When I first came upon a spear phishing email a few months ago which originated from the UK’s Ministry of Defence I thought that was pretty queer. Like, how ironic that an invoice scam is coming from a Defense Ministry. Do they have a bad actor? Are we on the cusp of cracking some big international cybertheft? Do we tell them?
Then their address space came up yet again just a few days ago, this time in a fairly different context. Microsoft’s Exchange Online service hosted in the UK cannot deliver email to a particular domain:
8/5/2016 3:32:35 PM - Server at e********s.net (220.127.116.11) returned '450 4.4.312 DNS query failed(ServerFailure)'
I obscured the domain a bit, but it’s an everyday domain which every DNS server I’ve tested resolves just fine. Microsoft doesn’t see it that way. Several test messages have produced non-delivery reports with other addresses as well after the “Server at…” part: 18.104.22.168, 22.214.171.124.
The Register sheds the most light – but it still lacks in critical details – on what might have happened to the UK Ministry of Defence’s IPv4 address space, namely, that some was sold. Here’s the article.
How do you show that all these 126.96.36.199 addresses belong to the Ministry of Defence? You use RIPE: http://ripe.net/ and do a search. It shows that 188.8.131.52/8 belongs to them. But according to the article in The Register this is no longer true as of late last year.
Why is Microsoft using these IP addresses? No idea. But something I read got me suspecting that some outfits decided to use 25/8 address space as though it were private IP addresses!
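To make that suspicion checkable, here is a small triage script I added (it is my own illustration, not code from the post or from Microsoft): it parses non-delivery-report lines in the format quoted above, pulls out the address after “Server at…”, and classifies it as RFC 1918 private, globally registered public, or public space that an organisation is treating as if it were private. The first sample line is the one quoted in the post; the other two are constructed, with made-up addresses in 10/8 and 25/8. The 25/8 entry in the watch list reflects what the RIPE search described above returns; it is the only block the script treats specially, and adding further blocks is an assumption left to the reader.

```python
import ipaddress
import re

# Sample NDR lines. The first is the line quoted in the post (domain obscured
# by the author); the next two are constructed with made-up addresses.
SAMPLE_NDRS = [
    "8/5/2016 3:32:35 PM - Server at e********s.net (220.127.116.11) returned "
    "'450 4.4.312 DNS query failed(ServerFailure)'",
    "8/5/2016 3:40:10 PM - Server at example.net (10.1.2.3) returned "
    "'450 4.4.312 DNS query failed(ServerFailure)'",
    "8/5/2016 3:45:01 PM - Server at example.net (25.0.0.10) returned "
    "'450 4.4.312 DNS query failed(ServerFailure)'",
]

# Matches the "Server at <host> (<ip>) returned '<code> <message>'" shape of the NDR.
NDR_RE = re.compile(
    r"Server at (?P<host>\S+) \((?P<ip>[0-9.]+)\) returned "
    r"'(?P<code>\d{3} \d\.\d\.\d+) (?P<msg>[^']*)'"
)

# Globally registered blocks that must never be used as if they were private.
# 25.0.0.0/8 is the block the RIPE search in the post attributes to the UK MoD.
WATCH_NETS = {
    ipaddress.ip_network("25.0.0.0/8"): "registered in RIPE (UK MoD per the post), not private",
}


def classify_ip(ip_str):
    """Return 'private', 'squatted-public' (registered space used as private) or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_private:  # RFC 1918 and other IANA special-purpose ranges
        return "private"
    for net in WATCH_NETS:
        if ip in net:
            return "squatted-public"
    return "public"


def is_transient(code):
    """SMTP enhanced status codes beginning with 4.x.x are transient failures."""
    return code.split()[-1].startswith("4.")


def parse_ndr(line):
    """Extract host, address, status code and message from one NDR line, or None."""
    m = NDR_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["class"] = classify_ip(entry["ip"])
    entry["transient"] = is_transient(entry["code"])
    return entry


def triage(lines):
    """Parse every line and keep only those that are real NDR entries."""
    results = []
    for line in lines:
        parsed = parse_ndr(line)
        if parsed:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_NDRS):
        note = WATCH_NETS.get(
            next((n for n in WATCH_NETS if ipaddress.ip_address(entry["ip"]) in n), None), ""
        )
        print(f'{entry["ip"]:16} {entry["class"]:16} {entry["code"]} {note}')
```

Feed it the NDR lines from your own Exchange Online trace; any address that comes back as “squatted-public” is one that resolves to a registered owner in RIPE (or another RIR) and deserves a question to whoever runs that mail path, because a resolver sitting on such an address cannot be expected to behave like one on RFC 1918 space.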
References and related