information downloads whois server abuse-contact








ABUSE-CONTACT


After having determined the whois server to use, The CyberAbuse Whois searches for an Abuse-Contact email. While in previous versions of the whois, I provided a mean for ISPs or abuse-teams to correct the email caught by the parser, in this new version, the only way to get the right abuse-contact email is to have it included in the output of the IP registry whois.

More technically, here is how The CyberAbuse Whois searches for abuse entries in the different Regional Internet Registry or National Internet Registry whois's :


ARIN (North America & various historical records) :

ARIN has setup a new Point Of Contact (POC) record type for abuse reporting purpose. More informations can be found here...

So basically, all you have to do is to add an Abuse (AB) POC to your ARIN network entries to get the right abuse-contact email taken by the parser.
If your network is recorded at ARIN and another place (ie: APNIC, RIPE, JPNIC...) the whois will automatically "jump" to the right whois.


RIPE (Europe & Middle-East) :

RIPE has setup an IRT object that you should use to set the proper email to which abuse has to be reported. Only the CyberAbuse Whois version 4.5 and greater supports the RIPE IRT object. If you don't have an IRT object, you should use the abuse-mailbox object which is easier to create. If you don't have any of these, then the parser searches all the remarks/trouble/descr fields for the abuse@/security@/cert@/csirt@ strings. Then it searches for the admin-c's email and then for the tech-c's... Finally, if nothing at all is found it will return the first email address caught (the notify one most of the time (ugly I know)).
So basically, all you have to do is to create an IRT object (or abuse-mailbox) and associate it to all your inetnum's or to add an abuse@ email in the "comments/remarks" fields of all your networks ("For abuse/security issues contact abuse@...").


APNIC (Asia & Pacific) :

The parser will search for the string abuse@ in any of the email fields and then will return the admin-contact email (if set) or the technical-contact email (if set).
So basically, all you have to do is to set your technical contact email to abuse@... else admin-contact's email will be taken by default.


LACNIC (Latin American and Carib) :

The parser will return the first email found. This is quite ugly, but as LACNIC is pretty new, you might also suggest them to create an abuse-contact record. So basically, all you have to do is to set your owner-c's email to your abuse-contact email (ugly).


AFRINIC (Africa) :

The parser is the same as the RIPE one, though AFRINIC has no abuse-mailbox or IRT object.
So the parser searches all the remarks/trouble/descr fields for the abuse@/security@/cert@/csirt@ strings. Then it searches for the admin-c's email and then for the tech-c's... Finally, if nothing at all is found it will return the first email address caught (the notify one most of the time (ugly I know)).
So basically, all you have to do is add an abuse@ email in the "comments/remarks" fields of all your networks ("For abuse/security issues contact abuse@...").


KRNIC (NIR for Korea) :

KRNIC has setup a "Network Abuse Contact" record for abuse reporting purpose.
If this record is not set, the parser will take the admin-contact email or the technical-contact email or the ISP admin contact email or the ISP technical contact email (in this order).
So basically, all you have to do is to get your ISP set a "Network Abuse Contact" record.


JPNIC (NIR for Japan) :

The parser will return the Administrative Contact or Technical Contact and if none of those have set an email, then the first email found will be returned.
So basically, all you have to do is to set your Administrative Contact to your abuse contact (a bit ugly)...


BRNIC (NIR for Brazil) :

The parser will first try to search the strings abuse@ or security@ in all the email fields, then it will try to search for the abuse-c's email and finally it will return the first email found.
If no email is found, the email of the security team at nic.br will be returned. They are great and will most likely solve the issue you might have with one of their members.
So basically, all you have to do is to create an abuse-c object.

____________________


Comments/Bugs/Suggestions : philippe[At]cyberabuse.org



© 2003-2017, Philippe Bourcier - CyberAbuse