Abundant evidence indicates that AS18466, allocated by LACNIC, has been
hijacked. All of the routes currently announced by this AS, i.e.:

    170.25.0.0/19
    170.25.32.0/19
    170.25.160.0/19
    170.25.192.0/19

are currently routing IP blocks, also allocated by LACNIC, which also
themselves appear to have been hijacked.

As you can see below, AS18466 was first allocated (apparently by ARIN) on
2000-08-31 and its WHOIS record was last updated on 2006-06-16. Note however
that the domain associated with the contact e-mail address for this ASN,
i.e. "geminicom.net", was apparently re-registered on 2010-11-01, undoubtedly
by the hijacker. (This is the most commonly used approach to AS and IP block
hijacking, i.e. find an abandoned AS or IP block whose contact domain has
become unregistered and then simply re-register it and then pretend that you
are the original party to whom the resource was allocated. In short, fraud
and identity theft.)

=========================================================================
aut-num:     AS18466
owner:       Geminicommunications Limited
ownerid:     BZ-GELI-LACNIC
address:     13 1/2 Northern Highway
address:     Belize City,
country:     BZ
owner-c:     HC170-ARIN
created:     20000831
changed:     20060616
source:      ARIN-HISTORIC

nic-hdl:     HC170-ARIN
person:      Hans Cardenas
e-mail:      hcardenas@GEMINICOM.NET
address:     13 1/2 Northern Highway
address:     Belize City,
country:     BZ
phone:       501254011
source:      ARIN-HISTORIC
=========================================================================

As shown here:

    http://www.robtex.com/as/as18466.html#graph

AS18466 is connected to the Internet only via Global Crossing.

In my opinion, and based on the available evidence, there appear to me to be
only two possibilities.
Either (1) Global Crossing is consciously and intentionally participating in
this fraud and identity theft scheme or else (2) Global Crossing has allowed
itself to be hoodwinked by crooks who convinced one or more decision makers
at Global Crossing to allow fraudulent route announcements to pass to the
wider Internet via Global Crossing's network.

I look forward to Global Crossing's clarification of this event.

Additional evidence of this hijacking may be found here:

    ftp://ftp.tristatelogic.com/pub/AS18466-rDNS.txt

and also here:

    ftp://ftp.tristatelogic.com/pub/AS18466-nameservers.txt

Both of these files show an abundance of "snowshoe" spamming domains which
are associated with the IPv4 space currently routed by AS18466. All of these
domains have been registered in the relatively recent past, and all of them
have been registered either with WHOIS anonymity cloaking or with clearly
fraudulent WHOIS information.

Additional supporting evidence of this hijacking is also readily available
in the form of the following fraudulent web site:

    http://geminicom.net/

This false front web site, intended to serve as part of the clever deception
surrounding the miraculous rebirth of "Geminicommunications Limited", is in
fact nothing more than a thin veneer, much of which appears to have been
simply stolen/copied from the web site of a legitimate UK company, i.e.

    http://www.8el.com/

(That copying itself represents yet another fraudulent and illegal act, i.e.
blatant copyright violation.)

As was true with the prior group of IP hijackings that I reported on back on
April 14th[1], in this case also the majority of the snowshoe spamming
domains involved in this incident (as shown in the AS18466-rDNS.txt file,
see above) have been registered via the ICANN accredited registrar named
Dynamic Dolphin, Inc.

It is, I believe, well and widely known by this time that Dynamic Dolphin,
Inc. is among the past and/or present business interests of the notorious
Scott Richter, interests which include, or which have included, bulk e-mail
advertising firm Media Breakaway LLC, aka OptInRealBig.

Other evidence I have in hand also indicates a clear connection between this
hijacked IP space and another of Richter's business interests, specifically
a company called WholesaleBandwidth, Inc. (I am not disclosing this
additional evidence publicly at the present time. I have my reasons.)

FULL DISCLOSURE: Previously, in 2005, my company filed a legal claim in the
bankruptcy proceeding of Media Breakaway LLC, said bankruptcy having been
largely if not entirely precipitated by a multi-million dollar legal action
initiated by Microsoft against Media Breakaway LLC and Scott Richter
personally for various alleged mass violations of various anti-spam laws.
My company's claim was subsequently dismissed by the bankruptcy judge in
that case (improperly, in my view) and following the later dismissal of the
bankruptcy case, the Richters (Scott and father Steve) sued myself, my
company, and my attorney for alleged "abuse of process", specifically for
having had the gumption to show up in the bankruptcy case and make a claim
not too awfully different from the one that Microsoft had made. The
Richters' "abuse of process" case against me, my company, and my attorney
was also subsequently dismissed, the judge having found it to be lacking in
merit.

Regards,
rfg

P.S. Those of you who missed it the first time around may wish to review
the following potentially relevant historical reference material:

    http://www.47-usc-230c2.org/chapter2.html
    http://www.47-usc-230c2.org/chapter3.html

P.P.S. Although I have previously bemoaned ARIN's lack of aggressiveness in
reclaiming abandoned ASNs and IP blocks that have been hijacked, I feel
compelled to note that at least they (ARIN) do have a process in place for
doing so, i.e. when and if they are motivated in that direction.
I have it on good authority however that LACNIC does not even have an
established process for reclaiming abandoned number resources. Given that
the problem of hijacked number resources, rather than disappearing, is in
fact accelerating, over time, I do believe that it would behove LACNIC and
other RIRs to develop processes for reclaiming abandoned resources, in
particular when and where it becomes evident that these resources have been
hijacked.

=-=-=-=-=
[1] See http://mailman.nanog.org/pipermail/nanog/2011-April/035235.html
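
The date comparison the post relies on (contact domain registered after the number resource's WHOIS record was last changed) can be run as a screening check over WHOIS records; this is an added example, not part of the original message. The function names are hypothetical, and the domain registration date is passed in as input (it would come from a separate domain WHOIS/RDAP lookup) so the check runs offline.

```python
from datetime import date, datetime

# WHOIS fields for AS18466 as quoted in the post above (address lines omitted).
WHOIS_AS18466 = """\
aut-num:     AS18466
owner:       Geminicommunications Limited
created:     20000831
changed:     20060616
source:      ARIN-HISTORIC
nic-hdl:     HC170-ARIN
person:      Hans Cardenas
e-mail:      hcardenas@GEMINICOM.NET
"""

def parse_whois(text):
    """Parse 'key: value' lines; a repeated key keeps every value in order."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def contact_domains(fields):
    """Lower-cased domains of every contact e-mail address in the record."""
    return sorted({addr.rsplit("@", 1)[1].lower()
                   for addr in fields.get("e-mail", []) if "@" in addr})

def stale_contact_findings(whois_text, domain_registered):
    """Flag contact domains registered after the record's last update.

    domain_registered maps domain -> registration date (an assumed input,
    looked up separately); domains missing from the map are skipped.
    """
    fields = parse_whois(whois_text)
    changed = datetime.strptime(fields["changed"][0], "%Y%m%d").date()
    findings = []
    for domain in contact_domains(fields):
        registered = domain_registered.get(domain)
        if registered is not None and registered > changed:
            findings.append({"resource": fields["aut-num"][0], "domain": domain,
                             "record_changed": changed,
                             "domain_registered": registered,
                             "gap_days": (registered - changed).days})
    return findings

if __name__ == "__main__":
    # Registration date as stated in the post (2010-11-01).
    for f in stale_contact_findings(WHOIS_AS18466, {"geminicom.net": date(2010, 11, 1)}):
        print(f)
```

A hit is only a lead for manual review: a legitimate holder can also let a domain lapse and re-register it, so the finding should be weighed with routing history and upstream contact.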