
Don't Just Ban IPs - Send the Damn Abuse Report

by Alex Yumashev · Updated Aug 1 2025

I just finished dealing with a Digital Ocean IP address that sent half-a-million requests to our network and this got me thinking...

Remember when we used to send abuse reports? You'd spot some shady traffic - and fire off an email to the host. Fast, easy, and effective.

Now? Nobody does it. We just shrug and block.

Here's the thing: abuse reports still work (shocker). I know because we get them all the time.

If you see brute-force attempts, port scanning, spam, malicious HTTP traffic - and it's coming from a Hetzner box or a DigitalOcean droplet - don't just block the IP. Take 1 minute and report it.

How to find the abuse contact with one command

Surprisingly, most "IP info" API providers offer abuse contact info as a paid feature. After a bit of research it turned out you can still get it for free using a reverse DNS lookup, thanks to the Abusix database. Here's a Bash script:

#!/bin/bash

# USAGE: ./abuse.sh 123.123.123.123

if [ -z "$1" ]; then
  echo "Usage: $0 <ip_address>"
  exit 1
fi

IP_ADDRESS=$1

# Reverse the IP address octets. For example, "1.2.3.4" becomes "4.3.2.1"
REVERSED_IP=$(echo "$IP_ADDRESS" | awk -F. '{print $4"."$3"."$2"."$1}')

# Construct the special domain name for the Abusix query.
QUERY_DOMAIN="$REVERSED_IP.abuse-contacts.abusix.zone."

# Use the 'host' command to look up the TXT record for the constructed domain.
# The abuse contact is typically found within quotes in the TXT record.
# We use grep to find the quoted string and tr to remove the quotes.
ABUSE_CONTACT=$(host -t TXT "$QUERY_DOMAIN" | grep -o '".*"' | tr -d '"')

# Check if an abuse contact was found.
if [ -n "$ABUSE_CONTACT" ]; then
  echo "$IP_ADDRESS: $ABUSE_CONTACT"
else
  echo "No abuse contact found for $IP_ADDRESS via Abusix."
fi

Save it as abuse.sh, and now you're one command away from knowing who to notify.

Email template

Copy-paste this:

To: abuse@hostingprovider.com
Subject: Suspicious activity from IP [123.123.123.123]

Hello,

We've observed thousands of suspicious requests from the following IP:

- IP Address: 123.123.123.123
- Timestamp: 2025-08-01 10:23:17 UTC
- Log Excerpt:

[2025-08-01 10:23:17] GET /phpmyadmin/index.php
[2025-08-01 10:23:18] POST /wp-login.php
[2025-08-01 10:23:21] GET /.env.local
[2025-08-01 10:23:25] GET /.docker-compose.yml

This traffic is unauthorized and persistent. Please investigate.

Thanks,  
Your Name  
Your Company

Just ask your favorite AI to vibe-code the email-sending part too.
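
One way to fill in the template above from a real access log, as an added example that is not part of the original post. It assumes combined-format log lines that start with the client IP; `sample_log`, `is_ipv4` and `build_report` are hypothetical names, and the log lines and contact address are constructed.

```bash
# Added example: build the abuse-report email from an access log (names are hypothetical).

# Constructed sample log using documentation-range IPs (RFC 5737).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [01/Aug/2025:10:23:17 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153
203.0.113.70 - - [01/Aug/2025:10:23:18 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [01/Aug/2025:10:23:18 +0000] "POST /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [01/Aug/2025:10:23:21 +0000] "GET /.env.local HTTP/1.1" 404 153
EOF
}

# True only for a single dotted-quad IPv4 address.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NR > 1 || NF != 4 { bad = 1 }
    { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) bad = 1 }
    END { exit (bad + 0) }'
}

# build_report IP CONTACT LOGFILE [MAX_LINES] -> prints the email; body runs in a subshell.
build_report() (
  ip=$1 contact=$2 log=$3 max=${4:-10}
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; exit 1; }
  # The contact comes from a DNS TXT record: allow only address characters in the To: header.
  case $contact in
    *[!A-Za-z0-9@._+,-]* | "") echo "unexpected contact: $contact" >&2; exit 1 ;;
  esac
  # Exact first-field match (203.0.113.7 must not match 203.0.113.70); strip quotes/control bytes.
  hits=$(awk -v ip="$ip" '$1 == ip { print $4, $5, $6, $7 }' "$log" | tr -d '"' | tr -cd '[:print:]\n')
  [ -n "$hits" ] || { echo "no requests from $ip in $log" >&2; exit 1; }
  total=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
  cat <<EOF
To: $contact
Subject: Suspicious activity from IP [$ip]

Hello,

We've observed $total suspicious requests from the following IP:

- IP Address: $ip
- Log Excerpt (first $max lines at most):

$(printf '%s\n' "$hits" | head -n "$max")

This traffic is unauthorized and persistent. Please investigate.
EOF
)
sample_log | build_report 203.0.113.7 abuse@hosting.example -   # demo on the constructed log
```

Pass the address printed by abuse.sh as the second argument and your own log file as the third; the paths in the excerpt are attacker-supplied, which is why control bytes are stripped before they reach the email.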

Why bother?

According to the "2025 Imperva Bad Bot Report", 51% of internet traffic is bots. 75% of that is malicious.

That means most of your server logs are full of bots trying to exploit stuff.

Blocking one IP at a time doesn't solve anything. But abuse reports do. Cloud providers actually act on them. Some auto-suspend users after a few verified reports.

I know this firsthand - we run a SaaS app, and we occasionally get these ourselves. Someone registers a fake account, sends spam, and boom: we get a report from the provider before we even notice.

Cloud hosts care about abuse complaints. It's often the only signal they get about compromised droplets or customers doing shady stuff.

So: don't just block. Report. Like it's 2001 again. This takes 2 minutes, but it makes a difference.