Re[2]: The in-your-face hijacking example, was: Re: Who is announcing bogons?

Maybe because they expect your email to actually work, and don't care to
spend money calling you long distance?

http://groups.google.com/groups?selm=jql2avgk84hporq5cj8vdkcvsghj8ae9so%404ax.com&oe=UTF-8&output=gplain
Your role address bounces (yes, I did verify emil@atrivo.com bounces), and
apparently you have a portscanner on 170.208.15.82.

Looking through my logs for April I have received spams from
170.208.17.65, 170.208.17.67, 170.208.17.70, 170.208.17.92,
170.208.17.112, 170.208.17.113, 170.208.17.114, 170.208.17.115

You have got porno spammers in these netblocks scanning for open relays
and relay raping innocent third parties.

-Dan

Can't have one on 170.208.15.82 I null routed it some time ago as it was a
compromised machine.

... apparently you have a portscanner on 170.208.15.82.

Which is a salient reminder that while spam may be the most visible
indication of compromised machines (bogus routing etc.), it is likely to
be by far the least of the evils that will originate from such a source.

Spot the spam, catch the REAL problem ... prevent more serious issues.

I would not be so sure that LANET-1 ASN has anything to do with
LANET-1 Network or with LANET organization id.

To be frank, I wasn't as sure as I wanted to be; that's why I simply
pointed to the repeated use of the LANET-1 label, so that others could
make their own judgements. Further research confirms William is right
about it being a California LANET: compare the listing for 170.208.0.0
in: http://euclid.math.brandeis.edu/turtschi/whois/netb22.html with
the listing for (the block currently in use by LA County) 159.83.0.0
in: http://euclid.math.brandeis.edu/turtschi/whois/netb16.html

I have today spoken to the appropriate people who have confirmed their
ongoing ownership of the block and are now taking appropriate action.
We have also identified how the deception was carried out in this case.

For the record, the current routing analysis is as follows:

Netblock         BGP route          Announced by

170.208.0.0/24   174 16631          Cogent
170.208.1.0/24   6939 26346 27595   Atrivo
170.208.2.0/24   6939 26346 27595   Atrivo
170.208.3.0/24   6939 26346 27595   Atrivo
170.208.4.0/24   6939 26346 27595   Atrivo
170.208.5.0/24   6939 26346 27595   Atrivo
170.208.6.0/24   6939 26346 27595   Atrivo
170.208.7.0/24   6939 26346 27595   Atrivo
170.208.8.0/24   174 16631          Cogent
170.208.9.0/24   6939 26346 27595   Atrivo
170.208.10.0/24  6939 26346 27595   Atrivo
170.208.11.0/24  6939 26346 27595   Atrivo
170.208.12.0/24  6939 26346 27595   Atrivo
170.208.13.0/24  6939 26346 27595   Atrivo
170.208.14.0/24  6939 26346         Digital Wireworks
170.208.15.0/24  6939 26346 27595   Atrivo
170.208.17.0/24  6939 26346         Digital Wireworks
170.208.18.0/24  6939 26346 27595   Atrivo

FYI, AS 6939 (Hurricane) is no longer transiting prefixes in the
170.208.0.0/16 range.

Mike.

Excellent news, Mike; the current routing now appears to be:

Netblock         BGP route          Announced by

170.208.0.0/24   174 16631          Cogent
170.208.0.0/19   174 16631 27595    Atrivo
170.208.6.0/24   174 16631          Cogent
170.208.7.0/24   174 16631          Cogent
170.208.8.0/24   174 16631          Cogent
170.208.14.0/24  7911 6517 26346    Digital Wireworks via YIPES

Richard Cox
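
The two routing snapshots above lend themselves to an automated check. The script below is an added example, not code from any poster in this thread: it parses route listings constructed from the two tables, and flags every prefix inside 170.208.0.0/16 whose origin AS is not the holder's, plus every more-specific whose origin disagrees with a less-specific that covers it (the /19 vs /24 situation in the second table). It assumes, purely for illustration, that AS 16631 is the legitimate holder's origin; the thread does not state which ASN that is.

```python
import ipaddress

# Constructed from the first routing table in the thread (prefix, AS path).
ROUTES_BEFORE = """
170.208.0.0/24 174 16631
170.208.1.0/24 6939 26346 27595
170.208.8.0/24 174 16631
170.208.14.0/24 6939 26346
170.208.15.0/24 6939 26346 27595
"""

# Constructed from the second table, after Hurricane stopped transiting.
ROUTES_AFTER = """
170.208.0.0/24 174 16631
170.208.0.0/19 174 16631 27595
170.208.6.0/24 174 16631
170.208.14.0/24 7911 6517 26346
"""

BLOCK = ipaddress.ip_network("170.208.0.0/16")


def parse_routes(text):
    """Return a list of (network, as_path); the last ASN in the path is the origin."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        routes.append((ipaddress.ip_network(fields[0]), [int(a) for a in fields[1:]]))
    return routes


def suspicious_origins(text, block, expected_origin):
    """Return (prefix, origin, reason) findings for routes inside `block`.

    expected_origin is an assumed value: the ASN the block's holder should originate from.
    """
    routes = parse_routes(text)
    findings = []
    for net, path in routes:
        if not net.subnet_of(block):
            continue
        origin = path[-1]
        if origin != expected_origin:
            findings.append((str(net), origin, "unexpected origin"))
        # A more-specific whose origin differs from a covering route is a classic
        # sign of deaggregation by a party other than the holder.
        for cover, cover_path in routes:
            if cover != net and net.subnet_of(cover) and cover_path[-1] != origin:
                findings.append((str(net), origin, f"origin differs from covering {cover}"))
    return findings
```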

Just to further add, Wireworks is no longer transiting blocks in the
170.208.0.0/16 block. The block appears to still be announced but not via
26346.