[Asrg] News Article - Stealing IP address ownership to send spam

Yakov Shafranovich <research@solidmatrix.com> Wed, 11 June 2003 19:42 UTC

See the following SecurityFocus article
(http://www.securityfocus.com/news/5654) and the related Slashdot story
(http://yro.slashdot.org/yro/03/06/11/1853254.shtml). Some quotes:

"The most rapacious consumers of the stolen address space are spammers 
trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot 
of addresses to hide behind, a lot of launch pads for unwanted e-mail, 
squats for hastily-erected spamvertised websites, and attack points from 
which one can scan the Internet for misconfigured proxy servers -- useful
for laundering even more spam. Some anti-spam investigators believe an 
underground economy exists in which a large block of address space is 
broken down and re-sold in smaller chunks like a boosted Acura in a 
chop-shop. "Money is changing hands," says Kai Schlichting, a veteran 
network engineer who tracks down stolen IP space in his spare time. "I 
wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces."

"But elsewhere the scam has intensified in recent months, with at least
seven large allocations found newly-diverted, and countless other cases 
suspected. Last month anti-spam groups and concerned network operators 
formed a private mailing list to investigate the phenomenon outside the 
view of cyberjackers. "There's anything up to 100 of these blocks out there 
on the loose," estimates Richard Cox, an IT forensics guru with Mandarin 
Technology in the U.K. "That's the magnitude that we're dealing with here."

"Network operators were galvanized by a particularly brazen case in April, 
when a trail of spam led to the discovery that no less than six /16s --
nearly 400,000 addresses -- had been misappropriated from Trafalgar House, 
a British construction and shipping conglomerate that's now part of Aker 
Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the 
perpetrators conned the American Registry for Internet Numbers (ARIN) into 
changing the contact information for the space. One of the /16s was traced 
to a Dutch spammer, and the other five to a mysterious company called 
"Fedfinancial Corp."

Fedfinancial managed to convince ARIN that it had been contracted to
provide network management services for Trafalgar. ARIN won't say exactly 
how it was swindled, but registration records show the grifters had an 
authentic-looking e-mail address at a newly-minted "traf-infosystems.net" 
domain, and a genuine street address with matching voice and fax telephone 
numbers. But the phone numbers ring to Nevada and Offshore Business 
Formation, a company that sets up corporations for a fee, and takes orders 
over the Web. Public records show that they incorporated Fedfinancial as a 
Nevada corporation last January, on behalf of an unnamed client. The street 
address is also theirs."

"But like the mob moving in on a neighborhood poker game, spammers have 
turned a once-harmless misdemeanor into an organized and well-funded 
scheme. Internet defenders shudder at the thought of large portions of the 
net's real-estate under the control of anonymous rogue entities. "There's 
no accountability. You don't know who really owns this particular address 
space. You have no way of finding out," says Schlichting. Some even worry
that malefactors will go a step further, and begin hijacking address space 
that's already in active use. "This whole episode has identified huge 
weaknesses in the Internet's own infrastructure," says Cox. "What we've 
seen happen is trivial compared to what we've seen possible."
