hosting with anonymous whois
Hello!

Today I got a spam for pillz (CAPRXPHARMACY.RU) 'hosted' at IP 84.22.104.117. This IP is of course listed at Spamhaus:

http://www.spamhaus.org/sbl/query/SBL99505

and this 'hoster' has a very long list (118 entries) at Spamhaus:

http://www.spamhaus.org/sbl/listings/cb3rob.net

and is on place no. 1 at Spamhaus:

http://www.spamhaus.org/statistics/networks/

Whois says:

address: Customer did not enter their own contact details yet

A research says:

Ministry of Telecommunications, One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker
C/O
CB3ROB LLTC. Company reg. #8 CyberBunker trade register. One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker

So is it really possible to get an IP block with anonymous whois entries at RIPE?

Best regards,
- Karl-Josef Ziegler
On Sat, Jan 12, 2013 at 08:43:11PM +0100, Karl-Josef Ziegler wrote:
> Hello!
>
> Today I got a spam for pillz (CAPRXPHARMACY.RU) 'hosted' at IP 84.22.104.117. This IP is of course listed at Spamhaus:
>
> http://www.spamhaus.org/sbl/query/SBL99505
>
> and this 'hoster' has a very long list (118 entries) at Spamhaus:
>
> http://www.spamhaus.org/sbl/listings/cb3rob.net
>
> and is on place no. 1 at Spamhaus:
>
> http://www.spamhaus.org/statistics/networks/
>
> Whois says:
>
> address: Customer did not enter their own contact details yet
>
> A research says:
>
> Ministry of Telecommunications, One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker
> C/O
> CB3ROB LLTC. Company reg. #8 CyberBunker trade register. One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker
>
> So is it really possible to get an IP block with anonymous whois entries at RIPE?

The inetnum object for 84.22.104.112/29 was created by 'CUSTOMER-RESOURCES-MNT' which are the criminals themselves, so the question should probably be rephrased into: "How can it happen that a criminal group can keep resources allocated for such a long time, and how can it happen that they can still find companies allowing them to connect to the Internet?".

The first question is probably more relevant for law enforcement than for RIPE NCC, the second seems related with greediness and corporate dumbness winning over ethics and reputation.

See also: http://www.spamhaus.org/news/article/673/ , http://www.theregister.co.uk/2011/10/20/spamhaus_a2b_row/ .

According to the Spamhaus article, transit providers connecting CB3ROB up to October 2011 included Ecatel.net, Grafix.nl, datahouse.nl and the famous a2b-internet.com who even fought back antiabuse organizations rather than thanking them. After those, it was the turn of Inteliquent (former TINET) and Tata Communications, still connecting them. CB3ROB is also connected through Idear4business which is another very questionable outfit.

furio
Karl-Josef,

On Saturday, 2013-01-12 20:43:11 +0100, Karl-Josef Ziegler <kjz@gmx.net> wrote:
> Today I got a spam for pillz (CAPRXPHARMACY.RU) 'hosted' at IP 84.22.104.117.
>
> So is it really possible to get an IP block with anonymous whois entries at RIPE?

The parent block refers to this organisation object:

organisation: ORG-CA76-RIPE
org-name: CB3ROB Ltd. & Co. KG
org-type: LIR
address: CB3ROB Ltd. & Co. KG Hostmaster Koloniestrasse 34 D-13359 BERLIN GERMANY
phone: +31878747479

A quick Google search reveals what seems to be the home page:

http://www.cb3rob.net/

According to the RIPE policy:

All assignments and allocations must be registered in the RIPE Database. This is necessary to ensure uniqueness and to support network operations. Only allocations and assignments registered in the RIPE Database are considered valid. Registration of objects in the database is the final step in making an allocation or assignment. Registration data (range, contact information, status etc.) must be correct at all times (i.e. they have to be maintained).

They only have 2 assignments which are not obviously at a fictitious address, so they seem to be in violation here.

I guess the best thing to do is ask for an audit?

http://www.ripe.net/ripe/docs/audit

Cheers,

--
Shane

participants (3)
- furio ercolessi
- Karl-Josef Ziegler
- Shane Kerr