anybody know the owner of 209.251.0.0/19?

william at elan.net william at elan.net
Tue Aug 19 22:01:36 UTC 2003



If you check ARIN whois, you can find IP block 209.251.0.0 - 209.251.23.255
listed as NETBLK-SISCOM-BLK-1 (why would ARIN assign them /20 + /21 but 
not make it easier for everyone and just do /19 ?????????):
[whois.arin.net]
OrgName:    SISCOM
OrgID:      SISC
Address:    130 W. Second St.
Address:    Suite 1100
City:       Dayton
StateProv:  OH
PostalCode: 45402
Country:    US

NetRange:   209.251.0.0 - 209.251.23.255
CIDR:       209.251.0.0/20, 209.251.16.0/21
NetName:    SISCOM-BLK-1
NetHandle:  NET-209-251-0-0-1
Parent:     NET-209-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.SISCOM.NET
NameServer: NS2.SISCOM.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1998-07-13
Updated:    2001-06-22

TechHandle: RJ818-ARIN
TechName:   Adams, Robert
TechPhone:  +1-937-222-8150
TechEmail:  RADAMS at siscom.net

OrgTechHandle: TFI7-ARIN
OrgTechName:   Finkenstadt, Thomas
OrgTechPhone:  +1-937-222-8150
OrgTechEmail:  tfink at siscom.net

Not surprisingly, SISCOM.NET (AS11036) is announcing this as a /19; I'd do the 
same if I were them.... Now I don't know anything about SISCOM but it does 
not look like they are out of business or controlled by spammers, so I 
think it would be best to just contact them on this issue (and ask them to 
talk to ARIN and add an extra /21 to their allocation to make it an even /19).

On Tue, 19 Aug 2003, Paul Vixie wrote:

> 
> i'm getting spammed from there...
> 
> 	[sa:i386] ./find-spam.pl 209.251.0.0/19
> 
>                   SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
>                          LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
>                     FROM spam s LEFT JOIN bodies b ON s.body_md5 = b.md5
>                    WHERE relay <<= '209.251.0.0/19'
>                 ORDER BY entered
>                    LIMIT ALL
> 
> 	spam: [002515 2001-12-09 23:37:37+00 209.251.20.7]
> 	   lart: {12370    209.251.20.7  source mailer}
> 	      mail: (0 007557 )
> 	spam: [005626 2003-07-31 22:14:54.367173+00 209.251.28.142]
> 	   lart: {316925  209.251.28.142  source mailer}
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 	spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> 	   lart: {332664  209.251.28.142   relay mailer}
> 	      mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> 
> ...but there is no whois...
> 
> 	[sa:i386] whois -h whois.arin.net 209.251.28.142
> 	
> 	No match found for 209.251.28.142.
> 	
> 	# ARIN WHOIS database, last updated 2003-08-18 19:15
> 	# Enter ? for additional hints on searching ARIN's WHOIS database.
> 
> ...and they seem to have transit through both AS209 and AS6076...
> 
>     noc at re0.r7.pao1> show route 209.251.28.142 
>     ...
>     209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
>                           AS path: 209 11036 I
>                         > to 198.32.176.52 via ge-2/1/0.6
>                         [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
>                           AS path: 3549 8011 6076 11036 I
>                         > to 208.50.13.57 via ge-1/3/0.501
>                         [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
>                           AS path: 2914 209 11036 I
>                         > to 129.250.16.157 via so-1/2/2.0
>                         [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
>                           AS path: 701 209 11036 I
>                         > to 198.32.176.2 via ge-2/1/0.6
>                         [BGP/170] 04:33:44, MED 10, localpref 90
>                           AS path: 6453 209 11036 I
>                         > to 207.45.196.65 via so-1/2/0.0
> 
> ...although both AS11036 (the origin) and AS6076 (one of the transits) are
> in the same geo area, one of them (voyager.net) was i thought out of business.
> 
> am i being spammed from pirated address space?
> 

-- 
William Leibzon
Elan Networks
william at elan.net
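
The comparison made in this thread, as an added example that is not part of the original messages: it subtracts the two ARIN CIDR lines from the /19 that AS11036 announces and classifies the relay addresses from the quoted find-spam.pl output. The function names and result labels are chosen for this illustration; the prefixes and addresses are copied from the thread.

```python
import ipaddress

# Values copied from the thread: the BGP announcement and the ARIN CIDR line.
ANNOUNCED = ipaddress.ip_network("209.251.0.0/19")
REGISTERED = [ipaddress.ip_network(c)
              for c in ("209.251.0.0/20", "209.251.16.0/21")]
# Relay addresses that appear in the quoted find-spam.pl output.
SOURCES = ["209.251.20.7", "209.251.28.142"]


def unregistered_gaps(announced, registered):
    """Return the parts of `announced` not covered by any registered block."""
    remaining = [announced]
    for reg in registered:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(reg):
                continue                      # fully covered by this block
            if reg.subnet_of(net):
                # Carve the registered block out of the larger network.
                next_remaining.extend(net.address_exclude(reg))
            else:
                next_remaining.append(net)    # disjoint, nothing to remove
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def classify(sources, announced, registered):
    """Label each source as registered, announced-only, or outside."""
    gaps = unregistered_gaps(announced, registered)
    labels = {}
    for text in sources:
        ip = ipaddress.ip_address(text)
        if any(ip in reg for reg in registered):
            labels[text] = "registered"
        elif any(ip in gap for gap in gaps):
            labels[text] = "announced-only"   # routed, but no whois record
        else:
            labels[text] = "outside"
    return labels


if __name__ == "__main__":
    print("announced but not registered:",
          [str(n) for n in unregistered_gaps(ANNOUNCED, REGISTERED)])
    for addr, label in classify(SOURCES, ANNOUNCED, REGISTERED).items():
        print(addr, label)
```

The single gap it reports is the upper /21 of the announcement, which is where the address that returned "No match found" sits.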



