[anti-abuse-wg] Automatic IP -> abuse email address mapping
Frank Gadegast
ripe-anti-spam-wg at powerweb.de
Thu Jun 20 11:17:45 CEST 2013
Erik Bais wrote:
> Hi Olaf,

Hi,

this interface does not find all possible abuse contacts, an example for

http://isc.sans.edu/api/ip/5.76.13.127

<ip><number>5.76.13.127</number><count>0</count><attacks>0</attacks><maxdate>0</maxdate><mindate>0</mindate><updated>0</updated><country> KZ </country><as>9198 </as><asname> KAZTELECOM-AS JSC Kazakhtelecom</asname><network> 5.76.0.0/16 </network><comment/></ip>

no abuse contact, where a

# whois.ripe -b 5.76.13.127
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse.spam at telecom.kz

finds one ...

Kind regards, Frank

>
> I use the API from ISC SANS (http://isc.sans.edu/api ) to do some
> parsing for me if needed.
>
> cat send_abusemsg.sh
>
> #!/bin/sh
> for i in `cat uniq_IP_list`
> do
>     abuse=`wget -O - http://isc.sans.edu/api/ip/"$i"?text | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
>     cat template.txt | sed "s/%%ip%%/$i/" | sed "s/%%email%%/$abuse/" | sendmail -oi -t
> done
>
> the uniq_IP_list is a file that has the offending IP addresses. 1 IP per
> line.
>
> and the mail template that I use looks something like :
>
> cat template.txt | more
>
> To: %%email%%
> Cc: noc@<your mail domain here>
> From: abuse@<your mail domain here>
> Subject: IP Address %%ip%% involved in DDoS attack
>
> Dear abusedesk,
>
> Please take action on the following IP address: %%ip%% due to a DDoS
> on an IP in our network.
>
> </snip partial SFLOW log>
>
> The mentioned server with IP address: %%ip%% should be looked at
> directly as it is probably hacked or misconfigured to be abused.
>
> Regards,
>
> <your ISP NOC>
>
> Does that answer your question?
>
> Regards,
>
> Erik Bais
>
> *From:* anti-abuse-wg-bounces at ripe.net
> [mailto:anti-abuse-wg-bounces at ripe.net] *On Behalf Of* Olaf van der Spek
> *Sent:* Thursday 20 June 2013 10:08
> *To:* anti-abuse-wg at ripe.net
> *Subject:* [anti-abuse-wg] Automatic IP -> abuse email address mapping
>
> Hi,
>
> I hope this is the right list for such a question.
>
> How does one map an IP address to an abuse email address in an automated
> way?
>
> I assume scripts exist, but I haven't found any. Does everyone roll
> their own?
>
>
> --
> Olaf
>
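
Added example (not part of the original message or thread): a POSIX sh sketch of the fallback this message points to, using the abuse-mailbox attribute from whois output (as returned by the -b query shown above) when the API lookup yields nothing, and validating the address before it reaches the sed substitution and the To: header read by sendmail -t. The function names and the sample address are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# Print the first abuse-mailbox value found in RIPE whois output on stdin.
abuse_from_whois() {
    sed -n 's/^abuse-mailbox:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only for one conservative-looking address. Rejecting '/', '&',
# backslash, whitespace and newlines keeps a lookup result from altering the
# sed replacement or adding extra mail headers.
is_safe_address() {
    case $1 in
        ''|*[!A-Za-z0-9@._%+-]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# pick_abuse_contact API_VALUE WHOIS_TEXT
# Prefer the value the API lookup produced; fall back to the whois attribute.
# Prints the chosen address, or prints nothing and returns 1 if neither is usable.
pick_abuse_contact() {
    for candidate in "$1" "$(printf '%s\n' "$2" | abuse_from_whois)"; do
        if is_safe_address "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample input: the inetnum range is the one quoted in the message,
# the mailbox is a placeholder address.
SAMPLE_WHOIS='% This is the RIPE Database query service.
inetnum:        5.76.8.0 - 5.76.15.255
abuse-mailbox:  abuse@example.net'

# The API returned no contact for this IP, so the whois value is used.
pick_abuse_contact '' "$SAMPLE_WHOIS"
```

In a loop like the one quoted above, an IP for which pick_abuse_contact returns 1 would be skipped or logged rather than mailed with an empty To: header.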