Finding a Network Administrator
By Jeffrey Howard
Sometimes it's very helpful to find out who administers a particular network. Most often this comes up in the context of tracing a spam message or a network attack. Even with the IP address or domain name of the source of the problem in hand, you still need to produce an email address to contact.

With a Domain Name

From a UNIX prompt

First, find the whois program. Hopefully it will be in the command path, so it can be run without a full pathname. Type:

whois domain.com

where domain.com is replaced by whatever domain you're trying to track down. Using mit.edu as an example, whois produces the following:

[whois.internic.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: MIT.EDU
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: BITSY.MIT.EDU
Name Server: STRAWB.MIT.EDU
Name Server: W20NS.MIT.EDU
Updated Date: 23-may-2000
>>> Last update of whois database: Thu, 5 Oct 2000 07:16:20 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.

The output provides some information, such as which nameservers have authoritative information about that domain and who the registrar of the domain is. The most important item is the whois server: that server should have the contact information for the domain. Type:

whois mit.edu@whois.networksolutions.com

(This is the old BSD whois syntax, where the text after the @ names the server to query. Most current whois clients take the server with -h instead, as in whois -h whois.networksolutions.com mit.edu, and many follow the registry's referral to the registrar automatically.) This should produce output similar to the following:
[networksolutions.com]
The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy. By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems). Network Solutions
reserves the right to modify these terms at any time. By submitting
this query, you agree to abide by this policy.
Registrant:
Massachusetts Institute of Technology (MIT-DOM)
Cambridge, MA 02139
Domain Name: MIT.EDU
Administrative Contact, Technical Contact, Zone Contact:
Schiller, Jeffrey I (JIS) jis@MIT.EDU
Massachusetts Institute of Technology
MIT Room E40-311, 77 Massachusetts Avenue
Cambridge, MA 02139-4307
+1 617 253-8400 (FAX) +1 617 258-8736
Record last updated on 14-Jan-1994.
Record expires on 29-Apr-2002.
Record created on 23-May-1985.
Database last updated on 5-Oct-2000 18:33:49 EDT.
Domain servers in listed order:
STRAWB.MIT.EDU 18.71.0.151
W20NS.MIT.EDU 18.70.0.160
BITSY.MIT.EDU 18.72.0.3
The administrative, technical, and zone contacts are all the same person in this case, and plentiful contact information is provided. If you were suffering some sort of attack from an MIT machine, you'd now have enough information to contact their network administrator and coordinate a solution. Before you go on the war path, though, please read the quick note about what you should and shouldn't say at the bottom of the page.

Also note that InterNIC only carries information on .com, .net, .org, and .edu domains. This covers a lot, but if you want to find a host outside these domains (in a foreign country, for example), you have to query the whois server for that foreign registry.

From a Web Browser

Whois services like those explained in the section above are also provided by websites. Try Yahoo's directory of Whois servers to find one. They have a blank where one can type a domain name and get the record for the registrant.

Finding an IP Address

Sometimes it may not be possible to get a domain name to look up; all that's available is the IP address of a source host. A similar method is used.

From a UNIX Prompt

To continue the MIT example, type:

whois 18.71.0.151@whois.arin.net

The output should look something like:

[whois.arin.net]
[No name] (MIT-STRAWB) STRAWB.MIT.EDU 18.71.0.151
Massachusetts Institute of Technology (NET-MIT-TEMP) MIT 18.0.0.0 - 18.255.255.255
To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.
The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

The first line is the record for the single host; the second is the record for the network that owns the address, with its handle (NET-MIT-TEMP) in parentheses. Now look up that handle:

whois NET-MIT-TEMP@whois.arin.net

The response will look something like:
Massachusetts Institute of Technology (NET-MIT-TEMP)
1 Amherst Street
Cambridge, MA 02139-1986
Netname: MIT
Netblock: 18.0.0.0 - 18.255.255.255
Coordinator:
Schiller, Jeffrey I (JIS-ARIN) jis@MIT.EDU
+1 617 253-8400 (FAX) +1 617 258-8736
Domain System inverse mapping provided by:
STRAWB.MIT.EDU 18.71.0.151
W20NS.MIT.EDU 18.70.0.160
BITSY.MIT.EDU 18.72.0.3
Record last updated on 26-Sep-1998.
Database last updated on 6-Oct-2000 07:22:44 EDT.
Again, this provides contact information for the network. This time it was not necessary to know any domain names, just the IP address of a host.

There is another variation. Type:

whois 209.95.130.66@whois.arin.net

It returns:

[whois.arin.net]
Telia Network Services (NETBLK-TELIANET) TELIANET 209.95.128.0 - 209.95.159.255
MIT Corporation (NETBLK-MITCORP2-NET) MITCORP2-NET 209.95.130.64 - 209.95.130.95
To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.
The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

This output shows delegation of IP addresses. Telia Network Services is the service provider for the MIT Corporation and has delegated the smaller block 209.95.130.64 - 209.95.130.95 to it. Therefore the MIT Corporation, and thus MITCORP2-NET, is the record to look up to address troubles in their network: they are most directly responsible for the 209.95.130.66 address. If they cannot be reached or do not address the problem, Telia Network Services can be contacted as a last resort, since they provide those addresses to the MIT Corporation. The general rule is to start with the smallest listed block that contains the address and work outward to the blocks that contain it.

Lastly, recognize that whois.arin.net only provides information for addresses allocated by ARIN. For addresses allocated by RIPE, use whois.ripe.net. For AUNIC addresses, use whois.aunic.net. For addresses allocated by other authorities, use their respective whois services. (Since this page was written, address allocation has been consolidated under five regional registries: ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC. Each answers for its own region, and the whois client shipped with most Linux distributions chooses the registry from the address itself, so a plain whois 209.95.130.66 is usually enough today.)

From a Web Browser

The web browser procedure is very similar to using a web browser to look up domain names. Go to Yahoo's directory of Whois servers. Many of the web sites listed only handle domain names, not IP addresses. Some handle IP addresses, but only from a certain part of the world, such as the region handled by ARIN. Keep looking around, and follow the links from those whois servers to other whois servers.
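Both lookups above, the registry-to-registrar referral for a domain name and the choice between a delegated block and its provider for an IP address, come down to reading a few fields out of whois text. The following Python is an added example written for this page; it is not the author's code and not part of any whois tool. It works on constructed samples modelled on the records shown above (abbreviated, with the netname separated from the address range by a space), pulls out the registrar's whois server and the contact addresses, and for an IP address orders the matching netblock records from most specific to least, which is the contact order argued for above. The sample text and the function names are my own.

```python
import ipaddress
import re

# Constructed samples, abbreviated from the records shown on this page.
REGISTRY_SAMPLE = """\
Domain Name: MIT.EDU
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: BITSY.MIT.EDU
"""

REGISTRAR_SAMPLE = """\
Registrant:
Massachusetts Institute of Technology (MIT-DOM)
Administrative Contact, Technical Contact, Zone Contact:
Schiller, Jeffrey I (JIS) jis@MIT.EDU
+1 617 253-8400 (FAX) +1 617 258-8736
"""

ARIN_SAMPLE = """\
Telia Network Services (NETBLK-TELIANET) TELIANET 209.95.128.0 - 209.95.159.255
MIT Corporation (NETBLK-MITCORP2-NET) MITCORP2-NET 209.95.130.64 - 209.95.130.95
[No name] (MIT-STRAWB) STRAWB.MIT.EDU 18.71.0.151
Massachusetts Institute of Technology (NET-MIT-TEMP) MIT 18.0.0.0 - 18.255.255.255
"""


def referral_server(text):
    """Return the 'Whois Server:' value from a registry answer, or None.

    That is the server to query next (whois -h <server> <domain>).
    """
    m = re.search(r"^\s*Whois Server:\s*(\S+)", text, re.M | re.I)
    return m.group(1).lower() if m else None


def contact_emails(text):
    """Collect e-mail addresses from a registrar or RIR record, in order, deduplicated."""
    found = []
    for addr in re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text):
        addr = addr.lower()
        if addr not in found:
            found.append(addr)
    return found


# One ARIN summary line: "<name> (<HANDLE>) <netname> <start>[ - <end>]".
RANGE_RE = re.compile(
    r"^(?P<name>.+?)\s+\((?P<handle>[A-Z0-9-]+)\)\s+\S+\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)(?:\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+))?\s*$",
    re.M,
)


def escalation_order(ip, text):
    """Order the records containing `ip` from most specific to least.

    The first entry is who to contact first (they hold the addresses most
    directly); later entries are the providers those addresses were
    delegated from, the fallback if the first does not respond.
    """
    target = int(ipaddress.ip_address(ip))
    hits = []
    for m in RANGE_RE.finditer(text):
        start = int(ipaddress.ip_address(m["start"]))
        end = int(ipaddress.ip_address(m["end"] or m["start"]))
        if start <= target <= end:
            hits.append((end - start, m["handle"], m["name"].strip()))
    hits.sort()  # smallest range first
    return [(handle, name) for _, handle, name in hits]


if __name__ == "__main__":
    print("next server:", referral_server(REGISTRY_SAMPLE))
    print("contacts:", contact_emails(REGISTRAR_SAMPLE))
    for handle, name in escalation_order("209.95.130.66", ARIN_SAMPLE):
        print("contact", name, "(" + handle + ")")
```

Run against real output, replace the samples with the text returned by whois -h for the server in question; the same ordering rule applies to the "NetRange" lines of present-day ARIN records once you adapt RANGE_RE to that layout.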
You should eventually be able to find a server that will give you contact information for any address on the net.

What Do I Say?

If you're willing to go to this much trouble to track down the administrator of a domain, you presumably have some grievance you want addressed. Most often, I find that I'm tracking down a network because I've received a spam message from them, or because an attack against our network seems to have originated from theirs. How much success you have in dealing with your problem depends very much on how you write to the administrator of the network. The general guideline is to use common sense. Be polite; you are asking for someone else's time in helping you track down a problem. Imagine someone coming to you to complain about being sent spam or having their network attacked. Assuming you'd done nothing wrong, how would you want to be treated? For specific things to avoid, read below.

What Not To Do

The most important thing: don't email the people in the examples above. I graduated from MIT, so I feel I owe them a hard time ;) That's why they get to be the example network. But I've never actually received a spam message from their network, nor has my network been attacked from within their network. I do not want to be contacted by an angry MIT network administrator because his inbox is filled with email from people who've been following the examples too literally. I'm sure they've got enough work on their hands as it is.

When you do contact a network because of a problem, try sending mail to abuse@domain.com (where domain.com is replaced by the domain you're contacting). The "abuse" user is a reasonably widespread convention at this point, and it can save you the trouble of having to use whois to find a contact at all. If a message to "abuse" bounces, though, you may have to email the technical, administrative, billing and/or zone contacts for the domain instead.
If you do contact these people, remember that the only reason you're using their email address or phone number is that it was the one publicly available. Sometimes these people have almost nothing to do with the actual operation of the network they represent. Therefore, always clearly identify which domain (or better yet, which specific IP address) you are inquiring about, and when it happened, with time zone. That way they can route your message more effectively.

Also bear in mind that the person you are contacting is most likely not responsible for whatever trouble you're having. If you received spam from their network, it is most likely that the spammer cracked one of their machines and has been stealing time on it to send the spam. If your machine was probed or attacked from their network, chances are that the attacker had broken into their machines and was using them to attack yours. I have yet to contact anyone who was knowingly and deliberately using their own network to attack me.

Now imagine that you're a system administrator. You haven't even had a cup of coffee in the morning yet, and someone from three time zones away is calling you on their lunch break and screaming about spam or a network attack or whatever. Would you want to help this person out? So be polite. Assume the innocence of whoever you contact. Inquire whether they know why one of the machines on their network was trying to portscan every host on yours. Gently remind them that if they can't find a rational explanation, like a misconfiguration, then it may indicate that someone has cracked their computers and is using them to attack others. If you can't get a satisfactory response, don't get angry; just contact that network's service provider and explain the problem.

Lastly, if you are complaining about spam, you must include the spam message, in its entirety, with all the message header information.
If you don't know how to get the full set of message headers (which shows the path the message has taken), it's different for every mail client, so I'm afraid I can't help you. Find a more experienced user of that mail client to help. And don't be entirely surprised if the network administrator you contact tells you that the mail didn't actually go through their network. Message headers and domain names can be forged, so they may be telling the truth. I'd like to go into an explanation of how to tell real header information from falsified information, but that will have to wait for another time.
This information is provided "as is," with no warranty or guaranty. The IAQ pages have not been maintained in some time; they're being kept up because, judging by the traffic and link-backs, people still find them useful. Copyright 1998-2004 by Jeffrey Howard and Heather Grove, except where stated otherwise.