Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Spammers Hijacking IP Space

Posted by kdawson on Tuesday April 29, @08:54PM
from the open-and-shut-case dept.
Spam The Internet
Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

Related Stories

Firehose:Spammers Hijacking IP Space? You be the judge by Anonymous Coward
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Spammers Hijacking IP Space 25 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • It's the only way to be sure...

  • If only we could... (Score:3, Funny)

    by Fluffeh (1273756) on Tuesday April 29, @08:58PM (#23246744)
    Form an agry mob, arm ourselves with pitchforks and flaming brands, and the chase those rascals way out to the outskirts of town.

    Hell, if there was any trouble, we could even transform into an angry lynch mob - THEN lets see who owns that space eh? EH? Whaddya say?

  • Wouldn't it be nice... (Score:4, Insightful)

    by dreamchaser (49529) on Tuesday April 29, @08:59PM (#23246764) Homepage Journal
    ...if everyone just blocked that IP range entirely at their routers, shutting off their connectivity?

    There was a time when the Internet was a 'small' enough place that it would have even been feasible. Kind of like blacklisting a Usenet server for spam.
  • This one is simple. Everyone just blackholes the IP range and game over. Better if the backbones drop the route. Best if we all drop the IP space of whoever is directly connecting to a known spam network.

    • Re:SImple, blackhole the IP space (Score:4, Interesting)

      by dave.josephsen (1087529) on Tuesday April 29, @09:35PM (#23247074) Homepage
      It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4 [defcon.org] ) or that of Nick Feamster at Georgia tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and It is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBL's and make the arms race about IP's , then the most direct response is to attack the network layer and/or IP space. Further there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.

  • Blackhole == Defeat! (Score:5, Insightful)

    by Fluffeh (1273756) on Tuesday April 29, @09:09PM (#23246872)
    If the IP is simply blackholed, you are by lack of argument allowing this Spammer to put some sort of credible hold on that IP. That's like finding a squatter in a house on the street where the owners have gone on holiday - and simply putting a peice of tape across the driveway - it doesn't solve the bigger problem which is that someone walked into the house and started living there without any credible reason of doing so. It doesn't solve the problem of what's going to happen when the people return from holidays and find this squatter in their house.

    Also, if we simply blackhole that IP, what's going to happen when a legitimate user tries to use that space. It's going to go to bollocks for them when they find that the rest of the net is ignoring them already.

  • Snotty Scotty Richter (Score:4, Informative)

    by kchrist (938224) on Tuesday April 29, @09:15PM (#23246896) Homepage
    OptinRealBig belongs to none other than Snotty Scotty Richter [flickr.com]. I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.
  • If you're going to add this address space to your firewall or block it at the router - consider that this rogue outfit is likely to be taken down soon, and that address space may then be assigned to a legitimate operation. There's not an unlimited number of addresses left in IPv4 you know.

    What's been happening for years now is well-meaning admins blocking various IP addresses / blocks and/or domain names. Their motives are good, but after the address or domain name is blocked they almost never go back and recheck to see if the block is still needed. What this leads to over time are holes in the address space that can't be used, awkward or no routes to some addresses from some other addresses, etc. Especially in this time of zombie machines; blackhole that IP address and you've knocked some individual off line - but you've done nothing to reduce the amount of spam / viruses / worms / etc.

    This is what killed ORBS and other services of that type. Easy to add domains / addresses to the blocklist, but difficult to remove them. Eventually the list becomes useless...

    Much better solution: make an example out of the people who are squatting on this netblock. Break out the pitchforks and torches...

  • Spammers know no limits (Score:5, Insightful)

    by erroneus (253617) on Tuesday April 29, @09:15PM (#23246902) Homepage
    There's only one true solution to the problem of spammers. Death. I'm not joking. These people that create botnets, hijack networks and servers so that they can sell advertising are creating problems on a global scale for money. Nothing but death will stop or deter them. They need to die.

    It's good that I do not own any firearms and good that I do not know where these people live and good that I lack the means to get there. If I had those things and an air-tight alibi, I wouldn't hesitate to make my first murder one of these people.

  • "Hijack?" (Score:5, Interesting)

    by PhotoGuy (189467) on Tuesday April 29, @09:21PM (#23246950) Homepage

    Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.

    If he is president of a company that owns the company that provides routing for the block, doesn't that mean he has legal ownership of that block?

