Hostexploit report/Intercage/Esthost
Hello, My name is Konstantin Poltev and I'm with Esthost. I'd like to ask you to read through this email before hastily replying. As you are probably aware, Esthost has been accused of pretty much every mortal sin - from cybercrime to being KGB-sponsored part of Russian Business Network involved in information warfare against Georgia [R1]. However, that's just one side of the story. I'd like to present our side, in this email, and in person - I am right here at NANOG, ready to answer your questions. I've initially planned to make a short presentation during security BOF, but decided against it - I believe tempers are still too hot to hear our side of the story, also, my English is not quite as good to be able to stand up before 1000 people. However, I'll be around, in the hotel bar, should anyone want to ask me any questions in person - or should any law enforcement officer wish to arrest me :) Now, on to the story: First, few words on the "community police" that is accusing us of all the misdeeds. The accusations initially were made by (anonymous) John Reid from Spamhaus, then continued with anonymous rbnexploit blog, then by Jart Armin from the "hostexploit". All of those are (to my knowledge) are very much anonymous. I'd love to debate the report and their accusations, in public, but, regretfully, I don't see this happening anytime soon - while I'm very much willing to travel to US and subject myself to US jurisdiction, my accuser John Reid in Spamhaus is anonymous, and Spamhaus itself claims not to be subject to any US laws, where it clearly does business. It begs the question - how come the alleged "criminals" are so brazen, and alleged "community police" so anonymous? One possible conclusion is that there's no evidence of a crime, and "community police" is nothing short of a lynch mob, that needs no evidence, heeds no laws, and acts as a judge, jury and executioner. However, more on spamhaus later. Finally, the last point was the publication of an article in Washington Post by Brian Krebs. Brian, as it appears, has commissioned the hostexploit report, and it makes a wonderful media story - you have full-on thriller, with cybercriminals out of Estonia being aided by corporations small and large in US - it doesn't get any better than that. Unfortunately, said report is full of unsubstantiated allegations - in fact, not just unsubstantiated, but clearly known to be false to anyone who is actually in the industry (more on this later). Brian has attempted to ask us for our side of the story. However, the questions asked were "How many EstHost employees have graduated the KGB military public information school?", "How often does KGB/GRU/FSB ask Esthost to implement special measures against Western visitors", "Does Esthost provide GRU/SVR with information about Western visitors", "What percentage of Est's revenue is reinvested by FSB into Est's infrastructure". I'm dead serious - those were the questions - I can't make this up. You can draw your own conclusions on Brian's bias and the desire of a sensational story. I'd like to point out that Esthost doesn't hide behind anonymity - names of the owners of Esthost are well known, and we live in Estonia, which, despite what you think, is as much of a Western-world country with rule of law as, say, France or Germany - with criminal police, extradition treaties, Interpol membership, etc. What is the truth? We have no affiliation with "Russian Business Network" (if there ever was such a thing). We have no affiliation with Emil or Atrivo (other than being an ex-customer). We have no affiliation with HostFresh. We don't know what *they* do with their network, or their abuse complaints - we can only speak for ourselves. Onto the discussion of the "hostexploit report" itself: I am surprised that it appears that nobody actually have taken time to read the report - as inaccuracies are glaring enough to be immediately noticable. Report is hardly "unbiased" - it is a very beautifully typeset piece whose purpose is to smear our company (and our vendors' vendors' vendors, and our customers, and just about anyone else, maybe short of the guys who deliver pizza to our office). As I point out flaws in the report, I'd like to again emphasize, we are not atrivo. I believe Emil and Atrivo were unfairly smeared, and as much as Esthost, they deserve fairness, although I can't speak for the rest of Atrivo's customers, not affiliated with Esthost. Report itself is located at: http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf First part of report is fluff - using spamhaus pages as evidence of wrongdoing. Let's start with obvious: ****** Page 16 - the page with the actual data: Google has 4 times more infections than Atrivo, and approximately same infection rate. Are they also cyber-criminals? Chinanet-backbone - has 48 times number of Atrivo's infections - they are here at NANOG, are they being asked what are *they* doing about the abuse? INETWORK-AS, twice the infections in quarter of Atrivo's space, 65% infection rate - what about them? Theplanet and Softlayer, *three* times the number of infections? EV1, twice the number of infections, and similar infection rate as Atrivo? The only pattern that I can draw is all the other companies are large businesses - who wouldn't take kindly