North American Network Operators Group


Re: Hijacked IP space.

  • From: william
  • Date: Tue Nov 04 08:36:32 2003

> Correct.  Unfortunately, that's my old block and I wasn't quite ready to
> hand it back since I'd sort of wanted to announce it again.  I've been
> trying to chase down C&W as the upstream of AS 30080, the jokers who've
> been pulling this stuff for quite some time with other blocks.
C&W received quite a number of reports about abuse from AS30080, I'm very 
surprised they have not reacted yet (in previous cases of hijacked blocks, 
C&W acted on par with other large networks). The two ip blocks 
199.245.138.0/24 and 204.89.224.0/24 are actually hijacked in a rather 
unique way by getting an old @netcom.com email account forwarded to 
hijackers (who is presumably a customer of earthlink). Nanog has just 
seen confirmation from one of these people whose ip block has been 
hijacked this way, for the other block you can see the data file at
http://www.completewhois.com/hijacked/files/199.245.138.0.txt

The 3rd ip block used by as30080 is 192.107.49.0/24 and there ARIN already 
deleted this block from whois (but AS30080 still announces it). I'm certain
C&W knows about all the issues with those blocks (I actually only emailed 
them once, but I know others did it quite a bit more than once and a C&W
person is present at hijacked mail list too). It would really be good if 
C&W finally took a stand on this and stopped this clearly bad activity 
from their customer (not to mention that there are an uncountable number of 
unsolicited emails all originating in those blocks, I've received more 
than two dozen in the last months just on a couple of accounts). If C&W does not 
take a stand and at least explain why as30080 is still their customer 
(public if possible or private to those individuals and organizations 
looking into this matter), then more active measures may have to be taken 
that may very well cost C&W a lot more money in legal fees.

> I'm starting to figure that, given the delays, there's been enough damage
> done that 204.89.224/24 will never be able to get off the blocking lists
> anyway, so perhaps I'll turn it back in after all. *sigh*  That's what
> I get for trying to find low-cost ISPs willing to announce portable
> space.
You should not be asking somebody to announce this space while whois is 
not fixed and current and while it's still announced by somebody else. 
Afterwards, I'm sure you will be able to find somebody to announce the 
space (as long as the original company the ip block has been assigned to is 
still around and you still represent it). 204.89.224.0/24 has not been on 
blacklists too long yet (no more than 10 days) and it's not too "contaminated"
yet and should be reusable fairly easily once you post on a couple of appropriate
mail lists that the real ip block owner is now announcing it.

-- 
William Leibzon
Elan Networks
[email protected]