How to report IP-based abuse

To report abuse from an IP address, identify the network operator with a WHOIS lookup, then send a report to their listed abuse contact along with technical evidence — such as log entries, timestamps, and headers — that documents what happened.

  1. Identify the abusive IP address. Check your server logs, email headers, or firewall records to identify the IP address responsible for the abusive activity.
  2. Look up the IP owner using WHOIS. Use a WHOIS lookup tool to find the ISP or hosting provider responsible for the IP address. Note the abuse contact email.
  3. Gather evidence. Collect log excerpts, timestamps, and any other evidence of the abuse. The more specific your evidence, the more likely the ISP will act.
  4. Submit an abuse report. Send your report to the abuse contact email found in WHOIS. Use a clear subject line, include the IP address, timestamps, and evidence.
  5. Report to blacklist databases if needed. If the abuse continues, submit the IP to spam or abuse blacklist databases such as Spamhaus or AbuseIPDB for wider action.
Download CSV

Downloadable templates

Got some ready-made templates here so you can bang out abuse reports faster. Just swap in the details like [IP_ADDRESS] and [ABUSE_TYPE] where you see them.

Abuse type Evidence required Who to contact Notes
Spam emailFull email headersMail provider / DNSBLMake sure you include the full headers
Port scanningFirewall logsHosting providerGotta have timestamps
Brute-force loginAuth logsISP / hosting providerShow multiple failed attempts
DDoS trafficTraffic graphs / logsHosting providerProve the traffic volume
Malware C2IDS alertsSecurity orgNeed solid confidence on this one
Web scraping abuseWeb server logsHosting providerShow how fast the requests are coming in
Proxy/VPN abuseReputation signalsBlacklist operatorWatch out for false positives here

Examples: how to report abuse

Example 1: Reporting spam email

Received: from unknown (203.0.113.45)


    by mail.example.com;


    Tue, 02 Jan 2026 10:14:32 +0000

1. Grab the full email headers.
2. Look up who owns that IP using WHOIS.
3. Send them a short, clear report with the headers and when it happened.

Subject: Spam originating from 203.0.113.45


Date/time (UTC): 2026-01-02 10:14:32


Source IP: 203.0.113.45


Evidence: Full email headers attached.

Example 2: Reporting brute-force or scanning attempts

Jan 02 09:33:21 sshd[4123]: Failed password for root from 198.51.100.72


Jan 02 09:33:25 sshd[4123]: Failed password for root from 198.51.100.72

Throw in your logs, how often it's happening, and what service they were going after (like SSH).

Example 3: Reporting false blacklist listings

1. Check if your IP's on any blacklists using the IP Blacklist tool.
2. Figure out which blacklist has you listed.
3. Contact them and follow their delisting steps.

What NOT to do

Authoritative resources

See Also