On Sat, Jan 12, 2013 at 08:43:11PM +0100, Karl-Josef Ziegler wrote:
Hello!
Today I got a spam for pillz (CAPRXPHARMACY.RU) 'hosted' at IP 84.22.104.117. This IP is of course listed at Spamhaus:
http://www.spamhaus.org/sbl/query/SBL99505
and this 'hoster' has a very long list (118 entries) at Spamhaus:
http://www.spamhaus.org/sbl/listings/cb3rob.net
and is on place no. 1 at Spamhaus:
http://www.spamhaus.org/statistics/networks/
Whois says:
address: Customer did not enter their own contact details yet
A research says:
Ministry of Telecommunications, One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker
C/O
CB3ROB LLTC. Company reg. #8 CyberBunker trade register. One CyberBunker Avenue CB-10000 CyberBunker-1 Republic CyberBunker
So is it really possible to get an IP block with anonymous whois entries at RIPE?
The inetnum object for 84.22.104.112/29 was created by 'CUSTOMER-RESOURCES-MNT', which are the criminals themselves, so the question should probably be rephrased into: "How can it happen that a criminal group can keep resources allocated for such a long time, and how can it happen that they can still find companies allowing them to connect to the Internet?"

The first question is probably more relevant for law enforcement than for RIPE NCC; the second seems related to greediness and corporate dumbness winning over ethics and reputation.

See also:
http://www.spamhaus.org/news/article/673/
http://www.theregister.co.uk/2011/10/20/spamhaus_a2b_row/

According to the Spamhaus article, transit providers connecting CB3ROB up to October 2011 included Ecatel.net, Grafix.nl, datahouse.nl and the famous a2b-internet.com, who even fought back against anti-abuse organizations rather than thanking them. After those, it was the turn of Inteliquent (former TINET) and Tata Communications, still connecting them. CB3ROB is also connected through Idear4business, which is another very questionable outfit.

furio