Postmaster Guidelines and Procedures

abuse

General information
Most of the situations that arrive for the abuse@Virginia.edu address fall into one of a number of routine categories. The lead/abuse postmaster is responsible for providing responses to all messages addressed to abuse@virginia.edu.
Access to abuse messages
Abuse messages are processed from the uabuse account on list.mail.virginia.edu. The password for the uabuse account is usually identical to the upostmst password.
Standard responses

Standard responses for the abuse account can be found in the res directory on the uabuse account.

cd res

Virus Processing

When Lead/Abuse is swamped with virus reports, he or she can ask the postmaster or any of the other postmasters for assistance.

See Viri section of this guide for specific steps in recording/responding to virus incident reports.

Processing an abuse message
To better measure the Abuse workload and the number of incident reports we receive and handle:
  1. Each unique report/message involving an IP address should be entered as a separate entry in the log.
  2. Only one of those log entries should be used to track the contact, disconnect, and reconnect dates for a given IP/situation.

General Process:

  1. Read the message so that you know:
    • who sent the message
    • what concern is being expressed
    • where the concern originated
  2. Go to the web site at:

    http://www.itc.virginia.edu/~upostmst/abuseVirus/

  3. Login with the admin password. If you don't know the admin password, ask Trisha or Jayne.
  4. Search for the relevant IP address/customer ID to see if this is a new report or a continuation of a previous report.
  5. Add the incident details to database.
  6. Send reply to person making report. Many 'standard' responses are in the res directory on the uabuse account.
  7. Edit the Subject: line (the ~s escape in the mail program) to append the log number in square brackets, as in [uva04080001].
  8. Save the incoming message and the outgoing message to:

    abuse/yymm/mbox.dd

    to include the message in the archive.

  9. Make any additional followup as appropriate for the situation.
  10. If you are uncertain what to do, ask another postmaster, or write to abuse@Virginia.edu and ask for the advice of other members of the abuse team.

Remember:

Abuse is not a 1-hour response, though when possible a timely response is appropriate.

People writing to abuse have concerns, may be upset and need to be treated with courtesy and empathy.

Identifying Owners

Available tools for identifying an owner or contact person based on the IP address of a specific machine include:

  1. Previously recorded incidents found in the Abuse-Virus database for a given IP using the Search form.
  2. Faculty/Staff network device registration database:
    https://www.web.virginia.edu/microsys/register/admin/

    (login with your eservices account id, as in "eservices\mst3k" and your eservices password. Most members of the Desktop group should have access to this database)

  3. Using the command
    nbtstat -A ipaddress
    from a Windows command prompt, or
    nbtstat ipaddress
    from holmes.acc.virginia.edu, may provide clues as to the owner, department, or area in which a machine is located. This only works if the machine is online and answering NetBIOS name queries at the time the command is run; an offline or non-Windows machine simply reports "Host not found."
  4. Departmental areas for a given IP address range may also be found using the Networks by Area tool:
    https://odin.itc.virginia.edu/cgi-bin/switch_project/network_view.cgi

It is often helpful to use several or all of these tools when attempting to identify an owner or appropriate contact for a particular machine.
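The nbtstat output is terse and easy to misread, so as an added example (not a tool from this guide) the following Python reads the owner clues out of it: the <00> UNIQUE entry is the machine name, the <00> GROUP entry is its domain or workgroup, and the <03> UNIQUE entries are Messenger-service names, which include the account name of each logged-on user. The sample output is constructed, not a real capture; the host name ENGR-LAB07, workgroup ENGINEERING, user MST3K, address and MAC are made up.

```python
import re

# Constructed sample of `nbtstat -A <ipaddress>` output; names, address and MAC are made up.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.0.2.19] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ENGR-LAB07     <00>  UNIQUE      Registered
    ENGINEERING    <00>  GROUP       Registered
    ENGR-LAB07     <20>  UNIQUE      Registered
    ENGINEERING    <1E>  GROUP       Registered
    ENGR-LAB07     <03>  UNIQUE      Registered
    MST3K          <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

# What nbtstat prints when the machine is offline or not answering NetBIOS name queries.
SAMPLE_OFFLINE = "Host not found.\n"

# One name-table row: NAME <hex suffix> UNIQUE|GROUP Status
ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Pull owner clues out of nbtstat -A output.

    <00> UNIQUE  workstation (machine) name
    <00> GROUP   domain or workgroup the machine belongs to
    <03> UNIQUE  Messenger service names: the machine name plus each logged-on user
    """
    hostname = workgroup = mac = None
    messenger = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            if status != "Registered":
                continue  # ignore conflicting or deregistering names
            suffix = suffix.upper()
            if suffix == "00" and kind == "UNIQUE" and hostname is None:
                hostname = name
            elif suffix == "00" and kind == "GROUP" and workgroup is None:
                workgroup = name
            elif suffix == "03" and kind == "UNIQUE":
                messenger.append(name)
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    # The machine registers its own name with suffix <03>; whatever is left is a user.
    users = [n for n in messenger if n != hostname]
    return {"hostname": hostname, "workgroup": workgroup, "users": users, "mac": mac}


if __name__ == "__main__":
    print(parse_nbtstat(SAMPLE_NBTSTAT))
    print(parse_nbtstat(SAMPLE_OFFLINE))
```

A user name from the <03> entry is a clue, not proof: Messenger names are registered when someone logs on and can linger after they log off, so confirm the owner through the registration database or vassist before acting on it.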

When it is not possible to definitively identify a machine owner or contact, but a departmental area is indicated using one of the above tools, it may be possible to determine who to contact by consulting the following resources:

A message may also be sent to vassist@virginia.edu to request an owner ID. Such a request will be automatically generated by the "black box" for most abuse incidents when submitting a new record where the Owner ID field is left blank.

The Networks group also has the ability to identify owners of machines located in the dorms via the Student Network Device Registration database. This tool is not currently accessible by the Postmaster team for identifying machine owners by IP address.

When an owner or contact email ID is entered in the Owner ID field of either the New Record or Update Record forms and submitted, the Black Box will:

  • generate a contact date of the current date if a date has not been added by the person entering the data for the incident being recorded;
  • generate a generic message for inclusion in a notice to the owner or contact based on how the incident is categorized.
Disconnects
The Abuse-Virus Log program will auto-generate a report to uabuse@virginia.edu (and postmaster@virginia.edu) each morning around 8:30 a.m. indicating which machines in the database (with associated logNumbers) are due for disconnection.

The listed items in the report should be the same as those appearing on the Contacted page in the Abuse-Virus Log.

  1. Lead-Abuse should verify the entries in the report and send a message to vassist@virginia.edu requesting that Networks block the machine(s) in the report.

    *Please check the Contacted page in the Abuse-Virus log to review the comments for these cases to see if any items listed in the report should NOT be forwarded to vassist and remove these items from the list that is sent to vassist for disconnection.

    Important: the logNumber entries appearing on the Contacted page are the ones that should be updated with disconnect and/or resolution dates to avoid duplication of records for the same IP/situation in the disconnect table of the database!

    **Sometimes it is helpful to check Remedy to see if any of the owner IDs in the report have an existing case for the reported problem that is marked as Resolved. If so, these items should probably be removed from the list that is sent to vassist, as well. Some followup with the owner or Help Desk staff may be needed to confirm that the infected computer has indeed been secured. In these cases, Lead-Abuse should find the associated log entry on the Contacted page and enter a Resolution date for that record.
  2. Include as the Subject: Disconnections Needed (or something to that effect).
  3. When Networks blocks the machine(s), they will enter the current date into the Disconnect field of the Abuse-Virus Log.

    This action will generate two automated messages, to a) the Help Desk and vassist@virginia.edu and b) the owner/contact (if available), stating that the machine has been disconnected from the network pending disinfection or rebuild.
  4. Save the auto-generated report and related correspondence to abuse/yymm/mbox.dd and delete from the Inbox.
Resolutions
Disconnected machine process:

If a machine is currently disconnected, a record for it will appear in the Disconnects page and the Help Desk Disconnections page of the Abuse-Virus log showing a current disconnection.

When we receive a report from the owner of the compromise/infected machine, or from the Help Desk on behalf of the owner of the machine, that the machine has been secured:

  1. Send a message to vassist@virginia.edu notifying them that the machine may be reconnected.

    Be sure to provide the Log Number under which a given situation is being Tracked so that the "right" record will be updated! This can be determined by checking the Disconnects page.
  2. When Networks unblocks the machine(s), they will enter the current date into the Resolution field of the Abuse-Virus Log.

    This action will generate two automated messages to a) the Help Desk and vassist@virginia.edu and b) the owner/contact that the machine has been reconnected.

Not-disconnected machine process:

If an owner/contact has been notified about a problem with their machine and it has not yet been disconnected, a "contact" record should be listed in the Contacted page of the Abuse-Virus log.

  1. When an owner/contact person responds that they have disinfected and/or secured their machine, update the associated record found on the Contacted page to enter a Resolution date for that record.
HSCS Port Blocking
If you ever need HS/CS to shut down a port because of an attack, here are the ways to contact Networks:

1. Call the HS/CS helpdesk at 4-5334 and tell them you need to contact the HS/CS network on-call. The helpdesk is staffed 24/7 and a network person is always on call.
2. If you don't get a response you can call me: Mark Monroe, cell 760-4095, work 4-2443, home 985-4107, pager 972-4646.

Mass Resolution

At the end of each spring semester, Networks will remove blocks on dorm IP addresses. To perform a mass resolution of the records in the abuseVirus database when the blocks are removed, simply browse to:

http://www.itc.virginia.edu/~upostmst/abuseVirus/massUpdate.phtml

The script will resolve all outstanding disconnected incidents involving 199.111 IP addresses and add a comment to the record indicating that resolution was due to end of year cleanup. The current date will be added as the Resolution Date.

No notice to the machine owner will be generated when using this script.

To view the source code, see:

http://www.itc.virginia.edu/~upostmst/abuseVirus/massUpdateSrc.phtml
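The bookkeeping described under Processing an abuse message, Disconnects and Mass Resolution can be modelled in a few small functions, which makes the rules easier to check than reading them off the web forms. The following Python is an added example, not the abuseVirus database or its massUpdate script. The Incident field names, the three-day grace period before a contacted machine appears on the morning disconnect report, and the reading of the four digits after uvaYYMM as a per-month sequence are all assumptions made for the example; the sample records, owner IDs and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Dorm address space named in the Mass Resolution section (199.111.x.x).
DORM_NET = ipaddress.ip_network("199.111.0.0/16")

# Assumption: a contacted machine goes on the morning disconnect report after this many days.
GRACE_DAYS = 3


@dataclass
class Incident:
    """One Abuse-Virus log record (field names are assumptions, not the database schema)."""
    log_number: str
    ip: str
    owner_id: Optional[str] = None
    contact_date: Optional[date] = None
    disconnect_date: Optional[date] = None
    resolution_date: Optional[date] = None
    comments: List[str] = field(default_factory=list)


def _as_date(d):
    """Accept a date or an ISO string such as a form field would carry."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def next_log_number(records, today):
    """uvaYYMMNNNN, as in uva04080001. Assumption: NNNN is a per-month sequence."""
    prefix = "uva" + _as_date(today).strftime("%y%m")
    used = [int(r.log_number[len(prefix):]) for r in records if r.log_number.startswith(prefix)]
    return "%s%04d" % (prefix, max(used) + 1 if used else 1)


def due_for_disconnect(records, today, grace_days=GRACE_DAYS):
    """The 8:30 a.m. report: contacted, grace period elapsed, not yet disconnected or resolved."""
    today = _as_date(today)
    return [
        r for r in records
        if r.contact_date is not None
        and r.disconnect_date is None
        and r.resolution_date is None
        and today - r.contact_date >= timedelta(days=grace_days)
    ]


def mass_resolve(records, today, network=DORM_NET):
    """End-of-year cleanup: resolve every outstanding disconnect inside `network`.

    Records already resolved, never disconnected, or outside the dorm range are left
    alone, and no owner notice is produced (as the page says of the real script).
    """
    today = _as_date(today)
    resolved = []
    for r in records:
        if r.disconnect_date is None or r.resolution_date is not None:
            continue
        if ipaddress.ip_address(r.ip) not in network:
            continue
        r.resolution_date = today
        r.comments.append("Resolved by end-of-year dorm block cleanup on " + today.isoformat())
        resolved.append(r.log_number)
    return resolved


def sample_records():
    """Constructed log entries for the example; owner IDs and addresses are made up."""
    d = date
    return [
        Incident("uva04080001", "199.111.10.5", "mst3k", d(2004, 8, 10), d(2004, 8, 13)),
        Incident("uva04080002", "199.111.20.7", "abc2d", d(2004, 8, 11), d(2004, 8, 14), d(2004, 8, 15)),
        Incident("uva04080003", "199.111.3.3", None, d(2004, 8, 11)),
        Incident("uva04080004", "199.111.8.8", None, d(2004, 8, 14)),
        Incident("uva04070009", "192.0.2.44", "xyz9z", d(2004, 7, 20), d(2004, 7, 22)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print(next_log_number(recs, "2004-08-15"))                                  # uva04080005
    print([r.log_number for r in due_for_disconnect(recs, "2004-08-15")])       # ['uva04080003']
    print(mass_resolve(recs, "2005-05-20"))                                     # ['uva04080001']
```

Running mass_resolve a second time returns nothing, because the records it touched now carry a Resolution date; that idempotence is what keeps a repeated visit to the massUpdate page from stamping the same incident twice.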

Central Systems Abuse Issues

When reports are received about abuse issues involving central University systems, such as Financial Services, ISDS, etc., we must contact Shirley Payne or Brian Davis by phone before responding to reports or initiating investigations.

Contact information for Shirley Payne:

Phone: 924-4165
Email: scp8b@Virginia.EDU

Contact information for Brian Davis:

Phone: 243-8707
Email: bd2m@Virginia.EDU
