[anti-abuse-wg] Automatic IP -> abuse email address mapping

Hi Olaf,

I use the API from ISC SANS (http://isc.sans.edu/api  ) to do some parsing for me if needed.

cat send_abusemsg.sh

#!/bin/sh

for i in `cat uniq_IP_list`

    do
         abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
         cat template.txt | sed "s/%%ip%%/$i/" | sed "s/%%email%%/$abuse/" | sendmail -oi -t
    done


the uniq_IP_list is a file that has the offending IP addresses. 1 IP per line.

and the mail template that I use looks something like :


cat template.txt | more

To: %%email%%
Cc: noc@<your mail domain here>
From: abuse@<your mail domain here>
Subject: IP Address %%ip%% involved in DDoS attack

Dear abusedesk,

Please take action on the following IP address:  %%ip%%  due to an DDoS on an IP in our network.

</snip partial SFLOW log>

The mentioned server with IP address: %%ip%% should be looked at directly as it is probably hacked or misconfigured to be abused.

Regards,
<your ISP NOC>


Does that answer your question?

Regards,
Erik Bais

From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Olaf van der Spek
Sent: donderdag 20 juni 2013 10:08
To: anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping

Hi,

I hope this is the right list for such a question.
How does one map an IP address to an abuse email address in an automated way?
I assume scripts exist, but I haven't found any. Does everyone roll their own?


--
Olaf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20130620/ac858cc4/attachment.html>