[anti-abuse-wg] weird ERX networks ?
Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Mon Mar 26 14:13:05 CEST 2012
Hello all,

<I work for LACNIC>

I will report the issue with the WHOIS data for this block to our WHOIS maintenance team.

On the other hand, I am currently doing some research work into hijackings, and while I expect to present more detailed results in a month or so, this ASN from an organization named Telematika consistently appears in the hijacking cases I've been able to identify so far.

Even more, Telematika has announced the whole of 191/8 several times during the past months. 191/8 is an ERX block that was assigned to LACNIC when the ERX space was returned/given to the RIRs. It's not being currently used for *any* purpose, it's in reserve and it should not appear in any routing table.

So, in short, yes, the Telematika guys are up to no good. My evil twin would just filter their whole ASN out, but maybe the responsible thing to do first would be contacting them.

Warm regards,

Carlos

On 3/26/12 7:16 AM, Denis Walker wrote:
> Dear Colleagues,
>
> The IP address 126.96.36.199 - 188.8.131.52 was allocated to an
> organisation in Algeria and registered in the RIPE Database. So the
> entries in ARIN and LACNIC Databases were originally correct, but need
> to be updated.
>
> It was transferred from the RIPE Database to AfriNIC as part of the set
> up of the Afrinic Registry in 2005. That is why the RIPE Database entry
> says "This network has been transferred to AFRINIC" and has the netname
> "AFRINIC-NET-TRANSFERRED-20050223". Any questions about the current
> status of these addresses should be directed to AfriNIC.
>
> Regards,
> Denis Walker
> Business Analyst
> RIPE NCC Database Group
>
> On 26/03/12:14 11:43 AM, Frank Gadegast wrote:
>> Suresh Ramasubramanian wrote:
>>
>> Hi,
>>
>>> I don't think that IP is even announced - the /24 is not in the routing
>>> table at all.
>> It could be that this specific network was announced once and isn't
>> anymore today.
>>
>>> Did you get some spam from any specific IP in there?
>> Yes. And true for all those networks (once we got a connect from those
>> IPs). I'm trying to find a few that are really routed somewhere and
>> really have no whois, but that needs a bit of programming first ...
>>
>>
>> My main question was why ARIN and LACNIC are saying that
>> they belong to RIPE and RIPE is saying that they belong to AFRINIC
>> and AFRINIC is saying that they are worldwide.
>>
>> Should AFRINIC not say that they are unassigned, where they belong
>> to them and aren't used right now? Instead of saying that they are
>> worldwide?
>>
>> Should not any resource belong to one of the RIRs (even if it's PI space)?
>>
>>
>> Kind regards, Frank
>>
>>
>>> On Mon, Mar 26, 2012 at 1:30 PM, Frank Gadegast
>>> <ripe-anti-spam-wg at powerweb.de>
>>> wrote:
>>>
>>>
>>> Hi,
>>>
>>> we receive Spam from some networks we cannot find any whois record
>>> for.
>>>
>>> An example:
>>> 184.108.40.206
>>> (we found about 1000 networks like this)
>>>
>>>
>>> ARIN's whois says it's RIPE
>>> RIPE's whois says it's AFRINIC
>>> LACNIC also says it's AFRINIC
>>>
>>> but AFRINIC's whois says it's "world-wide" ...
>>>
>>>
>>> So, where is this really allocated to and where can we find a
>>> whois record for those networks?
>>> Unallocated, but still in use from somebody?
>>> Anybody an idea?
>>>
>>> Here are the whois records:
>>>
>>> ARIN:
>>> NetRange: 220.127.116.11 - 18.104.22.168
>>> CIDR: 22.214.171.124/8
>>> OriginAS:
>>> NetName: RIPE-C3
>>> NetHandle: NET-62-0-0-0-1
>>>
>>>
>>> RIPE:
>>> inetnum: 188.8.131.52 - 184.108.40.206
>>> org: ORG-AFNC1-RIPE
>>> netname: AFRINIC-NET-TRANSFERRED-20050223
>>> descr: This network has been transferred to AFRINIC
>>> remarks: These IP addresses are assigned in the AFRINIC region.
>>>
>>>
>>> AFRINIC:
>>> inetnum: 0.0.0.0 - 255.255.255.255
>>> netname: IANA-BLK
>>> descr: The whole IPv4 address space
>>> country: EU # Country is really world wide
>>> org: ORG-IANA1-AFRINIC
>>>
>>>
>>> Kind regards, Frank
>>> --
>>> MOTD: "have you enabled SSL on a website or mailbox today ?"
>>> --
>>> PHADE Software - PowerWeb http://www.powerweb.de
>>> Inh. Dipl.-Inform. Frank Gadegast
>>> mailto:frank at powerweb.de
>>> Schinkelstrasse 17 fon: +49 33200 52920
>>> 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
>>>
>>> ======================================================================
>>>
>>>
>>> --
>>> Suresh Ramasubramanian (ops.lists at gmail.com)
>>
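
The lookup chain described in the thread (ARIN points to RIPE, RIPE points to AFRINIC, AFRINIC returns the catch-all 0.0.0.0 - 255.255.255.255 object), as an added Python example that is not part of the original messages. The address ranges in `SAMPLE` are constructed placeholders, and treating a netname that starts with another registry's name as a referral is an assumed heuristic.

```python
import ipaddress

RIRS = ("ARIN", "RIPE", "AFRINIC", "LACNIC", "APNIC")

# Constructed responses modelled on the records quoted in the thread;
# the address ranges are placeholders, not the real ones.
SAMPLE = {
    "ARIN": "NetRange: 192.0.0.0 - 192.255.255.255\nNetName: RIPE-C3\n",
    "RIPE": "inetnum: 192.0.2.0 - 192.0.2.255\n"
            "netname: AFRINIC-NET-TRANSFERRED-20050223\n"
            "descr: This network has been transferred to AFRINIC\n",
    "AFRINIC": "inetnum: 0.0.0.0 - 255.255.255.255\n"
               "netname: IANA-BLK\n"
               "descr: The whole IPv4 address space\n",
}

def parse(text):
    # Parse "key: value" whois lines and compute the size of the range.
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec.setdefault(key.strip().lower(), value.strip())
    rng = rec.get("inetnum") or rec.get("netrange")
    if not rng:
        raise ValueError("no inetnum/NetRange attribute")
    first, last = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-"))
    rec["size"] = int(last) - int(first) + 1
    return rec

def classify(registry, rec):
    # Return (kind, next_registry) for one registry's answer.
    if rec["size"] == 2 ** 32:          # catch-all object such as IANA-BLK
        return "placeholder", None
    name = rec.get("netname", "").upper()
    for rir in RIRS:                    # assumed heuristic: netname names another RIR
        if rir != registry and name.startswith(rir + "-"):
            return "referral", rir
    return "authoritative", None

def trace(start, responses):
    # Follow referrals until a non-referral answer or a loop between registries.
    path, registry, seen = [], start, set()
    while registry and registry not in seen:
        seen.add(registry)
        kind, nxt = classify(registry, parse(responses[registry]))
        path.append((registry, kind))
        registry = nxt
    return path
```

A trace that ends in `placeholder` rather than `authoritative` is the situation Frank reports: every registry answered, but none returned a record that actually describes the network.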