In a effort to be proactive in doing my part to stop the massive quantities of internet traffic probing for open ports or more specifically the probing for known ports that ms/windows spy ware, Trojans, and what ever other ms/windows ports are commonly probed which result in increasing my bandwidth usage changes, I wrote this perl application for reporting that abuse to the senders ISP, with the hopes they will monitor the abuser and terminate the abuser's internet account.
This group of scripts are based on the log records created by the open source IPFILTER firewall. www.dshield.org has perl scripts that use the IPFW log file as source. The logic code for converting ipfw log records to the DShield record file format could be lifted from one of the www.dshield.org downloadable scripts and inserted in these scripts replacing the ipfilter log record conversion to DShield record format if a person wanted to do so.
This proactive abuse reporting system is comprised of 4 major process, all of which are based on ipfilter firewall log records.
1. abuse.ipflog.rotate.pl :: This script is executed from within the cron scheduling system. It checks to see if the ipfilter log file was rotated by the newsyslog command. If the ipfilter log file was rotated it launches the following scripts to process the log file creating abuse email reports containing the firewall log records.
2. abuse.dshield.pl :: This script reads the ipf log, drops log records based on the exclusion file, and creates an email containing all the remaining ipf log records which is sent to the global reporting site for abuse at www.dshield.com. The exclusion file contains only the IP address ranges used on your private LAN if you have any. <IE: Single email containing both public and your ISP abuse log records.>
3. abuse.myisp.pl :: This script reads the ipf log, drops all log records not contained in the exclusion file, and creates an email containing all the ipf log records from source IP address belonging to your ISP which is then emailed to your ISP's abuse department. The exclusion file contains only the IP address ranges owned by your ISP. <IE: Single email containing only your ISP abuse log records.>
4. abuse.public.ISP0.pl :: This script first executes the abuse.public.ISP1.pl script. It reads the ipf log, drops log records based on the exclusion file, and writes a file. Then this script sorts the source IP address into sequence, performs a whois command to harvest the abuse reporting email address of the ISP who owns the IP address range and then creates an email containing all the ipf log records for that offending source IP address which is then sent to the owning ISP reporting the probing abuse. The exclusion file contains only the IP address ranges used on your private LAN if you have any and the IP address range owned by your ISP.
<IE: Single email per each abusing source IP address containing it's log records is sent. This generates a lot of email. 99% of the abusive source IP address resolve to good owner ISP abuse reporting email address. RIPE and APNIC have merged their data into the whois.internic.org database which makes this possible. There are still some South America countries which have not as yet merged there data.>
6/1/2004 Author: Joe Barbish, I bequeath these perl scripts to public domain. It can be copied and distributed for free by anyone to anyone by any manner.
Please note that when each file download is complete 'CLICK ON THE CLOSE BUTTON' to return to this screen and complete the downloading of all the other files.
After completing the downloading of the files to your PC, go to the directory (IE: folder) on your PC where you saved them at and remove the trailing .Z file name suffix.
Download abuse.ipflog.rotate.pl Now
Download abuse.dshield.pl Now
Download abuse.myisp.pl Now
Download abuse.public.ISP0.pl Now
Download abuse.public.ISP1.pl Now
Download abuse.Reporting.system.pl Now