On Wed, Sep 3, 2014 at 10:27 AM, Doug Madory <dmad...@renesys.com> wrote:
> http://www.bgpmon.net/using-bgp-data-to-find-spammers/
>
> This blog post furthers this discussion, but it would have been appropriate 
> to cite my original analysis explicitly, rather than simply citing "some 
> discussion on Nanog recently."
>
> If we want to foster a community where people share expertise on this list, 
> fully citing others' work is essential, as in any professional or academic 
> setting.
>
> Doug Madory
> 603-643-9300 x115
> Hanover, NH
> "The Internet Intelligence Authority"
>

Doug,

Furthering a sense of community through public shaming and allegations
of plagiarism?


> On Aug 31, 2014, at 2:04 PM, Doug Madory <dmad...@renesys.com> wrote:
>
>> FWIW, this is from an IP squatting operation I came across in recent weeks. 
>> I encounter these things regularly in the course of working with BGP data - 
>> probably others do too. Usually I look up the ASN or prefix and often it has 
>> already been added to someone's spam source list. When I see that, I assume 
>> the "system is working" and move on.
>>
>> In this case, starting late Jun, we have seen IP address ranges from around 
>> the world (most ranges are unused, sometimes hijacked space) announced by 
>> one of two (formerly unused) ASNs and routed through another formerly unused 
>> ASN, 57756, then on to Anders (AS39792) and out to the Internet in the 
>> following form:
>>
>>       ... 39792 57756 {3.721, 43239}  prefix
>>
>> The prefixes are only routed for an hour or two before it moves on to the 
>> next range of IP address space. Not sure if this is for spam or something 
>> else. Either way, it is probably associated with something bad. Earlier this 
>> month I reached out to a contact at Anders in Russia and gave him some 
>> details about what was happening. I didn't get a response, but within a 
>> couple of days the routing (mostly) shifted from Anders to through 
>> Petersburg Internet Network (AS44050). I have no idea if this was due to my 
>> email. The day it moved to PIN I sent similar emails to addresses I could 
>> find at PIN, but haven't seen any response. Now these routes take one of 
>> two forms:
>>
>>       ... 39792 57756 {3.721, 43239}  prefix
>>
>> Or
>>
>>       ... 44050 57756 {3.721, 43239}  prefix
>>
>> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has 
>> a lot of peers. I would advise that people treat any route coming through 
>> AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 
>> 28-Jun when it very briefly hijacked some NZ space.
>>
>> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb 
>> about IP squatting for spam generation. Pierre and I have since compared 
>> notes on this topic.
>>
>> -Doug Madory
>
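
The two patterns Doug describes (every path passes through the non-originating AS57756, and each prefix is only routed for an hour or two before moving on) can be turned into a mechanical check over BGP update data. The following is an added example and not code from the original post or from Renesys; the AS path form "... 39792 57756 {3.721, 43239} prefix" and ASN 57756 are taken from the post, while the prefixes (RFC 5737 documentation space), timestamps, the three-hour cut-off and the announce/withdraw event log are constructed for illustration.

```python
"""Flag BGP routes that transit a suspect ASN, and the short-lived
announcements typical of an IP-squatting operation.

Added example, not code from the original post.  AS57756 and the
AS_PATH shape come from the post; everything else below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SUSPECT_TRANSIT = 57756                      # ASN named in the post
ASDOT = re.compile(r"^(\d+)\.(\d+)$")        # asdot notation, e.g. "3.721"
TOKEN = re.compile(r"\{[^}]*\}|\d+(?:\.\d+)?")  # an AS_SET or a single ASN


def parse_asn(tok: str) -> int:
    """Accept asplain ('43239') or asdot ('3.721' == 3*65536+721 == 197329)."""
    m = ASDOT.match(tok.strip())
    if m:
        return int(m.group(1)) * 65536 + int(m.group(2))
    return int(tok)


def parse_as_path(path: str) -> list[frozenset[int]]:
    """Split an AS_PATH string into segments.

    Each AS_SEQUENCE hop becomes a one-element set; an AS_SET such as
    '{3.721, 43239}' becomes a multi-element set (the origin is ambiguous,
    so a match against any member counts).  A leading '...' standing for
    elided upstream hops matches no token and is dropped.
    """
    segs: list[frozenset[int]] = []
    for tok in TOKEN.findall(path):
        if tok.startswith("{"):
            members = (t for t in tok[1:-1].split(",") if t.strip())
            segs.append(frozenset(parse_asn(t) for t in members))
        else:
            segs.append(frozenset([parse_asn(tok)]))
    return segs


def route_flags(path: str, suspect: int = SUSPECT_TRANSIT) -> list[str]:
    """Reasons to distrust a route; an empty list means nothing was seen."""
    segs = parse_as_path(path)
    if not segs:
        return ["empty AS_PATH"]
    flags = []
    if any(suspect in seg for seg in segs[:-1]):        # anywhere before the origin
        flags.append(f"transits AS{suspect}")
    if suspect in segs[-1]:                              # post: it originates nothing
        flags.append(f"AS{suspect} in origin (it originates nothing)")
    return flags


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str          # "A" announce, "W" withdraw
    prefix: str
    as_path: str = ""    # empty for withdrawals


def short_lived_suspect_routes(events, max_age: timedelta = timedelta(hours=3)):
    """Pair each announcement with its withdrawal and return the prefixes
    that transited the suspect ASN for at most max_age (the post's
    'an hour or two'; the three-hour cut-off is an assumption)."""
    live: dict[str, Event] = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "A":
            live[ev.prefix] = ev
        elif ev.action == "W" and ev.prefix in live:
            start = live.pop(ev.prefix)
            age = ev.ts - start.ts
            if route_flags(start.as_path) and age <= max_age:
                hits.append((ev.prefix, age, start.as_path))
    return hits


# Constructed update log (documentation prefixes, invented times).
T = datetime(2014, 6, 28)
SAMPLE_EVENTS = [
    Event(T.replace(hour=9),  "A", "203.0.113.0/24", "174 39792 65000"),
    Event(T.replace(hour=10), "A", "192.0.2.0/24",   "174 39792 57756 {3.721, 43239}"),
    Event(T.replace(hour=11, minute=30), "W", "192.0.2.0/24"),
    Event(T.replace(hour=12), "A", "198.51.100.0/24", "174 44050 57756 43239"),
    Event(T.replace(hour=13), "W", "198.51.100.0/24"),
    Event(T.replace(hour=14), "A", "192.0.2.0/24",   "174 39792 57756 {3.721, 43239}"),
    Event(datetime(2014, 7, 1), "W", "192.0.2.0/24"),     # long-lived: not a hit
    Event(datetime(2014, 7, 5), "W", "203.0.113.0/24"),   # clean path: not a hit
]

if __name__ == "__main__":
    for prefix, age, path in short_lived_suspect_routes(SAMPLE_EVENTS):
        print(f"{prefix:16} up {age}  via {path}")
```

Running the script on the constructed log lists 192.0.2.0/24 (1.5 h) and 198.51.100.0/24 (1 h); the re-announcement of 192.0.2.0/24 that stays up for days is not reported, so the age filter is doing work beyond the plain AS57756 match. Feeding it real data means replacing SAMPLE_EVENTS with updates parsed from a collector dump; the AS_SET handling matters there because, as in the post, the squatted prefixes carry an aggregated origin.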
