[155965] in North American Network Operators' Group


91.201.64.0/22 hijacked?

daemon@ATHENA.MIT.EDU (Jeroen van Aart)
Fri Aug 31 14:39:36 2012

Date: Fri, 31 Aug 2012 11:38:30 -0700
From: Jeroen van Aart <jeroen@mompl.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <mailman.3.1346256002.15671.list@spammers.dontlike.us>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The below email exchange may be of interest to some of you. The 
practical upshot is that it appears "the 91.201.64.0/22 range was 
hijacked and should be included into the DROP list".

As an interesting aside, quoting a friend:

"the original company (that performed dangerous waste utilization) may 
have been a shady thing in and of itself (..) what most companies 
calling themselves "ecoservice" (with variations) do is take money for 
"safe utilisation" of hazardous waste, and then dump it in some old 
quarry out in the remote (or not so remote) corner of a forest or other 
natural area (..) they always have criminal links and protection from 
corrupt officials (often co-owners) and security/law enforcement services"


> From: Jeroen van Aart

> there is 
> nothing but crap coming from 91.201.64.0/24. Amongst other things 
> attempts to spam (through) wordpress sites.

> inetnum:         91.201.64.0 - 91.201.67.255
> netname:         Donekoserv
> descr:           DonEkoService Ltd

Don - name of the nearby large river.
"EkoService" means ecological service.

> country:         RU
> org:             ORG-DS41-RIPE
> 
> person:         Haralevich Piotr
> address:        novocherkassk, ul stremyannaya d.6
> mnt-by:         MNT-DONECO
> phone:          +74951000000

nic-hdl: HP2220-RIPE
changed: admin@donecoserv.ru 20101117

The company performed dangerous waste utilization:
http://donekoservis.alloy.ru/contacts/
http://www.idbo.ru/view/72321/
But domains donecoserv.ru and donekoservis.ru don't exist anymore.

traceroute 91.201.64.14
...
11 router02.spbbm18.ru.edpnet.net (212.71.11.26) 65.979 ms 65.971 ms 66.182 ms
12 77.109.110.62.static.edpnet.net (77.109.110.62) 88.868 ms 47.809 ms 47.715ms
13 195.2.240.234 (195.2.240.234)  48.235 ms  48.546 ms  48.664 ms
14 ajursrv.parohod.biz (95.215.0.206)  47.957 ms  47.752 ms  47.606 ms
15 mail.rx-helps.com (91.201.64.14)  48.206 ms  48.302 ms  48.237 ms

SPb (Sankt-Peterburg) is 1500 km from Novocherkassk.
parohod.biz also is in Sankt-Peterburg, they offer SEO (which I consider
fraud, spamming websites and search engines).

Also, see
http://support.clean-mx.de/clean-mx/viruses.php?email=admin@donecoserv.ru&response=
http://www.spambotsecurity.com/forum/viewtopic.php?f=7&t=795

http://unapprovedpharmacy.wordpress.com/2011/01/03/whois-www-canadianmedsshop-com/
| January 3, 2011
...
| inetnum: 91.201.64.0 - 91.201.67.255
| netname: Donekoserv
| descr: DonEkoService Ltd
| country: RU
| org: ORG-DS41-RIPE
...
| organisation: ORG-DS41-RIPE
| org-name: DonEko Service
| org-type: OTHER
| address: novocherkassk, ul stremyannaya d.6
| e-mail: admin@bulletproof-web.com

Note "bulletproof".

Therefore, the 91.201.64.0/22 range was hijacked
and should be included into the DROP list.
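
Added example, not part of the original message: one way to turn the quoted `inetnum` range into CIDR form (the /22 named in the subject) and count which source addresses in a web-server log fall inside it. The log lines are constructed sample data and the function names are hypothetical.

```python
import ipaddress
import re

# inetnum line as quoted in the message above.
WHOIS_INETNUM = "inetnum:         91.201.64.0 - 91.201.67.255"

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
91.201.64.14 - - [31/Aug/2012:11:02:10 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 214
198.51.100.7 - - [31/Aug/2012:11:02:11 -0700] "GET /index.html HTTP/1.1" 200 5120
91.201.67.200 - - [31/Aug/2012:11:02:15 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 214
91.201.68.1 - - [31/Aug/2012:11:02:19 -0700] "GET /feed/ HTTP/1.1" 200 900
not-an-ip - - [31/Aug/2012:11:02:20 -0700] "GET / HTTP/1.1" 400 0
"""


def inetnum_to_cidrs(line):
    """Convert a RIPE 'inetnum: first - last' line to the covering CIDR blocks."""
    m = re.search(r"inetnum:\s*(\S+)\s*-\s*(\S+)", line)
    if not m:
        raise ValueError("no inetnum range found")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def hits_in_range(log_text, networks):
    """Count log lines per source address that falls inside any of the networks."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is a hostname or garbage; skip it
        if any(src in net for net in networks):
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits


if __name__ == "__main__":
    nets = inetnum_to_cidrs(WHOIS_INETNUM)
    print("CIDR:", [str(n) for n in nets])
    for ip, count in sorted(hits_in_range(SAMPLE_LOG, nets).items()):
        print(ip, count)
```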

