Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
Also AS57166 (single upstream AS29632 NetAssist) is likely hijacking 10 ASNs, and AS43659 (currently inactive). Both with mnt-by: D2INVEST-MNT. http://bgp.he.net/AS57166#_peers DATASTAR-MNT created 14 autnum and 31 route dummy objects in RIPE, on resources that looks abandoned (2 of them confirmed hijacking) https://apps.db.ripe.net/search/query.html?searchtext=DATASTAR-MNT&inverse=mnt-by;mnt-domains;mnt-irt;mnt-lower;mnt-nfy;mnt-ref;mnt-routes&bflag=true&source=RIPE#resultsAnchor Someone actually mentioned these back in Oct https://mailman.nanog.org/pipermail/nanog/2016-October/088487.html
Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
On Thu, Aug 03, 2017 at 02:52:43AM -0700, Ronald F. Guilmette wrote: > And of course, Mr. Stanciu's snowshoe spamming domains would not be > maximally productive unless they each had SPF TXT records attached [...] > > https://pastebin.com/raw/BbK2YGe6 FYI, 85 of the 101 domains listed here are have been picked up by various spammer domain detection methods in place here. I have no doubt that the other 16 either will be in due course or simply reflect an inadequacy in my methods. ---rsk
Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
A few years back, Ronald named-and-shamed my work's new carrier for facilitating a prefix hijacker on this very list. As luck would have it, I had a fresh, crisp business card from our sales rep, so I passed the (quite legitimate) grievance along, and a short time later, the hijacked prefixes had one less upstream. Years later now, I have a different job, and a circuit with AS209. I'll see if I can't scare someone up (if it's still active by the time I get into the office). Thanks Ronald. Rest assured that many of us remember. :-) Jima On 2017-08-03 05:21, Ken Chase wrote: RIPE or one of dem dere responsible RIRs should hire him. I got a sales call in a few weeks with NTT, let's see if Job is successful and then I can be duly impressed and even more interested in their products. This shit actually matters, sometimes.
Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
RIPE or one of dem dere responsible RIRs should hire him. I got a sales call in a few weeks with NTT, let's see if Job is successful and then I can be duly impressed and even more interested in their products. This shit actually matters, sometimes. /kc On Thu, Aug 03, 2017 at 12:23:51PM +0200, Job Snijders said: >Dear Ronald, > >Thanks for your report, we'll investigate. > >Kind regards, > >Job -- Ken Chase - m...@sizone.org Guelph Canada
Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?
Dear Ronald, Thanks for your report, we'll investigate. Kind regards, Job
Multicom Hijacks: Do you peer with these turkeys (AS35916)?
Well, it took less than a day for my last missive here to get the hijacks associated with AS202746 (Nexus Webhosting) taken down. I guess that somebody must have smacked Telia upside the head with a clue-by-four at long last. So, with that out of the way, let's see what else I can accomplish this week. As I understand it, the theory is that the thing that keeps the entire Internet from descending into the final stages of a totally broken "tragedy of the commons" is peer pressure. As everyone knows, there is no "Internet Police", so the whole system relies on the ability and willingness of networks to de-peer from other networks when those other networks are demonstratably behaving badly. Let's find out if that actually works, in practice, shall we? According to bgp.he.net, the top three peers of AS35916 (Multacom) are as follows: AS2914 NTT America, Inc. AS3223 Voxility S.R.L. AS209 Qwest Communications Company, LLC I'd like help from any and all subscribers to this mailing list who might have contacts in these companies. I'd like you to call their attention to Multacom's routing of the following block specifically: 163.198.0.0/16 This is a long-abandoned Afrinic block belonging to a semi-defunct company called "Agrihold". In fact, this block was a part of the massive number of hijacked legacy Afrinic /16 blocks that I pointed out, right here on this maling list, way back last November: https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html After that posting, whoever was responsible for all those blatant hijackings got cold feet, apparently, and stopped passing all of those bogus route announcements out through their pals at AS260, Xconnect24 Inc. And so, for a brief time at least, the wanton pillaging of legacy Afrinic /16 blocks, and the reselling of those stolen blocks to various snowshoe spammers stopped... for awhile. But it appears that on or about January 6th of this year, Mulutacom lept into the breach and re-hijacked both the 163.198.0.0/16 block and also the additional Afrinic legacy block, 160.115.0.0/16. (They apparently stopped routing this latter block some