AS11296 -- Hijacked?

William Herrin bill at
Fri Oct 1 07:29:04 CDT 2010

On Fri, Oct 1, 2010 at 1:47 AM, Ronald F. Guilmette
<rfg at> wrote:
> Oh yea, and the snail mail addresses given in the WHOIS records for the
> domains will usually/often be tracable to UPS Store rental P.O. boxes...
> those are standard spammer favorites, they well know... us
> spamfighters can't find out who really controls any one of those boxes
> without a subpoena... unlike USPS boxes, for instance.  (All this is
> quite well known in the dank sleezy spammer undergound already, so I'm
> not hardly giving away any secrets here.)  And in a similar vein, the
> contact phone numbers given in the whois records will quite typically
> be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers.  No, the spammers
> are _not_ trying to save you money when you want to call them up to bitch
> to them about the fact that they sent you 8,372 spams in a row.  Nope,
> again, they use the toll-free numbers for a very specific purpose, which
> is again to make it more difficult for anyone trying to track them down
> to find their actual physical location.  Non-tollfree numbers are typically
> associated with a specific geographic vicinity (although even that is
> being substantially eroded by number portability).  But the toll free
> numbers are truly and always utterly geographically anonymous.  So
> spammers use them a lot, primarily in domain whois records.
> So here you are.  You've got this s**t load of highly ``fishy'' name servers,
> and they are all planted firmly into IP space that (a) appears to have been
> allocated to a reputable name brand company... such as Seiko, in this
> case... *and* (b) the block in question, based on the RegDate: and Updated:
> fields of the block's ARIN whois record, apparently hasn't been touched for
> years... maybe even a decade or more... thus implying that the former owners
> of the block either have abandoned it years ago, or else they themselves
> went belly up and ceased to exist, probably during the Great Dot Com Crash
> of 2000.  Add it all up and what does it spell?  No, not heartburn... Hijack.


Let's try that without the diatribe:

"I saw spam domains pop up associated with appears to be a defunct registration reannounced to
the Internet two weeks ago by an AS11296 -- an unregistered AS number.
A large quantity of spam domains popped up with the other addresses
recently announced by AS11296 as well. Accordingly, I suspect that as
we've seen many times before and all clearly understand, AS11296 and
the addresses it advertises have been hijacked by a spammer."

There. Now, would that have been so hard?

Your friend was right. We don't want a "lengthy elaboration." Just a
simple, concise explanation of why you believe your claim to be true.

As for your secretive and ingenious detection, get over yourself.
We've seen this before. More than once.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list