Another possibly hijacked block - 160.116.0.0/16
Hello,

I want to alert everyone on the mailing list regarding the IP block 160.116.0.0/16. The block was announced by HE and XO previously (in my own routing table it is not showing right now), so these organizations are probably aware of the unsolicited emails that were coming out of this block and chose to not announce it any more. I'm hoping other organizations that may be approached to announce the block would be alerted by this email and not let it show up on the net again.

I'm also trying to find out more about whether this block is really hijacked or not. The address listed in the ARIN database is "P.O. Box 261333, Excom, South Africa" and as far as I can tell this address is the one that was used originally (at least as of 1994), and when the block first appeared on the net it was announced through AS1957. I also tracked that the network in the ARIN database was originally named "Affiliated Computing Services--Uninet Project", which means it had some association with UNINET, which is/was South Africa's education/university network (www.tenet.ac.za), kind of like NSFNET was in the US as far as I can remember. As far as I can see most of the other organizations associated with Uninet are being announced through AS3741 (this includes blocks 160.114.0.0/16, 160.115.0.0/16, 160.118.0.0/16, and many of the blocks from 196.11.0.0/16). Uninet/Tenet itself is using IP block 196.21.0.0/16 and several others, and these are announced through AS2018 (and none of these are AS 1228 - 1332, which are the AS numbers in the ARIN records for Uninet; anyway it's probably just historical records).

I cannot find any information about the original domain that the organization that had this block may have had, but currently it seems to be affiliatedcomputing.com and the record is pointing to the same address as the ARIN block. I cannot confirm if it was this way originally or if the domain was reregistered (but I'm sure whoever controls the domain now is involved in unsolicited email).

Now if anybody here is from South Africa, possibly UNINET/TENET or somebody associated with AS1957 or AS3741, and knows anything about this block, please reply, and if something wrong did happen as far as the ARIN records, we need to let them know.

--
William Leibzon
Elan Communications
william@elan.net
Also I found some records that indicate that 160.116.0.0/16 had something to do with eskom.co.za and that organization's physical address is/was located in Johannesburg.

I think it would be best if somebody emails me info on AfriNOG or an associated mailing list and I'll ask this question there; probably more likely to find somebody there who knows what was going on so long ago...
Though it's strange to reply to my own email for the 2nd time ...

But some important info I did not notice - apparently parts of 160.116.0.0 are still being announced through XO and Internap/Global Crossing with the actual announcements coming from AS8143. Even more interesting, it appears smaller blocks from that /16 are announced (/19), and it appears email comes from a particular IP, and then the block which was announced before is announced no longer and they move to announcing another sub-block with emails coming from there!

In any case, this calls for active blocking of this /16 by anybody who does not want to provide services to spammers and IP hijackers. As for XO and Internap (I'm sure somebody is here from these companies) - take notice and get rid of this customer!!!

Also UUNET take notice too - AS8143 is announcing a number of other blocks through your network and I have serious suspicions the ASN itself is hijacked (it's registered to Publicom Corp, Miami, but the domain 4publicom.com has been reregistered and it has some invalid whois info; in addition a number of other announcements from 8143 are also suspicious).

And for the record here is some of what I'm seeing from 8143:

*>i63.89.167.0/24    209.144.160.89  100  10  6347 701 8143
*>i63.109.72.0/24    209.144.160.89  100  10  6347 701 8143
*>i63.109.79.0/24    209.144.160.89  100  10  6347 701 8143
*>i134.33.0.0        209.144.160.89  100  10  6347 3549 10910 10910 10910 10910 10910 10910 8143 i
*>i160.116.16.0/24   209.144.160.89  100  10  6347 701 2828 8143
*>i160.116.160.0/19  209.144.160.89  100  10  6347 701 2828 8143
*>i160.116.224.0/19  209.144.160.89  100  10  6347 3549 10910 10910 10910 10910 10910 10910 8143 i
*>i162.73.128.0/19   209.144.160.89  100  10  6347 3549 10910 10910 10910 10910 10910 10910 8143 i
*>i204.179.64.0/20   209.144.160.89  100  10  6347 701 8143 8143
*>i207.243.145.0     209.144.160.89  100  10  6347 701 8143
*>i208.168.213.0     209.144.160.89  100  10  6347 701 7018 8143
*>i208.168.215.0     209.144.160.89  100  10  6347 701 7018 8143
*>i208.238.44.0      209.144.160.89  100  10  6347 701 8143
*>i208.238.45.0      209.144.160.89  100  10  6347 701 8143
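One way to triage a table like the one quoted above (an added example written for this page, not the poster's or any project's code): parse show-ip-bgp lines, infer the classful mask where the router omitted it, and flag routes originated by a watched ASN or lying inside a watched block. The sample lines are constructed from the table in the message plus one made-up control route, and the column layout (LocPrf, Weight, then AS path) is an assumption read from that output.

```python
"""Triage helper for 'show ip bgp'-style output: flag routes originated by a
watched ASN or falling inside a watched netblock (added example, not code
from the thread)."""
import ipaddress
import re

# Constructed sample in the shape of the router output quoted in the thread:
# status flags, network (mask omitted for classful networks, as Cisco does),
# next hop, LocPrf, Weight, AS path, optional origin code.  The last line is
# a made-up benign control route (the thread says AS2018 announces Tenet space).
SAMPLE_BGP = """\
*>i63.89.167.0/24 209.144.160.89 100 10 6347 701 8143
*>i134.33.0.0 209.144.160.89 100 10 6347 3549 10910 10910 10910 10910 10910 10910 8143 i
*>i160.116.16.0/24 209.144.160.89 100 10 6347 701 2828 8143
*>i160.116.160.0/19 209.144.160.89 100 10 6347 701 2828 8143
*>i160.116.224.0/19 209.144.160.89 100 10 6347 3549 10910 10910 10910 10910 10910 10910 8143 i
*>i196.21.0.0/16 209.144.160.89 100 10 6347 701 2018
"""

# Leading status characters (*, >, i, s, d, h, r) and then the network column.
LINE_RE = re.compile(r"^[\s*>isdhr]*?(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+(\S+)\s+(.*)$")


def classful_prefix(text):
    """Return an IPv4Network; when the mask is omitted, apply the classful default."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    first_octet = int(text.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{text}/{plen}", strict=False)


def parse_bgp_line(line):
    """Parse one route line into (prefix, as_path); None for headers and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group(3).split()
    if tokens and tokens[-1] in ("i", "e", "?"):  # trailing origin code, not an ASN
        tokens = tokens[:-1]
    # Assumption: the two columns after the next hop are LocPrf and Weight and
    # everything after them is the AS path, as in the thread's output.
    as_path = [int(t) for t in tokens[2:]]
    return classful_prefix(m.group(1)), as_path


def flag_routes(output, watched_asns, watched_blocks):
    """Return (prefix, origin ASN, reasons) for every route that merits a look."""
    blocks = [ipaddress.ip_network(b) for b in watched_blocks]
    findings = []
    for line in output.splitlines():
        parsed = parse_bgp_line(line)
        if parsed is None or not parsed[1]:
            continue
        prefix, as_path = parsed
        origin = as_path[-1]  # rightmost ASN in the path is the origin
        reasons = []
        if origin in watched_asns:
            reasons.append(f"originated by watched AS{origin}")
        for block in blocks:
            if prefix.subnet_of(block):
                reasons.append(f"inside watched block {block}")
        if reasons:
            findings.append((str(prefix), origin, reasons))
    return findings


if __name__ == "__main__":
    for prefix, origin, reasons in flag_routes(SAMPLE_BGP, {8143}, ["160.116.0.0/16"]):
        print(f"{prefix:18} AS{origin}  {'; '.join(reasons)}")
```

Feeding it a later snapshot of the same table and diffing the flagged prefixes shows the sub-block rotation the message describes, because the /19s that disappear and appear inside 160.116.0.0/16 stand out in the output.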
(Replying to myself yet again....)

I finally tracked this network down to the original domain acs.co.za (which has been reregistered a few times since long ago); the connection you can see at:
http://www.sas.upenn.edu/African_Studies/E_Mail/E_Mail_10674.html

Best I can tell is that this was somehow affiliated with webfeat.co.za:
http://co.za/cgi-bin/whatelse.sh?File=acs.3
which is no longer in business it seems. I'm going to ask people at is.co.za (who were providing the original network services to webfeat in 1996) to see if they have any historic info on what happened, and if they confirm the company is not in business I'll ask them to mail it to ARIN. But since I know a couple of people from ARIN are already on this list and listening, it'd be good if ARIN were a little more proactive and did its own investigation on the updates done to this block.

Right now I have no conclusive evidence that affiliatedcomputing.com has no connection to the block, but from what you can see above this seems likely. And right now affiliatedcomputing.com is completely under the control of a large Florida spam gang; some info on that can be found at:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL6949
And you can see a previous affiliation to advistechsa.com (remember my previous post that the VMX INC block 157.156.0.0/16 is probably supposed to be a Lucent block now? Well, vmxnetworks was their upstream!).

Spews has a lot of info on that gang:
http://www.spews.org/html/S367.html
http://www.spews.org/html/S2425.html (publicom!)

Besides that, it seems Publicom, which is possibly the same as Networldtron, has a long history of spamming and IP block hijacking going back to 1999:
http://groups.google.com/groups?q=networldtron
Networldtron is the company to which most of the IP blocks which I listed as announced by AS8143 are SWIPed in the ARIN database. Their main domain networldtron.net is now expired and inactive (if you do a whois on it you'll find the connection to Publicom yet again).

But ntwt.net is active and has been taken over by a company called Naronda with domain naronda.com - be on the lookout for such a client, who may be a spammer and hijacker!
Hi

I've spoken with Dr Duncan Martin, who currently administers Tenet. He didn't have any record of 160.116 being previously managed by Tenet (old Uninet in a way) but has forwarded your first post, which I sent him, to the gentleman who ran Uninet for many years before him. He said he'd let me know if he found anything out.

Regards
--Rob
On Sun, 11 May 2003 22:26:46 -0700 (PDT), william@elan.net wrote:
| In any case, this calls for active blocking of this /16 from anybody
| who does not want to provide services to spammers and ip hijackers.
| As for XO and Internap, (I'm sure somebody is here from these
| companies) - take notice and get rid of this customer!!!

Since clearing up the "Trafalgar House" hijacks, several people have written me pointing out an even larger number of probably-hijacked blocks that they think should be investigated. I've researched what I can, and drawn the attention of ARIN, and the relevant upstreams, to BGP announcements that research suggests may be inappropriate.

What I have avoided doing is reporting all the gory details here, except where there was some specific relevance in doing so.

I have, as promised, set up the mailing list - hijacked@numbering.com - for reports and evaluation of likely incidents of IP block hijacking, and if the outcome of any evaluation is that hijacking is confirmed, the details can be sent to the upstreams and ARIN for consideration. I would hope that ARIN and the major networks will want to join that list and follow the discussions there anyway.

That list is now open; initial requests have been added manually, and anyone else who wishes to join will need to send the usual incantation to majordomo@numbering.com and then respond to the email challenge.

To avoid misunderstanding, can I say very clearly that the "hijacked" list will not be discussing any aspect of ARIN's (or indeed any other registries') procedures or policies: such matters are more appropriate to the individual policy fora of each registry/community.

At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked IP blocks is now live and available as a separate specific zone within the SORBS project; details at http://www.dnsbl.sorbs.net. Networks can therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.

Richard Cox
| On Sun, 11 May 2003 22:26:46 -0700 (PDT), william@elan.net wrote:
| | In any case, this calls for active blocking of this /16 from anybody
| | who does not want to provide services to spammers and ip hijackers.
| | As for XO and Internap, (I'm sure somebody is here from these
| | companies) - take notice and get rid of this customer!!!
|
| Since clearing up the "Trafalgar House" hijacks, several people have written me pointing out an even larger number of probably-hijacked blocks that they think should be investigated. I've researched what I can, and drawn the attention of ARIN, and the relevant upstreams, to BGP announcements that research suggests may be inappropriate.
|
| What I have avoided doing is reporting all the gory details here, except where there was some specific relevance in doing so.

I agree with this, but I could not go any further on the South African block; I needed help from somebody local to find out what company the block should belong to now. But on my own I also did research on two other blocks hijacked by the "Naronda/Publicom Gang" and announced through AS8143 - 162.73.0.0/16 and 134.33.0.0/16. The owners of both of the blocks have been definitely identified (a lot more certain there than for the 160.116.0.0/16 block) and I've sent reports to these companies and to ARIN. Based on this and other information, XO yesterday stopped the announcements from AS8143 on their network. Only Internap remains, but I've been completely unsuccessful in getting ANY response from their abuse team. As such I've focused on Internap's upstreams - Verio and Global Crossing. Verio is more responsive and has already received all the necessary information and will probably shut down their announcements after reviewing it; the Global Crossing security team still has not responded back to me, though. I'm however still hopeful that by tomorrow both Verio and Global Crossing will shut down the hijacked block announcements through their networks.

| I have, as promised, set up the mailing list - hijacked@numbering.com - for reports and evaluation of likely incidents of IP block hijacking, and if the outcome of any evaluation is that hijacking is confirmed, the details can be sent to the upstreams and ARIN for consideration. I would hope that ARIN and the major networks will want to join that list and follow the discussions there anyway.

Great, I'll work with others on that list now. And if anybody is interested in seeing the details of the findings on who the blocks hijacked by the Naronda/Publicom Gang belong to, I'll post information on that mailing list shortly.

| That list is now open; initial requests have been added manually, and anyone else who wishes to join will need to send the usual incantation to majordomo@numbering.com and then respond to the email challenge.
|
| To avoid misunderstanding, can I say very clearly that the "hijacked" list will not be discussing any aspect of ARIN's (or indeed any other registries') procedures or policies: such matters are more appropriate to the individual policy fora of each registry/community.
|
| At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked IP blocks is now live and available as a separate specific zone within the SORBS project; details at http://www.dnsbl.sorbs.net. Networks can therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.
|
| Richard Cox
Hi

| Now if anybody is here from South Africa, possibly UNINET/TENET or somebody associated with AS1957 or AS3741 and knows anything about this block please reply and if something wrong did happen as far as ARIN records, we need to let them know.

Many moons ago there were a bunch of large blocks which were assigned to Uninet. These ended up as a rather large swamp. Uninet has however been busy trying to clean up the info for these (see www.tenet.ac.za). I see the record was updated in Feb this year. There are afaik a few ppl from 3741 on this list, so perhaps they'd know more (if it was a downstream of theirs actually using the space). I'll bounce a mail to the Tenet people and see if they can assist.

Regards
--Rob