This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] simple routing question
- Previous message (by thread): [anti-abuse-wg] simple routing question
- Next message (by thread): [anti-abuse-wg] simple routing question
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Sat Jun 11 05:17:25 CEST 2016
In message <HB9imoEBx2WXFAnP at highwayman.com>, Richard Clayton <richard at highwayman.com> wrote: >>Which (if any) routes within 161.123.0.0/16 are currently being announced >>by AS60117? > >I see AS60117 to be behind AS43350, and they are announcing > > 161.123.48.0/22 > 161.123.52.0/22 > 161.123.56.0/22 > 161.123.64.0/18 > 161.123.128.0/18 > 161.123.192.0/18 Thank you. That confirms what I saw from actual (real-time) looking glass data. (Unfortunately, as I only learned today, results obtained from the web site bgp.he.net are somewhat less than real-time.) >Why do you actually ask ? Well, um, since you ask, several reasons, actually. 1) Some crook (probably Russian) spammed me today promoting some URL which, after the usual obfsucating redirections, landed me a on a page promoting phoney baloney diet pills: http://575-healthandbeauty.wedietweightdrloss.com/us/fpju/cla-safflower-oil/ (This is, of course, only one of hundreds of related domain names used by this same crook/spammer/scammer, all hosted in the same /24 IP block.) Note that 575-healthandbeauty.wedietweightdrloss.com == 185.141.25.37 which is currently routed by AS60117. 2) Passive DNS data for the containing /24 (courtesy of FSI) shows that this same /24 is also currently hosting hundreds or thousands of third level .TOP gibberish domain names (e.g. "l5efi.n1c0z4ft.top"). 3) WHOIS records for this second (and possibly unrelated) set of spam/scam snowshoe domains which are also associated with the AS60117-routed 185.141.25.0/24 address block generally seem to contain the following: Registrant Name: Mayko Evgeniy Registrant Organization: N/A Registrant Street: v.c. 18285 Registrant City: Balabanovo-1 Registrant State/Province: Kaluzhskaya oblast Registrant Postal Code: 18285 Registrant Country: RU Registrant Phone: +7.9616073061 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: maykoe at list.ru 4) The first hit you will get when doing a google search on "Mayko Evgeniy" is this interesting report from Cisco's Talos security group: http://blog.talosintel.com/2016/03/angler-slips-hook.html The above recent report (March 1, 2016) states that someone who has a clear preference for using domains within the .TOP TLD has been using many such domains, together with the Angler exploit kit, as part of a long-running and highly professional ransomeware scheme, which, as the report says, is "...generating millions of dollars monthly and shows no signs of slowing down." 5) Entirely apart from its apparent hosting of spammed-for domains, including but not limited to ones owned by the professional thevies and extortionists described in the Cisco/Talos report, certain aspects of the online records relating to AS60117 appear on their face to be fradulent, beginning with even just the minimal data that RIPE requires whenever someone wants to become an authorized RIPE LIR: https://www.ripe.net/membership/indices/data/ae.sailorhost.html (I don't want to put anybody to any trouble, but I do really wonder about how many other RIPE LIRs are headquartered in the U.A.E. and yet have declared themelves as -only- providing service to -just- the Netherlands. Are there hundreds of such LIRs, or is it rather, as I suspect, just this one? We could even broden the inquiry... How many authorized RIPE LIRs are (a) registerd in *any* middle eastern country and yet have declared on their LIR application that they only intend to provide service to some *single* *european* country? If there are thousands of such LIRs, then I guess this specific one... Host Sailor... isn't at all remarkable. Is U.A.E. one of those offshore tax shelter places that companies like to form in, even when they actually do business elsewhere? I really don't know.) Leaving aside the question of which countries this authorized RIPE LIR actually provides service to, one cannot help but wonder also why they use their alleged U.A.E. headquarters address only rather selectively, prefering instead to use an apartment address in Belize City, Belize ... one which is apparently used by quite a number of different companies... in many of the other records relating to their online operations: whois -h whois.lacnic.net 138.99.216.0 whois -h whois.lacnic.net 138.99.217.0 ... Perhaps I am alone here... which is certainly often the case... but I confess to also being mystified about why, exactly a U.A.E. based hosting provider, which, according to the RIPE LIR application which they themselves filed, -only- provides service to the Netherlands, nontheless sports a Los Angeles (USA) phone number at the top of its corporate home page: https://hostsailor.com/ (I'm sure that the usual gaggle of apologists for RIPE area scam artists and those who sell them connectivity will have no trouble explaining all this away as just a set of minor and inconsequental human errors, as always, but even that still begs the question that I have often asked here: What's the point of RIPE even collecting all of this info and putting it into a public data base when so much of it is clearly either (a) wrong or (b) deliberately fradulent?) And as if all of the above were not enough to illustrate the various apparent small and not-so-small frauds associated with AS60177 and its public records, I personally also could not help but stop and pause to wonder why an allegedly U.A.E. based hosting company... one that allegedly only sells services in the Netherlands (but which nontheless has only a Los Angeles phone number) should also find itself supplying connectivity to party or parties unknown in within ROMANIA, as both RIPE WHOIS and any traceroute to any address within 185.141.24.0/22 shows they are clearly doing. 6) Even if I/we were to completely disregard ALL of the forgoing, I would still be inclined to be more than a little bit suspicious upon seeing an allegedly U.A.E. based service provider suddenly wake up one day (very recently), register with RIPE a bunch of routes to what amounts to essentially the whole of one particular (previously disused) South African /16, and then also announce routes to essentially all of that IP space. Do I have iron-clad proof that AS60117 has hijacked 161.123.0.0/16? No. Not at the moment. If anybody has even a shred of evidence which would support the view that AS60117 is *not* currently hijacking 161.123.0.0/16, then I, for one, would love to see that. Oh! Yea! And if anybody contacts the company (Host Sailor) about any of these dubious route registrations or the equally dubious route announcements, could you please ask them for me, please, pretty please, could they please stop hosting Angler exploit kit delivery sites and other snowshoe spammers? Thanks. (I am sort-of hoping also that if anybody actually makes contact with Host Sailor then that party might also be able to narrow down their actual HQ location... at least to one specific continent. That would be Nice.) Regards, rfg
- Previous message (by thread): [anti-abuse-wg] simple routing question
- Next message (by thread): [anti-abuse-wg] simple routing question
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]