Home page logo
/

nanog logo nanog mailing list archives

Re: RIPE Down or DOSed ?
From: jlewis () lewis org
Date: Thu, 27 Feb 2003 21:58:05 -0500 (EST)


On Thu, 27 Feb 2003, Kai Schlichting wrote:

Secrecy over a public resource = no oversight = facilitator of abuse.

Why do I get the distinct feeling that this "move" by Level3 is
aimed not at creating greater customer privacy (it never served
POC email addresses), or protecting themselves from getting their
customer base poached by other providers, but at preventing
people from identifying spamming Level3 customers (of which they
seem to have 100's) by organization name and being able to
correlate activity from different netblocks of theirs.

Though I agree, Level3 seems to host a good number of spammers, they're by
no means the only guilty party.  Pulled at random from recent spams I've
submitted to NJABL are 69.6.4.104, 69.6.4.114, and 69.6.4.156.  whois
@arin.net yields the following:

...
NetRange:   69.6.0.0 - 69.6.63.255
CIDR:       69.6.0.0/18
NetName:    WHOLE-2
NetHandle:  NET-69-6-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.WHOLESALEBANDWIDTH.COM
NameServer: NS2.WHOLESALEBANDWIDTH.COM
...

Where are the swips?  The rest of that record makes no mention of an
rwhois server.  Doing a bunch of whois requests for IPs in that block, I
found only one swip (for a /21).  I realize the ARIN regs don't seem to
require that reassignment info be made available to the public (just to
ARIN), but using your innocent customers (if there are any) as a shield to
hide your spammer customers is just wrong.  Should I block 69.6.4.0/24
from sending email into my systems?  69.6.0.0/18?

http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.104
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.114
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.156

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault