Spammers Hijacking IP Space
Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."
OptinRealBig belongs to none other than Snotty Scotty Richter. I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.
Web consulting +
That it doesn't belong to the parent company either:
$ whois 134.17.0.0
OrgName: SF Bay Packet Radio
OrgID: SBPR-1
Address: 1490 W 121st Ave
Address: Suite 201
City: Westminster
StateProv: CO
PostalCode: 80234
Country: US
NetRange: 134.17.0.0 - 134.17.255.255
CIDR: 134.17.0.0/16
NetName: BAY-PR-NET
NetHandle: NET-134-17-0-0-1
Parent: NET-134-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.SFBPRSERVICES.COM
NameServer: NS2.SFBPRSERVICES.COM
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05
X(7): A program for managing terminal windows. See also screen(1).
Um no. Everyone else knows this. But might as well clue you in. They've claimed 134.17.*.* - all of it.
"with their freedom lost all virtue lose" - Milton
The "/16" means they claimed the remaining 16 bits of the 32-bit IP address whose first 2 bytes are 134.17 in decimal: everything from 134.17.0.0 to 134.17.255.255. That's one of only 65,000 blocks of its class available and is the sort of range that would be owned by a large corporation or university.
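The whois record and the "/16" arithmetic discussed in the comments above can be checked mechanically. The following is an added example, not part of the original thread: it parses a subset of the whois fields quoted on this page, verifies that NetRange and CIDR agree, and flags a pre-ARIN registration whose record was edited long afterwards. The function names, the 10-year threshold, the 1997-01-01 cutoff date and the two test addresses are assumptions made for illustration.

```python
import ipaddress
from datetime import date

# Constructed sample: a subset of the fields from the whois output quoted on this page.
WHOIS_TEXT = """\
OrgName: SF Bay Packet Radio
NetRange: 134.17.0.0 - 134.17.255.255
CIDR: 134.17.0.0/16
NetType: Direct Assignment
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05
"""

# Assumption: the story gives 1997 as the year ARIN was formed; use Jan 1 as the cutoff.
ARIN_FORMED = date(1997, 1, 1)


def parse_whois(text):
    """Return {field: value}; empty fields are skipped, repeated fields keep the last value."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip()] = value.strip()
    return record


def audit_block(record, stale_years=10):
    """Check NetRange against CIDR and flag legacy blocks whose record changed late."""
    net = ipaddress.ip_network(record["CIDR"], strict=True)
    first, last = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split(" - "))
    reg = date.fromisoformat(record["RegDate"])
    upd = date.fromisoformat(record["Updated"])
    legacy = reg < ARIN_FORMED
    return {
        "addresses": net.num_addresses,  # a /16 leaves 16 host bits: 2**16 addresses
        "range_matches_cidr": (first, last) == (net.network_address, net.broadcast_address),
        "legacy": legacy,
        # Heuristic (assumption): a pre-ARIN record edited many years later merits manual review.
        "review": legacy and (upd.year - reg.year) >= stale_years,
    }


def in_block(record, addr):
    """True if addr (for example a mail-log source IP) falls inside the registered block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(record["CIDR"])


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(audit_block(rec))
    print(in_block(rec, "134.17.200.9"), in_block(rec, "134.18.0.1"))  # constructed addresses
```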
The very first evidence I can find of the 134.17.0.0 being reserved is referenced in RFC 1166 to BAY-PR-NET with a contact of a Mr. Milo Medin of NASA Science Internet Program Office (MEDIN@NSIPO.NASA.GOV), who This RFC is obviously outdated (July 1990), but government agencies usually don't give up their IP space. Initial impression is that NASA was/is involved in providing connectivity to the Pacific Rim; in some ways with AX.25. If this is still the case, then the US Government should have a little talk with whoever gave/sold one of their /16 nets to some lady in Colorado who is the CIO for one of the most notorious spammers in the world.
The rules for managing pre-ARIN space aren't totally clear, but nobody's worried about them too much because they were mostly owned by large reputable organizations, such as universities and government contractors. (Some of them may need to set the Evil Bit on their packets, but none of them needed to set the Stupid Bit.) In many cases, they've given most of their space back to IANA or ARIN - several universities have returned their Class A
But there have been a few early-adopters that are no longer in business - and in some cases their IP address space was worth more than their remaining furniture and intellectual property. Does the space revert to IANA if the organization is gone? Probably, but if you can pretend the organization is Not Dead Yet, you might get away with keeping their space. In some cases, you can do that more legitimately than in other cases. (A friend of a friend was the former sysadmin from a defunct early-adopter company that had had a Class B
OptInRealBig and their corporate-shell sock puppets have owned large IP spaces before. It's been a while, so I may have details wrong; if I remember correctly, one of the sock puppets was a "web hosting" company, with lots of "customers", and if one of those "customers" got caught spamming, then they'd get spanked for violating the AUP ("Bad! Bad customer!") - and there was enough IP space that they could keep playing this game for a long time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks