Executive Summary: AS203418 (Marketigames, LLC), together with its one and only immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its sister network, AS205944 (MediaClick, LLC) either are currently hijacking or have recently hijacked multiple abandoned /16 IPv4 address blocks, apparently with the intent of leasing out this hijacked IPv4 space to snowshoe spammers, in particular, to Clickjet Media (clickjetmedia.com). Readers who may be peering with AS203040, in particular, are encouraged to cease doing so.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

I believe that this listing of 13 separate /16 routes makes it self-evident what is going on here:

https://bgp.he.net/AS203418#_prefixes

(Please note that a screenshot of the above page has been archived here for posterity: http://i.imgur.com/Ws2aKkz.png)

The hijacks currently being perpetrated by this ASN (AS203418 - Marketigames, LLC) are, in my opinion, both brazen and audacious.

I wouldn't mind, but other evidence indicates persuasively that at least one of these hijacked /16 blocks (140.167.0.0/16) has already been put into use as a snowshoe spamming source. The following file contains a listing of numerous domain names that currently have associated SPF TXT records permitting these domains to send outbound emails from various parts of the (hijacked) 140.167.0.0/16 block:

https://pastebin.com/raw/0EjThpR8

It is also interesting that a great many of the domain names listed in the above file in fact resolve to the IPv4 address 216.128.69.220, which is within a /24 block (216.128.69.0/24) which is ostensibly registered to an entity calling itself "Big Hosting Plus" (aka bighostingplus.com) allegedly of Albuquerque, New Mexico.

A brief perusal of the WHOIS record associated with the contact domain name for that IPv4 block (bighostingplus.com) shows however the identity of the party that is actually pulling the strings here, i.e.
a company called Clickjet Media of Glendale, California, aka clickjetmedia.com:

https://pastebin.com/raw/h9cuGSdK

I should note that the ARIN sub-SWIP for the 216.128.69.0/24 block is not the only instance in which Clickjet Media has followed this exact same playbook. I have previously identified the following four additional fraudulent ARIN sub-SWIPs where ClickJet Media is, evidently, the real entity behind the deliberately fictitious ARIN sub-SWIPs:

High Point Host ARB-69-1-227-0 (NET-69-1-227-0-1) 69.1.227.0 - 69.1.227.255
Pleasant Hosting ARB-69-1-228-0 (NET-69-1-228-0-1) 69.1.228.0 - 69.1.228.255
Quasi Hosting ARB-69-1-254-0 (NET-69-1-254-0-1) 69.1.254.0 - 69.1.254.255
Green River Hosting ARB-69-1-255-0 (NET-69-1-255-0-1) 69.1.255.0 - 69.1.255.255

Here is the archived evidence supporting my contentions as they relate to the above four ARIN sub-SWIPs:

ARIN sub-SWIP records:
https://pastebin.com/raw/UDBQKDiC
https://pastebin.com/raw/hpDUqLFF
https://pastebin.com/raw/7zdZLw01
https://pastebin.com/raw/gvXNwbJW

Associated domain WHOIS records:
https://pastebin.com/raw/pHLGRJux (highpointhost.com)
https://pastebin.com/raw/V91DTsX1 (pleasanthosting.com)
https://pastebin.com/raw/SxqzQy2v (quasihosting.com)
https://pastebin.com/raw/2qv5xDsE (greenriverhosting.com)

I should note for the sake of completeness that the listing of the 13 hijacked /16 blocks linked to above, as currently presented on the bgp.he.net web site, is in fact a somewhat stale listing. All of those thirteen /16 blocks were in fact hijacked by AS203418 as of yesterday, however as of this writing, it would appear that only the following nine /16 blocks are still hijacked at this moment (although this is hardly a cause for celebration):

116.79.0.0/16
116.144.0.0/16
116.152.0.0/16
116.166.0.0/16
116.181.0.0/16
128.13.0.0/16
134.22.0.0/16
140.167.0.0/16
148.154.0.0/16

Naturally, readers will ask "Who or what is AS203418?"
It is registered using the name Marketigames, LLC, which is apparently a properly registered Delaware LLC. Beyond that it is difficult to find any other definitive info. The main web site for this entity (http://marketigames.biz/) is mostly devoid of any information that would allow us to know who is really behind this entity. Contact information is provided on the web site however, as follows:

MarketiGames LLC, 4283 Express Lane, Suite 315-592, Sarasota, FL 34238
Phone : 217-717-9384

Googling the street address indicates that it is most often associated with fraudulent activity on the Internet (e.g. fraudulent attempts to order products). The area code 217 is associated with the Chicago area, not Florida and not Delaware.

Although this entity (MarketiGames) does have its own ASN, it also appears to have a number of valid ARIN IP block allocations which are not currently routed by its own ASN:

104.218.224.0/22 (NET-104-218-224-0-1)
104.244.88.0/21 (NET-104-244-88-0-1)
104.245.40.0/21 (NET-104-245-40-0-1)
104.245.248.0/21 (NET-104-245-248-0-1)
173.234.197.0/24 (NET-173-234-197-0-1)
2620:125:C000::/40 (NET6-2620-125-C000-1)

Historical passive DNS data appears to indicate that some or all of the above blocks have historically also been used to support snowshoe spamming.

Data available from the interactive RIPE Routing History web service indicates clearly that it is not only AS203418 (Marketigames, LLC) that has been involved in the hijacking of abandoned /16 blocks, but also and likewise its immediate upstream AS203040 (Mint Company, LLC), and its sister network, AS205944 (MediaClick, LLC). RIPE Routing History shows that all three of these ASNs have, at various times, hijacked the 116.79.0.0/16 block, for example. The implication seems clear. All three of these ASNs have been working together to hijack abandoned /16 blocks for purposes of hosting snowshoe spamming operations.
Because both AS203418 and AS205944 only peer with AS203040 (Mint Company, LLC) it is evident that the real problem here is Mint Company, LLC and the peering its ASN (AS203040) currently enjoys. Data provided by bgp.he.net indicates that the top three peers of AS203040 are currently as follows:

AS24785 Open Peering B.V.
AS20562 Open Peering B.V.
AS6939 Hurricane Electric, Inc.

I will be contacting these companies and asking them to de-peer from AS203040. I make the same request, here and now, to all other networks that may be peering with AS203040. Please stop that peering.

Regards,
rfg
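
The SPF cross-check described in the post (finding domains whose SPF records authorise senders inside the listed /16 blocks) can be reproduced as follows. This is an added example, not part of the original post: the domain names and records in SAMPLE are constructed, and only literal `ip4:` terms are evaluated, so `include:` and `redirect=` would need DNS lookups that are not done here.

```python
import ipaddress

# The nine /16 prefixes the post lists as still hijacked at the time of writing.
WATCHED = [ipaddress.ip_network(p) for p in (
    "116.79.0.0/16", "116.144.0.0/16", "116.152.0.0/16", "116.166.0.0/16",
    "116.181.0.0/16", "128.13.0.0/16", "134.22.0.0/16", "140.167.0.0/16",
    "148.154.0.0/16",
)]

def spf_pass_ip4(txt):
    """Return the IPv4 networks one SPF record authorises with a pass result."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []                      # not an SPF record
    nets = []
    for term in terms[1:]:
        qualifier, mech = "+", term    # a missing qualifier means "+" (pass)
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if qualifier != "+" or not mech.lower().startswith("ip4:"):
            continue                   # only pass-qualified ip4 terms authorise senders
        try:
            net = ipaddress.ip_network(mech[4:], strict=False)
        except ValueError:
            continue                   # malformed address or prefix length
        if net.version == 4:
            nets.append(net)
    return nets

def domains_using_watched_space(records):
    """Map each domain to the (spf_network, watched_prefix) pairs that overlap."""
    hits = {}
    for domain, txt in records.items():
        pairs = [(str(n), str(w)) for n in spf_pass_ip4(txt)
                 for w in WATCHED if n.overlaps(w)]
        if pairs:
            hits[domain] = pairs
    return hits

# Constructed sample records (hypothetical domains, not taken from the pastebin list).
SAMPLE = {
    "mailer-a.example": "v=spf1 ip4:140.167.12.0/24 ip4:140.167.13.0/24 -all",
    "mailer-b.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "mailer-c.example": "v=spf1 -ip4:116.79.1.1 ip4:128.13.200.5 ip4:bogus -all",
}

if __name__ == "__main__":
    for domain, pairs in domains_using_watched_space(SAMPLE).items():
        print(domain, pairs)
```

A mail operator can feed it the TXT records of sending domains seen in inbound traffic and treat any hit as a scoring signal for as long as the prefixes remain misannounced.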