Hijacked IP space.
william at elan.net
william at elan.net
Tue Nov 4 11:42:50 UTC 2003
> Correct. Unfortunately, that's my old block and I wasn't quite ready to
> hand it back since I'd sort of wanted to announce it again. I've been
> trying to chase down C&W as the upstream of AS 30080, the jokers who've
> been pulling this stuff for quite some time with other blocks.
C&W received quite a number of reports about abuse from AS30080, I'm very
surprised they have not reacted yet (in previous cases of hijacked block,
C&W acted on part with other large networks). The two ip blocks
199.245.138.0/24 and 204.89.224.0/24 are actually hijacked in rather
unique way by getting old @netcom.com email account forwarded to
hijackers (who is presumably a customer of earthlink). Nanog has just
seen confirmation from one of these people whose ip block has been
hijacked this way, for the other block you can see the data file at
http://www.completewhois.com/hijacked/files/199.245.138.0.txt
The 3rd ip block used by as30080 is 192.107.49.0/24 and there ARIN already
deleted this block from whois (but AS30080 still announces it). I'm certain
C&W knows about all the issues with those blocks (I actually only emailed
them once, but I know others did it quite a bit more then once and c&w
person is present at hijacked mail list too). It would really be good if
C&W finally take a stand on this and stopped this clearly bad activity
from their customer (not to mention that there are uncountable number of
unsolicited emails all originating in those blocks, I've received more
then two dozen in last months just on couple accounts). If C&W does not
take a stand and at least explain why is as30080 is still their customer
(public if possible or private to those individuals and organizations
looking into this matter), then more active measures may have to be taken
that that may very well cost C&W a lot more money in legal fees.
> I'm starting to figure that, given the delays, there's been enough damage
> done that 204.89.224/24 will never be able to get off the blocking lists
> anyway, so perhaps I'll turn it back in afterall. *sigh* That's what
> I get for trying to find low-cost ISPs willing to announce portable
> space.
You should not be asking somebody to announce this space while whois is
not fixed and current and while its still announced by somebody else.
Afterwards, I'm sure you will be able to find somebody to announce the
space (as long as original company the ip block has been assigned to is
still around and you still represent it). 204.89.224.0/24 has not been on
blacklists too long yet (no more then 10 days) and its not too "contaminated"
yet and should be reusable fairly easily once you post on couple appropriate
mail lists that real ip block owner is now announcing it.
--
William Leibzon
Elan Networks
william at elan.net
More information about the NANOG
mailing list