On Sat, Oct 2, 2010 at 3:41 PM, John Curran <jcurran@arin.net> wrote:
On Oct 2, 2010, at 4:03 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote: Robert - You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition. The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no "corporate" surviving entity to contact. Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack. /John
Hm.. just a thought... if an org doesn't have and are unable to obtain any good written documentation at all, from even the public record, then aren't they (as far as the operator community should be concerned) not the same registrant, or authorized? Where would a person be if they were trying to claim the right to a certain piece of land, and someone else (an opportunist/scammer) also claimed ownership using "papers" they had created, but the 'rightful' owner had neither a deed, nor a transfer agreement, proof of their use of that land, nor other certified document, and the local authority did not have any record of a transfer from the now defunct original owner? --- So, I wonder why only ARIN itself is singled out.. Have other RIRs found something much better to do with fraud reports? This matters, because scammers can concentrate on whichever IP blocks are easiest to hijack. If ARIN somehow creates a hostile environment for scammers, they can concentrate on APNIC/RIPE/AfriNic/LACNIC-administered IP ranges instead. Assume scanners don't care or need to be undetected for long at all, they just need to stay off 'hijacked IP lists' for a very brief time, perhaps a week, until they are blacklisted by major RBLs for spamming, stop using the range, find a new one, under a new manufactured identity, lather, rinse, .... Even with excellent RIR detection and reclaiming of defunct ranges, the most capable anti-scammer mechanisms may still be independent Bogon lists and RBLs. Watch the global visibility of prefixes, and detect when part of a completely unannounced RIR assigned prefix starts being announced or when an entire RIR prefix stops being announced for more than a couple days or so. And it doesn't fall into the category of 'newly registered prefix' . Those should be additional "triggers" for defunct contact detection / additional verification, and anti-fraud detection by RIRs and others. Because address ranges can become defunct at any time.... Something really should be watching for a previously defunct range re-appearing from a different AS or from a completely different place net-wise. -- -J