Hi,

I'm the author of the CyberAbuse whois, which is a tool that catches the "most suitable" abuse contact email for a specific IP/host by searching in the RIRs whois result. It's security and network abuse oriented... it's used in many CERTs or IRTs.

I understand there's a new (and long-awaited) abuse-mailbox field that my program should catch in the RIPE db.

I'd like to know what you would recommend as the behavior for catching the "best possible" abuse-contact in the RIPE db.

Here is how the cyberabuse whois used to work (for RIPE):
1 - search for an IRT object (mnt-irt), if one exists, go catch the associated e-mail
2 - search for an email in all the remarks/trouble/descr fields with the abuse/security/cert/csirt string in it
3 - search for the admin-c's email, if any
4 - search for the tech-c's, if any
5 - search for the first email found

I think I'm going to add a search for the abuse-mailbox field between (1) and (2). Is this how you would do it? Any other comments/suggestions?

Sincerely,
Philippe Bourcier
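The lookup order described in the message above, with the abuse-mailbox step inserted between (1) and (2), written out as an added example; this is not the CyberAbuse whois source. The function names, the rule labels, the constructed sample objects and the reading of step 2 as "a free-text line that mentions one of the keywords" are assumptions, and the `order` argument lets other orderings be compared on the same input.

```python
import re
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
KEYWORD = re.compile(r"abuse|security|cert|csirt", re.I)
# Order from the first message, with abuse-mailbox added between steps 1 and 2.
PROPOSED = ("irt", "abuse-mailbox", "keyword", "admin-c", "tech-c", "first-email")
SAMPLE = """% constructed sample: documentation range, made-up handles
inetnum:        192.0.2.0 - 192.0.2.255
remarks:        security issues: noc-abuse@example.net
admin-c:        AB1-EXAMPLE
tech-c:         CD2-EXAMPLE

person:         Alice Admin
nic-hdl:        AB1-EXAMPLE
e-mail:         alice@example.net

role:           Example NOC
nic-hdl:        CD2-EXAMPLE
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
"""

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    return [[(k.strip().lower(), v.strip())
             for k, _, v in (l.partition(":") for l in block.splitlines())
             if v and not k.startswith("%")]
            for block in re.split(r"\n\s*\n", text.strip())]

def first_email(values):
    return next((m[0] for m in map(EMAIL.search, values) if m), None)

def pick_abuse_contact(text, order=PROPOSED):
    """Return (rule, address) for the first rule in `order` that yields an address."""
    objs = parse_objects(text)
    attrs = [kv for o in objs for kv in o]
    notes = [v for k, v in attrs if k in ("remarks", "trouble", "descr")]
    def via(ref, key):  # e-mail of the object that attribute `ref` points at
        handles = [v for k, v in attrs if k == ref]
        return first_email(v for o in objs if any((key, h) in o for h in handles)
                           for k, v in o if k == "e-mail")
    rules = {
        "irt": lambda: via("mnt-irt", "irt"),
        "abuse-mailbox": lambda: first_email(v for k, v in attrs if k == "abuse-mailbox"),
        "keyword": lambda: first_email(v for v in notes if KEYWORD.search(v)),
        "admin-c": lambda: via("admin-c", "nic-hdl"),
        "tech-c": lambda: via("tech-c", "nic-hdl"),
        "first-email": lambda: first_email(v for _, v in attrs),
    }
    return next(((n, a) for n in order if (a := rules[n]())), (None, None))
```

Returning the rule name together with the address lets a report handler see how weak the match was, for example an address that only came from the last-resort rule.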
On Tue, May 24, 2005 at 11:32:28PM +0200, Philippe Bourcier wrote:
> I'd like to know what you would recommend as the behavior for catching the "best possible" abuse-contact in the RIPE db.
>
> Here is how the cyberabuse whois used to work (for RIPE):
> 1 - search for an IRT object (mnt-irt), if one exists, go catch the associated e-mail
> 2 - search for an email in all the remarks/trouble/descr fields with the abuse/security/cert/csirt string in it
> 3 - search for the admin-c's email, if any
> 4 - search for the tech-c's, if any
> 5 - search for the first email found
> [...]
> Any other comments/suggestions?
I think steps 3 and 4 should be swapped, and 5 removed completely.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
participants (2)
- Daniel Roesen
- Philippe Bourcier