You're assuming that the hunters are correct. I once had a report to me that one of my servers was spitting out spam and flooding a chap's mail server, DoS levels of spam, his recipients were getting an email every second or so. I asked for a copy of the email headers, read back through to the originating server. It wasn't one of my IP addresses. It was a random server out on the internet (mis)configured as an open relay. My domain was being spoofed. I politely pointed out that there was nothing I could do about a 3rd party server spoofing email addresses. I showed him the NSLOOKUP of our MX records we were sending emails from (and I'm pretty certain SPF, though I can't be sure that long ago, we were not on Office 365 then) to show him I had taken what steps I could from my side of things. I also pointed out that I could see the IP address was listed on several DNSBLs, so if he wanted to stop the emails at source, either block the IP in his mail server config, or firewall, or configure it with a DNSBL lookup. I even pointed him to an article online with how-to configs for most email servers out there.
Within an hour all company board members were emailed with an ALL CAPS subjected email "OFFICIAL COMPLAINT OF INACTION BY YOUR IT DEPARTMENT". Basically re-iterating what his original email said, but in stronger language, lots of CAPITALS, complaining about my inaction and competency.
I looked him up, saw that he owned an IT consultancy, professing to be an internet security professional. Then I saw his blog. He'd listed his interactions with the company I worked for and my lack of response. The blog also linked to his Twitter and social media. He was basically shouting from the rooftops.
Undeterred (and mainly because there was no GDPR back in 2011 to stop me doing this), I simply screenshotted the interaction between us and posted it in response to all his posts, along with a breakdown of where he was at fault, and recommending anyone using his services to look for someone else that can read and understand something as simple as an email header.
Couple of hours later, yet more emails ALL IN CAPS informing us he would take legal action against us immediately unless I apologised for my posts publicly, admitted I was wrong and would fix the problem.
Instead I screenshotted this, and added it to my previous posts on his blog and social media, along with a final sentence "You have 24 hours to show this interaction between us to your lawyer and someone more technically knowledgeable than you. Then, take appropriate action. Failure to do this will result in us starting legal action for defamation and/or libel".
The following day, his blog on his company website had vanished and his social media accounts were all set to private with no public posts. Even his photo had gone.
I've no problem with people reporting technical exploits, I'm grateful for it. But if someone else isn't as appreciative of your report, and you don't have the government authority to investigate it, then simply reporting it to the authorities, i.e. the ICO, and then minding your own business is safest all round for you as an individual. Or to put it another way: who are you, who made you the internet police? Be careful the real police don't end up investigating you if you keep sticking your beak in.