Crooks on the Internet: Episode 6,427

Ronald F. Guilmette rfg at tristatelogic.com
Wed Nov 21 09:32:39 UTC 2018


I just thought that y'all might want to be aware of this.

My attention was called recently to a RIPE-issued block of IPv4 addresses
assigned to a particular Polish firm (Marton Media: https://martonmedia.pl/)
that appears to sell digital TV services.

The block in question is 91.149.192.0/18 aka "PL-MARTON-20061120".

It appears that perhaps this company didn't quite need all of that /18 that
it got from RIPE, so it looks like they parceled out some sub-parts of that
/18 to at least a couple of other parties, to wit:

    "Hostermatrix LLC" aka "ORG-HL183-RIPE":
    91.149.232.0/22
    91.149.252.0/22
    
    "Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE"
    91.149.224.0/21
    91.149.236.0/22
    91.149.240.0/21
    91.149.248.0/22

Ignoring, for the moment, the fact that neither of these companies actually
seems to exist anywhere... at least not on -this- planet... my attention was
further called to the pair of /22 blocks that have been sub-allocated by
Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".

The reverse DNS for those blocks looked like this, just a few short
days ago, on November 16th:

    https://pastebin.com/raw/hjWG5KxA

But apparently, that all has been changed rather substantially, just in the
past few days, so now it all looks like this instead:

    https://pastebin.com/raw/58qCdPrc

(You might call this the "Schrödinger Effect".  When researching bad guys on
the Internet, their stuff may change, even as you are looking at it, and
perhaps even -because- you are looking at it.)

Anyway, the rDNS listing, as it was on the 16th, looked more than a little
fishy.  Why would anyone need quite this many different outbound SMTP servers?

The one and only second-level domain name that appeared in the rDNS listing
as of the 16th was "sm-smtp.net".  I did a bit of research on that domain
name and found that historical passive DNS associates that domain, quite
unambiguously, with another domain name, sendermatrix.net.

It didn't take much more research for me to find out that a company called
Sender Matrix, LLC is in fact registered in the State of Florida to a Mr.
Jay Passerino.  Mr. Passerino appears to have registered a number of different
Florida companies:

    Haggle USA Corp.
    Mahem Partners, Inc.
    Sourcehire, LLC
    Boat App, LLC,
    All In Nutraceuticals, LLC
    Miami Suppliments, LLC
    Balladex Enterprises, LLC
    Sender Matrix, LLC (http://sendermatrix.com/)
    Gasher, Inc.
    Digital Platinum, Inc. (http://digital-platinum.com/)
    BB&M Ventures, Inc.

Of course, there's nothing at all wrong with Mr. Passerino having prolific
and multiple business interests, however a fellow who also, coincidentally,
has the name Jay Passerino, and who also, coincidentally, hails from the
State of Florida seems to have gotten into what the Brits might call "a spot
of bother" with respect to not one but -two- U.S. federal regulatory agencies
of late, specifically the SEC and the CFTC, both of which appear to have
taken serious issue with this Mr. Jay Passerino's business practices, along
with those of several of his cohorts:

    CFTC Press Release:
    https://www.cftc.gov/PressRoom/PressReleases/7807-18

    SEC Press Release:
    https://www.sec.gov/news/press-release/2018-216

As you can see, both the SEC and the CFTC elected to take issue... on the
exact same day, by the way... with this Mr. Jay Passerino's activities on
the Internet, and specifically relating to "pump and dump" email scams.

Returning now to the subject of the two /22 sub-allocations that were made
by this Polish outfit, Marton Media, to this apparently non-existent corporate
entity called "Hostermatrix LLC", I hope that it will not escape anyone's
notice that whereas the IPv4 blocks in question have been provided... seemingly
to an Internet crook named Jay Passerino... by a Polish company, the actual
-routing- of each of these blocks shows the participation of some other
actors within two more (different) European countries:

    91.149.232.0/22 -
      routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)

    91.149.252.0/22 -
      routed by AS24768 (ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA -
                         Portugal)

The only observation I can offer with respect to all of the foregoing is the
rather obvious one:  All of this is, to say the least, rather suspicious.

But wait!  There's more!

It appears that Mr. Passerino's IPv4 assets are not strictly limited to
RIPEland.  There's also a Direct Allocation block of ARIN IPv4 space
(138.128.224.0/22) that is explicitly registered to Sender Matrix LLC
of Miami, Florida:

    https://pastebin.com/raw/cZcsPYrL

This block is routed by AS62519, Netrouting Inc., also, according to ARIN
records, of Miami, Florida:

    https://pastebin.com/raw/mJKnJX6w

Curiously, the one and only route being announced by AS62519 is for the /22
registered to Mr. Passerino's Sender Matrix LLC:

    https://bgp.he.net/AS62519#_prefixes

It appears that the only current reason for this ASN to even exist is to
provide routing to Mr. Passerino's ARINland /22 IPv4 block.

And interestingly, AS62519 has only one IPv4 peer, i.e. AS47869:

    https://bgp.he.net/AS62519#_peers

AS47869 meanwhile appears to belong to a major Dutch connectivity provider,
also, not coincidentally, called "Netrouting".  And unlike its Miami peer,
AS62519, this Dutch network, AS47869, appears to have numerous different
peers and to provide routing to numerous different entities, all apparently
above board, unlike Mr. Passerino's Sender Matrix LLC:

    https://bgp.he.net/AS47869#_peers
    https://bgp.he.net/AS47869#_prefixes

So, you know, this kind of begs the question:  Did Netrouting realize that
Mr. Passerino and/or Sender Matrix LLC were carrying on some rather dubious
activities, and did the principals of Netrouting decide to attempt to
distance themselves, and their main ASN (AS47869), from this activity,
by putting a "cut out" ASN between them and Mr. Passerino (AS62519), just
in case anybody ever clued in to what was really going on here?  Was this
extra layer of AS numbers deliberately engineered to provide Netrouting
with an extra layer of plausible deniability?

I frankly don't know the answer to that question, but the peering and routing
arrangement I've just described, together with the apparent nature of Mr.
Passerino's Internet activities (as can be construed from the SEC and CFTC
press releases) certainly does make one wonder about what the principals of
Netrouting knew, and when they knew it.

In contrast, I have fewer doubts about the Polish, Finnish, and Portuguese
companies that are, apparently, aiding and abetting Mr. Passerino over in
RIPEland.  The evidence suggests that none of them bothered in the slightest
to find out if there even really was any such corporate entity as
"Hostermatrix, LLC" registered in -any- jurisdiction on planet earth. (The
very helpful opencorporates.com web site suggests that there is no such
entity, anywhere on earth.)  Or perhaps they all knew full well that this
name, "Hostermatrix, LLC", was just a made-up bullcrap name intended to
hide the real identity of the real registrant of both of these /22 blocks.
Either way, these three companies, in Poland, Finland, and Portugal, appear
to be actively... even if perhaps unwittingly... aiding and abetting a
Florida pump-and-dump spammer/scammer.

Bottom line:  I recommend to all to cease accepting any and all packets from
at least the following:

    91.149.232.0/22 - "Hostermatrix LLC"
    91.149.252.0/22 - "Hostermatrix LLC"
    138.128.224.0/22 - "Sender Matrix LLC"

Anyone who may feel inclined towards an even more thorough defense should
certainly consider also a complete block of packets to/from 91.149.192.0/18,
or at least blocking that CIDR from your mail server.  (After all, Polish
digital TV customers are unlikely to be doing much in the way of outbound
email anyway.)

Regards,
rfg
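As an added illustration (not part of rfg's post), the following Python script encodes the two blocking options from the "Bottom line" section above as a longest-prefix containment check, confirms that the two Hostermatrix /22s really do sit inside the Marton Media /18 (so the stricter policy subsumes the minimal one), and runs the check over a few Postfix-style "connect from" log lines. The CIDRs and labels are the ones given in the post; the log lines, hostnames, and the 203.0.113.9 and 91.149.200.5 addresses are constructed for the demo.

```python
import ipaddress
import re

# CIDRs the post lists for outright blocking, with the names it gives for them.
BLOCK_MINIMUM = {
    "91.149.232.0/22": "Hostermatrix LLC",
    "91.149.252.0/22": "Hostermatrix LLC",
    "138.128.224.0/22": "Sender Matrix LLC",
}

# The broader option the post mentions for mail servers: the whole parent /18.
PARENT_BLOCK = {"91.149.192.0/18": "PL-MARTON-20061120"}


def build_policy(strict=False):
    """Return (network, label) pairs sorted most-specific first.

    strict=False lists only the three /22s; strict=True adds the parent /18,
    so any address in 91.149.192.0/18 matches (the /22s still win on
    longest prefix, so their labels are preserved).
    """
    table = dict(BLOCK_MINIMUM)
    if strict:
        table.update(PARENT_BLOCK)
    policy = [(ipaddress.ip_network(cidr), label) for cidr, label in table.items()]
    policy.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return policy


def lookup(ip, policy):
    """Return the label of the most specific listed network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label in policy:
        if addr in net:
            return label
    return None


def sub_allocations_within_parent():
    """True if both Hostermatrix /22s are covered by the Marton Media /18."""
    parent = ipaddress.ip_network("91.149.192.0/18")
    return all(
        ipaddress.ip_network(cidr).subnet_of(parent)
        for cidr, label in BLOCK_MINIMUM.items()
        if label == "Hostermatrix LLC"
    )


# Postfix smtpd logs each inbound connection as "connect from <rdns>[<ip>]".
CONNECT_RE = re.compile(r"connect from (?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]")

# Constructed sample log lines. 203.0.113.0/24 is documentation space and
# must never match; 91.149.200.5 is inside the /18 but outside the /22s.
SAMPLE_LOG = """
Nov 21 09:00:01 mx1 postfix/smtpd[1234]: connect from unknown[91.149.233.17]
Nov 21 09:00:05 mx1 postfix/smtpd[1234]: connect from mail.example.net[203.0.113.9]
Nov 21 09:00:09 mx1 postfix/smtpd[1235]: connect from unknown[91.149.200.5]
Nov 21 09:00:12 mx1 postfix/smtpd[1236]: connect from unknown[138.128.226.44]
""".strip().splitlines()


def flag_connections(lines, policy):
    """Return (ip, rdns, label) for each connect line whose peer is in the policy."""
    flagged = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        label = lookup(m["ip"], policy)
        if label is not None:
            flagged.append((m["ip"], m["rdns"], label))
    return flagged


if __name__ == "__main__":
    print("Hostermatrix /22s inside the /18:", sub_allocations_within_parent())
    for strict in (False, True):
        print(f"strict={strict}:")
        for ip, rdns, label in flag_connections(SAMPLE_LOG, build_policy(strict)):
            print(f"  reject {ip} ({rdns}) -> {label}")
```

With the minimal policy only the 91.149.233.17 and 138.128.226.44 connections are flagged; with strict=True the 91.149.200.5 connection is flagged as well under the /18's label, while the /22 hits keep their own labels because the policy is evaluated longest-prefix first.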



More information about the NANOG mailing list