Automatically send email to network abuse/admin after blocking
Posted: 17 Nov 2008, 11:02
I would like to get opinions and ideas about automatically sending an email to the network abuse (or other) email address of the owner of every IP number that attempts to hack into my system. I get a lot of SSH login failures, a fair number of rejected TCP SYN messages, and some port scanning activity. The hacking activity comes from all over the world. After looking up the network information on each IP and sending a message manually, I realized that automation would be preferable.
What would be the problems with this approach? Yes, I know that the specific machine might be hijacked, but if the clueless machine owner needs my message (delivered through his network) to realize that a machine cleanup is needed, that sounds good to me. The cleanup has to start somewhere.
Is it likely that such messages would prove to be false positives and therefore annoying to network admins?
Thanks for all suggestions.
PS I have a program that does this, running off the new block_report output of lfd, but I do not want to rush to deployment without some input.