Apparently, not all routing funny business involves hijacked IP address
space.

I was just doing some preliminary testing of a tool which I hope will
allow me to automate more of my spam reporting process.  I don't like
to report spam to the registered owner of the smallest containing IP
address block of the spam source because a substantial fraction of the
time, those are the very people actually doing the spamming.  So I prefer
instead to send spam reports to the designated abuse contacts for the
entire relevant ASN.

Fortunately, these days, for most RIPE and ARIN ASNs at least, the relevant
abuse reporting address for any given ASN is easy to obtain, and obtaining
those email addresses may be done in a fully automated fashion from the
relevant ASN WHOIS records.  But as I have only just now learned, while I
was doing preliminary testing on my simple software tool, there are some
exceptional cases where mapping an ASN to a corresponding abuse reporting
address becomes problematic.

Specifically, I have noticed some spammers camped out on a block of IPv4
addresses that are currently routed by AS65021.  The whois.iana.org WHOIS
server tells me that this is a reserved ASN, and that it doesn't actually
belong to anybody at all.  Thus, my rather simple Perl script which attempts
to find a proper reporting email address for this one specific spammer
infestation fails rather horribly.

The CIDRs currently being routed by AS65021 are:

31.13.210.0/24
31.13.241.0/24
87.120.104.0/24
87.120.253.0/24
87.120.255.0/24
87.121.116.0/24
93.123.64.0/24
216.99.221.0/24  (seen by bgp.he.net)

Some of these have been routed by (bogus) AS65021 since 2018-12-03.

All of those CIDRs are properly registered to cloudware.bg except for the
last one which is registered to International Payout Systems Inc. (Florida).

Apparently, cloudware.bg is part of Neterra, Ltd. of Bulgaria (AS34224):

https://www.cloudware.bg/en/about
        "As part of Neterra..."

I would say that this is just a very temporary mishap, and a temporary
"fat fingered" anomaly if it were not for the fact that some of these
routes have, according to RIPE Routing History, been continuously
announced for over four full months now.

Can anyone explain this to me?  Please? I have more than a little trouble
understanding why a company like Neterra, Ltd., which -does- already have
its very own ASN (AS34224), feels the need to effectively steal a reserved
ASN for their own private use.  Are new AS numbers really all that expensive
in the RIPE region, so that some businesses might be motivated to save some
money by just grabbing onto one of the reserved ones?

None of this makes particularly much sense, but I do plan to send email to
Neterra, Ltd. in order to ask them what the devil goes on here.  Mostly, I
am just reporting this here as a sort of indirect way of asking other
people on the list for their opinions about Neterra, Ltd. of Bulgaria.
Is that company in the habit of doing routing funny business?

For my own part, all I can say is that this is certainly not the first time
that I have encountered that company name... and not in a good way.


Regards,
rfg
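
An added example, not part of the original post and not the author's Perl script: a pre-check a reporting tool could run before the ASN WHOIS lookup, so that an origin such as AS65021 is recognised as falling in a special-purpose range and the report is directed at the nearest ordinary ASN in the path instead. The function names are hypothetical and the AS path in the demo is constructed, not observed routing data.

```python
# Added example (not from the original post). Ranges are from the IANA
# special-purpose AS numbers registry; RFC numbers are given per entry.
SPECIAL_PURPOSE = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

def parse_asn(text):
    """Accept 'AS65021', '65021' or asdot '1.10'; return the 32-bit integer."""
    t = text.strip().upper()
    if t.startswith("AS"):
        t = t[2:]
    if "." in t:
        hi, lo = (int(p) for p in t.split("."))
        if not (0 <= hi <= 0xFFFF and 0 <= lo <= 0xFFFF):
            raise ValueError(f"bad asdot ASN: {text!r}")
        return hi * 65536 + lo
    asn = int(t)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {text!r}")
    return asn

def special_purpose(asn):
    """Return the registry label if asn is special-purpose, else None."""
    for lo, hi, label in SPECIAL_PURPOSE:
        if lo <= asn <= hi:
            return label
    return None

def reportable_asn(as_path):
    """Walk the path from the origin (rightmost) and return the first ASN that
    can have a WHOIS abuse contact, plus the special-purpose ASNs skipped."""
    skipped = []
    for token in reversed(as_path.split()):
        asn = parse_asn(token)
        label = special_purpose(asn)
        if label is None:
            return asn, skipped
        if (asn, label) not in skipped:   # collapse AS-path prepending
            skipped.append((asn, label))
    return None, skipped

if __name__ == "__main__":
    # Constructed AS path for illustration, not observed routing data.
    print(reportable_asn("34224 65021 65021"))
```

When `reportable_asn` returns `None` as the ASN, the path holds no registrable ASN at all, and the tool has to fall back to the WHOIS record of the prefix itself.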
