Grabbing Bulk Abuse Emails

13 March 2015

This post came about due to a recent attempted IRC bot takedown, so I thought it may benefit some people.

To start, we ran a /who on each channel containing the bots and aggregated the output into a master list of victims. We then did some command-line sorting:

At this point each entry was of the form username@host, where host was either a domain name or an IP address, so we needed several passes to get everything into one format.

awk -F ' ' '{ print $6 }' victims.txt | sed 's/~//g' | awk -F '@' '{ print $2 }' | sort | uniq >> pwned.txt

After running the above command, we are left with just the hostnames or IPs of the compromised hosts.

Next, we needed to convert all the hostnames into IP addresses.

grep -E -v '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' pwned.txt > domains.txt

The above command prints every line that does not contain a dotted-quad pattern, so we are left with just the domain names, saved to domains.txt for the next step. Two notes: -o and -v do not combine usefully (-o prints only the matching part of a line, while -v selects lines that have no match, so together they print nothing), and the pattern is unanchored, so a reverse-DNS style hostname that embeds four dotted numbers would be misclassified as an IP address.

We then wrote a small Python script which would give us the IP address of the hostname.

#!/usr/bin/env python3
import socket

# Resolve each hostname in domains.txt and write the IPv4 address it
# maps to into ips.txt, one per line. gethostbyname() returns a single
# address, so a host with several A records contributes only one.
with open('domains.txt') as f, open('ips.txt', 'w') as out:
    for domain in f:
        domain = domain.strip()
        if not domain:
            continue
        try:
            out.write(socket.gethostbyname(domain) + '\n')
        except socket.gaierror:
            # NXDOMAIN, timeout or a bad name: skip it and keep going
            pass

Next, we run the same grep command as above without the -v to pull out the entries that are already IP addresses, appending them to the file the script produced:

grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' pwned.txt >> ips.txt

That merges the two sets, and we are left with one master list of victim IPs in ips.txt.

Lastly, we wrote another Python script which does a whois lookup on each IP, prints the abuse email, and groups the IPs under the abuse contact of the network they belong to.

#!/usr/bin/env python3
from pprint import pprint

from ipwhois import IPWhois  # pip install ipwhois

# abuse contact -> list of victim IPs that contact is responsible for
by_abuse_contact = {}

with open('ips.txt') as f:
    for ip in f:
        ip = ip.strip()
        if not ip:
            continue
        try:
            # lookup_whois() is the current name of the legacy whois
            # lookup (older ipwhois releases called it lookup()).
            results = IPWhois(ip).lookup_whois()
        except Exception as e:
            # Private/bogon range, unreachable whois server, rate
            # limiting: note it and carry on with the next IP.
            print('lookup failed for %s: %s' % (ip, e))
            continue

        # 'nets' can hold several nested allocations and the abuse
        # address is not always on the first one, so scan them all.
        abuse = None
        for net in results.get('nets', []):
            if net.get('abuse_emails'):
                abuse = net['abuse_emails']
                break

        print(ip, abuse)
        by_abuse_contact.setdefault(abuse, []).append(ip)

pprint(by_abuse_contact)

We are then left with a dictionary of abuse contacts and the IPs that belong to each, which we can use to send out bulk emails letting the networks know about their infected hosts. Whois servers rate-limit queries, so for a long list pace the lookups and cache the results rather than re-running the whole script.
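To make the whole procedure reproducible end to end, here is an added example (not code from the original post) that folds the awk, grep, resolve and whois steps into one Python 3 script. It goes beyond the page in two ways: it classifies hosts with the ipaddress module instead of a dotted-quad regex, so IPv6 literals and reverse-DNS style hostnames are handled correctly, and it scans every net in the whois result for an abuse contact rather than only the first. The /who lines, the DNS table and the whois results are constructed, hypothetical data; the host field position (6), stub_resolver and stub_lookup are assumptions that stand in for socket.gethostbyname and IPWhois(ip).lookup_whois() so the script runs offline.

```python
#!/usr/bin/env python3
import ipaddress
import socket
from collections import defaultdict
from pprint import pprint

# Constructed /who lines (hypothetical channels, nicks, hosts and IPs). The
# host is in ident@host form in the 6th whitespace-separated field, which is
# what the page's awk pipeline assumes.
WHO_LINES = """\
[14:02] -!- #chan1 bot1 H ~bot@198.51.100.7
[14:02] -!- #chan1 bot2 H ~bot@c-203-0-113-9.example-isp.net
[14:02] -!- #chan2 bot3 G ~x@10.0.0.1.rdns.example.org
[14:02] -!- #chan2 bot1 H ~bot@198.51.100.7
[14:02] -!- #chan2 bot4 H ~bot@2001:db8::42
[14:02] -!- #chan2 bot5 H ~bot@nxdomain.invalid
End of /WHO list.
"""

# Constructed stand-ins for DNS and whois so the script runs offline.
FAKE_DNS = {
    'c-203-0-113-9.example-isp.net': '203.0.113.9',
    '10.0.0.1.rdns.example.org': '192.0.2.55',
}
# Shaped like the dict ipwhois' lookup_whois() returns: a 'nets' list in
# which only some entries carry an abuse address.
FAKE_WHOIS = {
    '198.51.100.7': {'nets': [{'cidr': '198.51.100.0/24', 'abuse_emails': None},
                              {'cidr': '198.51.100.0/25', 'abuse_emails': 'abuse@example-hoster.net'}]},
    '203.0.113.9': {'nets': [{'cidr': '203.0.113.0/24', 'abuse_emails': 'abuse@example-isp.net'}]},
    '192.0.2.55': {'nets': [{'cidr': '192.0.2.0/24', 'abuse_emails': 'abuse@example-hoster.net'}]},
    '2001:db8::42': {'nets': [{'cidr': '2001:db8::/32', 'abuse_emails': None}]},
}

def stub_resolver(name):  # hypothetical stand-in for socket.gethostbyname
    if name not in FAKE_DNS:
        raise socket.gaierror(-2, 'Name or service not known')
    return FAKE_DNS[name]

def stub_lookup(ip):  # hypothetical stand-in for IPWhois(ip).lookup_whois()
    return FAKE_WHOIS[ip]

def extract_hosts(lines, host_field=6):
    """Unique hosts taken from the ident@host field of each /who line."""
    hosts = set()
    for line in lines:
        fields = line.split()
        if len(fields) < host_field:  # trailer or blank lines
            continue
        user_host = fields[host_field - 1].lstrip('~')
        if '@' in user_host:
            hosts.add(user_host.rsplit('@', 1)[1])
    return sorted(hosts)

def split_hosts(hosts):
    """Separate literal IPs (v4 or v6) from names that still need DNS."""
    # ipaddress parses the whole string, so 10.0.0.1.rdns.example.org stays
    # a hostname instead of matching an unanchored dotted-quad regex.
    ips, names = [], []
    for host in hosts:
        try:
            ips.append(str(ipaddress.ip_address(host)))
        except ValueError:
            names.append(host)
    return sorted(ips), sorted(names)

def resolve_all(names, resolver):
    """Resolve names to IPs and report the failures instead of dropping them."""
    resolved, unresolved = [], []
    for name in names:
        try:
            resolved.append(str(ipaddress.ip_address(resolver(name))))
        except (OSError, ValueError):  # socket.gaierror is an OSError
            unresolved.append(name)
    return resolved, unresolved

def group_by_abuse(ips, lookup):
    """Map abuse contact -> sorted victim IPs, scanning every net, not just nets[0]."""
    groups = defaultdict(set)
    for ip in ips:
        try:
            result = lookup(ip)
        except Exception:  # bogon range, whois unreachable, rate limited
            groups['LOOKUP_FAILED'].add(ip)
            continue
        contact = 'UNKNOWN'
        for net in result.get('nets', []):
            if net.get('abuse_emails'):  # may hold several, newline-joined
                contact = net['abuse_emails']
                break
        groups[contact].add(ip)
    return {k: sorted(v) for k, v in groups.items()}

def build_report(lines, resolver, lookup, host_field=6):
    """Whole pipeline: /who lines in, {abuse contact: [victim IPs]} out."""
    ips, names = split_hosts(extract_hosts(lines, host_field))
    resolved, _unresolved = resolve_all(names, resolver)
    return group_by_abuse(sorted(set(ips) | set(resolved)), lookup)

if __name__ == '__main__':
    pprint(build_report(WHO_LINES.splitlines(), stub_resolver, stub_lookup))
```

For a live run, pass socket.gethostbyname as the resolver and `lambda ip: IPWhois(ip).lookup_whois()` as the lookup; the injected functions are what let the same code be exercised offline against constructed data. The UNKNOWN and LOOKUP_FAILED buckets are worth keeping in the output, since those are the hosts you would otherwise silently fail to report.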