Hi,

we receive Spam from some networks we cannot find any whois record for.

An example: 62.61.196.0 (we found about 1000 networks like this)

ARIN's whois says it's RIPE
RIPE's whois says it's AFRINIC
LACNIC also says it's AFRINIC

but AFRINIC's whois says it's "world-wide" ...

So, where is this really allocated to and where can we find a whois record for those networks?
Unallocated, but still in use by somebody?
Anybody an idea?

Here are the whois records:

ARIN:
NetRange: 62.0.0.0 - 62.255.255.255
CIDR: 62.0.0.0/8
OriginAS:
NetName: RIPE-C3
NetHandle: NET-62-0-0-0-1

RIPE:
inetnum: 62.61.192.0 - 62.61.255.255
org: ORG-AFNC1-RIPE
netname: AFRINIC-NET-TRANSFERRED-20050223
descr: This network has been transferred to AFRINIC
remarks: These IP addresses are assigned in the AFRINIC region.

AFRINIC:
inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-AFRINIC

Kind regards, Frank

--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de
Schinkelstrasse 17 fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921
======================================================================
I don't think that IP is even announced - the /24 is not in the routing table at all.

Did you get some spam from any specific IP in there?

On Mon, Mar 26, 2012 at 1:30 PM, Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:

Hi,

> I don't think that IP is even announced - the /24 is not in the routing table at all.

It could be that this specific network was announced once and isn't anymore today.

> Did you get some spam from any specific IP in there?

Yes. And true for all those networks (once we got a connect from those IPs).
I'm trying to find a few that are really routed somewhere and really have no whois, but that needs a bit of programming first ...

My main question was why ARIN and LACNIC are saying that they belong to RIPE, and RIPE is saying that they belong to AFRINIC, and AFRINIC is saying that they are worldwide.

Should AFRINIC not say that they are unassigned, where they belong to them and aren't used right now? Instead of saying that they are worldwide?

Should not any resource belong to one of the RIRs (even if it's PI space)?

Kind regards, Frank
-----Original Message-----
From: anti-abuse-wg-bounces@ripe.net [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of Frank Gadegast
Sent: Monday, March 26, 2012 12:44 PM
To: anti-abuse-wg@ripe.net

> Should not any resource belong to one of the RIRs (even if it's PI space)?

In the interest of picking nits: a number of /8 prefixes were allocated to non-RIR entities between 1991 and 1998 (look for 'LEGACY' status at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). The network you mentioned is not in any of those ranges though.

--
Thor Kottelin
http://www.anta.net/
hi!

On 03/26/2012 11:43 AM, Frank Gadegast wrote:

> It could be that this specific network was announced once and isn't anymore today.

ris says:
(first seen) (last seen)
62.61.192.0/18 25512 CDT-AS CD-Telematika a.s. 2012-01-23 07:45:22 UTC 2012-03-16 11:38:08 UTC

> My main question was why ARIN and LACNIC are saying that they belong to RIPE, and RIPE is saying that they belong to AFRINIC, and AFRINIC is saying that they are worldwide.

well, arin doesn't get it, ripe and lacnic are consistent. i don't find this surprising.
0/0 matches any address, and discussing the actual content of an 'all' allocation wouldn't help anyone i guess... that there's no assignment simply seems to be true.

> Should not any resource belong to one of the RIRs (even if it's PI space)?

it's obvious it's allocated to afrinic. i think a rir's whois policy on its own allocation objects isn't really relevant for users. at least when it's not 'my' RIR i wouldn't feel like it's my business...

regards,
Chris
What is an ASN belonging to an obscure provider in Prague, the Czech Republic, doing announcing Lacnic ASNs anyway? :)

On Mon, Mar 26, 2012 at 3:31 PM, Chris <chrish@consol.net> wrote:

> ris says:
> (first seen) (last seen)
> 62.61.192.0/18 25512 CDT-AS CD-Telematika a.s. 2012-01-23 07:45:22 UTC 2012-03-16 11:38:08 UTC
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Dear Colleagues,

The IP address 62.61.192.0 - 62.61.255.255 was allocated to an organisation in Algeria and registered in the RIPE Database. So the entries in ARIN and LACNIC Databases were originally correct, but need to be updated.

It was transferred from the RIPE Database to AfriNIC as part of the set up of the Afrinic Registry in 2005. That is why the RIPE Database entry says "This network has been transferred to AFRINIC" and has the netname "AFRINIC-NET-TRANSFERRED-20050223". Any questions about the current status of these addresses should be directed to AfriNIC.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

On 26/03/12:14 11:43 AM, Frank Gadegast wrote:
Hello all,

<I work for LACNIC>

I will report the issue with the WHOIS data for this block to our WHOIS maintenance team.

On the other hand, I am currently doing some research work into hijackings, and while I expect to present more detailed results in a month or so, this ASN from an organization named Telematika consistently appears in the hijacking cases I've been able to identify so far.

Even more, Telematika has announced the whole of 191/8 several times during the past months. 191/8 is an ERX block that was assigned to LACNIC when the ERX space was returned/given to the RIRs. It's not being currently used for *any* purpose, it's in reserve and it should not appear in any routing table.

So, in short, yes, the Telematika guys are up to no good. My evil twin would just filter their whole ASN out, but maybe the responsible thing to do first would be contacting them.

Warm regards,
Carlos

On 3/26/12 7:16 AM, Denis Walker wrote:
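Added example, not part of the original thread or any poster's code: one way to automate the lookup problem from the first message is to parse every registry's answer, keep the records that cover the source IP, and treat /8-or-larger blocks and "TRANSFERRED" placeholders as "no assignment found". The classification thresholds and the function names are assumptions; the whois text is copied from the first message and trimmed to the fields used.

```python
import ipaddress

# Whois answers as quoted in the first message (trimmed to the fields used here).
ANSWERS = {
    "ARIN": "NetRange: 62.0.0.0 - 62.255.255.255\nCIDR: 62.0.0.0/8\nOriginAS:\nNetName: RIPE-C3",
    "RIPE": "inetnum: 62.61.192.0 - 62.61.255.255\norg: ORG-AFNC1-RIPE\n"
            "netname: AFRINIC-NET-TRANSFERRED-20050223",
    "AFRINIC": "inetnum: 0.0.0.0 - 255.255.255.255\nnetname: IANA-BLK\norg: ORG-IANA1-AFRINIC",
}

def parse(text):
    """Extract the address range and netname from one whois answer."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skip empty attributes such as "OriginAS:"
            fields.setdefault(key.strip().lower(), value.strip())
    first, last = (ipaddress.ip_address(p.strip())
                   for p in (fields.get("inetnum") or fields["netrange"]).split("-"))
    return {"first": first, "last": last, "size": int(last) - int(first) + 1,
            "netname": fields.get("netname", "")}

def classify(rec):
    """Heuristic (assumption): /8-or-larger ranges and transfer markers are not assignments."""
    if rec["size"] >= 2 ** 24:
        return "registry-block"
    if "TRANSFERRED" in rec["netname"].upper():
        return "transferred"
    return "assignment"

def covering_records(ip, answers):
    """Records containing ip, most specific (smallest range) first."""
    ip = ipaddress.ip_address(ip)
    hits = []
    for source, text in answers.items():
        rec = parse(text)
        if rec["first"] <= ip <= rec["last"]:
            hits.append((rec["size"], source, classify(rec)))
    return sorted(hits)

def has_assignment(ip, answers):
    """True only if some registry returned an actual assignment for ip."""
    return any(kind == "assignment" for _, _, kind in covering_records(ip, answers))

if __name__ == "__main__":
    for size, source, kind in covering_records("62.61.196.0", ANSWERS):
        print(f"{source:8} {size:>10} addresses  {kind}")
    print("assignment found:", has_assignment("62.61.196.0", ANSWERS))
```

For 62.61.196.0 the most specific record is RIPE's transfer placeholder and no registry returns an assignment, which is the situation described in the thread.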
participants (6)
- Carlos Martinez-Cagnazzo
- Chris
- Denis Walker
- Frank Gadegast
- Suresh Ramasubramanian
- Thor Kottelin