Re: Atrivo/Intercage

2008-09-25 Thread Paul Vixie
[EMAIL PROTECTED] writes:

> It could also be argued that pushing this activity into multiple
> legal jurisdictions just makes it darn near impossible for law
> enforcement to take any action.

and you'd be able to measure this exactly how?  instead of two
prosecutions a year that lead to plea bargains or short stints
in camp fed, we'd have even fewer prosecutions with even
lighter sentences?  and that's a bad thing exactly why?

let's push this stuff back into the nation-states who sponsor it
and then use treaties to wall it off inside those places.
-- 
Paul Vixie



RE: Atrivo/Intercage

2008-09-25 Thread michael.dillon
> It could be argued (since _is_ the North American Network
> Operators Group) that pushing this sort of criminal activity
> _out_ of North America is a good First Step to be able to
> better manage the situation.

It could also be argued that pushing this activity into multiple
legal jurisdictions just makes it darn near impossible for law
enforcement to take any action.

--Michael Dillon



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
NANOG:

Look, the people posting here who are trashing Intercage are pure security
analysts -- they know and understand the evil that is Intercage. STOP TRYING
TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.

Intercage/Atrivo hosts the malware C&C botnets that DDoS your systems and
networks.

Intercage/Atrivo hosts the spyware that compromises your users' passwords.

Intercage/Atrivo hosts the adware that slows your customers' machines.

Don't take my word for it, DO YOUR OWN RESEARCH:
http://www.google.com/search?hl=en&q=intercage+malware

You don't get called the ***American RBN*** for hosting a couple bad
machines. They have and will continue to host much of the malware pumped out
of America. THEY ARE NOT YOUR COMRADES.

These people represent the most HIGHLY ORGANIZED CRIME you will ever
come across. Most people were afraid to speak out against them until this
recent ground swell.

This is the MALWARE CARTEL. GET THE PICTURE?

Many links have been posted here that prove this already -- instead of
asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT --
because there are NONE.





> > I would suggest a different Step 1.  Instead of killing power, simply
> > isolate the affected machine.  This might be as simple as putting up a
> > firewall rule or two, if it is simply sending outgoing SMTP spam, or
> > it's probably easiest (depending on the network gear of course) to
> > just put the lan port into an isolated VLAN. It's not the 100%
> > solution (some badness rm's itself once it loses connectivity to the
> > internets) but it'd make things simpler for the client/LEA when they
> > need to figure out what happened.
> >
> > -chris




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, Sep 23, 2008 at 10:52 PM, Paul Ferguson [EMAIL PROTECTED]
wrote:

> On Tue, Sep 23, 2008 at 10:13 PM, Russell Mitchell [EMAIL PROTECTED]
> wrote:
>
> > I believe the blocks you're referring to are their 85.255 Blocks?
> > Registered to InHoster. I believe those prefixes are an entity of
> > theirs, though I don't know for sure. Perhaps ask them?
>
> Thanks, that's right -- Inhoster. Operating out of Odessa and blacklisted
> virtually everywhere.


Sorry, my last post on this issue.

As you may (or may not) know, Inhoster's domain(s) were suspended due to
criminal activity:

http://whois.domaintools.com/inhoster.com

The prefixes you mention were deliberately being originated by AS27595 up
until the recent kerfuffle and disconnect on Saturday night:

 Prefixes added and withdrawn by this origin AS in the past 7 days.

   - 64.28.176.0/20     Withdrawn
   - 67.210.0.0/21      Withdrawn
   - 67.210.8.0/22      Withdrawn
   - 67.210.14.0/23     Withdrawn
   - 69.22.162.0/23     Withdrawn
   - 69.22.168.0/21     Withdrawn
   - 69.22.184.0/22     Withdrawn
   - 69.31.64.0/20      Withdrawn
   - 69.50.160.0/19     Withdrawn
   - 85.255.113.0/24    Withdrawn
   - 85.255.114.0/23    Withdrawn
   - 85.255.116.0/22    Withdrawn
   - 85.255.120.0/23    Withdrawn
   - 85.255.122.0/24    Withdrawn
   - 216.255.176.0/20   Withdrawn
   - 216.255.176.0/22   Withdrawn
   - 216.255.180.0/22   Withdrawn
   - 216.255.184.0/22   Withdrawn
   - 216.255.188.0/22   Withdrawn

And they magically reappeared in Cernel (AS36445) almost immediately:

Prefix             AS Path
  64.28.187.0/24   12654 3257 36445
  67.210.12.0/23   12654 3257 36445
  85.255.112.0/20  12654 3257 36445
  93.188.161.0/24  12654 3257 36445
  93.188.166.0/24  12654 3257 36445


This was not an accident.

So what you are saying is that these prefixes have always belonged to
Inhoster?

Thanks,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2doTq1pz9mNUZTMRAupwAKDxEF9kyS/UoTb/Hl2FwEGM1tsj2gCfYF16
qyG0vUAmfxfdQg/vqHFCxbw=
=T+0o
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
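The two listings in Ferguson's message are the raw material for a routine defender's check: prefixes withdrawn by one origin AS that come back from another. Note that the new table is not a one-to-one match with the withdrawal list; 85.255.112.0/20, for instance, is a covering aggregate of the five withdrawn 85.255.x more-specifics, so an exact-prefix comparison would miss it. The following Python script is an added example (not code from any participant in the thread) that takes a withdrawal list for one origin AS and a "prefix / AS path" table and flags every prefix that reappears from a different origin, classifying each hit as the same prefix, a more-specific, or a less-specific aggregate. The sample input is constructed from the two listings above, with a few control rows added from the documentation ranges (192.0.2.0/24, 198.51.100.0/24) and private-use AS64496 that are not from the thread.

```python
"""Flag prefixes withdrawn from one origin AS that reappear from another
origin AS: the same prefix, a more-specific, or a covering aggregate.

Added example for the NANOG thread; not code from any participant.  The
input below is constructed from the two listings in Ferguson's message
plus documentation-range control rows that are NOT from the thread.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Withdrawals recorded for the old origin AS (from the message above),
# plus one constructed control prefix from the documentation range.
OLD_ORIGIN = 27595
WITHDRAWN_FROM_OLD_ORIGIN = [
    "64.28.176.0/20", "67.210.0.0/21", "67.210.8.0/22", "67.210.14.0/23",
    "69.22.162.0/23", "69.22.168.0/21", "69.22.184.0/22", "69.31.64.0/20",
    "69.50.160.0/19", "85.255.113.0/24", "85.255.114.0/23", "85.255.116.0/22",
    "85.255.120.0/23", "85.255.122.0/24", "216.255.176.0/20",
    "216.255.176.0/22", "216.255.180.0/22", "216.255.184.0/22",
    "216.255.188.0/22",
    "192.0.2.0/24",  # constructed control: not from the thread
]

# Routing-table snippet in the "prefix  AS path" layout of the message.
# The last three rows are constructed controls: one prefix back under its
# old origin, and two documentation prefixes from private-use AS64496.
TABLE_SNIPPET = """\
Prefix             AS Path
  64.28.187.0/24   12654 3257 36445
  67.210.12.0/23   12654 3257 36445
  85.255.112.0/20  12654 3257 36445
  93.188.161.0/24  12654 3257 36445
  93.188.166.0/24  12654 3257 36445
  69.50.160.0/19   12654 3257 27595
  192.0.2.0/24     12654 3257 64496
  198.51.100.0/24  12654 3257 64496
"""


class Finding(NamedTuple):
    prefix: str           # prefix seen in the new table
    new_origin: int       # origin AS, i.e. the last AS in the path
    relation: str         # "same", "more-specific" or "less-specific"
    withdrawn: List[str]  # withdrawn prefixes it overlaps


def parse_table(text: str) -> List[Tuple[ipaddress.IPv4Network, List[int]]]:
    """Parse 'prefix  AS path' lines, skipping the header and blank lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() == "prefix":
            continue
        net = ipaddress.ip_network(fields[0], strict=True)
        path = [int(asn) for asn in fields[1:]]
        if not path:
            raise ValueError(f"no AS path for {net}")
        routes.append((net, path))
    return routes


def find_reappearances(withdrawn: List[str], old_origin: int,
                       table_text: str) -> List[Finding]:
    """Return every table entry whose origin differs from old_origin and
    whose prefix overlaps something that old_origin withdrew."""
    old_nets = [ipaddress.ip_network(p) for p in withdrawn]
    findings = []
    for net, path in parse_table(table_text):
        origin = path[-1]
        if origin == old_origin:
            continue                    # back under the same AS: a flap, not a move
        hits = [w for w in old_nets if w.overlaps(net)]
        if not hits:
            continue                    # unrelated address space
        if net in hits:
            relation = "same"
        elif all(net.subnet_of(w) for w in hits):
            relation = "more-specific"  # a piece of a withdrawn block
        else:
            relation = "less-specific"  # an aggregate covering withdrawn blocks
        findings.append(Finding(str(net), origin, relation, [str(w) for w in hits]))
    return findings


if __name__ == "__main__":
    for f in find_reappearances(WITHDRAWN_FROM_OLD_ORIGIN, OLD_ORIGIN, TABLE_SNIPPET):
        print(f"{f.prefix:18} now from AS{f.new_origin} ({f.relation}); "
              f"overlaps withdrawn {', '.join(f.withdrawn)}")
```

On the constructed input this reports 64.28.187.0/24 (a more-specific of the withdrawn 64.28.176.0/20), 85.255.112.0/20 (a less-specific covering five withdrawn blocks) and the control prefix 192.0.2.0/24 (identical). The caveat is visible in what it does not report: 67.210.12.0/23 and the 93.188.x prefixes overlap nothing in the withdrawal list, so a check keyed on withdrawn prefixes alone cannot tie them to the old origin; in practice one also watches the full set of prefixes originated by the new AS and its upstreams.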



Re: Atrivo/Intercage

2008-09-24 Thread Jo Rhett

On Sep 23, 2008, at 8:12 PM, Joe Greco wrote:

> > Which is not acceptable.  You answer your abuse complaints, you shut
> > down your spammers.  Period, end of subject.
>
> That's a bit '90's.  I'll settle for s/answer/handle/, because I don't
> think that most sites are willing to actually discuss abuse issues with
> random folks submitting complaints, and so that leaves you with either
> sending a form letter of some sort, or not saying anything.


I went out of my way to get it written into our customer contract that
we can discuss abuse issues with the affected parties.

And I am simply an employee, neither an executive nor an owner, so
this took a bit of doing.  But it has given me great pleasure the few
times that we made a mistake with a customer, and I got to tell the
affected parties that the abuser is now homeless ;-)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness






Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Paul,

Sorry I didn't make this clear enough in the previous responses.

The prefixes that are registered to Inhoster belong to Esthost.
I'm not sure how or why you think those prefixes belong to us.

These prefixes belong DIRECTLY to us:
- 69.50.160.0/19     Withdrawn
- 216.255.176.0/20   Withdrawn

These prefixes belong DIRECTLY to nLayer, and were LEASED to us:
- 69.22.162.0/23     Withdrawn
- 69.22.168.0/21     Withdrawn
- 69.22.184.0/22     Withdrawn
- 69.31.64.0/20      Withdrawn
 
The prefixes LEASED to us BY nLayer are being reclaimed at the end of this 
month 09/30/08, as the lease contract is set to cease at that time.

Hopefully, that is clear enough for you.

Thank you for your time. Have a great day.
---
Russell Mitchell

InterCage, Inc.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, Sep 23, 2008 at 11:28 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:


> Sorry I didn't make this clear enough in the previous responses.
>
> The prefixes that are registered to Inhoster belong to Esthost.
> I'm not sure how or why you think those prefixes belong to us.
>
> These prefixes belong DIRECTLY to us:
> - 69.50.160.0/19     Withdrawn
> - 216.255.176.0/20   Withdrawn
>
> These prefixes belong DIRECTLY to nLayer, and were LEASED to us:
> - 69.22.162.0/23     Withdrawn
> - 69.22.168.0/21     Withdrawn
> - 69.22.184.0/22     Withdrawn
> - 69.31.64.0/20      Withdrawn
>
> The prefixes LEASED to us BY nLayer are being reclaimed at the end of
> this month 09/30/08, as the lease contract is set to cease at that time.
>
> Hopefully, that is clear enough for you.
>
> Thank you for your time. Have a great day.
> ---
> Russell Mitchell
>
> InterCage, Inc.


Clear as mud, thanks.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2d6uq1pz9mNUZTMRAmkcAJ4toRsggJ325VfjkqK8QJKWQG4UegCg84x+
KwcuyxtFp7/x3/vScFTkP3I=
=/vFy
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
Wow, this topic has really gotten old.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello John Doe,

I welcome any further comments you have.
We have to get past people such as yourself, and your blasphemous and false 
statements.

This is the same issue with the recent media and self-proclaimed Security
Researchers. Fly-by-night, mind you.

To help you out in your claims:
Yes, we did house a client who had quite a run with their clients
from various locations, such as Russia.
That Client is no longer hosted on our network. I myself spent all of Monday
afternoon, night, and Tuesday morning shutting off EVERY machine they had
leased in our Billing System. I'm currently working to scan further and see if
there's anything I may have missed.

Yes, Russia is very well known for Virus and Malware writers.

Yes, we have had issues with malware distribution from our network.
This was directly and near singularly related to the former client of ours. We
did have another client, Hostfresh, who had their share of malware issues.

Both have been completely and effectively removed. The servers leased to both
of them have been canceled, and their machines have been shut off.

Let me know if there's anything else you'd like me to state to the public.
We're on a rocky road right now. But it IS starting to smooth out.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.





Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Pedram,

Until everyone fully understands the truth in ENGLISH, this topic will 
continue. This is what they demand.

As long as there are questions which relate to us, I will continue to respond.
When it's set in stone, and the false claims and false statements are 
corrected, this topic will cease.

I hope soon, people will realise and accept the truth that we are a LEGITIMATE
Company that DOES Operate in the USA. We are NOT directly or indirectly
related to any Russians. We do NOT support, write, directly distribute, or
knowingly allow the distribution of malware or other abusive activities to
originate from our network. While the previous statements are questionable in
the public's eye, I hope some time, you will understand it IS the truth.

Prove me wrong, PLEASE.
If you know of any further malware or further abusive activities, such as the
claimed C&C Botnets, please PLEASE don't hesitate to tell me. abuse.intercage
and russ..intercage and emil.intercage are live and operational. We are
currently investigating the rest of our clientele and any sites or communities
you can recommend to follow, we will follow.

While it is clear that this will not be accepted by the community any time
soon, it will eventually be accepted. That is what I am waiting for, however
long it takes.

I can't stress this enough. We DO need your help to locate and eliminate
abusive activities from our network. I know you have information, and I need
you to at least reclaim the faith that we WILL be very active against abuse
originating from our network, and we WILL be proactive to locate and eliminate
abusive activities on our network.

Thank you very much for all your time and future assistance. Have a great day.
---
Russell Mitchell

InterCage, Inc.






Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Sep 24, 2008 at 12:12 AM, Russell Mitchell [EMAIL PROTECTED]
wrote:


> I hope soon, people will realise and accept the truth that we are a
> LEGITIMATE Company that DOES Operate in the USA. We are NOT directly or
> indirectly related to any Russians. We do NOT support, write, directly
> distribute, or knowingly allow the distribution of malware or other
> abusive activities to originate from our network. While the previous
> statements are questionable in the public's eye, I hope some time, you
> will understand it IS the truth.
>
> Prove me wrong, PLEASE.

AS27595, and all prefixes which you advertise, will be ultra-scrutinized.

You can be sure that you, and many others, will know if & when criminal
activity re-appears inside prefixes hosted by Atrivo/Intercage.

The gloves are off, so to speak.

Cheers,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2epPq1pz9mNUZTMRAumJAKD5lujVV7CTeZ6iQDEjsELHy7+I1wCfeXFH
TxVWvBONxa+jozHf9hq+k2c=
=L/4x
-END PGP SIGNATURE-



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Paul,

GREAT! I am very pleased with that.
This is what we need, and I'm sure you can agree, this is what the Internet 
needs.

Thank you very much for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.







Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
Russell:

Ferg was just being coy -- what you don't understand is there are about 3 other
security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
Enforcement might not take action against you (but appear to be interested now),
but the community can. GET OFF THE NET WITH YOUR MALWARE!

You mistake me for someone who believes your pack of lies! Don't you
understand each time you post to this list gives those of us who know the
opportunity to post MORE EVIDENCE of your MALWARE?

You disconnected Hostfresh and think that's the extent of your crimes?
Gimme a break. Only those who are easily socially engineered would believe
your pathetic claims of innocence. You've BEEN HOSTING MALWARE since 2003 --
SEE NANOG post:

Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html

> Let me know if there's anything else you'd like me to state to the public.

Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
is going to work? That's just another of Emil's networks.

> We're on a rocky road right now. But it IS starting to smooth out.

That's just the calm before the storm.

Go ahead and post a response to each of these allegations:

Cybercrime's US Hosts
http://www.spamhaus.org/news.lasso?article=636

Report Slams U.S. Host as Major Source of Badware
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

A Superlative Scam and Spam Site Registrar
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

ICANN cast as online scam enabler
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

'Malware-friendly' Intercage back with the living
http://www.theregister.co.uk/2008/09/24/intercage_back_online/









Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Sep 24, 2008 at 12:27 AM, Mark Foo [EMAIL PROTECTED] wrote:

> Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
> is going to work? That's just another of Emil's networks.


Actually, I was not being coy.

Okay, maybe I was.

With regards to the prefix shuffle to Cernel, I think that speaks for
itself.

With regards to "...another of Emil's networks...", I don't believe that to
be true. In fact, I think Emil is just a pawn in this entire mess.

It is clear to me -- at least -- that this entire criminal operation is
being operated out of Eastern Europe, and their foothold in the U.S. is the
major issue here.

This is the major heartburn -- ISPs and network operators in the U.S. seem
not to care about these issues, and it becomes an 'unpopular' effort to
purge these activities in this audience.

$.02,

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2e5Wq1pz9mNUZTMRAsf6AJ47BKaCBckIkllV2XN/CJhvIGUqowCgrOSQ
kBmKYLTVEipzNwXGxIZa6Zo=
=zs8t
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Mark,

It really seems YOU _DID_ miss the memo.
I think that since no one else is responding to your nonsense, there is no
reason for me to either.

If you have something accurate to say, I'll be happy to listen.
Until then, there's not much I can say. There's no sense in repeating myself.
 ---
Russell Mitchell

InterCage, Inc.



- Original Message 
From: Mark Foo [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL PROTECTED]; 
nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 12:27:50 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Ferg was just being coy -- what you don't understand is there are about 3 other
security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
Enforcement might not take action against you (but appear to be interested now),
but the community can. GET OFF THE NET WITH YOUR MALWARE!

You mistake me for someone who believes you pack of lies! Don't you
understand each
time you post to this list gives those of us who know the opportunity
to post MORE EVIDENCE
of your MALWARE?

You disconnected Hostfresh and think that's the extent of your cimes?
Gimme a break.
Only those who are easily socially engineered would believe your
pathetic claims of innocence.
You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:

Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html

 Let me know if there's anything else you'd like me to state to the public.

Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
is going to work? That's just another of Emil's networks.

 We're on a rocky road right now. But it IS starting to smooth out.

That's just the calm before the storm.

Go ahead and post a response to each of these allegations:

Cybercrime's US Hosts
http://www.spamhaus.org/news.lasso?article=636

Report Slams U.S. Host as Major Source of Badware
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

A Superlative Scam and Spam Site Registrar
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

ICANN cast as online scam enabler
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

'Malware-friendly' Intercage back with the living
http://www.theregister.co.uk/2008/09/24/intercage_back_online/








On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell [EMAIL PROTECTED] wrote:

 Hello John Doe,

 I welcome any further comments you have.
 We have to get past people such as yourself, and your blasphemous and false 
 statements.

 This is the same issue with the recent media and self-proclaimed Security 
 Researchers. Fly-by-night mind you.

 To help you out in your claims:
 Yes, we did house a client who had quite a run with their clients from 
 various locations, such as Russia.
 That Client is no longer hosted on our network. I myself spent all of Monday 
 afternoon, night, and Tuesday morning shutting off EVERY machine they had 
 leased in our Billing System. I'm currently working to scan further and see 
 if there's anything I may have missed.

 Yes, Russia is very well known for Virus and Malware writers.

 Yes, we have had issues with malware distribution from our network.
 This was directly and near singularly related to the former client of ours. 
 We did have another client, Hostfresh, who had their share of malware issues.

 Both have been completely and effectively removed. The servers leased to 
 both of them have been canceled, and their machines have been shut off.

 Let me know if there's anything else you'd like me to state to the public.
 We're on a rocky road right now. But it IS starting to smooth out.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.



 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Bruce Williams [EMAIL PROTECTED]
 Cc: Christopher Morrow [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Tuesday, September 23, 2008 11:08:21 PM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 NANOG:

 Look, the people posting here who are trashing Intercage are pure security
 analysts -- they
 know and understand the evil that is Intercage. STOP TRYING TO ASSIST
 INTERCAGE
 -- you are effectively aiding and abetting the enemy.

 Intercage/Atrivo hosts the malware cc botnets that DDoS your systems and
 networks.

 Intercage/Atrivo hosts the spyware that compromises your users' passwords.

 Intercage/Atrivo hosts the adware that slows your customers' machines.

 Don't take my word for it, DO YOUR OWN RESEARCH:
 http://www.google.com/search?hl=en&q=intercage+malware

 You don't get called the ***American RBN*** for hosting a couple bad
 machines. They
 have and will continue to host much of the malware pumped out of America.
 THEY
 ARE NOT YOUR COMRADES.

 These people represent the most HIGHLY

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Mark Foo
.
  ---
 Russell Mitchell

 InterCage, Inc.



 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL 
 PROTECTED]; nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 12:27:50 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Ferg was just being coy -- what you don't understand is there are about 3 
 other
 security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
 Enforcement might not take action against you (but appear to be interested 
 now),
 but the community can. GET OFF THE NET WITH YOUR MALWARE!

 You mistake me for someone who believes your pack of lies! Don't you
 understand each
 time you post to this list gives those of us who know the opportunity
 to post MORE EVIDENCE
 of your MALWARE?

 You disconnected Hostfresh and think that's the extent of your crimes?
 Gimme a break.
 Only those who are easily socially engineered would believe your
 pathetic claims of innocence.
 You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:

 Re: The in-your-face hijacking example
 http://www.irbs.net/internet/nanog/0305/0038.html

 Let me know if there's anything else you'd like me to state to the public.

 Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
 is going to work? That's just another of Emil's networks.

 We're on a rocky road right now. But it IS starting to smooth out.

 That's just the calm before the storm.

 Go ahead and post a response to each of these allegations:

 Cybercrime's US Hosts
 http://www.spamhaus.org/news.lasso?article=636

 Report Slams U.S. Host as Major Source of Badware
 http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

 A Superlative Scam and Spam Site Registrar
 http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

 ICANN cast as online scam enabler
 http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

 'Malware-friendly' Intercage back with the living
 http://www.theregister.co.uk/2008/09/24/intercage_back_online/

 On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell [EMAIL PROTECTED] wrote:

 Hello John Doe,

 I welcome any further comments you have.
 We have to get past people such as yourself, and your blasphemous and false 
 statements.

 This is the same issue with the recent media and self-proclaimed Security 
 Researchers. Fly-by-night mind you.

 To help you out in your claims:
 Yes, we did house a client who had quite a run with their clients from 
 various locations, such as Russia.
 That Client is no longer hosted on our network. I myself spent all of Monday 
 afternoon, night, and Tuesday morning shutting off EVERY machine they had 
 leased in our Billing System. I'm currently working to scan further and see 
 if there's anything I may have missed.

 Yes, Russia is very well known for Virus and Malware writers.

 Yes, we have had issues with malware distribution from our network.
 This was directly and near singularly related to the former client of ours. 
 We did have another client, Hostfresh, who had their share of malware 
 issues.

 Both have been completely and effectively removed. The servers leased to 
 both of them have been canceled, and their machines have been shut off.

 Let me know if there's anything else you'd like me to state to the public.
 We're on a rocky road right now. But it IS starting to smooth out.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.



 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Bruce Williams [EMAIL PROTECTED]
 Cc: Christopher Morrow [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Tuesday, September 23, 2008 11:08:21 PM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 NANOG:

 Look, the people posting here who are trashing Intercage are pure security
 analysts -- they
 know and understand the evil that is Intercage. STOP TRYING TO ASSIST
 INTERCAGE
 -- you are effectively aiding and abetting the enemy.

 Intercage/Atrivo hosts the malware cc botnets that DDoS your systems and
 networks.

 Intercage/Atrivo hosts the spyware that compromises your users' passwords.

 Intercage/Atrivo hosts the adware that slows your customers' machines.

 Don't take my word for it, DO YOUR OWN RESEARCH:
 http://www.google.com/search?hl=en&q=intercage+malware

 You don't get called the ***American RBN*** for hosting a couple bad
 machines. They
 have and will continue to host much of the malware pumped out of America.
 THEY
 ARE NOT YOUR COMRADES.

 These people represent the most HIGHLY ORGANIZED CRIME you will ever
 come across. Most people were afraid to speak out against them until this
 recent ground swell.

 This is the MALWARE CARTEL. GET THE PICTURE?

 Many links have been posted here that prove this already -- instead of
 asking
 what

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Wall
Russell,

Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.

Why are you only now shutting them down?

Thank you for proving that our research was not for naught, and that
Atrivo/Intercage is a black hat operation which needs to be
permanently disconnected from the Internet at all costs.

Drive Slow,
Paul Wall



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Mark,

What's YOUR motivation to consistently attack my company?

What's my motivation to continue working @ InterCage?
To keep a roof over my family's heads, and to keep them well-fed:
1.) Myself
2.) My Wife
3.) My near 2 year old Son (November)
4.) My near 3 week old Daughter (Born Sept. 4th)

It's great that you finally accepted the claim of InterCage being associated 
with the famed RBN as being alleged.
You've taken the first step into seeing how much BS information has been spread 
out about our company.

Whether you support me in my anti-abuse endeavor or not, as long as you get 
FACTUAL information, I'm happy.
However, someday I trust you will find and accept the truth about InterCage. 
From what I see now from the claims you're making, that day may not come soon.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

- Original Message 
From: Mark Foo [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL PROTECTED]; 
nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 1:14:01 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the Intel companies) than
whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
sleep well knowing what you're up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:

http://www.spamhaus.org/news.lasso?article=636

Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's command and control to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the surprised janitor, unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal
services.

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo/Intercage is one of the very few remaining
dedicated crime hosting firms whose customer base is composed almost,
or perhaps entirely, of criminal gangs. More importantly, millions of
Internet users

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Raymond Dijkxhoorn

Hi!


Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.


[EMAIL PROTECTED] ~]# dig estdomains.com

; <<>> DiG 9.5.0-P2 <<>> estdomains.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2970
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;estdomains.com.                IN      A

;; ANSWER SECTION:
estdomains.com.         86400   IN      A       94.102.49.3

inetnum:        94.102.48.0 - 94.102.63.255
netname:        NL-ECATEL-20080829
descr:          Ecatel LTD
country:        NL
org:            ORG-EL38-RIPE
admin-c:        RvE16-RIPE
tech-c:         RvE16-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ECATEL-MNT
mnt-routes:     ECATEL-MNT
source:         RIPE # Filtered

person:         Reinier van Eeden
address:        Archangelkade 1-3
address:        1013 BE  Amsterdam
mnt-by:         IQARUS-MNT
e-mail:         [EMAIL PROTECTED]
phone:          +31 64 607 11 12
nic-hdl:        RvE16-RIPE
source:         RIPE # Filtered

The same guys were hosting several ROKSO spammers in 2006 already. This 
smells badly!


Earlier this year they had also this one (also ROKSO)

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL65783

The company that Reinier was with was called Icarus earlier, does that 
ring a bell? 3 of the top 10 ROKSO spammers were hosted there. This is 
more than just a normal shining.


bye,
Raymond.
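The lookup Raymond walks through above (resolve the domain's A record, then find the RIPE inetnum allocation that covers the address and read off who holds it) is easy to script once you can parse whois output. The following is an added example, not code from the thread or from any of the parties named in it. The whois text is a constructed sample that reproduces the inetnum and person objects quoted above so the script runs offline; in real use you would feed it the output of `whois <ip>` and `dig +short <name> A`. It parses RPSL-style `key: value` objects (keeping repeated keys such as `address:` and stripping `# Filtered` comments), finds the inetnum whose range contains the resolved address, and expresses that range as CIDR blocks suitable for a filter or SBL-style listing.

```python
"""Correlate a resolved A record with the RIPE inetnum object that covers it.

Added example (not part of the NANOG thread). SAMPLE_WHOIS is a constructed
sample reproducing the record quoted in the thread, so this runs offline.
"""
import ipaddress
import re

# Constructed sample: the inetnum/person objects quoted in the thread,
# embedded inline so the example needs no network access.
SAMPLE_WHOIS = """\
inetnum:        94.102.48.0 - 94.102.63.255
netname:        NL-ECATEL-20080829
descr:          Ecatel LTD
country:        NL
org:            ORG-EL38-RIPE
admin-c:        RvE16-RIPE
tech-c:         RvE16-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      ECATEL-MNT
mnt-routes:     ECATEL-MNT
source:         RIPE # Filtered

person:         Reinier van Eeden
address:        Archangelkade 1-3
address:        1013 BE  Amsterdam
mnt-by:         IQARUS-MNT
phone:          +31 64 607 11 12
nic-hdl:        RvE16-RIPE
source:         RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_rpsl(text):
    """Split whois output into objects; each object is a list of (key, value).

    Objects are separated by blank lines. Keys may repeat (address:, mnt-by:),
    so a dict would silently drop data. Trailing '# ...' comments are removed
    and RPSL continuation lines (leading space, tab or '+') are joined on.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):  # whois server remarks
            continue
        m = ATTR_RE.match(line)
        if m:
            value = m.group(2).split("#", 1)[0].strip()
            current.append((m.group(1).lower(), value))
        elif current and line[0] in " \t+":
            key, prev = current[-1]
            current[-1] = (key, (prev + " " + line.lstrip(" \t+")).strip())
    if current:
        objects.append(current)
    return objects


def get(obj, key):
    """All values of `key` in an object, in order."""
    return [v for k, v in obj if k == key]


def inetnum_range(obj):
    """(first, last) IPv4Address of an inetnum object, or None if not one."""
    vals = get(obj, "inetnum")
    if not vals:
        return None
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in vals[0].split("-"))
    return lo, hi


def covering_inetnum(whois_text, ip):
    """Find the inetnum whose range contains `ip`; return a summary or None."""
    addr = ipaddress.IPv4Address(ip)
    for obj in parse_rpsl(whois_text):
        rng = inetnum_range(obj)
        if rng and rng[0] <= addr <= rng[1]:
            lo, hi = rng
            # Express the allocation as CIDR blocks for ACLs or blocklists.
            cidrs = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
            maint = get(obj, "mnt-by") + get(obj, "mnt-lower") + get(obj, "mnt-routes")
            return {
                "inetnum": f"{lo} - {hi}",
                "cidrs": cidrs,
                "netname": get(obj, "netname")[0],
                "country": get(obj, "country")[0],
                "maintainers": sorted(set(maint)),
            }
    return None


if __name__ == "__main__":
    # 94.102.49.3 is the A record from the dig output in the thread.
    print(covering_inetnum(SAMPLE_WHOIS, "94.102.49.3"))
```

The range-to-CIDR step matters in practice: an inetnum is a start/end pair, not a prefix, and only aligned ranges collapse to a single block (this one is exactly `94.102.48.0/20`); unaligned ranges come back as several blocks, which is what you want in a filter rather than a hand-rounded prefix that over- or under-blocks.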



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
define:nanog

North American Network Operators Group A membership organization that
provides for the exchange of technical information among public, commercial
...

I think this conversation should have ended way long time ago.

My $0.50 cents + $1.00 or $2

Regards,
Pedram

On Wed, Sep 24, 2008 at 1:29 AM, Russell Mitchell [EMAIL PROTECTED]wrote:

 Hello Mark,

 What's YOUR motivation to consistently attack my company?

 What's my motivation to continue working @ InterCage?
 To keep a roof over my family's heads, and to keep them well-fed:
 1.) Myself
 2.) My Wife
 3.) My near 2 year old Son (November)
 4.) My near 3 week old Daughter (Born Sept. 4th)

 It's great that you finally accepted the claim of InterCage being
 associated with the famed RBN as being alleged.
 You've taken the first step into seeing how much BS information has been
 spread out about our company.

 Whether you support me in my anti-abuse endeavor or not, as long as you get
 FACTUAL information, I'm happy.
 However, someday I trust you will find and accept the truth about
 InterCage. From what I see now from the claims you're making, that day may not
 come soon.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.

 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow 
 [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 1:14:01 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Oh I got the memo, you'll be getting served one soon too.

 I just wonder why you don't consider playing both sides of the fence
 -- with your
 knowledge of who's who in the cyber crime field, you could probably get
 paid
 more as an informant (either to LEO or one of the Intel companies) than
 whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
 sleep well knowing what you're up to now so I figure it's the money that
 motivates you.

 Or, maybe you don't really know anyone, you just respond to their demands
 and
 they end up with all the money, pr0n chicks, etc. Doesn't that bother
 you -- don't
 you want more?

 Plus, no one would know you were pulling two pay checks -- you manage
 systems
 on one side and pass info to the other. It's actually fairly simple --
 maybe you already
 know this ;).

 If not, please explain this:

 http://www.spamhaus.org/news.lasso?article=636

 Without exception, all of the major security organizations on the
 Internet agree that the 'Home' of cybercrime in the western world is a
 firm known as Atrivo/Intercage, based in California. We ourselves have
 not come to this conclusion lightly but from many years of dealing
 with criminal operations hosted by Atrivo/Intercage, gangs of
 cybercriminals - mostly Russian and East European but with several US
 online crime gangs as well - whose activities always lead back to
 servers run by Atrivo/Intercage. We have lost count of the times we
 have tracked a major virus botnet's command and control to
 Atrivo/Intercage servers, readers can view here some of the current
 and historic SBL records for Atrivo for a taste of what has been
 happening in this network. At almost every Internet security
 conference, or law enforcement seminar on cyber-crime, a presentation
 will detail some attack, exploit, phish or financial crime that has
 some nexus at Atrivo/Intercage.

 The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
 playing the surprised janitor, unaware of every new criminal
 enterprise found on his servers and keen to show he gets rid of some
 criminals once their activities on his network are exposed. His
 Internet hosting career first came to the attention of most anti-abuse
 organizations when he pinched (or 'purchased stolen goods' as he put
 it) and routed an unused block of 65,536 IP addresses belonging to the
 County of Los Angeles.

 Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
 Atrivo/Intercage and its related networks in the last 3 years alone,
 all of which involved criminal operations such as malware, virus
 spreaders and botnet command and control servers. Malware found by
 Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
 months included the Storm Worm installer and controller and a MySpace
 spambot amongst others. Spamhaus currently sees a large amount of
 activity related to malicious software and exploits being hosted on
 Atrivo/Intercage which include DNS hijack malware, IFRAME browser
 attacks, dialers, pirated software websites and blatantly criminal
 services.

 We assume that every law enforcement agency with a cyber-crimes
 division has a dossier bursting at the seams on Atrivo/Intercage and
 its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
 question on everyone's mind is which agency will beat the others to
 shutting the whole place down

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Pedram M
It's actually starting to look like WHT.

On Wed, Sep 24, 2008 at 1:35 AM, Pedram M [EMAIL PROTECTED] wrote:


 define:nanog

 North American Network Operators Group A membership organization that
 provides for the exchange of technical information among public, commercial
 ...

 I think this conversation should have ended way long time ago.

 My $0.50 cents + $1.00 or $2

 Regards,
 Pedram


 On Wed, Sep 24, 2008 at 1:29 AM, Russell Mitchell [EMAIL PROTECTED]wrote:

 Hello Mark,

 What's YOUR motivation to consistently attack my company?

 What's my motivation to continue working @ InterCage?
 To keep a roof over my family's heads, and to keep them well-fed:
 1.) Myself
 2.) My Wife
 3.) My near 2 year old Son (November)
 4.) My near 3 week old Daughter (Born Sept. 4th)

 It's great that you finally accepted the claim of InterCage being
 associated with the famed RBN as being alleged.
 You've taken the first step into seeing how much BS information has been
 spread out about our company.

 Whether you support me in my anti-abuse endeavor or not, as long as you
 get FACTUAL information, I'm happy.
 However, someday I trust you will find and accept the truth about
 InterCage. From what I see now from the claims you're making, that day may not
 come soon.

 Thank you for your time. Have a great day.
  ---
 Russell Mitchell

 InterCage, Inc.

 - Original Message 
 From: Mark Foo [EMAIL PROTECTED]
 To: Russell Mitchell [EMAIL PROTECTED]
 Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow 
 [EMAIL PROTECTED]; nanog@nanog.org; Joe Greco 
 [EMAIL PROTECTED]
 Sent: Wednesday, September 24, 2008 1:14:01 AM
 Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Russell:

 Oh I got the memo, you'll be getting served one soon too.

 I just wonder why you don't consider playing both sides of the fence
 -- with your
 knowledge of who's who in the cyber crime field, you could probably get
 paid
 more as an informant (either to LEO or one of the Intel companies) than
 whatever you're doing for Emil and (allegedly) the RBN. You can't
 possibly
 sleep well knowing what you're up to now so I figure it's the money that
 motivates you.

 Or, maybe you don't really know anyone, you just respond to their demands
 and
 they end up with all the money, pr0n chicks, etc. Doesn't that bother
 you -- don't
 you want more?

 Plus, no one would know you were pulling two pay checks -- you manage
 systems
 on one side and pass info to the other. It's actually fairly simple --
 maybe you already
 know this ;).

 If not, please explain this:

 http://www.spamhaus.org/news.lasso?article=636

 Without exception, all of the major security organizations on the
 Internet agree that the 'Home' of cybercrime in the western world is a
 firm known as Atrivo/Intercage, based in California. We ourselves have
 not come to this conclusion lightly but from many years of dealing
 with criminal operations hosted by Atrivo/Intercage, gangs of
 cybercriminals - mostly Russian and East European but with several US
 online crime gangs as well - whose activities always lead back to
 servers run by Atrivo/Intercage. We have lost count of the times we
 have tracked a major virus botnet's command and control to
 Atrivo/Intercage servers, readers can view here some of the current
 and historic SBL records for Atrivo for a taste of what has been
 happening in this network. At almost every Internet security
 conference, or law enforcement seminar on cyber-crime, a presentation
 will detail some attack, exploit, phish or financial crime that has
 some nexus at Atrivo/Intercage.

 The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
 playing the surprised janitor, unaware of every new criminal
 enterprise found on his servers and keen to show he gets rid of some
 criminals once their activities on his network are exposed. His
 Internet hosting career first came to the attention of most anti-abuse
 organizations when he pinched (or 'purchased stolen goods' as he put
 it) and routed an unused block of 65,536 IP addresses belonging to the
 County of Los Angeles.

 Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
 Atrivo/Intercage and its related networks in the last 3 years alone,
 all of which involved criminal operations such as malware, virus
 spreaders and botnet command and control servers. Malware found by
 Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
 months included the Storm Worm installer and controller and a MySpace
 spambot amongst others. Spamhaus currently sees a large amount of
 activity related to malicious software and exploits being hosted on
 Atrivo/Intercage which include DNS hijack malware, IFRAME browser
 attacks, dialers, pirated software websites and blatantly criminal
 services.

 We assume that every law enforcement agency with a cyber-crimes
 division has a dossier bursting at the seams on Atrivo/Intercage and
 its tentacles such as Esthost, Estdomains, Cernel, Hostfresh

RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread michael.dillon
 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Russell Mitchell
Hello Michael,

THANK YOU for the Intervention.

If anyone would like to continue the chats, drop me an email, and we can 
continue talks OFF NANOG.

Thank you all very much for your time and careful consideration into the issues 
we're having. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.



- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: nanog@nanog.org
Sent: Wednesday, September 24, 2008 2:23:01 AM
Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon
Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Gadi Evron

On Wed, 24 Sep 2008, Russell Mitchell wrote:

Hello Mark,

What's YOUR motivation to consistently attack my company?


I don't know this Mark, but it seems like he is copying your strategy of 
stay up last and you win as you both make little sense.


Gadi.




What's my motivation to continue working @ InterCage?
To keep a roof over my family's heads, and to keep them well-fed:
1.) Myself
2.) My Wife
3.) My near 2 year old Son (November)
4.) My near 3 week old Daughter (Born Sept. 4th)

It's great that you finally accepted the claim of InterCage being associated with the famed 
RBN as being alleged.
You've taken the first step into seeing how much BS information has been spread 
out about our company.

Whether you support me in my anti-abuse endeavor or not, as long as you get 
FACTUAL information, I'm happy.
However, someday I trust you will find and accept the truth about InterCage. 
From what I see now from the claims you're making, that day may not come soon.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

- Original Message 
From: Mark Foo [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: Bruce Williams [EMAIL PROTECTED]; Christopher Morrow [EMAIL PROTECTED]; 
nanog@nanog.org; Joe Greco [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2008 1:14:01 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the Intel companies) than
whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
sleep well knowing what you're up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:

http://www.spamhaus.org/news.lasso?article=636

Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's command and control to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the surprised janitor, unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal
services.

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Joe Greco
 Hello Joe,
 
 If we can't power down the machine, due to evidence loss, and we 
 can't nullroute the IP since, as stated, some malware will delete 
 itself or alter itself when Net Access is lost,
 can we now filter a single port, in the case of spam, phishing, etc.?

You can do whatever you need to, of course.  The right thing to do is
not always immediately apparent.  Some time looking at the traffic on
a mirror port (etc) can provide useful clues about how to proceed to
an experienced professional.

Unfortunately, my experience suggests that handling incidents on the
datacenter side is a somewhat different skill set than handling the
sorts of incidents that are commonly found on consumer Internet 
connections.  The relative value of an infected machine approaches
zero, while the value of a controlling system is fairly high, which
implies that more effort may have been put into active defenses, which
in turn implies other things.  The Geek Squad or other Nerds On
Wheels services are probably not going to be able to effectively 
clean off an impacted server, much less determine useful and clever
ways to analyze what is going on, which is where it pays to have someone
with contacts into the security community.

Alas, I believe that all of this basic stuff should be immediately 
obvious and familiar to those in the hosting community, which leads me
to other questions that are more along the lines of what others have
been asking in this thread, and probably not relevant to NANOG.  

In the event that you are what you claim to be, rather than what many
believe you to be based on past history and appearances, you would be
well advised to make some contacts within the security community, and
be prepared to acquire some expensive advice the next time you have
an incident.  You would need more help than you're going to be able to
get on NANOG.

And if you're what many people seem to think, well, tough.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread James Thomas

Very well said.

James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 24, 2008 5:23 AM
To: nanog@nanog.org
Subject: RE: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 It is clear to me -- at least -- that this entire criminal 
 operation is being operated out of Eastern Europe, and their 
 foothold in the U.S. is the major issue here.

If you believe that this is a criminal operation then you
should keep this discussion OFF THE LIST and discourage
anyone from taking any action against the bad guys that
might disrupt evidence gathering. If this is a criminal
matter, then it is best to keep quiet, collect good evidence,
and go to court. Better to get a court injunction ordering
them to stop sending malware, and then collect evidence
showing that they violated the injunction. To do this,
they need to have functioning upstream connections to your
network.

NANOG is not the place to discuss these things.

None of this is network operational. The whole discussion
amounts to a shouting match between vigilantes and their
victims. Some of those victims might also be bad guys, but
a shouting match on NANOG does not prove this one way or
the other.

--Michael Dillon




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Rich Kulawiec
On Wed, Sep 24, 2008 at 04:19:16AM -0400, Paul Wall wrote:
 Thanks to the efforts of the people on this list, you've known
 Estdomains/Esthost was bad news for several weeks or more.
 
 Why are you only now shutting them down?

several weeks?  Try several years.  And do note the rationale
(below) for the refusal to shut them down.

 From [EMAIL PROTECTED] Sun Sep  4 13:58:23 EDT 2005
 Newsgroups: news.admin.net-abuse.blocklisting
 From: [EMAIL PROTECTED]
 Subject: Re: Atrivo/InterCage Abuse
 Approved: NANAB Moderators [EMAIL PROTECTED]
 Injection-Info: f14g2000cwb.googlegroups.com; posting-host=69.107.73.156;
posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
 Nntp-Posting-Date: Fri, 2 Sep 2005 17:48:03 + (UTC)
 Nntp-Posting-Host: 69.107.73.156
 X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 
 1.1.4322),gzip(gfe),gzip(gfe)
 Organization: http://groups.google.com
 Message-ID: [EMAIL PROTECTED]
 References: [EMAIL PROTECTED]
[EMAIL PROTECTED]
 X-Trace: posting.google.com 1125683283 16154 127.0.0.1 (2 Sep 2005 17:48:03 
 GMT)
 Date: Fri, 2 Sep 2005 19:51:13 GMT
 X-Robomod: STUMP, [EMAIL PROTECTED] (Igor Chudov), C++/Perl/Unix Consulting
 
 Hello fhh,
 
 There is no network of esthost. The network in which Esthost resides
 is our network. Esthost is one of our larger clients, They are very
 successful in the industry of web hosting and domain registration. They
 just recently became an ICANN Accredited Registrar. I won't comment on
 why they're so successful... But for some, that may be obvious.
 
 I believe an investigation by law enforcement is a very corrective
 step... That would definitely clean Esthost up.
 
 I can honestly say, there are 2 of our major clients who are very
 successful... and with both of those comes occasional abuse. On one,
 it's the occasional spam via exploit. The other... Esthost... Well... A
 lot worse abuse than just spam.
 
 One of the things I find quite ridiculous is people have taken all of
 our business emails from whois etc, and placed them in spam runs. How
 stupid can you get?... Honestly! You have never received a spam email
 that came from our business servers... Our clients (like EVERY other
 companies clients) do get the abuse of spam from their servers. For all
 of our clients (esthost aside)... This is not very often. We can't
 please everyone. We try... But when you have to go through and work
 with a client like esthost who doesn't quite take abuse too
 seriously... and the only other thing you can do is null their client's
 server it's hard to get a correct action taken. The correct
 action on any intentional spammer is to be immediately removed. As well
 as intentional virii distributors. This is seen with iframecash.biz...
 We took reports from P Thompson and demanded their removal... That
 appeared to be resolved... and then they pop up again.
 
 If I had the ability... I would cut Esthost as a client... But, in
 doing so, it causes nearly a quarter if not half of the company's
 monthly revenue to be cut. That is not too good of a move nor
 reasonably possible ;)
 
 People consider Atrivo/InterCage to be some abuse supporting company...
 If only any of you knew what the position would be in a company our
 size.
 
 It's not as easy as you believe it to be ;)
 
 Thank you for your time. Have a great day.
 
 --
 Russell Mitchell - Russ[at]Atrivo.com
 Atrivo Technologies
 



Re: Atrivo/Intercage

2008-09-24 Thread Andrew D Kirch

Tom Sparks (Applied Operations) wrote:

Basically this is what it boils down to for me - it's easy to blame
an NSP/ISP/Hoster for what their clients do, it takes real dedication to
find out what's *actually* going on.
  

We did, and now we're solving the problem.

Andrew




Re: Atrivo/Intercage

2008-09-24 Thread Scott Weeks
--- [EMAIL PROTECTED] wrote:
From: Andrew D Kirch [EMAIL PROTECTED]

 Basically this is what it boils down to for me - it's 
 easy to blame an NSP/ISP/Hoster for what their 
 clients do, it takes real dedication to find out 
 what's *actually* going on.

: We did, and now we're solving the problem.
--



Apparently, this is what's going on.  Making money at the expense of everyone 
else on the internet:

---
 If I had the ability... I would cut Esthost as a 
 client... But, in doing so, it causes nearly a 
 quarter if not half of the company's monthly 
 revenue to be cut. That is not too good of a move 
 nor reasonably possible ;)
 
 People consider Atrivo/InterCage to be some abuse 
 supporting company...

 If only any of you knew what the position would be 
 in a company our size.
 
 It's not as easy as you believe it to be ;)

 Russell Mitchell - Russ[at]Atrivo.com
 Atrivo Technologies
--


scott




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-24 Thread Paul Wall
On Wed, Sep 24, 2008 at 12:13 AM, Russell Mitchell [EMAIL PROTECTED] wrote:
 Hello Paul,

 Those are their IP Blocks. We were simply routing them, as they were our 
 client.
 They've owned these blocks for quite a while. They seem to have moved that 
 after a day of being down.

You're not very good at this are you? For future reference, when
you're trying to pretend like you've cleaned up your act and someone
asks you why your second largest cyber criminal customer is no longer
on your network, you say we kicked them off for abuse too, not they
left us after a day of being down due to outages caused by our hosting
of an even bigger criminal.

Drive Slow,
Paul Wall



Re: Atrivo/Intercage

2008-09-24 Thread William Pitcock
Hi,

On Wed, 2008-09-24 at 07:06 -0700, Scott Weeks wrote:
 --- [EMAIL PROTECTED] wrote:
 From: Andrew D Kirch [EMAIL PROTECTED]
 
   Basically this is what it boils down to for me - it's 
   easy to blame an NSP/ISP/Hoster for what their 
   clients do, it takes real dedication to find out 
   what's *actually* going on.
 
 : We did, and now we're solving the problem.
 --
 
 
 
 Apparently, this is what's going on.  Making money at the expense of everyone 
 else on the internet:
 
 ---
  If I had the ability... I would cut Esthost as a 
  client... But, in doing so, it causes nearly a 
  quarter if not half of the company's monthly 
  revenue to be cut. That is not too good of a move 
  nor reasonably possible ;)
  
  People consider Atrivo/InterCage to be some abuse 
  supporting company...
 
  If only any of you knew what the position would be 
  in a company our size.
  
  It's not as easy as you believe it to be ;)
 
  Russell Mitchell - Russ[at]Atrivo.com
  Atrivo Technologies
 --
 
 

Esthost (the main problem) is actually cut off as of this morning. So
actually, they are taking steps to fix the problem.

However, as we all know, there is the real story, and then there is the
NANOG story. We should keep this all in mind, Intercage are actually
trying hard to clean up their network, and now is the time to stop with
the whining and actually help them identify the problems.

Esthost is a tricky situation because it is a significant portion of
their income... but they are offline. I would be reluctant to cut them
off too if I were in their position... not because it's the right thing
to do, but because they are such a large client that I might not be able
to pay the bills at the end of the month. If you were in their position,
wouldn't you have concerns about terminating ANY source of income that
is that large too?

That said, they should have dropped Esthost before it got that big, but
they didn't. People make bad choices, but for fuck's sake, let's move on
already.

I have also noticed that most of the people doing the whining aren't
even the people who are tracking the problem. Again, a case of the NANOG
story versus the real story...

William




Re: Atrivo/Intercage

2008-09-24 Thread William Pitcock
Hi,

On Wed, 2008-09-24 at 17:54 -0700, Scott Weeks wrote:
 
 --- [EMAIL PROTECTED] wrote:
 I have also noticed that most of the people doing the whining aren't
 even the people who are tracking the problem. Again, a case of the NANOG
 story versus the real story...
 --
 
 
 
 I didn't whine.

No, but others have, and it isn't helpful towards resolving this
problem.

Ultimately, neither is forcing them off the internet. Well, in
actuality, that resolves part of the problem, but I suspect that a lot
of the affected cybercrime has moved to other networks by now... so in
reality the real problem isn't solved (except that the problem is mostly
being moved away from Intercage). And shutting down ISPs who host these
guys will solve nothing either. They will jump providers until the end
of time.

The solution here is to go after the *people* who make this crap. They
*are* breaking the law and we have the proof.

William




Re: Atrivo/Intercage

2008-09-24 Thread Christopher Morrow
On Wed, Sep 24, 2008 at 9:50 PM, William Pitcock
[EMAIL PROTECTED] wrote:

 The solution here is to go after the *people* who make this crap. They
 *are* breaking the law and we have the proof.

agreed... but keep in mind 'breaking the law' is relative... So, CP is
illegal in the US, but maybe not where it was made (CP's not the best
example of course because it lives in a weird place in everyone's
laws)... how about simple hacking? that's illegal in the US (mostly,
depending on what's being done) but not in other places, and perhaps
not if committed outside the local jurisdiction(s).

-Chris



Re: Atrivo/Intercage

2008-09-24 Thread Gadi Evron

On Wed, 24 Sep 2008, William Pitcock wrote:

No, but others have, and it isn't helpful towards resolving this
problem.

Ultimately, neither is forcing them off the internet. Well, in
actuality, that resolves part of the problem, but I suspect that a lot
of the affected cybercrime has moved to other networks by now... so in
reality the real problem isn't solved (except that the problem is mostly
being moved away from Intercage). And shutting down ISPs who host these
guys will solve nothing either. They will jump providers until the end
of time.


The fear is evolution in technological advancement they may make rather 
than just where they will scatter to, but that is a solid point. Still, we 
have seen in the past that they evolve regardless. The future will tell 
whether this was a foolishness, or a step in the right direction.



The solution here is to go after the *people* who make this crap. They
*are* breaking the law and we have the proof.


I couldn't agree more. Unfortunately, that isn't happening. Whether I like 
it or not there are two layers of attackers. The initiator, and the proxy. 
The proxy is on networks, and networks we can reach out to.


Gadi.



William






Re: Atrivo/Intercage

2008-09-24 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Sep 24, 2008 at 7:02 PM, Laurence F. Sheldon, Jr.
[EMAIL PROTECTED] wrote:


 Apprehending criminals is the Law's job.

 My job is making sure they don't deal that sh*t in MY parkinglot.


Exactly.

It could be argued (since _is_ the North American Network Operators Group)
that pushing this sort of criminal activity _out_ of North America is a
good First Step to be able to better manage the situation.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2vKTq1pz9mNUZTMRAhK3AJ41SKDLnteNVSqjoNlLDMNutY3sNACgu3O8
EZT2NSbpVvHcd7XRgjBAAQA=
=bmQI
-END PGP SIGNATURE-


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Atrivo/Intercage

2008-09-24 Thread Scott Weeks


--- [EMAIL PROTECTED] wrote:
From: William Pitcock [EMAIL PROTECTED]
 
 I didn't whine.

No, but others have, and it isn't helpful towards resolving this
problem.



I also wrote you that in private, but you decided to make it public without 
asking me.  That type of action makes your position less valid.

scott



Re: Atrivo/Intercage

2008-09-24 Thread William Pitcock
Hi,

On Wed, 2008-09-24 at 19:39 -0700, Scott Weeks wrote:
 
 --- [EMAIL PROTECTED] wrote:
 From: William Pitcock [EMAIL PROTECTED]
  
  I didn't whine.
 
 No, but others have, and it isn't helpful towards resolving this
 problem.
 
 
 
 I also wrote you that in private, but you decided to make it public without 
 asking me.  That type of action makes your position less valid.

I apologize, I didn't notice that it was private.

William





Re: Atrivo/Intercage

2008-09-23 Thread Joe Greco
 On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:
  Intercage is not a big shop, there are very few people involved in  
  running it
 
 I have no dog in this fight, but I would comment on the small shop  
 issue as it relates to handling abuse complaints.
 
 I own a small colo/hosting shop too.  We don't have many employees.   
 If we had to deal with so many abuse complaints that things were  
 getting lost in the noise, I'd have to seriously examine my AUP and  
 associated enforcement policies, add staff to handle abuse issues, or  
 both.  Being small isn't an excuse.  In fact, a small shop that runs a  
 clean network should be far better at handling abuse issues than the  
 larger players could ever hope to be.

I would have to agree with this latter bit.  We count incidents per YEAR.
On a hand.  Mostly because we haven't made a habit of accepting random
clients, I guess, but were it a problem, it would be made not to be.

Being proactive is a big part of this.  For example, when ARIN began to
allow abuse contacts for IP space, we fairly quickly registered a POC
for it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Atrivo/Intercage

2008-09-23 Thread Gadi Evron

http://www.giantitp.com/comics/oots0595.html

I think that sums up this thread.


On Tue, 23 Sep 2008, Joe Greco wrote:


On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:

Intercage is not a big shop, there are very few people involved in
running it


I have no dog in this fight, but I would comment on the small shop
issue as it relates to handling abuse complaints.

I own a small colo/hosting shop too.  We don't have many employees.
If we had to deal with so many abuse complaints that things were
getting lost in the noise, I'd have to seriously examine my AUP and
associated enforcement policies, add staff to handle abuse issues, or
both.  Being small isn't an excuse.  In fact, a small shop that runs a
clean network should be far better at handling abuse issues than the
larger players could ever hope to be.


I would have to agree with this latter bit.  We count incidents per YEAR.
On a hand.  Mostly because we haven't made a habit of accepting random
clients, I guess, but were it a problem, it would be made not to be.

Being proactive is a big part of this.  For example, when ARIN began to
allow abuse contacts for IP space, we fairly quickly registered a POC
for it.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.





Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Wall
Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

I'd contact them, only they seem to change CTOs every month or two,
does anybody know who's currently in charge?

Thank you, and Drive Slow,
Paul Wall



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Well, their management team is listed here:

http://www.unitedlayer.com/team.html

- - ferg

On Tue, Sep 23, 2008 at 5:46 PM, Paul Wall [EMAIL PROTECTED] wrote:
 Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

 I'd contact them, only they seem to change CTOs every month or two,
 does anybody know who's currently in charge?

 Thank you, and Drive Slow,
 Paul Wall



-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2Y/zq1pz9mNUZTMRAnfWAKClED9vjhHusr2Y6+HJ4Bc9fHAosACeOhfK
8coixrmTH5I3Hlh2phmut5w=
=gzBi
-END PGP SIGNATURE-



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Atrivo/Intercage

2008-09-23 Thread Jo Rhett

On Sep 22, 2008, at 1:33 PM, Tom Sparks (Applied Operations) wrote:

I also don't believe Intercage was complicit in any
net-crime; Thats not to say it didn't exist, but more along the lines
of they got lost in the noise of running a business.


Which is not acceptable.  You answer your abuse complaints, you shut  
down your spammers.  Period, end of subject.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello All,

It seems you all missed the memo.
As of about 11PM PST Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer have ANY Machine on my network.

I'm currently starting to monitor some of the public media, such as google, DroneBL, as well as several Anti-Malware community websites for abuse.

Being that Esthost is now entirely GONE, we should not have any further issues.
In the case that something does arise, such as an exploited host, we're currently developing a game plan for response to the issues.
To make the best effort towards combatting abuse on our network, here's what I have planned so far for ANY Type of abuse:
Step 1, Suspend Power to the affected machine.
Step 2, Call/Email the client whom the affected machine is leased to.
Step 3, Allow the client the option to investigate the machine further (Nullroute access via KVM)
Step 4, Verify the reported content, domain, user, or exploit is patched/eliminated from the machine.
Step 5, Remove the Nullroute. Allow the machine to return to the network.

Any comments?

This is the result of a zero tolerance policy regarding abuse. If it's clear that the server owner is the cause of the abusive material etc, the client will then be immediately cancelled. No questions.

It seems that this approach will be the best supported by the anti-abuse communities, so please let me know your input.

Thank you for your time. Have a great day.
---
Russell Mitchell

InterCage, Inc.


- Original Message 
From: Paul Wall [EMAIL PROTECTED]
To: Mark Foo [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 5:46:58 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Hold the rejoicing, Atrivo is back, this time on UnitedLayer.

I'd contact them, only they seem to change CTOs every month or two,
does anybody know who's currently in charge?

Thank you, and Drive Slow,
Paul Wall




Re: Atrivo/Intercage

2008-09-23 Thread Joe Greco
 On Sep 22, 2008, at 1:33 PM, Tom Sparks (Applied Operations) wrote:
  I also don't believe Intercage was complicit in any
  net-crime; Thats not to say it didn't exist, but more along the lines
  of they got lost in the noise of running a business.
 
 Which is not acceptable.  You answer your abuse complaints, you shut  
 down your spammers.  Period, end of subject.

That's a bit '90's.  I'll settle for s/answer/handle/, because I don't
think that most sites are willing to actually discuss abuse issues with
random folks submitting complaints, and so that leaves you with either
sending a form letter of some sort, or not saying anything.  Further,
many places seem to send form letters but not do anything.  I am not
sure that there is much (or any) value-add in sending a response, unless
further information is needed.

From my point of view, the best response is when the problem simply goes
away.  A personal reply (rather than a form letter) is also generally a
really good sign that someone cares enough to show that they're doing
something, but again that seems to be the exception rather than the
norm.  The Afterburner experience, however, should be an excellent 
example for the difference that simply *showing* you care and are doing
something makes.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Joe Greco
 Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
  Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
 ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
 e of the public media, such as google, DroneBL, as well as several Anti-Mal=
 ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
 ly GONE, we should not have any further issues.=0AIn the case that somethin=
 g=A0does arise, such as an exploited host, we're currently developing a gam=
 e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
 mbatting=A0abuse on our network, here's what I have planned so far for ANY =
 Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
  Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
 low the client=A0the option to=A0investigate the machine further (Nullroute=
  access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
 r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
 Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
 ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
  If it's clear that the server owner is the cause of the abusive material e=
 tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
 =0AIt seems that this approach will be the best supported by the anti-abuse=
  communities, so please let me know your input.=0A=0AThank you for your tim=
 e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
 =0A=0A- Original Message =0AFrom: Paul Wall [EMAIL PROTECTED]=
 =0ATo: Mark Foo [EMAIL PROTECTED]=0ACc: [EMAIL PROTECTED]: Tues=
 day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
 : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
 UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
 th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
 nd Drive Slow,=0APaul Wall=0A=0A=0A  

Speaking of missing memos...  mailing lists are not highly compatible 
with HTML or some clients that like to encode list mail.  The above is 
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened 
to the system, and may damage the system.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
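Joe Greco's suggestion above (isolate the box first, keep it powered) and the five-step plan Russell Mitchell posted, illustrated by an added example that is not from either poster and not InterCage's procedure: a small Python triage of mirror-port flow records for one suspect host. It looks for the two patterns a hoster most often sees from a compromised server, an outbound SMTP spam run and repeated small check-ins to one endpoint, and proposes the narrowest filter that stops the abuse while leaving the machine running for evidence collection. The host address 192.0.2.10 (documentation range), the flow records, the thresholds and the ACL-style rule strings are all constructed assumptions; the rules need translating into your router's or switch's own syntax.

```python
"""Flow-record triage for a suspected compromised colo host.

Added example. The flows, thresholds and rule syntax below are
constructed assumptions, not data or procedures from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    packets: int    # packets seen in this flow


SUSPECT = "192.0.2.10"   # assumed address of the customer's server

# Constructed sample, roughly what a mirror port or flow exporter would
# show for the suspect host over a few minutes.
SAMPLE_FLOWS = (
    # outbound SMTP to 40 different mail exchangers: a spam run
    [Flow(SUSPECT, f"198.51.100.{i}", 25, 12) for i in range(1, 41)]
    # 20 tiny connections to one IRC-style endpoint: looks like C&C check-ins
    + [Flow(SUSPECT, "203.0.113.7", 6667, 3) for _ in range(20)]
    # inbound web traffic the customer legitimately serves; not abuse by itself
    + [Flow(f"203.0.113.{i}", SUSPECT, 80, 30) for i in range(50, 60)]
)

# Assumed thresholds; tune to the link and the customer's normal traffic.
SPAM_MIN_DESTS = 20       # distinct SMTP destinations before calling it spam
BEACON_MIN_REPEATS = 10   # repeated flows to one endpoint before calling it C&C
BEACON_MAX_PACKETS = 5    # check-in flows are small; bulk transfers are not


def summarize(flows, host):
    """Collect outbound SMTP destinations and repeated small flows from host."""
    out_smtp = set()
    repeats = defaultdict(int)
    for f in flows:
        if f.src != host:           # only the suspect's own outbound traffic
            continue
        if f.dport == 25:
            out_smtp.add(f.dst)
        if f.packets <= BEACON_MAX_PACKETS:
            repeats[(f.dst, f.dport)] += 1
    return out_smtp, repeats


def triage(flows, host=SUSPECT):
    """Return findings plus the smallest containment that stops the abuse.

    Power stays on in every case: pulling the plug loses memory and any
    chance of watching what the malware does when it notices the filter.
    """
    out_smtp, repeats = summarize(flows, host)
    findings, rules = [], []

    if len(out_smtp) >= SPAM_MIN_DESTS:
        findings.append(f"outbound SMTP to {len(out_smtp)} distinct hosts")
        # a single-port filter is enough to stop the spam and keep the rest
        rules.append(f"deny tcp from {host} to any port 25")

    beacons = [(ep, n) for ep, n in repeats.items() if n >= BEACON_MIN_REPEATS]
    for (dst, dport), n in beacons:
        findings.append(f"{n} small flows to {dst}:{dport} (possible C&C check-in)")
        rules.append(f"deny ip from {host} to {dst}")
    if beacons:
        # a controlled host can be re-tasked over any path that is still open,
        # so take the port down but leave the machine running
        rules.append(f"shutdown switch port facing {host}")

    return {"findings": findings, "rules": rules, "keep_powered": True}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(key, value)
```

On the constructed sample this yields a port-25 filter for the spam run, a host-specific deny for the 6667 endpoint, and a port shutdown because a check-in pattern means the box is under someone else's control; in all cases the plan keeps the machine powered so the customer's Step 3 investigation over KVM still has a live system to look at.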



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Christopher Morrow
please to not email in html format... yikes! Russ, could you re-mail
whatever content you just sent, in plain text?

On Tue, Sep 23, 2008 at 11:07 PM, Russell Mitchell [EMAIL PROTECTED] wrote:
 MIME-Version: 1.0
 Content-Type: multipart/alternative; boundary=0-593512929-125655=:9145

 --0-593512929-125655=:9145
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: quoted-printable

 Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
  Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
 ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
 e of the public media, such as google, DroneBL, as well as several Anti-Mal=
 ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
 ly GONE, we should not have any further issues.=0AIn the case that somethin=
 g=A0does arise, such as an exploited host, we're currently developing a gam=
 e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
 mbatting=A0abuse on our network, here's what I have planned so far for ANY =
 Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
  Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
 low the client=A0the option to=A0investigate the machine further (Nullroute=
  access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
 r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
 Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
 ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
  If it's clear that the server owner is the cause of the abusive material e=
 tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
 =0AIt seems that this approach will be the best supported by the anti-abuse=
  communities, so please let me know your input.=0A=0AThank you for your tim=
 e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
 =0A=0A- Original Message =0AFrom: Paul Wall [EMAIL PROTECTED]=
 =0ATo: Mark Foo [EMAIL PROTECTED]=0ACc: [EMAIL PROTECTED]: Tues=
 day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
 : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
 UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
 th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
 nd Drive Slow,=0APaul Wall=0A=0A=0A

Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Christopher Morrow
On Tue, Sep 23, 2008 at 11:20 PM, Joe Greco [EMAIL PROTECTED] wrote:

 I would suggest a different Step 1.  Instead of killing power, simply
 isolate the affected machine.  This might be as simple as putting up a
 firewall rule or two, if it is simply sending outgoing SMTP spam, or

it's probably easiest (depending on the network gear of course) to
just put the lan port into an isolated VLAN. It's not the 100%
solution (some badness rm's itself once it loses connectivity to the
internets) but it'd make things simpler for the client/LEA when they
need to figure out what happened.

-chris



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Bruce Williams
using bolt cutters on cables has a certain satisfaction...

On Tue, Sep 23, 2008 at 8:23 PM, Christopher Morrow
[EMAIL PROTECTED] wrote:
 On Tue, Sep 23, 2008 at 11:20 PM, Joe Greco [EMAIL PROTECTED] wrote:

 I would suggest a different Step 1.  Instead of killing power, simply
 isolate the affected machine.  This might be as simple as putting up a
 firewall rule or two, if it is simply sending outgoing SMTP spam, or

 it's probably easiest (depending on the network gear of course) to
 just put the lan port into an isolated VLAN. It's not the 100%
 solution (some badness rm's itself once it loses connectivity to the
 internets) but it'd make things simpler for the client/LEA when they
 need to figure out what happened.

 -chris





Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Apologies, Yahoo was set to Rich Text :(

-

Hello All,

It seems you all missed the memo. As of about 11PM PST last night, 09/22/08,
Esthost has been ENTIRELY Shutdown. They no longer have ANY Machine on my
network.

I'm currently starting to monitor some of the public media, such as google, 
DroneBL, as well as several Anti-Malware community websites for abuse.
Being that Esthost is now entirely GONE, we should not have any further issues.
In the case that something does arise, such as an exploited host, we're 
currently developing a game plan for response to the issues. 

To make the best effort towards combating abuse on our network, here's what I 
have planned so far for ANY Type of abuse:
Step 1, Suspend Power to the affected machine.
Step 2, Call/Email the client whom the affected machine is leased to.
Step 3, Allow the client the option to investigate the machine further 
(Nullroute access via KVM)
Step 4, Verify the reported content, domain, user, or exploit is 
patched/eliminated from the machine.
Step 5, Remove the Nullroute. Allow the machine to return to the network. 

Any comments? This is the result of a zero tolerance policy regarding abuse.

If it's clear that the server owner is the cause of the abusive material etc, 
the client will then be immediately cancelled. No questions. 
It seems that this approach will be the best supported by the anti-abuse 
communities, so please let me know your input.

Thank you for your time. Have a great day.

---
Russell Mitchell
InterCage, Inc.



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

Hi Russ,

While I think that is great and everything, can you explain why Cernel is
now originating prefixes which were originally originated by
Atrivo/Intercage?

I'd be curious as to your explanation.

Thanks,

-- ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

It may be true that Estdomains has moved a couple of the external-facing
hosting hosts into a Netherlands hosting provider in conjunction with
this whole situation -- folks are watching very carefully.

estdomains.com A 94.102.49.3
storefront.estdomains.com A 94.102.49.5
www.estdomains.com A 94.102.49.4
www.estsecure.com A 94.102.49.5

AS  | IP   | AS Name
29073   | 94.102.49.3  | ECATEL-AS AS29073, Ecatel Network

% Information related to '94.102.48.0 - 94.102.63.255'

inetnum: 94.102.48.0 - 94.102.63.255
netname: NL-ECATEL-20080829
descr: Ecatel LTD
country: NL
org: ORG-EL38-RIPE
admin-c: RvE16-RIPE
tech-c: RvE16-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

organisation: ORG-EL38-RIPE
org-name: Ecatel LTD
org-type: LIR
address: Ecatel LTD
Reinier van Eeden
P.O.Box 19533
2521 CA The Hague
NETHERLANDS
phone: +31702204015
fax-no: +31702204015
e-mail: [EMAIL PROTECTED]
admin-c: RvE16-RIPE
mnt-ref: ECATEL-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered


DNSLogger:

estdomains.com   A  94.102.49.3
estdomains.com   A  216.255.176.238
estdomains.com   NS ans1.esthost.com
estdomains.com   NS ans2.esthost.com
estdomains.com   NS temp1.estdomains.com
estdomains.com   NS ns1.estdomains.com
estdomains.com   NS temp2.estdomains.com
estdomains.com   NS ns2.estdomains.com

http://www.bfk.de/bfk_dnslogger.html

Thanks,

-- ferg

On Tue, Sep 23, 2008 at 9:05 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:
 Apologies, Yahoo was set to Rich Text :(

 -

 Hello All,

 It seems you all missed the memo. As of about 11PM PST
 Last night 09/22/08, Esthost has been ENTIRELY Shutdown.
 They no longer have ANY Machine on my network.


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello Paul,

Those are their IP Blocks. We were simply routing them, as they were our client.
They've owned these blocks for quite a while. They seem to have moved that 
after a day of being down.

I haven't been monitoring their blocks, and made the decision Sunday Night that 
they were no longer going to be allowed on our network.
I believe the blocks you're referring to are their 85.255 Blocks? Registered to 
InHoster. I believe those prefixes are an entity of theirs, though I don't 
know for sure. Perhaps ask them?
Cernel is their own ASN. It's not associated with our company.

Thank you for your time. Have a great day. 
---
Russell Mitchell

InterCage, Inc.




Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Russell Mitchell
Hello Joe,

If we can't power down the machine, due to evidence loss, we can't nullroute 
the IP either; as stated, some malware will delete itself or alter itself when 
Net Access is lost.
Now, can we filter a single port, in the case of spam, phishing, etc.?

I'll look further into the JunOS. I'm not too familiar with the rules on the 
Juniper, so I'll take a look further, and see how to achieve this on a single 
IP rather than the network.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.



- Original Message 
From: Joe Greco [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 8:20:18 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

 Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
  Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
 ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
 e of the public media, such as google, DroneBL, as well as several Anti-Mal=
 ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
 ly GONE, we should not have any further issues.=0AIn the case that somethin=
 g=A0does arise, such as an exploited host, we're currently developing a gam=
 e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
 mbatting=A0abuse on our network, here's what I have planned so far for ANY =
 Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
  Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
 low the client=A0the option to=A0investigate the machine further (Nullroute=
  access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
 r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
 Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
 ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
  If it's clear that the server owner is the cause of the abusive material e=
 tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
 =0AIt seems that this approach will be the best supported by the anti-abuse=
  communities, so please let me know your input.=0A=0AThank you for your tim=
 e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
 =0A=0A- Original Message =0AFrom: Paul Wall [EMAIL PROTECTED]=
 =0ATo: Mark Foo [EMAIL PROTECTED]=0ACc: [EMAIL PROTECTED]: Tues=
 day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
 : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
 UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
 th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
 nd Drive Slow,=0APaul Wall=0A=0A=0A      

Speaking of missing memos...  mailing lists are not highly compatible 
with HTML or some clients that like to encode list mail.  The above is 
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened 
to the system, and may damage the system.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
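
As an added example that is not from Russell, Joe or anyone else in this
thread (and not the real configuration of any network named here), this is
what Joe's "firewall rule or two" for the spam case looks like on a Juniper:
a JunOS firewall filter that drops and logs outbound TCP/25 from a single
leased host and passes everything else, so the client can still get in to
investigate. The filter name, counter name, interface ge-0/0/1 and the host
address 192.0.2.10 are placeholders assumed for the example.

```junos
/* Added example, not InterCage's configuration. Placeholders assumed here:
   ge-0/0/1.0 is the port facing the leased server and 192.0.2.10 is that
   server's address. Applied as an INPUT filter on the server-facing port,
   the filter sees the server's outbound traffic. Only TCP/25 from that one
   host is dropped; SSH/remote login for the client and all other traffic
   from the host are untouched, so nothing on the box is disturbed and the
   malware does not see the loss of connectivity that a nullroute or a
   power-off would cause. */
firewall {
    family inet {
        filter QUARANTINE-SMTP-192-0-2-10 {
            term drop-outbound-smtp {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    destination-port 25;
                }
                then {
                    /* keep a counter and one syslog line per attempt:
                       cheap evidence for the client or LEA of what the
                       host was doing, without touching the host itself */
                    count smtp-dropped-192-0-2-10;
                    syslog;
                    discard;
                }
            }
            /* last term: everything else from the host passes */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input QUARANTINE-SMTP-192-0-2-10;
                }
            }
        }
    }
}
```

Hits show up under `show firewall filter QUARANTINE-SMTP-192-0-2-10`. For
Joe's "more complex issues" case, `set interfaces ge-0/0/1 disable` downs the
whole port but also cuts off the client's own access, which is why Chris's
isolated VLAN is the gentler option.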


Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-23 Thread Paul Ferguson

On Tue, Sep 23, 2008 at 10:13 PM, Russell Mitchell [EMAIL PROTECTED]
wrote:

 I believe the blocks your referring to are their 85.255 Blocks?
 Registered to InHoster. I believe those prefixes are an entity of
 their's, though I don't know for sure. Perhaps ask them?


Thanks, that's right -- Inhoster. Operating out of Odessa and blacklisted
virtually everywhere.

Cheers,

-- ferg


-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Atrivo/Intercage: NO Upstream depeer

2008-09-22 Thread Paul Wall
Emil,

If you've actually shut off the RBN, you should have no problem
finding some new transit to turn up, right?

We're in a buyer's market, and there are dozens of vendors on-net at
200 Paul who'd love a piece of your business.

Drive Slow,
Paul Wall



RE: Atrivo/Intercage

2008-09-22 Thread Tom Sparks (Applied Operations)
Just to add my $0.02 to this discussion and a disclaimer - I've known 
Emil for years, I've seen his shop and even the controversy.
200 Paul is a small community, and most of the folks in there know
each other; I've been in there since 2001 or so.

Intercage is not a big shop, there are very few people involved in running
it and I have a very hard time believing the accusations made by some
of the folks around. I also don't believe Intercage was complicit in any
net-crime; that's not to say it didn't exist, but more along the lines
of they got lost in the noise of running a business. I'd guess that
given the server volume they've got, abuse emails are less than one percent
of all the email they get in a week. From what I've seen, the bulk of their
customer base is webhosters, Unix Shell providers and some video/audio
streamers. Were I to venture a guess on the number of folks reselling
those webservers, it's probably on the order of thousands...

Any time I've had an issue with one of Atrivo's customers, it only took
one email to get it dealt with, or I got Emil on IM or on the phone and
it was taken care of. 

In my experience being on the other end of abuse@, I'd say a good
60-75% of the complaints I saw coming in were bogus: either people
complaining about their ZoneAlarms going off, people complaining
about bounced emails with spam, and a bunch of automated stuff that was
always wrong. The legit complaints were not always easy to deal with
either since a good 20-30% of them were unclear on what was actually wrong
until you spent some time digging.

Basically, what it boils down to for me is this: it's easy to blame
an NSP/ISP/Hoster for what their clients do; it takes real dedication to
find out what's *actually* going on.

-- 
Tom Sparks
(415) 367-7328x1001



Re: Atrivo/Intercage

2008-09-22 Thread Drew Linsalata


On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:

 Intercage is not a big shop, there are very few people involved in running
 it

I have no dog in this fight, but I would comment on the small shop
issue as it relates to handling abuse complaints.

I own a small colo/hosting shop too.  We don't have many employees.
If we had to deal with so many abuse complaints that things were
getting lost in the noise, I'd have to seriously examine my AUP and
associated enforcement policies, add staff to handle abuse issues, or
both.  Being small isn't an excuse.  In fact, a small shop that runs a
clean network should be far better at handling abuse issues than the
larger players could ever hope to be.


Re: Atrivo/Intercage

2008-09-22 Thread Patrick W. Gilmore

On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:

 Basically is what it boils down to for me - its easy to blame
 an NSP/ISP/Hoster for what their clients do, it takes real
 dedication to find out whats *actually* going on.

Tom,

Atrivo is not just a spammer, and Intercage has _not_ taken care of
problems - unless you count moving IP addresses around as taking care
of things.  I'm sure the people downloading child pr0n or hosting
virus / CC servers were very inconvenienced from having to change a
hostname.  Pardon me if I am incredulous.  And not because we were not
dedicated in trying to find out what was *actually* going on.  Try
reading up on your friend before accusing the community of not doing
due diligence.

And don't give me any BS about not reading his abuse@ mail.

Eventually ignorance (willful ignorance?) in the service of evil
becomes indistinguishable from malice.

Basically, THAT is what it boils down to for me, and apparently
everyone else as well.


--
TTFN,
patrick




Re: Atrivo/Intercage

2008-09-22 Thread Tom Sparks (Applied Operations)
On Mon, Sep 22, 2008 at 04:48:16PM -0400, Drew Linsalata wrote:
 I have no dog in this fight, but I would comment on the small shop  
 issue as it relates to handling abuse complaints.
 
 I own a small colo/hosting shop too.  We don't have many employees.   
 If we had to deal with so many abuse complaints that things were  
 getting lost in the noise

Perhaps I should clarify - abuse complaints being a small percentage
of normal requests for service (i.e. I need a new hdd, an OS reinstalled),
I would agree that anyone besieged in abuse requests should take a
machete to the offending customer's cables :)

-- 
Tom Sparks
(415) 367-7328x1001



Re: Atrivo/Intercage

2008-09-22 Thread Christopher Morrow
So... apparently AS27595 is back on the air, with AS paths like:

6461 23342 27595
6539 23342 27595
8075 23342 27595

23342 == UnitedLayer, Tom isn't that you or is that another Tom I'm remembering?

-Chris



Re: Atrivo/Intercage

2008-09-22 Thread Tom Sparks (Applied Operations)
On Mon, Sep 22, 2008 at 05:17:42PM -0400, Christopher Morrow wrote:
 So... apparently AS27595 is back on the air, with aspath's like:
 6461 23342 27595
 6539 23342 27595
 8075 23342 27595
 
 23342 == UnitedLayer, Tom isn't that you or is that another 
 Tom I'm remembering?

Yep, same Tom, I was one of the founders of UnitedLayer.
I haven't been there since 2006, so it's not my doing.

I also noticed AS paths like this:
*  69.22.162.0/23  701 2914 32335 6461 23342 27595 i

I'm not sure what's going on there, but I'm thinking someone needs some help :)

-- 
Tom Sparks
(415) 367-7328x1001



Re: Atrivo/Intercage

2008-09-22 Thread Christopher Morrow
On Mon, Sep 22, 2008 at 5:25 PM, Tom Sparks (Applied Operations)
[EMAIL PROTECTED] wrote:
 On Mon, Sep 22, 2008 at 05:17:42PM -0400, Christopher Morrow wrote:
 So... apparently AS27595 is back on the air, with AS paths like:
 6461 23342 27595
 6539 23342 27595
 8075 23342 27595

 23342 == UnitedLayer, Tom isn't that you or is that another
 Tom I'm remembering?

 Yep, same Tom, I was one of the founders of UnitedLayer.
 I haven't been there since 2006, so its not my doing.


yup, didn't particularly mean it was 'your doing' (even if you were
there) but that perhaps (if you were still there) you might be able to
influence the ops folks some... if you thought it worthy.

 I also noticed AS paths like this:
 *  69.22.162.0/23  701 2914 32335 6461 23342 27595 i

 I'm not sure whats going on there, but I'm thinking someone needs some help :)


yea I suspect that's a history route (or PIE re-opened the links
between PIE/Atrivo). Or... Abovenet & PIE & NTT aren't filtering their
customers in a way that keeps PIE from providing transit to NTT for
Abovenet :( (NTT says loud and long they filter based on IRR data, PIE
might not have updated their IRR info?)

weird though.



Re: Atrivo/Intercage

2008-09-22 Thread Christopher Morrow
On Mon, Sep 22, 2008 at 5:48 PM, Christopher Morrow
[EMAIL PROTECTED] wrote:
 On Mon, Sep 22, 2008 at 5:25 PM, Tom Sparks (Applied Operations)
 [EMAIL PROTECTED] wrote:
 I also noticed AS paths like this:
 *  69.22.162.0/23  701 2914 32335 6461 23342 27595 i

 I'm not sure whats going on there, but I'm thinking someone needs some help 
 :)


 yea I suspect that's a history route (or PIE re-opened the links
 between PIE/Atrivo). Or... Abovenet & PIE & NTT aren't filtering their
 customers in a way that keeps PIE from providing transit to NTT for
 Abovenet :( (NTT says loud and long they filter based on IRR data, PIE
 might not have updated their IRR info?)

 weird though.


actually, I think PIE sees this route from 6461 and passes it along
probably because they didn't update the filters on their sessions when
they dropped the links to 27595 :( Also they didn't update the IRR
data to remove this set of prefixes.

bummers.



Re: Atrivo/Intercage

2008-09-22 Thread Tom Sparks (Applied Operations)
On Mon, Sep 22, 2008 at 05:50:58PM -0400, Christopher Morrow wrote:
 actually, I think PIE sees this route from 6461 and passes it along
 probably because they didn't update the filters on their sessions when
 they dropped the links to 27595 :(

Has anyone actually confirmed that the link is dropped with PIE?

 Also they didn't update the IRR data to remove this set of prefixes.

Looks like they've got all kindsa stuff in there...

-- 
Tom Sparks
(415) 367-7328x1001



YAY! Re: Atrivo/Intercage: NO Upstream depeer

2008-09-22 Thread Mark Foo
On Sun, Sep 21, 2008 at 12:46:54PM -0700, Emil Kacperski wrote:
 Hey James,

 That's the worst part in all this, so many been with me for years!? I just
 put my fate into companies I shouldn't have.

Emil:

Yes, they have been with you for years -- it's quite unfortunate, such great
customers.

Take those customers who steal identity from the public -- did you get a
cut, or just the hosting fees?

Next, move to those who host trojans, rogue antivirus, bill people for fake
software (and keep billing them), etc. Oh, and the ad-ware, despite being a
lower security risk, it was some of the most hated stuff out there.

I'd say you have put your fate into companies you shouldn't have -- not just
your fate but your business. This is the logical result (actually, this is
just the start). I'm surprised it took so long.

You can't wash away years of malicious activity by simply claiming innocence
and disconnecting some of your worst offenders.

Male parta male dilabuntur.


For the NANOG folks who apparently don't understand what is going on and are
so easily socially engineered by these claims of innocence -- do a little
research:

http://www.google.com/search?hl=enq=intercage+malware
http://www.google.com/search?hl=enq=atrivo+malware


Here's some research for you:
Complaints on Intercage/Atrivo from 2003:
Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html


From 2006:
More super rogue anti-spyware
http://updates.zdnet.com/tags/intercage.com.html

Be on the lookout for another new supposed anti-spyware program that might
be hijacking desktops any day now. This one is called PestTrap and it's a
clone of SpySheriff. SpySheriff was one of the top 10 rogue anti-spyware
apps of 2005, coming in at number 2.

PestTrap site is hosted at IP address 69.50.167.173 which belongs to an ISP
in California, InterCage, Inc., formerly known as Atrivo.  Note the
nameservers are mail.atrrivo.com and pavel.atrivo.com.

OrgName:    InterCage, Inc.
OrgID:      INTER-359
Address:    1955 Monument Blvd.
Address:    #236
City:       Concord
StateProv:  CA
PostalCode: 94520
Country:    US

Not surprisingly, SpySheriff.com (link to whois) is hosted at InterCage, and
we have SpyTrooper.com on the same IP address, 69.50.170.82. The other
domain on the IP is Spy-Sheriff.com. This IP is also currently blacklisted.

InterCage, Inc. INTERCAGE-NETWORK-GROUP (NET-69-50-160-0-1)
  69.50.160.0 - 69.50.191.255
William Lu STANDARDSHELLS (NET-69-50-170-0-1)
  69.50.170.0 - 69.50.170.255

The Intercage.com (link to site) home page is white and blank except for .
in the upper left corner.  Now, that seems odd to me. An ISP with a blank
homepage? Google searches for Intercage.com and Intercage, Inc. bring up
all kinds of interesting links. A Google search for Atrivo produces even
more fascinating information like this and this.  More on this one later.


Re: Atrivo/Intercage: NO Upstream depeered at 2:25am est

2008-09-21 Thread Paul Ferguson

-- James Thomas [EMAIL PROTECTED] wrote:

Hmmm Seems Pacific bit the bullet around 2:25 est all announcements were
dropped.

http://cidr-report.org/cgi-bin/as-report?as=AS27595v=4view=2.0


While this is 'good' news, don't be fooled -- many of these prefixes
have been migrated elsewhere, much the same way criminal activity
was shifted to other hosting providers after the 'disappearance'
of AS40989 last year.

For example, see:

http://www.cidr-report.org/cgi-bin/as-report?as=as36445view=2.0

Tiscali is the only upstream for Cernel...

-- ferg


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Hello,

It's true that David from PIE disconnected our link approx 9pm or so 
yesterday.  Things were going perfect, no complaints for a few weeks now.  The 
only thing I believe is that NTT gave lots of pressure to PIE.  For some 
unknown reason when I tried to reach out to the security guy at NTT he 
basically said our contract is with PIE.

So in a time like this you really get to know who your friends are and who 
should be avoided.

Onward and upward!  What doesn't kill you only makes you stronger ;-).  Just 
feel bad for the customers, for whom I am truly sorry right now ;-(.

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread James Thomas
Emil,

You have a lot of loyal legit customers. What are your plans?  Seems like you're
taking action against the bad clients, which is great. Where does this leave
Intercage? Are you seeking alternative routes currently? Offering refunds to
those loyal clients?


James

-Original Message-
From: Emil Kacperski [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 21, 2008 3:20 PM
To: nanog@nanog.org
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Hello,

It's true that David from PIE disconnected our link approx 9pm or so
yesterday.  Things were going perfect, no complaints for a few weeks now. 
The only thing I believe is that NTT gave lots of pressure to PIE.  For some
unknown reason when I tried to reach out to the security guy at NTT he
basically said our contract is with PIE.

So in a time like this you really get to know who your friends are and who
should be avoided.

Onward and upward!  What doesn't kill you only makes you stronger ;-).  Just
feel bad for the customers, for whom I am truly sorry right now ;-(.

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098


  




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Laurence F. Sheldon, Jr.

Emil Kacperski wrote:


It's true that David from PIE disconnected our link approx 9pm or so
yesterday.  Things were going perfect, no complaints for a few weeks
now.  The only thing I believe is that NTT gave lots of pressure to
PIE.  For some unknown reason when I tried to reach out to the
security guy at NTT he basically said our contract is with PIE.



Some days the dragon wins, some days the knight does.



RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Hey James,

That's the worst part in all this, so many have been with me for years!  I just put 
my fate into companies I shouldn't have.  NLayer was bought and Liteup held 
control of the SF pop, who is fully at the mercy of NLayer / ServerCentral.  
WVFiber was bought by Host.NET and Randy simply made a choice.  And David from 
PIE I knew who he was from others but hey he has been at the datacenter with me 
for a number of years, so I gave him the benefit of the doubt.

Spamhaus a few days ago added his IPs as a /22.  And surprise surprise now 
it's a /32!

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906

David didn't even have the balls to contact me and let me know what happened.  
Has ignored any phone calls, etc.  Just told his router admin not to do 
anything without his approval.  In fact his technician acted at first as if he 
didn't know what happened.

Just need to put all this behind me.  

Thanks!

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Had you responded to the hundreds of abuse complaints over the years
this would not have happened.

Sorry, no sympathy for you or the customers not smart enough to move
over the last few years of very overt negative news about you.

Matt

Emil Kacperski wrote:
 Hey James,
 
 That's the worst part in all this, so many have been with me for years!  I just 
 put my fate into companies I shouldn't have.  NLayer was bought and Liteup 
 held control of the SF pop, who is fully at the mercy of NLayer / 
 ServerCentral.  WVFiber was bought by Host.NET and Randy simply made a 
 choice.  And David from PIE I knew who he was from others but hey he has been 
 at the datacenter with me for a number of years, so I gave him the benefit of 
 the doubt.
 
 Spamhaus a few days ago added his IPs as a /22.  And surprise surprise now 
 it's a /32!
 
 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906
 
 David didn't even have the balls to contact me and let me know what happened. 
  Has ignored any phone calls, etc.  Just told his router admin not to do 
 anything without his approval.  In fact his technician acted at first as if he 
 didn't know what happened.
 
 Just need to put all this behind me.  
 
 Thanks!
 
 Contact: Emil Kacperski
 
 Company: Intercage Inc. - Atrivo
 
  Dedicated Servers
 
  San Francisco Datacenter
 
 E-Mail:  [EMAIL PROTECTED]
 
 Phone:   925-550-3947
 
 ICQ: 23531098
 
 
   

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Emil Kacperski
Matt,

Don't believe everything you read.  I have unfortunately been a target over the 
years because I rented machines to Esthost.  But the stories made up are way out 
there.  It's all very easy: a dedicated server / customer relationship - nothing more.

Never did I ignore anyone from the abuse community.  Go ahead and find me
an IP address that did any spam or anything.  You won't find it, I can't remember
the last time I got any Spamcop complaints.  Not even going to mention Spamhaus
because we all know their abuse.

We asked a handful of Intercage's most vocal critics if they sent take
down requests to Kacperski. None said yes. In his defense, what may
have finally happened is that malware researchers stopped bothering to
report abusive sites, Eckelberry says.

None said YES!  That pretty much sums it all up.  Maybe I could have reached out
more, I guess that was my mistake.  But it surely is impossible to deal with if
you have to deal with people like John Reid.

Thanks!  

Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Patrick W . Gilmore

On Sep 21, 2008, at 4:21 PM, Emil Kacperski wrote:


Don't believe everything you read.


Most excellent advice.

[SNIP]

--
TTFN,
patrick




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch
Considering the years of abuse, DNSBL listings, ROKSO listings, further 
abuse, and silence at the abuse switch, I _CERTAINLY_ would not send 
Atrivo abuse reports, I would send them to the upstreams instead.  
Considering the almost 40 page white paper produced last month on the 
abuse from Atrivo, for me to change this practice, I would require:
* a rapid, and verifiable response from Atrivo here over some 
period of time exceeding several months, and continuing thereafter,
* the clearing of SBL/ROKSO records, and
* a general reduction of abuse emanating from Atrivo.

Andrew


Emil Kacperski wrote:

Matt,

Don't believe everything you read.  I have unfortunately been a target over the 
years because I rented machines to Esthost.  But the stories made up are way out 
there.  It's all very easy: a dedicated server / customer relationship - nothing more.

Never did I ignore anyone from the abuse community.  Go ahead and find me
an IP address that did any spam or anything.  You won't find it, I can't remember
the last time I got any Spamcop complaints.  Not even going to mention Spamhaus
because we all know their abuse.

We asked a handful of Intercage's most vocal critics if they sent take
down requests to Kacperski. None said yes. In his defense, what may
have finally happened is that malware researchers stopped bothering to
report abusive sites, Eckelberry says.

None said YES!  That pretty much sums it all up.  Maybe I could have reached out
more, I guess that was my mistake.  But it surely is impossible to deal with if
you have to deal with people like John Reid.

Thanks!  


Contact: Emil Kacperski

Company: Intercage Inc. - Atrivo

 Dedicated Servers

 San Francisco Datacenter

E-Mail:  [EMAIL PROTECTED]

Phone:   925-550-3947

ICQ: 23531098


  
  





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread William Pitcock
Greetings,

I can further vouch for this... an unusually large amount of botnets
reported to DroneBL have command and control servers on Atrivo's
network.

With the amount of listings and reports I get, it is obvious that Atrivo
does not care about the abuse@ inbox... which is unfortunate.

William

On Sun, 2008-09-21 at 16:49 -0400, Andrew D Kirch wrote:
 Considering the years of abuse, DNSBL listings, ROKSO listings, further 
 abuse, and silence at the abuse switch, I _CERTAINLY_ would not send 
 Atrivo abuse reports, I would send them to the upstreams instead.  
 Considering the almost 40 page white paper produced last month on the 
 abuse from Atrivo, for me to change this practice, I would require:
  * a rapid, and verifiable response from Atrivo here over some 
 period of time exceeding several months, and continuing thereafter,
  * the clearing of SBL/ROKSO records, and
  * a general reduction of abuse emanating from Atrivo.
 
 Andrew
 
 
 Emil Kacperski wrote:
  Matt,
 
  Don't believe everything you read.  I have unfortunately been a target over 
  the years because I rented machines to Esthost.  But the stories made up are way out 
  there.  It's all very easy: a dedicated server / customer relationship - nothing 
  more.
 
  Never did I ignore anyone from the abuse community.  Go ahead and find me
  an IP address that did any spam or anything.  You won't find it, I can't 
  remember the last time I got any Spamcop complaints.  Not even going to mention 
  Spamhaus because we all know their abuse.
 
  We asked a handful of Intercage's most vocal critics if they sent take
  down requests to Kacperski. None said yes. In his defense, what may
  have finally happened is that malware researchers stopped bothering to
  report abusive sites, Eckelberry says.
 
  None said YES!  That pretty much sums it all up.  Maybe I could have reached 
  out more, I guess that was my mistake.  But it surely is impossible to deal 
  with if you have to deal with people like John Reid.
 
  Thanks!  
 
  Contact: Emil Kacperski
 
  Company: Intercage Inc. - Atrivo
 
   Dedicated Servers
 
   San Francisco Datacenter
 
  E-Mail:  [EMAIL PROTECTED]
 
  Phone:   925-550-3947
 
  ICQ: 23531098
 
 


 
 




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Emil Kacperski wrote:
 Don't believe everything you read.  I have unfortunately been a target over 
 the years because I rented machines to Esthost.  But the stories made up are way out 
 there.  It's all very easy: a dedicated server / customer relationship - nothing more.

I don't have to believe what I read. I did the research, and I helped
write the reports. Have to say I'm VERY proud of contributing to getting
you offline.

It's not just estdomains. In fact very little of them is related to you.
It's the botnet controllers, spam, phishing sites, etc. If you think
those things trivial then you need to remain offline.

 
 Never did I ignore anyone from the abuse community.  Go ahead and find me
 an IP address that did any spam or anything.  You won't find it, I can't 
 remember the last time I got any Spamcop complaints.  Not even going to mention 
 Spamhaus because we all know their abuse.
 

You ignored MY abuse complaints. You ignored MY emails to cooperate in
getting your net cleaned up. I have HUNDREDS of malware samples using
your nets as CnC just in the last few months! So rather than wasting my
time emailing your abuse blackhole I helped write a report about you.

Time well spent I think.

 We asked a handful of Intercage's most vocal critics if they sent take
 down requests to Kacperski. None said yes. In his defense, what may
 have finally happened is that malware researchers stopped bothering to
 report abusive sites, Eckelberry says.

They didn't ask me. I sent plenty. And if you read his full comments I'm
sure he goes on to say because they were tired of having their time
wasted by you ignoring them for YEARS!

But this thread isn't what nanog is for. We should end this here, until
Emil finds someone else willing to peer his crap. Then we can decide how
to get that handled.

Matt

 
 None said YES!  That pretty much sums it all up.  Maybe I could have reached out
 more, I guess that was my mistake.  But it surely is impossible to deal with 
 if you have to deal with people like John Reid.
 
 Thanks!  
 
 Contact: Emil Kacperski
 
 Company: Intercage Inc. - Atrivo
 
  Dedicated Servers
 
  San Francisco Datacenter
 
 E-Mail:  [EMAIL PROTECTED]
 
 Phone:   925-550-3947
 
 ICQ: 23531098
 
 
   

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all of 
the SBL Listings, all of the DNSBL Listings, and all of the abuse on our 
network has never had action taken.

-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for 
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't acted 
on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP 
Block.. There's NO Evidence of any abuse from PIE for the listing. How can they 
be labeled as a SPAM or Abuse Supporter after routing us for such a short 
time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller 
named Esthost. While their customer track record may not be a straight arrow, 
they've ALWAYS taken action on abuse we've received for machines leased to them 
(Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering false 
information and giving false reports to news media. What did that do? It gave 
us the opportunity to cancel service on EVERY Machine that an abuse was 
reported on. 
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work with 
the public and take in reports against Malware Customers, as that is what the 
news media was reporting was the issue. Over 20,000 Domains get suspended by 
EstDomains in a period of about a week. You're going to come back and say, Well 
Directi did it in about 2 days!. Yeah? Directi had it placed right on their 
desk! They didn't have to launch any campaign or go out and ask the COMMUNITY 
for it. The people behind those false reports on our company gave them a set of 
Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an 
outreach program. Community is giving support for it. 
We enact a zero tolerance policy for our entire network, this isn't made public 
aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the community, 
and Esthost. In the final stretch of that 1 month, we get blind-sided by 
Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from last 
night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named Igor, 
and Atrivo being the epicenter with such partners like InterCage. Did you 
forget? Emil has a split-personality, that's how they got their claim of 
InterCage being partnered with Atrivo. As though they're 2 separate entities! 
Good Research Matt, Jart, Garth, and all the others who've written about us 
recently!

Thank you all for your time and responses. Good or bad, we're reading them. 
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco, 
CA. We would only be so lucky!





Re: Atrivo/Intercage: NO Upstream depeered at 2:25am est

2008-09-21 Thread Gadi Evron

On Sun, 21 Sep 2008, Paul Ferguson wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- James Thomas [EMAIL PROTECTED] wrote:


Hmmm Seems Pacific bit the bullet around 2:25 est all announcements were
dropped.

http://cidr-report.org/cgi-bin/as-report?as=AS27595v=4view=2.0



While this is 'good' news, don't be fooled -- many of these prefixes
have been migrated elsewhere, much the same way criminal activity
was shifted to other hosting providers after the 'disappearance'
of AS40989 last year.

For example, see:

http://www.cidr-report.org/cgi-bin/as-report?as=as36445view=2.0

Tiscali is the only upstream for Cernel...


Are they all moving to Cernel as predicted, or are some of the prefixes 
coming from elsewhere?





- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI1o8/q1pz9mNUZTMRAveCAJ9CdMk5m35zwUAtkPrIGfHgPHFwsACbBRdd
zhlVMo9Jrfwzyn0YsjSR1nI=
=CIeo
-END PGP SIGNATURE-


--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/








Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
William:
To date, I have never heard of the DroneBL. I have NEVER received any report 
from any entity referring to that. The last report for a bot on our network was 
an EggDrop bot a week or so ago. The report was from the IRC Network Operator, 
and asked to have it removed from his network because it seemed to 
be 'forgotten'. It was sitting in a dead channel that hasn't had any activity 
for months.
He did NOT claim any abuse.

I'll be more than happy to monitor DroneBL, or have digests or reports from 
them in regards to our network.

-

Matt:
It's very sad that you're PROUD of your contribution to the supposed white paper 
on our company. I'd like to know, was any of your contribution to the report 
altered, or mis-represented, or are you truly unaware of how false the 
information you provided was?
Care to have verified it? or are you a Spamhaus admin like John Reid who has 
that magic stick to make a claim and attack anyone who objects to it with the 
truth?

If you want to see REAL Cyber Crime, take a look at what you caused Matt. Take 
a good look at Spamhaus, and tell me that they're entirely legitimate with 
their business. Oh, I forgot, they're a Not-for-profit organization that 
DOESN'T do business in the USA, nor has any clientele in the USA.

-

There is absolutely no sense in arguing and bickering over all this crap that 
you guys have caused with your misinformation and false claims.
I don't know how to make this any simpler: If you see abuse from our network, 
report it to US. If you report it to an upstream, they'll just drop it back 
down to us. Obviously, we can't do anything right now with our network being 
OFFLINE.. But I'm dying to see who comes up with some abuse that originated 
from our network in this downtime! Who will be first!? Spamhaus?

Thanks again for all your time and comments. Hopefully, you all will straighten 
up your act, cause clearly and truthfully, we've been straight the entire time.
---
Russell Mitchell

InterCage, Inc.





RE: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread James Thomas

Russell,

I really think Atrivo/Intercage has been doing great after reports
and community public action. I'm still puzzled as to why they are still
targeting you? I have a few friends who have machines with you and they
run legitimate companies with over 4 machines.

Emil has done everything in his power to bring his network back to
normal operations. Looks great the past 2 weeks, I wish both of you the best
of luck; it's hard to determine who is a solid friend and who is not. Like
Emil said... It only will make you stronger.

James

-Original Message-
From: Russell Mitchell [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 21, 2008 5:54 PM
To: nanog@nanog.org
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all
of the SBL Listings, all of the DNSBL Listings, and all of the abuse on our
network has never had action taken.

-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't
acted on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP
Block.. There's NO Evidence of any abuse from PIE for the listing. How can
they be labeled as a SPAM or Abuse Supporter after routing us for such a
short time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller
named Esthost. While their customer track record may not be a straight
arrow, they've ALWAYS taken action on abuse we've received for machines
leased to them (Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering
false information and giving false reports to news media. What did that do?
It gave us the opportunity to cancel service on EVERY Machine that an abuse
was reported on. 
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work
with the public and take in reports against Malware Customers, as that is
what the news media was reporting was the issue. Over 20,000 Domains get
suspended by EstDomains in a period of about a week. You're going to come back
and say, Well Directi did it in about 2 days!. Yeah? Directi had it placed
right on their desk! They didn't have to launch any campaign or go out and
ask the COMMUNITY for it. The people behind those false reports on our
company gave them a set of Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an
outreach program. Community is giving support for it. 
We enact a zero tolerance policy for our entire network, this isn't made
public aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the
community, and Esthost. In the final stretch of that 1 month, we get
blind-sided by Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from
last night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named
Igor, and Atrivo being the epicenter with such partners like InterCage.
Did you forget? Emil has a split-personality, that's how they got their
claim of InterCage being partnered with Atrivo. As though they're 2 separate
entities! Good Research Matt, Jart, Garth, and all the others who've written
about us recently!

Thank you all for your time and responses. Good or bad, we're reading them.
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco,
CA. We would only be so lucky!


  




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Gadi Evron

On Sun, 21 Sep 2008, Russell Mitchell wrote:

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk about all of 
the SBL Listings, all of the DNSBL Listings, and all of the abuse on our 
network has never had action taken.


Don't kick someone when they are down. Okay.

I have but one question, why are you speaking to us all now, instead of 
last week or last month?


Gadi.



-

In Spamhaus' article, they did a history of more than ?350? SBL Listings for 
our company. Today, we have 6 ACTIVE Listings in the SBL. If we haven't acted 
on abuse claims, why do those numbers not match up?

So, sometime over the weekend, Spamhaus listed our ONLY Upstream's /22 IP 
Block.. There's NO Evidence of any abuse from PIE for the listing. How can they 
be labeled as a SPAM or Abuse Supporter after routing us for such a short 
time? That's ethical, legitimate, and reasonable to you?

We have ALL of our IP Space listed with Spamhaus because we have a Reseller 
named Esthost. While their customer track record may not be a straight arrow, 
they've ALWAYS taken action on abuse we've received for machines leased to them 
(Just like every other customer we have!).

We enacted a zero tolerance policy in light of the community delivering false 
information and giving false reports to news media. What did that do? It gave 
us the opportunity to cancel service on EVERY Machine that an abuse was 
reported on.
What happened shortly after? No more reports, no more abuse.

Esthost's Registrar entity, EstDomains launched a great campaign to work with the public 
and take in reports against Malware Customers, as that is what the news media was 
reporting was the issue. Over 20,000 Domains get suspended by EstDomains in a period of 
about a week. You're going to come back and say, Well Directi did it in about 2 
days!. Yeah? Directi had it placed right on their desk! They didn't have to launch 
any campaign or go out and ask the COMMUNITY for it. The people behind those false 
reports on our company gave them a set of Data to allow them to act that fast.

So, we see Esthost turning a corner and going out to the community with an 
outreach program. Community is giving support for it.
We enact a zero tolerance policy for our entire network, this isn't made public 
aside to a GOOD and TRUTHFUL Editor from TheRegister, Dan Goodin.
We gave ourselves 1 month to see what is going to happen between the community, 
and Esthost. In the final stretch of that 1 month, we get blind-sided by 
Spamhaus.

So now, an apparently level-headed James Thomas brings the happenings from last 
night into the light, and here we are.
All of the claims about us being the RBN, Emil being some Russian named Igor, and 
Atrivo being the epicenter with such partners like InterCage. Did you forget? Emil has 
a split-personality, that's how they got their claim of InterCage being partnered with Atrivo. As 
though they're 2 separate entities! Good Research Matt, Jart, Garth, and all the others who've 
written about us recently!

Thank you all for your time and responses. Good or bad, we're reading them. 
Have a great day.

---
Russell Mitchell
InterCage, Inc. - An un-organized eCrime ring based out of San Francisco, 
CA. We would only be so lucky!





Re: Atrivo/Intercage: NO Upstream depeered at 2:25am est

2008-09-21 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Gadi Evron [EMAIL PROTECTED] wrote:


 http://cidr-report.org/cgi-bin/as-report?as=AS27595v=4view=2.0


 While this is 'good' news, don't be fooled -- many of these prefixes
 have been migrated elsewhere, much the same way criminal activity
 was shifted to other hosting providers after the 'disappearance'
 of AS40989 last year.

 For example, see:

 http://www.cidr-report.org/cgi-bin/as-report?as=as36445view=2.0

 Tiscali is the only upstream for Cernel...

Are they all moving to Cernel as predicted, or are some of the prefixes 
coming from elsewhere?

The only prefixes that were being originated by AS27595 which are
now being originated elsewhere (at least that I've seen) are:

AS27595:

  - 85.255.113.0/24 Withdrawn
  - 85.255.114.0/23 Withdrawn
  - 85.255.116.0/22 Withdrawn
  - 85.255.120.0/23 Withdrawn
  - 85.255.122.0/24 Withdrawn

AS36445:

Prefix   AS Path

85.255.112.0/20  12654 3257 36445   

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI1suyq1pz9mNUZTMRAhvOAJ9VKLoPtrQ8QYJTJlAspxoiKgooeACgtdGT
AuaBR6QAkHlvrplNjEppamc=
=wYt3
-END PGP SIGNATURE-



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
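
Added example (not part of the thread, and not Ferguson's own tooling): a Python check for the pattern this message describes, where prefixes withdrawn from one origin AS reappear under a different origin, aggregated into a less-specific block. The two route-table snapshots are constructed from the five AS27595 prefixes and the AS36445 path quoted above; the path given to the AS27595 routes (64512 27595) is a placeholder, since the message only says they were withdrawn. The script also lists the part of the new aggregate that none of the withdrawn prefixes covered, which is address space a defender would want to look at separately rather than assume is the same customer base.

```python
"""Prefix-migration check: did prefixes withdrawn from one origin AS
reappear under another origin, possibly aggregated into a larger block?

Added example, not code from the NANOG thread.  Route tables are
constructed inline from the prefixes quoted in the thread; the AS path
used for the AS27595 routes (64512 27595) is a placeholder.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple

    @property
    def origin(self):
        """Origin AS is the last hop of the AS path."""
        return self.as_path[-1]

    @property
    def upstream(self):
        """The AS immediately before the origin: its transit provider."""
        return self.as_path[-2] if len(self.as_path) > 1 else None


def parse_table(text):
    """Parse 'prefix  as-path' lines (one route per line) into Route objects.
    Blank lines and '#' comments are skipped; malformed prefixes raise."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, *path = line.split()
        routes.append(Route(ipaddress.ip_network(prefix, strict=True),
                            tuple(int(a) for a in path)))
    return routes


# Constructed "before" snapshot: the five AS27595 prefixes from the thread,
# with a placeholder upstream (64512 is a private ASN).
BEFORE = """
85.255.113.0/24  64512 27595
85.255.114.0/23  64512 27595
85.255.116.0/22  64512 27595
85.255.120.0/23  64512 27595
85.255.122.0/24  64512 27595
"""

# Constructed "after" snapshot: the aggregate and AS path quoted in the thread.
AFTER = """
85.255.112.0/20  12654 3257 36445
"""


def withdrawn_prefixes(before, after, origin_asn):
    """Prefixes originated by origin_asn in `before` that no longer appear
    with that origin in `after`."""
    still_there = {r.prefix for r in after if r.origin == origin_asn}
    return sorted(r.prefix for r in before
                  if r.origin == origin_asn and r.prefix not in still_there)


def find_reannouncements(withdrawn, after, old_origin):
    """Map each withdrawn prefix to the most specific route in `after` that
    covers it (same prefix or a less-specific aggregate) under a different
    origin; None when nothing covers it."""
    result = {}
    for p in withdrawn:
        covering = [r for r in after
                    if r.origin != old_origin and p.subnet_of(r.prefix)]
        result[p] = max(covering, key=lambda r: r.prefix.prefixlen, default=None)
    return result


def uncovered_space(aggregate, withdrawn):
    """Parts of the new aggregate not covered by any withdrawn prefix:
    address space that appeared alongside the migrated blocks."""
    remaining = [aggregate]
    for p in withdrawn:
        nxt = []
        for block in remaining:
            if p.subnet_of(block):
                nxt.extend(block.address_exclude(p))  # yields nothing if equal
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def report(before_text=BEFORE, after_text=AFTER, old_origin=27595):
    """Return (withdrawn prefixes, {prefix: covering Route or None})."""
    before, after = parse_table(before_text), parse_table(after_text)
    gone = withdrawn_prefixes(before, after, old_origin)
    return gone, find_reannouncements(gone, after, old_origin)


if __name__ == "__main__":
    gone, moved = report()
    for p in gone:
        r = moved[p]
        if r is None:
            print(f"{p}: withdrawn, not seen elsewhere")
        else:
            print(f"{p}: withdrawn, now covered by {r.prefix} "
                  f"origin AS{r.origin} via AS{r.upstream}")
    agg = parse_table(AFTER)[0].prefix
    print("new space in aggregate:", [str(n) for n in uncovered_space(agg, gone)])
```

For the constructed tables every withdrawn prefix maps to 85.255.112.0/20 with origin AS36445 and next-to-last hop AS3257 (the upstream the message refers to), and the /20 also carries 85.255.112.0/24, 85.255.123.0/24 and 85.255.124.0/22, which were not among the withdrawn announcements.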




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch

Gadi Evron wrote:

On Sun, 21 Sep 2008, Russell Mitchell wrote:

Hello all,

Andrew:
It is truly enlightening, to say the least, that you want to talk 
about all of the SBL Listings, all of the DNSBL Listings, and all of 
the abuse on our network has never had action taken.


Don't kick someone when they are down. Okay.

I have but one question, why are you speaking to us all now, instead 
of last week or last month?


Gadi.

I think he figured out that there's bite to go with the bark.

Andrew




Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Matt Jonkman
Russell Mitchell wrote:
 -
 
 Matt:
 It's very sad that you're PROUD of your contribution to the supposed white 
 paper on our company. I'd like to know, was any of your contribution to 
 the report altered, or mis-represented, or are you truly unaware of how false 
 the information you provided was?
 Care to have verified it? or are you a Spamhaus admin like John Reid who has 
 that magic stick to make a claim and attack anyone who objects to it with the 
 truth?

I'd love to, but nanog isn't the place. I'll be in San Fran in the near
future. Let's sit down over a beer, I'll bring the research and you can
look it over yourself. That would be far more productive than this. I
think a few other folks would love to meet up with you as well. Maybe
Emil can join us too?

It's easy to insinuate from behind a keyboard. Let's get down to facts.

But take this off nanog. This is NOT the place for it. Let me know when
you'll be in town, I'll schedule my travel in that direction to meet up soon.

Matt

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Andrew D Kirch

Russell Mitchell wrote:

Andrew:
If you have seen how Spamhaus handles our resolved SBL Listings, you 
would know.
Those 6 listings have been resolved for a week now. John Reid and 
his goons only provide swift LISTINGS, _NOT_ delistings.



Possibly why they're so widely used.
 
In the past 12 months, I have received not 1 report of a botnet on our 
network.

Your e-mail is broken, or you're a liar, or both.
Phishing pages are always nullrouted at the time of the report. The 
40 page report you keep referring to is a complete farse.

it's 'farce' but that couldn't matter less.
But, undoubtedly, you truly believe that there is an Atrivo and 
InterCage is a partner in crime to Atrivo huh?

Results 1 - 10 of about 26,900 for atrivo.
Results 1 - 10 of about 2,390 for atrivo crime.
Results 1 - 10 of about 1,880 for atrivo fraud.
Results 1 - 10 of about 1,100 for atrivo phish.

It seems that at least 26,900 people join me in the first fantasy, and 
6000 or so join me in the second.  Cult meetings are on Thursday, we'll 
sacrifice a spammer.

Anything else you'd like to throw at me here on NANOG?
Sure, but I haven't figured out how to hit someone with a two-by-four 
over the Internet. 
I truly feel that there are very FEW in the anti-abuse community 
that are smelling fresh air. If you knew where your head was, and where it 
should be, maybe this conversation and the happenings in the recent 
week would have actually given benefit to the internet in whole.
Atrivo/Intercage is off the Internet.  That sounds like Mission 
Accomplished to me.



I'm done now, there's clearly nothing I can do to impart a clue here.

Andrew



Re: Atrivo/Intercage: NO Upstream depeer

2008-09-21 Thread Russell Mitchell
Matt:
I've already put this offer up. I'll be more than happy to meet up at our 
datacenter and take you through our space.
What I find funny is, you're the first one who participated in the recent 
reports to actually take up and respond to us.
I've emailed Garth and Jart, and both of them refused to respond.

I emailed both of them requesting the same information they gave to Directi. If 
they were able to provide Directi with a list of 20,000+ domains from their 
control that were abusive, why can't they provide US directly with a single 1?

Then, release a joint-statement talking about how the companies need to come 
together to combat the abusive activities across the net, yet when we extend 
our hand and open up our network, we don't even get a response!

Directi went from being a partner in crime with us to being a great 
anti-abuse supporting company.. How can YOU claim that WE don't do anything, if 
you won't report your findings in the first place? Got recent stuff? Why are 
you willing to give it now that we're OFFLINE? What can we do about it NOW at 
this very minute?

You tell me when you're going to be in San Francisco, and I'll make myself 
available.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

P.S. I just realized all my responses to earlier people like Gadi and them were 
direct and not cc to NANOG. Will Reply to all now :)



- Original Message 
From: Matt Jonkman [EMAIL PROTECTED]
To: Russell Mitchell [EMAIL PROTECTED]
Cc: nanog@nanog.org
Sent: Sunday, September 21, 2008 4:02:15 PM
Subject: Re: Atrivo/Intercage: NO Upstream depeer

Russell Mitchell wrote:
 -
 
 Matt:
 It's very sad that you're PROUD of your contribution to the supposed white 
 paper on our company. I'd like to know, was any of your contribution to 
 the report altered, or mis-represented, or are you truly unaware of how false 
 the information you provided was?
 Care to have verified it? or are you a Spamhaus admin like John Reid who has 
 that magic stick to make a claim and attack anyone who objects to it with the 
 truth?

I'd love to, but nanog isn't the place. I'll be in san fran in the near
future. Let's sit down over a beer, I'll bring the research and you can
look it over yourself. That would be far more productive than this. I
think a few other folks would love to meet up with you as well. Maybe
Emil can join us too?

It's easy to insinuate from behind a keyboard. Let's get down to facts.

But take this off nanog. This is NOT the place for it. Let me know when
you'll be in town, I'll schedule my travel in that direction to meet up soon.

Matt

-- 

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net


PGP: http://www.jonkmans.com/mattjonkman.asc





Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Suresh Ramasubramanian
It exists but not in bgp form  - http://www.spamhaus.org/drop/

Don't Route Or Peer

srs

On Wed, Sep 17, 2008 at 7:01 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 On Wed, 17 Sep 2008, Skywing wrote:

 Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
 strictly bogons (unallocated addresses) is likely to very quickly erode
 trust in those services, if that is what you are suggesting.

 We all want a really really bad stuff BGP feed for anyone who wants it,
 but the Internet is not ready for that.



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Andy Davidson


On 17 Sep 2008, at 18:32, David Ulevitch wrote:

At the end of the day, nobody is going to drop packets for amazon's  
IP space.


I have a customer that sells online, and is dropping stuff from ec2  
today due to abuse.


Andy



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Patrick W. Gilmore

On Sep 17, 2008, at 4:07 PM, David Ulevitch wrote:

Patrick W. Gilmore wrote:

On Sep 17, 2008, at 1:32 PM, David Ulevitch wrote:


At the end of the day, nobody is going to drop packets for  
amazon's IP space.
I'm afraid reality disagrees with you - there already are networks  
doing it.

Being big does not guarantee you ability to do Bad Things.


I didn't imply that it did.


Actually, that is exactly what you did.


But the ability to block without causing significant collateral  
damage becomes more and more difficult as IPs become less tied to  
the organization using them.


True (and rather obvious).  Here's another obviously true statement:  
As more & more spam comes from a set of IP addresses, it becomes less  
& less likely you should accept e-mail from that space.



That said, you're right that people are doing it now.  Consensus  
from friends running their apps on EC2 is that you can't expect to  
be able to send any email from EC2 and hope for a high  
deliverability rate.


Not news to anyone who works on anti-spam or e-mail deliverability.   
Perhaps the collateral damage will force Amazon to get things fixed  
faster.


Or maybe not, but either way I don't see how you can blame someone for  
not wanting to accept e-mail from EC2.


--
TTFN,
patrick




Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Suresh Ramasubramanian
Looks like PIE got themselves a /22 in spamhaus -

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67906

_quote__

206.223.144.0/22 is listed on the Spamhaus Block List (SBL)

17-Sep-2008 09:57 GMT | SR04

Pacific Internet Exchange LLC. NT Technology ; nttec.com

http://cidr-report.org/cgi-bin/as-report?as=AS32335

Hosted/routed Scott Richter AND Alan Ralsky - now decided to pick up
Intercage/Atrivo. Perhaps someone does not read the news?

http://news.google.com/news?q=intercage
http://www.spamhaus.org/news.lasso?article=636

We hope that's the case and this is not a knowing routing decision.


On Wed, Sep 17, 2008 at 6:31 AM, Matthew Moyle-Croft
[EMAIL PROTECTED] wrote:

 On 16/09/2008, at 10:17 PM, *Hobbit* wrote:

 So in cases like this where the community appears to agree that there's
 a consistently bad apple, what's preventing everyone from simply
 nullrouting the netblocks in question and imposing the death penalty?

 Dunno - but something did occur to me this morning on the drive into work:



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Lamar Owen
On Tuesday 16 September 2008 23:36:20 *Hobbit* wrote:
you expect them to apply a null route?

 Well, I *have* been talking somewhat idealistically here and
 there with this crop of questions, but frankly I thought in the
 2 or 3 years I was ignoring the list that the NETWORK OPERATORS
 ostensibly in custody of the intertubes would have pulled things
 together a little better and grown enough of a pair to firmly
 state this crap stops here and now and make it happen.

:-)  Speaking as an observer only, and not as someone who, other than at my 
own edge, could make a significant impact on the result.

Seems to me getting that IP space on a bogon list could be enough to make a 
serious dent.



RE: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Skywing
Putting things in the automated bogon feeds (e.g. Team Cymru) that are not 
strictly bogons (unallocated addresses) is likely to very quickly erode trust 
in those services, if that is what you are suggesting.

- S

-Original Message-
From: Lamar Owen [EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 09:26
To: nanog@nanog.org nanog@nanog.org
Subject: Re: Atrivo/Intercage: Now Only 1 Upstream


On Tuesday 16 September 2008 23:36:20 *Hobbit* wrote:
you expect them to apply a null route?

 Well, I *have* been talking somewhat idealistically here and
 there with this crop of questions, but frankly I thought in the
 2 or 3 years I was ignoring the list that the NETWORK OPERATORS
 ostensibly in custody of the intertubes would have pulled things
 together a little better and grown enough of a pair to firmly
 state this crap stops here and now and make it happen.

:-)  Speaking as an observer only, and not as someone who, other than at my
own edge, could make a significant impact on the result.

Seems to me getting that IP space on a bogon list could be enough to make a
serious dent.




RE: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Gadi Evron

On Wed, 17 Sep 2008, Skywing wrote:

Putting things in the automated bogon feeds (e.g. Team Cymru) that are not 
strictly bogons (unallocated addresses) is likely to very quickly erode trust 
in those services, if that is what you are suggesting.


We all want a really really bad stuff BGP feed for anyone who wants it, 
but the Internet is not ready for that.


Gadi.



- S

-Original Message-
From: Lamar Owen [EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 09:26
To: nanog@nanog.org nanog@nanog.org
Subject: Re: Atrivo/Intercage: Now Only 1 Upstream


On Tuesday 16 September 2008 23:36:20 *Hobbit* wrote:

   you expect them to apply a null route?

Well, I *have* been talking somewhat idealistically here and
there with this crop of questions, but frankly I thought in the
2 or 3 years I was ignoring the list that the NETWORK OPERATORS
ostensibly in custody of the intertubes would have pulled things
together a little better and grown enough of a pair to firmly
state this crap stops here and now and make it happen.


:-)  Speaking as an observer only, and not as someone who, other than at my
own edge, could make a significant impact on the result.

Seems to me getting that IP space on a bogon list could be enough to make a
serious dent.







Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Christopher Morrow
On Wed, Sep 17, 2008 at 1:01 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 On Wed, 17 Sep 2008, Skywing wrote:

 Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
 strictly bogons (unallocated addresses) is likely to very quickly erode
 trust in those services, if that is what you are suggesting.

 We all want a really really bad stuff BGP feed for anyone who wants it,
 but the Internet is not ready for that.

hrm, so actually there's a lot of supporting infrastructure that is
necessary (or could be necessary) to implement something of that sort
in any decent sized network. Provided you wanted to sinkhole the
traffic off somewhere to 'do the right thing' not just null0 the
traffic, of course.

There's the additional issue of allowing a third party to
manage/traffic-engineer inside your network which might upset some
operations folks. If you can build a list on your own in a reasonable
fashion with supporting information and high confidence level that's
one story, if this list comes from someone else whom you don't even
have a billing-relationship with... it's hard to sell that when
something bad happens.

Certainly not everyone feels this way (see 'popularity' of the
existing RBL/xbl lists) but in a larger network, or one that makes
money ...

How about providing some open-source intelligence in a centralized and
machine-parsable fashion (perhaps with community input of intel even)
which would allow better decisions to be made?

-Chris



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Christian Koch
On Wed, Sep 17, 2008 at 1:07 PM, Christopher Morrow
[EMAIL PROTECTED] wrote:
 On Wed, Sep 17, 2008 at 1:01 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 On Wed, 17 Sep 2008, Skywing wrote:

 Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
 strictly bogons (unallocated addresses) is likely to very quickly erode
 trust in those services, if that is what you are suggesting.

 We all want a really really bad stuff BGP feed for anyone who wants it,
 but the Internet is not ready for that.

 hrm, so actually there's a lot of supporting infrastructure that is
 necessary (or could be necessary) to implement something of that sort
 in any decent sized network. Provided you wanted to sinkhole the
 traffic off somewhere to 'do the right thing' not just null0 the
 traffic, of course.

right on.


 There's the additional issue of allowing a third party to
 manage/traffic-engineer inside your network which might upset some
 operations folks. If you can build a list on your own in a reasonable
 fashion with supporting information and high confidence level that's
 one story, if this list comes from someone else whom you don't even
 have a billing-relationship with... it's hard to sell that when
 something bad happens.


and this is the exact reason i will not implement any of these
auto-bgp feeds or drop lists in my network.

now not only do i have internal operation folks fat fingers to worry
about, but what if one of these third parties, as you pointed out, with
no money changing hands or formal agreements, has fat fingers one day,
and now adds a legitimate allocation to the feed/list?

then what?

 Certainly not everyone feels this way (see 'popularity' of the
 existing RBL/xbl lists) but in a larger network, or one that makes
 money ...

 How about providing some open-source intelligence in a centralized and
 machine-parsable fashion (perhaps with community input of intel even)
 which would allow better decisions to be made?


 -Chris



Christian



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread David Ulevitch

Christopher Morrow wrote:


How about providing some open-source intelligence in a centralized and
machine-parsable fashion (perhaps with community input of intel even)
which would allow better decsions to be made?


Reputation based on src_addr is /so/ 2005.  ASN has a few more legs 
perhaps... but...


All the growth in Internet-connected compute clouds (EC2, AppNexus, 
GoGrid, etc.) makes any system based around IP reputation decidedly less 
useful.


At the end of the day, nobody is going to drop packets for amazon's IP 
space.


-David




Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Patrick W. Gilmore

On Sep 17, 2008, at 1:32 PM, David Ulevitch wrote:

Christopher Morrow wrote:

How about providing some open-source intelligence in a centralized  
and

machine-parsable fashion (perhaps with community input of intel even)
which would allow better decsions to be made?


Reputation based on src_addr is /so/ 2005.  ASN has a few more legs  
perhaps... but...


All the growth in Internet-connected compute clouds (EC2, AppNexus,  
GoGrid, etc.) makes any system based around IP reputation decidedly  
less useful.


At the end of the day, nobody is going to drop packets for amazon's  
IP space.


I'm afraid reality disagrees with you - there already are networks  
doing it.


Being big does not guarantee you ability to do Bad Things.

--
TTFN,
patrick




Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Lamar Owen
On Wednesday 17 September 2008 12:55:49 Skywing wrote:
 Lamar Owen Wrote:
 Seems to me getting that IP space on a bogon list could be enough to make a
 serious dent.

 Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
 strictly bogons (unallocated addresses) is likely to very quickly erode
 trust in those services, if that is what you are suggesting.

Seems a similar topic has been here before... hrm... Yep, back around the 
first of August the subject came up of Is it time to abandon bogon prefix 
filters?  in which thread you (among many others) were a participant.  I 
don't have an archive link, sorry, since I used my personal archive of NANOG 
to find.

Seems there are already trust, DoS, etc issues out there, in spades.

But if someone wanted to do a 'badon'  list and distribute in a similar 
fashion nothing is preventing folks from subscribing.  The various antispam 
DNSBL's have multiple feeds of different kinds; some enterprising soul could 
do the same for routing.  Will everyone do that?  Of course not; some will 
choose to not, others will simply not care, and others will just ignore.

Perhaps it could be called the wish-they-were-bogons list.  Then a 
I-really-wish-they-were-bogons list for just the more severe block.

The point made by Christopher Morrow is well taken:
 There's the additional issue of allowing a third party to
manage/traffic-engineer inside your network which might upset some
operations folks. If you can build a list on your own in a reasonable
fashion with supporting information and high confidence level that's
one story, if this list comes from someone else whom you don't even
have a billing-relationship with... it's hard to sell that when
something bad happens.

Certainly not everyone feels this way (see 'popularity' of the
existing RBL/xbl lists) but in a larger network, or one that makes
money ...

Folks who use a DNSBL are already letting people in their network, in the 
e-mail sense at least (and some firewall interfaces to these lists).  Those 
same people would likely not have a problem with a wish-they-were-bogons 
list.

But, yeah, it's like chasing a weasel with an M134 with someone else aiming 
while you hold down the trigger.

For infrastructure notes, see Team Cymru's description page at 
http://www.team-cymru.org/Services/Bogons/routeserver.html

Seems easy enough to duplicate (of course, the devil is in the details, and 
nothing is as easy as it seems); and making the 'thing' 'do the right thing' 
is a matter of what routes are actually served by your route-servers.  
Perhaps a good use for that old Internet backbone router (or wannabe) that 
can no longer take a full BGP feed.
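An added worked example, not code from anyone in this thread: it takes the idea of the Spamhaus DROP list pointed at earlier ("It exists but not in bgp form"), Lamar's 'badon' route-server notion above, and turns a DROP-style text list into router null-route or sinkhole lines, with the guardrails Christopher Morrow and Christian Koch ask for before letting a third party you have no contract with steer traffic inside your network (refuse absurdly short prefixes, reserved space, anything overlapping your own never-block list, and duplicates). The feed sample is constructed, the DROP text layout ("prefix ; SBLnnn" with ';' starting comments) is assumed from the published list, the NEVER_BLOCK contents and the sinkhole next-hop are placeholders, and the emitted syntax is IOS-style static routes; the sinkhole option is there because, as Morrow says, you may want to pull the traffic somewhere to look at it rather than drop it on Null0.

```python
"""Vet a DROP-style prefix feed before turning it into routes.

Added example for this thread, not the Spamhaus or Team Cymru code. Assumptions:
the feed text format (one "prefix ; comment" per line, ';' begins a comment),
the NEVER_BLOCK list, the route-tag value and the sinkhole next-hop are mine.
"""
import ipaddress

# Constructed sample in DROP text layout; the SBL ids are placeholders.
SAMPLE_DROP = """\
; DROP-style sample, constructed for this example, not a real listing
; Last-Modified: Wed, 17 Sep 2008 09:57:00 GMT
203.0.113.0/24 ; SBL0001
198.51.100.0/22 ; SBL0002
198.51.100.64/26 ; SBL0003 already covered by SBL0002
10.0.0.0/8 ; SBL0004 bogus: RFC1918 space has no business in a bad-actor feed
192.0.2.0/24 ; SBL0005 overlaps our own never-block range
0.0.0.0/0 ; SBL0006 fat-finger: would blackhole the whole Internet
"""

# Space we refuse to blackhole no matter what a feed says (own/customer space).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# Reserved/bogon space: if a feed lists it, the feed is broken, not the prefix.
RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

MIN_PREFIX_LEN = 8   # nothing shorter than a /8 is a listing, it is a typo


def parse_drop(text):
    """Yield (network, comment) for every data line of a DROP-format list."""
    for raw in text.splitlines():
        prefix, _, comment = raw.partition(";")
        prefix = prefix.strip()
        if not prefix:
            continue                      # blank line or pure comment line
        yield ipaddress.ip_network(prefix, strict=True), comment.strip()


def vet(entries, never_block=NEVER_BLOCK, min_len=MIN_PREFIX_LEN):
    """Split entries into (accepted, rejected); rejected carries a reason."""
    accepted, rejected, seen = [], [], []
    for net, comment in entries:
        if net.prefixlen < min_len:
            rejected.append((net, "prefix too short"))
        elif any(net.subnet_of(r) or r.subnet_of(net) for r in RESERVED):
            rejected.append((net, "reserved/bogon space"))
        elif any(net.overlaps(w) for w in never_block):
            rejected.append((net, "overlaps never-block list"))
        elif any(net.subnet_of(s) for s in seen):
            rejected.append((net, "covered by earlier entry"))
        else:
            seen.append(net)
            accepted.append((net, comment))
    return accepted, rejected


def render(accepted, sinkhole_nexthop=None, tag=666):
    """Emit IOS-style static routes; Null0 by default, or a sinkhole next-hop."""
    target = sinkhole_nexthop or "Null0"
    lines = []
    for net, comment in accepted:
        lines.append(f"! {comment}")
        lines.append(f"ip route {net.network_address} {net.netmask} {target} tag {tag}")
    return lines


if __name__ == "__main__":
    acc, rej = vet(parse_drop(SAMPLE_DROP))
    for net, why in rej:
        print(f"REFUSED {net}: {why}")
    print("\n".join(render(acc)))                       # drop on Null0
    print("\n".join(render(acc, sinkhole_nexthop="192.0.2.1")))  # or sinkhole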



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Gadi Evron

On Wed, 17 Sep 2008, Christopher Morrow wrote:

On Wed, Sep 17, 2008 at 1:01 PM, Gadi Evron [EMAIL PROTECTED] wrote:

On Wed, 17 Sep 2008, Skywing wrote:


Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
strictly bogons (unallocated addresses) is likely to very quickly erode
trust in those services, if that is what you are suggesting.


We all want a really really bad stuff BGP feed for anyone who wants it,
but the Internet is not ready for that.


hrm, so actually there's a lot of supporting infrastructure that is
necessary (or could be necessary) to implement something of that sort
in any decent sized network. Provided you wanted to sinkhole the
traffic off somewhere to 'do the right thing' not just null0 the
traffic, of course.

There's the additional issue of allowing a third party to
manage/traffic-engineer inside your network which might upset some
operations folks. If you can build a list on your own in a reasonable
fashion with supporting information and high confidence level that's
one story, if this list comes from someone else whom you don't even
have a billing-relationship with... it's hard to sell that when
something bad happens.

Certainly not everyone feels this way (see 'popularity' of the
existing RBL/xbl lists) but in a larger network, or one that makes
money ...

How about providing some open-source intelligence in a centralized and
machine-parsable fashion (perhaps with community input of intel even)
which would allow better decisions to be made?


Chris, that does not solve the one issue you did not mention: liability.

Gadi.


-Chris





Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-17 Thread Lamar Owen
On Wednesday 17 September 2008 13:34:22 Patrick W. Gilmore wrote:
 On Sep 17, 2008, at 1:32 PM, David Ulevitch wrote:
  At the end of the day, nobody is going to drop packets for amazon's
  IP space.

 I'm afraid reality disagrees with you - there already are networks
 doing it.

Indeed.  Google's e-mail servers get on the various DNSBL's frequently.

 Being big does not guarantee you ability to do Bad Things.

Might even provide incentive for the grid computing providers to keep tabs on 
what their users are doing.  Imagine that!  Accountability, using the 
only 'stick' available.
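An added example, not code from any poster, for the Ulevitch/Gilmore exchange above about whether reputation keyed on source address, /24 or origin ASN still works once cloud tenants share address space, and for Patrick's rule of thumb that the more spam a set of addresses emits the less you should accept mail from it. It scores one constructed filter log three ways and reports what each granularity blocks and how much legitimate mail it refuses as collateral. The log lines, the prefix-to-ASN map and the thresholds are all constructed by me.

```python
"""Per-IP vs per-/24 vs per-ASN mail reputation over a constructed log.

Added example for this thread. The prefix->ASN map, the observations and the
block thresholds are constructed; real data would come from your filter logs
and a route table or whois lookup.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin AS map. Two ranges share one "cloud" AS whose
# tenants churn through addresses; the third is single-customer hosting.
ORIGIN_AS = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("192.0.2.0/24"): 64496,
}

# Constructed filter log: (source address, verdict). Three cloud instances each
# send a few spams and rotate away, a cloud tenant and another cloud customer
# send legitimate mail, and one dedicated host is an outright spammer.
OBSERVATIONS = (
    [("203.0.113.10", "spam")] * 4 + [("203.0.113.11", "spam")] * 4
    + [("203.0.113.12", "spam")] * 4 + [("203.0.113.50", "ham")] * 3
    + [("198.51.100.20", "ham")] * 8
    + [("192.0.2.5", "spam")] * 10 + [("192.0.2.5", "ham")]
)


def origin_as(ip):
    """Longest-match would matter with real tables; the sample map is disjoint."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ORIGIN_AS.items():
        if addr in net:
            return asn
    return None


def bucket(ip, granularity):
    """Map a source address to the reputation key for the chosen granularity."""
    if granularity == "ip":
        return ip
    if granularity == "net24":
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    if granularity == "asn":
        return origin_as(ip)
    raise ValueError(f"unknown granularity {granularity!r}")


def evaluate(observations, granularity, min_samples=10, threshold_pct=80):
    """Return (sorted blocked keys, number of ham messages that would be refused).

    A key is blocked once it has at least min_samples messages and its spam
    share reaches threshold_pct; integer arithmetic avoids float edge cases.
    """
    total, spam = defaultdict(int), defaultdict(int)
    for ip, verdict in observations:
        key = bucket(ip, granularity)
        total[key] += 1
        if verdict == "spam":
            spam[key] += 1
    blocked = {
        key for key in total
        if total[key] >= min_samples and spam[key] * 100 >= threshold_pct * total[key]
    }
    ham_lost = sum(
        1 for ip, verdict in observations
        if verdict == "ham" and bucket(ip, granularity) in blocked
    )
    return sorted(blocked), ham_lost


if __name__ == "__main__":
    for granularity in ("ip", "net24", "asn"):
        blocked, lost = evaluate(OBSERVATIONS, granularity)
        print(f"{granularity:6s} blocks {blocked}, ham refused: {lost}")
```

On this sample, per-address scoring never reaches the sample floor for the rotating cloud instances and only catches the dedicated spammer (the churn problem David raises); per-/24 scoring catches the cloud range at the cost of the legitimate tenant sitting in it; per-ASN scoring dilutes the spam with the cloud's other customers and blocks nothing there. None of the three is free, which is the trade-off the thread is arguing about.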


