ABUSEEMAIL

Section: User Contributed Perl Documentation (1)
Updated: perl 5.005, patch 03
Index Return to Main Contents
 

NAME

abuseEmail - Finds out abuse email addresses for a specified IP address  

SYNOPSIS

abuseEmail [OPTIONS] ip-address  

DESCRIPTION

abuseEmail receives an IP address and tries to find out, using its internal whois and DNS clients, what is the responsible party's email address.  

OPTIONS


--verbose i
Set verbosity level to i. The verbosity levels are: 0: silent, only output the result 1: same as 0 but also output fatal errors (default) 2: same as 1 but also output non-fatal errors 5: The script will explain every action it makes. Set to 5 if you want to understand how abuseEmail works.
--noUseHostname
Don't the hostname to guess some addresses. Depending on the severity of the attack, you may want to try some simple guesses at abuse email addresses. For example, if you've just been portscanned by host.provider.com, writing to abuse@provider.com is a good idea. If you're being DoSed by an attacker, you may bypass the service provider and email directly to their uplink provider.
--UseAbuseNet
abuseEmail can passe all emails it founds into abuse.net whois service. For most domains, this founds the right email address to report your problem. As for noUseHostname, you may want to desactivate this if you're reporting an urgent problem.
--noUseDNSsoa
Don't try to dig the IP subnet's manager email address using DNS SOA. You may want to desactivate this if you're reporting something that is not urgent.
--noUseWhoisIP
Don't use Whois to get IP addresses. This is really here for uniformity, since you almost always will want to use Whois.
--showCommands
This is for educationnal use only. 8) This will show the unix equivalent command for every query made. That way, you can reproduce the technique used by abuseEmail.
--batch
Outputs the result in a way that is easier to parse in a script. The output will look like: 127.123.123.123:abuse@mailprovider.com,roger@domain.top
 

EXAMPLES


abuseEmail a.b.c.d
The simplest way to use it. Will give a list of email addresses.
abuseEmail --verbose=5 --showCommands a.b.c.d
This is the best way of understanding how abuseEmail works and how to reproduce the results using the regular Unix tools.
abuseEmail --noUseHostname --noUseAbuseNet a.b.c.d
This could be used in case you really want to get infos about the uplink provided, not the service provider. You could use this in an emergency situation.

In all those examples, a.b.c.d must be replaced by a real IP address.  

DIAGNOSTICS


Error: Please specify a host IP address.
(F) You did not specified an IP address to lookup.
Error: This doesn't looks like a numeric IP address.
(F) Specifing an hostname will not work, a numeric IP address is required.
Error: %s is a private IP address (RFC1918). It's a local machine or a spoofed ip, either way, I can't give you any infos on this.
(F) Because of an IP address shortage, the IANA (Internet Assigned Numbers Authority), decided to specify addresses that could only be used in private networks, not on the public Internet. You asked this program to lookup this kind of address, as it is a private address, it is not listed in any directory. You may want to ping this address to see if this come from a computer using a private address on your local network. It is also possible that the person who tried to connect to your computer sent a spoofed ip packet, that is, sending an ip packet with an incorrect ``from:'' tag. There is not much that you can do about this. Sorry.
Error: %s is a reserved IP address. It's very likely to be a spoofed ip, or your network admin/BOFH is on crack, either way, I can't give you any infos on this.
(F) The IP address you specified is a reserved address for experimental purposes; it is almost impossible that such an IP address is used on the Net. What is very likely is that the person who tried to connect to your computer sent a spoofed ip packet, that is, sending an ip packet with an incorrect ``from:'' tag. There is not much that you can do about this. Sorry.
 

REQUIRES

Perl 5.004, Net::DNS, IO::Socket (included with Perl), Getopt::Long (included with Perl), XWhoisIP (included with abuseEmail)  

SEE ALSO

dig(1), whois(1), perl(1), Net::Whois(1)  

BUGS

Yes, there might be some. Please report any one you find to guillaume@filion.org  

VERSION

Version 1.1, 2001-06-27  

TODO


Better handling of the email addresses, and find out which one are best.

Remake everything in a more object oriented way and use XML for data.

Add an option to dig phone numbers.
 

WEBSITE

Visit http://logidac.com/abuseEmail/ for more infos and the lastest version.  

AUTHOR

Guillaume Filion <guillaume@filion.org>

PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA  

THANKS

Great thanks to:
Russell Fulton who modified Net::XWhois to handle queries on IP addresses.

Philippe Bourcier of cyberabuse.org who provided me a list of 40 000 IPs with their relative abuse email address. Philippe also provided feedback on abuseEmail.


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
EXAMPLES
DIAGNOSTICS
REQUIRES
SEE ALSO
BUGS
VERSION
TODO
WEBSITE
AUTHOR
THANKS

This document was created by man2html, using the manual pages.
Time: 22:23:56 GMT, June 27, 2001