AS11296 -- Hijacked?

Ronald F. Guilmette rfg at tristatelogic.com
Fri Oct 1 05:47:34 UTC 2010


I received a nice email from a very polite graduate student just now,
who shall remain nameless, and I decided that I wanted to give him
the reply below, but also to post this all to NANOG too, so here it
is.  I hope this may allay some of the concern that has been expressed
about me not being more forthcoming about the details of this case.
(And if anybody gives me a hard time about being ``off topic'' then
I'm going to give him or her a knuckle sandwich, because I was
specifically asked... indeed badgered... to provide more explanation
of, and more justification for my earlier posting, as the record in
the archives of this list will clearly show.)

The friendly graduate student wrote:

>I've been quietly following NANOG's little flamewar over this. I'm
>interested in what techniques you used to arrive at your conclusion
>regarding AS11296.
>
>Unfortunately for me, I'm not a network op. Instead, I am a PhD student
>interested in all matters inter-domain. I hope you feel this is enough
>to make me a worthy recipient.

No, actually, it isn't.  If I google you can I be _sure_ that you're
not playing for the other team?   Probably not.

But the good news is that I have decided to be a bit less cagey
generally, and specifically in my public comments about these things
anyway, and to give out more confirming data bits anyway.  And I'll
be sending this letter on to the NANOG list soon, with your name
redacted, of course.

What follows below is information that could be gleaned (if you know
how) from whois.internic.net.  It's all public info.  I just rearrange
it and print it out in a nice pretty way.  (Of course knowing where
to look within the vast IPv4 address space is also quite helpful, but
I'm not going to get in to that.)

The bottom line here is that if you get the whois records for the domains
associated with the name servers in the list attached at the end, you'll
see that they are all going to be ``fishy'' in some way, e.g. ``cloaked''
(aka ``privacy protected''), or else registered to some mystery fly-by
night company that may or may not actually exist, or at any rate, the
domains will all be registered to something sort-of stealthy... something
which is intended to make the spammer behind all this a bit harder to find.

Oh yeah, and the snail mail addresses given in the WHOIS records for the
domains will usually/often be traceable to UPS Store rental P.O. boxes...
those are standard spammer favorites, because...as they well know... we
spamfighters can't find out who really controls any one of those boxes
without a subpoena... unlike USPS boxes, for instance.  (All this is
quite well known in the dank sleazy spammer underground already, so I'm
not hardly giving away any secrets here.)  And in a similar vein, the
contact phone numbers given in the whois records will quite typically
be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers.  No, the spammers
are _not_ trying to save you money when you want to call them up to bitch
to them about the fact that they sent you 8,372 spams in a row.  Nope,
again, they use the toll-free numbers for a very specific purpose, which
is again to make it more difficult for anyone trying to track them down
to find their actual physical location.  Non-tollfree numbers are typically
associated with a specific geographic vicinity (although even that is
being substantially eroded by number portability).  But the toll free
numbers are truly and always utterly geographically anonymous.  So
spammers use them a lot, primarily in domain whois records.

So here you are.  You've got this s**t load of highly ``fishy'' name servers,
and they are all planted firmly into IP space that (a) appears to have been
allocated to a reputable name brand company... such as Seiko, in this
case... *and* (b) the block in question, based on the RegDate: and Updated:
fields of the block's ARIN whois record, apparently hasn't been touched for
years... maybe even a decade or more... thus implying that the former owners
of the block either have abandoned it years ago, or else they themselves
went belly up and ceased to exist, probably during the Great Dot Com Crash
of 2000.  Add it all up and what does it spell?  No, not heartburn... Hijack.

See, there actually isn't any big mystery about any of this, except the
part about how I came to focus on this particular set of IP blocks and/or 
the particular AS that was announcing routes to them.  And about that
part, I have nothing to say, except to tell these spammers (who are
probably listening) what I always say... that spamming is THE most public
of all crimes.  If you really think that you can hide and be totally invisible,
even while you blast MILLIONS of total strangers with your advertising, then
you need to up your lithium, because the dosage you're on now clearly isn't
doing the job.

Oh, and one other small thing... Even though the spammers try to hide
themselves, oftentimes, they really don't try THAT hard, probably because
most folks don't care enough to really learn how to track these kinds of
schmucks down, so in general, they only have to be a little stealthy...
not a lot stealthy, and they know that.  But using hijacked space raises
the bar a little.  In this context, you shouldn't really use all P.O.
boxes that are on your same island, just because you are too effing lazy
to take a ferry to the mainland once a month to pick up your hate mail
from your anonymous UPS drop box.

I can't really tell you exactly who engineered the hijacking in this
case.  Somebody with some network savvy obviously.  What I suspect I
_can_ tell you is which spammer (who runs a false-front ``affiliate
marketing'' operation, just as cover story for their own snowshoe
spamming... as most of the serious snowshoers do these days) most
probably sub-leased the IP space from whoever actually engineered the
hijacking.

Look at the snail-mail addresses in the whois records for the domains
listed below.  Yes, they are UPS boxes, but look at the general location,
Victoria, BC.  So now go and google for "affiliate marketing" and
"Victoria".  There really aren't that many probable suspects.  Victoria
ain't a terribly big place.  Not like, e.g. Vancouver.  But then the
schmuck would have to take the ferry over once a month to collect his
hate mail from his mainland anonymous UPS box, and he's too effing lazy
to do that.  That's why he's a spammer, because he's too effing lazy and
untalented to get honest work, or even to learn an honest trade, you
know, like male hooker.  (Hey!  At least it's consensual, unlike spamming.)

