In message <A5DAD1A3-9CC9-4560-93BD-85F9E912885E@steffann.nl>, Sander Steffann <sander@steffann.nl> wrote:
> Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken...
I think that you mistake formalized centralized "action" for "action" more broadly and generally. In fact, it is my belief that "action" has already been taken, within some networks, to firewall themselves off from the miscreant ASNs and IP blocks that I reported on. (And based upon my beliefs regarding these ASNs and IP blocks I would highly recommend that others who have not yet done so follow suit, along with any and all IP space being announced in routes from AS2876.)
> Nobody else will take your research and submit it to a third party. It's your research: either you submit it to the RIPE NCC and action will be taken where appropriate...
As I have already stated, I have no faith whatsoever in the last part of that assertion, and thus elect not to waste my time. These kinds of problems have been going on for literally years now, primarily originating out of Romania. If RIPE seriously wanted to shut down all of this fraudulent activity, they could have and would have done so long before now.

In the three years since the following report was written, what has changed? Anything?

http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-...

"It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN," RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn't until May 2008 that RIPE was able to close down the LIR and get the IP space back."

Excuse me, but really? Two *&^%$#@ years, just to get some space back from the notorious RBN??

"In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space..."

But not in the RIPE region, apparently.

Regards,
rfg

P.S. ASNs are not nearly in as short supply as IPv4 addresses are, however there _are_ only a finite number of them, and they should not be wasted. As I understand it, generally speaking if you are too small to own even at least one router, then you most certainly do not need your own ASN. I have noted however that the last hop on all traceroutes to all of the domains mentioned in my initial report seems to be 193.226.166.214. The router at that address is, I believe, the router immediately in front of the server(s) that are serving up the home pages for these fraudulent false-front entities. That IP belongs to AS5606 aka GTS Telecom SRL... *not* to any one of these bogus fraudulent pseudo-entities. So, within the RIPE region, it appears that one can obtain one's own ASN... or even perhaps a couple dozen of them... without even owning a single router. Somehow this does not seem to me to be an efficient allocation of finite number resources.

P.P.S. Before anyone asks, no, the fact that all routes to all of the web servers for all of the domains mentioned in my initial report all pass through 193.226.166.214 (just before the last hop in all cases) is most certainly *not* the only bit of evidence that indicates that all of these 18 fraudulent false-front entities were created/registered/implemented by a single hand (which I am confident they all were). There is plenty more evidence that supports this view also. One has only to look just very slightly below the surface. The evidence is abundant.

P.P.P.S. Long before I posted my report here this week, it was already well and widely known that JUMP.RO has an unfortunate tendency to provide IP space to fictitious entities engaged primarily in spamming:

http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-bus...

If the good folks at RIPE NCC have not already known about this for some time then I would suggest that some of them may perhaps be working overtime to avoid knowing.

On the other hand, if the RIPE folks have in fact known about what JUMP.RO has been up to, based on earlier published reports of their questionable activities, then that begs the obvious question: What has RIPE done about this so far? Anything?

I'm sure that your urging of me to take further action with respect to this matter is well intentioned, but you have your urging pointed in the wrong direction, I think. The primary onus for further action lies elsewhere.