gnarlymarley

allow for whois referral when ARIN relocates an entire range to APNIC or RIPE

We need to have SpamCop automatically detect when an entire IP range is transferred from one registrar to another.  Right now, there are a lot of manual updates being put in to get the reports to the correct destination.  This should be automated so that the correct whois entries can be detected without manual human intervention.
Routing details for 150.107.103.51
[refresh/show] Cached whois for 150.107.103.51 : search-apnic-not-arin@apnic.net
I refuse to bother search-apnic-not-arin@apnic.net.
Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
 Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

I believe this is what it would detect in the code.
ReferralServer:  whois://whois.apnic.net

 

Posted (edited)
3 hours ago, gnarlymarley said:

Routing details for 150.107.103.51
[refresh/show] Cached whois for 150.107.103.51 : search-apnic-not-arin@apnic.net
I refuse to bother search-apnic-not-arin@apnic.net.
Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
 Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

We need to have SpamCop automatically detect when an entire IP range is transferred from one registrar to another.  Right now, there are a lot of manual updates being put in to get the reports to the correct destination.  This should be automated so that the correct whois entries can be detected without manual human intervention.

ReferralServer:  whois://whois.apnic.net

I believe this is what it would detect in the code.

 

Ok, I write this from a "I know nothing" position....  And, I'm throwing it out to all, (I'm not questioning the validity of the post GnarleyMarley🙂)

I thought "I refuse to bother" statement was not bc a fix was required but bc, for whatever reason, SC had made a determination that, for  x specific address, no escalations, could/would have a positive result?

But, the 2nd bit of the post, I need some GM input please, I don't understand:

"ReferralServer:  whois://whois.apnic.net", is this just specific for "apnic", or? 

Nor:

"I believe this is what it would detect in the code", is there more? 

Apologies in advance if I'm missing something obvious!

G🦗H

Edited by MIG


Sorry about that.  Using a Code takes out the links.  Both sections I posted are from the same whois output.  (One is from above and the second from further down.)  If you look at [refresh/show], you can see that it has the ReferralServer entry in the Display data area, but the whois chain stops at the ARIN output without appearing to try to query APNIC.  I would expect SpamCop to follow the ReferralServer between registries like my whois program does, or when it forwards to LACNIC (such as on [refresh/show] for 177.38.191.21).  (I have another example of it not following from 158.140.160.0 below, since the original IP has a manually entered entry on it: Routing details for 150.107.103.51.)  The feature I would like added is to have it automatically follow the referral without any manual intervention.

..........................

Parsing input: 150.107.103.51

Routing details for 150.107.103.51
[refresh/show] Cached whois for 158.140.160.0 : search-apnic-not-arin@apnic.net
I refuse to bother search-apnic-not-arin@apnic.net.

Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

..........................

Tracking details

Display data:
"whois 150.107.103.51@whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois search-apnic-not-arin@apnic.net
150.0.0.0 - 150.255.255.255:search-apnic-not-arin@apnic.net
Routing details for 150.107.103.51
I refuse to bother search-apnic-not-arin@apnic.net.

Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

..........................

Parsing input: 158.140.160.0

Routing details for 158.140.160.0
[refresh/show] Cached whois for 158.140.160.0 : search-apnic-not-arin@apnic.net
I refuse to bother search-apnic-not-arin@apnic.net.

Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.

Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

 


Thank you Gnarlymarley,

I appreciate the extra info & now I understand!

I'm going to post about your post shortly, in the interim, may I ask please: "my whois program", which program are you referring to please?

Thanks!

G🦗H

Posted (edited)
On 6/2/2019 at 7:20 AM, MIG said:

Ok, I write this from a "I know nothing" position....

[Image: iknownothing.jpg]

🙃🤗🤣

Edited by RobiBue

Posted (edited)
On 6/3/2019 at 12:14 AM, gnarlymarley said:

Sorry about that! & the data/explanation.

Hello GnarleyMarley,

Sorry it's taken me a while to get back to you.

Now I get it.

"allow for whois referral when ARIN relocates an entire range to APNIC or RIPE", it's the most logical "allow" I've seen in a while. 

Why not submit to SCA?

& (I'm sure) you'll have seen the above posts from our resident clowns? All I have to say about those is: "look what YOU started!"

Best!

😂G🦗H😂 

Edited by MIG

Posted (edited)
4 hours ago, RobiBue said:

I prefer https://youtu.be/RlsiiWlt35s, I don't like to be called Muriel

🙃🤗🤣

 

RobiBue,

STOP!

🦗s bathroom is not close enough, it's pissing down, the dryer's no longer used, (pathetic attempt to STOP 🌐🔥), finding smalls to fit 🦗 is as difficult as accomplishing the previous.

I'm on 🦗 knees here, for a 🦗, that's a terrifying position!

IF you have a ❤️, have a ❤️ 🙏🙇‍♂️!

Edited by MIG


At this time I am unable to find my RIPE IP (because the link is past 90 days), but it used to be accessible from https://www.spamcop.net/sc?id=z6524466667z591f1e62a326f6b7f0346018215c0821z.  If you have restore capabilities, you can find it.  I noticed this down on Feb 24th, so it would be that day or before.  If I can locate the IP again, I can post it.  (I figure I can post it now and keep searching through all my spam to see if I can find it.)

On 6/2/2019 at 6:20 AM, MIG said:

"ReferralServer:  whois://whois.apnic.net", is this just specific for "apnic", or? 

I am starting to think this is all of them and previously the SCA has been manually putting in the forward from ARIN to APNIC or RIPE or LACNIC, or AFRINIC.

On 6/2/2019 at 10:18 AM, MIG said:

I'm going to post about your post shortly, in the interim, may I ask please: "my whois program", which program are you referring to please?

The whois program I was referring to is the one run by the whois command on FreeBSD, but it also works on Linux the same way.  That program detects the referrer and does a whois lookup at the referred server.

9 hours ago, MIG said:

Why not submit to SCA?

We are, but in this day and age with IPv4 runout, the registrars are dividing and passing small IP blocks back and forth and I imagine the intensity of those transfers will increase.  If this could be automated, it could alleviate the addition of human error (since most of us are getting it from the whois anyway) and also expedite the process of getting updated information.

 


Hello GnarleyMarley,

Thanks for posting back and the information.

Last 1. " Why not submit to SCA?", I meant why not contact SC/Admin and ask them to implement automation of the "allow for whois referral when ARIN relocates an entire range to APNIC or RIPE".

Back later for the remainder of your post, 1st StateofOrigin tonight, offline FAW.

🦗


This forum "New Feature Request" is the correct vehicle to pass suggested changes to the SpamCop tool.

All suggestions are evaluated and prioritized based on their value to the objectives of SC.

16 hours ago, MIG said:

Last 1. " Why not submit to SCA?", I meant why not contact SC/Admin and ask them to implement automation of the "allow for whois referral when ARIN relocates an entire range to APNIC or RIPE".

Ah, I thought you meant the IP range.  I did send a note to the SCA about the possibility of implementing this in Feb, when I also had them fix both a RIPE IP range and an APNIC IP range.  They thought it was a good idea.  I figure I would post it here for the rest to see just in case there was anything else I missed.

5 hours ago, Lking said:

This forum "New Feature Request" is the correct vehicle to pass suggested changes to the SpamCop tool.

 

If I understood the SCA correctly at the time, this was thought to be in the works for the 5.0 upgrade.  I should also admit that I have never seen any typos from the manually fixed entries.

One note, if this is implemented, I am not sure how far one would follow the referrers.  I know IPv6 on Hurricane Electric goes down to data put in when a tunnel was created.  (AKA, by someone setting up a free account at the time.)

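The referral-following behaviour requested in this thread (detect `ReferralServer:` in the ARIN response and query the referred registry), with a bound on how far the chain is followed, as an added example that is not part of any post and is not SpamCop's code. The function names, the registry allowlist, the `max_hops` limit, the `OrgAbuseEmail`/`abuse-mailbox` field matching and the sample responses (including `abuse@example.net`) are assumptions of this example.

```python
import re
import socket

# Assumption: only the five RIR whois servers are accepted as referral targets,
# so a crafted "ReferralServer:" line cannot steer lookups to an arbitrary host.
RIR_WHOIS = {"whois.arin.net", "whois.apnic.net", "whois.ripe.net",
             "whois.lacnic.net", "whois.afrinic.net"}
REFERRAL_RE = re.compile(r"^ReferralServer:\s*(\w+)://([A-Za-z0-9.-]+)", re.M | re.I)
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)\s*$", re.M | re.I)

def whois_query(server, ip, timeout=10):
    """Plain whois lookup over TCP port 43 (needs network access)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def next_server(text):
    """Host named by a whois:// referral to a known registry, else None."""
    m = REFERRAL_RE.search(text)
    if not m or m.group(1).lower() != "whois":
        return None  # no referral, or rwhois:// (a different protocol)
    host = m.group(2).lower()
    return host if host in RIR_WHOIS else None

def follow_referrals(ip, query=whois_query, start="whois.arin.net", max_hops=3):
    """Return (servers queried, last response), following at most max_hops referrals."""
    chain, server = [], start
    while True:
        chain.append(server)
        text = query(server, ip)
        nxt = next_server(text)
        if nxt is None or nxt in chain or len(chain) > max_hops:
            return chain, text  # no referral, a loop, or the hop limit
        server = nxt

def resolve(ip, query=whois_query):
    """Follow referrals, then collect abuse contacts from the final response only."""
    chain, text = follow_referrals(ip, query)
    return chain, sorted(set(ABUSE_RE.findall(text)))

# Constructed responses (not real registry output) so the example runs offline.
SAMPLE = {
    "whois.arin.net": "NetRange:       150.0.0.0 - 150.255.255.255\n"
                      "OrgAbuseEmail:  search-apnic-not-arin@apnic.net\n"
                      "ReferralServer:  whois://whois.apnic.net\n",
    "whois.apnic.net": "inetnum:        150.107.103.0 - 150.107.103.255\n"
                       "abuse-mailbox:  abuse@example.net\n",
}
print(resolve("150.107.103.51", query=lambda server, ip: SAMPLE[server]))
```

Because contacts are taken from the last response in the chain, the placeholder address in the ARIN record is never used once the referral to APNIC succeeds.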

Used to be RIPE objected to SpamCop links of any sort.
So one needs to check with RIPE to see if it is now acceptable?

6 hours ago, Lking said:

This forum "New Feature Request" is the correct vehicle to pass suggested changes to the SpamCop tool.

All suggestions are evaluated and prioritized based on their value to the objectives of SC.

Thanks Master,
G🦗 wasn't clear if the "allow" was a "new feature" request or a "fix existing" SCParser..

G🦗thought "fixes" were facilitated by SCA, clearly G🦗 knows nothing. 

Specific to the "allow" request:  does it have value that matches the objectives of SC?

G🦗🙏

42 minutes ago, petzl said:

One needs to check with RIPE to see if it is now acceptable?

Who  is "One" Petzl?

G🦗🙏

 

38 minutes ago, MIG said:
1 hour ago, petzl said:

One needs to check with RIPE to see if it is now acceptable?

Who  is "One" Petzl?

One in this case is SpamCop's owners
If too many requests (and SpamCop makes a lot), they are like a DoS attack

Posted (edited)

Thanks Petzl.

-------------------------------------------------------------

Surely the way to circumvent false DoS attacks is to define the "allows"?

Ok, I'll bite, who asks Spamcop "owners" to chk with RIPE, is that SCFA or SCA or ? 

or does dummy (G🦗) just ask another dummy question?

G🦗Having a groundhogday

Edited by MIG

Posted (edited)
11 hours ago, MIG said:

Surely the way to circumvent false DoS attacks is to define the "allows"?

SpamCop now tries to cache "look-ups" but would need permission to be allowed to use RIPE
At present SpamCop looks-up 9 spams a second

Edited by petzl

Posted (edited)

"SC now tries to cache "look-ups"

 I know.

I'm trying to work out, if permission was granted, would the "allow" question be resolved?

& referring back to Master's post: "new feature", is the "allow" a new feature or an enhancement/fix to an already existing SC process?

🙏

Edited by MIG

Posted (edited)
On 6/6/2019 at 6:19 PM, MIG said:

I'm trying to work out, if permission was granted, would the "allow" question be resolved?

The answer to the permissions question would not be solved by a permissions grant since SpamCop goes to ARIN and stops.  It does not appear to be trying the other registrars.  As near as I can tell, the "Redirect to ripe" or "Redirect to apnic" or "Redirect to lacnic" or "Redirect to afrinic" that shows up is a manually made entry from http://forum.spamcop.net/forum/39-routing-report-address-issues/ and not automatic.

"whois xx.xx.xx.xx@whois.arin.net" (Getting contact from whois.arin.net )
   Redirect to ripe

As a reminder here, this is happening with more than just RIPE as it is happening with all IP registrars.  It is most notable with APNIC, which has granted full permissions.  Also, I thought there was a whois copy at SpamCop using rsync that would be queried first, which would also

Edited by gnarlymarley
to Remind folks this is not just RIPE, but also APNIC, AFRINIC, and LACNIC too.


Another reason why I would prefer an automated solution over the manual one is that the current solution can override any whois lookup attempts.  Once an entry is made manually, it will constantly need to be manually updated as it can prevent the fresh "whois" link from gathering new contacts.  If an IP range is passed back and forth between (for example) APNIC and ARIN, each pass would require a manual update.

If automated, the system can either expire the cached entry or else the refresh whois link could pull in the updated contacts.
