Re: [anti-abuse-wg] Automatic IP -> abuse email address mapping

20 Jun 2013

      Denis Walker wrote:
...
Dear Frank,
Hi,
...
The RIPE NCC already mirrors the other RIRs whois databases as well as
some routing registries like JPIRR and RADB. All this data is already
available with a single query and all in RIPE RPSL format. You do not
need to know which registry is the authoritative source for the
resource. That information is part of the response we return.
But these queries are restricted, because they contain personal data.
And its to MUCH information.
...
For RIPE data the abuse-c is being implemented so we will be able to
give answers to abuse contact requests for this data. The data we return
for the other RIRs contains pointers to their abuse contact details.
Sure, but what do you return when asked for aother registries ?
They dont have simply ONE place for the abuse contacts email address.
So, you return "everything", what is not usefull for end users ...
...
This data also includes information from some of the NICs who may hold
the authoritative data. For example, querying a JPNIC address in the
APNIC database includes information from the JPNIC registry.
For example (I have shortened some of the output here):
You see ?
Too much information ...

A normal lookup looks like this:
# whois.ripe 201.237.64.1
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

inetnum:        0.0.0.0 - 255.255.255.255
netname:        IANA-BLK
descr:          The whole IPv4 address space
country:        EU # Country field is actually all countries in the 
world and not just EU countries
org:            ORG-IANA1-RIPE
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
remarks:        This object represents all IPv4 addresses.
remarks:        If you see this object as a result of a single IP query, it
remarks:        means that the IP address you are querying is not managed by
remarks:        the RIPE NCC but by one of the other five RIRs. It might
remarks:        also be an address that has been reserved by the IETF as 
part
remarks:        of a protocol or test range.
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks: 
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
source:         RIPE # Filtered

organisation:   ORG-IANA1-RIPE
org-name:       Internet Assigned Numbers Authority
org-type:       IANA
address:        see http://www.iana.org
remarks:        The IANA allocates IP addresses and AS number blocks to RIRs
remarks:        see http://www.iana.org/ipaddress/ip-addresses.htm
remarks:        and http://www.iana.org/assignments/as-numbers
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 
1.66.3 (WHOIS1)

You see ?
No information about the RIR.
Its pointing to IANA !

Ok, lets ask IANA:

# whois.ripe -h whois.iana.org 201.237.64.1
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.lacnic.net

inetnum:      201.0.0.0 - 201.255.255.255
organisation: LACNIC
status:       ALLOCATED

whois:        whois.lacnic.net

changed:      2003-04
source:       IANA

Ah, LACNIC ....

Lets ask LACNIC:

# whois.ripe -h whois.lacnic.net 201.237.64.1

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2013-06-20 11:22:08 (BRT -03:00)

inetnum:     201.237.64/23
status:      reallocated
owner:       NOSARA
ownerid:     CR-NOSA-LACNIC
responsible: Desarrollo de la Red - ICE
address:     10032, 1, 1
address:     1 - Liberia -
country:     CR
phone:       +506 1 22207465 []
owner-c:     REJ
tech-c:      REJ
abuse-c:     REJ
created:     20080828
changed:     20080828
inetnum-up:  201.237/16

nic-hdl:     REJ
person:      Desarrollo de la Red - DDIBA
e-mail:      gspam@ICE.GO.CR
address:     10032-1000 San Jos###Costa Rica, 10032, San Jos###
                                                                address: 
     10032-100 - San Jos### cr
country:     CR
phone:       +506  20001123 []
created:     20041004
changed:     20120529

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Great, no abuse contact. Its just a handle with an email address.

