<div><div dir="auto">We have noticed a huge influx of people requesting us to route blocks of ips they rent from IP brokers, we always make sure they show us an LOA and that radb records match the company name and proper registration is in place, I doubt some smaller providers do the same due diligence, but for me it’s concerning how easy it is to rent ip space these days , it just means that there is a coming storm. </div></div><div dir="auto"><br></div><div><div dir="auto">Nice investigative work, is this guy listed in rokso by chance ? I am traveling and have crappy connectivity on my phone so I don’t want to bother and check at the moment. </div><div dir="auto"><br></div><div dir="auto"><br></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Nov 21, 2018 at 4:33 PM Ronald F. Guilmette <<a href="mailto:rfg@tristatelogic.com">rfg@tristatelogic.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I just thought that y'all might want to be aware of this.<br>
<br>
My attention was called recently to a RIPE-issued block of IPv4 addresses<br>
assigned to a particular Polish firm (Marton Media: <a href="https://martonmedia.pl/" rel="noreferrer" target="_blank">https://martonmedia.pl/</a>)<br>
that appears to sell digital TV services.<br>
<br>
The block in question is <a href="http://91.149.192.0/18" rel="noreferrer" target="_blank">91.149.192.0/18</a> aka "PL-MARTON-20061120".<br>
<br>
It appears that perhaps this company didn't quite need all of that /18 that<br>
it got from RIPE, so it looks like they parceled out some sub-parts of that<br>
/18 to at least a couple of other parties, to wit:<br>
<br>
"Hostermatrix LLC" aka "ORG-HL183-RIPE":<br>
<a href="http://91.149.232.0/22" rel="noreferrer" target="_blank">91.149.232.0/22</a><br>
<a href="http://91.149.252.0/22" rel="noreferrer" target="_blank">91.149.252.0/22</a><br>
<br>
"Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE"<br>
<a href="http://91.149.224.0/21" rel="noreferrer" target="_blank">91.149.224.0/21</a><br>
<a href="http://91.149.236.0/22" rel="noreferrer" target="_blank">91.149.236.0/22</a><br>
<a href="http://91.149.240.0/21" rel="noreferrer" target="_blank">91.149.240.0/21</a><br>
<a href="http://91.149.248.0/22" rel="noreferrer" target="_blank">91.149.248.0/22</a><br>
<br>
Ignoring, for the moment, the fact that neither of these companies actually<br>
seem to exist anywhere... at least not on -this- planet... my attention was<br>
further called to the pair of /22 blocks that have been sub-allocated by<br>
Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".<br>
<br>
The reverse DNS for those blocks looked like this, just a few short<br>
days ago, on November 16th:<br>
<br>
<a href="https://pastebin.com/raw/hjWG5KxA" rel="noreferrer" target="_blank">https://pastebin.com/raw/hjWG5KxA</a><br>
<br>
But apparently, that all has been changed rather substantially, just in the<br>
past few days, so now it all looks like this instead:<br>
<br>
<a href="https://pastebin.com/raw/58qCdPrc" rel="noreferrer" target="_blank">https://pastebin.com/raw/58qCdPrc</a><br>
<br>
(You might call this the "Schrodinger Effect". When researching bad guys on<br>
the Internet, their stuff may change, even as you are looking at it, and<br>
perhaps even -because- you are looking at it.)<br>
<br>
Anyway, the rDNS listing, as it was on the 16th, looked more than a little<br>
fishy. Why would anyone need quite this many different outbound SMTP servers?<br>
<br>
The one and only second-level domain name that appeared in the rDNS listing<br>
as of the 16th was "<a href="http://sm-smtp.net" rel="noreferrer" target="_blank">sm-smtp.net</a>". I did a bit of research on that domain<br>
name and found that historical passive DNS associates that domain, quite<br>
unambiguously, with another domain name, <a href="http://sendermatrix.net" rel="noreferrer" target="_blank">sendermatrix.net</a>.<br>
