Slashdot Mirror


Spammers Hijacking IP Space

Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

15 of 233 comments

  1. I say we dust off and nuke the site from orbit by $RANDOMLUSER · · Score: 3, Funny

    It's the only way to be sure...

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  2. Wouldn't it be nice... by dreamchaser · · Score: 3, Insightful

    ...if everyone just blocked that IP range entirely at their routers, shutting off their connectivity?

    There was a time when the Internet was a 'small' enough place that it would have even been feasible. Kind of like blacklisting a Usenet server for spam.

    1. Re:Wouldn't it be nice... by Fluffeh · · Score: 3, Insightful

      Only problem with that approach is that you are therefore in fact giving them that IP space by lack of a fight.

      That would then lead to another group "claiming" another spot of space, and so on and so forth - until there was no legitimate or unused space left at all - then you would have to fight the same fight with many many people rather than one spamming company as we have now.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:Wouldn't it be nice... by Metasquares · · Score: 3, Insightful

      How will everyone know when the block is reclaimed? You'll end up with an entire /16 that no one can use because everyone is still blocking it.

  3. Blackhole == Defeat! by Fluffeh · · Score: 4, Insightful

    If the IP is simply blackholed, you are by lack of argument allowing this Spammer to put some sort of credible hold on that IP. That's like finding a squatter in a house on the street where the owners have gone on holiday - and simply putting a piece of tape across the driveway - it doesn't solve the bigger problem which is that someone walked into the house and started living there without any credible reason of doing so. It doesn't solve the problem of what's going to happen when the people return from holidays and find this squatter in their house.

    Also, if we simply blackhole that IP, what's going to happen when a legitimate user tries to use that space? It's going to go to bollocks for them when they find that the rest of the net is ignoring them already.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  4. Snotty Scotty Richter by kchrist · · Score: 3, Informative

    OptinRealBig belongs to none other than Snotty Scotty Richter. I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.

  5. Blackholing this address space may not be wise by Whuffo · · Score: 5, Insightful

    If you're going to add this address space to your firewall or block it at the router - consider that this rogue outfit is likely to be taken down soon, and that address space may then be assigned to a legitimate operation. There's not an unlimited number of addresses left in IPv4 you know.

    What's been happening for years now is well-meaning admins blocking various IP addresses / blocks and/or domain names. Their motives are good, but after the address or domain name is blocked they almost never go back and recheck to see if the block is still needed. What this leads to over time are holes in the address space that can't be used, awkward or no routes to some addresses from some other addresses, etc. Especially in this time of zombie machines; blackhole that IP address and you've knocked some individual off line - but you've done nothing to reduce the amount of spam / viruses / worms / etc.

    This is what killed ORBS and other services of that type. Easy to add domains / addresses to the blocklist, but difficult to remove them. Eventually the list becomes useless...

    Much better solution: make an example out of the people who are squatting on this netblock. Break out the pitchforks and torches...
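
The failure mode described in this comment (blocks that are added and never rechecked) is usually handled by giving every entry a lifetime. The sketch below is an added example, not part of the original post; the `Block` fields, the TTL values and the dates are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Block:
    network: ipaddress.IPv4Network
    reason: str
    added: date
    ttl_days: int  # assumption: no entry may be added without a lifetime

    @property
    def expires(self) -> date:
        return self.added + timedelta(days=self.ttl_days)

def is_blocked(entries, addr, today):
    """True only if an unexpired entry covers addr; stale entries stop matching."""
    ip = ipaddress.ip_address(addr)
    return any(ip in e.network and today < e.expires for e in entries)

def due_for_review(entries, today, warn_days=14):
    """Entries already expired or expiring within warn_days, oldest first."""
    cutoff = today + timedelta(days=warn_days)
    return sorted((e for e in entries if e.expires <= cutoff),
                  key=lambda e: e.expires)

def renew(entry, today, still_abusive):
    """Outcome of a re-check: restart the clock, or drop the entry (None)."""
    if not still_abusive:
        return None
    return Block(entry.network, entry.reason, today, entry.ttl_days)

# Constructed sample data: the block from the story plus a long-forgotten entry.
ENTRIES = [
    Block(ipaddress.ip_network("134.17.0.0/16"), "disputed legacy block",
          date(2008, 4, 1), 90),
    Block(ipaddress.ip_network("192.0.2.0/24"), "constructed stale entry",
          date(2007, 1, 15), 30),
]
```

An entry that nobody renews simply stops matching, so a reclaimed range becomes reachable again without anyone having to remember to unblock it.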

    1. Re:Blackholing this address space may not be wise by v1 · · Score: 4, Insightful

      He has to peer somewhere. THEY should be the ones to blackhole him. One way or another he has to be paying someone off to route in his direction. I don't see why that's hard to cut off?

      --
      I work for the Department of Redundancy Department.
    2. Re:Blackholing this address space may not be wise by mysidia · · Score: 3, Insightful

      If you're willing to pay enough for the bandwidth you will probably find a major provider to let you advertise your range.

      For the origin of that range to get as far as they have, they clearly had paperwork to prove to their upstream that the range is assigned to them.

      You're their customer. Without a very good reason to do so, they won't (can't) blackhole you without violating whatever interconnection agreement was signed.

      Temporarily blocking a range should cause no permanent issue for the new owners, not that a range like that one can be re-assigned quickly.

      Since it had already been used before, very possibly the range would be considered un-assignable, just like the class E ranges and other ranges which were originally reserved/special.

      But you see, it's better to have a range be unusable than to have a range with bad documentation that can be occupied by whatever spammer wants to occupy it.

      (Or: blackholed is better than can be freely occupied on tenuous or ridiculous reasoning arising out of strange circumstances -- like the person who wants to occupy it used to be a contact for the defunct organization who it was once registered to)

  6. Spammers know no limits by erroneus · · Score: 4, Insightful

    There's only one true solution to the problem of spammers. Death. I'm not joking. These people that create botnets, hijack networks and servers so that they can sell advertising are creating problems on a global scale for money. Nothing but death will stop or deter them. They need to die.

    It's good that I do not own any firearms and good that I do not know where these people live and good that I lack the means to get there. If I had those things and an air-tight alibi, I wouldn't hesitate to make my first murder one of these people.

  7. "Hijack?" by PhotoGuy · · Score: 4, Interesting

    Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.

    If he is president of a company that owns the company that provides routing for the block, doesn't that mean he has legal ownership of that block?

    Yes, if the block is used primarily for spam, I'm all for people blackholing the range. And if he's using it for illegal purposes, yes, he should be punished (and the range appropriated). But I don't see where the term "hijacking" could be applied at all.

    If I own some cars and use them in crimes, I haven't "hijacked" anyone.

    What am I missing?

    --
    Love many, trust a few, do harm to none.
    1. Re:"Hijack?" by jon787 · · Score: 4, Informative

      That it doesn't belong to the parent company either:

      $ whois 134.17.0.0

      OrgName: SF Bay Packet Radio
      OrgID: SBPR-1
      Address: 1490 W 121st Ave
      Address: Suite 201
      City: Westminster
      StateProv: CO
      PostalCode: 80234
      Country: US

      NetRange: 134.17.0.0 - 134.17.255.255
      CIDR: 134.17.0.0/16
      NetName: BAY-PR-NET
      NetHandle: NET-134-17-0-0-1
      Parent: NET-134-0-0-0-0
      NetType: Direct Assignment
      NameServer: NS1.SFBPRSERVICES.COM
      NameServer: NS2.SFBPRSERVICES.COM
      Comment:
      RegDate: 1989-04-12
      Updated: 2007-10-05

      --
      X(7): A program for managing terminal windows. See also screen(1).
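
The record quoted above shows a 1989 registration with a 2007 update. The sketch below is an added example, not part of the original comment: it parses that `Key: value` format and applies a hypothetical triage rule (a pre-1997 registration whose record changed recently gets a manual look). The 365-day window and the flag names are assumptions, and a flag is a prompt for review, not evidence of abuse.

```python
from datetime import date

ARIN_FORMED = 1997  # year given in the story summary

# Subset of the record quoted in the comment above.
SAMPLE = """\
OrgName: SF Bay Packet Radio
Address: 1490 W 121st Ave
Address: Suite 201
StateProv: CO
CIDR: 134.17.0.0/16
NetType: Direct Assignment
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05
"""

def parse_whois(text):
    """Map each key to the list of its values; repeated keys keep their order."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def field_date(rec, key):
    """First value of key as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(rec[key][0])
    except (KeyError, IndexError, ValueError):
        return None

def review_flags(rec, today, recent_days=365):
    """Hypothetical triage heuristic: reasons to check a record by hand."""
    flags = []
    reg, upd = field_date(rec, "RegDate"), field_date(rec, "Updated")
    if reg is None:
        return ["no-regdate"]
    if reg.year < ARIN_FORMED:
        flags.append("legacy")
        if upd and 0 <= (today - upd).days <= recent_days:
            flags.append("legacy-recently-updated")
    return flags
```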
    2. Re:"Hijack?" by Kadin2048 · · Score: 3, Interesting

      Humm ... San Francisco Packet Radio ... with a Colorado mailing address. Somehow I don't think so.

      It looks like what they did was just register a company with a similar-sounding name to a defunct organization that had an old /16. Then they went to ARIN and got control of it on the strength of the similar name, including getting themselves listed in WHOIS. (Which, when you think about it, isn't that hard -- there's no real authentication mechanism for proving you're the "real" San Francisco Packet Radio.)

      Then they had another front company obtain an AS number and provide routing, and suddenly they have lots of IPs from which to send spam.

      The even-creepier part is that it looks like they have another block stolen through similar means (currently registered to a P.O. box in NYC) and possible connections to Russian spammers, which means basically the Russian mafia.

      Here's hoping that when the whole thing falls apart, the Russian mob comes calling for this guy's head. Ironically they're the best chance for this guy getting the slow, painful death he so richly deserves.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  8. A lack of ethics by mlwmohawk · · Score: 4, Interesting

    I will continue to say it every time I can.

    We need a strong societal repudiation of the violation of ethics. Organizations like Microsoft, SCO, and the like and people like Bill Gates, Darl McBride, etc. need to be made pariahs for the shameless unethical and illegal behavior.

    "Spamming" is unethical. The only reason why it is done is because their unethical behavior is not shunned.

  9. Re:Simple, blackhole the IP space by dave.josephsen · · Score: 4, Interesting

    It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4) or that of Nick Feamster at Georgia Tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and it is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBLs and make the arms race about IPs, then the most direct response is to attack the network layer and/or IP space. Further, there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.