anybody know the owner of 209.251.0.0/19?

i'm getting spammed from there...

[sa:i386] ./find-spam.pl 209.251.0.0/19
SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
       LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
  FROM spam s LEFT JOIN bodies b ON s.body_md5 = b.md5
 WHERE relay <<= '209.251.0.0/19'
 ORDER BY entered LIMIT ALL
spam: [002515 2001-12-09 23:37:37+00 209.251.20.7] lart: {12370 209.251.20.7 source mailer} mail: (0 007557 )
spam: [005626 2003-07-31 22:14:54.367173+00 209.251.28.142] lart: {316925 209.251.28.142 source mailer}
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)

...but there is no whois...

[sa:i386] whois -h whois.arin.net 209.251.28.142
No match found for 209.251.28.142.

# ARIN WHOIS database, last updated 2003-08-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

...and they seem to have transit through both AS209 and AS6076...

noc@re0.r7.pao1> show route 209.251.28.142
...
209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
                      AS path: 209 11036 I
                    > to 198.32.176.52 via ge-2/1/0.6
                    [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
                      AS path: 3549 8011 6076 11036 I
                    > to 208.50.13.57 via ge-1/3/0.501
                    [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
                      AS path: 2914 209 11036 I
                    > to 129.250.16.157 via so-1/2/2.0
                    [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
                      AS path: 701 209 11036 I
                    > to 198.32.176.2 via ge-2/1/0.6
                    [BGP/170] 04:33:44, MED 10, localpref 90
                      AS path: 6453 209 11036 I
                    > to 207.45.196.65 via so-1/2/0.0

...although both AS11036 (the origin) and AS6076 (one of the transits) are in the same geo area, one of them (voyager.net) was, i thought, out of business.

am i being spammed from pirated address space?
If you check ARIN whois, you can find IP block 209.251.0.0 - 209.251.23.255 listed as NETBLK-SISCOM-BLK-1 (why would ARIN assign them /20 + /21 but not make it easier for everyone and just do /19 ?????????):

[whois.arin.net]
OrgName:    SISCOM
OrgID:      SISC
Address:    130 W. Second St.
Address:    Suite 1100
City:       Dayton
StateProv:  OH
PostalCode: 45402
Country:    US

NetRange:   209.251.0.0 - 209.251.23.255
CIDR:       209.251.0.0/20, 209.251.16.0/21
NetName:    SISCOM-BLK-1
NetHandle:  NET-209-251-0-0-1
Parent:     NET-209-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.SISCOM.NET
NameServer: NS2.SISCOM.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1998-07-13
Updated:    2001-06-22

TechHandle: RJ818-ARIN
TechName:   Adams, Robert
TechPhone:  +1-937-222-8150
TechEmail:  RADAMS@siscom.net

OrgTechHandle: TFI7-ARIN
OrgTechName:   Finkenstadt, Thomas
OrgTechPhone:  +1-937-222-8150
OrgTechEmail:  tfink@siscom.net

Not surprisingly, SISCOM.NET (AS11036) is announcing this as a /19; I'd do the same if I were them....

Now I don't know anything about SISCOM, but it does not look like they are out of business or controlled by spammers, so I think it would be best to just contact them on this issue (and ask them to talk to ARIN and add the extra /21 to their allocation to make it an even /19).

On Tue, 19 Aug 2003, Paul Vixie wrote:
> i'm getting spammed from there...
>
> [sa:i386] ./find-spam.pl 209.251.0.0/19
> SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
>        LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
>   FROM spam s LEFT JOIN bodies b ON s.body_md5 = b.md5
>  WHERE relay <<= '209.251.0.0/19'
>  ORDER BY entered LIMIT ALL
> spam: [002515 2001-12-09 23:37:37+00 209.251.20.7] lart: {12370 209.251.20.7 source mailer} mail: (0 007557 )
> spam: [005626 2003-07-31 22:14:54.367173+00 209.251.28.142] lart: {316925 209.251.28.142 source mailer}
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142] lart: {332664 209.251.28.142 relay mailer} mail: (0 002207 20030813142817.C3EF013980@sa.vix.com)
>
> ...but there is no whois...
>
> [sa:i386] whois -h whois.arin.net 209.251.28.142
> No match found for 209.251.28.142.
>
> # ARIN WHOIS database, last updated 2003-08-18 19:15
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> ...and they seem to have transit through both AS209 and AS6076...
>
> noc@re0.r7.pao1> show route 209.251.28.142
> ...
> 209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
>                       AS path: 209 11036 I
>                     > to 198.32.176.52 via ge-2/1/0.6
>                     [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
>                       AS path: 3549 8011 6076 11036 I
>                     > to 208.50.13.57 via ge-1/3/0.501
>                     [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
>                       AS path: 2914 209 11036 I
>                     > to 129.250.16.157 via so-1/2/2.0
>                     [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
>                       AS path: 701 209 11036 I
>                     > to 198.32.176.2 via ge-2/1/0.6
>                     [BGP/170] 04:33:44, MED 10, localpref 90
>                       AS path: 6453 209 11036 I
>                     > to 207.45.196.65 via so-1/2/0.0
>
> ...although both AS11036 (the origin) and AS6076 (one of the transits) are in the same geo area, one of them (voyager.net) was, i thought, out of business.
>
> am i being spammed from pirated address space?
-- William Leibzon Elan Networks william@elan.net
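The two checks this thread does by hand (does the announced /19 cover more than ARIN allocated, and do all the BGP paths agree on the origin and its upstreams?) can be scripted. The following is an added example, not code from either poster and not Vixie's find-spam.pl; it uses the prefix, allocation, relay addresses and JunOS `show route` lines quoted above as constructed inline input, and Python's standard `ipaddress` module in place of the PostgreSQL `<<=` operator the Perl script relies on.

```python
"""Compare an announced BGP prefix with its registry allocation, and
summarize origin/upstream ASNs from JunOS 'show route' output.
Added example for the thread above; all inputs below are copied from it."""
import ipaddress
import re

# What AS11036 announces, and what the ARIN record says SISCOM was allocated.
ANNOUNCED = ipaddress.ip_network("209.251.0.0/19")
ALLOCATED = [ipaddress.ip_network("209.251.0.0/20"),
             ipaddress.ip_network("209.251.16.0/21")]

# Relay addresses that appeared in the find-spam.pl output.
RELAYS = ["209.251.20.7", "209.251.28.142"]

# Excerpt of the 'show route 209.251.28.142' output quoted in the thread.
SHOW_ROUTE = """\
209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
                      AS path: 209 11036 I
                    > to 198.32.176.52 via ge-2/1/0.6
                    [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
                      AS path: 3549 8011 6076 11036 I
                    > to 208.50.13.57 via ge-1/3/0.501
                    [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
                      AS path: 2914 209 11036 I
                    > to 129.250.16.157 via so-1/2/2.0
                    [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
                      AS path: 701 209 11036 I
                    > to 198.32.176.2 via ge-2/1/0.6
                    [BGP/170] 04:33:44, MED 10, localpref 90
                      AS path: 6453 209 11036 I
                    > to 207.45.196.65 via so-1/2/0.0
"""

AS_PATH_RE = re.compile(r"AS path:\s+((?:\d+\s+)+)I")


def unallocated_space(announced, allocated):
    """Return the sub-prefixes of `announced` that no allocated block covers.
    Each allocated block is subtracted from whatever is still uncovered."""
    remaining = [announced]
    for block in allocated:
        nxt = []
        for net in remaining:
            if net.subnet_of(block):        # fully covered (or equal): drop it
                continue
            if block.subnet_of(net):        # strict subnet: carve it out
                nxt.extend(net.address_exclude(block))
            else:                           # disjoint: keep as-is
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def classify_relay(ip, allocated, unallocated):
    """Say whether a relay address sits inside the registry allocation,
    inside the announcement but outside the allocation, or elsewhere."""
    addr = ipaddress.ip_address(ip)
    if any(addr in block for block in allocated):
        return "allocated"
    if any(addr in block for block in unallocated):
        return "announced-but-unallocated"
    return "outside-announcement"


def path_summary(show_route_text):
    """Parse every 'AS path: ... I' line; return (origin ASNs, ASNs adjacent
    to the origin). A single origin and a short upstream set is the normal
    picture; several origins for one prefix would deserve a closer look."""
    paths = [p.split() for p in AS_PATH_RE.findall(show_route_text)]
    origins = {p[-1] for p in paths}
    upstreams = {p[-2] for p in paths if len(p) >= 2}
    return origins, upstreams


if __name__ == "__main__":
    gap = unallocated_space(ANNOUNCED, ALLOCATED)
    print("announced but not allocated:", [str(n) for n in gap])
    for ip in RELAYS:
        print(ip, "->", classify_relay(ip, ALLOCATED, gap))
    origins, upstreams = path_summary(SHOW_ROUTE)
    print("origin AS:", sorted(origins), " direct upstreams:", sorted(upstreams))
```

Run as a script, this reports that 209.251.24.0/21 is the part of the /19 with no ARIN record, which is exactly why `whois` returned no match for 209.251.28.142 while 209.251.20.7 resolves to SISCOM, and that all five paths share origin AS11036 with AS209 and AS6076 as its direct upstreams. As the reply points out, a covering announcement over an incompletely registered block is a registration-tidiness problem before it is evidence of hijacking; the script only narrows down which addresses to ask the origin network and the registry about.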