Today, I had the most bizarre phone call. Co-worker comes to me and says there is an abuse issue that needs addressed on line one. So, I pick up line one, and this guy is telling me about this guy who “uses your service” (I work for an ISP) who is making online threats, photoshopping nude photos and posting them online, and is involved in identity theft, all if which violate our usage agreement. The call definitely grabs my interest, because network security is fascinating. I start asking for information. The caller tells me that the police, sheriff, and FBI have all been contacted and are involved, so he cannot give me the IP address. At this point I’m thinking “Then why am I talking to you instead of a fed,” but I don’t say anything. Instead, I inform him that first, we would need a valid subpoena to release log files (not that our logs are particularly useful) and also state that we used to have a different upstream provider which provided IP address space to us, but we gave it back even though records still show those IP addresses as being assigned to us. I tell him the address space that is, and also our CIDR block, and he tells me that the address in question isn’t part of either network. How bizarre! I explain that I would need to talk to one of the three computer guys who told him that the activity traced to our network in order to investigate further, because an issue coming from that address could not have come from us. He finally relented and gave me the IP address, and a quick trip to ARIN shows that the IP address belongs to Road Runner! I do a traceroute and find out that this particular Road Runner customer is a business class account, and 22 hops away from us. The caller finally says that he’ll take what I’ve told him back to his computer guys (why is he handling this instead of the feds?!) and will get back to me. I told him that I’d be interested in knowing how the IP traces to us, so have one of the computer guys call me so I can help them figure out what’s going on.