to being smeared. It is far easier to scapegoat a small Estonian company and blame it on them. ****** Page 17: Claims that Broadwing is AS3356 (...!), and is "Atrivo - directly controlled /managed". Claims that Nlayer has control of 5,916,928 IP addresses. While I'm sure this is unintentional copy-paste thing, it shows lack of technical review of this report. ****** Page 13: Claims that "Atrivo requires internet connectivity from ThePlanet". Again, I'm not Emil, but I'd find it unlikely that he'd buy from his direct competitor. Claims that 1546 of privacyprotect sites are "ThePlanet sponsored" - I assume they meant hosted at ThePlanet. How does it demonstrate Planet's complicity, I don't know. ****** Page 6: Claims that "AS 4657 Singapore based providing collocation for Atrivo". That's a naked assertion, and fails the "oh really" test. (Again, not speaking for Emil, he *might* have colocation in China, but that's pretty damn unlikely!) ****** Page 7: "AS 36445 a newer Autonomous Server apparently used by Cernal". I assume the author meant "Autonomous System", just another questionable "technical" moment. Claims that "Estdomains is an anonymous registrar and "Esthost" is anonymous hosting" - I don't really know where to start. We don't provide anonymous hosting, any more than Yahoo! does. ****** Page 26: "It should be further noted some of the adult sites hosted are either border line or are within known blacklists of pedo-pornographic web sites (Note: this topic is outside the remit of this study, however details have been passed to appropriate third parties)". This is a very serious accusation - and it seems to be thrown very lightly with disregard for possible consequences. If it is actual child pornography, knowingly hosted by Atrivo, it has very direct consequences for Emil. Across the entire report, Hostexploit has made allegations of Esthost being affiliated with DirectI, and of DirectI being a willing participant in our "crimes". Within a week, Hostexploit had to withdraw those claims - I can only presume due to pressure from DirectI and its lawyers. Regarding "cybercriminals" and calls for community to "take action" against those who allegedly "provide transit" to cybercriminals - I'd like to point note that neither we, nor any of our customers, have been convicted (or even accused) in any court of law of any misdeeds. Spamhaus made claims [1] that: "We assume that every law enforcement agency with a cyber-crimes division has a dossier bursting at the seams on Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel, Hostfresh". Well, I'm right here in LA - if there's actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely. I won't deny that we *did* have abuse issues - that is the problem when your customers are mostly located in Eastern Europe - there are quite a few bad apples. Payment systems used in Eastern Europe tend to favor anonymity - which, obviously is also favored by criminals. However, it's the exception and not a rule. We've stopped accepting all anonymous payment systems quite awhile ago, and have new arrangement with one of Russia's largest payment systems where, if we report abuse, they will lock the criminal's account and accounts linked to it. We've always reacted expediously against abuse - every email that we received we've reacted to. We've implemented a anti-fraud system that links billing accounts to hosting accounts to domains, and if one domain is involved in abuse, everything "linked" to it is investigated and suspended/terminated. This is hard for a small company to do - due to intense competition in the registrar arena, profit margins are very slim. I'd like to finish with this - cybercrime is our common enemy. We'd like to be a part of a solution - and we are playing our part, as much as a small organization can do. If anyone wishes to discuss any of the above, or give us suggestions on what more could we do to fight spam/etc, I'll be around later on in the hotel bar area, just look for my nametag. However, I won't be there at all the time, in case you want to talk, kindly drop me an email and we'll figure out a time to meet. Thanks for reading so far, I know it's a long email. I hope to see you later at the conference. Kind regards, Konstantin [R1] http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-continuation .html [1] http://www.spamhaus.org/news.lasso?article=636
On Monday 13 October 2008 15:30:07 Konstantin Poltev wrote:
and Spamhaus itself claims not to be subject to any US laws, where it clearly does business.
The Spamhaus website lists addresses in the UK and Switzerland. They appear to operate from the UK, and they claim to be subject to UK law. Searching for "spamhaus jurisdiction" answers this in the first paragraph of the first result, not that Google is always this accurate. Spamhaus might not be perfect, but they demonstrably provide the best public source of information on spam sources on the Internet. As such criticizing them makes you look suspect in the eyes of those who have very positive experiences of spamhaus's data, and who are use to seeing criticism of them come almost exclusively from shady characters. If they are wrong say so, and tell them, they've always been very responsive to communications in the past, but don't rant.
participants (2)
-
Konstantin Poltev
-
Simon Waters