Hijack Factories: AS203418, AS205944, and AS203040
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Aug 28 19:06:26 UTC 2017
AS203418 (Marketigames, LLC), together with its one and only
immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its
sister network, AS205944 (MediaClick, LLC) either are currently
hijacking or have recently hijacked multiple abandoned /16 IPv4
address blocks, apparently with the intent of leasing out this
hijacked IPv4 space to snowshoe spammers, in particular, to
Clickjet Media (clickjetmedia.com). Readers who may be peering
with AS203040, in particular, are encouraged to cease doing so.
I believe that this listing of 13 separate /16 routes makes it self-evident
what is going on here:
(Please note that a screenshot of the above page has been archived here for
The hijacks currently being perpetrated by this ASN (AS203418 - Marketigames,
LLC) are, in my opinion, both brazen and audacious. I wouldn't mind, but
other evidence indicates persuasively that at least one of these hijacked
/16 blocks (22.214.171.124/16) has already been put into use as a snowshoe
The following file contains a listing of numerous domain names that currently
have associated SPF TXT records permitting these domains to send outbound
emails from various parts of the (hijacked) 126.96.36.199/16 block:
It is also interesting that a great many of the domain names listed in the
above file in fact resolve to the IPv4 address 188.8.131.52, which is
within a /24 block (184.108.40.206/24) which is ostensibly registered to an
entity calling itself "Big Hosting Plus" (aka bighostingplus.com) allegedly
of Albuquerque, New Mexico. A brief perusal of the WHOIS record associated
with the contact domain name for that IPv4 block (bighostingplus.com) shows
however the identity of the party that is actually pulling the strings here,
i.e. a company called Clickjet Media of Glendale, California, aka
I should note that the ARIN sub-SWIP for the 220.127.116.11/24 block is not the
only instance in which Clickjet Media has followed this exact same playbook.
I have previously identified the following four additional fradulent ARIN
sub-SWIPs where ClickJet Media is, evidently, the real entity behind the
deliberately fictitious ARIN sub-SWIPs:
High Point Host ARB-69-1-227-0 (NET-69-1-227-0-1) 18.104.22.168 - 22.214.171.124
Pleasant Hosting ARB-69-1-228-0 (NET-69-1-228-0-1) 126.96.36.199 - 188.8.131.52
Quasi Hosting ARB-69-1-254-0 (NET-69-1-254-0-1) 184.108.40.206 - 220.127.116.11
Green River Hosting ARB-69-1-255-0 (NET-69-1-255-0-1) 18.104.22.168 - 22.214.171.124
Here is the archived evidence supporting my contentions as they relate to the
above four ARIN sub-SWIPs:
ARIN sub-SWIP records:
Associated domain WHOIS records:
I should note for the sake of completeness that the listing of the 13 hijacked
/16 blocks linked to above, as currently presented on the bgp.he.net web site,
is in fact a somewhat stale listing. All of those thirteen /16 blocks were
in fact hijacked by AS203418 as of yesterday, however as of this writing, it
would appear that only the following nine /16 blocks are still hijacked at
this moment (although this is hardly a cause for celebration):
Naturally, readers will ask "Who or what is AS203418?" It is registered using
the name Marketigames, LLC, which is apparently a properly registered Delaware
LLC. Beyond that it is difficult to find any other definitive info. The main
web site for this entity (http://marketigames.biz/) is mostly devoid of any
information that would allow us to know who is really behind this entity.
Contact information is provided on the web site however, as follows:
4283 Express Lane,Suite 315-592, Sarasota, FL 34238
Phone : 217-717-9384
Googling the street address indicates that it is most often associated
with fradulent activity on the Internet (e.g. frudulent attempts to order
products). The area code 217 is associated with the Chicago area, not
Florida and not Delaware.
Although this entity (MarketiGames) does have its own ASN, it also appears to
have a number of valid ARIN IP block allocations which are not currently
routed by its own ASN:
Historical passive DNS data appears to indicate that some or all of the above
blocks have historically also been used to support snowshoe spamming.
Data available from the interactive RIPE Routing History web service
indicates clearly that it is not only AS203418 (Marketigames, LLC) that
has been involved in the hijacking of abandoned /16 blocks, but also
and likewise its immediate upstream AS203040 (Mint Company, LLC), and its
sister network, AS205944 (MediaClick, LLC). RIPE Routing History shows
that all three of these ASNs have, at various times, hijacked the
126.96.36.199/16 block, for example.
The implication seems clear. All three of these ASNs have been working
together to hijack abandoned /16 blocks for purposes of hosting snowshoe
spamming operations. Because both AS203418 and AS205944 only peer with
AS203040 (Mint Company, LLC) it is evident that the real problem here is
Mint Company, LLC and the peering its ASN (AS203040) currently enjoys.
Data provided by bgp.he.net indicates that the top three peers of AS203040
are currently as follows:
AS24785 Open Peering B.V.
AS20562 Open Peering B.V.
AS6939 Hurricane Electric, Inc.
I will be contacting these companies and asking them to de-peer from AS203040.
I make the same request, here and now, to all other networks that may be
peering with AS203040. Please stop that peering.
More information about the NANOG