nanog mailing list archives

Re: Another possibly hijacked block - 160.116.0.0/16


From: william () elan net
Date: Mon, 12 May 2003 02:45:19 -0700 (PDT)


(Replying to myself yet again....)

I finally tracked this network down to the original domain acs.co.za (which 
has been reregistered a few times since long ago); the connection you can 
see at: http://www.sas.upenn.edu/African_Studies/E_Mail/E_Mail_10674.html
Best I can tell is that this was somehow affiliated with webfeat.co.za:
http://co.za/cgi-bin/whatelse.sh?File=acs.3
which is no longer in business it seems. I'm going to ask people at is.co.za
(who were providing original network services to webfeat in 1996) to see
if they have any historic info on what happened, and if they confirm the company is
not in business I'll ask them to mail it to ARIN.

But since I know a couple of people from ARIN are already on this list and
listening, it'd be good if ARIN were a little more proactive and did its own 
investigation on updates done to this block. Right now I have no conclusive
evidence that affiliatedcomputing.com has no connection to the block, but 
from what you can see above this seems likely.

And right now affiliatedcomputing.com is completely under the control of a 
large Florida spam gang; some info on that can be found at:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL6949
And you can see the previous affiliation to advistechsa.com (remember my 
previous post that VMX INC block 157.156.0.0/16 is probably supposed 
to be a Lucent block now? Well, vmxnetworks was their upstream!).
SPEWS has a lot of info on that gang:
http://www.spews.org/html/S367.html
http://www.spews.org/html/S2425.html (publicom!)

Besides that, it seems publicom, which is possibly the same as networldtron,
has a long history of spamming and ip block hijacking going back to 1999:
http://groups.google.com/groups?q=networldtron

Networldtron is the company to which most of the ip blocks which I listed 
as announced by AS8143 are SWIPed in the ARIN database. Their main domain 
networldtron.net is now expired and inactive (if you do a whois on it you'll 
find a connection to publicom yet again). But ntwt.net is active and has 
been taken over by a company called Naronda with the domain naronda.com - be on 
the lookout for such a client, who may be a spammer and hijacker!

On Sun, 11 May 2003 william () elan net wrote:

Though it's strange to reply to my own email for the 2nd time ...

But some important info I did not notice - apparently parts of 160.116.0.0
are still being announced through XO and Internap/Global Crossing with 
actual announcements coming from AS8143. Even more interesting, it appears 
smaller blocks from that /16 are announced (/19), and it appears email 
comes from a particular ip, and then the block which was announced before is 
announced no longer and they move to announcing another subblock with 
emails coming from there! 

In any case, this calls for active blocking of this /16 from anybody who 
does not want to provide services to spammers and ip hijackers.
As for XO and Internap, (I'm sure somebody is here from these companies) - 
take notice and get rid of this customer!!! 

Also UUNET, take notice too - AS8143 is announcing a number of other blocks 
through your network and I have serious suspicions the ASN itself is 
hijacked (it's registered to Publicom Corp, Miami, but the domain 4publicom.com
has been reregistered and it has some invalid whois info; in addition a
number of other announcements from 8143 are also suspicious).

And for the record here is some of what I'm seeing from 8143:

*>i63.89.167.0/24   209.144.160.89                100     10 6347 701 8143 
*>i63.109.72.0/24   209.144.160.89                100     10 6347 701 8143 
*>i63.109.79.0/24   209.144.160.89                100     10 6347 701 8143 
*>i134.33.0.0       209.144.160.89                100     10 6347 3549 10910
10910 10910 10910 10910 10910 8143 i
*>i160.116.16.0/24  209.144.160.89                100     10 6347 701 2828 8143
*>i160.116.160.0/19 209.144.160.89                100     10 6347 701 2828 8143
*>i160.116.224.0/19 209.144.160.89                100     10 6347 3549 10910
10910 10910 10910 10910 10910 8143 i
*>i162.73.128.0/19  209.144.160.89                100     10 6347 3549 10910
10910 10910 10910 10910 10910 8143 i
*>i204.179.64.0/20  209.144.160.89                100     10 6347 701 8143 8143
*>i207.243.145.0    209.144.160.89                100     10 6347 701 8143 
*>i208.168.213.0    209.144.160.89                100     10 6347 701 7018 8143
*>i208.168.215.0    209.144.160.89                100     10 6347 701 7018 8143
*>i208.238.44.0     209.144.160.89                100     10 6347 701 8143 
*>i208.238.45.0     209.144.160.89                100     10 6347 701 8143 

On Sun, 11 May 2003 william () elan net wrote:

Also I found some records that indicate that 160.116.0.0/16 had something
to do with eskom.co.za and that organization's physical address is/was 
located in Johannesburg. 

I think it would be best if somebody emails me info on AfriNOG or 
associated mailing list and I'll ask this question there, probably more 
likely to find somebody there who knows what was going on so long ago...

On Sun, 11 May 2003 william () elan net wrote:

Hello, 

I want to alert everyone on the maillist regarding ip block 
160.116.0.0/16. The block was announced by HE and XO previously (in my 
own routing table it is not showing right now), so these organizations are 
probably aware of the unsolicited emails that were coming out of this 
block and chose to not announce it any more. I'm hoping other organizations
that may be approached to announce the block would be alerted by this email and
not let it show up on the net again. 

I'm also trying to find out more about whether this block is really hijacked or 
not. The address listed in the ARIN database is "P.O. Box 261333, Excom, South 
Africa" and as far as I can tell this address is the one that was used 
originally (at least as of 1994), and when the block first appeared on the net 
it was announced through AS1957. I also tracked that the network in the ARIN 
database was originally named "Affiliated Computing Services--Uninet 
Project", which means it had some association with UNINET, which is/was
South Africa's education/university network (www.tenet.ac.za), kind of like 
NSFNET was in the US as far as I can remember. As far as I can see most 
of the other organizations associated with uninet are being announced through 
AS3741 (this includes blocks 160.114.0.0/16, 160.115.0.0/16, 160.118.0.0/16,
and many of the blocks from 196.11.0.0/16). Uninet/Tenet itself is 
using ip block 196.21.0.0/16 and several others, and these are announced
through AS2018 (and none of these are AS## 1228 - 1332, which are the as# 
in arin records for uninet; anyway it's probably just historical records).

I can not find any information about the original domain that the organization 
that had this block may have had, but currently it seems to be 
affiliatedcomputing.com and the record is pointing to the same address
as the arin block. I can not confirm if it was this way originally or if 
the domain was reregistered (but I'm sure whoever controls the domain 
now is involved in unsolicited email). 

Now if anybody is here from South Africa, possibly UNINET/TENET or somebody 
associated with AS1957 or AS3741 and knows anything about this block 
please reply and if something wrong did happen as far as ARIN records, we 
need to let them know.
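The checks the thread performs by hand (which prefixes in a BGP table are originated by AS8143, and which sub-blocks of 160.116.0.0/16 are being announced from an origin other than the AS1957 that originally announced it) can be automated over Cisco-style "show ip bgp" output. The script below is an added example for this thread, not the poster's own tooling. It assumes the column layout seen in the listing quoted above (no Metric column; LocPrf and Weight precede the AS path), infers a classful length for networks printed without one (as in "134.33.0.0"), and rejoins AS paths that the mail wrapped onto a second line. The sample table is constructed; the 192.0.2.0/24 and AS64496 entry uses documentation values and is there only as a non-matching control.

```python
"""Parse Cisco-style 'show ip bgp' output and flag (a) prefixes originated by a
suspect ASN and (b) more-specifics of a watched block whose origin is not the
expected one.  Added illustration for this thread; not the list author's tooling.
Assumed column layout after the next hop: LocPrf, Weight, AS path, optional
origin code (the listing quoted in the thread shows no Metric column)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the listing quoted in the thread.  The wrapped
# AS-path continuation line is kept on purpose so the parser has to rejoin it.
SAMPLE_TABLE = """\
*>i63.89.167.0/24   209.144.160.89                100     10 6347 701 8143
*>i134.33.0.0       209.144.160.89                100     10 6347 3549 10910
10910 10910 10910 10910 10910 8143 i
*>i160.116.16.0/24  209.144.160.89                100     10 6347 701 2828 8143
*>i160.116.160.0/19 209.144.160.89                100     10 6347 701 2828 8143
*>i192.0.2.0/24     209.144.160.89                100     10 6347 701 64496 i
"""

# status flags, network (length optional), next hop, everything else
ENTRY_RE = re.compile(r"^[*>sdhri ]*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(\S+)\s+(.*)$")
LEADING_COLUMNS = 2  # assumption: LocPrf and Weight sit between next hop and AS path


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    as_path: list = field(default_factory=list)
    origin_code: str = ""  # 'i', 'e' or '?'; empty when the line was cut off

    @property
    def origin_as(self):
        return self.as_path[-1] if self.as_path else None


def _classful(network):
    """Cisco prints classful networks without a length; infer it from the first octet."""
    if "/" in network:
        return ipaddress.ip_network(network, strict=False)
    first = int(network.split(".")[0])
    length = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{network}/{length}", strict=False)


def _absorb(route, tokens):
    """Append AS numbers to the route's path; a trailing i/e/? is the origin code."""
    for tok in tokens:
        if tok.isdigit():
            route.as_path.append(int(tok))
        elif tok in ("i", "e", "?"):
            route.origin_code = tok


def parse_bgp_table(text):
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            network, next_hop, rest = m.groups()
            routes.append(Route(_classful(network), next_hop))
            _absorb(routes[-1], rest.split()[LEADING_COLUMNS:])
        elif routes:
            # no network at the start: a wrapped AS path continuing the previous entry
            _absorb(routes[-1], line.split())
    return routes


def originated_by(routes, asn):
    """Routes whose AS path ends in the given ASN."""
    return [r for r in routes if r.origin_as == asn]


def unexpected_more_specifics(routes, watched, expected_origins):
    """Sub-blocks of `watched` whose origin ASN is not in `expected_origins`."""
    watched = ipaddress.ip_network(watched)
    return [r for r in routes
            if r.prefix.subnet_of(watched) and r.origin_as not in expected_origins]


if __name__ == "__main__":
    table = parse_bgp_table(SAMPLE_TABLE)
    for r in originated_by(table, 8143):
        print(f"originated by AS8143: {r.prefix} path {' '.join(map(str, r.as_path))}")
    for r in unexpected_more_specifics(table, "160.116.0.0/16", {1957}):
        print(f"sub-block of 160.116.0.0/16 from unexpected origin AS{r.origin_as}: {r.prefix}")
```

Run as-is it reports the four AS8143-originated prefixes and the two /24 and /19 sub-blocks of 160.116.0.0/16; feeding it a real table dump and a list of the prefixes and origins you are responsible for gives a cheap daily check for the sub-block shuffling described in the thread.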
