Sunday, June 27, 2021

Abuse emails - how would you prefer to receive them?

Hi all,

I'm working on a simple script that will log connection attempts to a honeypot and then email the abuse email associated with the IP address. This is very much a side/hobby project, but I would eventually like to deploy this once it's ready, and I was hoping to get some feedback from netadmins on what they prefer to see for these types of emails.

Currently my script checks the previous 24 hours and generates an email, something like this:

Dear Admin,

The following IP addresses have been logged attempting to access a honeypot hosted on 0.0.0.0:

TIME | SOURCE | SOURCE PORT

1.1.20 5:00 | 0.0.0.0 | 6969

1.1.20 5:00 | 0.0.0.0 | 6969

1.1.20 5:00 | 0.0.0.0 | 6969

1.1.20 5:00 | 0.0.0.0 | 6969

1.1.20 5:00 | 0.0.0.0 | 6969

Regards,

Greb88

My questions are:

Is this enough information for you? Anything else you would like to see?

Is 24 hours too frequent? I want to avoid sending an overwhelming amount of emails to one address which will result in the email just being blocked.

Obviously the vast majority of attempts I see are made from providers/countries where I don't think there is any point in sending an email because no action will be taken. Any ideas for how I can filter my data for admins who are likely to care/take action? I would like to limit the amount of emails I am sending out each day.
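The 24-hour batching described in the post, as an added example that is not part of the original post or the author's script: it groups logged attempts by abuse contact so each address receives at most one digest per run. The log layout, the `build_digests` function, the sample addresses and the use of UTC timestamps are assumptions of this example, and the abuse contact for each IP is assumed to have been looked up already.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Constructed sample log: (ISO timestamp, source IP, source port, abuse contact).
# IPs are documentation ranges (RFC 5737); contacts are hypothetical and assumed
# to have been resolved by an earlier lookup step.
SAMPLE_LOG = [
    ("2021-06-26T05:00:12+00:00", "192.0.2.10", 40122, "abuse@isp-a.example"),
    ("2021-06-26T05:00:40+00:00", "192.0.2.10", 40123, "abuse@isp-a.example"),
    ("2021-06-26T17:31:05+00:00", "203.0.113.7", 51515, "abuse@isp-b.example"),
    ("2021-06-25T03:00:00+00:00", "192.0.2.99", 6969, "abuse@isp-a.example"),
]

def build_digests(log, now, honeypot_ip, sender, window=timedelta(hours=24)):
    """Return {contact: EmailMessage}, one digest per contact for the window."""
    cutoff = now - window
    by_contact = defaultdict(list)
    for ts, src, port, contact in log:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        if cutoff < when <= now:          # drop anything outside the window
            by_contact[contact].append((when, src, port))

    digests = {}
    for contact, hits in by_contact.items():
        hits.sort()                       # chronological order
        rows = "\n".join(
            f"{w:%Y-%m-%d %H:%M:%S} UTC | {s} | {p}" for w, s, p in hits
        )
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = contact
        msg["Subject"] = f"{len(hits)} honeypot connection attempts logged"
        msg.set_content(
            "Dear Admin,\n\n"
            "The following IP addresses have been logged attempting to access\n"
            f"a honeypot hosted on {honeypot_ip}:\n\n"
            "TIME | SOURCE | SOURCE PORT\n"
            f"{rows}\n\nRegards,\n"
        )
        digests[contact] = msg
    return digests

if __name__ == "__main__":
    now = datetime(2021, 6, 27, 0, 0, tzinfo=timezone.utc)
    out = build_digests(SAMPLE_LOG, now, "198.51.100.5", "honeypot@example.org")
    for msg in out.values():
        print(msg, "\n" + "-" * 40)
```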


