This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Speaking of routing funny business... what's up with AS65021?
Ronald F. Guilmette
rfg at tristatelogic.com
Sat Apr 6 05:53:44 CEST 2019
Apparently, not all routing funny business involves hijacked IP address space.

I was just doing some preliminary testing of a tool which I hope will allow me to automate more of my spam reporting process. I don't like to report spam to the registered owner of the smallest containing IP address block of the spam source because a substantial fraction of the time, those are the very people actually doing the spamming. So I prefer instead to send spam reports to the designated abuse contacts for the entire relevant ASN.

Fortunately, these days, for most RIPE and ARIN ASNs at least, the relevant abuse reporting address for any given ASN is easy to obtain, and obtaining those email addresses may be done in a fully automated fashion from the relevant ASN WHOIS records.

But as I have only just now learned, while I was doing preliminary testing on my simple software tool, there are some exceptional cases where mapping an ASN to a corresponding abuse reporting address becomes problematic.

Specifically, I have noticed some spammers camped out on a block of IPv4 addresses that are currently routed by AS65021. The whois.iana.org WHOIS server tells me that this is a reserved ASN, and that it doesn't actually belong to anybody at all. Thus, my rather simple Perl script which attempts to find a proper reporting email address for this one specific spammer infestation fails rather horribly.

The CIDRs currently being routed by AS65021 are:

    31.13.210.0/24
    31.13.241.0/24
    87.120.104.0/24
    87.120.253.0/24
    87.120.255.0/24
    87.121.116.0/24
    93.123.64.0/24
    216.99.221.0/24

(seen by bgp.he.net)

Some of these have been routed by (bogus) AS65021 since 2018-12-03.

All of those CIDRs are properly registered to cloudware.bg except for the last one which is registered to International Payout Systems Inc. (Florida).

Apparently, cloudware.bg is part of Neterra, Ltd. of Bulgaria (AS34224):

https://www.cloudware.bg/en/about

    "As part of Neterra..."

I would say that this is just a very temporary mishap, and a temporary "fat fingered" anomaly if it were not for the fact that some of these routes have, according to RIPE Routing History, been continuously announced for over four full months now.

Can anyone explain this to me? Please? I have more than a little trouble understanding why a company like Neterra, Ltd., which -does- already have its very own ASN (AS34224), feels the need to effectively steal a reserved ASN for their own private use. Are new AS numbers really all that expensive in the RIPE region, so that some businesses might be motivated to save some money by just grabbing onto one of the reserved ones?

None of this makes particularly much sense, but I do plan to send email to Neterra, Ltd. in order to ask them what the devil goes on here.

Mostly, I am just reporting this here as a sort of indirect way of asking other people on the list for their opinions about Neterra, Ltd. of Bulgaria. Is that company in the habit of doing routing funny business? For my own part, all I can say is that this is certainly not the first time that I have encountered that company name... and not in a good way.

Regards,
rfg
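Added example, not part of the original message and not the author's Perl script: a pre-check that an abuse-report tool can run before any per-ASN WHOIS lookup, so that origins in IANA's special-purpose AS number ranges (such as AS65021) are set aside instead of failing the lookup. The function names and the sample route list are assumptions made for illustration; the 198.51.100.0/24 pairing is constructed.

```python
import re

# IANA special-purpose AS number ranges (inclusive) and where they are defined.
SPECIAL_ASN_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

def parse_asn(text):
    """Accept 'AS65021', '65021' or asdot notation such as '1.10'."""
    m = re.fullmatch(r"\s*(?:AS)?(\d+)(?:\.(\d+))?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an AS number: {text!r}")
    high, low = int(m.group(1)), m.group(2)
    if low is not None and (high > 65535 or int(low) > 65535):
        raise ValueError(f"bad asdot value: {text!r}")
    asn = high if low is None else high * 65536 + int(low)
    if asn > 4294967295:
        raise ValueError(f"AS number out of range: {text!r}")
    return asn

def special_purpose(asn):
    """Return a label if the ASN has no registrant, else None."""
    for lo, hi, label in SPECIAL_ASN_RANGES:
        if lo <= asn <= hi:
            return label
    return None

def triage(routes):
    """Split (prefix, origin) pairs: origins worth a WHOIS abuse-contact
    lookup, grouped by ASN, and routes whose origin has no owner to ask."""
    lookup, no_contact = {}, []
    for prefix, origin in routes:
        asn = parse_asn(origin)
        label = special_purpose(asn)
        if label:
            no_contact.append((prefix, asn, label))
        else:
            lookup.setdefault(asn, []).append(prefix)
    return lookup, no_contact

# Sample input: two prefixes from the message, one constructed pairing.
SAMPLE_ROUTES = [("31.13.210.0/24", "AS65021"), ("216.99.221.0/24", "AS65021"),
                 ("198.51.100.0/24", "AS34224")]
```

Routes returned in the second list need a different reporting path chosen by the operator of the tool; the example only identifies them.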