ABUSEEMAIL
Section: User Contributed Perl Documentation (1)
Updated: perl 5.006
NAME
abuseEmail - Finds out abuse email addresses for a specified IP address
SYNOPSIS
abuseEmail [OPTIONS] ip-address
DESCRIPTION
abuseEmail receives an IP address and tries to find out, using its
internal whois and DNS clients, what is the responsible party's email
address.
OPTIONS
--verbose i
    Set verbosity level to i. The verbosity levels are:
    0: silent, only output the result
    1: same as 0 but also output fatal errors (default)
    2: same as 1 but also output non-fatal errors
    5: the script explains every action it takes. Set to 5 if you want to understand how abuseEmail works.
--noUseHostname
    Don't use the hostname to guess addresses. Depending on the severity of the attack, you may want to try
    some simple guesses at abuse email addresses. For example, if you've just been portscanned by host.provider.com,
    writing to abuse@provider.com is a good idea. If you're being DoSed by an attacker, you may want to bypass the service provider and
    email their uplink provider directly.
--noUseAbuseNet
    abuseEmail can pass every email address it finds through the abuse.net whois service. For most domains, this finds the
    right email address to report your problem to. As with --noUseHostname, you may want to deactivate this if you're reporting
    an urgent problem.
--noUseDNSsoa
    Don't try to dig the IP subnet manager's email address out of the DNS SOA record. You may want to deactivate this if you're reporting
    something that is not urgent.
--noUseWhoisIP
    Don't query Whois for the IP address. This is really here for uniformity, since you will almost always want to use Whois.
--showCommands
    This is for educational use only. 8) It shows the Unix equivalent command for every query made. That way, you can
    reproduce the technique used by abuseEmail.
--batch
    Outputs the result in a way that is easier to parse in a script. The output looks like: 127.123.123.123:abuse@mailprovider.com,roger@domain.top
--cache dir
    Use dir as a cache directory for Whois queries.
--cacheExpire i
    Specify that cache entries should be used for i seconds. Note that abuseEmail will not delete outdated cache entries.
    You could set up a cron job like this to delete any file older than 7 days in the /your/cache/dir/ directory: find /your/cache/dir -type f -mtime +7 -exec rm -f '{}' \;
    Never run this command as the superuser, you could end up deleting important things!
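The hostname guess (--noUseHostname), the DNS SOA step (--noUseDNSsoa) and the --batch format described above, as an added Python example. This is not abuseEmail's own code (the script is Perl); the DNS answers are constructed strings standing in for `dig -x` and `dig SOA` output, the abuse.net whois step needs the network and is left out, and two details are assumptions: that the subnet's SOA is found by walking up the in-addr.arpa tree one label at a time, and that the provider's domain is simply the last two labels of the hostname.

```python
"""Offline sketch of the guesses abuseEmail makes from reverse DNS data.

Added illustration, not abuseEmail's own code. DNS answers are passed in as
constructed strings; the abuse.net whois lookup is not simulated.
"""
from __future__ import annotations


def reverse_name(ip: str) -> str:
    """Name used for the reverse lookup: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def reverse_zone_candidates(ip: str) -> list[str]:
    """Zones to ask for an SOA, from the host's own name up to the /8.

    Assumption: the subnet's delegation is found by walking up one label at a
    time until some zone answers with an SOA record.
    """
    octets = list(reversed(ip.split(".")))
    return [".".join(octets[i:]) + ".in-addr.arpa" for i in range(len(octets))]


def soa_rname_to_email(rname: str) -> str:
    """SOA RNAME -> mailbox: hostmaster.example.net. -> hostmaster@example.net.

    RFC 1035 writes the mailbox's '@' as the first unescaped dot; a literal dot
    in the local part appears as a backslash-escaped dot.
    """
    rname = rname.rstrip(".")
    local: list[str] = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                            # first unescaped dot is the '@'
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:]
    if not local or not domain:
        raise ValueError(f"not a mailbox RNAME: {rname!r}")
    return "".join(local) + "@" + domain


def guess_from_hostname(hostname: str, labels: int = 2) -> list[str]:
    """host.provider.com -> ['abuse@provider.com'] (the step --noUseHostname disables).

    Simplification (assumption): the provider's domain is the last `labels`
    labels; hostnames under country-code second-level domains need more care.
    """
    parts = hostname.rstrip(".").lower().split(".")
    if len(parts) < labels:
        return []
    return ["abuse@" + ".".join(parts[-labels:])]


def collect(ip: str, ptr_hostname: str | None, soa_rname: str | None,
            use_hostname: bool = True, use_soa: bool = True) -> list[str]:
    """Gather addresses in the order the options control, without duplicates."""
    found: list[str] = []
    if use_hostname and ptr_hostname:
        found.extend(guess_from_hostname(ptr_hostname))
    if use_soa and soa_rname:
        found.append(soa_rname_to_email(soa_rname))
    return list(dict.fromkeys(found))            # dedupe, keep first occurrence


def batch_line(ip: str, emails: list[str]) -> str:
    """Render one --batch line: ip:addr1,addr2"""
    return f"{ip}:{','.join(emails)}"


def parse_batch_line(line: str) -> tuple[str, list[str]]:
    """Split a --batch line back into (ip, [addresses])."""
    ip, _, rest = line.strip().partition(":")
    return ip, [e for e in rest.split(",") if e]


if __name__ == "__main__":
    # Constructed answers standing in for the PTR and SOA queries.
    ip = "192.0.2.10"
    ptr = "host.provider.example."
    rname = "hostmaster.provider.example."
    print(reverse_name(ip), reverse_zone_candidates(ip))
    print(batch_line(ip, collect(ip, ptr, rname)))
```

With --showCommands the script prints the equivalent `dig` and `whois` invocations; the names produced by reverse_name and reverse_zone_candidates are what those queries ask for.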
EXAMPLES
abuseEmail a.b.c.d
    The simplest way to use it. Gives a list of email addresses.
abuseEmail --cache=/tmp/abuseEmailcache --verbose=5 --showCommands a.b.c.d
    This is the best way to understand how abuseEmail works and how to reproduce the results using
    the regular Unix tools. The /tmp/abuseEmailcache directory is used as the cache directory. Since the cached Whois
    replies are reused as answers, prefer a directory only your own user can write to over a shared /tmp path.
abuseEmail --noUseHostname --noUseAbuseNet a.b.c.d
    Use this when you really want information about the uplink provider, not the service provider, for example
    in an emergency.
In all these examples, a.b.c.d must be replaced by a real IP address.
DIAGNOSTICS
Error: Please specify a host IP address.
    (F) You did not specify an IP address to look up.
Error: This doesn't looks like a numeric IP address.
    (F) Specifying a hostname will not work; a numeric IP address is required.
Error: %s is a private IP address (RFC1918). It's a local machine or a spoofed ip, either way, I can't give you any infos on this.
    (F) Because of the IP address shortage, the IANA (Internet Assigned Numbers Authority)
    set aside address ranges that may only be used in private networks, never on the
    public Internet (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). You asked this program to look up
    such an address; since it is private, it is not listed in any directory. You may want to ping
    the address to see whether it belongs to a computer using a private address on your local network. It is
    also possible that the person who tried to connect to your computer sent a spoofed IP
    packet, that is, an IP packet with a forged source address. There is not much
    that you can do about this. Sorry.
Error: %s is a reserved IP address. It's very likely to be a spoofed ip, or your network admin/BOFH is on crack, either way, I can't give you any infos on this.
    (F) The IP address you specified is reserved for experimental purposes; it is
    almost impossible that such an address is in use on the Net. Most likely
    the person who tried to connect to your computer sent a spoofed IP packet, that is,
    an IP packet with a forged source address. There is not much that you can do about
    this. Sorry.
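The argument checks the DIAGNOSTICS above describe, as an added Python example that runs before any Whois or DNS traffic. This is not the script's own code; it assumes "private" means the three RFC 1918 blocks and "reserved for experimental purposes" means the former class E block 240.0.0.0/4 (which also contains the limited broadcast address 255.255.255.255). The classification is returned as data rather than as the script's message strings so a caller can act on it.

```python
"""Added example: classify the command-line target before doing any lookup.

Not abuseEmail's own code. Assumptions: RFC 1918 blocks for "private",
240.0.0.0/4 for "reserved ... experimental".
"""
from __future__ import annotations

import ipaddress

RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
EXPERIMENTAL = (ipaddress.ip_network("240.0.0.0/4"),)   # assumption, see above


def check_target(arg: str | None) -> tuple[str, str]:
    """Return (status, detail).

    ('missing', '')               no argument given
    ('not_numeric', arg)          a hostname, IPv6 or malformed text was given
    ('private', network)          RFC 1918 address; lookup is pointless
    ('reserved', network)         experimental block; almost certainly spoofed
    ('ok', address)               safe to hand to the whois/DNS steps
    """
    if not arg:
        return "missing", ""
    try:
        addr = ipaddress.IPv4Address(arg)   # rejects names, IPv6 and short forms such as 10.1
    except ValueError:
        return "not_numeric", arg
    for net in RFC1918:
        if addr in net:
            return "private", str(net)
    for net in EXPERIMENTAL:
        if addr in net:
            return "reserved", str(net)
    return "ok", str(addr)


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.168.1.20", "240.0.0.1", "host.example.com", ""):
        print(repr(candidate), "->", check_target(candidate))
```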
REQUIRES
Perl 5.004, Net::DNS, IO::Socket (included with Perl), Getopt::Long (included with Perl), XWhoisIP (included with abuseEmail)
SEE ALSO
dig(1), whois(1), perl(1), Net::Whois(1)
BUGS
Yes, there might be some. Please report any you find to guillaume@filion.org
VERSION
Version 1.1.2, 2001-07-06
TODO
- Better handling of the email addresses, and find out which ones are best.
- Dig the contact handles from whois and get email addresses from them.
- Add support for rwhois servers (rwhois.arin.net, rwhois.verio.net, rwhois.exodus.net)
- Remake everything in a more object oriented way and use XML for data.
- Add an option to dig phone numbers.
WEBSITE
Visit http://logidac.com/abuseEmail/ for more information and the latest version.
AUTHOR
Guillaume Filion <guillaume@filion.org>
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
THANKS
Great thanks to:
- Russell Fulton, who modified Net::XWhois to handle queries on IP addresses.
- Philippe Bourcier of cyberabuse.org, who provided me with a list of 40 000 IPs and their corresponding abuse email addresses. Philippe also provided feedback on abuseEmail.
This document was created by man2html, using the manual pages.
Time: 00:36:29 GMT, July 07, 2001