No one wants to have to deal with a suspected abuse case, but at least RIPEstat can help you to find available anti-abuse contact information in the RIPE Database easily. In this article we show you when and how you can use RIPEstat to do that.
NOTE: This article was updated 17 April 2013 with information about the inclusion of a fifth star as the highest rating possible for a returned abuse contact. This fifth star is the result of a new policy that began improving the management of abuse contact details in the RIPE Database in early 2013 (see more below).
Using RIPEstat to find abuse contacts
Below, we describe how to use RIPEstat to look up any abuse contact information that might be available for a particular IP address, as abuse cases are usually connected with a single IP address. However, it is also possible to look up information for prefixes or ASNs.
You can learn more about how to identify the IP address responsible in the FAQs on spamming and hacking. Once you have identified the IP address related to the abuse, you can use RIPEstat to help find the correct contact information to report the abuse.
The RIPEstat Abuse Contact Finder widget searches and returns information contained in the RIPE Database in a consolidated, easy-to-read format. For now, the RIPE Database may or may not contain abuse contact information for a given IP address, but a new policy is being implemented that makes abuse contact information mandatory for all new, and eventuall all existing, objects that are registered in the RIPE Database. Learn more about this new policy below.
Step 1: Query RIPEstat's Abuse Contact Finder widget
- Open https://stat.ripe.net/specials/abuse in your browser (see Figure 1)
- Fill in the IP address in the input field ("Enter an IP address") and press enter
Step 2: How to interpret the results
The widget interface presents the results with different background colours:
- Light green for 'Abuse contacts found'
- Grey for 'No contacts found'
- Light red for 'Special purpose addresses'
Abuse contacts found
If the widget can find abuse contact information, it will be shown in the box "Email Contact". However, the contact information returned might not be the one you were looking for. We implemented a rating system that shows you the reliabilty of the contact information found in the RIPE Database. You can find more details about the star rating system below.
If you find an email address and want to report an abuse incident, please make sure that you read the section on how to report an incident.
No abuse contact information found
If the tool could not find any abuse contacts, you will see a message on a grey background as shown in Figure 3 below.
Note that since we are not serving abuse contacts for resources outside the RIPE NCC region, you will see a similar result for resources registered with one of the other Regional Internet Registries, as shown in Figure 4 below.
Special purpose addresses
There are addresses that fulfill a special purpose, such as private address space as defined in RFC 1918 (Address Allocation for Private Internets). For the majority of those resources, it is not useful to look for abuse contacts. Special purpose addresses are highlighted with a red background and come with a more detailed explanation.
How the widget works internally
The accuracy of the contact information can vary depending on where it is found within the RIPE Database object. To help you decide if the contact is appropriate for reporting abuse, we implemented a rating system that indicates the likelihood that the contact found is the correct one.
Five stars: Designated abuse contact
- A queried IP address that includes an "abuse-c:" attribute in the RIPE Database conforms to ripe-563. The returned contact is a designated abuse contact for the address and is deemed to be the correct contact.
Four stars: Most likely to be the correct abuse contact
- An "abuse-mailbox:" attribute was found in a database object related to the IP address queried for. This could also include related objects of the announcing network (ASN).
Three stars: Likely to be the correct abuse contact
- No "abuse-mailbox:" attribute was found in any database object related to the IP address queried for. However, contact information was found in a remark attribute, which could possibly be the abuse contact.
Two stars: Likelihood of this being the correct abuse contact is uncertain
- No abuse contact information was found for the specific IP address queried for. However, an "abuse-mailbox:" attribute was found in another object registering a more specific resource. This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it may not be the correct contact.
One star: Unlikely to be the correct abuse contact
- No abuse contact information was found for the specific IP address queried for. However, in another object registering a more specific resource, a contact address was found (but not in an "abuse-mailbox:" attribute). This could be the upstream provider for the resource you are looking for, so you could try to use this abuse contact information, but it is quite unlikely that this is the one you were searching for.
For more details on how the widget works internally, please refer to the widget documentation, which you can find when you click on the "Info" button at the bottom right corner of the widget.
How to report a suspected abuse incident
Please keep in mind that the email addresses listed may be for contact people at an ISP providing Internet services and they may not be aware that somebody is using their network in this way. They will need you to give them details of the abuse so that they can investigate it further.
- Explain what happened
- Try to explain why you think it's an abuse case
- Include the IP address
- Include the times when it happened
- Include any evidence (e.g. copy the message from your firewall, log entries etc.)
You might want to mention that you found this contact via RIPEstat's Abuse Contact Finder widget by appending this line:
"This email contact was found using RIPEstat's Abuse Contact Finder widget. Please find more information at https://stat.ripe.net/specials/abuse."
More on anti-abuse
Learn more about spamming and hacking, and what you can do about it, in the FAQs on spamming and hacking.
You can also look through the archvies of the Anti-Abuse Working Group mailing list.
Changes to anti-abuse information in the RIPE Database
Currently, any abuse contact information contained in the RIPE Database is voluntarily given when an Internet number resource is registered. That means that this information may or may not be available for any given resource.
However, a new policy began implementation in 2013 that mandates the inclusion of an "abuse:c" attribute, which contains an abuse contact, for all new objects in the RIPE Database. In addition, this policy will retroactively require abuse contact information for all pre-existing resources. As "abuse:c" attributes are added to resources registered in the RIPE Database, RIPEstat's Abuse Contact Finder widget will return more and more reliable anti-abuse contact results. The widget rates all contacts found in the "abuse:c" attribute with five stars, the highest rating.
Read details of the full policy in RIPE Document 563, "Abuse Contact Management in the RIPE Database" or learn more about the implementation of ripe-563 in this RIPE Labs article.
Comments 6
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
Craig Shaver •
Is there a way to get this in plain text using a program interface such as a perl script?
Hide replies
Christian Teuschel •
Hi Craig, Yes, there is - the RIPEstat Data API! Specifically for abuse contact information you can find the documentation here: https://stat.ripe.net/docs/data_api#AbuseContactFinder The standard output format is JSON, so you can use it with all common scripting languages. The Abuse-Contact widget itself is based on this REST-like API. Best regards, Christian Teuschel
Anonymous •
Any advice on what to do if the abuse contact email (5 stars) given by the widget is bad?
Hide replies
Christian Teuschel •
Dear User, There are various reasons why an abuse contact (aka. abuse-c attribute) can be a source of frustration for users trying to report abuse incidences. Among them are typos in the contact address, technical problems at the side of the recipient or simply mailboxes that are not maintained/read. Most of these problems are easy to fix but currently there is not procedure in place for users respectively the RIPE NCC to correct/validate abuse contacts given by the resource holders. For this to happen it needs a mandate from the Internet community. Ideally preceded by discussion in the Anti-Abuse Working Group [1] with a clear, unanimous outcome. I would not recommend to browse inet(6)num or aut-num objects in the RIPE DB for occurrences of previously used "abuse-mailbox" attributes or abuse contacts stated in the remarks. Best regards, Christian Teuschel [1] https://www.ripe.net/ripe/groups/wg/anti-abuse
Anonymous •
What do you do about bogus/non-functioning contact addresses listed in the database? Namely, this: ----- The following addresses had permanent fatal errors ----- <abuse@respina.net> (reason: 550 Administrative prohibition)
Hide replies
Claudia Pacifici •
Dear database user, The RIPE NCC allocates IP address space to operators. They assign those addresses to their networks and customers. The allocation is registered in the RIPE Database by the RIPE NCC and the assignments by the operators themselves. The contact information referenced is placed in the RIPE Database by the network operators and can be changed by them at any time using the automatic interface made available (to everyone) by the RIPE NCC. We kindly ask you to report the incorrect information to all contacts listed in the relevant object. You can find the contact details in the contact details in the admin-c, tech-c, email and mnt- attributes of the relevant objects in the RIPE database. If you need assistance using the RIPE Database, please contact us at ripe-dbm@ripe.net When you have contacted all contacts without success (e.g. no reply, or not willing to update the object), you can send us a report form. To submit a report, please complete this form: www.ripe.net/report-form We will acknowledge receipt of the report and inform you whether an investigation will be conducted. Kind regards, Claudia Pacifici