157.112.0.0/16 ARIN info updated, AT&T still announcing /16

From the [Hijacked] list:

The ARIN information has been updated to have up-to-date contact info for
the original owner; the original owner's ISP is announcing 4 /18s, but AT&T
is still announcing 157.112.0.0/16. Can whoever's been bugging AT&T to stop
announcing it bug them some more?

abuse@att.net seems to be a dead horse - demands from numerous parties,
including the owner of this /16 (the true source of records is JPNIC:
whois -h whois.nic.ad.jp "157.112.0.0 /e", ARIN has not proceeded with
'early registration' transfer of this group of records to JPNIC, it
seems) that have been mailed there and to various other @att.net addresses,
including their so-called "legal demands center" (that is reportedly hard
to reach via email) have been summarily ignored, and we mean "/dev/null'd".

AT&T, for lack of presenting any TRO forcing them to keep routing this,
appears to willingly conspire with the Empire Towers IP space hijackers
while presented with overwhelming evidence that whatever forged documents
Empire Towers and Thomas Cowles may have presented to them are indeed that
- forged.

ARIN zapping the legacy record for this block apparently isn't
convincing enough for them to stop announcing this route.

The ISP for Systems Clipper Inc. (AS 23720) had started announcing a competing
/16 almost 2 weeks ago, but for reasons obvious to nearly all members of
this list, that of course wasn't good enough: it's four /18's now,
and AT&T should be seeing none of the traffic just about now.

If you are peering with AS 7018, a nicely worded email to your peering
contacts expressing your concern with AT&T's non-existent cooperation
in IP space hijacking cases would be appreciated.

Thank you.
bye, Kai

ps: and this says nothing about the amount and nature of actual abuse that's
  been reported from this /16 while it originated from AS 7018.
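
Added example, not part of the original thread: a Python sketch of why announcing four /18s instead of a competing /16 pulls traffic away from the covering route (longest-prefix match), plus a check for any part of the block that still follows the /16. The routing table is constructed, and the /18s originating from AS 23720 is an assumption read from the message above; `best_route` and `still_exposed` are hypothetical helper names.

```python
import ipaddress

# Constructed routing table modelled on the message above. AS 7018 originates
# the covering /16; the four /18s are ASSUMED to originate from AS 23720.
COVERING = ipaddress.ip_network("157.112.0.0/16")
ROUTES = [(COVERING, 7018)] + [
    (subnet, 23720) for subnet in COVERING.subnets(new_prefix=18)
]


def best_route(dest, routes):
    """Return the (prefix, origin_as) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, asn) for net, asn in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def still_exposed(covering, routes, legit_origin):
    """Sub-ranges of `covering` with no more-specific route from legit_origin.

    Traffic to these ranges still follows the covering announcement.
    """
    remaining = [covering]
    for net, asn in routes:
        more_specific = net != covering and net.subnet_of(covering)
        if asn != legit_origin or not more_specific:
            continue
        next_remaining = []
        for r in remaining:
            if r.subnet_of(net):          # fully shadowed by the more-specific
                continue
            if net.subnet_of(r):          # partly shadowed: keep the rest
                next_remaining.extend(r.address_exclude(net))
            else:                         # disjoint: untouched
                next_remaining.append(r)
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    print(best_route("157.112.200.1", ROUTES))
    print(still_exposed(COVERING, ROUTES, 23720))
    # With one /18 missing, a quarter of the block still follows the /16.
    print(still_exposed(COVERING, ROUTES[:-1], 23720))
```

The covering /16 stays visible in routing tables even when every address in it is shadowed, so the same check is worth re-running whenever a more-specific is withdrawn or filtered.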

You might want to check your data. I stopped seeing 157.112.0.0/16 announced via AT&T earlier this week.

route-views.oregon-ix.net>sh ip bgp 157.112.0.0/16 | i 7018
  5056 7018
  3277 3267 3343 2603 3356 7018
  11608 6461 7018
  3356 7018
  4513 7018 7018
  1668 7018
  852 3561 7018
  6939 6461 7018
  6395 7018
  6395 7018
  1299 7018
  286 209 7018
  5056 7018
  3277 3267 3343 2603 3356 7018
  11608 6461 7018
  3356 7018
  4513 7018 7018
  1668 7018
  852 3561 7018
  6939 6461 7018
  6395 7018
  6395 7018
  1299 7018
  286 209 7018
[....more of the same]

I stopped seeing 157.112.0.0/16 announced via AT&T earlier this week.

So did many people. That route came back again soon afterwards.

I have received an assurance directly from senior AT&T management that
the route has - in the last few minutes - been removed with prejudice.
It will not be returning.

We will now be working with AT&T management to help them to identify
exactly how and where their internal processes failed on this issue.

Way back on Thu, 10 Apr 2003 01:06 UTC I wrote:

I've been asked to draw the attention of Network administrators to the
recent hijacking of various large blocks of ARIN IP-space: particularly
six /16 blocks allocated to the London-based Trafalgar House Group.

Trafalgar House Group (THG):
Trafalgar House Group TRAF (NET-144-176-0-0-1) 144.176.0.0/16
Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16
Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16
Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16
Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16
Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16

The other good news is that all those blocks have now been either
returned to Aker Kvaerner Group (successors-in-title to Trafalgar
House Group) or returned to ARIN for reuse, as appropriate. Any
filters you routing people may have put in place to prevent abuse
from those blocks can be - and, please, SHOULD be, removed as soon
as practicable. The DNSBL entries for them at Spamhaus and SORBS
have already been removed.

Anyone wanting more information is welcome to join the "Hijacked"
list (mailto:majordomo@numbering.com?subject="subscribe hijacked")
which is where we discuss and resolve the Hijacking incidents as
they occur. Most network operators are now represented there, and
as a result we have been able to resolve most of the hijacking
incidents within a very short time of their coming to notice.

Has anyone reported this to the FBI yet, along with a complaint that AT&T
is a willing participant in the hijacking?

-Dan

Richard Cox wrote:

The other good news is that all those blocks have now been either
returned to Aker Kvaerner Group (successors-in-title to Trafalgar
House Group) or returned to ARIN for reuse, as appropriate. Any
filters you routing people may have put in place to prevent abuse
from those blocks can be - and, please, SHOULD be, removed as soon
as practicable. The DNSBL entries for them at Spamhaus and SORBS
have already been removed.

As an FYI, that class B appears to have gone totally silent on the spamming front on the 9th of Sept or thereabouts. We were getting ~40 attempts per day from it.

If anybody needs samples, contact me - quickly. We only retain it for about two weeks. Spams all referencing www.dnt.opt.listaudit.biz (resolves to 141.152.34.207, apparently Verizon, also blacklisted as being part of Empire Towers).

It's still listed on SPEWS.

I killed our manual blacklisting.