http://www.arin.net/whois/arinwhois.html
cat post_scan_complaint.txt
Security matter - reply requested
[sent to end domain holder, and each relevant upstream]
(This email is directed to the domain owner Technical contact, as
listed at InterNIC, or its equivalent for your domain and for your
'upstream' providers, as we were able to find, and such other
'security' or 'abuse' related contacts apparent for your domain.)
Our reference: ORC-99031601 [XXXXXXXXX fix-up with current TT number]
1. We are being 'portscanned' from one of your dialups or hosts.
The attacked host offers no public telnet, anon. ftp, smtp, imap,
or pop3 services. An extract from our logfile is enclosed. All
times are Eastern US.
=====================
Extract from relevant host's system log:
(e.g.: grep sji /var/log/secure | tail -20)
=====================
Representative Probe Report, to attempt to identify offending
userid:
(paste probe advisory email here)
=====================
... There are several more such Probe Reports from our host
concerning attacks upon it.
2. This conduct (portscanning) is an unauthorized use of the
host, and contrary to Ohio law (where the host is located), and
federal (US) law; we do not want it to recur. Clearly, present
technology readily permits you, and also your upstream providers,
to identify and prevent extended TCP scanning without connection,
which is a 'signature' of portscanning outbound from a host
within your domain. Please take affirmative
steps to prevent recurrence of this situation [such as throttling
extended multi-host un-completed connection probing]; and confirm
to us by return email the general nature of those steps.
... We say this with some sadness, and lament the end of the
friendly internet; we however are mindful that "All that is
necessary for evil to triumph is for good men to do nothing."
--Edmund Burke
3. Please advise us by return email or paper mail of the 'Trouble
Ticket' number which you assign to this matter. Our paper mail
address may be obtained at InterNIC, or will be provided by us
directly upon email request.
4. Under the 'security' exception to the ECPA, please advise us
of identity information sufficient to contact the user within your
domain from which the probe emanated, such that we may track
repeated probes, and your disposition of this matter under that
trouble ticket. Please note our reference number in your reply.
(scancplt.txt)
(rev 990415)