[anti-abuse-wg] Automatic IP -> abuse email address mapping
Frank Gadegast
ripe-anti-spam-wg at powerweb.de
Thu Jun 20 11:17:45 CEST 2013
Erik Bais wrote:
> Hi Olaf,

Hi,

this interface does not find all possible abuse contacts,
an example for

http://isc.sans.edu/api/ip/5.76.13.127

<ip><number>5.76.13.127</number><count>0</count><attacks>0</attacks><maxdate>0</maxdate><mindate>0</mindate><updated>0</updated><country> KZ </country><as>9198 </as><asname> KAZTELECOM-AS JSC Kazakhtelecom</asname><network> 5.76.0.0/16 </network><comment/></ip>

no abuse contact, where a

# whois.ripe -b 5.76.13.127
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse.spam at telecom.kz

finds one ...

Kind regards, Frank

>
> I use the API from ISC SANS (http://isc.sans.edu/api ) to do some
> parsing for me if needed.
>
> cat send_abusemsg.sh
>
> #!/bin/sh
> for i in `cat uniq_IP_list`
> do
> abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
> cat template.txt | sed "s/%%ip%%/$i/" | sed "s/%%email%%/$abuse/" | sendmail -oi -t
> done
>
> the uniq_IP_list is a file that has the offending IP addresses. 1 IP per
> line.
>
> and the mail template that I use looks something like :
>
> cat template.txt | more
>
> To: %%email%%
> Cc: noc@<your mail domain here>
> From: abuse@<your mail domain here>
> Subject: IP Address %%ip%% involved in DDoS attack
>
> Dear abusedesk,
>
> Please take action on the following IP address: %%ip%% due to a DDoS
> on an IP in our network.
>
> </snip partial SFLOW log>
>
> The mentioned server with IP address: %%ip%% should be looked at
> directly as it is probably hacked or misconfigured to be abused.
>
> Regards,
>
> <your ISP NOC>
>
> Does that answer your question?
>
> Regards,
>
> Erik Bais
>
> *From:* anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] *On Behalf Of* Olaf van der Spek
> *Sent:* Thursday 20 June 2013 10:08
> *To:* anti-abuse-wg at ripe.net
> *Subject:* [anti-abuse-wg] Automatic IP -> abuse email address mapping
>
> Hi,
>
> I hope this is the right list for such a question.
>
> How does one map an IP address to an abuse email address in an automated
> way?
>
> I assume scripts exist, but I haven't found any. Does everyone roll
> their own?
>
> --
> Olaf
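
An added example, not part of the thread and not either poster's script: it pulls the abuse-mailbox attribute out of brief RPSL output like the whois reply above, and fills the %%ip%% / %%email%% template only when the address passes an allow-list, so a missing or odd contact is skipped instead of reaching sed and sendmail. The function names, the 192.0.2.0/24 range and the example.net address are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Addresses and ranges are constructed.

# Print the first abuse-mailbox value found in RPSL text on stdin, if any.
extract_abuse_mailbox() {
    awk -F': *' 'tolower($1) == "abuse-mailbox" { print $2; exit }' | tr -d ' \t\r'
}

# Allow-list check: nothing special to sed ('/', '&', '\') or to mail
# headers (newline, ',') can pass, so the value is safe to substitute.
is_safe_address() {
    case "$1" in
        *[!A-Za-z0-9._+@-]*) return 1 ;;  # character outside the allow-list
        *@*@*)               return 1 ;;  # more than one '@'
        ?*@?*.?*)            return 0 ;;
        *)                   return 1 ;;
    esac
}

# build_report IP WHOIS_TEXT TEMPLATE_TEXT
# Prints the filled template; returns 1 when no usable contact exists so the
# caller can skip the IP rather than hand sendmail an empty "To:" header.
build_report() {
    ip=$1
    case "$ip" in ''|*[!0-9A-Fa-f.:]*) return 2 ;; esac
    addr=$(printf '%s\n' "$2" | extract_abuse_mailbox)
    is_safe_address "$addr" || return 1
    printf '%s\n' "$3" | sed -e "s/%%ip%%/$ip/g" -e "s/%%email%%/$addr/g"
}

# Constructed sample in the shape of the brief RIPE output quoted above.
SAMPLE_WHOIS='% This is the RIPE Database query service.
% The objects are in RPSL format.

inetnum:        192.0.2.0 - 192.0.2.255
abuse-mailbox:  abuse@example.net'

# First lines of the template from the quoted message.
SAMPLE_TEMPLATE='To: %%email%%
Subject: IP Address %%ip%% involved in DDoS attack'

build_report 192.0.2.10 "$SAMPLE_WHOIS" "$SAMPLE_TEMPLATE"
```

In a loop over an IP list, a non-zero return from build_report marks the IPs that need a manual lookup.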