No one wants to have to deal with a suspected abuse case, but at least RIPEstat can help you to find available anti-abuse contact information in the RIPE Database easily. In this article we show you when and how you can use RIPEstat to do that.
NOTE: This article was updated 17 April 2013 with information about the inclusion of a fifth star as the highest rating possible for a returned abuse contact. This fifth star is the result of a new policy that began improving the management of abuse contact details in the RIPE Database in early 2013 (see more below).
Using RIPEstat to find abuse contacts
Below, we describe how to use RIPEstat to look up any abuse contact information that might be available for a particular IP address, as abuse cases are usually connected with a single IP address. However, it is also possible to look up information for prefixes or ASNs.
You can learn more about how to identify the IP address responsible in the FAQs on spamming and hacking. Once you have identified the IP address related to the abuse, you can use RIPEstat to help find the correct contact information to report the abuse.
The RIPEstat Abuse Contact Finder widget searches and returns information contained in the RIPE Database in a consolidated, easy-to-read format. For now, the RIPE Database may or may not contain abuse contact information for a given IP address, but a new policy is being implemented that makes abuse contact information mandatory for all new, and eventually all existing, objects that are registered in the RIPE Database. Learn more about this new policy below.
Step 1: Query RIPEstat's Abuse Contact Finder widget
- Open https://stat.ripe.net/specials/abuse in your browser (see Figure 1)
- Fill in the IP address in the input field ("Enter an IP address") and press enter
Figure 1: RIPEstat's Abuse Contact Finder page
Step 2: How to interpret the results
The widget interface presents the results with different background colours:
- Light green for 'Abuse contacts found'
- Grey for 'No contacts found'
- Light red for 'Special purpose addresses'
Abuse contacts found
Figure 2: Abuse contact information found
If the widget can find abuse contact information, it will be shown in the box "Email Contact". However, the contact information returned might not be the one you were looking for. We implemented a rating system that shows you the reliability of the contact information found in the RIPE Database. You can find more details about the star rating system below.
If you find an email address and want to report an abuse incident, please make sure that you read the section on how to report an incident.
No abuse contact information found
If the tool could not find any abuse contacts, you will see a message on a grey background as shown in Figure 3 below.
Figure 3: No contacts found
Note that since we are not serving abuse contacts for resources outside the RIPE NCC region, you will see a similar result for resources registered with one of the other Regional Internet Registries, as shown in Figure 4 below.
Figure 4: No contacts found for resources outside the RIPE NCC service region
Special purpose addresses
There are addresses that fulfill a special purpose, such as private address space as defined in RFC 1918 (Address Allocation for Private Internets). For the majority of those resources, it is not useful to look for abuse contacts. Special purpose addresses are highlighted with a red background and come with a more detailed explanation.
Figure 5: Special purpose addresses
The accuracy of the contact information can vary depending on where it is found within the RIPE Database object. To help you decide if the contact is appropriate for reporting abuse, we implemented a rating system that indicates the likelihood that the contact found is the correct one.
Five stars: Designated abuse contact
- A queried IP address that includes an "abuse-c:" attribute in the RIPE Database conforms to . The returned contact is a designated abuse contact for the address and is deemed to be the correct contact.
Four stars: Most likely to be the correct abuse contact
- An "abuse-mailbox:" attribute was found in a database object related to the IP address queried for. This could also include related objects of the announcing network (ASN).
Three stars: Likely to be the correct abuse contact
- No "abuse-mailbox:" attribute was found in any database object related to the IP address queried for. However, contact information was found in a remark attribute, which could possibly be the abuse contact.
Two stars: Likelihood of this being the correct abuse contact is uncertain
- No abuse contact information was found for the specific IP address queried for. However, an "abuse-mailbox:" attribute was found in another object registering a more specific resource. This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it may not be the correct contact.
One star: Unlikely to be the correct abuse contact
- No abuse contact information was found for the specific IP address queried for. However, in another object registering a more specific resource, a contact address was found (but not in an "abuse-mailbox:" attribute). This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it is quite unlikely that this is the one you were searching for.
For more details on how the widget works internally, please refer to the widget documentation, which you can find when you click on the "Info" button at the bottom right corner of the widget.
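The rating rules above can be applied by hand to objects you have already pulled from the RIPE Database. The following is an added example, not RIPEstat's own code or the widget's implementation: the function names, the sample objects and the EX1-TEST handle are constructed, and it assumes an "abuse-c:" handle is resolved through a role object that carries an "abuse-mailbox:" attribute.

```python
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_rpsl(text):
    """Parse one RPSL object into ordered (attribute, value) pairs."""
    pairs = []
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def attr_values(objs, attr):
    """All values of one attribute across a list of parsed objects."""
    return [v for obj in objs for k, v in obj if k == attr]

def emails_in(objs, attrs=None):
    """Emails in the given attributes (all except abuse-mailbox if None)."""
    return [m for obj in objs for k, v in obj
            if (k in attrs if attrs else k != "abuse-mailbox")
            for m in EMAIL.findall(v)]

def rate(direct, other=(), roles=None):
    """Return (stars, email); (0, None) means no contact was found.
    direct: objects related to the queried IP; other: objects registering
    another resource (e.g. the upstream); roles: nic-hdl -> role object."""
    roles = roles or {}
    for handle in attr_values(direct, "abuse-c"):            # five stars
        box = attr_values([roles.get(handle, [])], "abuse-mailbox")
        if box:
            return 5, box[0]
    candidates = [
        (4, attr_values(direct, "abuse-mailbox")),
        (3, emails_in(direct, {"remarks"})),
        (2, attr_values(other, "abuse-mailbox")),
        (1, emails_in(other)),
    ]
    for stars, found in candidates:
        if found:
            return stars, found[0]
    return 0, None

# Constructed sample objects (documentation prefix, example domains).
ROLE = parse_rpsl("role: Example Abuse Desk\nnic-hdl: EX1-TEST\nabuse-mailbox: abuse@example.net")
WITH_ABUSE_C = parse_rpsl("inetnum: 192.0.2.0 - 192.0.2.255\nabuse-c: EX1-TEST")
WITH_REMARK = parse_rpsl("inetnum: 192.0.2.0 - 192.0.2.255\nremarks: report spam to noc@example.org")
UPSTREAM = parse_rpsl("inetnum: 192.0.2.0 - 192.0.2.127\ne-mail: hostmaster@example.com")
```

A result of one or two stars means the address came from a different object than the one covering the queried IP, so treat it as a fallback rather than a confirmed abuse desk.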
Please keep in mind that the email addresses listed may be for contact people at an ISP providing Internet services and they may not be aware that somebody is using their network in this way. They will need you to give them details of the abuse so that they can investigate it further.
- Explain what happened
- Try to explain why you think it's an abuse case
- Include the IP address
- Include the times when it happened
- Include any evidence (e.g. copy the message from your firewall, log entries etc.)
You might want to mention that you found this contact via RIPEstat's Abuse Contact Finder widget by appending this line:
"This email contact was found using RIPEstat's Abuse Contact Finder widget. Please find more information at https://stat.ripe.net/specials/abuse."
More on anti-abuse
Learn more about spamming and hacking, and what you can do about it, in the FAQs on spamming and hacking.
You can also look through the archives of the Anti-Abuse Working Group mailing list.
Currently, any abuse contact information contained in the RIPE Database is voluntarily given when an Internet number resource is registered. That means that this information may or may not be available for any given resource.
However, a new policy began implementation in 2013 that mandates the inclusion of an "abuse-c:" attribute, which contains an abuse contact, for all new objects in the RIPE Database. In addition, this policy will retroactively require abuse contact information for all pre-existing resources. As "abuse-c:" attributes are added to resources registered in the RIPE Database, RIPEstat's Abuse Contact Finder widget will return more and more reliable anti-abuse contact results. The widget rates all contacts found in the "abuse-c:" attribute with five stars, the highest rating.