[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Hi Ronald,

On Sun, Jan 26, 2020 at 09:00:33PM -0800, Ronald F. Guilmette wrote:
> legacy IPv4 block 206.195.224.0/19.
> 
> The results were predictable.  This /19 has been repeatedly squatted on
> in recent years, as shown by RIPEstat:
> 
> https://stat.ripe.net/widget/routing-history#w.resource=206.195.224.1

> The 206.195.224.0/19 block is currently being squatted on by AS12679,
> Iceburg Telecom (Moscow).

This is somewhat curious:

job at vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep OriginAS
OriginAS:       AS12679

Usually, the "OriginAS" attribute can only be modified by whoever has
access to the ARIN Online portal for this resource. Despite some
technical challenges with the semantic meaning of the "OriginAS:"
attribute, one thing should be clear: the OriginAS attribute from an
authorization perspective should be viewed as equivalence to "route:"
objects in the RIPE (not RIPE-NONAUTH0 and APNIC databases. In other
words, only the owner can set it - or an account was compromised.

You may want to report the following to ARIN:

    job at vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep @thriftdrug.org
    OrgAbuseEmail:  kwebb at thriftdrug.org
    OrgTechEmail:  kwebb at thriftdrug.org
    job at vurt ~$ whois thriftdrug.org | grep 'Creation Date'
    Creation Date: 2019-08-15T23:00:51Z
    Creation Date: 2019-08-15T23:00:51.00Z

The dates, the website at https://www.thriftdrug.org/, the non-US origin
of the announcement all seem to suggest that someone discovered the
block was dangling, the domain unregistered, and some quick registration
& forgery could lead to treasure.

Kind regards,

Job