This article outlines some of the refinements made to the Abuse Finder tool based on community feedback. It also explains the heuristics of the tool.
The Abuse Finder tool has been online for a little over a month now (see Find Abuse Handler Details Using the Abuse Finder). Since we published the tool we received some excellent feedback from the forum and during the Anti Abuse working group session at the RIPE 60 Meeting where we presented the tool. We found that the heuristics used by the tool needed some refinements.
We have made the following refinements and fixed these issues:
- The Abuse Finder only accepts address space and AS Numbers as input. It will try to loosely verify the input and otherwise return a “Nothing Found” result.
- We introduced some filtering for placeholder data in the database that caused the tool to frequently and incorrectly return "abuse@ripe.net".
- We fixed the situation where the Abuse Finder returned additional results that were unrelated to the input data, because primary and indexed keys are not unique for different object types.
- We implemented recursive search through layers of personal data (for example, role -> role -> person).
With these refinements the Abuse Finder returns much more accurate and focused results.
The updated Abuse Finder tool can be found here: https://apps.db.ripe.net/search/abuse-finder.html
The Abuse Finder heuristics explained
A question frequently asked was what exact logic the Abuse Finder tool uses to come to the results.
Because there isn’t a single method or even a documented best practice for recording abuse contact information in the RIPE Database, we implemented a set of rules that we feel harvest the most useful results.
These are the steps taken to get to its results:
- Look up the given AUT-NUM, INETNUM or INET6NUM object
- Find the reference to an IRT object, if one exists
- Look up the referenced ROLE, PERSON and ORGANISATION objects
- Extract the matching ROUTE[6] objects
- Look up the ROLE, PERSON and ORGANISATION objects they reference
- Look up the referenced MNTNER objects
We remove duplicate entries from the resulting collection of objects. We then extract the abuse-mailboxes and pointers to objects that contain abuse related text in the remarks field.
The total number of queries the service makes to the RIPE Database may range between 30 and 150. This depends largely on the number of referenced objects the routine has to retrieve.
For example, when we query for “193.0.0.1” the Abuse Finder performs 37 separate queries to the RIPE Database.
Here are the exact queries that were performed:
whois -B -r -T inetnum,inet6num 193.0.0.1
whois -B -r -G 193.0.0.0 - 193.0.7.255
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role OPS4-RIPE
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role GL7321-RIPE
whois -r -B -T person,role JA47
whois -r -B -T person,role MENN1-RIPE
whois -r -B -T person,role EMIL-RIPE
whois -r -B -T person,role SSIE-RIPE
whois -r -B -T person,role RCO-RIPE
whois -r -B -T person,role APZ-RIPE
whois -r -B -T person,role CNAG-RIPE
whois -r -B -T person,role SMCA-RIPE
whois -r -B -T person,role BOH-RIPE
whois -r -B -T mntner RIPE-NCC-MNT
whois -r -B -T mntner RIPE-NCC-RIS-MNT
whois -r -B -T person,role AP110-RIPE
whois -r -B -T person,role OPS4-RIPE
whois -r -B -T person,role MD1601-RIPE
whois -r -B -T person,role RISM-RIPE
whois -r -B -T person,role AMR68-RIPE
whois -r -B -T person,role BRD-RIPE
whois -r -B -T person,role GL7321-RIPE
whois -r -B -T person,role JA47
whois -r -B -T person,role MENN1-RIPE
whois -r -B -T person,role EMIL-RIPE
whois -r -B -T person,role SSIE-RIPE
whois -r -B -T person,role RCO-RIPE
whois -r -B -T person,role APZ-RIPE
whois -r -B -T person,role CNAG-RIPE
whois -r -B -T person,role SMCA-RIPE
whois -r -B -T person,role BOH-RIPE
whois -r -B -T person,role EROM1-RIPE
whois -r -B -T person,role VAA
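The lookup order described above, written out as a small Python re-implementation that runs against an in-memory set of RPSL objects. This is an added illustration, not the RIPE NCC's Abuse Finder code, and it simplifies in a few places: it accepts IPv4 addresses only (no AS Numbers), it models each whois lookup as a method call on a toy database so the query count can be compared with the trace above, it does not repeat a query for an object it has already fetched (the real trace re-queries handles such as AMR68-RIPE three times), and the objects in the TEST source, the "placeholder" remark convention and all handles are constructed for the example. The index is keyed by object type as well as primary key, which is the fix for unrelated objects sharing a key across types; the type filter in each lookup mirrors the -T option of the whois queries.

```python
import ipaddress
import re

# Constructed RPSL objects in a made-up TEST source; not real RIPE Database data.
SAMPLE_DB = """
inetnum:       192.0.2.0 - 192.0.2.255
admin-c:       NOC1-TEST
mnt-irt:       IRT-EXAMPLE

irt:           IRT-EXAMPLE
abuse-mailbox: abuse@example.net

role:          Example NOC
nic-hdl:       NOC1-TEST
tech-c:        HD1-TEST
remarks:       report abuse to abuse-desk@example.net

role:          Example Helpdesk
nic-hdl:       HD1-TEST
admin-c:       JD1-TEST

person:        John Doe
nic-hdl:       JD1-TEST
abuse-mailbox: jdoe-abuse@example.net

route:         192.0.2.0/24
mnt-by:        ROUTE-MNT

mntner:        ROUTE-MNT
admin-c:       PH1-TEST

role:          Placeholder Role
nic-hdl:       PH1-TEST
remarks:       placeholder object, do not use
abuse-mailbox: abuse@ripe.net
"""
# Referencing attribute -> object types it may point to (the -T filter of each query).
REFERENCES = {"admin-c": ("person", "role"), "tech-c": ("person", "role"),
              "org": ("organisation",), "mnt-by": ("mntner",), "mnt-irt": ("irt",)}

def parse_rpsl(text):
    """One object per blank-line-separated block, as (attribute, value) pairs; pair 0 is the primary key."""
    return [[tuple(p.strip() for p in line.partition(":")[::2]) for line in block.splitlines()]
            for block in re.split(r"\n\s*\n", text.strip())]

class ToyWhois:  # stands in for the RIPE Database; each method call counts as one whois query
    def __init__(self, text):
        self.objects, self.queries, self.index = parse_rpsl(text), 0, {}
        for obj in self.objects:
            for key in {obj[0][1]} | {v for k, v in obj if k == "nic-hdl"}:
                self.index[(obj[0][0], key)] = obj  # type-qualified: same key, other type, other object

    def lookup(self, types, key):
        """Like `whois -r -B -T type1,type2 KEY`: only the requested object types come back."""
        self.queries += 1
        return [self.index[(t, key)] for t in types if (t, key) in self.index]

    def covering(self, obj_type, ip):
        """inetnum ranges or route prefixes of obj_type that contain ip, most specific first."""
        self.queries += 1
        hits = []
        for obj in (o for o in self.objects if o[0][0] == obj_type):
            key = obj[0][1]
            if "-" in key:  # inetnum: "first - last"
                lo, hi = (ipaddress.ip_address(p.strip()) for p in key.split("-"))
                size, inside = int(hi) - int(lo), lo <= ip <= hi
            else:           # route: CIDR prefix
                net = ipaddress.ip_network(key)
                size, inside = net.num_addresses, ip in net
            if inside:
                hits.append((size, obj))
        return [obj for _, obj in sorted(hits, key=lambda h: h[0])]

def find_abuse(db, ip_text):
    """Abuse mailboxes, abuse-related remarks and the query count for an IP; None = 'Nothing Found'."""
    try:
        ip = ipaddress.ip_address(ip_text)  # loose input verification
    except ValueError:
        return None
    collected, seen = [], set()

    def visit(obj):  # depth-first through every reference (role -> role -> person), once per object
        if obj[0] in seen:
            return
        seen.add(obj[0])
        collected.append(obj)
        for attr, value in obj:
            if attr in REFERENCES:
                for ref in db.lookup(REFERENCES[attr], value):
                    visit(ref)

    for obj in db.covering("inetnum", ip)[:1] + db.covering("route", ip):
        visit(obj)  # most specific inetnum first, then every matching route object
    mailboxes, pointers = [], []
    for obj in collected:
        # Assumption: a placeholder object says so in its remarks (constructed convention).
        if any(k == "remarks" and "placeholder" in v.lower() for k, v in obj):
            continue
        for attr, value in obj:
            if attr == "abuse-mailbox" and value not in mailboxes:
                mailboxes.append(value)
            elif attr == "remarks" and "abuse" in value.lower():
                pointers.append((obj[0][1], value))
    return {"abuse-mailbox": mailboxes, "remarks": pointers, "queries": db.queries}
```

Calling find_abuse(ToyWhois(SAMPLE_DB), "192.0.2.10") walks inetnum -> role -> role -> person and inetnum -> irt, then route -> mntner -> role, and returns the two real abuse mailboxes plus the NOC remark as a pointer; the placeholder role's abuse@ripe.net is dropped, and an address outside any object, or a string that is not an address at all, yields an empty result or None respectively. The "seen" set is what keeps the query count well below the real tool's, which in the trace above re-fetches the same handles once per referencing object.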
We are looking forward to your feedback.
Are there other searches that you need to perform frequently that we could group in a similar tool?
Any such searches we call “Use Case searches” and we’re looking forward to receiving some suggestions.
You can post your comments or send an email to the RIPE Labs mailbox.