(Nishant?  I know you're listening.  Now you WILL make sure that Tobyn
gets a copy of this posting, won't you?  That's a good boy.  Thanks.
Effing assholes!)

Could it possibly be that I'm jumping to the Wrong Conclusion here about
who the spammer is, I mean just based on something as flimsy as geographic
proximity?  Sure, but not bloody likely.  You see that's not hardly the
only evidence that I have in front of me.  I'm just not talking about
the rest.  (And I hope it keeps the son of a bitch up nights trying to
figure out how ELSE he phuked up, in addition to being lazy and using
only local UPS drop boxes.)


Regards,
rfg


P.S.  Some or all of the data presented below may still be available via
whois.internic.net, even though the IP blocks are no longer even routed.
Try this for example:

   whois -h whois.internic.net 206.226.96.2

Yup.  Still there.  At least for now.  Probably be gone by morning.

P.P.S.  To all of the spammers out there reading this who think that you
have learned from this e-mail how to be more stealthy still, and how to
hide from me even better in the future... well... enjoy your fantasy
while it lasts.  I can find you now, I can find you next year, and I'll
be able to find you ten years from now.  And do you know why?  Because
I'm smarter than you are.  And that's not saying much.  If you had any
talent... any talent at all...  then you'd be able to find an HONEST job.
It wouldn't pay as well, but at least you wouldn't be ashamed to tell
your mother what you _actually_ do for a living.

In the meantime, please hurry up and die.  The world will most definitely
be a better place when we no longer have to carry your dead weight on the
backs of humanity.  Don't flatter yourselves.  You make nothing.  You
build nothing.  You contribute nothing.  You just annoy people.  For
money.  We will make sure that that exact epitaph is engraved on your
headstone, so that you will be remembered properly, once you go.


================================================================
63.247.172.3
	ns1.tooplacedomain10tht.info
63.247.172.4
	ns2.tooplacedomain10tht.info
63.247.181.3
	ns1.steadyvolumebandw57.info
63.247.181.4
	ns2.steadyvolumebandw57.info
63.247.185.19
	ns1.magnumfourcompkriel.info
63.247.185.20
	ns2.magnumfourcompkriel.info
199.241.95.253
	fwd1.itargetdirect.net
206.226.64.4
	ns1.granadacentral.info
206.226.64.5
	ns2.granadacentral.info
206.226.96.2
	ns1.sandpipedream.com
	ns1.optinletters.com
	ns1.notifications-mail.com
	ns1.mailingdaily.com
	ns1.blueholster.com
	ns1.allowingmail.com
206.226.96.3
	ns2.sandpipedream.com
	ns2.optinletters.com
	ns2.notifications-mail.com
	ns2.mailingdaily.com
	ns2.blueholster.com
	ns2.allowingmail.com
206.226.112.2
	ns1.drainagecorner.com
206.226.112.3
	ns2.drainagecorner.com
206.226.112.130
	ns1.calculatingdigits.com
206.226.112.131
	ns2.calculatingdigits.com
206.226.112.194
	ns1.mailcreatures.com
206.226.112.195
	ns2.mailcreatures.com
206.226.113.2
	ns1.qualitycampaigns.com
206.226.113.3
	ns2.qualitycampaigns.com
206.226.113.66
	ns1.onlyinstant.com
206.226.113.67
	ns2.onlyinstant.com
206.226.114.194
	ns1.droppedtargets.com
206.226.114.195
	ns2.droppedtargets.com
206.226.115.2
	ns1.dinneroutstanding.com
206.226.115.3
	ns2.dinneroutstanding.com
206.226.116.130
	ns1.offersenveloped.com
206.226.116.131
	ns2.offersenveloped.com
206.226.117.2
	ns1.sleekrange.com
206.226.117.3
	ns2.sleekrange.com
206.226.117.66
	ns1.thegulfofmail.com
206.226.117.67
	ns2.thegulfofmail.com
206.226.118.2
	ns1.mailmammals.com
206.226.118.3
	ns2.mailmammals.com
206.226.118.66
	ns1.trackpreference.com
206.226.118.67
	ns2.trackpreference.com
206.226.119.2
	ns1.platinumpermission.com
206.226.119.3
	ns2.platinumpermission.com
206.226.119.130
	ns1.approvedcity.com
206.226.119.131
	ns2.approvedcity.com
206.226.120.130
	ns1.creaturesofmail.com
206.226.120.131
	ns2.creaturesofmail.com
206.226.121.2
	ns1.tonnesofmail.com
206.226.121.3
	ns2.tonnesofmail.com
206.226.122.2
	ns1.cancellationsanytime.com
206.226.122.3
	ns2.cancellationsanytime.com
206.226.123.2
	ns1.hourofman.com
206.226.123.3
	ns2.hourofman.com
206.226.124.2
	ns1.businessneedsfilled.com
206.226.124.3
	ns2.businessneedsfilled.com
206.226.124.130
	ns1.underestimatedhours.com
206.226.124.131
	ns2.underestimatedhours.com
206.226.126.2
	ns1.companiesthatperform.com
206.226.126.3
	ns2.companiesthatperform.com
206.226.126.130
	ns1.pageuppleasure.com
206.226.126.131
	ns2.pageuppleasure.com
206.226.127.2
	ns1.transferredtraffic.com
206.226.127.3
	ns2.transferredtraffic.com
