
Finding the owners of mail hosts

What we’re doing on this page: Given the IP addresses of spam sources and open relays that we found in analyzing the header, we’re tracking down which organizations control these addresses, and the e-mail abuse contacts for these organizations.

If you’ve analyzed the header of your spam message, you will have found the IP address from which the spam was launched. You may also have found the IP address of an open relay mail host through which the message traveled. Both addresses should be reported to the organizations responsible for them. On this page, we’ll see how to find those reporting contacts using IP-whois lookups.

“Auto-magic” IP-whois

The quickest way to track down the owners of IPs, if you aren’t afraid of command lines, is to use the whois command.

When whois is used to query information about IP addresses, it’s often called IP-whois, even though the command is the same as for domain lookups. With IP-whois, when you supply an IP address as the argument, a classic whois client (such as the one shown here) first queries the IP-whois data at the American Registry for Internet Numbers (ARIN). If the address isn’t registered there (e.g., it is a European or Asian address), ARIN’s reply names the responsible registry’s server in a ReferralServer: line, and your whois client follows it, possibly thence to yet another server. (Newer whois clients keep their own table of which registry holds which address ranges and go straight to the right one, so you may not see the ARIN stage at all.) Eventually, after a few seconds, and if the whois system is feeling well, you will get your answer. Here’s an example using an IP address (81.185.154.193) from which I once received some stock spam:

[G4733:~] rconner% whois 81.185.154.193

 [ARIN finds that the address belongs to RIPE ...]

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2005-07-27

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

 [ ... our whois program goes to the RIPE whois database for the answer...] 

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '81.185.144.0 - 81.185.159.255'

inetnum: 81.185.144.0 - 81.185.159.255
netname: N9UF-DYN-DSL
descr: Dynamic pool
country: FR
admin-c: LD699-RIPE
tech-c: LDC76-RIPE
status: ASSIGNED PA
mnt-by: LDCOM-MNT
source: RIPE # Filtered

role: LDCOM Legal Contact
address: neuf telecom
address: Immeuble Quai Ouest
address: 40-42 Quai du point du jour
address: 92659 Boulogne Billancourt
address: France
fax-no: +33 1 58 63 18 18
admin-c: LD699-RIPE
tech-c: LM5867-RIPE
nic-hdl: LD699-RIPE
abuse-mailbox: abuse@gaoland.net
mnt-by: LDCOM-MNT
source: RIPE # Filtered

role: LDCOM Networks Tech Contact
address: neuf telecom
address: Immeuble Quai Ouest
address: 40-42 Quai du point du jour
address: 92659 Boulogne Billancourt
address: France
fax-no: +33 1 70 18 15 70
admin-c: LM5867-RIPE
tech-c: DG1056-RIPE
nic-hdl: LDC76-RIPE
abuse-mailbox: abuse@gaoland.net
mnt-by: LDCOM-MNT
source: RIPE # Filtered

% Information related to '81.185.0.0/16AS12626'

route: 81.185.0.0/16
descr: 9TELECOM-BLK
origin: AS12626
mnt-by: LDCOM-MNT
source: RIPE # Filtered


This answer came to us in two parts, as it were: ARIN (our starting point) determined that the address was in a block allocated by its European sibling Réseaux IP Européens (RIPE), and so we got handed off to the RIPE IP-whois server, which gave us our answer.

We see that this particular address is part of a /20 block (81.185.144.0 - 81.185.159.255) named N9UF-DYN-DSL and described as a “Dynamic pool”, quite probably addresses handed out to broadband DSL customers of the French ISP Neuf Telecom. Because it is a dynamic customer pool, the machine that sent the spam was most likely a subscriber’s computer rather than anything the ISP runs itself, which is exactly why the ISP’s abuse desk, not the registry, is the right recipient. We have a company name (“neuf telecom”), a postal address, a fax number, and most importantly an abuse contact, abuse@gaoland.net, in the abuse-mailbox: field of both contact objects. This is the address to which we can direct our spam reports regarding 81.185.154.193.

“Manual” IP-whois

Most of the time, IP-whois lookups are just this easy. However, there are occasions on which IP-whois won’t take you all the way to the responsible parties. On these occasions, you’ll need to know how to track down the appropriate regional internet registry (RIR) and query its whois server yourself.

For example, let’s look at 210.116.242.207, the address I found in our example of how to identify spam sources:

[G4733:~] rconner% whois 210.116.242.207

 [ARIN finds APNIC and refers us there ...] 

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

 [APNIC finds KRNIC but doesn't refer us...] 

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.116.0.0 - 210.119.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 19961126
changed: hm-changed@apnic.net 20010606
changed: hm-changed@apnic.net 20040319
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20020507
source: APNIC

Here’s what this output shows us: ARIN determined that the address was in the IP address space belonging to its Asian sibling, the Asia-Pacific Network Information Centre (APNIC), and handed us off to the APNIC IP-whois server. The APNIC server determined that this block was in space allocated to a subordinate national registry, KRNIC (for South Korea), but APNIC did not hand us off to a KRNIC IP-whois server; it merely pointed to KRNIC’s website in its remarks: lines. We therefore have no information here on a specific ISP and no abuse contacts. (We don’t want to send complaints to the KRNIC hostmaster address shown, since a registry generally can’t or won’t do anything about them; APNIC’s own comments above say as much about APNIC.)

In order to find out to whom we need to report, then, we must check with KRNIC ourselves. This can be done at the KRNIC website (http://whois.nic.or.kr/english/index.html) mentioned in the whois output (look for a “whois” search form linked from this site), but since we’re already on the terminal we can do it more quickly by querying KRNIC’s IP-whois host with another whois command. Note the -h option, which tells whois exactly which server to query instead of letting it choose one for you:

[G4733:~] rconner% whois -h whois.nic.or.kr 210.116.242.207

query: 210.116.242.207

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The IPv4 address is allocated and still held by the following ISP, or
its Whois information is not updated after assigned to end-users.

Please see the following ISP contacts for further information
or network abuse.

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : 12F, Hyundai B/D, 646-1, Yeoksam-dong, Gangnam-gu

[ ISP IP Admin Contact Information ]
Name : IP
Phone : +82-2-3415-4330
Fax : +82-2-3415-4939
E-Mail : ip@epnetworks.co.kr

[ ISP IP Tech Contact Information ]
Name : IP
Phone : +82-2-3415-4330
Fax : +82-2-3415-4939
E-mail : ip@epnetworks.co.kr

[ ISP Network Abuse Contact Information ]
Name : Postmaster
Phone : +82-2-3415-4330
Fax : +82-2-3415-4939
E-mail : abuse@epnetworks.co.kr

KOREAN

(Korean-language output snipped)

At last, we have struck pay dirt: the address is allocated to the Korean ISP Enterprise Networks, which lists a dedicated abuse contact, abuse@epnetworks.co.kr, separate from its admin and tech contacts. This is where we can send our spam reports regarding IP address 210.116.242.207.
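
Both the automatic hand-off shown in the “Auto-magic” section above and the manual hop to KRNIC in this section can be scripted. The following Python is an added example, not code from this page or from any registry. It speaks the whois protocol itself instead of shelling out to the whois command, follows ARIN’s ReferralServer: lines the way the client did for 81.185.154.193, and, where a reply stops at a national registry without referring us on, consults a small table of NIR servers. The only entry in that table, KRNIC at whois.nic.or.kr, comes from the output above; keeping such a table by hand is an assumption of the example. The SAMPLE_REPLIES are constructed by trimming the transcripts on this page so that the script runs offline; pass query=whois_query to do live lookups.

```python
"""Follow IP-whois referrals and collect abuse contacts from the replies."""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

WHOIS_PORT = 43

# Registries that never emit a ReferralServer: line, keyed on the netname their
# parent registry reports. The KRNIC entry is from the page; keeping such a
# table by hand is an assumption of this example.
NIR_SERVERS = {"KRNIC-KR": "whois.nic.or.kr"}

def whois_query(server: str, port: int, query: str, timeout: float = 15.0) -> str:
    """Raw RFC 3912 exchange: one line plus CRLF out, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

_REFERRAL = re.compile(r"^ReferralServer:\s*(\w+)://([A-Za-z0-9.-]+)(?::(\d+))?", re.M)
_ABUSE_FIELD = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail)\s*:\s*(\S+)", re.M | re.I)
_ANY_ABUSE = re.compile(r"\babuse@[A-Za-z0-9.-]+", re.I)
_NETNAME = re.compile(r"^netname:\s*(\S+)", re.M | re.I)

def parse_referral(text: str) -> Optional[Tuple[str, int]]:
    """ARIN's hand-off line, e.g. 'ReferralServer: whois://whois.ripe.net:43'.
    rwhois:// referrals speak a different protocol and are not followed."""
    m = _REFERRAL.search(text)
    if not m or m.group(1).lower() != "whois":
        return None
    return m.group(2), int(m.group(3) or WHOIS_PORT)

def parse_nir(text: str) -> Optional[str]:
    """Server for a reply that stops at a known national registry, else None."""
    m = _NETNAME.search(text)
    return NIR_SERVERS.get(m.group(1)) if m else None

def extract_abuse_contacts(text: str) -> List[str]:
    """Explicit abuse fields (RIPE abuse-mailbox:, ARIN OrgAbuseEmail:) first, then
    any abuse@ mailbox anywhere, which catches KRNIC's free-form 'E-mail :' line."""
    found: List[str] = []
    for addr in [m.group(1) for m in _ABUSE_FIELD.finditer(text)] + _ANY_ABUSE.findall(text):
        addr = addr.rstrip(".")
        if addr.lower() not in (a.lower() for a in found):   # dedupe, keep order
            found.append(addr)
    return found

def find_abuse_contacts(ip: str, query: Callable[[str, int, str], str] = whois_query,
                        start: str = "whois.arin.net", max_hops: int = 5) -> Dict[str, list]:
    """Start at ARIN as the page's whois client does, follow referrals, then fall back
    to NIR_SERVERS. Returns the servers consulted and each abuse contact with its source."""
    server, port = start, WHOIS_PORT
    chain: List[str] = []
    contacts: List[Tuple[str, str]] = []
    while len(chain) < max_hops:
        chain.append(server)
        reply = query(server, port, ip)
        contacts += [(server, a) for a in extract_abuse_contacts(reply)]
        nxt = parse_referral(reply)
        if nxt is None:
            nir = parse_nir(reply)
            nxt = (nir, WHOIS_PORT) if nir else None
        if nxt is None or nxt[0] in chain:   # end of the trail, or a referral loop
            break
        server, port = nxt
    return {"chain": chain, "contacts": contacts}

# Constructed sample replies, trimmed from the transcripts on this page, so the
# referral chain can be exercised without network access.
SAMPLE_REPLIES = {
    ("whois.arin.net", "81.185.154.193"):
        "OrgName: RIPE Network Coordination Centre\nReferralServer: whois://whois.ripe.net:43\n"
        "NetRange: 81.0.0.0 - 81.255.255.255\nNetType: Allocated to RIPE NCC\n",
    ("whois.ripe.net", "81.185.154.193"):
        "inetnum: 81.185.144.0 - 81.185.159.255\nnetname: N9UF-DYN-DSL\ncountry: FR\n"
        "role: LDCOM Legal Contact\nabuse-mailbox: abuse@gaoland.net\n",
    ("whois.arin.net", "210.116.242.207"):
        "OrgName: Asia Pacific Network Information Centre\nReferralServer: whois://whois.apnic.net\n"
        "NetRange: 210.0.0.0 - 211.255.255.255\nNetType: Allocated to APNIC\n",
    ("whois.apnic.net", "210.116.242.207"):
        "inetnum: 210.116.0.0 - 210.119.255.255\nnetname: KRNIC-KR\ncountry: KR\n"
        "person: Host Master\ne-mail: hostmaster@nic.or.kr\n",
    ("whois.nic.or.kr", "210.116.242.207"):
        "[ ISP Organization Information ]\nOrg Name : Enterprise Networks\n"
        "[ ISP Network Abuse Contact Information ]\nE-mail : abuse@epnetworks.co.kr\n",
}

def canned_query(server: str, port: int, query: str) -> str:
    """Offline stand-in for whois_query, answering from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES.get((server, query), "")

if __name__ == "__main__":
    for ip in ("81.185.154.193", "210.116.242.207"):
        result = find_abuse_contacts(ip, query=canned_query)   # query=whois_query goes live
        print(ip, "via", " -> ".join(result["chain"]), "->", result["contacts"])
```

The contacts come back tagged with the server that reported them, which matters for the judgement the rest of this page is about: a mailbox found at a registry hop (the hostmaster@nic.or.kr address in APNIC’s reply, which is not an abuse@ address and so is not collected) is not the same thing as one found at the ISP.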

Going upstream

When you look up contact info for spam sources, be aware that you might be looking at contact info for the spammers themselves. It isn’t a good idea to report to such addresses: not only will the spammers do nothing to stop their activities, they may also record that your e-mail address is “live” and can be targeted with further spamming (or worse, they could use your information for “joe-jobbing” or other forms of harassment). Therefore, you will want to know how to find the “upstream” information for addresses that appear to be directly owned by spammers.

Here’s a brief example involving 63.243.148.247, an address from which I once got a lot of spam.

[G4733:~] rconner% whois 63.243.148.247
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

This gave us rather scant information: just ARIN’s summary listing of the two net blocks that contain the address, with no contact details. So I’m going to try again, this time digging a bit deeper using the handy service at whois.completewhois.com, a third-party server that re-queries ARIN for each block it finds (you could do the same by hand by querying each NET- handle directly at whois.arin.net):

[G4733:~] rconner% whois -h whois.completewhois.com 63.243.148.247
Completewhois.Com Whois Server, Version 0.91a28, compiled on Sep 03, 2005
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only
if you follow our policies at http://www.completewhois.com/policies.htm

[IPv4 whois information for 63.243.148.247 ]
[whois.arin.net]
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[whois.arin.net]

OrgName: Teleglobe Inc.
OrgID: GLBE
Address: 1441 Carrie-Derick
City: Montreal
StateProv: QC
PostalCode: H3C-4S9
Country: CA

NetRange: 63.243.128.0 - 63.243.255.255
CIDR: 63.243.128.0/17
NetName: TELEGLOBE-3BLK
NetHandle: NET-63-243-128-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: CASTOR.TELEGLOBE.NET
NameServer: POLLUX.TELEGLOBE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-17
Updated: 2002-07-30

RTechHandle: ZT129-ARIN
RTechName: IP Admin
RTechPhone: +1-514-868-8308
RTechEmail: ip-addr@teleglobe.ca

OrgTechHandle: ZT129-ARIN
OrgTechName: IP Admin
OrgTechPhone: +1-514-868-8308
OrgTechEmail: ip-addr@teleglobe.ca

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[whois.arin.net]
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
[whois.arin.net]

OrgName: MailCompanyX, Inc
OrgID: MAILC-1
Address: 1200 W 7th Street
Address: Suite L1-100
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 63.243.148.0 - 63.243.148.255
CIDR: 63.243.148.0/24
NetName: MAILCOMPANYX-TGB
NetHandle: NET-63-243-148-0-1
Parent: NET-63-243-128-0-1
NetType: Reassigned
NameServer: NS1.HOSTNETCA.COM
NameServer: NS2.HOSTNETCA.COM
Comment: MailCompanyX Fax 702-933-4382
RegDate: 2005-04-22
Updated: 2005-05-02

RTechHandle: ATH18-ARIN
RTechName: Thomas, Albert
RTechPhone: +1-702-933-4382
RTechEmail: athomas@mailcompanyx.com

OrgTechHandle: ATH18-ARIN
OrgTechName: Thomas, Albert
OrgTechPhone: +1-702-933-4382
OrgTechEmail: athomas@mailcompanyx.com

# ARIN WHOIS database, last updated 2005-12-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Here, whois.completewhois.com followed up with more detailed queries to ARIN on each of the two net blocks named. We have a bit more info now, including a couple of e-mail addresses, but no specific abuse contacts. As it happens, however, I know that MailCompanyX is a spam outfit that controls its own address block, which it uses both to send mail and to host websites. It would not be a good idea to send abuse complaints to anyone at MailCompanyX. Instead, we want to find who sold them the block.

The answer to this question can actually be found in our original IP-whois lookup: the MAILCOMPANYX-TGB net block (63.243.148.0/24) fits completely within the TELEGLOBE-3BLK block (63.243.128.0/17), so we can conclude that Teleglobe is the upstream provider. The detailed record confirms it: MailCompanyX’s block has NetType: Reassigned and Parent: NET-63-243-128-0-1, which is Teleglobe’s net handle.
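
The containment test just described can be done mechanically. The following Python is an added example, not code from this page or from ARIN: it parses ARIN’s summary listing (the two-line-per-block form returned for 63.243.148.247 above) into blocks, sorts the blocks that contain the address from most to least specific, reports the direct holder and its upstream, and cross-checks the result against the Parent: field of the detailed record. The sample listing and record are trimmed from the transcripts on this page so it runs offline.

```python
"""Find the upstream of a net block from ARIN's summary listing."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

class Block(NamedTuple):
    org: str
    netname: str
    handle: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last

    def cidrs(self) -> List[str]:
        """A range need not align to one prefix, so this can return several."""
        return [str(n) for n in ipaddress.summarize_address_range(self.first, self.last)]

# Summary listing: "Org NETNAME (NET-handle)" then "first - last" on the next line.
_HEAD = re.compile(r"^(?P<org>.+?)\s+(?P<netname>[A-Z0-9-]+)\s+\((?P<handle>NET-[0-9-]+)\)\s*$")
_RANGE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")
_PARENT = re.compile(r"^Parent:\s*(NET-[0-9-]+)", re.M)

def parse_listing(text: str) -> List[Block]:
    """Parse ARIN's summary output, skipping blank and '#' comment lines."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    blocks: List[Block] = []
    i = 0
    while i + 1 < len(lines):
        head, rng = _HEAD.match(lines[i]), _RANGE.match(lines[i + 1])
        if head and rng:
            blocks.append(Block(head["org"].strip(), head["netname"], head["handle"],
                                ipaddress.IPv4Address(rng.group(1)),
                                ipaddress.IPv4Address(rng.group(2))))
            i += 2
        else:
            i += 1
    return blocks

def containing_chain(blocks: List[Block], ip: str) -> List[Block]:
    """Every block holding ip, most specific (smallest) first."""
    addr = ipaddress.IPv4Address(ip)
    return sorted((b for b in blocks if b.contains(addr)),
                  key=lambda b: int(b.last) - int(b.first))

def holder_and_upstream(blocks: List[Block], ip: str) -> Tuple[Optional[Block], Optional[Block]]:
    """The block ip is directly assigned to and, when the listing shows one, the
    enclosing block it was carved from, i.e. the upstream provider."""
    chain = containing_chain(blocks, ip)
    holder = chain[0] if chain else None
    upstream = chain[1] if len(chain) > 1 else None
    return holder, upstream

def parent_handle(record: str) -> Optional[str]:
    """The Parent: handle of a detailed ARIN record, a second opinion on the upstream."""
    m = _PARENT.search(record)
    return m.group(1) if m else None

# Constructed sample input, trimmed from this page's lookups of 63.243.148.247.
SAMPLE_LISTING = """\
Teleglobe Inc. TELEGLOBE-3BLK (NET-63-243-128-0-1)
63.243.128.0 - 63.243.255.255
MailCompanyX, Inc MAILCOMPANYX-TGB (NET-63-243-148-0-1)
63.243.148.0 - 63.243.148.255

# ARIN WHOIS database, last updated 2005-12-08 19:10
"""
SAMPLE_RECORD = """\
NetRange: 63.243.148.0 - 63.243.148.255
NetName: MAILCOMPANYX-TGB
NetHandle: NET-63-243-148-0-1
Parent: NET-63-243-128-0-1
NetType: Reassigned
"""

if __name__ == "__main__":
    blocks = parse_listing(SAMPLE_LISTING)
    holder, upstream = holder_and_upstream(blocks, "63.243.148.247")
    print("holder:  ", holder.org, holder.cidrs())
    print("upstream:", upstream.org, upstream.cidrs())
    print("Parent: field agrees:", parent_handle(SAMPLE_RECORD) == upstream.handle)
```

An address that falls only in the larger block (say 63.243.200.1) comes back with Teleglobe as the holder and no upstream in the listing, which is the signal that the block is a direct allocation and the next step up would be the registry itself rather than a provider.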

Whom to contact at Teleglobe? Since we didn’t find a specific abuse contact anywhere in the above lookups, we can try a specialized lookup for abuse contacts at whois.abuse.net, which is queried by domain name rather than by IP address:

[G4733:~] rconner% whois -h whois.abuse.net teleglobe.net
abuse@Teleglobe.net (for teleglobe.net)

We have an address that was put there by Teleglobe, at any rate — but should we use it? That’s a question we need to think about for a bit.

The only reason why we would look up an upstream provider and file a report with them is that we expect them to do something about the problem. If they don’t do anything, or (worse) if they pass our complaints on to their spamming customers, then the whole exercise becomes a waste of time.

In this case, since Teleglobe has taken no action against MailCompanyX despite what must be thousands of spam complaints (dozens from me alone), I have to conclude that it would be pointless (or worse) to send a direct complaint to them. Instead, I might use SpamCop to file “blind” reports, in which Teleglobe can’t see my actual e-mail address.





(c) 2003-2008, Richard C. Conner ( )


Updated: Sat, 14 Jun 2008