Ideas solicited: Using Perl to sort through Toxic CIDR blocks

by blue_cowdawg (Monsignor)
on May 29, 2014 at 15:56 UTC

blue_cowdawg has asked for the wisdom of the Perl Monks concerning the following question:

OK: so here's the problem I'm trying to solve. I've got some listings that I downloaded from the Stop Forum Spam website of CIDR blocks known to originate SPAM. I want to take that listing and create a Puppet pattern that adds those CIDR blocks to an IPTables ruleset to block them.

So far I've looked at Net::Whois::IP and friends, and a clean method to do that and get the domain name back, to avoid accidentally adding GMail, Yahoo and others to that ruleset (that would suck), just hasn't jumped out at me.

I'm sure I'm not the first to think of this, anybody got any ideas?


Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg

Replies are listed 'Best First'.
Re: Ideas solicited: Using Perl to sort through Toxic CIDR blocks
by atcroft (Abbot) on May 30, 2014 at 05:13 UTC

    Regarding the Puppet output, I found a post about iptables and Puppet that might be helpful.

    As to testing the blocks, when I tried to test the following code snippet,

    perl -MData::Dumper -MNet::Whois::IP -le '$Data::Dumper::Deepcopy = 1; $Data::Dumper::Sortkeys = 1; my ( $response, $array_of_responses ) = whoisip_query( q{4.2.2.1}, 1, undef ); print Data::Dumper->Dump( [ \$response, \$array_of_responses, ], [ qw( *response *array_of_responses ) ] );'

    the response I received was only links to the ARIN terms of service:

    $response = \{ '# available at' => [ 'https://www.arin.net/whois_tou.html', 'https://www.arin.net/whois_tou.html' ] };
    $array_of_responses = \undef;

    Hope that helps, though.

      I suppose I should have guessed that ARIN would be useless. Heck, they're not even the only people passing out IPs. I suppose the real answer here is either "you blindly trust your spam service and follow their blacklist" or you don't.

      I don't really think things are quite that dire but it seems that all you can do is the "brute force" approach.

        I did have two additional thoughts:

        • ARIN apparently has an API for accessing WHOIS data, which may be useful, and
        • Could you (and, would you want to) perhaps look up SPF records for domains your mail server contacts frequently and if present specifically "white-list" some of those in this system?

        Just thoughts, in case they might prove useful.

Re: Ideas solicited: Using Perl to sort through Toxic CIDR blocks
by boftx (Deacon) on May 29, 2014 at 16:24 UTC

    Well, the first order of business would be to provide samples of the input data and desired output. :)

    It helps to remember that the primary goal is to drain the swamp even when you are hip-deep in alligators.

      Thought that wouldn't be necessary since I did say CIDR blocks, but here:

      108.177.128.0/17 108.62.0.0/16 109.200.1.0/24 109.200.2.0/23 109.200.4.0/22 109.200.8.0/21 109.200.16.0/20 109.200.6.200/29 109.200.6.208/28 109.200.6.224/27 109.230.192.0/19 109.230.224.0/20 109.230.240.0/21 109.230.248.0/22 109.230.252.0/23 109.230.254.0/24 109.230.255.0/25 109.230.255.128/26 109.230.255.192/27 109.230.255.224/28 109.230.255.240/29 109.230.255.248/30 109.230.255.252/31 109.230.255.254/32


      Peter L. Berghold -- Unix Professional
      Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg

        I was more interested in the output format you need. At this point, why not share with us the idea(s) you have tried that you think could be improved on. Apparently the only thing you are looking for is an efficient way of looping through the data, right?

        It helps to remember that the primary goal is to drain the swamp even when you are hip-deep in alligators.
Re: Ideas solicited: Using Perl to sort through Toxic CIDR blocks
by Anonymous Monk on May 30, 2014 at 00:12 UTC

    I don't know puppet so I don't know its input requirements, but I'm not seeing the issue. iptables (on Linux) accepts CIDR blocks as arguments to --source and your input is CIDR blocks, how about print or say?

    As for the other, less obvious "question" (Given a CIDR block, how do I see who owns it?), all that comes to mind is brute force: look up each and every IP address in each of every CIDR block. The reason you need to do ALL of them is because people who sell hosting resell individual IPs from CIDR blocks. On the other hand, you might find some of ARIN's web tools of use, if you're not worried about being wrong sometimes (e.g. resold IPs).

    Even if he is getting a bit snarky, I agree with boftx that "you're a saint, you shouldn't have to be reminded to give examples of input and output."
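
Added example, not code from any poster in this thread: one way to combine the two suggestions above, checking each downloaded CIDR block against an allow-list before printing an iptables rule with --source. The allow-list entry is constructed and stands in for ranges you would collect yourself (for instance from the ip4: entries of SPF records, as suggested earlier); the INPUT chain and DROP target are assumptions, and the last blocklist entry is a constructed malformed line.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn "a.b.c.d/n" into [first, last] (32-bit integers).
# Returns nothing for malformed input, so callers can skip the line.
sub cidr_range {
    my ($cidr) = @_;
    my ($ip, $len) = $cidr =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\z}
        or return;
    my @oct = split /\./, $ip;
    return if $len > 32 or grep { $_ > 255 } @oct;
    my $addr  = ($oct[0] << 24) | ($oct[1] << 16) | ($oct[2] << 8) | $oct[3];
    my $mask  = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    my $first = $addr & $mask;               # clear any host bits
    return [ $first, $first | (~$mask & 0xFFFFFFFF) ];
}

# Two ranges overlap when each one starts before the other one ends.
sub overlaps {
    my ($x, $y) = @_;
    return $x->[0] <= $y->[1] && $y->[0] <= $x->[1];
}

# Constructed allow-list: ranges that must never be blocked.
my @allow = map { cidr_range($_) } qw(109.200.6.0/24);

# A few blocks from the sample posted in the thread, plus one bad line.
my @blocklist = qw(
    108.62.0.0/16 109.200.1.0/24 109.200.4.0/22
    109.200.6.200/29 109.230.255.254/32 109.230.256.0/24
);

for my $cidr (@blocklist) {
    my $range = cidr_range($cidr);
    if (!$range) {
        warn "skipped (malformed): $cidr\n";
        next;
    }
    # A block is held back if ANY part of it touches the allow-list,
    # whether it contains an allowed range or sits inside one.
    if (grep { overlaps($range, $_) } @allow) {
        warn "skipped (overlaps allow-list): $cidr\n";
        next;
    }
    # $cidr matched the strict pattern above, so only digits, dots
    # and one slash can reach the generated command line.
    print "iptables -A INPUT --source $cidr -j DROP\n";
}
```

Rules go to STDOUT and skipped blocks to STDERR, so the rule list can be redirected into a file or template while the skipped entries are reviewed by hand.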

Node Type: perlquestion [id://1087834]
Approved by Corion