[anti-abuse-wg] simple routing question

In message <HB9imoEBx2WXFAnP at highwayman.com>, 
Richard Clayton <richard at highwayman.com> wrote:

>>Which (if any) routes within 161.123.0.0/16 are currently being announced
>>by AS60117?
>
>I see AS60117 to be behind AS43350, and they are announcing
>
>        161.123.48.0/22
>        161.123.52.0/22
>        161.123.56.0/22
>        161.123.64.0/18
>        161.123.128.0/18
>        161.123.192.0/18

Thank you.  That confirms what I saw from actual (real-time)
looking glass data.  (Unfortunately, as I only learned today,
results obtained from the web site bgp.he.net are somewhat less
than real-time.)

>Why do you actually ask ?

Well, um, since you ask, several reasons, actually.

1)  Some crook (probably Russian) spammed me today promoting some
    URL which, after the usual obfsucating redirections, landed me a
    on a page promoting phoney baloney diet pills:

    http://575-healthandbeauty.wedietweightdrloss.com/us/fpju/cla-safflower-oil/

    (This is, of course, only one of hundreds of related domain names
    used by this same crook/spammer/scammer, all hosted in the same /24
    IP block.)
    
    Note that 575-healthandbeauty.wedietweightdrloss.com == 185.141.25.37
    which is currently routed by AS60117.

2)  Passive DNS data for the containing /24 (courtesy of FSI) shows
    that this same /24 is also currently hosting hundreds or thousands
    of third level .TOP gibberish domain names (e.g. "l5efi.n1c0z4ft.top").

3)  WHOIS records for this second (and possibly unrelated) set of spam/scam
    snowshoe domains which are also associated with the AS60117-routed
    185.141.25.0/24 address block generally seem to contain the following:

    Registrant Name: Mayko Evgeniy
    Registrant Organization: N/A
    Registrant Street: v.c. 18285
    Registrant City: Balabanovo-1
    Registrant State/Province: Kaluzhskaya oblast
    Registrant Postal Code: 18285
    Registrant Country: RU
    Registrant Phone: +7.9616073061
    Registrant Phone Ext: 
    Registrant Fax: 
    Registrant Fax Ext: 
    Registrant Email: maykoe at list.ru

4)  The first hit you will get when doing a google search on "Mayko Evgeniy"
    is this interesting report from Cisco's Talos security group:

    http://blog.talosintel.com/2016/03/angler-slips-hook.html

    The above recent report (March 1, 2016) states that someone who has a
    clear preference for using domains within the .TOP TLD has been using
    many such domains, together with the Angler exploit kit, as part of a
    long-running and highly professional ransomeware scheme, which, as
    the report says, is "...generating millions of dollars monthly and
    shows no signs of slowing down."

5)  Entirely apart from its apparent hosting of spammed-for domains,
    including but not limited to ones owned by the professional thevies
    and extortionists described in the Cisco/Talos report, certain
    aspects of the online records relating to AS60117 appear on their
    face to be fradulent, beginning with even just the minimal data
    that RIPE requires whenever someone wants to become an authorized
    RIPE LIR:

    https://www.ripe.net/membership/indices/data/ae.sailorhost.html

    (I don't want to put anybody to any trouble, but I do really wonder
    about how many other RIPE LIRs are headquartered in the U.A.E. and
    yet have declared themelves as -only- providing service to -just-
    the Netherlands.  Are there hundreds of such LIRs, or is it rather,
    as I suspect, just this one?  We could even broden the inquiry...
    How many authorized RIPE LIRs are (a) registerd in *any* middle eastern
    country and yet have declared on their LIR application that they only
    intend to provide service to some *single* *european* country?  If
    there are thousands of such LIRs, then I guess this specific one...
    Host Sailor... isn't at all remarkable.  Is U.A.E. one of those
    offshore tax shelter places that companies like to form in, even
    when they actually do business elsewhere?  I really don't know.)

    Leaving aside the question of which countries this authorized RIPE LIR
    actually provides service to, one cannot help but wonder also why they
    use their alleged U.A.E. headquarters address only rather selectively,
    prefering instead to use an apartment address in Belize City, Belize
    ... one which is apparently used by quite a number of different companies...
    in many of the other records relating to their online operations:

    whois -h whois.lacnic.net 138.99.216.0
    whois -h whois.lacnic.net 138.99.217.0
    ...

    Perhaps I am alone here... which is certainly often the case... but
    I confess to also being mystified about why, exactly a U.A.E. based
    hosting provider, which, according to the RIPE LIR application which
    they themselves filed, -only- provides service to the Netherlands,
    nontheless sports a Los Angeles (USA) phone number at the top of its
    corporate home page:

    https://hostsailor.com/

    (I'm sure that the usual gaggle of apologists for RIPE area scam
    artists and those who sell them connectivity will have no trouble
    explaining all this away as just a set of minor and inconsequental
    human errors, as always, but even that still begs the question that
    I have often asked here:  What's the point of RIPE even collecting
    all of this info and putting it into a public data base when so much
    of it is clearly either (a) wrong or (b) deliberately fradulent?)

    And as if all of the above were not enough to illustrate the various
    apparent small and not-so-small frauds associated with AS60177 and its
    public records, I personally also could not help but stop and pause
    to wonder why an allegedly U.A.E. based hosting company... one that
    allegedly only sells services in the Netherlands (but which nontheless
    has only a Los Angeles phone number) should also find itself supplying
    connectivity to party or parties unknown in within ROMANIA, as both
    RIPE WHOIS and any traceroute to any address within 185.141.24.0/22
    shows they are clearly doing.

6)  Even if I/we were to completely disregard ALL of the forgoing, I would
    still be inclined to be more than a little bit suspicious upon seeing
    an allegedly U.A.E. based service provider suddenly wake up one day
    (very recently), register with RIPE a bunch of routes to what amounts
    to essentially the whole of one particular (previously disused)
    South African /16, and then also announce routes to essentially all
    of that IP space.

    Do I have iron-clad proof that AS60117 has hijacked 161.123.0.0/16?
    No.  Not at the moment.  If anybody has even a shred of evidence
    which would support the view that AS60117 is *not* currently hijacking
    161.123.0.0/16, then I, for one, would love to see that.

    Oh!  Yea!  And if anybody contacts the company (Host Sailor) about any
    of these dubious route registrations or the equally dubious route
    announcements, could you please ask them for me, please, pretty please,
    could they please stop hosting Angler exploit kit delivery sites and
    other snowshoe spammers?  Thanks.

    (I am sort-of hoping also that if anybody actually makes contact with
    Host Sailor then that party might also be able to narrow down their actual
    HQ location... at least to one specific continent.  That would be Nice.)


Regards,
rfg