This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] (Long) rant about some LIRs in RIPE region, most likely linked to RFG's earlier email
Vasile Capdefier
vasile.capdefier at yahoo.co.uk
Tue Jan 15 18:13:39 CET 2013
Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All the information below is public, easy to find and Google Translate seems to work most of the time.

From what I know, Jump.RO's business model is to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not *sub-allocate*, not *assign* or similar terms. They don't ask too many questions. They give you IPs faster than other LIRs. They market this as being professional.

All of Jump.RO's sub-allocations (that I've seen in whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be used when the range is assigned to an end user for services provided by the issuing LIR. This is probably not the case because, except for the (new) annual fee for the registration service, there are no other services provided by that LIR to the end user. Most of Jump.RO's "end users" are in fact small ISPs that can't afford the RIPE membership fees and bypass the rules of not using PI space for customers by deaggregating Jump's IP space.

I don't know about the 12k number, but they have a large client base in the country and neighboring countries. I also think that Jump is aware of their IPs being in use by spammers as they advertise on their website that new and unused IP blocks cost about 2 times more than "used" ones. They also note that the previously "used" PA space is checked with "MxToolBox" in 120 anti-spam lists [2].

Even though Jump.RO's business model isn't exactly in the spirit of the RIPE region rules or following best practices (no prefix aggregation, but their excuse is that they are not the only ones doing it), I don't think that they are willing to risk their LIR status by defending known spam operations, so reporting well documented cases of false information provided during registration first to RIPE and then to them would probably get them to withdraw the PA from that customer. The ranges found by you clearly suggest that fake information has been used.
Only "under construction" sites, nobody ever heard of those companies, all using the same ISPs.

With all this said about ro.registry (Jump.RO's LIR id) I'd like to add the following. There are entire LIRs with very large IP allocations and suspicious activities. I'll just list here a few (RIPE allocation list publicly available here [3]):

The first candidate that pops up is ro.visnet (VisNetwork Media SRL). According to their web page [4] they are a pretty large ISP with over 300 experienced employees and over 30 vehicles used for interventions and installations. They provide no CIF (Romanian for Fiscal Identification Code) or other identifying information, but the company is valid and has CIF 25083281.

According to the Romanian Trade Register [5], the company named VisNetwork Media SRL with Fiscal Identification Code 25083281 is registered since February 2009, has no employees (where did those 300 professionals go?) and has registered for the 2011 fiscal year expenses of roughly about 3000 EUR (this value is around the value of the RIPE maintenance fees) and an amazing income of 100 EUR. Also, they are not registered with ANCOM [6] (Romanian National Agency for Management and Regulation in Communications), so they are not a real ISP.

They have received from RIPE the following IP space:

20090624 188.170.0.0/16 ALLOCATED PA
20100713 46.49.128.0/17 ALLOCATED PA
20110404 31.173.0.0/16 ALLOCATED PA
20110707 146.0.128.0/17 ALLOCATED PA
20110707 146.0.32.0/19 ALLOCATED PA
20111012 128.234.0.0/16 ALLOCATED PA
20120113 37.56.0.0/16 ALLOCATED PA
20120405 37.224.0.0/16 ALLOCATED PA
20120730 5.163.0.0/16 ALLOCATED PA
20121113 185.9.244.0/22 ALLOCATED PA
20110331 2a03:4100::/29

With this much IP space I would think they must have at least a few LARGE cities covered, but nobody ever heard of them or their professional employees.
Also, because apparently their IPs were not enough and it seems their employees couldn't handle hosting their main website, their website is hosted on IP ranges from another LIR.

visnet.ro has address 77.36.59.10
inetnum: 77.36.59.0 - 77.36.59.255
netname: ROSITE-EQUIPMENTS

The second obvious candidate for our small investigation is, as you might have guessed, ro.rosite (RoSite Equipment SRL). Information about their deaggregation habits can be found here [7]. According to the Trade Register, ROSITE EQUIPMENT SRL has CIF 17352052 and is a registered company since March 2005. They are registered as an ISP at ANCOM, but with a different company name (ROSITE NET SRL). Their second company, the one registered as an ISP, ROSITE NET SRL, has CIF 13669105 and is a registered company since January 2001.

The larger company, not the ISP, received from RIPE a large number of IP addresses:

20090706 188.119.128.0/18 ALLOCATED PA
20090813 188.74.128.0/18 ALLOCATED PA
20091223 188.74.192.0/18 ALLOCATED PA
20100325 62.216.64.0/19 ALLOCATED PA
20100628 178.157.64.0/18 ALLOCATED PA
20110712 146.158.128.0/17 ALLOCATED PA
20110712 146.66.208.0/20 ALLOCATED PA
20120105 37.35.128.0/17 ALLOCATED PA
20120105 37.35.32.0/19 ALLOCATED PA
20120724 5.157.128.0/17 ALLOCATED PA
20101217 2a03:8800::/32

In third place on our list we have ro.swift (now Media Trend Sistem SRL, formerly using the company Swift Marketing SRL). Swift Marketing SRL (nice name, huh?) was deleted from the Trade Registry in May 2011. During 2010 they had 0 employees. The new company, Media Trend Sistem SRL (CIF 26301830), is registered since December 2009 and was known under another name (not publicly available) until changing its name to the current one in December 2010. They are also not registered as an ISP with ANCOM and had 0 employees in 2011.
This didn't seem to stop them from receiving the following IP ranges from RIPE:

20070730 78.95.0.0/16 ALLOCATED PA
20080319 93.168.0.0/15 ALLOCATED PA
20090303 95.218.0.0/15 ALLOCATED PA
20110518 2a00:aa80::/32

Another interesting Romanian LIR is ro.ssnet (SISTEM SOFT NETWORK SRL). The company is registered with the Trade Register with CIF 24496484 since September 2008, had in 2011 only 1 employee and is not a registered ISP with ANCOM. They became LIR just a few months before the final /8 was reached in RIPE region. They only got from RIPE this /15:

20120719 5.154.0.0/15 ALLOCATED PA

They also seem to like deaggregating very much [8], now originating 369 prefixes.

Now with all this in sight I suppose the ro.registry issue of about a /14 block seems a rather small issue.

[1] https://www.ripe.net/ripe/docs/ripe-553
[2] http://www.ip.ro/ip.html
[3] ftp://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt
[4] http://www.visnet.ro/despre/
[5] http://www.mfinante.ro/agenticod.html
[6] http://www.ancom.org.ro/furnizoricomunicatii-electronice_133
[7] http://bgp.he.net/AS49687#_prefixes
[8] http://bgp.he.net/AS56465#_prefixes
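
Added example, not part of the original message: one way to put numbers on the two comparisons the post makes, namely how much IPv4 space a LIR holds relative to a /14, and how far a set of announced routes is deaggregated below an allocation. The allocation entries are copied from the post for two of the LIRs; the announced routes are a constructed sample (not real BGP data) and the function names are assumptions of this example.

```python
import ipaddress
import re

# Entries copied from the post, in the "date prefix status" form it quotes
# from RIPE's alloclist.txt. Only two of the four LIRs are included here.
ALLOCATIONS = {
    "ro.swift": """20070730 78.95.0.0/16 ALLOCATED PA
                   20080319 93.168.0.0/15 ALLOCATED PA
                   20090303 95.218.0.0/15 ALLOCATED PA
                   20110518 2a00:aa80::/32""",
    "ro.ssnet": "20120719 5.154.0.0/15 ALLOCATED PA",
}

# A date (YYYYMMDD) followed by an IPv4 or IPv6 prefix; the status is optional.
ENTRY = re.compile(r"(\d{8})\s+(\S+/\d{1,3})")

def parse_allocations(text):
    """Return ip_network objects for every 'YYYYMMDD prefix' entry in text."""
    return [ipaddress.ip_network(p) for _, p in ENTRY.findall(text)]

def ipv4_total(nets):
    """Total IPv4 addresses across the given networks (IPv6 is ignored)."""
    return sum(n.num_addresses for n in nets if n.version == 4)

def deaggregation(allocation, announced):
    """Count announced more-specifics of `allocation` and the minimum number
    of prefixes that would cover the same address space."""
    inside = [n for n in announced
              if n.version == allocation.version and n != allocation
              and n.subnet_of(allocation)]
    minimal = list(ipaddress.collapse_addresses(inside))
    return len(inside), len(minimal)

# Constructed sample of announced routes (NOT real BGP data): the first /20
# of the /15 sliced into /24s, plus one unrelated documentation prefix.
SAMPLE_ANNOUNCED = [ipaddress.ip_network(f"5.154.{i}.0/24") for i in range(16)]
SAMPLE_ANNOUNCED.append(ipaddress.ip_network("192.0.2.0/24"))

if __name__ == "__main__":
    slash14 = 2 ** (32 - 14)
    for lir, text in ALLOCATIONS.items():
        total = ipv4_total(parse_allocations(text))
        print(f"{lir}: {total} IPv4 addresses = {total / slash14:.2f} x /14")
    alloc = parse_allocations(ALLOCATIONS["ro.ssnet"])[0]
    seen, needed = deaggregation(alloc, SAMPLE_ANNOUNCED)
    print(f"{alloc}: {seen} more-specifics announced, {needed} would suffice")
```

To check a real origin AS, replace the constructed sample with the prefixes it currently announces, taken from a routing table dump or a looking glass.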