This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] Automatic IP -> abuse email address mapping

Previous message (by thread): [anti-abuse-wg] Automatic IP -> abuse email address mapping
Next message (by thread): [anti-abuse-wg] Automatic IP -> abuse email address mapping

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Frank Gadegast ripe-anti-spam-wg at powerweb.de
Thu Jun 20 11:17:45 CEST 2013

Erik Bais wrote:
> Hi Olaf,

Hi,

this interface does not find all possible abuse contacts, an example for

http://isc.sans.edu/api/ip/5.76.13.127

<ip><number>5.76.13.127</number><count>0</count><attacks>0</attacks><maxdate>0</maxdate><mindate>0</mindate><updated>0</updated><country> 
KZ </country><as>9198 </as><asname> KAZTELECOM-AS JSC 
Kazakhtelecom</asname><network> 5.76.0.0/16 </network><comment/></ip>

no abuse contact, where a
# whois.ripe -b 5.76.13.127
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse.spam at telecom.kz

finds one ...


Kind regards, Frank

>
> I use the API from ISC SANS (http://isc.sans.edu/api  ) to do some
> parsing for me if needed.
>
> cat send_abusemsg.sh
>
> #!/bin/sh
>
> for i in `cat uniq_IP_list`
>
>      do
>
>           abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep
> 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
>
>           cat template.txt | sed "s/%%ip%%/$i/" | sed
> "s/%%email%%/$abuse/" | sendmail -oi -t
>
>      done
>
> the uniq_IP_list is a file that has the offending IP addresses. 1 IP per
> line.
>
> and the mail template that I use looks something like :
>
> cat template.txt | more
>
> To: %%email%%
>
> Cc: noc@<your mail domain here>
>
> From: abuse@<your mail domain here>
>
> Subject: IP Address %%ip%% involved in DDoS attack
>
> Dear abusedesk,
>
> Please take action on the following IP address:  %%ip%%  due to an DDoS
> on an IP in our network.
>
> </snip partial SFLOW log>
>
> The mentioned server with IP address: %%ip%% should be looked at
> directly as it is probably hacked or misconfigured to be abused.
>
> Regards,
>
> <your ISP NOC>
>
> Does that answer your question?
>
> Regards,
>
> Erik Bais
>
> *From:*anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] *On Behalf Of *Olaf van der Spek
> *Sent:* donderdag 20 juni 2013 10:08
> *To:* anti-abuse-wg at ripe.net
> *Subject:* [anti-abuse-wg] Automatic IP -> abuse email address mapping
>
> Hi,
>
> I hope this is the right list for such a question.
>
> How does one map an IP address to an abuse email address in an automated
> way?
>
> I assume scripts exist, but I haven't found any. Does everyone roll
> their own?
>
>
> --
> Olaf
>

Previous message (by thread): [anti-abuse-wg] Automatic IP -> abuse email address mapping
Next message (by thread): [anti-abuse-wg] Automatic IP -> abuse email address mapping

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]