The Spamhaus Project

RBN as Chinese as Caviar & Borscht

by The Spamhaus Team, November 16, 2007

When the routes to the older IP addresses mapped to the Russian Business Network (RBN) stopped being routed on the internet, Spamhaus noticed a new set of IP addresses and AS numbers mapping into the same upstream network. The Whois data for these showed Chinese company names and .cn/.tw email addresses.

But just because you call yourself Chan does not mean you're not still Ivan. The IP addresses and AS numbers were obtained from RIPE, the European RIR, which assured Spamhaus that the allocation 'was perfectly correct at the time it was made under existing RIPE rules and procedures'.

Spamhaus posted this data in RBN's ROKSO record and mentioned this sleight-of-hand.

However, this didn't stop word from spreading in online news that RBN had moved to Chinese networks. Yes, China has huge spam and cybercrime hosting issues, but in this case there was no Chinese vector other than the fake company names and contact addresses.

A bit of good news is that only one of these new IP address ranges is currently visible on the internet. That one, "91.198.71.0/24", has no detectable web or DNS servers. However, as the original RIPE allocations do not appear to have been revoked, the IP address ranges and routes could reappear at any time, and traffic could appear to go to any destination on the internet. As with all these spam and cybercrime hubs, Spamhaus recommends that ISPs and networks use our Don't Route Or Peer list.