Re: RIPE Down or DOSed ?

[jlewis () lewis org]

On Thu, 27 Feb 2003, Kai Schlichting wrote:

> Secrecy over a public resource = no oversight = facilitator of abuse.
>
> Why do I get the distinct feeling that this "move" by Level3 is
> aimed not at creating greater customer privacy (it never served
> POC email addresses), or protecting themselves from getting their
> customer base poached by other providers, but at preventing
> people from identifying spamming Level3 customers (of which they
> seem to have 100's) by organization name and being able to
> correlate activity from different netblocks of theirs.

Though I agree, Level3 seems to host a good number of spammers, they're by
no means the only guilty party.  Pulled at random from recent spams I've
submitted to NJABL are 69.6.4.104, 69.6.4.114, and 69.6.4.156.  whois
@arin.net yields the following:

...
NetRange:   69.6.0.0 - 69.6.63.255
CIDR:       69.6.0.0/18
NetName:    WHOLE-2
NetHandle:  NET-69-6-0-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.WHOLESALEBANDWIDTH.COM
NameServer: NS2.WHOLESALEBANDWIDTH.COM
...

Where are the swips?  The rest of that record makes no mention of an
rwhois server.  Doing a bunch of whois requests for IPs in that block, I
found only one swip (for a /21).  I realize the ARIN regs don't seem to
require that reassignment info be made available to the public (just to
ARIN), but using your innocent customers (if there are any) as a shield to
hide your spammer customers is just wrong.  Should I block 69.6.4.0/24
from sending email into my systems?  69.6.0.0/18?

http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.104
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.114
http://www.njabl.org/cgi-bin/lookup.cgi?query=69.6.4.156

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________