Abuse Service

+Open all -Close all
Font size
A
A
A
Dyslexia
Contrast
Reset

The CARNET Abuse Service receives and processes reports concerning computer security incidents and the abuse of CARNET resources.

Abuse Service

Every Internet Service Provider has its Abuse Service. Abuse Service deals with the receipt and processing of incidents involving the end-users of Internet Service Providers (ISP) to which the Abuse Service belongs.

CARNET’s Abuse Service aims to receive and process incidents related to computer security incidents and misuse of CARNET resources such as:

  • spam
  • copyright infringement
  • attempted unauthorized access
  • unauthorized access
  • malware
  • DoS
  • commercial use
  • netiquette.

 

Users

pupils
students
parents
CARNET system engineers
e-Citizens
schools
ministries
teachers
professors
scientists
other AAI@EduHr users
public
faculties and colleges
other public institutions

How to Become a User

Abuse service user becomes each individual who uses the Internet connection service, upon opening an electronic identity in the AAI@EduHr system, based on which the authentication and user authorization process is performed. Abuse service users are also all members of CARNET network.

Questions and Answers

What is the CARNET Abuse service?

The CARNET Abuse service collects and processes applications related to computer security incidents and the misuse of CARNET resources.

Who are the users of the CARNET Abuse Service?

The CARNET Abuse service users are all persons reporting an incident or a violation of acceptable online behaviour committed by a CARNET user. The applicant itself does not have to be a CARNET user.

What are the basic principles of the CARNET Abuse Service?

The basic starting point for each action is the fact stated in the received report of the incident. The Abuse Service accurately and precisely examines the available data for taking further steps. Each submission is classified according to the specified division of the incidents. If the Service receives a report indicating a number of potential offenses, the first to be processed is the one assessed as the most serious. The Service respects the privacy of the user and the data is processed in the manner described in the rules of the Service. The Service sends data to third persons solely based on the court order or at the request of the police during the investigation procedure. All correspondence is archived.

How to contact the CARNET Abuse Service?

You can contact the CARNET Abuse Service by e-mail at abuse@carnet.hr or by phone at +385 1 6661 655.

Computer incidents are sent via e-mail only to abuse@carnet.hr. 

The working hours of the CARNET Abuse Service are from 9 am to 4 pm.

How does CARNET collect traffic data of its users?

By the Electronic Communications Act, CARNET as an Internet Service Provider has the obligation to retain data related to customer connections to the Internet. Accordingly, CARNET maintains the base of all connections of its users. Also, by the same Act, the operator of public communications networks and publicly available electronic communications services, is obliged to retain the electronic communication data needed to determine the source, destination, time, duration and type of communication. It is forbidden to retain data revealing the contents of communication. The CARNET Abuse Service responds solely to user’s e-mails. Retained data are only disclosed to employees of the Ministry of the Interior and the Ministry of Justice with the submission of a warrant.

What types of incidents apply to CARNET Abuse Service?
  • The CARNET Abuse Service warns and sanctions CARNET network users who have violated any provision of the “Decision on the Acceptable Use of CARNET Network” and the generally accepted user behaviour norms in communication of individuals or users in communication within the group. In short these are:
    • spam – unwanted, usually commercial messages distributed to disproportionately large numbers of users
    • copyright infringement – distribution of content such as pirated software, music, movies, which is protected by the Copyright Act
    • unauthorized access – (successful or unsuccessful) attempt to access another computer without permission
    • violation of netiquette 
    • rules for opening, administering and using user accounts on a CARNET public server
    • pests: (viruses, worms, Trojans).

    More:

    • Viruses are malicious code with the ability of self-multiplication; their code is added to the existing executable file, waiting for the “infected” file to be used to be re-activated
    • Warms – malicious codes with the ability of self-multiplication that are widespread by copying their entire content through some media of communication, such as e-mail
    • Trojans – malicious codes that are considered as harmless applications and require some user action to be installed
    • DoS (Denial of Service) form of attacks by denying services usually by overloading a particular service or network
    • DDoS (Distributed Denial of Service) form of attacks by denying services where the sources of congested network traffic are distributed over multiple sites online
    • Phishing – a set of activities by which unauthorized users attempt to lead users to the disclosure of confidential personal information by using fraudulent e-mail and fraudulent websites, e.g. financial organisations.
Which Abuse Service should an incident be reported?
  • Incidents are generally reported to abuse services competent for the networks from which the attack originates. Therefore, in the event of an attack on your computer, it is necessary to identify the attacking network and report the incident to the Abuse Service competent for the relevant network. Computers on the Internet are identified by IP addresses, so it is necessary to determine the IP address of the attacker or the source of the e-mail and determine which provider of the Internet services it belongs. The jurisdiction over IP space is divided into regional internet registers. Competence over an individual IP address can be checked on the following pages:

