The right decision whom to contact about a specific incident is vital to get the incident resolved as quick as possible. Different types of events may required different abuse-contact to be selected. For example, issues about a device, e.g. a vulnerability in the operating system or an application, is better sent to the hoster which can inform the server administrator. For website-related issues, like defacements or phishing, the domain owner (maintaining the content of the website) could be the better and more direct contact. Additionally, different CERT’s have different approaches and different contact databases. Multiple information sources have different information, and some sources are more accurate than others. IntelMQ can query multiple sources of abuse-contacts and combine them. Internal databases, like a Constituency Portal (see IntelMQ Ecosystem) provide high-quality and first-hand contact information. The RIPE document Sources of Abuse Contact Information for Abuse Handlers contains a good summary of the complex of themes.
Sources for abuse-contacts¶
All these bots add the queried contacts to the IntelMQ events in the field source.abuse_contact if not state otherwise in the documentation.
Sources for domain-based abuse-contacts¶
These bots are suitable for domain-based abuse-contact look-ups.
Sources for IP address-based abuse-contacts¶
These bots are suitable for IP address- and ASN-based abuse-contact look-ups.
Abusix expert queries the online Abusix service.
DO Portal Expert Bot expert queries an instance of the do-portal software (deprecated).
Tuency expert queries an instance of the tuency Constituency Portal for the IP address. The Portal also takes into account any notification rules, which are saved additionally in the event.
RIPE expert queries the online RIPE database for IP-Address and AS contacts.
Generic sources for abuse-contacts¶
Helpful other bots for pre-processing¶
Cymru Whois to lookup ASN, Geolocation, and BGP prefix for
Domain Suffix to lookup the public suffix of the domain in
MaxMind GeoIP to lookup Geolocation information for
Reverse DNS to resolve
RIPE to lookup
*.asnand Geolocation information for
Tor Nodes for filtering out TOR nodes.
Url2FQDN to extract
Combining the lookup approaches¶
In order to get the best contact, it may be necessary to combine multiple abuse-contact sources. IntelMQ’s modularity provides methods to arrange and configure the bots as needed. Among others, the following bots can help in getting the best result:
Filter expert: Your lookup process may be different for different types of data. E.g. website-related issues may be better addressed at the domain owner and device-related issues may be better addressed to the hoster.
Modify expert: Allows you to set values based on filter and also format values based on the value of other fields.
Sieve expert: Very powerful expert which allows filtering, routing (to different subsequent bots) based on if-expressions . It support set-operations (field value is in list) as well as sub-network operations for IP address networks in CIDR notation for the expression-part. You can as well set the abuse-contact directly.