<br>
It didn't take much more research for me to find out that a company called<br>
Sender Matrix, LLC is in fact registered in the State of Florida to a Mr.<br>
Jay Passerino. Mr. Passerino appears to have registered a number of different<br>
Florida companies:<br>
<br>
Haggle USA Corp.<br>
Mahem Partners, Inc.<br>
Sourcehire, LLC<br>
Boat App, LLC,<br>
All In Nutraceuticals, LLC<br>
Miami Suppliments, LLC<br>
Balladex Enterprises, LLC<br>
Sender Matrix, LLC (<a href="http://sendermatrix.com/" rel="noreferrer" target="_blank">http://sendermatrix.com/</a>)<br>
Gasher, Inc.<br>
Digital Platinum, Inc. (<a href="http://digital-platinum.com/" rel="noreferrer" target="_blank">http://digital-platinum.com/</a>)<br>
BB&M Ventures, Inc.<br>
<br>
Of course, there's nothing at all wrong with Mr. Passerino having prolific<br>
and multiple business interests, however a fellow who also, coincidentally,<br>
has the name Jay Passerino, and who also, coincidentally, hails from the<br>
State of Florida seems to have gotten into what the Brits might call "a spot<br>
of bother" with respect to not one but -two- U.S. federal regulatory agencies<br>
of late, specifically the SEC and the CFTC, both of which appear to have<br>
taken serious issue with this Mr. Jay Passerino's business practices, along<br>
with those of several of his cohorts:<br>
<br>
CFTC Press Release:<br>
<a href="https://www.cftc.gov/PressRoom/PressReleases/7807-18" rel="noreferrer" target="_blank">https://www.cftc.gov/PressRoom/PressReleases/7807-18</a><br>
<br>
SEC Press Release:<br>
<a href="https://www.sec.gov/news/press-release/2018-216" rel="noreferrer" target="_blank">https://www.sec.gov/news/press-release/2018-216</a><br>
<br>
As you can see, both the SEC and the CFTC elected to take issue... on the<br>
exact same day, by the way... with this Mr. Jay Passerino's activities on<br>
the Internet, and specifically relating to "pump and dump" email scams.<br>
<br>
Returning now to the subject of the two /22 sub-allocations that were made<br>
by this Polish outfit, Marton Media, to this apparently non-existant corporate<br>
entity called "Hostermatrix LLC", i hope that it will not escape anoyone's<br>
notice that whereas the IPv4 blocks in question have been provided... seemingly<br>
to an Internet crook named Jay Passerino... by a Polish company, the actual<br>
-routing- of each of these blocks shows the participation of some other<br>
actors within two more (different) European countries:<br>
<br>
<a href="http://91.149.232.0/22" rel="noreferrer" target="_blank">91.149.232.0/22</a> -<br>
routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)<br>
<br>
<a href="http://91.149.252.0/22" rel="noreferrer" target="_blank">91.149.252.0/22</a> -<br>
routed by AS24768 (ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA -<br>
Portugal)<br>
<br>
The only observation I can offer with respect to all of the forgoing, is the<br>
rather obvious one: All of this is, to say the least, rather suspicious.<br>
<br>
But wait! There's more!<br>
<br>
It appears that Mr. Passerino's IPv4 assets are not strictly limited to<br>
RIPEland. Theres also a Direct Allocation block of ARIN IPv4 space<br>
(<a href="http://138.128.224.0/22" rel="noreferrer" target="_blank">138.128.224.0/22</a>) that is explicitly registered to Sender Matrix LLC<br>
of Miami, Florida:<br>
<br>
<a href="https://pastebin.com/raw/cZcsPYrL" rel="noreferrer" target="_blank">https://pastebin.com/raw/cZcsPYrL</a><br>
<br>
This block is routed by AS62519, Netrouting Inc., also, according to ARIN<br>
records, of Miami, Florida:<br>
<br>
<a href="https://pastebin.com/raw/mJKnJX6w" rel="noreferrer" target="_blank">https://pastebin.com/raw/mJKnJX6w</a><br>
<br>
Curiously, the one and only route being announced by AS62519 is for the /22<br>
registered to Mr. Passerino's Sender Matrix LLC:<br>
<br>