    As it is not always easy to determine the source of an attack, in the event of the inability to easily identify the network, send the notification to the Abuse Service of your ISP. In case the incident occurred in your organisation, contact your system administrator. Incidents are reported to the National CERT (e-mail:incident@cert.hr) if your notification sent to the Abuse Service has not stopped illegal online activities and there is a need to mediate in dealing with the incident.

    E-mails of the Croatian Abuse Services:

     

 

What should be included in the submission?

In order for the submission to be correct, it must contain the following information:

  • a brief and clear description of the incident (what the user complains about)
  • extract from the log file or message header where it is clearly visible:
    • IP address of the attacker
    • date, time and time zone of the attack.

If you’re reporting spam or non-thematic Usenet messages, you need to include the content of the message.

It is important to note that IP addresses for broadband access services change every time you connect, so for uniquely identifying users, only IP addresses are not sufficient. It is therefore important to specify the exact time of the incident with the time zone for each IP address and to the accuracy of a second.

What are the time zones and how are they defined?

All time zones are defined in relation to Coordinated Universal Time (UTC). The time zone reference point is a zero-meridian that passes through the Royal Observatory at Greenwich, London. That is why today, the term Greenwich Mean Time (GMT) is often used today. For example, Croatia has CET time zone that corresponds to UTC + 1, i.e. if it is 2 pm in Croatia, UTC is 1 pm. During summer time, instead of CET time, CEST time is used corresponding to the UTC + 2 time zone.

How to recognize a computer security issue?
  • Unacceptable behaviour in the CARNET network is defined by the document  – “Decision on the Acceptable Use of the CARNET Network” and generally accepted user behaviour norms in communication of individuals or  users in communication within the group. Any unauthorized activity described in the policy or norms of conduct is subject to the sanctions of the CARNET Abuse Service in the form of warnings and in the case of repetitive behaviour or more serious incidents, as temporary or permanent denial of Internet access.The unacceptable behaviour is:
    • distribution of copyrighted material
    • selling or borrowing your own and using another user’s electronic identity
    • spreading offensive, humiliating or discriminating material
    • sending unwanted e-mails
    • disabling or hindering the operation of an individual service
    • spreading malicious programs
    • searching for security vulnerabilities without the permission of the owner of the tested system
    • destruction of data
    • breach of privacy.

    Also, the CARNET Abuse Service shall report acts to the competent state bodies that are prohibited by the laws of the Republic of Croatia in case of more serious offenses. For example, the Criminal Code prohibits:

    • racial and other discrimination
    • distribution, acquisition and possession of child pornography on a computer system, violation of confidentiality, integrity and availability of computer data, programs or systems
    • computer counterfeiting
    • computer fraud.

     

How to recognize a virus-infected computer?

It can be assumed that a computer is infected with a virus if there are issues such as:

  • a significantly slow computer operation
  • unknown programs are started by themselves (usually in multiple instances)
  • inexplicable shutdown or restart of the computer
  • loss of functionality of computer protection programs (antivirus, antispyware)
  • some other expressly non-standard behaviours
  • some network pages cannot be opened (typically the antivirus software manufacturer’s site)
  • the requested network page does not open but some others do
  • there are also some symptoms that are a bit more difficult to be checked out like unknown processes that are launched in the background.
What does an example of an authentic e-mail notification look like?

I received the following unwanted message:

From xxx@yahoo.com Sun Nov 6 21:40:21 2005

Received: from localhost (xxx.xxx.carnet.hr [999.999.999.999]) by mars.aros.net (8.13.3/8.13.1) with SMTP id jA74eJUr088160 for <100336.3721@aros.net>; Sun, 1 Nov 2005 21:40:21 -0700 (MST) (envelope-from geoffrey@yahoo.com)

Date: Mon, 1 Nov 2005 05:40:16 +0100

From: “Fried”” ) >

To: <100336.3721@aros.net>

Subject: Best quality drags

Message-ID: <000601c5e0b8$c128d490$f95bcf52@pc>

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary=”—-=_NextPart_000_0003_01C5E0C9.82D73F40″

