This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Second Notice: Squatting / Fraud / Identity theft by AS13259 - Delta Telesystems Ltd. (RU)
Ronald F. Guilmette
rfg at tristatelogic.com
Sun Jan 3 02:44:36 CET 2021
Greetings all and Happy New Year.

It is my sad duty to report to you all that since my posting of 2020-12-21 noting the several squats onto various IPv4 address blocks and multiple ASNs, little if anything has changed. Here is a link to that prior posting:

https://www.ripe.net/ripe/mail/archives/routing-wg/2020-December/004212.html

(Note that there was one minor typo in that posting -- I wrote "AS1065" in one place where I should have written "AS10650".)

As noted in that prior posting, all of this illicit activity quite clearly traces back to AS13259 - Delta Telesystems Ltd. (RU). Several abandoned AS numbers were and are being used in an attempt to disguise that fact, but the evidence is clear that 100% of these squats are traceable back to AS13259.

The only thing that appears to have changed since my original report of 2020-12-21 is that now, instead of using fraudulent RADB route objects to try to frame up an apparently innocent party (Leaseweb Deutschland GmbH) the perpetrator of these squats has removed those prior fraudulent RADB route objects and has simply replaced them with a new set of fraudulent RADB route objects which now attempt to shift blame instead onto a different German company, specifically the owners of AS8208, Teamware GmbH.

It is easy to see past this new deception however, since all of the same old squatted blocks are still being squatted. A full listing of the affected squatted blocks is given below, along with annotations that show, for each block, the identity of the legitimate registrant organization and also the identity of the organization that is routing each squatted block.
As noted in my prior report, many of these ASNs are themselves being squatted on, specifically:

AS39325 - Viptelecom LLC
AS41762 - PE Logvinov Vladimir Vladimirovich
AS56968 - TemirLan Net Ltd
AS34498 - Jilcomservice
AS10650 - Extreme Internet

The non-squatted ASNs that are still active & willing participants in these ongoing frauds are as follows:

AS13259 - Delta Telesystems Ltd. (RU)
AS9009 - M247 Ltd (UK)
AS397373 - H4Y Technologies LLC (US)

Given that this entire mess quite evidently originates from within the RIPE region, it would be Nice if more could be done, by RIPE and/or the RIPE community to put a stop to these ongoing squats.

Regards,
rfg

P.S. Most of you will no doubt have heard by now about the large and ongoing SolarWinds[tm] hack/scandal, and probably also the belief, expressed by some, that this gigantic hack originated in Russia. Nobody has had the courtesy to show me the hard evidence which supports that attribution, so I personally remain entirely ambivalent about it.

That hack, wherever it originated, does however provide me with the opportunity to remind all of you here of the age-old differentiation between abuse "on the Internet" versus abuse "of the Internet". Regardless of origin, the SolarWinds[tm] hack did not and does not in any way threaten the stability of the Internet. It thus must be properly categorized as being a kind of abuse "on the Internet"... and shame on all those whose security missteps, on the receiving end, allowed it to happen.

In contrast, what I have described with respect to these squats is, I think, quite clearly abuse "of the Internet", and as such I hope that this sort of skulduggery will earn truly international and non-partisan condemnation, and suitably immediate attention from all quarters. It is not in the interests of any faction or any nation to see the Internet descend into lawless routing chaos.
#------------------------------------------------------------------------
# ORG: (KZ) ORG-TNL11-RIPE "TemirLan Net Ltd"
#------------------------------------------------------------------------
91.229.148.0/22 - routed by AS56968 - TemirLan Net Ltd (KZ)
#------------------------------------------------------------------------
# ORG: (RU) ORG-CC3-RIPE "Gorodskaya elektronnaya svyaz Ltd"
#------------------------------------------------------------------------
85.28.48.0/20 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-OA780-RIPE "OOO \"IT-Region\""
#------------------------------------------------------------------------
79.173.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-PL249-RIPE "Prime-Service LLC"
#------------------------------------------------------------------------
128.0.80.0/20 - routed by AS34498 - Jilcomservice (RU)
#------------------------------------------------------------------------
# ORG: (RU) ORG-TCUL3-RIPE "Telecommunications center UMOS, LLC"
#------------------------------------------------------------------------
85.89.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (UA) ORG-FA278-RIPE "Filite Ltd"
#------------------------------------------------------------------------
62.182.160.0/21 - routed by AS39325 - Viptelecom LLC (RU)
#------------------------------------------------------------------------
# ORG: (UA) ORG-TNOO1-RIPE "The national operator of wireless communication \"WiMAX-Ukraine\""
#------------------------------------------------------------------------
89.187.8.0/21 - routed by AS41762 - PE Logvinov Vladimir Vladimirovich (UA)
#------------------------------------------------------------------------
# ORG: (US) CIS-341 "CoreComm Internet Services Inc"
#------------------------------------------------------------------------
216.93.0.0/19 - unrouted
#------------------------------------------------------------------------
# ORG: (US) CSXINT "CSX Intermodal"
#------------------------------------------------------------------------
205.134.96.0/19 - routed by AS10650 - Extreme Internet (US)
#------------------------------------------------------------------------
# ORG: (US) HONEY-13 "Honeywell International Inc."
#------------------------------------------------------------------------
199.61.32.0/19 - 50% routed by AS9009 - M247 Ltd (UK) / 50% unrouted
#------------------------------------------------------------------------
# ORG: (US) MSGM "Mortgage Sytems Group (MSG)"
#------------------------------------------------------------------------
205.148.96.0/19 - routed by AS397373 - H4Y Technologies LLC (US)
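
Added example, not part of the original message: a Python parser for the annotated listing format above that totals the addresses announced per routing ASN and flags the ASNs the message lists as themselves squatted. The function names and the two-entry `SAMPLE` (entries copied from the listing) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# ASNs the message lists as themselves being squatted on.
SQUATTED_ASNS = {39325, 41762, 56968, 34498, 10650}

# Constructed sample: two entries copied from the listing in the message.
SAMPLE = r"""#------------------------------------------------------------------------
# ORG: (RU) ORG-OA780-RIPE "OOO \"IT-Region\""
#------------------------------------------------------------------------
79.173.104.0/21 - routed by AS13259 - Delta Telesystems Ltd. (RU)
#------------------------------------------------------------------------
# ORG: (US) HONEY-13 "Honeywell International Inc."
#------------------------------------------------------------------------
199.61.32.0/19 - 50% routed by AS9009 - M247 Ltd (UK) / 50% unrouted
"""

ORG_RE = re.compile(r'^# ORG: \((\w{2})\) (\S+) "(.*)"$')
ROUTE_RE = re.compile(r'(?:(\d+)% )?routed by AS(\d+) - (.+?) \((\w{2})\)')

def parse_listing(text):
    """Return one record per prefix line: registrant, prefix, addresses per routing ASN."""
    records, org = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ORG_RE.match(line)
        if m:  # registrant header; names may contain backslash-escaped quotes
            org = {"cc": m[1], "handle": m[2], "name": m[3].replace('\\"', '"')}
            continue
        if not line or line.startswith("#"):
            continue  # separator rows
        prefix, _, status = line.partition(" - ")
        net = ipaddress.ip_network(prefix)  # raises ValueError on a malformed prefix
        routed = {}
        for part in status.split(" / "):
            r = ROUTE_RE.fullmatch(part)
            if r:  # "unrouted" and "50% unrouted" parts do not match
                routed[int(r[2])] = net.num_addresses * int(r[1] or 100) // 100
        records.append({"org": org, "net": net, "routed": routed})
    return records

def addresses_by_asn(records):
    """Map each routing ASN to (announced addresses, listed-as-squatted flag)."""
    totals = Counter()
    for rec in records:
        totals.update(rec["routed"])
    return {asn: (n, asn in SQUATTED_ASNS) for asn, n in totals.items()}
```

Calling `addresses_by_asn(parse_listing(text))` on the full listing gives a per-ASN address total that can be compared against current routing data when re-checking the report.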