vindicator

ARIN Spams?

6 posts in this topic

Again, I'm pretty new to reporting, but was shocked to find the sender 23.170.165.40 to be an ARIN-owned IP, which may be why SC gives "No reporting addresses found".

But the POC IS found if searched (maybe this message should be in the sublisting):

https://whois.arin.net/rest/net/NET-23-0-0-0-0/pft?s=23.170.165.40

https://whois.arin.net/rest/poc/ARIN-HOSTMASTER.html

I REALLY find the timing of this email to be suspect considering I contacted them earlier today (though their reply came from a 199.43* address): 

(man, I like how this forum works, much like github)


It would be helpful if you could provide a Tracking URL for examples of spam you are referencing.

Take a look at to see an example of where a Tracking URL (third line, long blue link) can be found. You should cut and paste the Tracking URL into your post so that everyone can see the original spam and what the parser did, and thus better understand your question.


Based on my new thread in the subtopic regarding an APNIC address, I tried running whois in linux for the IP address I mention in my OP.

Interestingly, it came back that no match was found, which is bizarre enough in its own right. I don't even know what to think of that.

When I used the -B and -a flags, I got more information, but still nothing usable:

$ whois -B -a 23.170.165.40
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '23.0.0.0 - 23.252.65.255'

% No abuse contact registered for 23.0.0.0 - 23.252.65.255

inetnum:        23.0.0.0 - 23.252.65.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks:        You can access databases of other RIRs at:
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
remarks:        http://www.apnic.net/ whois.apnic.nett
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        IANA IPV4 Recovered Address Space
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
created:        2016-04-14T14:35:56Z
last-modified:  2016-04-14T14:35:56Z
source:         RIPE

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
e-mail:         bitbucket@ripe.net
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2001-09-22T09:31:27Z
source:         RIPE

% Information related to '23.170.128.0/18AS24091'

route:          23.170.128.0/18
origin:         AS24091
mnt-by:         MAINT-MGR-RIPE
created:        2017-03-08T14:30:56Z
last-modified:  2017-03-08T14:30:56Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU)

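Added example (not code from the thread or from any registry): the RIPE answer above is a referral, not an allocation record. The netname NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK says RIPE does not hold this space, the remarks list the other RIRs' whois servers, and the server comment says no abuse contact is registered there. The script below parses RPSL output of that shape, pulls out the referral hosts, and flags that the route object RIPE does return (23.170.128.0/18, AS24091) covers the address even though the allocation is not in that database, which is the kind of mismatch worth checking with the managing RIR. The sample text is a constructed, shortened copy of the output quoted above; the `whois -h` hosts and the RDAP URL in `suggested_queries` are assumed standard endpoints, not taken from the thread.

```python
"""Decide where to re-query when a whois lookup lands at the wrong RIR.

Added example for this thread, not code from the original posts or from
any registry. SAMPLE_RIPE_OUTPUT is a constructed, shortened copy of the
RIPE output quoted in the thread; the hosts and URL used by
suggested_queries() are assumed standard endpoints.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: what the thread's `whois 23.170.165.40` returned from RIPE
SAMPLE_RIPE_OUTPUT = """\
% Information related to '23.0.0.0 - 23.252.65.255'

% No abuse contact registered for 23.0.0.0 - 23.252.65.255

inetnum:        23.0.0.0 - 23.252.65.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
status:         ALLOCATED UNSPECIFIED
source:         RIPE

% Information related to '23.170.128.0/18AS24091'

route:          23.170.128.0/18
origin:         AS24091
mnt-by:         MAINT-MGR-RIPE
source:         RIPE
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
WHOIS_HOST_RE = re.compile(r"\b(whois\.[a-z]+\.net)\b")


def parse_rpsl(text):
    """Split RPSL output into objects: a list of {attribute: [values]}.

    Objects are separated by blank lines; lines starting with '%' are
    server comments and are skipped here.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects


def analyse(ip, text):
    """Classify a whois answer for `ip` and record what to query next."""
    addr = ip_address(ip)
    result = {
        "managed_here": True,      # does this database hold the allocation?
        "refer_to": [],            # whois servers named in the referral remarks
        "abuse_registered": "No abuse contact registered" not in text,
        "abuse_mailboxes": [],
        "routes": [],              # (prefix, origin) route objects covering ip
        "route_without_allocation": False,
    }
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            if "NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK" in obj.get("netname", []):
                result["managed_here"] = False
                for remark in obj.get("remarks", []):
                    m = WHOIS_HOST_RE.search(remark)
                    if m:
                        result["refer_to"].append(m.group(1))
            result["abuse_mailboxes"] += obj.get("abuse-mailbox", [])
        elif "route" in obj and addr in ip_network(obj["route"][0], strict=False):
            result["routes"].append((obj["route"][0], obj["origin"][0]))
    # A route object in a database that does not manage the space is not
    # evidence of a valid allocation; confirm it with the managing RIR.
    result["route_without_allocation"] = bool(result["routes"]) and not result["managed_here"]
    return result


def suggested_queries(ip, result):
    """Next lookups to run (assumed standard whois ports and ARIN RDAP URL)."""
    cmds = ["whois -h %s %s" % (host, ip) for host in result["refer_to"]]
    if "whois.arin.net" in result["refer_to"]:
        cmds.append("curl -s https://rdap.arin.net/registry/ip/%s" % ip)
    return cmds


if __name__ == "__main__":
    report = analyse("23.170.165.40", SAMPLE_RIPE_OUTPUT)
    for key, value in report.items():
        print("%-26s %s" % (key + ":", value))
    for cmd in suggested_queries("23.170.165.40", report):
        print("next:", cmd)
```

Run against the sample, the report says the block is not managed by RIPE, refers you to whois.arin.net and whois.lacnic.net, has no abuse contact registered, and carries a route object for 23.170.128.0/18 from AS24091 despite the missing allocation. The same check applies to the revoked-but-still-announced case ARIN describes further down: a prefix that is announced, or has a route object somewhere, while the managing RIR shows no current holder.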

There does seem to be an ongoing difference between the obligations domain name registrars have to ICANN (and the rest of the www) and how those obligations are executed/enforced. For more on this see KnujOn.


I had forgotten about that whole pharmacy deal. Feels like it was even longer ago than that to me.

I did get a reply from ARIN regarding the unattached IP spam:

Quote

If an Organization fails to pay their invoice, their IP ranges are revoked and, from a Whois standpoint, are returned to ARIN.

Generally, these IP addresses are in a limbo state while between organizations.

However, sometimes Organizations will fail to pay their invoice, have their resources removed and continue announcing them (or, unfortunately, spamming).

Since you've submitted a Whois Inaccuracy Report, a member of our team that reviews those requests will be in touch with you.

But I have not yet heard back about the inaccuracy report. I had just gotten another spam from that range, 23.175.189.83.

It's disheartening to find that they still have the ability to continue using the IPs. There needs to be another cut-off method that involves whatever pipe they use.

I should probably look more into how these addresses get used and piped out. It's like now that I know that range is (unattached?), I could start broadcasting ownership of them. Or for that matter, any range. I'd have to see how the routing all plays into it.

I tried tracing it from 2 locations and ended up in the void.
