How to report IP-based abuse
To report abuse from an IP address, identify the network operator with a WHOIS lookup, then send a report to their listed abuse contact along with technical evidence — such as log entries, timestamps, and headers — that documents what happened.
- Identify the abusive IP address. Check your server logs, email headers, or firewall records to identify the IP address responsible for the abusive activity.
- Look up the IP owner using WHOIS. Use a WHOIS lookup tool to find the ISP or hosting provider responsible for the IP address. Note the abuse contact email.
- Gather evidence. Collect log excerpts, timestamps, and any other evidence of the abuse. The more specific your evidence, the more likely the ISP will act.
- Submit an abuse report. Send your report to the abuse contact email found in WHOIS. Use a clear subject line, include the IP address, timestamps, and evidence.
- Report to blacklist databases if needed. If the abuse continues, submit the IP to spam or abuse blacklist databases such as Spamhaus or AbuseIPDB for wider action.
Downloadable templates
Got some ready-made templates here so you can bang out abuse reports faster. Just swap in the details like [IP_ADDRESS] and [ABUSE_TYPE] where you see them.
| Abuse type | Evidence required | Who to contact | Notes |
|---|---|---|---|
| Spam email | Full email headers | Mail provider / DNSBL | Make sure you include the full headers |
| Port scanning | Firewall logs | Hosting provider | Gotta have timestamps |
| Brute-force login | Auth logs | ISP / hosting provider | Show multiple failed attempts |
| DDoS traffic | Traffic graphs / logs | Hosting provider | Prove the traffic volume |
| Malware C2 | IDS alerts | Security org | Need solid confidence on this one |
| Web scraping abuse | Web server logs | Hosting provider | Show how fast the requests are coming in |
| Proxy/VPN abuse | Reputation signals | Blacklist operator | Watch out for false positives here |
Examples: how to report abuse
Example 1: Reporting spam email
Received: from unknown (203.0.113.45)
by mail.example.com;
Tue, 02 Jan 2026 10:14:32 +0000
1. Grab the full email headers.
2. Look up who owns that IP using WHOIS.
3. Send them a short, clear report with the headers and when it happened.
Subject: Spam originating from 203.0.113.45 Date/time (UTC): 2026-01-02 10:14:32 Source IP: 203.0.113.45 Evidence: Full email headers attached.
Example 2: Reporting brute-force or scanning attempts
Jan 02 09:33:21 sshd[4123]: Failed password for root from 198.51.100.72 Jan 02 09:33:25 sshd[4123]: Failed password for root from 198.51.100.72
Throw in your logs, how often it's happening, and what service they were going after (like SSH).
Example 3: Reporting false blacklist listings
1. Check if your IP's on any blacklists using the IP Blacklist tool.
2. Figure out which blacklist has you listed.
3. Contact them and follow their delisting steps.
What NOT to do
- Don't try to call the actual users involved.
- Don't submit a report if you've got no proof.
- Don't assume an IP's location is where the person physically is.