****************************************************************************** * WARNING!!! This is an automated message. All replies to this email will be * * seen by a real human. Please be sure to include this letter to your answer * ****************************************************************************** To Whom It May Concern: There are different stateful traps on an unused IP addresses within our networks to detect network scans (or a network attacks) carried to the Internet-wide or explicitly targetting our infrastructure. The IP address 80.85.242.58 has made a few connections to our TCP traps as provided in the logs section below. This means the host behind that IP address is either infected with a virus, participates in a botnet, or performs Internet-wide research. Whatever the reason is for this behaviour for IP address 80.85.242.58, we urge you to cease and desist this kind of activity. Otherwise this IP address will be blackholed for prolonged period of time within our networks. If you are a security researcher, please add the following ranges to your blacklist: - 88.218.206.0/24 - 2a09:b280:fe00::/48 Otherwise we insist that you and/or your end-user will take all necessary actions to avoid this in the future and to resolve the current issue. # Why your email address was added to the recipient list? Our automated toolset tries to lookup **validated** email addresses in the following way: Firstly, abuse mailboxes for both IP address and Autonomous System (AS) to ensure the deliverability of the complaint to an appropriate party. Secondly, if no abuse mailboxes were discovered, all emails from abuse contacts entities for both IP address and AS are used. Thirdly, if there is still no email addresses discovered, all discovered emails for both IP address and AS are used. Our interaction with RIR databases are done solely via Registration Data Access Protocol (RDAP) which is the machine-readable successor to WHOIS. As you can see at [1], RDAP is supported by all RIRs and thus is a reliable source of data. Please note that by validated email address we mean one that is not marked as invalid by RIR. For example, ARIN uses remark with a title "Unvalidated POC" to mark contact entity. Please be sure to fix this issue with them before blaiming us of using wrong contact details. # Notes Please note that you should get this message at most only a few minutes after the incident. For your reference, all provided timestamps are in Coordinated Universal Time (UTC). If you have any questions, please send them to us by responding to this email. Please be sure to include this letter in further correspondence to make it easy for us to assist you within the current case. # Logs ------------------------------------------------------------------------------- - Log of port scans verified by a TCP three-way handshake - ------------------------------------------------------------------------------- Timestamp SrcIP SrcPort DstIP DstPort 2023-09-08T02:02:37.937Z 80.85.242.58 60274 88.218.206.212 6379 2023-09-08T02:02:37.938Z 80.85.242.58 36124 88.218.206.223 6379 2023-09-08T02:02:37.934Z 80.85.242.58 55570 88.218.206.199 6379 2023-09-08T02:02:37.938Z 80.85.242.58 44972 88.218.206.205 6379 ------------------------------------------------------------------------------- # Links [1]: https://www.iana.org/assignments/as-numbers/as-numbers.txt Kind regards, Network department Skhron.COM.UA
