Notice: Fraudulent RIPE ASNs

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jan 15 11:34:09 UTC 2013


In message <CALgc3C7n0Hy80qLBcQ8tZrvGuaVsVrcEneYaYKomUUy58p3rEw at mail.gmail.com>,
Eugeniu Patrascu <eugen at imacandi.net> wrote:

>Jump.ro is a very active LIR and domain registry on the Romanian
>market and is "selling" ASNs to whomever is interested...

I do see that JUMP.RO is ``very active''.  I do not know who they
have actually given all of this IP space to.  Do you?  If so, then
by all means, please don't keep us in suspense.   Please do share
that information.

(I have also seen that JUMP.RO has puffed up its own resume, claiming on
its home page to have over 12,000 customers, but from where I am sitting,
it looks more like a tiny little ISP with only two /24s of its own,
and perhaps only a few handfuls of customers, many of whom, it seems,
are spammers.)

>and facilitates
>allocations of PI netblocks to those who can justify them.

JUMP.RO also ``facilitates'' IP block allocations to _themselves_, apparently.

>It might
>come as a surprise to you, but in Romania there are a lot of companies
>(even very small ones) with their own ASN and PI netblocks.

Regardless of whether that assertion is true or false, it has no bearing
whatsoever on the specific issue and the specific ASNs and the specific
IP address blocks that I have reported on here.

I will repeat myself, so as to be completely clear.  The 18 specific
ASNs I reported on, together with their associated IPv4 address blocks,
were all registered, via RIPE, with fraudulent information.

>> AS16011 (fiberwelders.ro)
>> AS28822 (creativitaterpm.ro)
>> AS48118 (telecomhosting.ro)
>> AS49210 (rom-access.ro)
>> AS50659 (grandnethost.com)
>> AS57131 (speedconnecting.ro)
>> AS57133 (nordhost.ro)
>> AS57135 (fastcable.ro)
>> AS57176 (bucovinanetwork.ro)
>> AS57184 (kaboomhost.ro)
>> AS57415 (highwayinternet.ro)
>> AS57695 (effidata.ro)
>> AS57724 (id-trafic.ro)
>> AS57738 (mclick.ro)
>> AS57786 (hosting-www.ro)
>> AS57837 (romtechinnovation.ro)
>> AS57906 (momy.ro)
>> AS57917 (nature-design.ro)
>
>from all those websites it looks like they are all hosting companies.

Yes.  Indeed.  The web sites associated with all of the above domain
names have indeed been made to _look_ like they are all legitimate
hosting companies.

I'm so glad that you noticed.

>have you tried calling the numbers listed on the WHOIS registrant
>information on the ASN and you couldn't get to any one ?

That is a good idea.  Why don't you try it and report back here and let
us know your results.

Personally, I have much better things to do with my time (and my money)
than to waste any of it making pointless long-distance overseas phone
calls to pseudo-companies that I am already 100% convinced are simply
fraudulent and fictitious.

But since you yourself seem to be geographically in that area... AND since
you probably speak Romanian about 100,000% better than I do, by all means,
I encourage you to try to reach some human, i.e. ANY human at any of these
(fictitious) places who might be able to disprove the assertions that I
have made here, and repeated elsewhere.

Good luck.

>If you really believe that all those ASNs listed by you above are only
>used to host spammers...

Sir, I am not in the habit of risking either my reputation or my legal
safety by posting allegations on the NANOG list which I have anything
less than the highest confidence in.  To do so would be foolish in the
extreme, and in multiple dimensions.

>...then by all means please contact
>alerts at cert-ro.eu - that is the Romanian CERT

Thank you but no.

This is another task that you have tried to assign to me... also
of entirely questionable usefulness...  that I also personally elect
not to waste any of my precious minutes on this earth pursuing.

But please, feel free to do yourself the (pointless) tasks that you
have attempted to assign to me.  Please feel free to contact
the Romanian CERT yourself.  (If you manage to find anyone within that
organization that has ever done _anything_ to materially improve the
safety or security of the Internet, then please do send me that
person's name so that I can send it on to the Guinness World Records
people and let them know that such a person does exist after all.)

>...as they are active...

Oh yes!  I am quite sure they are.  As are the particles shown in the
simulation on this page:

   http://en.wikipedia.org/wiki/Brownian_motion

Very active indeed!

>and will investigate the allegations you make.

What exactly would be the point of that?

They are not Internet Police, and I rather doubt that they have any control
over RIPE's allocation processes for number resources.

(On the other hand, if I am wrong, and if the people at the Romanian CERT
actually *are* the Internet Police, then please do let me know immediately.
In that case, I have some vastly more serious matters to discuss with them,
specifically the massive fake pharmacy operations that are run out of
your country *and* the propensity of the specific crooks behind those
operations for stealing and using the credit card numbers of at least hundreds
and more probably thousands of unsuspecting Americans.  But I digress.)

>So far I do not know a single web hosting company that its customers
>never spammed anyone :)

I confess that I cannot deduce whether your obtuse inability to differentiate
between the occasional spammer and an entire /14 full of them is genuine
or an act.

If genuine, you have my sympathy.


Regards,
rfg


