Automatic IP -> abuse email address mapping
Hi, I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. Does everyone roll their own? -- Olaf
Hi Olaf,

I use the API from ISC SANS (http://isc.sans.edu/api) to do some parsing for me if needed.

cat send_abusemsg.sh

```sh
#!/bin/sh
# uniq_IP_list holds the offending IP addresses, one per line
while read -r ip; do
    [ -n "$ip" ] || continue
    abuse=$(wget -q -O - "http://isc.sans.edu/api/ip/$ip?text" | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' ')
    # do not send a report with an empty To: when the API returns no contact
    if [ -z "$abuse" ]; then
        echo "no abuse contact found for $ip, skipping" >&2
        continue
    fi
    sed -e "s/%%ip%%/$ip/g" -e "s/%%email%%/$abuse/g" template.txt | sendmail -oi -t
done < uniq_IP_list
```

The uniq_IP_list is a file that has the offending IP addresses, 1 IP per line, and the mail template that I use looks something like:

```
To: %%email%%
Cc: noc@<your mail domain here>
From: abuse@<your mail domain here>
Subject: IP Address %%ip%% involved in DDoS attack

Dear abusedesk,

Please take action on the following IP address: %%ip%% due to a DDoS on an IP in our network.

</snip partial SFLOW log>

The mentioned server with IP address %%ip%% should be looked at directly as it is probably hacked or misconfigured to be abused.

Regards,
<your ISP NOC>
```

Does that answer your question?

Regards,
Erik Bais

From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Olaf van der Spek
Sent: Thursday 20 June 2013 10:08
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
[...]
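The same lookup-and-report step as added example code, not Erik's script and not anything published by ISC: it takes the XML reply of the ISC /api/ip/<ip> call, refuses to build a report when no contact comes back (the empty-To: case) and only accepts a bare mailbox as the contact, so a malformed or hostile API value cannot become an extra mail header. Assumptions: the reply layout (an `<abusecontact>` child of `<ip>`) is inferred from the grep in the script; the sample replies, the `example.net` addresses and the evidence line are constructed for the example.

```python
"""Added example (not Erik's script): ISC lookup + templated report that
fails closed when the API returns no abuse contact."""
import ipaddress
import re
import subprocess
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Deliberately strict: one plain mailbox, no display name, no whitespace,
# so an API value can never smuggle a second header line into the mail.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

TEMPLATE = """Dear abusedesk,

Please take action on the following IP address: {ip} due to a DDoS on an IP in our network.

{evidence}

The mentioned server with IP address {ip} should be looked at directly as it is probably hacked or misconfigured to be abused.

Regards,
Example NOC
"""


def abuse_contact_from_isc_xml(xml_text):
    """Return the <abusecontact> address from an ISC /api/ip/<ip> reply,
    or None when the element is missing, empty or not a bare address."""
    root = ET.fromstring(xml_text)
    node = root.find("abusecontact")          # assumed element name
    if node is None or node.text is None:
        return None
    addr = node.text.strip()
    return addr if ADDR_RE.fullmatch(addr) else None


def build_report(ip, abuse_addr, evidence,
                 sender="abuse@example.net", cc="noc@example.net"):
    """Build the report as an EmailMessage.  Raises ValueError instead of
    producing a message with an empty or malformed To: header."""
    ip = str(ipaddress.ip_address(ip))        # rejects anything that is not an IP
    if not abuse_addr or not ADDR_RE.fullmatch(abuse_addr):
        raise ValueError("no usable abuse contact for %s" % ip)
    msg = EmailMessage()
    msg["To"] = abuse_addr
    msg["Cc"] = cc
    msg["From"] = sender
    msg["Subject"] = "IP Address %s involved in DDoS attack" % ip
    msg.set_content(TEMPLATE.format(ip=ip, evidence=evidence))
    return msg


def report_from_isc_reply(ip, xml_text, evidence):
    """Lookup + report in one step; None when the reply carries no contact
    (the case Frank points out below for 5.76.13.127)."""
    addr = abuse_contact_from_isc_xml(xml_text)
    if addr is None:
        return None
    return build_report(ip, addr, evidence)


def send(msg):
    """Hand a finished report to the local MTA the way Erik's script does."""
    subprocess.run(["sendmail", "-oi", "-t"], input=msg.as_bytes(), check=True)


# Constructed sample replies (not real ISC output).  The first mirrors the
# contact-less reply Frank quotes; the others add a contact / an injection.
NO_CONTACT = ("<ip><number>5.76.13.127</number><count>0</count><attacks>0</attacks>"
              "<country>KZ</country><as>9198</as><network>5.76.0.0/16</network>"
              "<comment/></ip>")
WITH_CONTACT = ("<ip><number>192.0.2.10</number><count>3</count>"
                "<abusecontact>abuse@example.org</abusecontact></ip>")
INJECTED = ("<ip><number>192.0.2.11</number>"
            "<abusecontact>abuse@example.org\nBcc: x@example.org</abusecontact></ip>")

if __name__ == "__main__":
    evidence = "(constructed) 2013-06-20 10:00 UDP 192.0.2.10 -> 198.51.100.7 flood"
    for ip, xml in (("5.76.13.127", NO_CONTACT), ("192.0.2.10", WITH_CONTACT)):
        msg = report_from_isc_reply(ip, xml, evidence)
        print(ip, "->", msg["To"] if msg else "no contact, not sent")
```

Run without arguments it only prints which of the two constructed replies would have produced a report; `send()` is never called in the demo. The point of the strict address check is the `-t` flag: sendmail reads the recipients from the headers, so whatever the API returns ends up parsed as a header.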
Erik Bais wrote:
Hi Olaf,
Hi, this interface does not find all possible abuse contacts; an example for http://isc.sans.edu/api/ip/5.76.13.127:

```xml
<ip><number>5.76.13.127</number><count>0</count><attacks>0</attacks><maxdate>0</maxdate><mindate>0</mindate><updated>0</updated><country> KZ </country><as>9198 </as><asname> KAZTELECOM-AS JSC Kazakhtelecom</asname><network> 5.76.0.0/16 </network><comment/></ip>
```

No abuse contact, whereas a

```
# whois.ripe -b 5.76.13.127
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse.spam@telecom.kz
```

finds one ...

Kind regards, Frank
Olaf van der Spek wrote:
Hi,
I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. Does everyone roll their own?
There are no public scripts to my knowledge. This kind of automatic mapping is quite complicated and mostly internal know-how of e.g. blacklists that do automatic reporting.

The steps to do it are something like this:
- first you need to identify which RIR is responsible for the IP/netblock; this is tricky, because there are more RIRs than only RIPE, ARIN, LACNIC, AFRINIC and APNIC that actually hold the information you need (e.g. KRNIC and BRNIC and so on), and because there are early registration networks that usually do not belong to the RIR you would expect
- all whois interfaces at the RIRs are different, parsing is difficult, the options differ too, and all have different regulations and fields, even with doubled content
- then there are limits on how many whois queries you can do

We have a Perl script doing all this with over 3000 lines of code, and this code has to be adjusted nearly every month ...

It would be a dream if this group could discuss a standard whois output format for all RIRs. And the final step could be a centralized whois, where anybody could ask for the abuse contact, covering the data of all RIRs.

Kind regards, Frank
Network Operation Center - PowerWeb

--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb                         http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast                 mailto:frank@powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
On 20 Jun 2013, at 10:17, Frank Gadegast wrote:
And the final step could be a centralized whois, anybody could ask for the abuse contact covering the data of all RIRs.
Distributed, or actually centralized? Perhaps it would be useful to consider generalizing the referral mechanism described in 2.11 of the RIPE Database Query Reference Manual? /Niall
Distributed, or actually centralized?
One source, but it could be distributed and mirrored anyway ...
Perhaps it would be useful to consider generalizing the referral mechanism described in 2.11 of the RIPE Database Query Reference Manual?
The main problem is that IANA should be responsible for that, but they will not create a technical service for the public. A local RIR should not be responsible for abuse contacts for the world's networks, but we do need a single starting point for all who would like to report abuse. One whois covering all RIRs' whois services in one place would be great, distributed via DNS even better ...

Kind regards, Frank
Hi Frank, Frank Gadegast wrote: [...]
Perhaps it would be useful to consider generalizing the referral mechanism described in 2.11 of the RIPE Database Query Reference Manual?
The main problem is, that IANA should be responsible for that, but they will not create a technical service for the public.
Can you please expand upon that? ICANN currently provide a whois service (whois.iana.org) which provides the same information as is found in the registries we publish. If there is a strong demand for improvements to the service then please let us know. Kind regards, Leo Vegoda
Leo Vegoda wrote:
Hi Frank,
Hi Leo,
Perhaps it would be useful to consider generalizing the referral mechanism described in 2.11 of the RIPE Database Query Reference Manual?
The main problem is, that IANA should be responsible for that, but they will not create a technical service for the public.
Can you please expand upon that?
Well, I might be uninformed, but when asking IANA's whois I simply get:

```
# whois.ripe -h whois.iana.org 85.237.64.1
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      85.0.0.0 - 85.255.255.255
organisation: RIPE NCC
status:       ALLOCATED
whois:        whois.ripe.net
changed:      2004-04
source:       IANA
```

So, it only tells me the responsible RIR. Now I know it's RIPE, then I have to ask RIPE (and when IANA tells me APNIC, I might have to ask APNIC first, which tells me it's KRNIC ...)

There might be more when using options, but I would like a command like the following, which would return one single line:

```
# whois -h abuse.iana.org 85.237.64.1
abuse@powerweb.de
```

So, there should be an interface between IANA and all RIRs to query abuse contacts; IANA knows at least which RIR to ask. If IANA sees an IP from RIPE, it's pretty easy: the whois could connect to whois.ripe.net, make the -b query and return a standardised line. If it's that simple with other RIRs I don't really know; e.g. ARIN still holds its abuse contacts in about 4 different places. APNIC could be pretty easy because of the IRT object; others are really hard, because even IANA probably does not know which RIR delegated which network to which sub-RIR (like BRNIC).

And the final interface should be presented under https://abuse.iana.org doing exactly the same: one sentence explaining what it's for, one field to enter an IP, one button, and following, one line as result. Simple, clean and easy to use for everyone.

Then we would have ONE single place where to look up published abuse contact email addresses. We could direct our end users to it when they would like to report abuse, and we would have one single source for automatic reporting ...
ICANN currently provide a whois service (whois.iana.org) which provides the same information as is found in the registries we publish.
"Your" information, not the abuse contacts from all RIRs' whois services, I guess (or does IANA mirror all of them?) ...
If there is a strong demand for improvements to the service then please let us know.
Yes, please (strong demand, really strong demand, the most important demand ;o) Kind regards, Frank
Hi Frank, Frank Gadegast wrote: [...]
The main problem is, that IANA should be responsible for that, but they will not create a technical service for the public.
Can you please expand upon that?
[...]
So, it only tells me the responsible RIR. Now I know it's RIPE, then I have to ask RIPE (and when IANA tells me APNIC, I might have to ask APNIC first, which tells me it's KRNIC ...)
There might be more when using options, but I would like a command like the following, which would return one single line
# whois -h abuse.iana.org 85.237.64.1 abuse@powerweb.de
So, there should be an interface between IANA and all RIRs to query abuse contacts, IANA knows at least, which RIR to ask.
We could implement an active referral service if there was strong demand for it. However, I wonder whether taping lots of whois servers together with web interfaces and scripting is the right way to go. As I understand it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be able to deliver a reply that is effectively a referral or redirect to another server" as well as supporting internationalised addresses and so forth. That might be a better way to go. Regards, Leo
Leo Vegoda wrote:
Hi Frank,
Frank Gadegast wrote:
[...]
The main problem is, that IANA should be responsible for that, but they will not create a technical service for the public.
Can you please expand upon that?
[...]
So, it only tells me the responsible RIR. Now I know it's RIPE, then I have to ask RIPE (and when IANA tells me APNIC, I might have to ask APNIC first, which tells me it's KRNIC ...)
There might be more when using options, but I would like a command like the following, which would return one single line
# whois -h abuse.iana.org 85.237.64.1 abuse@powerweb.de
So, there should be an interface between IANA and all RIRs to query abuse contacts, IANA knows at least, which RIR to ask.
We could implement an active referral service if there was strong demand for it.
The problem is how to estimate demand from people who are not "pros" and have no idea that they would probably like this central service. I believe there are no members on this list who do not know how to find an abuse contact with current tools, so this list would not be representative ... even the RIRs' members themselves would not be representative ...
However, I wonder whether taping lots of whois servers together with web interfaces and scripting is the right way to go. As I understand it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be able to deliver a reply that is effectively a referral or redirect to another server" as well as supporting internationalised addresses and so forth.
URL ?
That might be a better way to go.
But why do things always need to be complicated? Using this way, it would not work within the next 5 years ... Remember how long it took to have the abuse-c and the -b option at RIPE ... And involving groups and standards and the like would end up in an interface so complicated that it isn't useful for normal people anymore; it will be full of options, explanations, dos and don'ts, funny APIs based on pretty seldom-used standards and the like ...

The easier way would probably be:
- IANA tells the RIRs to implement a whois like the "whois -b" from RIPE, only reachable from IANA's servers (let's say until August ;o)
- IANA creates the new whois under abuse.iana.org, refers the queries and standardises the output

I would estimate about 1/2 hour of work on IANA's side ... Done, bingo.
Kind regards, Frank
Hi Frank, Frank Gadegast wrote: [...]
We could implement an active referral service if there was strong demand for it.
The problem is how to estimate demand from people who are not "pros" and have no idea that they would probably like this central service.
I wonder whether asking end users to report abuse is the right way to go. Would it not be more effective for the user to inform their service provider that a message or event is abuse and rely on the service provider to do the right thing? After all, most people ask a mechanic to service their car rather than learn how to do that. [...]
However, I wonder whether taping lots of whois servers together with web interfaces and scripting is the right way to go. As I understand it, the protocol being developed by the IETF's WEIRDS WG "SHOULD be able to deliver a reply that is effectively a referral or redirect to another server" as well as supporting internationalised addresses and so forth.
URL ?
The requirements are here: http://tools.ietf.org/id/draft-kucherawy-weirds-requirements-04.txt and the charter is here: http://tools.ietf.org/wg/weirds/charters [...]
And involving groups and standards and the like would end up in an interface so complicated that it isn't useful for normal people anymore; it will be full of options, explanations, dos and don'ts, funny APIs based on pretty seldom-used standards and the like ...
I believe that one of the requirements is that the protocol is simple and lightweight.
The easier way would probably be: - IANA tells the RIRs to implement a whois like the "whois -b" from RIPE, only reachable from IANA's servers (let's say until August ;o) - IANA creates the new whois under abuse.iana.org, refers the queries and standardises the output
In this bottom-up world the policies and requirements are given to ICANN as the IANA functions operator. ICANN doesn't command the RIRs to perform specific tasks. If you want to place a requirement on ICANN and the RIRs along the lines above, you could go down the Global Policy route and ask the ASO AC to start a global policy process. Details here: http://archive.icann.org/en/aso/aso-mou-attachmentA-29oct04.htm Regards, Leo Vegoda
Leo Vegoda wrote:
Hi Frank,
Hi,
The problem is how to estimate demand from people who are not "pros" and have no idea that they would probably like this central service.
I wonder whether asking end users to report abuse is the right way to go. Would it not be more effective for the user to inform their service provider that a message or event is abuse and rely on the service provider to do the right thing. After all, most people ask a mechanic to service their car rather than learn how to do that.
Quite right, our users simply want no spam to arrive at all. Reporting reduces spam a lot, simply because it makes the originator aware of a problem (he might fix it or not). Even our normal customers and end users are aware of this, but they have no tools to do it right and easily. SpamCop is pretty often used by our end users, simply because they paste the email or forward the spam to SpamCop and they do the rest, and it's simple to use.

Other ISPs would probably like to have such a reporting service for their customers, but struggle because of the quite complicated structure of how abuse contacts are stored all over the world (if you remember, the "automatic mapping" was the start of this discussion this morning).

abusix is a good example; they don't do some "magic". They are gluing the whois services together and it works brilliantly; I think it's the most up-to-date abuse address source currently available. But: why should everybody depend on a service someone implemented to cover the inability of the ones that ARE responsible for the resources? Hm? Why do big organizations not think like companies and simply present the best solution themselves?

So, a unique interface to "find" the abuse contact's email address, world-wide, would be a good start for ISPs and blacklists to start a reporting service, as well as for slightly advanced end users ... even think of admins in local (business) networks responsible for the spam their co-workers receive ...

And again: this whois or web interface isn't something new, nor is it something you need to ask the community for. The data is public; simply wrap it up under a unique place. You don't have to force the RIRs to implement their bit; IANA could ask them for an unrestricted whois channel and implement the parsing themselves ...
I believe that one of the requirements is that the protocols is simple and lightweight.
Sure, but it would be something new again, and would take ages ... What's wrong with something you can build today? Using whois? Anything wrong with whois? Or a web interface?
The easier way would probably be: - IANA tells the RIRs to implement a whois like the "whois -b" from RIPE, only reachable from IANA's servers (let's say until August ;o) - IANA creates the new whois under abuse.iana.org, refers the queries and standardises the output
In this bottom-up world the policies and requirements are given to ICANN as the IANA functions operator. ICANN doesn't command the RIRs to perform specific tasks.
Sure not, but sometimes policies are just "in the way". All RIRs do meet regularly, so get their admins at a little table in a bar and simply do it ... A centralized whois isn't something "new". It's just a unique way to present information that is already available, but difficult to find.
If you want to place a requirement on ICANN and the RIRs along the lines above, you could go down the Global Policy route and ask the ASO AC to start a global policy process. Details here: http://archive.icann.org/en/aso/aso-mou-attachmentA-29oct04.htm
I knew this answer would come; that's why I said in my first mail today that IANA would not implement a service for the public ... Especially because I asked IANA about 2 years ago for it, and guess what the answer was ...

Kind regards, Frank

P.S.: So, forget my query. I'm happy that I know how to find abuse contacts and can do the reporting automatically; why did I even think of asking IANA? We have automatic reporting for our customers and that gives me some kind of advantage over my competitors. Sorry, I'm so stupid ...
Hi Frank, Frank Gadegast wrote: [...]
Sure not, but sometimes policies are just "in the way". All RIRs do meet regularly, so get their admins at a little table in a bar and simply do it ... A centralized whois isn't something "new". It's just a unique way to present information that is already available, but difficult to find.
There are more than just six organisations involved. Discussions in bars are good ways to start things off but probably not the right way to come up with full plans for an integrated service that is intended to last for a decade or more. The discussion on how best to implement the kind of service you've described is already happening in the IETF's WEIRDS WG. I doubt people would go to the effort to draft, review and redraft documents if reaching agreement and implementing the service was something that could be done in an evening. Regards, Leo
Hi there,
I wonder whether asking end users to report abuse is the right way to go. Would it not be more effective for the user to inform their service provider that a message or event is abuse and rely on the service provider to do the right thing. After all, most people ask a mechanic to service their car rather than learn how to do that.
I fully agree. There are several services out there that offer this kind of reporting. Big ISPs do this in an automatic way via feedback loops. Other services come with plugins for mail clients, or copy&paste website solutions. There is IMHO no need to make this process understandable and workable for everybody. At least not until it is working and understandable for technical people.

Thanks, Tobias
I figure this is as good a place as any to ask. Spam to my e-mail addresses has stopped more or less cold. Up until about June/July this year I received about 1 - 2 dozen spam messages per day. Since then, just about nothing. It took me a while to realize that it has stopped, but it got me wondering why. Has anyone else seen a similar decrease?

Arnold
-- Fight Spam - report it with wxSR 0.6 ready for Vista & Win7 http://www.columbinehoney.net/wxSR.shtml
On 6/20/2013 4:05 AM, Leo Vegoda wrote:
ICANN currently provide a whois service (whois.iana.org) which provides the same information as is found in the registries we publish. If there is a strong demand for improvements to the service then please let us know.

FWIW, my spam reporter utility - see my signature - does use the IANA database to identify, where possible, the e-mail address to which any abuse report should be made.

Arnold
-- Fight Spam - report it with wxSR 0.6 ready for Vista & Win7 http://www.columbinehoney.net/wxSR.shtml
Dear Frank,

The RIPE NCC has a Global Resource Service (GRS) where you can perform unlimited queries on operational data from all 5 RIRs, and all responses are returned in RIPE RPSL format. You can script your queries against the RIPE GRS using our API.

I am, at this very moment, writing a new RIPE Labs article with all the latest details and improvements we have made recently to this service. We expect to publish this article next week.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Team

On 20/06/2013 11:17, Frank Gadegast wrote:
[...]
Denis Walker wrote:
Dear Frank,
Hi Denis,

I'm not sure if this covers what I would like to have, simply because you have to know to which RIR the network belongs first. It's quite complicated to
- look the RIR up at whois.iana.org first, definitely needed for ERX networks
- make the whois query at the RIR (and usually find that it sub-delegated the whois to another RIR like BRNIC or KRNIC)
- and end up with 10 different output formats

You can't explain that procedure to an end user ...

But maybe I understood your interface wrong, and I can really enter an IP at the GRS service and get the abuse contact email addresses ...

And I know through the experiences with our normal customer users that they simply do not report spam, because they have no single place to look it up, and then do not know where they should send an abuse complaint to. Normal users are always quite puzzled when you tell them about whois services, RIRs and so on; they have no idea about it, simply because they have never heard anything about RIPE, IANA and so on ... Most don't even know what an IP address is ... It's hard enough to tell them how to find the abusive IP in a mail header ...

And that's why people use services like SpamCop: they simply put the spam in a web form, and they do the rest (ok, not perfect, but handy anyway).

IANA should have such a central service ...

Kind regards, Frank

[...]
Dear Frank, The RIPE NCC already mirrors the other RIRs whois databases as well as some routing registries like JPIRR and RADB. All this data is already available with a single query and all in RIPE RPSL format. You do not need to know which registry is the authoritative source for the resource. That information is part of the response we return. For RIPE data the abuse-c is being implemented so we will be able to give answers to abuse contact requests for this data. The data we return for the other RIRs contains pointers to their abuse contact details. This data also includes information from some of the NICs who may hold the authoritative data. For example, querying a JPNIC address in the APNIC database includes information from the JPNIC registry. For example (I have shortened some of the output here): $ whois -h whois.nic.ad.jp 134.180.0.0/16/e Network Information: [Network Number] 134.180.0.0/16 [Network Name] [Organization] SANYO Information Technology Solutions Co., Ltd. [Administrative Contact] JP00018865 [Technical Contact] JP00018865 [Abuse] abuse@sannet.ne.jp [Allocated Date] 2011/09/20 [Last Update] 2011/09/20 14:50:42(JST) This shows the abuse contact from JPNIC as an attribute. $ whois -h whois.apnic.net 134.180.0.0/16 inetnum: 134.180.0.0 - 134.180.255.255 netname: SANNET descr: SANYO Information Technology Solutions Co., Ltd. 
descr: 2-5-5, Keihan-Hondori, descr: Moriguchi-shi,Osaka 570-8686, Japan country: JP admin-c: JNIC1-AP tech-c: JNIC1-AP status: ALLOCATED PORTABLE remarks: Email address for spam or abuse complaints : abuse@sannet.ne.jp mnt-irt: IRT-JPNIC-JP mnt-by: MAINT-JPNIC mnt-lower: MAINT-JPNIC changed: hostmaster@arin.net 19990719 changed: hm-changed@apnic.net 20031111 changed: hm-changed@apnic.net 20040926 changed: hm-changed@apnic.net 20041214 changed: ip-apnic@nic.ad.jp 20050406 changed: hm-changed@apnic.net 20050407 changed: ip-apnic@nic.ad.jp 20110920 source: APNIC This shows the same abuse contact as a remarks: attribute $ whois -h whois.ripe.net --resource 134.180.0.0/16 inetnum: 134.180.0.0 - 134.180.255.255 netname: SANNET descr: SANYO Information Technology Solutions Co., Ltd. descr: 2-5-5, Keihan-Hondori, descr: Moriguchi-shi,Osaka 570-8686, Japan country: JP admin-c: DUMY-RIPE tech-c: DUMY-RIPE status: ALLOCATED PORTABLE remarks: Email address for spam or abuse complaints : abuse@sannet.ne.jp mnt-irt: IRT-JPNIC-JP mnt-by: MAINT-JPNIC mnt-lower: MAINT-JPNIC changed: unread@ripe.net 20000101 source: APNIC-GRS So using the RIPE GRS also gives you the abuse contact from JPNIC for this resource. For more details see the new RIPE Labs article next week. Regards Denis Walker Business Analyst RIPE NCC Database Team On 20/06/2013 13:53, Frank Gadegast wrote:
Denis Walker wrote:
Dear Frank,
Hi Denis,
I'm not sure if this covers what I would like to have, simply because you have to know which RIR the network belongs to first.
It's quite complicated to:
- look the RIR up at whois.iana.org first, definitely needed for ERX networks
- make the whois query at the RIR (and usually find that it sub-delegated the whois to another RIR like BRNIC or KRNIC)
- and end up with 10 different output formats
You can't explain that procedure to an end user ...
But maybe I understood your interface wrong, and I can really enter an IP at the GRS service and get the abuse contact email addresses ...
And I know through the experiences with our normal customer users that they simply do not report spam, because they have no single place to look it up, and then do not know where they should send an abuse complaint to.
Normal users are always quite puzzled when you tell them about whois services, RIRs and so on; they have no idea about it, simply because they never heard anything about RIPE, IANA and so on ... Most don't even know what an IP address is ... It's hard enough to tell them how to find the abusive IP in a mail header ...
And that's why people use services like SpamCop: they simply put the spam in a web form, and they do the rest (ok, not perfect, but handy anyway).
IANA should have such a central service ...
Kind regards, Frank
The RIPE NCC has a Global Resource Service (GRS) where you can perform unlimited queries on operational data from all the 5 RIRs and all responses are returned in RIPE RPSL format. You can script your queries against the RIPE GRS using our API.
I am, at this very moment, writing a new RIPE Labs article with all the latest details and improvements we have made recently to this service. We expect to publish this article next week.
Regards Denis Walker Business Analyst RIPE NCC Database Team
On 20/06/2013 11:17, Frank Gadegast wrote:
Olaf van der Spek wrote:
Hi,
I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. Does everyone roll their own?
There are no public scripts to my knowledge.
This kind of automatic mapping is quite complicated and mostly internal know-how of e.g. blacklists that do automatic reporting.
The steps to do it are something like this:
- first you need to identify which RIR is responsible for the IP/netblock; this is tricky, because there are more RIRs than only RIPE, ARIN, LACNIC, AFRINIC and APNIC that actually hold the information you need (e.g. KRNIC and BRNIC and so on), and because there are early registration networks that usually do not belong to the RIR you would expect
- all whois interfaces at the RIRs are different, parsing is difficult, different options too, and all have different regulations and fields with even doubled content
- then there are limits on how many whois queries you can do
We have a Perl script doing all this with over 3000 lines of code, and this code has to be adjusted nearly every month ...
It would be a dream if this group could discuss a standard whois output format for all RIRs. And the final step could be a centralized whois, where anybody could ask for the abuse contact covering the data of all RIRs.
Kind regards, Frank
Network Operation Center - PowerWeb
--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
-- Olaf
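As an added, constructed example (not code from the thread, from PowerWeb or from the RIPE NCC): a small offline parser for the three output shapes quoted in this exchange, which follows IANA's `refer:` line to the responsible RIR and then extracts an abuse address from RPSL `key: value` objects (including LACNIC's `abuse-c:` handle resolved through `nic-hdl:`) or from JPNIC's `[Abuse]` bracket field, in roughly the order of steps Frank describes. The sample responses are shortened copies of the outputs quoted above, and `canned_fetch` stands in for the network transport, so nothing here performs a real whois query.

```python
# Added, constructed example: offline parser for the whois formats quoted in
# this thread. Samples are shortened copies of the quoted output; no network.
import ipaddress
import re

IANA_REFERRAL = """\
% IANA WHOIS server
refer:        whois.lacnic.net
source:       IANA
"""
APNIC_RPSL = """\
inetnum:   134.180.0.0 - 134.180.255.255
remarks:   Email address for spam or abuse complaints : abuse@sannet.ne.jp
mnt-irt:   IRT-JPNIC-JP
source:    APNIC
"""
JPNIC_BRACKETS = """\
Network Information:
[Network Number]         134.180.0.0/16
[Abuse]                  abuse@sannet.ne.jp
"""
LACNIC_RPSL = """\
% Joint Whois - whois.lacnic.net
inetnum:   201.237.64/23
owner-c:   REJ
abuse-c:   REJ

nic-hdl:   REJ
person:    Desarrollo de la Red - DDIBA
e-mail:    gspam@ICE.GO.CR
"""
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def parse_rpsl(text):
    """Split 'key: value' output into blank-line separated objects, each a
    list of (key, value) pairs; '%' and '#' lines are server comments."""
    objects = [[]]
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if objects[-1]:
                objects.append([])
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            objects[-1].append((key.strip().lower(), value.strip()))
    return [obj for obj in objects if obj]

def parse_jpnic(text):
    """Parse JPNIC's '[Field] value' lines into a dict with lower-case keys."""
    return {m.group(1).strip().lower(): m.group(2).strip()
            for m in re.finditer(r"^\[([^\]]+)\]\s*(.*)$", text, re.M)}

def referral_server(iana_text):
    """Return the RIR whois server named by IANA's refer:/whois: attribute."""
    for obj in parse_rpsl(iana_text):
        for key, value in obj:
            if key in ("refer", "whois"):
                return value
    return None

def abuse_contact(text):
    """Return (email, how_found), most explicit source first: JPNIC [Abuse],
    abuse-c: resolved via nic-hdl:/e-mail:, then a remarks: line naming abuse."""
    if "[Abuse]" in text:
        email = parse_jpnic(text).get("abuse")
        if email:
            return email, "[Abuse]"
    objects = parse_rpsl(text)
    flat = [kv for obj in objects for kv in obj]
    handles = {value for key, value in flat if key == "abuse-c"}
    for obj in objects:
        attrs = dict(obj)
        if attrs.get("nic-hdl") in handles and attrs.get("e-mail"):
            return attrs["e-mail"], "abuse-c -> nic-hdl"
    for key, value in flat:
        if key == "remarks" and "abuse" in value.lower():
            found = EMAIL_RE.search(value)
            if found:
                return found.group(0), "remarks"
    return None, None

def resolve_abuse(ip, fetch):
    """Validate the address (IPv4 or IPv6), ask IANA which RIR holds it, then
    extract the contact from that RIR's reply; fetch(server, query) is the transport."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None, "not a valid IPv4/IPv6 address"
    server = referral_server(fetch("whois.iana.org", ip))
    if server is None:
        return None, "no referral from IANA"
    return abuse_contact(fetch(server, ip))

def canned_fetch(server, query):
    """Constructed stand-in for the network: returns the canned reply, if any."""
    return {("whois.iana.org", "201.237.64.1"): IANA_REFERRAL,
            ("whois.lacnic.net", "201.237.64.1"): LACNIC_RPSL}.get((server, query), "")
```

A real deployment would replace `canned_fetch` with a rate-limited whois client and still need a fallback for registries whose output matches none of these shapes.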
Denis Walker wrote:
Dear Frank,
Hi,
The RIPE NCC already mirrors the other RIRs whois databases as well as some routing registries like JPIRR and RADB. All this data is already available with a single query and all in RIPE RPSL format. You do not need to know which registry is the authoritative source for the resource. That information is part of the response we return.
But these queries are restricted, because they contain personal data. And it's too MUCH information.
For RIPE data the abuse-c is being implemented so we will be able to give answers to abuse contact requests for this data. The data we return for the other RIRs contains pointers to their abuse contact details.
Sure, but what do you return when asked for other registries? They don't have simply ONE place for the abuse contact's email address. So you return "everything", which is not useful for end users ...
This data also includes information from some of the NICs who may hold the authoritative data. For example, querying a JPNIC address in the APNIC database includes information from the JPNIC registry.
For example (I have shortened some of the output here):
You see? Too much information ...

A normal lookup looks like this:

# whois.ripe 201.237.64.1
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country field is actually all countries in the world and not just EU countries
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: This object represents all IPv4 addresses.
remarks: If you see this object as a result of a single IP query, it
remarks: means that the IP address you are querying is not managed by
remarks: the RIPE NCC but by one of the other five RIRs. It might
remarks: also be an address that has been reserved by the IETF as part
remarks: of a protocol or test range.
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered

organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/ipaddress/ip-addresses.htm
remarks: and http://www.iana.org/assignments/as-numbers
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.66.3 (WHOIS1)

You see? No information about the RIR. It's pointing to IANA!

Ok, let's ask IANA:

# whois.ripe -h whois.iana.org 201.237.64.1
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.lacnic.net

inetnum: 201.0.0.0 - 201.255.255.255
organisation: LACNIC
status: ALLOCATED

whois: whois.lacnic.net

changed: 2003-04
source: IANA

Ah, LACNIC .... Let's ask LACNIC:

# whois.ripe -h whois.lacnic.net 201.237.64.1
% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries
% LACNIC resource: whois.lacnic.net
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2013-06-20 11:22:08 (BRT -03:00)

inetnum: 201.237.64/23
status: reallocated
owner: NOSARA
ownerid: CR-NOSA-LACNIC
responsible: Desarrollo de la Red - ICE
address: 10032, 1, 1
address: 1 - Liberia -
country: CR
phone: +506 1 22207465 []
owner-c: REJ
tech-c: REJ
abuse-c: REJ
created: 20080828
changed: 20080828
inetnum-up: 201.237/16

nic-hdl: REJ
person: Desarrollo de la Red - DDIBA
e-mail: gspam@ICE.GO.CR
address: 10032-1000 San José, Costa Rica, 10032, San José
address: 10032-100 - San José cr
country: CR
phone: +506 20001123 []
created: 20041004
changed: 20120529

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

Great, no abuse contact. It's just a handle with an email address. You can't explain this to an end user ...
$ whois -h whois.nic.ad.jp 134.180.0.0/16/e
Network Information:
[Network Number] 134.180.0.0/16
[Network Name]
[Organization] SANYO Information Technology Solutions Co., Ltd.
[Administrative Contact] JP00018865
[Technical Contact] JP00018865
[Abuse] abuse@sannet.ne.jp
[Allocated Date] 2011/09/20
[Last Update] 2011/09/20 14:50:42(JST)

This shows the abuse contact from JPNIC as an attribute.

$ whois -h whois.apnic.net 134.180.0.0/16
inetnum: 134.180.0.0 - 134.180.255.255
netname: SANNET
descr: SANYO Information Technology Solutions Co., Ltd.
descr: 2-5-5, Keihan-Hondori,
descr: Moriguchi-shi,Osaka 570-8686, Japan
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints : abuse@sannet.ne.jp
mnt-irt: IRT-JPNIC-JP
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
changed: hostmaster@arin.net 19990719
changed: hm-changed@apnic.net 20031111
changed: hm-changed@apnic.net 20040926
changed: hm-changed@apnic.net 20041214
changed: ip-apnic@nic.ad.jp 20050406
changed: hm-changed@apnic.net 20050407
changed: ip-apnic@nic.ad.jp 20110920
source: APNIC

This shows the same abuse contact as a remarks: attribute.

$ whois -h whois.ripe.net --resource 134.180.0.0/16
inetnum: 134.180.0.0 - 134.180.255.255
netname: SANNET
descr: SANYO Information Technology Solutions Co., Ltd.
descr: 2-5-5, Keihan-Hondori,
descr: Moriguchi-shi,Osaka 570-8686, Japan
country: JP
admin-c: DUMY-RIPE
tech-c: DUMY-RIPE
status: ALLOCATED PORTABLE
remarks: Email address for spam or abuse complaints : abuse@sannet.ne.jp
mnt-irt: IRT-JPNIC-JP
mnt-by: MAINT-JPNIC
mnt-lower: MAINT-JPNIC
changed: unread@ripe.net 20000101
source: APNIC-GRS
So using the RIPE GRS also gives you the abuse contact from JPNIC for this resource.
For more details see the new RIPE Labs article next week.
Again, too complicated, too much information. Not useful for end users or admins who are not familiar with all this. Kind regards, Frank
Regards Denis Walker Business Analyst RIPE NCC Database Team
Denis Walker wrote:
Dear Frank,
BTW: there is still no simple form under www.ripe.net (maybe upper right corner, directly under the search field) that says: enter an abusive IP address here, and we tell you where to send an abuse report to ___ ___ ___ ___ (get abuse contact email address). This should be technically pretty easy, because whois -b is in place, but an end user would never use a whois service and play with options ... So: we cannot even send end customers to www.ripe.net ... Kind regards, Frank
Hi, On Thu, Jun 20, 2013 at 02:00:32PM +0200, Frank Gadegast wrote:
enter an abusive IP address here, and we tell you, where to send an abuse report to ___ ___ ___ ___ (get abuse contact email address)
What sort of input field would that be? IP addresses are no longer fitting into 4 groups of 3 digits. Just because *you* do not see abuse coming from IPv6 addresses... Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
Gert Doering wrote:
Hi,
On Thu, Jun 20, 2013 at 02:00:32PM +0200, Frank Gadegast wrote:
enter an abusive IP address here, and we tell you, where to send an abuse report to ___ ___ ___ ___ (get abuse contact email address)
What sort of input field would that be? IP addresses are no longer fitting into 4 groups of 3 digits.
Just because *you* do not see abuse coming from IPv6 addresses...
Hm ... maybe because this is only a fuzzy idea floating in my head, not a final draft ?
Gert Doering -- NetMaster
Kind regards, Frank
Hi Frank and list, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
but an end user would never us a whois service and play with options ...
I won't bother you with the entirety of a rather scary story, but I've had a colleague listed as admin-c for a large dial-in address pool. One day he received a death threat by some end user who assumed him to be responsible for something someone has done using one of these addresses (details over a beer at the next RIPE meeting if you press me). If you make looking up the admin-c for an address as easy as some people here like, this will lead to a significant-to-unbearable extra burden on the people listed as admin-c; the result is rather likely that admin-c's will have no option but to resort to rather heavy automated filtering. I have significant doubt that this is in any way helpful. So please, try to find some sort of balance here. Evacuating an office until the police arrive isn't something you---or your management---want to happen more often than can be helped. Cheers, Benedikt -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
This is one of those one in a million type occurrences .. and given that your company is a listed one, so that contact information is available in a multitude of other places, that same death threat would probably have been phoned in to your office receptionist instead of your colleague, from whoever was crazy enough to make it. That does not sound like any kind of argument to do what you ask for .. and making it hard will simply add to the already extremely high quantum of abuse issues in the RIPE area. On Thursday, June 20, 2013, Benedikt Stockebrand wrote:
Hi Frank and list,
Frank Gadegast <ripe-anti-spam-wg@powerweb.de <javascript:;>> writes:
but an end user would never us a whois service and play with options ...
I won't bother you with the entirety of a rather scary story, but I've had a colleague listed as admin-c for a large dial-in address pool. One day he received a death threat by some end user who assumed him to be responsible for something someone has done using one of these addresses (details over a beer at the next RIPE meeting if you press me).
If you make looking up the admin-c for an address as easy as some people here like, this will lead to a significant-to-unbearable extra burden on the people listed as admin-c; the result is rather likely that admin-c's will have no option but to resort to rather heavy automated filtering. I have significant doubt that this is in any way helpful.
So please, try to find some sort of balance here. Evacuating an office until the police arrive isn't something you---or your management---want to happen more often than can be helped.
Cheers,
Benedikt
-- Business Grade IPv6 Consulting, Training, Projects
Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
-- --srs (iPad)
Hi Suresh and list, Suresh Ramasubramanian <ops.lists@gmail.com> writes:
This is one of those one in a million type occurences ..
So when Frank reasons that he doesn't want *any* spam to reach his customers, that's ok, but when I reason that making certain information too readily available to end users may increase the likelihood of some way more serious incidents, it's a "one in a million type occurrence"? Sorry, I can't follow that reasoning.
and given that your company is a listed one - so that contact information is available in a multitude of other places, that same death threat would probably have been phoned in to your office receptionist instead of your colleague, from whoever was crazy enough to make it.
What do you mean "would probably have"? It *has* been sent by e-mail. And as far as "crazy" goes: Being "crazy" doesn't make someone harmless.
That does not sound like any kind of argument to do what you ask for .. and making it hard will simply add to the already extremely high quantum of abuse issues in the RIPE area.
Have you actually read beyond the first paragraph of my posting? A few weeks ago a (kind of) colleague -- more of a developer -- who had detected rather persistent attacks against a customer's SIP server had his mails to abuse-c systematically ignored. When he resorted to legal means he was told "nobody here bothers to read those mails anyway" by the attacker's ISP. Please explain to me why providing an excessively easy-to-use abuse interface won't cause such an increase in workload for the recipients of that list that it becomes impossible to handle. Cheers, Benedikt -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
Benedikt Stockebrand wrote:
Hi Suresh and list,
Please explain to me why providing an excessively easy-to-use abuse interface won't cause such an increase in workload for the recipients of that list that it becomes impossible to handle.
That's the wrong starting point. If some resource holder is not willing to reduce abuse coming from his networks, there's nothing we can do. And it will not harm him to publish his abuse contact in a central space; he's not reading the abuse reports anyway ... If they ARE willing, but have a heavy workload with these abuse reports, what about if the resource holder secures his networks to reduce the abuse? This will reduce his workload and the mails he receives ASAP. And if there's no more abuse originating from his networks, he will not care if his abuse address is being published in a central space. Once he maybe reaches a point where he has no leaks in his networks anymore, he is very happy to receive reports as quickly as possible to close new security leaks ... Kind regards, Frank
Cheers,
Benedikt
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Benedikt Stockebrand wrote:
Hi Suresh and list,
Please explain to me why providing an excessively easy-to-use abuse interface won't cause such an increase in workload for the recipients of that list that it becomes impossible to handle.
That's the wrong starting point.
If some resource holder is not willing to reduce abuse coming from his networks, there's nothing we can do. And it will not harm him to publish his abuse contact in a central space; he's not reading the abuse reports anyway ...
Sorry, this is nonsense. If somebody has his home PC being part of a botnet, and someone uses that botnet to flood a victim with ping or TCP syn or <whatever> flood attacks using my IP address, then how will the mails I get as my own abuse-c find their way to the bot PC owner or his ISP's abuse-c? Your entire chain of reasoning relies on the fact that whatever IP address from an attacker your end users find in their logs identifies the abuse-c to contact. -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
Benedikt Stockebrand wrote:
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Benedikt Stockebrand wrote:
Hi Suresh and list,
Please explain to me why providing an excessively easy-to-use abuse interface won't cause such an increase in workload for the recipients of that list that it becomes impossible to handle.
That's the wrong starting point.
If some resource holder is not willing to reduce abuse coming from his networks, there's nothing we can do. And it will not harm him to publish his abuse contact in a central space; he's not reading the abuse reports anyway ...
Sorry, this is nonsense. If somebody has his home PC being part of a botnet, and someone uses that botnet to flood a victim with ping or TCP syn or <whatever> flood attacks using my IP address, then how will the mails I get as my own abuse-c find their way to the bot PC owner or his ISP's abuse-c?
Don't get the point here. If you get attacked with a whatever flood, you see the sender IP. Enter the sender IP in the central whois and write a mail to the responsible abuse-c. He can now check which user used the IP at that time and get in contact with him to fix the problem, or deny the end user's access, or ignore it, or whatever policy they run.
Your entire chain of reasoning relies on the fact that whatever IP address from an attacker your end users find in their logs identifies the abuse-c to contact.
Sure, end users aren't normally able to find the IP, but there are already tools and plugins to do this. And I still think that a central whois makes it easy to find the right contact, for end users, semi-professionals and pros ... Kind regards, Frank
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Don't get the point here.
Obviously you don't.
If you get attacked with a whatever flood, you see the sender IP.
You see the IP that the sender has configured. To spell it out just for you: If someone configures a box to use the address 62.67.229.200 and then flood pings some poor soul using that address as source, who will then get all the abuse mails you want people to force to read? Hint:

$ dig +noall +answer www.powerweb.de any
www.powerweb.de. 500 IN MX 200 mail.berlin3.powerweb.de.
www.powerweb.de. 500 IN MX 100 mail.powerweb.de.
www.powerweb.de. 500 IN A 62.67.229.200

Now do that with an entire botnet and see what happens. Or do you have any plans you didn't share yet on how to prevent attackers from using this for a new kind of Joe job?
Your entire chain of reasoning relies on the fact that whatever IP address from an attacker your end users find in their logs identifies the abuse-c to contact.
Sure, end users aren't normally able to find the IP, but there are already tools and plugins to do this.
So, more mails to abuse@powerweb.de. Which of course, since you want to force other people to read their abuse-c mail address, you will all read yourself. And if that's not enough to keep you busy: Maybe somebody with basic scripting skills takes your approach even a bit further and links his/her packet filter to script that stuffs every such packet in a mail to the "responsible" abuse-c. Happy reading.
And I still think that a central whois makes it easy to find the right contact, for end users, semi-professionals and pros ...
And the "right contact" is whoever holds the IP address used as source for some sort of attack or whatever. This is so immensely clever I'm absolutely speechless. -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
Benedikt Stockebrand wrote:
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Don't get the point here.
Obviously you don't.
If you get attacked with a whatever flood, you see the sender IP.
You see the IP that the sender has configured. To spell it out just for
Did you ever configure Netflow in your backbone? And have backbone partners that also have Netflow? You can then easily follow where it's really coming from.
you: If someone configures a box to use the address 62.67.229.200 and then flood pings some poor soul using that address as source, who will then get all the abuse mails you want people to force to read? Hint:
$ dig +noall +answer www.powerweb.de any
www.powerweb.de. 500 IN MX 200 mail.berlin3.powerweb.de.
www.powerweb.de. 500 IN MX 100 mail.powerweb.de.
www.powerweb.de. 500 IN A 62.67.229.200
Now do that with an entire botnet and see what happens.
You can with ping or other packets, when you actually do not want any packet to return to you, but with spam? Hacking? TCP flooding, password harvesting? No way, this is two-way; they need to expose the originating IP. And anti-DDoS protection is then quite easy.
Or do you have any plans you didn't share yet on how to prevent attackers from using this for a new kind of Joe job?
admins allowing ICMP to float into their backbone are, aeh, stupid.
Your entire chain of reasoning relies on the fact that whatever IP address from an attacker your end users find in their logs identifies the abuse-c to contact.
Sure, end users aren't normally able to find the IP, but there are already tools and plugins to do this.
So, more mails to abuse@powerweb.de.
Not at all. You're getting personal here, so a personal answer. There is no spam leaving our address space and nearly no other abuse problems (maybe a badly administered webspace gets hacked once or twice a year, but then I'm really happy about every report I do get to find more details, but we usually find and repair these kinds of problems BEFORE any report or complaint reaches us). So: clean network, no work. Because you got personal, here is a little homework: try and find any of our IP addresses on a blacklist ... BTW: I checked (probably one of some) /28 that you're using and found 3 IPs on only one blacklist nobody is really using; you shouldn't get too many mails for that (probably because you aren't the abuse contact for that block yourself, but your ISP is :o). And surprise, surprise, no spam ever reached us from your ISP's networks, impressive. They shouldn't get so many complaints either ...
Which of course, since you want to force other people to read their abuse-c mail address, you will all read yourself.
Sure, I like that, and it's not too much for me to read about 10 mails a year, and even reply to those 5 that think the abuse was coming from us, explaining to them that it wasn't and why it wasn't.
And if that's not enough to keep you busy: Maybe somebody with basic scripting skills takes your approach even a bit further and links his/her packet filter to script that stuffs every such packet in a mail to the "responsible" abuse-c. Happy reading.
Happy filtering ...
And I still think that a central whois makes it easy to find the right contact, for end users, semi-professionals and pros ...
And the "right contact" is whoever holds the IP address used as source for some sort of attack or whatever. This is so immensely clever I'm absolutely speechless.
How often does that really happen, aeh ? Compared to all those bots where precise reports get sent to the right person, but who simply do nothing and then complain about "so many reports". Again, clean, close and protect your network, educate your customers, clean your hacked homepages, kill the bots together with your customers and you're done. You will not get a lot to read anymore ... Kind regards, Frank
Frank Gadegast wrote the following on 29/06/2013 13:25:
Benedikt Stockebrand wrote:
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Not at all. Your getting personal here, so a personal answer.
Let's all take this opportunity to stop getting personal. This is a general note, but sparked by this exchange. We're all professionals. Brian Co-Chair, RIPE AA-WG
On Jun 24, 2013 4:34 PM, "Benedikt Stockebrand" <bs@stepladder-it.com> wrote:
customers, that's ok, but when I reason that making certain information too readily available to end users may increase the likelihood some way
That same information, that is, contact information about your company, is absolutely not available elsewhere? Any maniac out to issue a death threat may well use any other way to deliver that threat, rather than a ripe whois contact address
more serious incidents it's a "one in a million type occurrence"? Sorry, I can't follow that reasoning
After having worked on and managed large ISP abuse desks for millions of users for about fifteen + years, I regret to report that I have yet to receive any death threats. OK, maybe that one Nigerian in 2004 who wanted to practice voodoo on me after I killed some extremely high value accounts of his (the sort used higher up the food chain of a scam).
his mails to abuse-c systematically ignored. When he resorted to legal means he was told "nobody here bothers to read those mails anyway" by the attacker's ISP.
One incompetent or complicit ISP.. Rather more common than death threats or voodoo curses, but still no reason to suppress this information --srs
Benedikt Stockebrand wrote:
Hi Frank and list,
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
but an end user would never use a whois service and play with options ...
I won't bother you with the entirety of a rather scary story, but I've had a colleague listed as admin-c for a large dial-in address pool. One day he received a death threat by some end user who assumed him to be responsible for something someone has done using one of these addresses (details over a beer at the next RIPE meeting if you press me).
Sad, but how can you submit a death threat to a role persons (object) ?
If you make looking up the admin-c for an address as easy as some people
No, not the admin-c, the abuse contact email addresses, that are already published ...
here like, this will lead to a significant-to-unbearable extra burden on the people listed as admin-c; the result is rather likely that admin-c's will have no option but to resort to rather heavy automated filtering. I have significant doubt that this is in any way helpful.
Only the abuse email address published by the ISPs or resource holder will be available. It's up to every resource holder to publish what he thinks is accurate. Usually a role address like abuse@sitename.de or so ... Kind regards, Frank
So please, try to find some sort of balance here. Evacuating an office until the police arrive isn't something you---or your management---want to happen more often than can be helped.
Cheers,
Benedikt
Dear Colleagues, One of the changes that was made with the introduction of the "abuse-c:" attribute was to make "admin-c:" and "tech-c:" optional attributes on the ROLE object. The specific purpose of this was to allow abuse contact information to be strictly a 'role' and not force references to real people with personal details. The intention of "abuse-c:" is to clearly and simply document business contact information for a department where abuse can be reported. Even if that department is an individual, it does not need to be personal data. Regards Denis Walker Business Analyst RIPE NCC Database Team On 20/06/2013 16:15, Frank Gadegast wrote:
Benedikt Stockebrand wrote:
Hi Frank and list,
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
but an end user would never use a whois service and play with options ...
I won't bother you with the entirety of a rather scary story, but I've had a colleague listed as admin-c for a large dial-in address pool. One day he received a death threat by some end user who assumed him to be responsible for something someone has done using one of these addresses (details over a beer at the next RIPE meeting if you press me).
Sad, but how can you submit a death threat to a role persons (object) ?
If you make looking up the admin-c for an address as easy as some people
No, not the admin-c, the abuse contact email addresses, that are already published ...
here like, this will lead to a significant-to-unbearable extra burden on the people listed as admin-c; the result is rather likely that admin-c's will have no option but to resort to rather heavy automated filtering. I have significant doubt that this is in any way helpful.
Only the abuse email address published by the ISPs or resource holder will be available. It's up to every resource holder to publish what he thinks is accurate. Usually a role address like abuse@sitename.de or so ...
Kind regards, Frank
So please, try to find some sort of balance here. Evacuating an office until the police arrive isn't something you---or your management---want to happen more often than can be helped.
Cheers,
Benedikt
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Sad, but how can you submit a death threat to a role persons (object) ?
As e-mail.
If you make looking up the admin-c for an address as easy as some people
No, not the admin-c, the abuse contact email addresses, that are already published ...
Sorry, that was a typo. Same problem, however.
Only the abuse email address published by the ISPs or resource holder will be available. It's up to every resource holder to publish what he thinks is accurate. Usually a role address like abuse@sitename.de or so ...
The reason why I am so wary about this is because at that time you'd have to have a real person, with name and phone number, listed as admin-c. Things have improved since then, partly due to the introduction of abuse-c. Nevertheless, the actual problem with the idea about abuse-c being too easily accessible still remains: People who don't really know what they are doing will find that interface and cause additional work to the people on the receiving end of the abuse-c mail queue. -- Business Grade IPv6 Consulting, Training, Projects Benedikt Stockebrand, Dipl.-Inform. http://www.stepladder-it.com/
Benedikt Stockebrand wrote:
Frank Gadegast <ripe-anti-spam-wg@powerweb.de> writes:
Sad, but how can you submit a death threat to a role persons (object) ?
As e-mail.
There is no such "person" under a role object. Sure, you can send an email "I kill you all there at this company", but ...
The reason why I am so wary about this is because at that time you'd have to have a real person, with name and phone number, listed as admin-c. Things have improved since then, partly due to the introduction of abuse-c.
Exactly. Now you can hide some more personal information.
Nevertheless, the actual problem with the idea about abuse-c being too easily accessible still remains: People who don't really know what they are doing will find that interface and cause additional work to the people on the receiving end of the abuse-c mail queue.
Understand. What about admins fearing a higher workload simply sending an email back with a ticket number when the incoming mail isn't in ARF ? Or directing people with this returning mail to a webform where the user can only enter certain things .. It's the admin's choice ... It's my personal opinion that admins are fixing their security holes when they complain about the workload. They will get fewer complaints, if they do. Kind regards, Frank
Hi, http://abusix.com/contactdb.html We are at the moment working on getting the new abuse-c in place as well. Thanks, Tobias Olaf van der Spek wrote:
Hi,
I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. Does everyone roll their own?
-- Olaf
Hi Olaf, all, On 6/20/13 10:08 AM, Olaf van der Spek wrote:
Hi,
I hope this is the right list for such a question. How does one map an IP address to an abuse email address in an automated way? I assume scripts exist, but I haven't found any. Does everyone roll their own?
for the IP addresses and AS numbers in RIPE Database, you can use "ripestat" text service / abuse finder widget/functionality (*) puppy:becha:~ $ whois -h stat.ripe.net " -d abuse-contact-finder -s anti_abuse_contacts.abuse_c.0.email 5.2.25.1" the answer should be: csm-dpto.comunicaciones@ibermatica.com I hope this helps, Vesna (*) More details in this RIPE Labs article: https://labs.ripe.net/Members/cteusche/finding-anti-abuse-contact-informatio...
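Vesna's ripestat query returns the contact ready-made. When the input is the RIPE Database itself (a port-43 whois answer), the lookup has to be done by hand: find the abuse-c handle on the resource or its organisation, follow it to the role object and read the abuse-mailbox. The Python below is an added example written for this thread, not code from Vesna, RIPE NCC, abusix or anyone else posting here. It parses a constructed sample of RPSL-style whois output (every handle, name and address in it is a placeholder) and also includes a raw RFC 3912 query helper for live use, which the offline demonstration does not call.

```python
import re
import socket

# Constructed sample of RIPE Database whois output (RPSL-style "attribute: value"
# objects separated by blank lines). Every name, handle and address below is a
# placeholder made up for this example, not a real registry record.
SAMPLE_WHOIS = """\
% This is a constructed sample, not real RIPE Database output.
% Information related to '192.0.2.0 - 192.0.2.255'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Hosting (constructed)
country:        NL
org:            ORG-EX1-RIPE
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE

organisation:   ORG-EX1-RIPE
org-name:       Example Hosting
org-type:       LIR
abuse-c:        EXAB1-RIPE
mnt-by:         EXAMPLE-MNT
source:         RIPE

role:           Example Abuse Desk
address:        Somewhere 1, Example City
nic-hdl:        EXAB1-RIPE
abuse-mailbox:  abuse@example.net
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          192.0.2.0/24
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


def parse_objects(text):
    """Split RPSL-style whois output into a list of dicts, one per object.
    Lines starting with '%' are server comments and are skipped; an attribute
    that occurs more than once in an object is kept as a list of values."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m is None:
            continue  # continuation lines are not needed for this lookup
        key, value = m.group(1), m.group(2).strip()
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def find_abuse_mailbox(text):
    """Return the abuse-mailbox published for the queried block, or None.
    Preferred: the role object referenced by an abuse-c on the resource or on
    an organisation in the answer. Fallback: any abuse-mailbox attribute in
    the answer (older records carried it on the inetnum or role directly)."""
    objects = parse_objects(text)
    handles = set()
    for obj in objects:
        if any(k in obj for k in ("inetnum", "inet6num", "aut-num", "organisation")):
            handles.update(obj.get("abuse-c", []))
    for obj in objects:
        if "role" in obj and handles & set(obj.get("nic-hdl", [])):
            if "abuse-mailbox" in obj:
                return obj["abuse-mailbox"][0]
    for obj in objects:
        if "abuse-mailbox" in obj:
            return obj["abuse-mailbox"][0]
    return None


def whois_raw(ip, server="whois.ripe.net", port=43, timeout=10):
    """Plain RFC 3912 port-43 query; needs network access, so the offline
    demonstration below does not call it."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(find_abuse_mailbox(SAMPLE_WHOIS))  # abuse@example.net
```

The mailbox this returns belongs to whoever holds the address block, which is the point Frank and Benedikt argue about above: for one-way traffic such as ICMP floods the source address can be forged, so an automated reporter should only mail contacts for addresses that completed a two-way exchange (a TCP session, a delivered mail), and should rate-limit per contact so a single flood does not turn the script into the Joe job Benedikt describes.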
participants (13)
- Arnold
- Benedikt Stockebrand
- Brian Nisbet
- Denis Walker
- Erik Bais
- Frank Gadegast
- Gert Doering
- Leo Vegoda
- Niall O'Reilly
- Olaf van der Spek
- Suresh Ramasubramanian
- Tobias Knecht
- Vesna Manojlovic