Hi nanog, Some of you might have seen https://delroth.net/posts/spoofed-mass-scan-abuse/ circulating last week (it was also sent here in reply to someone who received abuse complaints from their ISP). The TL;DR is that some previously unknown company with a fancy looking domain name has started noticing the background noise on the internet and is sending automated abuse complaints to any owner of a source IP sending a SYN packet to port 22 on their network. They're not doing any filtering to try to prevent spoofed source addresses, and at this point there's plenty of evidence that they are seeing mostly spoofed src IPs, then sending abuse reports to a completely uninvolved owner of the IP. I've recently been in communication with that company. They sent me an email trying to get "advice" from me about how to not send abuse complaints to the whole internet, while ignoring the obvious answer of "don't mass send automated abuse complaints based on no evidence of abuse and no evidence of who sent you traffic". They're also making wild claims in their email to me, like, I quote, seeing "1.3 billion attacks logged in the past 24 hours". They're saying that they act on data sources like "we query the VirusTotal API for the source IP and it shows us it's infected with malware". If you're a NOC or someone handling abuse complaints for an ISP or a hosting provider, this is my plea to you: please send abuse reports from "watchdogcyberdefense.com" to your spam box until they understand 1. that a TCP SYN packet is spoofable; 2. that they're harming the internet through reducing trust in abuse complaints by sending so many false positives. I've myself had interactions with both Hetzner and Linode's abuse team, both of them have been top notch and understood what they're likely dealing with, but having to explain to every single ISP what's going on while sitting in the equivalent of an interrogation room threatened with a service suspension isn't a very comfortable situation. Thank you in advance, Best, -- Pierre Bourdon <delroth () gmail com> Software Engineer @ Zürich, Switzerland https://delroth.net/