(Long) rant about some LIRs in RIPE region, most likely linked to RFG's earlier email
Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All the information below is public, easy to find and Google Translate seems to work most of the time.

From what I know, Jump.RO's business model is to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not *sub-allocate*, not *assign* or similar terms. They don't ask too many questions. They give you IPs faster than other LIRs. They market this as being professional.

All of the Jump.RO's sub-allocations (that I've seen in whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be used when the range is assigned to an end user for services provided by the issuing LIR. This is probably not the case because except the (new) annual fee for the registration service there are no other services provided by that LIR to the end user.

Most of Jump.RO's "end users" are in fact small ISPs that can't afford the RIPE membership fees and bypass the rules of not using PI space for customers by deaggregating Jump's IP space. I don't know about the 12k number, but they have a large client base in the country and neighboring countries.

I also think that Jump is aware of their IPs being in use by spammers as they advertise on their website that new and unused IP blocks cost about 2 times more than "used" ones. They also note that the previously "used" PA space is checked with "MxToolBox" in 120 anti-spam lists [2].

Even though Jump.RO's business model isn't exactly in the spirit of the RIPE region rules or following best practices (no prefix aggregation, but their excuse is that they are not the only ones doing it), I don't think that they are willing to risk their LIR status by defending known spam operations, so reporting well documented cases of false information provided during registration first to RIPE and then to them would probably get them to withdraw the PA from that customer. The ranges found by you clearly suggest that fake information has been used. Only "under construction" sites, nobody ever heard of those companies, all using same ISPs.

With all this said about ro.registry (Jump.RO's LIR id) I'd like to add the following. There are entire LIRs with very large IP allocations and suspicious activities. I'll just list here a few:

(RIPE allocation list publicly available here [3])

The first candidate that pops up is ro.visnet (VisNetwork Media SRL). According to their web page [4] they are a pretty large ISP with over 300 experienced employees and over 30 vehicles used for interventions and installations. They provide no CIF (Romanian for Fiscal Identification Code) or other identifying information, but the company is valid and has CIF 25083281.

According to the Romanian Trade Register [5], the company named VisNetwork Media SRL with Fiscal Identification Code 25083281 is registered since February 2009, has no employees (where did those 300 professionals go?) and has registered for the 2011 fiscal year expenses of roughly about 3000 EUR (this value is around the value of the RIPE maintenance fees) and an amazing income of 100 EUR. Also, they are not registered with ANCOM [6] (Romanian National Agency for Management and Regulation in Communications), so they are not a real ISP.

They have received from RIPE the following IP space:

    20090624 188.170.0.0/16 ALLOCATED PA
    20100713 46.49.128.0/17 ALLOCATED PA
    20110404 31.173.0.0/16 ALLOCATED PA
    20110707 146.0.128.0/17 ALLOCATED PA
    20110707 146.0.32.0/19 ALLOCATED PA
    20111012 128.234.0.0/16 ALLOCATED PA
    20120113 37.56.0.0/16 ALLOCATED PA
    20120405 37.224.0.0/16 ALLOCATED PA
    20120730 5.163.0.0/16 ALLOCATED PA
    20121113 185.9.244.0/22 ALLOCATED PA
    20110331 2a03:4100::/29

With this much IP space I would think they must have at least a few LARGE cities covered, but nobody ever heard of them or their professional employees.

Also, because apparently their IPs were not enough and their employees seem that they couldn't handle hosting their main website, their website is hosted on IP ranges from another LIR.

    visnet.ro has address 77.36.59.10
    inetnum: 77.36.59.0 - 77.36.59.255
    netname: ROSITE-EQUIPMENTS

The second obvious candidate for our small investigation is, as you might have guessed, ro.rosite (RoSite Equipment SRL). Information about their deaggregation habits can be found here [7].

According to the Trade Register, ROSITE EQUIPMENT SRL has CIF 17352052 and is a registered company since March 2005. They are registered as an ISP at ANCOM, but with a different company name (ROSITE NET SRL). Their second company, the one registered as an ISP, ROSITE NET SRL has CIF 13669105 and is a registered company since January 2001.

The larger company, not the ISP, received from RIPE a large number of IP addresses:

    20090706 188.119.128.0/18 ALLOCATED PA
    20090813 188.74.128.0/18 ALLOCATED PA
    20091223 188.74.192.0/18 ALLOCATED PA
    20100325 62.216.64.0/19 ALLOCATED PA
    20100628 178.157.64.0/18 ALLOCATED PA
    20110712 146.158.128.0/17 ALLOCATED PA
    20110712 146.66.208.0/20 ALLOCATED PA
    20120105 37.35.128.0/17 ALLOCATED PA
    20120105 37.35.32.0/19 ALLOCATED PA
    20120724 5.157.128.0/17 ALLOCATED PA
    20101217 2a03:8800::/32

On the third place in our list we have ro.swift (now Media Trend Sistem SRL, formerly using the company Swift Marketing SRL).

Swift Marketing SRL (nice name, huh?) was deleted from the Trade Registry in May 2011. During 2010 they had 0 employees. The new company, Media Trend Sistem SRL (CIF 26301830) is registered since December 2009 and was known under another name (not publicly available) until changing its name to the current one in December 2010. They are also not registered as an ISP with ANCOM and had 0 employees in 2011.

This didn't seem to stop them from receiving the following IP ranges from RIPE:

    20070730 78.95.0.0/16 ALLOCATED PA
    20080319 93.168.0.0/15 ALLOCATED PA
    20090303 95.218.0.0/15 ALLOCATED PA
    20110518 2a00:aa80::/32

Another interesting Romanian LIR is ro.ssnet (SISTEM SOFT NETWORK SRL).

The company is registered with the Trade Register with CIF 24496484 since September 2008, had in 2011 only 1 employee and is not a registered ISP with ANCOM. They became LIR just a few months before the final /8 was reached in RIPE region. They only got from RIPE this /15:

    20120719 5.154.0.0/15 ALLOCATED PA

They also seem to like deaggregating very much [8], now originating 369 prefixes.

Now with all this in sight I suppose the ro.registry issue of about an /14 block seems a rather small issue.

[1] https://www.ripe.net/ripe/docs/ripe-553
[2] http://www.ip.ro/ip.html
[3] ftp://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt
[4] http://www.visnet.ro/despre/
[5] http://www.mfinante.ro/agenticod.html
[6] http://www.ancom.org.ro/furnizoricomunicatii-electronice_133
[7] http://bgp.he.net/AS49687#_prefixes
[8] http://bgp.he.net/AS56465#_prefixes
On Tuesday 15 January 2013 18.13, Vasile Capdefier wrote:
Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All the information below is public, easy to find and Google Translate seems to work most of the time.
From what I know, Jump.RO's business model is to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not *sub-allocate*, not *assign* or similar terms. They don't ask too many questions. They give you IPs faster than other LIRs. They market this as being professional.
All of the Jump.RO's sub-allocations (that I've seen in whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be used when the range is assigned to an end user for services provided by the issuing LIR. This is probably not the case because except the (new) annual fee for the registration service there are no other services provided by that LIR to the end user.
Most of Jump.RO's "end users" are in fact small ISPs that can't afford the RIPE membership fees and bypass the rules of not using PI space for customers by deaggregating Jump's IP space. I don't know about the 12k number, but they have a large client base in the country and neighboring countries.
I also think that Jump is aware of their IPs being in use by spammers as they advertise on their website that new and unused IP blocks cost about 2 times more than "used" ones. They also note that the previously "used" PA space is checked with "MxToolBox" in 120 anti-spam lists [2].
Even though Jump.RO's business model isn't exactly in the spirit of the RIPE region rules or following best practices (no prefix aggregation, but their excuse is that they are not the only ones doing it), I don't think that they are willing to risk their LIR status by defending known spam operations, so reporting well documented cases of false information provided during registration first to RIPE and then to them would probably get them to withdraw the PA from that customer. The ranges found by you clearly suggest that fake information has been used. Only "under construction" sites, nobody ever heard of those companies, all using same ISPs.
With all this said about ro.registry (Jump.RO's LIR id) I'd like to add the following. There are entire LIRs with very large IP allocations and suspicious activities. I'll just list here a few:
(RIPE allocation list publicly available here [3])
Thank you very much, another 1111040 addresses added to my spamblock list.

<snipped to save some bandwidth>

--
Peter Håkanson

There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )
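Added example, not part of any message in this thread: a tally of the IPv4 space in the allocation records listed in the first message, grouped by LIR id and collapsed into the smallest set of prefixes, which reproduces the 1111040 figure quoted in the reply above. The function and variable names are illustrative.

```python
import ipaddress

# Prefixes copied from the allocation records in the first message of this
# thread, keyed by the LIR ids it names (dates and status column dropped).
ALLOCATIONS = {
    "ro.visnet": "188.170.0.0/16 46.49.128.0/17 31.173.0.0/16 146.0.128.0/17 "
                 "146.0.32.0/19 128.234.0.0/16 37.56.0.0/16 37.224.0.0/16 "
                 "5.163.0.0/16 185.9.244.0/22 2a03:4100::/29",
    "ro.rosite": "188.119.128.0/18 188.74.128.0/18 188.74.192.0/18 "
                 "62.216.64.0/19 178.157.64.0/18 146.158.128.0/17 "
                 "146.66.208.0/20 37.35.128.0/17 37.35.32.0/19 "
                 "5.157.128.0/17 2a03:8800::/32",
    "ro.swift": "78.95.0.0/16 93.168.0.0/15 95.218.0.0/15 2a00:aa80::/32",
    "ro.ssnet": "5.154.0.0/15",
}


def ipv4_summary(allocations=ALLOCATIONS):
    """Return {lir: (ipv4_address_count, collapsed_ipv4_prefixes)}."""
    summary = {}
    for lir, text in allocations.items():
        # strict=True rejects a prefix with host bits set (a transcription error).
        nets = [ipaddress.ip_network(p, strict=True) for p in text.split()]
        v4 = [n for n in nets if n.version == 4]  # IPv6 is left out of the count
        # collapse_addresses merges adjacent or overlapping blocks, so nothing
        # is counted twice and the resulting list is minimal.
        collapsed = list(ipaddress.collapse_addresses(v4))
        summary[lir] = (sum(n.num_addresses for n in collapsed), collapsed)
    return summary


def total_ipv4(summary):
    """Sum the IPv4 address counts across all LIRs in the summary."""
    return sum(count for count, _ in summary.values())


if __name__ == "__main__":
    result = ipv4_summary()
    for lir, (count, prefixes) in result.items():
        print(f"{lir:10} {count:>8} addresses in {len(prefixes)} prefixes")
    print("total", total_ipv4(result))
```

Only the two adjacent ro.rosite /18s (188.74.128.0/18 and 188.74.192.0/18) merge, into a single /17; every other allocation is already a distinct block.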
In message <1358270019.95063.YahooMailNeo@web171606.mail.ir2.yahoo.com>, Vasile Capdefier <vasile.capdefier@yahoo.co.uk> wrote:
Disclaimer: this is just my POV, I didn't investigate (too) much/deep...
That's all very interesting information, however with the exception of the various fraudulent ASNs that I reported, all tied in very substantial ways to JUMP.RO itself, the only other one of the Romanian entities that you named that I have been aware of, in the past, as being at the root of either security or spam issues is Swift Marketing SRL.

Regards,
rfg

P.S. Someone (I don't know who) took it upon himself/herself to file a report... or perhaps several reports... relating to the report that I posted here yesterday, with RIPE NCC. As a result, my inbox this morning contained (in addition to a couple of messages from friends and the usual smattering of spam) no fewer than SEVENTEEN separate automated messages from RIPE NCC, asking me to click on various URLs/links in order to confirm my report(s) to the RIPE NCC.

It seems to me that there are only two plausible explanations for this:

1) Some unhelpful person filed a report with RIPE NCC regarding my allegations, but used my name and e-mail address when filing the report, and then RIPE NCC's automated system for responding to such reports went bonkers and decided to send me seventeen separate requests to confirm ``my'' report. (In this case, some programmer @ RIPE should really fix their broken report handling system.)

2) Some unhelpful person or set of persons elected to file seventeen separate reports relating to my allegations with RIPE NCC, using my name and my e-mail address in all cases in order to make it look like the reports came from me (which they didn't), thus causing me to receive a mini-mailbomb from RIPE NCC.

In either case it would appear that someone is improperly filing reports while pretending to be me, and I would ask that whoever is doing this to please stop. Doing this is rather utterly pointless because I will *not* be responding in any way to RIPE's seventeen requests to me to confirm the validity of ``my'' report(s) to them.

(Note that even if I was feeling generous, I would not do so because the automated messages to me from RIPE do not give any indication of what is actually in the reports that I am being asked to validate! For all I know, some miscreant may have filed a report with RIPE claiming that the moon is made of green cheese. If I validated that, using RIPE's automated system, then effectively *I* would be responsible for filing that preposterous and utterly irrelevant claim with RIPE.)

If anyone wants to make a report to RIPE NCC about any of the material that I posted here yesterday, please be my guest. However please have the courtesy to use your own name and e-mail address when doing so, not mine.
participants (3): peter h, Ronald F. Guilmette, Vasile Capdefier