X-Priority: 3 X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on mars.aros.net

X-Virus-Status: Clean

How to get a detailed e-mail header?
  • If you are reporting any e-mail incident, such as receiving a virus message or spam, for a proper incident reporting, you need a full message header. The content from the “From:” field is not sufficient for the correct identification of the sender of the disputed message since it is most often forged.Below are some short instructions that can assist you to get to the message header for some of the more popular e-mail clients.
    • Outlook Express – In the list of received messages, right-click on the message, activate the drop-down menu and select “Properties” in it. A tab shall appear where you select “Details”. The text box contains the e-mail header. Right-click anywhere in the box. In the drop-down menu, select “Select All”. The header text shall be darkened. Right-click anywhere in the text again and select “Copy” from the drop-down menu.
    • Mozilla Thunderbird – In the list of received messages, click to mark the spam message. On the keyboard, press “Ctrl” and “U” simultaneously. A new window opens that contains the entire header besides the message.
    • Eudora – You open it in a separate window in the list of received messages by double-clicking on a spam e-mail. The message displayed does not contain the entire header. To see it click on the icon stating “Blah”, which then adds the entire header to the beginning of the message.
    • Gmail webmail service – Once you open the spam message in the line where the sender’s name is located, next to the button, click the arrow. After you open the menu, select “Show original” to open a new window with the e-mail headers.
    • Netscape Mail 6 – Select a message, from the View menu, select the Headers -> All option. The message header appears in the message window, and then click the Forward icon or from the Message menu, select the Forward option.

     

     

How do attackers know my e-mail address?
  • There are several ways in which attackers come to your e-mail address. The most common ways are:
    • a person whose computer is infected with a virus has your e-mail address in their address book
    • you have entered your e-mail address on a page for which you cannot safely claim that it shall protect your data
    • you have written your e-mail address on a publicly available place (network headquarters, newsgroup, forum)
    • you have subscribed to the mailing list (even if a list of subscribers is not provided, the attacker may have been able to access the list illegally).

     

How and when to report inappropriate use of news groups?

It is important to note the purpose of reporting the non-thematic posts to the CARNET Abuse Service. In order for a job to be performed with quality, it is important for users to get quality and grounded applications, especially since the Abuse Service cannot actively track all active newsgroups primarily because of their number. In general, users should report cases of targeted and repeated cross-posting, intentional disruption of participants, severe and targeted offenses, deliberate submission of non-thematic posts and similar. Reporting any incorrect words, limiting cases of non-thematic posts, random non-thematic posts, and so on is counterproductive and does not contribute to the introduction of order on the Usenet.

Once you have concluded that you can submit a report, first describe in one or two sentences the complaint, then provide a detailed header of the post and content of the post.

What does an example of a correct report look like?

I am reporting your user for sending a non-thematic message because he has sent a hardware-supply message to the hardware group newsgroup, despite the existence of hr.potraznja.hardver group.

Path: Iskon!fu-berlin.de!news.glorb.com!nntp-server.pubsub.com!CARNet.hr!not-for-mail From: “roginator” ” ) >

Newsgroups: hr.ponuda.hardver

Subject: I purchase hardware

Date: Wed, 2 Nov 2005 19:56:25 +0100

Organisation: CARNET, CROATIA

Lines: 5

Message-ID:

NNTP-Posting-Host: xxx.xxx.carnet.hr

X-Trace: xxx.srce.hr 1130957786 9184 999.999.999.999 (1 Nov 2005 18:56:26 GMT)

X-Complaints-To: abuse@carnet.hr

NNTP-Posting-Date: Wed, 1 Nov 2005 18:56:26 +0000 (UTC)

X-Priority: 3

X-MSMail-Priority: Normal

X-Newsreader: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-RFC2646: Format=Flowed; Original

X-Antivirus: avast! (VPS 0543-2, 27.10.2005), Outbound message

X-Antivirus-Status: Clean

Xref: Iskon hr.ponuda.hardver:33531

How to get a detailed Usenet message header?
  • If you are reporting a Usenet-related incident, such as a non-thematic post, for a proper incident reporting, you need a complete message header. The content from the “From:” field is not sufficient for the correct identification of the sender of the message in question. Below are brief instructions that can assist you get to the header of the message at several popular news clients.
    • Outlook Express – select a message and press CTRL and F3 simultaneously. The Message Source window shows a full header message, highlight the entire contents of the window and copy it, close the window, insert a copied message and header into the new message, and send the message to the Abuse Service.
    • Mozilla Thunderbird – In the list of received messages, click to mark the spam message. On the keyboard, press “Ctrl” and “U” simultaneously. A new window opens that contains the entire header besides the message.
    • Google Groups – select a message, click Show Options, and then click Show Original. Copy the complete header and message and send it to the address of the Abuse Service.