You can to explain this to an end user ...
...
$ whois -h whois.nic.ad.jp 134.180.0.0/16/e
Network Information:
[Network Number]                134.180.0.0/16
[Network Name]
[Organization]                  SANYO Information Technology Solutions
Co., Ltd.
[Administrative Contact]        JP00018865
[Technical Contact]             JP00018865
[Abuse]                         abuse@sannet.ne.jp
[Allocated Date]                2011/09/20
[Last Update]                   2011/09/20 14:50:42(JST)
This shows the abuse contact from JPNIC as an attribute.
$ whois -h whois.apnic.net 134.180.0.0/16
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints :
abuse@sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        hostmaster@arin.net 19990719
changed:        hm-changed@apnic.net 20031111
changed:        hm-changed@apnic.net 20040926
changed:        hm-changed@apnic.net 20041214
changed:        ip-apnic@nic.ad.jp 20050406
changed:        hm-changed@apnic.net 20050407
changed:        ip-apnic@nic.ad.jp 20110920
source:         APNIC
This shows the same abuse contact as a remarks: attribute
$ whois -h whois.ripe.net --resource 134.180.0.0/16
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        DUMY-RIPE
tech-c:         DUMY-RIPE
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints :
abuse@sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        unread@ripe.net 20000101
source:         APNIC-GRS
So using the RIPE GRS also gives you the abuse contact from JPNIC for
this resource.
For more details see the new RIPE Labs article next week.
Again, too complicated, too much information.
Not usefull for end users or admin, that are not
familiar with all this.

Kind regards, Frank
...
Regards
Denis Walker
Business Analyst
RIPE NCC Database Team
On 20/06/2013 13:53, Frank Gadegast wrote:
...
Denis Walker wrote:
...
Dear Frank,
Hi Denis,
Im not sure, if this coveres what I would like to have,
simply because you have to know to wich RIR the network
belongs first.
Its quite complicated to
- look the RIR up at whois.iana.org first,
   defny needed for ERX networks
- make the whois at the RIR (and usally find, that
   it sub-deligated the whois to a another RIR like
   BRNIC or KRNIC
- and end up wich 10 different output formats
You cant explain that procedure to an end user ...
But maybe I understood your interface wrong, and
I can really enter an IP at the GRS service
and get the abuse contact email addresses ...
And I know through the expiriences with our normal
customer users, that they simply do not report spam,
because they have no single place to look it up, and
then do not know, where they should send an abuse complaint
to.
Normal users are always quite puzzled, when you tell
them about whois services, RIRs aso, they have
no idea about it, simply because they never heard
anything about RIPE, IANA aso ...
Most dont even know, what an IP address is ...
Its hard enough to tell them how to find the
abusive IP in an mail header ...
And thats why eople use services like SpamCop,
they simply put the spam in a web form, and
they do the rest (ok, not perfect, but handy
anyway).
iana should have such a central service ...
Kind regards, Frank
...
The RIPE NCC has a Global Resource Service (GRS) where you can perform
unlimited queries on operational data from all the 5 RIRs and all
responses are returned in RIPE RPSL format. You can script your queries
against the RIPE GRS using our API.
I am, at this very moment, writing a new RIPE Labs article with all the
latest details and improvements we have made recently to this service.
We expect to publish this article next week.
Regards
Denis Walker
Business Analyst
RIPE NCC Database Team
On 20/06/2013 11:17, Frank Gadegast wrote:
...
Olaf van der Spek wrote:
...
Hi,
I hope this is the right list for such a question.
How does one map an IP address to an abuse email address in an
automated
way?
I assume scripts exist, but I haven't found any. Does everyone roll
their own?
There are no public script to my knowledge
This kind of automatic mapping is quite complicated and
mostly internal know-how of f.e. blacklists, that do
automatic reporting.
The steps to do it are something like this:
- first you need to identify, wich RIR is responsible for the
   IP/netblock, this is tricky, because there more RIRs like
   only RIPE, ARIN, LACNIC, AFRNINIC and APNIC, that actually
   hold the information you need (f.e. KRNIC and BRNIC aso) and because
   there are early registration networks, that usally do not
   belong to the RIR you would expect
- all whois interfaces at the RIRs are different, parsing is
   difficult, different options too and all have different regulations
   and fields with even dubled content
- then there are limits, how many whois queries you can do
We have a pearl-script doing all this with over
3000 lines of code, and this code has to be adjusted
nearly every month ...
It would be a dream, if this group could discuss
a standard whois output format for all RIRs.
And the final step could be a centralized whois, anybody
could ask for the abuse contact covering the data
of all RIRs.
Kind regards, Frank
Network Operation Center - PowerWeb
--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank@powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
...
--
Olaf