I received a nice email from a very polite graduate student just now, who shall remain nameless, and I decided that I wanted to give him the reply below, but also to post this all to NANOG too, so here it is. I hope this may allay some of the concern that has been expressed about me not being more forthcoming about the details of this case. (And if anybody gives me a hard time about being ``off topic'' then I'm going to give him or her a knuckle sandwich, because I was specifically asked... indeed badgered... to provide more explanation of, and more justification for my earlier posting, as the record in the archives of this list will clearly show.) The friendly graduate student wrote:
I've been quietly following NANOG's little flamewar over this. I'm interested in what techniques you used to arrive at your conclusion regarding AS11296.
Unfortunately for me, I'm not a network op. Instead, I am a PhD student interested in all matters inter-domain. I hope you feel this is enough to make me a worthy recipient.
No, actually, it isn't. If I google you can I be _sure_ that you're not playing for the other team? Probably not. But the good news is that I have decided to be a bit less cagey generally, and specifically in my public comments about these things anyway, and to give out more confirming data bits anyway. And I'll be sending this letter on to the NANOG list soon, with your name redacted, of course.

What follows below is information that could be gleaned (if you know how) from whois.internic.net. It's all public info. I just rearrange it and print it out in a nice pretty way. (Of course knowing where to look within the vast IPv4 address space is also quite helpful, but I'm not going to get in to that.)

The bottom line here is that if you get the whois records for the domains associated with the name servers in the list attached at the end, you'll see that they are all going to be ``fishy'' in some way, e.g. ``cloaked'' (aka ``privacy protected''), or else registered to some mystery fly-by night company that may or may not actually exist, or at any rate, the domains will all be registered to something sort-of stealthy... something which is intended to make the spammer behind all this a bit harder to find.

Oh yea, and the snail mail addresses given in the WHOIS records for the domains will usually/often be traceable to UPS Store rental P.O. boxes... those are standard spammer favorites, because...as they well know... us spamfighters can't find out who really controls any one of those boxes without a subpoena... unlike USPS boxes, for instance. (All this is quite well known in the dank sleazy spammer underground already, so I'm not hardly giving away any secrets here.)

And in a similar vein, the contact phone numbers given in the whois records will quite typically be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers are _not_ trying to save you money when you want to call them up to bitch to them about the fact that they sent you 8,372 spams in a row.
Nope, again, they use the toll-free numbers for a very specific purpose, which is again to make it more difficult for anyone trying to track them down to find their actual physical location. Non-tollfree numbers are typically associated with a specific geographic vicinity (although even that is being substantially eroded by number portability). But the toll free numbers are truly and always utterly geographically anonymous. So spammers use them a lot, primarily in domain whois records.

So here you are. You've got this s**t load of highly ``fishy'' name servers, and they are all planted firmly into IP space that (a) appears to have been allocated to a reputable name brand company... such as Seiko, in this case... *and* (b) the block in question, based on the RegDate: and Updated: fields of the block's ARIN whois record, apparently hasn't been touched for years... maybe even a decade or more... thus implying that the former owners of the block either have abandoned it years ago, or else they themselves went belly up and ceased to exist, probably during the Great Dot Com Crash of 2000. Add it all up and what does it spell? No, not heartburn... Hijack.

See, there actually isn't any big mystery about any of this, except the part about how I came to focus on this particular set of IP blocks and/or the particular AS that was announcing routes to them. And about that part, I have nothing to say, except to tell these spammers (who are probably listening) what I always say... that spamming is THE most public of all crimes. If you really think that you can hide and be totally invisible, even while you blast MILLIONS of total strangers with your advertising, then you need to up your lithium, because the dosage you're on now clearly isn't doing the job. Oh, and one other small thing...
Even though the spammers try to hide themselves, often times, they really don't try THAT hard, probably because most folks don't care enough to really learn how to track these kinds of schmucks down, so in general, they only have to be a little stealthy... not a lot stealthy, and they know that. But using hijacked space raises the bar a little. In this context, you shouldn't really use all P.O. boxes that are on your same island, just because you are too effing lazy to take a ferry to the mainland once a month to pick up your hate mail from your anonymous UPS drop box. I can't really tell you exactly who engineered the hijacking in this case. Somebody with some network savvy obviously. What I suspect I _can_ tell you is which spammer (who runs a false-front ``affiliate marketing'' operation, just as cover story for their own snowshoe spamming... as most of the serious snowshoers do these days) most probably sub-leased the IP space from whoever actually engineered the hijacking. Look at the snail-mail addresses in the whois records for the domains listed below. Yes, they are UPS boxes, but look at the general location, Victoria, BC. So now go and google for "affiliate marketing" and "Victoria". There really aren't that many probable suspects. Victoria ain't a terribly big place. Not like, e.g. Vancouver. But then the schmuck would have to take the ferry over once a month to collect his hate mail from his mainland anonymous UPS box, and he's too effing lazy to do that. That's why he's a spammer, because he's too effing lazy and untalented to get honest work, or even to learn an honest trade, you know, like male hooker. (Hey! At least it's consensual, unlike spamming.) (Nishant? I know you're listening. Now you WILL make sure that Tobyn gets a copy of this posting, won't you? That's a good boy. Thanks. Effing assholes!) 
Could it possibly be that I'm jumping to the Wrong Conclusion here about who the spammer is, I mean just based on something as flimsy as geographic proximity? Sure, but not bloody likely. You see that's not hardly the only evidence that I have in front of me. I'm just not talking about the rest. (And I hope it keeps the son of a bitch up nights trying to figure out how ELSE he phuked up, in addition to being lazy and using only local UPS drop boxes.) Regards, rfg P.S. Some or all of the data presented below may still be available via whois.internic.net, even though the IP blocks are no longer even routed. Try this for example: whois -h whois.internic.net 206.226.96.2 Yup. Still there. At least for now. Probably be gone by morning. P.P.S. To all of the spammers out there reading this who think that you have learned from this e-mail how to be more stealthy still, and how to hide from me even better in the future... well... enjoy your fantasy while it lasts. I can find you now, I can find you next year, and I'll be able to find you ten years from now. And do you know why? Because I'm smarter than you are. And that's not saying much. If you had any talent... any talent at all... then you'd be able to find an HONEST job. It wouldn't pay as well, but at least you wouldn't be ashamed to tell your mother what you _actually_ do for a living. In the meantime, please hurry up and die. The world will most definitely be a better place when we no longer have to carry your dead weight on the backs of humanity. Don't flatter yourselves. You make nothing. You build nothing. You contribute nothing. You just annoy people. For money. We will make sure that that exact epitaph is engraved on your headstone, so that you will be remembered properly, once you go. 
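The screening described in the message above (a block whose ARIN RegDate:/Updated: fields are years old, populated by name servers whose domains all have "fishy" whois), sketched in Python as an added example that is not part of the original post. Every record, address and domain below is constructed; the 5-year staleness threshold, the mail-drop list and the keyword patterns are assumptions, not the poster's method.

```python
import ipaddress
import re
from datetime import date

# Constructed sample data (documentation prefixes and example domains), shaped
# like the ARIN whois fields the post mentions (RegDate:, Updated:).
ARIN_RECORD = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Widgets, Inc.
RegDate:        1995-03-14
Updated:        1998-07-02
"""
NS_RECORDS = [  # (address, name server) pairs, constructed
    ("192.0.2.2", "ns1.example.com"),
    ("192.0.2.3", "ns2.example.com"),
    ("192.0.2.66", "ns1.example.net"),
    ("198.51.100.5", "ns1.example.org"),  # outside the block, must be ignored
]
DOMAIN_WHOIS = {  # constructed free-text domain whois records
    "example.com": "Registrant: Domain Privacy Service\nPhone: +1.8885550100\n",
    "example.net": "Registrant: Example Marketing Ltd\n"
                   "Address: 100 Example St #200, Exampleville\n"
                   "Phone: 1-866-555-0111\n",
}
MAIL_DROPS = ["100 Example St #200"]  # hypothetical analyst-maintained list

# Toll-free prefixes named in the post: 800, 888, 877, 866.
TOLL_FREE = re.compile(r"\b1?[-. (]*8(?:00|88|77|66)[-. )]*\d{3}[-. ]*\d{4}\b")
# Keyword list is an assumption; tune it to the registrars you actually see.
PRIVACY = re.compile(r"privacy|private registration|proxy|protected", re.I)


def parse_fields(text):
    """Parse 'Key: value' whois lines into a dict (first value per key wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def domain_signals(whois_text, mail_drops=()):
    """Return the registration-hiding signals found in one domain record."""
    signals = []
    if PRIVACY.search(whois_text):
        signals.append("privacy-protected")
    if TOLL_FREE.search(whois_text):
        signals.append("toll-free phone")
    lowered = whois_text.lower()
    if any(drop.lower() in lowered for drop in mail_drops):
        signals.append("mail drop")
    return signals


def registered_domain(hostname):
    """Naive: last two labels. Use a public-suffix list for real data."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def assess(arin_text, ns_records, domain_whois, as_of, mail_drops=(),
           stale_years=5):
    """Combine block staleness with the whois signals of hosted NS domains."""
    fields = parse_fields(arin_text)
    net = ipaddress.ip_network(fields["cidr"].split(",")[0].strip())
    age = (as_of - date.fromisoformat(fields["updated"])).days / 365.25
    stale = age >= stale_years
    inside = [(ip, host) for ip, host in ns_records
              if ipaddress.ip_address(ip) in net]
    domains = {registered_domain(host) for _, host in inside}
    flagged = {}
    for dom in sorted(domains):
        found = domain_signals(domain_whois.get(dom, ""), mail_drops)
        if found:
            flagged[dom] = found
    # Worth a human look only when the block is stale AND every name-server
    # domain inside it shows at least one signal.
    suspicious = stale and bool(domains) and len(flagged) == len(domains)
    return {"block": str(net), "org": fields.get("orgname", ""),
            "years_since_update": round(age, 1), "stale": stale,
            "ns_in_block": len(inside), "flagged": flagged,
            "suspicious": suspicious}


def demo():
    """Run the assessment on the constructed sample, dated as the thread is."""
    return assess(ARIN_RECORD, NS_RECORDS, DOMAIN_WHOIS, date(2010, 10, 1),
                  MAIL_DROPS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A positive result is a lead for manual review of the registration and routing history, not proof of a hijack.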
-----Original Message----- From: Ronald F. Guilmette [mailto:rfg@tristatelogic.com] Sent: Thursday, September 30, 2010 10:48 PM To: nanog@nanog.org Subject: Re: AS11296 -- Hijacked? ================================================================ 63.247.172.3 ns1.tooplacedomain10tht.info 63.247.172.4 ns2.tooplacedomain10tht.info 63.247.181.3 ns1.steadyvolumebandw57.info 63.247.181.4 ns2.steadyvolumebandw57.info 63.247.185.19 ns1.magnumfourcompkriel.info 63.247.185.20 ns2.magnumfourcompkriel.info
... I would take more of an Occam's razor approach. If you have an AS that is supposedly an ISP in North Carolina or Ohio or wherever and first of all have only one way into their network (are they an ISP or are they simply reselling someone else's service?) and none of that connectivity traces back to their region of operation, and particularly where their name has been bought by or merged with someone else and that someone else is not announcing their AS and address blocks, then that is certainly cause for suspicion. "Hijacking" of defunct resources is probably a widespread activity. Finding the hijacked resources of companies that liquidated in fairly public fashion is probably easier than finding resources for a company that has been "laundered" through several mergers over several years where the current company doesn't even realize that they "own" the resources of a company bought by a company they bought because of personnel turnover involved with layoffs and such. To the general population of this list: Have you worked for a company that has liquidated? Are those Internet resource registrations still in whois? Maybe you should inform ARIN so those resources can be reclaimed. I did that when I noticed that a company I once worked for that evaporated still had resources in the database. That is just ASKING for someone to announce those resources and nobody is probably going to blink an eye because the upstreams rarely check to see if the entity they are talking to are actually authorized to announce that space. You tell them the ASN and net blocks, the two jibe, upstream says OK. How much address space is being wasted in this way? G
On Thu, Sep 30, 2010 at 11:34:16PM -0700, George Bonser wrote:
"Hijacking" of defunct resources is probably a widespread activity.
It is. A number of individuals and entities have been involved in tracking these over the years, and I've seen enough to figure out that it's common because it's relatively easy, it's likely to be undetected, it's likely to be ignored if detected, there are no significant penalties, and even if it all goes south: it's easy to start over and do it again.
How much address space is being wasted in this way?
A lot. Moreover, large chunks of address space are being wasted in this way:

1. Spammer sets up dummy front web-hosting/ISP company.
1a. (optional) Spammer sets up second-level dummy front.
2. Spammer gets ARIN et.al. to allocate a /20 or a /17 or whatever.
3. Spammer uses spammer-friendly registrar to purchase throwaway domains in bulk. (Sometimes the registrar IS the spammer. Cost-effective.)
4. Spammer populates the allocation with throwaway domains and commences snowshoe spamming.
4a. (optional) Spamming facilitates drive-by downloads, malware injection, browser exploits, phishing, and other attacks.
5. Anti-spam resources notice this and blacklist the allocation. So do large numbers of individual network/system/mail admins.
6. Return to step 1.

It's instructive to consider who profits from each of these steps.

A quick check of my (local, incomplete, barely scratch-the-surface) list of such things includes (and I've left out smaller and larger blocks, thus this is pretty much a snapshot of the middle of the curve):

/16's: 25
/17's: 20
/18's: 47
/19's: 73
/20's: 99
/21's: 88
/22's: 105
/23's: 198
/24's: 3245

for a total of about 6.6 million IP addresses. My guess is that this is likely a few percent, at best, of the real total: it just happens to be the set that brought itself to my attention by being sufficiently annoying to local resources. So I wouldn't be at all surprised to find that real total is in the 100M ballpark.

So I've concluded that there really isn't an IPv4 address space shortage. Spammers have absolutely no problem getting allocation after allocation after allocation, turning each one into scorched earth and moving on. ARIN et.al. certainly have no interest in stopping them, and ICANN only cares about registrar profits, so there's no help coming from either of those.

---rsk
On Fri, Oct 1, 2010 at 8:00 AM, Rich Kulawiec <rsk@gsp.org> wrote:
A quick check of my (local, incomplete, barely scratch-the-surface) list of such things includes (and I've left out smaller and larger blocks, thus this is a pretty much a snapshot of the middle of the curve):
/16's: 25 /17's: 20 /18's: 47 /19's: 73 /20's: 99 /21's: 88 /22's: 105 /23's: 198 /24's: 3245
for a total of about 6.6 million IP addresses. My guess is that this is likely a few percent, at best, of the real total: it just happens
this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
-----Original Message----- From: Christopher Morrow Sent: Friday, October 01, 2010 7:46 AM To: Rich Kulawiec Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
Which is sort of like saying: Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*" While true, it is orthogonal to the point being made which is if you collect those resources and issue them to legitimate operators, those are some 6.6 million unique hosts addresses that cannot be used for various nefarious activities.
On Fri, Oct 1, 2010 at 5:12 PM, George Bonser <gbonser@seven.com> wrote:
this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
Which is sort of like saying:
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
Death by IP address? -Bill -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
-----Original Message----- From: wherrin@gmail.com Herrin Sent: Friday, October 01, 2010 2:27 PM To: George Bonser Cc: Christopher Morrow; nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
Death by IP address?
-Bill
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022 http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
Try this link instead http://tinyurl.com/2cngbx6
-----Original Message----- From: George Bonser [mailto:gbonser@seven.com] Sent: Friday, October 01, 2010 2:32 PM To: William Herrin Cc: nanog@nanog.org Subject: RE: AS11296 -- Hijacked?
-----Original Message----- From: wherrin@gmail.com Herrin Sent: Friday, October 01, 2010 2:27 PM To: George Bonser Cc: Christopher Morrow; nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
Death by IP address?
-Bill
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
On Fri, Oct 1, 2010 at 5:31 PM, George Bonser <gbonser@seven.com> wrote:
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
Hi George, That's been debunked. http://www.zdnet.com/blog/bott/fact-check-malware-did-not-bring-down-a-passe... "A computer at the airline’s maintenance headquarters [...] was infected with some sort of malware. [...] That same computer is used to record incident reports submitted by mechanics and is programmed to raise an alarm if the same problem occurs three times on the same aircraft. On the day of the crash, the plane returned to the gate after the crew noticed a problem. The mechanics at the airport identified the issue and cleared the plane for takeoff. They apparently didn’t know that this was the third report of a similar problem in a two-day period. But even if the headquarters office had maintained its PC perfectly, the plane would still have taken off. The mechanics were still entering their report at the time of the crash." Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
-----Original Message----- From: wherrin@gmail.com On Behalf Of William Herrin Sent: Friday, October 01, 2010 2:50 PM To: George Bonser Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
On Fri, Oct 1, 2010 at 5:31 PM, George Bonser wrote:
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
Hi George,
That's been debunked.
Good. Ok, now shall we move on to Stuxnet which now seems to be infiltrating China. We don't know yet if that will cause any problems or not. The idea that there are fairly significant amounts of address space that could be used for practically anything at any time is probably a bigger issue in 2010 than it was in 1995 simply because we have more infrastructure that is either directly or indirectly exposed to it. Malware distributed on the internet can find its way onto a laptop and from there a thumb drive and from there to a computer used for medical purposes or at a chemical plant is more plausible of a scenario these days. Why make it EASY to distribute such things? Why do you seem to be defending the idea that it is somehow good to have lots of unaccounted for address space out there? Do you use it for something? G
Try this one on for size: http://tinyurl.com/2aoqpmk Sent from my somethingorother.
-----Original Message----- From: On Behalf Of William Herrin Sent: Friday, October 01, 2010 2:50 PM To: George Bonser Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
Stuff about ip bullets or something ...
On Oct 1, 2010, at 2:31 PM, George Bonser wrote:
-----Original Message----- From: wherrin@gmail.com Herrin Sent: Friday, October 01, 2010 2:27 PM To: George Bonser Cc: Christopher Morrow; nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
Death by IP address?
-Bill
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
http://aircrewbuzz.com/2008/10/officials-release-preliminary-report-on.html A more recent Interim report: http://www.fomento.es/NR/rdonlyres/AADDBF93-690C-4186-983C-8D897F09EAA5/7573... The crew apparently skipped the step where they were supposed to deploy the slats/flaps prior to takeoff. Additionally, the warning system on the aircraft which should have alerted the crew to the failure to extend the flaps/slats also failed to sound. A computer virus may have had a small contribution to the failure to detect the warning system failure in the maintenance process, but, it did not cause the accident. The accident is clearly the result of pilot error, specifically the failure to properly configure the aircraft for takeoff and failure to take remedial action upon activation of the stall warning system during the initial climb. Owen (who is also a pilot with a commercial rating)
On Oct 1, 2010, at 7:00:51 PM, Owen DeLong wrote:
On Oct 1, 2010, at 2:31 PM, George Bonser wrote:
-----Original Message----- From: wherrin@gmail.com Herrin Sent: Friday, October 01, 2010 2:27 PM To: George Bonser Cc: Christopher Morrow; nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
Death by IP address?
-Bill
Quite possible if one is using it to distribute a virus. RE: Spanair flight JK-5022
http://www.monstersandcritics.com/news/europe/news/article_1578877.php/Computer-viruses-may-have-contributed-to-Spanish-2008-plane-crash
http://aircrewbuzz.com/2008/10/officials-release-preliminary-report-on.html
A more recent Interim report:
http://www.fomento.es/NR/rdonlyres/AADDBF93-690C-4186-983C-8D897F09EAA5/7573...
The crew apparently skipped the step where they were supposed to deploy the slats/flaps prior to takeoff.
Additionally, the warning system on the aircraft which should have alerted the crew to the failure to extend the flaps/slats also failed to sound.
A computer virus may have had a small contribution to the failure to detect the warning system failure in the maintenance process, but, it did not cause the accident.
The accident is clearly the result of pilot error, specifically the failure to properly configure the aircraft for takeoff and failure to take remedial action upon activation of the stall warning system during the initial climb.
There's more to the story than that. There was a problem with a sensor -- the heater for it was running when the plane was on the ground, which it shouldn't do. The mechanic couldn't reproduce the problem; since there was no icing likely and the heater was only needed if there was icing, the pilot flipped the breaker to disable it. (The virus-infected computer was the one that should have been used to log two previous reports of that same heater problem, but no one even tried entering the reports until after the crash, so the virus wasn't at all the problem.)

Because of the distractions -- the return to the gate, the co-pilot making a call to cancel dinner plans, a third person in the cockpit, the pilots indeed forgot to set the flaps -- and just breezed through the checklist item (which they did recite) rather than actually paying attention to it.

However... the accident investigators learned that in almost all previous instances, worldwide, of that heater problem, the cause was a failed relay in the "I'm on the ground" circuit. That same relay was used to activate the Takeoff Configuration Warning System -- which didn't alert the pilots to the flaps problem because the relay failed again after the plane left the gate for the second time. In other words, a crucial safety system had a single point of failure -- and that failure also contributed to the distraction that led to the pre-takeoff pilot error.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
George - Full agreement; the next step is defining a deterministic process for identifying these specific resources which are hijacked, and then making a policy for ARIN to act. We have a duty of stewardship, so addressing this problem is a priority if the community directs us to do so via policy. /John On Oct 1, 2010, at 5:12 PM, George Bonser <gbonser@seven.com> wrote:
-----Original Message----- From: Christopher Morrow Sent: Friday, October 01, 2010 7:46 AM To: Rich Kulawiec Cc: nanog@nanog.org Subject: Re: AS11296 -- Hijacked?
this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
Which is sort of like saying:
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
While true, it is orthogonal to the point being made which is if you collect those resources and issue them to legitimate operators, those are some 6.6 million unique hosts addresses that cannot be used for various nefarious activities.
On 10/1/2010 17:12, George Bonser wrote:
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.
Why are we diverting the topic from 'draft a proposal to empower ARIN to deal with these sorts of problems' to 'arguing with meaningless analogies that do nothing except make the author feel good'? This is an operations list, not a debate team. Nathan
Bryan Fields wrote:
On 10/1/2010 17:12, George Bonser wrote:
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.
Here's an incident where the "local authorities" didn't know what to do about a possibly very worrisome incident at SJC (San Jose International Airport): <http://forums.mercurynews.com/topic/two-men-armed-with-assault-weapons-barely-cause-a-stir-at-mineta-san-jose-international-airpor> The problem is that people don't *think* - they just follow orders, follow their training. No one had thought about or trained for this type of incident. Fortunately, in this case, the people were not terrorists. Meanwhile, TSA confiscates bottles of shampoo and water. jc
On Oct 1, 2010, at 3:48 PM, JC Dill wrote:
Bryan Fields wrote:
On 10/1/2010 17:12, George Bonser wrote:
Citizen: "Hello, police? There is a crate of M-16's and a truckload of ammunition just sitting here on the corner" Police: "That is less than the Army goes through in 3 months ... *click*"
You'd have better luck calling the ATF, they are the ones empowered to enforce the tax on machine guns. The local police do not have any authority to enforce those taxes, and could get sued if they tried to.
Here's an incident where the "local authorities" didn't know what to do about a possibly very worrisome incident at SJC (San Jose International Airport):
The problem is that people don't *think* - they just follow orders, follow their training. No one had thought about or trained for this type of incident. Fortunately, in this case, the people were not terrorists. Meanwhile, TSA confiscates bottles of shampoo and water.
jc
Having now read that article, it really strikes me as much ado about nothing. The men were not concealing the lawfully carried weapons. They were carrying the weapons in a lawful manner. I suspect that all of their permits were in order. They did not shoot anyone. No animals were harmed in the making of this farce. Turns out they were legitimate armed guards from US DoE on legitimate business. Frankly, I'd be much more worried about the safety of whatever was in that man's luggage being on the flight than about the guards carrying assault rifles in the non-secure area of the airport. Heck, we let SJPD carry guns in that area, why shouldn't the general public? Owen
On Fri, Oct 1, 2010 at 5:12 PM, George Bonser <gbonser@seven.com> wrote:
-----Original Message----- From: Christopher Morrow this is still less than a /8, which lasts ~3 months in ARIN region and less if you count across RIR's...
Which is sort of like saying:
no, the point is/was that the number of addresses isn't likely the really important point you don't care about reclaiming addresses because of the size of the allocations. you care to reclaim because of improper use/abuse and/or "theft" of the resource. Nathan is correct though, propose some policy text that the community can get behind? probably also do that on ppml.... -Chris -chris
On Oct 1, 2010, at 8:00 AM, Rich Kulawiec wrote:
Spammers have absolutely no problem getting allocation after allocation after allocation, turning each one into scorched earth and moving on.
Materially correct, despite the fact that we look into the company registrations, principal parties involved, and mailing addresses at the time of a new request. It is simply too easy to create a complete illusion of a valid organization.
ARIN et.al. certainly have no interest in stopping them,
Hmm... An interesting assumption, and one that is quite incorrect. Rich - How do you suggest dealing with this problem? If you can suggest a straightforward way of vetting a new organization which the community will support, I'll happily have it implemented asap. /John John Curran President and CEO ARIN
On 1 October 2010 06:47, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
I hope this may allay some of the concern that has been expressed about me not being more forthcoming about the details of this case.
Cheers Ron for coming forth with your reasoning, it is appreciated. Your bit of trust in me/us has gone a long way, and it's good to understand your motivation and how you came to your conclusions. I'm actually quite surprised that you have found so much spam coming out of the US! I would have thought less developed countries where it's easy to obtain unregulated connections, with little legal repercussion would be more popular. Then again, I personally have not done a lot of research in the field. Good luck with your endeavour. Heath
On Fri, Oct 1, 2010 at 1:47 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
Oh yea, and the snail mail addresses given in the WHOIS records for the domains will usually/often be traceable to UPS Store rental P.O. boxes... those are standard spammer favorites, because...as they well know... us spamfighters can't find out who really controls any one of those boxes without a subpoena... unlike USPS boxes, for instance. (All this is quite well known in the dank sleazy spammer underground already, so I'm not hardly giving away any secrets here.) And in a similar vein, the contact phone numbers given in the whois records will quite typically be 1-800 or 1-888 or 1-877 or 1-866 toll-free numbers. No, the spammers are _not_ trying to save you money when you want to call them up to bitch to them about the fact that they sent you 8,372 spams in a row. Nope, again, they use the toll-free numbers for a very specific purpose, which is again to make it more difficult for anyone trying to track them down to find their actual physical location. Non-tollfree numbers are typically associated with a specific geographic vicinity (although even that is being substantially eroded by number portability). But the toll free numbers are truly and always utterly geographically anonymous. So spammers use them a lot, primarily in domain whois records.
So here you are. You've got this s**t load of highly ``fishy'' name servers, and they are all planted firmly into IP space that (a) appears to have been allocated to a reputable name brand company... such as Seiko, in this case... *and* (b) the block in question, based on the RegDate: and Updated: fields of the block's ARIN whois record, apparently hasn't been touched for years... maybe even a decade or more... thus implying that the former owners of the block either have abandoned it years ago, or else they themselves went belly up and ceased to exist, probably during the Great Dot Com Crash of 2000. Add it all up and what does it spell? No, not heartburn... Hijack.
Ron, Let's try that without the diatribe: "I saw spam domains pop up associated with 199.241.95.253. 199.241.64.0/19 appears to be a defunct registration reannounced to the Internet two weeks ago by an AS11296 -- an unregistered AS number. A large quantity of spam domains popped up with the other addresses recently announced by AS11296 as well. Accordingly, I suspect that as we've seen many times before and all clearly understand, AS11296 and the addresses it advertises have been hijacked by a spammer." There. Now, would that have been so hard? Your friend was right. We don't want a "lengthy elaboration." Just a simple, concise explanation of why you believe your claim to be true. As for your secretive and ingenious detection, get over yourself. We've seen this before. More than once. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
participants (12):
- Bryan Fields
- Christopher Morrow
- George Bonser
- Heath Jones
- JC Dill
- John Curran
- Nathan Eisenberg
- Owen DeLong
- Rich Kulawiec
- Ronald F. Guilmette
- Steven Bellovin
- William Herrin