Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Eric Kuhnke eric.kuhnke at gmail.com
Tue Aug 13 22:54:53 UTC 2019


>   4)  Filing a "fraud request" with ARIN is a serious step and one that
        could quite conceivably end up with the party filing such a formal
        report being on the business end of a lawsuit, just for having filed
        such a report.

What makes you think that the sort of persons who would hijack a /17 sized
piece of space, for spam generation purposes, would sue you over some
formal submission you might make to ARIN, but would not already have sued
you over your already exhaustively detailed posts to the public NANOG list?



On Tue, Aug 13, 2019 at 12:18 PM Ronald F. Guilmette <rfg at tristatelogic.com>
wrote:

> In message <D9973D64-91AB-4380-B5E8-DEE173726CC0 at arin.net>,
> John Curran <jcurran at arin.net> wrote:
>
> >On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette <rfg at tristatelogic.com>
> wrote:
> >> ...
> >> Unfortunately, we cannot read too much into this change that was made
> >> to the block's public-facing WHOIS record.  Neither the new WHOIS info
> >> nor even the old WHOIS info can be used to reliably infer who or what
> >> is the legitimate registrant of the block at any point in time.  This
> >> is because ARIN, like all of the other Regional Internet Registries,
> >> allows registrants to put essentially any bovine excrement they desire
> >> into their public-facing WHOIS records.
> >
> >That is not the case – ARIN confirms the legal status of organizations
> >receiving number resources.
>
> This is NOT the message that I got from our recent discussion of the giant
> Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
> questions about why various of the Micfo phoney baloney shell companies
> had blocks with WHOIS records saying they were located in states that
> they were obviously not located in, I believe that you said that once
> a block has been allocated, by ARIN, to some (properly vetted) entity,
> that after that point in time, the entity could -change- the relevant
> WHOIS record to say any bloody thing it wanted, and that such -changes-
> to ARIN WHOIS records are not vetted in any way.
>
> If I got the Wrong Impression from your prior statements, then by all
> means, please do correct me.  And then please do explain why several of
> the Micfo phony shell companies did in fact have WHOIS records for ARIN-
> issued IPv4 space that gave street addresses in states where none of these
> phony shell companies were actually registered to do business.
>
> >> (And, it should be noted, the
> >> man behind the recent large scale "Micfo" fraud apparently availed
> >> himself of this exact opportunity for subterfuge, in spades.)
> >
> >As previously noted on this list, such was only possible because of the
> >use of falsely notarized documents.
>
> I -do- understand that the fraudulent documents that were originally
> presented to you/ARIN provided information indicating that the phoney
> Micfo shell companies -did- actually exist in -some- state (Delaware?),
> and that ARIN -did- verify, to the best of its ability, that those
> companies -did- exist, legally speaking, in their originally declared
> home state(s).  But that fact is just skirting the real issue here,
> which is the question of whether or not ARIN even looks at -changes-
> that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
> -after- those blocks have been assigned.
>
> It appears from where I am sitting that ARIN does not do so.  And thus,
> I stand by my comment that a registrant -can- in fact put any bloody
> nonsense they want into their WHOIS records, at least as long as they
> do it via -changes- and not in the original/initial WHOIS records.
>
> >> Regardless, the available records suggest that there are only two likely
> >> possibilities in this case:
> >>
> >> {trimmed}
> >>     1) 216.179.128.0/17 was transferred in violation of ARIN policy.
> >>
> >>     2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
>
> >That is easy to address:  submit a fraud request, and it will be reviewed
> >and corrected if it was done fraudulently.
>
> I would do that, but for the following four things:
>
>     1)  ARIN is not the Internet Police and has no power to affect routing
>         decisions of anybody.
>
>     2)  Getting the info out here, on the NANOG list, allows people to make
>         up their own minds and to ignore the relevant route announcements
>         and/or cease peering if they are persuaded that 216.179.128.0/17
>         is likely a source of "undesirable" packets.
>
>     3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
>         perhaps even months.  In contrast, packets, including bad ones,
>         travel from one end of the planet to another in milliseconds.
>         ARIN and its careful review processes are a sure and steady and
>         reliable check on fraudulent behavior over the longer term.  But
>         they will not do much to address the bad packets that may be
>         flowing out of 216.179.128.0/17 this week, or even next.
>
>     4)  Filing a "fraud request" with ARIN is a serious step and one that
>         could quite conceivably end up with the party filing such a formal
>         report being on the business end of a lawsuit, just for having filed
>         such a report.
>
>         Does ARIN indemnify the parties who file such reports against such
>         claims, as ARIN is currently asking ARIN-region networks to do for
>         ARIN if they want to avail themselves of the added security of
>         RPKI?
>
>
> Regards,
> rfg
>