This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Previous message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ronald F. Guilmette rfg at tristatelogic.com
Mon Jan 27 06:40:13 CET 2020

In message <20200127052621.GJ36653 at vurt.meerval.net>, 
Job Snijders <job at ntt.net> wrote:

>The dates, the website at https://www.thriftdrug.org/, the non-US origin
>of the announcement all seem to suggest that someone discovered the
>block was dangling, the domain unregistered, and some quick registration
>& forgery could lead to treasure.

Yes.  My apologies to all.  I made a bit of a mistake here.

Note that I no longer use the term "hijacked" because it is too imprecise.
These days I only use the terms "squatted" or "stolen" where the latter
is a term that I reserve for cases where the relevant WHOIS record has
actually been fiddled.

Upon further review, this block (206.195.224.0/19) now appears to have
been stolen, i.e. with the (assumed unwitting) participation of ARIN.

As Job has noted, multiple aspects of the WHOIS record are most certainly
non-conformant with common sense.  I highlight these below.  (I have
attempted to call the new contact phone number and it is dead/disconnected.)

It is my hope, of course, that the apparent illicit take-over of this
block was a product of garden variety incompetence @ ARIN, rather than,
you know, the alternative.

It appears from ARIN WhoWas data that this takeover began on 2019-08-12
with additional fradulent changes to the WHOIS also on 2019-08-14,
2019-08-15, and lastly 2019-09-24, when the OriginAS was fiddled to
its present state.

==================================================================
[Source: whois://whois.arin.net  2020-01-27 04:18:39 UTC]

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS12679         <========================= Russia ????
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

OrgName:        Thrift Drug, Inc.
OrgId:          THRIFT
Address:        100 Delta Drive
City:           Pittsburgh
StateProv:      PA
PostalCode:     15238
Country:        US
RegDate:        1994-03-15
Updated:        2019-08-14
Ref:            https://rdap.arin.net/registry/entity/THRIFT

OrgAbuseHandle: WEBBK16-ARIN
OrgAbuseName:   Webb, Kristi 
OrgAbusePhone:  +1-885-923-1290   <================ dead/bogus
OrgAbuseEmail:  kwebb at thriftdrug.org  <=============== bogus/parked
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

OrgTechHandle: WEBBK16-ARIN
OrgTechName:   Webb, Kristi 
OrgTechPhone:  +1-885-923-1290   <================ dead/bogus
OrgTechEmail:  kwebb at thriftdrug.org  <=============== bogus/parked
OrgTechRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

Previous message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19
Next message (by thread): [anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]