On Wed, Sep 3, 2014 at 10:27 AM, Doug Madory <dmad...@renesys.com> wrote:
> http://www.bgpmon.net/using-bgp-data-to-find-spammers/
>
> This blog post furthers this discussion, but it would have been appropriate
> to cite my original analysis explicitly, rather than simply citing "some
> discussion on Nanog recently."
>
> If we want to foster a community where people share expertise on this list,
> fully citing others' work is essential, as in any professional or academic
> setting.
>
> Doug Madory
> 603-643-9300 x115
> Hanover, NH
> "The Internet Intelligence Authority"
>
Doug,

Furthering a sense of community through public shaming and allegations of
plagiarism?

> On Aug 31, 2014, at 2:04 PM, Doug Madory <dmad...@renesys.com> wrote:
>
>> FWIW, this is from an IP squatting operation I came across in recent weeks.
>> I encounter these things regularly in the course of working with BGP data -
>> probably others do too. Usually I look up the ASN or prefix and often it has
>> already been added to someone's spam source list. When I see that, I assume
>> the "system is working" and move on.
>>
>> In this case, starting late Jun, we have seen IP address ranges from around
>> the world (most ranges are unused, sometimes hijacked space) announced by
>> one of two (formerly unused) ASNs and routed through another formerly unused
>> ASN, 57756, then on to Anders (AS39792) and out to the Internet in the
>> following form:
>>
>> ... 39792 57756 {3.721, 43239} prefix
>>
>> The prefixes are only routed for an hour or two before it moves on to the
>> next range of IP address space. Not sure if this is for spam or something
>> else. Either way, it is probably associated with something bad. Earlier this
>> month I reached out to a contact at Anders in Russia and gave him some
>> details about what was happening. I didn't get a response, but within a
>> couple of days the routing (mostly) shifted from Anders to Petersburg
>> Internet Network (AS44050). I have no idea if this was due to my email. The
>> day it moved to PIN I sent similar emails to addresses I could find at PIN,
>> but haven't seen any response. Now these routes take one of two forms:
>>
>> ... 39792 57756 {3.721, 43239} prefix
>>
>> Or
>>
>> ... 44050 57756 {3.721, 43239} prefix
>>
>> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has
>> a lot of peers. I would advise that people treat any route coming through
>> AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since
>> 28-Jun when it very briefly hijacked some NZ space.
>>
>> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb
>> about IP squatting for spam generation. Pierre and I have since compared
>> notes on this topic.
>>
>> -Doug Madory
>
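The two heuristics in the quoted Aug 31 message (flag any AS path that carries AS57756, and look for prefixes that are announced for only an hour or two before the operation moves on) are easy to automate against a BGP update feed. The following is an added example and not code from the thread, from Renesys or from BGPmon: a small Python scanner over a constructed sample of update lines in a bgpdump-like pipe-separated layout. The ASNs and the path shape `... 39792 57756 {3.721, 43239} prefix` come from the message; the prefixes (RFC 5737 documentation ranges), the peer address, the timestamps and the two-hour lifetime threshold are assumptions made for the example. The AS_SET member `3.721` is asdot notation for a 4-byte ASN and is converted to asplain (3 * 65536 + 721 = 197329), which is how most tooling will print it.

```python
"""Scan BGP updates for paths carrying a suspect transit ASN and for
short-lived announcements.  Added example; not code from the NANOG thread."""
import re

# Constructed sample, loosely in bgpdump's pipe-separated BGP4MP layout:
#   type|unix_time|A(nnounce)/W(ithdraw)|peer_ip|peer_as|prefix|as_path|origin
# Withdrawals carry no AS path.  Prefixes are documentation ranges and the
# timestamps are invented; only the ASNs and the path shape come from the thread.
SAMPLE_UPDATES = """\
BGP4MP|1403913600|A|10.0.0.1|174|203.0.113.128/25|174 39792 57756|IGP
BGP4MP|1403914200|W|10.0.0.1|174|203.0.113.128/25
BGP4MP|1404000000|A|10.0.0.1|174|192.0.2.0/24|174 39792 57756 {3.721,43239}|IGP
BGP4MP|1404000000|A|10.0.0.1|174|198.51.100.0/24|174 3356 15169|IGP
BGP4MP|1404005400|W|10.0.0.1|174|192.0.2.0/24
BGP4MP|1404005460|A|10.0.0.1|174|203.0.113.0/24|174 44050 57756 {3.721, 43239}|IGP
BGP4MP|1404009060|W|10.0.0.1|174|203.0.113.0/24
"""

SUSPECT_ASN = 57756              # the transit ASN named in the thread
MAX_LIFETIME_SECONDS = 2 * 3600  # assumption: "an hour or two" before moving on


def parse_asn(token):
    """Accept both asplain ('43239') and asdot ('3.721') notation."""
    if "." in token:
        high, low = token.split(".", 1)
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(text):
    """Return the path as a list of ints; an AS_SET becomes a frozenset."""
    path = []
    for tok in re.findall(r"\{[^}]*\}|\S+", text):
        if tok.startswith("{"):
            members = re.split(r"[\s,]+", tok.strip("{}").strip())
            path.append(frozenset(parse_asn(m) for m in members if m))
        else:
            path.append(parse_asn(tok))
    return path


def asn_role(path, asn):
    """'origin' if asn is in the last segment, 'transit' if it is anywhere
    earlier in the path, None if the path does not carry it at all."""
    def holds(segment):
        return asn in segment if isinstance(segment, frozenset) else segment == asn

    if not path:
        return None
    if holds(path[-1]):
        return "origin"
    if any(holds(segment) for segment in path[:-1]):
        return "transit"
    return None


def scan_updates(text, suspect=SUSPECT_ASN, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return (flagged, short_lived):
    flagged     - (prefix, role, raw path) for every announcement whose path
                  carries the suspect ASN, in time order
    short_lived - (prefix, seconds) for announcements withdrawn again within
                  max_lifetime, the "routed for an hour or two" pattern."""
    flagged, short_lived = [], []
    announced_at = {}  # prefix -> unix time of its most recent announcement
    rows = [line.split("|") for line in text.splitlines() if line.strip()]
    rows.sort(key=lambda r: int(r[1]))  # stable sort keeps ties in file order
    for r in rows:
        ts, kind, prefix = int(r[1]), r[2], r[5]
        if kind == "A":
            role = asn_role(parse_as_path(r[6]), suspect)
            if role:
                flagged.append((prefix, role, r[6]))
            announced_at[prefix] = ts
        elif kind == "W" and prefix in announced_at:
            lifetime = ts - announced_at.pop(prefix)
            if lifetime <= max_lifetime:
                short_lived.append((prefix, lifetime))
    return flagged, short_lived


if __name__ == "__main__":
    flagged, short_lived = scan_updates(SAMPLE_UPDATES)
    for prefix, role, path in flagged:
        print(f"AS{SUSPECT_ASN} as {role}: {prefix} via {path}")
    for prefix, seconds in short_lived:
        print(f"short-lived: {prefix} withdrawn after {seconds // 60} min")
```

On the sample, the two squatting-style announcements are reported with AS57756 in the transit role and the 203.0.113.128/25 line is reported with it in the origin role (the "briefly hijacked" case the message mentions); the benign 198.51.100.0/24 route is neither flagged nor short-lived. Against a real feed (a bgpdump of RIS or RouteViews updates) the same two lists are the starting point for a prefix-by-prefix timeline, and the lifetime threshold should be tuned to what the feed actually shows rather than taken from the example.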