AS6517 - Reliance Globalcom -- routing three more hijacked blocks

Ronald_F_Guilmette1 · October 7, 2010, 3:36am

Has anybody ever succeeded at sending any e-mail to the
<abuse@relianceglobalcom.com> address? It doesn't seem to
work for me. I just get undeliverable bounces.

I'd like to, you know, at least inform them about all of these hijacked
routes that _they_ are announcing, but I guess I need to do that via
smoke signal or something.

Well, anyway, here's three more hijacked blocks that they (AS6517)
are routing. This is in addition to the 75 such blocks I've already
reported. (I guess that makes 78 hijacked blocks for them, in total.)

198.99.245.0/24 NET-198-99-245-0-1
(wjhoreni.com - domain registered 2009-10-30)

198.151.138.0/24 NET-198-151-138-0-1
(crescentnets.com - registered 07-09-2010, in the
Cayman Islands)

207.45.56.0/21 NET-207-45-56-0-1
(crescentnets.com - see above)

Name server dump of the above blocks, illustrating snowshoe spam domains:

Jason_Bertoch1 · October 7, 2010, 1:59pm

Out of curiosity, are you also reporting these blocks to Spamhaus? I expect their DROP list maintainers would be interested.

Heath_Jones · October 7, 2010, 2:09pm

Well, anyway, here's three more hijacked blocks that they (AS6517)
are routing. This is in addition to the 75 such blocks I've already
reported. (I guess that makes 78 hijacked blocks for them, in total.)

Out of curiosity, are you also reporting these blocks to Spamhaus? I expect
their DROP list maintainers would be interested.

With an IP space of just 2^32, I'd suspect they are better off
maintaining a whitelist

Sven_Olaf_Kamphuis · October 7, 2010, 2:19pm

I'd say people that hijack space have a legitimate need for it or they would not be doing it. as long as spamming is not "criminal activity" i see no need to filter them actually, on the other hand, we spend a lot of time filtering MPAA/RIAA member ranges. I can has blacklist for those?
(those are the real enemies of the internet industry, not the spammers

Christopher_Morrow · October 7, 2010, 2:25pm

in stabbing around today on the ARIN online website I noticed this:

" ARIN provides access to a list of number resources in the database
which have no valid POC data. A POC handle is marked invalid by ARIN
staff when the POC has not been modified in more than one year and the
POC fails to respond to ARIN's annual request to validate their POC
information. In order to access this report, NRPM Policy 3.6.1
requires that you meet the criteria specified in ARIN’s Bulk Whois
policy, including signing an Acceptable Use Policy (AUP). Complete
information on Bulk Whois, including the AUP and data request form can
be found here. "

one wonders if this sort of thing could be useful to folks maintaining
lists of numbers that are used to affect other folks business plans.

John_Curran1 · October 7, 2010, 2:35pm

Chris -

  Very timely... I should advise the community that a revised ARIN
  Bulk WHOIS policy will be sent for community consultation shortly,
  and folks should take a chance to comment on the valid uses of
  access to this data. More information on how ARIN processes
  incoming suggestions and consultations is available here:
  <https://www.arin.net/participate/acsp/index.html>

FYI,
/John

John Curran
President and CEO
ARIN