Dear Reza

This is a nice example illustrating why the situation IS confused. With some knowledge of the RIPE Database you can dig in and see what you find. But there are three different ways of recording abuse contact information in the database and these can be used in many different object types. To find this information you need to look into objects referenced in objects referenced in....referenced in the object you are interested in. If you don't follow this chain of references far enough you may miss the contact details. If you follow it too far you find abuse contacts not intended for this resource.

The information you show below includes a "remarks:" attribute with an abuse email address. This is human readable and in English. If this comment was written in another of the many languages used within the RIPE region, could you be sure it was an abuse email address? This object also has a long since deprecated "trouble:" attribute. If that had been a different email address, where is the dividing line between abuse from and trouble with an IP address? There is also an "e-mail:" attribute. Should you cc: that, just to be sure?

I notice you also included the "changed:" attribute in your selection from the object and in the context of 'security related issues'. The changed details are purely administrative, virtually un-maintained and may be years out of date. It may be telling you who changed this object ten years ago.

If you put this IP address in our Abuse Finder tool it also returns the abuse contact abuse@bt.net which is missing from the details below. But finding these details by script is not easy. We can program in the relationships between different objects, which is how we found abuse@bt.net. But we cannot parse any comment as we don't know what language it is in and we can't interpret a set of words around an email address.

If the policy proposal 2011-06 is approved by the community we can work towards storing abuse contact details in one location, referenced in one way and easily readable by humans and scripts. Of course it won't solve all problems, as some people were hoping for. But it is the first step of what can be a journey towards a more complete solution.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 26/07/2012 13:23, Reza Farzan wrote:
Hello All,
I just checked the IP in question, 62.239.237.250 in Whois and there is nothing confusing about it, especially the Abuse reporting channel.
inetnum: 62.239.237.0 - 62.239.237.255
remarks: Please send abuse notification to mailto:btcertcc@bt.com
role: BT Corporate Registry
address: British Telecommunications
address: 81 Newgate Street
address: London GB
e-mail: ip.manager@bt.com
remarks: trouble: mailto: mailto:btcertcc@bt.com
And they have even listed the contact for their security related issues:
remarks: BT Security Computer Emergency Response Team
mnt-by: BTENT-MNT
changed: mailto:steve.a.marshall@bt.com
++++
Cheers,
Reza Farzan rezaf@mindspring.com
________________________________
From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Aftab Siddiqui
Sent: Thursday, July 26, 2012 6:50 AM
To: Michele Neylon :: Blacknight
Cc: Denis Walker; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Manual vs automated reports
Hi Michele
I tried that now. It's very confusing.
Agree to that.
It's not at all clear if the search box will take an IP address or not ...
Should be mentioned clearly with ? box
I tried one and got back a "result" which I could click on .. When I did I got "ERROR:115: invalid search key"
Yes, you are right. It happens many times. I guess it is still in beta phase. We have found an easy way to do it. I guess that legit
curl -i -H "Accept: application/json" "http://apps.db.ripe.net/whois/use-cases/abuse-ripe&primary-key=+62.239.237.250" | grep abuse-mail
Just pass the abuser IP (here I've mentioned the BT subnet) and that's it. It's just a workaround.
Regards,
Aftab A. Siddiqui
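
The ambiguity Denis describes at the top of this thread can be made concrete with a short script. This is an added example, not part of the original thread or any RIPE NCC tool; the sample object is constructed from the attributes quoted in the thread (mailto: prefixes dropped), and the `abuse-mailbox` attribute name is an assumption that the thread does not mention.

```python
import re

# Constructed sample: the attributes quoted in the thread, mailto: prefixes dropped.
SAMPLE = """\
inetnum: 62.239.237.0 - 62.239.237.255
remarks: Please send abuse notification to btcertcc@bt.com
role: BT Corporate Registry
e-mail: ip.manager@bt.com
trouble: btcertcc@bt.com
remarks: BT Security Computer Emergency Response Team
mnt-by: BTENT-MNT
changed: steve.a.marshall@bt.com
"""

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Caveats per attribute, taken from the points made in the message above.
CAVEATS = {
    "remarks": "free text: a script cannot tell what the address is for",
    "trouble": "deprecated attribute",
    "e-mail": "general contact, not specifically for abuse",
    "changed": "administrative record, may be years out of date",
}

def parse_object(text):
    """Return (attribute, value) pairs, joining RPSL continuation lines."""
    attrs = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":
            continue  # blank line or server comment
        if line[0] in " \t+" and attrs:  # continuation of the previous value
            key, val = attrs[-1]
            attrs[-1] = (key, f"{val} {line[1:].strip()}".strip())
            continue
        key, sep, val = line.partition(":")
        if sep:
            attrs.append((key.strip().lower(), val.strip()))
    return attrs

def email_candidates(text):
    """Every address in the object, with the attribute it came from and its caveat."""
    return [(addr.lower(), key, CAVEATS.get(key, "unclassified"))
            for key, val in parse_object(text) for addr in EMAIL.findall(val)]

def dedicated_abuse_contacts(text, attribute="abuse-mailbox"):
    """Addresses held in a dedicated abuse attribute (assumed name, not from the thread)."""
    return sorted({a for a, key, _ in email_candidates(text) if key == attribute})

if __name__ == "__main__":
    for addr, key, caveat in email_candidates(SAMPLE):
        print(f"{addr:26} {key:8} {caveat}")
    print("dedicated:", dedicated_abuse_contacts(SAMPLE))
```

On the sample, four addresses are found but none comes from a dedicated abuse attribute, and abuse@bt.net does not appear at all because, as Denis notes, it is only reachable by following references to other objects.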