     

How to recognize a phishing message?
  • Fraudsters often copy the visual appearance of real e-mail from banks and other companies. Recently, false messages are completely identical to the original, but there are certain details that disclose the fraud:
    • personal information is requested in the message
    • the urgency of the message
    • links
    • the body of an e-mail is a picture
    • unrealistic promises.

    In any case, no one has the right, and no system engineer maintaining the e-mail server, to ask for your user password. Your user password is a secret and only known to you and you should use it responsibly. Phishing sites are difficult to identify because attackers copy the visual identity of a legitimate site well. Often, such fake pages have the following features:

    • the domain of the web page is similar to the legitimate site domain, but not the same
    • the login network where the password is entered is not https, but http
    • if there is a secure https access, the site certificate is invalid.

     

Firewall informs me that it has blocked my computer scan. Am I a target of the attack that I need to report?

Some firewalls, especially if they are set to be more sensitive, report certain actions (which other apps consider to be normal and use them for work) as an attempt of attack. If you notice that it is often repeated, under different conditions, it is very likely a massive scan of the computer. Such a phenomenon is a burglar alarm, but if your operating system is upgraded, the threat is minimal. Such attacks do not need to be reported because there are services that report such attacks with all the necessary information to the abuse services.

Can you help me with configuring the program or cleaning my computer from a virus?

The CARNET Abuse Service does not support the configuration of antivirus or some other programs. For assistance with the configuration of the software, contact the appropriate service provider of the software manufacturer you are using.

The CARNET Abuse Service does not provide support for cleaning your computer from malicious software, operating system reinstallation, antivirus and other tools installation, etc. The Abuse Service may provide advice on recommended practices of computer security.

I got a warning that I am sending spam, what should I do?

If it is not deliberately caused by a direct action of a user, the computer is infected with a spam virus.

The first thing you need to do is check your computers connected to the Internet with antivirus and antispyware tools. There are free scan tools as well as commercial variants. You can find some antivirus tools on the Abuse service website.

Since no security system is 100% effective, it is possible for the antivirus tool to show that the computer is clean and actually it is not. There are situations when malicious software is not detected and continues to cause problems. As the ultimate and safest solution to the problem, you need to reinstall the operating system, install all patches, and install antivirus software and firewall.

It is also important to note that all that is required for malicious spammers is the Internet connection to port 25 (SMTP port). Removing mail software (such as MS Outlook, Mozilla Thunderbird, etc.) from your computer has no effect because the malicious software has an embedded mail client that sends spam. As a temporary measure, while the problem is not resolved otherwise, it is possible to set up a firewall that blocks network traffic to port 25, thereby preventing any e-mail from being sent even via the e-mail client.

As the ultimate and safest solution to the problem, you need to reinstall the operating system, install all patches, and install the antivirus program and firewall.

Once the problem is resolved and the computer has been cleaned, it would certainly be advisable to take preventive steps so that the problem would no longer be repeated. It is good practice to disable the use of a computer with administrator privileges and to create user accounts with the minimum authorizations required to perform the tasks for which the computer is intended. Also, we recommend using one of the tools that have the ability to restore the computer to the original, previously stored status. After saving the computer status that is known to be “free of viruses” (for example, after a fresh installation of the operating system), it is possible, in the event of a problem, to relaunch the computer in a relatively uncompromised state in a relatively simple and fast way. For this purpose, there is a free Microsoft Steady State tool or commercial solutions like Deep Freeze. More information can be found on sys.portal.

Please let us know about the issue of e-mail troubleshooting, specifying the appropriate incident identification in the message headline.

I got a warning of the attempt of an unauthorized access to a computer or network, but I did not try to break in?

As with the sending of unsolicited e-mail, unless caused by a direct action of the user, the computer is infected by a virus which is attempting an unauthorized access of another computer system.

The first thing you need to do is check your computers connected to Internet with antivirus and antispyware tools. There are free scan tools as well as commercial variants. You can find some antivirus tools on the Abuse service website.

