This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
- Previous message (by thread): [anti-abuse-wg] AS12679 -- 206.195.224.0/19
- Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Mon Jan 27 06:26:21 CET 2020
Hi Ronald, On Sun, Jan 26, 2020 at 09:00:33PM -0800, Ronald F. Guilmette wrote: > legacy IPv4 block 206.195.224.0/19. > > The results were predictable. This /19 has been repeatedly squatted on > in recent years, as shown by RIPEstat: > > https://stat.ripe.net/widget/routing-history#w.resource=206.195.224.1 > The 206.195.224.0/19 block is currently being squatted on by AS12679, > Iceburg Telecom (Moscow). This is somewhat curious: job at vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep OriginAS OriginAS: AS12679 Usually, the "OriginAS" attribute can only be modified by whoever has access to the ARIN Online portal for this resource. Despite some technical challenges with the semantic meaning of the "OriginAS:" attribute, one thing should be clear: the OriginAS attribute from an authorization perspective should be viewed as equivalence to "route:" objects in the RIPE (not RIPE-NONAUTH0 and APNIC databases. In other words, only the owner can set it - or an account was compromised. You may want to report the following to ARIN: job at vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep @thriftdrug.org OrgAbuseEmail: kwebb at thriftdrug.org OrgTechEmail: kwebb at thriftdrug.org job at vurt ~$ whois thriftdrug.org | grep 'Creation Date' Creation Date: 2019-08-15T23:00:51Z Creation Date: 2019-08-15T23:00:51.00Z The dates, the website at https://www.thriftdrug.org/, the non-US origin of the announcement all seem to suggest that someone discovered the block was dangling, the domain unregistered, and some quick registration & forgery could lead to treasure. Kind regards, Job
- Previous message (by thread): [anti-abuse-wg] AS12679 -- 206.195.224.0/19
- Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]