Christian Teuschel

Finding Abuse Contact Information with RIPEstat

Contributors: Suzanne Taylor Muzzin

No one wants to have to deal with a suspected abuse case, but at least RIPEstat can help you to find available anti-abuse contact information in the RIPE Database easily. In this article we show you when and how you can use RIPEstat to do that.


 

Note: Since 2015 the RIPEstat Abuse Contact Finder does not provide rating heuristics anymore. It only shows the abuse-c e-mail address as specified in RIPE Document 563, "Abuse Contact Management in the RIPE Database".

NOTE: This article was updated 17 April 2013 with information about the inclusion of a fifth star as the highest rating possible for a returned abuse contact. This fifth star is the result of a new policy that began improving the management of abuse contact details in the RIPE Database in early 2013 (see more below).

Using RIPEstat to find abuse contacts

Below, we describe how to use RIPEstat to look up any abuse contact information that might be available for a particular IP address, as abuse cases are usually connected with a single IP address. However, it is also possible to look up information for prefixes or ASNs.

You can learn more about how to identify the IP address responsible in the FAQs on spamming and hacking. Once you have identified the IP address related to the abuse, you can use RIPEstat to help find the correct contact information to report the abuse.

The RIPEstat Abuse Contact Finder widget searches and returns information contained in the RIPE Database in a consolidated, easy-to-read format. For now, the RIPE Database may or may not contain abuse contact information for a given IP address, but a new policy is being implemented that makes abuse contact information mandatory for all new, and eventually all existing, objects that are registered in the RIPE Database. Learn more about this new policy below.

Step 1: Query RIPEstat's Abuse Contact Finder widget

  • Fill in the IP address in the input field ("Enter an IP address") and press enter

Figure 1: RIPEstat's Abuse Contact Finder page

Step 2: How to interpret the results

The widget interface presents the results with different background colours:

  • Light green for 'Abuse contacts found'
  • Grey for 'No contacts found'
  • Light red for 'Special purpose addresses'

Abuse contacts found

 

Figure 2: Abuse contact information found

If the widget can find abuse contact information, it will be shown in the box "Email Contact". However, the contact information returned might not be the one you were looking for. We implemented a rating system that shows you the reliability of the contact information found in the RIPE Database. You can find more details about the star rating system below.

If you find an email address and want to report an abuse incident, please make sure that you read the section on how to report an incident.

No abuse contact information found

If the tool could not find any abuse contacts, you will see a message on a grey background as shown in Figure 3 below.

Figure 3: No contacts found

Note that since we are not serving abuse contacts for resources outside the RIPE NCC region, you will see a similar result for resources registered with one of the other Regional Internet Registries, as shown in Figure 4 below.

Figure 4: No contacts found for resources outside the RIPE NCC service region

Special purpose addresses

There are addresses that fulfill a special purpose, such as private address space as defined in RFC 1918 (Address Allocation for Private Internets). For the majority of those resources, it is not useful to look for abuse contacts. Special purpose addresses are highlighted with a red background and come with a more detailed explanation.

Figure 5: Special purpose addresses

How the widget works internally

The accuracy of the contact information can vary depending on where it is found within the RIPE Database object. To help you decide if the contact is appropriate for reporting abuse, we implemented a rating system that indicates the likelihood that the contact found is the correct one.

Five stars: Designated abuse contact

  • A queried IP address that includes an "abuse-c:" attribute in the RIPE Database conforms to ripe-563. The returned contact is a designated abuse contact for the address and is deemed to be the correct contact.


Four stars: Most likely to be the correct abuse contact

  • An "abuse-mailbox:" attribute was found in a database object related to the IP address queried for. This could also include related objects of the announcing network (ASN).


Three stars: Likely to be the correct abuse contact

  • No "abuse-mailbox:" attribute was found in any database object related to the IP address queried for. However, contact information was found in a remark attribute, which could possibly be the abuse contact.


Two stars: Likelihood of this being the correct abuse contact is uncertain

  • No abuse contact information was found for the specific IP address queried for. However, an "abuse-mailbox:" attribute was found in another object registering a more specific resource. This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it may not be the correct contact.


One star: Unlikely to be the correct abuse contact

  • No abuse contact information was found for the specific IP address queried for. However, in another object registering a more specific resource, a contact address was found (but not in an "abuse-mailbox:" attribute). This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it is quite unlikely that this is the one you were searching for.


For more details on how the widget works internally, please refer to the widget documentation, which you can find when you click on the "Info" button at the bottom right corner of the widget.
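The rating tiers described above amount to an ordered lookup that stops at the first source yielding a contact. The following Python sketch is an added example, not RIPEstat's code: the split into `direct` and `other` objects, the resolution of "abuse-c:" through a role object's "abuse-mailbox:", the use of the "remarks:" and "e-mail:" attributes, the `is_global` check standing in for the special-purpose test, and all sample objects are assumptions made for illustration.

```python
import ipaddress
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_rpsl(text):
    """Parse one RPSL-style object into (attribute, value) pairs."""
    pairs = (line.partition(":") for line in text.strip().splitlines())
    return [(key.strip().lower(), value.strip()) for key, _, value in pairs]

def find_email(objs, attrs):
    """First e-mail address found in any of the given attributes."""
    for obj in objs:
        for key, value in obj:
            match = EMAIL.search(value)
            if key in attrs and match:
                return match.group(0)
    return None

def rate_contact(ip, direct, other, roles):
    """Return (result, stars, email) for the tiers described in the article.
    Sketch only; the inputs and attribute choices below are assumptions:
    direct: objects related to the queried IP (or its announcing ASN)
    other:  objects registering another resource, e.g. the upstream provider
    roles:  nic-hdl -> role object, used to resolve "abuse-c:" references
    """
    if not ipaddress.ip_address(ip).is_global:   # e.g. RFC 1918 space
        return ("Special purpose addresses", None, None)
    for obj in direct:                           # five stars: abuse-c
        for key, value in obj:
            if key == "abuse-c" and value in roles:
                email = find_email([roles[value]], {"abuse-mailbox"})
                if email:
                    return ("Abuse contacts found", 5, email)
    tiers = [(4, direct, {"abuse-mailbox"}),     # dedicated attribute
             (3, direct, {"remarks"}),           # address in a remark
             (2, other, {"abuse-mailbox"}),      # other object, dedicated
             (1, other, {"e-mail", "remarks"})]  # other object, generic
    for stars, objs, attrs in tiers:
        email = find_email(objs, attrs)
        if email:
            return ("Abuse contacts found", stars, email)
    return ("No contacts found", None, None)

# Constructed sample objects; every handle and mailbox here is made up.
ROLES = {"AB1-EXAMPLE": parse_rpsl("role: Abuse Desk\nabuse-mailbox: abuse@isp.example")}
WITH_ABUSE_C = [parse_rpsl("netname: EXAMPLE-NET\nabuse-c: AB1-EXAMPLE")]
REMARK_ONLY = [parse_rpsl("netname: EXAMPLE-NET\nremarks: report spam to noc@isp.example")]
UPSTREAM = [parse_rpsl("netname: UPSTREAM-NET\ne-mail: hostmaster@upstream.example")]
```

Calling `rate_contact` with a private address returns the special-purpose result before any object is inspected, which mirrors the order in which the widget's three result types are presented.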

How to report a suspected abuse incident

Please keep in mind that the email addresses listed may be for contact people at an ISP providing Internet services and they may not be aware that somebody is using their network in this way. They will need you to give them details of the abuse so that they can investigate it further.

  • Explain what happened
  • Try to explain why you think it's an abuse case
  • Include the IP address
  • Include the times when it happened
  • Include any evidence (e.g. copy the message from your firewall, log entries etc.)

You might want to mention that you found this contact via RIPEstat's Abuse Contact Finder widget by appending this line:

"This email contact was found using RIPEstat's Abuse Contact Finder widget. Please find more information at https://stat.ripe.net/specials/abuse."

More on anti-abuse

Learn more about spamming and hacking, and what you can do about it, in the FAQs on spamming and hacking.

You can also look through the archives of the Anti-Abuse Working Group mailing list.

Changes to anti-abuse information in the RIPE Database

Currently, any abuse contact information contained in the RIPE Database is voluntarily given when an Internet number resource is registered. That means that this information may or may not be available for any given resource.

However, implementation of a new policy began in 2013 that mandates the inclusion of an "abuse-c:" attribute, which contains an abuse contact, for all new objects in the RIPE Database. In addition, this policy will retroactively require abuse contact information for all pre-existing resources. As "abuse-c:" attributes are added to resources registered in the RIPE Database, RIPEstat's Abuse Contact Finder widget will return more and more reliable anti-abuse contact results. The widget rates all contacts found in the "abuse-c:" attribute with five stars, the highest rating.

Read details of the full policy in RIPE Document 563, "Abuse Contact Management in the RIPE Database" or learn more about the implementation of ripe-563 in this RIPE Labs article.


About the author

Christian Teuschel, based in Amsterdam

Christian Teuschel joined the RIPE NCC in 2010 and is currently a System Architect in the Research and Development department. He is responsible for the development and operation of RIPEstat, a widely used, web-based interface that provides data on Internet address space and related information for countries and hostnames. He also contributes to RIPE Atlas and other services provided by the RIPE NCC. Christian is co-author of the RIPE Document "Sources of Abuse Contact Information for Abuse Handlers" (ripe-658). Expertise: RIPEstat, Internet measurements, Internet Abuse, RIPE Labs, Data Quality
