Edge 1 Networks/Williams Communications Group
After several run-ins with Edge 1 Networks [69.44.28.0/22] having their machines "hijack" victim machines on our networks infected with Jeem, and then making their spam runs, I've had it. I have reported both to Edge 1 and their parent Williams Communications Group [AS7911] with no result and I will be blocking Edge 1 [in theory, AS29986, but no doubt private spewage from WCG.NET).

They hijacked a Jeem proxy on July 17th; it was shut down. The help desk thought they had cleaned it up, but within 30 mins of placing it back online again, Edge 1 grabbed it again. I brought it into the lab with a sniffer, rebooted (new IP), and Edge 1 picked it up within 10 minutes and began spam/proxying.

This past Sunday, a similarly Jeem'ed machine was hijacked by the same Edge 1 block (numerous machines in the Edge 1 block, mind you) and, due to me being out of the office, it wasn't noticed and shut down until Tuesday, after a little over a half million proxied spams.

Are these people just totally off-the-wall? Google searches seem to concur. I am awaiting confirmation that ALL the proxies originated from Edge 1 (takes a while to churn through those gigs of pix logs).

Jeff Kell
University of Tennessee, Chattanooga
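As an added example (not from the thread, and not anyone's actual tooling), here is the kind of small Python check a defender could run over PIX connection logs to answer the question above: of the inbound connections that drove the hijacked Jeem proxy, how many came from each /24, and did any come from outside 69.44.28.0/22? The log lines are constructed and only approximate the PIX "Built inbound TCP connection" (302013) format; the victim address, proxy port set and counts are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines approximating PIX %PIX-6-302013 messages.
# Not real log data from the post; addresses are documentation/sample ranges.
SAMPLE_PIX_LOG = """\
Jul 17 2003 14:02:11 pix %PIX-6-302013: Built inbound TCP connection 881001 for outside:69.44.29.17/3321 (69.44.29.17/3321) to inside:10.5.7.22/1080 (203.0.113.22/1080)
Jul 17 2003 14:02:12 pix %PIX-6-302013: Built inbound TCP connection 881002 for outside:69.44.30.200/4410 (69.44.30.200/4410) to inside:10.5.7.22/8080 (203.0.113.22/8080)
Jul 17 2003 14:02:15 pix %PIX-6-302013: Built inbound TCP connection 881003 for outside:198.51.100.9/2020 (198.51.100.9/2020) to inside:10.5.7.22/3128 (203.0.113.22/3128)
Jul 17 2003 14:02:20 pix %PIX-6-302013: Built inbound TCP connection 881004 for outside:192.0.2.44/1234 (192.0.2.44/1234) to inside:10.5.7.22/80 (203.0.113.22/80)
"""

PROXY_PORTS = {1080, 3128, 8080}  # assumed set of common SOCKS/HTTP proxy ports
BUILT_RE = re.compile(
    r"Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ "
    r"\(.*?\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def proxy_connections(log_text, ports=PROXY_PORTS):
    """Yield (src_ip, dst_ip, dport) for inbound connections to proxy ports."""
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m and int(m.group("dport")) in ports:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def attribute_sources(log_text, suspect_block, victim):
    """Count proxy-port connections to `victim` per source /24 and list
    every source that falls outside `suspect_block`.

    Returns (Counter keyed by /24 network string, list of outside sources).
    """
    net = ipaddress.ip_network(suspect_block)
    per_24 = Counter()
    outsiders = []
    for src, dst, _port in proxy_connections(log_text):
        if dst != victim:
            continue
        per_24[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
        if ipaddress.ip_address(src) not in net:
            outsiders.append(src)
    return per_24, outsiders

if __name__ == "__main__":
    counts, others = attribute_sources(SAMPLE_PIX_LOG, "69.44.28.0/22", "10.5.7.22")
    for block, n in counts.most_common():
        print(f"{block:20} {n}")
    print("all proxy use from suspect block:", not others)
```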
After several run-ins with Edge 1 Networks [69.44.28.0/22] having their machines "hijack" victim machines on our networks infected with Jeem, and then making their spam runs, I've had it. I have reported both to Edge 1 and their parent Williams Communications Group [AS7911] with no result and I will be blocking Edge 1 [in theory, AS29986, but no doubt private spewage from WCG.NET).
I smell a rat. I have a funny feeling Edge1 is a front for pro-spammer Nick Geyer. Look at their whois:

Edge1 Networks Hostmaster
Edge1
25 Broadway - 5th Floor
New York, NY 10004
US
Phone: 212-248-1121
Fax..: 212-248-0929

But if you call Verizon, they'll tell you these lines terminate on the sixth floor of 25 Broadway, an address I remember all too well from the VMX Networks hijackings. If you want the abuse to stop, call Nick at work (212-685-2009) or on his cellular phone (503-851-1963) and tell him to knock it off. If Nick is busy or at a meeting, as is often the case, ask to speak to his boss, Paul Hodara, and see if he can track him down. The Williams NOC could care less; if you want to get anywhere, try contacting Blake Williams (blake.williams@wcg.com) or Michael Winslow (Michael.Winslow@wcg.com), who are capable of taking action, including ultimately denying service to Edge1 for AUP violations.
(off-topic) On 8/4/2003 at 10:26 PM, "Jeff Kell" <jeff-kell@utc.edu> wrote:
After several run-ins with Edge 1 Networks [69.44.28.0/22] having their machines "hijack" victim machines on our networks infected with Jeem, and then making their spam runs, I've had it. I have reported both to Edge 1 and their parent Williams Communications Group [AS7911] with no result and I will be blocking Edge 1 [in theory, AS29986, but no doubt private spewage from WCG.NET).
[I omitted quoting the follow-up post where Nick Geyer and Chris 'Rizler' Smith are being ratted out by fellow IP space hijackers at Web Design House (AS 26857):
- 199.60.102.0/24 hijacked by registering henningassoc.com (which has the same POC e-mail addr as AS26857 until recently: loopback2003@yahoo.com, with interesting nameservers that have since moved out of that /24: NS1.NANOG.US 216.66.69.69, NS2.NANOG.US 216.66.69.169);
- announced hijacked 148.3.32.0/20 IT-SOUTHLTD.COM;
- provided transit for AS 27526 (endai.com/endai.net/dmx0.com), originating hijacked 148.3.0.0/21 (IT-SOUTHLTD.COM) ]

The following (now posted daily) feature in Spam-L should make some silent NANOG subscribers ask themselves a question: do I work for a large criminal enterprise and could my own actions as an employee be considered active participation with possible criminal culpability?

And for those OTHER NANOG subscribers that decided that joining the unemployment line after the Internet bubble burst was not for them, but legal work suiting their qualifications was nowhere to be found: you should read up on some of the statutes of limitations for computer fraud and abuse acts (federal and state) and reconsider your current activities. Your acts are definitely not going unnoticed nor are they being ignored. There's a reason why Chris 'Rizler' Smith and 2 of his associates fled^Wrelocated to Costa Rica, you know, but Mary Jo White sure as hell didn't care that the last batch of people she had indicted had relocated to small caribbean island nations to evade US justice: http://zdnet.com.com/2100-11-508027.html

ISPs, including Level3.net and Cogent, are conspiring (that's what 'knowingly providing assistance to the perpetrator of a criminal act' actually is) with hard core computer criminals, and there's a handy list right here:

------- This is a forwarded message
From: Ronald F. Guilmette
To: SPAM-L@PEACH.EASE.LSOFT.COM
Date: Monday, August 4, 2003, 4:06:47 PM
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04

===8<==============Original message text===============
Date: Mon, 4 Aug 2003 13:06:47 -0700
Sender: Spam Prevention Discussion List <SPAM-L@PEACH.EASE.LSOFT.COM>
From: "Ronald F. Guilmette"
Subject: BLOCK,MISC: WHO'S SPAMMING YOU? Top 40 Proxy-Hijacker-Friendly ISPs 2003-08-04
To: SPAM-L@PEACH.EASE.LSOFT.COM
Precedence: list

The following list is based on proxy honeypot network data collected between 12 Noon 2003-08-03 and 12 noon 2003-08-04. Commentary follows below...

1. 38.112.197 cogentco.com - daicahosting.com/daica.com (Tampa, FL)
2. 38.114.11 cogentco.com - tailoredservers.com (Frisco, TX)
3. 66.135.15 broadbandip.net (Baton Rouge, LA)
4. 38.114.3 cogentco.com - tailoredservers.com (Frisco, TX)
5. 63.246.136 unitedcolo.com aka sagonet.com (San Francisco, CA)
6. 66.44.228 sterlingnetwork.net - savanti.net (Tucson, AZ)
7. 166.90.206 level3.com - ?Alan Ralsky? (Detroit area, MI)
8. 66.118.187 sagonet.com (Tampa, FL)
9. 63.246.135 unitedcolo.com aka sagonet.com (San Francisco, CA)
10. 66.250.125 cogentco.com - applicationx.net (Alpha, NJ)
11. 66.111.39 unitedcolo.com aka sagonet.com (San Francisco, CA)
12. 63.246.133 unitedcolo.com aka sagonet.com (San Francisco, CA)
13. 66.118.189 sagonet.com (Tampa, FL)
14. 64.5.51 theplanet.com (Dallas, TX)
15. 66.111.49 unitedcolo.com aka sagonet.com (San Francisco, CA)
16. 66.118.142 sagonet.com - argobroadcast.com (Tampa, FL)
17. 66.205.223 cetnetworks.com - smartmailhosting.com (New Orleans, LA)
18. 66.44.231 sterlingnetwork.net - savanti.net (Tucson, AZ)
19. 64.180.125 telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
20. 206.47.187 bell.ca - "Datatech Communications" (Windsor, ON, CA)
21. 66.17.157 yipes.com - net-sentry.net (Dallas, TX)
22. 38.118.143 cogentco.com - infinology.com (Goleta, CA)
23. 66.118.180 sagonet.com (Tampa, FL)
24. 216.99.99 nutnbut.net - pntsi.ca (London, ON, CA)
25. 66.111.40 unitedcolo.com aka sagonet.com (San Francisco, CA)
26. 66.70.114 datapipe.com (Hoboken, NJ)
27. 66.111.33 unitedcolo.com aka sagonet.com (San Francisco, CA)
28. 209.50.253 servint.com (McLean, VA)
29. 219.109.197 tcn-catv.ne.jp (Tokyo, JP)
30. 66.205.219 cetnetworks.com (Redwood City, CA)
31. 63.246.131 unitedcolo.com aka sagonet.com (San Francisco, CA)
32. 61.220.193 hinet.net (Taipei, TW)
33. 38.112.199 cogentco.com - daicahosting.com/daica.com (Tampa, FL)
34. 66.111.35 unitedcolo.com aka sagonet.com (San Francisco, CA)
35. 64.228.130 bell.ca/sympatico.ca (Montreal, QB, CA)
36. 216.58.92 igs.net (Kanata, ON, CA)
37. 66.111.50 unitedcolo.com aka sagonet.com (San Francisco, CA)
38. 80.71.71 telia.net - megaprovider.com/Bevelander (Haarlem, NL)
39. 216.8.169 mnsi.net (Windsor, ON, CA)
40. 195.14.58 corbina.net (Moscow, RU)

Not very much new today. All of the usual suspects are still in the top ranks of the list.

I called Cogent to ask about daicahosting.com. A guy named `Al' in the abuse department said that daica is ``on probation'', whatever the hell that means. I asked him if they could at least filter outbound connects to common proxy ports, and he said ``Oh no... I couldn't do THAT!''

Level3's mystery spammer in the Detroit area is still in the Top 10, banging the crap out 24/7 like always. Oh well, at least we caught one of their official spokesmodels in a bald-faced lie... ``Ralsky never sent any spam out via the connection we sell him.'' Yea. Right. What they should have said is that nobody was actually able to CATCH him doing it until now.

broadbandip.net, the Baton Rouge ISP that thinks that proxy hijacking is OK, has jumped into the #3 spot. The Cajun spam gang must be getting restless.

Cetnetwork.com is still doing proxy hijacking, big-time, from both its 66.205.223 and 66.205.219 blocks. I just had ANOTHER long phone chat with "Ketchersid, John" about this, and I gave him one last piece of rope to definitely hang himself with. He said that he was gonna filter outbound traffic to proxy ports. So if this crap from his network continues, then I'll know that he's a complete liar.

Sagonet and its subsidiary, unitedcolo, appear to be trying to disperse their proxy hijackers throughout their address space, probably in the vain hope that they will be able to fly beneath my radar, and get off the Top 40 list. But they are just making it more and more evident what a bunch of slimebags they are.

The greedy jerk in charge of sterlingnetwork.net is still hanging on to his paying customer savanti.net, who are raping proxies like there's no tomorrow. So what else is new?

Bevelander/megaprovider.nl is now connected via telia.net, and he is cranking out the crap, via that connection, big time.

The big trend today, other than sagonet's dispersal of its criminal proxy hijackers to all corners of its network, is the general increase in criminal activity originating from various locales within Canada, notably in the vicinity of Toronto/Windsor. This is most probably the proxy hijacker that I got nuked off of Beanfield.Com a couple of weeks ago trying to squirm his way back onto the net again.

IMPORTANT CORRECTION: I had previously listed the proxy hijacking within the 206.47.187/24 block as being the responsibility of "KRCMAR Surveyors (Thornhill, ON, CA)". That was totally incorrect. This /24 block is subdivided among many customers of bell.ca, and KRCMAR Surveyors only has the first set of 7 IPs in this block. The real and correct culprits for the proxy hijacking are listed above, i.e. "Datatech Communications" (Windsor, ON, CA). My apologies to KRCMAR Surveyors for the prior erroneous attribution.

Regards,
rfg

P.S. Not all of the companies on the list above have had a fair chance to nuke off their proxy hijacking customers yet. Some were only notified this morning of the problem, i.e.:

19. 64.180.125 telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
26. 66.70.114 datapipe.com (Hoboken, NJ)
28. 209.50.253 servint.com (McLean, VA)
29. 219.109.197 tcn-catv.ne.jp (Tokyo, JP)
32. 61.220.193 hinet.net (Taipei, TW)
35. 64.228.130 bell.ca/sympatico.ca (Montreal, QB, CA)
40. 195.14.58 corbina.net (Moscow, RU)

===8<===========End of original message text===========
Participants (3):
- Booth, Michael (ENG)
- Jeff Kell
- Kai Schlichting