An Informal Analysis of One Site's Attempts to Contact Host Owners

Published: 25 Nov, 2001
Created by:
Laurie Zirkle

To contact? Or not to contact? It seems to be a question that periodically arises and creates a myriad of opinions. How do I find a contact for a site? Should I send a copy to the parent domain? What information should my e-mail contain? Should I call? How long should I go before I block the site? How many times should I see scans or probes from a particular site before attempting to contact someone? Why should I bother? Does anybody really care? What good might it do?

The Incidents mailing list hosted by SecurityFocus has had postings and (sometimes heated) discussions regarding whether or not host owners should be contacted. Some people hold the opinion that a port scan is nothing to be concerned about; others are very thankful that port scans from their site were reported. This paper will look at one system administrator's attempts to contact host owners of machines that scan or probe her network. After a brief discussion of various ways to identify possible contacts, this person's data will be used to show how different sites may respond and how probes have multiplied over a defined period of time. The paper concludes by mentioning two projects that might help the overburdened system/network/security administrator to simplify the whole process of contacting a host owner.