    Yes, if the block is used primarily for spam, I'm all for people blackholing the range. And if he's using it for illegal purposes, yes, he should be punished (and the range appropriated). But I don't see where the term "hijacking" could be applied at all.

    If I own some cars and use them in crimes, I haven't "hijacked" anyone.

    What am I missing?
    • That it doesn't belong to the parent company either:

      $ whois 134.17.0.0

      OrgName: SF Bay Packet Radio
      OrgID: SBPR-1
      Address: 1490 W 121st Ave
      Address: Suite 201
      City: Westminster
      StateProv: CO
      PostalCode: 80234
      Country: US

      NetRange: 134.17.0.0 - 134.17.255.255
      CIDR: 134.17.0.0/16
      NetName: BAY-PR-NET
      NetHandle: NET-134-17-0-0-1
      Parent: NET-134-0-0-0-0
      NetType: Direct Assignment
      NameServer: NS1.SFBPRSERVICES.COM
      NameServer: NS2.SFBPRSERVICES.COM
      Comment:
      RegDate: 1989-04-12
      Updated: 2007-10-05
      • Humm ... San Francisco Packet Radio ... with a Colorado mailing address. Somehow I don't think so.

        It looks like what they did was just register a company with a similar-sounding name to a defunct organization that had an old /16. Then they went to ARIN and got control of it on the strength of the similar name, including getting themselves listed in WHOIS. (Which, when you think about it, isn't that hard -- there's no real authentication mechanism for proving you're the "real" San Francisco Packet Radio.)

        Then they had another front company obtain an AS number and provide routing, and suddenly they have lots of IPs from which to send spam.

        The even-creepier part is that it looks like they have another block stolen through similar means (currently registered to a P.O. box in NYC) and possible connections to Russian spammers, which means basically the Russian mafia.

        Here's hoping that when the whole thing falls apart, the Russian mob comes calling for this guy's head. Ironically they're the best chance for this guy getting the slow, painful death he so richly deserves.

  • A lack of ethics (Score:5, Interesting)

    by mlwmohawk (801821) on Tuesday April 29, @09:25PM (#23246994)
    I will continue to say it every time I can.

    We need a strong societal repudiation of the violation of ethics. Organizations like Microsoft, SCO, and the like and people like Bill Gates, Darl McBride, etc. need to be made pariahs for the shameless unethical and illegal behavior.

    "Spamming" is unethical. The only reason why it is done is because their unethical behavior is not shunned.

    • Re: (Score:3, Insightful)

      by swordgeek (112599)
      I expect that people will misinterpret what you mean by shun, or maybe I am. However, I agree entirely--if it could be done in a comprehensive way. Imagine if nobody would sell groceries or toilet paper to Bill Gates, because of his behaviour. Rather than

  • Set firewalls on shun! (Score:3, Funny)

    by zerofoo (262795) on Tuesday April 29, @09:31PM (#23247048)
    Boy, that was a cheezy joke huh?

    -ted

  • who is linking this to the backbone? (Score:3, Insightful)

    by timmarhy (659436) on Tuesday April 29, @09:53PM (#23247220)
    this has a very simple fix. major backbone providers like at&t need to cease routing from providers who allow this kind of misconfiguration of the internet.

    because that's all it is, a mid level isp has added someone to their routing tables with ip's that they have no right to. simply telling their provider to correct their configurations or all their traffic will be dropped should be enough, indeed it should be mandatory for backbone providers to do this in order for them to legally keep their own ip ranges. anything else is asking for people to start claiming ip's all over the place and before you know it each isp will route you to a different site for the same ip, making the internet useless.

  • " I felt a great disturbance in the internet, as if 65535 ip addresses suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened. "

    iptables -A spam -s 134.17.0.0/16 -j DROP

    • Re: (Score:3, Informative)

      by wytcld (179112)
      Um no. Everyone else knows this. But might as well clue you in. They've claimed 134.17.*.* - all of it.

    • Re: (Score:3, Informative)

      by Have Blue (616)
      The "/16" means they claimed the remaining 16 bits of the 32-bit IP address whose first 2 bytes are 134.17 in decimal- everything from 134.17.0.0 to 134.17.255.255. That's one of only 65,000 blocks of its class available and is the sort of range that would

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.