Hijack Factories: AS203418, AS205944, and AS203040
Executive Summary: AS203418 (Marketigames, LLC), together with its one and only immediate IPv4 upstream, AS203040 (Mint Company, LLC), and its sister network, AS205944 (MediaClick, LLC), either are currently hijacking or have recently hijacked multiple abandoned /16 IPv4 address blocks, apparently with the intent of leasing out this hijacked IPv4 space to snowshoe spammers, in particular, to Clickjet Media (clickjetmedia.com). Readers who may be peering with AS203040, in particular, are encouraged to cease doing so.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

I believe that this listing of 13 separate /16 routes makes it self-evident what is going on here:

https://bgp.he.net/AS203418#_prefixes

(Please note that a screenshot of the above page has been archived here for posterity: http://i.imgur.com/Ws2aKkz.png)

The hijacks currently being perpetrated by this ASN (AS203418 - Marketigames, LLC) are, in my opinion, both brazen and audacious. I wouldn't mind, but other evidence indicates persuasively that at least one of these hijacked /16 blocks (140.167.0.0/16) has already been put into use as a snowshoe spamming source. The following file contains a listing of numerous domain names that currently have associated SPF TXT records permitting these domains to send outbound emails from various parts of the (hijacked) 140.167.0.0/16 block:

https://pastebin.com/raw/0EjThpR8

It is also interesting that a great many of the domain names listed in the above file in fact resolve to the IPv4 address 216.128.69.220, which is within a /24 block (216.128.69.0/24) which is ostensibly registered to an entity calling itself "Big Hosting Plus" (aka bighostingplus.com), allegedly of Albuquerque, New Mexico. A brief perusal of the WHOIS record associated with the contact domain name for that IPv4 block (bighostingplus.com) shows, however, the identity of the party that is actually pulling the strings here, i.e. a company called Clickjet Media of Glendale, California, aka clickjetmedia.com:

https://pastebin.com/raw/h9cuGSdK

I should note that the ARIN sub-SWIP for the 216.128.69.0/24 block is not the only instance in which Clickjet Media has followed this exact same playbook. I have previously identified the following four additional fraudulent ARIN sub-SWIPs where ClickJet Media is, evidently, the real entity behind the deliberately fictitious ARIN sub-SWIPs:

High Point Host       ARB-69-1-227-0 (NET-69-1-227-0-1)   69.1.227.0 - 69.1.227.255
Pleasant Hosting      ARB-69-1-228-0 (NET-69-1-228-0-1)   69.1.228.0 - 69.1.228.255
Quasi Hosting         ARB-69-1-254-0 (NET-69-1-254-0-1)   69.1.254.0 - 69.1.254.255
Green River Hosting   ARB-69-1-255-0 (NET-69-1-255-0-1)   69.1.255.0 - 69.1.255.255

Here is the archived evidence supporting my contentions as they relate to the above four ARIN sub-SWIPs:

ARIN sub-SWIP records:

https://pastebin.com/raw/UDBQKDiC
https://pastebin.com/raw/hpDUqLFF
https://pastebin.com/raw/7zdZLw01
https://pastebin.com/raw/gvXNwbJW

Associated domain WHOIS records:

https://pastebin.com/raw/pHLGRJux  (highpointhost.com)
https://pastebin.com/raw/V91DTsX1  (pleasanthosting.com)
https://pastebin.com/raw/SxqzQy2v  (quasihosting.com)
https://pastebin.com/raw/2qv5xDsE  (greenriverhosting.com)

I should note for the sake of completeness that the listing of the 13 hijacked /16 blocks linked to above, as currently presented on the bgp.he.net web site, is in fact a somewhat stale listing. All of those thirteen /16 blocks were in fact hijacked by AS203418 as of yesterday; however, as of this writing, it would appear that only the following nine /16 blocks are still hijacked at this moment (although this is hardly a cause for celebration):

116.79.0.0/16
116.144.0.0/16
116.152.0.0/16
116.166.0.0/16
116.181.0.0/16
128.13.0.0/16
134.22.0.0/16
140.167.0.0/16
148.154.0.0/16

Naturally, readers will ask "Who or what is AS203418?"
It is registered using the name Marketigames, LLC, which is apparently a properly registered Delaware LLC. Beyond that it is difficult to find any other definitive info. The main web site for this entity (http://marketigames.biz/) is mostly devoid of any information that would allow us to know who is really behind this entity. Contact information is provided on the web site, however, as follows:

MarketiGames LLC, 4283 Express Lane, Suite 315-592, Sarasota, FL 34238
Phone: 217-717-9384

Googling the street address indicates that it is most often associated with fraudulent activity on the Internet (e.g. fraudulent attempts to order products). The area code 217 is associated with the Chicago area, not Florida and not Delaware.

Although this entity (MarketiGames) does have its own ASN, it also appears to have a number of valid ARIN IP block allocations which are not currently routed by its own ASN:

104.218.224.0/22    (NET-104-218-224-0-1)
104.244.88.0/21     (NET-104-244-88-0-1)
104.245.40.0/21     (NET-104-245-40-0-1)
104.245.248.0/21    (NET-104-245-248-0-1)
173.234.197.0/24    (NET-173-234-197-0-1)
2620:125:C000::/40  (NET6-2620-125-C000-1)

Historical passive DNS data appears to indicate that some or all of the above blocks have historically also been used to support snowshoe spamming.

Data available from the interactive RIPE Routing History web service indicates clearly that it is not only AS203418 (Marketigames, LLC) that has been involved in the hijacking of abandoned /16 blocks, but also and likewise its immediate upstream AS203040 (Mint Company, LLC), and its sister network, AS205944 (MediaClick, LLC). RIPE Routing History shows that all three of these ASNs have, at various times, hijacked the 116.79.0.0/16 block, for example. The implication seems clear. All three of these ASNs have been working together to hijack abandoned /16 blocks for purposes of hosting snowshoe spamming operations.
Because both AS203418 and AS205944 only peer with AS203040 (Mint Company, LLC), it is evident that the real problem here is Mint Company, LLC and the peering its ASN (AS203040) currently enjoys. Data provided by bgp.he.net indicates that the top three peers of AS203040 are currently as follows:

AS24785  Open Peering B.V.
AS20562  Open Peering B.V.
AS6939   Hurricane Electric, Inc.

I will be contacting these companies and asking them to de-peer from AS203040. I make the same request, here and now, to all other networks that may be peering with AS203040. Please stop that peering.

Regards,
rfg
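As an added example, not part of the original post: a small Python check, written from the defender's side, that parses SPF TXT records (following include: mechanisms) and flags any domain whose record authorizes senders inside a watched prefix such as the 140.167.0.0/16 block discussed above. The domain names and SPF records embedded in it are constructed for the example, not the data from the pastebin listing, and the WATCHED prefixes are simply the two /16s named in the post.

```python
"""Flag domains whose SPF records authorize mail from watched (e.g. hijacked) prefixes."""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS TXT lookups; these names and records are not real data.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-a.test": ["v=spf1 ip4:140.167.12.0/24 ip4:203.0.113.5 -all"],
    "example-b.test": ["v=spf1 include:_spf.example-a.test ~all", "unrelated txt"],
    "_spf.example-a.test": ["v=spf1 ip4:140.167.200.0/22 ip4:198.51.100.0/24 -all"],
    "example-c.test": ["v=spf1 ip4:198.51.100.7 -all"],
    "example-loop.test": ["v=spf1 include:example-loop.test -all"],  # self-referential include
}

# Prefixes the post reports as hijacked; in practice load these from a feed you maintain.
WATCHED = [ipaddress.ip_network(p) for p in ("140.167.0.0/16", "116.79.0.0/16")]


def spf_record(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> Optional[str]:
    """Return the domain's v=spf1 record; RFC 7208 says exactly one, so 0 or 2+ is None."""
    recs = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def ip4_networks(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT,
                 depth: int = 0, seen: Optional[Set[str]] = None) -> List[ipaddress.IPv4Network]:
    """Collect every ip4: mechanism reachable from the record, recursing into include:.

    A seen-set stops include loops, and depth mirrors RFC 7208's 10-lookup limit.
    """
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:
        return []
    seen.add(domain)
    rec = spf_record(domain, txt)
    if rec is None:
        return []
    nets: List[ipaddress.IPv4Network] = []
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")  # the qualifier does not change who may send
        low = term.lower()
        if low.startswith("ip4:"):
            try:
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            except ValueError:
                continue  # malformed mechanism: skip rather than abort the whole check
        elif low.startswith("include:"):
            nets.extend(ip4_networks(term[8:], txt, depth + 1, seen))
    return nets


def watched_overlaps(domain: str, watched=WATCHED, txt=SAMPLE_TXT) -> List[str]:
    """Return, as strings, the authorized networks that fall inside any watched prefix."""
    return [str(n) for n in ip4_networks(domain, txt) if any(n.subnet_of(w) for w in watched)]
```

Run watched_overlaps() over each domain in a list to get the same kind of evidence the post draws from the SPF records: a domain with a non-empty result is explicitly authorizing mail from space announced by the hijacking ASN.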
Sorry to follow up on myself, but I just now realized that I made a small omission in my earlier post. I indicated that AS205944 (MediaClick, LLC) had previously hijacked the 116.79.0.0/16 block. That is true, but it may perhaps have led some people to incorrectly conclude that AS205944 was not -currently- hijacking anything. Unfortunately, nothing could be further from the truth.

As shown here:

https://bgp.he.net/AS205944#_prefixes

and as archived here:

http://i.imgur.com/gkW6LUh.png

AS205944 is currently announcing 13 IPv4 routes, all of which, except for the five that are for blocks legitimately allocated to either Marketigames, LLC or to Mint Company, LLP, appear to be hijacked sub-parts of various legacy ARIN blocks. So, to set the record straight, AS205944 is *currently* engaged in a whole lotta hijacking, as we speak.

I should also mention that MediaClick, LLC is actually a defunct Wyoming LLC. It has been struck off the rolls of active Wyoming companies for having failed to pay even its (minimal) Wyoming corporate taxes. RIPE NCC, in its infinite wisdom, will no doubt allow it to continue to exist, and to hold various number resources, indefinitely, but as far as the law is concerned it no longer exists. (The contact phone number for this ASN, as shown in the RIPE WHOIS record for AS205944, is also D.O.A. and probably has been for some time now. Perhaps forever. It may perhaps -never- have worked. RIPE NCC can't be bothered to ever actually check such things.)

The good news is that corporate documents archived on the Wyoming Secretary of State's web site indicate clearly and persuasively the identity of the guy behind MediaClick, LLC. That is apparently a Frenchman by the name of Mathieu Jean Guillaume, <m.guillaume42@gmail.com>, who is also, apparently, the proprietor of a couple of other French companies, i.e. ClicMe, SARL and also something called "YAQ Production" (yaqproduction.com), which appears to have one of these perpetual "under construction" web sites. (Apparently, Mathieu Jean Guillaume fancies himself as a budding film producer. Maybe he could be that, someday, if he ever decides to stop being a lame-ass low-life spammer and hijacker.)

Sadly, this schmuck is probably a distant relative of mine. I may perhaps email him and ask why he was unable or unwilling to find some honest way of making a living, and why he turned to Internet crime instead.

In the meantime, I repeat my suggestion that everyone who can do so should immediately de-peer from AS203040, which appears to be the root of all this evil.

Regards,
rfg
Ronald F. Guilmette