[[ NOTE: This information is being made available to information content providers, or others, as part of the technical means to restrict access to material which may be deemed by some to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, in accordance with 47 USC 230(c)(2)(B). ]]

Whew! Now that I got THAT out of the way...

I _had_ planned on dribbling out this info, one AS at a time, because I thought that might yield a slightly more ponderous effect, but since another big batch of this info was already made (semi-)public today on another mailing list I'm on, there doesn't seem to be any real point in dragging this out anymore. So here is the whole enchilada... at least with respect to THIS whole interconnected mess. (Yes, there are others. We'll get to them. Be patient.)

AS27626, aka Joytel of Jacksonville, Florida, would appear to be at the heart of a rather sizable AS and IP block hijacking campaign, the likes of which, in my experience, the net has never before seen. I mean the total amount of IP space that's been jacked may be smaller than some past big-time hijacks, but this one takes the cake, I think, for the number of separate different IP blocks involved... a number which has actually even been growing steadily over the past week. (These turkeys appear to be in a race to corner the market on abandoned IP blocks. Jeeeesh!)

In addition to a metric buttload of jacked blocks being announced by Joytel itself, AS27626, (see below) there are _three_ other ASes that also appear to be jacked, and each of these also appears to be separately announcing routes to yet more jacked IP blocks. But all of these machinations appear to me to be tied together, if in no other way, then at least by the common thread of the same single common snowshoe spamming company (in Victoria, BC) being the primary (but probably not the only) ultimate beneficiary of all of this hijacking.

I have already reported here on two of these other ASes, i.e. AS11296 and AS10392. I now report on a third apparently hijacked AS, i.e. AS6061. See details below. Note that the routes that were being announced by AS11296 have already been withdrawn, but the old route announcements are still listed below, for the sake of completeness.

Additionally, I am reporting here on three somewhat stealthy IP blocks that appear to have been legitimately obtained by Joytel... two on Level3 and one on Cogent... all of which appear to me to be infested with/by _some_ snowshoe spammer. (Perhaps someone or something other than the previously mentioned company in Victoria, BC. I haven't actually checked that yet, one way or the other.)

As indicated below, the various blocks that I've annotated as "jacked" are in fact, and exclusively, very old, and most probably abandoned IP blocks. That's why they were chosen, specifically, i.e. because it was thought that nobody would miss them, and nobody would even notice that they had been ``liberated''. And that probably would have been true, if it were not for the fact that some of them were then filled up with snowshoe spam domains. As I mentioned previously, spamming is THE most public of crimes. It's hard to make any money at it unless you are annoying millions of people at a time, and thus alerting them to your presence. And when you do that, you are going to draw attention to yourself, big time.

I'm not going to even make any sort of suggestion to people, this time, as to what they might want to do with all of the information below, since people gave me a hard time when I did that before. So I'll just leave it as this: You are all clever people here. Use your imagination.

I have included below a very partial NS dump for one of the blocks being announced by AS10392 that shows some of the snowshoe pattern there.
If people want to see the complete NS dumps for all of the blocks listed below, so that they can independently verify the snowshoey-ness of all this stuff, then ask and you shall receive.

One last thing... AS11296 (Interpath) was (is?) only connected to the net via AS27524 (Xeex). Since it is no longer announcing any routes, this is moot, and a non-issue at this time. Everything else you see below all represents open issues.

I would like to especially beg, plead, and cajole any customers of AS3491, aka Beyond The Network America, Inc. who may be reading this to PLEASE contact your provider and demand an answer to this simple question: WTF do they think they are doing by peering with AS6061 and AS10392, and who the bleep is actually writing them monthly checks for that? Beyond The Network America, Inc. needs to answer for this too, since they are unambiguously facilitating this ongoing crime.

As regards the ongoing situation with AS27626, aka Joytel, you can readily see here who is keeping _them_ alive and connected:

http://www.robtex.com/as/as27626.html#graph

AS3356 -- Level3
AS33132 -- FPL FiberNet, LLC

If you are a customer of either of these providers, or even a peer, I do encourage you to contact them, and ask them WTF they are thinking. I, for one, sure would like to know.

Regards,
rfg

=============================================================================
AS27626 (Joytel.net, Jacksonville, FL):

24.230.0.0/19       NET-24-230-0-0-1      jacked - empty
68.67.64.0/20       NET-68-67-64-0-1      legit -- GoRack, LLC (Jacksonville, FL)
192.100.5.0/24      NET-192-100-5-0-1     jacked - empty
192.100.88.0/24     NET-192-100-88-0-1    jacked - empty
192.100.134.0/24    NET-192-100-134-0-1   jacked - empty
192.100.143.0/24    NET-192-100-143-0-1   jacked - empty
192.101.177.0/24    NET-192-101-177-0-1   jacked - empty
192.101.187.0/24    NET-192-101-187-0-1   jacked - empty
192.235.32.0/19     NET-192-235-32-0-1    jacked - empty
198.13.16.0/20      NET-198-13-16-0-1     jacked - empty
198.14.16.0/20      NET-198-14-16-0-1     jacked - empty
198.143.128.0/19    NET-198-143-128-0-1   jacked - empty
198.183.32.0/19     NET-198-183-32-0-1    jacked - mucho snowshoe ns
198.210.32.0/19     NET-198-210-32-0-1    jacked - empty
198.241.64.0/18     NET-198-241-64-0-1    jacked - mucho snowshoe ns
198.252.64.0/18     NET-198-252-64-0-1    jacked - empty
199.34.128.0/18     NET-199-34-128-0-1    jacked - empty
199.46.32.0/19      NET-199-46-32-0-1     jacked - empty
199.84.64.0/19      NET-199-84-64-0-1     jacked - empty
199.198.160.0/19    NET-199-198-140-0-1   jacked - empty
204.48.64.0/19      NET-204-48-64-0-1     jacked - empty
204.107.208.0/24    NET-204-107-208-0-1   jacked - just two spammer ns'es
205.144.0.0/20      NET-205-144-0-0-1     jacked - mucho snowshoe ns
206.224.160.0/19    NET-206-224-160-0-1   jacked - empty
206.227.64.0/18     NET-206-227-64-0-1    jacked - empty
208.93.220.0/22     NET-208-93-220-0-1    Actually does belong to Joytel!
216.49.0.0/18       NET-216-49-0-0-1      jacked - empty
216.245.64.0/18     NET-216-245-64-0-1    jacked - empty

=============================================================================
AS6061 (Datalytics, Inc - connected only via AS3491 -- Hijacked AS?):

198.187.64.0/18     NET-198-187-64-0-1
    198.187.64.0/20     jacked - mucho snowshoe ns
    198.187.80.0/20     jacked - mucho snowshoe ns
    198.187.96.0/20     jacked - empty
    198.187.112.0/20    jacked - empty
209.201.128.0/17    NET-209-201-128-0-1
    209.201.128.0/20    jacked - empty
    209.201.144.0/20    jacked - empty
    209.201.160.0/20    jacked - empty
    209.201.176.0/20    jacked - empty
    209.201.192.0/20    jacked - empty
    209.201.208.0/20    jacked - empty
    209.201.224.0/20    jacked - empty
    209.201.240.0/20    jacked - empty

=============================================================================
AS10392 (GlassCity Internet, Inc. - connected only via AS3491):

192.171.64.0/19     NET-192-171-64-0-1    jacked - some snowshoe
204.137.224.0/19    NET-204-137-224-0-1   jacked - empty
205.164.0.0/18      NET-205-164-0-0-1
    205.164.0.0/20      jacked - mucho snowshoe ns
    205.164.16.0/20     jacked - empty
    205.164.32.0/20     jacked - empty
    205.164.48.0/20     jacked - empty

192.171.64.156
    1   ns1.carnhamandassochaddel.info
    6   youworkinginternationalco.info
        topgunandinmcb.info
        picallilyaframeco.info
        peacondeliverycopcogas.info
        chillonagabrainpower.info
        enabledsearchingforcrossco.net
192.171.64.157
    1   ns2.carnhamandassochaddel.info
    6   youworkinginternationalco.info
        topgunandinmcb.info
        picallilyaframeco.info
        peacondeliverycopcogas.info
        chillonagabrainpower.info
        enabledsearchingforcrossco.net
...

=============================================================================
AS11296 (Interpath - Routed only via AS27524 Xeex aka NR Software/Nishant Ramachandran):

http://www.thefreelibrary.com/USi+Completes+Restructuring,+Receives+$81+Mill...
http://www.att.com/gen/press-room?pid=5097&cdvn=news&newsarticleid=22973

63.247.160.0/19     NET-63-247-160-0-1    jacked - empty -- popularfh.com -- all MXes DoA
199.241.64.0/19     NET-199-241-64-0-1    jacked - snowshoe ns @ 199.241.95.253 -- no email!
206.226.64.0/18     NET-206-226-64-0-1    jacked - snowshoe ns @206.226.96.{2,3}
                                          seikotsi.com -- Grand Cayman 11-20-2009
    206.226.64.0/24   206.226.65.0/24   206.226.66.0/24   206.226.67.0/24
    206.226.68.0/24   206.226.69.0/24   206.226.70.0/24   206.226.71.0/24
    206.226.72.0/24   206.226.73.0/24   206.226.74.0/24   206.226.75.0/24
    206.226.76.0/24   206.226.77.0/24   206.226.78.0/24   206.226.79.0/24
    206.226.96.0/19

=============================================================================
Legitimate semi-stealth allocations:

Joytel on Level3: 8.22.200.0/21 (snowshoe)
Joytel on Level3: 8.24.224.0/20 (snowshoe)
Joytel on Cogent: 38.124.176.0/20 (snowshoe)

=============================================================================
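
Added example, not part of the original post: a way to compare routes seen in your own BGP table or a collector feed against a listing in the format used above, matching exact prefixes, more-specifics and covering aggregates. The names `parse_listing` and `classify` and the result labels are hypothetical; "flagged" simply mirrors the post's own "jacked" annotation, and the embedded rows are an excerpt copied from the listing.

```python
import ipaddress

# Excerpt of the listing above, kept in the post's "prefix [handle] note" layout.
LISTING = """\
AS27626
68.67.64.0/20 NET-68-67-64-0-1 legit -- GoRack, LLC (Jacksonville, FL)
198.183.32.0/19 NET-198-183-32-0-1 jacked - mucho snowshoe ns
208.93.220.0/22 NET-208-93-220-0-1 Actually does belong to Joytel!
AS6061
198.187.64.0/20 jacked - mucho snowshoe ns
198.187.96.0/20 jacked - empty
AS10392
205.164.0.0/20 jacked - mucho snowshoe ns
"""

def parse_listing(text):
    """Return [(network, listed_origin_asn, flagged)] from the listing text."""
    entries, asn = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("AS") and fields[0][2:].isdigit():
            asn = int(fields[0][2:])      # section header: following rows belong to it
            continue
        try:
            net = ipaddress.ip_network(fields[0])
        except ValueError:
            continue                      # separators, URLs, free text
        entries.append((net, asn, "jacked" in fields[1:]))
    return entries

def classify(route, origin_asn, entries):
    """Compare one observed (prefix, origin AS) pair with the listing."""
    seen = ipaddress.ip_network(route)
    same = [e for e in entries if e[0].version == seen.version]
    # Equal to, or a more-specific of, a listed block: most specific entry wins.
    hits = [e for e in same if seen.subnet_of(e[0])]
    if hits:
        net, asn, flagged = max(hits, key=lambda e: e[0].prefixlen)
        if not flagged:
            return "listed-legit"
        return "flagged" if origin_asn == asn else "flagged-other-origin"
    # A covering aggregate still carries traffic for the flagged blocks inside it.
    if any(e[2] and e[0].subnet_of(seen) for e in same):
        return "covers-flagged"
    return "unlisted"
```

A "flagged-other-origin" result means the block is in the listing but is being originated by a different AS than the one the listing names, which is worth a separate look rather than an automatic match.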