ARIN Spams?

[vindicator]

Again, I'm pretty new to reporting, but was shocked to find the sender 23.170.165.40 to be an ARIN-owned IP, which may be why SC gives "No reporting addresses found".

But the POC IS found if searched (maybe this message should be in the sublisting):

https://whois.arin.net/rest/net/NET-23-0-0-0-0/pft?s=23.170.165.40

https://whois.arin.net/rest/poc/ARIN-HOSTMASTER.html

I REALLY find the timing of this email to be suspect considering I contacted them earlier today (though their reply came from a 199.43* address): 

(man, I like how this forum works, much like github)

[Lking]

It would be helpful if you could provide a Tracking URL for examples of spam you are referencing.

Take a look at to see an example of what a Tracking URL (third line, long blue link) can be found.  You should Cut&past the Tracking URL into you post so that everyone can see the original spam, what the parser did, and thus better understand you question.

[vindicator]

https://www.spamcop.net/sc?id=z6365977357z8a69e9ff1345099192b9ce1d3523e8b9z

EDIT (Sanitizing): You'll note that I sanitize anything that looks like it may link to me. I know of one way I don't sanitize that MAY still be used to identify me, but I won't mention it (no one knows who may be lurking).

[vindicator]

Based on my new thread in the subtopic regarding an APNIC address, I tried running whois in linux for the IP address I mention in my OP.

Interestingly, it came back that no match was found which is bizarre enough in it's own right. I don't even know what to think of that.

When I used the -B and -a flags, I got more information, but still nothing usable:

$ whois -B -a 23.170.165.40
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '23.0.0.0 - 23.252.65.255'

% No abuse contact registered for 23.0.0.0 - 23.252.65.255

inetnum:        23.0.0.0 - 23.252.65.255
netname:        NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr:          IPv4 address block not managed by the RIPE NCC
remarks:        ------------------------------------------------------
remarks:
remarks:        You can find the whois server to query, or the
remarks:        IANA registry to query on this web page:
remarks:        http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks:        You can access databases of other RIRs at:
remarks:
remarks:        AFRINIC (Africa)
remarks:        http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks:        APNIC (Asia Pacific)
remarks:        http://www.apnic.net/ whois.apnic.nett
remarks:
remarks:        ARIN (Northern America)
remarks:        http://www.arin.net/ whois.arin.net
remarks:
remarks:        LACNIC (Latin America and the Carribean)
remarks:        http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks:        IANA IPV4 Recovered Address Space
remarks:        http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks:        ------------------------------------------------------
country:        EU # Country is really world wide
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
created:        2016-04-14T14:35:56Z
last-modified:  2016-04-14T14:35:56Z
source:         RIPE

role:           Internet Assigned Numbers Authority
address:        see http://www.iana.org.
e-mail:         bitbucket@ripe.net
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at http://www.iana.org.
mnt-by:         RIPE-NCC-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2001-09-22T09:31:27Z
source:         RIPE

% Information related to '23.170.128.0/18AS24091'

route:          23.170.128.0/18
origin:         AS24091
mnt-by:         MAINT-MGR-RIPE
created:        2017-03-08T14:30:56Z
last-modified:  2017-03-08T14:30:56Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU)

 

[Lking]

There does seem to be an ongoing difference between the obligations domain name registrars have to ICANN (and the rest of the www) and how those obligations are executed/enforced.  For more on this see KnujOn

[vindicator]

I had forgotten about that whole pharmacy deal. Feels like it was even longer ago than that to me.

I did get a reply from ARIN regarding the unattached IP spam:

Quote

If an Organization fails to pay their invoice, their IP ranges are revoked 
and from Whois standpoint, are returned to ARIN.

Generally, these IP addresses on in a limbo state while between 
organizations.

However, sometimes Organizations will fail to pay their invoice, have 
their resources removed and continue announcing them (or, unfortunately 
spamming).

Since you've submitted a Whois Inaccuracy Report, a member of our team 
that reviews those requests will be in touch with you.

But I have not yet heard back about the inaccuracy report. I had just gotten another spam from that range 23.175.189.83.

It's disheartening to find that they still have the ability to continue using the IPs. There needs to be another cut-off method that involves whatever pipe they use.

I should probably look more into how these addresses get used and piped out. It's like now that I know that range is (unattached?), that I could start broadcasting ownership of them. Or for that matter, any range. I'd have to see how the routing all plays into it.

I tried tracing it from 2 locations and ended up in the void.