In message <D9973D64-91AB-4380-B5E8-DEE173726CC0@arin.net>, John Curran <jcurran@arin.net> wrote:
On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
... Unfortunately, we cannot read too much into this change that was made to the block's public-facing WHOIS record. Neither the new WHOIS info nor even the old WHOIS info can be used to reliably infer who or what is the legitimate registrant of the block at any point in time. This is because ARIN, like all of the other Regional Internet Registries, allows registrants to put essentially any bovine excrement they desire into their public-facing WHOIS records.
That is not the case – ARIN confirms the legal status of organizations receiving number resources.
This is NOT the message that I got from our recent discussion of the giant Micfo fraud on the ARIN Public Policy Mailing List. When I raised questions about why various of the Micfo phoney baloney shell companies had blocks with WHOIS records saying they were located in states that they were obviously not located in, I believe that you said that once a block has been allocated, by ARIN, to some (properly vetted) entity, that after that point in time, the entity could -change- the relevant WHOIS record to say any bloody thing it wanted, and that such -changes- to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all means, please do correct me. And then please do explain why several of the Micfo phony shell companies did in fact have WHOIS records for ARIN-issued IPv4 space that gave street addresses in states where none of these phony shell companies were actually registered to do business.
(And, it should be noted, the man behind the recent large scale "Micfo" fraud apparently availed himself of this exact opportunity for subterfuge, in spades.)
As previously noted on this list, such was only possible because of the use of falsely notarized documents.
I -do- understand that the fraudulent documents that were originally presented to you/ARIN provided information indicating that the phoney Micfo shell companies -did- actually exist in -some- state (Delaware?), and that ARIN -did- verify, to the best of its ability, that those companies -did- exist, legally speaking, in their originally declared home state(s).

But that fact is just skirting the real issue here, which is the question of whether or not ARIN even looks at -changes- that a registrant may make to the WHOIS records (e.g. for IPv4 blocks) -after- those blocks have been assigned. It appears from where I am sitting that ARIN does not do so. And thus, I stand by my comment that a registrant -can- in fact put any bloody nonsense they want into their WHOIS records, at least as long as they do it via -changes- and not in the original/initial WHOIS records.
Regardless, the available records suggest that there are only two likely possibilities in this case:
{trimmed} 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
That is easy to address: submit a fraud request, and it will be reviewed and corrected if it was done fraudulently.
I would do that, but for the following four things:

1) ARIN is not the Internet Police and has no power to affect routing decisions of anybody.

2) Getting the info out here, on the NANOG list, allows people to make up their own minds and to ignore the relevant route announcements and/or cease peering if they are persuaded that 216.179.128.0/17 is likely a source of "undesirable" packets.

3) An investigation by ARIN of 216.179.128.0/17 could take weeks or perhaps even months. In contrast, packets, including bad ones, travel from one end of the planet to another in milliseconds. ARIN and its careful review processes are a sure and steady and reliable check on fraudulent behavior over the longer term. But they will not do much to address the bad packets that may be flowing out of 216.179.128.0/17 this week, or even next.

4) Filing a "fraud request" with ARIN is a serious step and one that could quite conceivably end up with the party filing such a formal report being on the business end of a lawsuit, just for having filed such a report. Does ARIN indemnify the parties who file such reports against such claims, as ARIN is currently asking ARIN-region networks to do for ARIN if they want to avail themselves of the added security of RPKI?

Regards,
rfg