I just thought that y'all might want to be aware of this.

My attention was called recently to a RIPE-issued block of IPv4 addresses assigned to a particular Polish firm (Marton Media: https://martonmedia.pl/) that appears to sell digital TV services.

The block in question is 91.149.192.0/18 aka "PL-MARTON-20061120".

It appears that perhaps this company didn't quite need all of that /18 that it got from RIPE, so it looks like they parceled out some sub-parts of that /18 to at least a couple of other parties, to wit:

"Hostermatrix LLC" aka "ORG-HL183-RIPE":
  91.149.232.0/22
  91.149.252.0/22

"Real Tone Hosting LLC" aka "ORG-RTHL1-RIPE":
  91.149.224.0/21
  91.149.236.0/22
  91.149.240.0/21
  91.149.248.0/22

Ignoring, for the moment, the fact that neither of these companies actually seems to exist anywhere... at least not on -this- planet... my attention was further called to the pair of /22 blocks that have been sub-allocated by Marton Media (Poland) to this thing they are calling "Hostermatrix LLC".

The reverse DNS for those blocks looked like this, just a few short days ago, on November 16th:

https://pastebin.com/raw/hjWG5KxA

But apparently, that all has been changed rather substantially, just in the past few days, so now it all looks like this instead:

https://pastebin.com/raw/58qCdPrc

(You might call this the "Schrodinger Effect". When researching bad guys on the Internet, their stuff may change, even as you are looking at it, and perhaps even -because- you are looking at it.)

Anyway, the rDNS listing, as it was on the 16th, looked more than a little fishy. Why would anyone need quite this many different outbound SMTP servers?

The one and only second-level domain name that appeared in the rDNS listing as of the 16th was "sm-smtp.net". I did a bit of research on that domain name and found that historical passive DNS associates that domain, quite unambiguously, with another domain name, sendermatrix.net.

It didn't take much more research for me to find out that a company called Sender Matrix, LLC is in fact registered in the State of Florida to a Mr. Jay Passerino. Mr. Passerino appears to have registered a number of different Florida companies:

  Haggle USA Corp.
  Mahem Partners, Inc.
  Sourcehire, LLC
  Boat App, LLC
  All In Nutraceuticals, LLC
  Miami Suppliments, LLC
  Balladex Enterprises, LLC
  Sender Matrix, LLC (http://sendermatrix.com/)
  Gasher, Inc.
  Digital Platinum, Inc. (http://digital-platinum.com/)
  BB&M Ventures, Inc.

Of course, there's nothing at all wrong with Mr. Passerino having prolific and multiple business interests; however, a fellow who also, coincidentally, has the name Jay Passerino, and who also, coincidentally, hails from the State of Florida, seems to have gotten into what the Brits might call "a spot of bother" with respect to not one but -two- U.S. federal regulatory agencies of late, specifically the SEC and the CFTC, both of which appear to have taken serious issue with this Mr. Jay Passerino's business practices, along with those of several of his cohorts:

CFTC Press Release: https://www.cftc.gov/PressRoom/PressReleases/7807-18
SEC Press Release: https://www.sec.gov/news/press-release/2018-216

As you can see, both the SEC and the CFTC elected to take issue... on the exact same day, by the way... with this Mr. Jay Passerino's activities on the Internet, and specifically relating to "pump and dump" email scams.

Returning now to the subject of the two /22 sub-allocations that were made by this Polish outfit, Marton Media, to this apparently non-existent corporate entity called "Hostermatrix LLC", I hope that it will not escape anyone's notice that whereas the IPv4 blocks in question have been provided... seemingly to an Internet crook named Jay Passerino... by a Polish company, the actual -routing- of each of these blocks shows the participation of some other actors within two more (different) European countries:

91.149.232.0/22 - routed by AS51765 (Oy Creanova Hosting Solutions Ltd. - Finland)
91.149.252.0/22 - routed by AS24768 (ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA - Portugal)

The only observation I can offer with respect to all of the foregoing is the rather obvious one: All of this is, to say the least, rather suspicious.

But wait! There's more!

It appears that Mr. Passerino's IPv4 assets are not strictly limited to RIPEland. There's also a Direct Allocation block of ARIN IPv4 space (138.128.224.0/22) that is explicitly registered to Sender Matrix LLC of Miami, Florida:

https://pastebin.com/raw/cZcsPYrL

This block is routed by AS62519, Netrouting Inc., also, according to ARIN records, of Miami, Florida:

https://pastebin.com/raw/mJKnJX6w

Curiously, the one and only route being announced by AS62519 is for the /22 registered to Mr. Passerino's Sender Matrix LLC:

https://bgp.he.net/AS62519#_prefixes

It appears that the only current reason for this ASN to even exist is to provide routing to Mr. Passerino's ARINland /22 IPv4 block.

And interestingly, AS62519 has only one IPv4 peer, i.e. AS47869:

https://bgp.he.net/AS62519#_peers

AS47869 meanwhile appears to belong to a major Dutch connectivity provider, also, not coincidentally, called "Netrouting". And unlike its Miami peer, AS62519, this Dutch network, AS47869, appears to have numerous different peers and to provide routing to numerous different entities, all apparently above board, unlike Mr. Passerino's Sender Matrix LLC:

https://bgp.he.net/AS47869#_peers
https://bgp.he.net/AS47869#_prefixes

So, you know, this kind of begs the question: Did Netrouting realize that Mr. Passerino and/or Sender Matrix LLC were carrying on some rather dubious activities, and did the principals of Netrouting decide to attempt to distance themselves, and their main ASN (AS47869), from this activity by putting a "cut out" ASN (AS62519) between them and Mr. Passerino, just in case anybody ever clued in to what was really going on here? Was this extra layer of AS numbers deliberately engineered to provide Netrouting with an extra layer of plausible deniability?

I frankly don't know the answer to that question, but the peering and routing arrangement I've just described, together with the apparent nature of Mr. Passerino's Internet activities (as can be construed from the SEC and CFTC press releases), certainly does make one wonder about what the principals of Netrouting knew, and when they knew it.

In contrast, I have fewer doubts about the Polish, Finnish, and Portuguese companies that are, apparently, aiding and abetting Mr. Passerino over in RIPEland. The evidence suggests that none of them bothered in the slightest to find out if there even really was any such corporate entity as "Hostermatrix, LLC" registered in -any- jurisdiction on planet earth. (The very helpful opencorporates.com web site suggests that there is no such entity, anywhere on earth.) Or perhaps they all knew full well that this name, "Hostermatrix, LLC", was just a made-up bullcrap name intended to hide the real identity of the real registrant of both of these /22 blocks. Either way, these three companies, in Poland, Finland, and Portugal, appear to be actively... even if perhaps unwittingly... aiding and abetting a Florida pump-and-dump spammer/scammer.

Bottom line: I recommend to all to cease accepting any and all packets from at least the following:

91.149.232.0/22 - "Hostermatrix LLC"
91.149.252.0/22 - "Hostermatrix LLC"
138.128.224.0/22 - "Sender Matrix LLC"

Anyone who may feel inclined towards an even more thorough defense should certainly consider also a complete block of packets to/from 91.149.192.0/18, or at least blocking that CIDR from your mail server. (After all, Polish digital TV customers are unlikely to be doing much in the way of outbound email anyway.)

Regards,
rfg
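The block recommendations above, turned into a small policy lookup, as an added example (editor's code, not part of the original post or anything rfg published). It first checks the sub-allocation claim with the standard-library ipaddress module (every listed /21 and /22 really does sit inside 91.149.192.0/18, and together they collapse to exactly 91.149.224.0/19, the upper half of the /18), then applies the post's two-tier recommendation: drop the three named /22s outright, and refuse mail only from the rest of the /18, with the most specific prefix winning. The "connect from" log lines are constructed in a Postfix-like format purely for the demonstration and are not real logs from anyone's server.

```python
import ipaddress
import re

# Blocks the post recommends dropping outright, with the registrant it names.
DROP_ALL = {
    "91.149.232.0/22": "Hostermatrix LLC",
    "91.149.252.0/22": "Hostermatrix LLC",
    "138.128.224.0/22": "Sender Matrix LLC",
}

# The post's broader, optional measure: refuse mail (only) from the whole /18.
REJECT_SMTP = {
    "91.149.192.0/18": "Marton Media, PL-MARTON-20061120",
}

# All sub-allocations of the /18 listed in the post (both registrants).
SUBALLOCATIONS = [
    "91.149.232.0/22", "91.149.252.0/22",                     # Hostermatrix LLC
    "91.149.224.0/21", "91.149.236.0/22", "91.149.240.0/21",  # Real Tone Hosting LLC
    "91.149.248.0/22",
]


def suballocations_within(parent, children):
    """Consistency check on the sub-allocation claim: return, in address order,
    only those children that really are sub-blocks of parent."""
    p = ipaddress.ip_network(parent)
    inside = [ipaddress.ip_network(c) for c in children
              if ipaddress.ip_network(c).subnet_of(p)]
    return [str(n) for n in sorted(inside)]


def collapse(children):
    """Merge adjacent/overlapping blocks into the fewest covering prefixes;
    this shows how much of the parent block was actually handed out."""
    nets = [ipaddress.ip_network(c) for c in children]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def policy_for(ip_str):
    """Classify one connecting address as ("drop", reason), ("reject-smtp", reason)
    or ("allow", None). The longest matching prefix wins, so the /22 drop rules
    take precedence over the /18 mail-only rule even though both contain the address."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for action, table in (("drop", DROP_ALL), ("reject-smtp", REJECT_SMTP)):
        for cidr, who in table.items():
            net = ipaddress.ip_network(cidr)
            # 'in' is False across IP versions, so an IPv6 client never matches.
            if ip in net and (best is None or net.prefixlen > best[2]):
                best = (action, f"{net} ({who})", net.prefixlen)
    return ("allow", None) if best is None else best[:2]


# Constructed sample lines in a Postfix-like "connect from" format (not real logs).
SAMPLE_LOG = [
    "Nov 16 10:01:02 mx postfix/smtpd[111]: connect from unknown[91.149.232.17]",
    "Nov 16 10:01:05 mx postfix/smtpd[112]: connect from unknown[91.149.200.5]",
    "Nov 16 10:01:09 mx postfix/smtpd[113]: connect from mail.example.org[203.0.113.9]",
    "Nov 16 10:01:11 mx postfix/smtpd[114]: connect from unknown[138.128.225.1]",
]

_CLIENT_IP = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(log_lines):
    """Map each client address seen in 'connect from' lines to its policy decision."""
    decisions = {}
    for line in log_lines:
        m = _CLIENT_IP.search(line)
        if m:
            decisions[m.group(1)] = policy_for(m.group(1))
    return decisions


if __name__ == "__main__":
    print("inside /18:", suballocations_within("91.149.192.0/18", SUBALLOCATIONS))
    print("collapsed :", collapse(SUBALLOCATIONS))
    for ip, (action, reason) in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {action:12} {reason or ''}")
```

The two-table design keeps the packet-level drop list separate from the mail-only list so the same data can feed both a firewall rule generator and an SMTP access map; the longest-prefix rule is what lets the broad /18 entry coexist with the narrower /22s without the broad entry silently weakening the stricter one.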
We have noticed a huge influx of people requesting us to route blocks of IPs they rent from IP brokers. We always make sure they show us an LOA and that RADB records match the company name and proper registration is in place. I doubt some smaller providers do the same due diligence, but for me it's concerning how easy it is to rent IP space these days; it just means that there is a coming storm.

Nice investigative work. Is this guy listed in ROKSO by chance? I am traveling and have crappy connectivity on my phone, so I don't want to bother and check at the moment.

On Wed, Nov 21, 2018 at 4:33 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
participants (2)
- A. Pishdadi
- Ronald F. Guilmette