Network Abuse
Indexing & reporting

Netabuse started in 2012 as a hobby project and is nowadays maintained by a team of volunteers.

All network abuse on our network is automatically indexed in a central database. Aggregated reports per IP address are emailed at least once a day to the originating network's abuse contact in X-ARF format. If the number of incidents from a subnet is too high, the subnet will be added to the firewall automatically.

Indexing

The system analyses logfiles from several applications to detect abuse and add it to the database.

Reporting

The system looks up the abuse contact for the offending IP address and sends an X-ARF email. If the email is handled by a ticketing system, the ticket-ID will be detected and linked to our report. New reports will be added to the same ticket.

Blocking

When too much abuse from a subnet is detected, a firewall rule for blocking traffic from the subnet will be created and activated automatically. The rule will be removed a few days after the abuse has stopped.

If you don't report abuse incidents, the administrators of the offending network don't know about the problem and the problems will continue.

Frequently Asked Questions.

Is your software Open Source? Can we get a copy of it?
Unfortunately, it isn't. The software is very system specific and I do not have much time for support and new features. I don't think it's a good idea to start an Open Source project if you don't maintain it. But feel free to copy my idea and write your own Open Source software (a reference or some credits for the idea would be nice).
How do you find the abuse contacts for the offending IP address?
In the past, we used AbuseIX's data for all reports, but unfortunately, they're missing contacts for lots of IP addresses and sometimes list the wrong contact address. So I started to add corrections to my own database, which is now the primary source for contact information.
We would like to add your next report to the same ticket in our support system.
When you send a reply to the report, please leave our report-ID (including the square brackets) in the subject and add yours (also between square brackets). The system will detect your ticket-ID and add it to our next report.
Stop sending your annoying emails!
If you stop the abuse from your network, the emails will stop automatically.
What about X-ARF? Which software can I use to automatically handle these messages?
I don't have a full list of applications, but abuse.io is a nice tool for taking care of network abuse, including X-ARF support.
You should contact our customer, listed in the IP-range's WHOIS
As an ISP, you probably have rules about abuse in your terms and conditions. I suppose you want to know about your customer's misbehaviour, so you can warn them or quit their services? Or is facilitating abuse your core business?
We're not portscanning, we're a research project indexing the use of software
Stop it right now! Your project is a high security risk. If somebody gets access to your database, he has a ready-to-use list of exploitable machines when a bug is found. Besides, compare it to this: you're checking the front door of every building in the world to see if it is locked. You're not breaking in, but you keep a list of all addresses with unlocked doors.
Please give us your IP addresses and we will exclude you from our research project
Yeah, that would be great for malware developers. Please send me the name of your project and the IP ranges you use and I'll exclude you. You can use the contact form for this.
Do you offer some kind of blacklist we can use?
Yes, we offer a blacklist you can import using ipset. First, create a set for IPv4 called abuse_v4 and one for IPv6 called abuse_v6.

    ipset list abuse_v4 > /dev/null 2>&1 || (ipset create abuse_v4 hash:net family inet)
    ipset list abuse_v6 > /dev/null 2>&1 || (ipset create abuse_v6 hash:net family inet6)

Also create some firewall rules that use these sets.

    iptables -A INPUT -m set --match-set abuse_v4 src -m comment --comment "Block abuse" -j DROP
    ip6tables -A INPUT -m set --match-set abuse_v6 src -m comment --comment "Block abuse" -j DROP

Finally, create a cronjob that updates the contents of these sets.

    # Run this cronjob hourly to update set for ipset
    # The URLs are quoted so the shell does not treat "?" as a glob character.
    wget "https://netabuse.info/export/ipset.php?version=4" -q -O /tmp/abuse_v4.ipset
    # Only restore when the download holds more than one line
    if [ "$(wc -l < /tmp/abuse_v4.ipset)" -gt 1 ]; then
        /sbin/ipset restore < /tmp/abuse_v4.ipset
    fi
    wget "https://netabuse.info/export/ipset.php?version=6" -q -O /tmp/abuse_v6.ipset
    if [ "$(wc -l < /tmp/abuse_v6.ipset)" -gt 1 ]; then
        /sbin/ipset restore < /tmp/abuse_v6.ipset
    fi
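
An added example, not part of Netabuse's own instructions: a check the cronjob above can run on each downloaded file before handing it to ipset restore, so that an error page, a command for another set or an unexpectedly broad network never reaches the firewall. It assumes the export uses ipset save syntax (create/flush/add lines); the function name check_blocklist and the default prefix limits are choices made for this example.

```shell
#!/bin/sh
# Added example: vet a downloaded blocklist before `ipset restore` reads it.
# Assumption: the export uses `ipset save` syntax, i.e. optional
# "create <set> ..." / "flush <set>" lines followed by "add <set> <net>".

# check_blocklist FILE SET FAMILY [MIN_PREFIX]
#   FAMILY is 4 or 6. MIN_PREFIX is the broadest network accepted
#   (default /8 for IPv4, /16 for IPv6; both defaults are assumptions).
# Returns 0 only if every line is a create/flush/add for SET, every entry
# parses as an address of FAMILY, and at least one entry is present.
check_blocklist() {
    file=$1; setname=$2; fam=$3
    if [ "$fam" = 4 ]; then minp=${4:-8}; else minp=${4:-16}; fi
    [ -s "$file" ] || return 1          # missing or empty download
    awk -v set="$setname" -v fam="$fam" -v minp="$minp" '
        function bad(why) {
            printf "line %d rejected (%s): %s\n", NR, why, $0 > "/dev/stderr"
            failed = 1
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }            # blank lines, comments
        $2 != set { bad("touches another set"); next }
        $1 == "create" || $1 == "flush" { next }
        $1 != "add" || NF != 3 { bad("unexpected command"); next }
        {
            n = split($3, part, "/")
            max = (fam == 4) ? 32 : 128
            len = (n == 2) ? part[2] : max           # bare address = host entry
            if (n > 2 || len !~ /^[0-9]+$/ || len + 0 > max)
                bad("bad prefix length")
            else if (len + 0 < minp)
                bad("network too broad")
            else if (fam == 4 && part[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                bad("not an IPv4 address")
            else if (fam == 6 && part[1] !~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$/)
                bad("not an IPv6 address")
            else
                entries++
        }
        END { exit (failed || entries == 0) ? 1 : 0 }
    ' "$file"
}

# Gate the restore in the cronjob on the check, for example:
#   check_blocklist /tmp/abuse_v4.ipset abuse_v4 4 &&
#       /sbin/ipset restore < /tmp/abuse_v4.ipset
```

Rejected lines are printed to stderr with their line number, so cron's mail shows why an update was skipped while the previous set contents stay in place.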

Contact Us


Get in touch

If you have any questions about the software, managing abuse in your network or anything else, please do not hesitate to use the contact form. Normally your question will be answered within 24 hours.