Hello! I've been asked to draw the attention of Network administrators to the recent hijacking of various large blocks of ARIN IP-space: particularly six /16 blocks allocated to the London-based Trafalgar House Group. Trafalgar House Group (THG): Trafalgar House Group TRAF (NET-144-176-0-0-1) 144.176.0.0/16 Trafalgar House Group THIN1 (NET-144-177-0-0-1) 144.177.0.0/16 Trafalgar House Group THIN3 (NET-144-179-0-0-1) 144.179.0.0/16 Trafalgar House Group THIN4 (NET-144-180-0-0-1) 144.180.0.0/16 Trafalgar House Group THIN5 (NET-144-181-0-0-1) 144.181.0.0/16 Trafalgar House Group THIN2 (NET-158-181-0-0-1) 158.181.0.0/16 I'm sure I don't need to remind people here why this is bad - a zombie block that can be announced and de-announced at an abuser's whim makes it far more difficult to trace the source of spam or the destination of responses: particularly where fraud and password-phishing has occurred. The company originally known as Trafalgar House is now part of Aker Kvaerner, headquartered in Norway, who have already set in train the processes to recover the ARIN and other handles associated with their Internet assets. Information about the original change of ownership is available, if anyone wants further confirmation or background, at http://www.brookes.ac.uk/other/conmark/IJCM/issue_02/010201.html and http://www.kvaerner.com/group/investor_relations/reports/1996/3q/Default.asp... I could give a lot more details but do not want to bore those of you who have, inevitably, "heard it all before". I'm not claiming this is new - or any sort of special case. I'm posting this solely as a heads-up to help any admins who may have been asked to accept forged credentials authorising the announcement of the above blocks, and at the same time to ask for help from anyone who may have already been approached in similar terms. But if anyone does want more background they're welcome to mail me via the security account @ my domain. At the time of writing THIN5 is being announced via Level3 in Boston, and THIN2, plus two other hijacked blocks not owned by Aker Kvaerner (137.171.0.0/16 and 170.67.0.0/16) are being announced via Telia in Amsterdam. Sadly we have had difficulty reaching the right people at Telia, so if anyone from Telia is here, we'd be real pleased to hear from you. ARIN is now aware that handles ST58-ARIN and AMS87-ARIN are completely bogus, as is also the statement on the WHOIS for ST58-ARIN, that: "This company Is currently contracted by trafalgar House to provide network management services. Further information will be made avaiblible to request" (sic); If, therefore, any of you are asked to let through BGP announcements of any of the above blocks, or if you have been asked anything like this in the recent past - we ask you not to pass those announcements, but to get in touch with us urgently, taking care to preserve any documents that may have been sent to you to support that request: as these may be needed for prosecution and possible civil litigation against the perpetrators. Any valid authority for the use of these blocks would come directly from either Aker Kvaerner in Norway, or Equant (on their behalf). It certainly would NOT claim to be from Trafalgar House Group at any address because that Group is no longer trading under that identity. However I'm told that there are no plans to deploy those blocks in the immediate future, or until this incident has been cleared up. Thanks! -- Richard Cox Mandarin Technology Ltd, Penarth, UK