[anti-abuse-wg] Notice: Fradulent RIPE ASNs
Suresh Ramasubramanian
ops.lists at gmail.com
Tue Jan 15 01:12:56 CET 2013
The last time a Romanian I know checked, most of these appear to be set up with business registration that was valid at the time the netblocks were registered but mostly lapsed a year or so later.

Almost as if someone in Bucharest walks into a bar, pays people there a few euro in drinking money if they will let their ID get used to register a shell company that can then register for a /16 or larger netblock.

--srs (htc one x)

On 15-Jan-2013 4:30 AM, "Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:
>
> After a careful investigation, I am of the opinion that each of the
> following 18 ASNs was registered (via RIPE) with fraudulent information
> purporting to represent the identity of the true registrant, and that
> in fact, all 18 of these ASNs were registered by a single party,
> apparently as part of a larger scheme to provide IP space to various
> snowshoe spammers.
>
> Evidence I have in hand strongly links this scheme and these ASNs and
> their associated IPv4 route announcements to Jump Network Services,
> aka JUMP.RO. Furthermore, all of these ASNs are apparently peering
> with exactly and only the same two other ASNs in all cases, i.e.
> GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These
> peers and the fraudulent ASNs listed below are all apparently originated
> out of Romania.
>
> AS16011 (fiberwelders.ro)
> AS28822 (creativitaterpm.ro)
> AS48118 (telecomhosting.ro)
> AS49210 (rom-access.ro)
> AS50659 (grandnethost.com)
> AS57131 (speedconnecting.ro)
> AS57133 (nordhost.ro)
> AS57135 (fastcable.ro)
> AS57176 (bucovinanetwork.ro)
> AS57184 (kaboomhost.ro)
> AS57415 (highwayinternet.ro)
> AS57695 (effidata.ro)
> AS57724 (id-trafic.ro)
> AS57738 (mclick.ro)
> AS57786 (hosting-www.ro)
> AS57837 (romtechinnovation.ro)
> AS57906 (momy.ro)
> AS57917 (nature-design.ro)
>
> At present, the above 18 ASNs are currently announcing routes for a total
> amount of IP space equal to 1,022 /24s, which is the rough equivalent of
> an entire /14 block.
> These IPv4 route announcements are listed below,
> sorted by IPv4 (32-bit) start address.
>
> Additional potentially relevant background information:
>
> http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109
> http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643
> http://www.spamhaus.org/sbl/listings/jump.ro
>
> Current route announcements:
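The two observations in the quoted report (many origin ASNs sharing exactly the same two upstream peers, and the total announced space expressed in /24 equivalents) can be checked mechanically from a routing table dump. The following is an added example, not part of either poster's message; the routes, the ASNs (documentation range 64496-64511) and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (announced prefix, AS path as seen by a collector).
# ASNs are from the documentation range (64496-64511); prefixes are
# documentation/benchmark ranges. None of this is data from the thread.
ROUTES = [
    ("198.18.0.0/22",  [64496, 64500, 64505]),
    ("198.18.4.0/24",  [64496, 64501, 64505]),
    ("198.18.8.0/23",  [64497, 64500, 64506]),
    ("198.18.10.0/24", [64496, 64501, 64506]),
    ("198.18.16.0/20", [64496, 64500, 64507]),
    ("198.18.32.0/24", [64497, 64501, 64507]),
    ("203.0.113.0/24", [64496, 64502, 64508]),
    ("192.0.2.0/24",   [64497, 64503, 64508]),
    ("192.0.2.0/24",   [64496, 64503, 64508]),  # same route, second vantage point
]

def upstreams_by_origin(routes):
    """Map origin ASN -> set of ASNs seen immediately before it in any path."""
    ups = defaultdict(set)
    for _prefix, path in routes:
        # Collapse AS-path prepending so the origin is not its own upstream.
        dedup = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if len(dedup) >= 2:
            ups[dedup[-1]].add(dedup[-2])
    return dict(ups)

def slash24_equivalents(routes, origins):
    """Address space announced by `origins`, in /24 units, overlaps merged."""
    nets = {ipaddress.ip_network(p) for p, path in routes if path[-1] in origins}
    merged = ipaddress.collapse_addresses(nets)
    return sum(n.num_addresses for n in merged) // 256

def shared_upstream_clusters(routes, min_origins=3):
    """Groups of origin ASNs whose upstream sets are identical."""
    groups = defaultdict(set)
    for origin, ups in upstreams_by_origin(routes).items():
        groups[frozenset(ups)].add(origin)
    return {
        ups: (sorted(origins), slash24_equivalents(routes, origins))
        for ups, origins in groups.items() if len(origins) >= min_origins
    }

if __name__ == "__main__":
    for ups, (origins, size) in shared_upstream_clusters(ROUTES).items():
        print(sorted(ups), origins, f"{size} x /24")
```

A shared upstream set is only a lead: small legitimate networks in one region often buy transit from the same two providers, so a cluster found this way still needs registration and abuse evidence of the kind the report cites.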