality of the software. It is an ugly script that somehow "works for us". It may, in the best case, not work for you and, in the worst case, mess up your mailbox and send out tons of unsolicited mail. You have been warned.

As an additional note, please change the sender, reply-to and cc addresses should you use our script. We do not have to explain that ...



Copyright © 2011 Dominik George / Felix Falk
Published under the Creative Commons SA-BY 3.0 License.