<a href="https://bgp.he.net/AS62519#_prefixes" rel="noreferrer" target="_blank">https://bgp.he.net/AS62519#_prefixes</a><br>
<br>
It appears that the only current reason for this ASN to even exist is to<br>
provide routing to Mr. Passerino's ARINland /22 IPv4 block.<br>
<br>
And interestingly, AS62519 has only one IPv4 peer, i.e. AS47869:<br>
<br>
<a href="https://bgp.he.net/AS62519#_peers" rel="noreferrer" target="_blank">https://bgp.he.net/AS62519#_peers</a><br>
<br>
AS47869 meanwhile appears to belong to a major Dutch connectivity provider,<br>
also, not coincidentally, called "Netrouting". And unlike its Miami peer,<br>
AS62519, this Dutch network, AS47869, appears to have numerous different<br>
peers and to provide routing to numerous different entities, all apparently<br>
above board, unlike Mr. Passerino's Sender Matrix LLC:<br>
<br>
<a href="https://bgp.he.net/AS47869#_peers" rel="noreferrer" target="_blank">https://bgp.he.net/AS47869#_peers</a><br>
<a href="https://bgp.he.net/AS47869#_prefixes" rel="noreferrer" target="_blank">https://bgp.he.net/AS47869#_prefixes</a><br>
<br>
So, you know, this kind of begs the question: Did Netrouting realize that<br>
Mr. Passerino and/or Sender Matrix LLC were carrying on some rather dubious<br>
activites, and did the principals of Netrouting decide to attempt to<br>
distance themselves, and their main ASN (AS47869) from this activity,<br>
by putting a "cut out" ASN between them and Mr. Passerino (AS62519), just<br>
in case anybody ever clued in to what was really going here? Was this<br>
extra layer of AS numbers delibrately engineered to provide Netrouting<br>
with an extra layer of plausible deniability?<br>
<br>
I frankly don't know the answer to that question, but the peering and routing<br>
arrangement I've just described, together with the apparent nature of Mr.<br>
Passerino's Internet activities (as can be construed from the SEC and CFTC<br>
press releases) certainly does make one wonder about what the principals of<br>
Netrouting knew, and when they knew it.<br>
<br>
In contrast, I have fewer doubts about the Polish, Finnish, and Portuguese<br>
companies that are, apparently, aiding and abetting Mr. Passerino over in<br>
RIPEland. The evidence suggests that none of them bothered in the slightest<br>
to find out if there even really was any such corporate entity as<br>
"Hostermatrix, LLC" registered in -any- jurisdiction on planet earth. (The<br>
very helpful <a href="http://opencorporates.com" rel="noreferrer" target="_blank">opencorporates.com</a> web site suggests that there is no such<br>
entity, anywhere on earth.) Or perhaps they all knew full well that this<br>
name, "Hostermatrix, LLC", was just a made-up bullcrap name intended to<br>
hide the real identity of thhe real registrant of both of these /22 blocks.<br>
Either way, these three companies, in Poland, Finland, and Portugal, appear<br>
to be actively.. even iof perhaps unwittingly... aiding and abetting a<br>
Florida pump-and-dump spammer/scammer.<br>
<br>
Bottom line: I recommend to all to cease accepting any and all packets from<br>
at least the following:<br>
<br>
<a href="http://91.149.232.0/22" rel="noreferrer" target="_blank">91.149.232.0/22</a> - "Hostermatrix LLC"<br>
<a href="http://91.149.252.0/22" rel="noreferrer" target="_blank">91.149.252.0/22</a> - "Hostermatrix LLC"<br>
<a href="http://138.128.224.0/22" rel="noreferrer" target="_blank">138.128.224.0/22</a> - "Sender Matrix LLC"<br>
<br>
Anyone who may feel inclined towards an even more through defense should<br>
certainly consider also a complete block of packlets to/from <a href="http://91.149.192.0/18" rel="noreferrer" target="_blank">91.149.192.0/18</a>, <br>
or at least blocking that CIDR from your mail server. (After all, Polish<br>
digital TV customers are unlikely to be doing much in the way of outbound<br>
email anyway.)<br>
<br>
Regards,<br>
rfg<br>
</blockquote></div></div>