I would suggest to use recent information to file such a mail.
For me it looks like they are relying on stale information collected a long time ago.
whoever is hosting this stale information ...
you simply could query the live DNS and the RIPE whois server ...
I agree with Andreas ... they do not carry out professionality.
----- On 18 Feb 2020 at 9:08, Silvan M. Gebhardt gebhardt@openfactory.ch wrote:
So what I suspect happened is this
On 2/18/20 1:51 AM, Andreas Fink wrote:
> - The single IP address in the report is not in my network (I used to
> have that IP range in the past but I sold it in 2016. So long long ago. )

it might still be registered to you via shadowservers.org OR another org like this

> - The abuse email they sent the report to is not in the whois of that
> network.

it might be because it shows it to belong to you via shadowservers.org instead.

> - The DNS name used in the report is not the reverse PTR of that IP.
> Nor does the forward DNS point to that IP.
> 5. The DNS name points to a host in my network but that host is definitively not an IoT device which has any kind of default password. It's a solid Linux machine with an up to date distribution with 2 usernames only on it with very secure passwords and only one specific application running which doesn't talk to outside my network at all. If that machine would have gotten hacked, it would surprise me very much. At least I have found nothing unusual on that IP. No unexpected network activity, CPU load, processes etc.

it looks to me like there is something going wrong with shadowservers.org and any other report like this. seems they just forwarded it without fact checking, which, is kinda not their job either (would swamp them massively I guess)

so yeah, guess you'd have to ask which source the report came from?
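The checks the thread describes (does the hostname's forward DNS point at the reported IP, is that hostname the IP's reverse PTR, and is the address the report was sent to actually the abuse-mailbox RIPE publishes for that IP) can be scripted so that a received abuse report is sanity-checked against live data before anyone spends time on it. The script below is an added example written for this thread, not code posted by any of the participants. The lookup functions are injectable so the logic can be exercised offline; the IPs, hostnames and whois text in `demo()` are constructed sample values in documentation ranges, and the default lookups use plain `socket` calls and a raw RFC 3912 whois query against whois.ripe.net.

```python
import socket
from typing import Callable, List, Optional, Tuple

Finding = Tuple[str, str]  # (category, human-readable detail)


def ripe_whois(query: str, server: str = "whois.ripe.net") -> str:
    """Raw whois lookup over TCP/43 (RFC 3912); returns the server's text."""
    with socket.create_connection((server, 43), timeout=10) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def forward_lookup(hostname: str) -> List[str]:
    """All A/AAAA addresses the hostname currently resolves to."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def reverse_lookup(ip: str) -> Optional[str]:
    """Current PTR name of the IP, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def abuse_mailboxes(whois_text: str) -> List[str]:
    """Every 'abuse-mailbox:' value in RIPE-style whois output, lower-cased."""
    boxes = []
    for line in whois_text.splitlines():
        if line.lower().startswith("abuse-mailbox:"):
            boxes.append(line.split(":", 1)[1].strip().lower())
    return boxes


def check_report(ip: str, hostname: str, sent_to: str,
                 forward: Callable[[str], List[str]] = forward_lookup,
                 reverse: Callable[[str], Optional[str]] = reverse_lookup,
                 whois: Callable[[str], str] = ripe_whois) -> List[Finding]:
    """Compare the claims in an abuse report with live DNS and whois data.

    Returns one finding per inconsistency; an empty list means the report's
    IP, hostname and delivery address are mutually consistent right now.
    """
    findings: List[Finding] = []

    addrs = forward(hostname)
    if ip not in addrs:
        findings.append(("forward", f"{hostname} resolves to {addrs or 'nothing'}, not {ip}"))

    ptr = reverse(ip)
    if ptr is None:
        findings.append(("reverse", f"{ip} has no PTR record"))
    elif ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        findings.append(("reverse", f"PTR of {ip} is {ptr}, not {hostname}"))

    boxes = abuse_mailboxes(whois(ip))
    if sent_to.lower() not in boxes:
        findings.append(("abuse-contact", f"report sent to {sent_to}; RIPE lists {boxes or 'no abuse-mailbox'}"))

    return findings


def demo() -> List[Finding]:
    """Run the checks on constructed data that mirrors the thread's situation:
    stale IP, hostname pointing elsewhere, and a report sent to the wrong contact."""
    sample_forward = {"host.example.net": ["192.0.2.55"]}          # constructed
    sample_ptr = {"192.0.2.10": "other.example.org"}                # constructed
    sample_whois = ("inetnum:        192.0.2.0 - 192.0.2.255\n"      # constructed
                    "netname:        EXAMPLE-NET\n"
                    "abuse-mailbox:  abuse@example.org\n")
    return check_report(
        ip="192.0.2.10",
        hostname="host.example.net",
        sent_to="abuse@example.net",
        forward=lambda h: sample_forward.get(h, []),
        reverse=lambda i: sample_ptr.get(i),
        whois=lambda i: sample_whois,
    )


if __name__ == "__main__":
    for category, detail in demo():
        print(f"[{category}] {detail}")
```

Called with the defaults, `check_report(ip, hostname, sent_to)` performs live lookups; a non-empty result is the evidence to send back to whoever forwarded the report when asking which source it came from.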
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog