This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Manual vs automated reports
Denis Walker
denis at ripe.net
Thu Jul 26 15:02:00 CEST 2012
Dear Reza

This is a nice example illustrating why the situation IS confused. With some knowledge of the RIPE Database you can dig in and see what you find. But there are three different ways of recording abuse contact information in the database and these can be used in many different object types. To find this information you need to look into objects referenced in objects referenced in....referenced in the object you are interested in. If you don't follow this chain of references far enough you may miss the contact details. If you follow it too far you find abuse contacts not intended for this resource.

The information you show below includes a "remarks:" attribute with an abuse email address. This is human readable and in English. If this comment was written in another of the many languages used within the RIPE region, could you be sure it was an abuse email address? This object also has a long since deprecated "trouble:" attribute. If that had been a different email address, where is the dividing line between abuse from and trouble with an IP address? There is also an "e-mail:" attribute. Should you cc: that, just to be sure?

I notice you also included the "changed:" attribute in your selection from the object and in the context of 'security related issues'. The changed details are purely administrative, virtually un-maintained and may be years out of date. It may be telling you who changed this object ten years ago.

If you put this IP address in our Abuse Finder tool it also returns the abuse contact abuse at bt.net which is missing from the details below. But finding these details by script is not easy. We can program in the relationships between different objects, which is how we found abuse at bt.net. But we cannot parse any comment as we don't know what language it is in and we can't interpret a set of words around an email address.

If the policy proposal 2011-06 is approved by the community we can work towards storing abuse contact details in one location, referenced in one way and easily readable by humans and scripts. Of course it won't solve all problems, as some people were hoping for. But it is the first step of what can be a journey towards a more complete solution.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 26/07/2012 13:23, Reza Farzan wrote:
> Hello All,
>
> I just checked the IP in question, 62.239.237.250 in Whois and there is
> nothing confusing about it, especially the Abuse reporting channel.
>
> inetnum: 62.239.237.0 - 62.239.237.255
> remarks: Please send abuse notification to mailto:btcertcc at bt.com
> role: BT Corporate Registry
> address: British Telecommunications
> address: 81 Newgate Street
> address: London GB
> e-mail: ip.manager at bt.com
> remarks: trouble: mailto: mailto:btcertcc at bt.com
>
> And they have even listed the contact for their security related issues:
>
> remarks: BT Security Computer Emergency Response Team
> mnt-by: BTENT-MNT
> changed: mailto:steve.a.marshall at bt.com
>
> ++++
>
> Cheers,
>
> Reza Farzan
> rezaf at mindspring.com
>
> ________________________________
>
> From: anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Aftab Siddiqui
> Sent: Thursday, July 26, 2012 6:50 AM
> To: Michele Neylon :: Blacknight
> Cc: Denis Walker; anti-abuse-wg at ripe.net
> Subject: Re: [anti-abuse-wg] Manual vs automated reports
>
> Hi Michele
>
> I tried that now. It's very confusing.
>
> Agree to that.
>
> It's not at all clear if the search box will take an IP
> address or not ...
>
> Should be mentioned clearly with ? box
>
> I tried one and got back a "result" which I could click on
> .. When I did I got "ERROR:115: invalid search key"
>
> Yes, you are right. It happens many times. I guess it is still in
> beta phase. We have found an easy way to do it. I guess that legit
>
> curl -i -H "Accept: application/json" "http://apps.db.ripe.net/whois/use-cases/abuse-ripe&primary-key=+62.239.237.250" | grep abuse-mail
>
> Just pass the abuser IP (here I've mentioned bt subnet and that's it.
> It's just a workaround.
>
> Regards,
>
> Aftab A. Siddiqui
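
The reference-chain problem described in the message above, as an added illustration that is not part of the original thread and is not RIPE NCC code: it walks a small set of objects and shows how the result changes with how far the references are followed. The objects, handles and addresses are constructed, and following `admin-c`, `tech-c` and `mnt-by` is an assumption made for the example.

```python
import re
# Constructed sample objects (not real RIPE Database data).
SAMPLE_DB = """\
inetnum: 192.0.2.0 - 192.0.2.255
remarks: Please send abuse notification to cert@example.net
admin-c: NET1-TEST

role: Example Network Registry
nic-hdl: NET1-TEST
e-mail: ip.manager@example.net
abuse-mailbox: abuse@example.net
mnt-by: UPSTREAM-MNT

mntner: UPSTREAM-MNT
admin-c: UP1-TEST

role: Upstream Provider NOC
nic-hdl: UP1-TEST
abuse-mailbox: abuse@upstream.example
"""

REFERENCES = ("admin-c", "tech-c", "mnt-by")  # assumed set of links to follow
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_objects(text):
    """Split blank-line separated objects into {primary key: [(attr, value), ...]}."""
    db = {}
    for block in text.strip().split("\n\n"):
        attrs = [tuple(p.strip() for p in line.split(":", 1)) for line in block.splitlines()]
        key = dict(attrs).get("nic-hdl", attrs[0][1])
        db[key] = attrs
    return db

def abuse_contacts(db, key, max_depth):
    """Walk references breadth-first; return [(email, source, depth)].
    Addresses found in free-text remarks are marked 'remarks?' as guesses."""
    found, seen, frontier = [], {key}, [key]
    for depth in range(max_depth + 1):
        next_frontier = []
        for k in frontier:
            for attr, value in db.get(k, []):
                if attr == "abuse-mailbox":
                    found.append((value, attr, depth))
                elif attr == "remarks":
                    found += [(m, "remarks?", depth) for m in EMAIL.findall(value)]
                elif attr in REFERENCES and value not in seen:
                    seen.add(value)
                    next_frontier.append(value)
        frontier = next_frontier
    return found
```

At depth 0 only the free-text guess is found, at depth 1 the structured contact on the referenced role appears, and at depth 3 the walk has reached a contact belonging to a different organisation's maintainer.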