Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
NANOG:

Look, the people posting here who are trashing Intercage are pure security
analysts -- they know and understand the evil that is Intercage. STOP TRYING
TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.

Intercage/Atrivo hosts the malware C&C botnets that DDoS your systems and
networks.

Intercage/Atrivo hosts the spyware that compromises your users' passwords.

Intercage/Atrivo hosts the adware that slows your customers' machines.

Don't take my word for it, DO YOUR OWN RESEARCH:
http://www.google.com/search?hl=en&q=intercage+malware

You don't get called the ***American RBN*** for hosting a couple bad
machines. They have and will continue to host much of the malware pumped out
of America. THEY ARE NOT YOUR COMRADES.

These people represent the most HIGHLY ORGANIZED CRIME you will ever
come across. Most people were afraid to speak out against them until this
recent ground swell.

This is the MALWARE CARTEL. GET THE PICTURE?

Many links have been posted here that prove this already -- instead of
asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT --
because there are NONE.

  I would suggest a different Step 1.  Instead of killing power, simply
  isolate the affected machine.  This might be as simple as putting up a
  firewall rule or two, if it is simply sending outgoing SMTP spam, or
  it's probably easiest (depending on the network gear of course) to
  just put the lan port into an isolated VLAN. It's not the 100%
  solution (some badness rm's itself once it loses connectivity to the
  internets) but it'd make things simpler for the client/LEA when they
  need to figure out what happened.
 
  -chris
 
 




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, Sep 23, 2008 at 10:52 PM, Paul Ferguson [EMAIL PROTECTED]
wrote:

 On Tue, Sep 23, 2008 at 10:13 PM, Russell Mitchell [EMAIL PROTECTED]
 wrote:

 I believe the blocks you're referring to are their 85.255 Blocks?
 Registered to InHoster. I believe those prefixes are an entity of
 theirs, though I don't know for sure. Perhaps ask them?


 Thanks, that's right -- Inhoster. Operating out of Odessa and blacklisted
 virtually everywhere.


Sorry, my last post on this issue.

As you may (or may not) know, Inhoster's domain(s) were suspended due to
criminal activity:

http://whois.domaintools.com/inhoster.com

The prefixes you mention were deliberately being originated by AS27595 up
until the recent kerfuffle and disconnect on Saturday night:

 Prefixes added and withdrawn by this origin AS in the past 7 days.

  - 64.28.176.0/20    Withdrawn
  - 67.210.0.0/21     Withdrawn
  - 67.210.8.0/22     Withdrawn
  - 67.210.14.0/23    Withdrawn
  - 69.22.162.0/23    Withdrawn
  - 69.22.168.0/21    Withdrawn
  - 69.22.184.0/22    Withdrawn
  - 69.31.64.0/20     Withdrawn
  - 69.50.160.0/19    Withdrawn
  - 85.255.113.0/24   Withdrawn
  - 85.255.114.0/23   Withdrawn
  - 85.255.116.0/22   Withdrawn
  - 85.255.120.0/23   Withdrawn
  - 85.255.122.0/24   Withdrawn
  - 216.255.176.0/20  Withdrawn
  - 216.255.176.0/22  Withdrawn
  - 216.255.180.0/22  Withdrawn
  - 216.255.184.0/22  Withdrawn
  - 216.255.188.0/22  Withdrawn

And they magically reappeared in Cernel (AS36445) almost immediately:

Prefix   AS Path
  64.28.187.0/24   12654 3257 36445
  67.210.12.0/23   12654 3257 36445
  85.255.112.0/20  12654 3257 36445
  93.188.161.0/24  12654 3257 36445
  93.188.166.0/24  12654 3257 36445


This was not an accident.

So what you are saying is that these prefixes have always belonged to
Inhoster?

Thanks,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2doTq1pz9mNUZTMRAupwAKDxEF9kyS/UoTb/Hl2FwEGM1tsj2gCfYF16
qyG0vUAmfxfdQg/vqHFCxbw=
=T+0o
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/


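The prefix shuffle Ferg lays out above (blocks withdrawn from AS27595, and the same address space reappearing behind AS36445) is exactly the pattern a route-origin monitor should alert on, and it shows why the check has to be on address-space overlap rather than prefix-string equality: five /24s and /23s came back as one covering /20, and a /20 came back as a /24. The following Python script is an added example, not something posted in this thread. It uses the prefixes and AS numbers from Ferg's two tables, adds two constructed control routes (203.0.113.0/24 from AS64496, and a re-announcement by AS27595 itself) that must not fire, and flags every withdrawn block whose space is now originated by a different AS.

```python
import ipaddress
from collections import defaultdict

# Prefixes the thread reports as withdrawn by AS27595 (taken from Ferg's
# list above), keyed by the origin AS that had been announcing them.
WITHDRAWN = {p: 27595 for p in [
    "64.28.176.0/20", "67.210.0.0/21", "67.210.8.0/22", "67.210.14.0/23",
    "69.22.162.0/23", "69.22.168.0/21", "69.22.184.0/22", "69.31.64.0/20",
    "69.50.160.0/19", "85.255.113.0/24", "85.255.114.0/23", "85.255.116.0/22",
    "85.255.120.0/23", "85.255.122.0/24", "216.255.176.0/20", "216.255.176.0/22",
    "216.255.180.0/22", "216.255.184.0/22", "216.255.188.0/22",
]}

# Routes seen afterwards as (prefix, AS path). The first five are the table
# Ferg posted; the last two are constructed controls that must NOT alert:
# unrelated address space, and the old origin re-announcing its own block
# (a re-route, not an origin change).
ANNOUNCED = [
    ("64.28.187.0/24", [12654, 3257, 36445]),
    ("67.210.12.0/23", [12654, 3257, 36445]),
    ("85.255.112.0/20", [12654, 3257, 36445]),
    ("93.188.161.0/24", [12654, 3257, 36445]),
    ("93.188.166.0/24", [12654, 3257, 36445]),
    ("203.0.113.0/24", [12654, 3257, 64496]),     # constructed control
    ("216.255.176.0/22", [12654, 64496, 27595]),  # constructed control
]


def origin_as(as_path):
    """The origin is the right-most AS in the path."""
    return as_path[-1]


def relation(withdrawn_net, new_net):
    """Describe how the new announcement relates to the withdrawn prefix."""
    if withdrawn_net == new_net:
        return "exact"
    if new_net.subnet_of(withdrawn_net):
        return "more-specific"   # a slice of the withdrawn block
    if withdrawn_net.subnet_of(new_net):
        return "covering"        # an aggregate that swallows the withdrawn block
    return "partial"


def find_origin_shifts(withdrawn, announced):
    """Return (withdrawn_prefix, old_origin, new_prefix, new_origin, relation)
    for every withdrawn prefix whose address space is now originated by a
    different AS. Overlap is the key, not string equality: the thread's /24s
    came back inside a covering /20 and a /20 came back as a /24."""
    hits = []
    for w_str, old_as in withdrawn.items():
        w = ipaddress.ip_network(w_str)
        for a_str, path in announced:
            a = ipaddress.ip_network(a_str)
            new_as = origin_as(path)
            if new_as != old_as and w.overlaps(a):
                hits.append((w_str, old_as, a_str, new_as, relation(w, a)))
    return hits


def summarize(hits):
    """Group hits by (old_origin, new_origin) into a sorted prefix list, the
    shape an alert wants: 'AS27595 -> AS36445: these blocks moved'."""
    by_pair = defaultdict(set)
    for w_str, old_as, _a_str, new_as, _rel in hits:
        by_pair[(old_as, new_as)].add(w_str)
    return {pair: sorted(ps, key=ipaddress.ip_network) for pair, ps in by_pair.items()}


if __name__ == "__main__":
    found = find_origin_shifts(WITHDRAWN, ANNOUNCED)
    for w_str, old_as, a_str, new_as, rel in found:
        print(f"{w_str} (was AS{old_as}) now inside {a_str} from AS{new_as} [{rel}]")
    for (old_as, new_as), prefixes in summarize(found).items():
        print(f"AS{old_as} -> AS{new_as}: {len(prefixes)} withdrawn prefixes re-homed")
```

Run against the data above it reports six shifts, all AS27595 to AS36445: 64.28.176.0/20 re-homed as a more-specific /24, and the five 85.255.x blocks re-homed under a covering /20. The 67.210.12.0/23 announcement does not fire because it does not overlap any withdrawn block (67.210.8.0/22 ends at .11 and 67.210.14.0/23 starts at .14), which is the kind of near miss a string comparison would have got wrong in the other direction.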

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Paul,

Sorry I didn't make this clear enough in the previous responses.

The prefixes that are registered to Inhoster belong to Esthost.
I'm not sure how or why you think those prefixes belong to us.

These prefixes belong DIRECTLY to us:
- 69.50.160.0/19    Withdrawn
- 216.255.176.0/20  Withdrawn

These prefixes belong DIRECTLY to nLayer, and were LEASED to us:
- 69.22.162.0/23    Withdrawn
- 69.22.168.0/21    Withdrawn
- 69.22.184.0/22    Withdrawn
- 69.31.64.0/20     Withdrawn

The prefixes LEASED to us BY nLayer are being reclaimed at the end of this
month 09/30/08, as the lease contract is set to cease at that time.

Hopefully, that is clear enough for you.

Thank you for your time. Have a great day.
---
Russell Mitchell

InterCage, Inc.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, Sep 23, 2008 at 11:28 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:


 Sorry I didn't make this clear enough in the previous responses.

 The prefixes that are registered to Inhoster belong to Esthost.
 I'm not sure how or why you think those prefixes belong to us.

 These prefixes belong DIRECTLY to us:
 - 69.50.160.0/19    Withdrawn
 - 216.255.176.0/20  Withdrawn

 These prefixes belong DIRECTLY to nLayer, and were LEASED to us:
 - 69.22.162.0/23    Withdrawn
 - 69.22.168.0/21    Withdrawn
 - 69.22.184.0/22    Withdrawn
 - 69.31.64.0/20     Withdrawn

 The prefixes LEASED to us BY nLayer are being reclaimed at the end of
 this month 09/30/08, as the lease contract is set to cease at that time.

 Hopefully, that is clear enough for you.

 Thank you for your time. Have a great day.
 ---
 Russell Mitchell

 InterCage, Inc.


Clear as mud, thanks.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2d6uq1pz9mNUZTMRAmkcAJ4toRsggJ325VfjkqK8QJKWQG4UegCg84x+
KwcuyxtFp7/x3/vScFTkP3I=
=/vFy
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
Wow, this topic has really gotten old.






Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello John Doe,

I welcome any further comments you have.
We have to get past people such as yourself, and your blasphemous and false 
statements.

This is the same issue with the recent media and self-proclaimed Security 
Researchers. Fly-by-night mind you.

To help you out in your claims:
Yes, we did house a client who had quite a run with their clients
from various locations, such as Russia.
That Client is no longer hosted on our network. I myself spent all of Monday
afternoon, night, and Tuesday morning shutting off EVERY machine they had
leased in our Billing System. I'm currently working to scan further and see if
there's anything I may have missed.

Yes, Russia is very well known for Virus and Malware writers.

Yes, we have had issues with malware distribution from our network.
This was directly and near singularly related to the former client of ours. We
did have another client, Hostfresh, who had their share of malware issues.

Both have been completely and effectively removed. The servers leased to both
of them have been canceled, and their machines have been shut off.

Let me know if there's anything else you'd like me to state to the public.
We're on a rocky road right now. But it IS starting to smooth out.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.













Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Pedram,

Until everyone fully understands the truth in ENGLISH, this topic will 
continue. This is what they demand.

As long as there are questions which relate to us, I will continue to respond.
When it's set in stone, and the false claims and false statements are 
corrected, this topic will cease.

I hope soon, people will realise and accept the truth that we are a LEGITIMATE
Company that DOES Operate in the USA. We are NOT directly or indirectly
related to any Russians. We do NOT support, write, directly distribute, or
knowingly allow the distribution of malware or other abusive activities to
originate from our network. While the previous statements are questionable in
the public's eye, I hope some time, you will understand it IS the truth.

Prove me wrong, PLEASE.
If you know of any further malware or further abusive activities, such as the
claimed C&C Botnets, please PLEASE don't hesitate to tell me. abuse.intercage
and russ..intercage and emil.intercage are live and operational. We are
currently investigating the rest of our clientele and any sites or communities
you can recommend to follow, we will follow.

While it is clear that this will not be accepted by the community any time
soon, it will eventually be accepted. That is what I am waiting for, however
long it takes.

I can't stress this enough. We DO need your help to locate and eliminate
abusive activities from our network. I know you have information, and I need
you to at least reclaim the faith that we WILL be very active against abuse
originating from our network, and we WILL be proactive to locate and eliminate
abusive activities on our network.

Thank you very much for all your time and future assistance. Have a great day.
---
Russell Mitchell

InterCage, Inc.













Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Sep 24, 2008 at 12:12 AM, Russell Mitchell [EMAIL PROTECTED]
wrote:


 I hope soon, people will realise and accept the truth that we are a
 LEGITIMATE Company that DOES Operate in the USA. We are NOT directly or
 indirectly related to any Russians. We do NOT support, write, directly
 distribute, or knowingly allow the distribution of malware or other
 abusive activities to originate from our network. While the previous
 statements are questionable in the public's eye, I hope some time, you
 will understand it IS the truth.

 Prove me wrong, PLEASE.

AS27595, and all prefixes which you advertise, will be ultra-scrutinized.

You can be sure that you, and many others, will know if & when criminal
activity re-appears inside prefixes hosted by Atrivo/Intercage.

The gloves are off, so to speak.

Cheers,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2epPq1pz9mNUZTMRAumJAKD5lujVV7CTeZ6iQDEjsELHy7+I1wCfeXFH
TxVWvBONxa+jozHf9hq+k2c=
=L/4x
-END PGP SIGNATURE-



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Paul,

GREAT! I am very pleased with that.
This is what we need, and I'm sure you can agree, this is what the Internet 
needs.

Thank you very much for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.











Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
Russell:

Ferg was just being coy -- what you don't understand is there are about 3 other
security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
Enforcement might not take action against you (but appear to be interested now),
but the community can. GET OFF THE NET WITH YOUR MALWARE!

You mistake me for someone who believes you pack of lies! Don't you
understand each time you post to this list gives those of us who know the
opportunity to post MORE EVIDENCE of your MALWARE?

You disconnected Hostfresh and think that's the extent of your crimes?
Gimme a break. Only those who are easily socially engineered would believe
your pathetic claims of innocence.
You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:

Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html

 Let me know if there's anything else you'd like me to state to the public.

Answer Ferg's question -- Why are you moving to CERNEL? Do you think this
is going to work? That's just another of Emil's networks.

 We're on a rocky road right now. But it IS starting to smooth out.

That's just the calm before the storm.

Go ahead and post a response to each of these allegations:

Cybercrime's US Hosts
http://www.spamhaus.org/news.lasso?article=636

Report Slams U.S. Host as Major Source of Badware
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

A Superlative Scam and Spam Site Registrar
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

ICANN cast as online scam enabler
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

'Malware-friendly' Intercage back with the living
http://www.theregister.co.uk/2008/09/24/intercage_back_online/









Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Sep 24, 2008 at 12:27 AM, Mark Foo [EMAIL PROTECTED] wrote:

 Answer Ferg's question -- Why are you moving to CERNEL? Do you think this
 is going to work? That's just another of Emil's networks.


Actually, I was not being coy.

Okay, maybe I was.

With regards to the prefix shuffle to Cernel, I think that speaks for
itself.

With regards to ...another of Emil's networks..., I don't believe that to
be true. In fact, I think Emil is just a pawn in this entire mess.

It is clear to me -- at least -- that this entire criminal operation is
being operated out of Eastern Europe, and their foothold in the U.S. is the
major issue here.

This is the major heartburn -- ISPs and network operators in the U.S. seem
not to care about these issues, and it becomes an 'unpopular' effort to
purge these activities in this audience.

$.02,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2e5Wq1pz9mNUZTMRAsf6AJ47BKaCBckIkllV2XN/CJhvIGUqowCgrOSQ
kBmKYLTVEipzNwXGxIZa6Zo=
=zs8t
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Mark,

It really seems YOU _DID_ miss the memo.
I think that since no one else is responding to your nonsense, there is no
reason for me to either.

If you have something accurate to say, I'll be happy to listen.
Until then, there's not much I can say. There's no sense in repeating myself.
 ---
Russell Mitchell

InterCage, Inc.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
.
  ---
 Russell Mitchell

 InterCage, Inc.



 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL 
 PROTECTED]; nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 12:27:50 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Ferg was just being coy -- what you don't understand is there are about 3 
 other
 security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
 Enforcement might not take action against you (but appear to be interested 
 now),
 but the community can. GET OFF THE NET WITH YOUR MALWARE!

 You mistake me for someone who believes your pack of lies! Don't you
 understand each
 time you post to this list gives those of us who know the opportunity
 to post MORE EVIDENCE
 of your MALWARE?

 You disconnected Hostfresh and think that's the extent of your crimes?
 Gimme a break.
 Only those who are easily socially engineered would believe your
 pathetic claims of innocence.
 You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:

 Re: The in-your-face hijacking example
 http://www.irbs.net/internet/nanog/0305/0038.html

 Let me know if there's anything else you'd like me to state to the public.

 Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
 is going to work? That's just another of Emil's networks.

 We're on a rocky road right now. But it IS starting to smooth out.

 That's just the calm before the storm.

 Go ahead and post a response to each of these allegations:

 Cybercrime's US Hosts
 http://www.spamhaus.org/news.lasso?article=636

 Report Slams U.S. Host as Major Source of Badware
 http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

 A Superlative Scam and Spam Site Registrar
 http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

 ICANN cast as online scam enabler
 http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

 'Malware-friendly' Intercage back with the living
 http://www.theregister.co.uk/2008/09/24/intercage_back_online/








 On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell [EMAIL PROTECTED] wrote:

 Hello John Doe,

 I welcome any further comments you have.
 We have to get past people such as yourself, and your blasphemous and false 
 statements.

 This is the same issue with the recent media and self-proclaimed Security 
 Researchers. Fly-by-night mind you.

 To help you out in your claims:
 Yes, we did house a client who had quite a run with their clients from 
 various locations, such as Russia.
 That Client is no longer hosted on our network. I myself spent all of Monday 
 afternoon, night, and Tuesday morning shutting off EVERY machine they had 
 leased in our Billing System. I'm currently working to scan further and see 
 if there's anything I may have missed.

 Yes, Russia is very well known for Virus and Malware writers.

 Yes, we have had issues with malware distribution from our network.
 This was directly and near singularly related to the former client of ours. 
 We did have another client, Hostfresh, who had their share of malware 
 issues.

 Both have been completely and effectively removed. The servers leased to 
 both of them have been canceled, and their machines have been shut off.

 Let me know if there's anything else you'd like me to state to the public.
 We're on a rocky road right now. But it IS starting to smooth out.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.



 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Bruce Williams [EMAIL PROTECTED]
 Cc: Christopher Morrow [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Tuesday, September 23, 2008 11:08:21 PM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 NANOG:

 Look, the people posting here who are trashing Intercage are pure security
 analysts -- they
 know and understand the evil that is Intercage. STOP TRYING TO ASSIST
 INTERCAGE
 -- you are effectively aiding and abetting the enemy.

 Intercage/Atrivo hosts the malware cc botnets that DDoS your systems and
 networks.

 Intercage/Atrivo hosts the spyware that compromises your users' passwords.

 Intercage/Atrivo hosts the adware that slows your customers' machines.

 Don't take my word for it, DO YOUR OWN RESEARCH:
 http://www.google.com/search?hl=en&q=intercage+malware

 You don't get called the ***American RBN*** for hosting a couple bad
 machines. They
 have and will continue to host much of the malware pumped out of America.
 THEY
 ARE NOT YOUR COMRADES.

 These people represent the most HIGHLY ORGANIZED CRIME you will ever
 come across. Most people were afraid to speak out against them until this
 recent ground swell.

 This is the MALWARE CARTEL. GET THE PICTURE?

 Many links have been posted here that prove this already -- instead of
 asking
 what

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Wall
Russell,

Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.

Why are you only now shutting them down?

Thank you for proving that our research was not for naught, and that
Atrivo/Intercage is a black hat operation which needs to be
permanently disconnected from the Internet at all costs.

Drive Slow,
Paul Wall



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Mark,

What's YOUR motivation to consistently attack my company?

What's my motivation to continue working @ InterCage?
To keep a roof over my family's heads, and to keep them well-fed:
1.) Myself
2.) My Wife
3.) My near 2 year old Son (November)
4.) My near 3 week old Daughter (Born Sept. 4th)

It's great that you finally accepted the claim of InterCage being associated 
with the famed RBN as being alleged.
You've taken the first step into seeing how much BS information has been spread 
out about our company.

Whether you support me in my anti-abuse endeavor or not, as long as you get 
FACTUAL information, I'm happy.
However someday, I trust you will find and accept the truth about InterCage. 
From what I see now from the claims you're making, that day may not come soon.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

- Original Message 
From: Mark Foo [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL PROTECTED]; 
nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 1:14:01 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the Intel companies) than
whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
sleep well knowing what you're up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:

http://www.spamhaus.org/news.lasso?article=636

Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's command and control to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the surprised janitor, unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal
services.

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo/Intercage is one of the very few remaining
dedicated crime hosting firms whose customer base is composed almost,
or perhaps entirely, of criminal gangs. More importantly, millions of
Internet users

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Raymond Dijkxhoorn

Hi!


Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.


[EMAIL PROTECTED] ~]# dig estdomains.com

; <<>> DiG 9.5.0-P2 <<>> estdomains.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2970
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;estdomains.com.IN  A

;; ANSWER SECTION:
estdomains.com. 86400   IN  A   94.102.49.3

inetnum:94.102.48.0 - 94.102.63.255
netname:NL-ECATEL-20080829
descr:  Ecatel LTD
country:NL
org:ORG-EL38-RIPE
admin-c:RvE16-RIPE
tech-c: RvE16-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower:  ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

person: Reinier van Eeden
address:Archangelkade 1-3
address:1013 BE  Amsterdam
mnt-by: IQARUS-MNT
e-mail: [EMAIL PROTECTED]
phone:  +31 64 607 11 12
nic-hdl:RvE16-RIPE
source: RIPE # Filtered

The same guys were hosting several ROKSO spammers in 2006 already. This 
smells badly!


Earlier this year they had also this one (also ROKSO)

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65783

The company that Reinier was with was called Icarus earlier, does that 
ring a bell? 3 of the top 10 ROKSO spammers were hosted there. This is 
more than just a normal shining.


bye,
Raymond.
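
Raymond's resolve-then-whois check above, automated as an added example (not code from the post or from any party named in the thread): it parses dig answer lines and a RIPE inetnum object and reports which domains resolve into that allocation. The netblock and the estdomains.com record are copied from the output quoted above; the example.net record is constructed as an out-of-range control.

```python
import ipaddress
import re

# Sample inputs. The first A record and the inetnum object are taken from
# the dig and RIPE output quoted in the post; the example.net record is a
# constructed control that should NOT match.
DIG_OUTPUT = """\
;; ANSWER SECTION:
estdomains.com.   86400   IN  A   94.102.49.3
example.net.      3600    IN  A   192.0.2.10
"""

RIPE_INETNUM = """\
inetnum:        94.102.48.0 - 94.102.63.255
netname:        NL-ECATEL-20080829
descr:          Ecatel LTD
country:        NL
status:         ALLOCATED PA
source:         RIPE # Filtered
"""

# One dig answer line: owner, TTL, class, type, IPv4 address.
A_RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.MULTILINE,
)


def parse_a_records(dig_text):
    """Return [(owner_name, ip)] for every A record in dig output.

    Comment lines (';;'), SOA/NS authority records and anything that is
    not an A record are ignored by the regex.
    """
    return [
        (m.group("name").rstrip("."), m.group("ip"))
        for m in A_RECORD_RE.finditer(dig_text)
    ]


def parse_inetnum(whois_text):
    """Return (networks, netname) from a RIPE inetnum object.

    RIPE expresses IPv4 allocations as 'start - end', not CIDR, and the
    range need not be a single aligned block, so summarize_address_range
    may yield several networks.
    """
    fields = {}
    for line in whois_text.splitlines():
        if ":" in line and not line.startswith("%"):
            key, value = line.split(":", 1)
            fields.setdefault(key.strip(), value.strip())
    start, end = re.split(r"\s*-\s*", fields["inetnum"], maxsplit=1)
    networks = list(
        ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)
        )
    )
    return networks, fields.get("netname", "")


def domains_in_range(dig_text, whois_text):
    """Return [(domain, ip, netname)] for domains resolving into the inetnum."""
    networks, netname = parse_inetnum(whois_text)
    hits = []
    for name, ip in parse_a_records(dig_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            hits.append((name, ip, netname))
    return hits


if __name__ == "__main__":
    for domain, ip, netname in domains_in_range(DIG_OUTPUT, RIPE_INETNUM):
        print(f"{domain} -> {ip} is inside {netname}")
```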



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
define:nanog

North American Network Operators Group A membership organization that
provides for the exchange of technical information among public, commercial
...

I think this conversation should have ended way long time ago.

My $0.50 cents + $1.00 or $2

Regards,
Pedram

On Wed, Sep 24, 2008 at 1:29 AM, Russell Mitchell [EMAIL PROTECTED]wrote:

 Hello Mark,

 What's YOUR motivation to consistently attack my company?

 What's my motivation to continue working @ InterCage?
 To keep a roof over my family's heads, and to keep them well-fed:
 1.) Myself
 2.) My Wife
 3.) My near 2 year old Son (November)
 4.) My near 3 week old Daughter (Born Sept. 4th)

 It's great that you finally accepted the claim of InterCage being
 associated with the famed RBN as being alleged.
 You've taken the first step into seeing how much BS information has been
 spread out about our company.

 Whether you support me in my anti-abuse endeavor or not, as long as you get
 FACTUAL information, I'm happy.
 However someday, I trust you will find and accept the truth about
 InterCage. From what I see now from the claims you're making, that day may not
 come soon.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.

 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow 
 [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 1:14:01 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Oh I got the memo, you'll be getting served one soon too.

 I just wonder why you don't consider playing both sides of the fence
 -- with your
 knowledge of who's who in the cyber crime field, you could probably get
 paid
 more as an informant (either to LEO or one of the Intel companies) than
 whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
 sleep well knowing what you're up to now so I figure it's the money that
 motivates you.

 Or, maybe you don't really know anyone, you just respond to their demands
 and
 they end up with all the money, pr0n chicks, etc. Doesn't that bother
 you -- don't
 you want more?

 Plus, no one would know you were pulling two pay checks -- you manage
 systems
 on one side and pass info to the other. It's actually fairly simple --
 maybe you already
 know this ;).

 If not, please explain this:

 http://www.spamhaus.org/news.lasso?article=636

 Without exception, all of the major security organizations on the
 Internet agree that the 'Home' of cybercrime in the western world is a
 firm known as Atrivo/Intercage, based in California. We ourselves have
 not come to this conclusion lightly but from many years of dealing
 with criminal operations hosted by Atrivo/Intercage, gangs of
 cybercriminals - mostly Russian and East European but with several US
 online crime gangs as well - whose activities always lead back to
 servers run by Atrivo/Intercage. We have lost count of the times we
 have tracked a major virus botnet's command and control to
 Atrivo/Intercage servers, readers can view here some of the current
 and historic SBL records for Atrivo for a taste of what has been
 happening in this network. At almost every Internet security
 conference, or law enforcement seminar on cyber-crime, a presentation
 will detail some attack, exploit, phish or financial crime that has
 some nexus at Atrivo/Intercage.

 The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
 playing the surprised janitor, unaware of every new criminal
 enterprise found on his servers and keen to show he gets rid of some
 criminals once their activities on his network are exposed. His
 Internet hosting career first came to the attention of most anti-abuse
 organizations when he pinched (or 'purchased stolen goods' as he put
 it) and routed an unused block of 65,536 IP addresses belonging to the
 County of Los Angeles.

 Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
 Atrivo/Intercage and its related networks in the last 3 years alone,
 all of which involved criminal operations such as malware, virus
 spreaders and botnet command and control servers. Malware found by
 Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
 months included the Storm Worm installer and controller and a MySpace
 spambot amongst others. Spamhaus currently sees a large amount of
 activity related to malicious software and exploits being hosted on
 Atrivo/Intercage which include DNS hijack malware, IFRAME browser
 attacks, dialers, pirated software websites and blatantly criminal
 services.

 We assume that every law enforcement agency with a cyber-crimes
 division has a dossier bursting at the seams on Atrivo/Intercage and
 its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
 question on everyone's mind is which agency will beat the others to
 shutting the whole place down

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
It's actually starting to look like WHT.

On Wed, Sep 24, 2008 at 1:35 AM, Pedram M [EMAIL PROTECTED] wrote:


 define:nanog

 North American Network Operators Group A membership organization that
 provides for the exchange of technical information among public, commercial
 ...

 I think this conversation should have ended way long time ago.

 My $0.50 cents + $1.00 or $2

 Regards,
 Pedram


 On Wed, Sep 24, 2008 at 1:29 AM, Russell Mitchell [EMAIL PROTECTED]wrote:

 Hello Mark,

 What's YOUR motivation to consistently attack my company?

 What's my motivation to continue working @ InterCage?
 To keep a roof over my family's heads, and to keep them well-fed:
 1.) Myself
 2.) My Wife
 3.) My near 2 year old Son (November)
 4.) My near 3 week old Daughter (Born Sept. 4th)

 It's great that you finally accepted the claim of InterCage being
 associated with the famed RBN as being alleged.
 You've taken the first step into seeing how much BS information has been
 spread out about our company.

 Whether you support me in my anti-abuse endeavor or not, as long as you
 get FACTUAL information, I'm happy.
 However someday, I trust you will find and accept the truth about
 InterCage. From what I see now from the claims you're making, that day may not
 come soon.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.

 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow 
 [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 1:14:01 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Oh I got the memo, you'll be getting served one soon too.

 I just wonder why you don't consider playing both sides of the fence
 -- with your
 knowledge of who's who in the cyber crime field, you could probably get
 paid
 more as an informant (either to LEO or one of the Intel companies) than
 whatever you're doing for Emil and (allegedly) the RBN. You can't
 possibly
 sleep well knowing what you're up to now so I figure it's the money that
 motivates you.

 Or, maybe you don't really know anyone, you just respond to their demands
 and
 they end up with all the money, pr0n chicks, etc. Doesn't that bother
 you -- don't
 you want more?

 Plus, no one would know you were pulling two pay checks -- you manage
 systems
 on one side and pass info to the other. It's actually fairly simple --
 maybe you already
 know this ;).

 If not, please explain this:

 http://www.spamhaus.org/news.lasso?article=636

 Without exception, all of the major security organizations on the
 Internet agree that the 'Home' of cybercrime in the western world is a
 firm known as Atrivo/Intercage, based in California. We ourselves have
 not come to this conclusion lightly but from many years of dealing
 with criminal operations hosted by Atrivo/Intercage, gangs of
 cybercriminals - mostly Russian and East European but with several US
 online crime gangs as well - whose activities always lead back to
 servers run by Atrivo/Intercage. We have lost count of the times we
 have tracked a major virus botnet's command and control to
 Atrivo/Intercage servers, readers can view here some of the current
 and historic SBL records for Atrivo for a taste of what has been
 happening in this network. At almost every Internet security
 conference, or law enforcement seminar on cyber-crime, a presentation
 will detail some attack, exploit, phish or financial crime that has
 some nexus at Atrivo/Intercage.

 The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
 playing the surprised janitor, unaware of every new criminal
 enterprise found on his servers and keen to show he gets rid of some
 criminals once their activities on his network are exposed. His
 Internet hosting career first came to the attention of most anti-abuse
 organizations when he pinched (or 'purchased stolen goods' as he put
 it) and routed an unused block of 65,536 IP addresses belonging to the
 County of Los Angeles.

 Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
 Atrivo/Intercage and its related networks in the last 3 years alone,
 all of which involved criminal operations such as malware, virus
 spreaders and botnet command and control servers. Malware found by
 Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
 months included the Storm Worm installer and controller and a MySpace
 spambot amongst others. Spamhaus currently sees a large amount of
 activity related to malicious software and exploits being hosted on
 Atrivo/Intercage which include DNS hijack malware, IFRAME browser
 attacks, dialers, pirated software websites and blatantly criminal
 services.

 We assume that every law enforcement agency with a cyber-crimes
 division has a dossier bursting at the seams on Atrivo/Intercage and
 its tentacles such as Esthost, Estdomains, Cernel, Hostfresh

RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread michael.dillon
 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Michael,

THANK YOU for the Intervention.

If anyone would like to continue the chats, drop me an email, and we can 
continue talks OFF NANOG.

Thank you all very much for your time and careful consideration into the issues 
we're having. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.



- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: nanog@nanog.org
Sent: Wednesday, September 24, 2008 2:23:01 AM
Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon







Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Gadi Evron

On Wed, 24 Sep 2008, Russell Mitchell wrote:

Hello Mark,

What's YOUR motivation to consistently attack my company?


I don't know this Mark, but it seems like he is copying your strategy of 
stay up last and you win as you both make little sense.


Gadi.




What's my motivation to continue working @ InterCage?
To keep a roof over my family's heads, and to keep them well-fed:
1.) Myself
2.) My Wife
3.) My near 2 year old Son (November)
4.) My near 3 week old Daughter (Born Sept. 4th)

It's great that you finally accepted the claim of InterCage being associated with the famed 
RBN as being alleged.
You've taken the first step into seeing how much BS information has been spread 
out about our company.

Whether you support me in my anti-abuse endeavor or not, as long as you get 
FACTUAL information, I'm happy.
However someday, I trust you will find and accept the truth about InterCage. 
From what I see now from the claims you're making, that day may not come soon.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

- Original Message 
From: Mark Foo [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL PROTECTED]; 
nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 1:14:01 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the Intel companies) than
whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
sleep well knowing what you're up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:

http://www.spamhaus.org/news.lasso?article=636

Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's command and control to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the surprised janitor, unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal
services.

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Joe Greco
 Hello Joe,
 
 If we can't power down the machine, due to evidence loss, and we 
 can't nullroute the IP, since, as stated, some malware will delete 
 itself or alter itself when Net Access is lost,
 can we then filter a single port, in the case of spam, phishing, etc.?

You can do whatever you need to, of course.  The right thing to do is
not always immediately apparent.  Some time looking at the traffic on
a mirror port (etc) can provide useful clues about how to proceed to
an experienced professional.

Unfortunately, my experience suggests that handling incidents on the
datacenter side is a somewhat different skill set than handling the
sorts of incidents that are commonly found on consumer Internet 
connections.  The relative value of an infected machine approaches
zero, while the value of a controlling system is fairly high, which
implies that more effort may have been put into active defenses, which
in turn implies other things.  The Geek Squad or other Nerds On
Wheels services are probably not going to be able to effectively 
clean off an impacted server, much less determine useful and clever
ways to analyze what is going on, which is where it pays to have someone
with contacts into the security community.

Alas, I believe that all of this basic stuff should be immediately 
obvious and familiar to those in the hosting community, which leads me
to other questions that are more along the lines of what others have
been asking in this thread, and probably not relevant to NANOG.  

In the event that you are what you claim to be, rather than what many
believe you to be based on past history and appearances, you would be
well advised to make some contacts within the security community, and
be prepared to acquire some expensive advice the next time you have
an incident.  You would need more help than you're going to be able to
get on NANOG.

And if you're what many people seem to think, well, tough.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread James Thomas

Very well said.

James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 24, 2008 5:23 AM
To: nanog@nanog.org
Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Rich Kulawiec
On Wed, Sep 24, 2008 at 04:19:16AM -0400, Paul Wall wrote:
 Thanks to the efforts of the people on this list, you've known
 Estdomains/Esthost was bad news for several weeks or more.
 
 Why are you only now shutting them down?

several weeks?  Try several years.  And do note the rationale
(below) for the refusal to shut them down.

 From [EMAIL PROTECTED] Sun Sep  4 13:58:23 EDT 2005
 Newsgroups: news.admin.net-abuse.blocklisting
 From: [EMAIL PROTECTED]
 Subject: Re: Atrivo/InterCage Abuse
 Date: Fri, 2 Sep 2005 19:51:13 GMT
 
 Hello fhh,
 
 There is no network of esthost. The network in which Esthost resides
 is our network. Esthost is one of our larger clients, They are very
 successful in the industry of web hosting and domain registration. They
 just recently became an ICANN Accredited Registrar. I won't comment on
 why they're so successful... But for some, that may be obvious.
 
 I believe an investigation by law enforcement is a very corrective
 step... That would definitely clean Esthost up.
 
 I can honestly say, there are 2 of our major clients who are very
 successful... and with both of those comes occasional abuse. On one,
 it's the occasional spam via exploit. The other... Esthost... Well... A
 lot worse abuse than just spam.
 
 One of the things I find quite ridiculous is people have taken all of
 our business emails from whois etc, and placed them in spam runs. How
 stupid can you get?... Honestly! You have never received a spam email
 that came from our business servers... Our clients (like EVERY other
 companies' clients) do get the abuse of spam from their servers. For all
 of our clients (esthost aside)... This is not very often. We can't
 please everyone. We try... But when you have to go through and work
 with a client like esthost who doesn't quite take abuse too
 seriously... and the only other thing you can do is null their client's
 server it's hard to get a correct action taken. The correct
 action on any intentional spammer is to be immediately removed. As well
 as intentional virii distributors. This is seen with iframecash.biz...
 We took reports from P Thompson and demanded their removal... That
 appeared to be resolved... and then they pop up again.
 
 If I had the ability... I would cut Esthost as a client... But, in
 doing so, it causes nearly a quarter if not half of the company's
 monthly revenue to be cut. That is not too good of a move nor
 reasonably possible ;)
 
 People consider Atrivo/InterCage to be some abuse supporting company...
 If only any of you knew what the position would be in a company our
 size.
 
 It's not as easy as you believe it to be ;)
 
 Thank you for your time. Have a great day.
 
 --
 Russell Mitchell - Russ[at]Atrivo.com
 Atrivo Technologies
 



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Wall
On Wed, Sep 24, 2008 at 12:13 AM, Russell Mitchell [EMAIL PROTECTED] wrote:
 Hello Paul,

 Those are their IP Blocks. We were simply routing them, as they were our 
 client.
 They've owned these blocks for quite a while. They seem to have moved that 
 after a day of being down.

You're not very good at this, are you? For future reference, when
you're trying to pretend like you've cleaned up your act and someone
asks you why your second largest cyber criminal customer is no longer
on your network, you say "we kicked them off for abuse too", not "they
left us after a day of being down due to outages caused by our hosting
of an even bigger criminal".

Drive Slow,
Paul Wall



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Wall
Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

I'd contact them, only they seem to change CTOs every month or two,
does anybody know who's currently in charge?

Thank you, and Drive Slow,
Paul Wall



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

Well, their management team is listed here:

http://www.unitedlayer.com/team.html

- ferg

On Tue, Sep 23, 2008 at 5:46 PM, Paul Wall [EMAIL PROTECTED] wrote:
 Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

 I'd contact them, only they seem to change CTOs every month or two,
 does anybody know who's currently in charge?

 Thank you, and Drive Slow,
 Paul Wall






-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello All,

It seems you all missed the memo.
As of about 11PM PST Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer have ANY Machine on my network.

I'm currently starting to monitor some of the public media, such as google, DroneBL, as well as several Anti-Malware community websites for abuse.

Being that Esthost is now entirely GONE, we should not have any further issues.
In the case that something does arise, such as an exploited host, we're currently developing a game plan for response to the issues.
To make the best effort towards combatting abuse on our network, here's what I have planned so far for ANY Type of abuse:
Step 1, Suspend Power to the affected machine.
Step 2, Call/Email the client whom the affected machine is leased to.
Step 3, Allow the client the option to investigate the machine further (Nullroute access via KVM)
Step 4, Verify the reported content, domain, user, or exploit is patched/eliminated from the machine.
Step 5, Remove the Nullroute. Allow the machine to return to the network.

Any comments?

This is the result of a zero tolerance policy regarding abuse. If it's clear that the server owner is the cause of the abusive material etc, the client will then be immediately cancelled. No questions.

It seems that this approach will be the best supported by the anti-abuse communities, so please let me know your input.

Thank you for your time. Have a great day.
---
Russell Mitchell

InterCage, Inc.


- Original Message 
From: Paul Wall [EMAIL PROTECTED]
To: Mark Foo [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 5:46:58 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

I'd contact them, only they seem to change CTOs every month or two,
does anybody know who's currently in charge?

Thank you, and Drive Slow,
Paul Wall




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Joe Greco
 Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
  Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
 ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
 e of the public media, such as google, DroneBL, as well as several Anti-Mal=
 ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
 ly GONE, we should not have any further issues.=0AIn the case that somethin=
 g=A0does arise, such as an exploited host, we're currently developing a gam=
 e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
 mbatting=A0abuse on our network, here's what I have planned so far for ANY =
 Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
  Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
 low the client=A0the option to=A0investigate the machine further (Nullroute=
  access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
 r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
 Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
 ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
  If it's clear that the server owner is the cause of the abusive material e=
 tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
 =0AIt seems that this approach will be the best supported by the anti-abuse=
  communities, so please let me know your input.=0A=0AThank you for your tim=
 e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
 =0A=0A- Original Message =0AFrom: Paul Wall [EMAIL PROTECTED]=
 =0ATo: Mark Foo [EMAIL PROTECTED]=0ACc: [EMAIL PROTECTED]: Tues=
 day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
 : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
 UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
 th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
 nd Drive Slow,=0APaul Wall=0A=0A=0A  

Speaking of missing memos...  mailing lists are not highly compatible 
with HTML or some clients that like to encode list mail.  The above is 
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened 
to the system, and may damage the system.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
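Joe's "firewall rule or two" for a box that is only emitting outbound spam, written as a JunOS firewall filter (the platform Russell says later in the thread that he is running). This is an added example, not anything posted in the thread; the host address 192.0.2.10, the interface ge-0/0/1 and the filter and counter names are assumed placeholders. The filter is applied inbound on the port facing the host, so the host keeps its connectivity (and its evidence) while its SMTP traffic is dropped, counted and logged.

```junos
/* Added example: quarantine one spamming host without cutting power or
   nullrouting it. Applied "input" on the interface facing the host, so it
   acts on traffic the host sends; everything else still flows, which avoids
   triggering malware that cleans itself up when it loses connectivity. */
firewall {
    family inet {
        filter QUARANTINE-SMTP-192-0-2-10 {
            /* Drop, count and log outbound mail from the one affected host. */
            term drop-outbound-smtp {
                from {
                    /* placeholder: the affected machine */
                    source-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    /* SMTP, SMTPS and submission */
                    destination-port [ 25 465 587 ];
                }
                then {
                    /* counter for "show firewall filter ..." */
                    count quarantine-smtp-hits;
                    /* entries for "show firewall log" */
                    log;
                    discard;
                }
            }
            /* Every other packet on this port (other hosts, non-SMTP
               traffic from the quarantined host) is left untouched. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}

interfaces {
    /* placeholder: the port facing the affected host */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input QUARANTINE-SMTP-192-0-2-10;
                }
            }
        }
    }
}
```

Check what the host is still trying to send with `show firewall filter QUARANTINE-SMTP-192-0-2-10` and `show firewall log`; swap `discard` for `reject` only if you want the sending process to see the failure immediately.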



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Christopher Morrow
please do not email in html format... yikes! Russ, could you re-mail
whatever content you just sent, in plain text?

On Tue, Sep 23, 2008 at 11:07 PM, Russell Mitchell [EMAIL PROTECTED] wrote:

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Christopher Morrow
On Tue, Sep 23, 2008 at 11:20 PM, Joe Greco [EMAIL PROTECTED] wrote:

 I would suggest a different Step 1.  Instead of killing power, simply
 isolate the affected machine.  This might be as simple as putting up a
 firewall rule or two, if it is simply sending outgoing SMTP spam, or

it's probably easiest (depending on the network gear of course) to
just put the lan port into an isolated VLAN. It's not the 100%
solution (some badness rm's itself once it loses connectivity to the
internets) but it'd make things simpler for the client/LEA when they
need to figure out what happened.

-chris



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Bruce Williams
using bolt cutters on cables has a certain satisfaction...






Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Apologies, Yahoo was set to Rich Text :(

-

Hello All,

It seems you all missed the memo. As of about 11PM PST
last night 09/22/08, Esthost has been ENTIRELY Shutdown.
They no longer have ANY Machine on my network.

I'm currently starting to monitor some of the public media, such as google, 
DroneBL, as well as several Anti-Malware community websites for abuse.
Being that Esthost is now entirely GONE, we should not have any further issues.
In the case that something does arise, such as an exploited host, we're 
currently developing a game plan for response to the issues. 

To make the best effort towards combatting abuse on our network, here's what I 
have planned so far for ANY Type of abuse:
Step 1, Suspend Power to the affected machine.
Step 2, Call/Email the client whom the affected machine is leased to.
Step 3, Allow the client the option to investigate the machine further 
(Nullroute access via KVM)
Step 4, Verify the reported content, domain, user, or exploit is 
patched/eliminated from the machine.
Step 5, Remove the Nullroute. Allow the machine to return to the network. 

Any comments? This is the result of a zero tolerance policy regarding abuse.

If it's clear that the server owner is the cause of the abusive material etc, 
the client will then be immediately cancelled. No questions. 
It seems that this approach will be the best supported by the anti-abuse 
communities, so please let me know your input.

Thank you for your time. Have a great day.

---
Russell Mitchell
InterCage, Inc.


  




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

Hi Russ,

While I think that is great and everything, can you explain why Cernel is
now originating prefixes which were originally originated by
Atrivo/Intercage?

I'd be curious as to your explanation.

Thanks,

- ferg




-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

It may be true that Estdomains has moved a couple of the external-facing
hosting hosts into a Netherlands hosting provider in conjunction with
this whole situation -- folks are watching very carefully.

estdomains.com A 94.102.49.3
storefront.estdomains.com A 94.102.49.5
www.estdomains.com A 94.102.49.4
www.estsecure.com A 94.102.49.5

AS  | IP   | AS Name
29073   | 94.102.49.3  | ECATEL-AS AS29073, Ecatel Network



DNSLogger:

estdomains.com   A  94.102.49.3
estdomains.com   A  216.255.176.238
estdomains.com   NS ans1.esthost.com
estdomains.com   NS ans2.esthost.com
estdomains.com   NS temp1.estdomains.com
estdomains.com   NS ns1.estdomains.com
estdomains.com   NS temp2.estdomains.com
estdomains.com   NS ns2.estdomains.com

http://www.bfk.de/bfk_dnslogger.html

Thanks,

- ferg

On Tue, Sep 23, 2008 at 9:05 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:
 Apologies, Yahoo was set to Rich Text :(

 -

 Hello All,

 It seems you all missed the memo.As of about 11PM PST
 Last night 09/22/08, Esthost has been ENTIRELY Shutdown.
 They no longer have ANY Machine on my network.



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello Paul,

Those are their IP Blocks. We were simply routing them, as they were our client.
They've owned these blocks for quite a while. They seem to have moved that 
after a day of being down.

I haven't been monitoring their blocks, and made the decision Sunday Night that 
they were no longer going to be allowed on our network.
I believe the blocks you're referring to are their 85.255 Blocks? Registered to 
InHoster. I believe those prefixes are an entity of theirs, though I don't 
know for sure. Perhaps ask them?
Cernel is their own ASN. It's not associated with our company.

Thank you for your time. Have a great day. 
---
Russell Mitchell

InterCage, Inc.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello Joe,

If we can't power down the machine, due to evidence loss, we can't nullroute 
the IP either, as stated, since some malware will delete itself or alter itself 
when Net Access is lost.
Now, can we filter a single port, in the case of spam, phishing, etc?

I'll look further into the JunOS. I'm not too familiar with the rules on the 
Juniper, so I'll take a look further, and see how to achieve this on a single 
IP rather than the network.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.



- Original Message 
From: Joe Greco [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 8:20:18 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Speaking of missing memos...  mailing lists are not highly compatible 
with HTML or some clients that like to encode list mail.  The above is 
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened 
to the system, and may damage the system.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
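The per-host, per-port filter that Russell says he will look into on the Juniper, and that Joe suggests in place of pulling power, can take the following shape. This is an added example, not configuration from InterCage, Joe Greco or anyone else on this thread: a JunOS firewall filter applied as an input filter on the interface facing the leased servers, so it sees the host's outbound traffic. It discards only TCP/25 from one /32 and accepts everything else from every host, which keeps the machine powered and reachable for forensics (and leaves the out-of-band KVM path alone) while stopping the spam. The interface name ge-0/0/1, the host address 192.0.2.10 (documentation range) and the filter and counter names are assumptions.

```junos
firewall {
    family inet {
        /* Added example; filter and counter names are assumptions. */
        filter CONTAIN-HOST {
            /* Drop only the abusive traffic class (outbound SMTP here) from the one affected host.
               Matching on source-address 192.0.2.10/32 (assumed) instead of the whole prefix is
               what makes this per-IP rather than per-network. */
            term drop-smtp-from-host {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    destination-port 25;
                }
                then {
                    /* count and log keep evidence that the host is still trying to send. */
                    count contain-host-smtp;
                    log;
                    discard;
                }
            }
            /* Every other packet from every host on this port is untouched. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed interface facing the leased servers; "input" means packets arriving from them. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input CONTAIN-HOST;
                }
            }
        }
    }
}
```

After commit, `show firewall filter CONTAIN-HOST` shows the contain-host-smtp counter climbing if the machine is still trying to send mail, which is useful to the client or LEA doing the investigation. For anything other than a single well-known port, the same filter gets an additional term per port or protocol; a term that discards all traffic from the /32 would also work, but then the host loses connectivity entirely and you are back to the self-deleting malware problem that rules out the nullroute.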








Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, Sep 23, 2008 at 10:13 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:

 I believe the blocks you're referring to are their 85.255 blocks?
 Registered to InHoster. I believe those prefixes are an entity of
 theirs, though I don't know for sure. Perhaps ask them?


Thanks, that's right -- Inhoster. Operating out of Odessa and blacklisted
virtually everywhere.

Cheers,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2dV3q1pz9mNUZTMRAvOwAKCQtLCPC+ZC3M1SVErh8kYGJ3Zp5ACaA/sE
eHXtt63emWJNy/0NnVAuI6o=
=xUzo
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Atrivo/Intercage: NO Upstream depeer

2008-09-22 Thread Paul Wall
Emil,

If you've actually shut off the RBN, you should have no problem
finding some new transit to turn up, right?

We're in a buyer's market, and there are dozens of vendors on-net at
200 Paul who'd love a piece of your business.

Drive Slow,
Paul Wall

On Sun, Sep 21, 2008 at 3:20 PM, Emil Kacperski [EMAIL PROTECTED] wrote:
 Hello,

 It's true that David from PIE disconnected our link approx 9pm or so 
 yesterday.  Things were going perfect, no complaints for a few weeks now.  
 The only thing I believe is that NTT gave lots of pressure to PIE.  For some 
 unknown reason when I tried to reach out to the security guy at NTT he 
 basically said our contract is with PIE.

 So in a time like this you really get to know who your friends are and who 
 should be avoided.

 Onward and upward!  What doesn't kill you only makes you stronger ;-).  Just 
 feel bad for the customers for which I am truly sorry for right now ;-(.

 Thanks!

 Contact: Emil Kacperski

 Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

 E-Mail:  [EMAIL PROTECTED]

 Phone:   925-550-3947

 ICQ: 23531098







YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-22 Thread Mark Foo
On Sun, Sep 21, 2008 at 12:46:54PM -0700, Emil Kacperski wrote:
 Hey James,

 That's the worst part in all this, so many been with me for years!? I just
put my fate into companies I shouldn't have.

Emil:

Yes, they have been with you for years -- it's quite unfortunate, such great
customers.

Take those customers who steal identity from the public -- did you get a
cut, or just the hosting fees?

Next, move to those who host trojans, rogue antivirus, bill people for fake
software (and keep billing them), etc. Oh, and the ad-ware: despite being a lower
security risk, it was some of the most hated stuff out there.

I'd say you have put your fate into companies you shouldn't have -- not just
your fate but your business. This is the logical result (actually, this is just
the start). I'm surprised it took so long.

You can't wash away years of malicious activity by simply claiming innocence
and disconnecting some of your worst offenders.

Male parta male dilabuntur. (Ill-gotten gains are ill-spent.)


For the NANOG folks who apparently don't understand what is going on and are
so easily socially engineered by these claims of innocence -- do a little
research:

http://www.google.com/search?hl=enq=intercage+malware
http://www.google.com/search?hl=enq=atrivo+malware


Here's some research for you:
Complaints on Intercage/Atrivo from 2003:
Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html


From 2006:
More super rogue anti-spyware
http://updates.zdnet.com/tags/intercage.com.html

Be on the lookout for another new supposed anti-spyware program that might
be hijacking desktops any day now.
This one is called PestTrap and it.s a clone of SpySheriff. SpySheriff was
one of the top 10 rogue anti-spyware apps of 2005,
coming in at number 2.

PestTrap site is hosted at IP address 69.50.167.173 which belongs to an ISP
in California, InterCage, Inc., formerly known as Atrivo.  Note the nameservers
are mail.atrrivo.com and pavel.atrivo.com.

OrgName:    InterCage, Inc.
OrgID:      INTER-359
Address:    1955 Monument Blvd.
Address:    #236
City:       Concord
StateProv:  CA
PostalCode: 94520
Country:    US

Not surprisingly, SpySheriff.com (link to whois) is hosted at InterCage, and
we have SpyTrooper.com on the same
IP address, 69.50.170.82. The other domain on the IP is Spy-Sheriff.com.
This IP is also currently blacklisted.

InterCage, Inc. INTERCAGE-NETWORK-GROUP (NET-69-50-160-0-1)
  69.50.160.0 - 69.50.191.255
William Lu STANDARDSHELLS (NET-69-50-170-0-1)
  69.50.170.0 - 69.50.170.255

The Intercage.com (link to site) home page is white and blank except for .
in the upper left corner.  Now, that seems odd to me.
An ISP with a blank homepage? Google searches for Intercage.com and
Intercage, Inc. bring up all kinds of interesting links.
A Google search for Atrivo produces even more  fascinating information like
this and this.  More on this one later.


Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Hello,

It's true that David from PIE disconnected our link approx 9pm or so 
yesterday.  Things were going perfect, no complaints for a few weeks now.  The 
only thing I believe is that NTT gave lots of pressure to PIE.  For some 
unknown reason when I tried to reach out to the security guy at NTT he 
basically said our contract is with PIE.

So in a time like this you really get to know who your friends are and who 
should be avoided.

Onward and upward!  What doesn't kill you only makes you stronger ;-).  Just 
feel bad for the customers for which I am truly sorry for right now ;-(.

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread James Thomas
Emil,

You have a lot of loyal legit customers. What are your plans?  Seems like you're
taking action against the bad clients, which is great. Where does this leave
Intercage? You seeking alternative routes currently? Offering refunds to
those loyal clients? 


James

-Original Message-
From: Emil Kacperski [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 21, 2008 3:20 PM
To: nanog@nanog.org
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Hello,

It's true that David from PIE disconnected our link approx 9pm or so
yesterday.  Things were going perfect, no complaints for a few weeks now. 
The only thing I believe is that NTT gave lots of pressure to PIE.  For some
unknown reason when I tried to reach out to the security guy at NTT he
basically said our contract is with PIE.

So in a time like this you really get to know who your friends are and who
should be avoided.

Onward and upward!  What doesn't kill you only makes you stronger ;-).  Just
feel bad for the customers for which I am truly sorry for right now ;-(.

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098


  




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Laurence F. Sheldon, Jr.

Emil Kacperski wrote:


It's true that David from PIE disconnected our link approx 9pm or so
yesterday.  Things were going perfect, no complaints for a few weeks
now.  The only thing I believe is that NTT gave lots of pressure to
PIE.  For some unknown reason when I tried to reach out to the
security guy at NTT he basically said our contract is with PIE.



Some days the dragon wins, some days the knight does.



RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Hey James,

That's the worst part in all this, so many been with me for years!  I just put 
my fate into companies I shouldn't have.  NLayer was bought and Liteup held 
control of the SF pop, who is fully at the mercy of NLayer / ServerCentral.  
WVFiber was bought by Host.NET and Randy simply made a choice.  And David from 
PIE I knew who he was from others but hey he has been at the datacenter with me 
for a number of years, so I gave him the benefit of the doubt.

Spamhaus a few days ago added his IPs as a /22.  And surprise, surprise, now 
it's a /32!

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906

David didn't even have the balls to contact me and let me know what happened.  
Has ignored any phone calls, etc.  Just told his router admin not to do 
anything without his approval.  In fact his technician acted at first as if he 
didn't know what happened.

Just need to put all this behind me.  

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Had you responded to the hundreds of abuse complaints over the years
this would not have happened.

Sorry, no sympathy for you or the customers not smart enough to move
over the last few years of very overt negative news about you.

Matt

Emil Kacperski wrote:
 Hey James,
 
 That's the worst part in all this, so many been with me for years!  I just 
 put my fate into companies I shouldn't have.  NLayer was bought and Liteup 
 held control of the SF pop, who is fully at the mercy of NLayer / 
 ServerCentral.  WVFiber was bought by Host.NET and Randy simply made a 
 choice.  And David from PIE I knew who he was from others but hey he has been 
 at the datacenter with me for a number of years, so I gave him the benefit of 
 the doubt.
 
 Spamhaus a few days ago added his IPs as a /22.  And surprise, surprise, now 
 it's a /32!
 
 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906
 
 David didn't even have the balls to contact me and let me know what happened. 
  Has ignored any phone calls, etc.  Just told his router admin not to do 
 anything without his approval.  In fact his technician acted at first as if he 
 didn't know what happened.
 
 Just need to put all this behind me.  
 
 Thanks!
 
 Contact: Emil Kacperski
 
 Company: Intercage Inc. - Atrivo
 
  Dedicated Servers
 
  San Francisco Datacenter
 
 E-Mail:  [EMAIL PROTECTED]
 
 Phone:   925-550-3947
 
 ICQ: 23531098
 
 
   

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Matt,

Don't believe everything you read.  I have unfortunately been a target over the 
years because I rented machines to Esthost.  But the stories made up are way out 
there. It's all very easy: a dedicated server / customer relationship - nothing more.

Never did I ignore anymore from the abuse community.  Go ahead and find me
an IP address that did any spam or anything.  You won't find it; I can't remember
the last time I got any Spamcop complaints.  Not even going to mention Spamhaus
because we all know their abuse.

We asked a handful of Intercage's most vocal critics if they sent take
down requests to Kacperski. None said yes. In his defense, what may
have finally happened is that malware researchers stopped bothering to
report abusive sites, Eckelberry says.

None said YES!  That pretty much sums it all up.  Maybe I could have reached out
more, I guess that was my mistake.  But it surely is impossible to deal with if
you have to deal with people like John Reid.

Thanks!  

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Patrick W . Gilmore

On Sep 21, 2008, at 4:21 PM, Emil Kacperski wrote:


Don't believe everything you read.


Most excellent advice.

[SNIP]

--
TTFN,
patrick




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch
Considering the years of abuse, DNSBL listings, ROKSO listings, further 
abuse, and silence at the abuse switch, I _CERTAINLY_ would not send 
Atrivo abuse reports, I would send them to the upstreams instead.  
Considering the almost 40 page white paper produced last month on the 
abuse from Atrivo, for me to change this practice, I would require:
* a rapid, and verifiable response from Atrivo here over some 
period of time exceeding several months, and continuing thereafter,
* the clearing of SBL/ROKSO records, and
* a general reduction of abuse emanating from Atrivo.

Andrew


Emil Kacperski wrote:

Matt,

Don't believe everything you read.  I have unfortunately been a target over the 
years because I rented machines to Esthost.  But the stories made up are way out 
there. It's all very easy: a dedicated server / customer relationship - nothing more.

Never did I ignore anymore from the abuse community.  Go ahead and find me
an IP address that did any spam or anything.  You won't find it; I can't remember
the last time I got any Spamcop complaints.  Not even going to mention Spamhaus
because we all know their abuse.

We asked a handful of Intercage's most vocal critics if they sent take
down requests to Kacperski. None said yes. In his defense, what may
have finally happened is that malware researchers stopped bothering to
report abusive sites, Eckelberry says.

None said YES!  That pretty much sums it all up.  Maybe I could have reached out
more, I guess that was my mistake.  But it surely is impossible to deal with if
you have to deal with people like John Reid.

Thanks!  


Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098


  
  





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread William Pitcock
Greetings,

I can further vouch for this... an unusually large amount of botnets
reported to DroneBL have command and control servers on Atrivo's
network.

With the amount of listings and reports I get, it is obvious that Atrivo
does not care about the abuse@ inbox... which is unfortunate.

William

On Sun, 2008-09-21 at 16:49 -0400, Andrew D Kirch wrote:
 Considering the years of abuse, DNSBL listings, ROKSO listings, further 
 abuse, and silence at the abuse switch, I _CERTAINLY_ would not send 
 Atrivo abuse reports, I would send them to the upstreams instead.  
 Considering the almost 40 page white paper produced last month on the 
 abuse from Atrivo, for me to change this practice, I would require:
  * a rapid, and verifiable response from Atrivo here over some 
 period of time exceeding several months, and continuing thereafter,
  * the clearing of SBL/ROKSO records, and
  * a general reduction of abuse emanating from Atrivo.
 
 Andrew
 
 
 Emil Kacperski wrote:
  Matt,
 
  Don't believe everything you read.  I have unfortunately been a target over 
  the years because I rented machines to Esthost.  But the stories made up are way out 
  there. It's all very easy: a dedicated server / customer relationship - nothing 
  more.
 
  Never did I ignore anymore from the abuse community.  Go ahead and find me
  an IP address that did any spam or anything.  You won't find it, I can't 
  remember the last time I got any Spamcop complaints.  Not even going to mention 
  Spamhaus because we all know their abuse.
 
  We asked a handful of Intercage's most vocal critics if they sent take
  down requests to Kacperski. None said yes. In his defense, what may
  have finally happened is that malware researchers stopped bothering to
  report abusive sites, Eckelberry says.
 
  None said YES!  That pretty much sums it all up.  Maybe I could have reached 
  out more, I guess that was my mistake.  But it surely is impossible to deal 
  with if you have to deal with people like John Reid.
 
  Thanks!  
 
  Contact: Emil Kacperski
 
  Company: Intercage Inc. - Atrivo
 
   Dedicated Servers
 
   San Francisco Datacenter
 
  E-Mail:  [EMAIL PROTECTED]
 
  Phone:   925-550-3947
 
  ICQ: 23531098
 
 


 
 




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Emil Kacperski wrote:
 Don't believe everything you read.  I have unfortunately been a target over 
 the years because I rented machines to Esthost.  But the stories made up are way out 
 there. It's all very easy: a dedicated server / customer relationship - nothing more.

I don't have to believe what I read. I did the research, and I helped
write the reports. Have to say I'm VERY proud of contributing to getting
you offline.

It's not just estdomains. In fact very little of them is related to you.
It's the botnet controllers, spam, phishing sites, etc. If you think
those things trivial then you need to remain offline.

 
 Never did I ignore anymore from the abuse community.  Go ahead and find me
 an IP address that did any spam or anything.  You won't find it, I can't 
 remember the last time I got any Spamcop complaints.  Not even going to mention 
 Spamhaus because we all know their abuse.
 

You ignored MY abuse complaints. You ignored MY emails to cooperate in
getting your net cleaned up. I have HUNDREDS of malware samples using
your nets as CnC just in the last few months! So rather than wasting my
time emailing your abuse blackhole I helped write a report about you.

Time well spent I think.

 We asked a handful of Intercage's most vocal critics if they sent take
 down requests to Kacperski. None said yes. In his defense, what may
 have finally happened is that malware researchers stopped bothering to
 report abusive sites, Eckelberry says.

They didn't ask me. I sent plenty. And if you read his full comments I'm
sure he goes on to say because they were tired of having their time
wasted by you ignoring them for YEARS!

But this thread isn't what nanog is for. We should end this here, until
Emil finds someone else willing to peer his crap. Then we can decide how
to get that handled.

Matt

 
 None said YES!  That pretty much sums it all up.  Maybe I could have reached out
 more, I guess that was my mistake.  But it surely is impossible to deal with 
 if you have to deal with people like John Reid.
 
 Thanks!  
 
 Contact: Emil Kacperski
 
 Company: Intercage Inc. - Atrivo
 
  Dedicated Servers
 
  San Francisco Datacenter
 
 E-Mail:  [EMAIL PROTECTED]
 
 Phone:   925-550-3947
 
 ICQ: 23531098
 
 
   

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all of 
the SBL Listings, all of the DNSBL Listings, and all of the abuse on our 
network has never had action taken.

-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for 
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't acted 
on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP 
Block.. There's NO Evidence of any abuse from PIE for the listing. How can they 
be labeled as a SPAM or Abuse Supporter after routing us for such a short 
time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller 
named Esthost. While their customer track record may not be a straight arrow, 
they've ALWAYS taken action on abuse we've received for machines leased to them 
(Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering false 
information and giving false reports to news media. What did that do? It gave 
us the opportunity to cancel service on EVERY Machine that an abuse was 
reported on. 
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work with 
the public and take in reports against Malware Customers, as that is what the 
news media was reporting was the issue. Over 20,000 Domains get suspended by 
EstDomains in a period of about a week. You're going to come back and say, Well 
Directi did it in about 2 days!. Yeah? Directi had it placed right on their 
desk! They didn't have to launch any campaign or go out and ask the COMMUNITY 
for it. The people behind those false reports on our company gave them a set of 
Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an 
outreach program. Community is giving support for it. 
We enact a zero tolerance policy for our entire network, this isn't made public 
aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the community, 
and Esthost. In the final stretch of that 1 month, we get blind-sided by 
Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from last 
night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named Igor, 
and Atrivo being the epicenter with such partners like InterCage. Did you 
forget? Emil has a split-personality, that's how they got their claim of 
InterCage being partnered with Atrivo. As though they're 2 separate entities! 
Good Research Matt, Jart, Garth, and all the others who've written about us 
recently!

Thank you all for your time and responses. Good or bad, we're reading them. 
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco, 
CA. We would only be so lucky!





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
William:
To date, I have never heard of the DroneBL. I have NEVER received any report 
from any entity referring to that. The last report for a bot on our network was 
an EggDrop bot a week or so ago. The report was from the IRC Network Operator, 
and asked to have it removed from his network because it seemed to 
be 'forgotten'. It was sitting in a dead channel that hasn't had any activity 
for months.
He did NOT claim any abuse.

I'll be more than happy to monitor DroneBL, or have digests or reports from 
them in regards to our network.

-

Matt:
It's very sad that you're PROUD of your contribution to the supposed white paper 
on our company. I'd like to know, was any of your contribution to the report 
altered, or mis-represented, or are you truly unaware of how false the 
information you provided was?
Care to have verified it? Or are you a Spamhaus admin like John Reid who has 
that magic stick to make a claim and attack anyone who objects to it with the 
truth?

If you want to see REAL Cyber Crime, take a look at what you caused Matt. Take 
a good look at Spamhaus, and tell me that they're entirely legitimate with 
their business. Oh, I forgot, they're a Not-for-profit organization that 
DOESN'T do business in the USA, nor has any clientele in the USA.

-

There is absolutely no sense in arguing and bickering over all this crap that 
you guys have caused with your misinformation and false claims.
I don't know how to make this any simpler: If you see abuse from our network, 
report it to US. If you report it to an upstream, they'll just drop it back 
down to us. Obviously, we can't do anything right now with our network being 
OFFLINE.. But I'm dying to see who comes up with some abuse that originated 
from our network in this downtime! Who will be first!? Spamhaus?

Thanks again for all your time and comments. Hopefully, you all will straighten 
up your act, because clearly and truthfully, we've been straight the entire time.
 ---
Russell Mitchell

InterCage, Inc.





RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread James Thomas

Russell,

I really think Atrivo/Intercage has been doing great after the reports
and community public action. I'm still puzzled as to why they are still
targeting you? I have a few friends who have machines with you, and they
run legitimate companies with over 4 machines.

Emil has done everything in his power to bring his network back to
normal operations. Looks great the past 2 weeks. I wish both of you the best
of luck; it's hard to determine who is a solid friend and who is not. Like
Emil said... It only will make you stronger.

James

-Original Message-
From: Russell Mitchell [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 21, 2008 5:54 PM
To: nanog@nanog.org
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all
of the SBL Listings, all of the DNSBL Listings, and all of the abuse on our
network has never had action taken.

-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't
acted on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP
Block.. There's NO Evidence of any abuse from PIE for the listing. How can
they be labeled as a SPAM or Abuse Supporter after routing us for such a
short time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller
named Esthost. While their customer track record may not be a straight
arrow, they've ALWAYS taken action on abuse we've received for machines
leased to them (Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering
false information and giving false reports to news media. What did that do?
It gave us the opportunity to cancel service on EVERY Machine that an abuse
was reported on. 
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work
with the public and take in reports against Malware Customers, as that is
what the news media was reporting was the issue. Over 20,000 Domains get
suspended by EstDomains in a period of about a week. You're going to come back
and say, Well Directi did it in about 2 days!. Yeah? Directi had it placed
right on their desk! They didn't have to launch any campaign or go out and
ask the COMMUNITY for it. The people behind those false reports on our
company gave them a set of Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an
outreach program. Community is giving support for it. 
We enact a zero tolerance policy for our entire network, this isn't made
public aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the
community, and Esthost. In the final stretch of that 1 month, we get
blind-sided by Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from
last night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named
Igor, and Atrivo being the epicenter with such partners like InterCage.
Did you forget? Emil has a split-personality, that's how they got their
claim of InterCage being partnered with Atrivo. As though they're 2 separate
entities! Good Research Matt, Jart, Garth, and all the others who've written
about us recently!

Thank you all for your time and responses. Good or bad, we're reading them.
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco,
CA. We would only be so lucky!


  




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Gadi Evron

On Sun, 21 Sep 2008, Russell Mitchell wrote:

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all of 
the SBL Listings, all of the DNSBL Listings, and all of the abuse on our 
network has never had action taken.


Don't kick someone when they are down. Okay.

I have but one question, why are you speaking to us all now, instead of 
last week or last month?


Gadi.



-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for 
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't acted 
on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP 
Block.. There's NO Evidence of any abuse from PIE for the listing. How can they 
be labeled as a SPAM or Abuse Supporter after routing us for such a short 
time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller 
named Esthost. While their customer track record may not be a straight arrow, 
they've ALWAYS taken action on abuse we've received for machines leased to them 
(Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering false 
information and giving false reports to news media. What did that do? It gave 
us the opportunity to cancel service on EVERY Machine that an abuse was 
reported on.
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work with the public 
and take in reports against Malware Customers, as that is what the news media was 
reporting was the issue. Over 20,000 Domains get suspended by EstDomains in a period of 
about a week. You're going to come back and say, Well Directi did it in about 2 
days!. Yeah? Directi had it placed right on their desk! They didn't have to launch 
any campaign or go out and ask the COMMUNITY for it. The people behind those false 
reports on our company gave them a set of Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an 
outreach program. Community is giving support for it.
We enact a zero tolerance policy for our entire network, this isn't made public 
aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the community, 
and Esthost. In the final stretch of that 1 month, we get blind-sided by 
Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from last 
night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named Igor, and 
Atrivo being the epicenter with such partners like InterCage. Did you forget? Emil has 
a split-personality, that's how they got their claim of InterCage being partnered with Atrivo. As 
though they're 2 separate entities! Good Research Matt, Jart, Garth, and all the others who've 
written about us recently!

Thank you all for your time and responses. Good or bad, we're reading them. 
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco, 
CA. We would only be so lucky!





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch

Gadi Evron wrote:

On Sun, 21 Sep 2008, Russell Mitchell wrote:

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk 
about all of the SBL Listings, all of the DNSBL Listings, and all of 
the abuse on our network has never had action taken.


Don't kick someone when they are down. Okay.

I have but one question, why are you speaking to us all now, instead 
of last week or last month?


Gadi.

I think he figured out that there's bite to go with the bark.

Andrew




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Russell Mitchell wrote:
 -
 
 Matt:
 It's very sad that you're PROUD of your contribution to the supposed white 
 paper on our company. I'd like to know, was any of your contribution to 
 the report altered, or mis-represented, or are you truly unaware of how false 
 the information you provided was?
 Care to have verified it? or are you a Spamhaus admin like John Reid who has 
 that magic stick to make a claim and attack anyone who objects to it with the 
 truth?

I'd love to, but nanog isn't the place. I'll be in san fran in the near
future. Let's sit down over a beer, I'll bring the research and you can
look it over yourself. That would be far more productive than this. I
think a few other folks would love to meet up with you as well. Maybe
Emil can join us too?

It's easy to insinuate from behind a keyboard. Let's get down to facts.

But take this off nanog. This is NOT the place for it. Let me know when
you'll be in town, I'll schedule my travel in that direction to meet up soon.

Matt

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch

Russell Mitchell wrote:

Andrew:
If you have seen how Spamhaus handles our resolved SBL Listings, you 
would know.
Those 6 listings have been resolved for a week now. John Reid and 
his goons only provide swift LISTINGS, _NOT_ delistings.



Possibly why they're so widely used.
 
In the past 12 months, I have received not 1 report of a botnet on our 
network.

Your e-mail is broken, or you're a liar, or both
Phishing pages are always nullrouted at the time of the report. The 
40 page report you keep referring to is a complete farse.

it's 'farce' but that couldn't matter less.
But, undoubtedly, you truly believe that there is an Atrivo and 
InterCage is a partner in crime to Atrivo huh?

Results *1* - *10* of about *26,900* for atrivo.
Results *1* - *10* of about *2,390* for *atrivo crime 
http://www.google.com/url?q=http://www.answers.com/crime&r=67&sa=X&oi=dict&ct=D&cd=1&ei=xdTWSInuLpKsgQKTjOTqCA&sig2=4_AAUrDMpVIAAFUehFoFNA&usg=AFQjCNFDtuAxxhp6jkB15m7JZih5ySf2RQ*.
Results *1* - *10* of about *1,880* for *atrivo fraud 
http://www.google.com/url?q=http://www.answers.com/fraud&r=67&sa=X&oi=dict&ct=D&cd=1&ei=1NTWSNGPG5XIhgKMyZzaCA&sig2=zfBNv_8RR8gu9QGtmQIoFg&usg=AFQjCNGithiupXgqQTx4_5iVimy3I7hDeA*.

Results *1* - *10* of about *1,100* for *atrivo phish*.

It seems that at least 26,900 people join me in the first fantasy, and 
6000 or so join me in the second.  Cult meetings are on Thursday, we'll 
sacrifice a spammer.

Anything else you'd like to throw at me here on NANOG?
Sure, but I haven't figured out how to hit someone with a two-by-four 
over the Internet. 
I truly feel that there are very FEW in the anti-abuse community 
that are smelling fresh air. If you knew where your head was, and where it 
should be, maybe this conversation and the happenings in the recent 
week would have actually given benefit to the internet in whole.
Atrivo/Intercage is off the Internet.  That sounds like Mission 
Accomplished to me.



I'm done now, there's clearly nothing I can do to impart a clue here.

Andrew



Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
Matt:
I've already put this offer up. I'll be more than happy to meet up at our 
datacenter and take you through our space.
What I find funny is, you're the first one who participated in the recent 
reports to actually take up and respond to us.
I've emailed Garth and Jart, and both of them refused to respond.

I emailed both of them requesting the same information they gave to Directi. If 
they were able to provide Directi with a list of 20,000+ domains from their 
control that were abusive, why can't they provide US directly with a single 1?

Then, release a joint-statement talking about how the companies need to come 
together to combat the abusive activities across the net, yet when we extend 
our hand and open up our network, we don't even get a response!

Directi went from being a partner in crime with us to being a great 
anti-abuse supporting company.. How can YOU claim that WE don't do anything, if 
you won't report your findings in the first place? Got recent stuff? Why are 
you willing to give it now that we're OFFLINE? What can we do about it NOW at 
this very minute?

You tell me when you're going to be in San Francisco, and I'll make myself 
available.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

P.S. I just realized all my responses to earlier people like Gadi and them were 
direct and not cc to NANOG. Will Reply to all now :)



- Original Message 
From: Matt Jonkman [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Sunday, September 21, 2008 4:02:15 PM
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Russell Mitchell wrote:
 -
 
 Matt:
 It's very sad that you're PROUD of your contribution to the supposed white 
 paper on our company. I'd like to know, was any of your contribution to 
 the report altered, or mis-represented, or are you truly unaware of how false 
 the information you provided was?
 Care to have verified it? or are you a Spamhaus admin like John Reid who has 
 that magic stick to make a claim and attack anyone who objects to it with the 
 truth?

I'd love to, but nanog isn't the place. I'll be in san fran in the near
future. Let's sit down over a beer, I'll bring the research and you can
look it over yourself. That would be far more productive than this. I
think a few other folks would love to meet up with you as well. Maybe
Emil can join us too?

It's easy to insinuate from behind a keyboard. Let's get down to facts.

But take this off nanog. This is NOT the place for it. Let me know when
you'll be in town, I'll schedule my travel in that direction to meet up soon.

Matt

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc