how should we handle abuse?

Postby zoli » Wed Mar 23, 2005 9:02 pm

polarhome line was cut off again... a Romanian "user" spoofed the eBay login screen on his homepage. SongNetworks warned polarhome that it was the last abuse incident from polarhome - next time they will break the contract. We will lose our main ADSL line.

It seems mostly the HTTP service is abused: spoofs, illegal and pirate software, etc.

Do you have any idea how we could continue "as open as possible" and not close the HTTP service for unregistered (FTP account) users?

To be honest, I do not have any good idea, but we need to find some solution, otherwise it will be the end of a very stable period.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Posts: 756
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby afonic » Wed Mar 23, 2005 10:53 pm

Well, tbh I can't think of a good idea; besides, I think it's impossible to have someone check all the pages a user has in his public_html folder.

Maybe we need to take other forms of action, for example towards the ISP. I mean you have a free host, why are you responsible for a stupid user using it to create a fake eBay login page and then send some phishing emails? Can't they understand this simple thing?

Something you could do is make the abuse@polarhome.com email readable for some more people and then give them access to remove this material.
For example, if me, Denis, sjaz and Matej could read it and had some way of deleting users (you could create a simple userdel script; we could add the username, some password for security, and delete the users), the time to find and remove a user like that would be just a few hours after we get the abuse report.
afonic
Forum Admin
Posts: 685
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby DenisF » Thu Mar 24, 2005 1:25 am

That's the problem - it's not us that get the abuse report, but the ISP.

If polarhome would run a RAID array of 10k rpm drives I would suggest adding a cron script that will cat all .php files in all user dirs and look for 'ebay' or 'hotmail' or whatever [u get the idea] and if a match is found - delete the username.

But then again.. no 10k rpm drives here :(
DenisF
Forum Admin
Posts: 679
Joined: Mon Dec 16, 2002 9:09 pm
Location: Israhell

Postby afonic » Thu Mar 24, 2005 4:30 am

Maybe we should add abuse email in the WHOIS then?


/Edit
Oh and btw, I don't think a fake ebay login php script has to include the word ebay.
afonic
Forum Admin
Posts: 685
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby zoli » Thu Mar 24, 2005 8:52 am

Exactly... the problem is that eBay and others do not send abuse reports to abuse@polarhome.com (which acts quite fast) but directly to the ISP, and they just cut the line and log the incident.

Like this we get a quite long incident log and an unstable line.

I do not want to lose this ISP. There are not so many ISPs that provide a fixed IP address with all ports open. polarhome's other line is fast, nice and open, but the IP address changes with every connection (PPPoE).

After one night and a few glasses of wine I think that I will do the following:
- keep DNS on the fixed IP
- load balance outgoing traffic on both uplinks
- incoming www.polarhome.com will not be load balanced. Direct access goes through the fixed line (serving www.polarhome.com)
- forwarded traffic goes through the PPPoE line, whose IP address is handled with DNS
- add two MX records in order to get mail even if one line is down

Because webspace is the most abused, with this method we move the affected traffic over to a so far clean account.

It will be abused also, for sure (it is impossible to have control over that) - but we gain two years to get rich and buy a leased line :)

Do you have any idea what angelfire, yahoo and other free web space providers do?

Or we can leave it as it is and webspace will be open just for shell users. All other users will get just e-mail access.

Opinions?

BTW what happened with chaz's IRC server on Solaris?
If nothing else, I used it for tests; it would be nice to get it back.

Also... there exist COPS scripts on Red Hat to delete and control user processes and homes - but they have not been used since shell access requires extra registration - users respect their accounts more and there is no need any more for such actions.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Posts: 756
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby Matej » Thu Mar 24, 2005 11:55 pm

Oh... there is another line? Well, if it's capable enough then your idea seems to be the best solution. But you still should find a way to make users feel that they are being watched over. Perhaps randomly pick sites and do a little inspecting from time to time (basically what afonic suggested).

zoli wrote:Do you have any idea what angelfire, yahoo and other free web space providers do?

Well, they have leased lines, so the abuse reports probably go directly to their administrators, who then ban/remove/report the users.
Even if the reports go to the ISPs of those providers they probably care more about those companies (money makes the world go round) than Song does about polarhome.
Matej
Forum Admin
Posts: 365
Joined: Sun Sep 29, 2002 12:28 am
Location: Ljubljana, Slovenia

Postby sjaz » Fri Mar 25, 2005 12:44 pm

I've started a fulltime job and have very little time. You're welcome to have it back Z :)
sjaz
Forum Admin
Posts: 689
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

ABUSE

Postby jagar_freebsd » Wed Mar 30, 2005 6:21 am

The registration process is very easy, which helps to flood the hda. So it's hard to know which ones are going to be used for good.
So, make the registration harder, or better yet give the mods account-approving privileges.
I mean accounts can be handled by people (in this case Dear Mods :))

PS:
People vs People
Machines vs Machines
>>>Laugh<<< is a life energy.
jagar_freebsd
Advanced Member
Posts: 58
Joined: Mon Nov 24, 2003 4:40 am
Location: Missouri, US

Postby sjaz » Wed Mar 30, 2005 10:37 pm

Perhaps limit how many people per month can have ftp accounts or whatnot ..

Maybe ask people what they want to do with their accounts in advance.
sjaz
Forum Admin
Posts: 689
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby zoli » Thu Mar 31, 2005 11:39 am

lol ... you must be kidding.
Should I ask: do you plan to abuse your account?
A. yes or no - if yes is chosen, account creation is denied.

It is very rare that a shell account is abused where COPS could act - from another side, statistics point out that Romania, Lithuania, Brazil and Vietnam are those countries that most harm polarhome...
I think I will create a script that will scan the content of those accounts after creation for some period (maybe a few months).

If nothing suspicious happens during this period the account will become a normal, non-scanned polarhome account (even if the owner is Romanian); otherwise - userdel -r without any warning.

BTW sorry for mistakes - I have 39 degrees C now and I am not going to correct any misspellings, typos etc.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Posts: 756
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby Matej » Thu Mar 31, 2005 3:47 pm

Don't worry. We can understand you perfectly.
I think it'll be a bit unfair to scan just those countries (and it's not even hard to enter another country, is it?). Rather use it for every user.

Hope you'll get better soon.
Matej
Forum Admin
Posts: 365
Joined: Sun Sep 29, 2002 12:28 am
Location: Ljubljana, Slovenia

Postby Matej » Tue Apr 19, 2005 3:55 pm

Seems it's time for some more drastic measures. :(

Polarhome lost the static IP, all i-lines and other benefits that we've worked so hard to get. Sad.
Matej
Forum Admin
Posts: 365
Joined: Sun Sep 29, 2002 12:28 am
Location: Ljubljana, Slovenia

Postby afonic » Tue Apr 19, 2005 7:02 pm

Not just sad, exasperating.

WTF, why would you want to spread viruses on the internet? Why do people like even get born...

zoli, how much would a leased line cost per month?
afonic
Forum Admin
Posts: 685
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby miker_alpha » Wed Apr 20, 2005 10:55 am

From the point of view of a definitely *non*-expert in these matters:
Would it help if new users / FTP accounts / whatever categories were limited to certain file types? Say any text files, gifs and jpegs? Or am I talking rubbish?

MikeR
Look for OpenVMS help on my webpage
Check for QOTD here.
miker_alpha
Moderator
Posts: 256
Joined: Sat May 08, 2004 9:20 am
Location: Kibbutz Tzora, Israel

Postby sjaz » Wed Apr 20, 2005 4:48 pm

Sounds pretty good to me.
sjaz
Forum Admin
Posts: 689
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby zoli » Fri Apr 22, 2005 12:20 am

Mike,

it is a very good idea, but very hard to realize...
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Posts: 756
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby amec » Sat Jul 30, 2005 10:08 pm

miker_alpha wrote:From the point of view of a definitely *non*-expert in these matters:
Would it help if new users / FTP accounts / whatever categories were limited to certain file types? Say any text files, gifs and jpegs? Or am I talking rubbish?

MikeR


Could work, but unfortunately any file can be renamed to a valid file...
I've climbed the mountains high
And walked among the clouds
amec
Moderator
Posts: 8
Joined: Sat Jul 30, 2005 9:41 pm
Location: here and there

Re: how should we handle abuse?

Postby amec » Sat Jul 30, 2005 10:13 pm

zoli wrote:polarhome line was cut off again... a Romanian "user" spoofed the eBay login screen on his homepage. SongNetworks warned polarhome that it was the last abuse incident from polarhome - next time they will break the contract. We will lose our main ADSL line.


For the Romanian users, if you have his IP address from Romania, you can contact the ISP and also some of the local authorities, and they might be able to catch the little bastard. Unfortunately things are moving way too slow over here, and because of these guys the honest users are cut off from the possibility of ordering some goodies from the internet.
I've climbed the mountains high
And walked among the clouds
amec
Moderator
Posts: 8
Joined: Sat Jul 30, 2005 9:41 pm
Location: here and there

Postby miker_alpha » Sun Jul 31, 2005 7:36 am

About file types:
Besides the actual file type in the directory, most useful files contain "magic numbers" - I know .JPEG and .JPG files do; HTML (or .HTM) files must have "<HTML>" in the first few lines and "</html>" near the end (ignoring case differences...). Text files should not contain non-alphanumerics etc...

Again WRT OpenVMS (Alpha & VAX) - it would make a cute programming exercise to write something to winnow files. I might even do that in my copious free time. :D

MikeR
Look for OpenVMS help on my webpage
Check for QOTD here.
miker_alpha
Moderator
Posts: 256
Joined: Sat May 08, 2004 9:20 am
Location: Kibbutz Tzora, Israel

Postby amec » Sun Jul 31, 2005 8:22 am

Yup, that's true. Most file types contain some header info. But for this, you should validate the files based on the header and not on a string that usually can be found in the file. Another thing would be to look in HTML files to be sure that they do not contain parts encoded and which are decoded upon accessing them (via a jscript or something similar), maybe forcing the poor visitor to execute some nasty code.
I've climbed the mountains high
And walked among the clouds
amec
Moderator
Posts: 8
Joined: Sat Jul 30, 2005 9:41 pm
Location: here and there
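A content checker along the lines of the last two posts (miker_alpha's magic-number idea and amec's point that the verdict must come from the header, not from the filename or a string that happens to be inside), as an added example that is not code from this thread or from polarhome. The JPEG and GIF signatures are real; the HTML and text rules are the heuristics stated in the thread, the "flag inline script for review" step is amec's suggestion, and every sample file is constructed.

```python
import os
import re
import string

# Real file signatures per claimed extension (JPEG SOI marker, GIF header).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PRINTABLE = set(string.printable.encode())
# HTML with inline or encoded script is not rejected outright, only flagged.
SCRIPT_RE = re.compile(rb"<script\b|javascript:", re.IGNORECASE)


def classify(name, data):
    """Return ('ok' | 'review' | 'reject', reason), judging the file by its
    contents rather than by the name it was uploaded under."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        if data.startswith(MAGIC[ext]):
            return "ok", "signature matches extension"
        return "reject", "content does not match claimed %s" % ext
    if ext in (".htm", ".html"):
        head = b"\n".join(data.splitlines()[:5]).lower()   # first few lines
        tail = data[-64:].lower()                            # near the end
        if b"<html" not in head or b"</html>" not in tail:
            return "reject", "missing <html> near start or </html> near end"
        if SCRIPT_RE.search(data):
            return "review", "inline script present, needs a manual look"
        return "ok", "looks like plain HTML"
    if ext == ".txt":
        if all(b in PRINTABLE for b in data):
            return "ok", "printable text only"
        return "reject", "binary content in a .txt file"
    return "reject", "extension not on the allow-list"


# Constructed samples (not from the thread), one per branch above.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "anim.gif": b"GIF89a\x01\x00\x01\x00",
    "index.html": b"<HTML><body>hello</body></HTML>\n",
    "login.html": b"<html><script>eval(atob('...'))</script></html>",
    "notes.txt": b"plain text only\n",
    "cute.jpg": b"<?php echo 'renamed script'; ?>",   # renamed, as amec warned
    "setup.exe": b"MZ\x90\x00",
}


def scan(samples=SAMPLES):
    """Map each sample name to its verdict (a cron job would walk public_html)."""
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = classify(name, data)
        print("%-12s %-7s %s" % (name, verdict, why))
```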
