Hi Olaf,
I use the API from ISC SANS (http://isc.sans.edu/api) to do some parsing for me if needed.
cat send_abusemsg.sh
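#!/bin/sh
# Look up the abuse contact for each offending IP and mail the filled-in template.
for i in `cat uniq_IP_list`
do
  # Ask the ISC API about the IP and keep only the abusecontact value.
  abuse=`wget -q -O - "http://isc.sans.edu/api/ip/$i?text" | grep 'abusecontact' | cut -f2 -d'>' | tr -d ' '`
  # Skip IPs for which no abuse contact came back, so no mail goes out with an empty To: line.
  [ -n "$abuse" ] || continue
  sed -e "s/%%ip%%/$i/g" -e "s/%%email%%/$abuse/g" template.txt | sendmail -oi -t
done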
The uniq_IP_list is a file that has the offending IP addresses, 1 IP per line.
And the mail template that I use looks something like:
cat template.txt | more
To: %%email%%
Cc: noc@<your mail domain here>
From: abuse@<your mail domain here>
Subject: IP Address %%ip%% involved in DDoS attack

Dear abusedesk,
Please take action on the following IP address: %%ip%% due to a DDoS on an IP in our network.
</snip partial SFLOW log>
The mentioned server with IP address: %%ip%% should be looked at directly as it is probably hacked or misconfigured to be abused.
Regards,
<your ISP NOC>
Does that answer your question?
Regards,
Erik Bais
From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Olaf van der Spek
Sent: Thursday 20 June 2013 10:08
To: anti-abuse-wg@ripe.net
Subject: [anti-abuse-wg] Automatic IP -> abuse email address mapping
Hi,
I hope this is the right list for such a question.
How does one map an IP address to an abuse email address in an automated way?
I assume scripts exist, but I haven't found any. Does everyone roll their own?
--
Olaf
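
The send_abusemsg.sh script in the reply above puts a value fetched from a remote API straight into a To: header and a sed replacement. The following is an added example, not code from the thread or from ISC, showing one way to validate the IP and the returned contact first. The function names, the sample data and the "[key] => value" response layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mail. The response layout below is
# an assumption inferred from the grep/cut pipeline, not captured API output.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read an API response on stdin and print its abusecontact value only if it is
# exactly one plain address. The allowed characters exclude '/', '&', '\' and
# newlines, so the value is safe in a To: header and a sed replacement.
extract_abuse_contact() {
    contact=$(grep 'abusecontact' | cut -f2 -d'>' | tr -d ' \r')
    [ "$(printf '%s\n' "$contact" | grep -c '')" -eq 1 ] || return 1
    printf '%s\n' "$contact" |
        grep -Eqx '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' || return 1
    printf '%s\n' "$contact"
}

# Fill the template on stdin; $2 must come from extract_abuse_contact.
render_template() {
    valid_ipv4 "$1" || return 1
    sed -e "s/%%ip%%/$1/g" -e "s/%%email%%/$2/g"
}

# Constructed sample data (documentation address ranges and domains).
sample_ok='[ip] => 192.0.2.10
[abusecontact] => abuse@example.net'
sample_bad='[abusecontact] => abuse@example.net/x'
sample_template='To: %%email%%
Subject: IP Address %%ip%% involved in DDoS attack'

if to=$(printf '%s\n' "$sample_ok" | extract_abuse_contact); then
    printf '%s\n' "$sample_template" | render_template 192.0.2.10 "$to"
fi
```

In the loop, an IP or contact that fails these checks would be logged and skipped rather than mailed.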