time ago, for reasons unknown. But that fact that Multacom was indeed routing this second purloined legacy Afrinic /16 block also is in the historical records now, and cannot be denied. Multicom's routing of both blocks began around January 6th or so of this year, 2017.) Just as a courtesy, I sent the block absconders at Multacom a short email, earlier today, asking them if they had an LOA which demonstrates that they have rights/permission to be routing the 163.198.0.0/16 block. Of course, the mystery person (noc@) who emailed me back claimed that they did, but unfortunately, he was not under oath at the time. I asked if he could show me a copy of this purported LOA, and I haven't heard back from anybody at Mulatcom ever since. I don't really think there is any big mystery here, nor do I think that Multacom has or had, at any time, any rights to be routing these two legacy Afrinic /16 blocks. But they have done so, and continue to do so, in the case of the 163.198.0.0/16 block at least, quite obviously because -somebody- is paying them to do it, even in the total absence of a legitimate LOA. And as it turns out, it is quite easy to figure out who Multacom has been routing these two hijacked legacy Afrinic /16 blocks both for and to. It's trivially easy to run a traceroute to any arbitrary IP address within the 163.198.0.0/16 block. No matter which one you pick, the traceroute always passes through a particular IP address, 178.250.191.162, before the remainder of the traceroute gets deliberately blocked. That IP address is registered *not* to some long lost African concern, but rather to a Romanian networking company called Architecture Iq Data S.R.L. That company itself is apparently owned by a fellow by the name of Alexandru ("Andrei") Stanciu who hails from the city of Suceava, Romania. (Note that this is apparently *not* the same Alexandru Stanciu who the FBI arrested on bank and wire fraud charges in 2014. That one apparently hailed from Bucharest.) Anyway, "networking" seems to be only one of our Mr. Stanciu's many and varied business interest. His networking company, Architecture Iq Data S.R.L. has a web site (http://architekiq.ro/) but it is "shallow" to say the least. Many, and perhaps evenmost of the links on the home page of that company's web site seem to lead nowhere. In cotrast, Mr. Stanciu has the following other well-developed web sites and companies: ads.com.ro promoart.ro largeformatprinting.ro Promoart S.R.L. Advertising Distribution Supplies S.R.L. Mostly, he seems to be in the advertising business, as evidenced by the above web sites, and also by his membership in the "Email Marketing Gurus" special interest group over on LinkedIn: https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a Given Mr. Stanciu'
Re: Contact at Orange?
Wrong currency zone On August 3, 2017 12:19:07 AM PDT, Dan Hollis wrote: >On Thu, 3 Aug 2017, Benoit Panizzon wrote: >> Apparently this was not their problem. > >As long as the money's green? > >-Dan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Contact at Orange?
On Thu, 3 Aug 2017, Benoit Panizzon wrote: Apparently this was not their problem. As long as the money's green? -Dan
Re: Contact at Orange?
Hi In 2013/2014 we also had to deal with a massive spam spike from orange.fr Our stats showed that the spam to ham ratio was at about 95% or higher from their 'mailserver' IP Range. After sending several emails to their different abuse and postmaster email addresses and trying to escalate the problem via orange.ch (now salt), as a last resort we blacklisted their whole IP Range via SWINOG Blacklist, which is used by many swiss ISP. This finally resulted in orange.fr getting in contact with us. Apparently the do receive and look at emails at their normal abuse contact address. But they never bother to reply, especially when they do not feel responsible for the specific IP addresses, even if they are in their range. The problem at that time was, that they had leased a part of their IP range to one of their branches in eastern europe and this branch had somehow been massively abused by spamers. After they were able to tell me which IP ranges belonged to their 'east europe' branch, we could shrink the blocked range to those specific ip addresses and this was also fine with their abuse desk, because they could clearly see the problem and more or less confirmed their colleagues in eastern europe apparently did not care so much about spam or being listed in anti-spam blacklists. Apparently this was not their problem. So, yes, try their abuse contact email address, write in french if somehow possible, and make clear you need a reply. Hopefully this will help. Kind regards -BenoƮt Panizzon- -- I m p r o W a r e A G-Leiter Commerce Kunden __ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 PrattelnFax +41 61 826 93 01 Schweiz Web http://www.imp.ch __