[Dshield] Re: ARIN errors?

Kenneth Coney superc at visuallink.com
Fri Jun 25 08:52:04 GMT 2004

Had something new today with some troubling implications for tracking 
spammers.  Got a spam which when I checked the originating IP on ARIN 
resolved to (never mind who, call them "Toys for grown ups.com") under 
the IP blocks controled by (call them Witheld2).  I sent a copy to  the 
supposed abuse dept. there that bounced back with no such addressee 
found.  Much more detective work and I located the "Toys for grownups" 
company actual owner and sent the spam to him personally to fix.  I got 
back an email saying why are you telling me, I am not xyz . com (the 
plain text From)?  I sent him a little blurb explaining IP #s and 
tracing and all that, suggested he ask his tech people to explain the 
finer points and meanwhile out of boredom I had examined the Received 
from IPs on his "I am innocent" email and noticed they were from a 
totally different range which resolved on ARIN to a second company 
(never mind who, call them "A famous phone co.com") supposedly under the 
control of (also Witheld).  A few friendly back and forth emails then 
ensued.  The long and short of it is, ARIN is wrong, Toys for grown 
ups.com  has never had the IP numbers in the Spam mail.  About his 
letters to me with received from IPs that resolved to "A famous phone 
co.com" under the control of Witheld, ARIN was wrong again.  The IP 
numbers ARIN says belong to A famous phone co.com actually belong to 
Toys for grown ups.com.  The numbers allegedly belonging to Toys for 
grown ups.com aren't theirs and ARIN apparently has no idea who they 
belong to.  A check confirmed my ARIN info is up to date.  Here is what 
the owner of Toys for grown ups.com says about it all.

"I can shed a little light on this. Our current ISP is indeed, 
(Witheld), which merely leases us our block of 32 IPs. Nearly a decade 
ago we used (Witheld 2) as our ISP. At the time we left (Witheld2) we 
were told that we did not own our IP block, and that we couldn't take 
these IPs with us to our next service provider. After all this time I am 
astounded that "Toys for grown ups.com's" name is still attached to 
them. I don't even believe that (Witheld2) is still in business. If our 
company does actually OWN these IPs, I'd be interested in learning how 
we can regain control of them."

Now where am I/we?  I have no idea who owns the IP numbers found in the 
Spam email.  The ARIN database contains errors to include no longer 
existent companies and mismatched companies and number combinations.  
This kind of thing makes it really, really, hard to track down 
spammers.  If we can't use ARIN, who can we use?

More information about the list mailing list