From owner-freebsd-questions@FreeBSD.ORG Tue May 18 16:12:16 2004
From: "JJB"
Reply-To: Barbish3@adelphia.net
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 18 May 2004 18:04:20 -0400
Subject: reporting port scanning abuse based on whois

My ipfilter firewall is blocking 35 to 150 port scan packets per minute coming from all over the world. I have a dynamic IP address assigned by my ISP, so I know the senders are scanning a whole subnet range of IP addresses for the ports they are interested in. I have to pay for this background packet noise in bandwidth usage surcharges. I decided to research and try to build a process to report this abuse to the ISPs who own the source IP addresses that are scanning the whole subnet ranges of IP addresses I belong to.
I pieced together a perl script from many other sources that reads the ipfilter ipmon log, creating a structured file with the source and target IP addresses padded with zeros to sort the source IP addresses into sequence. Then I read the sorted file, do a whois lookup on the source IP address, and scan the whois output for an abuse@ domain name, building an email including the log records as evidence, and send it. This process only found an abuse@ email address for about 30% of the abusive port scan traffic being blocked. Manually doing whois on some of the remainder, I see many different abuse-reporting email addresses. I guess abuse@ is not a standard naming convention.

Am I going about this the correct way, or is there some other way I should be doing this? Is whois ip addr the only way to find the owner of the IP address block? Do any of the readers of this list have a perl script that does something like what I am trying to do, that they would share, or exchange in return for receiving a copy of mine?

I am thinking about changing the way I search the whois output for abuse@, to scanning the output one position at a time for @, then parsing left and right of it to the first blank to capture the email address, then saving it in a table and continuing with the scan looking for another email address. Then interrogate the harvested email addresses in the table for abuse, spam, tech or webmaster to choose the best email address to send my abuse report to. The problem is my perl coding ability is not sufficient to accomplish this. A sample scan routine sure would go a long way in enabling me to understand the coding technique so I could modify it to my purposes.

Any comments or coding help sure would be helpful. Thanks
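The scan routine the post asks for, written here as an added example (it is not the poster's script and not part of the original thread). It parses ipmon block records, groups them by source address, sorts the addresses numerically instead of zero-padding the text, and harvests every e-mail address from a block of whois output with a regular expression, ranking them abuse, spam, security, tech, webmaster. The ipmon lines and the whois text are constructed samples embedded in the script so it runs offline; the ipmon field layout and the whois field names are assumptions, and only IPv4 is handled.

```perl
#!/usr/bin/perl
# Added example, not the poster's script: group ipmon block records by source
# address and choose the best abuse contact from whois output text.
use strict;
use warnings;

# Constructed sample ipmon lines (assumed "ipmon -o I" layout; 'b' = blocked, 'p' = passed).
my @ipmon_lines = (
    '18/05/2004 17:55:01.123456 fxp0 @0:9 b 192.0.2.10,4321 -> 203.0.113.5,135 PR tcp len 20 48 -S IN',
    '18/05/2004 17:55:02.222222 fxp0 @0:9 b 198.51.100.7,51000 -> 203.0.113.5,445 PR tcp len 20 48 -S IN',
    '18/05/2004 17:55:03.333333 fxp0 @0:9 b 192.0.2.10,4322 -> 203.0.113.5,139 PR tcp len 20 48 -S IN',
    '18/05/2004 17:55:04.444444 fxp0 @0:2 p 203.0.113.9,53 -> 203.0.113.5,1025 PR udp len 20 80 IN',
);

# Constructed sample whois output (stands in for `whois <ip>`; field names are assumptions).
my $sample_whois = <<'END';
OrgName:        Example Networks (constructed sample)
OrgTechEmail:   noc-tech@example.net
OrgAbuseEmail:  abuse@example.net
RTechEmail:     hostmaster@example.net
END

# Parse one ipmon line. Returns (src_ip, src_port, dst_ip, dst_port) for a
# blocked packet, or the empty list for anything else (passed packets, junk).
sub parse_ipmon {
    my ($line) = @_;
    return () unless $line =~ m{
        ^\S+\s+\S+\s+\S+\s+\@\d+:\d+\s+b\s+   # date time iface @group:rule 'b'
        (\d+\.\d+\.\d+\.\d+),(\d+)\s+->\s+    # source ip,port
        (\d+\.\d+\.\d+\.\d+),(\d+)            # destination ip,port
    }x;
    return ($1, $2, $3, $4);
}

# Numeric sort key for a dotted quad, so 10.0.0.2 sorts before 10.0.0.10
# without zero-padding the text.
sub ip_key {
    my @o = split /\./, shift;
    return (($o[0] * 256 + $o[1]) * 256 + $o[2]) * 256 + $o[3];
}

# Group the raw blocked lines by source address (the lines are the evidence
# that goes into the report).
sub group_by_source {
    my %by_src;
    for my $line (@_) {
        my ($src) = parse_ipmon($line) or next;
        push @{ $by_src{$src} }, $line;
    }
    return \%by_src;
}

# Preference order for the local part of a harvested address; lower is better.
my %rank = (abuse => 0, spam => 1, security => 2, tech => 3, webmaster => 4);

sub score {
    my ($addr) = @_;
    my ($local) = split /@/, lc $addr;
    for my $k (sort { $rank{$a} <=> $rank{$b} } keys %rank) {
        return $rank{$k} if $local =~ /\Q$k\E/;
    }
    return 99;    # unknown role, last resort
}

# Harvest every e-mail address from whois text (replaces the "scan for @ and
# walk to the nearest blanks" idea with one regex), drop duplicates, and
# return the best-ranked one, or undef if none was found.
sub best_contact {
    my ($whois_text) = @_;
    my %seen;
    my @addrs = grep { !$seen{$_}++ } ($whois_text =~ /([\w.+-]+@[\w-]+(?:\.[\w-]+)+)/g);
    return undef unless @addrs;
    my @ranked = sort { score($a) <=> score($b) } @addrs;
    return $ranked[0];
}

my $by_src = group_by_source(@ipmon_lines);
for my $src (sort { ip_key($a) <=> ip_key($b) } keys %$by_src) {
    # Live use would run: open(my $fh, '-|', 'whois', $src) and slurp $fh.
    # The list form of open avoids passing the address through a shell;
    # here the constructed sample stands in for the real lookup.
    my $contact = best_contact($sample_whois) || 'no contact address found';
    printf "%-15s %2d blocked packets -> report to %s\n",
        $src, scalar @{ $by_src->{$src} }, $contact;
}
```

The regex in best_contact catches addresses regardless of which registry's field name carries them (OrgAbuseEmail, abuse-mailbox, e-mail, and so on), which is what the poster's abuse@ string match was missing; the ranking then decides among them. The passed-packet line is dropped by parse_ipmon, so only blocked traffic ends up in the per-source evidence lists.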