Mailing List CGatePro@mail.stalker.com Message #106032
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: Spam from one 'organization'.
Date: Wed, 16 Mar 2016 08:35:37 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v5.4.11
Thank you Mr. Cole.

Your thorough and informative answers are always interesting and appreciated.

--

Jeff Wark
Tbaytel Internet
On Tue, 15 Mar 2016 19:50:41 -0400
"Bill Cole" <cgp-2015@billmail.scconsult.com> wrote:
>> On 14 Mar 2016, at 9:59, Jeff Wark wrote:
>>
>>> Thanks for the validation Bill.  I had already blocked them.
>>>
>>>
>>> As a side note, I wish to reveal my ignorance in most things IP based. What do you mean when you say 'Network object' or
>>> 'Organization object'? I believe this would be interesting.
>>
>> Preface: whois database operators (like ARIN) are all mostly-independent entities that answer queries in widely varied ways
>> because there's really no standard for the format or content of a response. A whois query is any single line of ASCII printable
>> characters, an answer is one or more lines of ASCII printable characters. Implementations of whois in various servers extend
>> that often to UTF-8 or whatever other encodings they like, because they are each independent entities often associated with
>> nation-states that have an affinity for particular non-ASCII character sets. As a result, and partly out of pure tradition,
>> whois queries often are answered broadly with multiple matching "objects" of whatever types the server (and in some cases, the
>> specific client implementation) think you might be wanting to know about, usually in some coherent set that are related to each
>> other. Often, particularly with ARIN & RIPE, there will be clear delimiters between objects, such as one or more blank lines. If
>> you find yourself asking questions of jpnic or krnic, things get very strange sometimes...
>>
>> When you do a whois query that ends up being serviced by ARIN, they send back (assuming your client knows what to ask ARIN)
>> either a list of relevant network objects or a single network object, plus probably an Organization object matching the
>> Organization field of the Network object, plus probably Point of Contact records related to the Organization, and maybe
>> additional Resource records like referrals to rwhois servers (which your whois client may or may not follow and which may or may
>> not work).
>>
>> Recently, ARIN has also been putting "Ref:" fields into most records with links to their web interface to whois. These links
>> can be very helpful for following connections the whois server didn't think were close enough to what you asked it.
>>
>> Example: In your 1st message you showed the result of piping your whois output into "grep -A 8 'OrgName'" which essentially
>> stripped down the output to the 1st 9 lines of the Organization objects that ARIN sent back. Had you instead used "grep -C6
>> '^NetType:'" your output would have been the full Network objects with a blank line before (and often after) each one, e.g.:
>>
>> # /usr/bin/whois 66.199.224.10 72.9.96.10 104.243.64.10 216.169.96.10 |grep -C6 '^NetType:'
>>
>> NetRange:       66.199.224.0 - 66.199.255.255
>> CIDR:           66.199.224.0/19
>> NetName:        NETBLK-EZZI
>> NetHandle:      NET-66-199-224-0-1
>> Parent:         NET66 (NET-66-0-0-0-0)
>> NetType:        Direct Allocation
>> OriginAS:
>> Organization:   Access Integrated Technologies, Inc. (ACCES-731)
>> RegDate:        2003-08-22
>> Updated:        2014-04-03
>> Ref:            https://whois.arin.net/rest/net/NET-66-199-224-0-1
>>
>> --
>>
>> NetRange:       72.9.96.0 - 72.9.111.255
>> CIDR:           72.9.96.0/20
>> NetName:        NETBLK2-EZZI
>> NetHandle:      NET-72-9-96-0-1
>> Parent:         NET72 (NET-72-0-0-0-0)
>> NetType:        Direct Allocation
>> OriginAS:
>> Organization:   Access Integrated Technologies, Inc. (ACCES-731)
>> RegDate:        2004-10-04
>> Updated:        2012-03-02
>> Ref:            https://whois.arin.net/rest/net/NET-72-9-96-0-1
>>
>> --
>>
>> NetRange:       104.243.64.0 - 104.243.79.255
>> CIDR:           104.243.64.0/20
>> NetName:        NETBLK-EZZI-20
>> NetHandle:      NET-104-243-64-0-1
>> Parent:         NET104 (NET-104-0-0-0-0)
>> NetType:        Direct Allocation
>> OriginAS:       AS4436, AS174, AS3257
>> Organization:   Core Technology Services, Inc. (CTS-96)
>> RegDate:        2014-11-18
>> Updated:        2014-11-26
>> Ref:            https://whois.arin.net/rest/net/NET-104-243-64-0-1
>>
>> --
>>
>> NetRange:       216.169.96.0 - 216.169.127.255
>> CIDR:           216.169.96.0/19
>> NetName:        EZZI-ESS1
>> NetHandle:      NET-216-169-96-0-1
>> Parent:         NET216 (NET-216-0-0-0-0)
>> NetType:        Direct Allocation
>> OriginAS:
>> Organization:   Essential Services (ESSS)
>> RegDate:        1999-01-21
>> Updated:        2013-08-21
>> Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>> Ref:            https://whois.arin.net/rest/net/NET-216-169-96-0-1
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>>  the mailing list <CGatePro@mail.stalker.com>.
>> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
>> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
>> To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
>> Send administrative queries to  <CGatePro-request@mail.stalker.com>
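The object layout Bill describes above (blank-line-delimited objects made of `Field: value` lines, with Network objects naming their owner as `Organization: Name (HANDLE)`) is easy to post-process once you stop grepping and parse it. The following is an added example, not code from the thread or from ARIN: a small Python parser over output in the shape of the `grep -C6 '^NetType:'` listing, which groups the CIDR blocks by organization handle and reports which Network object contains a given address. The sample input reuses two of the Network objects quoted above verbatim; the trailing Organization object is a constructed placeholder, and the function names (`split_objects`, `netblocks_by_org`, `find_networks`) are this example's own.

```python
"""Parse ARIN-style whois output into objects and group netblocks by owner.

Added example for the thread above; it is not ARIN's or the list's code.
Assumes the blank-line-delimited "Field: value" layout shown in the quoted
message. Lines that are just "--" (grep -C separators) and "#" comment
lines are skipped.
"""
import ipaddress
import re
from collections import defaultdict

# Two Network objects copied from the quoted whois output, plus one
# constructed Organization object (placeholder values, not ARIN data).
SAMPLE = """\
NetRange:       66.199.224.0 - 66.199.255.255
CIDR:           66.199.224.0/19
NetName:        NETBLK-EZZI
NetHandle:      NET-66-199-224-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Access Integrated Technologies, Inc. (ACCES-731)
RegDate:        2003-08-22
Updated:        2014-04-03
Ref:            https://whois.arin.net/rest/net/NET-66-199-224-0-1

--

NetRange:       104.243.64.0 - 104.243.79.255
CIDR:           104.243.64.0/20
NetName:        NETBLK-EZZI-20
NetHandle:      NET-104-243-64-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS4436, AS174, AS3257
Organization:   Core Technology Services, Inc. (CTS-96)
RegDate:        2014-11-18
Updated:        2014-11-26
Ref:            https://whois.arin.net/rest/net/NET-104-243-64-0-1

# The Organization object below is a constructed placeholder, not ARIN data.
OrgName:        Example Organization
OrgId:          EXAMPLE-1
City:           Anytown
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*?)\s*$")
HANDLE_RE = re.compile(r"\(([A-Z0-9-]+)\)\s*$")


def split_objects(text):
    """Return a list of dicts, one per blank-line-delimited whois object."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "--" or line.startswith("#"):
            continue                      # grep separator or server comment
        if not line:
            if current:                   # blank line closes the object
                objects.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:                             # an empty value (OriginAS:) is kept as ""
            current[m.group(1)] = m.group(2)
    if current:
        objects.append(current)
    return objects


def object_type(obj):
    """Classify an object by the fields that only that type carries."""
    if "NetRange" in obj:
        return "Network"
    if "OrgName" in obj:
        return "Organization"
    return "Other"


def org_handle(obj):
    """Extract the handle in parentheses from an Organization: field."""
    m = HANDLE_RE.search(obj.get("Organization", ""))
    return m.group(1) if m else None


def _cidrs(obj):
    # ARIN lists several comma-separated CIDRs when a range is not aligned.
    return [c.strip() for c in obj.get("CIDR", "").split(",") if c.strip()]


def netblocks_by_org(text):
    """Map organization handle -> list of CIDR strings from Network objects."""
    by_org = defaultdict(list)
    for obj in split_objects(text):
        if object_type(obj) == "Network":
            by_org[org_handle(obj) or "UNKNOWN"].extend(_cidrs(obj))
    return dict(by_org)


def find_networks(ip, objects):
    """Return NetHandles of the Network objects whose CIDRs contain ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for obj in objects:
        if object_type(obj) != "Network":
            continue
        if any(addr in ipaddress.ip_network(c, strict=False) for c in _cidrs(obj)):
            hits.append(obj["NetHandle"])
    return hits


if __name__ == "__main__":
    objs = split_objects(SAMPLE)
    print([object_type(o) for o in objs])
    print(netblocks_by_org(SAMPLE))
    print(find_networks("104.243.64.10", objs))
```

Feeding real `whois` output in instead of `SAMPLE` turns the per-organization listing into the thing the thread was after: every CIDR that ARIN attributes to the same handle, which is the natural unit to block or rate-limit when the abuse is coming from one organization rather than one address.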
