One particular large and well-distributed snowshoe spamming operation became the subject of my special scrutiny recently. After seeing all of the the various apparently hijacked IP blocks that this particular snowshoe spamming operation seemed to be relying upon for much of its IP space, it seemed like the right thing to do for me to report on the whole mess here. To begin with here are a couple of files which show the full extent of this particular rather vast snowshoe operation (including both hijacked and non-hijacked parts). By my count we are talking in excess of 6,300 separate second-level gTLD domain names. http://www.47-usc-230c2.org/20110414-snowshoe-1.txt http://www.47-usc-230c2.org/20110414-snowshoe-2.txt Dredging into this operation more deeply led me to the following con- clusions... Based upon information and belief, the following number resources have been hijacked, i.e. they either are now, or were in the recent past being used without proper authorization by a party or parties to whom these resources were not assigned by any RiR. (Unless otherwise specified below, these are all ARIN-assigned number resources.) AS8143 (1) AS29987 (2) AS11756 (3) (4) AS47024 (5) AS27906 (6)(7) 198.23.32.0/20 - NET-198-23-32-0-1 (8) 198.57.64.0/20 - NET-198-57-64-0-1 (9) 199.88.32.0/20 - NET-199-88-32-0-1 (10) 199.192.16.0/20 - NET-199-192-16-0-1 (11) 199.196.192.0/19 - NET-199-196-192-0-1 (12) 200.107.216.0/21 - GT-AGSA1-LACNIC (13) 204.147.240.0/20 - NET-204-147-240-0-1 (14) 207.22.224.0/19 - (NET-207-22-192-0-1) (15) (16) Notes ----- (1) Probable fradulent falsification of JD47-ORG-ARIN - 2010-11-22 (2) Probable fradulent falsification of AS29987 & IPADM448-ARIN - 2010-11-04 (3) Probable fradulent falsification of AS11756 - 2011-03-15 (4) Probable fradulent falsification of JR1271-ARIN - 2010-07-08 (5) ARIN unable to validate contact NOC3622-ARIN since 2010-06-19 (6) LACNIC assigned AS (7) Contact record ERJ3 modified - 2011-04-06 (falsified?) (8) Probable fradulent falsification of NET-199-88-32-0-1 & SH174-ARIN - 2010-11-03 (9) ARIN unable to valiadate contact GW449-ARIN since 2010-07-18 (10) ARIN unable to valiadate contact DM126-ARIN since 2010-07-16 (11) ARIN unable to valiadate contact RP56-ARIN since 2010-07-22 (12) ARIN unable to valiadate contact FB43-ARIN since 2010-07-17 (13) LACNIC assigned IPv4 block (14) ARIN unable to valiadate contact LT127-ORG-ARIN since 2010-07-20 (15) Only the 207.22.224.0/19 portion of 207.22.192.0/18 is being routed (16) ARIN unable to valiadate contact MH521-ARIN since 2010-07-12 Discussion ---------- The entire scope of this particular spamming operation spans both the aforementioned (hijacked) IP ranges and also a number of IP ranges that are clearly NOT hijacked. I have attempted to list below all ranges that either are now in use by this operation, or that have been in use by this operation, in the relatively recent past. The various IP blocks listed below are connected, in one way or another, to several entities that have been caught doing IP block hijacking in the past, in particular: *) Joytel Wireless of Florida... which apparently has some significant connection to an entity called "GoRack", also of South Florida, and *) Xeex aka AS27524 aka Nishant Ramachandran, and *) last but by no means least, Media Breakaway, LLC aka JKS Media, LLC, aka Dynamic Dolphin (ICANN Accredited Registrar) aka "OptInRealBig" aka the notorious Scott Richter. (Essentially all of the domains of this operation are, apparently, registered anonymously with Dynamic Dophin, and as noted below, A portion of them are also being routed by JKS Media, and a subset of those are either hosted in and/or are getting DNS service from IP blocks registered to Media Breakaway.) As you will see below, a few of the ranges that I have identified as having been hijacked were already/previously blacklisted by Spamhaus some months ago. Also, in at least one case, Spamhaus records indicate that they too believe that the block in question was indeed hijacked. (It is always nice to have a second, confirming opinion.) I could speculate on the identity of the person or company which might most accurately be said to be "behind" all this, but I actually do not feel the need to do so in this instance. The data speaks for itself, and I do believe that any diligent researcher who really wants to dredge into it all will likely reach what I consider to be the proper conclusion(s). =========================================================================== All IP ranges containing assets of this specific snowshoe operation: -------------------------------------------------------------------- 8.24.248.0/21 - via AS19844 (gorack.net) 66.115.166.0/24 - NET-66-115-166-0-1 - via AS22384 (nationalnet.com) 66.115.167.0/24 - NET-66-115-167-0-1 - via AS22384 (nationalnet.com) 66.115.168.0/24 - NET-66-115-168-0-1 - via AS22384 (nationalnet.com) 66.115.172.0/24 - NET-66-115-172-0-1 - via AS22384 (nationalnet.com) 66.232.42.0/23 - via AS21510 (tristarcorp.net) 66.232.44.0/24 - via AS21510 (tristarcorp.net) 66.232.46.0/23 - via AS21510 (tristarcorp.net) 66.232.48.0/23 - via AS21510 (tristarcorp.net) 67.55.111.