Looks like ">" quoting in Outlook has other plans when converted to plain text. 
Sorry about that folks.

Ryan Hamel

________________________________
From: Ryan Hamel via NANOG <[email protected]>
Sent: Sunday, January 18, 2026 2:55 PM
To: North American Network Operators Group <[email protected]>
Cc: Intergalactic Auditor <[email protected]>; Ryan Hamel 
<[email protected]>
Subject: Re: Weird routing pattern - Atlanta device hitting Argentine ISP + 
unknown EU endpoint


Could you provide more information to go along with this? What exactly are you 
trying to reach at Apple, and the originating ASN/carrier where you are seeing 
this behavior? Depending on the service, it could be a cache box for Apple TV+, 
or something CDN related.

Reformatting your email for readability.

---


  * Expected: Apple infrastructure (17.x.x.x)
  * Actual destinations:
    - 109.1.2.1 (SFR France, INFRA-SBT, [email protected])
    - 200.3.10.2 (INTERWEB-DAIREAUX Argentina, 200.3.10.0/23)
    - 67.1.2.1 (CenturyLink)
    - 184.0.0.13 (CenturyLink)
    - 136.3.5.1 (AWS)
  * Pattern: TLS 1.3, 02:00-03:30 local, multiple clients. Geographic spread
    makes no sense (EU + small Argentine ISP from US).
  * Possible C2/exfil. Worth checking your flows for 109.1.0.0/17 and
    200.3.10.0/23 from non-EU/LACNIC sources.

---

Ryan Hamel

________________________________
From: Intergalactic Auditor via NANOG <[email protected]>
Sent: Sunday, January 18, 2026 1:27 PM
To: North American Network Operators Group <[email protected]>
Cc: Intergalactic Auditor <[email protected]>
Subject: Weird routing pattern - Atlanta device hitting Argentine ISP + unknown 
EU endpoint


Hey NANOG,

Seeing some odd routing from an Atlanta device that seems to lack logic to say 
the least. Thought I'd shed some light on it....

Expected: Apple infrastructure (17.x.x.x) Actual destinations: - 109.1.2.1 (SFR 
France, INFRA-SBT, [email protected]) - 200.3.10.2 (INTERWEB-DAIREAUX 
Argentina, 200.3.10.0/23) - 67.1.2.1 (CenturyLink) - 184.0.0.13 (CenturyLink) - 
136.3.5.1 (AWS) Pattern: TLS 1.3, 02:00-03:30 local, multiple clients 
Geographic spread makes no sense (EU + small Argentine ISP from US). Possible 
C2/exfil. Worth checking your flows for 109.1.0.0/17 and 200.3.10.0/23 from 
non-EU/LACNIC sources. - Joseph II
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/4JGO4QLYPD4JA2HUWJPH5ZEQMOXJJAHC/
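
The flow check suggested in the thread, as an added example that is not from either poster: it filters flow records for destinations inside 109.1.0.0/17 and 200.3.10.0/23 during the 02:00-03:30 local window and groups the hits by client. The CSV layout, the internal source addresses, and the use of destination port 443 as a stand-in for TLS (flow records do not carry the TLS version) are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, time

# Prefixes and time window taken from the thread.
WATCH_PREFIXES = [ipaddress.ip_network(p) for p in ("109.1.0.0/17", "200.3.10.0/23")]
WINDOW_START, WINDOW_END = time(2, 0), time(3, 30)

# Constructed sample flows: local timestamp, src, dst, dst port.
# Source addresses are RFC 1918 placeholders, not data from the thread.
SAMPLE_FLOWS = """\
2026-01-18T02:14:09,10.20.0.15,109.1.2.1,443
2026-01-18T02:41:55,10.20.0.22,200.3.10.2,443
2026-01-18T03:05:12,10.20.0.15,200.3.11.40,443
2026-01-18T03:45:00,10.20.0.15,109.1.2.1,443
2026-01-18T02:20:00,10.20.0.31,17.253.144.10,443
2026-01-18T02:50:00,10.20.0.22,109.1.130.7,443
malformed,line
"""

def parse_flows(text):
    """Yield (datetime, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.strip().split(",")
            yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(port))
        except ValueError:
            continue  # wrong field count, bad timestamp, bad address or port

def hunt(text, port=443):
    """Map each client to the watched destinations it reached inside the window."""
    hits = defaultdict(set)
    for ts, src, dst, dport in parse_flows(text):
        in_window = WINDOW_START <= ts.time() <= WINDOW_END
        watched = any(dst in net for net in WATCH_PREFIXES)
        if in_window and watched and dport == port:
            hits[str(src)].add(str(dst))
    return {client: sorted(dsts) for client, dsts in hits.items()}

if __name__ == "__main__":
    for client, dsts in sorted(hunt(SAMPLE_FLOWS).items()):
        print(client, "->", ", ".join(dsts))
```

The 109.1.130.7 row falls inside the time window but outside the /17, and the 03:45 row matches the prefix but not the window, so neither is reported.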
