ARIN whois contact


Can someone give me a pointer to documentation on how SpamCop, when deciding where to direct a notification message, uses the various contacts in the ARIN whois database?

I'm asking because some notifications are coming to me, in my role with ISPnet, related to email sent by some of our customers. I had thought I'd set up the SWIPs in a way that would cause the notifications to go to the customer, but clearly don't have it quite right.

A recent example is an email that had originated at 69.48.133.19. The explanation in http://www.spamcop.net/sc?id=z751647436zc4...6723731a467370z states that

| If reported today, reports would be sent to:

| Re: 69.48.133.19 (Administrator of network where email originates)

| bob[at]tink.com

(That's me.)

The relevant SWIPs are 69.48.128.0/18 (ISPnet's direct ARIN allocation) and 69.48.133.0/27 (a subnet we assigned to a customer).

I would have assumed that the SpamCop logic would use the more specific. I guess that's the first thing I was looking to verify in SpamCop documentation. In the more specific SWIP, I am listed as NOCHandle, but both the OrgTechHandle and the AbuseHandle are set to addresses associated with our customer. Clearly my intent was that abuse reports (including SpamCop) get sent, by default, to the customer contact listed there.

Any advice would be much appreciated.

--

Bob Tinkelman <bob[at]tink.com>

ISPnet, Inc. 718.464.4747


On the tracking URL you provided:

Tracking message source: 69.48.133.19:

Routing details for 69.48.133.19

Cached whois for 69.48.133.19 : bob[at]tink.com

Using last resort contacts bob[at]tink.com

From the routing details:

Reports routes for 69.48.133.19:

routeid:13419230 69.48.128.0 - 69.48.191.255 to:bob[at]tink.com

Administrator found from whois records

From the refresh/show:

Tracking details

Display data:

"whois 69.48.133.19[at]whois.arin.net" (Getting contact from whois.arin.net )

checking NET-69-48-133-0-1

Display data:

"whois NET-69-48-133-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois myelen[at]aldoncci.com

Ignoring small (31 IP) network

checking NET-69-48-128-0-1

Display data:

"whois NET-69-48-128-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

69.48.128.0 - 69.48.191.255:bob[at]tink.com

whois.arin.net contact: bob[at]tink.com

Routing details for 69.48.133.19

Using last resort contacts bob[at]tink.com

So, because the network is too small, it is using the larger network, which is yours. It should work for any larger networks you have set up. I know it works for my /24 at work.
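The lookup order visible in the trace above, as an added example that is not part of the original posts and is not SpamCop's code: walk the covering netblocks from most specific outward and skip any whose span falls below a minimum. The records are constructed from the trace, and `min_span` is a hypothetical parameter, since the thread does not state SpamCop's actual threshold.

```python
import ipaddress

# Constructed records mirroring the two netblocks in the quoted trace.
NETBLOCKS = [
    {"handle": "NET-69-48-128-0-1", "first": "69.48.128.0",
     "last": "69.48.191.255", "contact": "bob[at]tink.com"},
    {"handle": "NET-69-48-133-0-1", "first": "69.48.133.0",
     "last": "69.48.133.31", "contact": "myelen[at]aldoncci.com"},
]


def _as_int(address):
    return int(ipaddress.IPv4Address(address))


def span(block):
    # The trace prints "31 IP" for the /27, i.e. last minus first,
    # so the same measure is used here.
    return _as_int(block["last"]) - _as_int(block["first"])


def route_report(ip, blocks, min_span):
    """Return (contact, log) for ip.

    min_span is hypothetical: the thread only shows that a span of 31
    was ignored and that a /24 (span 255) is reported to be accepted.
    """
    addr = _as_int(ip)
    covering = [b for b in blocks
                if _as_int(b["first"]) <= addr <= _as_int(b["last"])]
    covering.sort(key=span)  # most specific registration first
    log = []
    for block in covering:
        log.append(f"checking {block['handle']}")
        if span(block) < min_span:
            log.append(f"Ignoring small ({span(block)} IP) network")
            continue
        return block["contact"], log
    return None, log


if __name__ == "__main__":
    contact, log = route_report("69.48.133.19", NETBLOCKS, min_span=32)
    print("\n".join(log))
    print("report goes to:", contact)
```

With any `min_span` above 31 the customer's AbuseEmail on the /27 is found but never used, which is the behaviour the trace shows.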


  • 2 weeks later...

Clearly the key is in the following:

|"whois NET-69-48-133-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

| Found AbuseEmail in whois myelen[at]aldoncci.com

| Ignoring small (31 IP) network

| checking NET-69-48-128-0-1

So, a /27 is too small for SpamCop. Is a /26 OK? Whatever the answer, I cringe at the thought of using this as a justification with ARIN for sizing nets.


Once upon a time, the FAQ entry at How can I get SpamCop reports about my network? used to be a form that led to filling in the particulars of where reports would go. Trust being what it is, that had to develop into filling out the form, but that request would be vetted a bit by the Deputies. With simply too much stuff going on, this form was changed to what it is now, an opportunity for an interested party to keep some tabs on their IP (block) .. solving both problems of sending reports to the spammer and providing enough data that the system could be played.

The database can be massaged, a bit of detail to Deputies <at> admin.spamcop.net may be sufficient to receive what you ask (though they don't hang out here often, you may want to reference this discussion as having already happened .. just one of those other little details)
