Notice: Fraudulent RIPE ASNs

After a careful investigation, I am of the opinion that each of the
following 18 ASNs was registered (via RIPE) with fraudulent information
purporting to represent the identity of the true registrant, and that
in fact, all 18 of these ASNs were registered by a single party,
apparently as part of a larger scheme to provide IP space to various
snowshoe spammers.

Evidence I have in hand strongly links this scheme and these ASNs and
their associated IPv4 route announcements to Jump Network Services,
aka JUMP.RO. Furthermore, all of these ASNs are apparently peering
with exactly and only the same two other ASNs in all cases, i.e.
GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These
peers and the fraudulent ASNs listed below are all apparently originated
out of Romania.

AS16011 (fiberwelders.ro)
AS28822 (creativitaterpm.ro)
AS48118 (telecomhosting.ro)
AS49210 (rom-access.ro)
AS50659 (grandnethost.com)
AS57131 (speedconnecting.ro)
AS57133 (nordhost.ro)
AS57135 (fastcable.ro)
AS57176 (bucovinanetwork.ro)
AS57184 (kaboomhost.ro)
AS57415 (highwayinternet.ro)
AS57695 (effidata.ro)
AS57724 (id-trafic.ro)
AS57738 (mclick.ro)
AS57786 (hosting-www.ro)
AS57837 (romtechinnovation.ro)
AS57906 (momy.ro)
AS57917 (nature-design.ro)

At present, the above 18 ASNs are currently announcing routes for a total
amount of IP space equal to 1,022 /24s, which is the rough equivalent of
an entire /14 block. These IPv4 route announcements are listed below,
sorted by IPv4 (32-bit) start address.

Additional potentially relevant background information:

    http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109
    http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643
    http://www.spamhaus.org/sbl/listings/jump.ro

Current route announcements:

31.14.30.0/24
31.14.32.0/24
31.14.33.0/24
31.14.34.0/23
31.14.36.0/22
31.14.40.0/22
31.14.44.0/24
31.14.45.0/24
31.14.46.0/23
31.14.48.0/24
31.14.49.0/24
31.14.50.0/23
31.14.52.0/22
31.14.56.0/21
31.14.64.0/24
31.14.65.0/24
31.14.66.0/23
31.14.68.0/22
31.14.72.0/21
31.14.80.0/20
31.14.112.0/20
31.14.144.0/20
37.153.128.0/22
37.153.132.0/22
37.153.140.0/22
37.153.144.0/21
37.153.152.0/22
37.153.160.0/21
37.153.168.0/22
37.153.172.0/23
37.153.174.0/23
37.153.176.0/20
37.156.0.0/22
37.156.4.0/22
37.156.8.0/21
37.156.16.0/23
37.156.18.0/23
37.156.20.0/23
37.156.22.0/23
37.156.24.0/23
37.156.26.0/23
37.156.28.0/23
37.156.30.0/23
37.156.36.0/24
37.156.37.0/24
37.156.38.0/23
37.156.48.0/21
37.156.56.0/22
37.156.100.0/22
37.156.104.0/22
37.156.108.0/22
37.156.112.0/20
37.156.128.0/20
37.156.144.0/22
37.156.148.0/22
37.156.152.0/21
37.156.160.0/21
37.156.168.0/22
37.156.172.0/23
37.156.180.0/23
37.156.184.0/22
37.156.188.0/22
37.156.208.0/22
37.156.216.0/22
37.156.224.0/24
37.156.225.0/24
37.156.226.0/23
37.156.228.0/23
37.156.230.0/23
37.156.232.0/23
37.156.234.0/23
37.156.236.0/23
37.156.238.0/23
37.156.240.0/21
37.156.248.0/22
37.156.252.0/22
46.102.128.0/20
46.102.144.0/20
46.102.160.0/21
77.81.120.0/23
77.81.126.0/24
77.81.160.0/22
84.247.4.0/22
84.247.18.0/23
84.247.40.0/22
85.204.18.0/24
85.204.20.0/23
85.204.30.0/23
85.204.36.0/22
85.204.54.0/23
85.204.64.0/23
85.204.66.0/24
85.204.76.0/23
85.204.96.0/23
85.204.104.0/23
85.204.120.0/24
85.204.121.0/24
85.204.124.0/24
85.204.132.0/23
85.204.152.0/23
85.204.176.0/21
85.204.194.0/23
86.104.0.0/23
86.104.2.0/24
86.104.4.0/24
86.104.9.0/24
86.104.10.0/24
86.104.96.0/21
86.104.115.0/24
86.104.116.0/24
86.104.118.0/23
86.104.121.0/24
86.104.122.0/23
86.104.132.0/23
86.104.192.0/24
86.104.195.0/24
86.104.212.0/23
86.104.215.0/24
86.104.240.0/22
86.104.245.0/24
86.104.248.0/23
86.105.178.0/24
86.105.195.0/24
86.105.196.0/24
86.105.200.0/22
86.105.225.0/24
86.105.227.0/24
86.105.230.0/24
86.105.242.0/23
86.105.248.0/22
86.106.0.0/21
86.106.8.0/23
86.106.10.0/24
86.106.11.0/24
86.106.12.0/24
86.106.24.0/24
86.106.25.0/24
86.106.90.0/24
86.106.95.0/24
86.106.169.0/24
86.107.8.0/21
86.107.28.0/23
86.107.74.0/23
86.107.104.0/24
86.107.195.0/24
86.107.216.0/21
86.107.242.0/23
89.32.122.0/23
89.32.176.0/23
89.32.192.0/23
89.32.196.0/23
89.32.204.0/24
89.33.46.0/23
89.33.108.0/23
89.33.117.0/24
89.33.168.0/21
89.33.233.0/24
89.33.246.0/24
89.33.255.0/24
89.34.16.0/22
89.34.94.0/23
89.34.102.0/23
89.34.112.0/21
89.34.128.0/20
89.34.148.0/23
89.34.200.0/23
89.34.216.0/23
89.34.236.0/22
89.35.32.0/24
89.35.56.0/24
89.35.77.0/24
89.35.133.0/24
89.35.156.0/23
89.35.176.0/23
89.35.196.0/24
89.35.240.0/21
89.36.16.0/23
89.36.32.0/23
89.36.34.0/24
89.36.35.0/24
89.36.96.0/21
89.36.104.0/21
89.36.178.0/23
89.36.182.0/23
89.36.184.0/21
89.36.226.0/23
89.36.236.0/22
89.37.48.0/21
89.37.64.0/22
89.37.76.0/22
89.37.102.0/23
89.37.107.0/24
89.37.129.0/24
89.37.133.0/24
89.37.143.0/24
89.37.240.0/21
89.38.26.0/24
89.38.216.0/22
89.38.220.0/22
89.39.76.0/22
89.39.168.0/22
89.39.180.0/23
89.39.216.0/22
89.40.40.0/24
89.40.66.0/24
89.40.133.0/24
89.40.240.0/21
89.40.254.0/23
89.41.16.0/21
89.41.44.0/22
89.42.27.0/24
89.42.33.0/24
89.42.150.0/23
89.42.208.0/23
89.43.182.0/23
89.43.184.0/23
89.43.216.0/21
89.43.224.0/21
89.44.94.0/23
89.44.115.0/24
89.44.120.0/21
89.44.190.0/23
89.45.11.0/24
89.45.14.0/24
89.45.72.0/21
89.45.126.0/23
89.46.8.0/22
89.46.44.0/23
89.46.47.0/24
89.46.60.0/24
89.46.88.0/22
89.46.192.0/21
89.47.34.0/24
89.47.44.0/22
92.114.36.0/24
92.114.38.0/24
92.114.83.0/24
93.113.216.0/22
93.114.24.0/21
93.114.85.0/24
93.114.86.0/23
93.114.128.0/24
93.114.133.0/24
93.115.32.0/23
93.115.62.0/23
93.115.130.0/23
93.115.134.0/23
93.115.138.0/23
93.115.142.0/23
93.115.192.0/21
93.115.253.0/24
93.117.112.0/21
93.117.120.0/21
93.119.112.0/23
93.119.118.0/23
93.119.120.0/23
93.119.124.0/23
94.176.224.0/20
176.126.168.0/23
176.126.170.0/23
176.126.172.0/23
176.126.174.0/23
176.223.64.0/23
176.223.108.0/24
176.223.111.0/24
176.223.116.0/23
176.223.118.0/24
176.223.167.0/24
176.223.172.0/22
176.223.176.0/24
176.223.177.0/24
176.223.178.0/23
176.223.190.0/24
188.212.22.0/24
188.212.48.0/20
188.213.64.0/20
188.213.112.0/22
188.213.116.0/23
188.213.118.0/24
188.213.119.0/24
188.213.120.0/23
188.213.122.0/23
188.213.124.0/22
188.213.144.0/20
188.213.176.0/22
188.213.180.0/22
188.213.184.0/22
188.213.188.0/22
188.215.18.0/23
188.215.20.0/22
188.215.192.0/19
188.241.188.0/23
188.241.192.0/22
217.19.4.0/24
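The post's figure of 1,022 /24s is easy to verify, and a list like this deserves two further checks before anyone builds a filter from it: that every line is a properly aligned prefix, and how fragmented the announcements are. The Python below is an added example, not part of the original message. It embeds a constructed excerpt (the first nine prefixes above, plus a comment line and one deliberately malformed prefix) and parses, totals and aggregates them; feeding it the full list from the post reproduces the 1,022 figure.

```python
"""Sanity-check a list of announced IPv4 prefixes like the one in the post.

Added example, not part of the original message. It answers three questions
a network operator would ask before acting on such a list:
  1. Does every line parse as a valid, properly aligned IPv4 prefix?
  2. How many /24 equivalents does the list cover (the post claims 1,022)?
  3. How fragmented are the announcements, i.e. how few prefixes would the
     same address space need if it were announced in aggregate?
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: the first nine prefixes from the post, a comment line,
# one deliberately malformed prefix (host bits set) to show how rejects are
# reported, and the last prefix from the post. Feed the full list from the
# post to reproduce the 1,022 figure.
SAMPLE_ROUTES = """\
31.14.30.0/24
31.14.32.0/24
31.14.33.0/24
31.14.34.0/23
31.14.36.0/22
31.14.40.0/22
31.14.44.0/24
31.14.45.0/24
31.14.46.0/23
# comment line, ignored by the parser
31.14.48.1/24
217.19.4.0/24
"""


def parse_prefixes(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (valid IPv4 networks, rejected lines).

    strict=True rejects prefixes whose host bits are set, which is exactly
    the kind of typo that would silently mis-size a filter built from them.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if not isinstance(net, ipaddress.IPv4Network):
            rejected.append(line)  # IPv6 is out of scope for this list
            continue
        nets.append(net)
    return nets, rejected


def slash24_equivalents(nets: List[ipaddress.IPv4Network]) -> int:
    """Number of /24s covered: a /24 counts 1, a /23 2, a /22 4 and so on.

    Prefixes longer than /24 count as fractions of a /24; the total is
    rounded down to a whole number of /24s.
    """
    return sum(n.num_addresses for n in nets) // 256


def enclosing_prefix_length(count_24s: int) -> int:
    """Prefix length of the smallest single block holding count_24s /24s.

    1,022 /24s need a /14 (1,024 /24s), the post's "rough equivalent".
    """
    return 24 - (count_24s - 1).bit_length()


def aggregate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping prefixes into the fewest covering blocks."""
    return list(ipaddress.collapse_addresses(nets))


def summarize(text: str) -> dict:
    """Run all three checks over a prefix list and return the findings."""
    nets, rejected = parse_prefixes(text)
    total = slash24_equivalents(nets)
    return {
        "announced_prefixes": len(nets),
        "rejected_lines": rejected,
        "slash24_equivalents": total,
        "enclosing_block": f"/{enclosing_prefix_length(total)}",
        "aggregated": [str(n) for n in aggregate(nets)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROUTES), indent=2))
```

On the excerpt, `aggregate` shows that nine announced routes cover one /20 plus one /24; that degree of deaggregation is itself worth noting when reviewing a block of routes, since a contiguous allocation announced as many small pieces is unusual for an ordinary hosting company.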

After a careful investigation, I am of the opinion that each of the
following 18 ASNs was registered (via RIPE) with fraudulent information
purporting to represent the identity of the true registrant, and that
in fact, all 18 of these ASNs were registered by a single party,
apparently as part of a larger scheme to provide IP space to various
snowshoe spammers.

Evidence I have in hand strongly links this scheme and these ASNs and
their associated IPv4 route announcements to Jump Network Services,
aka JUMP.RO. Furthermore, all of these ASNs are apparently peering
with exactly and only the same two other ASNs in all cases, i.e.
GTS Telecom SRL (AS5606) and Net Vision Telecom SRL (AS39737). These
peers and the fraudulent ASNs listed below are all apparently originated
out of Romania.

Jump.ro is a very active LIR and domain registry on the Romanian
market and is "selling" ASNs to whomever is interested and facilitates
allocations of PI netblocks to those who can justify them. It might
come as a surprise to you, but in Romania there are a lot of companies
(even very small ones) with their own ASN and PI netblocks. This setup
makes it extremely easy to switch ISPs with virtually no impact on
network operations.

If I'm not mistaken, companies use Netvision for cheap internet
access. GTS is more expensive, but theoretically is providing high
quality internet access with good SLAs.

AS16011 (fiberwelders.ro)
AS28822 (creativitaterpm.ro)
AS48118 (telecomhosting.ro)
AS49210 (rom-access.ro)
AS50659 (grandnethost.com)
AS57131 (speedconnecting.ro)
AS57133 (nordhost.ro)
AS57135 (fastcable.ro)
AS57176 (bucovinanetwork.ro)
AS57184 (kaboomhost.ro)
AS57415 (highwayinternet.ro)
AS57695 (effidata.ro)
AS57724 (id-trafic.ro)
AS57738 (mclick.ro)
AS57786 (hosting-www.ro)
AS57837 (romtechinnovation.ro)
AS57906 (momy.ro)
AS57917 (nature-design.ro)

From all those websites it looks like they are all hosting companies.
Have you tried calling the numbers listed on the WHOIS registrant
information on the ASN and you couldn't get to anyone?

At present, the above 18 ASNs are currently announcing routes for a total
amount of IP space equal to 1,022 /24s, which is the rough equivalent of
an entire /14 block. These IPv4 route announcements are listed below,
sorted by IPv4 (32-bit) start address.

If you really believe that all those ASNs listed by you above are only
used to host spammers, then by all means please contact
alerts@cert-ro.eu - that is the Romanian CERT as they are active and
will investigate the allegations you make.

Additional potentially relevant background information:

    http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109
    http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643
    http://www.spamhaus.org/sbl/listings/jump.ro

So far I do not know a single web hosting company whose customers
never spammed anyone :-)

Hello,

After a careful investigation, I am of the opinion that each of the
following 18 ASNs was registered (via RIPE) with fraudulent information
purporting to represent the identity of the true registrant, and that
in fact, all 18 of these ASNs were registered by a single party,
apparently as part of a larger scheme to provide IP space to various
snowshoe spammers.

As this email is regarding actions in Europe by RIPE, you may get a
better response from contacts in the RIPE region. I notice that you
have been cross posting this message (though not responding on list to
replies), for example to the RIPE NCC Anti-Abuse Working Group
(http://www.ripe.net/ripe/groups/wg/anti-abuse) - a great place to
start.

Although you have already been told this elsewhere, your best step
after contacting the Romanian CIRT is likely to be following the
reporting procedure for the provision of untruthful information to the
RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is
a well defined procedure. RIPE NCC will investigate any report
submitted through this procedure; there is a flowchart at this web
address that clearly explains what will happen.

If you ever need to find the contact details for a European CSIRT, the
centralised "Trusted Introducer" is normally the place to start.
Their website can be found at https://www.trusted-introducer.org.

As this list is the North America Network Operators Group, it's
unlikely that much in the way of action by RIPE NCC, Romanian
authorities or other relevant authorities within the EU will happen as
a result of a post here.

I hope this helps get you in touch with the right people to help.

Best wishes,

Alex

In message <CALgc3C7n0Hy80qLBcQ8tZrvGuaVsVrcEneYaYKomUUy58p3rEw@mail.gmail.com>,

Jump.ro is a very active LIR and domain registry on the Romanian
market and is "selling" ASNs to whomever is interested...

I do see that JUMP.RO is ``very active''. I do not know who they
have actually given all of this IP space to. Do you? If so, then
by all means, please don't keep us in suspense. Please do share
that information.

(I have also seen that JUMP.RO has puffed up its own resume, claiming on
its home page to have over 12,000 customers. but from where I am sitting,
it looks more like a tiny little ISP with only two /24s of its own,
and perhaps only a few handfuls of customers, many of whom, it seems,
are spammers.)

and facilitates
allocations of PI netblocks to those who can justify them.

JUMP.RO also ``facilitates'' IP block allocations to _themselves_, apparently.

It might
come as a surprise to you, but in Romania there are a lot of companies
(even very small ones) with their own ASN and PI netblocks.

Regardless of whether that assertion is true or false, it has no bearing
whatsoever on the specific issue and the specific ASNs and the specific
IP address blocks that I have reported on here.

I will repeat myself, so as to be completely clear. The 18 specific
ASNs I reported on, together with their associated IPv4 address blocks,
were all registered, via RIPE, with fraudulent information.

AS16011 (fiberwelders.ro)
AS28822 (creativitaterpm.ro)
AS48118 (telecomhosting.ro)
AS49210 (rom-access.ro)
AS50659 (grandnethost.com)
AS57131 (speedconnecting.ro)
AS57133 (nordhost.ro)
AS57135 (fastcable.ro)
AS57176 (bucovinanetwork.ro)
AS57184 (kaboomhost.ro)
AS57415 (highwayinternet.ro)
AS57695 (effidata.ro)
AS57724 (id-trafic.ro)
AS57738 (mclick.ro)
AS57786 (hosting-www.ro)
AS57837 (romtechinnovation.ro)
AS57906 (momy.ro)
AS57917 (nature-design.ro)

From all those websites it looks like they are all hosting companies.

Yes. Indeed. The web sites associated with all of the above domain
names have indeed been made to _look_ like they are all legitimate
hosting companies.

I'm so glad that you noticed.

Have you tried calling the numbers listed on the WHOIS registrant
information on the ASN and you couldn't get to anyone?

That is a good idea. Why don't you try it and report back here and let
us know your results.

Personally, I have much better things to do with my time (and my money)
than to waste any of it making pointless long-distance overseas phone
calls to pseudo-companies that I am already 100% convinced are simply
fraudulent and fictitious.

But since you yourself seem to be geographically in that area... AND since
you probably speak Romanian about 100,000% better than I do, by all means,
I encourage you to try to reach some human, i.e. ANY human at any of these
(fictitious) places who might be able to disprove the assertions that I
have made here, and repeated elsewhere.

Good luck.

If you really believe that all those ASNs listed by you above are only
used to host spammers...

Sir, I am not in the habit of risking either my reputation or my legal
safety by posting allegations on the NANOG list which I have anything
less than the highest confidence in. To do so would be foolish in the
extreme, and in multiple dimensions.

...then by all means please contact
alerts@cert-ro.eu - that is the Romanian CERT

Thank you but no.

This is another task that you have tried to assign to me... also
of entirely questionable usefulness... that I also personally elect
not to waste any of my precious minutes on this earth pursuing.

But please, feel free to do yourself the (pointless) tasks that you
have attempted to assign to me. Please feel free to contact
the Romanian CERT yourself. (If you manage to find anyone within that
organization that has ever done _anything_ to materially improve the
safety or security of the Internet, then please do send me that
person's name so that I can send it on to the Guinness World Records
people and let them know that such a person does exist after all.)

...as they are active...

Oh yes! I am quite sure they are. As are the particles shown in the
simulation on this page:

   https://en.wikipedia.org/wiki/Brownian_motion

Very active indeed!

and will investigate the allegations you make.

What exactly would be the point of that?

They are not Internet Police, and I rather doubt that they have any control
over RIPE's allocation processes for number resources.

(On the other hand, if I am wrong, and if the people at the Romanian CERT
actually *are* the Internet Police, then please do let me know immediately.
In that case, I have some vastly more serious matters to discuss with them,
specifically the massive fake pharmacy operations that are run out of
your country *and* the propensity of the specific crooks behind those oper-
ations for stealing and using the credit card numbers of at least hundreds
and more probably thousands of unsuspecting Americans. But I digress.)

So far I do not know a single web hosting company whose customers
never spammed anyone :-)

I confess that I cannot deduce whether your obtuse inability to differentiate
between the occasional spammer and an entire /14 full of them is genuine
or an act.

If genuine, you have my sympathy.

Regards,
rfg

In message <CALKLF0-g2Ni7tZ5toUZi9Ss_VWXOBL7BAeDUBmRo1TpCSJDuYg@mail.gmail.com>

I notice that you
have been cross posting this message (though not responding on list to
replies), for example to the RIPE NCC Anti-Abuse Working Group
(http://www.ripe.net/ripe/groups/wg/anti-abuse)

I did post (singular) the message there also, and have seen no replies
on that list that warrant any type of further follow up from me.

Although you have already been told this elsewhere, your best step
after contacting the Romanian CIRT

I personally have no intention of contacting the Romanian CERT (or CIRT)
for reasons I previously elaborated upon. But by all means, please feel
free to do so yourself if you think it worthwhile.

I have done the hard work to find, flesh out, document, and verify the
problem/issue I reported on. I have tried to warn the people who matter,
network operators and people in the RIPE area interested in network abuse
issues. If other people feel that the message needs to be relayed to
yet more parties, then that is up to them to effectuate. I have done
all that I plan to do on this. (However I am willing to answer questions
put to me, e.g. from people wanting to know the specific facts that led
me to my conclusions. That is only fair, after all.)

is likely to be following the
reporting procedure for the provision of untruthful information to the
RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is
a well defined procedure. RIPE NCC will investigate any report
submitted through this procedure; there is a flowchart at this web
address that clearly explains what will happen.

See above. I have done a great deal of work on this already. I leave
it to other interested parties to file whatever additional reports they
might feel are warranted or appropriate.

I may be able to clear tall buildings with a single bound, but I can't
do _everything_. (Besides which, why should _I_ have all the fun?)

Separately however, I should perhaps also clarify that I have less than
zero faith in _any_ process undertaken by _any_ RiR which has as its
purported goal the un-doing of fraudulent number resource registrations.

I was not born yesterday. I have seen such processes in action, and it
has been my experience that all such make molasses in January look fast
by comparison... when they work at all. Furthermore, RiRs are not the
Internet Police. Thus, whenever they find (or, more often, are told
about) some number resource which has been registered or used via fraud,
deceit, or artifice they have universally self-defined the limits of
their own authority to simply taking back what was stolen. Never more.
Thus, the most thieves risk when they steal or defraud to obtain number
resources is that somebody _might_ someday ask them to give what they
stole back... and thus it may be easily demonstrated that the RiRs
are effectively all castrated eunuchs with gigantic "kick me" signs on
their backs. (When and if RIPE kicks JUMP.RO entirely off the net as
a penalty for its part in these shenanigans... and others that have
previously been documented..., then please do let me know and then I
may change my mind and start believing that RiRs are no longer acting
like helpless hapless morons each time they have been clearly defrauded.)

And of course, some (perhaps all) RiRs are more than happy to have the
final remaining bits of IPv4 space defrauded out from under them so that
they can press on with the business of selling us all IPv6.

It is rather pointless to report something as stolen to an owner who
doesn't seriously want it back anyway.

But it's a free country. You can do whatever you like.

If you ever need to find the contact details for a European CSIRT,

Why would I ever need THAT??

Until convinced otherwise, I'm going to continue to view those folks
as being more likely to be a part of the problem rather than part of
the solution.

As this list is the North America Network Operators Group, it's
unlikely that much in the way of action by RIPE NCC, Romanian
authorities or other relevant authorities within the EU will happen as
a result of a post here.

I know that.

However I am also of the opinion that it is unlikely that much in the
way of action by RIPE NCC, Romanian authorities or other relevant
authorities within the EU will happen with respect to an issue like
this NO MATTER WHAT because all of these organizations are far more
adept at explaining why nothing can be done than they are at actually
doing anything.

By posting here, at least North American network operators can decide
on their own to block routes from the relevant ASNs... or not, if they
don't feel like it. That's something at least.

I'm not an Internet Policeman. I'm not even an Internet Police informant.
I'm an investigative journalist. As the old saying goes, if you don't
like the news, then go out and make some of your own.

I hope this helps get you in touch with the right people to help.

I don't need any help. I posted here to try to help others, and I believe
that I did. I don't feel any pressing need or desire to contact anyone else.

Best wishes,

Thank you. And to you!

Regards,
rfg

Hi,

is likely to be following the
reporting procedure for the provision of untruthful information to the
RIPE NCC at http://www.ripe.net/contact/reporting-procedure, which is
a well defined procedure. RIPE NCC will investigate any report
submitted through this procedure; there is a flowchart at this web
address that clearly explains what will happen.

See above. I have done a great deal of work on this already. I leave
it to other interested parties to file whatever additional reports they
might feel are warranted or appropriate.

Sorry, but you post this information on public mailing lists where it can be discussed but where no action can be taken, and then refuse to post it to the single organisation that actually *can* do something with it?

Nobody else will take your research and submit it to a third party. It's your research: either you submit it to the RIPE NCC and action will be taken where appropriate, or you don't and then your research will be forgotten and nothing will be done... It's just one form to fill in.

Thanks,
Sander

Ronald,

What is your goal here? Is there some action that any particular NANOG
participant should take based on your opinion?

Regards,
Bill Herrin

I'm having more than a little deja vu here - Romanian LIRs have come up on
this list (leave alone nanog, or various other RIPE lists) more than once
in this context. In fact

There is an apparent pattern of large scale misuse of resources here, with
a complex reporting procedure that puts the onus on the complainant to
perform validation that, given complaints of a widespread problem, RIPE
staff is much better qualified (not to mention, paid for their time) to do
themselves, on a proactive basis.

--srs

Hi,

I'm having more than a little deja vu here - Romanian LIRs have come up on this list (leave alone nanog, or various other RIPE lists) more than once in this context. In fact

Yes, but like I said: talk on lists is not enough

There is an apparent pattern of large scale misuse of resources here, with a complex reporting procedure that puts the onus on the complainant to perform validation

Filling in one web form is a complex reporting procedure?

The form only contains:
- the reason (probably "Violation of RIPE Policies and RIPE NCC Procedures" or "Provision of untruthful information to the RIPE NCC")
- one of the relevant resources (can be an address, ASN or organisation object from the RIPE database) "In order to identify the natural or legal person responsible".
- a text field where you can copy&paste your report
- your contact details
- one checkbox "I confirm that the information I provide is correct and to the best of my knowledge"
- one checkbox "I allow the RIPE NCC to forward my report and attachments to the party the report is about."
- a captcha

They add a note that your contact details will never be shared with a third party, only the content of your report. They also provide a nice flowchart that shows how they will handle the report, which basically comes down to: Report-submitted -> report-accepted -> start-investigation.

I really can't see how this is a "complex reporting procedure that puts the onus on the complainant to perform validation". They don't ask for validation, only that you provide correct information on which they can base their investigation.

that, given complaints of a widespread problem, RIPE staff is much better qualified (not to mention, paid for their time) to do themselves, on a proactive basis.

They do proactive audits and they do verification/validation of the information people write in the reports. They will take action on complaints of a widespread problem. They just need the proper information through the official channels, which in this case is a not-so-complicated web form...

Cheers,
Sander

In message <A5DAD1A3-9CC9-4560-93BD-85F9E912885E@steffann.nl>,

Sorry, but you post this information on public mailing lists where it
can be discussed but where no action can be taken...

I think that you mistake formalized centralized "action" for "action"
more broadly and generally.

In fact, it is my belief that "action" has already been taken, within
some networks, to firewall themselves off from the miscreant ASNs and
IP blocks that I reported on. (And based upon my beliefs regarding these
ASNs and IP blocks I would highly recommend that others who have not
yet done so follow suit, along with any and all IP space being announced
in routes from AS2876.)

Nobody else will take your research and submit it to a third party. It's
your research: either you submit it to the RIPE NCC and action will be
taken where appropriate...

As I have already stated, I have no faith whatsoever in the last part of
that assertion, and thus elect not to waste my time.

These kinds of problems have been going on for literally years now,
primarily originating out of Romania. If RIPE seriously wanted to shut
down all of this fraudulent activity, they could have and would have done
so long before now.

In the three years since the following report was written, what has changed?
Anything?

  http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109

   "It is impossible at that stage in the process for the RIPE NCC to determine
   that a company is involved in illegal activity. The member in question later
   proved to be a front for RBN," RIPE said in a statement on the case. But the
   allocation was made in 2006 and it wasn't until May 2008 that RIPE was able
   to close down the LIR and get the IP space back."

Excuse me, but really? Two *&^%$#@ years, just to get some space back from
the notorious RBN??

   "In most regions, a new organization requesting a large allocation will have
   to go through a fairly rigorous process to show the need for the address
   space..."

But not in the RIPE region, apparently.

Regards,
rfg

P.S. ASNs are not nearly in as short supply as IPv4 addresses are, however
there _are_ only a finite number of them, and they should not be wasted.

As I understand it, generally speaking if you are too small to own even
at least one router, then you most certainly do not need your own ASN.
I have noted however that the last hop on all traceroutes to all of
the domains mentioned in my initial report seems to be 193.226.166.214.
The router at that address is, I believe, the router immediately in front
of the server(s) that are serving up the home pages for these fraudulent
false-front entities. That IP belongs to AS5606 aka GTS Telecom SRL...
*not* to any one of these bogus fraudulent pseudo-entities.

So, within the RIPE region, it appears that one can obtain one's own
ASN... or even perhaps a couple dozen of them... without even owning a
single router.

Somehow this does not seem to me to be an efficient allocation of finite
number resources.

P.P.S. Before anyone asks, no, the fact that all routes to all of the
web servers for all of the domains mentioned in my initial report all
pass through 193.226.166.214 (just before the last hop in all cases) is
most certainly *not* the only bit of evidence that indicates that all of
these 18 fraudulent false-front entities were created/registered/implemented
by a single hand (which I am confident they all were). There is plenty
more evidence that supports this view also. One has only to look just
very slightly below the surface. The evidence is abundant.

P.P.P.S. Long before I posted my report here this week, it was already
well and widely known that JUMP.RO has an unfortunate tendency to provide
IP space to fictitious entities engaged primarily in spamming:

  http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643

If the good folks at RIPE NCC have not already known about this for some
time then I would suggest that some of them may perhaps be working overtime
to avoid knowing. On the other hand, if the RIPE folks have in fact known
about what JUMP.RO has been up to, based on earlier published reports of
their questionable activities, then that begs the obvious question: What
has RIPE done about this so far? Anything?

I'm sure that your urging of me to take further action with respect to this
matter is well intentioned, but you have your urging pointed in the wrong
direction, I think. The primary onus for further action lies elsewhere.
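The shared penultimate hop described in the P.S. is the kind of infrastructure pivot an investigator can automate. The Python below is an added example, not part of the original message: it parses Linux traceroute output for several targets, takes the hop just before the destination, and groups targets that share it. The transcripts are constructed for the example; the hostnames come from the report, the destination addresses are RFC 5737 documentation addresses chosen here, and 193.226.166.214 is the hop the post names. As the P.P.S. itself says, a shared upstream hop is a correlation to follow up, not proof on its own, since every customer of the same transit provider will share it.

```python
"""Pivot on a shared last-hop router across several traceroutes.

Added example, not part of the original message. Parses standard Linux
traceroute output for several targets, extracts the hop before the
destination, and groups targets that share that hop.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed traceroute transcripts. The hostnames are from the report;
# the destination addresses are RFC 5737 documentation addresses chosen
# for the example, not the real ones. 193.226.166.214 is the hop the post
# names. The last trace never reaches its destination, to show how an
# incomplete trace is handled.
TRACES = """\
traceroute to fiberwelders.ro (192.0.2.10), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.412 ms  0.398 ms  0.380 ms
 2  * * *
 3  193.226.166.214 (193.226.166.214)  45.1 ms  45.0 ms  44.9 ms
 4  192.0.2.10 (192.0.2.10)  46.2 ms  46.0 ms  45.9 ms
traceroute to nordhost.ro (192.0.2.21), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.401 ms  0.390 ms  0.377 ms
 2  193.226.166.214 (193.226.166.214)  44.8 ms  44.7 ms  44.6 ms
 3  192.0.2.21 (192.0.2.21)  46.0 ms  45.8 ms  45.7 ms
traceroute to example.net (198.51.100.7), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.399 ms  0.388 ms  0.371 ms
 2  198.51.100.1 (198.51.100.1)  12.3 ms  12.1 ms  12.0 ms
 3  198.51.100.7 (198.51.100.7)  13.0 ms  12.9 ms  12.8 ms
traceroute to momy.ro (192.0.2.33), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.410 ms  0.395 ms  0.381 ms
 2  193.226.166.214 (193.226.166.214)  45.3 ms  45.2 ms  45.1 ms
 3  * * *
 4  * * *
"""

# "traceroute to <host> (<ip>), ..." header line
HEADER = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
# " N  <name> (<ip>)  rtt ms ..." or " N  * * *" for a hop that did not answer
HOP = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\(([\d.]+)\)|\*)")


def parse_traceroutes(text: str) -> Dict[str, dict]:
    """Map target hostname -> {"dest": ip, "hops": [ip or None per hop]}."""
    traces, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"dest": m.group(2), "hops": []}
            traces[m.group(1)] = current
            continue
        m = HOP.match(line)
        if m and current is not None:
            current["hops"].append(m.group(2))  # None for a '* * *' hop
    return traces


def penultimate_hop(trace: dict) -> Optional[str]:
    """IP of the hop before the destination, or None if the trace never
    reached the destination or that hop did not answer."""
    hops = trace["hops"]
    if len(hops) < 2 or hops[-1] != trace["dest"]:
        return None
    return hops[-2]


def group_by_penultimate_hop(text: str) -> Dict[str, List[str]]:
    """Group targets by the router immediately in front of them."""
    groups = defaultdict(list)
    for host, trace in parse_traceroutes(text).items():
        key = penultimate_hop(trace) or "unresolved"
        groups[key].append(host)
    return dict(groups)


if __name__ == "__main__":
    for hop, hosts in group_by_penultimate_hop(TRACES).items():
        print(f"{hop:>16}  {', '.join(hosts)}")
```

Targets whose trace never reaches the destination land in the "unresolved" group rather than being silently attributed to whichever hop last answered; a filtering last hop is common, and guessing would manufacture a correlation the data does not support.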

In message <CAP-guGVs-kCYoSkNNs+v8R1gDKBpmkuuFM1eNgqvhqh0pR0gCA@mail.gmail.com>

What is your goal here?

Primarily to inform.

Forewarned is forearmed. Wouldn't you agree?

Is there some action that any particular NANOG
participant should take based on your opinion?

Dropping all route announcements from the 18 fraudulent ASNs I listed,
together with all those from AS2876, and avoiding propagating any of
said routes to any other parties would, I think, be an altogether
prudent step for all concerned.

Unless of course you are hosting one or more spam research organizations
that are eager to collect as much spam as possible.

Regards,
rfg

P.S. It is most probably unnecessary to worry about blocking route
announcements relating to any of the separate set of five bogus ASNs
documented here:

   http://www.spamhaus.org/rokso/evidence/ROK9107/world-company-register-eu-business-register/rogue-ases-as43332-as44414-as44520-as49173-as49643

It is unnecessary to block any such route announcements because owing to
the good work Spamhaus did already in publicising these other five "rogue"
ASNs... which also got all of their IP space from JUMP.RO... none of them
is even announcing routes anymore. (Well, at least that's what it looks
like from where I am sitting.)

That's not exactly correct. Lots of people on this list are perfectly
capable of taking a variety of actions (based on this information)
should they choose to do so. I have.

I do not understand why you're so adamant about sending this information
to an organization primarily distinguished by its incompetence and
negligence. If they were actually DOING THEIR JOBS in even minimally
diligent fashion, then Ron wouldn't have needed to write that note or do
the research behind it, because this wouldn't be happening.

---rsk

I do not understand why you're so adamant about sending this information
to an organization primarily distinguished by its incompetence and
negligence. If they were actually DOING THEIR JOBS in even minimally
diligent fashion, then Ron wouldn't have needed to write that note or do
the research behind it, because this wouldn't be happening.

this kind of mostly unfounded vitriol is silly and damages your credibility.

no one seriously believes that the RIPE NCC (which is managed by all
of its members) is primarily distinguished by their incompetence and
negligence.

i believe this conversation has now gotten to the <plonk> stage. can
someone compare them to hitler so that we can move on?

cheers,

t

Really? Then why, pray tell, haven't they made it a practice to routinely
(let's say, once a month) ask the people over at Spamhaus: "Hey folks, do
you see anything wonky in the space we manage?" and then act
immediately and decisively on what they get back for an answer?

I don't want to speak for Spamhaus, but I suspect that they would be
delighted to provide that response, particularly if it led to swift and
effective action to make the problem(s) go away. And while I don't
always agree with their positions, I've *rarely* found mistakes in
their research: they're thorough. (So's Ron, by the way.)

This isn't complicated. This isn't expensive. This doesn't require
new technology or anything fancy. It's basic due diligence. Yet it
clearly hasn't happened. Why the hell not?

We live in a time when abuse is epidemic. It's costing us a fortune,
and I don't just mean in financial terms, although certainly that's
bad enough all by itself. But it doesn't just magically fall out of
the sky and land on our servers or routers, or at port 25 on our
mail servers. It comes from *somewhere*, and it does so on *somebody's*
watch. And when it does so on a chronic and systemic basis, surely
it is reasonable to ask questions like "Why, if we can so clearly see
it arriving at our operation, can they not see it leaving theirs?"
or "Why aren't people paying attention to the primary/most useful
sources of information about their own operations?"

So it's (well past) time to stop giving people a pass for looking the
other way or failing to look at all. It's my, your, and everyone's
professional responsibility to do everything we possibly can to prevent
the networks, hosts, and resources we run from being part of the problem.
So yeah: "incompetence" and "negligence" are the best words I can find
to describe failure to do that. What would you call it?

---rsk

I'll bet Hitler would have used his real name on the whois entries.

There. Now I think we're done.

Matt

it's nice that we've proceeded to insult our colleagues.

many thanks to mr. petach for achieving the end of this thread. thank
you all for participating.

Hi Rich,

Since this is NANOG, not a forum which represents Internet activities
on the Continent, perhaps a better set of questions would be:

1. Has SPAMHAUS attempted to feed relevant portions of their knowledge
into ARIN's reporting system for fraudulent registrations and,

2. Understanding that ARIN can only deal with fraudulent
registrations, not any other kind of bad-actor behavior, are there
improvements to ARIN's process which would help SPAMHAUS and similar
organizations feed ARIN actionable knowledge?

Regards,
Bill Herrin

There have been previous incidents in the ARIN region .. Nothing on the
grand scale of what Ron is describing, and just saying, ARIN does liaise
with the anti-spam world rather better than this.

Please, please someone go to http://meemsy.com/videos/add/24 and create
'Hitler reacts to the fraudulent Romanian ASNs'

After that we can move on.

:=)

~C.
