
nanog mailing list archives

anybody know the owner of 209.251.0.0/19?
From: Paul Vixie <paul () vix com>
Date: Tue, 19 Aug 2003 18:17:57 +0000


i'm getting spammed from there...

        [sa:i386] ./find-spam.pl 209.251.0.0/19

                  SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
                         LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
                    FROM spam s LEFT JOIN bodies b ON s.body_md5 = b.md5
                   WHERE relay <<= '209.251.0.0/19'
                ORDER BY entered
                   LIMIT ALL

        spam: [002515 2001-12-09 23:37:37+00 209.251.20.7]
           lart: {12370    209.251.20.7  source mailer}
              mail: (0 007557 )
        spam: [005626 2003-07-31 22:14:54.367173+00 209.251.28.142]
           lart: {316925  209.251.28.142  source mailer}
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)
        spam: [001260 2003-08-13 14:28:06.363234+00 209.251.28.142]
           lart: {332664  209.251.28.142   relay mailer}
              mail: (0 002207 20030813142817.C3EF013980 () sa vix com)

...but there is no whois...

        [sa:i386] whois -h whois.arin.net 209.251.28.142
        
        No match found for 209.251.28.142.
        
        # ARIN WHOIS database, last updated 2003-08-18 19:15
        # Enter ? for additional hints on searching ARIN's WHOIS database.

...and they seem to have transit through both AS209 and AS6076...

    noc () re0 r7 pao1> show route 209.251.28.142 
    ...
    209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
                          AS path: 209 11036 I
                        > to 198.32.176.52 via ge-2/1/0.6
                        [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
                          AS path: 3549 8011 6076 11036 I
                        > to 208.50.13.57 via ge-1/3/0.501
                        [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
                          AS path: 2914 209 11036 I
                        > to 129.250.16.157 via so-1/2/2.0
                        [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
                          AS path: 701 209 11036 I
                        > to 198.32.176.2 via ge-2/1/0.6
                        [BGP/170] 04:33:44, MED 10, localpref 90
                          AS path: 6453 209 11036 I
                        > to 207.45.196.65 via so-1/2/0.0

...although both AS11036 (the origin) and AS6076 (one of the transits) are
in the same geo area, one of them (voyager.net) was i thought out of business.

am i being spammed from pirated address space?
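
The reading of the route output above (origin AS11036, reached through AS209 and AS6076), as an added example that is not part of the original post: Python that pulls the origin AS and the ASes directly upstream of it out of Junos-style `show route` text. The function names are illustrative assumptions, and the sample input is the route output quoted in the message.

```python
import re
from collections import Counter

# Sample input: the "show route" output quoted in the post above.
ROUTE_OUTPUT = """\
209.251.0.0/19     *[BGP/170] 2w3d 23:55:24, MED 2147483647, localpref 100
                      AS path: 209 11036 I
                    > to 198.32.176.52 via ge-2/1/0.6
                    [BGP/170] 1w2d 10:47:58, MED 2147483647, localpref 100
                      AS path: 3549 8011 6076 11036 I
                    > to 208.50.13.57 via ge-1/3/0.501
                    [BGP/170] 2w3d 23:55:12, MED 10, localpref 90
                      AS path: 2914 209 11036 I
                    > to 129.250.16.157 via so-1/2/2.0
                    [BGP/170] 1w4d 16:20:31, MED 10, localpref 90
                      AS path: 701 209 11036 I
                    > to 198.32.176.2 via ge-2/1/0.6
                    [BGP/170] 04:33:44, MED 10, localpref 90
                      AS path: 6453 209 11036 I
                    > to 207.45.196.65 via so-1/2/0.0
"""

# The trailing letter is the BGP origin code: I (IGP), E (EGP), ? (incomplete).
AS_PATH_RE = re.compile(r"AS path:\s+((?:\d+\s+)+)[IE?]")

def parse_as_paths(text):
    """Return each AS path as a list of ints, with prepending collapsed."""
    paths = []
    for m in AS_PATH_RE.finditer(text):
        hops = [int(a) for a in m.group(1).split()]
        # Collapse consecutive repeats so a prepended origin is not mistaken for its own upstream.
        dedup = [a for i, a in enumerate(hops) if i == 0 or a != hops[i - 1]]
        paths.append(dedup)
    return paths

def summarize(paths):
    """Count origin ASes (last hop) and the ASes adjacent to the origin."""
    origins = Counter(p[-1] for p in paths)
    upstreams = Counter(p[-2] for p in paths if len(p) >= 2)
    return origins, upstreams

if __name__ == "__main__":
    origins, upstreams = summarize(parse_as_paths(ROUTE_OUTPUT))
    print("origin AS:", dict(origins))
    print("adjacent upstream AS:", dict(upstreams))
    if len(origins) > 1:
        print("multiple origins seen for one prefix")
```

The adjacent-upstream list is the set of networks to contact when the prefix itself has no registry record.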

