This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Automatic IP -> abuse email address mapping
Denis Walker
denis at ripe.net
Thu Jun 20 16:11:32 CEST 2013
Dear Frank,

The RIPE NCC already mirrors the other RIRs' whois databases as well as
some routing registries like JPIRR and RADB. All this data is already
available with a single query and all in RIPE RPSL format. You do not
need to know which registry is the authoritative source for the
resource. That information is part of the response we return.

For RIPE data the abuse-c is being implemented so we will be able to
give answers to abuse contact requests for this data. The data we return
for the other RIRs contains pointers to their abuse contact details.
This data also includes information from some of the NICs who may hold
the authoritative data. For example, querying a JPNIC address in the
APNIC database includes information from the JPNIC registry.

For example (I have shortened some of the output here):

$ whois -h whois.nic.ad.jp 134.180.0.0/16/e
Network Information:
[Network Number]                134.180.0.0/16
[Network Name]
[Organization]                  SANYO Information Technology Solutions Co., Ltd.
[Administrative Contact]        JP00018865
[Technical Contact]             JP00018865
[Abuse]                         abuse at sannet.ne.jp
[Allocated Date]                2011/09/20
[Last Update]                   2011/09/20 14:50:42(JST)

This shows the abuse contact from JPNIC as an attribute.

$ whois -h whois.apnic.net 134.180.0.0/16
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : abuse at sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        hostmaster at arin.net 19990719
changed:        hm-changed at apnic.net 20031111
changed:        hm-changed at apnic.net 20040926
changed:        hm-changed at apnic.net 20041214
changed:        ip-apnic at nic.ad.jp 20050406
changed:        hm-changed at apnic.net 20050407
changed:        ip-apnic at nic.ad.jp 20110920
source:         APNIC

This shows the same abuse contact as a remarks: attribute.

$ whois -h whois.ripe.net --resource 134.180.0.0/16
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
descr:          SANYO Information Technology Solutions Co., Ltd.
descr:          2-5-5, Keihan-Hondori,
descr:          Moriguchi-shi,Osaka 570-8686, Japan
country:        JP
admin-c:        DUMY-RIPE
tech-c:         DUMY-RIPE
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : abuse at sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        unread at ripe.net 20000101
source:         APNIC-GRS

So using the RIPE GRS also gives you the abuse contact from JPNIC for
this resource.

For more details see the new RIPE Labs article next week.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Team

On 20/06/2013 13:53, Frank Gadegast wrote:
> Denis Walker wrote:
>> Dear Frank,
>
> Hi Denis,
>
> I'm not sure, if this covers what I would like to have,
> simply because you have to know to which RIR the network
> belongs first.
>
> It's quite complicated to
> - look the RIR up at whois.iana.org first,
>   definitely needed for ERX networks
> - make the whois at the RIR (and usually find, that
>   it sub-delegated the whois to another RIR like
>   BRNIC or KRNIC)
> - and end up with 10 different output formats
>
> You can't explain that procedure to an end user ...
>
> But maybe I understood your interface wrong, and
> I can really enter an IP at the GRS service
> and get the abuse contact email addresses ...
>
> And I know through the experiences with our normal
> customer users, that they simply do not report spam,
> because they have no single place to look it up, and
> then do not know, where they should send an abuse complaint
> to.
>
> Normal users are always quite puzzled, when you tell
> them about whois services, RIRs aso, they have
> no idea about it, simply because they never heard
> anything about RIPE, IANA aso ...
> Most don't even know, what an IP address is ...
> It's hard enough to tell them how to find the
> abusive IP in a mail header ...
>
> And that's why people use services like SpamCop,
> they simply put the spam in a web form, and
> they do the rest (ok, not perfect, but handy
> anyway).
>
> IANA should have such a central service ...
>
>
> Kind regards, Frank
>
>>
>> The RIPE NCC has a Global Resource Service (GRS) where you can perform
>> unlimited queries on operational data from all the 5 RIRs and all
>> responses are returned in RIPE RPSL format. You can script your queries
>> against the RIPE GRS using our API.
>>
>> I am, at this very moment, writing a new RIPE Labs article with all the
>> latest details and improvements we have made recently to this service.
>> We expect to publish this article next week.
>>
>> Regards
>> Denis Walker
>> Business Analyst
>> RIPE NCC Database Team
>>
>> On 20/06/2013 11:17, Frank Gadegast wrote:
>>> Olaf van der Spek wrote:
>>>> Hi,
>>>>
>>>> I hope this is the right list for such a question.
>>>> How does one map an IP address to an abuse email address in an
>>>> automated way?
>>>> I assume scripts exist, but I haven't found any. Does everyone roll
>>>> their own?
>>>
>>> There are no public scripts to my knowledge
>>>
>>> This kind of automatic mapping is quite complicated and
>>> mostly internal know-how of f.e. blacklists, that do
>>> automatic reporting.
>>>
>>> The steps to do it are something like this:
>>>
>>> - first you need to identify, which RIR is responsible for the
>>>   IP/netblock, this is tricky, because there are more RIRs than
>>>   only RIPE, ARIN, LACNIC, AFRINIC and APNIC, that actually
>>>   hold the information you need (f.e. KRNIC and BRNIC aso) and because
>>>   there are early registration networks, that usually do not
>>>   belong to the RIR you would expect
>>> - all whois interfaces at the RIRs are different, parsing is
>>>   difficult, different options too and all have different regulations
>>>   and fields with even doubled content
>>> - then there are limits, how many whois queries you can do
>>>
>>> We have a Perl script doing all this with over
>>> 3000 lines of code, and this code has to be adjusted
>>> nearly every month ...
>>>
>>> It would be a dream, if this group could discuss
>>> a standard whois output format for all RIRs.
>>> And the final step could be a centralized whois, anybody
>>> could ask for the abuse contact covering the data
>>> of all RIRs.
>>>
>>>
>>> Kind regards, Frank
>>> Network Operation Center - PowerWeb
>>> --
>>> MOTD: "have you enabled SSL on a website or mailbox today ?"
>>> --
>>> PHADE Software - PowerWeb                  http://www.powerweb.de
>>> Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
>>> Schinkelstrasse 17                         fon: +49 33200 52920
>>> 14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
>>> ======================================================================
>>>
>>>>
>>>> --
>>>> Olaf
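
Added example (not code from this thread or from the RIPE NCC): a small Python parser that pulls the abuse address out of the two response styles quoted in the message above, the RPSL remarks: line returned by APNIC and the RIPE GRS, and the JPNIC [Abuse] attribute. The sample responses are shortened copies of that output; abuse-mailbox is a further RPSL attribute name that does not appear in this thread and is included as an assumption about other responses.

```python
import re

# Constructed sample input: shortened copies of the two response styles quoted
# in the message above, keeping the archive's " at " address obfuscation.
GRS_RESPONSE = """\
inetnum:        134.180.0.0 - 134.180.255.255
netname:        SANNET
remarks:        Email address for spam or abuse complaints : abuse at sannet.ne.jp
mnt-irt:        IRT-JPNIC-JP
changed:        unread at ripe.net 20000101
source:         APNIC-GRS
"""
JPNIC_RESPONSE = """\
[Network Number]                134.180.0.0/16
[Technical Contact]             JP00018865
[Abuse]                         abuse at sannet.ne.jp
"""

# Conservative address pattern: whois free text is untrusted input, so only a
# plain local part and dotted domain are accepted ("@" or the archive's " at ").
ADDR = re.compile(r"([A-Za-z0-9._%+-]+)(?:@| at )((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")
RPSL_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
JPNIC_LINE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
# "abuse" is the JPNIC attribute shown above; "abuse-mailbox" is an assumption.
ABUSE_KEYS = ("abuse", "abuse-mailbox")

def parse_attributes(text):
    """Return (key, value) pairs from RPSL 'key: value' or JPNIC '[Key] value' lines."""
    pairs = []
    for line in text.splitlines():
        m = RPSL_LINE.match(line) or JPNIC_LINE.match(line)
        if m:
            pairs.append((m.group(1).strip().lower(), m.group(2).strip()))
    return pairs

def abuse_contacts(text):
    """Extract abuse addresses and the 'source:' value from one whois response."""
    found, source = [], None
    for key, value in parse_attributes(text):
        if key == "source":
            source = value
        # A remarks: line counts only when its text mentions abuse, so addresses
        # in changed:, notify: and similar attributes are never reported.
        is_abuse = key in ABUSE_KEYS or (key == "remarks" and "abuse" in value.lower())
        if is_abuse:
            for local, domain in ADDR.findall(value):
                addr = f"{local}@{domain}".lower()
                if addr not in found:
                    found.append(addr)
    return {"source": source, "abuse": found}
```

The returned source value (APNIC-GRS for the sample) is the part of the response that tells a caller which registry the data was mirrored from.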