From rfg at tristatelogic.com Tue Dec 1 00:19:18 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Mon, 30 Nov 2020 15:19:18 -0800
Subject: [anti-abuse-wg] AS55330 -- Routing oddities
Message-ID: <26239.1606778358@segfault.tristatelogic.com>

Some people seem to think that I'm sort of a master Internet sleuth. The truth is that I'm just as dumb as anybody else, and maybe even more so. But if one spends enough time looking at stuff on the Internet, it really takes both very little time and also very little in the way of brains to notice many many inexplicable oddities.

AS55330 is a case in point. This ASN was allocated/assigned to the Afghan government by APNIC, circa 2009-12-08. Given the nature of the registrant in this case, one might thus reasonably assume that this ASN, belonging as it does to a national government, would be one of the last ones that one would ever see as being involved in any kind of untoward hanky panky or funny business on the Internet.

But despite that, I feel compelled to ask if anyone would like to take a stab at explaining to me why the Afghan national government's ASN would be announcing routes to IP blocks belonging to (a) a Chinese commercial enterprise (180.94.99.0/24) and also (b) several RIPE-issued IPv4 blocks that appear to be the property of some Airbus facility located in Norway (182.50.176.0/24, 182.50.177.0/24, 182.50.178.0/23, 182.50.180.0/22):

https://bgp.he.net/AS55330#_prefixes

I am not persuaded that Airbus/Norway's apparent reliance on the Afghan government to route their IPv4 space for them is an entirely sustainable business model, over the longer term.

If I have misunderstood any of the data I'm looking at, then I do apologize to all parties concerned.
Regards,
rfg

From phishphucker at storey.ovh Tue Dec 1 00:47:05 2020
From: phishphucker at storey.ovh (PP)
Date: Tue, 1 Dec 2020 10:47:05 +1100
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <22285.1606720121@segfault.tristatelogic.com>
References: <22285.1606720121@segfault.tristatelogic.com>
Message-ID: <14928918-e479-833f-4eae-fd711afc11ef@storey.ovh>

Amongst the greatest mysteries of the shady underbelly of the internet: how to pronounce "Guilmette"

--

From randy at psg.com Tue Dec 1 02:38:27 2020
From: randy at psg.com (Randy Bush)
Date: Mon, 30 Nov 2020 17:38:27 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <14928918-e479-833f-4eae-fd711afc11ef@storey.ovh>
References: <22285.1606720121@segfault.tristatelogic.com> <14928918-e479-833f-4eae-fd711afc11ef@storey.ovh>
Message-ID:

> Amongst the greatest mysteries of the shady underbelly of the
> internet: how to pronounce "Guilmette"

speaking of anti-abuse; back in the '80s we agreed that making fun of others' typos, misspellings, personal names, etc. was impolite.

randy

From rfg at tristatelogic.com Tue Dec 1 06:12:51 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Mon, 30 Nov 2020 21:12:51 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
Message-ID: <27865.1606799571@segfault.tristatelogic.com>

In message , Randy Bush wrote:

>> Amongst the greatest mysteries of the shady underbelly of the
>> internet: how to pronounce "Guilmette"
>
> speaking of anti-abuse; back in the '80s we agreed that making fun of
> others' typos, misspellings, personal names, etc. was impolite.

I do not believe the original poster was making fun of my name, and I likely would not take exception even if the OP had done so.
There have certainly been far more scurrilous and disturbing things said about me personally, on various mailing lists, so I am somewhat inoculated against taking too much offense nowadays about virtually anything personal. If one is fortunate to live long enough, one develops a thick skin.

Regards,
rfg

From vesely at tana.it Tue Dec 1 10:16:28 2020
From: vesely at tana.it (Alessandro Vesely)
Date: Tue, 1 Dec 2020 10:16:28 +0100
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <20201130215622.6E03528A029A@ary.qy>
References: <20201130215622.6E03528A029A@ary.qy>
Message-ID: <08948c33-14cc-6b55-10c3-4d461fbc08d5@tana.it>

On Mon 30/Nov/2020 22:56:22 +0100 John Levine wrote:
> In article ,
> Richard Clayton wrote:
>>> Only a few of them are listed on https://www.spamhaus.org/drop/
>>
>> So announcing a prefix that is on that list is not a good sign (indeed
>> far from it) -- but don't expect a "new" hijacker to only choose from
>> that list or indeed to pick any prefixes from that list at all.
>
> Spamhaus have very conservative criteria for their DROP list, so it's
> not surprising that you wouldn't immediately find all those hijacked
> blocks on it. On the other hand, they update it frequently and I see
> they added a bunch of new blocks to it today.

Indeed.
As I have the command still in bash's history, matches increased from 5 to 17, nearly one half of Ronald's post.

Best
Ale

--

From brian.nisbet at heanet.ie Tue Dec 1 17:54:54 2020
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 1 Dec 2020 16:54:54 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <27865.1606799571@segfault.tristatelogic.com>
References: , <27865.1606799571@segfault.tristatelogic.com>
Message-ID:

Ronald,

I'm glad you aren't offended/upset, but I agree with Randy's interpretation, especially as the initial email added no light/signal to the conversation at all. Despite what may be believed the Co-Chairs don't like putting people in moderation, but we will if we have to.
However I suspect that X-posting to a list like apnic-talk may not be the wisest idea, given the different populations etc, and I suspect that's what led to the other exclamation of surprise. I'm not saying information should be hidden, but perhaps two separate emails might be, sadly, needed?

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
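The cross-check Alessandro Vesely describes a few messages above (matching announced prefixes against Spamhaus' drop.txt) as an added, runnable example; it is not code from this thread or from any poster. It assumes the drop.txt line format "<cidr> ; <SBL id>" with ";" introducing comments, embeds a constructed sample list built from four entries quoted in the thread, and goes beyond a plain string match by also flagging more-specifics of a listed block and aggregates that cover one.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample in the format of Spamhaus' drop.txt: ';' begins a comment,
# each entry is "<cidr> ; <SBL id>". The four real entries are ones quoted in
# the thread; the header and the malformed last line are made up for the test.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: (placeholder)
199.84.16.0/20 ; SBL503515
199.185.144.0/20 ; SBL503521
68.66.48.0/20 ; SBL502548
207.70.224.0/20 ; SBL503527
not-a-prefix ; SBL000000
"""


def parse_drop(text: str) -> Dict[IPv4Net, str]:
    """Parse DROP-format text into {network: SBL id}.

    Comment lines and malformed entries are skipped instead of aborting the
    whole run, so one bad line in a freshly downloaded list cannot silently
    disable the check.
    """
    entries: Dict[IPv4Net, str] = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        cidr = body.strip()
        if not cidr:
            continue  # blank line or pure comment
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue  # malformed entry, ignore
        if isinstance(net, IPv4Net):
            entries[net] = comment.strip()
    return entries


def drop_relation(prefix: str, drop: Dict[IPv4Net, str]) -> Optional[Tuple[str, str, str]]:
    """Relate one announced prefix to the DROP list.

    Returns (listed_cidr, sbl_id, relation) where relation is 'equal',
    'inside' (a more-specific carved out of a listed block) or 'covers'
    (a less-specific aggregate that swallows a listed block), or None when
    the prefix is unrelated to every listed block. A bare address such as
    "199.84.16.0", as in the shell output quoted above, is treated as a /32.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if not isinstance(net, IPv4Net):
        return None
    for listed, sbl in drop.items():
        if net == listed:
            return (str(listed), sbl, "equal")
        if net.subnet_of(listed):
            return (str(listed), sbl, "inside")
        if net.supernet_of(listed):
            return (str(listed), sbl, "covers")
    return None


def check_announcements(prefixes: List[str], drop_text: str) -> List[Tuple[str, str, str, str]]:
    """Return one (prefix, listed_cidr, sbl_id, relation) row per DROP hit."""
    drop = parse_drop(drop_text)
    hits = []
    for p in prefixes:
        rel = drop_relation(p, drop)
        if rel is not None:
            hits.append((p,) + rel)
    return hits


if __name__ == "__main__":
    # Constructed announcements: an exact DROP block, a more-specific carved
    # out of one, a covering aggregate, a bare address and an unrelated block.
    announced = ["199.84.16.0/20", "199.84.20.0/24", "68.66.32.0/19",
                 "207.70.224.0", "203.0.113.0/24"]
    for row in check_announcements(announced, SAMPLE_DROP):
        print("%-16s -> %-18s %s (%s)" % row)
```

A plain `grep` of the announced prefix against drop.txt, as in the thread, only reports the 'equal' case; the 'inside' and 'covers' rows are the ones that a hijacker announcing a more- or less-specific of a listed block would otherwise slip past.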
From ximaera at gmail.com Tue Dec 1 19:51:55 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Tue, 1 Dec 2020 21:51:55 +0300
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <22285.1606720121@segfault.tristatelogic.com>
References: <22285.1606720121@segfault.tristatelogic.com>
Message-ID:

Peace,

On Mon, Nov 30, 2020 at 10:09 AM Ronald F. Guilmette wrote:
> Please be advised that the set of IPv4 blocks listed below appear to be
> squatted on at the present time, with the apparent aid and assistance of
> AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552 --
> "PT Multidata Rancana Prima" (Indonesia).

Please be informed that after a (pretty short) conversation AS44050 is not announcing those prefixes anymore.

(removed the routing WG from CC b/c I don't think this belongs there)

--
Töma

From rfg at tristatelogic.com Tue Dec 1 22:48:21 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 01 Dec 2020 13:48:21 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
Message-ID: <31654.1606859301@segfault.tristatelogic.com>

In message , Brian Nisbet wrote:

> However I suspect that X-posting to a list like apnic-talk may not be the
> wisest idea, given the different populations etc...

It is among my fondest hopes that cybercriminals of all stripes, and particularly the ones who squat on IPv4 space that doesn't belong to them, will, in future, show more respect for regional boundaries, such that their devious activities will only oblige me to notify the members of a single one of the five RIR regions regarding any single one of these elaborate criminal schemes. Alas, in this instance however, the perpetrators, in a very unsportsmanlike manner, elected to make messes whose roots were found in both the RIPE region and also in the APNIC region.
(And that's not even to mention that most of the squatted IPv4 real estate was and is under the administration of the ARIN region.)

Clearly, authorities in all five regions should be devoting somewhat more effort towards the cultivation of a better and more respectful class of cybercriminals who will confine their convoluted schemes to their own home regions.

Regards,
rfg

From rfg at tristatelogic.com Tue Dec 1 23:52:41 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 01 Dec 2020 14:52:41 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
Message-ID: <31913.1606863161@segfault.tristatelogic.com>

In message , Töma Gavrichenkov wrote:

> On Mon, Nov 30, 2020 at 10:09 AM Ronald F. Guilmette
> wrote:
>> Please be advised that the set of IPv4 blocks listed below appear to be
>> squatted on at the present time, with the apparent aid and assistance of
>> AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552
>> "PT Multidata Rancana Prima" (Indonesia).
>
> Please be informed that after a (pretty short) conversation AS44050 is
> not announcing those prefixes anymore.

Neither AS44050 nor AS58552 was ever announcing any of the squatted prefixes themselves directly. Rather AS44050 was... for reasons which have yet to be explained... peering with the set of four apparently squatted ASNs which were in turn announcing the various squatted prefixes.

If you are in a position to have one more short conversation with the owners and/or operators of AS44050, Petersburg Internet Network Ltd., then please be so kind as to ask them on my behalf why they were peering with those four different apparently squatted & abandoned ASNs. If, as I suspect, they wish to blame some other party for all of this apparent skulduggery, and if they wish such an excuse to be believable, then at the very least they should be willing to identify whatever other party they would like to shift the blame to.
Not that any of their lame excuses will be too awfully believable in any event. The name "Petersburg Internet" has come up, time and time again, in relation to online skulduggery and malfeasance. And not just among the anti-abuse people that I hang out with. I just now did a search on the web site of journalist Brian Krebs for the name "Petersburg Internet" and found no fewer than 19 different stories, written by Krebs, that featured this network, in some supporting role or another... and not in any good way.

https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0

(Full disclosure: I have direct personal knowledge of, and had direct participation in the development of some, but certainly not all of those Krebs stories.)

Regards,
rfg

From serge.droz at first.org Wed Dec 2 09:12:35 2020
From: serge.droz at first.org (Serge Droz)
Date: Wed, 2 Dec 2020 09:12:35 +0100
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <31654.1606859301@segfault.tristatelogic.com>
References: <31654.1606859301@segfault.tristatelogic.com>
Message-ID: <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>

First off: Congrats and thank you Ronald for this work.

What makes me a bit sad is that posting this here immediately starts a discussion about what is expected behavior on these lists, rather than how we could combat abuse more efficiently.

It seems a seemingly, to me at least, humorous remark sparks more discussion than the troubling fact that criminals have the time of their lives during this period of time.

I'm all in favor of staying civil on public fora. But nothing in the original post was not civil. I am wondering what we want to achieve here on the anti-abuse list? Call me stupid, but I just don't get it.

Best
Serge
--
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

From brian.nisbet at heanet.ie Wed Dec 2 10:02:52 2020
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Wed, 2 Dec 2020 09:02:52 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
References: <31654.1606859301@segfault.tristatelogic.com>, <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
Message-ID:

Folks,

I should be clear here, the Co-Chairs have no objection to the first post, nothing at all. Personally I'm happy for misbehaviour to be called out, while obviously ensuring that people aren't unfairly tarred with bad brushes.

My comments about the apnic-talk address were that I wasn't sure if that list was used to the kind of content, and I was worried that it might not get Ronald's message where it would be best for it to go. However I'm not sure (without looking it up) what the best reporting mechanisms for APNIC members are.
My comments there were advisory, nothing more.

I too would love a discussion where we didn't feel like we had to say a word about the civility of posting, trust me! And thankfully we have had quite a few of those!

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
From ximaera at gmail.com Wed Dec 2 10:42:55 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Wed, 2 Dec 2020 12:42:55 +0300
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <31913.1606863161@segfault.tristatelogic.com>
References: <31913.1606863161@segfault.tristatelogic.com>
Message-ID:

Peace,

On Wed, Dec 2, 2020 at 1:53 AM Ronald F. Guilmette wrote:
>>> Please be advised that the set of IPv4 blocks listed below appear to be
>>> squatted on at the present time, with the apparent aid and assistance of
>>> AS44050 -- "Petersburg Internet Network Ltd." (Russia) and also AS58552
>>> "PT Multidata Rancana Prima" (Indonesia).
>>
>> Please be informed that after a (pretty short) conversation AS44050 is
>> not announcing those prefixes anymore.
>
> Neither AS44050 nor AS58552 was ever announcing any of the squatted
> prefixes themselves directly.
> Rather AS44050 was... for reasons which have yet to be explained... peering
> with the set of four apparently squatted ASNs

Yes, this is understood. There's no peering anymore. See e.g.:
https://radar.qrator.net/as24199/providers#startDate=2020-08-30&endDate=2020-11-30&tab=current

> If you are in a position to have one more short conversation with the
> owners and/or operators of AS44050, Petersburg Internet Network Ltd.,
> then please be so kind as to ask them on my behalf why they were
> peering with those four different apparently squatted & abandoned ASNs.

I don't think I'm anywhere close to a position where I can ask them questions like that.

> The name "Petersburg Internet" has come up, time and time again,
> in relation to online skulduggery and malfeasance.
[..]
> https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0

This search yields all the results containing "petersburg" OR "internet". There's no doubt there would be many in this case.

AS44050 is basically the SOHO provider for the St. Petersburg Internet Exchange. St. Petersburg's population is slightly below 5 million people, not counting satellite cities and suburbs (which, if counted, would contribute another 2 million I think), and the city has quite got a reputation for hidden criminal activity. It's Chicago-style if you will. Surely there are also quite a few criminals in one of the largest ISP networks of the city.
To put it into some shape for your understanding: I think the likes of Centu, ah sorry, Lumen or Comcast would've got a reputation very close to what PIN has got in your eyes if not for their location close to you in the United States. E.g. Lumen has allowed a route leak incident on their network quite recently; and there's no doubt they won't vouch for every customer of theirs.

--
Töma

From ximaera at gmail.com Wed Dec 2 10:51:45 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Wed, 2 Dec 2020 12:51:45 +0300
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
References: <31913.1606863161@segfault.tristatelogic.com>
Message-ID:

Peace,

On Wed, Dec 2, 2020 at 12:42 PM Töma Gavrichenkov wrote:
> AS44050 is basically the SOHO provider for the St. Petersburg Internet
> Exchange. St. Petersburg's population is slightly below 5 million
> people, not counting satellite cities and suburbs (which, if counted,
> would contribute another 2 million I think), and the city has quite
> got a reputation for hidden criminal activity. It's Chicago-style if
> you will. Surely there are also quite a few criminals in one of the
> largest ISP networks of the city.

To avoid blatant misunderstanding and inappropriate jokes: that's a few criminals AS CUSTOMERS of the largest SOHO ISP network of the city. There's no reason at this point to suspect intentional harm from the employees.

--
Töma

From ipabuseresearch at gmail.com Wed Dec 2 14:54:56 2020
From: ipabuseresearch at gmail.com (IP Abuse Research)
Date: Wed, 2 Dec 2020 08:54:56 -0500
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
References: <31654.1606859301@segfault.tristatelogic.com> <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
Message-ID:

I'd like to second Serge's sentiment, RFG catches a good deal of abuse for his contributions, which we have all seen on this and other lists.
What the continued findings indicate is a need for IANA and the RIRs to adapt to a new stage in the resource issuance and governance lifecycle.

Since this is by definition a working group, would it make sense to establish some metrics to quantify the perceived impact of this phenomenon on abuse? If we establish a process to collect these observations of either "abandoned" resources, prefixes or ASNs, which then re-appear mysteriously or in the case of an ASN start routing space that is unexpectedly, "hijack", we can take a step as a community to quantify the phenomenon?

Note: This is specifically not an internet policing function as much as a neighborhood watch effort to help inform the governing bodies / policy ... etc.

Right now from responses it seems like de facto this weight has been put onto the shoulder of Spamhaus vs. having a working group work on a solution.

If this is of interest I'm happy to write up a proposal and/or work with the chairs to see if this is something that is seen as constructive. Also if this doesn't fit into the anti-abuse working group ... where does it fit?
From ops.lists at gmail.com Wed Dec 2 15:05:31 2020
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 2 Dec 2020 14:05:31 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
References: <31654.1606859301@segfault.tristatelogic.com> <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
Message-ID:

+1 -- most of the activity on this list has been people from the anti-abuse community coming up with suggestions that the RIPE regulars find unworkable, and then many people spend lots of time pointing out why the proposal is unworkable.
So far I have not seen one case of a proposal coming in from the other side on what can be done instead to achieve the goals of the unworkable proposal, but have a chance of working under RIPE policies and procedures.
From michele at blacknight.com Wed Dec 2 15:44:09 2020
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Wed, 2 Dec 2020 14:44:09 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To:
References: <31654.1606859301@segfault.tristatelogic.com> <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org>
Message-ID: <4B754E96-761E-40CD-8873-82BDBDCEA4FE@blacknight.com>

I don't think it's simply a matter of two sides, which your language attempts to categorise it as.

Some of us refuse to have our processes and businesses dictated to by people who won't listen to reasonable arguments against their unworkable proposals

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
From: anti-abuse-wg on behalf of IP Abuse Research Date: Wednesday, 2 December 2020 at 7:25 PM To: Serge Droz Cc: "anti-abuse-wg at ripe.net" Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552 I'd like to second Serge's sentiment, RFG catches a good deal of abuse for his contributions, which we have all seen on this and other lists. What the continued findings indicate is a need for IANA and the RIRs to adapt to a new stage in the resource issuance and governance lifecycle. Since this is by definition a working group, would it make sense to establish some metrics to quantify the perceived impact of this phenomenon on abuse? If we establish a process to collect these observations of either "abandoned" resources, prefixes or ASNs, which then re-appear mysteriously or in the case of an ASN start routing space that is unexpectedly, "hijack", we can take a step as a community to quantify the phenomenon? Note: This is specifically not an internet policing function as much as a neighborhood watch effort to help inform the governing bodies / policy ... etc. Right now from responses it seems like defacto this weight has been put onto the shoulder of Spamhaus vs. having a working group work on a solution. If this is of interest I'm happy to write up a proposal and or work with the chairs to see if this is something that is seen as constructive. Also if this doesn't fit into the anti-abuse working group ... where does it fit? On Wed, Dec 2, 2020 at 3:12 AM Serge Droz via anti-abuse-wg > wrote: First of: Congrats and thank you Ronald for this work. What makes me a bit sad is, that posting this here immediately starts a discussion about what is expected behavior on these lists, rather than how we could combat abuse more efficiently. It seems a seeminglu, to me at least, humorous remark, sparks more discussion than the troubling fact that criminals have the time of their lives during this period of time. I'm all in favor of staying civil on public fora. 
But noting in the original post was not civil. I am wondering what the we want to achieve here on the anti-abuse list? Call me stupid, but I just don't get it. Best Serge On 01.12.20 22:48, Ronald F. Guilmette wrote: > In message outlook.com>, Brian Nisbet > wrote: > >> However I suspect that X-posting to a list like apnic-talk may not be the >> wisest idea, given the different populations etc... > > It is among my fondest hopes that cybercriminals of all stripes, and > particularly the ones who squat on IPv4 space that doesn't belong to > them, will, in future, show more respect for regional boundaries, such > that their devious activities will only oblige me to notify the > members of a single one of the five RIR regions regarding any single > one of these elaborate criminal schemes. Alas, in this instance > however, the perpetrators, in a very unsportsmanlike manner, elected > to make messes whose roots were found in both the RIPE region and also > in the APNIC region. (And that's not even to mention that most of the > squatted IPv4 real estate was and is under the administration of the > ARIN region.) > > Clearly, authorities in all five regions should be devoting somewhat > more effort towards the cultivation of a better and more respectful > class of cybercriminals who will confine their convoluted schemes to > their own home regions. > > > Regards, > rfg > -- Dr. Serge Droz Chair of the FIRST Board of Directors https://www.first.org -------------- next part -------------- An HTML attachment was scrubbed... 
From ops.lists at gmail.com Wed Dec 2 15:56:43 2020
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 2 Dec 2020 14:56:43 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <4B754E96-761E-40CD-8873-82BDBDCEA4FE@blacknight.com>
References: <31654.1606859301@segfault.tristatelogic.com> <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org> <4B754E96-761E-40CD-8873-82BDBDCEA4FE@blacknight.com>

Please feel free to come up with workable proposals then - At least that way the conversation stays operational

From: Michele Neylon - Blacknight
Date: Wednesday, 2 December 2020 at 8:14 PM
To: Suresh Ramasubramanian, IP Abuse Research, Serge Droz
Cc: "anti-abuse-wg at ripe.net"
Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

I don't think it's simply a matter of two sides, which your language attempts to categorise it as.

Some of us refuse to have our processes and businesses dictated to by people who won't listen to reasonable arguments against their unworkable proposals.
From ops.lists at gmail.com Wed Dec 2 16:21:57 2020
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Wed, 2 Dec 2020 15:21:57 +0000
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
References: <31654.1606859301@segfault.tristatelogic.com> <1f5e205f-9945-dd91-476e-35b8ec99e4d3@first.org> <4B754E96-761E-40CD-8873-82BDBDCEA4FE@blacknight.com>

I know him and trust him enough to have workable proposals. So, thank you very much for your opinion but I'm afraid I fail to share it.

From: Elad Cohen
Date: Wednesday, 2 December 2020 at 8:38 PM
To: Suresh Ramasubramanian, Michele Neylon - Blacknight, IP Abuse Research, Serge Droz
Cc: "anti-abuse-wg at ripe.net"
Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

Mr. Michele has no proposals, all he can do is to complain.

From: anti-abuse-wg on behalf of Suresh Ramasubramanian
Sent: Wednesday, December 2, 2020 4:56 PM
To: Michele Neylon - Blacknight; IP Abuse Research; Serge Droz
Cc: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

Please feel free to come up with workable proposals then - At least that way the conversation stays operational

From rfg at tristatelogic.com Thu Dec 3 01:13:22 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Wed, 02 Dec 2020 16:13:22 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Message-ID: <45275.1606954402@segfault.tristatelogic.com>

In message , Brian Nisbet wrote:

>My comments about the apnic-talk address was that I wasn't sure if that list
>was used to the kind of content, and I was worried that it might not get
>Ronald's message where it would it best for it to go...

I've looked around and frankly, the pickings, when it comes to APNIC mailing lists, are rather on the lean/sparse side. That region doesn't have an "abuse" working group or mailing list. It does have a "Routing Security" Special Interest Group (SIG) and an associated mailing list for that, and you're right, Brian, that I might have been better off to send my notice there, rather than sending it to apnic-talk, as I did do, but then again it could be argued, albeit a bit tongue-in-cheek, that what I posted had more to do with routing IN-security than it did with routing security, per se.

Not that any of this matters much anyway. As I have been informed several thousand times, none of the RIRs are "the Internet Police" and thus all are utterly powerless to even so much as officially -care- about such matters. But given the general difficulty of finding anybody anywhere who cares about such events/schemes, I confess that I do have a tendency to just shout into the wind and hope that someone somewhere who has the authority to act will see what I have written, will care, and will act.

Regards,
rfg

From rfg at tristatelogic.com Thu Dec 3 11:48:02 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 03 Dec 2020 02:48:02 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Message-ID: <48112.1606992482@segfault.tristatelogic.com>

In message , Töma Gavrichenkov wrote:

>> Neither AS44050 nor AS58552 was ever announcing any of the squatted
>> prefixes themselves directly.
>> Rather AS44050 was... for reasons which have yet to be explained... peering
>> with the set of four apparently squatted ASNs
>
>Yes, this is understood. There's no peering anymore. See e.g.:

Very good. I have confirmed.

>> If you are in a position to have one more short conversation with the
>> owners and/or operators of AS44050, Petersburg Internet Network Ltd.,
>> then please be so kind as to ask them on my behalf why they were
>> peering with those four different apparently squatted & abandoned ASNs.
>
>I don't think I'm anywhere close to a position where I can ask them
>questions like that.

OK. Just give me the contact information that was used to have this previous "brief conversation" with them, and I will ask them myself.

See, I'm not like most folks who just shrug and move on after an incident like this. I sort of like to find out what really happened, why, and who is actually responsible.
Either Petersburg Internet Network did this themselves, or else *somebody* was paying them a *lot* of money to get them to provide peering & transit to all of these bogus squatted ASNs.

>> The name "Petersburg Internet" has come up, time and time again,
>> in relation to online skulduggery and malfeasance. [..]
>> https://krebsonsecurity.com/page/2/?s=Petersburg+Internet&x=0&y=0
>
>This search yields all the results containing "petersburg" OR
>"internet". There's no doubt there would be many in this case.

That's actually not correct, but it turns out that we were both half right and both half wrong about Brian Krebs' web site search function. I looked into this, and it now appears that if you search for "Petersburg Internet" on Brian's site, you *do not* get the results for "Petersburg OR Internet" and you also *do not* get results for "Petersburg AND Internet". In fact, it looks like the search function just ignores the second word entirely, so the search is effectively for just "Petersburg".

In any case, you may wish to have a look at the following article in which the company *is* mentioned, and not in any good way:

https://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

I would also recommend perusing page 28 of the following expert witness statement, which relates to botnet command & control servers:

http://cdn.cnn.com/cnn/2019/images/03/15/xbt.doc.248.2.pdf

See also page 5 of this academic paper about automated Internet attacks:

https://grehack.fr/data/2017/slides/GreHack17_Automation_Attacks_at_Scale_paper.pdf

>AS44050 is basically the SOHO provider for the St. Petersburg Internet
>Exchange. St. Petersburg's population is slightly below 5 million
>people, not counting satellite cities and suburbs (which, if counted,
>would contribute another 2 million I think), and the city has quite
>got a reputation for hidden criminal activity. It's Chicago-style if
>you will. Surely there are also quite a few criminals in one of the
>largest ISP networks of the city.

Yes, but if any of -our- criminals attack people or businesses located in other countries, we will allow them to be extradited to those other countries to face trial. Your country, I am sad to say, instead protects online miscreants, and insures that they never have to face justice. You know that, I know that, everybody who knows even the first thing about online cybercrime knows that. It's not exactly a secret.

Regards,
rfg

From ximaera at gmail.com Thu Dec 3 12:05:07 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Thu, 3 Dec 2020 14:05:07 +0300
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <48112.1606992482@segfault.tristatelogic.com>
References: <48112.1606992482@segfault.tristatelogic.com>

Peace,

On Thu, Dec 3, 2020, 1:48 PM Ronald F. Guilmette wrote:
> Yes, but if any of -our- criminals attack people or businesses located in
> other countries, we will allow them to be extradited to those other countries
> to face trial.

This is slowly sliding into the territory of off-topic, but you're not exactly correct here.

https://en.m.wikipedia.org/wiki/List_of_United_States_extradition_treaties

--
Töma

From rfg at tristatelogic.com Thu Dec 3 12:11:14 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 03 Dec 2020 03:11:14 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Message-ID: <48608.1606993874@segfault.tristatelogic.com>

In message , Töma Gavrichenkov wrote:

>On Wed, Dec 2, 2020 at 12:42 PM Töma Gavrichenkov wrote:
>> AS44050 is basically the SOHO provider for the St. Petersburg Internet
>> Exchange. St. Petersburg's population is slightly below 5 million
>> people, not counting satellite cities and suburbs (which, if counted,
>> would contribute another 2 million I think), and the city has quite
>> got a reputation for hidden criminal activity. It's Chicago-style if
>> you will. Surely there are also quite a few criminals in one of the
>> largest ISP networks of the city.
>
>To avoid blatant misunderstanding and inappropriate jokes: that's a
>few criminals AS CUSTOMERS of the largest SOHO ISP network of the city.

I, for one, am not offended. We do indeed have plenty of our own criminals right here in the U.S. of A., including in Chicago, and that includes cyber-criminals.

>There's no reason at this point to suspect intentional harm from the
>employees.

OK, who then? Someone is responsible, even if no one wishes to take responsibility. Those several bogus route announcements did not create themselves.

And this shouldn't be a hard question to get an answer to. The fact that it is, for some unexplained reason, is indicative of just how far trust & cooperation in the "Internet community" have deteriorated to the point where they are nothing more than the butts of jokes.

Regards,
rfg

From rfg at tristatelogic.com Thu Dec 3 22:40:30 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Thu, 03 Dec 2020 13:40:30 -0800
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
Message-ID: <52106.1607031630@segfault.tristatelogic.com>

In message , IP Abuse Research wrote:

>What the
>continued findings indicate is a need for IANA and the RIRs to adapt to a
>new stage in the resource issuance and governance lifecycle. Since this is
>by definition a working group, would it make sense to establish some
>metrics to quantify the perceived impact of this phenomenon on abuse?
>
>If we establish a process to collect these observations of either
>"abandoned" resources, prefixes or ASNs, which then re-appear mysteriously
>or in the case of an ASN start routing space that is unexpectedly,
>"hijack", we can take a step as a community to quantify the phenomenon?

This kind of stuff certainly could be done, but this would be a serious research project, requiring some serious manpower expenditure. That's not to say that it would not be worth the investment. I think it would be. But someone or something would have to step up to make the investment.

In the meantime, there is other work, and other steps that would obviously be worthwhile. The first is doing everything possible to try to get RPKI adopted more widely. The second is persuading everyone, certainly including Petersburg Internet, to stop even trying to use any data from RADB. That thing has -zero- security. Any fool can use that at any time to create any route object he/she/it wants.

And speaking of which, I for one would love to know if Petersburg Internet was performing -any- checking on those route announcements it was passing on behalf of its customer in this case. If not, then that right there constitutes some "low hanging fruit" in terms of moving things forward so as to prevent repeats of this kind of situation.

Regards,
rfg

From ximaera at gmail.com Thu Dec 3 22:43:19 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Fri, 4 Dec 2020 00:43:19 +0300
Subject: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552
In-Reply-To: <52106.1607031630@segfault.tristatelogic.com>
References: <52106.1607031630@segfault.tristatelogic.com>

Peace,

On Fri, Dec 4, 2020, 12:40 AM Ronald F. Guilmette wrote:
> The first is doing everything possible to try to get RPKI adopted more
> widely.

Totally agree,

> The second is persuading everyone, certainly including Petersburg Internet,
> to stop even trying to use any data from RADB. That thing has -zero-
> security. Any fool can use that at any time to create any route object
> he/she/it wants.

And as sad as it might sound, this is also true.

--
Töma

From rfg at tristatelogic.com Fri Dec 4 23:29:20 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Fri, 04 Dec 2020 14:29:20 -0800
Subject: [anti-abuse-wg] ORG-TKDS1-RIPE - VECTRA S.A. - Spam filters & abuse reporting addresses
Message-ID: <60131.1607120960@segfault.tristatelogic.com>

Based on my experience, if one is reporting spam to most typical networks, the network operators generally like to actually -see- the spam being reported. Thus, I always include a copy.

It is Good that RIPE resource holders now all have abuse reporting addresses in their WHOIS records. It is also Good that RIPE NCC is now checking these abuse reporting contact email addresses to insure that they actually function, at least minimally.

What is un-good, in my opinion, is for any network to have an abuse reporting address set up with *content based* anti-spam filters.

To illustrate this point, I have recently received a spam from an IP address that is currently being routed by AS29314 - Vectra S.A., located in Poland. I duly forwarded a full copy of that spam to the abuse reporting address provided in the RIPE WHOIS for AS29314, i.e. abuse at vectra.pl. That message was rejected with the following SMTP reject message:

    : host smtp.vectra.pl[88.156.64.22] said: 554 Spam. Email Session ID: 86748699 (in reply to end of DATA command)

Given that outcome, I now feel compelled to locally blacklist all IP space associated with ORG-TKDS1-RIPE (VECTRA S.A.) until such time as some kind soul provides the operators of this network with some education on the topic of how to operate an abuse reporting address.
The space in question is as follows:

From rfg at tristatelogic.com Fri Dec 4 23:57:34 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Fri, 04 Dec 2020 14:57:34 -0800
Subject: [anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
Message-ID: <60277.1607122654@segfault.tristatelogic.com>

I have just received a spam which has a so-called "payload" URL which the spammer wants me to visit, apparently so that I can be sold some male performance drugs of dubious origin.

The domain part of the URL resolves to the IPv4 address 217.8.117.98.

That address lies within a pair of bogon (unallocated) IPv4 address blocks, 217.8.116.0/24 and 217.8.117.0/24, that are both being routed by a common ASN, i.e. AS47510.

https://bgp.he.net/AS47510#_prefixes

It appears that AS47510 is itself an unallocated bogon at the present time:

https://bgp.he.net/AS47510#_asinfo

As can be readily seen at the above link, AS47510 is peering with only two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS35555 - Crex Fex Pex Internet System Solutions LLC.

The latter ASN, AS35555 also appears to be an unallocated bogon ASN at the present time.
Nonetheless, that does not appear to be preventing it from peering with yet another Russian network, AS213254 - OOO Rait Telecom:

https://bgp.he.net/AS35555

It would be Nice, in my opinion, if someone who speaks Russian could make contact with the operators of AS29226 and AS213254 and respectfully suggest to them that they should cease peering with bogon ASNs, such as AS47510 and AS35555, including but not limited to bogon ASNs that are at present routing bogon IPv4 address space.

Regards,
rfg

P.S. It appears that the company "Crex Fex Pex Internet System Solutions, LLC" which was the former owner of AS47510 and AS35555 and also AS60031 was a Russian entity, and one that most likely no longer qualifies as what one would call a "going concern":

https://crex-fex-pex.ru/

From furio+as at spin.it Sat Dec 5 01:35:08 2020
From: furio+as at spin.it (furio ercolessi)
Date: Sat, 5 Dec 2020 01:35:08 +0100
Subject: [anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
In-Reply-To: <60277.1607122654@segfault.tristatelogic.com>
References: <60277.1607122654@segfault.tristatelogic.com>

On Fri, Dec 04, 2020 at 02:57:34PM -0800, Ronald F. Guilmette wrote:
> I have just received a spam which has a so-called "payload" URL which
> the spammer wants me to visit, apparently so that I can be sold some
> male performance drugs of dubious origin.
>
> The domain part of the URL resolves to the IPv4 address 217.8.117.98.
>
> That address lies within a pair of bogon (unallocated) IPv4 address
> blocks, 217.8.116.0/24 and 217.8.117.0/24, that are both being routed
> by a common ASN, i.e. AS47510.
>
> https://bgp.he.net/AS47510#_prefixes
>
> It appears that AS47510 is itself an unallocated bogon at the present
> time:
>
> https://bgp.he.net/AS47510#_asinfo
>
> As can be readily seen at the above link, AS47510 is peering with only
> two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS35555 -
> Crex Fex Pex Internet System Solutions LLC.
>
> The latter ASN, AS35555 also appears to be an unallocated bogon ASN
> at the present time. Nonetheless, that does not appear to be preventing
> it from peering with yet another Russian network, AS213254 - OOO Rait
> Telecom:
>
> https://bgp.he.net/AS35555

If you look at the previous whois - https://ipinfo.io/AS35555 still has a copy - you may notice that they had published a bunch of "user at spamhaus.org" addresses in "remarks:" field, which I suppose does not go very well with privacy laws and GDPR and is not an acceptable usage of the RIPE database.

You may also find it interesting that, after running out of ASNs, they are currently announcing 217.8.117.0/24 from AS1214, an ASN in ARIN space ("Coloexchange") that had been entirely dormant (no announces) since January 2011 according to stat.ripe.net. It is somewhat suspect that an ASN of a US company without a web site comes back to life after almost 10 years of silence exclusively to announce a /24 in Russian space, through a Russian ISP.

> It would be Nice, in my opinion, if someone who speaks Russian could
> make contact with the operators of AS29226 and AS213254 and respectfully
> suggest to them that they should cease peering with bogon ASNs, such as
> AS47510 and AS35555, including but not limited to bogon ASNs that are
> at present routing bogon IPv4 address space.

AS29226 is again involved, as they are the "AS1214" upstream.

regards,
furio

> P.S.
> It appears that the company "Crex Fex Pex Internet System Solutions,
> LLC" which was the former owner of AS47510 and AS35555 and also AS60031
> was a Russian entity, and one that most likely no longer qualifies as
> what one would call a "going concern":
>
> https://crex-fex-pex.ru/
>

From brian.nisbet at heanet.ie Tue Dec 8 15:27:44 2020
From: brian.nisbet at heanet.ie (Brian Nisbet)
Date: Tue, 8 Dec 2020 14:27:44 +0000
Subject: [anti-abuse-wg] Mailing List Membership Update
Message-ID:

Folks,

In the spirit of full disclosure in regards to actions by the Co-Chairs
I wanted to let everyone know that Elad Cohen has been banned from the
mailing list. After a period of time in moderation he repeatedly showed
that he was unwilling to abide by the Community/Working Group Code of
Conduct and that his only contributions were to spread FUD and
conspiracy theories, as well as insulting other members. This is not
useful.

We informed him yesterday.

The Co-Chairs really do not like doing this, but we found ourselves with
no other option in this instance.

If you have any questions, then please contact us on aa-wg-chair at ripe.net

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

From rfg at tristatelogic.com Sat Dec 12 11:36:21 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sat, 12 Dec 2020 02:36:21 -0800
Subject: [anti-abuse-wg] AS16019, vodafone.cz == idiots
Message-ID: <58688.1607769381@segfault.tristatelogic.com>

Some days I am inclined to wonder how or why anything at all actually
works on this planet.
I suspect that I am not alone, given that
Covid-19 has now exposed for all the world to see just how inept and
dysfunctional even so-called "first world" systems are at dealing
with anything that is even just a little bit out of the ordinary.

Another case in point: AS16019 aka vodafone.cz, whose formally
declared abuse reporting address, as given in the WHOIS record
for the ASN, is abuse at vodafone.cz. Unfortunately, if you send
a copy of a spam that you have received from their network to that
address, you will get back something that may look vaguely like this:

: host mail2.dkm.cz[62.24.64.36] said: 550 5.7.1
: Recipient address rejected: Please see
http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz

So, the rhetorical question for the day is: Just how completely idiotic
does any given group of network operators have to be in order to be
unable to just simply operate a functioning email address for inbound
messages?

I guess Vodafone is either too broke or too cheap to hire merely competent
people.

It would be one thing if this was an impoverished third-world country
involved here, but it isn't. It's the Czech Republic. So what is their
excuse for this level of sheer incompetence?

Does someone need to send a formal memo to Vodafone, explaining to them
about this thing called spam?

And why are they even leaving port 25 outbound open on end-luser lines?
Regards,
rfg

From sergey at devnull.ru Sat Dec 12 13:20:46 2020
From: sergey at devnull.ru (Sergey Myasoedov)
Date: Sat, 12 Dec 2020 13:20:46 +0100
Subject: [anti-abuse-wg] AS16019, vodafone.cz == idiots
In-Reply-To: <58688.1607769381@segfault.tristatelogic.com>
References: <58688.1607769381@segfault.tristatelogic.com>
Message-ID: <83900D1F-3EB8-4D72-8A8E-2086BCD0D4AB@devnull.ru>

Ronald,

my two cents on this:

> http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz

There are many SMTP relays in the world checking the SPF record for
incoming mail and providing diagnostics with the openspf.net web site.
But unfortunately this website has been down for almost two years and
this diagnostic leads to nowhere.

If someone is running a mail relay, then now is a good time to check
its responses.

--
Kind regards,
Sergey Myasoedov

> On 12 Dec 2020, at 11:36, Ronald F. Guilmette wrote:
>
> Some days I am inclined to wonder how or why anything at all actually
> works on this planet. I suspect that I am not alone, given that
> Covid-19 has now exposed for all the world to see just how inept and
> dysfunctional even so-called "first world" systems are at dealing
> with anything that is even just a little bit out of the ordinary.
>
> Another case in point: AS16019 aka vodafone.cz, whose formally
> declared abuse reporting address, as given in the WHOIS record
> for the ASN, is abuse at vodafone.cz.
> Unfortunately, if you send
> a copy of a spam that you have received from their network to that
> address, you will get back something that may look vaguely like this:
>
> : host mail2.dkm.cz[62.24.64.36] said: 550 5.7.1
> : Recipient address rejected: Please see
> http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz
>
> So, the rhetorical question for the day is: Just how completely idiotic
> does any given group of network operators have to be in order to be
> unable to just simply operate a functioning email address for inbound
> messages?
>
> I guess Vodafone is either too broke or too cheap to hire merely competent
> people.
>
> It would be one thing if this was an impoverished third-world country
> involved here, but it isn't. It's the Czech Republic. So what is their
> excuse for this level of sheer incompetence?
>
> Does someone need to send a formal memo to Vodafone, explaining to them
> about this thing called spam?
>
> And why are they even leaving port 25 outbound open on end-luser lines?
>
>
> Regards,
> rfg
>

From rfg at tristatelogic.com Sat Dec 12 14:18:57 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sat, 12 Dec 2020 05:18:57 -0800
Subject: [anti-abuse-wg] AS16019, vodafone.cz == idiots
In-Reply-To: <83900D1F-3EB8-4D72-8A8E-2086BCD0D4AB@devnull.ru>
Message-ID: <60647.1607779137@segfault.tristatelogic.com>

In message <83900D1F-3EB8-4D72-8A8E-2086BCD0D4AB at devnull.ru>,
Sergey Myasoedov wrote:

>my two cents on this:
>http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz
>
>There are many SMTP relays in the world checking the SPF record for
>incoming mail and providing diagnostics with the openspf.net web site.

That would be fine, BUT... there isn't a goddamn single thing wrong with
my domain's SPF record. The brain damage is on THEIR END. Apparently
they don't even know how to check SPF TXT properly.
>But unfortunately this website has been down for almost two years and
>this diagnostic leads to nowhere.

Yea, there's that also. Basically, it is stupid layered on top of stupid.
It's a stupid sandwich.

Regards,
rfg

From ops.lists at gmail.com Sat Dec 12 15:10:01 2020
From: ops.lists at gmail.com (Suresh Ramasubramanian)
Date: Sat, 12 Dec 2020 14:10:01 +0000
Subject: [anti-abuse-wg] AS16019, vodafone.cz == idiots
In-Reply-To: <60647.1607779137@segfault.tristatelogic.com>
References: <83900D1F-3EB8-4D72-8A8E-2086BCD0D4AB@devnull.ru>
 <60647.1607779137@segfault.tristatelogic.com>
Message-ID:

They shot themselves in the foot.

The email was sent to abuse at vodafone.cz

It apparently forwards on to spamrd at vf.dkm.cz and this forwarding
breaks SPF, and domains with strict -all SPF records like RFG's
tristatelogic.com will fail SPF validation.

I guess it is an interesting way to cut down on abuse, as measured by
reducing traffic to your abuse mailbox.

--srs

On 12/12/20, 6:49 PM, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

    In message <83900D1F-3EB8-4D72-8A8E-2086BCD0D4AB at devnull.ru>,
    Sergey Myasoedov wrote:

    >my two cents on this:
    >http://www.openspf.net/Why?s=mfrom;id=rfg%40tristatelogic.com;ip=80.95.99.97;r=mail2.dkm.cz
    >
    >There are many SMTP relays in the world checking the SPF record for
    >incoming mail and providing diagnostics with the openspf.net web site.

    That would be fine, BUT... there isn't a goddamn single thing wrong with
    my domain's SPF record. The brain damage is on THEIR END. Apparently
    they don't even know how to check SPF TXT properly.

    >But unfortunately this website has been down for almost two years and
    >this diagnostic leads to nowhere.

    Yea, there's that also. Basically, it is stupid layered on top of stupid.
    It's a stupid sandwich.
    Regards,
    rfg

From ximaera at gmail.com Sat Dec 12 15:26:31 2020
From: ximaera at gmail.com (Töma Gavrichenkov)
Date: Sat, 12 Dec 2020 17:26:31 +0300
Subject: [anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
In-Reply-To: <60277.1607122654@segfault.tristatelogic.com>
References: <60277.1607122654@segfault.tristatelogic.com>
Message-ID:

Peace,

On Sat, Dec 5, 2020, 1:57 AM Ronald F. Guilmette wrote:
> It appears that AS47510 is itself an unallocated bogon at the present
> time:
>
> https://bgp.he.net/AS47510#_asinfo
>
> As can be readily seen at the above link, AS47510 is peering with only
> two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS35555 -
> Crex Fex Pex Internet System Solutions" LLC.
>

Both peering links are now down.

The matters with AS35555 may be harder to resolve, though.

--
Töma

From rfg at tristatelogic.com Sat Dec 12 23:54:47 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sat, 12 Dec 2020 14:54:47 -0800
Subject: [anti-abuse-wg] AS47510 & AS35555 -- Bogon ASNs routing Bogon IPv4 space
In-Reply-To:
Message-ID: <65877.1607813687@segfault.tristatelogic.com>

In message , Töma Gavrichenkov wrote:

>On Sat, Dec 5, 2020, 1:57 AM Ronald F. Guilmette
>wrote:
>
>> It appears that AS47510 is itself an unallocated bogon at the present
>> time:
>>
>> https://bgp.he.net/AS47510#_asinfo
>>
>> As can be readily seen at the above link, AS47510 is peering with only
>> two other ASNs, i.e. AS29226 - JSC Mastertel (Russia) and AS35555 -
>> Crex Fex Pex Internet System Solutions" LLC.
>>
>
>Both peering links are now down.
>
>The matters with AS35555 may be harder to resolve, though.

If possible please elaborate.
It appears that AS35555, which is a bogon ASN, is being kept alive at
this point only by AS213254 -- Rait Telecom, which is just a seven-month-old
Russian company/ASN with -zero- IP allocations and apparently NO WEB SITE.

And yet despite being only 7 months old and having absolutely no IP space
of its own (and also no web site), Rait Telecom has somehow managed to
work itself into the fabric of no fewer than seven European IXes:

https://bgp.he.net/AS213254#_ix

And it also has managed to acquire all these IPv4 peers:

AS25091   IP-Max SA
AS50340   OOO "Network of data-centers "Selectel"
AS35297   Dataline LLC
AS199524  G-Core Labs S.A.
AS35555   "Crex Fex Pex Internet System Solutions" LLC
AS49673   Truenetwork LLC
AS8492    "OBIT" Ltd.
AS42861   Foton Telecom CJSC
AS35598   INETCOM LLC
AS47441   TRUNK MOBILE, INC

How exactly does that even happen? And who the hell are these people
anyway?

Regards,
rfg

From at at univie.ac.at Mon Dec 14 09:07:06 2020
From: at at univie.ac.at (Alexander Talos-Zens)
Date: Mon, 14 Dec 2020 09:07:06 +0100
Subject: [anti-abuse-wg] AS16019, vodafone.cz == idiots
In-Reply-To: <58688.1607769381@segfault.tristatelogic.com>
References: <58688.1607769381@segfault.tristatelogic.com>
Message-ID: <8cf9cb94b656a3e6940d528b4aee9ba5f8f49cd7.camel@univie.ac.at>

Hi,

Sat 2020-12-12 at 02:36 -0800, Ronald F. Guilmette wrote:
> how inept and
> dysfunctional even so-called "first world" systems are at dealing
> with anything that is even just a little bit out of the ordinary.

You're referring to your wording in the subject, aren't you?

Cheers,

Alexander

--
Alexander Talos-Zens
IT-Security - ACOnet-CERT
Zentraler Informatikdienst   http://zid.univie.ac.at
Universität Wien
Universitätsstraße 7
1010 Wien
T +43-1-4277-14351
at at univie.ac.at
GPG-Key-Id: 0x757A494B

From rfg at tristatelogic.com Mon Dec 21 01:16:28 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sun, 20 Dec 2020 16:16:28 -0800
Subject: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
Message-ID: <31061.1608509788@segfault.tristatelogic.com>

In the period from 2020-12-04 until 2020-12-10 someone representing
AS28753 - Leaseweb Deutschland GmbH, or someone purporting to represent
that ASN/company, created a set of thirteen (13) new route: entries in
the security-free RADB data base:

https://pastebin.com/raw/qs9yywFe

It appears somewhat more than coincidental that many of these new RADB
route entries refer to either (a) legacy IPv4 address blocks in the ARIN
region or else (b) unassigned (bogon) IPv4 address space in the ARIN
region.

A listing of the relevant IPv4 CIDRs along with the top-level allocation
holders for each CIDR is given in the following table:

https://pastebin.com/raw/rnqMXHW0

Although there is some ambiguity regarding the status of the non-US/non-ARIN
blocks listed in the above table, my inspection of the relevant WHOIS
records for the US/ARIN blocks indicates to me that these are all either
(a) abandoned IPv4 legacy blocks or else (b) unassigned ARIN bogons. This
strongly suggests that all of the IPv4 address blocks named in all of the
relevant RADB route entries may be, and likely are, being squatted on at the
present time.

Please note however that AS28753 - Leaseweb Deutschland GmbH - is not
itself doing any of the squatting. Rather, the squatting is being
undertaken by the various ASNs mentioned in the following active routing
summary:

62.182.160.0/21   AS39325   RU  Viptelecom LLC
79.173.104.0/21   AS13259   RU  Delta Telesystems Ltd.
85.28.48.0/20     AS13259   RU  Delta Telesystems Ltd.
85.89.104.0/21    AS13259   RU  Delta Telesystems Ltd.
89.187.8.0/21     AS41762   UA  PE Logvinov Vladimir Vladimirovich
91.229.148.0/22   AS56968   KZ  TemirLan Net Ltd
128.0.80.0/20     AS34498   RU  Jilcomservice
199.61.32.0/19    AS9009    GB  M247 Ltd
204.229.64.0/19   AS10650   US  Extreme Internet
205.134.96.0/19   AS10650   US  Extreme Internet
205.148.96.0/19   AS397373  US  H4Y Technologies LLC
209.151.96.0/19   AS9009    GB  M247 Ltd
216.93.0.0/19     AS9009    GB  M247 Ltd

Note that AS10650 (Extreme Internet) is itself a legacy abandoned ARIN
ASN. It is likely also squatted. Its one and only current upstream,
according to bgp.he.net, is AS13259 - Delta Telesystems Ltd. (Russia).

In fact, all of the following ASNs from the above table also have AS13259,
Delta Telesystems Ltd. (Russia) as their one and only upstream at the
present time:

AS39325 - Viptelecom LLC
AS41762 - PE Logvinov Vladimir Vladimirovich
AS56968 - TemirLan Net Ltd
AS34498 - Jilcomservice
AS1065 - Extreme Internet

On this basis it would appear that the root of the problem in this case
lies at AS13259, Delta Telesystems Ltd. (Russia).

As a mitigation for these squats, I recommend dropping/blocking all of
the IPv4 CIDRs listed above. Additionally, since AS13259 appears to
be highly untrustworthy at the present time, I would advise blocking
all traffic to/from these blocks also:

https://bgp.he.net/AS13259#_prefixes

79.173.104.0/21
82.147.68.0/24
82.147.70.0/24
82.147.71.0/24
82.147.75.0/24
85.28.48.0/20
85.89.104.0/21
91.206.16.0/23
193.107.92.0/22
2001:678:68c::/48

Regards,
rfg

From phishphucker at storey.ovh Mon Dec 21 01:47:21 2020
From: phishphucker at storey.ovh (PP)
Date: Mon, 21 Dec 2020 11:47:21 +1100
Subject: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
In-Reply-To: <31061.1608509788@segfault.tristatelogic.com>
References: <31061.1608509788@segfault.tristatelogic.com>
Message-ID: <73c593e8-88b4-0c47-bda3-b1a053b9f7e7@storey.ovh>

Does anyone else find it crazy that without Mr Guilmette, this would all
go un-noticed?
Why does RIPE not employ its own researchers doing what he is doing?
And more importantly, how much of this crap is occurring that even he
himself has not yet noticed?

On 21/12/2020 11:16 am, Ronald F. Guilmette wrote:
> In the period from 2020-12-04 until 2020-12-10 someone representing
> AS28753 - Leaseweb Deutschland GmbH, or someone purporting to represent
> that ASN/company, created a set of thirteen (13) new route: entries in
> the security-free RADB data base:
>
> https://pastebin.com/raw/qs9yywFe
>
> It appears somewhat more than coincidental that many of these new RADB
> route entries refer to either (a) legacy IPv4 address blocks in the ARIN
> region or else (b) unassigned (bogon) IPv4 address space in the ARIN
> region.
>
> A listing of the relevant IPv4 CIDRs along with the top-level allocation
> holders for each CIDR is given in the following table:
>
> https://pastebin.com/raw/rnqMXHW0
>
> Although there is some ambiguity regarding the status of the non-US/non-ARIN
> blocks listed in the above table, my inspection of the relevant WHOIS
> records for the US/ARIN blocks indicates to me that these are all either
> (a) abandoned IPv4 legacy blocks or else (b) unassigned ARIN bogons. This
> strongly suggests that all of the IPv4 address blocks named in all of the
> relevant RADB route entries may be, and likely are, being squatted on at the
> present time.
>
> Please note however that AS28753 - Leaseweb Deutschland GmbH - is not
> itself doing any of the squatting. Rather, the squatting is being
> undertaken by the various ASNs mentioned in the following active routing
> summary:
>
> 62.182.160.0/21   AS39325   RU  Viptelecom LLC
> 79.173.104.0/21   AS13259   RU  Delta Telesystems Ltd.
> 85.28.48.0/20     AS13259   RU  Delta Telesystems Ltd.
> 85.89.104.0/21    AS13259   RU  Delta Telesystems Ltd.
> 89.187.8.0/21     AS41762   UA  PE Logvinov Vladimir Vladimirovich
> 91.229.148.0/22   AS56968   KZ  TemirLan Net Ltd
> 128.0.80.0/20     AS34498   RU  Jilcomservice
> 199.61.32.0/19    AS9009    GB  M247 Ltd
> 204.229.64.0/19   AS10650   US  Extreme Internet
> 205.134.96.0/19   AS10650   US  Extreme Internet
> 205.148.96.0/19   AS397373  US  H4Y Technologies LLC
> 209.151.96.0/19   AS9009    GB  M247 Ltd
> 216.93.0.0/19     AS9009    GB  M247 Ltd
>
> Note that AS10650 (Extreme Internet) is itself a legacy abandoned ARIN
> ASN. It is likely also squatted. Its one and only current upstream,
> according to bgp.he.net, is AS13259 - Delta Telesystems Ltd. (Russia).
>
> In fact, all of the following ASNs from the above table also have AS13259,
> Delta Telesystems Ltd. (Russia) as their one and only upstream at the
> present time:
>
> AS39325 - Viptelecom LLC
> AS41762 - PE Logvinov Vladimir Vladimirovich
> AS56968 - TemirLan Net Ltd
> AS34498 - Jilcomservice
> AS1065 - Extreme Internet
>
> On this basis it would appear that the root of the problem in this case
> lies at AS13259, Delta Telesystems Ltd. (Russia).
>
> As a mitigation for these squats, I recommend dropping/blocking all of
> the IPv4 CIDRs listed above. Additionally, since AS13259 appears to
> be highly untrustworthy at the present time, I would advise blocking
> all traffic to/from these blocks also:
>
> https://bgp.he.net/AS13259#_prefixes
>
> 79.173.104.0/21
> 82.147.68.0/24
> 82.147.70.0/24
> 82.147.71.0/24
> 82.147.75.0/24
> 85.28.48.0/20
> 85.89.104.0/21
> 91.206.16.0/23
> 193.107.92.0/22
> 2001:678:68c::/48
>
>
> Regards,
> rfg
>

From go at rutherfordpress.ca Mon Dec 21 01:50:57 2020
From: go at rutherfordpress.ca (go at rutherfordpress.ca)
Date: Mon, 21 Dec 2020 00:50:57 +0000
Subject: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
In-Reply-To: <73c593e8-88b4-0c47-bda3-b1a053b9f7e7@storey.ovh>
References: <31061.1608509788@segfault.tristatelogic.com>,
 <73c593e8-88b4-0c47-bda3-b1a053b9f7e7@storey.ovh>
Message-ID:

Excellent questions, friends.

All the best in this time of covid and holidays!

George
Canada

________________________________
From: anti-abuse-wg on behalf of PP
Sent: Sunday, December 20, 2020 4:47:21 PM
To: anti-abuse-wg at ripe.net
Subject: Re: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?

Does anyone else find it crazy that without Mr Guilmette, this would all
go un-noticed?

Why does RIPE not employ its own researchers doing what he is doing?
And more importantly, how much of this crap is occurring that even he
himself has not yet noticed?

On 21/12/2020 11:16 am, Ronald F. Guilmette wrote:
> In the period from 2020-12-04 until 2020-12-10 someone representing
> AS28753 - Leaseweb Deutschland GmbH, or someone purporting to represent
> that ASN/company, created a set of thirteen (13) new route: entries in
> the security-free RADB data base:
>
> https://pastebin.com/raw/qs9yywFe
>
> It appears somewhat more than coincidental that many of these new RADB
> route entries refer to either (a) legacy IPv4 address blocks in the ARIN
> region or else (b) unassigned (bogon) IPv4 address space in the ARIN
> region.
>
> A listing of the relevant IPv4 CIDRs along with the top-level allocation
> holders for each CIDR is given in the following table:
>
> https://pastebin.com/raw/rnqMXHW0
>
> Although there is some ambiguity regarding the status of the non-US/non-ARIN
> blocks listed in the above table, my inspection of the relevant WHOIS
> records for the US/ARIN blocks indicates to me that these are all either
> (a) abandoned IPv4 legacy blocks or else (b) unassigned ARIN bogons. This
> strongly suggests that all of the IPv4 address blocks named in all of the
> relevant RADB route entries may be, and likely are, being squatted on at the
> present time.
>
> Please note however that AS28753 - Leaseweb Deutschland GmbH - is not
> itself doing any of the squatting. Rather, the squatting is being
> undertaken by the various ASNs mentioned in the following active routing
> summary:
>
> 62.182.160.0/21   AS39325   RU  Viptelecom LLC
> 79.173.104.0/21   AS13259   RU  Delta Telesystems Ltd.
> 85.28.48.0/20     AS13259   RU  Delta Telesystems Ltd.
> 85.89.104.0/21    AS13259   RU  Delta Telesystems Ltd.
> 89.187.8.0/21     AS41762   UA  PE Logvinov Vladimir Vladimirovich
> 91.229.148.0/22   AS56968   KZ  TemirLan Net Ltd
> 128.0.80.0/20     AS34498   RU  Jilcomservice
> 199.61.32.0/19    AS9009    GB  M247 Ltd
> 204.229.64.0/19   AS10650   US  Extreme Internet
> 205.134.96.0/19   AS10650   US  Extreme Internet
> 205.148.96.0/19   AS397373  US  H4Y Technologies LLC
> 209.151.96.0/19   AS9009    GB  M247 Ltd
> 216.93.0.0/19     AS9009    GB  M247 Ltd
>
> Note that AS10650 (Extreme Internet) is itself a legacy abandoned ARIN
> ASN. It is likely also squatted. Its one and only current upstream,
> according to bgp.he.net, is AS13259 - Delta Telesystems Ltd. (Russia).
>
> In fact, all of the following ASNs from the above table also have AS13259,
> Delta Telesystems Ltd. (Russia) as their one and only upstream at the
> present time:
>
> AS39325 - Viptelecom LLC
> AS41762 - PE Logvinov Vladimir Vladimirovich
> AS56968 - TemirLan Net Ltd
> AS34498 - Jilcomservice
> AS1065 - Extreme Internet
>
> On this basis it would appear that the root of the problem in this case
> lies at AS13259, Delta Telesystems Ltd. (Russia).
>
> As a mitigation for these squats, I recommend dropping/blocking all of
> the IPv4 CIDRs listed above. Additionally, since AS13259 appears to
> be highly untrustworthy at the present time,
> I would advise blocking
> all traffic to/from these blocks also:
>
> https://bgp.he.net/AS13259#_prefixes
>
> 79.173.104.0/21
> 82.147.68.0/24
> 82.147.70.0/24
> 82.147.71.0/24
> 82.147.75.0/24
> 85.28.48.0/20
> 85.89.104.0/21
> 91.206.16.0/23
> 193.107.92.0/22
> 2001:678:68c::/48
>
>
> Regards,
> rfg
>

From rfg at tristatelogic.com Mon Dec 21 02:13:39 2020
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Sun, 20 Dec 2020 17:13:39 -0800
Subject: [anti-abuse-wg] AS28753 - Leaseweb Deutschland GmbH -- Facilitating legacy squatting?
In-Reply-To: <73c593e8-88b4-0c47-bda3-b1a053b9f7e7@storey.ovh>
Message-ID: <31654.1608513219@segfault.tristatelogic.com>

In message <73c593e8-88b4-0c47-bda3-b1a053b9f7e7 at storey.ovh>,
PP wrote:

>and more importantly, how much of this crap is occurring that even he
>himself has not yet noticed?

Thank you for your kind comments. More coming. You ain't seen nuttin' yet!

NOTE: Yes, there's more... way more. The main constraint that slows me
down in posting and presenting this kind of stuff is *not* my ability to
find such things. Rather, the main constraint is the time it takes to
write up my findings, carefully, in a way so that everyone can see the
real issue/problem, and in ways that won't get me sued (because all of
the relevant, undeniable, and independently verifiable facts are
presented).

For example, I really can't say for sure whether or not AS28753 -
Leaseweb Deutschland GmbH actually has any involvement with this set of
apparent squats or not, and it is really entirely possible that they
don't. (Note that whoever did this used a disposable @yahoo.com email
address.)
If Leaseweb actually doesn't have anything to do with this, then maybe
they will do the planet a favor and register their unhappiness about
being framed for this crime with the people who run the fundamentally
flawed RADB data base, who are effectively allowing such bogus frame-ups
to take place.

Regards,
rfg
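As an added illustration of the two checks this thread does by hand (it is not code from the mailing list or from any party named in it), the following Python script takes constructed RADB-style route objects, a constructed registry-status table and a constructed routing-table snapshot, flags route objects whose prefix the registry shows as unallocated or abandoned legacy space, and then tests whether the announcing ASNs all hang off one and the same sole upstream, which is the pattern the thread observes around AS13259. Every prefix (IPv4 documentation ranges) and every ASN (private-use range) in it is a constructed sample value, and the status labels are assumptions standing in for what a WHOIS inspection would record.

```python
import ipaddress
from collections import defaultdict

# Constructed registry-status table: top-level block -> status as a WHOIS
# inspection would record it. Documentation ranges stand in for real space.
REGISTRY_STATUS = {
    "203.0.113.0/24": "assigned",           # held by a responsive holder
    "198.51.100.0/24": "legacy-abandoned",  # legacy block, no responsive contact
    "192.0.2.0/24": "unallocated",          # bogon: never issued by any RIR
}

# Constructed RADB-style route objects. A maintainer can create one without
# the prefix holder, so its existence proves nothing about consent.
RADB_ROUTES = [
    {"route": "203.0.113.0/24", "origin": "AS64496"},
    {"route": "198.51.100.0/24", "origin": "AS64500"},
    {"route": "192.0.2.0/24", "origin": "AS64501"},
]

# Constructed routing-table snapshot: prefix -> AS path as seen from a
# collector (leftmost = collector peer, rightmost = origin). AS64501 prepends.
ROUTING_TABLE = {
    "203.0.113.0/24": ["AS64511", "AS64496"],
    "198.51.100.0/24": ["AS64511", "AS64499", "AS64500"],
    "192.0.2.0/24": ["AS64511", "AS64499", "AS64501", "AS64501"],
}

SQUAT_STATUSES = ("unallocated", "legacy-abandoned")

def registry_status(prefix):
    """Longest-match lookup of prefix in REGISTRY_STATUS; 'unknown' if uncovered."""
    net = ipaddress.ip_network(prefix)
    best, best_len = "unknown", -1
    for block, status in REGISTRY_STATUS.items():
        b = ipaddress.ip_network(block)
        if net.version == b.version and net.subnet_of(b) and b.prefixlen > best_len:
            best, best_len = status, b.prefixlen
    return best

def flag_route_objects(route_objects):
    """Route objects covering unallocated or abandoned legacy space: a red flag."""
    flagged = []
    for r in route_objects:
        status = registry_status(r["route"])
        if status in SQUAT_STATUSES:
            flagged.append((r["route"], r["origin"], status))
    return flagged

def strip_prepends(path):
    """Collapse consecutive repeats so prepending does not hide the true upstream."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def upstreams_by_origin(routing_table):
    """Map origin AS -> set of ASes seen directly before it in any AS path."""
    ups = defaultdict(set)
    for path in routing_table.values():
        p = strip_prepends(path)
        if len(p) >= 2:
            ups[p[-1]].add(p[-2])
    return ups

def common_sole_upstream(routing_table, origins):
    """The one AS that is the only upstream of every origin given, else None."""
    ups = upstreams_by_origin(routing_table)
    shared = None
    for origin in origins:
        if len(ups.get(origin, ())) != 1:
            return None          # multi-homed or unseen origin: no single hub
        (up,) = ups[origin]
        if shared is None:
            shared = up
        elif shared != up:
            return None          # origins hang off different upstreams
    return shared

def squat_report(route_objects, routing_table):
    """Flag suspicious route objects and name the hub upstream, if there is one."""
    flagged = flag_route_objects(route_objects)
    origins = sorted({origin for _, origin, _ in flagged})
    return {"flagged": flagged, "origins": origins,
            "common_upstream": common_sole_upstream(routing_table, origins)}
```

A route object's presence in an IRR is only a claim by whoever created it; the registry status of the covered block and the announcing ASNs' upstream topology are what this check actually weighs.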