[apops] Fw: HELP, BLOCK: AS Hijack!

  • To: <apops at apops dot net>
  • Subject: [apops] Fw: HELP, BLOCK: AS Hijack!
  • From: "Suresh Ramasubramanian" <suresh at outblaze dot com>
  • Date: Sat, 5 Apr 2003 08:56:15 +0530
  • List-archive: <http://www.apnic.net/mailing-lists/apops/>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>,<mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>,<mailto:apops-request@apops.net?subject=unsubscribe>
  • Organization: Outblaze Limited - http://www.outblaze.com
  • Sender: apops-admin@apops.net
      adjust your filters - your mail admins will thank you for this I think,
      there's massive spam coming out of these netblocks.
      
          srs
      
      On Saturday, April 05, 2003 2:59 AM [GMT+0530=IST],
      Richard Cox <nobody@MANDARIN.ORG> wrote:
      
      > This may partly - but probably not completely - overlap other work and
      > reports here.  For any overlap I apologise ... for my extremely basic
      > knowledge of BGP, I both apologise and grovel ... all clues gratefully
      > accepted.
      >
      > A week or two back it was reported in NZNOG that IP ranges belonging
      > to tower.co.nz had been hijacked - apparently by a spammer in Florida.
      >
      > Today we started looking at spam from 137.171.168.43, looking up that
      > IP resulted in verifiably bogus information.  OK, look back an AS step
      > in the traceroute, got 158.181.123.254 which was assigned to Trafalgar
      > House Group ... London UK ... alarm bells ring because I know that
      > that building's been demolished!  In fact THG was taken over by Aker
      > Kvaerner (based in Norway) and when I managed to reach someone
      > authoritative in the company they confirmed they have no knowledge of
      > the /16.
      >
      > Tom Losnedahl, VP Information Security, Aker Kvaerner, wrote to me:
      >
      > "Thanks for making us aware of the false use of network addresses in
      >  our net 158.181/16.  We are not using this subnet for the time being,
      >  so any Internet traffic using addresses in that net must be bogus.
      >  Please feel free to take necessary actions in order to remove future
      >  illicit traffic from the net."
      >
      > So I'm happy to relay the request for everyone please to block that
      > /16 until this is sorted out.
      >
      > The routing I'm seeing differs from what others tell me they see:
      > so here's the routes I see at the OPTUS looking glass:
      >
      > BGP routing table entry for 137.171.0.0/16, version 119558990
      >   3561 1239 3726 5770 13419
      >     208.173.173.217 from 203.202.143.24 (203.202.143.18)
      >       Origin IGP, metric 19, localpref 50, valid, internal
      >       Community: 7474:1403
      >       Originator : 203.202.143.3, Cluster list: 0.0.0.1
      >
      > BGP routing table entry for 158.181.0.0/16, version 119558991
      >   3561 1239 3726 5770
      >     208.173.173.217 from 203.202.143.20 (203.202.143.18)
      >       Origin IGP, metric 19, localpref 50, valid, internal
      >       Community: 7474:1403
      >       Originator : 203.202.143.3, Cluster list: 0.0.0.1
      >
      > BGP routing table entry for 170.67.0.0/16, version 119558988
      >   3561 1239 3726
      >     208.173.173.217 from 203.202.143.24 (203.202.143.15)
      >       Origin IGP, metric 19, localpref 50, valid, internal
      >       Community: 7474:1403
      >       Originator : 203.202.143.3, Cluster list: 0.0.0.1
      >
      > BGP routing table entry for 217.149.32.0/20, version 118323095
      >   701 1239
      >     157.130.227.181 from 203.202.143.24 (192.65.89.109)
      >       Origin IGP, localpref 50, valid, internal
      >       Community: 7474:1403
      >       Originator : 192.65.89.109, Cluster list: 0.0.0.1
      >
      > AS 13419 currently appears to me to originate:
      >
      > 63.71.125.0/24
      > 63.71.126.0/23
      > 65.207.204.0/22
      > 137.171.16.0/16
      > 205.246.207.0/24
      > 207.41.8.0/24
      > 207.41.9.0/24
      > 207.51.128.0/24
      > 207.51.152/24
      > 207.51.153/24
      >
      > AS 5770: *only* originates 151.181.0.0/16 (see note above)
      > My guess is that at least ASs 5770 and 13419 are bogus.
      >
      > The spam?  Oh, very well then ... here it is:
      >
      >> Return-Path: <tresdfwsf at osk.mitc dot co dot jp>
      >> Received: from nyc1.p20hosting.com (Unverified [137.171.168.43]) by
      >> our.smtp.net with SMTP; Fri, 4 Apr 2003 04:37:21 GMT
      >> Received: (qmail 25996 invoked from network); 21 Mar 2003 09:35:57
      >> -0000
      >> Received: from unknown (HELO relais-ext.globalintranet.net)
      >> (217.57.159.146) by 203.34.205.31 with SMTP; 21 Mar 2003 09:35:57
      >> -0000
      >> Message-ID: <00007c3f6a33$00004eb9$00006723 at mx1.kubota dot co dot jp>
      >> To: <redacted>
      >> From: "beatrice jackson" <tresdfwsf at osk.mitc dot co dot jp>
      >> Subject: re_ As Seen On TV - HGH            26996
      >> Date: Fri, 21 Mar 2003 01:18:24 -1700
      >> MIME-Version: 1.0
      >> Content-Type: text/html; charset="iso-8859-1"
      >> Content-Transfer-Encoding: quoted-printable
      >
      > {HGH bogus claims also redacted!}
      >
      > Richard
      
      -- 
      Suresh Ramasubramanian + mallet @ blackehlo.cluestick.org
      EMail Sturmbannfuehrer + Lower Middle Class Unix Sysadmin
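As an added example (not part of the thread, and not code from either poster), the following script does the two checks described above: it parses the Cisco-style looking-glass entries Richard quotes, pulls the origin AS out of each AS path, flags every prefix whose path involves the ASes he calls bogus (5770 and 13419), and then tests whether the connecting IP from the spam's Received: header falls inside a flagged prefix, which is the "adjust your filters" step. The sample input is the four entries quoted above, trimmed to the header and AS-path lines; the suspect-ASN set is an assumption taken from Richard's guess.

```python
"""Parse looking-glass output into prefix -> AS path and derive a mail filter."""
import ipaddress
import re

# Constructed sample: the four entries quoted in the thread, trimmed to the
# header and AS-path lines the parser needs.
LG_OUTPUT = """\
BGP routing table entry for 137.171.0.0/16, version 119558990
  3561 1239 3726 5770 13419
    208.173.173.217 from 203.202.143.24 (203.202.143.18)
BGP routing table entry for 158.181.0.0/16, version 119558991
  3561 1239 3726 5770
    208.173.173.217 from 203.202.143.20 (203.202.143.18)
BGP routing table entry for 170.67.0.0/16, version 119558988
  3561 1239 3726
    208.173.173.217 from 203.202.143.24 (203.202.143.15)
BGP routing table entry for 217.149.32.0/20, version 118323095
  701 1239
    157.130.227.181 from 203.202.143.24 (192.65.89.109)
"""

ENTRY_RE = re.compile(r"BGP routing table entry for (\S+?),")
PATH_RE = re.compile(r"\s*\d+(\s+\d+)*\s*")  # a line of nothing but ASNs

def parse_lg(text):
    """Map each prefix to its AS path (the numeric line after the entry header)."""
    paths, prefix = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            prefix = m.group(1)
        elif prefix and PATH_RE.fullmatch(line):
            paths[prefix] = [int(asn) for asn in line.split()]
            prefix = None
    return paths

def origin_as(paths, prefix):
    """The origin AS is the last ASN in the path."""
    return paths[prefix][-1]

def suspect_prefixes(paths, suspect_asns):
    """Prefixes whose path passes through or originates at a suspect ASN."""
    return sorted(p for p, path in paths.items() if suspect_asns & set(path))

def ip_blocked(ip, prefixes):
    """True if a connecting IP (e.g. from a Received: header) is in a blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)
```

Feeding it full looking-glass output works too, because the Origin/Community/Originator lines never match PATH_RE; a prefix with the legitimate holder's confirmation (as Aker Kvaerner gave for 158.181/16) is the stronger signal, so treat the ASN match as a lead to verify rather than proof on its own.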