[anti-abuse-wg] Manual vs automated reports

Dear Reza

This is a nice example illustrating why the situation IS confused.

With some knowledge of the RIPE Database you can dig in and see what you 
find. But there are three different ways of recording abuse contact 
information in the database and these can be used in many different 
object types. To find this information you need to look into objects 
referenced in objects referenced in....referenced in the object you are 
interested in. If you don't follow this chain of references far enough 
you may miss the contact details. If you follow it too far you find 
abuse contacts not intended for this resource.

The information you show below includes a "remarks:" attribute with an 
abuse email address. This is human readable and in English. If this 
comment was written in another of the many languages used within the 
RIPE region, could you be sure it was an abuse email address?

This object also has a long since deprecated "trouble:" attribute. If 
that had been a different email address, where is the dividing line 
between abuse from and trouble with an IP address?

There is also an "e-mail:" attribute. Should you cc: that, just to be 
sure? I notice you also included the "changed:" attribute in your 
selection from the object and in the context of 'security related 
issues'. The changed details are purely administrative, virtually 
un-maintained and may be years out of date. It may be telling you who 
changed this object ten years ago.

If you put this IP address in our Abuse Finder tool it also returns the 
abuse contact abuse at bt.net which is missing from the details below. But 
finding these details by script is not easy. We can program in the 
relationships between different objects, which is how we found 
abuse at bt.net. But we cannot parse any comment as we don't know what 
language it is in and we can't interpret a set of words around an email 
address.

If the policy proposal 2011-06 is approved by the community we can work 
towards storing abuse contact details in one location, referenced in one 
way and easily readable by humans and scripts. Of course it won't solve 
all problems, as some people were hoping for. But it is the first step 
of what can be a journey towards a more complete solution.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 26/07/2012 13:23, Reza Farzan wrote:
> Hello All,
>
> I just checked the IP in question, 62.239.237.250 in Whois and there is
> nothing confusing about it, especially the Abuse reporting channel.
>
>
> inetnum:        62.239.237.0 - 62.239.237.255
> remarks:        Please send abuse notification to mailto:btcertcc at bt.com
> role:           BT Corporate Registry
> address:        British Telecommunications
> address:        81 Newgate Street
> address:        London GB
> e-mail:         ip.manager at bt.com
> remarks:        trouble:      mailto: mailto:btcertcc at bt.com
>
>
> And they have even listed the contact for their security related issues:
>
> remarks:        BT Security Computer Emergency Response Team
> mnt-by:         BTENT-MNT
> changed:        mailto:steve.a.marshall at bt.com
>
> ++++
>
> Cheers,
>
>
> Reza Farzan
> rezaf at mindspring.com
>
>
>
> ________________________________
>
> 	From: anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Aftab Siddiqui
> 	Sent: Thursday, July 26, 2012 6:50 AM
> 	To: Michele Neylon :: Blacknight
> 	Cc: Denis Walker; anti-abuse-wg at ripe.net
> 	Subject: Re: [anti-abuse-wg] Manual vs automated reports
> 	
> 	
>
> 	Hi Michele
> 	
>
>
> 		I tried that now. It's very confusing.
> 		
>
> 	Agree to that.
> 	
>
>
> 		It's not at all clear if the search box will take an IP
> address or not ...
> 		
>
> 	
> 	Should be mentioned clearly with ? box
> 	
>
>
> 		I tried one and got back a "result" which I could click on
> .. When I did I got "ERROR:115: invalid search key"
> 		
>
> 	
> 	Yes, you are right. It happens many times. I guess it is still in
> beta phase. We have found an easy way to do it. I guess that legit
> 	
> 	curl -i -H "Accept: application/json"
> http://apps.db.ripe.net/whois/use-cases/abuse-ripe&primary-key=+62.239.237.2
> 50 | grep abuse-mail
> 	
> 	Just pass the abuser IP (here I've mentioned bt subnet and thats it.
> Its just a work around.
> 	
> 	Regards,
> 	
> 	Aftab A. Siddiqui
> 	
>
>
>
>