What follows below is a volume-ranked list of the most prolific /24 IP address blocks with respect to open proxy hijacking activity over the past 2 days. These ranking are based on data collected by my extensive open proxy honeypot network for the 48 hour period from 5 PM Pacific Daylight Time, August 4th, 2003 through 5 PM Pacific Daylight Time August 6th, 2003. Some brief commentary material follows the list. If you or someone you know owns or operates any of the networks listed below, please contact me off-list so that we may arange for the timely cremation of the relevant criminal spammers and open proxy hijackers, and the scattering of their ashes in some suitable garbage dump. (Note that mass open proxy hijacking of the kind being originated from all of the /24 blocks listed below is quite clearly a criminal act within these United States. The criminals doing this stuff are violating the federal Computer Fraud and Abuse Act in so many dif- ferent ways it isn't even funny.) ** NOTICE ** I will provide the specific IP addresses that are actually engaged in the proxy hijacking activities within each of these blocks upon request. What I positively WILL NOT DO is to provide detailed log files from my proxy honeypot machines to any party, PERIOD. (DON'T EVEN ASK unless you enjoy being verbally abused.) Doing so would only tend to give the spammers info that they could use to deduce the locations of my honeypot machines, which they would then carefully avoid.) I will provide date/time stamps to relevant network admini- strators, but ONLY in cases involving clearly dynamic IP addresses. 1. 38.112.197 cogentco.com - daicahosting.com/daica.com (Tampa, FL) 2. 66.44.228 savanti.net (Tucson, AZ) 3. 202.177.23 kdd.net.hk (Hong Kong) 4. 66.205.223 cetnetworks.com - smartmailhosting.com (New Orleans, LA) 5. 38.114.11 cogentco.com - tailoredservers.com (Frisco, TX) 6. 66.44.231 savanti.net (Tucson, AZ) 7. 209.50.253 servint.com (McLean, VA) 8. 66.111.39 unitedcolo.com aka sagonet.com (San Francisco, CA) 9. 38.114.3 cogentco.com - tailoredservers.com (Frisco, TX) 10. 66.250.125 cogentco.com - applicationx.net (Alpha, NJ) 11. 166.90.206 level3.com - ?Alan Ralsky? (Detroit area, MI) 12. 206.47.187 bell.ca - "Datatech Communications" (Windsor, ON, CA) 13. 38.112.199 cogentco.com - daicahosting.com/daica.com (Tampa, FL) 14. 38.118.143 cogentco.com - infinology.com (Goleta, CA) 15. 216.99.99 nutnbut.net (Hazelwood, MO) 16. 63.246.136 unitedcolo.com aka sagonet.com (San Francisco, CA) 17. 66.118.189 sagonet.com (Tampa, FL) 18. 64.5.51 theplanet.com (Dallas, TX) 19. 66.118.187 sagonet.com (Tampa, FL) 20. 69.33.1 megapath.net (Pleasanton, CA) 21. 62.219.50 bezeqint.net (Petach Tikva, Israel) 22. 146.82.135 gblx.net - archercomms.com (Minneapolis, MN) 23. 66.205.219 cetnetworks.com (Redwood City, CA) 24. 207.164.251 jet2.net (Windsor, ON, CA) 25. 63.246.135 unitedcolo.com aka sagonet.com (San Francisco, CA) 26. 216.81.218 lh.net (Des Moines, IA) 27. 66.118.142 sagonet.com - argobroadcast.com (Tampa, FL) 28. 64.180.125 telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA) 29. 216.8.169 mnsi.net (Windsor, ON, CA) 30. 66.230.228 level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa) 31. 64.228.134 bell.ca/sympatico.ca (Montreal, QB, CA) 32. 66.111.40 unitedcolo.com aka sagonet.com (San Francisco, CA) 33. 207.101.233 algx.net (Dallas, TX) 34. 216.54.223 twtelecom.net - ozline.net (Clearwater, FL) 35. 63.247.65 gnax.net/dv2.net - burtonhosting.com (North Yorkshire, GB) 36. 66.135.15 broadbandip.net (Baton Rouge, LA) 37. 67.8.179 cfl.rr.com (RR - Florida) 38. 38.117.14 cogentco.com - sagonet.com (Tampa, FL) 39. 64.23.55 affinity.com - skynetweb.com (Baltimore, MD) 40. 64.70.45 exodus.net - nrsoftware.com (Santa Monica, CA) 41. 64.159.76 level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa) 42. 216.58.92 igs.net (Kanata, ON, CA) 43. 66.118.180 sagonet.com (Tampa, FL) 44. 63.246.131 unitedcolo.com aka sagonet.com (San Francisco, CA) 45. 69.0.240 dialtone.com/dialtoneinternet.net (Davie, FL) 46. 203.98.177 newworldtel.com (Hong Kong) 47. 203.98.164 newworldtel.com (Hong Kong) 48. 66.176.226 attbb.net (Chelmsford, MA) 49. 64.237.34 mfnx.net - netlabs.net - "AdultBouncer" (Hazlet, NJ) 50. 69.28.206 peer1.net (Vancouver, BC, CA) 51. 202.181.236 hkcix.com (Hong Kong) 52. 66.70.114 datapipe.com (Hoboken, NJ) 52. 216.128.72 band-x.com - sxpress.com (Hackensack, NJ) 53. 162.42.131 cybertrails.com - atjeu.com (Phoenix, AZ) 54. 216.67.251 pwebtech.com (Parsippany, NJ) 55. 207.180.3 ici.net (Tulsa, OK) 56. 216.232.165 telus.net - "Consumer ADSL" (New Westminster, BC, CA) 57. 66.36.98 burlee.com (Toronto, ON, CA) 58. 