Finding Abuse Contact Information with RIPEstat

Christian Teuschel — Feb 19, 2013 03:25 PM
Contributors: Suzanne Taylor Muzzin
No one wants to have to deal with a suspected abuse case, but at least RIPEstat can help you to find available anti-abuse contact information in the RIPE Database easily. In this article we show you when and how you can use RIPEstat to do that.

NOTE: This article was updated 17 April 2013 with information about the inclusion of a fifth star as the highest rating possible for a returned abuse contact. This fifth star is the result of a new policy that began improving the management of abuse contact details in the RIPE Database in early 2013 (see more below).

Using RIPEstat to find abuse contacts

Below, we describe how to use RIPEstat to look up any abuse contact information that might be available for a particular IP address, as abuse cases are usually connected with a single IP address. However, it is also possible to look up information for prefixes or ASNs.

You can learn more about how to identify the IP address responsible in the FAQs on spamming and hacking. Once you have identified the IP address related to the abuse, you can use RIPEstat to help find the correct contact information to report the abuse.

The RIPEstat Abuse Contact Finder widget searches and returns information contained in the RIPE Database in a consolidated, easy-to-read format. For now, the RIPE Database may or may not contain abuse contact information for a given IP address, but a new policy is being implemented that makes abuse contact information mandatory for all new, and eventually all existing, objects that are registered in the RIPE Database. Learn more about this new policy below.

Step 1: Query RIPEstat's Abuse Contact Finder widget

  • Fill in the IP address in the input field ("Enter an IP address") and press enter

    Figure 1: RIPEstat's Abuse Contact Finder page

    Step 2: How to interpret the results

    The widget interface presents the results with different background colours:

    • Light green for 'Abuse contacts found'
    • Grey for 'No contacts found'
    • Light red for 'Special purpose addresses'

    Abuse contacts found

     

    Figure 2: Abuse contact information found

    If the widget can find abuse contact information, it will be shown in the box "Email Contact". However, the contact information returned might not be the one you were looking for. We implemented a rating system that shows you the reliability of the contact information found in the RIPE Database. You can find more details about the star rating system below.

    If you find an email address and want to report an abuse incident, please make sure that you read the section on how to report an incident.

    No abuse contact information found

    If the tool could not find any abuse contacts, you will see a message on a grey background as shown in Figure 3 below.

    Figure 3: No contacts found

    Note that since we are not serving abuse contacts for resources outside the RIPE NCC region, you will see a similar result for resources registered with one of the other Regional Internet Registries, as shown in Figure 4 below.

    Figure 4: No contacts found for resources outside the RIPE NCC service region

    Special purpose addresses

    There are addresses that fulfill a special purpose, such as private address space as defined in RFC 1918 (Address Allocation for Private Internets). For the majority of those resources, it is not useful to look for abuse contacts. Special purpose addresses are highlighted with a red background and come with a more detailed explanation.

    Figure 5: Special purpose addresses

    How the widget works internally

    The accuracy of the contact information can vary depending on where it is found within the RIPE Database object. To help you decide if the contact is appropriate for reporting abuse, we implemented a rating system that indicates the likelihood that the contact found is the correct one.

    Five stars: Designated abuse contact

    • A queried IP address that includes an "abuse-c:" attribute in the RIPE Database conforms to ripe-563. The returned contact is a designated abuse contact for the address and is deemed to be the correct contact.


    Four stars: Most likely to be the correct abuse contact

    • An "abuse-mailbox:" attribute was found in a database object related to the IP address queried for. This could also include related objects of the announcing network (ASN).


      Three stars: Likely to be the correct abuse contact

      • No "abuse-mailbox:" attribute was found in any database object related to the IP address queried for. However, contact information was found in a remark attribute, which could possibly be the abuse contact.


        Two stars: Likelihood of this being the correct abuse contact is uncertain

        • No abuse contact information was found for the specific IP address queried for. However, an "abuse-mailbox:" attribute was found in another object registering a more specific resource. This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it may not be the correct contact.


          One star: Unlikely to be the correct abuse contact

          • No abuse contact information was found for the specific IP address queried for. However, in another object registering a more specific resource, a contact address was found (but not in an "abuse-mailbox:" attribute). This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it is quite unlikely that this is the one you were searching for.


            For more details on how the widget works internally, please refer to the widget documentation, which you can find when you click on the "Info" button at the bottom right corner of the widget.
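The five tiers above read as an ordered fallback. The following Python sketch is an added example, not RIPEstat's own code: it applies the tiers as this article describes them to constructed RPSL-style objects. The function names, the `other` list standing in for the article's "another object", and the resolution of "abuse-c:" through a role object that holds "abuse-mailbox:" (as ripe-563 defines it) are assumptions of the example.

```python
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_rpsl(text):
    """Split one RPSL object into (attribute, value) pairs."""
    pairs = []
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def emails(pairs, keys):
    """E-mail addresses found in the values of the named attributes."""
    return [m for k, v in pairs if k in keys for m in EMAIL.findall(v)]

def rate(related, other, roles):
    """Return (stars, contacts); 0 stars stands for 'No contacts found'.
    related: objects for the queried IP and its announcing ASN
    other:   the "another object" of the two- and one-star tiers
    roles:   nic-hdl -> role object text, used to resolve "abuse-c:" """
    rel = [p for obj in related for p in parse_rpsl(obj)]
    oth = [p for obj in other for p in parse_rpsl(obj)]
    mailbox = {"abuse-mailbox"}
    # Five stars: "abuse-c:" names a role object that holds the mailbox.
    designated = [e for k, handle in rel if k == "abuse-c"
                  for e in emails(parse_rpsl(roles.get(handle, "")), mailbox)]
    tiers = [(5, designated), (4, emails(rel, mailbox)),
             (3, emails(rel, {"remarks"})), (2, emails(oth, mailbox)),
             (1, emails(oth, {k for k, _ in oth} - mailbox))]
    return next(((s, c) for s, c in tiers if c), (0, []))

# Constructed sample objects (documentation prefix, example domains).
ROLES = {"AR1-EXAMPLE": "role: Abuse Desk\nnic-hdl: AR1-EXAMPLE\n"
                        "abuse-mailbox: abuse@example.net"}
WITH_ABUSE_C = "inetnum: 192.0.2.0 - 192.0.2.255\nabuse-c: AR1-EXAMPLE"
REMARKS_ONLY = "inetnum: 192.0.2.0 - 192.0.2.255\nremarks: abuse to noc@example.org"
BARE = "inetnum: 192.0.2.0 - 192.0.2.255\nnetname: EXAMPLE-NET"
OTHER = "inetnum: 192.0.0.0 - 192.0.255.255\nabuse-mailbox: abuse@isp.example"

if __name__ == "__main__":
    for rel, oth in ([WITH_ABUSE_C], []), ([REMARKS_ONLY], []), ([BARE], [OTHER]):
        print(rate(rel, oth, ROLES))
```

An "abuse-c:" handle that does not resolve to a role object with a mailbox falls through to the lower tiers instead of being reported as a five-star contact.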

                    How to report a suspected abuse incident

                    Please keep in mind that the email addresses listed may be for contact people at an ISP providing Internet services and they may not be aware that somebody is using their network in this way. They will need you to give them details of the abuse so that they can investigate it further.

                    • Explain what happened
                    • Try to explain why you think it's an abuse case
                    • Include the IP address
                    • Include the times when it happened
                    • Include any evidence (e.g. copy the message from your firewall, log entries etc.)

                    You might want to mention that you found this contact via RIPEstat's Abuse Contact Finder widget by appending this line:

                    "This email contact was found using RIPEstat's Abuse Contact Finder widget. Please find more information at https://stat.ripe.net/specials/abuse."
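An added example, not part of the original article: a Python sketch that prepares a report from firewall log lines, setting aside the special purpose sources described earlier and filling in the items listed above. The log layout, the list of special-purpose ranges (a subset) and all function names are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed subset of special-purpose IPv4 ranges, chosen for this example.
SPECIAL = [(ipaddress.ip_network(net), why) for net, why in [
    ("10.0.0.0/8", "RFC 1918 private"), ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("224.0.0.0/4", "multicast")]]
LINE = re.compile(r"^(\S+) .*\bSRC=(\S+)")  # hypothetical log layout
FOOTER = ("This email contact was found using RIPEstat's Abuse Contact Finder widget. "
          "Please find more information at https://stat.ripe.net/specials/abuse.")

def special_purpose(ip):
    """Return why an address is special-purpose, or None if it is not."""
    addr = ipaddress.ip_address(ip)
    return next((why for net, why in SPECIAL if addr in net), None)

def triage(log_lines):
    """Group lines by source IP; set special-purpose sources aside."""
    reportable, skipped = defaultdict(list), {}
    for m in filter(None, map(LINE.match, log_lines)):
        ts, src = m.groups()
        try:
            why = special_purpose(src)
        except ValueError:  # the SRC= value is not an IP address
            continue
        if why:
            skipped[src] = why
        else:
            reportable[src].append((ts, m.string))
    return dict(reportable), skipped

def report_body(ip, events, what, why):
    """Plain-text report carrying the items the article lists."""
    times = sorted(ts for ts, _ in events)
    evidence = "\n".join("  " + line for _, line in events)
    return (f"What happened: {what}\nWhy it looks like abuse: {why}\nIP address: {ip}\n"
            f"Times: {times[0]} to {times[-1]}\nEvidence:\n{evidence}\n\n{FOOTER}")

# Constructed firewall log; 198.51.100.0/24 stands in for a public source.
LOG = ["2013-03-01T15:25:01Z DROP SRC=198.51.100.23 DPT=22",
       "2013-03-01T15:25:09Z DROP SRC=192.168.1.40 DPT=445",
       "2013-03-01T15:31:44Z DROP SRC=198.51.100.23 DPT=22"]

if __name__ == "__main__":
    hits, skipped = triage(LOG)
    for ip, events in hits.items():
        print(report_body(ip, events, "repeated SSH attempts", "unsolicited, blocked"))
```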

                    More on anti-abuse

                    Learn more about spamming and hacking, and what you can do about it, in the FAQs on spamming and hacking.

                    You can also look through the archives of the Anti-Abuse Working Group mailing list.

                    Changes to anti-abuse information in the RIPE Database

                    Currently, any abuse contact information contained in the RIPE Database is voluntarily given when an Internet number resource is registered. That means that this information may or may not be available for any given resource.

                    However, a new policy began implementation in 2013 that mandates the inclusion of an "abuse-c:" attribute, which contains an abuse contact, for all new objects in the RIPE Database. In addition, this policy will retroactively require abuse contact information for all pre-existing resources. As "abuse-c:" attributes are added to resources registered in the RIPE Database, RIPEstat's Abuse Contact Finder widget will return more and more reliable anti-abuse contact results. The widget rates all contacts found in the "abuse-c:" attribute with five stars, the highest rating.

                    Read details of the full policy in RIPE Document 563, "Abuse Contact Management in the RIPE Database" or learn more about the implementation of ripe-563 in this RIPE Labs article.

                    4 Comments

                    Craig Shaver says:
                    Nov 17, 2013 03:19 AM
                    Is there a way to get this in plain text using a program interface such as a perl script?
                    Christian Teuschel says:
                    Nov 19, 2013 10:09 AM
                    Hi Craig,
                    Yes, there is - the RIPEstat Data API!
                    Specifically for abuse contact information you can find the documentation here: https://stat.ripe.net/docs/data_api#AbuseContactFinder
                    The standard output format is JSON, so you can use it with all common scripting languages. The Abuse-Contact widget itself is based on this REST-like API.

                    Best regards,
                    Christian Teuschel
                    Anonymous says:
                    Jan 14, 2014 05:24 PM
                    Any advice on what to do if the abuse contact email (5 stars) given by the widget is bad?
                    Christian Teuschel says:
                    Jan 16, 2014 09:38 PM
                    Dear User,
                    There are various reasons why an abuse contact (aka. abuse-c attribute) can be a source of frustration for users trying to report abuse incidences. Among them are typos in the contact address, technical problems at the side of the recipient or simply mailboxes that are not maintained/read.
                    Most of these problems are easy to fix but currently there is no procedure in place for users respectively the RIPE NCC to correct/validate abuse contacts given by the resource holders.
                    For this to happen it needs a mandate from the Internet community. Ideally preceded by discussion in the Anti-Abuse Working Group [1] with a clear, unanimous outcome.

                    I would not recommend to browse inet(6)num or aut-num objects in the RIPE DB for occurrences of previously used "abuse-mailbox" attributes or abuse contacts stated in the remarks.

                    Best regards,
                    Christian Teuschel

                    [1] https://www.ripe.net/ripe/groups/wg/anti-abuse