spammer from outer space? (routing error)
I just caught this one:

2007-08-25 16:57:52 SMTP connection from [125.187.32.144]:45885 (TCP/IP connection count = 1)
2007-08-25 16:58:11 SMTP connection from [125.187.32.222]:52495 (TCP/IP connection count = 2)
2007-08-25 16:58:22 ident connection to 125.187.32.144 timed out
2007-08-25 16:58:25 no host name found for IP address 125.187.32.144

Traceroute says:

traceroute to 125.187.32.144 (125.187.32.144), 30 hops max, 40 byte packets
 1  krzach.peter-dambier.de (192.168.48.2)  1.112 ms  1.590 ms  1.774 ms
 2  * * *
 3  217.0.78.54  83.412 ms  83.446 ms  183.549 ms
 4  217.239.40.33  183.582 ms  190.061 ms  207.031 ms
 5  dt-gw.n54ny.ip.att.net (192.205.32.57)  207.000 ms * *
 6  * * *
 7  12.122.16.137  268.719 ms  275.778 ms  284.531 ms
 8  cr1.cgcil.ip.att.net (12.122.1.190)  209.032 ms  217.048 ms  223.948 ms
 9  12.122.17.130  229.927 ms  237.691 ms  245.808 ms
10  tbr1.sffca.ip.att.net (12.122.10.6)  252.838 ms  260.754 ms  269.676 ms
11  12.122.110.5  277.657 ms  576.902 ms *
12  * * *
13  * * *
14  203.255.234.221  357.076 ms  357.083 ms  372.057 ms
15  210.120.246.65  379.221 ms  395.135 ms  395.169 ms
16  210.120.117.6  410.197 ms 210.120.248.250  420.023 ms  427.029 ms
17  210.120.244.94  360.443 ms  360.451 ms 210.120.244.90  368.292 ms
18  210.120.104.146  389.240 ms 203.248.223.82  389.274 ms  746.508 ms
19  * * *
22  * * *
23  125.187.32.144(H!)  351.850 ms (H!)  359.870 ms (H!)  367.696 ms

But whois keeps telling me:

ReferralServer: whois://whois.apnic.net

NetRange:   125.0.0.0 - 125.255.255.255
CIDR:       125.0.0.0/8
NetName:    APNIC-125
NetHandle:  NET-125-0-0-0-1
Parent:
NetType:    Allocated to APNIC
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
RegDate:    2005-01-27
Updated:    2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:  search-apnic-not-arin@apnic.net

So I should never have seen a packet from them?

Kind regards
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
Dear Peter,
> But whois keeps telling me:
>
> ReferralServer: whois://whois.apnic.net
>
> NetRange:   125.0.0.0 - 125.255.255.255
> CIDR:       125.0.0.0/8
> NetName:    APNIC-125
> NetType:    Allocated to APNIC
> Comment:    This IP address range is not registered in the ARIN database.
> Comment:    For details, refer to the APNIC Whois Database via
> Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
>
> So I should never have seen a packet from them?

You have only queried the ARIN IP database, which is not the only one. The right one is APNIC in this case (Asia region).

ripe-whois -h WHOIS.APNIC.NET 125.187.32.144
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      125.176.0.0 - 125.191.255.255
netname:      XPEED
country:      KR
descr:        POWERCOM
descr:        ************************************************
descr:        If you would like to find assignment
descr:        information in detail please refer to
descr:        the KRNIC Whois Database at
descr:        http://whois.nic.or.kr/english/index.html
descr:        ************************************************
admin-c:      HM127-AP
tech-c:       HM127-AP
status:       Allocated Portable
changed:      hostmaster@nic.or.kr 20060621
mnt-by:       MNT-KRNIC-AP
source:       APNIC

bye,
Ingo
Peter Dambier wrote:
> I just caught this one:
>
> 2007-08-25 16:57:52 SMTP connection from [125.187.32.144]:45885 (TCP/IP connection count = 1)
> 2007-08-25 16:58:11 SMTP connection from [125.187.32.222]:52495 (TCP/IP connection count = 2)
> 2007-08-25 16:58:22 ident connection to 125.187.32.144 timed out
> 2007-08-25 16:58:25 no host name found for IP address 125.187.32.144

I don't think of Korea as outer space, but maybe that's just me.

> Traceroute says:
>
> traceroute to 125.187.32.144 (125.187.32.144), 30 hops max, 40 byte packets
>  1  krzach.peter-dambier.de (192.168.48.2)  1.112 ms  1.590 ms  1.774 ms
>  2  * * *
>  3  217.0.78.54  83.412 ms  83.446 ms  183.549 ms
>  4  217.239.40.33  183.582 ms  190.061 ms  207.031 ms
>  5  dt-gw.n54ny.ip.att.net (192.205.32.57)  207.000 ms * *
>  6  * * *
>  7  12.122.16.137  268.719 ms  275.778 ms  284.531 ms
>  8  cr1.cgcil.ip.att.net (12.122.1.190)  209.032 ms  217.048 ms  223.948 ms
>  9  12.122.17.130  229.927 ms  237.691 ms  245.808 ms
> 10  tbr1.sffca.ip.att.net (12.122.10.6)  252.838 ms  260.754 ms  269.676 ms
> 11  12.122.110.5  277.657 ms  576.902 ms *
> 12  * * *
> 13  * * *
> 14  203.255.234.221  357.076 ms  357.083 ms  372.057 ms
> 15  210.120.246.65  379.221 ms  395.135 ms  395.169 ms
> 16  210.120.117.6  410.197 ms 210.120.248.250  420.023 ms  427.029 ms
> 17  210.120.244.94  360.443 ms  360.451 ms 210.120.244.90  368.292 ms
> 18  210.120.104.146  389.240 ms 203.248.223.82  389.274 ms  746.508 ms
> 19  * * *
> 22  * * *
> 23  125.187.32.144(H!)  351.850 ms (H!)  359.870 ms (H!)  367.696 ms
>
> But whois keeps telling me:
>
> ReferralServer: whois://whois.apnic.net
>
> NetRange:   125.0.0.0 - 125.255.255.255
> CIDR:       125.0.0.0/8
> NetName:    APNIC-125
> NetHandle:  NET-125-0-0-0-1
> Parent:
> NetType:    Allocated to APNIC
> Comment:    This IP address range is not registered in the ARIN database.
> Comment:    For details, refer to the APNIC Whois Database via
> Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
> Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
> Comment:    for the Asia Pacific region. APNIC does not operate networks
> Comment:    using this IP address range and is not able to investigate
> Comment:    spam or abuse reports relating to these addresses. For more
> Comment:    help, refer to http://www.apnic.net/info/faq/abuse
> RegDate:    2005-01-27
> Updated:    2005-05-20
>
> OrgTechHandle: AWC12-ARIN
> OrgTechName:   APNIC Whois Contact
> OrgTechPhone:  +61 7 3858 3100
> OrgTechEmail:  search-apnic-not-arin@apnic.net
>
> So I should never have seen a packet from them?
>
> Kind regards
> Peter and Karin
On Sat, 25 Aug 2007, Peter Dambier wrote:
> I just caught this one:
>
> 2007-08-25 16:57:52 SMTP connection from [125.187.32.144]:45885 (TCP/IP connection count = 1)
> 2007-08-25 16:58:11 SMTP connection from [125.187.32.222]:52495 (TCP/IP connection count = 2)
> 2007-08-25 16:58:22 ident connection to 125.187.32.144 timed out
> 2007-08-25 16:58:25 no host name found for IP address 125.187.32.144
>
> OrgTechHandle: AWC12-ARIN
> OrgTechName:   APNIC Whois Contact
> OrgTechPhone:  +61 7 3858 3100
> OrgTechEmail:  search-apnic-not-arin@apnic.net
>
> So I should never have seen a packet from them?

Because it's not ARIN IP space? KRNIC is not an ISP but a National Internet Registry similar to APNIC.

The followings is organization information that is using the IPv4 address.

IPv4 Address       : 125.187.32.0-125.187.47.255
Network Name       : POWC-503
Connect ISP Name   : Xpeed
Registration Date  : 20051128
Publishes          : Y

Whether or not you should accept email from Korean end-user IP space is left as an exercise for the reader.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Peter Dambier wrote:
> But whois keeps telling me:

Time to fix your whois client:

inetnum:      125.176.0.0 - 125.191.255.255
netname:      Xpeed-KR
descr:        LG POWERCOMM
country:      KR
admin-c:      IA469-KR
tech-c:       IM469-KR
status:       ALLOCATED PORTABLE
mnt-by:       MNT-KRNIC-AP
remarks:      This information has been partially mirrored by APNIC from
remarks:      KRNIC. To obtain more specific information, please use the
remarks:      KRNIC whois server at whois.krnic.net.
changed:      hostmaster@nic.or.kr
source:       KRNIC

Pete
Thank you all, for opening my eyes and for the whois.

Kind regards
Peter

Petri Helenius wrote:
> Peter Dambier wrote:
>> But whois keeps telling me:
>
> Time to fix your whois client:
>
> inetnum:      125.176.0.0 - 125.191.255.255
> netname:      Xpeed-KR
> descr:        LG POWERCOMM
> country:      KR
> admin-c:      IA469-KR
> tech-c:       IM469-KR
> status:       ALLOCATED PORTABLE
> mnt-by:       MNT-KRNIC-AP
> remarks:      This information has been partially mirrored by APNIC from
> remarks:      KRNIC. To obtain more specific information, please use the
> remarks:      KRNIC whois server at whois.krnic.net.
> changed:      hostmaster@nic.or.kr
> source:       KRNIC
>
> Pete

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
> 23  125.187.32.144(H!)  351.850 ms (H!)  359.870 ms (H!)  367.696 ms
>
> But whois keeps telling me:
>
> ReferralServer: whois://whois.apnic.net
Hmm, you might want to follow up with the referral server.
> NetRange:   125.0.0.0 - 125.255.255.255
> CIDR:       125.0.0.0/8
> NetName:    APNIC-125
> NetHandle:  NET-125-0-0-0-1
> Parent:
> NetType:    Allocated to APNIC
> Comment:    This IP address range is not registered in the ARIN database.
Logical, since it was never assigned to ARIN.
> Comment:    For details, refer to the APNIC Whois Database via
> Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
This seems pretty clear. You can get details from APNIC since this was allocated to them, as the 'NetType' above shows.
> Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
> Comment:    for the Asia Pacific region. APNIC does not operate networks
> Comment:    using this IP address range and is not able to investigate
> Comment:    spam or abuse reports relating to these addresses. For more
> Comment:    help, refer to http://www.apnic.net/info/faq/abuse
And, of course, APNIC doesn't operate this network, they assigned it.
> So I should never have seen a packet from them?
From whom? What are you talking about?
This is someone who is using an IP inside a block that IANA assigned to APNIC. You asked ARIN about the block and ARIN told you that they have no idea since they have nothing to do with it and they suggested you follow up with APNIC. So you still have no idea what APNIC did with the block, other than that they didn't actually operate any networks in it. They presumably assigned it to a customer, and if you asked them (as you were suggested to do *twice*) they would have told you. DS
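The chain Ingo and David describe (ARIN answers "not ours, ask APNIC"; APNIC's mirrored record points on to KRNIC) can be followed mechanically, and that is what most abuse tooling does under the hood. The script below is an added example, not code from anyone in this thread: it pulls the peer addresses out of the quoted SMTP log lines, then walks the referral pointers across abridged copies of the three whois answers quoted above, checking at every hop that the block a server hands back actually contains the address. `OFFLINE_RESPONSES` and `offline_lookup` stand in for the network so the walk runs anywhere; `network_lookup` is a plain port-43 query and is my assumption about how you would wire it to live servers, not something the thread shows.

```python
import ipaddress
import re
import socket

# Constructed sample input: the log lines from the original post.
SMTP_LOG = """\
2007-08-25 16:57:52 SMTP connection from [125.187.32.144]:45885 (TCP/IP connection count = 1)
2007-08-25 16:58:11 SMTP connection from [125.187.32.222]:52495 (TCP/IP connection count = 2)
2007-08-25 16:58:25 no host name found for IP address 125.187.32.144
"""

# Abridged copies of the three whois answers quoted in the thread, keyed by
# the server that gave them, so the walk runs with no network access.
OFFLINE_RESPONSES = {
    "whois.arin.net": """\
ReferralServer: whois://whois.apnic.net
NetRange:   125.0.0.0 - 125.255.255.255
NetType:    Allocated to APNIC
Comment:    This IP address range is not registered in the ARIN database.
""",
    "whois.apnic.net": """\
inetnum:      125.176.0.0 - 125.191.255.255
netname:      Xpeed-KR
remarks:      This information has been partially mirrored by APNIC from
remarks:      KRNIC. To obtain more specific information, please use the
remarks:      KRNIC whois server at whois.krnic.net.
source:       KRNIC
""",
    "whois.krnic.net": """\
IPv4 Address       : 125.187.32.0-125.187.47.255
Network Name       : POWC-503
""",
}

LOG_RE = re.compile(r"SMTP connection from \[(\d+(?:\.\d+){3})\]:\d+")
# An explicit ARIN-style referral, or the "use server X" wording in a remark.
REFERRAL_RE = re.compile(r"^ReferralServer:\s*whois://([\w.-]+)", re.M)
REMARK_RE = re.compile(r"whois server at ([\w-]+(?:\.[\w-]+)*)\.?\s*$", re.M | re.I)
RANGE_RE = re.compile(
    r"^(?:inetnum|NetRange|IPv4 Address)\s*:\s*(\d+(?:\.\d+){3})\s*-\s*(\d+(?:\.\d+){3})",
    re.M | re.I)


def peer_addresses(log_text):
    """Remote IPs from 'SMTP connection from [ip]:port' log lines."""
    return [m.group(1) for m in LOG_RE.finditer(log_text)]


def next_server(response):
    """Server the response delegates to, or None if it is the final answer."""
    m = REFERRAL_RE.search(response) or REMARK_RE.search(response)
    return m.group(1).lower() if m else None


def covering_range(response):
    """(first, last) address of the block the response describes, or None."""
    m = RANGE_RE.search(response)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def offline_lookup(server, ip):
    return OFFLINE_RESPONSES[server]  # stand-in for the network


def network_lookup(server, ip, timeout=10):
    """Plain RFC 3912 query on TCP/43 (assumed wiring; not used by the demo)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


def follow_referrals(ip, lookup=offline_lookup, start="whois.arin.net", max_hops=5):
    """Walk from `start` to the registry that actually holds the assignment.

    Returns [(server, (first, last)), ...] in visiting order; stops on a loop,
    at max_hops, or when a response carries no further pointer. Raises
    ValueError if a server hands back a block that does not contain ip.
    """
    addr = ipaddress.ip_address(ip)
    chain, server = [], start
    while server and len(chain) < max_hops:
        if any(seen == server for seen, _ in chain):
            break  # referral loop: this server was already consulted
        response = lookup(server, ip)
        rng = covering_range(response)
        if rng and not (rng[0] <= addr <= rng[1]):
            raise ValueError(f"{server} answered {rng[0]}-{rng[1]}, which excludes {ip}")
        chain.append((server, rng))
        server = next_server(response)
    return chain


def assignment_for(ip, lookup=offline_lookup):
    """Most specific block found for ip, as 'server first-last'."""
    server, rng = follow_referrals(ip, lookup)[-1]
    return f"{server} {rng[0]}-{rng[1]}"


if __name__ == "__main__":
    for ip in peer_addresses(SMTP_LOG):
        hops = " -> ".join(s for s, _ in follow_referrals(ip))
        print(f"{ip}: {hops} | {assignment_for(ip)}")
```

Run as a script, both logged addresses resolve through whois.arin.net -> whois.apnic.net -> whois.krnic.net to the 125.187.32.0-125.187.47.255 assignment. The loop guard and the containment check are the parts worth keeping if you point `lookup` at live servers: a stale mirror or a circular referral otherwise sends the walker round in circles, and a record whose range does not cover the address you asked about should be treated as a wrong answer rather than the registrant's block.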
participants (6)
- David Schwartz
- Ingo Flaschberger
- Joel Jaeggli
- Jon Lewis
- Peter Dambier
- Petri Helenius