65.34.198 attbb.net (Chelmsford, MA) 59. 38.114.4 cogentco.com - 800hosting.com (Dalas, TX) 60. 62.205.161 corbina.net (Moscow, RU) Before getting in to the commentary, I should perhaps mention that all of the above /24 blocks, as well as the companies that provide connectivity to them are now subject to the new listing criteria for the Monkeys.Com Unsecured Proxies List: http://www.monkeys.com/upl/listing-policy.html (Please see criteria #2, which was just recently added.) ** COMMENTARY FOLLOWS ** ** PERSONAL OPINIONS ONLY ** ** USE AT YOUR OWN RISC ** Note: I have already been posting `Top 40' lists of the worst and most proxy-hijacker friendly networks to news.admin.net-abuse.email and SPAM-L for about two weeks now. Some of you may have seen those prior lists and thus may be all too familiar with many of the networks listed above, especially in the topmost few positions. My comments about specific networks follow: cogentco.com: What can I say? The facts speak for themselves. This is now the #1 most criminal-friendly network on the Internet. They have been hosting the criminal open proxy hijackers that are attached to the net via the following downstream customers for a long while now, and they know exactly what's going on here, because I told them, several times. I can only infer that they prefer to keep on accepting money from criminals: daicahosting.com/daica.com (previously throw off 2 other networks) tailoredservers.com (totally unreachable & bullet-proof) applicationx.net (caught red-handed with a web page full of proxies) infinology.com sagonet.com (Has some blocks suspiciously SWIPed to Cogentco.) Cogent's `tailoredservers.com' customer is THE perfect false front for spamming activities. No phone numbers on the web site. False/disconnected phone number in their WHOIS, and no need for them to ever take any call from any disgruntled folks whose servers they (or their customers) have hijacked. Level3: These people have been hosting a ``mystery'' major-league criminal proxy hijacker in their 166.90.206/24 block for MONTHS, and if they don't know that then it is only because they don't want to know. (I've already told them myself, several times.) And they were informed that this criminal activity was going on from their network all the way back as far as March: http://news.spamcop.net/pipermail/spamcop-help/2003-March/028053.html Note that the criminal in question is located someplace in the Detroit area and has been rumored to most likely be none other than Alan Ralsky, known mega-spammer who bragged in this article: http://www.freep.com/money/tech/mwend22_20021122.htm that he's got 20 spam pumping machines in his basement going 24/7. And the evidence suggests that he does, and that they are all busy hijacking other people's poorly secured proxies, all courtesy of the kind folks at Level3. Note: The SpamHaus Project describes Ralsky as a "convicted fraudster" and has an extensive file on him: http://www.spamhaus.org/rokso/search.lasso?evidencefile=1290 Oh! And lest I forget, Level3 also continues to provide bandwidth to the criminal open proxy hijackers that are working out of the notorious spam-friendly outfit called `CandidHosting'. sagonet.com: Sagonet.com and its west coast subsidiary, unitedcolo, seem to have more criminal open proxy hijackers per square inch than any other network or company on the net. A few days ago, they had no fewer than 9 different /24s listed in my Top 60 list of open proxy hijacking origi- nation points. I've seen some signs in the past 24 hours that they may perhaps finally be getting their act together, but then again, maybe not. Time will tell. (I have been told that the owner is just plain greedy, and that he does really understand why spam is bad.) savanti.net: Finally got kicked off sterlingnetwork.net within the past 24 hours. Will be looking for a new home, I'm sure. BE ON THE LOOKOUT FOR THESE GUYS as they wander around, in search of new connectivity. (This is as least the second strike for them, or so I'm told. They were kicked off another network before sterlingnetwork.net.) kdd.net.hk: Seems to be approaching the density of lead. No response whatsoever to hijacking reports. The lights are on but nobody's home. Does anybody know anybody who can explain to these people what proxy hijacking is and why it's bad? servint.com: Sounds familiar. These guys have been in trouble before, haven't they? nutnbut.net: Could be renamed to Nothin' But /dev/null P.S. My special thanks to verio.net, rr.com, algx.net, and jet2.net, all of whom seem to be able to kill these blasted proxy hijackers just about as fast as I can report them.