Hi Olaf,

I use the API from ISC SANS (http://isc.sans.edu/api ) to do some parsing for me if needed.

cat send_abusemsg.sh

#!/bin/sh
# For every offending IP, look up its abuse contact and mail the filled-in template.
for i in `cat uniq_IP_list`
do
    # The abuse contact is the text after '>' on the 'abusecontact' line of the API reply.
    abuse=`wget -O - "http://isc.sans.edu/api/ip/$i?text" | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
    # Substitute the placeholders and hand the message (headers included) to sendmail.
    cat template.txt | sed "s/%%ip%%/$i/" | sed "s/%%email%%/$abuse/" | sendmail -oi -t
done

The uniq_IP_list is a file that has the offending IP addresses, 1 IP per line.

And the mail template that I use looks something like:

cat template.txt | more

To: %%email%%
Cc: noc@<your mail domain here>
From: abuse@<your mail domain here>
Subject: IP Address %%ip%% involved in DDoS attack

Dear abusedesk,

Please take action on the following IP address: %%ip%% due to a DDoS on an IP in our network.

</snip partial SFLOW log>

The mentioned server with IP address: %%ip%% should be looked at directly as it is probably hacked or misconfigured to be abused.

Regards,
<your ISP NOC>

Does that answer your question?

Regards,
Erik Bais

From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Olaf van der Spek
Sent: Thursday 20 June 2013 10:08
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping

Hi,

I hope this is the right list for such a question.
How does one map an IP address to an abuse email address in an automated way?
I assume scripts exist, but I haven't found any. Does everyone roll their own?

--
Olaf
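
Added example, not part of either message above and not ISC's code: each entry of uniq_IP_list and the contact returned by the lookup end up inside a sed expression and a To: header, so this version of the lookup step validates both before anything is mailed. The function names and the `[abusecontact] => address` response shape (inferred from the script's grep/cut pipeline) are assumptions.

```shell
#!/bin/sh
# Added example: checks on the two untrusted values (list entry, looked-up
# contact) before they reach sed and sendmail. Function names are hypothetical.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Same grep/cut/tr extraction as the script above, reading the lookup
# response on stdin and keeping only the first match.
extract_abuse() {
    grep 'abusecontact' | cut -f2 -d'>' | tr -d ' \r' | head -n 1
}

# Accept one plain address: no whitespace, comma, '/', '&' or backslash,
# so it cannot add recipients or headers or alter the sed expression.
valid_email() {
    case "$1" in
        ''|*[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@) return 1 ;;
        *@*.*) return 0 ;;
    esac
    return 1
}

# build_report IP TEMPLATE_FILE < lookup_response
# Prints the filled-in message, or returns 1 and prints nothing.
build_report() {
    valid_ipv4 "$1" || return 1
    contact=$(extract_abuse)
    valid_email "$contact" || return 1
    sed -e "s/%%ip%%/$1/g" -e "s/%%email%%/$contact/g" "$2"
}

# In the loop: msg=$(wget -qO - "http://isc.sans.edu/api/ip/$i?text" |
#   build_report "$i" template.txt) && printf '%s\n' "$msg" | sendmail -oi -t
```

An IP with no usable contact yields no message at all, so sendmail is never invoked with an empty or malformed To: header.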