Spammers & hackers: using the APNIC Whois Database to find their network

Network abuse FAQ series
Where are the whois databases and what do they contain?

There are five RIRs, each maintaining a whois database holding details of IP address registrations in their regions. The RIR whois databases are located at:
For historical reasons, the ARIN Whois Database is generally the starting point for searches. If an address is outside of ARIN's region, then that database will provide a reference to one of the other whois databases. Unfortunately, many people misinterpret this referral to mean that either APNIC, AfriNIC, LACNIC, or RIPE NCC is the network from where the problem arose. In fact, APNIC, AfriNIC, LACNIC, and RIPE NCC perform the same function as ARIN. To get more specific information you must follow the referral and search the appropriate database.

What does the APNIC Whois database contain?

The APNIC Whois Database contains registration details of IP addresses and AS numbers originally allocated by APNIC. It contains details of the organisations that hold the resources, where the allocations were made, and contact details for the networks. The organisations that hold those resources are responsible for updating their information in the database.

Please note, the APNIC Whois Database will be able to identify the details of the network routing the IP address you are searching for. In general it will not identify the individual actually using the specific address. Only the network administrator will have access to user information.

How do I use the APNIC Whois Database?

To find details about the IP address you are searching for, simply enter it into the text box and click "Search Whois". There are many other options available in the advanced Whois interface, but for simple IP look-ups you should just use the default settings.

What do the query results mean?

A. Which are the most important parts to look at?

For spam and hacking complaints, you really only need to consider the admin-c and tech-c fields. These two fields show the administrative and technical contacts for the organisation holding the relevant address range. Click on the hyperlinked entry (it looks like "AB12-AP"). This takes you to the address details of the contact.

B. What do all the other fields mean?

The other fields are included as part of the proper registration of public resources. If you're just using the database to look for the organisation responsible for network abuse, these other fields should not be relevant.

C. Your database says APNIC is the "source" of the IP address I've looked up

The source field shows the RIR responsible for keeping records of the IP address allocation. It does not show the organisation responsible for the administration or operation of the network.

Also note that the changed field is not a network contact address, as it merely records who made the most recent change to the registration information. All APNIC addresses will initially record an APNIC address in this field, as APNIC creates the first database object.

Where do I go from here?

To contact the network responsible for the IP address of the spammer or hacker, you will need to contact the admin-c or tech-c. See "What if the registered contact details are wrong?" for more information.

Are there any exceptions?

In many cases the APNIC Whois Database will refer you to a National Internet Registry (NIR). The NIRs perform a similar function to APNIC, but on a national level only. If the netname in the Whois record shows one of the following NIRs, you will need to access their databases to find out which ISP they allocated the address space to and contact the admin-c or tech-c of that ISP. Only contact the NIR itself if there are problems with the contacts registered in their database.
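
The look-up described above, as an added Python example that is not part of the original APNIC page: it reads an RPSL-style whois response, takes the admin-c and tech-c handles from the address object, resolves them against contact objects in the same response, never reads changed or source, and reports an NIR named in netname. The sample record, the function names and the `NIR_NAMES` list (matched as a substring of netname) are assumptions made for illustration.

```python
# Added example, not APNIC code. NIR_NAMES is an assumption (the page's NIR
# list is not reproduced); SAMPLE is a constructed record on a documentation range.
NIR_NAMES = ("APJII", "CNNIC", "JPNIC", "KRNIC", "TWNIC", "VNNIC")

SAMPLE = """\
% constructed sample response
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
admin-c:        AB12-AP
tech-c:         CD34-AP
changed:        registry@example.org 20070101
source:         APNIC

person:         Example Admin
e-mail:         noc@example.net
nic-hdl:        AB12-AP
"""

def parse_objects(text):
    """Split a whois response into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):      # server comment lines
            continue
        if not line.strip():                 # blank line ends an object
            if current:
                objects.append(current)
            current = []
            continue
        key, sep, value = line.partition(":")
        if sep and not line[0].isspace():    # skip continuation lines
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def abuse_contacts(text):
    """Handles, e-mails and NIR referral; 'changed' and 'source' are never read."""
    objects = parse_objects(text)
    net = next((o for o in objects if o[0][0] in ("inetnum", "inet6num")), [])
    handles = [v for k, v in net if k in ("admin-c", "tech-c")]
    netname = next((v for k, v in net if k == "netname"), "")
    nir = next((n for n in NIR_NAMES if n in netname.upper()), None)
    emails = {}
    for obj in objects:
        fields = dict(obj)
        if fields.get("nic-hdl") in handles and "e-mail" in fields:
            emails[fields["nic-hdl"]] = fields["e-mail"]
    return {"handles": handles, "emails": emails, "nir": nir}
```

A handle that appears in `handles` but not in `emails` (CD34-AP in the sample) has no contact object in the response and needs its own query.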
*KRNIC/NIDA maintains a list of ISP network abuse contacts.

I'm ready to query the APNIC Whois Database

The APNIC Whois Database is located at http://www.apnic.net/apnic-bin/

Last modified Thursday, 23-Aug-2007 11:19:03 EST | © 1999 - 2008 APNIC Pty. Ltd.