Re: Edge 1 Networks/Williams Communications Group
From: Kai Schlichting <kai () pac-rim net>
Date: Tue, 5 Aug 2003 14:46:37 -0400


On 8/4/2003 at 10:26 PM, "Jeff Kell" <jeff-kell () utc edu> wrote:

After several run-ins with Edge 1 Networks [] having their 
machines "hijack" victim machines on our networks infected with Jeem, 
and then making their spam runs, I've had it.  I have reported both to 
Edge 1 and their parent Williams Communications Group [AS7911] with no 
result and I will be blocking Edge 1 [in theory, AS29986, but no doubt 
private spewage from WCG.NET].

[I omitted quoting the follow-up post where Nick Geyer and Chris
 'Rizler' Smith are being ratted out by fellow IP space hijackers at
 Web Design House (AS 26857):
 - hijacked by registering henningassoc.com (which has
   the same POC e-mail addr as AS26857 until recently: loopback2003 () yahoo com,
   with interesting nameservers that have since moved out of that /24:
 - announced hijacked IT-SOUTHLTD.COM
 - provided transit for AS 27526 (endai.com/endai.net/dmx0.com),
   originating hijacked (IT-SOUTHLTD.COM) ]

The following (now posted daily) feature in Spam-L should make some
silent NANOG subscribers ask themselves a question: do I work for a
large criminal enterprise and could my own actions as an employee be
considered active participation with possible criminal culpability?

And for those OTHER NANOG subscribers that decided that joining the
unemployment line after the Internet bubble burst was not for them,
but legal work suiting their qualifications was nowhere to be found:
you should read up on some of the statutes of limitations for computer
fraud and abuse acts (federal and state) and reconsider your current
activities. Your acts are definitely not going unnoticed nor are they
being ignored.
There's a reason why Chris 'Rizler' Smith and 2 of his associates
fled^Wrelocated to Costa Rica, you know, but Mary Jo White sure as
hell didn't care that the last batch of people she had indicted had
relocated to small caribbean island nations to evade US justice:

ISPs, including Level3.net and Cogent, are conspiring (that's what 'knowingly
providing assistance to the perpetrator of a criminal act' actually is) with
hard core computer criminals, and there's a handy list right here:


This is a forwarded message
From: Ronald F. Guilmette
Date: Monday, August 4, 2003, 4:06:47 PM
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04

===8<==============Original message text===============
Date: Mon, 4 Aug 2003 13:06:47 -0700
Sender: Spam Prevention Discussion List <SPAM-L () PEACH EASE LSOFT COM>
From: "Ronald F. Guilmette"
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04
Precedence: list

The following list is based on proxy honeypot network data collected
between 12 Noon 2003-08-03 and 12 noon 2003-08-04.

Commentary follows below...

 1. 38.112.197  cogentco.com - daicahosting.com/daica.com (Tampa, FL)
 2. 38.114.11   cogentco.com - tailoredservers.com (Frisco, TX)
 3. 66.135.15   broadbandip.net (Baton Rouge, LA)
 4. 38.114.3    cogentco.com - tailoredservers.com (Frisco, TX)
 5. 63.246.136  unitedcolo.com aka sagonet.com (San Francisco, CA)
 6. 66.44.228   sterlingnetwork.net - savanti.net (Tucson, AZ)
 7. 166.90.206  level3.com - ?Alan Ralsky? (Detroit area, MI)
 8. 66.118.187  sagonet.com (Tampa, FL)
 9. 63.246.135  unitedcolo.com aka sagonet.com (San Francisco, CA)
10. 66.250.125  cogentco.com - applicationx.net (Alpha, NJ)
11. 66.111.39   unitedcolo.com aka sagonet.com (San Francisco, CA)
12. 63.246.133  unitedcolo.com aka sagonet.com (San Francisco, CA)
13. 66.118.189  sagonet.com (Tampa, FL)
14. 64.5.51     theplanet.com (Dallas, TX)
15. 66.111.49   unitedcolo.com aka sagonet.com (San Francisco, CA)
16. 66.118.142  sagonet.com - argobroadcast.com (Tampa, FL)
17. 66.205.223  cetnetworks.com - smartmailhosting.com (New Orleans, LA)
18. 66.44.231   sterlingnetwork.net - savanti.net (Tucson, AZ)
19. 64.180.125  telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
20. 206.47.187  bell.ca - "Datatech Communications" (Windsor, ON, CA)
21. 66.17.157   yipes.com - net-sentry.net (Dallas, TX)
22. 38.118.143  cogentco.com - infinology.com (Goleta, CA)
23. 66.118.180  sagonet.com (Tampa, FL)
24. 216.99.99   nutnbut.net - pntsi.ca (London, ON, CA)
25. 66.111.40   unitedcolo.com aka sagonet.com (San Francisco, CA)
26. 66.70.114   datapipe.com (Hoboken, NJ)
27. 66.111.33   unitedcolo.com aka sagonet.com (San Francisco, CA)
28. 209.50.253  servint.com (McLean, VA)
29. 219.109.197 tcn-catv.ne.jp (Tokyo, JP)
30. 66.205.219  cetnetworks.com (Redwood City, CA)
31. 63.246.131  unitedcolo.com aka sagonet.com (San Francisco, CA)
32. 61.220.193  hinet.net (Taipei, TW)
33. 38.112.199  cogentco.com - daicahosting.com/daica.com (Tampa, FL)
34. 66.111.35   unitedcolo.com aka sagonet.com (San Francisco, CA)
35. 64.228.130  bell.ca/sympatico.ca (Montreal, QB, CA)
36. 216.58.92   igs.net (Kanata, ON, CA)
37. 66.111.50   unitedcolo.com aka sagonet.com (San Francisco, CA)
38. 80.71.71    telia.net - megaprovider.com/Bevelander (Haarlem, NL)
39. 216.8.169   mnsi.net (Windsor, ON, CA)
40. 195.14.58   corbina.net (Moscow, RU)

Not very much new today.  All of the usual suspects are still in the top
ranks of the list.

I called Cogent to ask about daicahosting.com.  A guy named `Al' in the
abuse department said that daica is ``on probation'', whatever the hell
that means.  I asked him if they could at least filter outbound connects
to common proxy ports, and he said ``Oh no... I couldn't do THAT!''

Level3's mystery spammer in the Detroit area is still in the Top 10,
banging the crap out 24/7 like always.  Oh well, at least we caught
one of their official spokesmodels in a bald-faced lie... ``Ralsky
never sent any spam out via the connection we sell him.'' Yea.  Right.
What they should have said is that nobody was actually able to CATCH
him doing it until now.

broadbandip.net, the Baton Rouge ISP that thinks that proxy hijacking is
OK has jumped into the #3 spot.  The Cajun spam gang must be getting

Cetnetwork.com is still doing proxy hijacking, big-time, from both its
66.205.223 and 66.205.219 blocks.  I just had ANOTHER long phone chat
with "Ketchersid, John" about this, and I gave him one last piece of
rope to definitely hang himself with.  He said that he was gonna filter
outbound traffic to proxy ports.  So if this crap from his network
continues, then I'll know that he's a complete liar.

Sagonet and its subsidiary, unitedcolo appear to be trying to disperse
their proxy hijackers throughout their address space, probably in the
vain hope that they will be able to fly beneath my radar, and get off
the Top 40 list.  But they are just making it more and more evident
what a bunch of slimebags they are.

The greedy jerk in charge of sterlingnetwork.net is still hanging on
to his paying customer savanti.net, who are raping proxies like there's
no tomorrow.  So what else is new?

Bevelander/megaprovider.nl is now connected via telia.net, and he is
cranking out the crap, via that connection, big time.

The big trend today, other than sagonet's dispersal of its criminal proxy
hijackers to all corners of its network, is the general increase in criminal
activity originating from various locales within Canada, notably in the
vicinity of Toronto/Windsor.  This is most probably the proxy hijacker
that I got nuked off of Beanfield.Com a couple of weeks ago trying to
squirm his way back onto the net again.

IMPORTANT CORRECTION:  I had previously listed the proxy hijacking within
the 206.47.187/24 block as being the responsibility of "KRCMAR Surveyors
(Thornhill, ON, CA)".  That was totally incorrect.  This /24 block is
subdivided among many customers of bell.ca, and KRCMAR Surveyors only
has the first set of 7 IPs in this block.  The real and correct culprits
for the proxy hijacking are listed above, i.e. "Datatech Communications"
(Windsor, ON, CA).  My apologies to KRCMAR Surveyors for the prior erroneous


P.S.  Not all of the companies on the list above have had a fair chance
to nuke off their proxy hijacking customers yet.  Some were only notified
this morning of the problem, i.e.:

19. 64.180.125  telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
26. 66.70.114   datapipe.com (Hoboken, NJ)
28. 209.50.253  servint.com (McLean, VA)
29. 219.109.197 tcn-catv.ne.jp (Tokyo, JP)
32. 61.220.193  hinet.net (Taipei, TW)
35. 64.228.130  bell.ca/sympatico.ca (Montreal, QB, CA)
40. 195.14.58   corbina.net (Moscow, RU)

===8<===========End of original message text===========
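The Top 40 report above is a fixed-format text list (rank, the first three octets of a /24, the transit provider, an optional " - customer" field, and a location in parentheses). As an added example that is not part of Guilmette's post or of this thread, the following Python parses that format into /24 networks, groups entries by provider the way the commentary does (folding "unitedcolo.com aka sagonet.com" under sagonet.com), and lets an operator check whether a source address of a proxy connection falls inside one of the listed blocks. The sample lines are copied from the report; the function names and the "aka" folding rule are this example's own assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a handful of lines in the report's format
# (rank. first-three-octets  provider [- customer] (location)).
SAMPLE_REPORT = """\
 1. 38.112.197  cogentco.com - daicahosting.com/daica.com (Tampa, FL)
 5. 63.246.136  unitedcolo.com aka sagonet.com (San Francisco, CA)
 7. 166.90.206  level3.com - ?Alan Ralsky? (Detroit area, MI)
 8. 66.118.187  sagonet.com (Tampa, FL)
17. 66.205.223  cetnetworks.com - smartmailhosting.com (New Orleans, LA)
19. 64.180.125  telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
20. 206.47.187  bell.ca - "Datatech Communications" (Windsor, ON, CA)
"""

# rank, three dotted octets, free-text attribution, location in parentheses
LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\d+\.\d+\.\d+)\s+(.+?)\s+\((.*)\)\s*$")


def parse_report(text):
    """Turn report lines into dicts with an ipaddress /24 network each.

    Lines that do not match the format (commentary, blanks) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rank, octets, who, location = m.groups()
        provider, _, customer = who.partition(" - ")
        # "unitedcolo.com aka sagonet.com": attribute to the parent named
        # after "aka", matching how the commentary groups sagonet (assumption).
        if " aka " in provider:
            provider = provider.split(" aka ", 1)[1]
        entries.append({
            "rank": int(rank),
            "network": ipaddress.ip_network(f"{octets}.0/24"),
            "provider": provider.strip(),
            "customer": customer.strip() or None,
            "location": location,
        })
    return entries


def count_by_provider(entries):
    """How many listed /24s each provider is responsible for."""
    return Counter(e["provider"] for e in entries)


def lookup(ip, entries):
    """Return the report entry whose /24 contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if addr in e["network"]:
            return e
    return None


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for provider, n in count_by_provider(rows).most_common():
        print(f"{n:2d}  {provider}")
    hit = lookup("38.112.197.45", rows)
    print("38.112.197.45 ->", hit["provider"], hit["customer"], hit["location"])
```

Run against the full 40-line list, `count_by_provider` reproduces the point the commentary makes about sagonet spreading its customers across many /24s, and `lookup` is the piece an operator would wire into a log pipeline to tag connections from the listed blocks. Note that the report only gives /24 granularity, so a match marks the block, not a specific host, which is exactly the kind of over-attribution the "IMPORTANT CORRECTION" about 206.47.187/24 warns about.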