[Dshield] Fightback email addresses?

Johannes Ullrich jullrich at euclidian.com
Wed Jun 11 14:21:45 GMT 2003

On Wed, 2003-06-11 at 09:38, Richard Roy wrote:
> Yeah, I agree, perhaps an override for our own domain?  Somehow though
> Dshield would have to verify we are indeed responsible for the domain/ip
> block in order to avoid more errors.  Anyone else agree?

By default, we use 'whois' to look up contacts. The data is cached, so
it can happen that we are using an outdated record.

However, we frequently adjust these based on feedback we get from
ISPs. There is also a small team of helpers to help with this.

Overall, there is no 'standard'. Not even a requirement to have an
abuse contact at all. Common methods are:

- whois (what we are doing), which is improving, e.g. ARIN added a
special abuse contact field (it is optional)
- abuse at domain, works if the IP reverse resolves. I am not using this
as in some cases, the reverse resolution is being messed with.
- AS contact lookups. This should work quite well, but I still have to
look at the details.
- abuse.net. may as well use abuse at domain.

and so on ... like some people say there are enough standards to choose
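
The whois-based lookup discussed in the message above (cached records, an optional dedicated abuse field, manual corrections from ISP feedback), sketched as an added example; it is not DShield's code and not part of the original post. The field names follow common ARIN/RIPE whois output, while the override table, the 30-day cache limit and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed whois-style records (documentation address space, not registry data).
SAMPLE_WHOIS = """\
OrgName:        Example Networks
NetRange:       192.0.2.0 - 192.0.2.255
OrgTechEmail:   noc@example.net
OrgAbuseEmail:  abuse@example.net
"""
SAMPLE_NO_ABUSE = """\
inetnum:        198.51.100.0 - 198.51.100.255
e-mail:         hostmaster@example.org
"""

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Preference order: dedicated abuse fields first, then generic contacts.
FIELD_PRIORITY = ("orgabuseemail", "abuse-mailbox", "orgtechemail", "e-mail")

def parse_contacts(whois_text):
    """Map lower-cased field name -> list of e-mail addresses in that field."""
    found = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.startswith(("%", "#")):  # skip comments and free text
            continue
        emails = EMAIL.findall(value)
        if emails:
            found.setdefault(key.strip().lower(), []).extend(emails)
    return found

def pick_abuse_contact(whois_text, overrides=None, netblock=None):
    """Return (address, source). A verified manual override beats whois data."""
    if overrides and netblock in overrides:
        return overrides[netblock], "override"
    contacts = parse_contacts(whois_text)
    for field in FIELD_PRIORITY:
        if field in contacts:
            return contacts[field][0], field
    return None, "none"  # the abuse field is optional, so this case is normal

def is_stale(fetched_at, now, max_age=timedelta(days=30)):
    """True when a cached whois record is old enough to be fetched again."""
    return now - fetched_at > max_age
```

Returning the source field alongside the address lets the sender tell a dedicated abuse mailbox apart from a generic contact that was only a fallback.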
