anybody know the owner of 209.251.0.0/19?
william at elan.net
william at elan.net
Tue Aug 19 22:01:36 UTC 2003
If you check arin whois, you can find ip block 209.251.0.0 - 209.251.23.255
listed as NETBLK-SISCOM-BLK-1 (why would ARIN assign them /20 + /21 but
not make it easier for everyone and just do /19 ?????????):
[whois.arin.net]
OrgName: SISCOM
OrgID: SISC
Address: 130 W. Second St.
Address: Suite 1100
City: Dayton
StateProv: OH
PostalCode: 45402
Country: US
NetRange: 209.251.0.0 - 209.251.23.255
CIDR: 209.251.0.0/20, 209.251.16.0/21
NetName: SISCOM-BLK-1
NetHandle: NET-209-251-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SISCOM.NET
NameServer: NS2.SISCOM.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-07-13
Updated: 2001-06-22
TechHandle: RJ818-ARIN
TechName: Adams, Robert
TechPhone: +1-937-222-8150
TechEmail: RADAMS at siscom.net
OrgTechHandle: TFI7-ARIN
OrgTechName: Finkenstadt, Thomas
OrgTechPhone: +1-937-222-8150
OrgTechEmail: tfink at siscom.net
Not surprisingly SISCOM.NET (AS11036) is announcing this as /19, I'd do the
same if I were them.... Now I don't know anything about SISCOM but it does
not look like they are out of business or controlled by spammers, so I
think it would be best to just contact them on this issue (and ask them to
talk to ARIN and add extra /21 to their allocation to make it even /19)
On Tue, 19 Aug 2003, Paul Vixie wrote:
>
> i'm getting spammed from there...
>
> [sa:i386] ./find-spam.pl 209.251.0.0/19
>
> SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
> LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
> FROM spam s LEFT JOIN bodies b ON s.body_md5 = b.md5
> WHERE relay <<= '209.251.0.0/19'
> ORDER BY entered
> LIMIT ALL
>
> spam: [002515 2001-12-09 23:37:37+00 209.251.20.7]
> lart: {12370 209.251.20.7 source mailer}
> mail: (0 007557 )
> spam: [005626 2003-07-31 22:14:54.367173+00 209.251.28.142]
> lart: {316925 209.251.28.142 source mailer}
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
> spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
> lart: {332664 209.251.28.142 relay mailer}
> mail: (0 002207 20030813142817.C3EF013980 at sa.vix.com)
>
> ...but there is no whois...
>
> [sa:i386] whois -h whois.arin.net 209.251.28.142
>
> No match found for 209.251.28.142.
>
> # ARIN WHOIS database, last updated 2003-08-18 19:15
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> ...and they seem to have transit through both AS209 and AS6076...
>
> noc at re0.r7.pao1> show route 209.251.28.142
> ...
> 209.251.0.0/19 *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
> AS path: 209 11036 I
> > to 198.32.176.52 via ge-2/1/0.6
> [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
> AS path: 3549 8011 6076 11036 I
> > to 208.50.13.57 via ge-1/3/0.501
> [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
> AS path: 2914 209 11036 I
> > to 129.250.16.157 via so-1/2/2.0
> [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
> AS path: 701 209 11036 I
> > to 198.32.176.2 via ge-2/1/0.6
> [BGP/170] 04:33:44, MED 10, localpref 90
> AS path: 6453 209 11036 I
> > to 207.45.196.65 via so-1/2/0.0
>
> ...although both AS11036 (the origin) and AS6076 (one of the transits) are
> in the same geo area, one of them (voyager.net) was i thought out of business.
>
> am i being spammed from pirated address space?
>
--
William Leibzon
Elan Networks
william at elan.net
More information about the NANOG
mailing list