Thread: How do you handle client contact for network abuse/malware complaints etc.?

How do you handle client contact for network abuse/malware complaints etc.?
user name
2006-03-01 20:38:26

Hello
As a sort of addendum to the thread of "Quarantine your infected users spreading malware" I am curious how others handle contact to the users/clients for network security incidents.

The question I have is: when someone reports an incident to you about one of your clients (a user or server owner) possibly being infected, having an owned box being used for hacking into other servers or being used to spread malware, how much information do you send/forward on to that user/client to support your case?

Is it normal practice to simply forward on unaltered logs sent in by those complaining, or do you sanitize them a bit to protect the people notifying you? Do you even send them at all at first, or do you simply inform them that a complaint has been received?

In short, how much information do you pass on to support yourself, and when?

Thanks

Nicole Harrington



--
                     |\ __ /|   (`\            
                     | o_o  |__  ) )           
                    //      \\                 
  -  nmhdaemontech.com  -  Powered by FreeBSD  -
------------------------------------------------------
 "The term "daemons" is a Judeo-Christian pejorative.
 Such processes will now be known as "spiritual guides"
  - Politically Correct UNIX Page



How do you handle client contact for network abuse/malware complaints etc.?
user name
2006-03-01 23:11:38
On 3/1/06, Nicole Harrington <nmhdaemontech.com> wrote:
...
> In short, how much information do you pass on to support yourself and when.

We've found that a simple "we've received complaints about you and your machine. Go here (symantec, fsecure, windowsupdate, etc) and patch your machine." works pretty well. By and large, everyone replies back with "yeah, I was missing X, Y, and Z patches" or "I found such-and-such virus and disinfected it".

Maybe one in a few thousand asks for logs. When the user asks for logs, we're pretty forthcoming with them. They might just have the same info in their windows/norton/whatever logs already.

In short, we tell them they have a problem, give them the tools to fix it, and if asked will show them the complaint, but usually that buck stops with us.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

How do you handle client contact for network abuse/malware complaints etc.?
user name
2006-03-02 02:45:12
Nicole Harrington wrote:

> Hello
> As a sort of addendum to the thread of "Quarantine your infected users spreading malware" I am curious how others handle contact to the users/clients for network security incidents.
>
> The question I have is: when someone reports an incident to you about one of your clients (a user or server owner) possibly being infected, having an owned box being used for hacking into other servers or being used to spread malware, how much information do you send/forward on to that user/client to support your case?
>
> Is it normal practice to simply forward on unaltered logs sent in by those complaining, or do you sanitize them a bit to protect the people notifying you? Do you even send them at all at first, or do you simply inform them that a complaint has been received?
>
> In short, how much information do you pass on to support yourself, and when?
>
> Thanks
>
> Nicole Harrington
>
All depends on the client and if I think the abuse is intentional or not.

If the user knows what he/she is doing and I don't think they are being malicious then I will send them everything.

If I think they are doing it on purpose I send enough to prove my case and tell them to knock it off - before I knock it off for them (or after - depends on how much damage they are causing).

If they don't have a clue then sending them a bunch of information they won't understand is pointless. We either help them clean up the mess or refer them to someone who can.

-- 
Mark Radabaugh

Amplex
markamplex.net
419.837.5015

How do you handle client contact for network abuse/malware complaints etc.?
user name
2006-03-02 17:31:50
> All depends on the client and if I think the abuse is intentional or not.
>
> If the user knows what he/she is doing and I don't think they are being malicious then I will send them everything.
>
> If I think they are doing it on purpose I send enough to prove my case and tell them to knock it off - before I knock it off for them (or after - depends on how much damage they are causing).
>
> If they don't have a clue then sending them a bunch of information they won't understand is pointless. We either help them clean up the mess or refer them to someone who can.

Ditto here on all the above. Too often it falls under the latter category it seems. Since we're in the hosting/colo business, PHP web forms seem to be the vast majority of issues lately.

I'd love to know what cluebats or magic bullets are available for whacking this particular mole most effectively.



--chuck goolsbee
digital.forest



