Romanian Spam Network with curious effects
I just noticed a new active spam network. When doing some deeper checks I was really astonished. There is a huge netrange (Romania) prepared for spamming. The netranges are:

176.121.24.0/21
176.121.32.0/19

Only half an hour after the mails arrived I took a look at a border gateway, but it says this network has no route. There are different AS numbers within the RIPE DB for these networks. The AS whois looks strange. Is there anyone out there who can give some hints about what is happening here?
In message <20130318224656.GA10805@work-lp.shlink.de>, Lutz Petersen <lp@shlink.de> wrote:
The AS whois looks strange. Is there anyone out there who can give some hints about what is happening here?
Yes. But what does it matter?
Not much you can do here. The LIRs involved need to be stopped from operating a cash-and-carry IP allocation service for spammers and botmasters, but that doesn't seem likely to happen.

--srs (htc one x)

On 19-Mar-2013 5:18 AM, "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
In message <20130318224656.GA10805@work-lp.shlink.de>, Lutz Petersen <lp@shlink.de> wrote:
The AS whois looks strange. Is there anyone out there who can give some hints about what is happening here?
Yes.
But what does it matter?
Ronald, it's a mystery to me, sorry. Maybe I did not make it clear enough what irritates me. Viewing BGP tables one doesn't see a single announcement for this netblock. Traces all end, obviously, at the default null route in core routers. This seems to be one of the cases where nets are only announced when spinning out short-time spam waves; one can see this by comparing older logs.

But: reverse delegation from RIPE for these nets has been done to two nameservers, 176.121.32.2 and 176.121.32.3. Even though there does not exist a BGP entry, these nameservers can be asked and give an answer:

# sh ip bgp 176.121.32.2
% Network not in table

# host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
Using domain server:
Name: ns2.alvinemove.info.
Address: 176.121.32.3#53

2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.

What may be the trick with that?
Dear Lutz, I may misunderstand you, but see below.
It's a mystery to me, sorry. Maybe I did not make it clear enough what irritates me. Viewing BGP tables one doesn't see a single announcement for this netblock. Traces all end, obviously, at the default null route in core routers. This seems to be one of the cases where nets are only announced when spinning out short-time spam waves; one can see this by comparing older logs.

But: reverse delegation from RIPE for these nets has been done to two nameservers, 176.121.32.2 and 176.121.32.3. Even though there does not exist a BGP entry, these nameservers can be asked and give an answer:

# sh ip bgp 176.121.32.2
% Network not in table
This only says _your_ router does not have it in the BGP. I suspect though that you do have a default route, so sh ip route 176.121.32.2 would give you some answer.

Please note that the network _is_ advertised (as 176.121.32.0/24 at present), see http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&query=1&arg=176.121.32.2 for example.

I hope this helps.

Best regards,
Janos
# host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
Using domain server:
Name: ns2.alvinemove.info.
Address: 176.121.32.3#53

2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.

What may be the trick with that?
Dear All,

In order to get more information about this block, you can also take a look at RIPEstat, which shows the routing status and history very nicely: https://stat.ripe.net/176.121.32.2#tabId=routing

Regards,
Robert Kisteleki
RIPE NCC R&D

On 2013.03.19. 8:49, Janos Zsako wrote:
Dear Lutz,
I may misunderstand you, but see below.
It's a mystery to me, sorry. Maybe I did not make it clear enough what irritates me. Viewing BGP tables one doesn't see a single announcement for this netblock. Traces all end, obviously, at the default null route in core routers. This seems to be one of the cases where nets are only announced when spinning out short-time spam waves; one can see this by comparing older logs.

But: reverse delegation from RIPE for these nets has been done to two nameservers, 176.121.32.2 and 176.121.32.3. Even though there does not exist a BGP entry, these nameservers can be asked and give an answer:

# sh ip bgp 176.121.32.2
% Network not in table
This only says _your_ router does not have it in the BGP. I suspect though that you do have a default route. So sh ip route 176.121.32.2 would give you some answer.
Please note that the network _is_ advertised (as 176.121.32.0/24 at present), see http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC001&query=1&arg=176.121.32.2
for example.
I hope this helps.
Best regards, Janos
# host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
Using domain server:
Name: ns2.alvinemove.info.
Address: 176.121.32.3#53

2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.

What may be the trick with that?
On Tue, Mar 19, 2013 at 10:51 AM, Lutz Petersen <lp@shlink.de> wrote:
# sh ip bgp 176.121.32.2
% Network not in table

# host -t ptr 2.34.121.176.in-addr.arpa. ns2.alvinemove.info.
Using domain server:
Name: ns2.alvinemove.info.
Address: 176.121.32.3#53

2.34.121.176.in-addr.arpa domain name pointer rented-2.beggarlyout.info.
suresh@frodo 01:01:32 <~> $ whois -h whois.ripe.net DSCNET | perl ./iprange2cidr.pl
31.133.24.0/21
46.151.32.0/21
91.226.52.0/22
91.240.154.0/24
91.240.156.0/22
91.246.172.0/22
91.246.176.0/20
91.246.192.0/21
91.246.200.0/23
94.232.96.0/21
176.102.120.0/21
176.111.0.0/21
176.115.224.0/20
176.121.32.0/20

--
Suresh Ramasubramanian (ops.lists@gmail.com)
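Two checks from this thread are worth having as a script rather than a looking-glass click: Janos's point that "% Network not in table" on one router says nothing about what the RIS collectors see (the /19 was visible only as a single 176.121.32.0/24 more-specific), and Suresh's conversion of whois inetnum ranges into CIDR blocks. The script below is an added example, not code from the thread and not Suresh's iprange2cidr.pl. Everything in it is constructed: the whois text, the announced-prefix table (modelled on what a RIS looking glass or RIPEstat would return, with a single /24 visible out of the /19) and the origin ASNs 64496/64497 from the documentation range are all hypothetical; netnames are invented. Run against live data, the whois text would come from `whois -h whois.ripe.net` and the announced table from RIPEstat.

```python
"""Added example: check RIPE allocations against announced prefixes.

Constructed sample data only; whois text, announced prefixes and ASNs
(64496/64497 from the documentation range) are hypothetical.
"""
import ipaddress
import re

# Constructed whois output in RIPE inetnum format (hypothetical, not a real query result).
SAMPLE_WHOIS = """\
inetnum:        176.121.32.0 - 176.121.63.255
netname:        EXAMPLE-NET-A
country:        RO

inetnum:        31.133.24.0 - 31.133.31.255
netname:        EXAMPLE-NET-B

inetnum:        192.0.2.8 - 192.0.2.23
netname:        EXAMPLE-NET-C
"""

# Constructed table of currently announced prefixes with origin ASN, the shape of
# data a RIS looking glass or RIPEstat returns (hypothetical values).
SAMPLE_ANNOUNCED = [
    ("176.121.32.0/24", 64496),   # only one /24 of the /19 allocation is visible
    ("31.133.24.0/21", 64497),    # whole allocation announced
]


def parse_inetnum_ranges(whois_text):
    """Extract (first, last) address pairs from inetnum: lines."""
    pairs = []
    for m in re.finditer(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", whois_text, re.M):
        pairs.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
    return pairs


def range_to_cidrs(first, last):
    """Convert an inclusive address range to the minimal list of CIDR blocks."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def whois_to_cidrs(whois_text):
    """inetnum ranges -> flat list of CIDR strings (the iprange2cidr step)."""
    cidrs = []
    for first, last in parse_inetnum_ranges(whois_text):
        cidrs.extend(range_to_cidrs(first, last))
    return cidrs


def covering_announcement(addr, announced):
    """Longest-prefix match of addr against the announced prefixes.

    Returns (prefix, asn) of the most specific covering announcement, or None
    when nothing covers it (the equivalent of '% Network not in table').
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, asn in announced:
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None


def allocation_coverage(cidr, announced):
    """Fraction of an allocated block that is announced, plus the announcements.

    A covering less-specific counts as 1.0; otherwise the more-specifics inside
    the allocation are summed, so a /19 with a single /24 visible scores 1/32.
    """
    alloc = ipaddress.ip_network(cidr)
    covered = 0
    parts = []
    for pfx, asn in announced:
        net = ipaddress.ip_network(pfx)
        if alloc.subnet_of(net):
            return 1.0, [(str(net), asn)]
        if net.subnet_of(alloc):
            covered += net.num_addresses
            parts.append((str(net), asn))
    return covered / alloc.num_addresses, parts


def report(whois_text, announced):
    """Per allocation: (cidr, coverage fraction, visible announcements)."""
    return [(c,) + allocation_coverage(c, announced) for c in whois_to_cidrs(whois_text)]


if __name__ == "__main__":
    for cidr, frac, parts in report(SAMPLE_WHOIS, SAMPLE_ANNOUNCED):
        print(f"{cidr:20} announced {frac:6.1%} via {parts or 'nothing'}")
    # The reverse-DNS server sits inside the visible /24, the PTR'd host does not.
    for host in ("176.121.32.3", "176.121.34.2"):
        print(host, "->", covering_announcement(host, SAMPLE_ANNOUNCED))
```

With the constructed table, 176.121.32.3 (the nameserver that answered Lutz's PTR query) resolves to the /24 announcement while 176.121.34.2 (the address whose PTR was returned) gets None, which is the pattern the thread describes: the delegated nameservers stay reachable through a small announced slice while the rest of the allocation is dark until it is needed for a spam run. A low coverage fraction on a large allocation is the number to alert on; a re-run of the same report over RIPEstat's routing history shows when the missing more-specifics appear and vanish.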
Participants (5):
- Janos Zsako
- Lutz Petersen
- Robert Kisteleki
- Ronald F. Guilmette
- Suresh Ramasubramanian