Re: RIPE Down or DOSed ?

[Kai Schlichting <kai () pac-rim net>]

On 2/27/2003 at 9:58 PM, jlewis () lewis org wrote:

> ...
> NetRange:   69.6.0.0 - 69.6.63.255
> CIDR:       69.6.0.0/18
> NetName:    WHOLE-2
> NetHandle:  NET-69-6-0-0-1
> Parent:     NET-69-0-0-0-0
> NetType:    Direct Allocation
> NameServer: NS1.WHOLESALEBANDWIDTH.COM
> NameServer: NS2.WHOLESALEBANDWIDTH.COM
> ...

> Where are the swips?  The rest of that record makes no mention of an
> rwhois server.  Doing a bunch of whois requests for IPs in that block, I
> found only one swip (for a /21).  I realize the ARIN regs don't seem to
> require that reassignment info be made available to the public (just to
> ARIN), but using your innocent customers (if there are any) as a shield to
> hide your spammer customers is just wrong.  Should I block 69.6.4.0/24
> from sending email into my systems?  69.6.0.0/18?

Correct answer: the /18, and then some.

Oh, how you wished you hadn't posted this to the list (and Cc:'d
wholesalebandwidth.com on it), but chosen reply-to-poster :)

Random example from this block appearing in my rejects:
http://www.openrbl.org/lookup?i=69.6.4.153 or: "I see red!"

Extended answer directly from my auto-complaint override map:

 'as:26956' => 'as:17054,isp:cogent', # netfreeinc.com/wholesalebandwidth.com - rogue AS
 'as:11938' => 'abuse () yipes com,isp:verio', # wholesalebandwidth.com - rogue AS
 'as:17054' => 'abuse () e-xpedient com,isp:genuity,abuse () yipes com,isp:gblx', # e-xpedient.com - rogue AS?

Anything announced out of 26956 and 11938 goes straight to the sendmail
access file here, and given the various pointers from OTHER rogues back
to 17054, e-xpedient.com routes will be there RSN, too.


And if you thought /18 is a big block in spammer-hand, go check out various
DNSBLs for listings and the history of AS's announcing portions of:

142.105.0.0/16
162.73.0.0/16
160.122.0.0/16
157.156.0.0/16
138.121.0.0/16
160.116.0.0/16
144.176.0.0/16
146.100.0.0/16