Slashdot Mirror


Spammers Hijacking IP Space

Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

27 of 233 comments

  1. I say we dust off and nuke the site from orbit by $RANDOMLUSER · · Score: 3, Funny

    It's the only way to be sure...

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  2. If only we could... by Fluffeh · · Score: 2, Funny

    Form an angry mob, arm ourselves with pitchforks and flaming brands, and then chase those rascals way out to the outskirts of town.

    Hell, if there was any trouble, we could even transform into an angry lynch mob - THEN let's see who owns that space eh? EH? Whaddya say?

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  3. Wouldn't it be nice... by dreamchaser · · Score: 3, Insightful

    ...if everyone just blocked that IP range entirely at their routers, shutting off their connectivity?

    There was a time when the Internet was a 'small' enough place that it would have even been feasible. Kind of like blacklisting a Usenet server for spam.

    1. Re:Wouldn't it be nice... by Fluffeh · · Score: 3, Insightful

      Only problem with that approach is that you are therefore in fact giving them that IP space by lack of a fight.

      That would then lead to another group "claiming" another spot of space, and so on and so forth - until there was no legitimate or unused space left at all - then you would have to fight the same fight with many many people rather than one spamming company as we have now.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:Wouldn't it be nice... by Metasquares · · Score: 3, Insightful

      How will everyone know when the block is reclaimed? You'll end up with an entire /16 that no one can use because everyone is still blocking it.

  4. Blackhole == Defeat! by Fluffeh · · Score: 4, Insightful

    If the IP is simply blackholed, you are by lack of argument allowing this Spammer to put some sort of credible hold on that IP. That's like finding a squatter in a house on the street where the owners have gone on holiday - and simply putting a piece of tape across the driveway - it doesn't solve the bigger problem, which is that someone walked into the house and started living there without any credible reason for doing so. It doesn't solve the problem of what's going to happen when the people return from holidays and find this squatter in their house.

    Also, if we simply blackhole that IP, what's going to happen when a legitimate user tries to use that space? It's going to go to bollocks for them when they find that the rest of the net is ignoring them already.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  5. Snotty Scotty Richter by kchrist · · Score: 3, Informative

    OptinRealBig belongs to none other than Snotty Scotty Richter. I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.

  6. Blackholing this address space may not be wise by Whuffo · · Score: 5, Insightful

    If you're going to add this address space to your firewall or block it at the router - consider that this rogue outfit is likely to be taken down soon, and that address space may then be assigned to a legitimate operation. There's not an unlimited number of addresses left in IPv4 you know.

    What's been happening for years now is well-meaning admins blocking various IP addresses / blocks and/or domain names. Their motives are good, but after the address or domain name is blocked they almost never go back and recheck to see if the block is still needed. What this leads to over time are holes in the address space that can't be used, awkward or no routes to some addresses from some other addresses, etc. Especially in this time of zombie machines: blackhole that IP address and you've knocked some individual offline - but you've done nothing to reduce the amount of spam / viruses / worms / etc.

    This is what killed ORBS and other services of that type. Easy to add domains / addresses to the blocklist, but difficult to remove them. Eventually the list becomes useless...

    Much better solution: make an example out of the people who are squatting on this netblock. Break out the pitchforks and torches...

    1. Re:Blackholing this address space may not be wise by v1 · · Score: 4, Insightful

      He has to peer somewhere. THEY should be the ones to blackhole him. One way or another he has to be paying someone off to route in his direction. I don't see why that's hard to cut off?

      --
      I work for the Department of Redundancy Department.
    2. Re:Blackholing this address space may not be wise by mysidia · · Score: 3, Insightful

      If you're willing to pay enough for the bandwidth you will probably find a major provider to let you advertise your range.

      For the origin of that range to get as far as they have, they clearly had paperwork to prove to their upstream that the range is assigned to them.

      You're their customer. Without a very good reason to do so, they won't (can't) blackhole you without violating whatever interconnection agreement was signed.

      Temporarily blocking a range should cause no permanent issue for the new owners, not that a range like that one can be re-assigned quickly.

      Since it had already been used before, very possibly the range would be considered un-assignable, just like the class E ranges and other ranges which were originally reserved/special.

      But you see, it's better to have a range be unusable than to have a range with bad documentation that can be occupied by whatever spammer wants to occupy it.

      (Or: blackholed is better than can be freely occupied on tenuous or ridiculous reasoning arising out of strange circumstances -- like the person who wants to occupy it used to be a contact for the defunct organization who it was once registered to)

  7. Spammers know no limits by erroneus · · Score: 4, Insightful

    There's only one true solution to the problem of spammers. Death. I'm not joking. These people that create botnets, hijack networks and servers so that they can sell advertising are creating problems on a global scale for money. Nothing but death will stop or deter them. They need to die.

    It's good that I do not own any firearms and good that I do not know where these people live and good that I lack the means to get there. If I had those things and an air-tight alibi, I wouldn't hesitate to make my first murder one of these people.

    1. Re:Spammers know no limits by dfm3 · · Score: 2

      Dude. Back away from the computer, get out of the basement for a little, and maybe step outside for a minute to take a breather. I'm not joking. ;-)

  8. "Hijack?" by PhotoGuy · · Score: 4, Interesting

    Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.

    If he is president of a company that owns the company that provides routing for the block, doesn't that mean he has legal ownership of that block?

    Yes, if the block is used primarily for spam, I'm all for people blackholing the range. And if he's using it for illegal purposes, yes, he should be punished (and the range appropriated). But I don't see where the term "hijacking" could be applied at all.

    If I own some cars and use them in crimes, I haven't "hijacked" anyone.

    What am I missing?

    --
    Love many, trust a few, do harm to none.
    1. Re:"Hijack?" by jon787 · · Score: 4, Informative

      That it doesn't belong to the parent company either:

      $ whois 134.17.0.0

      OrgName: SF Bay Packet Radio
      OrgID: SBPR-1
      Address: 1490 W 121st Ave
      Address: Suite 201
      City: Westminster
      StateProv: CO
      PostalCode: 80234
      Country: US

      NetRange: 134.17.0.0 - 134.17.255.255
      CIDR: 134.17.0.0/16
      NetName: BAY-PR-NET
      NetHandle: NET-134-17-0-0-1
      Parent: NET-134-0-0-0-0
      NetType: Direct Assignment
      NameServer: NS1.SFBPRSERVICES.COM
      NameServer: NS2.SFBPRSERVICES.COM
      Comment:
      RegDate: 1989-04-12
      Updated: 2007-10-05

      --
      X(7): A program for managing terminal windows. See also screen(1).
    2. Re:"Hijack?" by Kadin2048 · · Score: 3, Interesting

      Humm ... San Francisco Packet Radio ... with a Colorado mailing address. Somehow I don't think so.

      It looks like what they did was just register a company with a similar-sounding name to a defunct organization that had an old /16. Then they went to ARIN and got control of it on the strength of the similar name, including getting themselves listed in WHOIS. (Which, when you think about it, isn't that hard -- there's no real authentication mechanism for proving you're the "real" San Francisco Packet Radio.)

      Then they had another front company obtain an AS number and provide routing, and suddenly they have lots of IPs from which to send spam.

      The even-creepier part is that it looks like they have another block stolen through similar means (currently registered to a P.O. box in NYC) and possible connections to Russian spammers, which means basically the Russian mafia.

      Here's hoping that when the whole thing falls apart, the Russian mob comes calling for this guy's head. Ironically they're the best chance for this guy getting the slow, painful death he so richly deserves.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  9. To read this comment by lisany · · Score: 2, Funny

    I'm sorry but to read this comment you must accept the terms of service of my crappy comment. Please click your back button to accept terms of service.

  10. A lack of ethics by mlwmohawk · · Score: 4, Interesting

    I will continue to say it every time I can.

    We need a strong societal repudiation of the violation of ethics. Organizations like Microsoft, SCO, and the like and people like Bill Gates, Darl McBride, etc. need to be made pariahs for the shameless unethical and illegal behavior.

    "Spamming" is unethical. The only reason why it is done is because their unethical behavior is not shunned.

    1. Re:A lack of ethics by swordgeek · · Score: 2, Insightful

      I expect that people will misinterpret what you mean by shun, or maybe I am. However, I agree entirely--if it could be done in a comprehensive way. Imagine if nobody would sell groceries or toilet paper to Bill Gates, because of his behaviour. Rather than being invited as guests to TV shows, the media would all collectively turn their backs on the likes of Darl McBride and Steve Ballmer at press conferences. The Richters shouldn't be able to get power, water, or gas service to their houses or businesses. People wouldn't BUY their products, people wouldn't SELL products to them, people wouldn't INTERACT with them, and people wouldn't ACCEPT them into the community. This would provide some strong incentive to behave ethically. (Both social and financial.)

      Unfortunately, we need to fix humanity (or at least society) before it'll work. Cheap prices, convenience, and lying trump ethics every time. Kurt Vonnegut commented on the psychopathic behaviour of corporate leaders, and in fact being a psychopath is almost a prerequisite to being a CEO. The companies themselves behave psychopathically. Capitalism and ethics are contrary. Worst of all though, is that as a capitalistic society, we encourage and reward this behaviour, by buying cheap and convenient every time.

      --
      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  11. Set firewalls on shun! by zerofoo · · Score: 2, Funny

    Boy, that was a cheesy joke huh?

    -ted

  12. Re:SImple, blackhole the IP space by dave.josephsen · · Score: 4, Interesting

    It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4 ) or that of Nick Feamster at Georgia Tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and it is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBLs and make the arms race about IPs, then the most direct response is to attack the network layer and/or IP space. Further there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.

  13. Re:what's the big deal? by wytcld · · Score: 2, Informative

    Um no. Everyone else knows this. But might as well clue you in. They've claimed 134.17.*.* - all of it.

    --
    "with their freedom lost all virtue lose" - Milton
  14. who is linking this to the backbone? by timmarhy · · Score: 2, Insightful

    This has a very simple fix. Major backbone providers like AT&T need to cease routing from providers who allow this kind of misconfiguration of the internet.

    Because that's all it is: a mid-level ISP has added someone to their routing tables with IPs that they have no right to. Simply telling their provider to correct their configurations or all their traffic will be dropped should be enough; indeed it should be mandatory for backbone providers to do this in order for them to legally keep their own IP ranges. Anything else is asking for people to start claiming IPs all over the place and before you know it each ISP will route you to a different site for the same IP, making the internet useless.

    --
    If you mod me down, I will become more powerful than you can imagine....
  15. Re:what's the big deal? by Have+Blue · · Score: 2, Informative

    The "/16" means they claimed the remaining 16 bits of the 32-bit IP address whose first 2 bytes are 134.17 in decimal- everything from 134.17.0.0 to 134.17.255.255. That's one of only 65,000 blocks of its class available and is the sort of range that would be owned by a large corporation or university.
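An added example (not from any poster in this thread): a small parser for the ARIN record jon787 quoted above, cross-checking the NetRange line against the CIDR line, computing the /16 size Have+Blue describes, and measuring the gap between the 1989 registration and the 2007 update. The record is a constructed copy of what appears in the thread, not live whois output.

```python
import ipaddress
from datetime import date

# Constructed copy of the ARIN record quoted in the thread (trimmed; not live whois output).
WHOIS_RECORD = """\
OrgName: SF Bay Packet Radio
OrgID: SBPR-1
Address: 1490 W 121st Ave
Address: Suite 201
City: Westminster
StateProv: CO
NetRange: 134.17.0.0 - 134.17.255.255
CIDR: 134.17.0.0/16
NetName: BAY-PR-NET
NetHandle: NET-134-17-0-0-1
NetType: Direct Assignment
NameServer: NS1.SFBPRSERVICES.COM
NameServer: NS2.SFBPRSERVICES.COM
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; a key seen more than once becomes a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # not a field line
        key, val = key.strip(), val.strip()
        if key in rec:
            prev = rec[key]
            rec[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            rec[key] = val
    return rec

def check_record(rec):
    """Cross-check the record the way a reader of the thread would by hand."""
    net = ipaddress.ip_network(rec["CIDR"], strict=True)  # rejects host bits set in the CIDR
    lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["NetRange"].split("-"))
    registered = date.fromisoformat(rec["RegDate"])
    updated = date.fromisoformat(rec["Updated"])
    return {
        "prefix": str(net),
        # the size Have+Blue computes: 2**(32-16) addresses in a /16
        "addresses": net.num_addresses,
        # the NetRange line and the CIDR line must describe the same addresses
        "range_matches_cidr": net[0] == lo and net[-1] == hi,
        # allocated before ARIN was formed in 1997, the point the summary turns on
        "pre_arin": registered.year < 1997,
        # whole years between the original registration and the record's last change
        "years_until_update": (updated - registered).days // 365,
    }
```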

  16. easily fixed...... by Indy1 · · Score: 2, Funny

    " I felt a great disturbance in the internet, as if 65535 ip addresses suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened. "

    iptables -A spam -s 134.17.0.0/16 -j DROP

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  17. So I'm bored... by Mutiny32 · · Score: 2, Informative

    The very first evidence I can find of the 134.17.0.0 being reserved is referenced in RFC 1166 to BAY-PR-NET with a contact of a Mr. Milo Medin of NASA Science Internet Program Office (MEDIN@NSIPO.NASA.GOV), who This RFC is obviously outdated (July 1990), but government agencies usually don't give up their IP space. Initial impression is that NASA was/is involved in providing connectivity to the Pacific Rim; in some ways with AX.25. If this is still the case, then the US Government should have a little talk with whoever gave/sold one of their /16 nets to some lady in Colorado who is the CIO for one of the most notorious spammers in the world.

    1. Re:So I'm bored... by Mutiny32 · · Score: 2, Informative

      A little more digging around reveals that NASA reserved this space for use of testing and implementing TCP/IP links over AX.25 (packet radio). This was later part of the NASA Science Internet, which eventually just became part of the Internet. The company name SF Bay Packet Radio, LLC looks to be a bogus company name to make it look to ARIN that it is the original owner of the address space, reserved and documented in RFC 1166 in 1990. Most accurately known as identity theft. It is most likely that NASA Ames and subsequently the US Government still owns the 134.17.0.0/16 address space. I wonder if someone could get in touch with Mr. Medin, who is now the founder and CTO of M2Z Networks, Inc. of Menlo Park, CA and ask him if he knows much more about this. It is possible that this space has actually been hijacked from NASA Ames Research Center.

  18. Hijacking the IP Space Owners, not just the Space by billstewart · · Score: 2, Informative

    As much as I dislike Scotty Richter and his tactics, you can't say he isn't a clever bastard.

    The rules for managing pre-ARIN space aren't totally clear, but nobody's worried about them too much because they were mostly owned by large reputable organizations, such as universities and government contractors. (Some of them may need to set the Evil Bit on their packets, but none of them needed to set the Stupid Bit.) In many cases, they've given most of their space back to IANA or ARIN - several universities have returned their Class A /8 space in return for smaller allocations. Also, IANA predates ARIN - while I've got real problems with ICANN's appropriation of Jon Postel's Ghost, and they've delegated most of the policy-making to ARIN, RIPE, APNIC, etc., they're still somewhat in charge.
    But there have been a few early-adopters that are no longer in business - and in some cases their IP address space was worth more than their remaining furniture and intellectual property. Does the space revert to IANA if the organization is gone? Probably, but if you can pretend the organization is Not Dead Yet, you might get away with keeping their space. In some cases, you can do that more legitimately than in other cases. (A friend of a friend was the former sysadmin from a defunct early-adopter company that had had a Class B /16 address block, which by the mid-Internet-boom was probably worth $100K. Unfortunately, his ownership of it was dubious enough that he never felt that he could legitimately sell it, and unlike Scotty's newly acquired block of space, it didn't have a corporate shell wrapped around it that he could sell either.)
    OptInRealBig and their corporate-shell sock puppets have owned large IP spaces before. It's been a while, so I may have details wrong; if I remember correctly, one of the sock puppets was a "web hosting" company, with lots of "customers", and if one of those "customers" got caught spamming, then they'd get spanked for violating the AUP ("Bad! Bad customer!") - and there was enough IP space that they could keep playing this game for a long time.

    --
    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks