FAQ: Hacking & Spamming

Oct 2010 — faq

Is the RIPE NCC spamming/hacking me? →

The RIPE NCC is not responsible for spamming or hacking. The RIPE NCC network is never used to facilitate the sending of spam or any other kind of network abuse and the RIPE NCC never sends unsolicited/spam/phishing emails.

The RIPE NCC is responsible for the allocation of blocks of IP address space to Local Internet Registries (LIRs). These LIRs then assign addresses to their customers or use them in their own networks.

The RIPE NCC is therefore listed as a contact for these blocks in the RIPE Database.

However, if you suspect that the spam, hacking or network abuse originates from the following IP blocks, please contact us at ncc _at_ ripe _dot_ net as soon as possible. These ranges are resources from the RIPE NCC.

193.0.0.0 - 193.0.31.255
2001:67c:2e8::/48
2001:67c:64::/48

If the IP address falls outside these ranges, we are unable to investigate the matter.

How can I find out who is spamming me? →

You can identify which IP address was used to send a spam email by checking the “received” line in the full email header as shown below:

spamFAQs16dec_final

You can see which organisation is responsible for the IP address in the RIPE Database: https://apps.db.ripe.net/search/query.html

Enter the IP address in the box and click “Search”. The output will look similar to this:

inetnum:        10.25.100.0 - 10.25.100.255
netname:        EXAMPLE-PROVIDER2
descr:          Example-Provider BV
descr:          ADSL IP numbers
country:        NL
admin-c:        EP65536-RIPE
tech-c:         EP65536-RIPE
status:         ASSIGNED PA
abusemailbox:  abuse _at_ example _dot_ org
mnt-by:         EP65555-MNT
changed:        operations.employee _at_ example _dot_ org 20060422
source:         RIPE

This shows you which organisation is responsible for the IP address.

If the output says “IANA” or “The whole IPv4 address space”, the IP address may not be registered by the RIPE NCC and you can widen your search to include the databases of the other Regional Internet Registries (RIRs) listed under “Global Resource Service”.

Note: Doing this will return several placeholder objects and you may need to scroll down to find the holder of the IP address. Alternatively, you can search the other RIR databases directly.

If you suspect that the spam, hacking or network abuse originates from the following IP blocks, please contact us at ncc _at_ ripe _dot_ net as soon as possible. These ranges are resources from the RIPE NCC.

193.0.0.0 - 193.0.31.255
2001:67c:2e8::/48
2001:67c:64::/48

If the IP address falls outside these ranges, we are unable to investigate the matter.

What can I do about spam/hacking? →

Once you have identified which IP address is being used to send abuse and which organisation is responsible for the IP address, you can report the incident. You can use the Abuse Finder tool or search the RIPE Database in order to find contact details:

Abuse Finder

https://apps.db.ripe.net/search/abuse-finder.html

The Abuse Finder tool makes it easier to find the right contact details to report abuse coming from a certain IP address. Enter the IP address in the box and click “Search”. The output will look similar to this:

Objects with abuse related remarks:

role: RFC1918-RIPE

person: EMIL-RIPE

person: CNAG-RIPE

person: BOH-RIPE

Click on any of the objects to find contact information for abuse-related complaints within the network you have searched for.

Please keep in mind that the email addresses listed may be for contact people at an ISP providing Internet services and they may not be aware that somebody is using their network in this way. They will need you to give them details of the abuse so that they can investigate it further.

In case of spam, forward a copy of the spam email, including the full header. In case of hacking or phishing, include as much relevant information as possible to make it easier for the ISP to locate and deal with the abuser. If your firewall software has generated a log file of the attack, then you should include that. If not, try to include at least:

The IP address that attempted the network intrusion
The date
The time
The time zone

RIPE Database

https://apps.db.ripe.net/search/query.html

If there is no abuse-related contact information in the object, you can also search the RIPE Database manually for other contact details, for example, maintainers and administrative or technical contacts. Please do not use the email address in the “changed” line.

If you have any questions about how to search the RIPE Database, please send an email to ripe-dbm _at_ ripe _dot_ net.

Incorrect contact information in the RIPE Database

If you notice that some information is outdated in a RIPE Database object and have already tried to contact the relevant maintainer of the object, we can forward your report to the person responsible for maintaining the registration. We will track the report and make sure this person takes appropriate action (e.g., assisting with updating an entry in the RIPE Database).
Go to the RIPE NCC Reporting Procedure.

193.0.0.0 - 193.0.31.255
2001:67c:2e8::/48
2001:67c:64::/48

If the IP address falls outside these ranges, we are unable to investigate the matter.

What can the RIPE NCC do about spam/hacking? →

The RIPE NCC cannot do anything about spam or hacking. It is responsible for the allocation of blocks of IP address space to Local Internet Registries (LIRs). These LIRs then assign IP addresses to their customers or use them in their own networks. The RIPE NCC is not a service provider and has no jurisdiction over, or responsibility for, how the IP addresses it assigns or allocates are used. It is unable to investigate any complaints about spamming.

193.0.0.0 - 193.0.31.255
2001:67c:2e8::/48
2001:67c:64::/48

If the IP address falls outside these ranges, we are unable to investigate the matter.

Where can I find out more about spam/hacking? →

ISPs can find more information about preventing spam here:

Good Practice In Minimising Email Abuse

Anti-Abuse Working Group

Sections

FAQ: Hacking & Spamming