Mail ISPs Feature

[trentwiles]

Hey tbiens! I'm working on a mod that will look up the contact details for the IP address owner and write them an abuse email, something like:

(**AUTOMATED MESSAGE**)

Hello,

We have detected unusual traffic from your computer network. Please review the following logs from IP address xx.xx.xx.xx:


Unauthorized connection attempt detected from IP address xx.xx.xx.xx to port 445 [V]

Please scan your network for malware or contact the customer behind this IP address. Thank you and have a nice day.

Abuse Team

I'm not familiar with navigating the codebase, could you give me a hand in linking my script in with the rest of the project? Thanks!

[tbiens]

Hello RR,

An excellent idea to send the abuse emails. This is certainly a goal of mine so let's do it!

The thing I consider is how many emails would go out. The honeypots often get 10,000+ attacks a day, each. Can't really send an email for each attack. I do check already for LARG*feed if an IP has attacked more than once during the day. We could tap into that and maybe make it less, but rough estimate it could still be thousands of emails a day.

We could build summary daily emails, but now we're much worse off because we also need to introduce all that into memory. Unless I do this at LARG*feed and it solves all these problems together.

We also need to determine what the abuse emails are for each, the api seems to be straight forward. https://stat.ripe.net/docs/02.data-api/abuse-contact-finder.html

[trentwiles]

Thanks for the reply! I've done some testing with my own code and a lot of time the ISPs that attack don't have contact info set up (I'd say this happens around 30-40% of the time). I didn't know about the ripe API, thanks!

How do you set up a "mod" for this repo? I've been looking around in the code and haven't found out how to do it.

Also, I'm not very familiar with the RIPE API, is there any ratelimits?

[tbiens]

Thanks for the reply! I've done some testing with my own code and a lot of time the ISPs that attack don't have contact info set up (I'd say this happens around 30-40% of the time). I didn't know about the ripe API, thanks!

That's unfortunate. I would also imagine a good chunk of those who do have contact information is basically a blackhole anyway. Nobody will see or care about it.

How do you set up a "mod" for this repo? I've been looking around in the code and haven't found out how to do it.

Great question, nobody has ever wanted to 'mod' my project. Searching is difficult, its bringing up 'modules' and 'modulus'

Also, I'm not very familiar with the RIPE API, is there any ratelimits?

I dont know, never seen any limits but surely there are.

[trentwiles]

Sorry if I wasn't clear. By mod I just meant a module that I could add to the code, for example the abuseipdb mod you have here.

[tbiens]

Hey RR,

If you want to add a new module, put say 'newmodule.py' in the app folder.

Then wherever you're going to use it for example, you do

from app.newmodule import newfunction

then the function can be used.

[mindsolve]

Hi together,

may I suggest an alternative source for abuse addresses? Abusix provides the Abuse Contact DB, which you can query with any IP address, and it returns a fitting abuse address. This way you won't have to implement RDAP/WHOIS querying and parsing for every RIR.
See https://docs.abusix.com/abuse-contact-db/5BScLdS3SxHV1giQYpXpKm for details on the service and on how to use it.

I am not affiliated with Abusix, I am just working for an ISP successfully using them.

[trentwiles]

Oh wow, I checked it out and I quite like it. Do you know what the rate limiting on it is?

[tbiens]

I very much like the idea of https://github.com/abusix/querycontacts

I just connected to an icarus instance that has been going for months and it has been attacked over 2 million times. That's a ton of emails to be sending out.

I wonder if Canada's antispam laws allow me to send out these emails?

[mindsolve]

Regarding your questions, @tbiens:

That's a ton of emails to be sending out.

That's absolutely correct. But with relatively simple event aggregation (and afterwards temp. blocking), the amount should drastically decrease.
There is no need to send out messages for every single tried login. Instead for example collecting 5 failed logins per source IP, then sending a message for those events, then blocking that IP for 24h should be a handlable amount.

Big companies have automated systems with which they handle their abuse complaints and we should absolutely try and make it as simple as possible for them to react. I am myself working for an ISP, and we do not -at all- handle "manual" abuse messages, only those that are machine-readable (X-ARF or similar). I am sure that other big companies/ISPs handle this similarly.

I wonder if Canada's antispam laws allow me to send out these emails?

I am no expert in Canadian Law, nor law in general, but according to the online version of the antispam act that I found, a requirement is that the message must be commercial in character (emphasis added by me):

Meaning of commercial electronic message
(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
(a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
(b) offers to provide a business, investment or gaming opportunity;
(c) advertises or promotes anything referred to in paragraph (a) or (b); or
(d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.

Other commercial electronic message
(3) An electronic message that contains a request for consent to send a message described in subsection (2) is also considered to be a commercial electronic message.

If you don't add an advertisement for your favourite VPN provider or your IT security consultancy you should be in the green (again: no expert here!).

Best regards,
Felix