Announcing a reserved ASN?
AS23456 is currently announcing a good few netblocks (which don't have a very good SMTP reputation, by the way). Funny thing is, that's a special use ASN as per RFC 4893, something about two octet ASNs that don't have a four octet representation.

Only one upstream (airtelbroadband-as-ap, AS24560) that I can see:

    103.7.204.0/22
    103.14.208.0/22
    103.23.124.0/22
    103.30.12.0/22
    103.245.112.0/22
    111.235.148.0/22
    177.55.249.0/24
    186.251.192.0/21

--srs (htc one x)
Announcing a reserved ASN?
At least the 103.x which are announced by Airtel. The other netblocks (one Indian and two Brazilian) appear unrelated though also showing AS23456.

--srs (htc one x)

On 03-Feb-2013 6:12 PM, Suresh Ramasubramanian <ops.li...@gmail.com> wrote:
> AS23456 is currently announcing a good few netblocks (which don't have a very good SMTP reputation, by the way). [...]

--
--srs (iPad)
Re: Announcing a reserved ASN?
On Sun, Feb 03, 2013 at 06:12:32PM +0530, Suresh Ramasubramanian wrote:
> AS23456 is currently announcing a good few netblocks (which don't have a very good SMTP reputation, by the way).

To say the least. A quick rDNS scan reveals that those netblocks include:

    8448 addresses
    6932 return NXDOMAIN
     512 return SERVFAIL
    1004 with rDNS entries

Those 1004 hosts with rDNS account for 36 domains:

    ainoutserver.net
    alphainfonet.com
    boxmatter.org
    clickcabin.com
    cloud-core.com
    contrymail.com
    coremail4you.org
    dealatmail.org
    deliver8mail.org
    deliverbox.org
    deliveryalive.org
    deliveryaverage.org
    emailadvisir.org
    emailpacts.com
    emailservercore.com
    emailvalue.co.in
    emailvalue.in
    fairmail4you.org
    financeofferpros.com
    globalmaildelivery.org
    inboxdelivery.org
    livemailservices.in
    nayasa.net
    newwaygain.com
    paydayloanforyou.net
    payloantoyou.com
    quickpaydaytoyou.net
    ready4deal.org
    realemail.org
    realemaildelivery.org
    sandeshdelivery.org
    sandeshfour.com
    sandeshone.com
    sandeshonline.org
    truemaildelivery.org
    warmmailcampaign.com

I'm sure they're all perfectly legitimate businesses.

---rsk
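The survey above is easy to reproduce. The following is an added example, not Rich's script: it enumerates every address in the eight prefixes from the thread, classifies each PTR answer as NXDOMAIN, SERVFAIL or a name, and rolls the names up to registrable domains. The resolver is a stand-in fed with a constructed PTR table (the hostnames reuse domains from the list above; the address assignments are invented) so the code runs offline; `fake_lookup`, `FAKE_PTR` and the tiny suffix table in `registrable_domain` are all assumptions of this example.

```python
"""Reverse-DNS survey of a set of prefixes: count addresses, classify each
PTR answer and roll names up to a registrable domain.  Added example, not
the poster's script; the resolver is a stand-in so it runs offline."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Tuple

# The eight prefixes quoted in the thread (5 x /22 + /22 + /24 + /21 = 8448 addresses).
NETBLOCKS = [
    "103.7.204.0/22", "103.14.208.0/22", "103.23.124.0/22", "103.30.12.0/22",
    "103.245.112.0/22", "111.235.148.0/22", "177.55.249.0/24", "186.251.192.0/21",
]

# Resolver contract: ("ok", name), ("nxdomain", None) or ("servfail", None).
Lookup = Callable[[str], Tuple[str, Optional[str]]]

# Constructed PTR table for the offline run.  A value of None models a
# zone that answers SERVFAIL; anything not listed answers NXDOMAIN.
FAKE_PTR: Dict[str, Optional[str]] = {
    "103.7.204.10": "mta1.sandeshone.com.",
    "103.7.204.11": "mta2.sandeshone.com.",
    "103.14.208.5": "out.emailvalue.co.in.",
    "177.55.249.7": None,
}


def fake_lookup(addr: str) -> Tuple[str, Optional[str]]:
    """Stand-in resolver over the constructed table (assumption of this example)."""
    if addr not in FAKE_PTR:
        return "nxdomain", None
    name = FAKE_PTR[addr]
    return ("servfail", None) if name is None else ("ok", name)


def address_count(prefixes: Iterable[str]) -> int:
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def registrable_domain(name: str) -> str:
    """Cut a PTR name down to its registrable domain.  The suffix table is a
    tiny stand-in; a real tool would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in {"co.in", "net.in", "com.br"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def survey(prefixes: Iterable[str], lookup: Lookup = fake_lookup) -> Dict[str, Counter]:
    """Walk every address in every prefix and tally rcodes and domains."""
    status: Counter = Counter()
    domains: Counter = Counter()
    for p in prefixes:
        for addr in ipaddress.ip_network(p):
            rcode, name = lookup(str(addr))
            status[rcode] += 1
            if rcode == "ok" and name:
                domains[registrable_domain(name)] += 1
    return {"status": status, "domains": domains}


if __name__ == "__main__":
    result = survey(NETBLOCKS)
    print(f"{address_count(NETBLOCKS)} addresses")
    for rcode in ("nxdomain", "servfail", "ok"):
        print(f"{result['status'][rcode]:6} {rcode}")
    print(f"{len(result['domains'])} domains:", ", ".join(sorted(result["domains"])))
```

To run it for real, pass `survey()` a lookup built on a resolver that distinguishes rcodes (with dnspython, `dns.resolver.resolve(dns.reversename.from_address(ip), "PTR")`, mapping `dns.resolver.NXDOMAIN` and `dns.resolver.NoNameservers` to the two failure codes); `socket.gethostbyaddr` collapses both failures into one error and cannot produce the NXDOMAIN/SERVFAIL split shown in the post.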
Re: Announcing a reserved ASN?
On 2/3/13 9:04 AM, Rich Kulawiec <r...@gsp.org> wrote:
> On Sun, Feb 03, 2013 at 06:12:32PM +0530, Suresh Ramasubramanian wrote:
>> AS23456 is currently announcing a good few netblocks (which don't have a very good SMTP reputation, by the way).
>
> To say the least. A quick rDNS scan reveals that those netblocks include:
>
>     8448 addresses
>     6932 return NXDOMAIN
>      512 return SERVFAIL
>     1004 with rDNS entries
>
> Those 1004 hosts with rDNS account for 36 domains:
> [snip long list of spammy domains]

Just as another data point, the domain names you listed hit on enough URL blacklists that SpamAssassin quarantined the message for me (and would have rejected it during the SMTP transaction had the NANOG server not been listed on DNSWL-High).

Spam hosts plus fake ASN = paging the Spamhaus DROP maintainers to the white courtesy phone.

--
Dave Pooser
Manager of Information Services
Alford Media
http://www.alfordmedia.com
Re: Announcing a reserved ASN?
I do believe, as has been pointed out to me elsewhere, that this is what shows up when there's a 64 bit ASN and router software that doesn't grok 64 bit ASNs. So, completely by chance, that one such AS belongs to what looks like a bulk mailer.

--srs (htc one x)

On 03-Feb-2013 9:02 PM, Dave Pooser <dave.na...@alfordmedia.com> wrote:
> Just as another data point, the domain names you listed hit on enough URL blacklists that SpamAssassin quarantined the message for me (and would have rejected it during the SMTP transaction had the NANOG server not been listed on DNSWL-High).
>
> Spam hosts plus fake ASN = paging the Spamhaus DROP maintainers to the white courtesy phone.
Re: Announcing a reserved ASN?
I strongly recommend that you read about and fully understand how 4-byte ASNs work, and their use of AS23456, before you continue this thread.

On Sun, 3 Feb 2013, Suresh Ramasubramanian wrote:
> I do believe, as has been pointed out to me elsewhere, that this is what shows up when there's a 64 bit ASN and router software that doesn't grok 64 bit ASNs. So, completely by chance, that one such AS belongs to what looks like a bulk mailer.

--
Brandon Ross
Yahoo AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
Re: Announcing a reserved ASN?
Some links:

http://www.nanog.org/meetings/nanog45/presentations/Tuesday/Hankins_4byteASN_N45.pdf
https://tools.ietf.org/html/rfc6793

On Sun, Feb 3, 2013 at 11:15 AM, Brandon Ross <br...@pobox.com> wrote:
> I strongly recommend that you read about and fully understand how 4-byte ASNs work, and their use of AS23456, before you continue this thread.
Re: Announcing a reserved ASN?
AS23456 is what you get if your system doesn't properly support 32-bit ASNs and an AS-PATH (or peer) uses a 32-bit ASN. There should be an extended attribute on the route that contains the full 32-bit AS-PATH, called AS4_PATH, associated with any such routes.

Arguably any route containing AS23456 without an AS4_PATH attribute is invalid and could be filtered. Unfortunately, routers that would display AS23456 instead of restoring the full 32-bit AS_PATH may not be able to identify this.

A properly transmitted route from a 4-byte ASN will be recovered as follows:

    91.217.86.0/23     *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                         AS path: 8121 1299 3209 197269 I
                         to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

    91.217.87.0/24     *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                         AS path: 8121 1299 174 23456 197269 I
                         to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some indication of a 4-byte ASN in the path, it's probably fishy.

On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.li...@gmail.com> wrote:
> At least the 103.x which are announced by Airtel. The other netblocks (one Indian and two Brazilian) appear unrelated though also showing AS23456.
>
> --srs (htc one x)
>
> On 03-Feb-2013 6:12 PM, Suresh Ramasubramanian <ops.li...@gmail.com> wrote:
>> AS23456 is currently announcing a good few netblocks (which don't have a very good SMTP reputation, by the way). Funny thing is, that's a special use ASN as per RFC 4893, something about two octet ASNs that don't have a four octet representation.
>>
>> Only one upstream (airtelbroadband-as-ap, AS24560) that I can see:
>>
>> 103.7.204.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.14.208.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.23.124.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.30.12.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.245.112.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 111.235.148.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 177.55.249.0/24

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 186.251.192.0/21

Missing AS4_PATH -- Probably a spoofed/hijacked route

If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire.

Owen
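As an added example (not Owen's code and not anything posted in the thread), here is a small Python model of the merge a 4-octet-capable speaker performs when it receives AS_PATH plus AS4_PATH (RFC 6793 section 4.2.3), with the checks described above: AS_TRANS (23456) without an AS4_PATH is flagged as unrecoverable, an inconsistent AS4_PATH (longer than AS_PATH, or itself carrying AS_TRANS) is ignored, and the AS immediately to the left of 23456 is reported as the one to contact. The updates are constructed: the 91.217.86.0/23 path reuses the ASNs from the quoted router output, the 103.7.204.0/22 case uses AS24560 from the thread, and 198.51.100.0/24 is an invented documentation prefix. AS_SET segments and confederation segments are not modelled.

```python
"""Rebuild a 4-octet AS path from AS_PATH + AS4_PATH (RFC 6793, 4.2.3) and
flag AS_TRANS that cannot be resolved.  Added example, not from the thread;
paths are flat AS_SEQUENCEs and the updates are constructed, not captured."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

AS_TRANS = 23456  # what a 2-octet-only (OLD) speaker sees for any 4-octet ASN


@dataclass
class Update:
    prefix: str
    as_path: List[int]                    # AS_PATH as received (may contain AS_TRANS)
    as4_path: Optional[List[int]] = None  # optional transitive AS4_PATH (4-octet ASNs)


@dataclass
class Verdict:
    prefix: str
    path: List[int]                       # best path we could reconstruct
    notes: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Anything still showing AS_TRANS after reconstruction is "fishy".
        return AS_TRANS in self.path


def reconstruct(update: Update) -> Verdict:
    """Merge AS4_PATH into AS_PATH the way a NEW (4-octet-capable) speaker does."""
    as_path, as4_path = list(update.as_path), update.as4_path
    notes: List[str] = []

    if AS_TRANS not in as_path:
        return Verdict(update.prefix, as_path, notes)  # nothing to recover

    if as4_path is None:
        notes.append("AS_TRANS present but no AS4_PATH; 4-octet ASN unrecoverable")
        return Verdict(update.prefix, as_path, notes)

    if AS_TRANS in as4_path or len(as4_path) > len(as_path):
        # RFC 6793: AS4_PATH must not carry AS_TRANS and cannot hold more ASes
        # than AS_PATH; an inconsistent attribute is ignored, not trusted.
        notes.append("inconsistent AS4_PATH ignored")
        return Verdict(update.prefix, as_path, notes)

    # OLD speakers between us and the last NEW speaker prepended themselves to
    # AS_PATH only, so those leading entries are kept and the trailing
    # len(as4_path) entries are replaced by their 4-octet values.
    keep = len(as_path) - len(as4_path)
    merged = as_path[:keep] + list(as4_path)
    if AS_TRANS in merged:
        notes.append("AS_TRANS survives reconstruction")
    return Verdict(update.prefix, merged, notes)


def last_as_before_trans(path: List[int]) -> Optional[int]:
    """Nearest real AS to the left of the first AS_TRANS: the party to ask."""
    for i, asn in enumerate(path):
        if asn == AS_TRANS:
            for prev in reversed(path[:i]):
                if prev != AS_TRANS:
                    return prev
            return None
    return None


# Constructed updates modelled on the router output and prefixes quoted above.
SAMPLE_UPDATES = [
    # OLD speaker 1299 prepended itself to what NEW speaker 3209 sent it.
    Update("91.217.86.0/23", [8121, 1299, 3209, AS_TRANS], [3209, 197269]),
    # AS_TRANS as origin behind AS24560 with no AS4_PATH: the thread's case.
    Update("103.7.204.0/22", [24560, AS_TRANS]),
    # AS4_PATH longer than AS_PATH: inconsistent, must be ignored (invented).
    Update("198.51.100.0/24", [8121, AS_TRANS], [1299, 3209, 197269]),
]


def triage(updates: List[Update]) -> Dict[str, Verdict]:
    return {u.prefix: reconstruct(u) for u in updates}


if __name__ == "__main__":
    for prefix, v in triage(SAMPLE_UPDATES).items():
        line = f"{prefix:18} {' '.join(map(str, v.path)):28} "
        line += "SUSPICIOUS" if v.suspicious else "ok"
        contact = last_as_before_trans(v.path)
        if contact is not None:
            line += f"  ask AS{contact}"
        if v.notes:
            line += "  [" + "; ".join(v.notes) + "]"
        print(line)
```

Run stand-alone it prints one line per prefix; the 91.217.86.0/23 path comes back as 8121 1299 3209 197269, while 103.7.204.0/22 stays at 24560 23456 and is flagged with AS24560 as the AS to contact.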