Abuse-contact look-ups

The right decision whom to contact about a specific incident is vital to get the incident resolved as quick as possible. Different types of events may required different abuse-contact to be selected. For example, issues about a device, e.g. a vulnerability in the operating system or an application, is better sent to the hoster which can inform the server administrator. For website-related issues, like defacements or phishing, the domain owner (maintaining the content of the website) could be the better and more direct contact. Additionally, different CERT’s have different approaches and different contact databases. Multiple information sources have different information, and some sources are more accurate than others. IntelMQ can query multiple sources of abuse-contacts and combine them. Internal databases, like a Constituency Portal (see ecosystem) provide high-quality and first-hand contact information. The RIPE document Sources of Abuse Contact Information for Abuse Handlers contains a good summary of the complex of themes.

Sources for abuse-contacts

All these bots add the queried contacts to the IntelMQ events in the field source.abuse_contact if not state otherwise in the documentation.

Sources for domain-based abuse-contacts

These bots are suitable for domain-based abuse-contact look-ups.

• RDAP expert queries private and public RDAP servers for source.fqdn and add the contact information to the event as source.abuse_contact.

• Trusted Introducer Lookup Expert expert queries a locally cached Trusted Introducer team directory for the TLD or domain (first match) of source.fqdn.

Sources for IP address-based abuse-contacts

These bots are suitable for IP address- and ASN-based abuse-contact look-ups.

• Abusix expert queries the online Abusix service.

• DO Portal Expert Bot expert queries an instance of the do-portal software (deprecated).

• Tuency expert queries an instance of the tuency Constituency Portal for the IP address. The Portal also takes into account any notification rules, which are saved additionally in the event.

• RIPE expert queries the online RIPE database for IP-Address and AS contacts.

• Trusted Introducer Lookup Expert expert queries a locally cached Trusted Introducer team directory for the Autonomous system source.asn.

Generic sources for abuse-contacts

• Generic DB Lookup expert for local data sources, like database tables mapping ASNs to abuse-contact or Country Codes to abuse-contact.

• uWhoisd expert for fetching whois-data, not extracting abuse-contact information

Helpful other bots for pre-processing

• ASN Lookup

• Cymru Whois to lookup ASN, Geolocation, and BGP prefix for *.ip.

• Domain Suffix to lookup the public suffix of the domain in *.fqdn.

• Format Field

• Gethostbyname resolve *.ip from *.fqdn.

• MaxMind GeoIP to lookup Geolocation information for *.ip.

• Reverse DNS to resolve *.reverse_dns from *.ip.

• RIPE to lookup *.asn and Geolocation information for *.ip.

• Tor Nodes for filtering out TOR nodes.

• Url2FQDN to extract *.fqdn/*.ip from *.url.

Combining the lookup approaches

In order to get the best contact, it may be necessary to combine multiple abuse-contact sources. IntelMQ’s modularity provides methods to arrange and configure the bots as needed. Among others, the following bots can help in getting the best result:

• Filter expert: Your lookup process may be different for different types of data. E.g. website-related issues may be better addressed at the domain owner and device-related issues may be better addressed to the hoster.

• Modify expert: Allows you to set values based on filter and also format values based on the value of other fields.

• Sieve expert: Very powerful expert which allows filtering, routing (to different subsequent bots) based on if-expressions . It support set-operations (field value is in list) as well as sub-network operations for IP address networks in CIDR notation for the expression-part. You can as well set the abuse-contact directly.