On Tuesday 13 April 2004 19:48, wayne wrote:
I did *not*, however, know about the + option to whois. I used to use
some web based tools and such. Thanks!
AFAIK only ARIN supports the "+" option as it's a feature of their whois
server, not of the whois program (ARIN is the American Registry for Internet
Numbers, other locations have their own such as JPNIC for Japan, RIPE for
Europe etc.).
Back when I tried tracing and complaining the source of joe-job emails, I had
quite some success with a home rolled script which understood how to fire off
and parse the whois command. In particular, it does a basic whois to the
default provider, and then, when the results come back, knows how to look at
the results and see if anotehr more specific query to another provider is
needed (I believe some WHOIS clients may do this overseas lookup themselves,
but for me this 2 stage approach worked better).
You can also query the cyberabuse whois database which is dedicated to holding
abuse addresses for IP ranges ("whois -h whois.cyberabuse.org").
If anyone's interested I can post the perl code to do the lookup... or the
short list of NICs to whois hosts is below:
ARIN => "whois -h whois.arin.net + ",
APNIC => "whois -h whois.apnic.net ",
RIPE => "whois -h whois.ripe.net ",
LACNIC => "whois -h whois.lacnic.net ",
JPNIC => "whois -h whois.nic.ad.jp ",
JNIC => "whois -h whois.nic.ad.jp ",
KRNIC => "whois -h whois.krnic.net",
Cheers
--
Tim