[Asrg] News Article - Stealing IP address ownership to send spam
Yakov Shafranovich <research@solidmatrix.com> Wed, 11 June 2003 19:42 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA28333 for <asrg-archive@odin.ietf.org>; Wed, 11 Jun 2003 15:42:01 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5BJfXM29664 for asrg-archive@odin.ietf.org; Wed, 11 Jun 2003 15:41:33 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5BJfXm29661 for <asrg-web-archive@optimus.ietf.org>; Wed, 11 Jun 2003 15:41:33 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA28151; Wed, 11 Jun 2003 15:41:31 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19QBRP-00034b-00; Wed, 11 Jun 2003 15:39:27 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19QBRO-00034Y-00; Wed, 11 Jun 2003 15:39:26 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5BJc3m29484; Wed, 11 Jun 2003 15:38:03 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5BJbEm28751 for <asrg@optimus.ietf.org>; Wed, 11 Jun 2003 15:37:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA26185 for <Asrg@ietf.org>; Wed, 11 Jun 2003 15:37:11 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19QBND-00032J-00 for Asrg@ietf.org; Wed, 11 Jun 2003 15:35:07 -0400
Received: from 000-257-319.area7.spcsdns.net ([68.27.245.18] helo=68.27.245.18 ident=trilluser) by ietf-mx with smtp (Exim 4.12) id 19QBNA-00032E-00 for Asrg@ietf.org; Wed, 11 Jun 2003 15:35:06 -0400
Message-Id: <5.2.0.9.2.20030611153623.00bb2e20@solidmatrix.com>
X-Sender: research@solidmatrix.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
To: Asrg@ietf.org
From: Yakov Shafranovich <research@solidmatrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
X-GCMulti: 1
Subject: [Asrg] News Article - Stealing IP address ownership to send spam
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Wed, 11 Jun 2003 15:36:25 -0400
See the following SecurityFocus article (http://www.securityfocus.com/news/5654) and the related SlashDot story (http://yro.slashdot.org/yro/03/06/11/1853254.shtml). Some quotes:

--snip--

"The most rapacious consumers of the stolen address space are spammers trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot of addresses to hide behind, a lot of launch pads for unwanted e-mail, squats for hastily-erected spamvertised websites, and attack points from which one can scan the Internet for misconfigured proxy servers -- useful for laundering even more spam. Some anti-spam investigators believe an underground economy exists in which a large block of address space is broken down and re-sold in smaller chunks like a boosted Acura in a chop-shop. "Money is changing hands," says Kai Schlichting, a veteran network engineer who tracks down stolen IP space in his spare time. "I wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces." "

"But elsewhere the scam has intensified in recent months, with at least seven large allocations found newly-diverted, and countless other cases suspected. Last month anti-spam groups and concerned network operators formed a private mailing list to investigate the phenomenon outside the view of cyberjackers. "There's anything up to 100 of these blocks out there on the loose," estimates Richard Cox, an IT forensics guru with Mandarin Technology in the U.K. "That's the magnitude that we're dealing with here." "

"Network operators were galvanized by a particularly brazen case in April, when a trail of spam led to the discovery that no less than six /16s -- nearly 400,000 addresses -- had been misappropriated from Trafalgar House, a British construction and shipping conglomerate that's now part of Aker Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the perpetrators conned the American Registry for Internet Numbers (ARIN) into changing the contact information for the space.

One of the /16s was traced to a Dutch spammer, and the other five to a mysterious company called "Fedfinancial Corp." Fedfinancial managed to convince ARIN that it had been contracted to provide network management services for Trafalgar. ARIN won't say exactly how it was swindled, but registration records show the grifters had an authentic-looking e-mail address at a newly-minted "traf-infosystems.net" domain, and a genuine street address with matching voice and fax telephone numbers. But the phone numbers ring to Nevada and Offshore Business Formation, a company that sets up corporations for a fee, and takes orders over the Web. Public records show that they incorporated Fedfinancial as a Nevada corporation last January, on behalf of an unnamed client. The street address is also theirs. "

"But like the mob moving in on a neighborhood poker game, spammers have turned a once-harmless misdemeanor into an organized and well-funded scheme. Internet defenders shudder at the thought of large portions of the net's real-estate under the control of anonymous rogue entities. "There's no accountability. You don't know who really owns this particular address space. You have no way of finding out," says Schlichting."

"Some even worry that malefactors will go a step further, and begin hijacking address space that's already in active use. "This whole episode has identified huge weaknesses in the Internet's own infrastructure," says Cox. "What we've seen happen is trivial compared to what we've seen possible." "

--snip--

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
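The traces the article describes were visible in the registry record itself, not in the routing table: the block's contact information was rewritten, and the new contact lived at a freshly registered lookalike domain. As an added example (not code from the article, the ASRG list or ARIN), the Python below audits a registry "ip network" record for exactly those two indicators: a "last changed" event within a recent window that differs from the registration date, and any contact e-mail whose domain is not under the organisation's own domain. It consumes the RDAP JSON shape of RFC 9083, which postdates this 2003 message but is the machine-readable form of the same registration data. The records, the organisation domain example.com, the 90-day window and the documentation prefix 192.0.2.0/24 are all constructed assumptions for the example.

```python
"""Audit a registry 'ip network' record for the traces of a contact hijack.

Added example, not from the article or from any registry. The records below
are constructed; 'example.com' as the organisation's domain, the 90-day
window and the 192.0.2.0/24 documentation prefix are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Reference time for the audit (constructed to match the message's date).
NOW = datetime(2003, 6, 11, tzinfo=timezone.utc)


def make_record(last_changed: str, noc_email: str) -> dict:
    """Build a constructed RDAP (RFC 9083) 'ip network' object.

    The registrant entity carries a nested technical contact, which is how
    RIRs commonly express a NOC or 'network management' contact.
    """
    return {
        "objectClassName": "ip network",
        "handle": "NET-192-0-2-0-1",
        "startAddress": "192.0.2.0",
        "endAddress": "192.0.2.255",
        "name": "EXAMPLE-NET",
        "events": [
            {"eventAction": "registration", "eventDate": "1995-03-01T00:00:00Z"},
            {"eventAction": "last changed", "eventDate": last_changed},
        ],
        "entities": [{
            "objectClassName": "entity",
            "handle": "EXAMPLE-ORG",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Holdings plc"],
            ]],
            "entities": [{
                "objectClassName": "entity",
                "handle": "NOC-1",
                "roles": ["technical", "administrative"],
                "vcardArray": ["vcard", [
                    ["version", {}, "text", "4.0"],
                    ["fn", {}, "text", "Network Management Services"],
                    ["email", {}, "text", noc_email],
                ]],
            }],
        }],
    }


# Constructed: contact rewritten weeks ago to a lookalike domain.
SUSPECT_RECORD = make_record("2003-04-14T09:30:00Z",
                             "hostmaster@example-infosystems.net")
# Constructed: untouched for years, contact under the organisation's domain.
CLEAN_RECORD = make_record("1999-06-01T00:00:00Z", "hostmaster@example.com")


def _iter_entities(obj: dict):
    """Yield every entity in the record, including nested ones."""
    for ent in obj.get("entities", []):
        yield ent
        yield from _iter_entities(ent)


def _vcard(entity: dict, prop: str) -> list:
    """All values of one jCard property (e.g. every 'email') on an entity."""
    arr = entity.get("vcardArray")
    if not arr or len(arr) < 2:
        return []
    return [item[3] for item in arr[1] if len(item) >= 4 and item[0] == prop]


def _event(obj: dict, action: str):
    """Parse the RDAP event with the given action into an aware datetime."""
    for ev in obj.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def audit_network(record: dict, org_domain: str, now: datetime,
                  window_days: int = 90) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    changed = _event(record, "last changed")
    registered = _event(record, "registration")
    # Indicator 1: the record was modified recently, after its registration.
    if changed and changed != registered and now - changed <= timedelta(days=window_days):
        findings.append(
            f"record changed on {changed.date()} ({(now - changed).days} days ago); "
            f"registered {registered.date() if registered else 'unknown'}")
    # Indicator 2: a contact e-mail outside the organisation's own domain.
    org_domain = org_domain.lower()
    for ent in _iter_entities(record):
        for email in _vcard(ent, "email"):
            domain = email.rsplit("@", 1)[-1].lower()
            if domain != org_domain and not domain.endswith("." + org_domain):
                roles = ", ".join(ent.get("roles", []))
                findings.append(
                    f"{ent.get('handle')} ({roles}): contact {email} is outside {org_domain}")
    return findings


if __name__ == "__main__":
    for label, rec in (("suspect", SUSPECT_RECORD), ("clean", CLEAN_RECORD)):
        print(label, audit_network(rec, "example.com", NOW) or "no findings")
```

In practice the record would be fetched from the responsible registry's RDAP service rather than constructed, and the audit run periodically over every block the organisation holds; a change event that nobody inside the organisation requested, or a contact at a domain the organisation does not own, is the signal to raise with the registry before the space turns up in someone else's spam.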