Fail2ban blocked 1087 ip addresses in the last week, which seems normal.

I reset it and it has blocked eleven ip addresses in the last hour, mainly China and Digital Ocean as usual.

Just to see what happens, I've tried sending abuse reports about ssh brute force, vnc brute force and phishing sites, by the standard method of doing a whois lookup on the ip for the abuse email address.

Some server and web hosting companies take the inconvenient approach of having an email auto-reply that says "we ignore all emailed abuse reports, you must use this web form", sometimes requiring a captcha.

When I reported a load of boxes attempting brute force logins, most complaints disappeared into the void.

I got a few responses from virtual server providers saying "no response from the customer after two weeks so we shut down the box" and one CC:ed email that appeared to be from an end user saying "we have reinstalled the box and changed the password."

Honestly, I don't understand why people make reporting abuse so hard/labour-intensive.

It is trivial to record netflow data (and most networks do that already), and then verify incoming abuse reports against those records.
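A sketch of the check described in the comment above, added here as an example and not code from anyone in the thread: a provider matches an incoming abuse report against its own flow records before acting. The record layout, the names, the clock-skew window and the flow threshold are all assumptions, and the addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:                # simplified flow record (assumed layout, not a real export format)
    start: datetime
    src: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class AbuseReport:         # the fields a usable report has to carry
    reported_ip: str       # customer address accused of the attack
    victim_ip: str
    port: int
    seen_at: datetime

OUR_NETWORK = ip_network("198.51.100.0/24")   # constructed provider range
CLOCK_SKEW = timedelta(minutes=10)            # tolerance for the reporter's clock

def verify_report(report, flows, min_flows=5):
    """Return (verdict, matching flows) for one abuse report."""
    accused = ip_address(report.reported_ip)
    if accused not in OUR_NETWORK:
        return "not-our-address", []
    lo, hi = report.seen_at - CLOCK_SKEW, report.seen_at + CLOCK_SKEW
    hits = [f for f in flows
            if ip_address(f.src) == accused
            and ip_address(f.dst) == ip_address(report.victim_ip)
            and f.dst_port == report.port
            and lo <= f.start <= hi]
    if len(hits) >= min_flows:
        return "confirmed", hits      # repeated connections: consistent with brute force
    return ("weak-match" if hits else "no-match"), hits

def sample_flows():
    """Constructed flows: six SSH connections from one customer, one unrelated HTTPS flow."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ssh = [Flow(t0 + timedelta(minutes=i), "198.51.100.23", "203.0.113.7", 22)
           for i in range(6)]
    return t0, ssh + [Flow(t0, "198.51.100.40", "203.0.113.7", 443)]

if __name__ == "__main__":
    t0, flows = sample_flows()
    report = AbuseReport("198.51.100.23", "203.0.113.7", 22, t0 + timedelta(minutes=3))
    verdict, hits = verify_report(report, flows)
    print(verdict, len(hits))
```
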

Is there a chance of forming some kind of a community fail2ban blocklist? I guess trusting the contributors and admins is the hard part here and that’s why spam lists are a double-edged sword?

The CrowdSec folks have something similar to that:

https://crowdsec.net/
https://github.com/crowdsecurity/crowdsec