I received a nice email from a very polite graduate student just now, who shall remain nameless, and I decided that I wanted to give him the reply below, but also to post this all to NANOG too, so here it is. I hope this may allay some of the concern that has been expressed about me not being more forthcoming about the details of this case. (And if anybody gives me a hard time about being ``off topic'' then I'm going to give him or her a knuckle sandwich, because I was specifically asked... indeed badgered... to provide more explanation of, and more justification for, my earlier posting, as the record in the archives of this list will clearly show.) The friendly graduate student wrote:
I've been quietly following NANOG's little flamewar over this. I'm interested in what techniques you used to arrive at your conclusion regarding AS11296.
Unfortunately for me, I'm not a network op. Instead, I am a PhD student interested in all matters inter-domain. I hope you feel this is enough to make me a worthy recipient.
No, actually, it isn't. If I google you can I be _sure_ that you're not playing for the other team? Probably not. But the good news is that I have decided to be a bit less cagey generally, and specifically in my public comments about these things anyway, and to give out more confirming data bits anyway. And I'll be sending this letter on to the NANOG list soon, with your name redacted, of course. What follows below is information that could be gleaned (if you know how) from whois.internic.net. It's all public info. I just rearrange it and print it out in a nice pretty way. (Of course knowing where to look within the vast IPv4 address space is also quite helpful, but I'm not going to get into that.) The bottom line here is that if you get the whois records for the domains associated with the name servers in the list attached at the end, you'll see that they are all going to be ``fishy'' in some way, e.g. ``cloaked'' (aka ``privacy protected''), or else registered to some mystery fly-by-night company that may or may not actually exist, or at any rate, the domains will all be registered to something sort-of stealthy... something which is intended to make the spammer behind all this a bit harder to find. Oh yeah, and the snail mail addresses given in the WHOIS records for the domains will usually/often be traceable to UPS Store rental P.O. boxes... those are standard spammer favorites, because... as they well know... us spamfighters can't find out who really controls any one of those boxes without a subpoena... unlike USPS boxes, for instance. (All this is quite well known in the dank sleazy spammer underground already, so I'm not hardly giving away any secrets here.) And in a similar vein, the contact phone numbers given in the whois records will quite typically be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers are _not_ trying to save you money when you want to call them up to bitch to them about the fact that they sent you 8,372 spams in a row.
Nope, again, they use the toll-free numbers for a very specific purpose, which is again to make it more difficult for anyone trying to track them down to find their actual physical location. Non-tollfree numbers are typically associated with a specific geographic vicinity (although even that is being substantially eroded by number portability). But the toll free numbers are truly and always utterly geographically anonymous. So spammers use them a lot, primarily in domain whois records. So here you are. You've got this s**t load of highly ``fishy'' name servers, and they are all planted firmly into IP space that (a) appears to have been allocated to a reputable name brand company... such as Seiko, in this case... *and* (b) the block in question, based on the RegDate: and Updated: fields of the block's ARIN whois record, apparently hasn't been touched for years... maybe even a decade or more... thus implying that the former owners of the block either have abandoned it years ago, or else they themselves went belly up and ceased to exist, probably during the Great Dot Com Crash of 2000. Add it all up and what does it spell? No, not heartburn... Hijack. See, there actually isn't any big mystery about any of this, except the part about how I came to focus on this particular set of IP blocks and/or the particular AS that was announcing routes to them. And about that part, I have nothing to say, except to tell these spammers (who are probably listening) what I always say... that spamming is THE most public of all crimes. If you really think that you can hide and be totally invisible, even while you blast MILLIONS of total strangers with your advertising, then you need to up your lithium, because the dosage you're on now clearly isn't doing the job. Oh, and one other small thing...
Even though the spammers try to hide themselves, oftentimes they really don't try THAT hard, probably because most folks don't care enough to really learn how to track these kinds of schmucks down, so in general, they only have to be a little stealthy... not a lot stealthy, and they know that. But using hijacked space raises the bar a little. In this context, you shouldn't really use all P.O. boxes that are on your same island, just because you are too effing lazy to take a ferry to the mainland once a month to pick up your hate mail from your anonymous UPS drop box. I can't really tell you exactly who engineered the hijacking in this case. Somebody with some network savvy, obviously. What I suspect I _can_ tell you is which spammer (who runs a false-front ``affiliate marketing'' operation, just as a cover story for their own snowshoe spamming... as most of the serious snowshoers do these days) most probably sub-leased the IP space from whoever actually engineered the hijacking. Look at the snail-mail addresses in the whois records for the domains listed below. Yes, they are UPS boxes, but look at the general location, Victoria, BC. So now go and google for "affiliate marketing" and "Victoria". There really aren't that many probable suspects. Victoria ain't a terribly big place. Not like, e.g. Vancouver. But then the schmuck would have to take the ferry over once a month to collect his hate mail from his mainland anonymous UPS box, and he's too effing lazy to do that. That's why he's a spammer, because he's too effing lazy and untalented to get honest work, or even to learn an honest trade, you know, like male hooker. (Hey! At least it's consensual, unlike spamming.) (Nishant? I know you're listening. Now you WILL make sure that Tobyn gets a copy of this posting, won't you? That's a good boy. Thanks. Effing assholes!)
Could it possibly be that I'm jumping to the Wrong Conclusion here about who the spammer is, I mean just based on something as flimsy as geographic proximity? Sure, but not bloody likely. You see that's not hardly the only evidence that I have in front of me. I'm just not talking about the rest. (And I hope it keeps the son of a bitch up nights trying to figure out how ELSE he phuked up, in addition to being lazy and using only local UPS drop boxes.) Regards, rfg P.S. Some or all of the data presented below may still be available via whois.internic.net, even though the IP blocks are no longer even routed. Try this for example: whois -h whois.internic.net 206.226.96.2 Yup. Still there. At least for now. Probably be gone by morning. P.P.S. To all of the spammers out there reading this who think that you have learned from this e-mail how to be more stealthy still, and how to hide from me even better in the future... well... enjoy your fantasy while it lasts. I can find you now, I can find you next year, and I'll be able to find you ten years from now. And do you know why? Because I'm smarter than you are. And that's not saying much. If you had any talent... any talent at all... then you'd be able to find an HONEST job. It wouldn't pay as well, but at least you wouldn't be ashamed to tell your mother what you _actually_ do for a living. In the meantime, please hurry up and die. The world will most definitely be a better place when we no longer have to carry your dead weight on the backs of humanity. Don't flatter yourselves. You make nothing. You build nothing. You contribute nothing. You just annoy people. For money. We will make sure that that exact epitaph is engraved on your headstone, so that you will be remembered properly, once you go. 
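The whois checks rfg walks through above (cloaked registrant, toll-free contact number, mail-drop street address, a netblock whose ARIN RegDate/Updated fields have not moved for years), as an added example that is not part of the original post or rfg's own tooling, written in Python against constructed sample records. The toll-free prefixes are the four the post names, the five-year staleness threshold, the field names and the reference date are assumptions; a real run would feed it the text returned by `whois -h whois.internic.net <domain>` and the ARIN record for the block.

```python
import re
from datetime import date

# Constructed sample records (not real registrations) in the "Key: value" layout
# whois servers print, so the checks can run offline.
DOMAIN_RECORD = """\
Registrant Name: Domains By Proxy, LLC
Registrant Street: 1234 Anywhere St, Suite 200, PMB 417
Registrant Phone: +1.8885550100
"""
NETBLOCK_RECORD = """\
OrgName: Long Gone Dotcom Inc (constructed)
RegDate: 1996-03-12
Updated: 1998-07-01
"""
REFERENCE_DATE = date(2008, 9, 1)  # constructed "today", so results are reproducible
# North American toll-free prefixes the post lists: 800, 888, 877, 866.
TOLL_FREE = re.compile(r"(?<!\d)\+?1?[.\- ]?\(?8(?:00|88|77|66)\)?[.\- ]?\d{3}[.\- ]?\d{4}")
PRIVACY = re.compile(r"privacy|proxy|protect", re.I)
MAILDROP = re.compile(r"\bPMB\b|\bUPS Store\b", re.I)  # how rented drop boxes usually appear

def parse_whois(text):
    """Split 'Key: value' lines into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def domain_flags(text):
    """Return the 'fishy' registration traits described in the post, if present."""
    f = parse_whois(text)
    who = f.get("Registrant Name", "") + " " + f.get("Registrant Organization", "")
    flags = []
    if PRIVACY.search(who):
        flags.append("registrant cloaked by privacy/proxy service")
    if TOLL_FREE.search(f.get("Registrant Phone", "")):
        flags.append("toll-free contact number (no geographic locality)")
    if MAILDROP.search(f.get("Registrant Street", "")):
        flags.append("street address is a rented mail drop")
    return flags

def netblock_flags(text, today=REFERENCE_DATE, stale_years=5):
    # An allocation nobody has touched for years is the "abandoned block" signal.
    f = parse_whois(text)
    stamp = f.get("Updated") or f.get("RegDate")
    if not stamp:
        return []
    age_years = (today - date.fromisoformat(stamp)).days / 365.25
    return [f"block record untouched for {age_years:.0f} years"] if age_years >= stale_years else []
```

None of these traits proves a hijack on its own; the post's point is that a whole cluster of name-server domains sharing them, all sitting in one long-dormant block, is what adds up.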