I got this email from my ISP in Germany. I don’t know what to do about it, or where to ask on Lemmy (all the tech communities seem to be about news and info, not to ask any questions)

I have two phones (Xiaomi and Poco), two iPads, two Devolo repeaters, one Tenda repeater, a PC and an Android TV box… I suspect it may be the Android box; I think it is rooted and I will put AFWall+ on it when I get home.

I haven’t yet been able to check the IP address that they sent. But does anyone know if these emails are legit, and what to do about them if they are? I will obviously have to try and find the culprit and try to clean it, but the IP addresses look different on my router (192.168.XXX.XXX).

Can anyone help? What to do?

This is an automated abuse complaint regarding suspicion of device infection within your network behind IP address 210.XXX.XXX.XXX

Our isolated systems have received multiple unsolicited incoming connections from an IP address under your control (abuse-mailbox as per RIR database). All unsolicited connections reported below have completed the three-way handshake procedure defined by the Transmission Control Protocol (TCP). This ensures that our evidence was not tampered with by any external party possessing a source IP address spoofing capability, because the three-way handshake procedure requires both the receiving (device within our network) and sending (device within your network) parties to receive the reply of the other party to complete the handshake.

The aforementioned isolated systems within our network are hosted on unused IP address space and are implemented as a TCP listener, so that we can be sure our evidence actually covers “unsolicited” and “not spoofed” activity.

The activity we are reporting is often referred to as “service probing” or “banner grabbing”. Unlike the typical “port scan” type of abuse complaints you might receive, our complaints are not induced by single or multiple TCP packets with the SYN flag set. Instead, as was mentioned previously, the three-way handshake procedure is required. To eliminate possible false-positive alerts caused by human typo, an abuse complaint is generated only after four (4) distinct successful connections per (Source IP; Destination IP; Destination Port) tuple.

To minimize the “Internet background noise” our network observes, the reported IP address was temporarily banned. Do not worry, it will be unblocked automatically soon. If it is the first report for this IP address within 90 days, the block lasts 24 hours. Each following report within this timeframe extends the blocking duration for 24 hours.

As for the implications for your network, we suspect that a device within your network is infected with malware. However, sometimes there are other reasons, namely:

  • the device hosts a publicly accessible proxy or VPN (either intentionally, due to software misconfiguration or due to usage of “proxyware” type of software);
  • the device is infected with malware (for example, a networking worm; most frequently this happens with IoT and DVR/IP cameras);
  • the device (for example, a server) is used by a malicious actor for exploitation purposes (see “unethical hacking”);
  • the device is used by a legitimate Internet security research team that can be clearly attributed using Forward-confirmed reverse DNS (FCrDNS).

Depending on the exact reason in this situation, you would want either to communicate with your client to address this issue as per the Terms of Service of your organization or to notify us of the legitimate nature of this activity. When it comes to legitimate security researchers, we are always co-operating to whitelist your networks as long as FCrDNS is valid.

Please note that we are providing hosting services, hence you are strongly discouraged from blocking any of the destination IP addresses mentioned below.

If these complaints are considered irrelevant by your team for any reason, do not hesitate to let us know by replying to this letter. We will exclude your abuse-mailbox from receiving these abuse complaints in the future.

Incident details are attached below. Please note that, because some automated abuse complaint processing systems parse destination IP addresses as ones involved in this report, we are redacting destination IP addresses by replacing all “.” and “:” characters with “x”.

Timestamp                SrcIP          SrcPort DstIP          DstPort
2026-05-04T10:31:16.818Z 210.XXX.XXX.XXX 64644   82x24x200x216  23
2026-05-04T12:46:08.422Z 210.XXX.XXX.XXX 65179   88x218x206x67  23
2026-05-04T13:58:24.048Z 210.XXX.XXX.XXX 64515   88x218x206x29  23
2026-05-04T19:36:57.453Z 210.XXX.XXX.XXX 61451   144x79x59x121  23
----------------------------------------------------------------------

As was mentioned previously, the table above lists all unsolicited TCP connections that have completed the three-way handshake. This prevents us from producing false-positive alerts. It is worth noting that we aren’t closing the connection immediately after the three-way handshake is completed, thus you should see the communication in your sFlow monitoring. If you are using NetFlow or IPFIX, you should be able to see all four (4) flows. If you don’t implement any of those, do not hesitate to ask us for more detailed logs.

Kind regards, Network department Skhron
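The incident table is the one part of the complaint the recipient can act on: each row is a completed TCP connection from the public (WAN) address to a listener on unused address space, and a report is raised once four distinct (source, destination, port) tuples are seen. The Python script below is an added example, not code from the thread or from Skhron. It parses a table in that format, reverses the “x” redaction, labels the destination port (23 is Telnet, which fits the IoT-worm scenario the complaint lists), checks the four-tuple threshold, and flags whether the address is a private LAN address. The sample table and the 203.0.113.10, 198.51.100.x and 2001:db8:: addresses are constructed documentation-range placeholders, not the addresses from the report.

```python
"""Parse an 'x'-redacted abuse-complaint incident table and summarise it for a
home-network investigation.  The sample below is CONSTRUCTED to mirror the
layout of the complaint in the thread; it is not the real report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Services behind the ports a home device is most often reported for.
PORT_SERVICES = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
                 2323: "telnet (alternate)", 5555: "adb"}

# The complaint is raised once four distinct (src, dst, dport) tuples are seen.
REPORT_THRESHOLD = 4

# RFC 1918 ranges: what a home router's LAN-side log shows instead of the WAN IP.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 203.0.113.10 stands in for the redacted source address,
# destinations use documentation ranges, one of them IPv6 to show '::' handling.
SAMPLE_REPORT = """\
Timestamp                SrcIP          SrcPort DstIP          DstPort
2026-05-04T10:31:16.818Z 203.0.113.10   64644   198x51x100x11  23
2026-05-04T12:46:08.422Z 203.0.113.10   65179   198x51x100x67  23
2026-05-04T13:58:24.048Z 203.0.113.10   64515   198x51x100x29  23
2026-05-04T19:36:57.453Z 203.0.113.10   61451   2001xdb8xx1    23
----------------------------------------------------------------------
"""


def unredact(addr: str) -> str:
    """Reverse the reporter's redaction, in which every '.' or ':' became 'x'.
    Four decimal groups in 0..255 are read as IPv4; anything else as IPv6."""
    groups = addr.split("x")
    if len(groups) == 4 and all(g.isdigit() and int(g) <= 255 for g in groups):
        candidate = ".".join(groups)
    else:
        candidate = ":".join(groups)
    return str(ipaddress.ip_address(candidate))  # ValueError on garbage input


def _clean_ip(raw: str) -> str:
    """Normalise an address; keep the raw text if it is itself redacted
    (the thread's copy of the report reads 210.XXX.XXX.XXX)."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return raw


def is_lan_address(addr: str) -> bool:
    """True for RFC 1918 addresses, i.e. what the router's LAN view shows."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_RANGES)


def parse_report(text: str) -> list:
    """Turn the incident table into rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Timestamp":
            continue
        ts, src, sport, dst, dport = parts
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
                            .replace(tzinfo=timezone.utc),
            "src": _clean_ip(src),
            "sport": int(sport),
            "dst": unredact(dst),
            "dport": int(dport),
        })
    return rows


def summarize(rows: list) -> dict:
    """Per source address: distinct tuples, whether the reporter's threshold is
    met, the services probed and the UTC window to search in router/NetFlow logs."""
    per_src = defaultdict(list)
    for r in rows:
        per_src[r["src"]].append(r)
    summary = {}
    for src, items in per_src.items():
        tuples = {(r["src"], r["dst"], r["dport"]) for r in items}
        times = [r["time"] for r in items]
        summary[src] = {
            "distinct_tuples": len(tuples),
            "meets_threshold": len(tuples) >= REPORT_THRESHOLD,
            "services": sorted({PORT_SERVICES.get(r["dport"], f"tcp/{r['dport']}")
                                for r in items}),
            "window_utc": (min(times), max(times)),
            # The report names the WAN address; LAN hosts sit behind NAT.
            "is_lan_address": is_lan_address(src),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize(parse_report(SAMPLE_REPORT)).items():
        print(src, info)
```

Because the router applies NAT, the 192.168.x.x addresses in its LAN view will never equal the source IP in the report; that source is the router's public WAN address. What can be matched are the timestamps and the destination port: a router connection log or NetFlow/sFlow export, as the complaint itself suggests, will show which LAN device was opening connections to TCP port 23 in the reported window, and that device is the one to isolate and clean.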

  • kindnesskills@literature.cafe · 8 upvotes · edited · 1 day ago

    When suspicious messages arrive: Are they providing any links or telling you how to contact them? Don’t trust it.

    I assume it’s been translated and the original language doesn’t have the written issues seen here, otherwise that’s a red flag as well (bad grammar or spelling, or seeming to explain something but not making sense to you).

    Hover over links (or long press on mobile until options pop up) to see the actual address behind the link. Look closely, small L and big I can look the same, a letter can be changed for a similar symbol, the font may be off, they may have extra letters in an address (@company.it.com), using N instead of M, etc… If it looks fine, it’s better but may still be false. Do the same with the sender’s email address and the reply-to address.

    Use a search engine to find the company website and their contact information through there. It should be the top or in the top three results. Do not click on the websites in the ad/sponsored sections at top+middle+bottom+side of the results, they can be false and pay to be there above the correct site. Do not trust the information provided by the search engine, actually click into the website and look for contact info there.

    Compare these numbers/emails with the ones in the email. If they look the same it’s a good sign - still, don’t click links or reply directly to the email.

    Only contact them through the numbers/emails provided by this website.

    If any of the above steps raises red flags, assume it’s a scam and contact the company as written below.

    Contact the company through email: Create a new email and type or copy in the address from the website. Type your message and your questions about the legitimacy of the email and then copy in the email you received below your own message.

    Contact the company through phone (I prefer this option): Call the number on the website and tell them you got a suspicious email claiming to be from them and that you want to verify.

    If you have already clicked a link, shut down your systems and your router, and use your phones to search up and contact support.

    If you haven’t clicked a link, I would still recommend you contact the company (through their website, not the email) and ask them if it’s legit, and look for the issue while you wait: look through logs and double check IPs etc. as suggested in the thread.

    The email seems directed at a company, not a private customer, so it’s quite sus. Is this actually from your ISP? Compare with your contract or payment invoices.

    But the part you pasted here doesn’t seem to have much call to action (numbers to call, links to click, steps to take to fix the reported issue), or intense and worrying/stressful language to make you act impulsively - it’s rather calm, which is good.

    If I understand correctly they claim to have blocked your access to the internet for 24 hours, is this true (in general or for any of your devices with direct network access)? If so, it seems legit (unless they then want you to pay to regain access, in which case you definitely have malware).

    If you’re contacted again with them providing you steps you need to take to unblock your access or clean/protect your devices, again be wary of links and mounting pressure to act.