nanog mailing list archives

Re: AS11296 -- Hijacked?


From: William Herrin <bill () herrin us>
Date: Fri, 1 Oct 2010 08:29:04 -0400

On Fri, Oct 1, 2010 at 1:47 AM, Ronald F. Guilmette
<rfg () tristatelogic com> wrote:
> Oh yeah, and the snail mail addresses given in the WHOIS records for the
> domains will usually/often be traceable to UPS Store rental P.O. boxes...
> those are standard spammer favorites, because...as they well know... us
> spamfighters can't find out who really controls any one of those boxes
> without a subpoena... unlike USPS boxes, for instance.  (All this is
> quite well known in the dank sleazy spammer underground already, so I'm
> not hardly giving away any secrets here.)  And in a similar vein, the
> contact phone numbers given in the whois records will quite typically
> be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers.  No, the spammers
> are _not_ trying to save you money when you want to call them up to bitch
> to them about the fact that they sent you 8,372 spams in a row.  Nope,
> again, they use the toll-free numbers for a very specific purpose, which
> is again to make it more difficult for anyone trying to track them down
> to find their actual physical location.  Non-toll-free numbers are typically
> associated with a specific geographic vicinity (although even that is
> being substantially eroded by number portability).  But the toll-free
> numbers are truly and always utterly geographically anonymous.  So
> spammers use them a lot, primarily in domain whois records.
>
> So here you are.  You've got this s**t load of highly "fishy" name servers,
> and they are all planted firmly into IP space that (a) appears to have been
> allocated to a reputable name brand company... such as Seiko, in this
> case... *and* (b) the block in question, based on the RegDate: and Updated:
> fields of the block's ARIN whois record, apparently hasn't been touched for
> years... maybe even a decade or more... thus implying that the former owners
> of the block either have abandoned it years ago, or else they themselves
> went belly up and ceased to exist, probably during the Great Dot Com Crash
> of 2000.  Add it all up and what does it spell?  No, not heartburn... Hijack.

Ron,

Let's try that without the diatribe:

"I saw spam domains pop up associated with 199.241.95.253.
199.241.64.0/19 appears to be a defunct registration reannounced to
the Internet two weeks ago by an AS11296 -- an unregistered AS number.
A large quantity of spam domains popped up with the other addresses
recently announced by AS11296 as well. Accordingly, I suspect that as
we've seen many times before and all clearly understand, AS11296 and
the addresses it advertises have been hijacked by a spammer."

There. Now, would that have been so hard?

Your friend was right. We don't want a "lengthy elaboration." Just a
simple, concise explanation of why you believe your claim to be true.

As for your secretive and ingenious detection, get over yourself.
We've seen this before. More than once.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
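The three-part chain Bill condenses above (unregistered origin ASN, an allocation whose whois record has not been touched in years, a burst of suspect domains resolving into the prefix) written out as a scoring check. This is an added example, not code from the thread or from NANOG; it runs on constructed whois, routing and domain data, and only AS11296, 199.241.64.0/19 and 199.241.95.253 come from the message.

```python
# Added example (not from the thread): the hijack-suspicion heuristic Bill
# summarises, run on constructed data; see lead-in for what is assumed.
from dataclasses import dataclass
from datetime import date
import ipaddress

@dataclass
class WhoisBlock:
    prefix: str    # allocation as recorded at the RIR
    org: str
    updated: date  # "Updated:" field of the whois record

def hijack_indicators(prefix, origin_asn, blocks, registered_asns, domain_ips,
                      today, stale_years=5, min_domains=3):
    """The three red flags from the thread for one announcement: unregistered
    origin ASN, covering allocation untouched for years, burst of suspect
    domains resolving into the prefix. Returns the flags that fired."""
    net = ipaddress.ip_network(prefix)
    flags = []
    if origin_asn not in registered_asns:
        flags.append(f"origin AS{origin_asn} is not a registered AS number")
    block = next((b for b in blocks
                  if net.subnet_of(ipaddress.ip_network(b.prefix))), None)
    if block and (today - block.updated).days > 365 * stale_years:
        flags.append(f"allocation to {block.org} last updated {block.updated}")
    hosted = [d for d, ip in domain_ips.items() if ipaddress.ip_address(ip) in net]
    if len(hosted) >= min_domains:
        flags.append(f"{len(hosted)} suspect domains resolve into {prefix}")
    return flags

def suspect_hijacks(announcements, blocks, registered_asns, domain_ips, today):
    """Prefix -> flags, for announcements that trip at least two indicators."""
    out = {}
    for prefix, asn in announcements:
        flags = hijack_indicators(prefix, asn, blocks, registered_asns, domain_ips, today)
        if len(flags) >= 2:
            out[prefix] = flags
    return out

# Constructed sample inputs; a real check would pull them from RIR whois,
# a BGP collector and passive DNS. AS11296 is deliberately not in the registry.
TODAY = date(2010, 10, 1)
REGISTERED_ASNS = {64496, 64497}
BLOCKS = [WhoisBlock("199.241.64.0/19", "Seiko (per thread; date made up)", date(1999, 3, 2)),
          WhoisBlock("192.0.2.0/24", "Example Org", date(2010, 6, 15))]
ANNOUNCEMENTS = [("199.241.64.0/19", 11296), ("192.0.2.0/24", 64496)]
DOMAIN_IPS = {f"spam-placeholder-{i}.example": f"199.241.95.{250 + i}" for i in range(4)}
DOMAIN_IPS["legit-placeholder.example"] = "192.0.2.10"
```

Requiring two of three flags keeps a single stale whois record, which is common for legitimately held legacy space, from raising an alert on its own.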

