ABUSEEMAIL

Section: User Contributed Perl Documentation (1)
Updated: perl 5.006
 

NAME

abuseEmail - Finds out abuse email addresses for a specified IP address  

SYNOPSIS

abuseEmail [OPTIONS] ip-address  

DESCRIPTION

abuseEmail receives an IP address and tries to find out, using its internal whois and DNS clients, the email address of the party responsible for it.  

OPTIONS


--verbose i
Set verbosity level to i. The verbosity levels are:
0: silent, only output the result
1: same as 0 but also output fatal errors (default)
2: same as 1 but also output non-fatal errors
5: the script will explain every action it makes. Set to 5 if you want to understand how abuseEmail works.
--noUseHostname
Don't use the hostname to guess some addresses. Depending on the severity of the attack, you may want to try some simple guesses at abuse email addresses. For example, if you've just been portscanned by host.provider.com, writing to abuse@provider.com is a good idea. If you're being DoSed by an attacker, you may bypass the service provider and email their uplink provider directly.
--noUseAbuseNet
abuseEmail can pass all the emails it finds to the abuse.net whois service. For most domains, this finds the right email address to report your problem to. As with --noUseHostname, you may want to deactivate this if you're reporting an urgent problem.
--noUseDNSsoa
Don't try to dig the IP subnet's manager email address from the DNS SOA record. You may want to deactivate this if you're reporting something that is not urgent.
--noUseWhoisIP
Don't use Whois to look up the IP address. This is really here for uniformity, since you will almost always want to use Whois.
--showCommands
This is for educational use only. 8) This will show the Unix equivalent command for every query made. That way, you can reproduce the technique used by abuseEmail.
--batch
Outputs the result in a way that is easier to parse in a script. The output will look like: 127.123.123.123:abuse@mailprovider.com,roger@domain.top
--cache dir
Use dir as a cache directory for Whois queries.
--cacheExpire i
Specify that cache entries should be used for i seconds. Note that abuseEmail will not delete outdated cache entries.

You could set a cronjob like this to delete any file older than 7 days in the /your/cache/dir/ directory: find /your/cache/dir -mtime +7 -exec rm -f '{}' \; Never run this command as the superuser; you could end up deleting important things!  
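The following is an added example and not part of abuseEmail itself: it reproduces by hand the DNS SOA step that --noUseDNSsoa turns off (the kind of dig(1) query --showCommands would print) and shows how a script can consume --batch output. The dig answer and the batch line are constructed sample data; the zone name, host names and mailboxes are assumptions.

```shell
#!/bin/sh
# Added example, not part of abuseEmail: reproduce the DNS SOA lookup by hand
# and parse --batch output. The dig(1) answer below is constructed sample data.

# The /24 reverse zone for an IPv4 address: 127.123.123.123 -> 123.123.127.in-addr.arpa
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Extract the RNAME (responsible mailbox, 6th field) of the SOA record in dig output,
# skipping dig's ";;" comment lines.
soa_rname_from_dig() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $6; exit }'
}

# Turn an RNAME into a mailbox: strip the trailing dot, the first unescaped dot
# becomes "@", and "\." is an escaped literal dot inside the local part.
soa_rname_to_email() {
    printf '%s\n' "$1" | awk '{
        s = $0; sub(/\.$/, "", s); out = ""; seen_at = 0; n = length(s)
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "\\" && i < n) { out = out substr(s, i + 1, 1); i++ }
            else if (c == "." && !seen_at) { out = out "@"; seen_at = 1 }
            else out = out c
        }
        print out
    }'
}

# Split one --batch line ("ip:addr1,addr2") into one "ip address" pair per line.
batch_to_pairs() {
    awk -F: '{ n = split($2, a, ","); for (i = 1; i <= n; i++) print $1, a[i] }'
}

# Constructed dig answer, as "dig SOA $(reverse_zone 127.123.123.123)" might return
# (hypothetical zone, name server and contact).
SAMPLE_DIG=';; ANSWER SECTION:
123.123.127.in-addr.arpa. 3600 IN SOA ns1.mailprovider.com. hostmaster.mailprovider.com. 2001070601 3600 900 604800 86400'

zone=$(reverse_zone 127.123.123.123)
rname=$(printf '%s\n' "$SAMPLE_DIG" | soa_rname_from_dig)
echo "zone $zone, SOA contact $(soa_rname_to_email "$rname")"
echo '127.123.123.123:abuse@mailprovider.com,roger@domain.top' | batch_to_pairs
```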

EXAMPLES


abuseEmail a.b.c.d
The simplest way to use it. Will give a list of email addresses.
abuseEmail --cache=/tmp/abuseEmailcache --verbose=5 --showCommands a.b.c.d
This is the best way of understanding how abuseEmail works and how to reproduce the results using the regular Unix tools. We are using the /tmp/abuseEmailcache directory as a cache directory.
abuseEmail --noUseHostname --noUseAbuseNet a.b.c.d
This could be used in case you really want to get information about the uplink provider, not the service provider. You could use this in an emergency situation.

In all those examples, a.b.c.d must be replaced by a real IP address.  

DIAGNOSTICS


Error: Please specify a host IP address.
(F) You did not specify an IP address to look up.
Error: This doesn't looks like a numeric IP address.
(F) Specifying a hostname will not work; a numeric IP address is required.
Error: %s is a private IP address (RFC1918). It's a local machine or a spoofed ip, either way, I can't give you any infos on this.
(F) Because of an IP address shortage, the IANA (Internet Assigned Numbers Authority) decided to set aside addresses that can only be used in private networks, not on the public Internet. You asked this program to look up this kind of address; as it is a private address, it is not listed in any directory. You may want to ping this address to see if this comes from a computer using a private address on your local network. It is also possible that the person who tried to connect to your computer sent a spoofed IP packet, that is, an IP packet with an incorrect "from:" tag. There is not much that you can do about this. Sorry.
Error: %s is a reserved IP address. It's very likely to be a spoofed ip, or your network admin/BOFH is on crack, either way, I can't give you any infos on this.
(F) The IP address you specified is reserved for experimental purposes; it is almost impossible that such an IP address is used on the Net. What is very likely is that the person who tried to connect to your computer sent a spoofed IP packet, that is, an IP packet with an incorrect "from:" tag. There is not much that you can do about this. Sorry.
 

REQUIRES

Perl 5.004, Net::DNS, IO::Socket (included with Perl), Getopt::Long (included with Perl), XWhoisIP (included with abuseEmail)  

SEE ALSO

dig(1), whois(1), perl(1), Net::Whois(1)  

BUGS

Yes, there might be some. Please report any you find to guillaume@filion.org  

VERSION

Version 1.1.2, 2001-07-06  

TODO


Better handling of the email addresses, and find out which ones are best.

Dig the contact handles from whois and get email addresses from them.

Add support for rwhois servers (rwhois.arin.net, rwhois.verio.net, rwhois.exodus.net)

Remake everything in a more object oriented way and use XML for data.

Add an option to dig phone numbers.
 

WEBSITE

Visit http://logidac.com/abuseEmail/ for more information and the latest version.  

AUTHOR

Guillaume Filion <guillaume@filion.org>

PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA  

THANKS

Great thanks to:
Russell Fulton who modified Net::XWhois to handle queries on IP addresses.

Philippe Bourcier of cyberabuse.org who provided me a list of 40 000 IPs with their relative abuse email address. Philippe also provided feedback on abuseEmail.


 


This document was created by man2html, using the manual pages.
Time: 00:36:29 GMT, July 07, 2001