[ncc-services-wg] Finding previous user of IP addresses

In message <6C247001-B2CB-4CFD-818B-E31EC48D9134 at ripe.net>, at 16:01:41 
on Tue, 10 Dec 2019, Daniel Karrenberg <dfk at ripe.net> writes
>
>On 10 Dec 2019, at 13:15, Roland Perry wrote:
>
>> … How do I as (nowadays anyway, an outsider) access such historic 
>>snapshots of the IP address range, before today's ISP acquired them.
>>
>> Is this a 'service' that RIPE NCC offers (and hence my question in 
>>this forum). …
>
>https://stat.ripe.net/
>
>Type in the prefix concerned.

Thanks, Daniel. As ever you are a star!

>The ‘Anti-abuse’ tab lists some well known blacklists, also 
>historically.

But shows nothing. (Nor had my earlier searches elsewhere)

The block that a friend encountered yesterday, and made me decide to 
look into this further, was from Hootsuite, which is a social media 
management platform.

Ones that had been previously mentioned by other users include Adobe, 
PayPal and Eventbrite.

>The ‘ Database’ tab has registration and allocation history.

Which suggests an allocation to the ISP in July 2015...

>The ‘Routing’ tab has routing history.

...and to customers in 11th March 2019. Which together *doesn't* match a 
theory of either recent acquisition, nor a hangover from dirty usage.

>In my experience all this goes a long way to get a good picture of the 
>address space concerned.
>
>It would be helpful if you told the list whether this would have warned 
>this particular end-user had they or their consultants looked at it.

Nothing leaps out at me.

Which leaves the question of where the data being acted on by the 
undoubtedly active block lists originated. But could explain why it's 
apparently difficult to expunge, if it's of unknown source.

The name 'Globalprotect' was also mentioned.

My next theory is that it's not a poorly sanitised transfer of IP 
addresses, but some glitch in the blacklisting process.
-- 
Roland Perry