On Tuesday 15 January 2013 18.13, Vasile Capdefier wrote:
Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All the information bellow is public, easy to find and Google Translate seems to work most of the times.
From what I know, Jump.RO's business model is to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not *sub-allocate*, not *assign* or similar terms. They don't ask too many questions. They give you IPs faster than other LIRs. They market this as being professional.
All of the Jump.RO's sub-allocations (that I've seen in whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be used when the range is assigned to an end user for services provided by the issuing LIR. This is probably not the case because except the (new) annual fee for the registration service there are no other services provided by that LIR to the end user.
Most of Jump.RO's "end users" are in fact small ISPs that can't afford the RIPE membership fees and bypass the rules of not using PI space for customers by deaggregating Jump's IP space. I don't know about the 12k number, but they have a large client base in the country and neighboring countries.
I also think that Jump is aware of their IPs being in use by spammers as they advertise on their website that new and unused IP blocks cost about 2 times more than "used" ones. They also note that the previously "used" PA space is checked with "MxToolBox" in 120 anti-spam lists [2].
Even though Jump.RO's business model isn't exactly in the spirit of the RIPE region rules or following best practices (no prefix aggregation, but their excuse is that they are not the only ones doing it), I don't think that they are willing to risk their LIR status by defending known spam operations, so reporting well documented cases of false information provided during registration first to RIPE and then to them would probably get them to withdraw the PA from that customer. The ranges found by you clearly suggest that fake information has been used. Only "under construction" sites, nobody ever heard of those companies, all using same ISPs.
With all this said about ro.registry (Jump.RO's LIR id) i'd like to add the following. There are entire LIRs with very large IP allocations and suspicious activities. I'll just list here a few:
(RIPE allocation list publicly available here [3])
Thank you very much, another 1111040 addresses added to my spamblock list. <snipped to save some bandwidth> -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det är billigare att göra rätt. Det är dyrt att laga fel. )