Since no security system is 100% effective, it is possible for the antivirus tool to show that the computer is clean and actually it is not. There are situations when malicious software is not detected and continues to cause problems. As the ultimate and safest solution to the problem, you need to reinstall the operating system, install all patches, and install antivirus software and firewall.

Once the problem is resolved and the computer has been cleaned, it would certainly be advisable to take preventive steps so that the problem would no longer be repeated. It is good practice to disable the use of a computer with administrator privileges and to create user accounts with the minimum authorizations required to perform the tasks for which the computer is intended. Also, we recommend using one of the tools that have the ability to restore the computer to the original, previously stored status. After saving the computer status that is known to be “free of viruses” (for example, after a fresh installation of the operating system), it is possible, in the event of a problem, to relaunch the computer in a relatively uncompromised state in a relatively simple and fast way. For this purpose, there is a free Microsoft Steady State tool or commercial solutions like Deep Freeze. More information can be found on sys.portal.

Please let us know about the issue of e-mail troubleshooting, specifying the appropriate incident identification in the message headline.

I got the notice that I sent a virus even though my computer was not infected. What is it about?

Unfortunately, the creators of malicious programs have become more creative in avoiding detection with antivirus tools. There is no guarantee that any of the tools will clean up all malicious software, so it is possible that the computer is still infected even though the antivirus tool reports it to be clean.

The only way to make sure your computer is completely clean is to reinstall your operating system.

How to protect yourself from viruses and malicious software?

Today, there is no security system in the world that will protect you 100% from viruses and other malicious software. What you can do is reduce the risk of infecting your computer with security tools (such as antivirus, antispyware, and firewall), safer operating system configuration, and more cautious use of your e-mail client and network browser.

More on the topic can be found on the CARNET Abuse Service website in the section

 “Security on the Internet”.

I got the notice that I have been distributing copyrighted material, what it is about?

According to the CARNET Document CDA0035 – “Decision on the Acceptable Use of the CARNET Network” distribution and downloading of copyrighted content is prohibited. Reproduction, distribution, storage or processing of the work is also prohibited by the Copyright Act and related rights. The works include films, computer games, and computer programs for which the author explicitly did not issue a license to download or distribute.

Once you have received a notification from the CARNET’s Abuse Service, you need to delete the disputed material and make sure that the CARNET Abuse Service is notified by responding to the received e-mail. It is also necessary to discontinue further copyright infringement.

Are so called peer-to-peer protocols forbidden?

No, peer-to-peer protocols are not forbidden. The laws of the Republic of Croatia and the CARNET document “Decision on the Acceptable Use of the CARNET Network” prohibit the distribution and download of content protected by the Copyright and Related Rights Act.

In other words, the use of peer-to-peer protocols for the exchange of computer games, movies, applications, and other materials protected by copyright is not permitted.

What to do when I receive a notification for a violation of the netiquette?

A notification for violating netiquette has been received because you have violated some of the commonly accepted behavioural norms in the group communication. More about netiquette can be found here.

Such behaviour must be discontinued in further communication at the Usenet Service.

Can I appeal to sanctions imposed by CARNET Abuse Service?

The user who has been sanctioned by the CARNET Abuse Service has the right to appeal to the CARNET CEO. An appeal shall be filed in writing and the decision on the appeal shall be made by the CARNET CEO within 30 days of filing the appeal.

How do I divert e-mail from my e-mail account to another address (for schools)?

You can enable forwarding as follows:

  • log in to the webmail school system at https://webmail.skole.hr/  
  • click on “Filters” and then on “Forward”
  • enter one or more e-mail addresses to which you want to forward messages
  • if you want copies of messages to remain in your account, select this option by selecting a checkmark 
  • click the “Save” button to save the settings.

You can find more information about CARNET webmail system at: https://helpdesk.carnet.hr/CARNET_Webmail

 

Important Documents

The acceptable behaviour of the CARNET network user is defined by the document CDA0035 – “Decision on the Acceptable Use of the CARNET Network” as well as generally accepted user behaviour norms in communication of individuals or users in communication within the group.

The Rules of the CARNET Abuse Service are governed by the document CDA0038 – “CARNET Abuse Service Rules”.

Contact Details

Abuse Service

Phone: + 385 1 6661 655
E-mail: abuse@carnet.hr

You can contact the CARNET Abuse Service by e-mail abuse@carnet.hr or by phone at +385 1 6661 655.

Computer incidents are sent via e-mail only to abuse@carnet.hr.

The working hours of CARNET Abuse Service are from 9 am to 4 pm.