Mailing List CGatePro@mail.stalker.com Message #106031
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: Spam from one 'organization'.
Date: Tue, 15 Mar 2016 19:50:41 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.4r5234)
On 14 Mar 2016, at 9:59, Jeff Wark wrote:

> Thanks for the validation, Bill.  I had already blocked them.
>
> As a side note, I wish to reveal my ignorance in most things IP based.  What do you mean when you say 'Network object' or 'Organization object'?  I believe this would be interesting.

Preface: whois database operators (like ARIN) are all mostly-independent entities that answer queries in widely varied ways because there's really no standard for the format or content of a response. A whois query is any single line of ASCII printable characters, an answer is one or more lines of ASCII printable characters. Implementations of whois in various servers extend that often to UTF-8 or whatever other encodings they like, because they are each independent entities often associated with nation-states that have an affinity for particular non-ASCII character sets. As a result, and partly out of pure tradition, whois queries often are answered broadly with multiple matching "objects" of whatever types the server (and in some cases, the specific client implementation) think you might be wanting to know about, usually in some coherent set that are related to each other. Often, particularly with ARIN & RIPE, there will be clear delimiters between objects, such as one or more blank lines. If you find yourself asking questions of jpnic or krnic, things get very strange sometimes...

When you do a whois query that ends up being serviced by ARIN, they send back (assuming your client knows what to ask ARIN) either a list of relevant network objects or a single network object, plus probably an Organization object matching the Organization field of the Network object, plus probably Point of Contact records related to the Organization, and maybe additional Resource records like referrals to rwhois servers (which your whois client may or may not follow and which may or may not work).

Recently, ARIN has also been putting "Ref:" fields into most records with links to their web interface to whois. These links can be very helpful for following connections the whois server didn't think were close enough to what you asked it.

Example: In your 1st message you showed the result of piping your whois output into "grep -A 8 'OrgName'" which essentially stripped down the output to the 1st 9 lines of the Organization objects that ARIN sent back. Had you instead used "grep -C6 '^NetType:'" your output would have been the full Network objects with a blank line before (and often after) each one, e.g.:

# /usr/bin/whois 66.199.224.10 72.9.96.10 104.243.64.10 216.169.96.10 |grep -C6 '^NetType:'

NetRange:       66.199.224.0 - 66.199.255.255
CIDR:           66.199.224.0/19
NetName:        NETBLK-EZZI
NetHandle:      NET-66-199-224-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Access Integrated Technologies, Inc. (ACCES-731)
RegDate:        2003-08-22
Updated:        2014-04-03
Ref:            https://whois.arin.net/rest/net/NET-66-199-224-0-1

--

NetRange:       72.9.96.0 - 72.9.111.255
CIDR:           72.9.96.0/20
NetName:        NETBLK2-EZZI
NetHandle:      NET-72-9-96-0-1
Parent:         NET72 (NET-72-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Access Integrated Technologies, Inc. (ACCES-731)
RegDate:        2004-10-04
Updated:        2012-03-02
Ref:            https://whois.arin.net/rest/net/NET-72-9-96-0-1

--

NetRange:       104.243.64.0 - 104.243.79.255
CIDR:           104.243.64.0/20
NetName:        NETBLK-EZZI-20
NetHandle:      NET-104-243-64-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS4436, AS174, AS3257
Organization:   Core Technology Services, Inc. (CTS-96)
RegDate:        2014-11-18
Updated:        2014-11-26
Ref:            https://whois.arin.net/rest/net/NET-104-243-64-0-1

--

NetRange:       216.169.96.0 - 216.169.127.255
CIDR:           216.169.96.0/19
NetName:        EZZI-ESS1
NetHandle:      NET-216-169-96-0-1
Parent:         NET216 (NET-216-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Essential Services (ESSS)
RegDate:        1999-01-21
Updated:        2013-08-21
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Ref:            https://whois.arin.net/rest/net/NET-216-169-96-0-1
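A small parser for the object-oriented whois output described in this message, added here as an example; it is not code from the list, from the poster, or from CommuniGate Pro. It assumes the ARIN layout the message shows: one "Key: value" field per line (the value may be empty, as with OriginAS), objects separated by blank lines or by the "--" lines that grep -C inserts, and the Organization handle in trailing parentheses; it additionally assumes (not shown in the message) that a CIDR field may carry several comma-separated prefixes. The sample input is three of the Network objects from the message, trimmed to the fields the parser uses. Grouping the blocks by Organization handle is what answers the thread's "one organization" question before a block decision is made.

```python
"""Parse ARIN-style whois output into its objects (added example, not the
list's or CommuniGate's code). Assumes the record layout shown in the
message: one "Key: value" per line, objects separated by blank lines or
by the "--" lines that grep -C inserts between non-adjacent matches."""
import ipaddress
import re

# Input: three Network objects from the message, trimmed to the fields this
# parser uses; the NetRange/CIDR/OriginAS/Organization values are the message's.
SAMPLE_WHOIS = """\
NetRange:       66.199.224.0 - 66.199.255.255
CIDR:           66.199.224.0/19
NetName:        NETBLK-EZZI
NetType:        Direct Allocation
OriginAS:
Organization:   Access Integrated Technologies, Inc. (ACCES-731)
Ref:            https://whois.arin.net/rest/net/NET-66-199-224-0-1

--

NetRange:       72.9.96.0 - 72.9.111.255
CIDR:           72.9.96.0/20
NetName:        NETBLK2-EZZI
NetType:        Direct Allocation
OriginAS:
Organization:   Access Integrated Technologies, Inc. (ACCES-731)
Ref:            https://whois.arin.net/rest/net/NET-72-9-96-0-1

--

NetRange:       104.243.64.0 - 104.243.79.255
CIDR:           104.243.64.0/20
NetName:        NETBLK-EZZI-20
NetType:        Direct Allocation
OriginAS:       AS4436, AS174, AS3257
Organization:   Core Technology Services, Inc. (CTS-96)
Ref:            https://whois.arin.net/rest/net/NET-104-243-64-0-1
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):[ \t]*(.*)$")  # value may be empty
HANDLE_RE = re.compile(r"\(([^()]+)\)\s*$")  # trailing "(ACCES-731)" registry handle

def split_objects(text):
    """Split output into objects on blank lines or grep's '--' separators."""
    objects, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        if line.strip() in ("", "--"):
            if current:
                objects.append(current)
            current = []
        else:
            current.append(line)
    return objects

def parse_object(lines):
    """'Key: value' lines -> dict; a repeated key (multi-line Comment) is joined."""
    obj = {}
    for line in lines:
        m = FIELD_RE.match(line)
        if m:  # lines that are not "Key: value" are skipped
            key, value = m.group(1), m.group(2).strip()
            obj[key] = f"{obj[key]}\n{value}" if key in obj else value
    return obj

def network_objects(text):
    """Only the Network objects, i.e. those carrying NetType (cf. grep '^NetType:')."""
    return [o for o in map(parse_object, split_objects(text)) if "NetType" in o]

def origin_as(net):
    """OriginAS is empty or a comma-separated list of AS numbers."""
    return [a for a in re.split(r"[,\s]+", net.get("OriginAS", "")) if a]

def org_handle(net):
    """Handle of the Organization object the Network object points to, or None."""
    m = HANDLE_RE.search(net.get("Organization", ""))
    return m.group(1) if m else None

def block_for(ip, nets):
    """Most specific Network object whose CIDR contains ip; None if no match.
    Assumption: a CIDR field may list several prefixes separated by commas."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for net in nets:
        for cidr in filter(None, (c.strip() for c in net.get("CIDR", "").split(","))):
            prefix = ipaddress.ip_network(cidr, strict=False)
            if addr in prefix and prefix.prefixlen > best_len:
                best, best_len = net, prefix.prefixlen
    return best

def by_organization(nets):
    """Group CIDRs by Organization handle: the 'spam from one organization' view."""
    groups = {}
    for net in nets:
        key = org_handle(net) or net.get("Organization", "?")
        groups.setdefault(key, []).append(net["CIDR"])
    return groups
```

Feed it the raw "whois <ip> ..." output rather than the grep'd version and network_objects() still picks out just the Network objects, because it keys on the NetType field rather than on line positions; Organization and Point of Contact objects in the same answer are parsed too but filtered out.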