Using Whois to find the Owner of a TCP/IP Address
There are three registries that handle registration information for TCP/IP addresses. All three publish their information via "whois", a simple lookup mechanism.
ARIN handles primarily North American address assignments. RIPE handles European address assignments. APNIC handles Asia-Pacific address assignments. These registries also handle nearby regions that don't necessarily fit those categories.
To find out the owner of a given TCP/IP address, search for it first in the ARIN database. If it's actually handled by one of the other registries, the ARIN entry will refer you to the correct registry. For example:
# whois 195.53.2.15@whois.arin.net
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C)
These addresses have been further assigned to European users.
Contact info can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/perl/whois/
NL
Netname: RIPE-CBLK3
Netblock: 195.0.0.0 - 195.255.255.255
[snip]
For this address, we really need to do:
# whois 195.53.2.15@whois.ripe.net
inetnum: 195.53.2.0 - 195.53.2.255
netname: COFARAN
descr: Farmaceutica Andaluza
country: ES
admin-c: FMF1-RIPE
tech-c: JMA1-RIPE
status: ASSIGNED PA
mnt-by: MAINT-AS3352
changed: dnsadmin@ibernet.es 19970517
changed: olga.luna@ttd.es 19990224
source: RIPE
route: 195.53.0.0/16
descr: Ibernet Madrid POP
origin: AS3352
mnt-by: MAINT-AS3352
changed: hostmaster@ibernet.es 19970428
source: RIPE
person: Felicidad Martin
address: Telefonica Transmision de Datos
address: C/ Almansa 105, 5 Dcha
address: 28040 Madrid
address: Spain
phone: +34 91 4567687
fax-no: +34 91 4566499
e-mail: felicidad.martin@telefonica-data.com
nic-hdl: FMF1-RIPE
mnt-by: MAINT-AS3352
changed: mfmartin@ttd.ibernet.es 19971106
changed: mfmartin@ttd.ibernet.es 19981027
changed: felicidad.martin@ttd.es 19981223
changed: felicidad.martin@ttd.es 19990805
source: RIPE
person: Jose Manuel Arce
address: Telefonica Transmision de Datos
address: C/ Beatriz de Bobadilla 18, 1 Izqda. (CNC -Ibernet-)
address: 28040 Madrid
address: Spain
phone: +34 1 456 66 66
fax-no: +34 1 456 63 59
e-mail: dnsadmin@ttd.net
nic-hdl: JMA1-RIPE
mnt-by: MAINT-AS3352
changed: dnsadmin@ibernet.es 19971106
changed: mfmartin@ttd.ibernet.es 19980710
changed: cgarcia@ttd.ibernet.es 19980908
source: RIPE
Find the most recent e-mail addresses in the whois record; these are some of the people you need to complain to about this address. In this example, we are interested in cgarcia@ttd.ibernet.es, felicidad.martin@ttd.es and olga.luna@ttd.es. We'd also suggest abuse@ttd.es and abuse@ttd.ibernet.es.
For 208.187.142.128, we do:
# whois 208.187.142.128@whois.arin.net
[whois.arin.net]
Electric Lightwave Inc (NETBLK-ELI-2-NETBLK99) ELI-2-NETBLK99
208.186.0.0 - 208.187.255.255
Trip.net (NETBLK-ELI-831-2081871421) ELI-831-2081871421
208.187.142.1 - 208.187.142.200
To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
In this case we received multiple records. We wish to look at the most specific (smallest assignment), so we do a new query like:
# whois NETBLK-ELI-831-2081871421@whois.arin.net
[whois.arin.net]
Trip.net (NETBLK-ELI-831-2081871421)
5615 Richmond Avenue
Houston, TX 77057
US
Netname: ELI-831-2081871421
Netblock: 208.187.142.1 - 208.187.142.200
Coordinator:
Maynard, Jeff (JM1115-ARIN) jmaynard@trip.net
(512)882-9268
Record last updated on 26-Jul-2001.
Database last updated on 16-Jan-2002 02:38:24 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
In this case the address we find is jmaynard@trip.net. We'll also want to send to abuse@trip.net.
If you find an IP address that is registered to APNIC, the whois server to use is whois.apnic.net.
Note that registry information is often out of date. If you see a registry entry that bears little resemblance to the Reverse DNS or header info given by a site and you don't think that information is forged, it's a good bet the registry info is out of date.
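As an added example (not part of the original page), the steps above done in Python over constructed whois output: pick the most recently active addresses from the "changed:" lines of a RIPE record, derive the abuse@ mailboxes for their domains, and choose the most specific netblock when an ARIN query returns several records. The names, handles and addresses in the samples are made up; only the layout follows the output quoted above.

```python
import ipaddress
import re
# Constructed sample records (made-up names and addresses) in the RIPE and ARIN layouts quoted above.
RIPE_SAMPLE = """\
inetnum:      195.53.2.0 - 195.53.2.255
changed:      old-admin@old-isp.example 19970517
changed:      hostmaster@isp.example 19990224
source:       RIPE

person:       Example Person
changed:      person@isp.example 19981223
changed:      person@isp.example 19990805
source:       RIPE
"""
ARIN_SAMPLE = """\
Example Lightwave Inc (NETBLK-EXAMPLE-1) EXAMPLE-1
   208.186.0.0 - 208.187.255.255
Example Trip (NETBLK-EXAMPLE-2) EXAMPLE-2
   208.187.142.1 - 208.187.142.200
"""

# 'changed: <e-mail> <YYYYMMDD>' lines; a YYYYMMDD date sorts chronologically as text.
CHANGED = re.compile(r"^changed:\s+(\S+@\S+)\s+(\d{8})\s*$", re.M)
# ARIN summary lines: '<name> (<handle>) <netname>' followed by a 'lo - hi' range line.
RANGE = re.compile(r"^(.+?)\s+\((\S+)\)\s+\S+\s+(\d+(?:\.\d+){3})\s+-\s+(\d+(?:\.\d+){3})", re.M)

def recent_changers(text, n=3):
    """Addresses from 'changed:' lines, newest date first, deduplicated."""
    dated = sorted(((d, a.lower()) for a, d in CHANGED.findall(text)), reverse=True)
    seen = []
    for _, addr in dated:
        if addr not in seen:
            seen.append(addr)
    return seen[:n]

def abuse_addresses(addresses):
    """One abuse@ mailbox per distinct domain, as the text suggests adding."""
    return sorted({"abuse@" + a.split("@", 1)[1] for a in addresses})

def most_specific_netblock(text, ip):
    """Handle of the smallest ARIN range containing ip, or None if none does."""
    target = ipaddress.ip_address(ip)
    best = None  # (range size, handle)
    for _name, handle, lo, hi in RANGE.findall(text):
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        size = int(hi_a) - int(lo_a)
        if lo_a <= target <= hi_a and (best is None or size < best[0]):
            best = (size, handle)
    return best[1] if best else None
```

The "changed:" dates only say who last touched the record, so a stale registry entry, as the note above warns, yields stale contacts just as readily.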
Sam Spade can do all this for you. Put the IP Address in the box next to the IP Whois button, and click the button.
Please send corrections or suggestions for improvements in this page to abuse@skywaywest.com