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com) 67.220.69.0/24 - via AS17048 (awknet.com) 69.6.29.0/24 - NET-69-6-29-0-1 - Media Breakaway - via AS32311 (jksmedia.net) 69.6.31.0/24 - NET-69-6-31-0-1 RRM LLC - via AS32311 (jksmedia.net) 69.6.36.0/24 - NET-69-6-36-0-1 - Media Breakaway - via AS32311 (jksmedia.net) 69.6.42.0/24 - via AS32311 (jksmedia.net) 69.6.43.0/24 - via AS32311 (jksmedia.net) 69.6.49.0/24 - NET-69-6-49-0-1 - Media Breakaway - via AS32311 (jksmedia.net) 69.6.56.0/24 - via AS32311 (jksmedia.net) 69.42.77.64/28 - "Masterly International S.A."[1] - via AS27257 (webair.com) 74.202.216.0/21 - Joytel Wireless - via AS4323 (twtelecom.net) 91.90.192.0/19 - via AS41331 (moda-ua.net/Ukraine) 93.171.64.0/21 - via AS27257 (webair.com) 173.239.8.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com) 173.239.9.0/24 - "Masterly International S.A."[1] - via AS27257 (webair.com) 198.23.32.0/20 - NET-198-23-32-0-1 - Was Hijacked - via AS11756 [5] (BitStorm) http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101186 05-Jan-2011 22:17 GMT | SR22 198.57.64.0/20 - NET-198-57-64-0-1 - Was Hijacked (AS?) http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101250 07-Jan-2011 21:28 GMT | SR03 199.88.32.0/20 - NET-199-88-32-0-1 - Hijacked - via AS29987 [3] 199.192.16.0/20 - NET-199-192-16-0-1 - Was hijacked (AS?) http://www.spamhaus.org/sbl/sbl.lasso?query=SBL101188 05-Jan-2011 22:08 GMT | SR22 199.196.192.0/19 - NET-199-196-192-0-1 - Hijacked - via AS8143 [2] 200.107.216.0/21 - GT-AGSA1-LACNIC - Hijacked - via AS27906 [7] 204.147.240.0/20 - NET-204-147-240-0-1 - Hijacked - via AS47024 [6] 206.246.104.0/22 - via AS11194 (nni.com) 207.22.224.0/19 - (NET-207-22-192-0-1) Hijacked - via AS8143 [2] [4] 207.178.179.0/24 - NET-207-178-179-0-1 - Prime Directive - via AS5033 207.178.191.0/24 - NET-207-178-191-0-1 - Prime Directive - via AS5033 207.178.192.0/24 - NET-207-178-192-0-1 - Prime Directive - via AS5033 207.199.128.0/18 - via AS11194 (nni.com) 207.231.96.0/21 - NET-207-231-96-0-1 - via AS11194 (nni.com) 209.141.0.0/20 - NET-209-141-0-0-1 - via AS12124 (thorn.net) 209.147.86.0/23 - via AS11194 (nni.com) 209.147.88.0/21 - via AS11194 (nni.com) 209.200.23.128/28 - "Masterly International S.A."[1] - via AS27257 (webair.com) Notes: ====== [1] "Masterly International S.A." -- Identified as snowshoer 2005-06-01 by rfg [2] AS8143 hijacked; JD47-ORG-ARIN revised 2010-11-22 4publicom.com - newly registered 2010-11-22 AS8143 is connected to the net only via AS19844 (gorack.com) [3] AS29987 hijacked; IPADM448-ARIN revised 2010-11-04; braziliancomputing.com - newly registered 2010-10-07 AS29987 is connected to the net only via AS3257 (tiscali.net) [4] Not currently inhabited [5] AS11756 hijacked; JR1271-ARIN revised 2010-07-08 jandamy.com - newly registered 2010-11-03 Company declared dead as of 09/22/2000: http://www.sunbiz.org/scripts/cordet.exe?action=DETFIL&inq_doc_number=P96000102349&inq_came_from=NAMFWD&cor_web_names_seq_number=0000&names_name_ind=N&names_cor_number=&names_name_seq=&names_name_ind=&names_comp_name=BITSTORM&names_filing_type= AS11756 currently has -zero- peers (according to www.robtex.com) [6] AS47024 hijacked; NOC3622-ARIN - ARIN unable to validate since 2010-06-19 No company web site; 909-941-8100 - reassigned; 909-743-6182 - disconnected; intiumservices.com newly (re-)registered - 2010-11-04 AS47024 currenly connected only via AS3257 (tiscali.net) [7] AS27906 currently only routed via AS27524 (Xeex) according to robtex.com =========================================================================== As you can see, there is a large volume of material here, and a large amount of research went into it all. I have tried diligently to ensure the complete accuracy of all of the above information, however it is certainly possible that I may have made a mistake or two, here or there, or that circumstances and facts may have changed since I first began compiling this information two days ago. Certainly, no one should rely in any way upon the above information in the absence of your own independent due diligence. I hereby disavow any and all responsibility for any errors or omissions. The above information may only be used at the reader's own risk. This information is being published in accordance with 47 USC 230(c)(2)(B), to enable or make available to information content providers or others the technical means to restrict access to material described in 47 USC 230(c)(1). Via con dios, rfg P.S. ARIN's attempts, during July of last year, to validate various con- tacts that were the responsible parties for various IP allocations was a good and noble effort on ARIN's part. In the present context however it does seem a pity that more was not done with the various negative results from that valiant effort.