On 10 Dec 2019, at 16:58, Roland Perry wrote:
In message <6C247001-B2CB-4CFD-818B-E31EC48D9134@ripe.net>, at 16:01:41 on Tue, 10 Dec 2019, Daniel Karrenberg <dfk@ripe.net> writes
On 10 Dec 2019, at 13:15, Roland Perry wrote:
… How do I as (nowadays anyway, an outsider) access such historic snapshots of the IP address range, before today's ISP acquired them?
Is this a 'service' that RIPE NCC offers (and hence my question in this forum). …
Type in the prefix concerned.
Thanks, Daniel. As ever you are a star!
The stars are the engineers who make RIPEstat work. I was just the initial instigator to set this up.
The ‘Anti-abuse’ tab lists some well known blacklists, also historically.
But shows nothing. (Nor had my earlier searches elsewhere.)
We cannot possibly cover all blacklists. It is just an indication. We may add more public blacklists on suggestion.
The block that a friend encountered yesterday, and made me decide to look into this further, was from Hootsuite, which is a social media management platform.
Ones that had been previously mentioned by other users include Adobe, PayPal and Eventbrite.
Those usually do not publish their prejudices …. :-(
The ‘Database’ tab has registration and allocation history.
Which suggests an allocation to the ISP in July 2015...
That’s what I read into that. So I guess the customer should complain to the ISP.
The ‘Routing’ tab has routing history.
...and to customers on 11th March 2019. Which together *doesn't* match a theory of either recent acquisition, nor a hangover from dirty usage.
I read the same.
In my experience all this goes a long way to get a good picture of the address space concerned.
It would be helpful if you told the list whether this would have warned this particular end-user had they or their consultants looked at it.
Nothing leaps out at me.
Not really in this case.
Which leaves the question of where the data being acted on by the undoubtedly active block lists originated. But could explain why it's apparently difficult to expunge, if it's of unknown source.
The name 'Globalprotect' was also mentioned.
My next theory is that it's not a poorly sanitised transfer of IP addresses, but some glitch in the blacklisting process.
That’s what I would go with. I have heard similar stories. If you are inclined towards conspiracies it may also be deliberate poisoning. I have seen evidence of this in the past. Also some of this may be based on goofy geolocation. My family server for instance suddenly seems to be regarded by some as somewhere in Russia even though it has not moved from Germany in years. This way I can practise my hardly existent Russian by trying to decipher the Google ads. ;-)

Daniel