Hijacking machine: ASAS201640 / AS200002
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Oct 31 23:20:02 UTC 2014
I don't routinely follow this list, so I'm not sure how much of this is
common knowledge already, but...
Current route announcements for AS201640:
126.96.36.199/21 probable hijack - China
188.8.131.52/23 probable hijack - Cameroon
184.108.40.206/20 probable hijack - South Africa
220.127.116.11/20 probable hijack - South Africa
18.104.22.168/19 probable hijack - China
22.214.171.124/19 probable hijack - India
126.96.36.199/19 probable hijack - Vietnam
188.8.131.52/24 probable hijack - Brazil
184.108.40.206/23 probable hijack - Mexico
220.127.116.11/20 probable hijack - Taiwan Network Information Center
18.104.22.168/19 probable hijack - Telstra/Japan
It would appear that AS201640 may possibly exist at the present time
only for the purpose of providing illicitly obtained IP space for
spammers, including but not limited to the ""Mike Prescott" mentioned
in the Cisco blog entry cited above.
The spammer, "Mike Prescott"... not his real last name... has also been
spotted spewing from IP space routed by AS200002, which is AS201640's
only connection to the rest of the world.
Coincidence? You be the judge.
P.S. If anybody is able to look up _all_ of the route announcements
that have been made by AS201640 over the past few months, I for one would
definitely like to see those. Please e-mail them to me off list. I
already know that "Mike Prescott" has been spewing from at least one
of the above current announcements (22.214.171.124/20) and probably all
of the others too. But there are additional route announcements that
have already been withdrawn, and I'd like to check those for "Mike
Prescott" footprints also.
P.P.S. To the real "Mike P."... on the off chance that he might see
this... You can run, but you don't hide very well. You should have
gotten out of the game in 1998 when you had the chance. Maybe the
Powers That Be will lock you up this time.
More information about the NANOG