I got this email from my ISP in Germany. I don’t know what to do about it, or where to ask on Lemmy (all the tech communities seem to be about news and info, not to ask any questions)
I have two phones (Xiaomi and Poco), two iPads, two Devolo repeaters, one Tenda repeater, a PC and an Android TV Box… I suspect it may be the Android box; I think it is rooted and I will put AFWall+ on it when I get home.
I haven’t yet been able to check the IP address that they sent. But does anyone know if these emails are legit, and what to do about them if they are? I will obviously have to try and find the culprit and try to clean it, but the IP addresses look different on my router (192.168.XXX.XXX)
Can anyone help? What to do?
This is an automated abuse complaint regarding suspection of device infection within your network behind IP address 210.XXX.XXX.XXX
Our isolated systems has received multiple unsolicited incoming connections from an IP address under your control (abuse-mailbox as per RIR database). All unsolicited connections reported below have completed three-way handshake procedure defined per Transmission Control Protocol (TCP). This ensures that our evidence was not tampered upon any external party posessing a source IP address spoofing capability, because three-way handshake procedure requires both receiving (device within our network) and sending (device within your network) parties to receive reply of another party to complete handshake.
The aforementioned isolated systems within our network are hosted at unused IP address space and are implemented as a TCP listener, so that we can be sure our evidence actually covering “unsolicited” and “not spoofed” activity.
The activity we are reporting is often referred to as “service probing” or “banner grabbing”. Unlike typical “port scan” type of abuse complaints you might receive, our complaints are not induced by a single or multiple TCP packets with SYN flag set. Instead, as was mentioned previously, three-way handshake procedure is required. To eliminate possible false-positive alerts caused by human typo, abuse complaint is generated only upon having four (4) distinct successful connections as per (Source IP; Destination IP; Destination Port) tuple.
To minimize “Internet background noise” our network observes, the reported IP address was temporarily banned. Do not worry, it will be unblocked automatically soon. If it is the first report for this IP address within 90 days, block lasts 24 hours. Each following report within this timeframe extends blocking duration for 24 hours.
As for implications for your network, we suspect that device within your network is infected with a malware. However, sometimes there are another reasons, namely:
- device hosts publicly accessible proxy or VPN (either intentionally, due to software misconfiguration or due to usage of “proxyware” type of software);
- device is infected with a malware (for example, networking worm, most frequently this happens with IoT and DVR/IP cameras);
- device (for example, server) is used by an malicious actor for exploitation purposes (see “unethical hacking”);
- device is used by a legitimate Internet security researchers team that can be clearly attributed using Forward-confirmed reverse DNS (FCrDNS).
Given exact reason in this situation, you would like either to communicate with your client to address this issue as per Terms of Service of your organization or notify us of legitimate nature of this activity. When it comes to legitimate security researchers, we are always co-operating to whitelist your networks as long as FCrDNS is valid.
Please note that we are providing hosting services, hence you are strongly discouraged from blocking any of the destination IP addresses mentioned below.
If these complaints are considered irrelevant by your team for any reason, do not hesitate to let us know by replying to this letter. We will exclude your abuse-mailbox from receiving these abuse complaints in the future.
Incident details are attached below. Please note that due to some automated abuse complaint processing systems parsing destination IP addresses as ones involved to this report, we are redacting destination IP addresses replacing all “.” and “:” characters with “x”.
Timestamp SrcIP SrcPort DstIP DstPort
2026-05-04T10:31:16.818Z 210.XXX.XXX.XXX 64644 82x24x200x216 23
2026-05-04T12:46:08.422Z 210.XXX.XXX.XXX 65179 88x218x206x67 23
2026-05-04T13:58:24.048Z 210.XXX.XXX.XXX 64515 88x218x206x29 23
2026-05-04T19:36:57.453Z 210.XXX.XXX.XXX 61451 144x79x59x121 23
----------------------------------------------------------------------
As was mentioned previously, the table above lists all unsolicited TCP connections that have completed three-way handshake. This prevents us from producing false-positive alerts. It is worth to note that we aren’t closing the connection immediately after three-way handshake was completed, thus you should see communication from your sFlow monitoring. If you are using NetFlow or IPFIX, you should be able to see all four (4) flows. If you don’t implement any of those, do not hesitate to ask us for more detailed logs.
Kind regards, Network department Skhron
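The complaint's incident table and its closing paragraph describe exactly what a defender can check locally: the four rows are (timestamp, source IP, source port, destination IP, destination port) flows, and anyone with router connection logs, NetFlow or IPFIX can look for outbound TCP port 23 flows that line up with them and read off the internal 192.168.x.x address that produced them. The script below is an added example, not part of the original post or the sender's tooling: it un-redacts the "x"-separated destination addresses, applies the report's own "four distinct (source IP, destination IP, destination port) tuples" criterion, checks that the reported source is really your public IP, and correlates the rows against router log lines. The router log format (key=value), the LAN addresses and the public IP 203.0.113.77 (an RFC 5737 placeholder standing in for the redacted 210.XXX.XXX.XXX) are all constructed for this example; the destination IPs and timestamps are the ones in the report above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Incident rows in the complaint's format: destination IPs are redacted with
# "x" in place of ".". The source 203.0.113.77 is a constructed placeholder.
REPORT_ROWS = """\
2026-05-04T10:31:16.818Z 203.0.113.77 64644 82x24x200x216 23
2026-05-04T12:46:08.422Z 203.0.113.77 65179 88x218x206x67 23
2026-05-04T13:58:24.048Z 203.0.113.77 64515 88x218x206x29 23
2026-05-04T19:36:57.453Z 203.0.113.77 61451 144x79x59x121 23
"""

# Constructed router connection-log lines (key=value style invented for this
# example; real routers use their own formats). One LAN host made the four
# reported telnet connections; the other lines are ordinary traffic.
ROUTER_LOG = """\
2026-05-04T10:31:16Z proto=tcp src=192.168.178.23 sport=64644 dst=82.24.200.216 dport=23
2026-05-04T10:31:40Z proto=tcp src=192.168.178.10 sport=51120 dst=198.51.100.9 dport=443
2026-05-04T12:46:08Z proto=tcp src=192.168.178.23 sport=65179 dst=88.218.206.67 dport=23
2026-05-04T13:58:23Z proto=tcp src=192.168.178.23 sport=64515 dst=88.218.206.29 dport=23
2026-05-04T15:02:11Z proto=udp src=192.168.178.31 sport=5353 dst=224.0.0.251 dport=5353
2026-05-04T19:36:57Z proto=tcp src=192.168.178.23 sport=61451 dst=144.79.59.121 dport=23
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def unredact_ip(token):
    """Undo the complaint's redaction ('x' for '.' in IPv4, 'x' for ':' in IPv6)."""
    for sep in (".", ":"):
        try:
            return str(ipaddress.ip_address(token.replace("x", sep)))
        except ValueError:
            continue
    raise ValueError(f"not a redacted IP address: {token}")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2026-05-04T10:31:16.818Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_report(text):
    """Turn the incident table into a list of flow dicts with real IPs."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sport, dst, dport = line.split()
            rows.append({"ts": parse_ts(ts), "src": src, "sport": int(sport),
                         "dst": unredact_ip(dst), "dport": int(dport)})
    return rows


def parse_router_log(text):
    """Parse the constructed router log lines; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append({"ts": parse_ts(d["ts"]), "proto": d["proto"], "src": d["src"],
                            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"])})
    return entries


def public_ip_matches(report_rows, my_public_ip):
    """First check from the thread: is the reported source address actually ours?"""
    return all(r["src"] == my_public_ip for r in report_rows)


def distinct_tuples(report_rows):
    """The complaint alerts only on four distinct (src, dst, dport) tuples."""
    return len({(r["src"], r["dst"], r["dport"]) for r in report_rows})


def correlate(report_rows, log_entries, window=timedelta(seconds=5)):
    """Map each reported flow to the LAN host whose logged flow matches it.

    A match needs the same destination, destination port and source port, TCP,
    and a timestamp within `window` (router clocks are rarely sub-second exact).
    Returns {lan_ip: [matched report rows]}.
    """
    hits = defaultdict(list)
    for r in report_rows:
        for e in log_entries:
            if (e["proto"] == "tcp" and e["dst"] == r["dst"] and e["dport"] == r["dport"]
                    and e["sport"] == r["sport"] and abs(e["ts"] - r["ts"]) <= window):
                hits[e["src"]].append(r)
    return dict(hits)


def unmatched(report_rows, hits):
    """Reported flows with no corresponding router log entry (worth asking about)."""
    matched = {id(r) for rows in hits.values() for r in rows}
    return [r for r in report_rows if id(r) not in matched]


if __name__ == "__main__":
    report = parse_report(REPORT_ROWS)
    log = parse_router_log(ROUTER_LOG)
    print("public IP matches:", public_ip_matches(report, "203.0.113.77"))
    print("distinct tuples:", distinct_tuples(report))
    for host, rows in correlate(report, log).items():
        print(f"{host}: {len(rows)} of {len(report)} reported connections")
```

Run against real logs, the value of the exercise is the negative result as much as the positive one: if your public IP does not match the reported source the complaint is not about your line at all, and if it does match but no LAN host shows the flows, the router's logging granularity (or a NAT device in front of it) is the next thing to question.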
Rule 5. Locking.
Honestly, this reeks of spam. Let’s just look at the first paragraph:
Our isolated systems
Isolated from what?
has [sic] received multiple unsolicited incoming connections from an IP address under your control (abuse-mailbox as per RIR database).
If this is really coming from your ISP, then they don’t have to look up anything in the RIR database since they already (should) know which IP address(es) is/are assigned to you.
All unsolicited connections reported below have completed three-way handshake procedure [sic] defined per Transmission Control Protocol (TCP) [sic]. This ensures that our evidence was not tampered upon [sic] any external party posessing [sic] a source IP address spoofing capability, because three-way handshake procedure requires both receiving (device within our network) and sending (device within your network) parties to receive reply of another party to complete handshake [sic].
I’m not an expert in TCP, but AFAIK, the fact that a TCP three-way handshake occurred does not prove anything.
All in all, it sounds like they’re throwing around a bunch of technical terms in hopes of sounding legitimate. If you’re still worried, contact your ISP directly (not using any links or similar from this email, but through your normal channels, e.g. by phone), and if there really is a problem, they’ll tell you then and there.
EDIT: the more I read just that first paragraph, the more I realize how broken the English is. I started inserting “[sic]” where there are mistakes, but I stopped because it would make the text that much harder to read.
The three-way handshake only proves an established TCP connection. Not with whom. It can still be with the man-in-the-middle.
You highlighted a few lines from the mail, but you can highlight the whole message. It’s bullshit after bullshit. No ISP expects the end user to monitor the flows. I do, but my ISP’s helpdesk had no clue what it is.
It’s bluff. If you answer, you have to pay a “fine” to pay off any further steps from being taken. (Your invoice is always in €, the “offer” for the fine only stands for 1 day and can only be paid in bitcoins, but don’t worry, a how-to is included /s)
our isolated systems has received multiple unsolicited incoming connections from an IP address under your control
Is utter bullshit. They just try to impress/scare with fancy words, especially by letting them make no sense (assuming the reader will think ‘I don’t understand, so they must be right’). You can safely just ignore it. Delete it.
If it makes you feel better, call your ISP on the number you get from their website or from an invoice. Do NOT use any details from the email.
A few places to start. Double check it’s actually from your ISP (look at the email header, who actually sent the email).
A lot of routers have logging. You could scan through there for anything matching what the report says.
The 192.xxx.xxx.xxx ip is your internal ip assigned by the router. The ISP can’t tell you which device it is exactly. You still have an external IP which is what the report is mentioning. Make sure yours matches what they say. There are plenty of sites you can visit that tell you your external IP. I’ve always just used https://www.whatismyip.com/
When suspicious messages arrive: Are they providing any links or telling you how to contact them? Don’t trust it.
I assume it’s been translated and the original language doesn’t have the written issues seen here, otherwise that’s a red flag as well (bad grammar or spelling, or seeming to explain something but not making sense to you).
Hover over links (or long press on mobile until options pop up) to see the actual address behind the link. Look closely, small L and big I can look the same, a letter can be changed for a similar symbol, the font may be off, they may have extra letters in an address (@company.it.com), using N instead of M, etc… If it looks fine, it’s better but may still be false. Do the same with the sender’s email address and the reply-to address.
Use a search engine to find the company website and their contact information through there. It should be the top or in the top three results. Do not click on the websites in the ad/sponsored sections at top+middle+bottom+side of the results, they can be false and pay to be there above the correct site. Do not trust the information provided by the search engine, actually click into the website and look for contact info there.
Compare these numbers/emails with the ones in the email. If they look the same it’s a good sign - still, don’t click links or reply directly to the email.
Only contact them through the numbers/emails provided by this website.
If any of the above steps raises red flags, assume it’s a scam and contact the company as written below.
Contact the company through email: Create a new email and type or copy in the address from the website. Type your message and your questions about the legitimacy of the email and then copy in the email you received below your own message.
Contact the company through phone (I prefer this option): Call the number on the website and tell them you got a suspicious email claiming to be from them and that you want to verify.
If you have already clicked a link, shut down your systems and your router, and use your phones to search up and contact support.
If you haven’t clicked a link, I would still recommend you contact the company (through their website, not the email) and ask them if it’s legit, and look for the issue while you wait, look through logs and double check IPs etc as suggested in the thread.
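The header checks this comment describes (who actually sent the mail, whether the reply-to address points somewhere else, lookalike characters in the domain) can be done mechanically before anyone clicks anything. The script below is an added example, not from the original thread: it parses a raw message with Python's standard email module, compares the From, Reply-To and Return-Path domains against the ISP domain you know from your contract, and reduces each domain to a "skeleton" in which common confusables (digit 1 and capital I for lowercase l, 0 for o, rn for m, vv for w) are folded together so that a lookalike is flagged rather than waved through. The raw message and every domain in it are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed raw headers. The From domain uses the digit 1 in place of the
# letter l; Reply-To points at an unrelated domain. Nothing here is real.
RAW_MESSAGE = """\
Return-Path: <abuse@examp1e-isp.net>
Received: from mail.examp1e-isp.net (mail.examp1e-isp.net [198.51.100.25])
\tby mx.recipient.example (Postfix) with ESMTPS id 4F3A2
\tfor <customer@recipient.example>; Mon, 04 May 2026 20:01:12 +0000
From: "Example ISP Abuse Desk" <abuse@examp1e-isp.net>
Reply-To: <support@example-isp-billing.com>
To: <customer@recipient.example>
Subject: Automated abuse complaint

Incident details attached.
"""

# Single-character confusables applied after lowercasing.
CONFUSABLE_CHARS = {"1": "l", "i": "l", "0": "o", "5": "s"}
# Multi-character sequences that render like a single letter.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def domain_of(header_value):
    """Extract the lowercased domain from an address header like '"Name" <a@b>'."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def skeleton(domain):
    """Fold visually similar characters so lookalike domains compare equal."""
    s = domain.lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def analyze_headers(raw, expected_domain):
    """Return the sender-related domains plus a list of red flags.

    `expected_domain` is the ISP domain taken from your contract or invoice,
    never from the message itself.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"]) if msg["From"] else ""
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else ""
    rp_dom = domain_of(msg["Return-Path"]) if msg["Return-Path"] else ""
    expected = expected_domain.lower()
    flags = []
    if from_dom != expected:
        if skeleton(from_dom) == skeleton(expected):
            flags.append("from_is_lookalike_of_expected")
        else:
            flags.append("from_domain_mismatch")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_differs_from_from")
    if rp_dom and rp_dom != from_dom:
        flags.append("return_path_differs_from_from")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "return_path_domain": rp_dom, "flags": flags}


if __name__ == "__main__":
    result = analyze_headers(RAW_MESSAGE, "example-isp.net")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A clean result (no flags) is necessary but not sufficient; From headers are trivially forgeable, so the phone call to the number on your invoice, as the comment says, is still the authoritative check. The skeleton table is deliberately small and can be extended with whatever confusables your mail client's font makes hard to tell apart.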
The email seems directed at a company, not a private customer, so it’s quite sus. Is this actually from your ISP? Compare with your contract or payment invoices.
But the part you pasted here doesn’t seem to have much call to action (numbers to call, links to click, steps to take to fix the reported issue), or intense and worrying/stressful language to make you act impulsively - it’s rather calm, which is good.
If I understand correctly they claim to have blocked your access to the internet for 24 hours, is this true (in general or for any of your devices with direct network access)? If so, it seems legit (unless they then want you to pay to regain access, in which case you definitely have malware).
If you’re contacted again with them providing you steps you need to take to unblock your access or clean/protect your devices, again be wary of links and mounting pressure to act.
As everyone else said, authenticate the E-mail first. Don’t just reply and ask if they’re your ISP. Don’t just trust the From header. Don’t trust any links or contact info in that E-mail until you authenticate it. After that, personally I’d do the following:
- Shut everything down or at least disconnect it from the network (literally everything: switches, IoT devices, your phone, etc.)
- I’d reinstall my router OS. If you have a consumer grade device, I’d consider replacing it, updating it, then connecting it to the empty network.
- Set up packet capture on the router looking for the signature (tcpdump port 23). If you have a consumer grade router device, you might need to figure out another way to get a tap in there.
- Bring up/reconnect each device on your network individually to try and narrow it down.
Once you identify the source of that traffic, you can come up with a plan to deal with that.
If there isn’t a good way to take logs from the router, OP might try a software firewall on the PC - most malware also tries to spread on the local network, so installing a software firewall and logging all incoming connections from local devices might send him on the right track.
Agreed. Listening on the router is best but setting up a honeypot like the ISP did has a pretty good chance to work in this case. Assuming the malware is automated and continues to scan the LAN.
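The honeypot idea in this comment and the one before it is straightforward to reproduce on the LAN: a device that is scanning for telnet will also probe 192.168.x.x neighbours, so a listener on port 23 that records which internal address completes a handshake identifies the culprit without needing router logs. The script below is an added example, not code from the thread: it is a minimal threaded TCP listener that accepts the connection (so the three-way handshake completes, exactly as the complaint describes), keeps it open briefly to capture the first bytes the client sends, and reports hosts that reach the same four-connection threshold the complaint uses. Binding to port 23 needs elevated privileges on Linux; the port and bind address are parameters, and the self-test uses loopback on an ephemeral port. The `simulate_probe` client exists only so the example can exercise itself.

```python
import socket
import socketserver
import sys
import threading
import time
from collections import defaultdict


class ProbeLog:
    """Thread-safe record of completed TCP connections, keyed by source host."""

    def __init__(self):
        self._lock = threading.Lock()
        self._events = []

    def record(self, src_ip, src_port, dst_port, first_bytes):
        with self._lock:
            self._events.append({"ts": time.time(), "src": src_ip, "sport": src_port,
                                 "dport": dst_port, "data": first_bytes})

    def events(self):
        with self._lock:
            return list(self._events)

    def suspects(self, min_connections=4):
        """Hosts with at least `min_connections` completed handshakes (the
        complaint's own threshold before it raises an alert)."""
        counts = defaultdict(int)
        for e in self.events():
            counts[e["src"]] += 1
        return {ip: n for ip, n in counts.items() if n >= min_connections}


class ProbeHandler(socketserver.BaseRequestHandler):
    """Complete the handshake, wait up to 2 s for the client's first bytes
    (a telnet worm typically sends a login attempt), then close."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            data = b""
        src_ip, src_port = self.client_address[:2]
        self.server.probe_log.record(src_ip, src_port, self.server.server_address[1], data)


class LanHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind, probe_log):
        super().__init__(bind, ProbeHandler)
        self.probe_log = probe_log


def start_honeypot(host="0.0.0.0", port=23, probe_log=None):
    """Start the listener in a background thread; returns (server, probe_log)."""
    probe_log = probe_log or ProbeLog()
    server = LanHoneypot((host, port), probe_log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, probe_log


def simulate_probe(host, port, payload=b""):
    """Test client: complete a handshake and optionally send a few bytes."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)


def wait_for_events(probe_log, count, timeout=5.0):
    """Block until `count` events are logged or `timeout` passes; returns success."""
    deadline = time.time() + timeout
    while len(probe_log.events()) < count:
        if time.time() > deadline:
            return False
        time.sleep(0.05)
    return True


if __name__ == "__main__":
    # Usage: python honeypot.py [port]; run on a spare LAN host and watch for
    # internal addresses that keep connecting.
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 23
    server, log = start_honeypot("0.0.0.0", listen_port)
    print(f"listening on port {listen_port}; Ctrl-C to stop")
    try:
        seen = 0
        while True:
            time.sleep(1)
            events = log.events()
            for e in events[seen:]:
                print(f"{e['src']}:{e['sport']} -> :{e['dport']} sent {e['data']!r}")
            seen = len(events)
    except KeyboardInterrupt:
        server.shutdown()
```

Leave it running for a day alongside normal use; one host appearing repeatedly with telnet-style login strings is the device to pull off the network first, and the captured bytes are useful when you search for the device name plus "botnet" as suggested further down.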
Everything that has already been said, and also, call your ISP from a number available not on this email, but on your contract with them. Ask your ISP on the phone to confirm whether they sent you this email. For this, have available the timestamp of the mail.
Optionally: report it to the local authorities. Attach the e-mail in its entirety. Not to expect any particular action from them, but to make sure that you have done anything and everything in your power to get ahead of any possible problems.
What made you think it’s from your ISP? It’s written in English with grammatical mistakes and the name sounds Polish. Looking it up, it seems like they are a VPS. If they are lying - not sure what they would be trying to get out of you, do not provide them with any personal information whatsoever. Also where did they even get your email? Is the IP they mention actually yours? Is your IP even static?
As a general check up:
- Update your router firmware; if your router is too old it genuinely may be susceptible to infections that then turn it into a botnet. If it’s your own router, you can also factory reset it and set it up from 0. This applies to all your repeaters, too. Ideally look into using OpenWRT if your hardware supports it and keeping it updated.
- Update the phones, look through all your apps for anything that you didn’t install.
Definitely do what this comment tells you to actually find out if the problem exists. Or if you are too unsure of how to navigate through all that - call your actual ISP and ask if they could help you. If it’s not your own router, they might be able to do it remotely.
I didn’t read your post because I’m busy but 2 things
- Make sure it’s not a scam
- Write down a list of devices in your house and search the name of each one appended with “botnet”
@Babalugats ew, that being true, the ISP is sniffing your network…
I know mine has full access to the router they provide, that’s why I have my own router in front of it
Sorry, that’s not correct. The ISP informed OP that a device behind OP’s public IP address attempted outgoing connections to ISP systems, not that the ISP sniffed network traffic.